Room 3: Phishing - Merry Clickmas
This room is about phishing, and how not to get caught in that trap. Phishing is the act of sending emails or links to a target while posing as a trusted entity, in order to lure individuals into handing over sensitive information. It relies on social engineering, which is the practice of manipulating individuals into giving up sensitive information through various forms of communication.
Social Engineering
Social engineering refers to manipulating a user into making a mistake. Examples of such mistakes include sharing a password, opening a malicious file, and approving a payment. Attackers rely on psychological tricks to get the target user to cooperate. Some of the psychological factors that play a key role in such attacks are urgency, curiosity, and authority. This is one reason why social engineering is also known as human hacking.
Phishing
Phishing is a subset of social engineering in which the communication medium is mostly messages. At one point, the most common phishing attacks happened via email. The attacker's purpose is to make the user click, open, or reply to a message so that the attacker can steal information, money, or access. Unfortunately, phishing attacks are becoming harder to spot, and even careful people can fall victim to them. Before opening a link, think twice: notice whether the message pressures you to open it, look for anything suspicious, and treat every possibility with doubt.
One practical check is to inspect the URL yourself: look for spelling mistakes in a domain you believe belongs to a trusted source, or, instead of clicking the link, type the address you already know into the browser yourself.
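As an added example (not part of the room's material), the checks above can be automated: the script below compares a link's host against a short allowlist of domains the reader already trusts and flags the common look-alike tricks, such as a trusted name embedded in an untrusted host, a host one or two typos away from a trusted one, a raw IP address, an '@' in the authority part, and non-ASCII or punycode labels. TRUSTED_DOMAINS, the registrable_domain helper and the sample URLs are constructed assumptions; a real deployment would load the allowlist from policy and use the Public Suffix List.

```python
"""Added example (not from the room): heuristic checks on a link before clicking.

The link's host is compared against a constructed allowlist of trusted
domains and common look-alike tricks are reported as warnings.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed allowlist (assumption); a real deployment would load it from policy.
TRUSTED_DOMAINS = {"example.com", "bank.example"}


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels.

    Good enough for the allowlist above; production code should consult the
    Public Suffix List so that names like 'example.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url: str) -> list[str]:
    """Return a list of warnings; an empty list means the host is on the
    allowlist and none of the red flags were seen."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    netloc = parsed.netloc.lower()
    host = (parsed.hostname or "").lower()
    warnings = []

    if parsed.scheme != "https":
        warnings.append("link is not HTTPS")
    if "@" in netloc:
        warnings.append("'@' in authority: text before it is a username, not the host")
    if is_ip_literal(host):
        warnings.append("host is a raw IP address")
    if any(ord(c) > 127 for c in host):
        warnings.append("host contains non-ASCII characters (possible homoglyphs)")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host contains punycode labels")

    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return warnings

    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted in netloc:
            warnings.append(f"trusted name '{trusted}' embedded in untrusted host '{host}'")
        elif edit_distance(domain, trusted) <= 2:
            warnings.append(f"'{domain}' looks like '{trusted}' (typosquat?)")
    warnings.append(f"host '{host}' is not on the allowlist")
    return warnings


if __name__ == "__main__":
    SAMPLE_LINKS = [  # constructed sample links, not real sites
        "https://login.example.com/account",
        "https://example.com.security-check.test/login",
        "http://examp1e.com/login",
        "https://203.0.113.10/login",
        "https://example.com@evil.test/reset",
    ]
    for link in SAMPLE_LINKS:
        print(link, "->", inspect_url(link) or ["no warnings"])
```

The allowlist check deliberately comes after the red-flag checks, so a link to a trusted domain that still uses plain HTTP or carries an '@' in the authority is reported rather than silently accepted.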
Build a Trap
As a penetration tester, you must sound very convincing for a phishing attack to succeed. It is not only how you write the phishing email or message, but also how you set up the trap for the target. The trap can be anything, depending on your objectives and the research you conduct on the target. Sometimes attackers aim to compromise the target's machine, and they achieve this by attaching a malicious file to the phishing email. At other times they craft a web page that mimics a legitimate login page in order to steal the target's credentials.
Social Engineering Toolkit (SET)
Once the phishing page is ready, the phishing email can be sent to the target users. Sending it from a personal email address is the worst option; ideally, the mail should appear to come from a legitimate-looking sender. The more realistic a phishing email is, the more likely the recipient is to believe it and get phished.
For this, the room uses SET, an open-source tool designed for social engineering attacks. It lets you compose and send phishing emails to the target users.
If a user clicks the URL you sent, they fill in the form believing it is legitimate, while behind the scenes you are listening for the submitted responses.