# Phishing

## Intro to phishing

* Before you learn what phishing is, you will need to understand the term social engineering.
* Social engineering is the psychological manipulation of people into performing actions or divulging information by exploiting weaknesses in human nature.
* These "weaknesses" can be curiosity, jealousy, greed, kindness and the willingness to help someone.
* Phishing is a form of social engineering delivered through email to trick someone into either revealing personal information or executing malicious code on their computer.
* These emails will usually appear to come from a trusted source.
* A term you'll come across, and the type of phishing campaign a red team would participate in, is spear-phishing. As with throwing a physical spear, you'd have a target to aim at; the same can be said of spear-phishing, in that you're targeting an individual, business or organisation rather than just anybody en masse.

A red team could be contracted solely to carry out a phishing assessment to see whether a business is vulnerable to this type of attack, or the phishing can be part of a broader-scale assessment and used to gain access to computer systems or services.

Some other methods of phishing through other mediums are smishing, which is phishing through SMS messages, and vishing, which is performed through phone calls.

Example Scenario:

The below example scenario shows how an employee of a company could be tricked into revealing their credentials.

1) The attacker locates the physical location of the target business.
2) The attacker then looks for nearby food suppliers and discovers a company called Ultimate Cookies!
3) The attacker registers the domain name ultimate-cookies.pwn
4) The attacker then crafts an email to their target, tempting them with an offer of receiving some free cookies if they sign up to the website. Because the victim has heard of this local company, they are more likely to trust it.
5) The victim then follows the link in the email to the fake website created by the attacker and registers online. To keep things simple, the victim reuses the same password for all their online accounts.
6) The attacker now has the victim's email address and password and can log onto the victim's company email account. The attacker could now have access to private company information and also have somewhere to launch another phishing attack against other employees.

## Writing Convincing Phishing Emails

* We have three things to work with regarding phishing emails: the sender's email address, the subject and the content.

### The Sender's Address:

Ideally, the sender's address would be from a domain name that spoofs a significant brand, a known contact, or a co-worker.

To find what brands or people a victim interacts with, you can employ OSINT (Open Source Intelligence) tactics. For example:

* Observing their social media accounts for any brands or friends they talk to.
* Searching Google for the victim's name and rough location for any reviews.
* Looking at the victim's business website to find suppliers.
* Looking at LinkedIn to find co-workers of the victim.

### The Subject:

You should set the subject to something quite urgent, worrying, or curious, so they do not ignore it and act on it quickly.

Examples of this could be:

1. Your account has been compromised.
2. Your package has been dispatched/shipped.
3. Staff payroll information.
4. Your photos have been published.

### The Content:

If impersonating a brand or supplier, it would be pertinent to research their standard email templates and branding (style, logos, images, signoffs etc.) and make your content look the same as theirs, so the victim doesn't suspect anything.

If impersonating a contact or coworker, it could be beneficial to contact them first; they may have some branding in their template, have a particular email signature or even something small such as how they refer to themselves. For example, someone might have the name Dorothy and their email is dorothy@company.pwn, but in their signature it might say "Best Regards, Dot". Learning these somewhat small things can sometimes have quite dramatic psychological effects on the victim and convince them more to open and act on the email.

## Phishing Infrastructure

### Domain Name

You'll need to register either an authentic-looking domain name or one that mimics the identity of another domain.

### SSL/TLS Certificates:

Creating SSL/TLS certificates for your chosen domain name will add an extra layer of authenticity to the attack.

### Email Server/Account:

You'll need to either set up an email server or register with an SMTP email provider.

### DNS Records:

Setting up DNS records such as SPF, DKIM and DMARC will improve the deliverability of your emails and make sure they are getting into the inbox rather than the spam folder.

### Web server:

You'll need to set up web servers or purchase web hosting from a company to host your phishing websites.

### Analytics:

When a phishing campaign is part of a red team engagement, keeping analytics information is more important. You'll need something to keep track of the emails that have been sent, opened or clicked. You'll also need to combine it with information from your phishing websites about which users have supplied personal information or downloaded software.

### Automation and useful software:

Some of the above infrastructure can be quickly automated by using the below tools.

GoPhish - (Open-Source Phishing Framework) - getgophish.com

GoPhish is a web-based framework to make setting up phishing campaigns more straightforward.
GoPhish allows you to store your SMTP server settings for sending emails, and has a web-based tool for creating email templates using a simple WYSIWYG (What You See Is What You Get) editor. You can also schedule when emails are sent and have an analytics dashboard that shows how many emails have been sent, opened or clicked.

SET - (Social Engineering Toolkit) - trustedsec.com

The Social Engineering Toolkit contains a multitude of tools, but some of the important ones for phishing are the ability to create spear-phishing attacks and deploy fake versions of common websites to trick victims into entering their credentials.

![](https://i.imgur.com/IXSY2ol.png)
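
A lookalike domain set up as the Domain Name and DNS Records sections describe passes SPF, DKIM and DMARC, so a receiving mail gateway also has to compare the sender domain against the domains the organisation actually deals with. The Python check below is an added example, not part of the original notes; the trusted-domain list (including the legitimate `ultimatecookies.pwn`), the sample message and the 0.85 similarity threshold are assumptions constructed for illustration.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organisation genuinely deals with. "ultimatecookies.pwn"
# is a made-up legitimate supplier domain; "company.pwn" is the page's own example.
TRUSTED_DOMAINS = ("company.pwn", "ultimatecookies.pwn")

# Constructed sample: the scenario's lookalike domain with all three checks passing.
SAMPLE = """\
From: "Ultimate Cookies" <offers@ultimate-cookies.pwn>
To: dorothy@company.pwn
Subject: Free cookies when you sign up
Authentication-Results: mx.company.pwn; spf=pass smtp.mailfrom=ultimate-cookies.pwn;
 dkim=pass header.d=ultimate-cookies.pwn; dmarc=pass header.from=ultimate-cookies.pwn

Sign up today.
"""

def normalise(domain):
    """Drop the TLD and separators: 'ultimate-cookies.pwn' -> 'ultimatecookies'."""
    return re.sub(r"[-_.]", "", domain.lower().rsplit(".", 1)[0])

def auth_passed(msg):
    """True only if the receiving server recorded spf, dkim and dmarc as pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(re.search(rf"\b{m}=pass\b", results) for m in ("spf", "dkim", "dmarc"))

def assess(raw, threshold=0.85):
    """Return (verdict, authenticated) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ok = auth_passed(msg)
    if domain in TRUSTED_DOMAINS:
        return ("trusted" if ok else "unauthenticated-trusted-domain", ok)
    for trusted in TRUSTED_DOMAINS:
        score = difflib.SequenceMatcher(None, normalise(domain), normalise(trusted)).ratio()
        if score >= threshold:
            return (f"lookalike-of:{trusted}", ok)
    return ("unknown-sender", ok)

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The sample is flagged as a lookalike even though every authentication result is `pass`, which is why authentication results alone are not a sufficient filter.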