# PHISHING

<!-- Put the link to this slide here so people can follow -->
slide: https://hackmd.io/@phish123/rkdOlIcWd

---

## GOALS

- Personal & financial information :money_with_wings: :id:
- Credentials :information_source:
- Confidential intel :page_facing_up:
- Control :computer:

---

### Two of the most common methods include:

---

## Email

- Includes an attachment or a malicious URL that leads to a phishing site.
- The attachment may contain documents or files with malicious code.
- The URL leads to a fake site that looks like a legitimate site.

## Phone call

- Typically pretends to be from IT support, e.g. Microsoft: "Problem with your PC".
- Wants the user to install a remote control application.
- In a Windows environment runs terminal (cmd) commands, e.g. `tree`, that may distract an inexperienced user.

## METHODS

### Display name spoofing

- Ex. the attacker impersonates a co-worker. Only the sender's name is falsified; it does not correspond to the sender's email address.

### Domain spoofing

- The sender's address is falsified. More difficult to identify, but companies and organizations use different methods for prevention, such as:
  - DMARC: https://dmarc.org/
  - SPF: https://web.archive.org/web/20190222070146/http://www.openspf.org/Introduction

### Look-alike domain

- The email address is similar to the real address, e.g. acme.com can become acme.inc.com. This counts on the user not paying attention.
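The DMARC and SPF links above are the receiving side's defence against domain spoofing: SPF says which hosts may send for a domain, and DMARC says whether the header From domain must align with that and what to do when it does not. The Python below is an added example, not code from these slides or from either project. It evaluates an SPF record and a DMARC policy against a constructed in-memory DNS table; every domain name, IP address and TXT record in it is made up, a real receiver would query DNS, and DKIM (the other DMARC authentication path) is left out.

```python
"""Offline SPF / DMARC evaluation against a constructed in-memory DNS table.

Added example, not code from the original slides. All domain names, IP
addresses and TXT records below are constructed; a real receiver would
query DNS (e.g. with dnspython) and would also evaluate DKIM, which is
left out here. Only the SPF mechanisms ip4, include and all are handled.
"""
import ipaddress

# Constructed DNS TXT data: name -> list of TXT records.
FAKE_DNS = {
    "acme.example": ["v=spf1 ip4:203.0.113.0/24 include:mail.acme.example -all"],
    "mail.acme.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "_dmarc.acme.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@acme.example"],
    # Look-alike domain: its SPF is perfectly valid, but it is not acme.example.
    "acme.inc.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
}

# SPF qualifier -> result when a mechanism matches.
QUAL_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt_records(name):
    return FAKE_DNS.get(name, [])


def spf_check(domain, ip, depth=0):
    """Return the SPF result for `ip` claiming to send on behalf of `domain`."""
    if depth > 10:  # RFC 7208 limits the number of DNS-querying terms
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for rec in txt_records(domain):
        if not rec.startswith("v=spf1"):
            continue
        for term in rec.split()[1:]:
            qual = "+"
            if term[0] in QUAL_RESULT:
                qual, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            if mech == "all":
                return QUAL_RESULT[qual]
            if mech == "ip4" and addr.version == 4 and addr in ipaddress.ip_network(arg, strict=False):
                return QUAL_RESULT[qual]
            if mech == "include" and spf_check(arg, ip, depth + 1) == "pass":
                return QUAL_RESULT[qual]
        return "neutral"  # record ended without a matching mechanism or "all"
    return "none"  # no SPF record published


def org_domain(fqdn):
    """Naive organizational domain (last two labels); real code uses the Public Suffix List."""
    return ".".join(fqdn.lower().split(".")[-2:])


def dmarc_policy(from_domain):
    """Fetch and parse the DMARC record for the From domain, falling back to its org domain."""
    for name in ("_dmarc." + from_domain, "_dmarc." + org_domain(from_domain)):
        for rec in txt_records(name):
            if rec.startswith("v=DMARC1"):
                return dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
    return None


def dmarc_evaluate(from_domain, mail_from_domain, ip):
    """Disposition for a message: 'pass', or the domain owner's p= policy when it fails.

    Alignment compares the header From domain with the SPF-authenticated
    (envelope MAIL FROM) domain: relaxed by default, strict if aspf=s.
    """
    tags = dmarc_policy(from_domain)
    if tags is None:
        return "no policy"
    spf = spf_check(mail_from_domain, ip)
    if tags.get("aspf", "r") == "s":
        aligned = mail_from_domain.lower() == from_domain.lower()
    else:
        aligned = org_domain(mail_from_domain) == org_domain(from_domain)
    if spf == "pass" and aligned:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    # Legitimate mail from acme.example's own range -> pass.
    print(dmarc_evaluate("acme.example", "acme.example", "203.0.113.5"))
    # Spoofed From: acme.example sent from an unlisted host -> reject.
    print(dmarc_evaluate("acme.example", "acme.example", "192.0.2.7"))
    # Look-alike envelope domain with a valid SPF of its own -> still reject, because it does not align.
    print(dmarc_evaluate("acme.example", "acme.inc.example", "192.0.2.7"))
```

The third case is the one worth remembering when reading the look-alike domain slide: an attacker who owns acme.inc.example can publish a correct SPF record for it, so SPF alone passes; it is DMARC alignment with the header From domain that turns the message into a reject.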
---

## PHISHING FLOW

---

```graphviz
digraph hierarchy {
  nodesep=1.0 // increases the separation between nodes
  node [color=black, fontname=Courier, shape=box, fontcolor=black]
  edge [color=black, style=dashed] // all the lines look like this
  Phishing_Start -> {site attachment}
  site -> {distribute_link}
  distribute_link -> {social_media email}
  attachment -> {email}
  social_media -> {target}
  email -> {target}
  target -> {success}
  success -> {no}
  success -> {yes}
  no -> {Phishing_Start}
  yes -> {direct_to download_execute}
  direct_to -> {phishing_site}
  download_execute -> {malicious_file}
  phishing_site -> {ask}
  ask -> {credentials credit_card}
  credentials -> {result}
  credit_card -> {result}
  result -> {identity_fraud__financial_loss}
  malicious_file -> {result}
  result -> {control_systems data_theft}
}
```

---

## EXAMPLES

- Some examples of fake emails and landing pages:

![](https://i.imgur.com/qIE6gNl.jpg)

- ex 1

---

![](https://i.imgur.com/nHPuKBF.jpg)

- ex 2

---

![](https://i.imgur.com/MM64yOf.jpg)

- ex 3

---

# :bulb:

## Watch for:

### Cloned sites

- The original site is copied, usually some type of login page. When the user enters his/her credentials on the fake site, the fake site redirects to the real site.

### Short URLs

- Short URLs can be used to deceive the user.

### Spelling errors

- Often there are several spelling errors or strange statements.

### Typo-squatting

- The phisher relies on typos, e.g. support@example -> supprt -> suport.

### Look-alike

- The name is close to the original, e.g. facebook, facebook-team, faceb00k, etc.

### Padlock

- Means that the connection is encrypted. The padlock symbol in the address bar alone won't guarantee safety; hackers can also encrypt their sites. The user must pay attention to the address.

---
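The "Watch for" list above and the METHODS slides (display name spoofing, look-alike domains, typo-squatting, short URLs) are all things a mail gateway or a triage script can flag automatically. The Python below is an added example, not code from these slides: it runs those checks over a constructed message. The trusted-domain list, the staff directory, the shortener list and the sample headers and body are all made up, and the domain classifier is a heuristic (prefix match, homoglyph normalisation and edit distance) rather than a complete anti-phishing engine.

```python
"""Heuristic triage of a suspicious e-mail's From header and URLs.

Added example, not code from the original slides. TRUSTED_DOMAINS,
KNOWN_PEOPLE and the sample message are constructed; SHORTENERS lists a
few well-known URL shorteners. Each check maps to one item on the slides:
display-name spoofing, look-alike / typo-squatted domains, short URLs.
"""
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = {"acme.example", "facebook.example"}      # constructed
KNOWN_PEOPLE = {"Jane Doe": "jane.doe@acme.example"}         # constructed directory
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def levenshtein(a, b):
    """Classic edit distance; a small distance to a trusted domain suggests typo-squatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Characters commonly swapped for letters they resemble (faceb00k -> facebook).
HOMOGLYPHS = str.maketrans("01|", "oll")


def normalize(domain):
    return domain.lower().translate(HOMOGLYPHS)


def classify_domain(domain):
    """Return 'trusted', 'look-alike', 'typo-squat' or 'unknown' for a domain (heuristic)."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return "trusted"
    for t in TRUSTED_DOMAINS:
        base = t.split(".")[0]  # "acme" for acme.example
        # acme.inc.example, acme-team.example, faceb00k.example ...
        if normalize(d) == t or d.startswith(base + ".") or d.startswith(base + "-"):
            return "look-alike"
        if levenshtein(d, t) <= 2:  # acrne.example, acme.exmaple ...
            return "typo-squat"
    return "unknown"


def triage(headers, body):
    """Collect warning strings for one message; an empty list means nothing was flagged."""
    warnings = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2]
    # 1. Display-name spoofing: a colleague's name on a foreign address.
    if name in KNOWN_PEOPLE and KNOWN_PEOPLE[name].lower() != addr.lower():
        warnings.append(f"display name '{name}' does not match directory address {KNOWN_PEOPLE[name]}")
    # 2. Look-alike or typo-squatted sender domain.
    verdict = classify_domain(domain)
    if verdict in ("look-alike", "typo-squat"):
        warnings.append(f"sender domain {domain} is a {verdict} of a trusted domain")
    # 3. Reply-To steering replies to a different domain than From.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain.lower():
        warnings.append(f"Reply-To domain differs from From domain ({reply})")
    # 4. Short URLs (destination hidden) and links whose host imitates a trusted domain.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]
        if host.lower() in SHORTENERS:
            warnings.append(f"shortened URL hides destination: {url}")
        elif classify_domain(host) in ("look-alike", "typo-squat"):
            warnings.append(f"link host {host} imitates a trusted domain: {url}")
    return warnings


# Constructed phishing message combining several of the slide's warning signs.
SAMPLE_HEADERS = {
    "From": '"Jane Doe" <jane.doe@acme.inc.example>',
    "Reply-To": "payments@mailbox.example",
}
SAMPLE_BODY = ("Please confirm your login at http://bit.ly/xyz or "
               "https://faceb00k.example/login before Friday.")

if __name__ == "__main__":
    for w in triage(SAMPLE_HEADERS, SAMPLE_BODY):
        print("WARNING:", w)
```

Running it on the constructed sample produces five warnings (spoofed display name, look-alike sender domain, mismatched Reply-To, a shortened link and a homoglyph link host); a message from jane.doe@acme.example linking to acme.example produces none. Treat the output as triage hints for a human or a SOC rule, not as a verdict: legitimate partners with similar names will trip the edit-distance check, which is why the thresholds belong in an allow-list-backed configuration rather than in code.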