Spear Social Engineering Part 2
30 Questions

Questions and Answers

Which method is NOT typically associated with spear phishing?

  • Post-It notes
  • Regular newsletters (correct)
  • E-mail
  • Carrier pigeon

What is the ultimate goal of spear phishing?

  • To send spam emails
  • To hack public websites for information
  • To create social media accounts
  • To obtain user credentials for important applications (correct)

Which tactic is recommended when conducting a spear phishing attack?

  • Use direct confrontational techniques
  • Build trust through extended interaction with the target (correct)
  • Employ technically advanced hacking skills
  • Target as many people as possible quickly

What type of exploitation method does NOT fall under the main methods of spear phishing?

Direct physical theft of credentials

Which of the following methods is considered a less conventional form of spear phishing?

Walkie-talkie

What is the primary purpose of building a correct story in a phishing attack?

To gain the target's trust and facilitate interaction

Which of the following approaches is NOT commonly used in traditional spear-phishing attacks?

Creating entirely new websites from scratch

What aspect must be carefully tested in a phishing website after copying it?

The visual and functional accuracy of the site

Which tool can be used to automate the process of copying a website for phishing purposes?

Social Engineering Toolkit's Site Cloner

What must be considered when copying a website for phishing to avoid technical errors?

Missing dependent files such as CSS or JavaScript

What is a key element in creating a phishing website's appearance?

Incorporating familiar visuals to avoid user suspicion

Which domain name strategy is recommended to avoid raising suspicion?

Registering a subtly misspelled version of the target domain

What is the benefit of registering a domain name that is a secondary domain?

It makes the phishing attempt less detectable

How can one reduce the likelihood of emails being marked as spam when phishing?

By registering a legitimate SSL certificate for the domain

What is an essential feature to implement on the back end of a phishing website?

Functional backend capabilities to capture user information

The primary goal of using a phishing website is to gather user credentials.

True

Technical capabilities are the only type of information needed for a successful phishing attack.

False

A phishing website must render correctly for users to trust it.

True

Stories in phishing attacks should strictly adhere to traditional approaches.

False

The Social Engineering Toolkit's Site Cloner is used to scan for missing files after copying a website.

False

E-mail spear phishing is the only method of spear phishing that is considered effective.

False

The goal of spear phishing is solely to send malicious attachments to the target.

False

Building trust with the target user is an essential tactic for successful spear phishing.

True

Among the methods listed, using a walkie-talkie for phishing is a common practice.

False

Client-side exploits are one of the main methods of exploitation in spear phishing.

True

Phishing websites should have a look and feel that is unfamiliar to the user to attract their attention.

False

Choosing a domain name that is an exact match to the target organization is the most effective strategy for phishing.

False

Using numbers to replace letters in domain names is a common tactic in phishing.

True

The Domain Name System (DNS) is generally well understood by end users, making it difficult to deceive them.

False

Implementing back-end functionality is unnecessary once the phishing website's appearance is established.

False

Study Notes

Spear Social Engineering Part 2

• Spear phishing aims to compromise a specific target's computer
• Email phishing is a common but not exclusive method
• Various methods can be used, including email, snail mail, phone calls, text messages, instant messaging, malicious websites, watering hole websites, CB radio, walkie-talkies, Post-It notes, or even carrier pigeons.
• Internal communication methods, like walkie-talkies or Post-It notes, can be a vulnerability if they are implicitly trusted
• The ultimate goal of spear phishing is to gain access to the target's computer and obtain credentials for important applications
• This can be achieved by using phishing websites, client-side exploits, or custom Trojan backdoors
• Strategies for successful spear phishing often involve establishing trust through prolonged interaction
• This interaction builds the user's trust in a fake persona or guise
• This interaction is part of the reconnaissance phase
• To be effective, phishing websites need to resemble the genuine website perfectly
• This includes elements such as design, fonts, and domain name, to reduce suspicion
• Create a website that appears familiar and credible
• Subtle domain name variations, like a slight misspelling, can be used to trick users
• Domain variations may include alternative spellings, extra words, etc.; examples are portal-weaktarget.com, benefit-weaktarget.com, login-weaktarget.com and www-weaktarget.com
• For a phishing website, a valid SSL certificate can be registered so the site appears secure and spam filters are less likely to block messages
• The back-end functionality of the phishing website is crucial
• There are various strategies for responding to the user's login attempt: redirecting to a legitimate or fraudulent site, creating a proxy, or only recording the login details
• Another option is to only return a "failed login" message, which may cause the user to reveal their password history.

Phishing Website Tactics

• Phishing websites usually involve copying a legitimate site and directing a target to the fraudulent copy
• Legitimate websites usually have triggers to avoid suspicion.
• Tools like the Social Engineering Toolkit's Site Cloner can automate website duplication
• The complete copying of a website requires attention to detail
• This includes copying all dependent files, such as CSS and JavaScript files.

Website: Look and Feel

• The website's appearance and user interface should look and feel authentic to the target
• Avoiding noticeable differences in appearance builds trust
• This includes font and design elements that increase credibility with the target.

Website: Domain Name Options

• The domain name should minimize suspicion
• Creating an entirely new company name or slightly modifying an existing one can be valuable.
• Subtle misspellings of the target's domain name can be effective
• Additional options involve adding words or numbers to existing domains to create the perception of a separate, secondary entity.

Phishing Website Watering Holes

• Selecting a relevant website for specific users based on their industry is critical. These sites are known as "watering holes."
• Public forums, or even private forums given some creativity, can be used to lure users
• The aim is to lure a user into interacting with the website.
• In a user account request, collect the necessary user details, which can be used to improve the phishing's effectiveness.

Client-Side Exploit

• Targeting vulnerabilities in common applications on user systems, such as office productivity applications or multimedia software, is a tactic
• Popular targets include Microsoft Word, Excel, Adobe Acrobat, and internet browsers (e.g. Internet Explorer, Mozilla, Chrome).

Custom Trojan Backdoor

• This technique depends on the delivery method used to reach the target user
• Delivery channels such as websites, file-sharing services, or physical media (e.g. USBs, CDs) are common
• The type of software, such as trial versions, pirated versions, or legitimately purchased ones, plays a role in choosing the backdoor software
Description

Explore the techniques and strategies behind spear phishing in this engaging quiz. Understand the different methods used to compromise targets and the importance of trust in these interactions. Test your knowledge on how attackers gain access to valuable credentials through various forms of communication.
