Spear Social Engineering Part 2
30 Questions

Questions and Answers

Which method is NOT typically associated with spear phishing?

  • Post-It notes
  • Regular newsletters (correct)
  • E-mail
  • Carrier pigeon

What is the ultimate goal of spear phishing?

  • To send spam emails
  • To hack public websites for information
  • To create social media accounts
  • To obtain user credentials for important applications (correct)

Which tactic is recommended when conducting a spear phishing attack?

  • Use direct confrontational techniques
  • Build trust through extended interaction with the target (correct)
  • Employ technically advanced hacking skills
  • Target as many people as possible quickly

What type of exploitation method does NOT fall under the main methods of spear phishing?

Direct physical theft of credentials (C)

Which of the following methods is considered a less conventional form of spear phishing?

Walkie-talkie (A)

What is the primary purpose of building a correct story in a phishing attack?

To gain the target's trust and facilitate interaction (D)

Which of the following approaches is NOT commonly used in traditional spear-phishing attacks?

Creating entirely new websites from scratch (D)

What aspect must be carefully tested in a phishing website after copying it?

The visual and functional accuracy of the site (D)

Which tool can be used to automate the process of copying a website for phishing purposes?

Social Engineering Toolkit's Site Cloner (D)

What must be considered when copying a website for phishing to avoid technical errors?

Missing dependent files such as CSS or JavaScript (D)

What is a key element in creating a phishing website's appearance?

Incorporating familiar visuals to avoid user suspicion (B)

Which domain name strategy is recommended to avoid raising suspicion?

Registering a subtly misspelled version of the target domain (C)

What is the benefit of registering a domain name that is a secondary domain?

It makes the phishing attempt less detectable (D)

How can one reduce the likelihood of emails being marked as spam when phishing?

By registering a legitimate SSL certificate for the domain (C)

What is an essential feature to implement on the back end of a phishing website?

Functional backend capabilities to capture user information (D)

The primary goal of using a phishing website is to gather user credentials.

True (A)

Technical capabilities are the only type of information needed for a successful phishing attack.

False (B)

A phishing website must render correctly for users to trust it.

True (A)

Stories in phishing attacks should strictly adhere to traditional approaches.

False (B)

The Social Engineering Toolkit's Site Cloner is used to scan for missing files after copying a website.

False (B)

E-mail spear phishing is the only method of spear phishing that is considered effective.

False (B)

The goal of spear phishing is solely to send malicious attachments to the target.

False (B)

Building trust with the target user is an essential tactic for successful spear phishing.

True (A)

Among the methods listed, using a walkie-talkie for phishing is a common practice.

False (B)

Client-side exploits are one of the main methods of exploitation in spear phishing.

True (A)

Phishing websites should have a look and feel that is unfamiliar to the user to attract their attention.

False (B)

Choosing a domain name that is an exact match to the target organization is the most effective strategy for phishing.

False (B)

Using numbers to replace letters in domain names is a common tactic in phishing.

True (A)

The Domain Name System (DNS) is generally well understood by end users, making it difficult to deceive them.

False (B)

Implementing back-end functionality is unnecessary once the phishing website’s appearance is established.

False (B)

Flashcards

Spear Phishing Methods

Techniques used to target specific individuals, not just random recipients, for social engineering attacks.

Spear Phishing Goal

Compromise a target's computer and obtain their login credentials for accounts like banking portals.

Exploitation Methods

Ways to compromise a target's computer, including fake websites, client-side attacks, and customized malware.

Social Engineering Tactics

Methods used to gain trust and manipulate a target, often involving building rapport with them for a phishing attempt.

Internal Communications as a Vulnerability

Internal communication methods, even seemingly innocuous ones, can be exploited in spear phishing campaigns.

Information Gathering Method

The best approach for collecting data on a target, focusing on both technical and non-technical skills.

Storytelling for Phishing

Creating a compelling narrative to build rapport and encourage target interaction with a fake website or downloaded software.

Phishing Website Tactics (Copy)

Duplicating a real website (phishing site) to trick the target into entering login credentials.

Website Cloning

Automated process of copying a legitimate website. Often used for phishing attacks.

Website Cloning Errors

Critical files (CSS, JavaScript) must be included and the site must function as expected; otherwise the phishing attempt is useless.

Phishing Website Look and Feel

Mimicking a legitimate website's appearance to trick users.

Phishing Domain Name

A domain name that closely resembles the target website but subtly differs, like a misspelling or a secondary domain.

Domain Name Options (Example Target: weaktarget.com)

Registering alternative domain names like portal-weaktarget.com or weaktarget.com.myportal.com to create a secondary entrance.

Website Back-End Functionality (Phishing)

The internal workings of a phishing website needed to perform actions, like collecting credentials, after the user interacts with the site.

SSL Certificate in Phishing

A Secure Sockets Layer certificate used to provide valid HTTPS and build trust in a phishing website, making its email addresses and communications seem legitimate.

Building Rapport for Phishing

Creating a believable story that fosters trust and encourages the target to interact with a phishing website or download malicious software.

Phishing Website Importance

A fake website designed to mimic a legitimate one, used to capture sensitive user information like login credentials.

Website Cloning Tools

Software that automatically copies the files and structure of an existing website, used in phishing attacks to create a convincing imitation.

Domain Name Options (Phishing)

Registering domain names that are similar to the target website to create a sense of authenticity and avoid suspicion, such as using subtle misspellings or creating secondary domains.

Misspelled Domain Names

A common phishing tactic where the domain name is a slight misspelling of the real website, aiming to trick users who might not notice the difference.

Secondary Domain Names

Creating a domain that includes the target website's name as a subdomain, suggesting a related service or login page.

Phishing Website Back-End Functionality

The hidden code and features behind a phishing website that capture user data, often designed to appear harmless but actually steal information.

Study Notes

Spear Social Engineering Part 2

  • Spear phishing aims to compromise a specific target's computer

  • Email phishing is a common but not exclusive method

  • Various methods can be used including email, snail mail, phone calls, text messages, instant messaging, malicious websites, watering hole websites, CB radio, walkie-talkies, Post-It notes, or even carrier pigeons.

  • Internal communication methods, like walkie-talkies or Post-It notes, can be a vulnerability if trusted

  • The ultimate goal of spear phishing is to gain access to the target's computer and obtain credentials for important applications

  • This can be achieved by using phishing websites, client-side exploits, or custom Trojan backdoors

  • Strategies for successful spear-phishing often involve establishing trust through prolonged interaction

  • This interaction builds the user's trust in a fake persona or guise

  • This interaction is part of the reconnaissance phase

  • To be effective, phishing websites need to resemble the genuine website perfectly

  • This includes elements such as design, fonts, and domain name, all chosen to reduce suspicion

  • Create a website that appears familiar and credible

  • Subtle domain name variations, like a slight misspelling, can be used to trick users

  • Domain variations may use alternative spellings, extra words, etc.; examples include portal-weaktarget.com, benefit-weaktarget.com, login-weaktarget.com and www-weaktarget.com

  • A valid SSL certificate can be registered for the phishing website so that it appears secure and so that spam filters are less likely to block messages

  • The back-end functionality of the phishing website is crucial

  • There are various strategies for responding to the user’s login attempt: redirecting to a legitimate or fraudulent site, creating a proxy, or only registering the login details

  • Another option is to only return a "failed login" message to potentially reveal user password history.

Phishing Website Tactics

  • Phishing websites usually involve copying a legitimate site and directing the target to the fraudulent copy

  • Legitimate websites usually have triggers to avoid suspicion.

  • Tools like the Social Engineering Toolkit's Site Cloner can automate website duplication

  • The complete copying of a website requires attention to detail

  • This includes copying all dependent files, such as CSS and JavaScript files.

Website: Look and Feel

  • The website's appearance and user interface should look and feel authentic to the target

  • Avoiding noticeable differences in the appearance builds trust

  • Including font and design elements to increase credibility for the target.

Website: Domain Name Options

  • The domain name should minimize suspicion

  • Inventing an entirely new company identity or slightly modifying an existing one can be valuable.

  • Subtle domain name misspellings of the target can be effective

  • Additional options involve adding words or numbers to existing domains to create a perception of being a separate, secondary entity.

Phishing Website Watering Holes

  • Selecting a relevant website for specific users based on their industry is critical. These sites are known as "watering holes."

  • Public forums, and with some creativity even private forums, can be used to lure users

  • The aim is to lure a user into interacting with the website.

  • A user account request form can collect the necessary user details, which can then be used to improve the effectiveness of the phishing.

Client-Side Exploit

  • Targeting vulnerabilities in common applications on user systems, such as office productivity applications or multimedia software, is a tactic

  • Popular targets include Microsoft Word, Excel, Adobe Acrobat, and internet browsers (e.g. Internet Explorer, Mozilla, Chrome).

Custom Trojan Backdoor

  • This technique depends on the method used to deliver the backdoor to the target user

  • Delivery channels such as websites, file-sharing services, or physical media (e.g. USB drives, CDs) are common

  • The type of carrier software, such as a trial version, a pirated version, or a legitimately purchased one, plays a role in choosing the backdoor software

Related Documents

Spear Social Engineering PDF

Description

Explore the techniques and strategies behind spear phishing in this engaging quiz. Understand the different methods used to compromise targets and the importance of trust in these interactions. Test your knowledge on how attackers gain access to valuable credentials through various forms of communication.
