Spear Social Engineering - Part 2

Questions and Answers

Which method is NOT commonly used for spear phishing?

  • Social media advertising (correct)
  • Carrier pigeon
  • Snail mail
  • E-mail

What is the ultimate goal of spear phishing?

  • To send spam messages
  • To compromise personal computers (correct)
  • To create a malware-free network
  • To gather general information

Which of the following is a method included in the spear-phishing tactics?

  • Mass email campaigns
  • Public forums
  • Client-side exploits (correct)
  • Fast information gathering

How should one approach social engineering during spear phishing?

Answer: Focus on a single target (C)

What type of interaction helps increase the success of social engineering in spear phishing?

Answer: Building trust through deceit (D)

What is a primary consideration when building a story for phishing?

Answer: It should elicit the necessary response from the specific user. (D)

Which tactic is commonly used in spear-phishing attacks related to websites?

Answer: Copying an existing website to direct targets to a fraudulent site. (B)

What is a potential issue when copying an existing website for phishing purposes?

Answer: Some dependent files like CSS or JavaScript may be missed. (D)

What is a recommended approach after copying a website for phishing?

Answer: Test the website to ensure it renders correctly. (B)

Which example of a story would be effective in a phishing context?

Answer: You work for a partner company seeking feedback on trial software. (C)

What is an important factor to consider when creating a phishing website's appearance?

Answer: It should look exactly as the user expects to avoid raising suspicion. (B)

What technique is suggested to register a domain name that is related to an established website?

Answer: Register a domain with a subtle misspelling of the target's domain. (D)

Which of the following is NOT a recommended domain naming strategy for phishing?

Answer: Using a completely different domain that is unrelated. (A)

What advantage does registering your own domain name provide for phishing activities?

Answer: Obtaining a valid Secure Socket Layer (SSL) certificate. (B)

What should be implemented on the back end of a phishing website after designing its front end?

Answer: The necessary features to perform the intended phishing actions. (D)

A phishing website should look familiar to users to avoid suspicion.

Answer: True (A)

A domain name that uses a capital 'I' instead of a lowercase 'l' is a common technique for phishing.

Answer: False (B)

Using SSL certificates is crucial for phishing websites to appear legitimate.

Answer: True (A)

One strategy for phishing is to choose a domain that is entirely different from the target's.

Answer: False (B)

Implementing proper back-end functionality is not necessary for phishing websites.

Answer: False (B)

A successful phishing website must look exactly like the legitimate website.

Answer: True (A)

Cascading Style Sheet (CSS) files are often excluded when copying a website for phishing purposes.

Answer: True (A)

Phishing tactics do not require a story to elicit a response from the target user.

Answer: False (B)

The Social Engineering Toolkit can be used to automate the process of copying existing websites.

Answer: True (A)

Testing the appearance of the cloned website is unnecessary after copying it for phishing.

Answer: False (B)

E-mail is the only effective weapon for spear phishing.

Answer: False (B)

Carrier pigeon can be used as a method of spear phishing.

Answer: True (A)

The ultimate goal of spear phishing is to compromise a target individual's computer.

Answer: True (A)

Building trust with the target user does not affect the success of spear phishing.

Answer: False (B)

Post-It notes are a recommended method for spear phishing.

Answer: True (A)

Flashcards

Effective Phishing Story

A story tailored to a specific user that encourages them to interact with a phishing website or install software.

Phishing Website Tactics

Techniques for creating a fraudulent website that mimics a legitimate one to trick users into sharing credentials.

Website Copying Tools

Software used to automatically replicate existing websites for phishing attacks.

Missing Files/Testing

It's crucial to check for missed files (CSS, JavaScript) when replicating a website for phishing. Verify website functionality.

Website Functionality

Ensuring the copied website looks and works like the original to successfully deceive the target.

Spear Phishing Methods

Different ways to target specific individuals, not just mass emails. These can include email, snail mail, phone calls, text/instant messages, websites, even unusual methods like walkie-talkies or carrier pigeons.

Spear Phishing Goal

The aim is to get access to a person's important computer accounts, like banking or work portals, through deception.

Technical Spear Phishing Tactics

Methods to accomplish the spear phishing goal (accessing critical accounts). This can include creating fake websites to steal logins, using harmful computer programs, or developing a custom Trojan horse to gain entry.

Building Trust in Spear Phishing

Social engineers often build trust with a target to make them more likely to give sensitive information by interacting with them under false pretenses. This is essential to get the target to trust what is being presented.

Target in Spear Phishing

The attacker focuses on a specific person or group, rather than a large group of people. Targeted attacks are more effective in obtaining sensitive information.

Phishing Website Look & Feel

Mimicking a legitimate website's appearance to trick users into revealing sensitive information.

Phishing Domain Name

Choosing a domain name similar to a target's legitimate website to mislead users.

Subtle Misspellings

Registering a domain with a slight misspelling of a target company's domain to avoid suspicion.

Secondary Domains

Registering a domain name that functions as a component of the target domain name, like 'portal-targetcompany.com'.

Back-End Functionality

The technical aspects of a phishing website, ensuring it collects the desired information.

Technical Spear Phishing Exploitations

How hackers can exploit vulnerabilities to achieve their goal: fake websites to gather credentials, malicious software, or custom backdoors.

Spear Phishing Tactics

Methods used to deceive targets into interacting with phishing schemes. This includes creating believable stories, impersonating trusted sources, and leveraging social engineering techniques.

Why is building a good story important?

It helps establish trust with the victim, making them more likely to interact with a phishing website or install malicious software.

What are good phishing stories?

Stories that involve collaboration with a partner organization, a free software trial, a common interest group, or feedback requests on trial software.

What's the purpose of copying a website?

To create a fake website that looks identical to a legitimate one, tricking users into entering their credentials.

What are missing files?

Essential files like CSS or JavaScript that might be missed when copying a website, affecting the appearance and functionality of the fake one.

Why is testing a phishing site important?

To ensure the copied website looks and functions correctly, avoiding suspicion and maximizing the success of the attack.

Domain Name Mimicry

Creating a domain name that closely resembles the target's legitimate website to deceive users.

Website Look & Feel

Making the phishing site visually identical to the legitimate website to avoid arousing suspicion.

Study Notes

Spear Social Engineering - Part 2

  • Spear phishing is a targeted attack, not just sending spam emails.
  • Spear phishing aims to compromise a target's computer and obtain their credentials to access important applications like banking portals, not just emails.
  • Attackers use various methods beyond email, such as snail mail, phone calls, text messaging (e.g., Twitter, Facebook), instant messaging, watering hole websites, malicious websites, CB radio, walkie-talkies, and even carrier pigeons.
  • While these methods might seem unusual, some companies use them for internal communication, so messages arriving over them look trustworthy, which leaves those channels open to attack.
  • Social engineering tactics involve building trust with the target.

Spear Phishing Methods

  • Email, snail mail, phone calls, text messaging, and instant messaging (Twitter, Facebook) are employed.
  • Attackers may use watering hole websites, malicious websites, CB radio, walkie-talkies, Post-it notes, or even carrier pigeons.
  • Email spear phishing is an effective tactic but not the only one.

Spear Phishing Goal

  • The goal is to compromise the target computer and obtain credentials for important applications.
  • Main exploitation methods include phishing websites to obtain credentials, client-side exploits, and custom Trojan backdoors.

Technical Spear Phishing Tactics

  • Tactics apply to various exploitation methods, but attackers should avoid targeting too many people at once, since a broad campaign could raise suspicion.
  • They seek repeated interaction with the target under a false guise in order to build trust.
  • This interaction builds on reconnaissance (gathering information about the target).
  • Collecting as much technical and non-technical information about the target as possible is vital.

Building the Story

  • Craft a believable story to establish a rapport with the target.
  • Ignore conventions; think outside the box when crafting stories.
  • Determine the most impactful and accurate story for each target.

Examples of Effective Stories

  • A partner, sister company, or parent company offering trial software
  • An internal salesperson providing a free trial
  • Inviting interest in a common hobby or interest group
  • A product feedback request (e.g., software trial) for their industry.

Phishing Website Tactics

  • The traditional method involves copying a legitimate website and directing the target to the fraudulent site.
  • The fraudulent site should mimic the legitimate one, including the cues the target expects (e.g., legitimate look, feel, and functionality).
  • Tools like the Social Engineering Toolkit (SET) Site Cloner automatically copy existing websites.
  • Configuring the tool to harvest credentials is essential.
  • Missing dependent files (like CSS or JavaScript) require checking and inclusion for a complete phishing website.
  • Thorough testing (visual and functional) is critical.

Website Look and Feel

  • The website must convincingly mimic the authentic website to avoid suspicion.
  • Maintain familiar visual elements, down to the font, for maximum effect.
  • Understand the target's expectations to create a believable and successful phishing operation.

Website: Domain Name Options

  • Choose a domain name that won't raise immediate suspicion from the target.
  • Create a new company or subtly alter an existing one's domain name (e.g., using a misspelling or adding extra characters).

Website: Domain Name Example

  • If a target's domain is weaktarget.com, consider registering portal-weaktarget.com, benefit-weaktarget.com, login-weaktarget.com, or www-weaktarget.com.
  • Register a domain name that is similar to the legitimate one (e.g., Softwarex0.com).

Phishing Website: Back-End Functionality

  • Implement the proper features on the back end (e.g., user login forms).
  • Select a suitable back-end language (e.g., PHP).
  • Set up for user login (username and password fields; file storage for data).
  • Credentials need storage in a file (e.g., .txt).
  • Capture not just usernames and passwords but also IP addresses.
  • Give users options after they log in.

Phishing Website: Back-End Functionality Alternatives

  • Redirect users to a legitimate or "static" page on the attacker's website.
  • Redirect users to a malware deployment page.
  • Act as a proxy between the target and the genuine website, while logging all activity.

Phishing Website: Watering Holes

  • Watering holes are common sites visited by a target user.
  • Focus on building a site that targets the specific user's industry.
  • The site gives users the illusion of a public or private forum to join.

Client-Side Exploit

  • Attacks target vulnerabilities in software running on endpoints (such as workstations).
  • Popular software targets include office productivity suites, email clients, and multimedia software (e.g., Microsoft Word, Excel, Adobe Acrobat, browsers).

Custom Trojan Backdoor

  • Custom Trojan backdoors are very efficient for deployment.
  • The backdoor software can be bundled with pirated or trial software from legitimate vendors.
  • Direct delivery to the target can be accomplished via websites, public file-sharing sites, or physical media (like CDs, USB drives).

Related Documents

Spear Social Engineering PDF