Spear Social Engineering - Part 2
30 Questions

Questions and Answers

Which method is NOT commonly used for spear phishing?

  • Social media advertising (correct)
  • Carrier pigeon
  • Snail mail
  • E-mail

What is the ultimate goal of spear phishing?

  • To send spam messages
  • To compromise personal computers (correct)
  • To create a malware-free network
  • To gather general information

Which of the following is a method included in the spear-phishing tactics?

  • Mass email campaigns
  • Public forums
  • Client-side exploits (correct)
  • Fast information gathering

How should one approach social engineering during spear phishing?

  Answer: Focus on a single target

What type of interaction helps increase the success of social engineering in spear phishing?

  Answer: Building trust through deceit

What is a primary consideration when building a story for phishing?

  Answer: It should elicit the necessary response from the specific user.

Which tactic is commonly used in spear-phishing attacks related to websites?

  Answer: Copying an existing website to direct targets to a fraudulent site.

What is a potential issue when copying an existing website for phishing purposes?

  Answer: Some dependent files like CSS or JavaScript may be missed.

What is a recommended approach after copying a website for phishing?

  Answer: Test the website to ensure it renders correctly.

Which example of a story would be effective in a phishing context?

  Answer: You work for a partner company seeking feedback on trial software.

What is an important factor to consider when creating a phishing website's appearance?

  Answer: It should look exactly as the user expects to avoid raising suspicion.

What technique is suggested to register a domain name that is related to an established website?

  Answer: Register a domain with a subtle misspelling of the target's domain.

Which of the following is NOT a recommended domain naming strategy for phishing?

  Answer: Using a completely different domain that is unrelated.

What advantage does registering your own domain name provide for phishing activities?

  Answer: Obtaining a valid Secure Socket Layer (SSL) certificate.

What should be implemented on the back end of a phishing website after designing its front end?

  Answer: The necessary features to perform the intended phishing actions.

A phishing website should look familiar to users to avoid suspicion.

  Answer: True

A domain name that uses a capital 'I' instead of a lowercase 'l' is a common technique for phishing.

  Answer: False

Using SSL certificates is crucial for phishing websites to appear legitimate.

  Answer: True

One strategy for phishing is to choose a domain that is entirely different from the target's.

  Answer: False

Implementing proper back-end functionality is not necessary for phishing websites.

  Answer: False

A successful phishing website must look exactly like the legitimate website.

  Answer: True

Cascading Style Sheet (CSS) files are often excluded when copying a website for phishing purposes.

  Answer: True

Phishing tactics do not require a story to elicit a response from the target user.

  Answer: False

The Social Engineering Toolkit can be used to automate the process of copying existing websites.

  Answer: True

Testing the appearance of the cloned website is unnecessary after copying it for phishing.

  Answer: False

E-mail is the only effective weapon for spear phishing.

  Answer: False

Carrier pigeon can be used as a method of spear phishing.

  Answer: True

The ultimate goal of spear phishing is to compromise a target individual's computer.

  Answer: True

Building trust with the target user does not affect the success of spear phishing.

  Answer: False

Post-It notes are a recommended method for spear phishing.

  Answer: True

    Study Notes

    Spear Social Engineering - Part 2

    • Spear phishing is a targeted attack, not just sending spam emails.
    • Spear phishing aims to compromise a target's computer and obtain their credentials to access important applications like banking portals, not just emails.
    • Attackers use various methods beyond email, such as snail mail, phone calls, text messaging (e.g., Twitter, Facebook), instant messaging, watering hole websites, malicious websites, CB radio, walkie-talkies, and even carrier pigeons.
    • While these methods might seem unusual, some companies use them for internal communication, so messages arriving through them look trustworthy to the recipient, which is exactly what makes them usable as attack channels.
    • Social engineering tactics involve building trust with the target.

    Spear Phishing Methods

    • Email, snail mail, phone calls, text messaging, and instant messaging (Twitter, Facebook) are employed.
    • Attackers may use watering hole websites, malicious websites, CB radio, walkie-talkies, Post-it notes, or even carrier pigeons.
    • Email spear phishing is an effective tactic but not the only one.

    Spear Phishing Goal

    • The goal is to compromise the target computer and obtain credentials for important applications.
    • Main exploitation methods include phishing websites to obtain credentials, client-side exploits, and custom Trojan backdoors.

    Technical Spear Phishing Tactics

    • Tactics apply to various exploitation methods, but attackers should avoid targeting too many people at once, as this could raise suspicion.
    • They aim for more interaction with the target, under a false guise, in order to build trust.
    • This interaction builds on reconnaissance (gathering information about the target).
    • Collecting as much technical and non-technical information about the target as possible is vital.

    Building the Story

    • Craft a believable story to establish a rapport with the target.
    • Ignore conventions; think outside the box when crafting stories.
    • Determine the most impactful and accurate story for each target.

    Examples of Effective Stories

    • A partner, sister company, or parent company offering trial software
    • An internal salesperson providing a free trial
    • Inviting interest in a common hobby or interest group
    • A product feedback request (e.g., software trial) for their industry.

    Phishing Website Tactics

    • The traditional method involves copying a legitimate website and directing the target to the fraudulent site.
    • The fraudulent site should mimic the legitimate one, including triggers (e.g., legitimate look, feel, and functionality).
    • Tools like the Social Engineering Toolkit (SET) Site Cloner automatically copy existing websites.
    • Configuring the tool to harvest credentials is essential.
    • Missing dependent files (like CSS or JavaScript) require checking and inclusion for a complete phishing website.
    • Thorough testing (visual and functional) is critical.

    Website Look and Feel

    • The website must convincingly mimic the authentic website to avoid suspicion.
    • Maintain familiar visual elements, down to the font, for maximum effect.
    • Understand the target's expectations to create a believable and successful phishing operation.

    Website: Domain Name Options

    • Choose a domain name that won't raise immediate suspicion from the target.
    • Create a new company or subtly alter an existing one's domain name (e.g., using a misspelling or adding extra characters).

    Website: Domain Name Example

    • If a target's domain is weaktarget.com, consider registering portal-weaktarget.com, benefit-weaktarget.com, login-weaktarget.com, or www-weaktarget.com.
    • Register a domain name that is similar to the legitimate one (e.g., Softwarex0.com).

    Phishing Website: Back-End Functionality

    • Implement the proper features on the backend (e.g., user login forms).
    • Select a suitable back-end language (e.g., PHP).
    • Set up for user login (username and password fields; file storage for data).
    • Credentials need storage in a file (e.g., .txt).
    • Capture not just usernames and passwords but also IP addresses.
    • Give users options after they log in.

    Phishing Website: Back-End Functionality Alternatives

    • Redirect users to a legitimate or "static" page on the attacker's website.
    • Redirect users to a malware deployment page.
    • Act as a proxy between the target and the genuine website, while logging all activity.

    Phishing Website: Watering Holes

    • Watering holes are common sites visited by a target user.
    • Focus on building a site that targets the specific user's industry.
    • The site gives users the illusion of a public or private forum to join.

    Client-Side Exploit

    • Attacks target vulnerabilities in endpoint software (like workstations).
    • Popular software targets include office productivity suites, email clients, and multimedia software (e.g., Microsoft Word, Excel, Adobe Acrobat, browsers).

    Custom Trojan Backdoor

    • Custom Trojan backdoors are very efficient for deployment.
    • The backdoor software can be bundled with pirated or trial software from legitimate vendors.
    • Direct delivery to the target can be accomplished via websites, public file-sharing sites, or physical media (like CDs, USB drives).

    Related Documents

    Spear Social Engineering PDF

    Description

    Dive deeper into the world of spear phishing in this quiz, where you will explore the targeted and sophisticated methods used by attackers to compromise their victims. Learn about various communication methods attackers may employ and how they build trust to execute their plans effectively.
