The 5 Phases of a Phishing Attack

November 4, 2015


This article is written from the attacker's point of view, showing the mindset behind a phishing attack.

It’s intended to build awareness around computer and online safety. It’s NOT intended for illegal or immoral use.

Phishing attacks have become more carefully crafted and effective. They are no longer just random mass-mailer campaigns: a phishing email may be a targeted attack on one organization, or a spear-phishing attack aimed at specific people within it. Attacks of this kind have been behind several of the recent headline-making corporate and government breaches.

Scenario:
  An employee, student or outside user wants to break into a network. The network includes a Google-hosted (Gmail) email domain and a website domain. Note: this is one example; there is more than one way to "skin a cat."

Phases of a Phishing Attack:


1. Enumeration

Using Google hacking (advanced search operators), research on the target's website (links, job postings, job titles, email addresses, news, etc.) or HTTrack (to mirror the entire website for offline enumeration), the hacker learns staff names, positions and email addresses. The harvested addresses also reveal the organization's email naming convention, which lets the hacker guess addresses for staff whose email never appears publicly.
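As an added example (not part of the original article), the following Python script shows what the enumeration step yields once a site has been mirrored with HTTrack: it harvests published email addresses, and names that appear next to a job title, from a few constructed page fragments, votes on the organization's email naming convention, and then guesses addresses for named staff whose address was never published. The company, people, page contents and domain are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: fragments of pages as an HTTrack mirror of a company site
# might contain. The company, people and domain are hypothetical.
MIRRORED_PAGES = {
    "contact.html": """
        <p>Press: Jane Doe, Press Officer. Email jane.doe@example-corp.com</p>
        <p>Sales: bob.smith@example-corp.com</p>
        <p>Support: support@example-corp.com</p>
    """,
    "news.html": """
        <h2>Example Corp appoints Alice Wong as Chief Technology Officer</h2>
        <p>Contact: alice.wong@example-corp.com</p>
        <p>Also quoted: Carl Jensen, Head of IT</p>
    """,
    "careers.html": """
        <p>Recruiting enquiries: hr@example-corp.com</p>
        <p>Questions about the Junior Helpdesk Analyst role? Ask Dana Ruiz, IT Manager.</p>
    """,
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# "Firstname Lastname, Title" or "Firstname Lastname as Title"; the title runs to a
# period, a tag or end of line. Deliberately simple: it shows the idea, not full NER.
PERSON_RE = re.compile(r"\b([A-Z][a-z]+) ([A-Z][a-z]+)(?:,| as) ([A-Z][\w ]+?)(?:[.<]|$)", re.M)

# Local-part conventions to vote between, keyed by a label.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "first": lambda f, l: f,
}


def harvest_emails(pages):
    """All email addresses found in the mirrored pages, lower-cased."""
    found = set()
    for html in pages.values():
        found.update(m.lower() for m in EMAIL_RE.findall(html))
    return found


def harvest_people(pages):
    """(first, last, title) for every name that appears next to a job title."""
    people = []
    for html in pages.values():
        for first, last, title in PERSON_RE.findall(html):
            people.append((first, last, title.strip()))
    return people


def infer_convention(emails, people):
    """Pick the convention that explains the most harvested (name, address) pairs."""
    locals_seen = {e.split("@")[0] for e in emails}
    votes = Counter()
    for first, last, _ in people:
        for label, fmt in FORMATS.items():
            if fmt(first.lower(), last.lower()) in locals_seen:
                votes[label] += 1
    return votes.most_common(1)[0][0] if votes else None


def candidate_addresses(pages, domain):
    """Guess addresses for named staff whose address was never published."""
    emails = harvest_emails(pages)
    people = harvest_people(pages)
    convention = infer_convention(emails, people)
    if convention is None:
        return None, {}
    fmt = FORMATS[convention]
    known = {e.split("@")[0] for e in emails if e.endswith("@" + domain)}
    guesses = {}
    for first, last, title in people:
        local = fmt(first.lower(), last.lower())
        if local not in known:
            guesses[f"{local}@{domain}"] = title
    return convention, guesses


if __name__ == "__main__":
    conv, guesses = candidate_addresses(MIRRORED_PAGES, "example-corp.com")
    print("convention:", conv)
    for addr, title in guesses.items():
        print(f"  {addr:35} {title}")
```

On the sample pages the two published name/address pairs both fit first.last, so the script proposes addresses for the Head of IT and the IT Manager, exactly the people the phase 3 pretext below needs to spoof or target. The regular expressions are intentionally naive; a real engagement would mirror far more pages and tolerate more name formats.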

2. Scanning

Armed with this basic information, the hacker moves forward and tests the network for other points of attack, using a few methods to map it (for example, tools from Kali Linux, Maltego, and looking up the domain's MX records or emailing a published contact address and reading the reply's headers to uncover the mail server and its provider). Active port scans are noisy, so this mapping leans on passive sources wherever possible.

3. Gaining Access

With enumeration and scanning done, the hacker has a couple of options to get inside. A reverse TCP shell embedded in a PDF with Metasploit might be caught by antivirus or the spam filter. An Evil Twin access point with a man-in-the-middle attack on users is another option, but it requires physical proximity to the victims.

The hacker plays it safe with a simple phishing attack and targets the IT department, where a few recent hires are not yet up to speed on procedures. A phishing email with the CTO's real address forged in the From: header is sent to the new hires through a mailer program. Whether that forged sender is delivered or rejected depends on the target domain's SPF and DMARC records, a point worth checking during scanning.

The email contains a link to a phishing website that collects usernames and passwords. The page can be delivered in any number of ways (a phone app, a spoofed website, a Gmail-styled login page, etc.) and prompts the users to log in to a "new Google portal". The Social-Engineer Toolkit (SET), already running, hosts the credential-harvesting page and has sent the email with the server address, masked behind a bit.ly or TinyURL short link. Captured passwords alone do not open an account protected by two-factor authentication, which is why that item in the bonus list below matters more than the rest.
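To make the scanning step (identifying the mail server) and the forged-sender step of phase 3 concrete, here is an added Python example, not from the original article, that works on constructed DNS answers: it identifies the mail provider from the MX hosts and reads the SPF and DMARC records to decide whether a message with the CTO's address forged in the From: header would be blocked. The domain and all records are hypothetical; a weak configuration is shown beside the hardened one a defender would want.

```python
# Constructed DNS answers for a hypothetical target domain: what `dig MX example-corp.com`,
# `dig TXT example-corp.com` and `dig TXT _dmarc.example-corp.com` would return. Not real records.
WEAK_DNS = {
    ("example-corp.com", "MX"): ["10 aspmx.l.google.com.", "20 alt1.aspmx.l.google.com."],
    ("example-corp.com", "TXT"): [
        "v=spf1 include:_spf.google.com ~all",
        "google-site-verification=abc123",
    ],
    ("_dmarc.example-corp.com", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example-corp.com"],
}

# Same domain with the settings a defender would want: SPF hard-fail and DMARC reject.
HARDENED_DNS = dict(WEAK_DNS)
HARDENED_DNS[("example-corp.com", "TXT")] = ["v=spf1 include:_spf.google.com -all"]
HARDENED_DNS[("_dmarc.example-corp.com", "TXT")] = ["v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.com"]

# MX hostname suffixes of the large hosted-mail providers.
PROVIDER_SUFFIXES = {
    "google.com": "Google (Gmail / Google Apps)",
    "googlemail.com": "Google (Gmail / Google Apps)",
    "protection.outlook.com": "Microsoft (Office 365)",
}


def mail_provider(mx_records):
    """Identify the mail provider from MX hostnames, or 'self-hosted/unknown'."""
    for record in mx_records:
        host = record.split()[1].lower().rstrip(".")
        for suffix, name in PROVIDER_SUFFIXES.items():
            if host == suffix or host.endswith("." + suffix):
                return name
    return "self-hosted/unknown"


def parse_spf(txt_records):
    """{'includes': [...], 'all': qualifier} or None if SPF is absent or duplicated (permerror)."""
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    result = {"includes": [], "all": None}
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            result["all"] = qualifier          # '-' hard fail, '~' soft fail, '?' neutral, '+' pass
        elif mechanism.startswith("include:"):
            result["includes"].append(mechanism.split(":", 1)[1])
    return result


def parse_dmarc(txt_records):
    """Tag dictionary from the _dmarc TXT record, or None if absent or duplicated."""
    rec = [t for t in txt_records if t.lower().startswith("v=dmarc1")]
    if len(rec) != 1:
        return None
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(dns, domain):
    """Summarise the mail setup and whether a forged From: header would be acted on."""
    mx = dns.get((domain, "MX"), [])
    spf = parse_spf(dns.get((domain, "TXT"), []))
    dmarc = parse_dmarc(dns.get(("_dmarc." + domain, "TXT"), []))
    policy = dmarc.get("p", "none").lower() if dmarc else None
    return {
        "provider": mail_provider(mx),
        "spf_all": spf["all"] if spf else None,
        "spf_includes": spf["includes"] if spf else [],
        "dmarc_policy": policy,
        # SPF checks the envelope sender, not the From: header the user sees. Only a DMARC
        # policy of quarantine/reject makes receivers act on a forged From: address.
        "spoofed_from_blocked": policy in ("quarantine", "reject"),
    }


if __name__ == "__main__":
    for label, dns in (("weak", WEAK_DNS), ("hardened", HARDENED_DNS)):
        print(label, assess(dns, "example-corp.com"))
```

The weak record set is the one the narrative relies on: the MX hosts confirm a Google-hosted domain, and with DMARC at p=none the forged CTO address is left to the spam filter's judgement. With p=reject, the same message fails DMARC alignment and is dropped before any new hire sees it.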


4. Maintaining Access

The hacker has gained access to multiple Gmail accounts and begins to test them on the Google domain. If one of the captured accounts holds admin rights, the hacker creates a new administrator account that follows the organization's naming convention and organizational-unit (OU) structure, so that it blends in. As a further precaution, the hacker identifies dormant accounts, on the assumption that they are forgotten or unused, changes the password on one of them and elevates it to admin, keeping a second way back into the network. (Creating accounts and granting admin roles needs admin privileges on the domain; without a captured admin account, the hacker is limited to the mailboxes of the users who entered their passwords.)

The hacker might also send emails to other users carrying a weaponized file, such as a PDF with an embedded reverse shell, to extend their reach. No overt exploitation or attacks occur at this stage. If there is no sign of detection, the waiting game starts and the victim remains in the dark.

Once inside, the hacker copies all emails, appointments, contacts, instant messages and files, to be sorted through and used later.


5. Covering Tracks

Before the attack, the attacker changes the MAC address of the attacking machine and routes its traffic through at least one VPN to help conceal their identity. (The MAC address is only seen on the local network segment, such as a public Wi-Fi hotspot; it is the VPN that hides the source IP from the target.) They avoid direct attacks and active scanning techniques, which would be deemed "noisy"; the mapping in phase 2 therefore leans on passive sources.

After the attack, the hacker covers their tracks: clearing sent emails, server logs, temp files, etc. The hacker also looks for messages from the email provider alerting the user to a possible unauthorized sign-in and deletes them. Deleting those alerts does not erase the provider's own records, though: sign-in history and the domain's admin audit log are kept on the provider's side and remain visible to the administrators.
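The persistence actions of phase 4 (a new administrator account, a dormant account reset and elevated) and the cleanup of phase 5 (deleting sign-in alert emails) both leave traces in the domain's server-side admin audit log, which cannot be deleted from a mailbox. The following added Python example, not from the original article, runs two detections over constructed audit events; the event and field names are assumptions modelled loosely on a directory audit log, not any vendor's real schema.

```python
from datetime import datetime, timedelta

# Constructed admin-audit events for a hypothetical Google-hosted domain. Field and event
# names are assumptions modelled loosely on a directory audit log, not a vendor's real schema.
EVENTS = [
    {"ts": "2015-07-01T08:00:00", "actor": "old.intern@example-corp.com", "event": "LOGIN",
     "target": "old.intern@example-corp.com", "ip": "203.0.113.10"},
    {"ts": "2015-11-03T22:10:00", "actor": "itadmin@example-corp.com", "event": "LOGIN",
     "target": "itadmin@example-corp.com", "ip": "198.51.100.7"},
    {"ts": "2015-11-03T22:12:00", "actor": "itadmin@example-corp.com", "event": "CREATE_USER",
     "target": "svc.backup@example-corp.com", "ip": "198.51.100.7"},
    {"ts": "2015-11-03T22:13:00", "actor": "itadmin@example-corp.com", "event": "GRANT_ADMIN",
     "target": "svc.backup@example-corp.com", "ip": "198.51.100.7"},
    {"ts": "2015-11-03T22:20:00", "actor": "itadmin@example-corp.com", "event": "CHANGE_PASSWORD",
     "target": "old.intern@example-corp.com", "ip": "198.51.100.7"},
    {"ts": "2015-11-04T09:05:00", "actor": "hr.lead@example-corp.com", "event": "CHANGE_PASSWORD",
     "target": "hr.lead@example-corp.com", "ip": "203.0.113.10"},
]


def detect(events, dormant_days=90, grant_window=timedelta(hours=1)):
    """Return (rule, target account, actor) for each suspicious persistence action.

    Rule 1: an account is granted admin within grant_window of being created
            (phase 4's "new administrator account ... to blend in").
    Rule 2: someone other than the owner resets the password of an account that has not
            logged in for dormant_days, or never has (phase 4's dormant-account takeover).
    """
    last_login = {}
    created_at = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):       # ISO timestamps sort as strings
        ts = datetime.fromisoformat(e["ts"])
        kind, target, actor = e["event"], e["target"], e["actor"]
        if kind == "LOGIN":
            last_login[target] = ts
        elif kind == "CREATE_USER":
            created_at[target] = ts
        elif kind == "GRANT_ADMIN":
            if target in created_at and ts - created_at[target] <= grant_window:
                alerts.append(("new-account-made-admin", target, actor))
        elif kind == "CHANGE_PASSWORD" and actor != target:
            seen = last_login.get(target)
            if seen is None or ts - seen > timedelta(days=dormant_days):
                alerts.append(("dormant-account-reset-by-other", target, actor))
    return alerts


if __name__ == "__main__":
    for rule, target, actor in detect(EVENTS):
        print(f"{rule:32} target={target:30} by={actor}")
```

Both hits in the sample are performed by the compromised itadmin account within minutes of a sign-in from an address it never used before, which is the pattern phase 4 describes. Because the audit log is written by the provider rather than stored in any mailbox, the deleted "new sign-in" alerts of phase 5 do not remove these events; shipping this log to a SIEM, or at least alerting on the two rules above, is the practical counter to the "waiting game".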


BONUS: Protection for End Users

Talk with end users about protecting themselves against phishing and other attacks. Use these suggestions:

       Do not post information on social media that relates to any security challenge questions

       Do not use simple passwords, dictionary words, etc.

       Do not use details from your personal life, such as spouse names, pet names, etc.

       Build passwords that are at least 8 characters (longer is better) with upper and lower case letters, numbers and special characters

       Use two-factor authentication wherever it is offered; it stops a stolen password from being enough on its own

       Avoid keyboard-walk "shapes" (qwerty-style patterns) as a source of randomness; they are in every cracking wordlist. For randomness you can still recall, use a long passphrase of unrelated words, or a password manager that generates and stores random passwords

       Be wary of emails asking for passwords. Sites like Google, Microsoft, etc. will not ask for your current password in an email

       When dealing with emails, especially those concerning passwords or logins, verify the source of the email (the From address can be forged; check the full headers if in doubt)

       For emails containing links, verify the link's true URL: hover over it, and treat a short link (bit.ly, TinyURL) as an unknown destination

       If the email contains a file, scan it before opening

       If a compromise is suspected, change the password right away and alert the network admin

       Make sure computers and software are up to date

       Have current antivirus software installed

       Avoid easy-to-guess challenge questions (including answers that can be skimmed from social media)

       Log out of all sessions; don't just close the browser
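As an added example of the "verify the link's true URL" and "verify the source" advice above (not from the original article), this Python script scans a constructed HTML email for the tricks used in phase 3: a URL shortener in the href, link text that shows a different site than the href points to, a trusted name embedded in an untrusted host, punycode labels, and typo-squat lookalikes. The trusted-domain list and the sample email are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the reader actually expects mail from; hypothetical list, extend per organization.
TRUSTED = ("google.com", "accounts.google.com", "microsoft.com", "example-corp.com")
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}

# Constructed phishing email body (HTML) with four links of varying honesty.
SAMPLE_EMAIL = """
<p>Your account requires verification. Sign in at
<a href="http://bit.ly/2xAbCd">https://accounts.google.com/signin</a></p>
<p>Or use <a href="https://accounts.google.com.example-portal.net/login">our new Google portal</a></p>
<p>Legitimate for comparison: <a href="https://accounts.google.com/signin">https://accounts.google.com/signin</a></p>
<p>Typo-squat: <a href="https://g00gle.com/login">g00gle.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host):
    """Crude registrable domain (last two labels); a real tool would use the public-suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to spot g00gle.com-style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, text, trusted=TRUSTED):
    """Return the reasons a link deserves suspicion (an empty list means none were found)."""
    flags = []
    host = host_of(href)
    if urlparse(href).scheme == "http":
        flags.append("no-tls")
    if host in SHORTENERS:
        flags.append("url-shortener")          # true destination hidden behind a redirect
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")          # internationalised label, possible homograph
    text_host = host_of(text) if "." in text and " " not in text else ""
    if text_host and registrable(text_host) != registrable(host):
        flags.append("text-href-mismatch")     # text shows one site, href goes to another
    reg = registrable(host)
    if reg in {registrable(t) for t in trusted}:
        return flags
    for t in trusted:
        if t in host:
            flags.append("trusted-name-embedded")  # e.g. accounts.google.com.evil.example
            break
        if edit_distance(reg, registrable(t)) <= 2:
            flags.append("lookalike-domain")
            break
    return flags


def scan_email(html):
    """(href, flags) for every link in an HTML email body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, check_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, flags in scan_email(SAMPLE_EMAIL):
        print(f"{href:60} {', '.join(flags) or 'ok'}")
```

The first link is the one from the narrative: the visible text is a real Google sign-in URL while the href is a bit.ly redirect, so the text/href mismatch and the shortener are both flagged without following the redirect. The script never fetches anything, which is the point: the checks a user is asked to do by eye can be done on the raw HTML before any link is clicked.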


Thanks for reading. I hope this information was useful. Knowledge is key. Be aware, be smart, be careful.

25 Comments
  1. This is short and precise. Thanks for sharing.

  2. Nice and simple… Thanks for sharing
