Home 0P3N Blog The 5 Phases of a Phishing Attack
Ready to Start Your Career?
Create Free Account
By: RoninSmurf
November 4, 2015

The 5 Phases of a Phishing Attack

By: RoninSmurf
November 4, 2015
By: RoninSmurf
November 4, 2015

fishing-for-money-cybraryThis document is written from the attacker’s point of view, showing the mindset behind a phishing hack.

It's intended to build awareness around computer and online safety. It's NOT intended for illegal or immoral use.

Phishing attacks have become more carefully crafted and effective. They're no longer just random mass mailer emails attacks. A phishing email may be a targeted attack or a spear phishing attack. These kinds of attacks have made the headlines for recent large corporate and government hacks.


Scenario:  An employee, student or outside user wants hack to a network.  The network includes a Gmail email domain and a website domain. Note: This is one example - there's more than one way to "skin a cat."


Phases of a Phishing Attack:

1. Enumeration

The hacker users Using Google Hacking, research on the website (checking links, jobs, job titles, email, news, etc.) or HTTPTrack (to download the entire website for later enumeration). He/she learns staff names, positions and email addresses.

 2. Scanning

Armed with the basic information, the hacker moves forward. He/she tests the network for other points of attack. The hacker leverages a few of methods to map the network (i.e. Kali Linux, Maltego and find an email to contact to uncover the email server).

3. Gaining Access

The hacker finished enumerating and scanning the network. They have a couple options to gain access inside. A reverse TCP/IP shell in a PDF using Metasploit might be caught by an antivirus or spam filter. They could set up a Evil Twin router and try to Man in the  Middle attack users to gain access.

The hacker plays it safe using a simple phishing attack. He/she infiltrates from the IT department. There are a few recent hires who aren't up to speed on procedures. A phishing email from CTO’s actual email address is sent to the new hires through a program.

The email contains a link to a phishing website that will collect login and passwords. Using any number of options (phone app, website email spoofing, Gmail, etc), it prompts the users to login to a new Google portal. The Social Engineering Toolkit was already running and has sent an email with the server address, masking it with a bitly or tinyurl.

 4. Maintaining Access

The hacker gained access to multiple Gmail accounts. He/she begins to test the accounts on the Google domain. The hacker creates a new administrator account based on the naming structure and OU structure to blend in. As a precaution, the hacker seeks and identifies latent accounts. The hacker assumes these accounts are likely either forgotten or not used. He/she changes the password on one account and elevates privileges to admin to maintain access to the network.

The hacker might send out emails to other users containing an exploited file such as a PDF with a reverse shell to extend possible access. No overt exploitation or attacks will occur at this time. If there's no evidence of detection, the waiting game starts, letting the victim remain in the dark.

Once inside, the hacker begins to make copies of all emails, appointments, contacts, instant messages and files to be sorted and used later.

 5. Covering Tracks

Prior to the attack, the attacker will change their MAC address and run the attacking machine through at least one VPN to help conceal identity. They will not deliver a direct attack or any scanning technique, which would be deemed “noisy."

After the attack, the hacker seeks to cover their tracks. This includes clearing out sent emails, server logs, temp files, etc.  The hacker will also look for messages from the email provider alerting possible unauthorized logins.  The hacker will delete those emails.

 BONUS: Protection for End Users

Talk with end users about protecting themselves against phishing and other attacks. Use these suggestions:

       Do not post information on social media that's be related to any challenge questions

       Do not use simple passwords, words, etc.

       Do not use common items that pertain to personal life, such as spouse names, pet names, etc.

       Build passwords that are 8 characters or longer with upper and lower case, numbers and special characters.

       Consider 2 factor authentication when possible

       To help with randomization and recall, use shapes instead of spelling words in a password. Shapes tend to be easier to remember than random passwords.

       Be careful of password requests emails. Sites like Google, Microsoft, etc. will not request your current password in an email

       When dealing with emails, especially those pertaining to passwords or logins, verify the source of the email

       For emails containing links, verify the link's true URL

       If the email contains a file, scan it before opening

       If a compromise is suspected, change the password right away and alert the network admin

       Make sure computers and software are up to date

       Have current antivirus software installed

       Avoid easy to guess challenge questions (including answers that can be skimmed from social media)

       Log out of all sessions, don't just close the browser

 Thanks for reading. I hope this information was useful. Knowledge is key. Be aware, be smart, be careful.
Request Demo

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry