2.2 Time to Go Phishing

00:01

welcome the module to Anzai Berries, crafting the perfect email course. Now that we know what's already working, let's go ahead and write a couple of quick phishing emails.

00:14

So one of my favorite fishing techniques is to elicit emotion from a user, and that's to make them think they've already been compromised or hacked.

00:22

Fear is a very powerful emotion, and nobody wants to get the notes that they've been hacked.

00:27

If you can cause that that real quick emotion of fear, most users won't even review a link. So if I was trying to gain access to someone's social media account, I'd probably use something like this. So grab the Facebook logo very easy to find a subject. We notice a new log in,

00:46

and this is something that they have sent out before. I've seen them in my personal email, and so I just kind of used exactly what they're already using. I want to make it look as legitimate as possible. So hey, John, we noticed. Log in from a device you don't normally use. Google Pixel three Crow Mobile

01:03

for a Moscow, Russia On this date and time,

01:07

please log in to review the details and change your password if necessary. And the log in link would link to my spoofed Facebook site where they would log in with their current credentials.

01:19

And I would actually capture those and then passed them. So it looks like they've changed their credentials and they can access Facebook like normal. Hopefully they don't notice anything that's gone on.

01:29

So again, very easy to spoof. Ah, log in page. We can use thes social engineers toolkit, and this will capture any credentials you can host. Mall where? Anything that you wanted to. D'oh!

01:42

So now we're gonna try and help our user. This email can be extremely successful, especially with a little bit of pretexting. So if you've done your recon correctly, you've got some good information. You can actually call the user first, letting the know that their passwords going to be expiring and you're gonna be sending them a link to a new pastor portal to get that updated.

02:02

If you do this, they will not think twice about clicking that link.

02:07

So again from I T department Very easy to spoof to John Doe Subject Expiring Password.

02:14

Good morning, John. According to our records, your email password will be expiring in one day. Please log in and update your password to prevent to being locked out. There is our call to action, So please access the new pastor portal to update your credentials. We've included a link to the password portal. Thank you. I t department.

02:36

Here's another one to gain email credentials. This is one that I have used. It has worked in the past. So, as you can see, um, it was from someone. Dear Sir, Madam, we've noticed that your passport has expired and you need to reset it. You can click the following link to reset your password. If you hover above that link and you'll see it takes you to a Google form.

02:55

What? You never went anywhere? Password into a Google form.

02:59

Um, thank you. I t department and similar to what? We just went over. We're trying to help the user.

03:07

So sometimes the users who think they can't be fished are actually some of the easiest targets. A lot of I t at Mons think they'll never fall for a phishing e mail.

03:19

I know quite a few that actually have and what better access or credentials to get than someone that's working in I t.

03:27

So if you're like me, you get a 1,000,000 emails from vendors every day, especially when you request white papers from the website to keep up on security news. You can use this to your advantage and actually fish the I T department.

03:40

So again, this is another quick example from Vendor A to John Doe subject you requested white paper.

03:46

Hi, John. Thanks for signing up to receive vendor blogged updates, we will send you periodic e mails of the latest and greatest from the bog. In the meantime, check out our latest white paper how to avoid phishing emails or follow us on Twitter for the latest news and product updates. Jane Doe from Vendor, eh?

04:02

This is something you'll definitely want to your recon on. See what kind of stuff they're interested in, what kind of stuff they're using,

04:10

and most likely this one's going to work.

04:14

We're gonna end this lesson with just another quick quiz.

04:18

So one who were some of the best targets for phishing emails?

04:24

That's right. The I T department, our I T staff. They think they can't be fished, and this can be used to your advantage.

04:32

So what's one tool you can use to clone a website? There's a lot of stuff out there, and I did mention one real quickly.

04:41

Yeah, it's Ah, set or the Social Engineers tool kits, and we're gonna go into some labs that go over how to do exactly this.

04:48

So now that we've gone over our fishing email examples, we're gonna go ahead and write your own. There's no perfect template for every situation each one is going to depend on, what the goal or objective ISS. So user re Kon try to elicit some emotion from your victim.

05:06

Now we're gonna go back in the labs with social engineers, tool kit,