Let’s Go Phishing

Have you ever received one of those emails telling you to log into hotmail.com NOW, otherwise Microsoft will delete your account? Ever followed the link and been presented with what looks to be the hotmail website? Ever wondered how they do it and what happens when you enter your details? Enter the world of Phishing! Phishing is a form of what the security industry calls Social Engineering, or human hacking. The basic idea is to get someone to tell you something they shouldn’t, like their hotmail logon details! Many years ago this was mostly done over the phone; now it’s done via email. The bad guy sends you an email that looks like it has come from the company or website in question. Contained within that email will be a link to a site that will supposedly help you stop Microsoft from deleting your account.

The site is normally a clone of the original site, and the only clue you might have that this isn’t hotmail.com is that the URL in the browser will be wrong. If you enter your details and click the logon button, most of the time it will do one of two things: drop you back to the same fake site, OR redirect you to the real website. What you are not seeing is that your logon details have been sent back to a server and recorded by the bad guys for use later. How is this all done, I hear you ask? Well, it’s quite simple.

The Social Engineering Toolkit

The Social Engineering Toolkit (SET) was created to help the good guys (white hat hackers) and security folks perform pentesting and educate users about not just clicking on any old link. The kit has been integrated into Backtrack Linux for ease of use. The following is a quick example of how to use it to create a fake site and record user logon details. You will need Backtrack 5. I am not going to hold your hand while you download it and set it up.

BIG FAT WARNING: Only do this in a test lab! DO NOT DO THIS ILLEGALLY!

Step 1: Open a terminal window and change directory to ‘/pentest/exploits/set’.
Step 2: Execute SET by running ./set. You should see the following screen:
Step 3: We want to enter the ‘Social-Engineering Attacks’ section, so type 1 and press enter.
Step 4: We are going to use the ‘Website Attack Vector’, so enter 2 and press enter.
Step 5: The screen will now change to display a heap of very useful info. If this is your first time, I suggest you read it.
Step 6: From this screen we want to use the ‘Credential Harvesting Attack Method’. As the name suggests, it allows us to collect people’s credentials. Select option 3 and hit enter.
Step 7: You can now choose between cloning a site, using a template or creating a custom site for the attack. For now I suggest you just use one of the templates; it’s nice and easy and has a good success rate. Select 1 from the list.
Step 8: As you can see, you can pick from some of the biggest sites on the web! For the demo we will use Gmail; it’s a nice simple interface and it clones well. Select 2 from the list.
Step 9: Press enter when it asks and presto, you should now have a web server running on your local machine, listening on port 80.
Step 10: Open up your browser and point it at http://{yourip}:80. All going well, you should see what looks like the Gmail logon screen.
Now have a look at the terminal screen… you will notice that stuff has started to be recorded; this is the browser asking for the website. Test out what happens when you enter some FAKE details into the website and hit Sign In… As you can see in my screenshot here, the username returned was bob@gmail.com and the password was thisismypassword. Bingo! We have a user’s logon details and now we can read Bob’s email!!!

Defence

The best way to defend against this is education and care! You need to know that these attacks are happening. Keep your eyes open and be a little sus about things sent to you. Take care not to just click on links in emails, even if you think they’re from someone you know or a company you deal with. If you get an email asking you to log into your email or online banking, don’t follow the link; type the URL of your online bank or email provider in yourself….
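As an added example (not from the original post), here is a small Python checker for the clue the post points out: the link in the email and the URL in the browser do not belong to the real site. It scans a constructed HTML email body (a made-up sample, not a real message) for links whose destination is a raw IP address, like the http://{yourip}:80 demo server above, or which borrow a trusted brand name while really pointing somewhere else; the trusted-domain list and the simple "last two labels" domain heuristic are assumptions for the demo.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample (not from the post): an email body in the style described above.
SAMPLE_EMAIL_HTML = """
<p>Your account will be deleted! Sign in NOW at
<a href="http://203.0.113.10:80/">https://mail.google.com</a> to keep it.</p>
<p>Or verify here: <a href="https://hotmail.com.account-check.example/login">Hotmail</a></p>
<p>Help centre: <a href="https://support.google.com/mail">support.google.com</a></p>
"""
TRUSTED_DOMAINS = {"google.com", "hotmail.com"}  # assumed allow-list for the demo

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _is_ip(host):
    try:
        return ip_address(host) is not None
    except ValueError:
        return False

def _registered_domain(host):
    return ".".join(host.lower().split(".")[-2:])  # naive; real code would use the public suffix list

def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, reason)] for links that show the clues the post describes."""
    p = _LinkCollector(); p.feed(html)
    findings = []
    for href, text in p.links:
        host = (urlparse(href).hostname or "").lower()
        if _is_ip(host):
            findings.append((href, "destination is a raw IP address"))
            continue
        real = _registered_domain(host)
        if real in trusted:
            continue  # the genuine site; nothing to flag
        # what the reader sees: a URL in the link text, or a bare brand word
        shown = urlparse(text if "://" in text else "//" + text).hostname or text.lower()
        if _registered_domain(shown) in trusted or any(t.split(".")[0] in host for t in trusted):
            findings.append((href, f"looks like a trusted site but really goes to {real}"))
    return findings
```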