Introduction

Phishing attacks are an excellent first-entry vector, with technical details that are frequently overlooked by both white-hat and black-hat hackers.

Having participated in multiple phishing campaigns over the years, on both offensive and defensive teams, I’ve learned through trial and error many of the details that deserve attention. This article tries to summarize them.

Technical subjects

Even though phishing campaigns are often associated with social engineering, they have technical components you need to be aware of in order to be successful. Some of the topics we will cover (superficially) are:

  • Difference between common phishing and spear phishing
  • SPF, DKIM and DMARC
  • OSINT
  • SSL/TLS
  • Spam filters
  • DNS, and MX/SPF/DKIM (TXT) records specifically
  • Homograph attacks

Considerations

I know a big percentage of readers only go through the first lines of an article, so let me give you the best advice I can right now. The first thing you need to understand is that a phishing attack doesn’t necessarily have to start with an email. Yes, we will mostly cover phishing attacks through email in this story, but there are multiple ways in which you could arrive at a phishing site.

Also, not every phishing site is after your credentials or your credit card, or wants you to download a malicious file. I’ve heard many people say that as long as you don’t download any file and you don’t enter your credentials or credit card details anywhere, you can go around clicking everything you get sent. This is not true.

I’ve participated in multiple assessments where our entry point was someone clicking on a URL they shouldn’t have and running a script through an XSS.

Or maybe they want you to send a request that performs an action on your behalf, exploiting a CSRF vulnerability.

Or maybe they just want to exploit your outdated browser with something like Metasploit’s browser autopwn (https://blog.rapid7.com/2015/07/15/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter-part-1/).

Maybe they want to hook your browser with BeEF (https://beefproject.com/).

Maybe the link doesn’t even point to a URL but rather to a UNC path, and someone inside your network is trying to relay your credentials (https://github.com/lgandx/Responder-Windows).

Maybe it’s one of the multiple relay attacks that have recently shown up in remote conferencing software during the quarantine, in both Zoom (https://thehackernews.com/2020/04/zoom-windows-password.html) and TeamViewer (https://thehackernews.com/2020/08/teamviewer-password-hacking.html).

I could go on, but I’ll stop and hope I’ve given you enough examples to prove the point.

