Introduction
Phishing is a source of Social Engineering delivered through E-Mail to trick someone into either revealing Personal Information, Credentials or even Executing Malicious Code on their Computer.
These E-Mails will usually appear to come from a Trusted Source, whether that's a Person or a Business. They include content that tries to tempt or trick people into Downloading Software, Opening Attachments, or following links to a Fake Website.
Some other methods of Phishing through other mediums are Smishing which is phishing through SMS Messages, and Vishing which is performed through Phone Calls.
Phishing Infrastructure
| Name | Description |
|---|---|
| Domain Name | You'll need to Register either an Authentic-Looking Domain Name or one that Mimics the Identity of another Domain. |
| SSL/TLS Certificates | Creating SSL/TLS certificates for your chosen Domain Name will add an extra layer of Authenticity to the Attack. |
| Email Server/Account | You'll need to either set up an E-Mail Server or Register with an SMTP Email Provider. |
| DNS Records | Setting up DNS Records such as SPF, DKIM, DMARC will improve the deliverability of your E-Mails and make sure they're getting into the Inbox rather than the Spam Folder. |
| Web Server | You'll need to set up Web Servers or Purchase Web Hosting from a Company to host your Phishing Websites. |
| Analytics | When a Phishing Campaign is part of a Red Team engagement, keeping Analytics Information is more Important. You'll need something to keep track of the E-Mails that have been Sent, Opened or Clicked. You'll also need to combine it with Information from your Phishing Websites for which Users have supplied Personal Information or Downloaded Software. |
| Automation And Useful Software | Some of the above Infrastructures can be quickly Automated by using Tools such as GoPhish - SET (Social Engineering Toolkit). |
Writing Convincing Phishing Emails
The Senders Address: Ideally, the Sender's Address would be from a Domain Name that Spoofs a Significant Brand, a Known Contact, or a Coworker. To find what Brands or People a Victim interacts with, we can employ OSINT (Open Source Intelligence).
- Observe their Social Media Account for any Brands or Friends they talk to.
- Searching Google for the Victim's Name and rough Location for any Reviews the Victim may have left about Local Businesses or Brands.
- Looking at the Victim's Business Website to find Suppliers.
- Looking at LinkedIn to find Coworkers of the Victim.
The Subject: We should set the subject to something quite Urgent, Worrying, or Piques the Victim's Curiosity, so they do not Ignore it and act on it quickly.
- Your Account has been Compromised.
- Your Package has been Dispatched/Shipped.
- Staff Payroll Information.
- Your Photos have been Published.
The Content: If Impersonating a Brand or Supplier, it would be pertinent to Research their standard E-Mail Templates and Branding (Style, Logo's Images, Signoffs etc.) and make your content look the same as theirs, so the Victim doesn't suspect anything.
If Impersonating a Contact or Coworker, it could be beneficial to contact them first, they may have some Branding in their Template, have a particular E-Mail sSignature or even something small such as how they refer to themselves. The Links on the E-Mail should be disguised using the Anchor Text.
<a href="http://website.com">Click Here</a>
Choosing A Phishing Domain
Expired Domains: Although not essential, buying a Domain Name with some History may lead to better scoring of your Domain when it comes to Spam Filters. Spam Filters have a tendency to not trust brand new Domain Names compared to ones with some History.
Typosquatting: Typosquatting is when a Registered Domain looks very similar to the Target Domain you're trying to Impersonate.
TLD Alternatives: A TLD (Top Level Domain) is the .com .net .co.uk .org .gov etc. Part of a Domain name, there are 100's of variants of TLD's now. A common trick for choosing a Domain would be to use the same name but with a different TLD. For example, register website.co.uk to impersonate website.com.
IDN Homograph Attack/Script Spoofing: Originally Domain Names were made up of Latin Characters a-z and 0-9, but in 1998, IDN (Internationalized Domain Name) was implemented to support Language-Specific Script or Alphabet from other languages such as Arabic, Chinese, Cyrillic, Hebrew and more.
An issue that arises from the IDN Implementation is that different letters from different languages can actually appear Identical. For example, Unicode Character U+0430 looks identical to Unicode Character U+0061 used in English, enabling attackers to register a Domain Name that looks almost Identical to another.