The 5 Phases of a Phishing Attack

This document is written from the attacker’s point of view, showing the mindset behind a phishing hack. It’s intended to build awareness around computer and online safety. It’s NOT intended for illegal or immoral use.

 Phishing attacks have become more carefully  crafted and effective. They’re no longer just random mass mailer emails  attacks. A phishing email may be a targeted attack or a spear phishing  attack. These kinds of attacks have made the headlines for recent large  corporate and government hacks.    

Scenario:  An employee, student or outside user wants hack to a  network.  The network includes a Gmail email domain and a website  domain. Note: This is one example – there’s more than one way to “skin a  cat.”   

Phases of a Phishing Attack: 

1 Enumeration  The hacker users Using Google Hacking, research on  the website (checking links, jobs, job titles, email, news, etc.) or  HTTPTrack (to download the entire website for later enumeration). He/she  learns staff names, positions and email addresses.   

2 Scanning Armed with the basic information, the hacker moves  forward. He/she tests the network for other points of attack. The hacker  leverages a few of methods to map the network (i.e. Kali Linux, Maltego  and find an email to contact to uncover the email server). 

3 Gaining Access The hacker finished enumerating and scanning the  network. They have a couple options to gain access inside. A reverse  TCP/IP shell in a PDF using Metasploit might be caught by an antivirus  or spam filter. They could set up a Evil Twin router and try to Man in  the  Middle attack users to gain access. The hacker plays it safe using a simple phishing  attack. He/she infiltrates from the IT department. There are a few  recent hires who aren’t up to speed on procedures. A phishing email from  CTO’s actual email address is sent to the new hires through a program. The email contains a link to a phishing website  that will collect login and passwords. Using any number of options  (phone app, website email spoofing, Gmail, etc), it prompts the users to  login to a new Google portal. The Social Engineering Toolkit was  already running and has sent an email with the server address, masking  it with a bitly or tinyurl.   

4 Maintaining Access The hacker gained access to multiple Gmail  accounts. He/she begins to test the accounts on the Google domain. The  hacker creates a new administrator account based on the naming structure  and OU structure to blend in. As a precaution, the hacker seeks and  identifies latent accounts. The hacker assumes these accounts are likely  either forgotten or not used. He/she changes the password on one  account and elevates privileges to admin to maintain access to the  network. The hacker might send out emails to other users  containing an exploited file such as a PDF with a reverse shell to  extend possible access. No overt exploitation or attacks will occur at  this time. If there’s no evidence of detection, the waiting game starts,  letting the victim remain in the dark. Once inside, the hacker begins to make copies of  all emails, appointments, contacts, instant messages and files to be  sorted and used later.   

5 Covering Tracks Prior to the attack, the attacker will change their  MAC address and run the attacking machine through at least one VPN to  help conceal identity. They will not deliver a direct attack or any  scanning technique, which would be deemed “noisy.” After the attack, the hacker seeks to cover their  tracks. This includes clearing out sent emails, server logs, temp files,  etc.  The hacker will also look for messages from the email provider  alerting possible unauthorized logins.  The hacker will delete those  emails.   

BONUS: Protection for End Users Talk with end users about protecting themselves against phishing and other attacks. Use these suggestions:

● Do not post information on social media that’s be related to any challenge questions 

● Do not use simple passwords, words, etc. 

● Do not use common items that pertain to personal life, such as spouse names, pet names, etc. 

● Build passwords that are 8 characters or longer with upper and lower case, numbers and special characters. 

● Consider 2 factor authentication when possible 

● To  help with randomization and recall, use shapes instead of spelling  words in a password. Shapes tend to be easier to remember than random  passwords.

● Be careful of password requests emails. Sites like Google, Microsoft, etc. will not request your current password in an email

● When dealing with emails, especially those pertaining to passwords or logins, verify the source of the email 

● For emails containing links, verify the link’s true URL 

● If the email contains a file, scan it before opening 

● If a compromise is suspected, change the password right away and alert the network admin 

● Make sure computers and software are up to date 

● Have current antivirus software installed 

● Avoid easy to guess challenge questions (including answers that can be skimmed from social media) 

● Log out of all sessions, don’t just close the browser  

 Thanks for reading. I hope this information was useful. Knowledge is key. Be aware, be smart, be careful.