Understanding Phishing Attacks and Prevention

Sep 2, 2024

Phishing Attack Demonstration Lecture Notes

Introduction

  • Phishing Attacks: Easy to conduct, demonstrated for educational purposes.
  • Target: CEO Bernard Hackwell of Network Chuck Coffee.
  • Disclaimer: For educational purposes only; never conduct without permission.

Sponsor Note

  • Sponsor: "This is IT.io"
    • Mission: Make IT education affordable.
    • Collaborators: David Bombal, Jeremy Ciara.
    • Offer: Free tier with courses and Discord community.

Phishing Attack Steps

Phase 1: Credential Harvesting

  • Objective: Gain access to Bernard's LinkedIn credentials.
  • Method: Set up a fake LinkedIn webpage to trick Bernard.
  • Tools:
    • Linux Distribution: Kali Linux (or Ubuntu).
    • Tool: BlackEye for setting up phishing sites.
    • Command: clone the BlackEye repository with git, change into its directory, and run the script.

Phase 2: Distributing the Phishing Link

  • Objective: Deliver the phishing link to Bernard.
  • Methods:
    • Phishing Emails: Crafted to appear to come from LinkedIn and to carry an urgent message.
    • Smishing: Send link via SMS.
    • Vishing: Voice call to persuade Bernard to use the link.
  • Technique: Spear phishing targeting Bernard.
    • Whaling: Targeting a CEO or someone of high importance.

Phishing Email Setup

  • Tool: Social Engineering Toolkit (SET) on Kali Linux.
  • Steps:
    • Choose social engineering attack option.
    • Use a mass mailer for sending emails.
    • Craft email to appear urgent and from a trusted source.

DNS and Phishing Variations

  • DNS Poisoning: Alter the hosts file so the LinkedIn domain name resolves to the fake site.
    • Pharming: Setting up fake websites and altering DNS so that the real domain name leads to them.
  • Avoidance Tips: Check the email sender, avoid clicking suspicious links, and log in by navigating to the site directly rather than through the link.
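A defender-side check for the hosts-file variant described above, added here as an example and not part of the lecture: it parses a hosts file and flags any line that maps a watched domain (or one of its subdomains) to an address other than loopback or 0.0.0.0, which are the addresses legitimate ad-blocking entries use. The watched-domain list and the sample hosts file are constructed for the demonstration.

```python
"""Audit a hosts file for entries that hijack well-known domains."""
import ipaddress

# Assumption: an illustrative list of domains the defender wants to protect
WATCHED_DOMAINS = ("linkedin.com", "google.com", "microsoft.com")


def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True if hostname is a watched domain or a subdomain of one.
    'linkedin.com.evil.example' is NOT matched: the suffix test is anchored."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in watched)


def is_sinkhole(addr):
    """Loopback (127.0.0.1, ::1) or unspecified (0.0.0.0) targets are the
    normal way to *block* a name, so they are not treated as hijacks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (line_no, address, hostname) for each suspicious mapping."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        addr, *names = line.split()  # hosts syntax: ADDRESS NAME [NAME ...]
        for name in names:
            if is_watched(name, watched) and not is_sinkhole(addr):
                findings.append((no, addr, name))
    return findings


# Constructed sample hosts file (not taken from any real machine)
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# an ad-blocking entry: harmless, points at loopback
0.0.0.0     ads.example
192.168.1.50  www.linkedin.com linkedin.com   # redirect to a LAN host
10.0.0.7    accounts.google.com
"""

if __name__ == "__main__":
    for no, addr, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {name} -> {addr} (not loopback, review this entry)")
```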

Avoiding Phishing Attacks

  • Spam Filters: Use modern spam filters on email systems.
  • Link Verification: Verify source before clicking.
  • Multi-Channel Phishing: Awareness of phishing via SMS, voice calls, and IM apps.

Advanced Phishing Tactics

  • Invoice Scams: Pretend to be a known vendor, request payments via phishing emails.

Educational Purpose and Safety

  • Awareness: Knowledge of phishing enables better defenses.
  • Family Education: Important to educate less tech-savvy family members.

Conclusion

  • Security Course: Collaboration on a course for the Security+ certification.
  • Join This is IT.io: Community and educational benefits.
  • Follow and Support: Encouraged to follow on social media and use Discord for learning.

Note: Always seek permission and use this knowledge responsibly.