How to set up a phishing attack with the Social-Engineer Toolkit
Cybercriminals are now using artificial intelligence to make phishing attacks more effective. Learn how in this episode of Cyber Work Applied.
Artificial intelligence and phishing attacks
Infosec Principal Security Researcher Keatron Evans walks you through how manual phishing attacks work and how phishing is rapidly evolving thanks to AI and machine learning in this episode of Cyber Work Applied.
Cyber Work listeners get free cybersecurity training resources. Click below to get your free courses and other materials.
How to set up a phishing attack
Below is the edited transcript of Keatron’s phishing attack walkthrough.
How phishing attacks work
(0:00-0:41) Did you know that some of the more devastating phishing campaigns are being driven by very powerful cloud-based artificial intelligence-driven supercomputers? We're going to take a deep dive into what phishing looks like traditionally, then examine the power behind the modern and highly successful campaigns we deal with today.
Phishing attacks are becoming so common that if you're unaware of how they work, you will probably fall victim to one yourself. The best way to see what's involved in a phishing attack is to take a look from concept to execution. In this demonstration, you'll see how easy it is to pull off a good phishing attack. And then afterward, we'll look at what's being done to take the effectiveness of phishing to the next level.
See Infosec IQ in action
Social-Engineer Toolkit: Fake Twitter login page
(0:42-1:49) What I'm doing here is simply setting up the Social-Engineer Toolkit. This automates creating a phishing attack and makes it very easy. So I'm going to select item one here, which is “Social-Engineering Attacks.” Then on this next menu, I'm going to select item two, “Website Attack Vectors.” Then, on this next menu, I'm going to go with item three, “Credential Harvester Attack Method. “
Next, we will use Twitter as an example of what we will try to clone. So I will go ahead and use “Site Cloner.”
And the IP address that I want my connection to come back to — that's going to be this machine's IP, which is 192.168.248.251. Then it asks me what I want to clone and I will input Twitter’s URL.
What just happened is that the tool went out to the real Twitter and copied down the Twitter homepage. Now we're going to feed this to a victim as if they got a new Twitter message or something like that to get them to click on the link.
Manually sending a phishing email
(1:50- 3:36) So what happens as a result? I will go into my Gmail account and send the phishing email. So I'm going to compose this. Today, we will be phishing Bob Vance from Vance Refrigeration. So let’s send an email to vancerefrigerationattheoffice@gmail.com.
I'm just going to put the subject as “new twitter message.” For the body, I can say something like, “did you see what is being posted about you on Twitter?”
So I sent him that message. Check this out. I will make this link visible so you can see what it points to. I'm just going to put a link to this machine, “http://192.168.248.251.” Now we could mask this and make it say “twitter.com.” But I want you to see what the link looks like. So we go ahead and send that message as is.
How the victim gets their credentials phished
(3:27- 4:35) Alright, so now we're gonna go play the victim. Remember, we have our attack still waiting here. So we go over to the victim’s machine. The victim goes and opens their Gmail. In this case, it's Bob Vance.
So Bob Vance logs into his Gmail account. He sees a new message here. He opens it. He checks to see what people are writing about him on Twitter. He gets there and realizes he needs to log in. So Bob logs into his Twitter account. He clicks login.
And then, as a result of him putting that email and password in and logging in, what we see on the attacker side, if we go back, is that the attacker has now captured Bob Vance's login and password.
Using machine learning and AI for phishing
(4:36- 6:29) That was easy. But this method is hard to scale and recycle. Sure we could blast it out to 100,000 people. But what about handling 100,000 responses instantly and instantly learning from all those responses? What type of user clicked on the link the most? How effective is it?
What if we could read those 100,000 responses in real-time and within a millisecond build another attack back based on feedback and re-phish everyone using that intelligence? Then repeat this over and over, getting a higher percentage of bait takers with each relaunch.
This is where machine learning comes in. APT groups are now using machine learning algorithms combined with massive computing power to run these extremely effective campaigns. This is made possible by cloud computing service models.
First, they build training models that will be trained based on feedback from phishing attempts. Next, they start phishing. Once the responses come back, all of this data is fed into cloud servers that are designed to handle massive amounts of data efficiently. We're talking to 1,000 machines with four terabytes of RAM, for example. This is where machine learning and the massive compute power from cloud servers are critical.
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
Once all the responses are computed and run through machine learning models, output is produced and cycled back through the training engine. Immediately everyone is phished again, but better this time. This process is painfully effective.
We could do all this manually, but we would be very slow and mostly ineffective. This is one of the main reasons that phishing attacks today are so effective, and are getting so much better so fast.
This is also why it's important to make sure if you're trying to defend against this, you're using something that can match the horsepower and the intelligence of these machine-learning engines. It's also important to ensure you're using a phishing testing solution capable of mimicking this behavior.
More cybersecurity training resources
Want more free resources? Check out the weekly Cyber Work Podcast for in-depth conversations with cybersecurity practitioners and industry thought leaders.
Cyber Work listeners also get other free cybersecurity training resources. Check out the latest free courses and resources to keep learning!
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- How to set up a phishing attack with the Social-Engineer Toolkit
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Phishing-as-a-Service
