Identifying Phishing Emails: The Social Engineering Toolkit

Now, this is another fun one. This is UPS. My name came up for a UPS customer gift card worth $90. And they have a nice picture of UPS. They have the UPS logo there. Over $4 million in offers given out so far. So I might as well jump in on this. They sent out $4 million. It’s not something new. This is great, I can get $90. Well, let’s take a look. So first of all, this is not a UPS address. So we can see this nsnkk address. We can see it’s sent to john@aol.com, which clearly isn’t me.

And if we hover over the link here where it says my name came up for UPS customer service gift card, we can see that this is not a UPS address. So again, probably going to collect information on me. Probably get some bank info, login information, something like that. So clearly it works on greed. So this is kind of fun, because one thing here. If we take a look at this address again, we could see this xokctz.blog.core.windows.net.

Now, I’ve never seen that before, so I decide to do a little research. Now what I found on malwareresearch.org was a nice article talking about how phishing emails were spoofed and sent from windows.net. So apparently there’s been a rise of Microsoft Azure blog storage to host phishing websites. And this particular article talks about it targeting Office 365 users, but clearly it’s being used outside of that. So if you head over there, it’s a pretty good article to read. But again, in this case, you’re using Microsoft’s cloud server to send phishing emails.

Now, how hard is it to send a phishing email? Not very hard. There’s a lot of different tools out there. So we have the Social Engineer Toolkit, for one. And if you use Kali Linux, that’s actually built into it, one of the programs on there, you can also instal it on other machines. We have SocialFish. SocialFish is designed to send quick phishing emails out. And we could do things like Instagram, Facebook, Snapchat Twitter, et cetera, et cetera. We have the free email account attack, like the one I did with the Microsoft account. I simply used a free Yahoo! account to create an email and for the name, I put Microsoft Support Team, and the email address, I put Microsoft.

So it made it look more legitimate. So again, didn’t cost me anything. I just used a free email service. I could have even used a Microsoft email service like Hotmail or Outlook or whatever to make it look even more legitimate. So again, pretty low bar in order to create that one. We also have other tools that we could use. There’s Lucy, which is an open source phishing campaign software. It’s actually designed as a learning tool for doing things like launching a phishing campaign on your network to kind of gauge where people are and help educate people on phishing. And there’s even tools for Android phones, things like Spoof Box, and online tools.

Though I do need to say, Android is a lot better about these type of tools. I don’t see nearly as many tools for creating phishing emails on the Android store anymore as there used to be a couple of years ago.

So wrapping up, phishing emails tend to use social engineering to entice users to take action. The methods used typically use fear, authority, scarcity, and/or greed. Now, if you get an email, you should always verify the user send address and make sure it’s accurate and that it’s not using some sort of proxy to change an email address. Try link hovering instead of clicking on the email. If you weren’t an expecting email, try to verify with the user by phone or in person if possible. Don’t respond to the email asking, “is this a real email?”. Pause before reacting. So pausing for a few minutes can make a big difference.

Again, going back to the social engineering section, Amygdala hijacking, things– my Netflix account is locked, someone got in my PayPal account and changed the information. I need to click this right away and find out what’s going on. Now, if I pause and wait for a few minutes, I could start thinking that over and go, “well, okay, before I click this, I should link hover. I should take a look at the actual email address and see if there’s a proxy, if that email was actually a proxy address”. That can make a big difference. Viewing the email header can also give you quite a bit of information. Is the email going to the right account?

Is the email address even addressed directly to me or is it just a general email? Are other people email string for something that is supposed to be confidential? My PayPal account has been compromised. Why is there 30 other people on this email string? That should all be a big red flag.

Now, this was about phishing emails. Next video, we’re going to talk about running a phishing campaign. Thanks for watching. I’ll see you in the next video.