Phishing attacks are on the rise. For hackers, they are a volume game – while most get caught in spam and phishing filters in your personal and work email, many still manage to find their targets. The increase in phishing attacks can be attributed to two factors. First, they are highly scalable, which means the attacker can easily send out tens of thousands of phishing emails and greatly improve their odds of success with roughly the same amount of effort it would take them to send out just one or two. The second reason is that in most cases it is still much easier to get a human to divulge confidential information than to break into the system that stores it.
Phishing attacks can be used for various purposes, but one of the most common is to steal credentials. This means the victim must be fooled into disclosing confidential information in what they perceive as a safe environment. This can be accomplished by the attackers with the help of a fake bank, webmail, or social media website that is indistinguishable from the real thing. Sounds difficult? Not at all.
To find out just how easy it is to steal login credentials, I began by booting up Kali Linux on my personal laptop. Kali is a freely available distribution of the Linux operating system, loaded with dozens of hacking and security testing tools. Kali is used by security researchers, professionals and hackers alike.
In Kali, a few clicks navigated me through the menu of the Social Engineering Toolkit (SET) to the Site Cloner tool.
I pointed Site Cloner at the Facebook URL.
A few seconds later, I had a copy of the Facebook login page, and Site Cloner was ready for unsuspecting victims to enter their usernames and passwords. Total time elapsed since booting up Kali? Under five minutes!
To test Site Cloner’s handiwork, I opened a web browser and typed in the IP address assigned to Kali.
The IP address in the address bar and the lack of the secure “lock” in the browser are the only giveaways that I am not on the real Facebook login page. Ingeniously, once I entered my (fake) Facebook login info, Site Cloner redirected me to the real Facebook login page. This would minimize any suspicion and lead the victim to believe that perhaps they had just pressed a wrong key.
Meanwhile, back in Kali, Site Cloner had diligently harvested the username and password I had so trustingly entered on the fake login page.
For the purposes of this test, I had simply typed the IP address of the fake login page. In a real phishing attack, the attacker would have crafted a convincing email message that would look like it came from Facebook. The message would ask the victim to reset their password or view a post they were tagged in, and would link to the fake site. The page would likely be hosted on a separate web server, and the attacker would also likely obscure the suspicious-looking IP address behind something a bit more reassuring, like login.facebook.evilhackingsite.com. They would then mass-mail the message to a list they bought on one of the Dark Web marketplaces.
And that’s all. Phishing has become this simple and this convincing. If you miss just a handful of small details, you become another victim.
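The giveaways named above (a bare IP address as the host, no secure lock, and a brand name buried in a hostname like login.facebook.evilhackingsite.com) can be checked mechanically before a link is trusted. The following is an added example, not part of the original post: the `BRAND_DOMAINS` allow-list, the function names and the sample URLs are constructed for illustration, and treating the last two labels as the registered domain is a simplification.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: constructed allow-list of brand -> domains the brand really uses.
BRAND_DOMAINS = {"facebook": {"facebook.com"}}


def registered_domain(host):
    # Simplification: last two labels. Real code should consult the
    # Public Suffix List so that names under e.g. "co.uk" are handled.
    return ".".join(host.split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_login_url(url):
    """Return the reasons a URL should not be trusted as a brand login page."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("no-tls")  # the missing "lock" in the browser
    if is_ip_literal(host):
        findings.append("ip-literal-host")  # brands do not serve logins from raw IPs
        return findings
    reg = registered_domain(host)
    for brand, domains in BRAND_DOMAINS.items():
        # Brand name appears in the hostname, but the domain that was
        # actually registered belongs to someone else.
        if brand in host and reg not in domains:
            findings.append("brand-in-host-but-registered-as:" + reg)
    return findings


if __name__ == "__main__":
    # Constructed sample links; 192.0.2.10 is a documentation-range address.
    for link in ("http://192.0.2.10/",
                 "https://login.facebook.evilhackingsite.com/login",
                 "https://www.facebook.com/login"):
        print(link, "->", check_login_url(link) or "no findings")
```

An empty result only means none of these three checks fired; it is not proof that a page is genuine.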