Phishing Capabilities Demonstration
The goal of this whitepaper is to summarize technical details of a phishing infrastructure we developed and has unique capabilities among its open-source alternatives. It is capable of sending phishing emails using multiple techniques, bypassing multi-factor authentication and consequently stealing users’ logged in sessions, with a possibility of a manual takeover or doing automated actions.
Our goal is to demonstrate capabilities a dedicated attacker might create using off-the-shelf open-source tools and some programming effort in putting them together. This article does not aim to provide a step-by-step solution to build a phishing infrastructure.
Phishing email is a type of online scam when a cyber-criminal sends an email that appears legitimate but tricks the user into doing some actions that help the attacker. Most common is credential harvesting, which tricks a victim into disclosing their username and password, or they are tricked into running an executable, which can give the attacker access to the computer.
According to IBM1, phishing still lies at the root of 14% of all data breaches, making it the 4th most used attack vector. Verizon Data Breach 20202 estimates, that 22% of all data breaches involved phishing. With the average data breach costing as much as $3.86 billion, no avenue can be left unchecked. Even tech giants such as Facebook and Google have fallen victim to multi-million dollar phishing scams. Although many security solutions have built-in phishing detection and prevention tools, attackers are continuously discovering new techniques for phishing filter evasion.
Multi-factor authentication or MFA is an authentication method, which requires two or more verification factors to grant access to the user. These factors can be categorized as either knowledge (something only the user knows), possession (something only the user has), or inherence (something only the user is). The best policy is to require at least two factors from different categories.
Download Phishing Infrastructure Whitepaper to learn more.