Blog Date: 9/15/2017
Author: Ray Coulombe
During my course, we focused on the Social-Engineer Toolkit (SET), or setoolkit, available as an open source download here.
The exercise we performed during my class was to clone a website in order to set up a phony phishing site. Spear-phishing attacks perform targeted email attacks using points of familiarity from public information, social media, or other sources. A group of emails can be sent based on harvested information from lists or scans, or individuals can be directly targeted. The emails can send malicious files or links, and the sender’s email address can be spoofed. Entering login credentials in the phony site allowed my listener site to capture the data, a technique known as Credential Harvesting.
Using a Website Attack, we also demonstrated how to use the phony site to get a user to download and run a file, in this case a keylogger. Other types of phishing-based website attacks are based upon getting a victim to click on a web link. Using the Metasploit framework (see side note), a web server can be set up on the attacking machine to host various exploit payloads. Clicking the link directs the victim to this server, whereupon the payload, e.g., a keylogger, is delivered. A Java Applet attack will spoof a Java Certificate and deliver the payload. Techniques exist to digitally sign these certificates.
The TabNabbing Method will wait for a user to move to a different tab, then refresh the page to something different. The Web Jacking attack method utilizes iframe replacements to make the highlighted URL link appear legitimate. However, when clicked, a window pops up and is replaced with the malicious link. (iframe is the technique to display information from another web page within the same (current) page and is commonly used in social media.) All of this occurs through the use of port 80 (http) on the attacking machine which is commonly allowed through firewalls. If a browser has not been fully patched, known exploits can take advantage. Many exist for Internet Explorer.
Let’s look at some of the other options the Social Engineer Toolkit provides a hacker to easily compromise a careless victim.
It’s summer vacation time! The last thing you need to worry about it is getting your identity stolen while you’re sitting on a beach somewhere exotic. In 2016, more than 15 million Americans were victims of identity theft, up 16 percent from the previous year, according to Experian. Plus, about 33 percent of that fraud took place when people were traveling.
Here’s a few tips to staying safe all summer while traveling...
read more -->
Cat 5e became an ANSI/TIA/EIA standard in 2001, Cat 6 in 2002, and Cat 6a in 2008. However, it may be extremely useful to consider taking advantage of other existing cabling infrastructure in lieu of running new. Read more to learn how to approach cabling.
read more -->
This year at ISC (the International Security Conference and Exposition), I was determined to try to see the latest iStechnologies hiding in the nooks and crannies—literally! I visited booths in the back, the basement, small kiosks hidden inside larger vendor books, and throughout the Emerging Technology Zone.
In case you missed the show, I’ll round up some of the best new technologies and companies to keep an eye on. Read more.
read more -->
Earlier this year, in March, the City of Atlanta’s nearly 8,000 employees heard words they never thought they would hear: “It’s okay to turn your computers on.” Their computers were powered off for five days. In those five days Atlanta residents could not pay traffic tickets, water bills, or report city issues. Read how ransomware impacted this metropolitan area.
read more -->
There is no one size fits all when it comes to K-12 school security. Schools vary in so many ways: size, age, local environment, affluence, culture, governance, and more. Read some helpful tips and resources that might just help your school be better prepared.
read more -->