1 00:00:06,980 --> 00:00:13,610 In the last lesson, we saw how to use the Social-Engineer Toolkit to clone the Facebook website and
2 00:00:13,610 --> 00:00:19,120 to capture people's usernames and passwords, but we were working on the same Kali Linux computer,
3 00:00:19,130 --> 00:00:20,810 we logged in from that same machine.
4 00:00:21,060 --> 00:00:27,410 You want to send this out to someone somewhere else for training within your organization's network
5 00:00:27,770 --> 00:00:33,410 or for showing your friends and your family how to spot and avoid phishing emails?
6 00:00:33,890 --> 00:00:39,530 Well, the first thing that we do when we're crafting a spear phishing email, a targeted phishing
7 00:00:39,530 --> 00:00:44,430 email, is we start with a real email from that organization.
8 00:00:44,780 --> 00:00:50,270 So in this case, Facebook has sent me a notification and I have changed some of the names, of course,
9 00:00:50,270 --> 00:00:51,620 to protect the identities.
10 00:00:51,920 --> 00:00:54,290 But Alice Smith updated her status.
11 00:00:54,290 --> 00:00:59,540 Bob Smith, Charles Doe and 16 others reacted to this. Open Facebook.
12 00:00:59,540 --> 00:01:01,810 And you can see it has links and things like that.
13 00:01:02,450 --> 00:01:08,660 What I'm going to do is use this as the foundation for a new email that I'm going to send, so I can either
14 00:01:08,660 --> 00:01:12,450 forward it or I can just copy and paste it into a new email.
15 00:01:12,890 --> 00:01:19,100 So from your favorite social media account, from your bank account, from your organization's website,
16 00:01:19,250 --> 00:01:22,910 if you get a notification, you've got the foundation of a spear phishing email.
17 00:01:23,120 --> 00:01:28,310 You can find templates out on the web if you don't have any, but you can find one in your own email
18 00:01:28,310 --> 00:01:28,850 account.
19 00:01:29,390 --> 00:01:34,820 So I'm going to come down to the forward option and I'm going to clean up this email just a little bit
20 00:01:35,420 --> 00:01:39,220 so that it has just the notification information.
21 00:01:39,230 --> 00:01:40,520 It doesn't have anything else in it.
22 00:01:40,520 --> 00:01:44,180 You can copy and paste this or you can just forward it like I've done and clean it up.
23 00:01:44,390 --> 00:01:51,800 I'm going to forward this to two accounts, my Gmail account and my work account at the university.
24 00:01:52,280 --> 00:01:55,850 And remember, you must do this only where you have explicit permission.
25 00:01:55,850 --> 00:02:03,560 Don't send this to anyone that you don't have express written permission to do this testing with. In
26 00:02:03,560 --> 00:02:05,600 an organization, you need that:
27 00:02:05,600 --> 00:02:12,890 the CEO and CEO's permission, express written permission, before you can send this kind of phishing email
28 00:02:12,890 --> 00:02:14,480 out to train employees.
29 00:02:15,110 --> 00:02:18,620 So for spear phishing to work, in the simplest sense, all we have to do is right-
30 00:02:18,620 --> 00:02:26,180 click on each of these web addresses or click on each of these addresses and come to change the URL.
31 00:02:26,690 --> 00:02:34,130 And because we know the URL or the IP address of our Kali Linux box, all we need to put in here
32 00:02:34,130 --> 00:02:38,000 is http, colon, slash, slash,
33 00:02:40,630 --> 00:02:51,700 10.0.9.4. That's http://10.0.9.4. I've zoomed in just a little bit
34 00:02:51,700 --> 00:02:51,910 more.
35 00:02:51,910 --> 00:02:58,960 So you can see I have the 10.0.9.4 address and I'm going to copy that because I'll
36 00:02:58,960 --> 00:03:01,570 use it in all the other links and click
37 00:03:01,570 --> 00:03:10,670 OK. Go to the Facebook icon itself, change that address to 10.0.9.4 or whatever the IP address
38 00:03:10,670 --> 00:03:13,090 of your Kali Linux box was, hit OK.
39 00:03:13,660 --> 00:03:16,960 And we'll go through the entire email making these same changes.
40 00:03:17,600 --> 00:03:21,820 Make sure you change it for every single one of these links.
41 00:03:21,820 --> 00:03:27,850 Just click the link in Gmail or use your favorite email editor and you're going to change the hyperlink.
42 00:03:27,850 --> 00:03:28,330 You might have to
43 00:03:28,330 --> 00:03:28,590 right-
44 00:03:28,600 --> 00:03:32,980 click in Microsoft Outlook, for example, and go to Edit Hyperlink.
45 00:03:33,220 --> 00:03:35,170 But we're going to change where that link goes.
46 00:03:35,170 --> 00:03:40,390 Instead of Facebook, it's going to go to our Kali Linux computer, 10.0.9.4.
47 00:03:40,600 --> 00:03:41,830 Once
48 00:03:41,830 --> 00:03:42,880 you've made these changes
49 00:03:42,880 --> 00:03:48,400 for every one of the links in your email, you're ready to send a phishing test email.
50 00:03:48,640 --> 00:03:52,630 And if your Kali Linux computer's still running in the background, we're going to be able to open
51 00:03:52,630 --> 00:03:56,560 this email up on our Windows box and see how it behaves.
52 00:03:57,460 --> 00:04:04,750 So I've changed all my HTTP, all my URLs, all of my hyperlinks in this Facebook email.
53 00:04:04,750 --> 00:04:08,650 Now go to my Kali Linux listener.
54 00:04:09,460 --> 00:04:17,260 If I come to my email on my computer, on your Windows box or on any of your other VMs, you should
55 00:04:17,260 --> 00:04:19,960 be able to find your email.
56 00:04:20,140 --> 00:04:25,630 And if you hover over each link, you may notice in the far bottom left of your browser, depending
57 00:04:25,630 --> 00:04:28,840 on your browser, you'll see 10.0.9.4.
58 00:04:28,840 --> 00:04:30,280 But most people don't look at that.
59 00:04:30,280 --> 00:04:33,490 In fact, I'll see that for every single one of the links in this email
60 00:04:33,490 --> 00:04:38,920 if I caught them all. If I missed one, I'll fix that in the spear phishing upgrade in the next lesson.
61 00:04:39,520 --> 00:04:46,930 But if I click on this Facebook link, it's going to take me to my 10.0.9.4 Facebook login page.
62 00:04:47,260 --> 00:04:51,250 Now, most people don't recognize this 10.0.9.4.
63 00:04:51,250 --> 00:04:55,210 And so they might see this warning that I'm getting in Firefox.
64 00:04:55,450 --> 00:04:56,920 This connection is not secure.
65 00:04:56,920 --> 00:05:03,640 Logins entered here could be compromised. But most of the time, if we're in a hurry, we'll just try our
66 00:05:03,640 --> 00:05:04,330 login.
67 00:05:05,860 --> 00:05:11,440 Fred Flintstone dot com and Wilma as a password and click login.
68 00:05:13,350 --> 00:05:16,720 Oh, that didn't work, but notice it took me to facebook.com.
69 00:05:16,980 --> 00:05:18,330 Well, the user thinks it didn't work.
70 00:05:18,330 --> 00:05:26,430 Switch back over to the Kali Linux box and you will see that Wilma, the Wilma password for Fred Flintstone
71 00:05:26,430 --> 00:05:28,150 dot com, just got captured.
72 00:05:28,500 --> 00:05:34,530 So even from a different computer running another browser, we can see the username and password that
73 00:05:34,530 --> 00:05:39,540 people are putting into these phishing web pages, and it reloads the Facebook page,
74 00:05:39,550 --> 00:05:42,720 so it looks like nothing suspicious to the other user.
75 00:05:43,110 --> 00:05:49,650 But you need to understand that that 10.0.9.4 is one dead giveaway. Any URL other than
76 00:05:50,700 --> 00:05:51,120 facebook.com,
77 00:05:51,120 --> 00:05:57,690 for example, is a dead giveaway that the email is a phishing email attempt.
78 00:05:58,050 --> 00:06:04,320 But in the next lesson, we're going to understand how to modify that URL so that it can fool even
79 00:06:04,320 --> 00:06:05,730 experienced users.
80 00:06:05,730 --> 00:06:09,660 And you need to be much more careful with this technique that we're about to show you.
81 00:06:09,690 --> 00:06:10,960 So come back in the next lesson.
82 00:06:11,000 --> 00:06:16,740 Let's see how to modify and play with that URL so that it doesn't give off the immediate red flag
83 00:06:16,740 --> 00:06:19,500 that it's a 10.0.9.4 address.