1
00:00:01,020 --> 00:00:02,620
Let's do a little quick review.

2
00:00:02,640 --> 00:00:10,590
We have seen firsthand how powerful a spear phishing campaign can be when you send it out to targeted

3
00:00:10,590 --> 00:00:17,490
people that, you know, use a certain social network, that you believe use a certain bank, that maybe

4
00:00:17,490 --> 00:00:23,100
are users of your email system within your organization, or people who just log in to Gmail. Gmail, thank

5
00:00:23,100 --> 00:00:27,180
goodness, will at least ask you your username on one screen and your password on another.

6
00:00:27,480 --> 00:00:34,100
That makes it much safer than having the username and password all on a single screen.

7
00:00:34,800 --> 00:00:36,690
But there are lots of systems out there.

8
00:00:36,690 --> 00:00:42,720
Most banks, most social media sites still give you the username and password on a single page, and

9
00:00:42,720 --> 00:00:48,770
it makes it susceptible to this type of email credential harvesting that we just saw.

10
00:00:49,290 --> 00:00:50,340
So, quick recap.

11
00:00:50,340 --> 00:00:57,750
Phishing is the number one attack vector when it comes to social engineering online. Pretexting: pretending

12
00:00:57,750 --> 00:01:00,960
to have that email come from Facebook. Baiting.

13
00:01:00,960 --> 00:01:07,290
And we could put something in that email that says, "Bryson, there are embarrassing pictures of you

14
00:01:07,290 --> 00:01:12,660
up at Facebook," or "it looks like your account has been hacked from an address."

15
00:01:12,660 --> 00:01:17,790
It looks like it's coming from China, and put an odd address in there, whatever it may be, that will

16
00:01:17,790 --> 00:01:20,290
bait the user. Quid pro quo.

17
00:01:20,310 --> 00:01:25,980
One recent scam that's been going out as a phishing email is the ability to set up a verified social

18
00:01:25,980 --> 00:01:29,520
user account, like the real Donald Trump at Twitter.
19
00:01:29,520 --> 00:01:29,880
Right.

20
00:01:30,780 --> 00:01:34,290
A verified social media account sounds like a really good thing to have.

21
00:01:34,290 --> 00:01:37,050
So I could have the real Bryson Payne on Twitter.

22
00:01:38,340 --> 00:01:43,350
But when you click through, you have to be really careful. Go directly to the website.

23
00:01:43,350 --> 00:01:47,640
And that's a better way to avoid being taken by these click-through links.

24
00:01:48,300 --> 00:01:53,910
We didn't use tailgating in this particular instance, and we didn't make use of vishing or smishing.

25
00:01:54,150 --> 00:01:57,330
We didn't send a voicemail or make a phone call.

26
00:01:57,540 --> 00:01:59,550
We didn't send a text message with the link.

27
00:01:59,550 --> 00:02:05,610
But it's just as easy to take this link, turn it into a text message and send it to someone on an Android

28
00:02:05,610 --> 00:02:09,290
device, the same way we just saw how to do it on a Linux device.

29
00:02:09,630 --> 00:02:13,440
And finally, we learned the power of spear phishing.

30
00:02:13,440 --> 00:02:20,910
That's when we take a targeted approach at getting someone in our social network, in our organization.

31
00:02:20,910 --> 00:02:27,870
So someone might send an email to your CEO, to your finance officer, to your chief business officer,

32
00:02:28,110 --> 00:02:29,580
to your HR director.

33
00:02:29,580 --> 00:02:35,460
And once you get one of those sets of username and password combinations, you can do some really bad

34
00:02:35,460 --> 00:02:36,840
things over the Internet.

35
00:02:37,230 --> 00:02:42,900
You can log in as the boss and send an email to all employees that they're fired, or send an email

36
00:02:42,900 --> 00:02:48,330
to the chief business officer or to the treasurer of the organization and say that you need some money

37
00:02:48,330 --> 00:02:52,260
transferred to a certain account to keep one of your customers there.
38
00:02:52,290 --> 00:02:57,470
All kinds of bad things can happen to your organization if your employees fall for spear phishing.

39
00:02:57,480 --> 00:02:59,580
There are lots of bad things that can happen to your family.

40
00:02:59,880 --> 00:03:06,540
If one of your older parents or if you have young children going online, predators, con artists,

41
00:03:06,540 --> 00:03:10,020
scammers are all out there on the Internet using techniques like these.

42
00:03:10,020 --> 00:03:15,600
It costs nothing to send thousands of emails, and all it takes is one person clicking through.

43
00:03:15,930 --> 00:03:20,370
But unfortunately, we see that even in the best-trained organizations, as many as five percent of

44
00:03:20,370 --> 00:03:23,130
people will click through and provide their credentials.

45
00:03:23,880 --> 00:03:28,320
In an organization with no training, that number is significantly higher, about five times higher,

46
00:03:28,650 --> 00:03:31,790
23 percent on average, according to one Verizon study.

47
00:03:32,250 --> 00:03:35,550
So spear phishing, again, was just a focused email attack.

48
00:03:36,000 --> 00:03:42,990
And we saw how to craft one of those by using the Social Engineer Toolkit to create a web server that

49
00:03:42,990 --> 00:03:48,660
looks just like Facebook or Twitter or your bank or your email login at work.

50
00:03:49,260 --> 00:03:55,500
We set up a server running locally that was a credential harvester site that looks exactly like the

51
00:03:55,500 --> 00:04:00,720
facebook.com login site, but it's running on our local Kali address.

52
00:04:00,720 --> 00:04:07,830
Mine was 10.0.9.4, and we saw using the IP address converter that we could change that

53
00:04:07,830 --> 00:04:15,420
10.0.9.4 to the 167774468 address.

54
00:04:15,930 --> 00:04:17,340
And then we could craft a URL

55
00:04:17,340 --> 00:04:29,010
that looked exactly like http://www.facebook.com@167774468.

57
00:04:29,640 --> 00:04:33,660
And that, as you'll remember, converted that first part into a username.

58
00:04:34,690 --> 00:04:36,220
And if I copy that

59
00:04:39,450 --> 00:04:46,650
and paste it over into my Firefox browser, it will pop up a warning. If I copy that and paste it over into

60
00:04:46,650 --> 00:04:52,770
any of my web browsers as that longer address, it'll resolve to our 10.0.9.4 address.

61
00:04:52,770 --> 00:04:55,980
But most people don't look up in the address bar as often as we should.

62
00:04:56,790 --> 00:05:06,720
So this number, that 167774468, resolves to that 10.0.9.4 address and takes

63
00:05:06,720 --> 00:05:11,160
people unwittingly to our internal phishing server.

64
00:05:11,760 --> 00:05:17,160
And you will only be able to do this attack from a local area network that allows people to surf to

65
00:05:17,160 --> 00:05:23,280
that 10.0.9.4 address, so you can do it safely from your computer, from one IP address or one

66
00:05:23,400 --> 00:05:29,580
virtual machine to the other, like from your Windows box or Android box to this Kali Linux server.

67
00:05:29,790 --> 00:05:35,880
But you won't be able to send somebody on the public Internet, somebody on a different network, at

68
00:05:35,880 --> 00:05:42,090
a different school, at a different organization, because thank goodness we're blocked by our Internet

69
00:05:42,090 --> 00:05:43,570
service provider from doing that.

70
00:05:44,310 --> 00:05:45,210
To do that,

71
00:05:45,640 --> 00:05:53,640
well, attackers will set up a full server running someplace on an IP address or get a dynamic IP address

72
00:05:53,970 --> 00:05:57,900
and then send out phishing emails like this in targeted attacks.
73
00:05:58,530 --> 00:06:01,320
But we are not bad attackers.

74
00:06:01,320 --> 00:06:03,000
We are ethical hackers.

75
00:06:03,000 --> 00:06:05,640
We will not send this outside our network anyway.

76
00:06:06,210 --> 00:06:12,330
And you only want to use this to do training inside your own network or to show your friends and family

77
00:06:12,360 --> 00:06:14,820
how easy it is to fall for an IP address

78
00:06:14,820 --> 00:06:18,630
that looks correct but takes them to a phishing server.

79
00:06:19,230 --> 00:06:25,320
And the way we got people to click through to that phishing server was just by crafting an email using

80
00:06:25,320 --> 00:06:32,550
a real email from a social network and changing all of those URLs to our http://www.facebook.com@

81
00:06:32,550 --> 00:06:43,140
and then the IP address of our Kali Linux box as a decimal

82
00:06:43,140 --> 00:06:43,710
integer.

83
00:06:44,280 --> 00:06:49,560
And we just had to do that for every single one of the links in this email so that it looked convincing.

84
00:06:50,070 --> 00:06:56,730
But it is devastating how powerful these spear phishing attacks are in an organization, to family,

85
00:06:56,730 --> 00:06:57,480
to friends.

86
00:06:57,750 --> 00:07:03,840
If you've got an older family member who's susceptible to scams, you need to show them that this is

87
00:07:03,840 --> 00:07:06,450
possible and tell them never to click through this link.

88
00:07:07,050 --> 00:07:12,600
They always need to type out www.facebook.com directly in their browser window to make sure

89
00:07:12,600 --> 00:07:14,460
that they get the right address.

90
00:07:14,460 --> 00:07:17,840
Don't click through any suspicious link ever in an email.

91
00:07:18,750 --> 00:07:23,580
We'll talk a little bit more about how to avoid, how to spot and stop phishing in

92
00:07:23,580 --> 00:07:25,470
the next lesson. It's a little bonus.
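The disguised link the lesson walks through (a real-looking domain placed before the "@", a bare decimal integer as the host) can be unmasked by parsing it the way a browser does. This is an added Python example for training or link-checking, not code from the course or from the Social Engineer Toolkit; it assumes the lesson's decimal value 167774468, which expands to 10.0.9.4, and the two sample links are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample links: the lesson's disguised link and the genuine login page.
DISGUISED = "http://www.facebook.com@167774468"
GENUINE = "https://www.facebook.com/login"


def numeric_host_to_ipv4(host: str):
    """Expand a single-number host (decimal or 0x-hex) into a dotted quad.

    Returns None when the host is an ordinary name or not a 32-bit number."""
    if host.isdigit():
        value = int(host, 10)
    elif host.lower().startswith("0x"):
        value = int(host, 16)
    else:
        return None
    if value > 0xFFFFFFFF:
        return None
    return ipaddress.IPv4Address(value)


def analyze_link(url: str) -> dict:
    """Report where a link really connects and which deception tricks it uses."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    flags = []
    # Everything before '@' is userinfo; the browser ignores it when connecting.
    if parts.username is not None:
        flags.append("userinfo before '@': %r is not the host" % parts.username)
        if "." in parts.username:
            flags.append("userinfo looks like a domain name (lookalike trick)")
    real_host = host
    addr = numeric_host_to_ipv4(host)
    if addr is not None:
        real_host = str(addr)
        flags.append("numeric host %s expands to %s" % (host, real_host))
        if addr.is_private:
            # Matches the lesson: such a link only works inside the local network.
            flags.append("destination is a private (LAN-only) address")
    return {"real_host": real_host, "flags": flags, "suspicious": bool(flags)}


if __name__ == "__main__":
    for link in (DISGUISED, GENUINE):
        print(link, "->", analyze_link(link))
```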