Let’s Harvest Sensitive Credentials Using Spam Mails
Spam mails have feelings too. Please don’t Ignore them. :(
Now, we are going to do a social engineering attack by harvesting credentials from the victim. Here, we go phishing by making the victim fish and spam mail as the bait. Interesting right ??? :D:D:D:D
So, we will send a spam mail to the victim and ask him to update the password by using the link we provided in the mail which will redirect him to our google form that we created resulting a harvesting attack. So, when he give out the credentials, our harvesting credentials attack becomes successful. Then, we can steal his email and password. Pretty easy right? :)
So, before that, let’s learn what is a social engineering attack and about techniques and tools we are using. More learning, more knowledge!!!
What is a social engineering attack?
Social engineering is the art of manipulating people to give out credentials.
One of the main flaws that exist in computer system is human error. In social engineering, that is exploited and the hacker is manipulating people to reveal their sensitive details that can be used to obtain unauthorized access to the computer system.
What is Credential Harvesting ?
Credential harvesting is a technique commonly used by hackers to obtain user credentials by launching MITM attacks, phishing etc. to access sensitive data. Depending about whose passwords are exploited and if the hacker plans to monetize stolen data, password mining attacks will take many types. To attempt thousands of username/password combinations in fast succession, a typical type of attack uses “credential stuffing.” Other attacks rely on credentials from compromised websites that are “skimmed.” A phishing email that entices the victim to click a hyperlink leading to a phony login page for a famous service that the victim is known to use or might use is among the most prevalent credential harvesting attack types (e.g., Dropbox or Office 365).
What is a Spam Mail ?
Spam email sent out of bulk to an indiscriminate user list is unsolicited and unwanted junk email. For commercial purposes, usually, spam is sent. Botnets, networks of infected computers, can be transmitted in massive volumes. Spam emails are often sent for commercial purposes. While it is viewed as unethical by some individuals, many companies still use spam. The cost per email is incredibly low, and companies can consistently send out mass quantities. A malicious attempt to gain access to your computer can also be spam e-mail. Spam email can be dangerous. It can include malicious links that can infect your computer [As we do in this activity ]. Do not click links in spam. Dangerous spam emails often sound urgent, so you feel the need to act. Keep reading to learn about some of the basic spam types.
The Trouble-Maker. SEToolkit [Social Engineering Toolkit]
The Social-Engineer Toolkit (SET) was developed and written by Dave Kennedy, the founder of TrustedSec. It is an open-source Python-driven platform aimed at penetration testing around Social-Engineering.
It was discussed at conferences including Blackhat, DerbyCon, Defcon, and ShmooCon on a wide scale. It is the benchmark for social-engineering penetration testing, with over two million installs, and is widely accepted within the security community.
It has over 2 million installs in a social-engineering style world and is targeted at exploiting sophisticated technical assaults.
Most of the time this tool comes default with our Kali distribution. If not, we can have it from here.
Copyright 2020 The Social-Engineer Toolkit (SET) Written by: David Kennedy (ReL1K) @HackingDave Company: TrustedSec…
So, let’s jump into the tutorial !!!!!
First, let’s learn how the social engineering toolkit is used to build the fake login page prototype. Open the Kali terminal and type SEToolkit to start the social engineering toolkit.
As we are doing a social engineering attack, type 1 from the given list and again we get to select the attack vector types.
Here, we should give website attack vectors and then we get the list of attacking methods to select.
Select credential harvesting attack method and then we should decide whether to use a web template or clone a site or use a custom input. In this tutorial, we are using web templates.
Then we should give our internal IP address. If you want to do this remotely, use the public IP address.
Then we need to select the type of the template and as we are creating a google form, select google.
Now, we have created the google template. So, while keeping this terminal opened, go to the web browser and type the IP address and the template looks like this.
When the victim get tricked and visit our link, then he will be redirected to this template. So, when you are carrying out the attack, do not close this terminal because, all the credentials given by the victim in the template will be displayed in this terminal.
Now, we are going to create the spam mail. First, open another new terminal and again start the toolkit. Choose social engineering attack and then select mass mailer attack to create the spam mail.
Choose option 1 and then we should give the victim’s email.
Next, select option 1 to give out the e-mail which we expect to use as the sending e-mail.
Then follow the following steps and give out how the spam should be displayed. Here, you can select to send the message as a plain text or as a HTML or whether to attach any file to the mail. It’s up to you. ;)
So, finally we can see that the spam mail has been created and it has been sent to the victim. ¬_¬
So, when the victim visits the link he will be redirected to the template and when he give out the credentials, it will be displayed in our terminal as below.
Disclaimer — This method is only supported inside the network. To preform this attack on outside network you have to use other tools like ngrok. Also remember, this type is hacking is illegal and don’t test those attacks on unauthorized networks. Happy Hacking !!
Originally published at https://annedeshani.medium.com on February 1, 2021.
Written By/ Anne Deshani -3rd Year 2nd Semester -Cyber Security Student at SLIIT-
¯\_(ツ)_/¯༼ つ ◕_◕ ༽つ(*_*)☆*: .｡. o(≧▽≦)o .｡.:*☆\^o^/¯\_(ツ)_/¯