Demystifying Phishing Techniques

Discover the inner workings of phishing techniques, as I delve into the techniques employed by cyber criminals. Make sure to read the Techniques used by Malicious Actors for Email Phishing at the end….

Phishing has become a widespread cyber threat that has been affecting individuals and organizations worldwide.

When it comes to Phishing, Email Phishing is the most common technique for a malicious actor as emails are considered to be the most formal communication technique and any email received is viewed with utmost importance which helps the actor.

Parts of an Email

Now there are mainly three parts of an Email that may help us in differentiating between a Phishing attempt and a legitimate Email.

• The Email Address : These are basically unique identifiers for individuals for communication. Format- username@domain. Example- john@gmail.com
• The Email Headers : Email headers contain information such as the sender and recipient’s email addresses, the date and time of the message, the subject, and information about the email servers involved in the message’s transmission.

To view Email Headers in detail, you need to click on the three dot More option and then select Show Original.

There are many email header fields which can be seen after viewing the original email which can be intimidating at first but is very useful for analyzing emails.

To make it easier to understand, here you will find the meaning of individual email headers -> https://mediatemple.net/community/products/all/204643950/understanding-an-email-header

Moreover, if you don’t want to analyze email headers manually, you can always use this to make it easier for you. All you need to do is paste the headers there and wait for the results.

Questions to consider when conducting a phishing analysis:

-Is the email being sent from the correct SMTP server? [You can check the Received field for this]

-Is the data for “From” and “Return-Path / Reply-To” the same?

• The Email Body : This contains the main content which the phisher may use to lure users in. The text in the Email Body may indicate Urgency, which is a very common way to make a normal user commit a mistake; a mistake as simple as clicking on a URL directly, or clicking on a picture with embedded hyperlinks, or downloading a attachment without verifying it.

Example of Urgency in Email Phishing

Techniques used by Malicious Actors for Email Phishing

1. Email Spoofing

Email spoofing is a technique which is used by a malicious actor to send an email which appears to have been originated from a trusted source. Now, how do they achieve this? They start out by gathering as much information as possible about their target a.k.a OSINT. This helps them send out a more personalised email which guarantees a higher rate of success.

First thing to do is creating an SMTP server. I am going to be using Brevo for this. After creating an account there, go to your dashboard and in the dropdown of My Company, you will see “SMTP & API” option. Click on that. Then go to the SMTP tab.

You will see 4 fields there- SMTP Server, Port, Login & Master Password. Copy all of them and keep them handy.

Now open your kali terminal and type this : sendemail -xu [email] -xp [pass] -s[server:port] -f "SENDER_EMAIL" -t "TO_EMAIL" -u "SUBJECT" -m "MESSAGE” -o tls=no (The one’s in CAPITAL are customizable as per needs. The others are the credentials which was from Brevo).

The mail received:

2. URL Shortening Services

URL shortening services are commonly used in phishing emails to disguise malicious links. Hackers can’t really stick in a suspicious looking link in their phishing emails and expect it to be clicked by their target. By shortening the link, it looks comparatively more legitimate and has a higher click rate.

Most common URL Shortening I have come across is bitly.

First off head to the bitly website and sign up. And then click on “Create New” and click “Link”.

Paste the Destination Link and Click on Create. You will have the link created.

Tip: If you ever receive a shortened link and want to know the actual destination link without opening it, add a “+” at the end of the shortened link.

3. Pixel Tracking

Pixel tracking is a technique used in phishing emails to gather information about the recipient and it involves embedding a tiny, invisible image in the email that notifies the sender when the email is opened. This allows phishers to confirm active email addresses, track engagement, and personalize subsequent phishing attempts.

Go to Google Apps Script and Create a New Project. Paste the code below.

function doGet (request){
if(request.parameter.secret != PropertiesService.getScriptProperties().getProperty("secret")){

PropertiesService.getScriptProperties().setProperty(Date.now(),"Page was viewed on "+Date());
return ContentService.createTextOutput("error image not found");

}
//var scriptProperties = PropertiesService.getScriptProperties();
//var props = scriptProperties.getProperty("propertyKey");


var props = PropertiesService.getScriptProperties().getKeys();

var finalarray = [];

for (i in props){

finalarray.push(PropertiesService.getScriptProperties().getProperty(props[i]));
}
return ContentService.createTextOutput(JSON.stringify(finalarray)).setMimeType(ContentService.MimeType.JSON);

//return ContentService.createTextoutput(JSON.stringify(finalarray)).setMimeType(ContentService.MimeType.JSON)
}

Next go to Project Setting and scroll to the bottom and add a property named secret. Add a value of your choice.

Go back to the editor and make a new deployment. Edit the “Who has access” field to “Anyone”. Then finally Deploy.

You will be presented with a link. Open it in a new tab-

To see the number of views, add a ?secret={value} at the end of the URL. [For me, it will be ?secret=password ]

Now, how do the phishers put this in an email. Well, sure, they can just paste the link in the email body and pray that their target clicks on it. But that is not at all an effective way. What would be cool is if the target just opens the email and it gets logged.

So, for this, first of all copy the URL of the log page. Then open VScode and then write the following code:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body>
    <img src="{The Link copied}" width="1" hieght="1">
</body>
</html>

Open it with a live server. You will see a completely empty webpage. CTRL+A and then CTRL+C in that page and paste it in your phishing email body. Now send it to your target. Now whenever your target opens the email, it will get logged.

That’s it for the Phishing Techniques….

Connect with me on Linkedin and let’s learn together :)

https://www.linkedin.com/in/aayush-dasgupta/

Follow me for more such articles ;)