How Phishing Attacks Are Carried Out, and How to Protect Yourself and Your Company

Osman Kandemir
7 min read · Feb 9, 2024

NOTE: Hi there, this blog post has been written for the purpose of education and raising awareness about information security. It is essential to use the authorized, legal methods (White Box Test, Grey Box Test, Awareness Simulation) mentioned in this post. Our main focus is on the security advice section. Be sure to read that part.

Introduction

Cyber criminals prefer phishing attacks to technical attacks because they give quick and simple results. In this post I will try to explain how cyber criminals prepare phishing environments and how we can prevent them.

Sections

  • WAN to LAN Phishing with bl*cke**.
  • Phishing Attack with NodeJS.
  • Browser In The Browser (BITB) Attack.
  • Phishing Attack with Evil SSDP Server
  • Browser Exploitation Framework BeEF
  • Malicious Phishing Moves
  • Personal Security Tips
  • Corporate Security Tips
  • How are Countermeasures Taken Against Phishing Attacks?

WAN to LAN Phishing with bl*cke**.

Cyber criminals can use a phishing tool or create their own custom tools. The following tool is a sample. I cannot show the templates, out of respect for privacy and the brands involved.

After selecting a phishing template in this tool, cyber criminals start a tunnel from the WAN to their LAN with the help of the n*rok application. (Figure 1)

Figure 1: Phishing Tool

As seen in the figure, the cyber criminal has created a phishing page. (Figure 2)

Figure 2: Sample Phishing Web Site

As a result, the cyber criminal may capture a target’s information. (Figure 3)

Figure 3: Result

Phishing Attack with NodeJS

You must not forget that cyber criminals can obtain information with the help of JavaScript and frameworks, without any login action. (GIF 1)

GIF 1: Phishing Attack with NodeJS Simulation

As an example, cyber criminals may use the NodeJS simulation shown above.

An NPM library that can be misused for this purpose:

https://www.npmjs.com/package/node-iframe-replacement

Browser In The Browser (BITB) Attack

This attack type opens a pop-up window after the victim lands on a URL that appears reliable. Cyber criminals generally imitate quick-login pop-up web pages (such as Google Sign-in and Microsoft Sign-in) for this attack method.

The simulation is shown in GIF 2.

GIF 2: BITB Attack Simulation

Phishing Attack with Evil SSDP Server

In this attack type, the cybercriminal hooks target people by installing an SSDP server on the network.

The cyber criminal installs an SSDP server as shown below. (Figure 5)

Figure 5: Fake SSDP Server

Cyber attackers can use social engineering to make targets click on the SSDP server. (GIF 2)

GIF 2: Phishing Attack with Evil SSDP Server Simulation

The cyber attacker may capture usernames and passwords as shown below. (Figure 6)

Figure 6: Result

Browser Exploitation Framework BeEF

Figure 7: BeEF Browser Exploitation Framework Interface

BeEF is built to take control of a target’s browser and perform malicious activities through the JavaScript and Ruby programming languages.

Since this section has a lot of content, only the source is indicated. (Source 13)

Malicious Phishing Moves

  • Cyber attackers may bypass e-mail service security by hosting their content on platforms such as Google Drive, Google Docs and Dropbox. This undermines the reliability of the security controls. (Figure 7, Figure 8)
Figure 7: Malicious Email
Figure 8: Malicious Email Content
  • You can refer to Source 8 for fake Zoom meetings and calendar phishing.
  • Cyber attackers increase credibility by purchasing a specific domain.
  • Cyber attackers may use link shortening services (goo.gl, bit.ly, ow.ly, tiny.cc, tinyurl.com, is.gd, bl.ink, sniply.io, t2mio.com, cutt.ly, rebrandly.com etc.).
  • A cyber attacker can use 301 and 302 HTTP(S) redirects to send the visitor from inside a trusted web page to a phishing web page.
  • A cyber attacker can use an SSL certificate to increase the credibility of a phishing web page.
  • After the phishing attack, the cyber attacker can redirect the page to the original web page, which further increases credibility.

Moreover, cyber attackers can use sites like https://webhook.site/.

https://webhook.site/ is a free service that can be used to capture data from web applications. By using HTTP request methods such as GET, HEAD and POST, webhook.site can capture data and send it on to a web application. (Source 7)
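A defender-side check for the link tricks listed above (shorteners, look-alike domains, brand names used as subdomains), as an added example that is not part of the original post. The shortener list comes from the bullet above; the homoglyph table, the simplified registered-domain logic and the sample links are my own constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Link shorteners named in the post; they hide the final destination of a link.
SHORTENERS = {"goo.gl", "bit.ly", "ow.ly", "tiny.cc", "tinyurl.com", "is.gd",
              "bl.ink", "sniply.io", "t2mio.com", "cutt.ly", "rebrandly.com"}
# Character swaps look-alike domains rely on (constructed subset of what dnstwist enumerates).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}

def registered_domain(host: str) -> str:
    # Simplified: the last two labels (ignores multi-part suffixes such as co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def normalise(label: str) -> str:
    # Undo the common look-alike substitutions so 'examp1e' compares as 'example'.
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance: one typo away from the brand is still a look-alike.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_url(url: str, brand_domain: str) -> list:
    """Reasons a link deserves a second look before it is clicked (empty = nothing found)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    brand_reg = registered_domain(brand_domain)
    brand_label = brand_reg.split(".")[0]
    reg = registered_domain(host)
    findings = []
    if reg in SHORTENERS:
        findings.append("link shortener hides the final destination")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("raw IP address instead of a hostname")
    elif reg != brand_reg:
        label = reg.split(".")[0]
        if normalise(label) == brand_label or edit_distance(label, brand_label) <= 1:
            findings.append(f"look-alike of {brand_reg}: {reg}")
        elif brand_label in host.split("."):
            findings.append(f"brand name used as a subdomain of {reg}")
    return findings
```

Run it over the links in a suspicious mail, e.g. `triage_url("https://login.examp1e.com/reset", "example.com")`, and treat any non-empty result as a reason to verify the link out of band.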

Personal Security Tips

  • NordVPN CyberSec can be used to help mitigate phishing threats, but it is crucial to understand its limitations.
  • Exercise caution when encountering complex URLs.
  • If you receive an email with an attached file, you can scan it with an antivirus.
  • Cyber criminals may perform DNS hijacking attacks for phishing scenarios on the local network.
  • The X-Forwarded-Host HTTP header can be abused for a malicious move in a phishing scenario. (Source 9)
  • Suspicious encrypted files must be detected, and countermeasures must be taken. (Source 10)
  • Approach tempting or unusual links with suspicion, no matter how enticing they may seem, for example discount coupons, free holidays, password change requests etc. In summary, the only free cheese is in the mousetrap.
  • An open source machine learning application, such as the following one, can be used for phishing attack detection. (Source 15)
  • Tracking the sites that host phishing web applications can be beneficial. There are sample links below.

Link: https://www.usom.gov.tr/adres
Link: https://phishunt.io/

Corporate Security Tips

  • Company cyber security experts should conduct security awareness simulations and provide follow-up training based on the results.
  • Experts should also add POP/IMAP and SMTP scan policies (Data, File and Malware Protection sections) on firewall or e-mail gateway security products, so that the rules can be hardened.
  • Phishing attacks should also be investigated in new-generation SIEMs and EDRs. (Source 6)
  • Applications that detect possible phishing sites impersonating the company’s domain names or subdomains can be used, for example the following one.

Link: https://dnstwist.it/

  • Requests from similar domains, as seen in applications such as Google Analytics and other performance analysis systems, should be examined.
  • Cross-links should also be applied between different pages of the web site. This method improves the accuracy of search engine results for the company’s web application and will reveal situations that let a person targeted by a phishing attack recognise and ignore it.
  • The company should also create recognizable or distinctive visual elements to protect against phishing attacks and strengthen the company’s brand identity.
  • Cyber security analysts should be able to block phishing attacks using on-premises applications such as Email Gateway Security, XDR, NDR, CTI applications etc. After that, they should stay updated on current phishing events and be able to detect IoCs.
  • Cyber security experts should be able to analyze current cyber security events and protect corporate digital assets by utilizing the strategic intelligence, fraud intelligence and phishing monitoring modules offered by cyber threat intelligence applications.
  • If there are SMTP vulnerabilities, they should be addressed; hardening rules should also be implemented.
  • SPF, DKIM and DMARC should also be used together. (Source 14)
  • The company’s favicon hashes can be searched on websites such as shodan.io, fofa.info, hunter.how and zoomeye.org after the favicon.ico hash is taken from the company website. (Source 11)

Sample shodan.io query: http.favicon.hash:857403617 country:TR

Replace 857403617 with the hash of your own company web site’s favicon.ico.
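A small audit of the SPF and DMARC TXT records mentioned in the tip above, as an added example that is not from the post or Source 14: it reports the weak settings (p=none, pct below 100, no rua address, "+all" or "~all", more than 10 DNS lookups) that leave a domain spoofable. The record strings in the usage are constructed samples.

```python
def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record: str) -> list:
    """Return the weaknesses of a DMARC record (empty list = enforcing policy)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        issues.append(f"p={policy or 'missing'}: spoofed mail is still delivered or only quarantined")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: policy is applied to only part of the spoofed mail")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports about spoofing are never received")
    if tags.get("sp", policy).lower() != "reject":
        issues.append(f"sp={tags.get('sp', policy)}: subdomains can still be spoofed")
    return issues

def audit_spf(record: str) -> list:
    """Return the weaknesses of an SPF record (empty list = strict and within limits)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        issues.append(f"'{last}' lets any host send mail as this domain")
    elif last == "~all":
        issues.append("'~all' only soft-fails unknown senders; use '-all' once DMARC is enforced")
    elif last != "-all" and not last.startswith("redirect="):
        issues.append("record does not end with an 'all' mechanism")
    # Mechanisms that cost a DNS query; RFC 7208 allows at most 10 per evaluation.
    dns_terms = [t for t in terms if t.lower().lstrip("+-~?").split(":")[0].split("/")[0]
                 in ("include", "a", "mx", "ptr", "exists") or t.lower().startswith("redirect=")]
    if len(dns_terms) > 10:
        issues.append(f"{len(dns_terms)} DNS-querying terms exceed the limit of 10 (permerror)")
    return issues

# Constructed samples: the weak record beside the one you actually want published.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
```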

How to Take Countermeasures Against Phishing Attack Types?

To Prevent NodeJS Phishing Attacks

  • Information should not be entered into form fields on a page with a complex or unusual URL.

To Prevent BITB Phishing Attacks

  • It should be checked that a pop-up login window can be moved outside the existing web page.
  • Updated browsers should be used.

To Prevent SSDP Phishing Attacks

  • Care should also be taken after clicking on machines that appear as SSDP servers in network connections. The cyber attacker can perform a phishing attack using a printer name, a modem/router gateway name, or the name of any device that works with UPnP. Footnote: the definitive countermeasure for the SSDP protocol is to close port 1900, but this method is not recommended because it will affect other applications that use this protocol.

If you discover a creative precautionary method, you can contact me.

To Prevent BeEF Browser Exploitation Framework

  • Script-blocking applications can be used in browsers, e.g. NoScript or uMatrix. However, it is recommended to run static tests of the applications.
  • Up-to-date and the most secure browsers should be used.
  • An antivirus with browser access should be used, e.g. Malwarebytes Browser Guard.

The above applications can be deployed with the help of System Center Configuration Manager (SCCM) on enterprise operating systems.

Other phishing attack tools include:

Soc*aph*sh, Shell Ph*sh, Zph*sher, K*ng Ph*sher, Blackph*sh, Ghost Ph*sher, H*dden Eye.

Stay Safe. Stay Curious. Stay White.

Sources

1-https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

2-https://www.kaspersky.com.tr/blog/browser-in-the-browser-attack/10654/

3-https://mrd0x.com/browser-in-the-browser-phishing-attack/

4-https://www.expressvpn.com/blog/dns-address-hijacking-explained/#ways-to-prevent-dns-hijacking

5-https://zvelo.com/phishing-detection-in-depth/

6-https://www.linkedin.com/pulse/phishing-ve-apt-tespiti-ama%C3%A7l%C4%B1-%C3%B6rnek-siem-kurallar%C4%B1-huzeyfe-%C3%B6nal/?originalSubdomain=tr

7-https://infosecwriteups.com/create-a-simple-phishing-website-and-a-javascript-keylogger-9bcafbe6ffda

8-https://osman-kandemir.medium.com/how-do-hackers-hacks-pc-or-phones-camera-with-the-help-of-fake-online-meetings-security-tips-f033c147c27e

9-https://medium.com/@reddysarath344/how-phising-attacks-can-takeover-accounts-using-password-reset-poisioning-attack-cf0985a2b6d3

10-https://detect.fyi/detecting-html-smuggling-phishing-attempts-15af824e60e4

11-https://medium.com/system-weakness/how-to-find-phishing-websites-with-favicon-hash-ebbd42390621

12-https://medium.com/@liquidloans/what-is-a-cloning-attack-and-how-to-protect-yourself-da36e521b15

13-https://www.youtube.com/watch?v=MVBCM1ke1bo

14-https://cipher.com/blog/phishing-protection-spf-dkim-dmarc/

15-https://github.com/philomathic-guy/Malicious-Web-Content-Detection-Using-Machine-Learning
