EMAIL and SMS Phishing attacks | Avoid Being Hacked

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

a few weeks ago a hospital near my house decided to hire a penetration testing company and they launched a fishing campaign against this specific Hospital one time through a text message and then also through emailing and about 80 percent of all of the employees at this specific Hospital clicked on the link this is why I'm regularly telling you not to click on any links unless you know who sent it to you and you trust them and then you know where that specific link is going to take you today I'm going to be showing you two really simple social engineering Tools in order to create phishing emails so you can spoof your ID and say it came from Google or Yahoo or really anyone that you want and then I'm also going to show you how to create custom URLs suddenly whenever you send this link to somebody it looks like it is from a legitimate Source the reason I'm making this video is because I regularly am hearing from people who have been hacked by clicking on something they should not have whether it is my family my friends or somebody through an email so I want to make this video to show you just how easy this is and why you need to be cautious from we're clicking on any kind of Link or trusting any kind of data that has been sent to you now before we start I want to tell you that it is illegal to send any kind of text message or email to anybody without their permission let's go ahead and jump into this so the first thing we're going to do is open up a terminal and you should already have this installed if you're using Kali Linux which is what I am using it is just social engineering tool kit just like this and you can hit enter I think we have to run this with sudo which we do so we can go up Ctrl a sudo and then type in our password and it's going to ask us to read this in terms of service I have read this in the past and basically it says don't do anything illegal with this or the people who make this tool are not responsible so we'll say yes and enter so now it's going to say what do we want to do with this we want to use social engineering attacks so we'll go ahead and type in one and then we're going to use website attacks for the sake of this video so we can hit 2 and then we want to create a credential harvesting attack so we want to get the credentials from a potential user so we will tell it three and then we want to use a website template instead of creating our own website for the sake of this video which is going to be number one and then it is going to use our IP from our computer so you don't even need to run ifconfig it is going to automatically run it so we can copy this paste it in and that's going to be the UR URL that we're going to use and which template do we want to use you can use Twitter Google or Java required we're going to use Google because it's really common most people have a Gmail account so we can go ahead and hit number two and then it's going to tell us that this is working so we have credential Harvester is running on Port 80 which is going to be HTTP which can be a problem if your user is paying attention because it's going to say not secure up in the URL but we're going to go ahead and run this anyway so we're cloning the website of google.com so I want to show you what this looks like so if we open up a Firefox we're going to be brought to Google now all I have to do is paste in my IP address and hit enter and you're going to see what happens this looks like the Google login website so if I make up my email and I just want to say got gmail.com and then my password is going to be hacked and I go ahead and click sign in and it's going to go ahead and forward us to the actual Google website right here so we are on the real Google website now and it's going to say it sign in over here because it actually didn't work for us but if we come back over to our terminal it's going to tell us the possible username is got email.com and password is hacked which is exactly what I typed in now what's going to happen in most cases is if you come up here and you send somebody a link that is just this IP address they are not going to click on this and if they come in here and they see this IP address they're going to go okay this is not Google so what you want to do is go out to Google itself and you can just type in url shortener I really like tinyurl because if you create a account and you actually pay for it you are able to spoof your url instead of just typing in your URL and then having it give you something back so I'll give you an example shortened URL is probably the easiest if you're not going to make an account you just put in your link which is going to be our IP address and you type in shorten URL and it gives us this URL right here and you can now copy this and this is what you would send in your email or your text message but this doesn't really look very good because it says short url.com who's going to click that so that's why if you were to use this in a real penetration testing engagement you'd want to create a custom URL for your Target so you would actually want to make an account you're going to have to pay for it and then you'll be able to create a custom URL that is going to look like google.com or whatever you are trying to spoof so now if we come back over here instead of using our IP address we can we can paste in our shortened URL and it brings us back over here so it still gives us the IP address up here but the link that they're going to click on is going to be this one right here so if you send this to them in an email short URL it's still going to look kind of fishy so what you'd want to do is create an account it's going to have to be a paid account and you would spoof google.com so it looks like when they're ready to click on the actual page or the actual link it would be more believable than just short URL and then then it will bring you them back to this page and we already saw how this worked so if you wanted to you could take this link right here and you would just create an email and you would send it to them and you could spoof it that way or you could use a text message which is really becoming the more popular way to spoof people or to fish in order to try and get credentials so I want to show you how this works subtle you know to avoid it and just how easy this can be so we're going to be using octopus you're going to need to create an account I already have an account and you will need to log in so I'm going to go ahead and log in and then I'll bring you back all right now that we are logged in we're going to have some free credits right here we have five free credits and we're going to start a new campaign and I want to show you just how easy this can be we're going to use a text message so we'll use SMS and you would type your message right here so it'd be like check your Gmail and then you could paste in our shortened URL right here and this is what it's going to look like when it sends it to them and we want to change our sender so who is sending this to them we can say Google is sending them this text message and then the contact we want to send this to we're going to click keyboard and in here you're going to enter your phone number so I'm going to enter in my phone number and send this to myself because I give myself permission to send this text message and now we should be able to send this to ourselves so it should look like this it's from Google we're going to check our Gmail and by clicking that site and it will take us to our malicious link so now we should be able to send this by clicking confirm right here it's going to ask us do we want to go ahead and send this and we're going to say yes because we're wanting to send this to ourselves and we are brought to this page right here and it says the campaign was a success meaning that it has sent that text message to me and you should receive a text message that looks something like this right here and if we were to click on it it's going to go ahead and open up that fake Gmail page and asking for a login and a username and if you enter those then it will be sent to us and in our terminal so I just made this video because I wanted you guys to know how easy this really is and if you're going to be a penetration tester this can be really useful for you if you're allowed to use a fishing inside of your penetration testing Rules of Engagement and if you don't have consent and they're not in the Rules of Engagement then you should not use this it would definitely be considered illegal so with that go ahead and let other people know not to click on links that they do not know where they came from or who it is sent from thanks for watching

Info

Channel: Ryan John

Views: 48,822

Rating: undefined out of 5

Keywords:

Id: xRwe4aDRMJ8

Channel Id: undefined

Length: 7min 42sec (462 seconds)

Published: Wed Jun 14 2023