Phishing attacks are SCARY easy to do!! (let me show you!) // FREE Security+ // EP 2

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
it is terrifying how easy it is to do a phishing attack or a fishing hack so easy that i'm gonna show you how to do it right now we're going to hack the ceo of network chuck coffee bernard hackwell he won't even see it coming we're going to build a fishing attack from the ground up from building the fishing website holy crap look at that descending the phishing email it's going to be awesome and real quick disclaimer this is for educational purposes only never do this to anyone for any reason at all unless you have permission and a massive shout out to the sponsor of this video this is it.io this is it is more than a membership it's a mission i'm working with creators like david bomble and jeremy chara we're creating free content low cost content because we believe that i.t education should not be expensive and that's our goal to create amazing content that's accessible to you so consider partnering with us this is it.io we actually just launched a free tier which gives you a ton of amazing free courses and access to a discord community that we just launched and it's awesome get in there ask questions get help get support anyways start hacking so my first phase in hacking bernard hackwell is i want to gain access to his linkedin profile and the easiest way to gain access to his profile is to find out what his credentials are i need that username and i need that password but how do we get it well we're going to trick him of course social engineering here we go this stuff is so fun watch this and you'll get to do this right now which is crazy step one is setting up a fake linkedin webpage and it's going to look just like linkedin it'll have a username field it'll have a password field and then when bernard enters his credentials on this fake webpage we'll be right there listening setting up this fishing page and trying to get bernard's credentials for linkedin this is called credential harvesting one of many social engineering attacks so now let's set the sucker up and again it's super easy watch this to do this attack we're going to use linux now i have kali linux a linux distribution for hacking but you can use other common linux distros like ubuntu to do this attack now here we go i'm going to launch my terminal and we're going to use the command git clone now if you don't already have git installed just sudo apt install get and get it anyways so i'll use a command git clone and we're going to clone this tool called black eye it's a tool that's been around for a while but it's still awesome now real quick disclaimer this is for educational purposes only for you to see how easy this is so you can prepare and protect yourself and also with permission you can mess with your friends and family whatever let's keep going now i've got the link down below but you can just take this url copy it and we'll paste it right here and go it's going to clone that tool and done so from here i'm going to cd into black eye or change directory into my black eye folder that we just downloaded and if i hit ls it'll list the files i have in there all we have to do is run this script right here just like this we'll type in sudo space dot forward slash black i dot sh you ready put in your password and okay we're on our way now first we have to choose what type of phishing website we want to use and we have options look at this is kind of crazy right again we're doing this for educational purposes but man if you're a black hat hacker this is pretty stinking easy so i'm gonna choose linkedin which is number nine and i'm gonna hit enter and that's it i'm gonna wait for it to get going here and it's ready like the phishing website is ready to go that url right there we'll give this to bernard and watch what happens so i'll copy that link real quick fire up my web browser and go to it and you'll probably get this right here it's not working right now it's fine we'll fix it has to do with the service we're using called ngrok it requires you to have an account now this is free no big deal but we do have to set one up so we'll navigate on over to ngrok.com again completely free just sign up for a free account enter your stuff in there and once you're logged in ready to go you're gonna click on setup and installation and then right here under step two we have this command right here all we have to do is take that command copy it get back to our terminal here in cali or whatever linux distro you're using and paste that in there go that's it that issue is fixed so now let's try it again pseudospace period forward black i dot sh again number nine for linkedin and we wait for it to build okay so now when we take this url right here and we copy it and we paste it into our web browser here's what happens holy crap look at that if you saw this would you think it was anything but linkedin and then if we look back at our terminal look what happened we got some info about bernard hackwell here like hey here's his public ip address got him we got info on his web browser i mean tons of valuable information but right now we're waiting for him to log in we're just ready to pounce ready wait the trap is set and let's watch what happens bernard will go up here try to log in type in his username his password and click sign in boom now notice what happened here it took me to linkedin like try again let me get back in there try feed it's not working so well but it legit refreshed me to linkedin so i'm like i only try to get there again okay linkedin's working fine for bernard and bernard is none the wiser over here we got some information on freaking bernard we got his email address we got his password saved to our text file here how crazy is that gosh that's so cool okay in theory that's pretty stinking cool but then how do we get bernard to click on that link easier said than done right we have to somehow get that link to him make him click on it and make him try to log in give him a reason to and that's phase two of our attack phishing emails this phishing email will craft to make it look like it's coming from linkedin like you might say hey bernard you got a really important message from a colleague it's a it's an emergency click on this link now to log in and check it and we'll make it look like it came from linkedin like it'll be legit that's a phishing email no it doesn't have to be an email it could be a uh it could be a text which we call a smishing attack the s standing for you know sms so that text we send him could be the same thing it's from linkedin hey click on this link and we have that link there and it's those are more dangerous i think because we're used to defending ourselves against emails right don't click on links and emails unless you can verify where the email's coming from but texts are different you see most people are not concerned about viruses on their cell phones so clicking on links is not doesn't really occur to them that's a big deal and it doesn't even have to be a text it could be a phone call we call these wishing attacks because you know the v stands for voice so wishing we could call bernard up pretend to be linkedin say hey bernard i need you to go log into linkedin here use this url to login to secret login and uh just put in your username password cool gotcha okay thanks bernard that's all i needed but you know what i say we go old school let's go the email route now typically a phishing email is like going out to lots of people like a mass email like if i didn't care whose linkedin credentials i got i would just send a bunch of phishing emails out to everyone with my url saying hey log into your linkedin you got a message that'd be a typical phishing email attack but i don't want just anyone i want bernard i want bernard's information so when i target someone specifically with a phishing email that's called a spear phishing attack very nautical themed here but the idea is that fishing traditionally you'll be using a net just trying to catch whatever whatever person you can get whereas spear fishing you kind of have someone on target you're going to throw that spear the gun i don't know how spearfish do you spearfish let me know below if you spearfish anyways so spearfishing is when i focus on one individual one target i have in mind bernard and even more so this attack goes further because i'm targeting not just anyone not just a regular guy not a barista not a clerk i'm targeting the ceo of network chuck coffee the highest guy in the company now when hackers target important people in a company people who have influence and power this is called whaling bernard's my whale i'm going to get them so here we go now sending a phishing email is also pretty easy now we're going to use linux again i'll be using cali and we're going to use the social engineering toolkit or set that will come pre-baked on kali linux so that's why i always recommend that here we can do a lot but we're gonna stay focused we're gonna send a phishing email let's do it so option one social engineering attacks we're gonna send the mass mailer attack so i'll choose option five now again if i were just doing a regular phishing attack it'd be yeah let's do a mass mail i'll send it to everybody but no we're doing one single email address we're doing a spearfishing attack more specifically a whale because bernard is a whale so we're gonna choose option one gonna send that to bernard.hackwell gmail.com so in this case you would have to at least know your target's email address enter you can choose to use your own smtp relay or you can just use your gmail account i have a another gmail account i can use i would recommend a fresh gmail account one that you don't normally use so here we go gmail i'll enter my credentials i'm going to show you this i'll say it's from linkedin messaging that'll be the from name and then my gmail password and then some other information attach file no you could attach a file blah blah blah in the email subject this is important because i want to make bernard click on this i'll say important linkedin message that's that's good enough right html or plain i'll just do plain for now and i can enter the body of the message this is where i can put the link in right here so i'll say hey bernard you received a message from let's just make up a name richard it's been marked as urgent check it now and we'll put our link in so i need to set up our attack once more with black eye so i'll do that real quick because it's so stupid easy nine for linkedin cool we got our link i'm just gonna paste that sucker in my fake email get back to my other terminal here and paste then i'll type in all capital end to end this then end once more and i believe it's sending right now yeah it's done it sent it cool so now let's go see if bernard got the email yep there it is right there hey bernard you received a message from richard it's been marked as urgent check it now and i'm like yeah i should check this now the link it looks kind of fishy right you could change that you can change the way it looks but bernard doesn't care it's an urgent message let's check it let's get logged into linkedin right now and of course right now i just got a ton of info on who this bernard guy is and when bernard logs in it takes him to his homepage and he has no idea that i just got his username and password i got him man i gotta now what i just showed you is just one way we could do this we can get even trickier like maybe in that phishing email i don't have a link maybe i have a file that he has to download i'm like hey bring out download this file it's from richard maybe it's a word document but in this file is actually some malware some malicious software and for this case i wanted to do one thing i wanted to mess with this computer's host file pop quiz where does the host file live on windows comment below the host file will override dns on your system so typically bernard when he types in linkedin.com his computer will ask the dns server its dns server hey where does linkedin.com live and the dns server will reply with an ip address and the computer's like cool i know how to get there let's go but bernard's computer will look in the hosts file first before it asks a dns server where certain things are if we can mess with that file we can control where things live for bernard so for example i can make linkedin for bernard go to a different ip address save that file and when it goes to linkedin.com it goes somewhere else to my halloween thing here i'm going to activate that real quick scare my kids now this is obviously not linkedin but just like we did with our fishing webpage we can make a site that looks just like linkedin and every time bernard types in linkedin.com it takes him here this is often referred to as dns poisoning because we're poisoning the dns and this is the most simple way to do it just messing with a host file you can actually hack a dns server we'll get to that stuff later and as far as fishing goes this technique is called farming ph farming and essentially that's what we just did we set up a fake website and we poisoned the dns in this case bernard's computer his host file to always go to our fake website even when he's typing in the legit domain name this is nefarious because you think you're being safe like i know when i check my email whether it's spam you know unsolicited email coming to me or a legit phishing email if i got a link in there tell me to check my account hey check your bank account hey check this i never click that link i will go to a new tab log into my bank account the same way the normal way i always do and that way i know i'm safe but if someone hacked my dns and someone poisoned my dns or i downloaded malware and they changed my host file i may not even be aware of that happening so yeah we successfully hacked bernard hackwell didn't even see it coming so now the question is how do you avoid the pitfalls that bernard hackwell has fallen into how do you keep yourself safe from phishing attacks the biggest thing you can do for you and your company is make sure you have some good spam filters spam is any email that's just unsolicited meaning you didn't ask for it you don't want it who is this person sending me this email i don't even know who you are i mean we're used to that stuff right we get it all the time and where does it normally go it goes to our spam folder and that's fantastic so if you use any kind of modern email system gmail yahoo maybe or just your corporate email you're gonna have a spam folder and stuff you don't really care about goes there and that's good now sometimes it doesn't hackers do get smarter like the way we crafted the email today wasn't very sophisticated but hackers do get crazy which brings me to my next point just be careful about clicking on links or maybe you don't even click on links don't click them don't download them if you receive a notification of a secure message from your bank or something just go log into your bank you'll find it just like that easy enough because you never know now sometimes we have to click on links i get it so when you're looking at your email make sure it's from a reputable source you can open up the header like in gmail here you can look at the information see who it's from so like bernard got an email from this is it you can see most of the information here most important part is down here this is an encrypted message it's from teachable just make sure it's from a verifiable source someone you know or a company or service you know and then lastly realize it's not just email we talked about earlier how you can get text with links in it like right now i'm getting spam over text like crazy because of the election vote for this person vote for this person you gotta consider this but for this person through texting how do they even get my number and some of these texts could be legit phishing trying to get me to do something try to steal my credentials could be a phone call vishing and by the way texting was smishing and it could even be instant messaging i mean facebook messenger any kind of im app you can get spam on that it's actually called spim when it's on a instant message like that spam for instant message and also keep in mind this it's not always going to be one type of attack they may not always be using a credential harvesting attack just trying to get your username and password they could trick you into doing all kinds of stuff social engineering is amazing it's terrifying because again they're hacking the human brain the human os and in some cases actually let's be honest in a lot of cases it's not too hard to do so for example maybe i don't want bernard's credentials maybe i'm going to use a phishing email a spearfishing email and maybe i'll pretend to be one of his vendors maybe one of his coffee vendors like hey um this is homebrew coffee and uh i've got an m voice i need you to pay because maybe through some reconnaissance i researched bernard hackwell and and network chuck coffee and i figured out who their supplier is we covered that in the last video anybody can be a hacker just gathering information being a snooping person on social media and with that info i crafted a phishing email saying hey i'm i'm john from homebrew coffee and i got this invoice i need you to pay click the link go ahead and put your payment information in and i'll accept your payment that happens man that happens all the time invoice scams are legit and most the time especially when you're not tech savvy or maybe you're not even thinking about it you're just working and you get an email from a supplier you recognize and they say hey i need to pay this invoice you're like oh crap i thought i paid that and you feel bad maybe they make you feel bad about it they prey on your emotions so you click on it you go pay that then you're done they have your bank information they might drain your account they can do all kinds of stuff phishing attacks i told you i told you they're pretty easy to do and what we did here is pretty basic but even though it's basic it could fool a lot of people but they do get more sophisticated now again what i showed you here do not use on anyone this is for educational purposes only i'm not sure you can play around with this mess with your family and stuff with permission again permission's key here but i showed you this so you can be aware of the types of attacks that we could face and that it doesn't take a genius a hacking genius to do these attacks it could be a kid in his basement playing around so what you could do with this is again make sure you know and you're looking out for phishing scams and phishing emails and spim and spam and bushing and smishing and all these crazy words but also educate your family maybe older folks in your family who they let's be honest a lot of our grandparents have iphones now so we get calls all the time hey how do i do this how do i fix this make sure they're educated on how to protect themselves against phishing scams say hey grandma don't click on anything please ever under any circumstances do not click that link don't answer phone calls and give information away don't do any of that that's who these people target alright that was episode two of our security plus course a course i'm working on with jeremy chara and david bomble it's gonna be amazing i can't wait for you to see more of this and if you also can't wait because we're releasing a video each week one video but we're also making videos much faster than that so if you want to see more consider joining this is it.io it's more than a membership it's a mission when you join that mission you're helping myself david bomble jeremy chara produce as much free or low-cost content as we can to give to people like you and of course there's perks you get access to our stuff before we release it for free on youtube and you also get community we have a discord community people are already in there helping each other out learning trying to make themselves better building new careers so consider joining we have a free tier which means go in there and just hang out some awesome free courses and then of course if you want the extra goodies or support us in any way you can upgrade and hey if you like this video hit that like button it does help and if you like what i'm doing here on this channel if you want to learn more about hacking or networking or anything i t if you want to watch me geek out and get over caffeinated every day yeah consider subscribing hit that subscribe button hit that notification bell so you can be like ready when i post a video and speaking of linkedin if you want to follow me on linkedin i'm there instagram facebook twitter and of course join my discord server oh yeah that's all i got let me know in the comments below what you think and i'll catch you guys next [Music] time [Music] you
Info
Channel: NetworkChuck
Views: 1,451,701
Rating: undefined out of 5
Keywords: phishing, phishing attacks, spear phishing, vishing, security+, pharming, spam, spim, whaling, credential harvesting, invoice scams, security+ sy0-601, security+ sy0-501, free security+, sy0-501, sy0-601, hacking, ethical hacking, blackeye, black eye, comptia free security+ course
Id: u9dBGWVwMMA
Channel Id: undefined
Length: 17min 54sec (1074 seconds)
Published: Wed Oct 28 2020
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.