How to set up the perfect phishing attack?
What is a hacker, and how do they steal your data? Do you want to learn how they do it!?How can we use ChatGPT in Social Engineering? How to protect yourself or your company from cyber criminals? All these questions will be answered in this article, and after reading it, you can even practice your first hack! Let’s start.
Disclaimer: This article is for educational purposes only. Hacking without the consent of the company or person is illegal!
What is a Phishing Attack?
Phishing is a type of social engineering where an attacker sends a fraudulent message designed to trick a person into revealing sensitive information or clicking the malicious links to deploy malware to the victim’s electronic devices. As of 2020, phishing is the most common attack performed by cybercriminals, with the FBI’s Internet Crime Complaint Centre recording over twice as many phishing incidents than any other type of computer crime.
Social engineering has become about 75% of an average hacker’s toolkit, and for the most successful hackers, it reaches 90% or more.
John McAfee
Why is a phishing attack so important to hackers?
Today, the first step for most APT groups to start hacking is with a phishing attack.With the phishing attack, they have access to more areas with the information they receive and greatly increases the scale of the attack.In summary, we can say that the first step of a major hacking attack is a phishing attack.
How to Make a Phishing Attack?
These are the steps of a successful phishing attack;
Step 1: Finding information about the target.
Step 2: Creating a phishing page or malicious document aimed at the target.
Step 3: Finding trustworthy domain and e-mail address.
Step 4: Attack phase and harvesting results.
Soo Lets start then;
Firstly we need a server. I will use AWS for this, you can use whatever you want.
How to prepare Server:
Thanks to AWS we can set up free server.
Go to ec2
i’m going to be like to for this you can use what you want
you can connect with ec2 or ssh its your choice i will connect with ec2 for this.
Installing gophising
download gophising and unzip
vi config.json
and after that you have to change listen url to 0.0.0.0
to make it work
chmod +x gophish
./gophish
and go to url
You can find password from terminal
And our gophishing is ready.
Domain Settings
Now we need Domain Name i am going to use godaddy for this.
After you buy domain name go DNS Settings:
in this file you have to add:
your server ip
mailgun all credentials (I will explain it below)
zerossl credentials (I will explain it below)
How to configure mailgun
We choose the domain from Sendings and after that we will add new domain
DNS records can be found here. After registering the info here with godaddy. You can see if it’s working properly by Verify Dns Settings.
We will integrate the smtp credentials here with gophishing.
Create a new sending profiles and use smtp creds here. After you enter credentials you can test your mail by send test mail.
You can send a test mail to https://www.mail-tester.com/ and see your mail score. From here, you can see whether the e-mail you send will go to inbox or junk, and you can increase the score of your e-mail by applying the tips given by the site.
Now you can create your landing page and email templates. This is up to your imagination :).
How can we use ChatGPT in Social Engineering?
You can reduce your workload considerably by using ChatGPT , which is very popular these days.
As you can see, artificial intelligence can handle everything from the landing page, phising email templates and alternative domain names which is a bit scary (:.
How to set SSL Certificate?
When you create your landing page, email it to your victim, and click on it, you’ll probably see something like this. :)
To solve this problem, we will define an ssl certificate.
We will use zerossl for this:
You can verify your domain in the option you want.
You can also use certbot, which can be automated.As I said, it’s up to you, you can do it with whichever is easier for you.
After verifying. It gives you a certificate and a key file. We put these files in the gophising config.log file. And don’t forget the change use_tls: true. Then we restart gophising and we get over this problem. And our system is literally ready.
Now all you have to do is sit back and watch the victims :)).
HOW DO YOU PROTECT YOURSELF AGAINST PHISHING ATTACK?
To stay safe, these are the things to follow:
- Do not answer an e-mail from an unknown sender. And if this e-mail has a link or an attachment, never click on them.
- Do not provide login or financial information unless you’re 100% sure the web page you’re on is legitimate.
- If you get linked to a login page from a website, email or text message, close the window immediately.
- Ignore any attachments or downloads you encounter unless you’re 100% sure the web page you’re on is legitimate.
- If you want to be sure legitimation of any website, check from www.cyber-xray.com
- Use Total Virus to check files and folders if you are unsure about their sender.
- Some malicious websites automatically download files to your computer without permission. Do not open them, and delete them as soon as possible.
- Use multifactor authentication like SMS or Google Authenticator.
- Use a single sign-on password manager.
- Do not give your personal information as much as possible on social media and the internet. What may seem like a piece of harmless information like the answer of ‘What is the name of your first pet ?’ or ‘What is your mother’s maiden name ?’ can be used to make a social engineering attack.
- Keep your antivirus/antimalware software updated. But do not think that it is enough. For example, If they make you feel safe, which is not true and dangerous. I do not trust antivirus software so much.
- Do not put a USB flash drive on your computer if this UBS device was given to you as a present.
- Make sure that your passwords are long and complex. And Change your password frequently.
- Hide your keyboard when you enter your password at your computer or cash machine. Do not be shy or overkind. It is not rude.
References:
