Before the Phish
Before deep diving into the attack chain, let’s review 3 general principles about hacking.
Principle #1: Cybersecurity attacks are all about finding the weakest link in the chain. In most instances, human beings, unlike technology or processes, are actually the weakest link. People will make the same mistake multiple times because they are unpredictable and in many cases act from emotional queues. At the core, the inability to find a way to prevent all potential victims from making the same mistake more than once makes them the weakest link in the chain and this is exactly what hackers will exploit.
Principle #2: In most news stories about cybersecurity attacks, we hear all about the breach, about how much damage was incurred from the amount of sensitive data exposed, financial loss, or reputation damage. In most cases there will be an analysis of how the attacker could have potentially gained access to the system but not about the many steps taken, before actually breaching the system.
Principle #3: Before any breach, most attackers will do some form of information gathering on their target. In today’s socially connected world, it is very easy to find information about anyone online without doing any hacking at all. That information then can be used in a variety of ways, for example:
The attacker can decide to impersonate an employee within an organization to conduct a phishing campaign and harvest credentials in order to gain access to all of the organization’s systems. The easiest way to do this would be through some form of social engineering, and then a phishing (or if targeting a specific person which is known as spear-phishing) campaign via email.
The attacker can also decide to target an endpoint, .e.g., a computer or mobile device. One popular way to do this is through a technique known as reverse shell in which the attacker uses a bit of social engineering to get the target to download software so that they can access the victim’s device remotely, and ultimately gain entry to the organization that way.
Using Existing Tools and Setting Up Your Phishing Attack
In this article, we’ll take a look at some readily available tools available online that require zero programming knowledge in order to conduct a phishing campaign.