Phish like a Phisher, Defend like a Guardian, Part 2.

Abdul Basit Rotimi
5 min read · Sep 21, 2024


I hope you enjoyed my previous article, ‘Phish Like a Phisher, Defend Like a Guardian.’ We are still on that topic, but today we are diving into something different.

I used this technique when I was 17 years old to hack my dad’s Facebook account by tricking him into clicking a link and submitting his username and password. I didn’t know much about hacking then, but I did know various tricks for getting free internet browsing.

My brother was my mentor in this area because we both loved to play games.

We started with Java and Symbian mobile phones, like the Nokia 3110c, which had a screen size of 128 x 160.

I don’t know why you don’t have (PES) multiplayer.

Today, I will walk you through how to use a platform-based phishing website to develop security awareness in your organization, home, and community. The platform I used to hack my dad’s Facebook is no longer available (shadow.za), and I can’t quite remember the website name, but I believe it has been taken down. If you know the website, feel free to comment; this is all part of our learning process.

Disclaimer: This is for educational purposes only. We strongly encourage you to use the techniques and knowledge shared here only with proper authorization from the appropriate parties. Engaging in hacking without permission is both unethical and illegal.

What do I need to phish like a phisher?

  1. Internet connectivity
  2. Laptop/Mobile
  3. Open mind

Let’s get started:

There are several open source applications for running a social engineering awareness campaign:

  1. Gophish
  2. King Phisher
  3. Phishing Frenzy
  4. Evilginx2
  5. Modlishka

All the tools mentioned above can be used to run phishing simulations for awareness in your organization. Note the difference between them: Gophish, King Phisher, and Phishing Frenzy are campaign frameworks that send templated emails and host credential-capture landing pages, while Evilginx2 and Modlishka are reverse-proxy (adversary-in-the-middle) tools that relay the real login page and capture session cookies, which lets them defeat most forms of MFA. The latter two need much tighter scoping and authorization before you point them at your own users.

There are also paid phishing simulation platforms, such as:

  1. KnowBe4
  2. PhishLabs
  3. Wombat Security (acquired by Proofpoint)
  4. Ironscales
  5. Cofense

There are also free web-based phishing simulation platforms if you want to minimize cost, but cutting the budget for protecting your crown jewels is not good practice. Ask yourself: “What is my data worth to me?”

  1. PhishSim by Infosec IQ
  2. PhishingBox
  3. Sc0m

We’ll be using the free web-based platform. You can also use it in your organization to test your employees’ security posture.

What is sc0m? It is a tool designed for penetration testing and security assessments, allowing users to simulate hacking techniques in a controlled environment.

Click on the website link, then click on Create Account.

Remember, the purpose of this exercise is to assess the level of security education in your business environment, home, and community.

Analyst: Consider everything you’re doing now as if you were hired for these services or assigned to perform them in a workplace setting.

Before we proceed, my advice is to use a temporary (Temp Mail) address in the Email field.

There are several websites for creating temporary mail addresses, but I will mention two:

  1. Temp Mail
  2. Temp-Mail.io

In my case, I will be using the first one to create my temporary email address.


You can create multiple email addresses easily. If you don’t want to use a particular email, simply delete it, and a new one can be created instantly.

My account has been created using the above email. Click on Log In.

My sc0m dashboard:

From here we can create a phishing web page and send it via email, text message, or WhatsApp chat. We can also create our own pages.

The links in the box are what we’ll send to our employees, using persuasion, trust, urgency, curiosity, and fear to trick them into submitting their credentials.

Copy the link or click on the eye icon. You should now be on this page.

Hmm, I think the URL is too long. What can we do to shorten it?

I’ve got you covered: just click on this link and paste the URL to shorten it. So simple. Keep in mind that the shortener hides the real destination, which is exactly why a security-aware recipient should treat any shortened link as a red flag and expand it before clicking.

Copy the link and send it out via email to various departments in your organization, as well as to family and friends in your community.

In my case, I will send it to my younger brother via WhatsApp. Message sent.

I will wait for him to click on the link; I can see whether he does through my URL shortener dashboard.

What do you think? Never trust a message just because it claims to come from your CEO. Confirm through a separate channel before you react to anything.

Let’s check our sc0m dashboard to see if anything has come up.

How do you feel?

Let’s wait for a screenshot of my brother’s screen. He sent me this:

That’s cool.

Let’s check his password. We have his email.

Click on “Get infor User”

This is interesting!

CLAP FOR YOURSELF!!!!

This is how an attacker compromises employee credentials: not with a technical exploit, but by exploiting urgency, fear, trust, and curiosity. One caveat for your own campaigns: a properly run simulation records only that credentials were submitted, never the password itself, and anyone who did submit should be asked to reset their password and given training rather than punished.
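The part of the procedure above that the screenshots cannot show is how a simulation platform knows which recipient clicked and which one submitted. The following is an added example, not code from the original post or from sc0m or any of the tools listed: it gives each recipient an HMAC-keyed tracking token in the link, replays a few constructed access-log lines from the landing page, and attributes clicks and submissions per recipient and per department. The secret, the landing host, the recipients, and the log lines are all placeholders constructed for this example. Only the fact of a submission is recorded, never the submitted credentials.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Constructed campaign data for this example. The secret, landing host and
# recipients are placeholders, not values from any real campaign.
CAMPAIGN_SECRET = b"replace-with-a-random-per-campaign-secret"
LANDING_BASE = "https://training.example.invalid/login"
RECIPIENTS = {                       # recipient -> department
    "alice@corp.example": "Finance",
    "bob@corp.example": "Finance",
    "carol@corp.example": "IT",
}


def tracking_id(recipient: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Per-recipient token: HMAC-SHA256(secret, recipient) truncated to 16 hex chars.

    Keyed hashing (instead of a counter or the address itself) means a hit with a
    guessed or edited rid cannot be attributed to anyone, and the link does not
    reveal who it was sent to.
    """
    return hmac.new(secret, recipient.encode(), hashlib.sha256).hexdigest()[:16]


def build_links(recipients, base=LANDING_BASE):
    """Return ({recipient: tracked URL}, {rid: recipient})."""
    links, reverse = {}, {}
    for r in recipients:
        rid = tracking_id(r)
        links[r] = f"{base}?rid={rid}"
        reverse[rid] = r
    return links, reverse


# Matches the request part of a common/combined access-log line.
REQUEST_RE = re.compile(r'"(?P<method>GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def attribute_hits(log_lines, reverse, base=LANDING_BASE):
    """Fold landing-page access-log lines into a per-recipient outcome.

    Outcomes progress 'sent' -> 'clicked' (GET) -> 'submitted' (POST). Only the
    fact of a POST is kept: a simulation must never store what the trainee typed.
    """
    landing_path = urlparse(base).path
    status = {r: "sent" for r in reverse.values()}
    unattributed = 0
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlparse(m.group("target"))
        if target.path != landing_path:
            continue                      # scanner noise, static assets, etc.
        rid = parse_qs(target.query).get("rid", [None])[0]
        recipient = reverse.get(rid)
        if recipient is None:
            unattributed += 1             # missing, truncated or forged rid
            continue
        if m.group("method") == "POST":
            status[recipient] = "submitted"
        elif status[recipient] == "sent":
            status[recipient] = "clicked"
    return status, unattributed


def campaign_report(status, departments):
    """Counts overall and per department: the numbers a campaign is judged on."""
    def counts(states):
        return {"sent": len(states),
                "clicked": sum(s in ("clicked", "submitted") for s in states),
                "submitted": sum(s == "submitted" for s in states)}
    by_dept = {}
    for r, s in status.items():
        by_dept.setdefault(departments[r], []).append(s)
    return {"overall": counts(list(status.values())),
            "by_department": {d: counts(v) for d, v in by_dept.items()}}


# Constructed access-log lines: alice clicks and submits, bob only clicks,
# carol never clicks, plus one forged rid and one unrelated scanner request.
SAMPLE_LOG = [
    f'203.0.113.7 - - [21/Sep/2024:10:01:02 +0000] "GET /login?rid={tracking_id("alice@corp.example")} HTTP/1.1" 200 512',
    f'203.0.113.7 - - [21/Sep/2024:10:01:40 +0000] "POST /login?rid={tracking_id("alice@corp.example")} HTTP/1.1" 302 0',
    f'198.51.100.9 - - [21/Sep/2024:10:05:13 +0000] "GET /login?rid={tracking_id("bob@corp.example")} HTTP/1.1" 200 512',
    '192.0.2.44 - - [21/Sep/2024:10:07:00 +0000] "GET /login?rid=0000000000000000 HTTP/1.1" 200 512',
    '192.0.2.44 - - [21/Sep/2024:10:07:01 +0000] "GET /wp-login.php HTTP/1.1" 404 0',
]


def run_sample():
    """Build the links, replay the constructed log and produce the report."""
    _links, reverse = build_links(RECIPIENTS)
    status, unattributed = attribute_hits(SAMPLE_LOG, reverse)
    return status, unattributed, campaign_report(status, RECIPIENTS)


if __name__ == "__main__":
    status, unattributed, report = run_sample()
    print(status, unattributed)
    print(report)
```

On the constructed log, alice ends as submitted, bob as clicked, carol as sent, and the forged rid is counted as unattributed rather than credited to anyone. The same per-recipient token is what a URL shortener dashboard cannot give you: the shortener only tells you that someone clicked, not who.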

Takeways:

  1. Don’t just click
  2. Verify the source
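“Verify the source” is easier to say than to do, so here is an added example (not from the original post) of the checks a practitioner would apply to a link before clicking, including the URL shortener trick used above. It flags shortener domains, a brand name appearing in a hostname whose registrable domain is not the brand’s, the `user@host` trick that hides the real host before an `@`, raw IP hosts, punycode hostnames, and plain HTTP. The shortener list and brand domain sets are constructed for the example; a real deployment would use a maintained shortener list, the organization’s own brand and login domains, and the Public Suffix List instead of the two-label `registrable_domain` shortcut.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed lists for this example only.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "is.gd", "rb.gy"}
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
    "microsoft": {"microsoft.com", "live.com", "office.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Adequate for the TLDs in this example;
    production code should consult the Public Suffix List (e.g. for .co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_link(url: str) -> list[str]:
    """Return reasons a link should not be trusted at face value.

    An empty list means nothing obvious was found, not that the link is safe.
    """
    findings = []
    if "://" not in url:
        url = "http://" + url
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reg = registrable_domain(host)

    if p.scheme != "https":
        findings.append("not HTTPS")
    if p.username is not None:
        # http://facebook.com@evil.example/ : the browser ignores everything before '@'
        findings.append(f"userinfo '{p.username}' before '@' disguises the real host {host}")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) hostname, possible homograph")
    if reg in KNOWN_SHORTENERS:
        findings.append(f"shortener {reg} hides the real destination")
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            continue
        if brand in host:
            findings.append(f"'{brand}' in hostname but the registrable domain is {reg}")
        elif brand in p.path.lower():
            findings.append(f"'{brand}' in path on unrelated domain {reg}")
    return findings


if __name__ == "__main__":
    # Constructed sample links; the lookalike and shortener paths are not real campaigns.
    for link in (
        "https://www.facebook.com/login",
        "https://facebook.com.login-verify.example/session",
        "https://bit.ly/3abcXYZ",
        "http://facebook.com@198.51.100.7/login",
    ):
        print(link, "->", inspect_link(link) or ["no obvious red flags"])
```

The lookalike case is the one the exercise above relies on: `facebook.com.login-verify.example` contains the brand, but its registrable domain is `login-verify.example`, which is what the browser actually connects to. Treat the output as a prompt to verify through another channel, not as a verdict.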

“What do you think about my writing style?”

This is how you can carry out phishing awareness activities in your organization, home, and community.

What else?

In my next post I will teach you to “Defend like a Guardian”.

Cybersecurity is intention.

Don’t forget, it’s your guy, Abdul Basit Rotimi.

Follow me for more cybersecurity content.


Abdul Basit Rotimi

Abdul Basit is a seasoned cybersecurity analyst who loves to provide security solutions to attack victims.