How to Perform Phishing
Introduction
Phishing is a technique that involves sending an email to a user while pretending to be a legitimate entity (social network, bank, public institution, etc.) with the aim of stealing private information, charging the victim money or infecting their device. For this purpose, infected files or links to fraudulent pages are attached to the email.
Phishing is no longer spread only via email; it can also be spread through other channels, such as social networks, instant messaging, SMS, phone calls, etc.
Techniques for Phishing
Technique 1: Use of Subdomains for Phishing
This first technique relies on subdomains: whoever controls a registered domain can create any subdomain under it, so the subdomain can carry whatever name a specific phishing campaign needs.
For example, in a banking phishing campaign, if you have acquired the domain “support.com”, you could use a subdomain to send phishing campaigns where the sender of the email or the destination domain of a specific link would be “chase.support.com”.
You only have to purchase the primary domain and add a subdomain of your choice, so by purchasing a domain with a “hook”, you can carry out very believable campaigns.
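From a defender's side, the tell-tale sign of this technique is that the brand name sits in a subdomain label while the registrable domain belongs to someone else. The following Python check is an added example, not code from the original article: it flags exactly that pattern. The public-suffix list and the brand list are constructed stand-ins (assumptions for this example); a real deployment would load the Public Suffix List from publicsuffix.org and its own brand inventory.

```python
# Added example (not from the original article): flag hostnames in which a
# protected brand name appears only in a subdomain label, e.g. "chase.support.com".
from urllib.parse import urlparse

# Constructed, deliberately tiny public-suffix list (assumption for this example);
# a real deployment should load the Public Suffix List from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "ai", "es", "co.uk", "com.br"}

# Constructed list of brand names to protect (assumption for this example).
PROTECTED_BRANDS = {"chase", "paypal", "google"}


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname of a URL or bare hostname."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Return the registrable domain (the label directly left of the public suffix
    plus the suffix), trying the longest suffix first so "co.uk" wins over "uk"."""
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host


def subdomain_impersonation(url: str) -> list:
    """Return the protected brands that occur in a subdomain label of url but not
    in its registrable domain; an empty list means nothing suspicious was found."""
    host = hostname_of(url)
    reg = registrable_domain(host)
    reg_label = reg.split(".")[0]
    # Everything left of the registrable domain is naming chosen by the domain owner.
    sub_part = host[: len(host) - len(reg)].rstrip(".") if host != reg else ""
    sub_labels = sub_part.split(".") if sub_part else []
    hits = []
    for brand in PROTECTED_BRANDS:
        if brand in reg_label:
            continue  # the registrable domain itself carries the brand; not this technique
        if any(brand in label for label in sub_labels):
            hits.append(brand)
    return sorted(hits)


if __name__ == "__main__":
    for sample in ("https://chase.support.com/login", "https://www.chase.com/"):
        print(sample, "->", subdomain_impersonation(sample))
```

Running this over the sender domains and link targets of inbound mail gives a cheap first-pass filter: "chase.support.com" is reported because "chase" is only a subdomain label of "support.com", while "www.chase.com" passes.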
Technique 2: Use of link shorteners for Phishing
Link shorteners are very simple to employ and are indeed one of the most commonly used tools in phishing campaigns.
If you create a fraudulent website impersonating another website or social network, one of the most frequently employed techniques to prevent the victim from realising that they are being deceived is the use of a link shortener.
To illustrate with an example, in a campaign aimed at capturing credentials (usernames and passwords) for social networks, you could purchase a domain, for instance “mydomain.com”, on which you intend to clone a website using any of the available techniques. Once the website is cloned, you mask the URL with a link shortener, so that the person receiving the phishing campaign does not realise that it is, in fact, phishing.
If you wish to employ this technique, there are numerous online and free websites available that will perform the URL shortening for you immediately. You may utilize Bitly, Cuttly, or even Google’s own service.
Technique 3: Utilisation of Typosquatting
This technique is also frequently employed. It relies on visual deception: you could purchase a domain whose name differs only slightly from the original one, leading users to believe that clicking on the link will take them to the correct site, when in fact nothing could be further from the truth.
To better comprehend this, I shall provide you with a few examples below:
Google.com (Correct link)
Goggle.com (Link with Typosquatting)
GooglIe.com (Link with Typosquatting)
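A defensive counterpart to the list above is to measure how far a domain's second-level label is from the brand names you protect, using an edit distance that counts insertions, deletions, substitutions and adjacent swaps. The Python below is an added example, not code from the original article; the brand list is a constructed assumption, and the label extraction is simplified to single-label suffixes such as .com.

```python
# Added example (not from the original article): measure how close a domain's
# second-level label is to protected brand names, so near misses such as
# "goggle" or "googlie" are flagged while the genuine "google" is not.

# Constructed brand list (assumption for this example).
PROTECTED_BRANDS = ["google", "paypal", "microsoft"]


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (restricted Damerau-Levenshtein) distance:
    insertion, deletion, substitution and adjacent transposition cost 1 each."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[rows - 1][cols - 1]


def second_level_label(domain: str) -> str:
    """Lower-cased label left of the public suffix ("GooglIe.com" -> "googlie").
    Simplification: assumes a single-label suffix such as .com or .ai."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def typosquat_matches(domain: str, max_distance: int = 2) -> list:
    """Return (brand, distance) pairs, nearest first, for brands within
    max_distance edits of the label. Exact matches (distance 0) are the
    legitimate domain and are not reported."""
    label = second_level_label(domain)
    hits = []
    for brand in PROTECTED_BRANDS:
        dist = osa_distance(label, brand)
        if 0 < dist <= max_distance:
            hits.append((brand, dist))
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    for sample in ("Google.com", "Goggle.com", "GooglIe.com", "gogole.com"):
        print(sample, "->", typosquat_matches(sample))
```

A threshold of 1 or 2 catches the article's "Goggle" (one substitution) and "GooglIe" (one insertion) as well as swapped letters, while longer brand names tolerate the same threshold without many false positives; tune max_distance per brand length in practice.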
Technique 4: Use of QR Codes
The following method, which is also widely used, is the use of the ubiquitous QR code. Who can resist the temptation of scanning a QR code? But when you scan one, do you really know what happens behind the scenes? Do you know where that QR code will take you?
This is precisely what you can take advantage of. You could send QR codes by mail or SMS, place them in advertisements or on websites, or even physically, at bus, train or metro stops, or in restaurants pretending to be the menu, etc. If you are able to create a cloned website, whether with malicious intent or simply to steal someone’s data, a QR code helps a lot, as many people feel the temptation to scan it and see what is behind it.
You could purchase a domain and create a QR code very simply. There are plenty of free websites that allow you to create a QR code in just a few steps: you enter the URL, which can even be shortened, and personalise it by changing colours, adding a logo, etc. One of the free websites is QRCode Monkey, although there are many more.
Technique 5: Homographic Attack
This technique is also widely used. It is a variant of typosquatting and is based on the use of characters from other writing systems, such as Cyrillic, which contain characters that look like ours but with slight differences, often imperceptible to the human eye. Because they are nevertheless different characters, we notice nothing malicious when reading them, but clicking on a link that uses this technique takes us to another website, cloned or malicious, completely different from the one we expected.
To understand it a bit better, I will provide you with three examples below, one of which is good and the other two bad.
To carry out a homographic attack, you could purchase a domain that closely resembles a legitimate one, but with subtle character changes. There are numerous online and free websites that allow you to convert different characters, along with a preview of what the result would look like.
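On the detection side, two checks complement each other: whether a label mixes writing systems, and whether mapping its confusable characters to their Latin look-alikes yields a protected brand. The second check matters because an all-Cyrillic label mixes nothing yet can still spell a brand. The Python below is an added example, not code from the original article; the confusables map and brand list are constructed, partial assumptions (a real deployment would use Unicode's confusables.txt from UTS #39), and the Punycode form comes from Python's own idna codec.

```python
# Added example (not from the original article): inspect a domain label for
# mixed writing systems and confusable characters, and show the Punycode form
# a browser would actually resolve.
import unicodedata

# Constructed, partial confusables map (assumption for this example); a real
# deployment should use Unicode's confusables.txt from UTS #39.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

# Constructed brand list (assumption for this example).
PROTECTED_BRANDS = {"apple", "google", "paypal"}


def scripts_in(label: str) -> set:
    """Approximate the scripts in a label from Unicode character names
    ("CYRILLIC SMALL LETTER A" -> "CYRILLIC"); digits and hyphens are skipped."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(label: str) -> str:
    """Map known confusables to their Latin look-alikes, so that a label such as
    Cyrillic-a + "pple" skeletons to "apple"."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())


def homograph_report(domain: str) -> dict:
    """Report on the second-level label: which scripts it uses, whether it mixes
    them, the Punycode form, and the protected brand it imitates, if any."""
    labels = domain.rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    scripts = scripts_in(label)
    skel = skeleton(label)
    imitates = skel if skel != label.lower() and skel in PROTECTED_BRANDS else None
    try:
        # Python's idna codec produces the xn-- form the resolver really sees.
        punycode = domain.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None  # label is not encodable under the codec's IDNA rules
    return {
        "label": label,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "punycode": punycode,
        "imitates": imitates,
    }


if __name__ == "__main__":
    for sample in ("apple.com", "\u0430pple.com", "\u0430\u0440\u0440\u04cf\u0435.com"):
        print(homograph_report(sample))
```

Showing the Punycode form to users or analysts is itself a mitigation: "xn--pple-43d.com" looks nothing like "apple.com", which is why browsers fall back to displaying it whenever a label fails their mixed-script rules.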
Technique 6: Use of Unicode and/or Punycode
In addition to the previous techniques, you could use Unicode control characters and/or Punycode (the ASCII form of internationalised domain names) to carry out phishing campaigns. These let you alter the normal left-to-right display of text, so that it still looks normal to the human eye but does not actually say what you appear to be reading. To help you understand it better, an example follows. The two lines below contain the same letters, I assure you; yet to the human eye the first one looks wrong and the second one looks right.
bankse.ai
bank‮se.ai
To do this, you could use the Unicode-table website. If you click on the link, it will take you to the Unicode code U+202E so that you can carry out your tests. If you write the first of the examples (bankse.ai), copy the U+202E character from the link I indicate and paste it right after the “k”, the rest of the domain is displayed in reverse. So if you send this domain in a link, the victim sees the domain as expected, but it takes them to a completely different one, where you could have a cloned, fake or malicious site.
There are many such codes that you could use. On that same link that I provide, you can research the different types available.
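Detecting this is straightforward once you know what to look for, because the control characters are invisible but still present in the bytes. The Python below is an added example, not code from the original article: it lists any Unicode bidirectional controls in a link, contrasts the displayed form with the logical one (modelling only the single U+202E override case used in the example above, not the full bidi algorithm), and decodes Punycode labels back to Unicode. The sample inputs are constructed.

```python
# Added example (not from the original article): find Unicode bidirectional
# control characters hidden in a link, contrast what is displayed with what the
# text logically contains, and decode any Punycode (xn--) labels in the host.
import unicodedata

# Bidirectional control characters that can reorder displayed text (Unicode UAX #9).
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                  # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",    # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",              # LRI, RLI, FSI, PDI
}


def find_bidi_controls(text: str) -> list:
    """Return (index, code point, name) for every bidi control character in text."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch))
            for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def displayed_form(text: str) -> str:
    """Approximate how a viewer sees text containing one RIGHT-TO-LEFT OVERRIDE
    (U+202E): everything after it is drawn reversed. This models only the
    single-override case from the article's example, not the full bidi algorithm."""
    if "\u202e" not in text:
        return text
    head, tail = text.split("\u202e", 1)
    return head + tail[::-1]


def logical_form(text: str) -> str:
    """The text with all bidi controls removed: the characters that actually
    make up the link."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def decode_punycode_labels(host: str) -> dict:
    """Map each xn-- label of host to the Unicode label it encodes."""
    decoded = {}
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            decoded[label] = label.encode("ascii").decode("idna")
    return decoded


def inspect_link(text: str) -> dict:
    """Combine the three checks into one report for a link or hostname."""
    logical = logical_form(text)
    return {
        "bidi_controls": find_bidi_controls(text),
        "displayed_as": displayed_form(text),
        "actually": logical,
        "punycode_labels": decode_punycode_labels(logical),
    }


if __name__ == "__main__":
    # Constructed samples: the article's example with U+202E after the "k",
    # and a Punycode host standing in for a homograph label.
    print(inspect_link("bank\u202ese.ai"))
    print(inspect_link("xn--pple-43d.com"))
```

The first sample reports one control at index 4, a displayed form of "bankia.es" and a logical form of "bankse.ai", which is the whole trick in one line of output; a mail gateway can simply reject or quarantine any link text that contains a bidi control at all, since legitimate hostnames never need one.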
Conclusion
All of these techniques have been widely used for a long time and, of course, they remain very much in use today. Moreover, you must consider that all of them can be combined, which makes their detection extremely complicated.
Imagine, for example, that someone sends you an email with a QR code that embeds a link containing a modified Cyrillic character, possibly some Unicode control character or Punycode, and shortened on top of that. Its detection would be extremely complex for an ordinary person, wouldn’t it?