HOW TO STEAL GMAIL CREDENTIALS
USING SE-TOOLKIT – A CASE STUDY IN
SOCIAL ENGINEERING
A STEP-BY-STEP GUIDE USING KALI LINUX SOCIAL ENGINEERING
TOOLKIT (SET)
By Kevin M. Moker
Hacking? Why hack when you can trick someone more easily than trying to hack into his or her computer? I am talking
about social engineering (SE). SE, in the context of information security, is the ability to manipulate someone to steal
certain information. Using SE you can steal credit card numbers, or better yet steal someone’s login credentials. With no
hacking involved, you will be able to easily reroute payroll funds from an employee’s account to another account before
they even know the money is gone.
However, with the right knowledge, a victim could thwart an adverse attack. Non-technical individuals should learn how to
protect themselves when online. Non-techies should understand what SE is and how to protect themselves.
What you will learn:
• The ease of hijacking a victim’s account
• How to use Social Engineering Toolkit
What you should know:
• Kali Linux
• VMWare
• Command line
INTRODUCTION
Social Engineering, from an information security perspective, is the art of manipulating victims to acquire sensitive
information. For example, tricking someone to go to a phony website that looks like Facebook or Gmail and making them
put in their login ID and password. The phony website and the social engineer practitioner will steal the login ID and clear
text password, and begin masquerading as the victim. This article will illustrate an attack whereby a corporate victim is
tricked into clicking a link, logging into the site, and releasing their personal information.
WHAT ARE YOU TRYING TO PROTECT AND WHY?
The goal of this article is not to show you how easy it is to hijack someone’s credentials in a corporate environment, but to
show you how to protect yourself from being duped into giving out your personal information. I will walk you through the
steps illustrating the ease with which I can get your credentials and point out where you should be aware. It should be
prefaced that I am not a coder and nowhere near as technical as I should be. That should make you more nervous
because just about anyone can pull off this trick, as long as the perpetrator does not get greedy. Greed normally blows
covers of perps.
WHAT ARE THE STEPS YOU NEED TO PULL OFF THIS ATTACK?
The following steps are the ones I use to maliciously acquire a victim’s login credentials:
1. Have administrative rights to your local computer
2. Have an understanding of VMWare and Linux
3. VMware is installed
4. Kali Linux image created
5. Execute the Social-Engineer Toolkit (se-toolkit)
6. Hijack a user's PC that is not locked
7. Tell the user to go to their Gmail account and see what I’ve sent
STEP 1: Have administrative rights to your local computer
A lot of times, corporations will allow their employees to have local administrative rights to their computers. That
means the employee can do just about anything on that computer, unless the company has some kind of configuration
management software installed. Even then, with administrative access you can turn the corporate controls off.
So now we have a computer with administrative rights to the computer. The next thing is to install the necessary software.
We will first start with VMWare.
STEP 2: Have a basic understanding of VMWare and Linux
For this attack to be successful, you will need a basic understanding of VMWare and Linux. Without these two pieces you
will have a hard time understanding how this attack works.
• What is VMWare? VMWare is virtualization software that allows you to run multiple operating systems on one
computer. In other words, you can run Windows and Ubuntu Linux on the same machine. This is great when you
want to run and test local attacks without harming any other system on the network.
STEP 3: VMWare is installed
The next step is to download and install VMWare. You’ll have to purchase a license to use VMWare. You could also do
this with VirtualBox, but my software of choice is VMWare for ease of use and compatibility.
• What is VirtualBox? VirtualBox is very similar to VMWare, but VirtualBox is open source. You can download it for
free without a license.
STEP 4: Kali Linux image created
After you have installed VMWare, download Kali Linux from www.kali.org. I suggest using the 32-bit ISO version of
Kali. I have a Mac where I am running VMWare Fusion (the Mac version of VMWare) and the 32-bit version runs faster. You
will have to figure out how to install the .iso into VMWare.
• What is Kali Linux? Kali Linux, previously known as BackTrack, is a Debian-based Linux distribution used for
digital forensics and penetration testing. The best way to start with Kali is to use the Live Build ISO. You’ll be able
to test the tools without installing the operating system into your virtual environment.
STEP 5: Execute the Social-Engineer Toolkit (se-toolkit)
For this attack to be successful you will need a basic understanding of SE-Toolkit. Go to https://www.trustedsec.com for
more information. This procedure will be explained in more detail later in the article.
• What is SE-Toolkit? SE-Toolkit is the Social-Engineer Toolkit (SET) from TrustedSec. It comes with the Kali Linux image
under Exploitation Tools, and its website attack vectors include the credential harvester used in this article.
STEP 6: Hijack a user's PC that is not locked
This step involves finding a victim who has left their PC unlocked. In other words, they did not invoke ctrl+alt+del on their
Windows PC. The perp then changes the victim's www.google.com/mail shortcut to point to 192.168.153.158.
• How do you change a bookmark shortcut? In this case study the perp opens the victim's Chrome bookmark page and edits the
Gmail bookmark so that its URL points to the spoofed login server; the details are shown under THE ATTACK below.
STEP 7: Tell the user to go to their Gmail account and see what I’ve sent
This step involves telling the victim to go to www.google.com/mail. More than likely the victim will go to their shortcut and
not really check the URL bar. That will be illustrated later on in this article.
THE ATTACK
The perp’s victim is using a Windows XP SP3 computer on Acme Corp's network, but it doesn’t really matter what version
the victim is using because this will be a link to a spoofed website. The perp is a developer in the e-commerce department
with administrative rights to his computer. The perp is using a VMWare Kali Linux image that comes with se-toolkit.
The perp fires up his Kali Linux VMWare image and clicks on Applications > Kali Linux > Exploitation Tools > Social
Engineering Toolkit > se-toolkit, as illustrated in Figure 1:
Figure 1: Starting se-toolkit
Figure 2 illustrates the initial Social-Engineering Toolkit window.
Figure 2: Initial se-toolkit Window
Here are the steps to begin the attack:
1. Start by typing 1 for Social-Engineering Attacks at the command prompt and hit enter.
2. Next, type 2 for Website Attack Vectors and hit enter.
3. Next, type 3 for Credential Harvester Attack Method and hit enter.
4. Next, type 1 for Web Template and hit enter.
5. This is where the perp types in the IP address of his computer. For our example we will use 192.168.153.158. We
will see this IP address again shortly. Once the IP address has been entered, hit enter.
6. The perp elects to use the Gmail template for his credential harvesting attack. Select 2 for Gmail and hit enter. See
Figure 3.
Figure 3: se-toolkit Running Spoofed Gmail Login Server
7. Now the perp goes over to the victim’s machine. The perp notices that the victim’s machine is not locked (no
ctrl+alt+del). The perp goes to the victim's Chrome bookmark page and changes their Gmail shortcut to point to
his spoofed Gmail login server - 192.168.153.158 (Does the IP look familiar?).
8. The perp then waits for the victim to get back to their desk. The perp goes over to the victim and says, “Hey, I just
shot you an email to your Gmail account. Go check it out”
9. The victim logs into the spoofed site, not noticing that the IP has not been obfuscated (see Figure 4). The victim
enters their user name and password. Once the user name and password have been harvested, se-toolkit redirects
the victim to their actual Gmail account. We find that the victim’s credentials for the real Gmail login were cached, so when
the redirect happened the victim didn’t notice it.
Figure 4: Spoofed Gmail Login Server
The only thing the victim missed, that could have tipped him or her off, is the fact that the IP address was not obfuscated.
However, most users trust their bookmarks.
Figure 5: IP Not Obfuscated
Figure 6 illustrates what the perp collected. As you can see, the perp got the full email address, which isn’t a big deal.
However, the perp also got the password, which would be considered strong but is no match for se-toolkit and a determined
perp.
Figure 6: Stolen Credentials
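The harvest-then-redirect sequence in steps 7 to 9 leaves a recognisable trace in a web proxy log: a form POST to a bare IP address over plain HTTP, followed seconds later by the same client landing on the genuine Google login page. The Python script below is an added example, not part of the article, that runs such a check over a constructed log excerpt. The log format, the sample client addresses and the BRAND_DOMAINS allowlist are assumptions made for the example.

```python
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

# Constructed web-proxy log excerpt (not real data): "timestamp client method url status".
# Client 10.0.5.21 reproduces the case study: a form POST to the bare-IP "Gmail"
# server, then one second later a request to the genuine Google login (the
# redirect se-toolkit issues after harvesting). 10.0.5.22 is an ordinary login.
SAMPLE_PROXY_LOG = """\
2013-09-05T10:12:01 10.0.5.21 GET http://192.168.153.158/ 200
2013-09-05T10:12:30 10.0.5.21 POST http://192.168.153.158/ 302
2013-09-05T10:12:31 10.0.5.21 GET https://accounts.google.com/ServiceLogin 200
2013-09-05T10:15:00 10.0.5.22 GET https://www.google.com/mail 200
2013-09-05T10:16:00 10.0.5.22 POST https://accounts.google.com/ServiceLoginAuth 302
2013-09-05T10:20:00 10.0.5.23 POST http://192.168.153.158/ 200
"""

# Domains whose appearance right after a suspicious POST completes the
# harvest-then-redirect pattern (assumed allowlist; adjust per environment).
BRAND_DOMAINS = ("google.com", "gmail.com")


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, client, method, url, status = fields
    parts = urlsplit(url)
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method.upper(),
        "url": url,
        "scheme": parts.scheme.lower(),
        "host": (parts.hostname or "").lower(),
        "status": status,
    }


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def under_brand(host):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def detect_harvest(lines, window_seconds=10):
    """Flag POSTs to bare-IP or plain-HTTP hosts; rate them high when the same
    client is sent on to a genuine brand host within `window_seconds`."""
    by_client = {}
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_client.setdefault(ev["client"], []).append(ev)
    alerts = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if ev["method"] != "POST":
                continue
            reasons = []
            if is_bare_ip(ev["host"]):
                reasons.append("POST to a bare IP address")
            if ev["scheme"] == "http":
                reasons.append("form submitted over plain HTTP (no certificate to verify)")
            if not reasons:
                continue
            severity = "medium"
            nxt = events[i + 1] if i + 1 < len(events) else None
            if (nxt and (nxt["ts"] - ev["ts"]).total_seconds() <= window_seconds
                    and under_brand(nxt["host"])):
                reasons.append(f"followed within {window_seconds}s by a request to "
                               f"{nxt['host']} (harvest-then-redirect)")
                severity = "high"
            alerts.append({"client": client, "ts": ev["ts"].isoformat(),
                           "url": ev["url"], "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_harvest(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{alert['severity'].upper()} {alert['client']} {alert['ts']} {alert['url']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

The redirect to the real site is what makes the attack invisible to the victim, and it is also the most specific signal a defender has: a credential submission to an address nobody allowlisted, immediately followed by the brand's own login. Feeding the medium alerts to a ticket queue and the high ones to an on-call channel is a reasonable split.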
IN SUMMARY
So, what’s the moral of this story? The moral of this story is that companies need to be very vigilant about awareness
training. Many organizations brush awareness training off and are willing to take the risk. Companies figure they can
absorb these types of attacks, which they probably can.
However, what about the victims? This paper illustrated the ease with which a victim’s credentials can be obtained. Everyone should
be aware of how easy this is and heed the following advice:
1. Know your bookmarks. Make sure they have not changed.
2. Look at the URL field where the web address is displayed. Ensure that the web address looks right. For example,
www.google.com isn’t spelled www.gooogle.com.
3. Ensure there is a digital certificate that is signed for the hosting company. Just because you see a little lock in the
browser does not mean it is the actual hosting company, so you have to be diligent about reviewing the
certificate.
4. Have a healthy level of paranoia.
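Advice items 1 to 3 can be partly automated. The Python script below is an added example, not from the article, that walks a copy of Chrome's Bookmarks JSON file (constructed inline here, using the same roots/children layout the browser writes) and flags bookmarks that point at a bare IP, use plain HTTP, or carry a brand name such as Gmail while resolving to a host outside that brand's domains, which also catches look-alikes like gooogle.com. The EXPECTED_HOSTS table and the sample entries are assumptions made for the example.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed stand-in for Chrome's "Bookmarks" file (the real one sits in the
# browser profile directory and uses the same roots -> children -> url layout).
# The third entry mirrors the case study: still titled "Gmail" but repointed at
# a bare IP over plain HTTP. The fourth is a look-alike domain.
SAMPLE_BOOKMARKS = json.dumps({
    "version": 1,
    "roots": {
        "bookmark_bar": {
            "type": "folder", "name": "Bookmarks bar",
            "children": [
                {"type": "url", "name": "Gmail", "url": "https://www.google.com/mail"},
                {"type": "folder", "name": "Work", "children": [
                    {"type": "url", "name": "Intranet", "url": "https://intranet.acme.example/"},
                ]},
                {"type": "url", "name": "Gmail", "url": "http://192.168.153.158/"},
                {"type": "url", "name": "Google", "url": "https://www.gooogle.com/"},
            ],
        },
        "other": {"type": "folder", "name": "Other bookmarks", "children": []},
    },
})

# Brand keywords and the domains that legitimately serve them (assumed list for
# the example; extend it with the services your users actually bookmark).
EXPECTED_HOSTS = {
    "gmail": ("google.com", "gmail.com"),
    "google": ("google.com",),
}


def iter_bookmarks(node, path=()):
    """Yield (folder path, name, url) for every url-type node beneath `node`."""
    if node.get("type") == "url":
        yield path, node.get("name", ""), node.get("url", "")
    for child in node.get("children", []):
        yield from iter_bookmarks(child, path + (node.get("name", ""),))


def host_under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_bookmark(name, url):
    """Return the findings for one bookmark; an empty list means nothing looked off."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        findings.append("points at a bare IP address instead of a hostname")
    except ValueError:
        pass
    lowered = name.lower()
    for brand, domains in EXPECTED_HOSTS.items():
        if brand in lowered and not host_under(host, domains):
            findings.append(f"titled '{name}' but host '{host}' is outside {', '.join(domains)}")
            break
    if parts.scheme.lower() == "http":
        findings.append("uses plain HTTP, so there is no certificate to check")
    return findings


def audit_bookmarks_json(text):
    """Audit a Chrome Bookmarks JSON document; return (path, name, url, findings) tuples."""
    data = json.loads(text)
    flagged = []
    for root in data.get("roots", {}).values():
        if not isinstance(root, dict):  # Chrome keeps a few non-folder keys here
            continue
        for path, name, url in iter_bookmarks(root):
            findings = audit_bookmark(name, url)
            if findings:
                flagged.append((path, name, url, findings))
    return flagged


if __name__ == "__main__":
    for path, name, url, findings in audit_bookmarks_json(SAMPLE_BOOKMARKS):
        print(f"[{'/'.join(path)}] {name} -> {url}")
        for finding in findings:
            print("   -", finding)
```

Running this against a real profile means pointing `audit_bookmarks_json` at the contents of the browser's Bookmarks file; a scheduled run that diffs the flagged list against the previous one is a cheap way to honour "know your bookmarks" for users who will never inspect the URL bar themselves.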
This advice is not foolproof and even the best can be fooled. Being aware of this attack and doing your best to thwart it
can greatly improve your chances of staying safe. The digital world can be a fun place to learn and also an evil place
where perpetrators lurk.
ON THE WEB
• http://en.wikipedia.org/wiki/Social_engineering_(security) Social engineering (security)
• http://kali.org/downloads Kali Linux 32 Bit
• https://my.vmware.com/web/vmware/downloads VMware Downloads
• https://www.trustedsec.com/downloads/social-engineer-toolkit Social Engineer Toolkit
About the Author
I have been in the information security field since 1990. I started my career with the United States Army
as a Communication Security Specialist. I have acquired my CFE, CISSP, ISSMP and CISM. I have
helped develop information security risk management programs for several Fortune 500 companies. I
currently work in the retail sector for a Fortune 50 organization. For the past two years I have taught
Digital Forensics at Western Connecticut State University. You can view some of my background
information at http://www.linkedin.com/in/kevinmoker/.