Phishing & Offensive OSINT

Untold Strategies

Snooptz
May 11, 2024

Haloa Squad!

Today, we will examine a phishing technique that may appear harmless but is actually silently effective. Phishing is not limited to sending a fake social login page to obtain your login credentials. It can also involve tricking you into visiting a website where you may unwittingly provide much more information than your email and password. Even if you believe you are visiting a legitimate website, you may still be a victim of a phishing attack or more…

I’ll skip over Phishing and what you can do about it, but feel free to look at some of my older posts for more info.

Why is this Advanced Phishing?

Sometimes (not always), phishing tools return little user data when hooking the victim; if not correctly designed, they capture only the requested input (password, username, or email), along with the IP and a few other bits, but not much more. Besides, free tools often do not stay live for long… but, again, not always…

On the other hand, we have other accessible and reliable options that are often not blocked or flagged as malicious as long as we use new subdomains or domains… but let’s dig in…

By employing reliable free subdomains or paid domains, you can engage the victim in visiting a website, converting a free website service into a spy trap machine.

Let’s start by playing on the Corsair flank while digging the whole tail to comprehend the fort.

As tech advances, cyber pirate tools & techniques follow alongside, too; in fact, it is not news that hackers & coworkers often employ subdomains from reliable firms like Google, AWS, Microsoft & so on, impersonating businesses, friends, families & governments, keen to steal our data & money in any possible way.

In today’s blended scenario, we will examine one of the simplest, free, scalable, anonymous, effective, but invasive ways of silently sniffing data while observing a target when it is live on your site. With a website and the right apps, you can see the target in real time, get specs and details, and collect much more data to perform attacks or further investigate, staying incognito while using free tools.

It could be considered a live Phishing or OSINT technique and may be viewed as a hacking reconnaissance phase.

  • You choose which one suits you better…

“ Before we begin, I want to remind you about Privacy, ethical boundaries, and respect for others. It is crucial to note that any illegal activities using this information will be solely at the user’s discretion and responsibility and may result in legal action towards him, her, it, yours, ping, pong, dragons, butterflies, lions, zebras, etceteras and etceteras…”

This information is intended solely for educational purposes.

Any misuse of this information will be billed to the pirate, not the author.

I appreciate your understanding.

Now, roll up your sleeves….

Regardless of your email provider, the first step is to use a forwarding service when testing or investigating to protect your Privacy. You can easily create an account using Firefox Relay, an easy-to-go forwarding service for iOS, Android, Windows, and Linux users.

Visit -> https://relay.firefox.com <- to create an account and start guarding your email.

Nowadays, cyber-pirates use countless websites, and today, we will use Wix, one of the most customizable, easy to use, fast, and accessible. To start, we will head to > https://www.wix.com < & create a website from a template perfect for your needs; as we will phish today, let’s opt for a catchy one, but you choose!

Once you are ready, we can move to the next step, which is the subdomain editable part.

Before customizing your website, there are two essential elements to consider. First, ensure that your editable subdomain URL is linked with your phishing context during an attack. Otherwise, the target may become suspicious and avoid clicking on the subdomain.

Imagine we send an email with “Your Package is Ready for Collection”, but on our URL, we write “Happy Birthday, Mom.” It will surely raise suspicions and may get a laugh, but not a click.

Second, ensure that your website name, even under a subdomain, is easily recognizable, as this also plays a crucial role during an attack.

Once you ensure the whole URL raises no suspicions and matches your needs, we can now add the needed apps to grasp upshots. Even before going live, we will go to the right corner, add an app, analyze traffic, > WEB-STAT <. Install it, open an account, & you are nearly ready to go…

Feel free to drag and drop the icon, play with the website, and make sure you are advertising its use only a little, even if almost no one cares or understands the peril within. By now, we should have our website in sync with the app, but we can always check the settings to maximize results; you can easily edit them by clicking on the app icon and then on settings.

Or access the edit page from

Perfect. You now have a complete website that gathers visitor data.

Remember, data can often be more detailed, but let’s look at what we give away when visiting a website. As I will not use this to perform any attack at any time, I will show some of the other test websites I use to develop content with WEB STAT linked to them. You can see one of my posts in it; indeed, I guarantee you that I always visited it through a PC and from the same location even though the data did not match, but keep reading to understand how I did it…

As you can see, several visitor details are available, such as Country, IP, City, postal code (not complete), Device, and OS ( Operating System ), followed by mobile or PC and even Apple, Linux, or Android, along with a specific date, time, and location…

Remember, we are using a very basic tool, and hackers and scammers, along with their professional colleagues, often use high-tech websites and tools to gather almost your exact position and much, much more…

Always be sceptical about websites and double or triple-check the URLs.

Ethically OBVIOUSLY! & With PRIOR Authorization.

  • You will now better understand what traces we leave online when visiting websites and be able to see details you never considered before.

Take note of it 4 next time you’re on the web….

Now, how can we protect ourselves from it?

Options & techniques on the market are countless, but surely a few will be undoubtedly Beneficial:

  1. A VPN: if it is FREE & possibly loginless, then you have found your love. Yes, it may often leak DNS, but you can always double-check online 4 it & 4 FREE. It would be better on the device & in the browser too, just in case. As long as you don’t have to hack a bank or similar, a free VPN is OK for basic needs or tests.
  2. An online/web proxy can help better cover online tracks, even more so if mixed with a device or browser VPN to disguise your virtual steps.
  3. User Agent & Session Manager add-ons for your web browser, to isolate your web session while deceiving your online IDs.
  4. Use ScamAdviser, VirusTotal, and similar websites to inspect suspicious links. (Be aware that if you test your malware on those websites, you are done with it. Other websites, no. Stay tuned.)
  5. Change your DNS, as resolvers often offer content filtering to block malware and spam sites and botnet protection to block communication with known botnets.

Options

1 — VPN Free & Paid

+ More info about what a VPN is & some nice add-ons

2 — Web Proxies & Proxy Websites

3 — User Agent / Session Manager Add-ons

5 — Some DNS options

As per Google, this is the best & short answer…..

Best Free & Public DNS Servers

  • Google: 8.8.8.8 & 8.8.4.4.
  • Control D: …
  • Quad9: 9.9.9.9 & 149.112.112.112.
  • OpenDNS: 208.67.222.222 & 208.67.220.220.
  • Cloudflare: 1.1.1.1 & 1.0.0.1.
  • AdGuard DNS: 94.140.14.14 & 94.140.15.15.
  • CleanBrowsing: 185.228.168.9 & 185.228.169.9.
  • Alternate DNS: 76.76.19.19 & 76.223.122.150.

Credits: Google & LifeWire

The Best Free and Public DNS Servers (2024) — Lifewire

- & remember, those are only some options, not the solution…. —

Also, some extra reminders, just in case, for students.

Common Features of Phishing Emails

  1. Too Good To Be True: Scammers use lucrative offers or eye-catching statements to grab attention. Be cautious if it seems too good to be true.
  2. Sense of Urgency: Cybercriminals create urgency, asking you to act quickly. Ignore such emails and verify independently.
  3. Hyperlinks: Hover over links to verify their actual destination. Beware of misspelt URLs or suspicious domains.
  4. Attachments: Unexpected attachments may contain malware. Only open .txt files.
  5. Unusual Sender: Be wary of emails from unknown or unexpected sources.
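
The "hover over links" advice above can be automated for a message body. The following is an added example, not code from the original post: it flags links whose visible text names one host while the `href` goes to another, and links hosted under shared site-builder domains such as the Wix one discussed earlier. The `SHARED_HOSTS` list, the sample email and every hostname in it are constructed assumptions, and hosts are compared as plain strings without a public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of hosts where anyone can register a subdomain.
SHARED_HOSTS = ("wixsite.com", "weebly.com", "blogspot.com", "github.io", "web.app")
# Constructed sample message body; every name in it is made up for this example.
SAMPLE_EMAIL = """<p>Your package is ready for collection.</p>
<a href="https://parcel-collection-demo.wixsite.com/collect">track.courier.example/parcel</a>
<a href="https://www.courier.example/help">Help centre</a>
<a href="https://www.courier.example/faq">courier.example/faq</a>"""

class Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.href, "".join(self.text).strip()))
            self.href = None

def host_of(value):
    """Hostname of a URL or bare domain, lower-cased, without a leading www."""
    try:
        host = urlsplit(value if "://" in value else "//" + value).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").removeprefix("www.")

def audit_links(html):
    """Return [(href, [reasons])] for links whose destination deserves a second look."""
    parser, findings = Anchors(), []
    parser.feed(html)
    for href, text in parser.links:
        target = host_of(href) if href.lower().startswith(("http://", "https://")) else ""
        shown = host_of(text) if text and " " not in text else ""  # only URL-like text
        reasons = []
        if target and "." in shown and shown != target:  # what you read vs. where you go
            reasons.append(f"text shows {shown} but link goes to {target}")
        if any(target == s or target.endswith("." + s) for s in SHARED_HOSTS):
            reasons.append(f"{target} is a user-chosen name on a shared host")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Calling `audit_links(SAMPLE_EMAIL)` reports only the first link, for both reasons; the two links that really point at the host they display pass.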

Subcategories of Phishing

  1. Spear Phishing: Targeted attacks on specific individuals or organizations. Attackers tailor messages to exploit their interests or roles.
  2. Whaling: Similar to spear phishing, but aimed at high-profile targets (e.g., executives, CEOs).
  3. Business Email Compromise (BEC): Impersonating company executives to manipulate employees into transferring funds or sensitive data.
  4. Clone Phishing: Attackers modify legitimate emails, making them appear authentic while containing malicious content.
  5. Vishing (Voice Phishing): Phishing over phone calls, where scammers pretend to be from trusted organizations.
  6. Smishing: Phishing via text messages.
  7. Snowshoeing: Spreading malicious messages across multiple IP addresses to avoid detection.

Perfect. Please add all this to your arsenal and be even more aware of your surroundings. If you are an IT pro, I hope you had a good read and may have encountered new tools or enjoyed another view.

Either way, I hope you all enjoyed the trip.

  • If you’re curious about OSINT and are okay with a work in progress, I suggest you look at a few projects I’m working on. You’ll enjoy them. Remember to share your thoughts!
  • https://start.me/p/ME7aRA/oosint

OR

At last, so much info. It’s not a problem, as I was wondering about it. Here are some options on how to easily switch URLs into PDFs for further and tidy reference.

I hope you are having a good day by now. If you enjoyed this, Clap, Share, and Stay tuned for more!

If you have not, tell me why. !?!

As we learn from our mistakes……

Alone, we are drops; together, we can be an ocean.

>>>> Stay Tuned 4 More & Share 4 All <<<<<<
