2014 Phishing (new Methods?)

[l0n3r]

This article just came about about 3 days ago, talking about Microsoft getting breached, supposedly via a spear phishing campaign, compromising the email accounts and social media accounts of Microsoft employees.

Article: http://securityaffairs.co/wordpress/21622/cyber-crime/spear-phishing-against-microsoft.html

My questions is regarding modern day phishing techniques. From my understanding, two/four years ago it was totally possible to do the standard:

1) copy web page
2) write credential grabbing php
3) upload to free web host
4) craft email
5) breach (capture credentials)

This sounds vague but I hope you guys get the point. The old ways of making phishing email is what im referring to, I think there is a post somewhere on here regarding what I was talking about.

But in 2013-2014, that isnt gonna fly obviously. Your more than likely to land a nice spot in the spam or junk box. My questions is what are some modern techniques in crafting these emails that are working these days?

Ive been reading that people would compromise a website/server, redirect victim to compromised server, and feed drive-by attacks to passerbys. And then there are stored xss (fairly rare now) breaches and CSRF attacks,etc. But without sounding to eager, but what are the BH tactics. As a penetration tester, I need to replicate and simulate a BH attack in ways. And phishing emails are crucial in attacks, but not dated attacks. My job currently audit website security. But I wanna expand to replicating APT attacks and leveraging user ignorance on my engagements. Just alot of the public info is dated....

[iTpHo3NiX]

I believe kali has a suite for it, but the name escapes me

[Kulverstukas]

I believe kali has a suite for it, but the name escapes me

SET (Social Engineering Toolkit). Never used it though.

[iTpHo3NiX]

SET (Social Engineering Toolkit). Never used it though.

That be the one. I experimented if for a little while.

https://www.trustedsec.com/downloads/social-engineer-toolkit/

tut on using SET phishing:
http://www.lokisec.com/?p=366

[l0n3r]

Ah thanks guys! I'm familiar with it, but for sure I will look deeper into the kit. thanks again

[b0whunter]

SET is a great tool, copy a login page on the fly in conjunction with DNS spoofing, you dont need to send any email, just wait for them to type the url.

[jahuh]

dead/boring  forum.

[b0whunter]

dead/boring  forum.

This forum is rather like an interactive library. There' new content, questions, discussions, etc. Most importantly, as you probably noticed, the irrelevant stuff gets thrown out.

[jahuh]

still boring/dead..  they ignore pples questions and request to help on tutorials.. i believe other hacking forums are better.. i miss devilzone.net hope they'll come back soon or create a new site.. this forum is dead!!!!

[proxx]

still boring/dead..  they ignore pples questions and request to help on tutorials.. i believe other hacking forums are better.. i miss devilzone.net hope they'll come back soon or create a new site.. this forum is dead!!!!

Just get the fuck out if you want spoonfeeding, wrong board kid.

[nafuti]

still boring/dead..  they ignore pples questions and request to help on tutorials.. i believe other hacking forums are better.. i miss devilzone.net hope they'll come back soon or create a new site.. this forum is dead!!!!

Think he is claiming he knew the old EZ. If you have been around that long dude then you most notably should have had your knowledge base flowing. But if you are still at the level of asking for tutorials and probably hack this site for me, then you are no better than the complete NOOB i am.


I suggest you tuck your tail between your legs and run to your master or settle in, flow with the wave and you will discover the secret chamber of secrets. I am trying to do just that.

[hppd]

still boring/dead..  they ignore pples questions and request to help on tutorials.. i believe other hacking forums are better.. i miss devilzone.net hope they'll come back soon or create a new site.. this forum is dead!!!!

Haha mister

where do i buy a botnet and tutorials on how to use it for newbie??

What do you mean with dead? Ez has really valuable info.. If you wanna be a botmaster go on TF if you want people to spoonfeed you go on HF..

Cheers

SET is a great tool, copy a login page on the fly in conjunction with DNS spoofing, you dont need to send any email, just wait for them to type the url.

How do you spoof the dns on someone else's lan?
 

[proxx]

Haha mister
What do you mean with dead? Ez has really valuable info.. If you wanna be a botmaster go on TF if you want people to spoonfeed you go on HF..

Cheers


How do you spoof the dns on someone else's lan?

Its not just spoofing, basically its a race between the true DNS server on the network and you, whoever comes first.
Otherwise you would have to gain a mitm position in one way or another, plenty options there.

[hppd]

But don't you have to be on their network somehow?? I can't imagine how you would do it otherwise 

[proxx]

But don't you have to be on their network somehow?? I can't imagine how you would do it otherwise 

Makes it a hell of a lot easier.
But one could still somehow effect his dns configuration, viral or by weak passwords of modems and that kinda stuff, than alter the DNS config and point it to your own DNS server.