Launch Your Own Website Phishing Attacks workshop

From HOPE Wiki
Revision as of 23:08, 12 July 2020 by Tech Learning Collective (talk | contribs) (First draft of workshop.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Gone Phishing: Launch Your Own Website Phishing Attacks
Presenters: User:Tech Learning Collective
Duration: 1 hour and 30 minutes
Participant limit: 20


Gone Phishing: Launch Your Own Website Phishing Attacks is a workshop slated to be included in the HOPE 2020 conference calendar that teaches Web-based social engineering techniques such as site cloning and credential harvesting and highlights the importance of anti-phishing strategies such as U2F security tokens for defenders. It was created by Tech Learning Collective cybersecurity trainers and features both demonstration and hands-on portions. Students are provided with a "practice lab" that they can run inside of a virtual machine, where numerous website phishing utilities are pre-installed for them.

Abstract

The most common way attackers steal passwords, install malware on a victim’s computer, or get employees to grant them unauthorized access to critical business systems is through so-called phishing attacks. A phishing attack is surprisingly low-tech, which is part of what makes it so devastatingly effective. Learning to spot these attacks is one of the most important things you can do to protect yourself online, since a hacker’s tricks, called “lures,” can appear anywhere from an email, to a Facebook message, to a real Web site that looks exactly like one you recognize! In this attack/defense exercise workshop, you’ll learn how frighteningly easy it is for these scam sites to be built from the ground up, both manually, and with tools like the Social Engineer's Toolkit, and all about the tricks they use to fool you into falling for them.

Full Description

Whether it’s corporate espionage, ransomware, or online fraud, most cyber attacks don’t start with sophisticated software exploits, but rather by employing relatively simple tricks. These tricks are called “phishing” attacks because, much like baiting a lure, they won’t work unless you bite. However, many people do get caught up by them.

In 2019, ninety percent (90%!) of reported data breaches began with a simple phishing scam, costing businesses over $12 billion in losses. Phishing attacks are the most common type of cyberattack on the Internet today, with one and a half million new phishing websites launched every month. Thankfully, it’s easy to spot—and even to perform—these tricks if you have the right guidance.

For example, when you’re at a cafe and you ask the patron next to you to watch your belongings, your stuff will probably be safe when you return. But how safe would you feel if the patron at the next table turned to you and offered to watch your belongings when you next needed to use the restroom? If you had two different reactions to these scenarios, you already have the intuition you need to understand how the overwhelming majority of cybercrime gets a foothold inside your company, home, or organization’s network.

In this workshop, derived from a portion of the Tech Learning Collective’s popular “Hacking with Mr. Robot” Security 101 course, you will have the opportunity to create and deploy your own phishing Web site that can steal usernames and passwords from unsuspecting victims. By learning how attackers build pixel-perfect replicas of familiar sites like the Facebook login screen, you will also gain the skills you need to more quickly recognize the signs of a malicious web site, email, or other online scam.

Registration

Registration information TBD.

Pre-requisite knowledge

This workshop presumes no pre-existing knowledge on the subject. This is a beginner-friendly workshop. That being said, the following knowledge will be useful for students who want to take the workshop's training to the next level more quickly:

  • Basic command line experience in a POSIX environment (Bash on GNU/Linux, for instance), to work with the tools.

Preparation

Workshop attendees must have a laptop capable of participating in the Web video stream, but nothing more.

Preparation for optional hands-on lab

If attendees want to try out the hands-on exercises along with the instructor, they must have:

  • A laptop capable of running Oracle VirtualBox, which means they need physical hardware with support for the Intel VT-x instruction. This excludes many low-end tablet-style devices such as models of Microsoft Surface, netbooks, and so forth. To check your system for hardware virtualization support:
    • macOS: sysctl -a | grep -E --color 'machdep.cpu.features|VMX'
    • Linux: grep -E --color 'vmx|svm' /proc/cpuinfo
    • Windows: systeminfo, then ensure "Hyper-V Requirements" features are marked "Yes" in the output.
  • HashiCorp Vagrant version 2.2.9 or later.
  • A broadband Internet connection (for timely downloading of the Vagrant base box virtual machine lab environment).
  • No less than 10GB free hard disk space in which to install the lab environment and associated assets. (15GB recommended.)
  • At least 1GB free RAM (2GB recommended).

To prepare, attendees must perform the following steps:

  1. Install Oracle VirtualBox.
  2. Install HashiCorp Vagrant.
  3. Download the workshop lab materials (which can be provided on request).
  4. Navigate to the workshop lab materials folder (cd /path/to/lab/folder) in their terminal program of choice.
  5. Spin up the lab environment by invoking the vagrant up command.

Once Vagrant completes, they can use the vagrant ssh command to log in to the lab environment, which will provide them with numerous hash cracking utilities and some hashes to crack.