Week 7 Homework - Email Phishing
The outline for this task is below:
You objective is to use social engineering over email to achieve the following objectives :
Obtain the Facebook login credentials from the Puppy Love organisation Facebook page
Organise for a payment of $1200 to be made to your fake account by the Puppy Love accounts team :
BSB : 123456, ACC NO : 12347890
The first step to doing any sort of phishing is doing some basic reconnaissance. Let’s take a look at the ‘Puppy Love’ website that our targets Sarah and David work at:
A bit of inconsistent information - the puppy love website says that Sarah is married to David, however this instagram post (https://www.instagram.com/p/BWd9VZqBq5j/) says she is married to Mark (maybe she got a divorce or something)
Can calculate Mark’s Birthday (assuming the post is from 2017), his birthday is 04/06/1982
Birthday - 02/12/2014 from this Instagram post: https://www.instagram.com/p/BWd-BRmhxsZ/
Favourite Dog - Max from this Instagram post: https://www.instagram.com/p/BWd9mRuhz1a/
Instagram: https://www.instagram.com/sarah.jenkins0583/
Favourite Dogs - Angela and Jessie
Dogs - Max, Bella, Jessie, Stella
Business Address: 363 George Street Sydney, NSW 2000
Next we need to translate all of this information into something that we can use. If the task required that we try and access one of their accounts, we could try and convert the information we’ve gathered into keywords we could use to guess for passwords:
Jasper, Max, Angela, Jessie, Bella, Stella
David likes microbrewing:
Beer, brewery, microbrewing
James, 02/12/2014, 02122014
Max, 04/06/1982, 04061982
Using the information that we’ve gathered above, I’ve created an email addressed to Sarah seemingly from David who innocuously asks for the facebook log-in details…
That gives us this response:
Easy enough! Now for the second task:
Let’s try a similar approach:
That gets us this response:
Funnily enough, Sarah doesn’t seem to be suspicious at all, and redirects us to ourselves!
So let’s try to switch targets and bait David instead.
As the task outline specified, we’ll be trying to pose as a member of the accounts team in order to try and get a payment from David:
Apparently from the response Sarah doesn’t exactly know who she is:
So let’s, just remove any instances of the word Sarah from our previous email. Doing that lands us this response:
Finally, adding the word ‘urgent’ into our email gets us the flag:
Overall we were able to successfully extract the two flags using a bit of knowledge about phishing. If we were to attempt something like this in the real world however (purely hypothetically), because we know Sarah and David are married, they would probably contact each other about emails and then figure out that something is not quite right. Thus, the likelihood of successfully performing either information extraction or payment fraud is probably low.
Ways that we could avoid phishing after doing this activity:
Never send important and private information such as log-ins over email
Probably verify who you are talking to via in-person or on the phone before you transfer anything like money
As the first flag suggests - you could possibly set up 2-factor authentication