Tech-Boy-Andy we talk about technology, mobiles, computers, hacking.


Beware This Clever "Fake Attachment" Gmail Phishing Scam






With a little know-how, most phishing scams are pretty easy to detect. This one, on the other hand, is devilishly clever and just might dupe you if you’re not careful.
The way this phishing scam works is simple. Wordfence, who brought the scam to light, says the attacker creates an email address to disguise themselves as someone you know. Then they send you an email with an attachment, like a PDF or Word doc, that looks legitimate. When you click the attachment to see a preview of it, you get redirected to a Google sign-in page where you enter your credentials.
Here’s the trick: those attachments aren’t attachments—they’re embedded images designed to look like attachments that link out to a fake Google sign-in page. You can see an example of how real they look in Tom Scott’s tweet below.


What’s worse is that everything about the fake Google sign-in page looks normal. The logo, text boxes, and tagline are all there. The only difference is in the address bar, where careful eyes will see that the page is actually a data URI with the prefix “data:text/html”, not a URL with the standard “https://”. But if you don’t spot it, the attackers get your information and use it to send out more of the same phishing emails to your contacts.
Google has since updated Chrome to 56.0.2924, which makes it easier to spot fake forms like these, but it doesn’t exactly stop this type of scam dead in its tracks. And whether you use Chrome or not, it’s important to stay vigilant and keep your eyes peeled when checking email.
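The two tells described above, an image that poses as an attachment and a link target that is a "data:text/html" page rather than an "https://" URL, can be checked mechanically in a mail filter. The following is an added example, not code from Wordfence or Google; the function names, the trusted-host set and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def is_html_data_uri(url):
    """True when the string is a data: URI whose media type is text/html."""
    cleaned = url.strip().lower()
    if not cleaned.startswith("data:"):
        return False
    # data:[<mediatype>][;base64],<data>  -> media type ends at ';' or ','
    header = cleaned[5:].split(",", 1)[0]
    return header.split(";", 1)[0].strip() == "text/html"


class ImageLinkFinder(HTMLParser):
    """Collects the href of every <a> element that wraps an <img>."""

    def __init__(self):
        super().__init__()
        self._open_href = None   # href of the <a> currently open, if any
        self._has_img = False
        self.image_links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open_href = dict(attrs).get("href") or ""
            self._has_img = False
        elif tag == "img" and self._open_href is not None:
            self._has_img = True

    def handle_endtag(self, tag):
        if tag == "a" and self._open_href is not None:
            if self._has_img:
                self.image_links.append(self._open_href)
            self._open_href = None


def review_email_html(body, trusted_hosts):
    """Return (href, reason) for each image-wrapped link worth a second look."""
    finder = ImageLinkFinder()
    finder.feed(body)
    finder.close()
    findings = []
    for href in finder.image_links:
        parts = urlsplit(href)
        if is_html_data_uri(href):
            findings.append((href, "image links to a data:text/html page"))
        elif parts.scheme != "https":
            findings.append((href, "image link is not https"))
        elif (parts.hostname or "").lower() not in trusted_hosts:
            findings.append((href, "image link leaves trusted hosts"))
    return findings


# Constructed sample message body (not taken from a real campaign).
SAMPLE_BODY = """<p>Hi, the invoice is attached.</p>
<a href="data:text/html,%3Ch1%3ESign%20in%3C%2Fh1%3E"><img src="cid:a1" alt="invoice.pdf"></a>
<a href="https://mail.example.com/view?id=7"><img src="cid:logo"></a>
<a href="http://files.example.net/doc"><img src="cid:a2" alt="report.docx"></a>
<a href="https://mail.example.com/unsubscribe">Unsubscribe</a>"""

if __name__ == "__main__":
    for href, reason in review_email_html(SAMPLE_BODY, {"mail.example.com"}):
        print(reason, "->", href[:40])
```
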



The Anonymous Group: What is it and How big is it











Research proved that the Anonymous hacktivist group is much bigger than you anticipated and has become quite popular among people all over the world. But how did it all start?



The Anonymous group has been gaining a lot of attention in the past few years. This is mainly due to the way they act and the way they portray themselves. People donning Guy Fawkes masks and taking down the government and non-government agencies are sure to attract some attention, and because the activity of Anonymous is not restricted to a single country, they have gained global attention.




With many people talking about the hacktivist group, people have often wondered just how big the group is, given their widespread activities. However, that question is not easy to give a definitive answer to. As to what the group is, we take a look at that here.

Beginning

Anonymous first came into existence in 2003 when unknown users who were tagged as Anonymous posted images on 4chan’s /b/ board. The images were about random things but the Anonymous tag soon gained popularity on the website. The group then escalated their activities to internet pranks, troll events, and raiding websites like that of Habbo Hotel, a hotel in Finland.
In 2004, they started to use the website of Encyclopaedia Dramatica as a platform for their activities. For some years, they did little more than mass pranks and take action against communities that supported anti-piracy acts.

Change of Stance

In 2008, Anonymous started Project Chanology, a direct campaign against the Church of Scientology. The campaign included repeated DDoS attacks on the Church’s website, prank calls to the Church’s hotline made by Anonymous members (or Anons, as they are called), and black faxes sent to waste the Church’s ink cartridges. This project resulted in the group gaining global criticism from the media and authorities and global appreciation from casual internet users.



In 2010, Anonymous took their next big step, taking down the website of Aiplex software using a DDoS attack. Aiplex was a company based in India which partnered with different film studios to launch DDoS attacks against P2P sharing platforms and websites like The Pirate Bay. The group next took down the website of Recording Industry Association of America and Motion Pictures Association of America.


Under their project “Payback is a Bitch” they hacked the website of Copyright Alliance, giving their reason as an act against all those that want to silence people’s rights to spread information. After this, they attacked websites of companies like Amazon, PayPal, VISA, and Mastercard. This attack, named Operation Avenge Assange, was carried out because the aforementioned companies boycotted WikiLeaks.

Other groups and agendas of Anonymous

Anonymous is a hacktivist group that has grown enormously since it first came into existence. There are a number of groups that are associated with Anonymous, such as LulzSec and Operation AntiSec. These groups have also targeted government agencies, video game companies, media groups, etc. LulzSec was formed after the Anonymous attack on HBGary.

Speaking about the philosophy behind Anonymous, there is no particular set of guidelines that the group follows. It is merely a vast and intricate network of like-minded hackers who work with common ideas and goals. Recently, they have been involved in taking down Donald Trump’s Trump Towers’ website following the presidential candidate’s remarks on Muslim immigrants in the USA.



However, the most notable of Anonymous' projects, which has gained them the most admirers, is their campaign against ISIS. The group are quite active in taking down any website that copies or spreads the propaganda of the terrorist outfit. They that had moved to the dark net, posting a message next to an advert for a pharmaceutical company that sold Prozac and Viagra. The group have also acted against paedophile websites, saying that they are against injustice of any kind.











Top 5 Websites To Learn Hacking



Top 5 Websites To Learn How To Hack Like A Pro




You might be surprised to learn just how many people want to learn how to hack. The stereotype is that of the young college guy – a computer science major for sure – who spends his evenings and weekends writing up intricate hacking scripts to break into whatever computer system he can get his hands on.


The truth is that what was once a male-dominated community is fast changing into one that includes folks – men and women – from many walks of life, from many countries and with many backgrounds. A recent CNET article about DEFCON makes note of the fact that claims of sexual harassment and unwanted advances are increasing. This isn’t because hackers are getting more obnoxious or offensive, but because more female hackers are entering into the community and trying to find a home there, only to find insulting behavior, and other actions unbecoming of a gentleman.




This is the natural evolution of such communities, and in time the scales will balance and men and women will hack side by side. But when searching for places to go online to learn how to hack, it’s important to remember that because demographics and the world itself are changing, what you’ll find at most of the hacker websites is changing significantly as well.



Platforms in use are shifting from computer-based to more mobile and tablet hacking efforts, and there’s much greater emphasis on social networks and the many hacks that are possible there, along with all of the other new technologies and hacker tools available. The sites that keep up with these changing times will survive, while those that are stuck in the decades-old mentality of hackerdom-gone-by are doomed to fail.

Where You Can Go To Learn How To Hack Like a Pro

 

 

There’s a caveat that I have to share before diving into these sites. Hacking isn’t a single subject that anyone can pick up overnight. In the title of this article, I mention hacking like a pro. This can not be accomplished after reading one article and visiting a few of these sites – the phrase is used to imply that in time and with lots of practice, you can in fact learn to hack like a pro.



For our many readers that are already at that expert-hacker level, a few of these sites may not be for you. They may feel too simple and basic – for “script-kiddies” as some might say. The truth is, we all had to start somewhere, and these websites are offered as a starting point for those people just embarking down the road toward hackerdom.



Your intention for learning how to hack is completely your own. I do not judge. However, it should be noted that there are two forms of hacking – “white hat” and “black hat”.  White hat hackers call themselves “ethical hackers”, in that they find vulnerabilities simply to make systems and applications more secure for everyone. However, there’s a whole other community of hackers – the black hats – who find vulnerabilities only to exploit them as much as possible. Now that you know what sort of community you may be entering, let’s get on with the list of top sites where you can learn to hack.

#1 – Hacking Tutorial: Tech Tips and Hacking Tricks

Sometimes, perfect English isn’t everything. Hacking Tutorial is an example of when the writing skill of the author doesn’t necessarily equate to the quality of his or her technical knowledge. This is actually the case over at Hacking Tutorial, where the author offers articles like “Client Side Attack Using Adobe PDF Escape EXE Social Engineering”, “Exploiting MS11_003 Internet Explorer Vulnerability”, and “Hacking Using BeeF XSS Framework”.
The articles are usually short, but actually offer highly technical, step-by-step instructions on how to do the task at hand, and the tricks and tweaks absolutely work, unless the exploit has been patched. It’s a small blog, but it’s a good one for the volume of technical tricks that you’ll find there.

#2 – EvilZone Hacking Forums

While the name, EvilZone, isn’t exactly the most inviting – it is easily one of the largest forum communities that you’ll find on the subject of hacking. With over 13,042 members and over 50,000 posts (and counting), this community likely has the skills and knowledge to answer any programming question you could possibly have. Just be careful about coming across as a “noob” – these guys don’t handle newcomers with kid gloves, so be careful.
You’d definitely be best off working through the programming and encyclopedia sections first, where you’ll find areas with projects, tutorials and a lot more that will help you become educated and well-versed in hacking techniques and terminology.

#3 – Hack a Day

While I certainly don’t want to offer a nod to any blogs that may be considered competition, you really have to give credit where credit is due when it comes to a particular niche like hacking – and Hack a Day definitely offers an amazing library of information for anyone looking for specific categories like cellphones, GPS or digital cameras. Over the years, Hack A Day has transformed the site into a fairly popular blog.

More than any other site, this particular “hacking” site is very much hardware based, and they redefine the meaning of the word hacking by helping you learn how to hack up electronic devices like a Gameboy or a digital camera and completely modifying it, or building electronics for the sole purpose of hacking other commercial devices. You’ll also find a popular and busy forum section as well – a high point of the site.
While I personally don’t find the articles themselves very detailed (as an EE, I like schematics and elaborate descriptions), the site makes up for it with video demonstrations throughout.

#4 – Hack In The Box

Hack In The Box has really changed significantly through the years. It is rebranded as HITB, and the site is completely transformed into what looks like a WordPress-based platform. Still, today Hack In The Box remains focused on security and ethical hacking. However, it has obviously shifted gears at some point and changed to a more content-focused approach with a greater volume of news, and fewer in-depth articles with detailed hacks.

This transition makes it less of a place to go for actual technical hacking tips, and more of a daily spot to get your latest fix of hacking news. The site is updated frequently, and of course you can also go for the print version of the HITB-branded magazine if you want.


Clearly, HITB has become very commercialized, but it is a great resource for news for anyone interested in the latest gossip throughout the hacking community.









Hacking WPA/WPA2 without dictionary/bruteforce















Fluxion (linset)

I hadn't ventured into Hackforums in a while, and this time when I went there I saw a thread about a script called Fluxion. It's based on another script called linset (actually it's not much different from linset; think of it as an improvement, with some bug fixes and additional options). I did once think about (and was asked in a comment about) using something like a man in the middle attack/evil twin attack to get the WPA password instead of going the bruteforce/dictionary route, but never looked the idea up on the internet nor spent much time pondering over it. However, once I saw the thread about this cool script, I decided to give it a try. So in this post I'll show you how I used Fluxion, and how you can too.
Disclaimer: Use this tool only on networks you own. Don't do anything illegal.

Contents

  • Checking if tool is pre-installed, getting it via github if it isn't.
  • Running the script, installing dependencies if required.
  • Quick overview of how to use Fluxion.
  • Detailed walk-through and demonstration with text explanation and screenshots
  • Video demonstration (not identical to the written demo, but almost the same)
  • Troubleshooting section




Just double checking

The first thing I did was make sure that Kali doesn't already have this tool. Maybe if you are reading this post a long time after it was written, then you might have the tool pre-installed in Kali. In any case, try this out:
fluxion
I personally tried to check if linset or fluxion came pre-installed in Kali (though I didn't expect them to be there).

Getting the script

Getting the script is just a matter of cloning the github repository. Just use the git command line tool to do it.

If you have any problems with this step, then you can just navigate to the repository and manually download the stuff.


Update : There seems to be some legal trouble with Fluxion. The creator of the script has removed the source code of the tool, and uploaded code that is supposed to delete fluxion from your computer. I don't know the specifics of what is going on, but will provide updates ASAP.
Update : Now the repository is gone altogether!
What this means : As of now, this tutorial is useless. If you can find the source code for Fluxion, then you can use it and continue with the tutorial. Otherwise, not much can be done without the tool.


Update Again!
You can try this repo - https://github.com/wi-fi-analyzer/fluxion. It's an old version, might or might not work.

git clone https://github.com/wi-fi-analyzer/fluxion

There are 4 dependencies that need to be installed

Running the script

Just navigate to the fluxion directory or the directory containing the scripts in case you downloaded them manually. If you are following the terminal commands I'm using, then it's just a simple change directory command for you:
cd fluxion
Now, run the script.
sudo ./fluxion



Dependencies

If you have any unmet dependencies, then  run the installer script.
sudo ./Installer.sh
I had 4 unmet dependencies, and the installer script run was a buggy experience for me (though it might be because I have completely screwed up my system, editing files I wasn't supposed to and now I can't get them back in order). It got stuck multiple times during the process, and I had to ctrl+c my way out of it many times (though ctrl+c didn't terminate the whole installer, just the little update popup). Also, I ran the installer script twice and that messed up some of the apt-get settings. I suggest that after installation is complete, you restore your /etc/apt/sources.list to its original state, and remove the bleeding edge repositories (unless you know what you're doing). To know what your repository should look like, take a look here.


Anyways, one way or the other, your unmet dependencies will be resolved, and then you can use Fluxion.
PS: For those trying to use apt-get to install the missing stuff - some of the dependencies aren't available in the default Kali repos, so you'll have to let the script do the installation for you, or manually add the repos to /etc/apt/sources.list (look at the script to find out which repos you need to add)


Fluxion

Once again, type the following:
sudo ./fluxion


This time it should run just fine, and you would be asked a few very simple questions.
  • For the wireless adapter, choose whichever one you want to monitor on. For the channels question, choose all, unless you have a specific channel in mind, which you know has the target AP.
  • Then you will see an airodump-ng window (named Wifi Monitor). Let it run while it looks for APs and clients. Once you think you have what you need, use the close button to stop the monitoring.
  • You'll then be prompted to select target.
  • Then you'll be prompted to select attack.
  • Then you'll be prompted to provide handshake.
  • If you don't have a handshake captured already, the script will help you capture one. It will send deauth packets to achieve that.
  • After that, I quit the procedure (I was using the script in my college hostel and didn't want to cause any troubles to other students).

If you are with me so far, then you can either just close this website, and try to use the tool on your own (it looks intuitive enough to me), or you can read through the test run that I'm going to be doing now.

Getting my wireless network's password by fooling my smartphone into connecting to a fake AP

So, in this example run, I will try to find out the password of my wireless network by making my smartphone connect to a fake AP, and then type out the password in the smartphone, and then see if my Fluxion instance on my Kali machine (laptop) gets the password. Also, for the handshake, I will de-authenticate the same smartphone.
PS: You can probably follow this guide without having any clue how WPA works, what handshake is, what is actually going on, etc., but I suggest you do read up about these things. Here are a few links to other tutorials on this website itself that would prove useful (the first two are theoretical, yet nice, the third one is a pretty fun attack, which I suggest you try out, now or later):
  1. Things you should know about Wireless Hacking - Beginner Level Stuff
  2. Things you should know about Wireless Hacking Part II - Intermediate Level Stuff
  3. Evil Twin Attack
This is the theoretical stuff. Experience with tools like aircrack-ng, etc. would also be useful. Take a look at the navigation bar at the top and look at the various tutorials under the "Wireless Hacking" category.
Anyways, with the recommended reading material covered, you can comfortably move on to the actual hacking now:

The real stuff begins!

This section is going to be a set of pictures with captions below them explaining stuff. It should be easy to follow I hope.
Select language
After selecting language, this step shows up.
Note how I am not using any external wireless card, but my laptop's internal card.
However, some internal cards may cause problems, so it's better to use an
external card (and if you are on a virtual machine you will have to use an external card).

The scanning process starts, using airodump-ng.

You get to choose a target. I'm going after network number 21, the one my smartphone
is connected to.

You choose an attack. I am going to choose the Hostapd (first one) attack.

If you had already captured a 4-way handshake, then you can specify the location
to that handshake and the script will use it. Otherwise, it will capture a handshake
in the next step for you. (A tutorial on capturing the handshake separately)
If you didn't capture a handshake beforehand, then you get to choose which
tool to use to do that. I'm going with aircrack-ng.

Once you have a handshake captured (see the WPA Handshake: [MAC Address] on top, if it's
there, then you have the handshake), then type 1 and enter to check the handshake. If everything's fine,
you'll go to the next step.

Use the Web Interface method. I didn't try the bruteforce thing, but I guess it's just
the usual bruteforce attack that most tools use (and thus no use to us, since that's
not what we are using this script for).

This offers a variety of login pages that you can use to get (phish) the
WPA network's password. I went with the first choice.

After making your decision, you'll see multiple windows. DHCP and DNS requests are being handled in
left two windows, while the right two are status reporting window and deauth window (to get users
off the actual AP and lure them to our fake AP)

On my smartphone, I see two networks of the same name. Note that while the original network is WPA-2
protected, the fake AP we have created is an open network (which is a huge giveaway stopping most people
from making the mistake of connecting to it). Anyways, I connected to the fake AP, and the DNS and DHCP windows
(left ones), reacted accordingly.
After connecting to the network, I got a notification saying that I need to login to the wireless network.
On clicking that, I found this page. For some people, you'll have to open your browser and try to open a website (say facebook.com) to get this page to show up. After I entered the password, and pressed submit, the script ran the
password against the handshake we had captured earlier to verify if it is indeed correct. Note how the
handshake is a luxury, not a necessity in this method. It just ensures that we can verify if the password
submitted by the fake AP client is correct or not. If we don't have the handshake, then we lose this ability,
but assuming the client will type the correct password, we can still make the attack work.

Aircrack-ng tried the password against the handshake, and as expected, it worked.
We successfully obtained the password to a WPA-2 protected network in a matter of minutes.
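The giveaway noted in the walkthrough, an open network appearing under the same name as a WPA-2 protected one, is something a network owner can check for in scan results. The following is an added example, not part of the original post or of Fluxion. It assumes scan lines in the terse shape printed by `nmcli -t -f SSID,BSSID,SECURITY device wifi list`, with an empty or `--` security field meaning an open network; the function names and sample lines are constructed.

```python
from collections import defaultdict

# Assumption: how the scan output marks a network with no encryption.
OPEN_MARKERS = {"", "--"}


def split_terse(line):
    """Split a colon-separated line, treating a backslash as an escape
    for the next character (so escaped colons inside a BSSID survive)."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])
            i += 2
        elif ch == ":":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    fields.append("".join(current))
    return fields


def find_suspect_twins(scan_lines):
    """Return SSIDs advertised both with and without encryption.

    Result maps SSID -> {"open": [bssid, ...], "protected": [bssid, ...]}.
    """
    by_ssid = defaultdict(list)
    for line in scan_lines:
        fields = split_terse(line.rstrip("\n"))
        if len(fields) != 3 or not fields[0]:
            continue  # malformed line or hidden SSID: nothing to compare
        ssid, bssid, security = fields
        by_ssid[ssid].append((bssid.upper(), security.strip()))

    suspects = {}
    for ssid, aps in by_ssid.items():
        open_aps = sorted(b for b, s in aps if s in OPEN_MARKERS)
        protected = sorted(b for b, s in aps if s not in OPEN_MARKERS)
        if open_aps and protected:
            suspects[ssid] = {"open": open_aps, "protected": protected}
    return suspects


# Constructed scan results (SSIDs and BSSIDs are made up).
SAMPLE_SCAN = [
    r"HomeNet:AA\:BB\:CC\:00\:11\:22:WPA2",
    r"HomeNet:aa\:bb\:cc\:00\:11\:99:",
    r"CoffeeShop:10\:20\:30\:40\:50\:60:--",
    r"Office:DE\:AD\:BE\:EF\:00\:01:WPA2 WPA3",
    r"Office:DE\:AD\:BE\:EF\:00\:02:WPA2 WPA3",
]

if __name__ == "__main__":
    for ssid, aps in find_suspect_twins(SAMPLE_SCAN).items():
        print(f"{ssid}: open {aps['open']} alongside protected {aps['protected']}")
```

A match is a lead to verify rather than a verdict: the open BSSID should be compared against the access points you actually operate.
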














