Once the target is identified, attackers begin their work. To launch an attack or gather information, they rely on the tools and capabilities available to them.
As noted in my previous post, targets are also chosen based on the tools attackers can buy or build, given their intent, motives and capabilities. Most of the time the motive is financial gain. Below are a few tools available to sophisticated attackers and script kiddies alike:
- Kali Linux comes with a plethora of tools, from information gathering to launching attacks.
- Exploit builders – available on multiple marketplaces, usually for sale or rent.
- XXXXX-as-a-service – malware, ransomware, crypto and others, offered for sale or rent. Customised services, such as banking injects, are also available on request.
- Services like BlackTDS – BlackTDS is a multitenant TDS (traffic distribution system) tool that has been advertising its services on underground markets since the end of December 2017 (see the Proofpoint article).
- Underground forums and marketplaces where these and other services and tools are advertised.
- Cracked vendor tools
- Tools and projects available on GitHub.
A few underground marketplaces:
Why is this important to know? As a potential target (any organisation or individual user), one should know about the tools that can be used against them. Monitoring and understanding such tools helps prepare for what is coming.
More about information gathering can be found in my previous blog entry: https://fl0x2208.com/2015/11/28/information-gathering-then-now-and-why/
Consider a scenario of phishing users to obtain their credentials. Once these credentials are collected, they are mostly sold on marketplaces.
- Motive: financial gain.
- Targets: to phish a user, the attacker needs to contact them, mostly via their email address or phone.
- Getting emails/phone numbers: again, this goes back to marketplaces where people sell dumps containing emails and phone numbers from other sites. These hacks are mostly done to earn vouches and recognition on the underground marketplaces. Another way to get emails and phone numbers is to scan social media sites and other publicly available sources.
- Tools: a phishing kit, either bought or built. Document templates and pages are available that these actors can use for phishing.
- Hosting the phishing page or compromising a site: tools mentioned above such as BlackTDS, VPS service providers, etc. help host the phishing site. Otherwise, attackers look for vulnerable public sites and host their phishing pages there, compromising them with tools available in Kali, for example.
- Actions: mostly the credentials are stored in a database via a POST to a PHP script, or they are sent to an email address. These credentials are then either used or sold on underground marketplaces.
The cycle then continues from the first step, for the same scenario or a different one.
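As an added example that is not part of the original post: a small defender-side check for the hosting and actions steps above, scanning a site's own access log for POST requests to PHP scripts the site does not normally serve, which is what the POST-to-PHP credential drop described above looks like from the compromised host's side. The log lines, the site name www.example.org and the list of known endpoints are constructed assumptions.

```python
import re
# Constructed sample lines in combined log format for a hypothetical site; not real data.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2018:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2018:09:12:44 +0000] "GET /wp-content/uploads/.secure/login.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2018:09:13:02 +0000] "POST /wp-content/uploads/.secure/post.php HTTP/1.1" 302 0 "http://www.example.org/wp-content/uploads/.secure/login.html" "Mozilla/5.0"
198.51.100.2 - - [10/Jan/2018:09:14:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://www.example.org/wp-login.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Assumed inventory of PHP endpoints that legitimately accept POSTs on this site.
KNOWN_POST_ENDPOINTS = {"/wp-login.php", "/contact.php"}

def suspicious_reasons(path, status):
    """Return the indicators that make a POST to `path` look like a credential drop."""
    reasons = []
    segments = path.split("/")
    if "uploads" in segments:
        reasons.append("php script under a writable upload directory")
    if any(seg.startswith(".") for seg in segments if seg):
        reasons.append("hidden directory in path")
    if status in ("301", "302", "303", "307"):
        reasons.append("redirect straight after POST")
    return reasons

def find_suspicious_posts(log_text, known_endpoints=KNOWN_POST_ENDPOINTS):
    """Scan combined-format log lines for POSTs to PHP scripts outside the known inventory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        path = m.group("path").split("?", 1)[0]
        if m.group("method") != "POST" or not path.endswith(".php"):
            continue
        if path in known_endpoints:
            continue
        reasons = suspicious_reasons(path, m.group("status"))
        if reasons:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"), "path": path, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_posts(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["path"], "; ".join(hit["reasons"]))
```

A hit is a prompt to inspect that script on disk and compare the directory against a known-good copy of the site, not proof of compromise by itself.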
What can we do to stop this?
This can't be stopped entirely. However, we can make it harder for the phishers, and avoid falling for phishing, by educating ourselves. Being proactive and reporting phishing attempts to the authorities or to the organisation that is being phished also helps get the phishing site taken down as early as possible.
Following are some links to phishing examples: