Phishing for User Credentials
Harvesting credentials through a phishing attack is typically performed with cloned websites during adversarial attack simulations. A cloned website works by copying the front end of a real site (such as the Gmail login page) and hosting it on a domain designed to mimic the real one (gmail.com vs. gmail.com-google.net).
Once the cloned website is created, an unsuspecting visitor lands on the login page and enters their credentials. The cloned site records the victim's credentials and then displays a "Login Error" message, making it appear that the victim mistyped their password. The cloned website then redirects the victim to the actual website's login page.
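The lookalike domain in the example above (gmail.com-google.net) is one of the signals a defender can check for automatically. The following helper, added here as an illustration and not code from the original post, flags hostnames that embed a protected brand name without actually belonging to that brand's domain; it assumes a short, hard-coded list of protected domains and takes the last two DNS labels as the registrable domain (no Public Suffix List), which is sufficient for the .com/.net cases discussed here.

```python
"""Flag lookalike hostnames that embed a protected brand domain.

Defender-side helper written for this article (not from the original post).
Simplification: the registrable domain is taken as the last two labels,
with no Public Suffix List lookup.
"""
from urllib.parse import urlsplit

# Assumed list of brand domains users are expected to log in to.
PROTECTED = ("gmail.com", "google.com")


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL, adding a scheme if missing."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Last two DNS labels, e.g. 'gmail.com-google.net' -> 'com-google.net'."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_legitimate(host: str, brand: str) -> bool:
    """True only if host is the brand domain itself or a real subdomain of it."""
    return host == brand or host.endswith("." + brand)


def lookalike_brands(url: str, protected=PROTECTED) -> list[str]:
    """Return the protected brands that appear in the host without owning it.

    'gmail.com-google.net' starts with the labels 'gmail' and 'com', yet its
    registrable domain is 'com-google.net', so it is flagged for both brands.
    'mail.google.com' is a true subdomain of google.com and is not flagged.
    """
    host = hostname_of(url)
    hits = []
    for brand in protected:
        if is_legitimate(host, brand):
            continue
        brand_name = brand.split(".")[0]  # 'gmail' from 'gmail.com'
        # Brand name embedded in any label of a host the brand does not own,
        # e.g. 'gmail.com-google.net' or 'gmail-login.example.net'.
        if any(brand_name in label for label in host.split(".")):
            hits.append(brand)
    return hits
```

Feeding proxy or mail-gateway URLs through `lookalike_brands` gives a cheap first-pass alert; a Public Suffix List lookup should replace `registrable_domain` before production use.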
While this phishing method often succeeds in stealing the victim's credentials, it has some issues. Cloned websites are sometimes easily identified as fake, and two-factor authentication (2FA) adds difficulty, because capturing the second factor requires a real-time attack.
Sometimes, the attacker cannot make a perfect copy of the website they are attempting to mimic, or the attacker will try to introduce additional fields seeking more information beyond just a username and password, all of which raise suspicion.
In some instances, victims are 100% certain they entered their credentials correctly and become immediately suspicious when they cannot log in to the cloned website. In a red team engagement, this is a point where we can get caught.
In addition, if 2FA is enabled on a targeted account, the username and password make up only two-thirds of what an attacker needs to phish the victim successfully. Suppose the victim uses SMS or a Time-based One-Time Password (TOTP) from Authy, Google Authenticator, an RSA token, etcetera for 2FA. In that case, the attacker must capture the login credentials in real time; if they don't, they must craft another ploy to grab a token.