How to Perform Phishing

Introduction

Phishing is a technique that involves sending an email to a user while pretending to be a legitimate entity (social network, bank, public institution, etc.), with the aim of stealing private information, making a financial charge, or infecting the device. For this purpose, you attach infected files or include links to fraudulent pages in the email.

Phishing is no longer only spread via email but can also be spread through other methods, such as social networks, instant messaging, SMS, phone calls, etc.

Techniques for Phishing

Technique 1: Use of Subdomains for Phishing

This first technique relies on subdomains: the owner of a domain can create any subdomain under it, so the subdomain can show whatever name a specific phishing campaign calls for.

For example, in a banking phishing campaign, if you have acquired the domain “support.com”, you could use a subdomain to send phishing campaigns where the sender of the email or the destination domain of a specific link would be “chase.support.com”.

You only have to purchase the primary domain and add a subdomain of your choice, so by purchasing a domain with a “hook”, you can carry out very believable campaigns.

Technique 2: Use of link shorteners for Phishing

The use of link shorteners is very simple to employ and is indeed one of the most commonly utilized techniques in phishing campaigns.

If you create a fraudulent website, impersonating the identity of another website or any social network, one of the most frequently employed techniques to prevent the victim from realizing that they are being deceived is the use of link shorteners.

To illustrate with an example, in a campaign aimed at attempting to capture credentials, that is, usernames and passwords, from social networks, you could purchase a domain, for instance, “mydomain.com”, where you intend to clone a website, following any of the techniques that can be used. Once the website is cloned, you mask the URL address using a link shortener, so that the person receiving the phishing campaign does not realize that it is, in fact, phishing.

If you wish to employ this technique, there are numerous online and free websites available that will perform the URL shortening for you immediately. You may utilize Bitly, Cuttly, or even Google’s own service.

Technique 3: Utilisation of Typosquatting

This technique is also frequently employed. It involves the use of visual deception tactics, whereby you purchase a domain with slight modifications to the original domain name, deceiving users into believing that clicking on the link will lead them to the correct site, when in fact, this is not the case.

To better comprehend this, I shall provide you with a few examples below:

Google.com (Correct link)

Goggle.com (Link with Typosquatting)

Google.com (Link with Typosquatting)
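Both the subdomain trick from Technique 1 and the lookalike domains above can be caught by comparing a link's registrable domain against a brand watchlist. The following is an added example, not part of the original article; the watchlist, function names and the "last two labels" rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed watchlist: brand label -> registrable domain the brand really uses.
WATCHLIST = {"google": "google.com", "chase": "chase.com"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    # Assumption: the last two labels are the registrable domain. This is wrong
    # for suffixes such as co.uk; production code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def check_link(url, max_distance=1):
    """Return a list of findings for one URL; an empty list means nothing was flagged."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registrable(host)
    if reg in WATCHLIST.values():
        return []  # the link really is on a watched brand's own domain
    findings = []
    sld = reg.split(".")[0]            # e.g. "support" in support.com
    sub_labels = host.split(".")[:-2]  # e.g. ["chase"] in chase.support.com
    for brand, real in WATCHLIST.items():
        if brand in sub_labels:
            findings.append(f"brand-in-subdomain: '{brand}' under {reg}, expected {real}")
        d = edit_distance(sld, brand)
        if d <= max_distance:
            findings.append(f"lookalike: '{reg}' is {d} edit(s) from '{brand}' ({real})")
    return findings

if __name__ == "__main__":
    for url in ("https://chase.support.com/login", "https://goggle.com/", "https://www.google.com/"):
        print(url, check_link(url))
```

The subdomain check only matches a whole label; a mail gateway would typically also look for the brand as a substring of any label.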

Technique 4: Use of QR Codes

The following method or technique, which is also widely used, is the use of the very famous QR codes. Who can resist the temptation of scanning a QR code? However, do you fully comprehend the underlying processes that take place when you scan a QR code? Do you know where that QR code will take you?

This feature is precisely what you can take advantage of. You could send QR codes by mail, SMS, place them in advertisements, on websites or even physically at bus, train or metro stops or in restaurants pretending to be the menu, etc. If you are able to create a cloned website with malicious intent or simply want to steal someone’s data, creating a QR code helps a lot, as many people feel the temptation to scan them and see what’s behind them.

You could purchase a domain and create a QR code very simply. There are plenty of free websites that allow us to create a QR code in just a few steps. We enter the URL, which can even be shortened, and give it some personalisation by changing the colours, adding a logo, etc. One of the free websites is QRCode Monkey, although there are many more.

Technique 5: Homographic Attack

This technique is also widely used. It is a Typosquatting variant that uses characters from other languages, like Cyrillic, which are similar to ours but slightly modified and often imperceptible. But these are different characters, so we don’t see anything bad when we read them. However, clicking a link with this technique takes us to a different, cloned, or malicious site.

To understand it a bit better, I will provide you with three examples below; one is good, and the other two are bad.

https://www.instagram.com
https://www.instаgrаm.com

https://www.instagram.cоm

To carry out a homographic attack, you could purchase a domain that closely resembles a legitimate one, but with subtle character changes. There are numerous online and free websites that allow you to convert different characters, along with a preview of what the result would look like.
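Because the substituted characters belong to a different script, a hostname label that mixes scripts is a strong signal, and the label's ASCII (Punycode, "xn--") form makes the difference visible. The following is an added example, not part of the original article; the function names are assumptions and the sample hosts are constructed to mirror the three examples above.

```python
import unicodedata

def label_scripts(label):
    """Scripts used by the letters of one DNS label, taken from the Unicode names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def inspect_host(host):
    """Report every non-ASCII label with its scripts and its ASCII (Punycode) form."""
    findings = []
    for label in host.lower().split("."):
        if label.isascii():
            continue  # plain ASCII labels cannot hide a homoglyph from another script
        scripts = sorted(label_scripts(label))
        # Python's built-in "idna" codec (IDNA 2003) yields the xn-- form sent to DNS.
        ace = label.encode("idna").decode("ascii")
        # A label in a single non-Latin script may be a legitimate IDN;
        # a label mixing scripts almost never is.
        kind = "mixed-script" if len(scripts) > 1 else "non-ASCII"
        findings.append({"label": label, "kind": kind, "scripts": scripts, "ace": ace})
    return findings

# Constructed samples: \u0430 is CYRILLIC SMALL LETTER A, \u043e is CYRILLIC SMALL LETTER O.
SAMPLES = [
    "www.instagram.com",
    "www.inst\u0430gr\u0430m.com",
    "www.instagram.c\u043em",
]

if __name__ == "__main__":
    for host in SAMPLES:
        print(ascii(host), inspect_host(host))
```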

Technique 6: Use of Unicode and Punycode

In addition to the previous techniques, you could use Unicode and Punycode to carry out phishing campaigns. These codes will allow you to modify the “normal behaviour” of writing so that it still looks normal to the human eye, but in reality, it does not say what we are seeing. To help you understand it better, we will provide an example below. In the next two lines, I assure you that both convey the same message. But to the human eye, the first is bad and the second is good.

bankse.ai

bank.se.ai

To do this, you could use the Unicode table website. Clicking the link will take you to the Unicode 202E code to run your tests. If you write the first of the examples (bankse.ai), copy the Unicode 202E code from the link I indicate and paste it right after the “k”, it will turn the rest of the domain around. So if you send this domain in a link, the victim will see the domain correctly, but it will take them to a completely different one where you could have a cloned, fake or malicious site.

There are many codes that you could use. You can research the different types of codes available using the same link that I provided.
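Since U+202E and the related codes are invisible format characters, a filter can find them by their Unicode properties and show the string in its stored order instead of its rendered order. The following is an added example, not part of the original article; the function names are assumptions and the sample string is constructed from the bankse.ai example above.

```python
import unicodedata

# Bidirectional classes of the explicit embedding, override and isolate controls
# (U+202A..U+202E and U+2066..U+2069).
BIDI_CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

def find_hidden_controls(text):
    """Return (index, 'U+XXXX', name) for each bidi control or other format character."""
    hits = []
    for i, ch in enumerate(text):
        is_bidi = unicodedata.bidirectional(ch) in BIDI_CONTROLS
        is_format = unicodedata.category(ch) == "Cf"  # also catches zero-width characters
        if is_bidi or is_format:
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
    return hits

def escaped(text):
    """The string in stored (logical) order with every hidden character spelled out."""
    return "".join(
        ch if ch.isascii() and ch.isprintable() else f"<U+{ord(ch):04X}>"
        for ch in text
    )

def vet_link_text(text):
    """Decision record for a URL or link label taken from a message."""
    hits = find_hidden_controls(text)
    return {"reject": bool(hits), "hits": hits, "stored": escaped(text)}

# Constructed sample: the page's first example with U+202E placed after the "k".
SAMPLE = "bank\u202ese.ai"

if __name__ == "__main__":
    print(vet_link_text(SAMPLE))
    print(vet_link_text("bank.se.ai"))
```

A legitimate hostname never needs these characters, so rejecting or stripping them in URLs and link text carries little risk of false positives.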

Conclusion

These methods have been used for a long time and are still in use today. Moreover, you must consider that all of them can be combined, making their detection extremely complicated.

Imagine that someone sends you an electronic mail with a QR code, which includes an embedded link, that has some modified Cyrillic character, and may also contain some Unicode or Punycode and is shortened on top of that, to give an example. Its detection would be extremely complex for a common person, wouldn’t it?
