Mastodon Hillbilly StoryTime: Phishing 101: An Intro

Friday, March 27, 2015

Phishing 101: An Intro

If you search on the internet or attend pretty much any security conference, you will find a plethora of information on what "phishing" is and how to perform it.  As such, this post (and the following ones in the series) will just cover the high points and provide useful references on where you can find more in-depth information.

At its core, phishing is the sending of an email to a target with the intent of getting the target to perform some action that leads to the attacker gaining a new piece of information or a new level of access.

The statement is a bit vague, and it is meant to be so.  That is because phishing can take many forms with many different desired outcomes.  The typical outcomes are:
  • harvesting credentials from a target, typically via a credential-harvesting website that imitates a login page the target already trusts
  • compromise of the target's web browser via a drive-by browser exploit or a malicious Java payload served from the phishing site
  • compromise of the target's system, typically via a malicious attachment
For the purposes of this blog post and the following ones, we will be discussing phishing primarily from the perspective of a contractually/legally authorized phishing exercise/engagement.

For most phishing exercises/engagements, the following 4 steps will occur:
  1. Target identification, via
    a. the customer providing the target list, or
    b. the attacker performing Open Source Intelligence (OSINT) gathering
  2. One or more websites are designed and made active.  Two possible site types are:
    a. credential harvesting
    b. browser exploit
  3. The attacker crafts and then sends the phishing emails to the target email addresses.  These emails could be nothing more than a simple template containing a URL to one of the previously designed websites, or they could carry a malicious attachment.
  4. As the exercise/engagement progresses, the attacker monitors the results (who clicked, who submitted credentials, who opened the attachment) and uses them to ultimately create a report for the customer.
Each of these steps will be discussed in more detail in future blog posts.
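To make the four steps concrete, here is an added example (not code from the original post or from any particular phishing framework) of the plumbing that ties steps 1, 3 and 4 together: each target gets a unique, unguessable token, the token is embedded in the URL in that target's email, and the landing site's access log is later parsed to attribute every click and credential submission back to a target.  The landing host, sender address, target list, HMAC key and log lines below are all constructed for the example and are not from the post.

```python
import hashlib
import hmac
import re
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

# Hypothetical engagement parameters (assumptions for this example only).
LANDING_HOST = "https://portal-login.example"      # attacker-controlled harvesting site
SENDER = "it-support@example-corp.test"            # spoofed/look-alike sender
KEY = b"constructed-engagement-key"                # per-engagement secret, kept off the landing host

# Step 1: constructed target list, as a customer might hand it over.
TARGETS = [
    {"email": "alice@example-corp.test", "name": "Alice"},
    {"email": "bob@example-corp.test", "name": "Bob"},
    {"email": "carol@example-corp.test", "name": "Carol"},
]


def make_token(email: str, key: bytes) -> str:
    """Per-target tracking token. HMAC keeps it unguessable yet reproducible
    from the key, so the token->target mapping can be rebuilt if lost."""
    return hmac.new(key, email.encode(), hashlib.sha256).hexdigest()[:16]


def build_campaign(targets, key: bytes) -> dict:
    """Map every token to exactly one target."""
    return {make_token(t["email"], key): t for t in targets}


def render_email(target: dict, token: str) -> EmailMessage:
    """Step 3: a minimal template whose only payload is the tracked URL."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = target["email"]
    msg["Subject"] = "Action required: your password expires today"
    url = f"{LANDING_HOST}/login?t={token}"
    msg.set_content(
        f"Hello {target['name']},\n\nYour password expires in 24 hours. "
        f"Sign in here to keep your account active:\n{url}\n"
    )
    return msg


# Apache/nginx common-log-format prefix; anything after the status is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})'
)


def parse_hits(log_lines, campaign: dict):
    """Step 4: attribute landing-site hits to targets.
    GET on the login page = click; POST = credentials submitted.
    Hits carrying a token we never issued are counted separately so that
    scanners, typos and forwarded links do not pollute per-target results."""
    results = {tok: {"target": t["email"], "clicked": False, "submitted": False}
               for tok, t in campaign.items()}
    unattributed = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # malformed line, skip
        token = parse_qs(urlparse(m["path"]).query).get("t", [None])[0]
        if token is None:
            continue                                  # favicon, robots.txt, etc.
        if token not in results:
            unattributed += 1
            continue
        results[token]["clicked"] = True
        if m["method"] == "POST":
            results[token]["submitted"] = True
    return results, unattributed


def summarize(results: dict, unattributed: int) -> dict:
    """The numbers that end up in the customer report."""
    return {
        "sent": len(results),
        "clicked": sum(r["clicked"] for r in results.values()),
        "submitted": sum(r["submitted"] for r in results.values()),
        "unattributed_hits": unattributed,
    }


CAMPAIGN = build_campaign(TARGETS, KEY)
_T = {t["email"].split("@")[0]: tok for tok, t in CAMPAIGN.items()}

# Constructed access log from the landing host: Alice clicked and submitted,
# Bob only clicked, Carol never clicked, plus one stray hit with a bogus token.
SAMPLE_LOG = [
    f'203.0.113.10 - - [27/Mar/2015:10:15:32 +0000] "GET /login?t={_T["alice"]} HTTP/1.1" 200 2048',
    f'203.0.113.10 - - [27/Mar/2015:10:16:04 +0000] "POST /login?t={_T["alice"]} HTTP/1.1" 302 0',
    f'198.51.100.7 - - [27/Mar/2015:10:21:47 +0000] "GET /login?t={_T["bob"]} HTTP/1.1" 200 2048',
    f'198.51.100.7 - - [27/Mar/2015:10:21:48 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
    f'192.0.2.99 - - [27/Mar/2015:11:02:13 +0000] "GET /login?t=deadbeefdeadbeef HTTP/1.1" 200 2048',
]


def run_campaign() -> dict:
    results, unattributed = parse_hits(SAMPLE_LOG, CAMPAIGN)
    return summarize(results, unattributed)


if __name__ == "__main__":
    print(render_email(TARGETS[0], make_token(TARGETS[0]["email"], KEY)))
    print(run_campaign())
```

Two design points worth carrying into a real engagement: the token is the only thing that links a hit to a person, so it must be unguessable (here an HMAC of the address under a per-engagement key) and must never be reused across campaigns; and hits that do not map to an issued token are reported separately rather than dropped, because a burst of them usually means the link was forwarded, a mail gateway pre-fetched it, or the customer's security team has started poking at the site.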
