1 of 9

Final Project

Social Engineering Toolkit

By Josh Toomey

2 of 9

SEToolkit Project Explanation

Goal - Use the SEToolkit to spoof google log in page and “steal” user login credentials

Why? - Phishing is one of the biggest risks for general public and businesses in regards to information safety. While phishing is preventable with vigilant email review practices, it still remains one of the top tactics for attackers to gather credentials.

Demonstration Steps:

  • Create fake login page for google using SEToolkit
  • Send fake phishing email asking for login information due to suspicious activity
  • Show credential capture in SEToolkit

3 of 9

What is Phishing?

  • Phishing is a cybercrime where a target is contacted by email, phone or text by someone posing as a legitimate institution
  • The goal is to gain sensitive information from the target such as logon information, account credentials, financial credentials
  • There are many types of phishing including email phishing, malware phishing, spear phishing, and whaling
  • In 2021, according to statista.com (sourced from FBI Internet Crime Complaint Center), Phishing/Vishing/Smishing affected 323,972 Americans.

https://www.statista.com/chart/24593/most-common-types-of-cyber-crime/

4 of 9

Visualization

5 of 9

Research

  • I used multiple websites to confirm functions of SEToolkit
  • Determined that I wanted to use the Social-Engineering Attacks
  • Selected the Credential Harvester Attack Method as this is the best method to gather login credentials
  • Researched email spoofing sites to send the phishing email
  • Researched examples of google emails for phishing attempt to ensure believability
  • Found multiple sites online to get email lists of exposed email addresses. I DID NOT PURCHASE ANY OR DOWNLOAD ANY FOR LEGAL REASONS

6 of 9

Install/Set up

Using the Kali-Linux VM, verified the SEToolkit was downloaded and available

Created a fake email for gmail/google account to showcase the phishing attack

Created a template for my phishing email that I can insert a malicious link into

Created an account on 5ymail that allows me to send email anonymously and allows me to set the “from” field.

7 of 9

SEToolkit Demonstration

Due to time constraints, I have recorded a demonstration of the SEToolkit/phishing scam

8 of 9

Effects of Attack

  • Able to grab credentials to user google account
  • With those credentials, I can access their email, their history and their banking information
  • When used on a corporation instead of an individual, I could gain access to the entire company server and steal sensitive data regarding clients, their company and financial information
  • This can also create a disruption in business processes resulting in loss of revenue or loss of public standing depending on breach/data taken

9 of 9

Mitigation Suggestions

  • Private
    • Don’t open suspicious links in emails
    • Verify the address of the sender display and web address of any links in email
    • Make sure it’s a verified sender/email
    • Remember no legitimate company will ask you for a password
    • Watch for grammatical errors and spelling mistakes
  • Business
    • Run anti-phishing campaigns at your company
    • Provide annual training to employees
    • Have multi-factor authentication or two factor authentication
    • Use anti-phishing software/services to detect phishing emails coming in to the server
    • Have anti-malware/anti-virus software in case of a breach to avoid having malicious software installed in case of a phishing attempt