EMAIL and SMS Phishing attacks | Avoid Being Hacked

a few weeks ago a hospital near my house decided to hire a penetration testing company and they launched a fishing campaign against this specific Hospital one time through a text message and then also through emailing and about 80 percent of all of the employees at this specific Hospital clicked on the link this is why I'm regularly telling you not to click on any links unless you know who sent it to you and you trust them and then you know where that specific link is going to take you today I'm going to be showing you two really simple social engineering Tools in order to create phishing emails so you can spoof your ID and say it came from Google or Yahoo or really anyone that you want and then I'm also going to show you how to create custom URLs suddenly whenever you send this link to somebody it looks like it is from a legitimate Source the reason I'm making this video is because I regularly am hearing from people who have been hacked by clicking on something they should not have whether it is my family my friends or somebody through an email so I want to make this video to show you just how easy this is and why you need to be cautious from we're clicking on any kind of Link or trusting any kind of data that has been sent to you now before we start I want to tell you that it is illegal to send any kind of text message or email to anybody without their permission let's go ahead and jump into this so the first thing we're going to do is open up a terminal and you should already have this installed if you're using Kali Linux which is what I am using it is just social engineering tool kit just like this and you can hit enter I think we have to run this with sudo which we do so we can go up Ctrl a sudo and then type in our password and it's going to ask us to read this in terms of service I have read this in the past and basically it says don't do anything illegal with this or the people who make this tool are not responsible so we'll say yes and enter so now it's going to say what do we want to do with this we want to use social engineering attacks so we'll go ahead and type in one and then we're going to use website attacks for the sake of this video so we can hit 2 and then we want to create a credential harvesting attack so we want to get the credentials from a potential user so we will tell it three and then we want to use a website template instead of creating our own website for the sake of this video which is going to be number one and then it is going to use our IP from our computer so you don't even need to run ifconfig it is going to automatically run it so we can copy this paste it in and that's going to be the UR URL that we're going to use and which template do we want to use you can use Twitter Google or Java required we're going to use Google because it's really common most people have a Gmail account so we can go ahead and hit number two and then it's going to tell us that this is working so we have credential Harvester is running on Port 80 which is going to be HTTP which can be a problem if your user is paying attention because it's going to say not secure up in the URL but we're going to go ahead and run this anyway so we're cloning the website of google. com so I want to show you what this looks like so if we open up a Firefox we're going to be brought to Google now all I have to do is paste in my IP address and hit enter and you're going to see what happens this looks like the Google login website so if I make up my email and I just want to say got gmail. com and then my password is going to be hacked and I go ahead and click sign in and it's going to go ahead and forward us to the actual Google website right here so we are on the real Google website now and it's going to say it sign in over here because it actually didn't work for us but if we come back over to our terminal it's going to tell us the possible username is got email.

com and password is hacked which is exactly what I typed in now what's going to happen in most cases is if you come up here and you send somebody a link that is just this IP address they are not going to click on this and if they come in here and they see this IP address they're going to go okay this is not Google so what you want to do is go out to Google itself and you can just type in url shortener I really like tinyurl because if you create a account and you actually pay for it you are able to spoof your url instead of just typing in your URL and then having it give you something back so I'll give you an example shortened URL is probably the easiest if you're not going to make an account you just put in your link which is going to be our IP address and you type in shorten URL and it gives us this URL right here and you can now copy this and this is what you would send in your email or your text message but this doesn't really look very good because it says short url. com who's going to click that so that's why if you were to use this in a real penetration testing engagement you'd want to create a custom URL for your Target so you would actually want to make an account you're going to have to pay for it and then you'll be able to create a custom URL that is going to look like google. com or whatever you are trying to spoof so now if we come back over here instead of using our IP address we can we can paste in our shortened URL and it brings us back over here so it still gives us the IP address up here but the link that they're going to click on is going to be this one right here so if you send this to them in an email short URL it's still going to look kind of fishy so what you'd want to do is create an account it's going to have to be a paid account and you would spoof google.