Attack vector 1: Phishing Attack

Bank of Uganda issued cybersecurity guidelines for supervised financial institutions (SFIs) that came into effect on 1st July 2024. In preparation for the launch of Summit Consulting Ltd’s Project Frontline 2024, which details the state of cybersecurity in Uganda, we will be publishing, on a daily basis, the common methods and schemes hackers use to gain unauthorised access and compromise your security (the confidentiality, integrity and availability of your data). If you use any digital device to access the Internet, take time to educate yourself.

You will learn how hackers can break into any system and how you could easily become a victim of a cyber hack. We will also share simple steps to take to protect yourself from danger.

One such attack is called phishing, a type of online scam in which criminals use every means available to trick you into giving them your personal information, such as passwords, bank account details, date of birth, or credit card numbers.

Hackers do this by pretending to be someone you trust, like your bank, a well-known company, or even a friend.

A case in point:

One of the most common methods hackers in Kampala use is vishing: using voice phone calls to obtain personal information from their victims. You have probably received that phone call from someone pretending to be a customer care agent, claiming to be calling from your bank or telecom company. They sound professional and tell you there is an issue with your account that needs to be resolved immediately. To fix it, they ask for your account number, PIN, and password. If you are not “awake”, you end up trusting them and provide the information, only to find out later that it was a thief pretending to be your bank in order to steal your money.

Phishing works the same way but happens online through emails, messages, or fake websites.

You are a hacker targeting the employees of a prominent financial institution or any other organization. The goal is to steal login credentials and gain unauthorized access to the bank’s internal systems. This is how you would go about it:

Tools to Be Used

First you need a powerful laptop or computer that is fully set up with virtual machines and all the hacking tools, including:

  1. Email Spoofing Tool. To send emails that appear to come from a trusted source.
  2. Phishing Kit. A pre-packaged set of phishing tools that includes fake login pages, email templates, and more.
  3. SMTP Server. To send bulk phishing emails.
  4. Social Engineering Toolkit (SET). To create convincing social engineering attacks.
  5. Keylogger. To capture keystrokes once the malware is installed.
  6. SSL Certificates. To make the phishing site appear legitimate (optional but adds credibility).

How hackers execute the phishing attack

  1. Research and Reconnaissance.
    • This is the first step. Identify the target and research them. Which financial institution do you wish to attack?
    • Identify the specific financial institution and gather information about its employees, especially those in IT, finance, and management. You want to know their names, emails, interests and hobbies, among other details.
    • Use LinkedIn, company websites, and social media to collect email addresses and details about their roles. The more information you have about the target, the higher your chances of succeeding.
  2. Write the Phishing Email.
    • Create a convincing email that appears to come from the bank’s IT department or a trusted partner. With today’s large language models like ChatGPT, this is now easy for any hacker to do: you can write exactly like the person being impersonated!
    • The email should contain a sense of urgency, such as a security update or account verification requirement.
    • Use an email spoofing tool to make the email appear legitimate. Ensure the email address closely resembles the bank’s official domain. For example, if the bank’s official domain is bankyabato.com; with official emails like g.alex@bankyabato.com; the hacker can easily spoof the emails to appear like g.alex@bankyabata.com.

Sample Email:

Subject: Urgent: Security Update Required

Dear [Employee Name],

As part of our continuous efforts to ensure the security of our systems, we are implementing new security measures. You are required to verify your account details by following the link below.

Failure to do so within the next 24 hours will result in temporary suspension of your account.

[Phishing Link]

Thank you for your cooperation.

Best regards,

IT Department

[Bank Name]

  3. Setting Up the Phishing Website.
    • Use a phishing kit to create a fake login page that closely mimics the bank’s official login portal.
    • Host the phishing site on a domain that looks similar to the bank’s official domain (e.g., bankyabata.com).
    • If possible, obtain an SSL certificate to make the site appear secure (https), so that the link reads https://www.bankyabata.com.
  4. Distributing the Phishing Email.
    • Use the SMTP server to send the phishing email to the targeted employees.
    • Ensure the email is personalized to increase the likelihood of the recipient falling for the scam. The research you did on your targets during the reconnaissance phase comes in handy here.
  5. Capturing Credentials.
    • When employees click on the link and enter their login details, the information is captured by the phishing kit.
    • Optionally, install a keylogger on their devices through a malicious link or attachment in the email to capture additional information.
  6. Exploiting the Stolen Credentials.
    • Use the captured credentials to log in to the bank’s internal systems.
    • Extract sensitive information, transfer funds, or carry out other malicious activities.
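Seen from the receiving side, the two tells in the scheme above are the near-miss sender domain (bankyabata.com standing in for bankyabato.com) and the pressure wording in the message. The following is an added example of the checks a mail gateway or security team can run against such an email; it is not code from the article or from Summit Consulting. It assumes a list of protected domains (here only the article’s bankyabato.com), a constructed message modelled on the sample template, and a hypothetical link to https://www.bankyabata.com/login taken from the domain the article mentions.

```python
"""Gateway-side checks for lookalike sender/link domains and urgency wording.

Added example, not the article's code. bankyabato.com (protected) and
bankyabata.com (lookalike) come from the article; the message is constructed.
"""
import re

# Phrases typical of pressure tactics; two or more raise a flag (heuristic threshold).
URGENCY_PHRASES = (
    "urgent", "immediately", "within the next 24 hours", "suspension",
    "suspended", "verify your account", "security update required",
)

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Normalise a host so www.bankyabata.com compares as bankyabata.com."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def lookalike_of(domain: str, protected: tuple, max_distance: int = 2):
    """Return the protected domain this one imitates, or None.

    An exact match is legitimate; a domain within max_distance edits of a
    protected domain (one swapped letter, one extra character) is flagged.
    """
    domain = registered_domain(domain)
    if domain in protected:
        return None
    for good in protected:
        if levenshtein(domain, good) <= max_distance:
            return good
    return None


def urgency_hits(text: str) -> list:
    """List the pressure phrases present in the text."""
    lowered = text.lower()
    return [p for p in URGENCY_PHRASES if p in lowered]


def assess_email(sender: str, subject: str, body: str, protected: tuple) -> dict:
    """Combine sender-domain, link-domain and wording checks into one verdict."""
    findings = {}
    sender_domain = sender.rsplit("@", 1)[-1]
    imitated = lookalike_of(sender_domain, protected)
    if imitated:
        findings["sender_lookalike"] = (registered_domain(sender_domain), imitated)
    link_hits = []
    for host in URL_RE.findall(body):
        imitated = lookalike_of(host, protected)
        if imitated:
            link_hits.append((registered_domain(host), imitated))
    if link_hits:
        findings["link_lookalikes"] = link_hits
    hits = urgency_hits(subject + " " + body)
    if len(hits) >= 2:
        findings["urgency_phrases"] = hits
    # A lookalike domain alone justifies quarantine; urgency alone only flags.
    if "sender_lookalike" in findings or "link_lookalikes" in findings:
        verdict = "quarantine"
    elif "urgency_phrases" in findings:
        verdict = "flag_for_review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings}


PROTECTED = ("bankyabato.com",)

# Constructed sample modelled on the article's template (not a real message).
SAMPLE_SENDER = "g.alex@bankyabata.com"
SAMPLE_SUBJECT = "Urgent: Security Update Required"
SAMPLE_BODY = (
    "Dear Employee,\n"
    "You are required to verify your account details by following the link below. "
    "Failure to do so within the next 24 hours will result in temporary suspension "
    "of your account.\nhttps://www.bankyabata.com/login\n"
)

if __name__ == "__main__":
    print(assess_email(SAMPLE_SENDER, SAMPLE_SUBJECT, SAMPLE_BODY, PROTECTED))
```

The edit-distance threshold of 2 catches single-character swaps and additions such as the article’s bankyabata.com while leaving unrelated domains alone; in production the protected list would also include partner and vendor domains, and the urgency list would be tuned to the institution’s own vocabulary.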

How to Avoid Detection

  1. Email Crafting.
    • Use language and terminology familiar to the employees.
    • Avoid common phishing triggers like misspellings and generic greetings.
  2. Domain Setup.
    • Use a domain that closely resembles the legitimate one to avoid raising suspicion.
    • Register the domain with privacy protection to hide your identity.
  3. SSL Certificate.
    • Obtain an SSL certificate for the phishing site to make it appear more legitimate and avoid browser warnings.
  4. IP Address Rotation.
    • Use different IP addresses to send the emails to avoid detection by spam filters.
  5. Timing.
    • Send the emails during business hours to increase the likelihood of being opened promptly.
    • Spread out the email distribution to avoid triggering bulk email detection mechanisms.
  6. Monitoring.
    • Regularly monitor the phishing site and captured data.
    • Quickly use stolen credentials before they are detected and revoked.

Mitigation Measures for the Target Organization

  1. Employee Training
    • Conduct regular phishing awareness training for employees.
    • Simulate phishing attacks to test and improve employee responses.
  2. Email Filtering
    • Implement advanced email filtering solutions to detect and block phishing emails.
    • Use DMARC, DKIM, and SPF records to prevent email spoofing.
  3. Multi-Factor Authentication (MFA)
    • Enforce the use of MFA for all sensitive systems and accounts.
    • This adds an extra layer of security even if credentials are compromised.
  4. Incident Response Plan
    • Have a robust incident response plan in place to quickly address phishing attacks.
    • Regularly update and test the plan to ensure its effectiveness.
  5. Monitoring and Detection
    • Use network monitoring tools to detect unusual login attempts and other suspicious activities.
    • Implement behavioral analytics to identify anomalies in user behavior.
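The DMARC, DKIM and SPF records under “Email Filtering” only stop spoofing if they are published with enforcing settings; a record that exists but says `~all` or `p=none` still lets a forged message through. The following added example, which is not code from the article or from Summit Consulting, parses a domain’s three records and reports the weak settings beside the hardened ones. It works on constructed TXT records for the article’s hypothetical bankyabato.com (the `include:mail.example.net` sender and the DKIM key value are placeholders) instead of querying DNS, so it runs offline.

```python
"""Check whether a domain's SPF, DKIM and DMARC records actually prevent spoofing.

Added example, not the article's code. The records below are constructed for
the article's hypothetical bankyabato.com; no DNS lookups are performed.
"""
from typing import List, Optional


def parse_tags(record: str) -> dict:
    """Split 'k=v; k2=v2' style DMARC/DKIM records into a dict (keys lowercased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def spf_all_qualifier(spf: str) -> Optional[str]:
    """Qualifier on the 'all' mechanism: '-' fail, '~' softfail, '?' neutral,
    '+' pass (the default when no qualifier is written); None if absent."""
    for term in spf.split():
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None


def assess_spf(spf: Optional[str]) -> List[str]:
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record; anyone can send as this domain"]
    q = spf_all_qualifier(spf)
    if q is None:
        return ["SPF: no 'all' mechanism; unlisted senders get a neutral result"]
    if q == "+":
        return ["SPF: '+all' authorises every sender on the Internet"]
    if q in "~?":
        return [f"SPF: '{q}all' only softfails/neutral; use '-all'"]
    return []


def assess_dkim(selector_record: Optional[str]) -> List[str]:
    if not selector_record:
        return ["DKIM: no selector record published; outgoing mail is unsigned"]
    tags = parse_tags(selector_record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        return ["DKIM: record version is not DKIM1"]
    if not tags.get("p"):
        return ["DKIM: empty p= tag means the key is revoked"]
    return []


def assess_dmarc(dmarc: Optional[str]) -> List[str]:
    if not dmarc:
        return ["DMARC: no record; receivers will not enforce SPF/DKIM alignment"]
    tags = parse_tags(dmarc)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("DMARC: p=quarantine sends spoofs to junk; p=reject blocks them")
    if tags.get("pct", "100") != "100":
        issues.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        issues.append("DMARC: no rua= address, so spoofing attempts are never reported")
    return issues


def assess_domain(spf: Optional[str], dkim: Optional[str], dmarc: Optional[str]) -> List[str]:
    """All findings for one domain; an empty list means the records are enforcing."""
    return assess_spf(spf) + assess_dkim(dkim) + assess_dmarc(dmarc)


# Constructed records for the hypothetical bankyabato.com: weak vs hardened.
WEAK = {
    "spf": "v=spf1 include:mail.example.net ~all",
    "dkim": None,
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 include:mail.example.net -all",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@bankyabato.com",
}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, assess_domain(recs["spf"], recs["dkim"], recs["dmarc"]) or ["no issues"])
```

In practice the three strings would come from TXT lookups of the domain, of `_dmarc.<domain>` and of `<selector>._domainkey.<domain>`; the point of the check is that the weak set is what many organisations publish first and believe sufficient, while only the hardened set causes a receiver to reject a message from g.alex@bankyabato.com that did not originate from the bank’s mail servers.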


Your online resources are visible to everyone, and anyone can easily hack into you. Now is the time to protect yourself, and basic training is essential to this end.

At your home, for example, if you do not have a perimeter wall, you increase the chances of strangers knocking on your door. Similarly, if you do not invest in online security, you leave your digital door wide open to cybercriminals. As you invest more in strengthening the security of your home with locks, alarms, and surveillance, you should also invest in securing your online presence. This includes using strong passwords, enabling two-factor authentication, keeping your software up-to-date, and being cautious of suspicious emails and links. Just as you wouldn’t leave your front door unlocked, don’t leave your digital life unprotected.
