• by Ray Schultz , Columnist, January 5, 2018

Tired of the work that goes into being a legitimate email marketer? Phishing is easy and fun, judging by a new report from the threat research lab Comodo.
We’re sure Comodo didn’t intend to offer a step-by-step guide on how to phish. But in essence, that is what we have here.

“You can buy phishing attacks online,” Comodo observes. “Phishing attacks are easily created and spread rapidly.”

Ready for your first lesson in phishing for fun and profit? Follow the example of an imaginary top-level hacker named Joanne.

Joanne begins by researching the target company — its C-level executives, its employees and its press releases, among other things. The objective: To create “plausible phishing emails,” Comodo writes.

If she needs it, she can dig out more hidden information using “Google dorks — special commands that help to extract data from a site,” Comodo continues.

Next, Joanne deploys Harvester software to scan public sources and gather “emails, subdomains, hosts, employee names, open ports and banners,” Comodo continues.

From there, she uses Maltego to “uncover the mail servers of the target company and messaging details such as linked email addresses,” it adds.

Joanne now registers a domain name similar to that of a popular website. That done, she simply copies the site she wants to use as bait. For this, she can use the Social-Engineer Toolkit or the HTT Track website copier.

She then breaks into an unprotected server, and works from there to “cover her tracks in cyberspace,” Comodo goes on.

Now it’s time to launch. Joanne fields a phishing email, adding some socially engineered tasks and attaches the link to her fake site. Her victims “do all the work by clicking on the link and giving away their credentials,” Comodo notes.

Of course, it doesn’t stop there. Ransomware is installed, creating untold damage. And the poor victim is none the wiser. 

We’re not saying you should attempt this — nor is Comodo.

But it shows how simple it is for an evildoer like Joanne, using attackware as a service from a Malware Depot.