I Used Phishing To Get My Colleagues’ Passwords. This Is How I Did It.

Written by: sebastian on 4 February 2017

Did you know that 1 out of 3 people opens a phishing email, and if it’s a ‘personal’ phishing mail, the numbers are even higher? The American Democrats, Sony, and users of Gmail have all been victims of phishing. It’s a problem that’s getting bigger, and the success stories of hackers are growing every day. As a designer at UNITiD, I felt the urge to check whether my colleagues were aware of the risks of phishing, by trying to collect their passwords.

What is phishing?

First some basics. Phishing is a method that hackers use to steal personal information, like credit card details or login credentials. The hacker duplicates an existing login page from an online service like Dropbox, Gmail or your bank. This fake website contains code that sends all personal data you submit directly to the hacker. To get you to this fake website, hackers send you a convincing email. In this email, you will be asked to log in to your bank account because ‘the bank’ has discovered an unauthorized transaction.

Setting up the hook for some phishing

Phishing is also a risk for us, a digital design company, because we store a lot of files in the cloud. Besides being an interaction designer, I’m also responsible for our digital security. Instead of giving my colleagues a presentation, I decided to use a different technique to create awareness. I used phishing to make the risk really felt.

Before I started ‘hacking’ I first needed some approval. If you hack your own company, it’s better if someone knows about it before it backfires. Although my intentions were good, it’s important that someone has your back. The colleague I talked to about this project was enthusiastic from the start, so the first step was taken.

3 things I needed to do:

  • Create an email account to send emails
  • Buy a domain for my fake website
  • Think of a tech company I could use for my fake website

The last one was pretty easy. We use Dropbox, and everyone gets an email from Dropbox every once in a while.

Step 1: Setting up the domain

For the domain I decided to go for “dropboxforbusiness.info”. It was still available, and because Dropbox uses the phrase “Dropbox for Business” for their business products, it was an easy choice. After purchasing the domain, I added a certificate for just 11 euros. The certificate showed a green ‘lock’ and “https://” instead of “http://” in the address bar to anyone who visited the website. A lot of security campaigns by governments and banks tell you to watch for the ‘lock’ and ‘https’. But in fact, it only shows that you’re talking to a website privately. It tells you nothing about trustworthiness.

“HTTPS & SSL doesn’t mean “trust this.” It means “this is private.” You may be having a private conversation with Satan.” — Scott Hanselman (@shanselman) April 4, 2012

Step 2: Building the fake website

Next up is a fake website. I could have built one on my own, but it was faster to go to the Dropbox website in my browser, go to File and choose Save As… A ZIP file with the login page was downloaded to my computer. I put all those files on the website “dropboxforbusiness.info” and had my own Dropbox login page. I was actually surprised that I could create a fake website so quickly.

Step 3: Making a script to get the passwords

The fake website now showed the login page of Dropbox, but it didn’t do anything. So with the help of Google, I managed to write 22 lines of code that sends an email with the username and password that were entered on my fake website. After that, it sends the visitor of the fake website on to the real Dropbox site. And if there was still a Dropbox cookie on your computer, you were already logged in to Dropbox, so you wouldn’t notice anything.

Step 4: Emailing my colleagues

The website was ready: time to send out emails to my colleagues. I added a second script to the fake website that sends emails similar to the emails Dropbox sends. Because I didn’t want to get on the phishing radar of Google, I didn’t include the word Dropbox in the email. It would send an email to just 5 people at a time to avoid the spam radar. For the first couple of victims I used the call to action “Someone wants to share a folder with you”.

While hitting the return key to send the emails, it felt pretty awesome to do something bad like this. After a couple of minutes, the first passwords dropped into my mailbox. It was surprising to see how fast I got passwords from people working at a tech company like UNITiD. But I wanted to go a little further. To get more results, I changed the call to action to make it more of an ‘emergency’, so people wouldn’t pay much attention to the email and website. After changing the context of the email to “You deleted 2641 files, is that correct?”, the passwords in my mailbox were absolutely piling up.

Nine passwords within a few hours

With the fake Dropbox email I sent to 38 people, I got 9 passwords, so 26 percent of my colleagues were tricked by this scam. That’s a little below average (30 percent). The first couple of emails, which said “Someone wants to share a folder with you”, went under the radar. With the second batch, with the text “You deleted 2641 files, is that correct?”, some people became suspicious. After a few hours my server was blacklisted. That means that all visitors got the message “Warning, deceptive site” on a bright red background. I can imagine that as a hacker you need just one password, so with nine in my mailbox some real damage could have been done.

Tips to be aware of phishing

It’s very hard to genuinely arm yourself against phishing. If it were easy, Google, Apple and other tech companies would be able to filter it out. But here are some tricks:

  • Keep the number of times you click on buttons and/or links in emails to a bare minimum. Go directly to the website in your browser.
  • Use a password manager. If hackers get one of your passwords, they can’t use it anywhere else. A great example of this is the hack of the Dutch politicians.
  • Don’t rely on just the green lock icon in your address bar. The only thing it tells you is that the channel is private. It says absolutely nothing about who you’re talking to.
  • Enable 2FA (two-factor authentication). It will verify your login attempt with a text message or in a different way.
  • Bonus tip: if the browser plugin of your password manager doesn’t show your login credentials automatically, be extra alert!
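
The lock-icon point from Step 1 and the password-manager bonus tip above come down to the same idea: a certificate and a password manager both check the site's identity, not its trustworthiness, and a manager only offers a saved login when the address matches the site it was saved for. The Python below is an added example, not code from the article or from any real password manager; it assumes a constructed list of saved-login origins and a constructed list of brand names, and it simplifies the "site" of a hostname to its last two labels (real managers use the Public Suffix List). It shows why a valid HTTPS certificate on a lookalike such as dropboxforbusiness.info still produces no autofill, and why a brand name sitting inside an unrelated domain is the thing to be alert for.

```python
from urllib.parse import urlsplit

# Constructed sample data (not from the article): origins for which a
# hypothetical password manager has a stored login, and brand names to watch.
SAVED_LOGIN_ORIGINS = {
    "https://www.dropbox.com",
    "https://accounts.google.com",
}
BRAND_NAMES = {"dropbox", "google", "paypal"}


def registrable_domain(host: str) -> str:
    """Return the 'site' part of a hostname, simplified to the last two labels.

    Assumption for this example: a real password manager consults the Public
    Suffix List so that names like example.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def has_saved_login(url: str) -> bool:
    """Would the password manager offer a saved login on this page?

    Matching is by scheme plus registrable domain, so www.dropbox.com and
    dropbox.com share a login, but dropboxforbusiness.info does not, no matter
    how valid its certificate is.
    """
    visited = urlsplit(url)
    visited_site = registrable_domain(visited.hostname or "")
    for origin in SAVED_LOGIN_ORIGINS:
        saved = urlsplit(origin)
        if (saved.scheme == visited.scheme.lower()
                and registrable_domain(saved.hostname or "") == visited_site):
            return True
    return False


def assess_link(url: str) -> dict:
    """Collect the facts a user should check before typing a password.

    'https' only says the channel is private; 'known_login' and
    'lookalike_brand' are what actually speak to who you are talking to.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    site = registrable_domain(host)
    # A brand name inside an unrelated registrable domain is the classic
    # lookalike pattern; a brand that *is* the registrable domain is fine.
    brand_hits = [b for b in BRAND_NAMES
                  if b in host and not site.startswith(b + ".")]
    return {
        "https": parts.scheme.lower() == "https",
        "host": host,
        "site": site,
        "known_login": has_saved_login(url),
        "lookalike_brand": brand_hits[0] if brand_hits else None,
    }


if __name__ == "__main__":
    # Constructed URLs: the real site and a lookalike of the kind the article used.
    for candidate in ("https://www.dropbox.com/login",
                      "https://dropboxforbusiness.info/login"):
        print(candidate, assess_link(candidate))
```

Run it and the lookalike comes back with `https` true but `known_login` false and `lookalike_brand` set to "dropbox", which is exactly the situation the bonus tip describes: the lock is there, the saved password is not, and that mismatch is the warning sign.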

This article was also posted on Medium.com.