If you’ve checked out the GainSec Shop (Link HERE) you’ll notice the shirt, “Phishing doesn’t make you leet.” This is something we strongly believe in. It is (sadly) extremely easy to fall for a phish, especially if it is a spear phish.
So today I thought I’d mention a phishing concept that I thought of as I watched a silly YouTube video.
I noticed in this YouTube video that this guy was using a fake email to sign up for a game he bought. This got me thinking.
Pick out a target, such as the CEO of EvilCorp. Okay, we can enumerate his email(s) via OSINT. Great. Now let’s buy a game from a site like g2a: Call of Duty Black Ops 2 for $20. Then let’s buy the domain g2a-support.com and set up an email server (via Google if you’re lazy). Forward the email receipt of the purchase to our target (ceo@evilcorp.com).
Now let us open our game and create an account with the target’s email.
This should send the target at least two emails: one saying thank you for your purchase, which we forwarded after modifying the phone numbers and website to point to our phishing site (a clone of g2a made with the Social Engineering Toolkit (SET Link HERE)), and another saying thank you for registering with Call of Duty.
We can even go further and include an attachment on the first email (the receipt): a Word document with phishery embedded (Phishery Link HERE).
Now if the target has a kid, it is even more believable that maybe they went on their work laptop, etc. However, more than anything, the fact that two different companies sent emails (the one from the gaming company is legit) makes it all look more legit.
From there it is as easy as asking for the last 4 of their social, their address or phone number, or whatever other information you want (on top of the username and password they’ll enter into the phishery Word document).
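As an added example (not from the original post), here is the kind of check a mail gateway or a blue team can run against the two tells in this scenario: the sender domain and the links inside the forwarded receipt point at a lookalike of the brand rather than the brand itself. The brand allow-list and the sample message are constructed for the example and are not real data.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Constructed allow-list (hypothetical): the registered domains each brand really mails from.
LEGIT_DOMAINS = {
    "g2a": {"g2a.com"},
    "callofduty": {"callofduty.com", "activision.com"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Crude registrable-domain extraction: keep the last two labels (fine for .com)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_brand(host: str) -> Optional[str]:
    """Return the brand a host imitates: it embeds the brand token (e.g. g2a-support.com
    contains 'g2a') but is not one of that brand's legitimate domains. None if clean."""
    reg = registered_domain(host)
    if any(reg in legit for legit in LEGIT_DOMAINS.values()):
        return None
    flat = reg.replace("-", "").replace(".", "")  # g2a-support.com -> g2asupportcom
    for brand in LEGIT_DOMAINS:
        if brand in flat:
            return brand
    return None


def analyse(raw: str) -> List[str]:
    """Flag a sender domain or embedded link that imitates a known brand."""
    msg = message_from_string(raw)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    brand = lookalike_brand(sender_host)
    if brand:
        findings.append(f"sender {sender_host} imitates {brand}")
    for url in URL_RE.findall(msg.get_payload()):  # plain, non-multipart body
        host = urlparse(url).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            findings.append(f"link {host} imitates {brand}")
    return findings


# Constructed sample: a forwarded "receipt" whose sender and order link use the lookalike domain.
SAMPLE = """\
From: G2A Support <support@g2a-support.com>
To: ceo@evilcorp.com
Subject: Fwd: Your G2A order receipt

Thanks for your purchase. Manage your order at https://www.g2a-support.com/orders/12345
Questions about the game? Visit https://www.callofduty.com/
"""
```

Run `analyse(SAMPLE)`: the sender and the order link are flagged as imitating g2a, while the genuine callofduty.com link passes.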
Does something like this actually work? YES, I have done multiple phishing campaigns, and honestly, this is way more complex than needed, but I thought why not write it up.
Total Price of the Phish:
- $20 Game
- $10 Digital Ocean Droplet VPS
- $40 Google Email Server
- $10 Domain Purchase
- Total = $80
Possible value of the phish = ???
So let me ask you, would you fall for it?
END TRANSMISSION