This is How Hackers use Phishing Campaigns on Employees

A lot has been said about phishing attacks in the past few days. Phishing has been the most-used hacking method among cybercriminals in the past year, and more often than not hackers have actively targeted a company's employees to breach its network systems and steal information. A survey conducted by Mediapro, a multimedia communications group, reveals that 88% of employees lack the awareness to stop security incidents. The importance of training employees and creating awareness has not been stressed enough.

To that end, a 20 billion Euro organization asked Cloudoki, an Application Architecture and Development company, to hack its IT operations management and InfoSec team at a meetup. The event took place in Hannover, Germany, where Cloudoki gave a first-hand demonstration of how hackers steal employees' passwords and breach a company's network systems through phishing campaigns. On stage, Cloudoki revealed various phishing methods by hacking the usernames and passwords of attendees, with minimal inside help. All the sensitive data obtained through this campaign was encrypted, so the organization did not have to bear any data loss.


Here is the step-by-step process by which the Cloudoki group successfully hacked the employee accounts:

Step 1: A legitimate-looking domain name was bought to send emails and create a fake website. The fake site was designed to look trustworthy and easily grab people's attention. This took the "hacker group" barely 7 minutes and cost around 10 dollars.

Step 2: A VPN was set up from Germany (where the experiment was taking place) to host the website, so as not to alarm the firewalls and triggers.

Step 3: With a little inside help, a page was built that resembled the company's login page. The hackers received screenshots of the login page and rebuilt it as closely as they could.

Step 4: Next, an email containing links to the fake websites was sent to a list of employees, "reminding them of a survey they were asked to fill out" and linking to the fake login screen.

Step 5: The survey had blank fields for each employee's username and password. Voila! The hackers now had a list of login credentials. Each time employees tried to log in, they were redirected to a default error page.

The interesting part is that the error message clearly stated that they had fallen victim to a phishing attack. However, very few employees paid attention to it. This simple exercise, which took hardly half a day's work and cost the hacker group very little, helped steal 79% of the employees' passwords. The entire experiment shed light on how vulnerable companies are because of ignorance among employees.

Cyware Publisher
