Using Blackeye to Deploy False Login Pages for Phishing Attacks

By Aaron Blondale

Background:

Phishing is one of the most common cyber attacks today. Most people with an email will occasionally receive phishing emails which range from common social engineering attacks to attachments with malware embedded. In this paper, I will be covering the tool blackeye that focuses on spear phishing attacks. (specifically, credential harvesting) Spear phishing is the same concept as phishing for the most part, with the main difference being that it targets a specific individual. Credential harvesting is a type of cyber attack to obtain someone’s credentials. In fact, almost half of all phishing attacks are considered credential harvesting.

What is Blackeye:

Blackeye is an open-source pen-testing tool intended for simulating credential harvesting phishing attacks. The goal is to show how easily this type of attack can be done by someone with little to no technical experience as well as make others more aware of this type of attack. Once installed the blackeye tool allows a user to easily create and launch a fake login page based on one of its many templates. Once the fake website is running, it returns a URL to the website. When the URL is accessed through any browser, the site captures the victim’s IP address and user agent. If the victim enters their login information, then it captures that as well. The site then relays the captured info back to the attacker.

How to Use:

To begin, you will need a machine running any recent Linux distribution. Next, clone the repository https://github.com/Git-Ankitraj/blackeye-im. Once cloned, be sure to run the command “chmod +x ./blackeye.sh” to allow execution of the tool. Once the tool is executed you will see the screenshot below. This screenshot shows all of the website template options the attacker has when running the tool.

Once you decide which website template to go with you can enter the corresponding number and hit enter. The tool will then start launching the website and once it is up and running, it will return a URL and listen for incoming connections. The attacker will then craft a phishing email (or text) in such a way that the victim is likely to click on the link. Once the victim does click on the link, the victim’s IP address and user-agent are immediately sent to the attacker. This is shown in the screenshot below.

The tool then waits for the victim to enter their login information on the fake site. If the victim does enter their information, then the fake site relays the login info to the attacker, then redirects the victim to the actual version of the fake website. The screenshot below shows the example output of the program if the victim does enter their credentials. In this case, the victim’s username and password were “test”. As you can see, the credentials are also saved in a text document.

How it works:

Blackeye has 39 templates for hosting a fake website. These templates span many of the most popular services on the internet such as social media, banking, etc. Each template contains everything needed to host the fake website. This includes the necessary HTML files as well as scripts to run on the hosted site. The screenshots below show the scripts that grab the victim’s IP address, user agent, and credentials (in this case the scripts are for the fake Snapchat website template).

The fake website is hosted through the service ngrok. Ngrok allows a user to easily expose a web server running on a local machine, to the internet. This is the main reason why this tool is easy for anyone to use. You can run it from any network with an internet connection and do not need a public-facing IP address. Additionally, it does not require you to register a domain name. In the case of pen testing, this works great, but if this was used for a real phishing campaign, then it can be assumed that ngrok would flag the traffic and take down the fake website. Below are some examples of the fake webpages and their real counterparts. (fake on top, real on bottom)

From the first look, the fake sites look very similar to the real version with few subtle differences. If I did not know which was which based on the URL, then I  would have a hard time deciding which is the real one. Additionally, If the victim clicked on the link (which looks very sketchy), then they will most likely enter their actual credentials with no hesitation.

Ways to Improve:

As mentioned earlier, the links generated by this tool look extremely sketchy. Especially if the attacker is trying to impersonate a well-known site. There are some techniques to hide this flaw. The first and most obvious being embedding the actual link in a hyperlink in the email. An example of this is shown below.

When it comes to phishing text, there is no option to hyperlink. The solution here is to obfuscate the URL using a URL shortener. This is actually very common when getting legitimate texts from different sites since there is a character limit of 160 for text messages and the shortener will help save space for the rest of the message. An example of a URL shortener is shown below.

Before

After

Conclusion:

Phishing email campaigns currently are incredibly prevalent. This is because there is a large population that is unsuspecting and has no clue what phishing emails are or how they work. As shown by blackeye, even clicking on the link will give the attacker some of your info at the very least. This is why it would be ideal for the general public to be better educated on the subject since phishing emails are something that everyone will receive at some point. It is just a matter of identifying and deleting these types of emails. Furthermore, blackeye showed how easy these fake websites can be crafted and hosted. In fact, it can be done in four terminal commands. This means that almost anyone can perform this attack, even with little technical experience. For these reasons, it is important to make others aware of these attacks.

Sources:

https://comtact.co.uk/blog/common-types-of-cyber-attacks-explained/

https://www.uniken.com/problems-credential-harvesting#:~:text=Credential%20Harvesting%20(or%20Account%20Harvesting,%2F%20password%20combinations)%20for%20reuse

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s