Social Engineering

💡 For ideas on obfuscated URLs, see Bypassing URL/Domain/IP Formats

Tools: Social Engineering Toolkit (SET), HTTrack, TeamsPhisher (GitHub)

Phishing

Malicious actors primarily use phishing to obtain credentials for initial network access and to deploy malware for follow-up activities (escalating user privileges, maintaining persistence on compromised systems).

Punycode

URL obfuscation with Punycode: see Look-Alike Domains and Visual Confusion. To make Firefox show the raw Punycode form of an IDN instead of its Unicode rendering, open about:config and set network.IDN_show_punycode = TRUE

Zero-Width Spaces (Z-WASPS) – Phishing emails

Zero-width spaces inserted into a URL can bypass spam filters (or other anti-phishing mechanisms): several zero-width spaces placed inside the malicious URL in a phishing email break the URL pattern so that the filter no longer recognizes it as a link.

Supported by all modern web browsers, zero-width spaces (listed below) are non-printing Unicode characters that are typically used to enable line wrapping inside long words; most applications treat them as a regular space even though they are not visible to the eye.

  • U+200B (Zero-Width Space)
  • U+200C (Zero-Width Non-Joiner)
  • U+200D (Zero-Width Joiner)
  • U+FEFF (Zero-Width No-Break Space)
  • U+FF10 (Full-Width Digit Zero)
Source: The Hacker News

By inserting Zero-Width Spaces (Z-WASPS) into the raw HTML of a URL, hackers can obfuscate a malicious link but render it normally to the recipient.

<!DOCTYPE html>
<html lang="en">
<head>
</head>
<body>
<!-- &#8204; is the HTML entity for U+200C (Zero-Width Non-Joiner): the visible
     link text is unchanged, but the raw href no longer matches a plain URL pattern -->
This is a test <a href="https://malicious&#8204;.site.&#8204;com">Link</a>
</body>
</html>
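Detecting this from the receiving side, as an added example that is not part of the original notes: the Python below unescapes every href in a mail body, reports any character from the list above, and shows the cleaned URL a reviewer or filter should actually evaluate. The sample HTML is constructed for the demonstration.

```python
import html
import re
import unicodedata

# Zero-width / look-alike code points from the list above. U+FF10 is not
# zero-width but is included because the notes list it alongside them.
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
    "\uff10": "FULLWIDTH DIGIT ZERO",
}

# Matches href values in single or double quotes (good enough for mail bodies).
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)


def clean_url(url):
    """Drop zero-width characters and fold full-width digits to ASCII (NFKC)."""
    stripped = "".join(c for c in url if c == "\uff10" or c not in ZERO_WIDTH)
    return unicodedata.normalize("NFKC", stripped)


def scan_hrefs(raw_html):
    """Return (raw_href, cleaned_href, [character names]) for every href whose
    decoded value contains a character from ZERO_WIDTH."""
    findings = []
    for match in HREF_RE.finditer(raw_html):
        raw = match.group(1)
        # Entities such as &#8204; only become real code points after
        # unescaping; a filter that pattern-matches the raw text misses them.
        decoded = html.unescape(raw)
        hits = [ZERO_WIDTH[c] for c in decoded if c in ZERO_WIDTH]
        if hits:
            findings.append((raw, clean_url(decoded), hits))
    return findings


# Constructed sample: the Z-WASP link from the notes, a full-width-zero variant,
# and a benign link that must not be flagged.
SAMPLE_HTML = """<body>
This is a test <a href="https://malicious&#8204;.site.&#8204;com">Link</a>
<a href="https://login&#65296;.example.com/reset">Reset</a>
<a href="https://example.com/docs">Docs</a>
</body>"""

if __name__ == "__main__":
    for raw, cleaned, hits in scan_hrefs(SAMPLE_HTML):
        print(f"raw={raw!r}\n  cleaned={cleaned}\n  hidden={', '.join(hits)}")
```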

Cybersquatting / Domain squatting

Cybersquatting/domain squatting is the practice of registering, trafficking in, or using an Internet domain name, with a bad faith intent to profit from the goodwill of a trademark belonging to someone else.

Domain name warehousing: registrars obtaining control of expired domain names already under their management, with the intent to hold or “warehouse” names for their own use and/or profit.

Squatting Techniques:

Squatting Technique / Description / Example

Typosquatting / URL hijacking
  Description: Intentionally register misspelled variants of target domain names to profit from users’ typing mistakes or to deceive users into believing that they are visiting the correct target domain. Usually names one edit distance from the original domain are registered, as these are the most common and most overlooked mistakes users make.
  Example: whatsalpp [.] com

Combosquatting
  Description: No misspelling, but an arbitrary word (e.g. security, payment, verification) is appended that appears legitimate but that anyone could register.
  Example: netflix-payments [.] com

Doppelganger domain
  Description: Domain spelled identically to a legitimate fully qualified domain name (FQDN) but missing the dot between host/subdomain and domain, to be used for malicious purposes.
  Example: accountmicrosoft [.] com

Homographsquatting
  Description: Domains take advantage of internationalized domain names (IDNs), where Unicode characters are allowed. Attackers usually replace one or more characters in the target domain with visually similar characters from another language. These domains can be perfectly indistinguishable from their targets, as in the case of apple.com, where the English letter “a” (U+0061) was replaced with the Cyrillic letter “а” (U+0430).
  Example: microsofŧ [.] com

Soundsquatting
  Description: Domains take advantage of homophones, i.e., words that sound alike (for example, weather and whether).
  Example: 4ever21 [.] com

Bitsquatting
  Description: Domains have a character that differs in one bit from the corresponding character of the targeted legitimate domain. Bitsquatting can benefit attackers because a hardware error can cause a random bit-flip in memory where domain names are stored temporarily. Thus, even though users type the correct domain, they may still be led to a malicious one.
  Example: micposoft [.] com

Levelsquatting
  Description: Domains that include the targeted brand’s domain name as a subdomain. This attack is especially worrisome for mobile users because the browser’s address bar might not be wide enough to display the entire domain name.
  Example: microsoft [.] com [.] example.com

Social Engineering Attacks

  • Confirm.to – Confirm that someone reads the email. ALWAYS use another email address. Append .confirm.to to the recipients’ e-mail addresses before sending; you will get a receipt if the recipient opens and reads the email.
  • Google “fake email” to spoof email (illegal without approval)

Security Awareness Program

Security Awareness & Phishing Program.

Free security awareness modules (English and French):

Publications & Websites