OWA is vulnerable to Phishing

IRJ

I am doing some Social Engineering testing. I was able to create a phishing site to pharm credentials from OWA site pretty easily. I want to send out a phishing email to employees using the cloned site. I think they will easily fall for it.

Seems way too easy. Is anyone using MFA for OWA?

Also I am thinking about creating a blog entry on how to do phishing and credential harvesting to help increase security awareness.

Deleted74295

How is OWA vulnerable to Phishing any more than google.com, amazon.com or MYBANK.com

Come on don't be shy, show us what you have done

IRJ

@Breffni-Potter said in OWA is vulnerable to Phishing:

How is OWA vulnerable to Phishing any more than google.com, amazon.com or MYBANK.com

Come on don't be shy, show us what you have done

Great question @Breffni-Potter Let's take a look and see

If I were to clone Google or this banking website, I could only steal usersnames. I wouldn't have a chance to steal passwords.

Now if we look at Facebook or OWA. I could steal full credentials.

stacksofplates

I just had a scary thought. Using this idea http://fakeupdate.net/ you could make a fake windows login page and do full screen on users who don't lock their computer when they leave for short amounts of time

Deleted74295

Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?

Same again for the banking website.

IRJ

@Breffni-Potter said in OWA is vulnerable to Phishing:

Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?

Same again for the banking website.

It's not easy to clone, because the URL is the same for Google and Online banking. Also Online banking shows an image to confirm your identity and google shows a username on the next page.

Is it possible? I am sure it is. Is it easy? no

Deleted74295

@IRJ said in OWA is vulnerable to Phishing:

@Breffni-Potter said in OWA is vulnerable to Phishing:

Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?

Same again for the banking website.

It's not easy to clone, because the URL is the same for Google and Online banking. Also Online banking shows an image to confirm your identity and google shows a username on the next page.

Is it possible? I am sure it is. Is it easy? no

Yeah but what if the username is just the email address you typed in something that I know most users would overlook, as for URL checking, not sure about that.

Space Coast Credit Union? If those guys show an image of you that's fine but I know of at least 4 banks in the UK won't do that, I think that's fairly rare.

IRJ

@Breffni-Potter I will post on my blog how I did it and you will see why cloning Google or Online banking is much more difficult.

Like I said, I am sure there is a way to do it if you had to use that as your attack vector. I am going to guess chances are if you steal facebook credentials with a gmail username that the password is probably the same for google for most users.

IRJ

@Breffni-Potter said in OWA is vulnerable to Phishing:

@IRJ said in OWA is vulnerable to Phishing:

@Breffni-Potter said in OWA is vulnerable to Phishing:

Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?

Same again for the banking website.

It's not easy to clone, because the URL is the same for Google and Online banking. Also Online banking shows an image to confirm your identity and google shows a username on the next page.

Is it possible? I am sure it is. Is it easy? no

Yeah but what if the username is just the email address you typed in something that I know most users would overlook, as for URL checking, not sure about that.

Space Coast Credit Union? If those guys show an image of you that's fine but I know of at least 4 banks in the UK won't do that, I think that's fairly rare.

Space Coast is our competitor. I am not sure if they show an image, but I know our online banking does.

dafyre

You could also spin up a GoPhish server... https://getgophish.com/ (I haven't tried this yet, but it's in my list of things to check).

IRJ

@dafyre said in OWA is vulnerable to Phishing:

You could also spin up a GoPhish server... https://getgophish.com/ (I haven't tried this yet, but it's in my list of things to check).

I gotta try that one.

IRJ

Most of the time having good locks on your doors and windows in your house will keep most bad guys out. Most hackers are the same way and go after easy prey. If a bad guy is specifically scoping out your house and targeting it, then you have more to worry about. The same thing with IT security.

dafyre

@IRJ said in OWA is vulnerable to Phishing:

Most of the time having good locks on your doors and windows in your house will keep most bad guys out. Most hackers are the same way and go after easy prey. If a bad guy is specifically scoping out your house and targeting it, then you have more to worry about. The same thing with IT security.

Nothing wrong with making sure that your locks work well... and fixing the ones that don't. 8-)

IRJ

@dafyre said in OWA is vulnerable to Phishing:

@IRJ said in OWA is vulnerable to Phishing:

Most of the time having good locks on your doors and windows in your house will keep most bad guys out. Most hackers are the same way and go after easy prey. If a bad guy is specifically scoping out your house and targeting it, then you have more to worry about. The same thing with IT security.

Nothing wrong with making sure that your locks work well... and fixing the ones that don't. 8-)

Exactly. My job has become hacking

stacksofplates

@IRJ said in OWA is vulnerable to Phishing:

@Breffni-Potter said in OWA is vulnerable to Phishing:

@IRJ said in OWA is vulnerable to Phishing:

@Breffni-Potter said in OWA is vulnerable to Phishing:

Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?

Same again for the banking website.

It's not easy to clone, because the URL is the same for Google and Online banking. Also Online banking shows an image to confirm your identity and google shows a username on the next page.

Is it possible? I am sure it is. Is it easy? no

Yeah but what if the username is just the email address you typed in something that I know most users would overlook, as for URL checking, not sure about that.

Space Coast Credit Union? If those guys show an image of you that's fine but I know of at least 4 banks in the UK won't do that, I think that's fairly rare.

Space Coast is our competitor. I am not sure if they show an image, but I know our online banking does.

I forgot you live down there. My wife's aunt works for Florida Community Bank.

DustinB3403

This topic blew up.

Wow.

IRJ

I threw this together really quick. There may be typos, etc. I gotta go run some quick errands.

joelradon.com/phishing-test-employees/

Jstear

I've been doing similar using SPToolkit. When the user clicks on the login/submit/go button it logs their email address and IP, sends them to a webpage that has training on it and explains what they just did and why it is bad, and finally they have to acknowledge that they read the page. I get a report with all of that within the hour. Works great.

momurda

Quick question; How would you go about getting your phishing page to OWA users at a company you were targeting? send them an email with a subject like 'click here to login to your company webmail"? with a link to the fake owa site? They would already have their email open. I suppose it could happen that way, these are users we're talking about.
In the Eternal War on Spam/Malware, what can be done?

Jstear

@momurda said in OWA is vulnerable to Phishing:

Quick question; How would you go about getting your phishing page to OWA users at a company you were targeting? send them an email with a subject like 'click here to login to your company webmail"? with a link to the fake owa site? They would already have their email open. I suppose it could happen that way, these are users we're talking about.
In the Eternal War on Spam/Malware, what can be done?

I've told users they have to change their webmail password. If they fail I explain to them they don't have a special login for webmail and they will get an official email, not a generic change you password one.