Phishing remains a classic favorite of attackers. It gives them easy access to victims' accounts simply by tricking them into keying in their credentials, and the setup is also easy to do.
This article features one of the tools we found on GitHub, SocialFish.
Informing users of the danger of phishing has always been a critical task for IT security practitioners. In an enterprise setting, IT security personnel need to raise awareness among all employees on how to spot a phishing attempt, whether in their mailboxes or on the websites they visit, particularly social media.
SocialFish shows how easy it is for cybercriminals to create dummy pages that pose as legitimate websites. For some, spotting the telltale signs of a fake website may be easy, but what if the attackers are creative enough to lure you into entering your account information without you realizing that you have already taken the bait?
Such is the case in one of SocialFish's phishing simulations, in which you create a seemingly innocent page, such as a survey or poll site, to gather information that may seem insignificant at first. Later, once you have established that trust with your victims, you can have them sign up using their social media accounts.
SocialFish has templates for seven popular sites, namely Facebook, Google, LinkedIn, Twitter, Stack Overflow, WordPress and even GitHub. The tool can generate the traditional signup or login pages for these sites. But what I want to focus on is the feature called 'advanced login'. Cybercriminals can be creative enough to use this technique for more sophisticated attacks.
For this article, we tested SocialFish in a Kali Linux environment. It worked well: it generated the fake poll template, and once you finish filling out the form, you are asked to connect your answers to your Facebook account. This is the dangerous part, and the part the attackers are waiting for on the back end. Note that a genuine "Log in with Facebook" flow redirects you to facebook.com and never asks for your Facebook password on the poll site itself; the cloned page does exactly that. As soon as you hand over your credentials, the attackers are free to do whatever they want with your account.
To discourage malicious use, SocialFish includes a prompt at startup, before the tool runs, in which users must accept that it is to be used for educational purposes only.
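The property a cloned page like this cannot hide is where the password goes: the form that collects it submits to the phishing host rather than to the brand's own domain. The following Python script is an added example written for this article, not code from SocialFish; it parses a page's forms with the standard library and flags any password form on a page that names a brand but posts outside that brand's domain, or posts over plain HTTP. The allow-list of brand domains and the two HTML pages are constructed for illustration.

```python
"""Audit a page for a brand-impersonating login form.

Added example for this article; it is not part of SocialFish. It flags the
property a cloned "Log in with Facebook" page cannot hide: the form that
collects the password submits it to the phishing host, not to facebook.com.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed allow-list (hypothetical, not exhaustive): brand keyword ->
# domains whose real login forms may legitimately receive that brand's password.
LEGIT_LOGIN_DOMAINS = {
    "facebook": {"facebook.com"},
    "google": {"google.com"},
    "linkedin": {"linkedin.com"},
    "twitter": {"twitter.com"},
    "stack overflow": {"stackoverflow.com"},
    "wordpress": {"wordpress.com"},
    "github": {"github.com"},
}


class LoginFormParser(HTMLParser):
    """Collect every <form>, its action, and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.text = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

    def handle_data(self, data):
        self.text.append(data)


def host_in(host, domains):
    """True if host is one of the domains or a subdomain of one (not a lookalike prefix)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_login_page(page_url, html):
    """Return a list of findings; an empty list means no impersonation detected."""
    parser = LoginFormParser()
    parser.feed(html)
    page_text = " ".join(parser.text).lower()
    claimed = [b for b in LEGIT_LOGIN_DOMAINS if b in page_text]
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue  # OAuth-style "Continue with X" buttons carry no password field
        # A relative action resolves to the page's own host, which is exactly
        # how a SocialFish-style clone keeps the credentials for itself.
        target = urlparse(urljoin(page_url, form["action"]))
        host = target.hostname or ""
        for brand in claimed:
            if not host_in(host, LEGIT_LOGIN_DOMAINS[brand]):
                findings.append(f"page mentions {brand} but posts password to {host}")
        if target.scheme != "https":
            findings.append(f"password form submits over {target.scheme} to {target.geturl()}")
    return findings


# Constructed samples: a poll page that asks for a Facebook password on its own
# host, and a page shaped like a genuine brand login on the brand's own domain.
FAKE_POLL_HTML = """<html><head><title>Quick poll</title></head><body>
<h2>Thanks! Connect your answers to Facebook to see the results</h2>
<form action="/login" method="post">
  <input name="email" type="text"><input name="pass" type="password">
  <button>Log In</button></form></body></html>"""

GENUINE_LOGIN_HTML = """<html><head><title>Log in to Facebook</title></head><body>
<form action="/login/device-based/regular/login/" method="post">
  <input name="email" type="text"><input name="pass" type="password">
  <button>Log In</button></form></body></html>"""

if __name__ == "__main__":
    for url, html in [("http://poll-example.test/survey", FAKE_POLL_HTML),
                      ("https://www.facebook.com/", GENUINE_LOGIN_HTML)]:
        print(url, "->", audit_login_page(url, html) or "no findings")
```

The check is deliberately narrow: it only looks at forms that contain a password field, because a legitimate third-party "Continue with Facebook" button never collects the Facebook password on the third-party page at all. A clone that submits credentials with JavaScript instead of a form action would need the same comparison applied to the outgoing request's host, which is what browser network tools or a proxy show you.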