Phishing Tips

If you are looking to phish your own company (with permission), or to perform phishing as part of a security service, there are a lot of resources to help you get started. I've spent some time on this lately learning from others like those at Black Hills Information Security and Zeknox (Phishing Frenzy). Below are a couple of tips I picked up along the way that I feel are important when phishing.

  • Register a convincing domain to use
    • Use a consistent registrar so it is easy to manage the domains. (GoDaddy DNS records update really fast, which is good for phishing.)
  • Actually have a real mailbox behind the sending address (some receiving mail servers verify that the sender address exists before accepting a message, and bounces or replies from targets then land somewhere you can read them)
    • Set up an email server and an email account for the sending address
      • GoDaddy often offers free Office 365 email for a month, so that is one easy way to set up a temporary email server and account. That deal isn't constant, so it isn't always an option.
      • Rackspace offers cheap business email accounts, and you can manage multiple domains from one interface, which is nice. The minimum is 5 accounts for $10/month, but you can add one at a time after that.
  • Set up SPF and DKIM records for the sending domain
    • The SPF record has to list the server that actually sends the mail, and the DKIM public key has to be published under the selector the mail server signs with; a record that does not match the real sending setup fails authentication and gets your mail filtered instead of delivered.
  • Use legit TLS certs for websites
    • Let's Encrypt can be used to generate TLS certs and get your site looking more legit.
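A pre-flight check for the SPF and DKIM step, added here as an example and not code from the original post or from any of the tools it mentions: a minimal SPF evaluator (ip4/ip6/include/all mechanisms, with the RFC 7208 lookup limit) and a DKIM TXT record parser, run against a constructed DNS table so it works offline. The domain names, IP addresses and records in the table are hypothetical; swap in the real TXT records from `dig TXT <domain>` and the IP of your sending server to confirm the records authorize it before the campaign goes out.

```python
"""Offline SPF evaluation and DKIM record parsing over a constructed DNS table."""
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical names and addresses).
DNS_TXT = {
    "phish-example.test": "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.test -all",
    "_spf.mailhost.test": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "_spf.loop.test": "v=spf1 include:_spf.loop.test -all",
    "s1._domainkey.phish-example.test": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, table):
    """Return the SPF TXT record for domain, or None if there is none."""
    rec = table.get(domain.lower())
    if rec is None or not rec.lower().startswith("v=spf1"):
        return None
    return rec


def check_spf(sender_ip, domain, table=DNS_TXT, lookups=None):
    """Evaluate domain's SPF record for sender_ip.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are supported; a, mx, ptr and exists
    need live DNS and are reported as permerror in this offline version.
    """
    if lookups is None:
        lookups = [0]  # shared counter for DNS-querying mechanisms
    ip = ipaddress.ip_address(sender_ip)
    record = lookup_spf(domain, table)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > 10:  # RFC 7208 limit on DNS-querying mechanisms
                return "permerror"
            sub = check_spf(sender_ip, arg, table, lookups)
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"
    return "neutral"  # no mechanism matched and no explicit all


def parse_dkim_txt(record):
    """Parse a DKIM TXT record into a tag dict; raise ValueError if unusable."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        tags[key.strip()] = value.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported version")
    if not tags.get("p"):
        raise ValueError("no public key (p=) in record")
    tags.setdefault("k", "rsa")
    return tags


def preflight(sender_ip, domain, selector, table=DNS_TXT):
    """Summarize whether the sending server is authorized for this domain."""
    spf = check_spf(sender_ip, domain, table)
    dkim_name = "%s._domainkey.%s" % (selector, domain)
    try:
        dkim_ok = "p" in parse_dkim_txt(table[dkim_name])
    except (KeyError, ValueError):
        dkim_ok = False
    return {"spf": spf, "dkim_published": dkim_ok}


if __name__ == "__main__":
    print(preflight("203.0.113.10", "phish-example.test", "s1"))
```

The `include:` chain matters in practice: if the sending provider's published SPF changes, your own record keeps pointing at it, and the evaluator shows whether the server you actually send from still ends in `pass` rather than the `-all` at the end of your record.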

That’s it. Just a couple quick tips.
