Social engineering is a powerful approach for gaining system access. The number of phishing attacks (and successful ones at that) continues to increase, so it is vital for employees to be tested and trained to recognize these types of attacks. The Password Reset Phishing (PRP) framework helps testers perform phishing campaigns and audit vulnerability to password reset attacks. If a victim provides the low-risk and seemingly innocent information PRP requires, their accounts may be compromised on most websites (including those of major companies, e.g. Facebook, Amazon, Google). All the victim needs to do is fill out a “survey” or “registration form” that PRP generates, which may then lead to a multitude of new attack vectors.
PRP campaign overview
PRP utilizes the password reset man-in-the-middle (PRMITM) attack. The victim registers on an attacker-owned website, but the registration information is used to reset the victim's account. A tester decides which of a victim's accounts to compromise. They then manually reset their own account on the respective websites while PRP records the process. PRP is then configured to replicate the attack using the recording. The tester decides what questions to ask the victims and matches their answers to the reset process. PRP then serves a website that performs the password reset while appearing only as a sort of registration form. As the user answers questions, PRP uses their information to reset their password. Any challenge questions asked by the account reset process are forwarded to the user to “answer,” though they think it is for registration.
PRP victim details
Defeats multi-factor authentication
Most authentication challenges (such as CAPTCHA or security questions) that are presented during the reset process can be forwarded to the victim to solve under the assumption that they are part of registration. In PRP, each question asked of the user falls under one of the following categories: email, phone number, SMS, generic question, picture, or CAPTCHA. These questions are then associated with web browser actions that execute the reset process automatically once the questions are answered. This configuration is called PRP Recovery Steps.
PRP Recovery Steps
Requires minimal technical knowledge
PRP is easy to use with many websites. Useful prior experience includes knowing the theory of a PRMITM attack, knowing how to use Selenium, and understanding DOM elements.
Requires low-risk information for successful attack
Some people think they are safe if they do not give out sensitive information such as passwords. PRP may be successful with as little as a phone number and a confirmation SMS code.
PRP configuration may be shared between users. This includes PRP websites, bait appearance, and password reconnaissance.
Aids in reporting
Any input into PRP is recorded. By utilizing GoPhish, PRP can report when an email is sent, when it is opened, and when the link is clicked. PRP may also email victims in batches and export any input they provided.