Week 6 – Journal Entry – Fake Websites

Phishing is possibly one of the attack vectors that will never go away. It’s low effort, it’s easy, and it works. This is arguably one of the hardest things to defend against. It’s not uncommon for me to hear someone say “my defense is simply not clicking suspicious links”, but the fact is: it still happens.

There is no shortage of fake websites online. Most can be identified very quickly. But some are still convincing enough to trick the technically savvy without further research into their origins. This journal entry was supposed to supply three separate fake websites, but I have two listed. The third is a fake as well, but was created to demonstrate how easy it can be to quickly generate something that is not only convincing, but has the capability to harvest credentials from the victim.

1. A Fake News Site

Initially, I thought it might be a bit harder to simply look for some fake websites. It’s not something I typically go out of my way to look for, but honestly, it did not take long to find the first one for this entry.

I sometimes have a bit of downtime with much of the traveling I do for work, so I sometimes find myself doom scrolling every once-in-a-while. Very recently, as of this writing, there was a rather tragic news story back home being shared by some of the news agencies on social media. Looking at the comments on the post, it didn’t take long to find the site for the first entry.

This might be tricky for someone who is not tech-savvy to identify. After all, it has Fox News in the URL. It has to be legitimate, right? In this case, Fox News is actually the sub-domain of the page hosting this content. The owner of a domain can create any sub-domain they wish. This is just one of the many tricks some malicious actors will attempt in order to trick individuals into believing the website is legitimate.
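As an added example (my own illustration, not code from the journal entry or from any tool it mentions), a small Python checker for the red flags discussed here: a brand name planted in a sub-domain, a lookalike registrable domain, and a login page served over plain http. The brand watch-list, the allow-list entry and the short multi-label suffix list are assumptions for the demo, and every URL it is run against is constructed.

```python
from urllib.parse import urlsplit

# Brand names a fake site might plant in a sub-domain (constructed watch-list).
WATCHED_BRANDS = ("foxnews", "squishmallows", "twitter")

# Registrable domains we accept as genuine for those brands (assumed entries;
# a real deployment would maintain its own allow-list).
KNOWN_GOOD = {"foxnews.com"}

# Tiny stand-in for the Public Suffix List; enough for this demonstration.
MULTI_LABEL_SUFFIXES = ("co.uk", "com.au", "co.jp")


def registrable_domain(host):
    """Return the part of the hostname the registrant actually controls."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # IP literals have no registrable domain; report the whole thing.
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        return host
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def assess_url(url):
    """Return the host, its registrable domain and a list of red-flag findings."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    # Everything left of the registrable domain is attacker-chosen sub-domain.
    sub = host[: -len(reg)].rstrip(".") if host != reg and host.endswith(reg) else ""
    findings = []
    for brand in WATCHED_BRANDS:
        if brand in sub and brand not in reg:
            findings.append(
                f"brand '{brand}' appears only in sub-domain '{sub}'; "
                f"registrable domain is '{reg}'"
            )
        elif brand in reg and reg not in KNOWN_GOOD:
            findings.append(f"lookalike registrable domain '{reg}' for brand '{brand}'")
    if parts.scheme == "http":
        findings.append("plain http: submitted credentials travel unencrypted")
    if parts.username is not None:
        findings.append("userinfo before '@' can disguise the real host")
    return {"host": host, "registrable_domain": reg, "findings": findings}


if __name__ == "__main__":
    # Constructed sample URLs, not the sites from the entry.
    for sample in (
        "https://foxnews.example-news-site.com/story/123",
        "http://squishmallows-official-sale.example/shop",
        "https://www.foxnews.com/politics",
    ):
        result = assess_url(sample)
        print(sample, "->", result["findings"] or ["no red flags"])
```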

Attempting to browse it, for my own curiosity, results in uBlock Origin blocking the page for a “Badware risk”, which it identifies as “programs that have unwanted hidden functionality.”

2. Fake Squishmallow Site

Everyone seems to love Squishmallows. It has become a popular item to collect for both children and adults alike. However, this leads us to the next fake website:

This one, unfortunately, tends to fool a lot of people, and has been doing so for a few months as of this writing. It has its own SSL certificate, and the URL looks convincing enough. Even the page is organized rather professionally. However, this is not the official Squishmallow store page. Everything on this site is uncharacteristically on sale, significantly cheaper than it is usually priced. When doing a quick search about other users’ experiences with the site, it was not long before more red flags were found:

It really goes to show that sometimes, a fake can be very convincing. But, as they say, if it’s too good to be true, then it probably is. I’m unaware of how long this page has been hosted, but even the prices were not enough to make visitors think twice, as it seems this particular page took advantage of the holiday season, leading to a false sense of security with the unusually low prices. For reference, the legitimate page currently looks very similar, minus the steep discounts:

3. Let’s Make Our Own Fake Website

With tools freely available online, it has become simple for a malicious actor to quickly craft a fake website. Instead of trying to locate a third fake website, I’ll instead show how quickly and easily a web page can be created to harvest user accounts and credentials.

The Social-Engineering Toolkit, or SET, is an open-source penetration testing framework designed for social engineering. Designed to generate a variety of custom attack vectors, it allows a user to create and host believable-looking websites quickly.

Once installed and run, attacks can be crafted using a simple menu-driven interface. From here, we can quickly clone a webpage, or pick from a template.

Browsing to the crafted page, it may look legitimate at a quick glance. Aside from the fact that Twitter is no longer called Twitter, the web URL is also a giveaway that this is a fake login page. It is also worth noting there is no SSL certificate associated with this crafted page, self-signed or otherwise (in this instance, I believe it is because I am missing specific packages to deploy SSL certificates in attacks. If utilized, the end user would most likely be prompted with a warning that the page may not be legitimate). However, most modern web browsers will notify the end user that the data provided will be transmitted unencrypted.

Once the victim attempts to log in, the credentials are harvested, as identified in the image.

Week 5 – Journal Entry – Motives for Cyber Offending

This week we have reviewed 7 different motives for committing cybercrime. I have to admit, they seem rather self-explanatory when you hear the individual motives: boredom, entertainment, money, political, recognition, revenge, and multiple reasons. I’m going to rank these from the motives that make the most sense to the least sense. I do want to make a note before I begin: the reading this week that was provided for “boredom”, https://www.theherald.co.za/news/2021-05-31-cyberbullying-and-online-sexual-grooming-of-children-on-the-increase/, did not sound like a direct motive of the perpetrator, but rather the contributing factor that led to an individual being victimized, and I will take this into consideration for my ranking decisions.

Money
This one speaks to me, because admittedly, I like money. I know I have a skill set, and it’s a skill set I enjoy practicing. Why not make money off it? I get to travel all over the world and get paid to perform my role in cyber. The truth is, we all need money. Again, with bug-bounty programs increasing in popularity, this is a perfectly legal motive if performed within the defined scope of the program. We always hear about the groups and actors that manage to (illegally) gain a large amount of money from their exploit-adventures, but those that hack legally should not be forgotten. Some of us partake (legally) to pay our bills and provide for our families. I can’t think of a better reason than that.

Political
I believe this makes the most sense, and it doesn’t surprise me that as time goes on, the number of hacks originating from state actors or hacktivists has grown. The way the world has come to rely on the internet for everyday life has made all of the systems connected to it prime targets for an attack. We have seen everything from sensitive data leaks to simple defacement of websites, all for a variety of reasons ranging from inciting change, demanding transparency, and revealing wrongdoings, to even just simply spreading the hacker’s beliefs. In addition, with more and more of our lives online, it would not surprise me if we see more cyber attacks due to war and conflict between groups and countries, similar to Stuxnet in the early 2000s. As these threats become more relevant, the reason behind them, whether I agree or not with their position, does.

Recognition
This one comes from two separate perspectives. Yes, there are people that will simply attempt to perform a hack for the fame of doing it. However, this is not necessarily the reason I think of. Cybersecurity, for some, has become a difficult field to enter. Finding ways to stand out to potential employers proves to be a challenge for some. Do we talk to them about our homelabs? How about our self-studies and IT-related hobbies? What about the CVE we discovered? Hacking for recognition does not have to be from illegal activities. With the increased popularity of bug-bounty programs and methods of disclosing issues, developing a “resume” of sorts that can showcase one’s own personal accomplishments, and contributions, to the cyber field makes this a perfect way to stand out in the never-ending pool of people trying to enter cyber.

Entertainment
Sometimes people get bored. Sometimes we just need a new challenge. Online hacking labs such as HackTheBox and Offensive Security’s Proving Grounds provide just that, a challenge. I’ll typically boot up a purposely-vulnerable virtual machine to pass the time. For some, when this boredom overlaps with curiosity, it does not surprise me that some individuals might find themselves poking at a system just to see how far they can go. This is not always done with malicious intent. Maybe they’re curious as to how the web app’s back-end might function. Perhaps they can find some lost and forgotten file accidentally being hosted on a publicly facing server. Curiosity is what motivated many of the first hackers. These people were not just hobbyists, but tinkerers. Sometimes we just find joy in discovering something new.

Multiple Reasons
I had to think about where exactly to rank this. How do you rank multiple reasons? Most of the above motives can be driven by positive intentions in combination just as much as individually. I feel like I should rank this higher, but honestly I don’t know where, or exactly why. Entertainment and money? Sure, I’d love to have fun and make money! Recognition and entertainment? I’d love to research something I enjoy and get recognized for it. But then I think of instances being motivated by money and those below, and they boggle my mind. I understand we all want money, for example, but making money on a cyber crime like revenge porn? Or cyber bullying somebody because you need some entertainment in your life? Trash motivations to fulfill one’s wants. I couldn’t begin to understand the reasoning why someone would go this route.

Revenge
This is where I get to thinking “that’s not really a good reason to do that”. There’s no valid reason to extort anyone online. There’s nothing positive about image-based sexual abuse. Nothing good comes from deliberately harming anyone. I don’t think I can explain it any better than that.

Boredom
This was one that (somewhat) confused me. Boredom? You mean entertainment? The reading, however, discusses the topic of children being groomed online or cyber bullied, so I’m taking this in the context of a “bored” individual becoming a victim due to their activities online. With this said, the only thing I can ask is “why?” Every other reason makes sense (well, except revenge. That’s still a trash reason). Targeting bored children online, and manipulating them to take advantage of them, is just outright terrible. Targeting anyone online simply because they are an easy victim just doesn’t make sense to me.

Article Review #1 – Artificial Intelligence and Cybercrime

Introduction

In the academic article Investigating the Intersection of AI and Cybercrime: Risks, Trends, and Countermeasures, the authors explore the relationship between artificial intelligence and cybercrime. With the increasing popularity of artificial intelligence due to both its ease of access and use, it has shown itself to be advantageous in increasing efficiency and productivity. However, artificial intelligence’s increased ease of access has also led to its increased use in cybercrime.

Research Questions

The article aims to address a variety of research questions. Information involving the malicious use of artificial intelligence is examined along with the role of the media in the spread of AI-facilitated cybercrime. In addition, the article explores the possible ways an individual’s online practices can reduce the risk related to the threats posed by artificial intelligence.

Relations in Social Science

Throughout the article, it is evident that a variety of social science disciplines are utilized to form a conclusion. For example, beyond the criminology in relation to cybercrime, the Cyber Routine Activities Theory (Cyber RAT) “sheds light on lifestyle factors that contribute to potential victimization in computer crimes” (Shetty et al.). Using Cyber RAT, the everyday behavior and routines of an individual are examined to determine whether they elevate the risk of cybercrime victimization, blending both the study of sociology and psychology.

Research Methods

Data was collected by both traditional and cyberspace field studies. The authors were able to collect actual prompts used with various artificial intelligence tools such as ChatGPT, in addition to examining multiple online forums which exchanged AI-generated prompts aimed at malicious use. This aided the authors in gathering information on the sociological aspect by directly examining the communications and prompts used on various forums. Experts in cybercrime, cybersecurity, and criminal justice were also interviewed. Both open-ended and more structured questions were asked with the goal of gathering information relevant to the study.

Data and analysis

102 chat prompts were collected from ChatGPT and similar tools. From these prompts, it was shown the AI tools “were employed for a range of malicious activities, such as creating malware, ransomware, phishing schemes, and jailbreaking techniques” (Shetty et al.). Furthermore, it was observed that the number of users on the online forums ranged from 4,430 to 4,600,000 individuals, showing that the “user engagement highlights the potential reach and impact of AI-generated prompts for malicious activities across diverse online communities” (Shetty et al.). The interviews with experts discussed a variety of topics, ranging from how the ways individuals conduct themselves online may contribute to the risk of being victimized by AI-based attacks, to the media’s portrayal of artificial intelligence as threatening to human jobs, to the lack of regulation of artificial intelligence online.

Challenges and Concerns

The article acknowledges the need for a multifaceted approach. For example, in the context of victim precipitation, young children online may experience increased victimization. The authors note “by moving away from a one-size-fits-all model, we can better address the specific cybersecurity needs of different age groups” (Shetty et al.). As an example, the article suggests that interactive educational games can be utilized as a means to provide cybersecurity education for children. Furthermore, the authors suggest televised advertisements to effectively raise awareness among the senior citizen demographic.

Conclusion

In conclusion, while artificial intelligence can be beneficial, this article highlights how it can be used to facilitate cybercrime. By examining how online behavior can increase the risk of victimization, the study employs the Cyber Routine Activities Theory to blend the disciplines of sociology and psychology with cyber criminology, so that solutions can be better geared towards mitigating these risks. The authors note “there is a pressing need for more tailored cybercrime statutes to regulate the dissemination of malicious acts” (Shetty et al.), specifically to address the malicious use of artificial intelligence and related technologies. With the data collected from the research, frameworks, policies, and other changes can be made to better prepare for the use of quickly evolving artificial intelligence as a threat.

Works Cited:
Shetty, Sanaika, et al. “Investigating the Intersection of AI and Cybercrime.” Investigating the Intersection of AI and Cybercrime: Risks, Trends, and Countermeasures, 16 Sept. 2024, https://vc.bridgew.edu/cgi/viewcontent.cgi?article=1187&context=ijcic.

Week 4 – Journal Entry – Maslow’s Hierarchy

I had not heard of Maslow’s Hierarchy until this week. Being a hierarchy of human needs, at a glance it appears to be simple to understand. The hierarchy consists of five tiers, with basic physiological needs at the bottom and the more “self-actualization” needs at the top. With all this said, I’m going to attempt to compare each tier to my life as a traveling cybersecurity analyst to view how fulfilled I am in comparison.

Physiological needs: I think it’s a given that this could be met easily for most people, but it can actually be rather rough to meet when your career can force a nomadic lifestyle. I am always on the move. In fact, I recently joked that I am probably in an airport more than I am actually working. It’s seriously not uncommon for my trip to include 30 hours of non-stop travel, one-way. Sleep becomes a luxury. Even if I’m home or landed at my work area, sleep becomes the hardest thing to have. I sleep when I can. I’ve slept in airline clubs, on the airport floor, and even in empty staterooms on ships or at a desk while I wait for an assessment to complete. I find a way to get my sleep. Food, air, shelter, all the other items to keep me alive at a minimum, are easy in comparison. With that said, I’d say this tier, despite the complications of getting a good night’s rest, is met. I might add, as a joke, I need internet connectivity to survive. Thanks to GoogleFi, I’m good to go here, too.

Safety needs: It’s somewhat funny that, in terms of technology, I’m one of the guys that provides safety to others. As such, I will always seem to have some form of job/financial security. With the ever-continuing evolution of cyber threats, there will never be a shortage of need for those in my field in the foreseeable future. As odd as it may sound, it brings me peace knowing this.

Love and belonging needs: With all the travel I do, it does get difficult managing friendships and relationships. With my previous career choice, professional wrestling, it was a known secret that anyone in the business would essentially put these things on the back-burner. Now here I am, leaving that industry to hopefully spend more time at home without the physical stress to… Traveling all the time (I guess I just can’t leave that portion of my life behind). I meet and interact with so many people, but there are very few I will continue to interact with outside of my work obligations. Thankfully, technology has made this easier. I can video chat with the family. I can message friends back home, or wherever they may be in the world, at any time. Without that technology, I’d probably go crazy if I couldn’t talk to my son, but honestly sometimes being stranded on a tiny tropical island without any contact with the outside world is also a refreshing experience.

Self-esteem: I don’t mean to gloat, but I’m good at my job. I know the systems I’m working on. I know what needs to be done to improve their cybersecurity posture. I also know how to remediate those open issues with minimal impact to the end-users, and to do it as fast as possible without shortcuts. These days, I’m asked, by name, to be the one to pay a vessel a visit to get them up-to-speed. I can’t think of any better boost to one’s self-esteem than knowing that you’re trusted and respected in your craft. I will always attest that my job can be learned, and with time, one can become very proficient and efficient at it, but it is rewarding to get the recognition.

Self-actualization: This would be the one that I feel is not fully met. I know I can do more. I would much rather work in red-teaming/penetration testing. I have my OSCP and OSWP. I even got the Pentest+ just because I was bored. However, I still work on a different facet of cybersecurity. Maybe one day. Admittedly I do enjoy the travel, and I find my current role “easy” because of the familiarity. But I know I can do more, and currently, I’m not.

Week 3 – Journal Entry – Data Breaches

After reviewing the information available on previous data breaches on Privacy Rights, all I can immediately think is “I can’t believe there are data breaches every day?!?” I joke when I say that is proof we in the cyber field have plenty of job security, but it is still rather shocking to see how many have been reported. It is somewhat disheartening to see that a large number of entities did not report how the breach occurred. As a consumer, I want to have the confidence that not only is it understood how the breach occurred, but that the cause has been remediated. From the perspective of someone working in the field, I want to know what happened and how.

It’s unfortunate that breaches happen. Even more so given how apparently common it is (and if I’m not mistaken, the site only provides data for entities in the USA). Each breach is a hard lesson learned. Is more employee training needed for cyber awareness? Do software and web developers require stricter code audits before deployment? Are our company policies in line with the current trends and needs of the cyber world? Do we need to harden our configurations? These are some of the basic questions that need to be addressed afterwards. How did the malicious actor get a foothold, and how can we prevent this from happening again? The study of, and open communication about, any breach or cyber attack only helps everyone as a whole become more aware of the tactics being used. This way, others can ensure mitigation measures are put in place as soon as feasibly possible before a similar attack happens to another entity. More so, with the ability to study previous breaches, frameworks and best practices can also be developed to help guide and assist entities with ensuring their cyber posture is in line with current attack trends, to better harden their infrastructure as much as possible and, hopefully, avoid becoming an unfortunate “teachable moment” for others to learn from.

Week 2 – Journal Entry – Social Sciences in Cybersecurity

When reviewing the principles of science, it becomes easy to notice how this framework intertwines itself with the study of cyber security.

Technology is always changing. With these rapid changes, the way technology influences our lives has changed. The way we interact with one another, and the way technology provides society critical services and infrastructure for our daily lives, have led to the development of new laws and policies to assist with governing our usage. It becomes easy to see relativism at work, as these technological advances and changes have influenced what is considered acceptable, and what is not.

When developing any type of new law or policy, objectivity should be observed so as to prevent biased decisions. Opinions and one’s personal point of view should be avoided when performing research to gain further insight.

Parsimony, or the act of choosing the simplest explanation for one’s observations, should be practiced. Sometimes, one of the first thoughts for many people when it comes to cyber security is that the practice is filled with complicated or technical jargon. When it comes time to explain one’s observations, this needs to be taken into account. The end users, who may not be knowledgeable about how all of the technology they utilize works, need to be able to understand the information being communicated when policies are enforced, for example.

Empiricism must be used when seeking a solution for a problem. Evidence and research should be directly observable. As such, opinions should never be utilized. There should also be ethical neutrality when performing these duties, so as to protect the rights of the individuals being studied.

Lastly, determinism holds that the behavior being observed or researched is a result of, or influenced by, specific events. This is possibly the most “human” element in the framework. Unlike the technical side of cybersecurity, there is no definite one-size-fits-all answer. Individuals can be motivated to perform actions for a variety of reasons, but research can be performed to determine what may have influenced this behavior.

Week 1 – Journal Entry – NICE Framework

Looking over and being able to read more about the NICE Workforce Framework is rather interesting. While it does not necessarily come as a surprise to me that a framework exists, it is, however, the first time I have seen a framework that aims to help standardize the type of roles and duties of those in the cybersecurity field. It even goes to show just how broad the cybersecurity field actually is, with roles varying from management and oversight, all the way down to the help-desk worker that provides technical support to the end user.

Oversight and governance roles, admittedly, are not very attractive to me. I do find it important that there is strong leadership to oversee their respective domains, but I have never considered myself the “management” type. I have always had the preference of getting my hands dirty and working directly with the people and systems when it relates to my work. I strongly prefer to perform, rather than direct others to do the same. I have always felt this has given me better insight into exactly what our customers are experiencing first hand, allowing the possibility to better refine our documentation, policies, and workflow if there happens to be an item requiring improvement on our end.

My current role in cybersecurity fits into three separate categories: Design/Development, Implementation/Operation and Protection/Defense. My current job title is Cybersecurity Analyst, but in the NICE Workforce Framework, the two separate roles that closely define my duties are Systems Testing and Evaluation and Vulnerability Analysis. Some of my main responsibilities include vulnerability assessments and using those assessments to best guide some of our clients to better improve their cybersecurity posture. Or, more commonly, to implement these changes ourselves. Occasionally, I’ll travel to a site and perform a test on all the patches and configuration changes on a live network that we are looking at implementing before a full deployment. This field of work is not my career goal of penetration testing, but it does allow me to get my hands dirty directly with different systems.