How to make my website not dangerous when doing a phishing awareness campaign?

So I have a website that sends phishing emails for employers and I get the results for this campaign (for example how many employees click on the link, etc.).
While testing my website on my personal emails, the website became dangerous.
What should I do?

Disclaimer - I run a phishing simulation service called CanIPhish and I came across this exact same issue when building my phishing websites.
What's happening here is that Google is discovering and analysing your website through both its normal indexing capability and by scanning emails and detonating links.
When Google or its threat intelligence partners discover your website, it's analysing the content and accordingly flagging it as malicious.
To get around this issue, you need to hide the website behind a load-balancer or CDN which can perform conditional routing based on querystring parameters. Within the querystring you need to create a single-use GUID tied to the campaign and target. When the target detonates the link, they're forwarded to the phishing website and the GUID becomes inoperable. This way, when Google or a threat intelligence partner indexes the site or detonates links in an email, they see something completely different to what your actual targets see.
I'm operating my myriad of phishing websites by hosting them on Amazon S3. I'm using CloudFront as the CDN, Lambda@Edge on CloudFront to inspect querystring parameters, and a mixture of DynamoDB and S3 for storing target user details and details on whether a GUID has already been detonated.
To see an example of this - try browsing here and all you'll see is a "Oops you clicked a phishing link" instead of the actual page which is a Google phishing site.

Related

URL marked as malicious site by McAfee

I have recently created a website for my client, but when I try to post it to my Facebook or LinkedIn, I noticed that the web security advisor shows it is a malicious site and gives it a red cross after the link.
I would like to know what is going wrong with this URL? Any solution to fix it up?

Adobe Analytics cross-domain with Experience Cloud ID

I ask your help to better understand if my cross-domain tracking (Adobe Analytics via Experience Cloud ID) is working properly. To me it seems not.
As you see in screenshot 1, my visits might come from Domain A and go, within the same session, to Domain B. We're collecting data, from both domains, to the same AA Report Suite.
The Experience Cloud ID Service is active, in the same way, to both configurations (same mc org id, as you see).
Into Analytics Workspace (screenshot 2) I created a fallout analysis to show how visits move from Domain A to B. The Analysis is based on two segments including visits that in turn include hits for domain A or B.
I expected to see Domain A visits to be distributed also to Domain B, but it seems not. No visits are going there... how could it be?
Am I missing something with the Experience Cloud ID configuration?
Thanks so much
The out-of-the-box setup for Adobe Experience Cloud Visitor ID Service requires the browser to be able to access a third-party call to a subdomain under demdex.net, and then stores a cookie containing the user's identifier under the demdex.net domain. See Adobe's KB for a more detailed description of the process.
If the browser for whatever reason cannot save or read the cookie, then as the visitor goes from site A to site B, the JavaScript library (i.e. Visitor.js) will keep requesting a set of identifiers from demdex.net or, failing to contact demdex.net, generate a set of identifiers locally.

Pro and con of publishing Azure test site before registering domain name

I have been publishing my site to Azure and I've been restricting IP addresses so only people on my list can access the URL, e.g. mysite.azuretestsite.com. But now I want to show people but I don't want to have to ask everyone for their IP address just to give them permission to view it.
The one thing I'm worried about is bots/web scrapers like Google who will pick up my site and then it might end up in their search results or be used for other purposes, which I don't want to happen before I go live.
Should I be worried about having the site live even though I haven't registered the domain name yet? What are the pros and cons here and does it really matter if nobody knows the site URL? I'm more worried about bots, etc.
Normally, crawlers won't know your site mysite.azurewebsites.net exists, unless you have an outbound link, and the landing website happens to turn on analytics.
For that case, there is nothing you can do about it. Otherwise, you have to ask users to sign up before viewing your site.

Is an online store with no SSL secure? The merchant account page has SSL, tho

I'm designing an online store with Wix.
They have a great graphic interface which allows non-developers like me to build a professional-looking online store.
However, since I'm a noob in online security, I have this concern - the Wix webpage doesn't support SSL within their pages. But as soon as the customer clicks check out to begin the paying process, he is redirected away from the Wix site to the merchant account page (like PayPal etc). The merchant does support SSL.
I'm assuming that although the Wix webpage doesn't support SSL, there is no risk involved for the customer since he'll be entering his credit card info etc in the merchant account page. Is this correct? If I'm not clear, here is the Wix explanation for the matter:
Is Wix eCommerce secure?
When a customer makes a purchase on a Wix eCommerce site or a site with a PayPal or the Add to Cart button, the only information added by the customer on the Wix site is the product and any product options. Once a customer clicks Checkout, the customer is redirected away from the Wix site and to your merchant account page. Any personal or payment details that the customer has to enter are therefore not entered on the Wix site but rather on the merchant account site which is secured by the merchant account. For more information about exactly how they encrypt and secure payment information, please contact the relevant merchant account.
I'm also assuming only this risk (from the customer's perspective). Are there more risks involved in the Wix website by not supporting SSL? Maybe hacking the website or something? (from the seller's perspective)
This question might be suitable for serverfault.com instead.
But as it's related to development I'll try to answer it to the best of my ability:
When the connection is not carried over SSL (or any other security measure), the traffic is interceptable and malleable. This means that you cannot trust that the data you are getting is actually from the user, unaltered. Additionally, the user cannot trust that he is in fact talking to your server directly without someone in the middle snooping or altering the data.
Seeing as the payment system is a separate system that does allow for SSL, then you have the most obvious security issue covered. It is then up to you to evaluate whether anything up to that point can be considered sensitive (for example username and password, if the store requires a login).
A good rule of thumb is that "Anything not encrypted is potentially known by anyone. In addition it is also alterable." Say a user wants to place an order, and clicks the appropriate buttons and links to get to the payment system. Now, if a MITM attacker wants to snoop the credit card details, he can intercept the traffic and substitute the buttons and link to trick the user to his own system, made to look like yours, with the only purpose of gathering credit card details. Attacks like this are possible because the average user doesn't know or care about the danger of accepting certificates from untrusted sources, and it is hard to combat unless awareness is raised around the issue. I have seen online shops display a warning before accessing the payment system that the user needs to verify that the certificate actually stems from their server, and that the URL still refers to their webshop.
...But I digress. To sum up: You've got the important part secure. As for the rest, there are some pitfalls, but manageable if handled properly.

Tracking traffic sources across domain redirect

I have a domain AAAA.com which is used for marketing an App. It redirects to a page on another domain: BBBB.com/buy-app.php, where Google Analytics is set up.
How do I, on BBBB.com/buy-app.php, track where the traffic is coming from?
E.g.:
A user clicks on a link to AAAA.com on Facebook, which redirects to BBBB.com/buy-app.php – how do I then know where the user came from?
You're talking about "Tracking Multiple Domains": Google Analytics for Developers: Tracking Multiple Domains
For this same use case, I prefer to use Google Analytics on Steroids: Google Analytics on Steroids: Cross Domain Tracking
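var _gas = _gas || [];  // command queue read by GAS once its script loads
_gas.push(['_setAccount', 'UA-XXXXX-1']);
_gas.push(['_setAllowLinker', true]);  // accept linker data passed in from the other domain
_gas.push(['_setDomainName', 'AAAA.com']);
_gas.push(['_setDomainName', 'BBBB.com']);
_gas.push(['_gasMultiDomain', 'mousedown']);  // tag cross-domain links on mousedown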
* Note: calling _setDomainName multiple times is only supported in _gas and not supported by the default _gaq.
