Few attack methods have gained more attention in recent years than "phishing." An interesting and deeply concerning report published in the second quarter of 2023 by Zscaler ThreatLabZ [1] noted a 47.2% rise in phishing attacks relative to 2022 which, in turn, was massively higher than the number of recorded attacks in 2021.

According to the National Institute Of Standards and Technology (NIST), which is part of the U.S. Department of Commerce, phishing is defined as: "A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person."

And according to Forbes, "Phishing is still one of the preferred methods used by criminal hackers" [2]. More worryingly, the Forbes story notes that "New research shows that up to a half of all HTML email attachments are malicious."

A particularly virulent form of phishing, known as spear-phishing, targets a specific victim for a personalized attack. Hovering over a link to check its authenticity, scrutinizing an email's sender details, and opening attachments only with trepidation are important precautions on today's Internet.

I thought long and hard about writing this article. As a security professional, I advocate giving vendors a fighting chance to fix known vulnerabilities before researchers make them public. And, I am also keen (and strive to) make security knowledge as public as possible. The aim is to help users arm themselves with information to keep their online activities secure. However, phishing tools are particularly powerful and difficult to defend against. The best defense is for everyone on your network to stay alert – don't click on a link unless you are sure you know what it is, and don't be quick to give up personal information on the web.

This article should help you understand how easy and dangerous phishing attacks really are. I'll describe HiddenEye, a tool that could potentially allow even a relatively inexperienced attacker to go phishing. It should go without saying that none of the information contained herein should be used for nefarious purposes. The creators of HiddenEye make it clear that they intend for the tool to be used for testing and education purposes only, but make no mistake: An attacker can do anything a pen tester can do. The techniques implemented in tools like HiddenEye are well known to cybercriminals around the world.

HiddenEye

HiddenEye [3] gives me genuine pause, thanks to its simplicity. The creator of HiddenEye is listed as An0nUD4Y, who also created the phishing tool BlackEye. However, the list of contributors and developers for HiddenEye includes seven names. The code hasn't been updated for three years.

HiddenEye is most commonly used to mimic the login pages of legitimate online services. Figure 1 shows a list of the tunnel options available in HiddenEye, which are a way of automating the publication of the phishing pages that you create.

Figure 1: It's possible to publish to many tunneling services with HiddenEye.

The supported number of operating systems (OSs) is just as impressive as the tunneling options (see the box entitled "HiddenEye Support").

To get HiddenEye up and running, you'll need the PHP language, sudo (which is usually built-in), and Python v3. Navigate to the instructions.md file [4] to learn about installing HiddenEye.

After cloning the repository and entering the directory, you need to install pip, the Python package manager. For Debian derivatives:

$ git clone https://gitlab.com/An0nUD4Y/hiddeneye.git
$ cd hiddeneye/
$ apt install python3-pip

Then pull in the required Python packages using pip, and check whether it is necessary to install the requests module:

$ pip3 install -r requirements.txt
$ pip3 install requests

In my case, these requirements were already met.

Now you're now ready to run HiddenEye. Unfortunately, I got disappointing and mixed results the first time I ran the following command (the software hasn't been updated for three years so I wasn't entirely surprised):

$ ./HiddenEye.py

The initial run crashed, but seeing that the script was checking to see which tunneling options were installed on the system, I noticed it was trying to download Debian .deb package files. I ran it again, and this time I encountered fewer errors. On the second execution I was in luck. The script got as far as asking the following question, to which I replied N:

[?] Do You Want To install LocalTunnel(Y/N):

Then, as seen in Figure 2, I was reminded that the main developer is only providing this tool for educational and testing purposes.

Figure 2: With great power?

Once you agree to use the tool for testing and education only, you will see a long list of web services, relative to other tools, that HiddenEye can mimic (Figure 3).

Figure 3: HiddenEye can mimic a number of popular web services.

Will Robinson

The eagle-eyed among you will spot several nefarious entries in the HiddenEye menu displayed in Figure 3. One thing that jumps out is the word KEYLOGGER at the top. According to a Fortinet site [5]: "A keylogger is a form of malware or hardware that keeps track of and records your keystrokes as you type."

Secondly, at the bottom of Figure 3, you will find a disconcerting option to "Get Victim Location."

If you choose the WordPress option in the menu system, HiddenEye presents a warning about how a keylogger could break tunnel connections, as seen in Figure 4.

Figure 4: Keylogger on or off?

There's also a Cloudflare Protection Fake Page option, which I'll skip. Figure 5 shows that there's even an email option, so you don't have to leave your inbox to receive any data that the tool is managing to harvest.

Figure 5: Can you just email it to me, please?

You are then asked to enter a redirect URL, and, after that, a network port on a separate screen.

Finally, you are asked about which tunneling option you would like to use. After choosing localhost as the tunneling option (to ensure that you won't attract any unsuspecting visitor traffic), you are presented with the screen shown in Figure 6, showing that the tool has now been activated.

Figure 6: HiddenEye is ready to go.

Proof in the Pudding

The terrifying display in Figure 6 states that HiddenEye is listening out for victim information on the URL shown. Due to the way I'm testing HiddenEye, I am going to use SSH forwarding to view the fake, generated web page. I won't go into too many details, but using SSH is an excellent way of getting remote traffic to work locally. The command I'll use is the following (where -p2222 is the remote server's SSH port number):

$ ssh -L 8888:127.0.0.1:8888 chris@remote-machine.tld -p2222

And, low and behold, I can see what is displayed on http://localhost:8888 on my local machine (Figure 7).

Figure 7: It's an authentic WordPress login page and genuinely bad news.

The seemingly innocuous display in Figure 7 is the great reveal. It is a perfectly authentic WordPress login screen that can be published to any URL you wish via multiple tunneling services. An attacker would simply embed the link to the page somewhere that users would expect to log into WordPress, like in an email for example. The possibilities are vast.

The very last bit of the puzzle is to write some dummy data into the username and password fields and see what HiddenEye reveals (Figure 8).

Figure 8: The tool is harvesting information as expected.

In case the information isn't clear in Figure 8, I had entered chris once in the username and once in the password fields. And, as expected HiddenEye is recording the details.

When I exited the tool, it offered an email option to forward all of the data.

Finally, HiddenEye reminds you not to break any laws, as shown in Figure 9. And in all seriousness, use it with great care. I am intentionally not going to demonstrate the vast array of the other web pages that HiddenEye can emulate. I'm sure you get the idea.

Figure 9: A reminder of how much damage this tool can cause.