Republic of the Philippines
CEBU TECHNOLOGICAL UNIVERSITY
DAANBANTAYAN CAMPUS
Agujo, Daanbantayan, Cebu, Philippines
Website: http://www.ctu.edu.ph E-mail:
[email protected] Phone: +6332 437 8526 loc.102/316 1905
Group 3: BSIT – 3B
April 11, 2025
Deonan Leo Baslan
Niña Carla Velarde
Kimberly Conde
Stephanie Tumabini
Junel Baring
Mark Vincent Pabillon
Jayson Ortega
Maridel Hijapon
Joshrael Yaun
Simulated Phishing Attack
Step 1: Using Kali Linux operating system
Step 2: Tool used: SET (Social Engineering Toolkit)
Step 3: After running SET, we picked no.1 Social Engineering Attacks
Step 4: Then next we picked no.2
Step 5: We chose no.3
Step 6: Next, we cloned the website we would use, which is our CTU portal.
Step 7: We hosted the cloned website using Apache.
Step 8: We made a template for the email.
Step 9: We chose the email attack specifying only one target.
Step 10: We chose the email template we made.
Step 11: We specified our target’s email, then used our dummy email.
Step 12: We changed the From name to make it look more legitimate.
Result:
The gathered info:
Reflection
In today’s increasingly digital world, the threat of phishing attacks
continues to rise, targeting individuals and organizations with deceptive
tactics designed to steal sensitive information. As part of a cybersecurity
learning exercise, our group conducted a simulated phishing attack using Kali
Linux and the Social Engineering Toolkit (SET). The goal of this activity was to
understand how phishing attacks are structured and to reflect on the
psychological and technical methods attackers use to harvest credentials.
Additionally, it provided us with an opportunity to evaluate ethical
considerations and explore strategies to protect against such attacks in
real-world scenarios.
The simulation began with the use of Kali Linux, a popular operating
system for penetration testing. We launched the Social Engineering Toolkit
and selected the “Website Attack Vectors” option, eventually choosing to
clone a legitimate website—in our case, the CTU portal. This cloned site was
then hosted using Apache, making it accessible through a local server. To
lure a target into visiting the site, we created a convincing phishing email
using an email attack module. This email was carefully designed to look
official, and we modified the sender’s name to enhance its legitimacy. Once
the email was sent, the unsuspecting target was led to the fake portal. If
they entered their credentials, those details were captured and stored on our
server.
This simulation highlighted how easily an attacker could harvest
credentials by exploiting trust and familiarity. The phishing message relied on
psychological tactics such as urgency, authority, and legitimacy. For
example, an attacker might impersonate an administrative figure and issue
warnings about account deactivation to create a sense of panic. These
tactics pressure users into acting without thinking critically, increasing the
chances of success for the attack. However, there are signs that can help
users identify a phishing attempt. In our case, a careful user might notice
that the URL of the login page was slightly different from the official CTU
portal. Additionally, the absence of a secure HTTPS connection and potential
spelling or formatting errors could have served as red flags. Encouraging
users to remain vigilant about these details is crucial in preventing such
attacks.
To prevent phishing attacks in the real world, a combination of
technical and human-centric approaches must be applied. Organizations
should implement email filtering tools, secure login mechanisms like
multi-factor authentication (MFA), and conduct regular employee training.
Educating users on how to recognize suspicious emails, hover over links to
check their true destination, and report any anomalies is essential in building
a security-aware culture. Real-world phishing attacks on social media
platforms are all too common. For instance, attackers have used fake
cryptocurrency giveaways on Twitter or impersonated friends on Facebook
and Instagram to solicit financial help or credentials. These incidents
demonstrate how social engineering thrives in environments where people
let their guard down due to perceived familiarity.
Fortunately, there are tools available to detect and combat phishing.
Email security solutions such as Proofpoint, and browser extensions like
Netcraft or McAfee WebAdvisor, can help flag suspicious links. Additionally,
tools like VirusTotal can scan URLs before users click them. Technical
safeguards like SPF, DKIM, and DMARC help validate legitimate email senders
and reduce spoofing.
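
The red flags named in this reflection (a From name that does not match the sending domain, failed SPF/DKIM/DMARC verdicts, a login link without HTTPS, and a URL that only resembles the official portal) can be checked automatically on the receiving side. The following is an added example, not part of the original report; the sample message, the `mail.example` and `ctu-edu.example` hosts, and the "ctuedu" lookalike heuristic are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "ctu.edu.ph"  # official site domain from the report's letterhead
BRAND = "ctuedu"                # assumed heuristic: brand text with separators removed

# Constructed sample message (not captured from the exercise).
SAMPLE = """\
From: "CTU Registrar" <dummy.sender@mail.example>
To: student@example.org
Subject: Account deactivation notice
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail.example;
 dkim=none; dmarc=fail header.from=mail.example
Content-Type: text/plain

Your account will be deactivated. Log in at http://portal.ctu-edu.example/login
"""

def is_official(host):
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def red_flags(raw):
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    # Display name claims the institution but the address is on another domain.
    if "ctu" in name.lower() and not is_official(sender_host):
        flags.append("display-name-mismatch")
    # SPF/DKIM/DMARC verdicts recorded by the receiving mail server.
    results = " ".join(msg.get_all("Authentication-Results", []))
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results.lower()):
        if verdict != "pass":
            flags.append(f"{mech}-{verdict}")
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            flags.append("no-https")
        if not is_official(host):
            # A foreign host that still spells out the brand is a lookalike.
            squashed = re.sub(r"[^a-z0-9]", "", host)
            flags.append("lookalike-domain" if BRAND in squashed else "external-link")
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```
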
User education remains one of the most powerful tools in the fight
against phishing. Through regular training, simulations, and awareness
campaigns, users can develop the critical thinking needed to question emails
that seem too urgent or too good to be true. They should also be taught to
look out for suspicious login pages, generic greetings, and unexpected
requests for personal information.
Lastly, it is important to acknowledge the ethical and legal boundaries
of such simulations. While our activity was conducted in a controlled
environment for educational purposes, deploying such a phishing simulation
in the wild without consent could lead to serious legal consequences. Under
the Cybercrime Prevention Act of 2012 in the Philippines, unauthorized
access and identity theft are punishable offenses. Individuals involved could
face fines, imprisonment, and civil liability.
In conclusion, this simulation provided us with invaluable insights into
the mindset of attackers and the vulnerabilities of end users. It also
underscored the importance of ethics, user awareness, and robust security
practices. As future IT professionals, we must use this knowledge responsibly
to help protect digital communities and uphold the highest standards of
cybersecurity.