I was honored to present to students and the public about phishing techniques we use at Pondurance. By request I also demonstrated my PhishAPI tool @ https://github.com/curtbraz/Phishing-API
4. THREAT HUNTING AND RESPONSE | SECURITY CONSULTING
PHISHING
INTRO
» Purpose
• Security Awareness
• NOT for Humiliation
» Phishing vs Spear-Phishing
• KnowBe4, etc.
» Lateral
» Under the Umbrella of Social Engineering
02 | PHISHING VS SPEAR-PHISHING
» Phishing
• Casts a Wide Net
• Not as Effective
  • Lack of personalization / too generic
  • Spam filters
  • Poor grammar
  • 1% of 1,000 is still 10
• Scams and Spams
• Scripted and Automated
» Spear-phishing
• Targeted Attacks
• Mission / Objective Based
• Highly Effective
• Takes Time / Not Easily Automated
BELIEVABILITY
» How to create a convincing email?
• Choose a scenario
• Work from Home
• Employee Gift Card Raffle
• Management Request
• IT Department
• PhishAPI has a reusable repository
• Will be community driven soon
BELIEVABILITY
CAMPAIGN CREATION
» Customized
• TO field instead of BCC
• Match formatting of body and writing style
• Grab an email signature
• Sales Reps
• Customer Support
• Job Application
• Create your own w/ Logo
» Exploit Relationships Between Employees
• HR
• IT
• Hierarchy of Seniority
» Social Tactics
• Scare
• Urgent
• Context
• Calendar Events
• Ticketing Portals / Help Desk
» Spoof the Sender
» If spoofing isn’t an option, create similar domain
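As an added example (not from the talk and not part of the PhishAPI project), a small Python triage helper a mail-security team could run over sender addresses to flag the "similar domain" trick above: it folds common character substitutions, compares edit distance against the organization's own domains, and catches the real domain embedded inside another registrable domain. The trusted domains and sample addresses are constructed placeholders, and the registrable-domain guess uses the last two labels rather than a public-suffix list (an assumption).

```python
"""Flag sender domains that imitate an organization's own domains (constructed example)."""

# Constructed placeholders for the organization's real mail domains.
TRUSTED_DOMAINS = {"example.com", "example-corp.com"}

# Digit-for-letter substitutions commonly used in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(domain: str) -> str:
    """Lowercase, fold homoglyphs, and collapse the 'rn'->'m' and 'vv'->'w' tricks."""
    d = domain.lower().rstrip(".").translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) by the standard row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels as the registrable domain (assumption: no public-suffix list)."""
    labels = domain.split(".")
    return ".".join(labels[-2:])


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for the domain of an email address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in trusted or registrable(domain) in trusted:
        return "trusted"
    norm, reg = normalize(domain), normalize(registrable(domain))
    for t in trusted:
        # Near-miss spellings after folding: examp1e.com, exarnple.com, ex-ample.com
        if levenshtein(reg, normalize(t)) <= max_distance:
            return "lookalike"
        # Real domain reused inside another one: example.com-login.net, mail.example-com.net
        if t in norm or t.replace(".", "-") in norm:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    for addr in ["helpdesk@it.example.com", "hr@examp1e.com", "ceo@exarnple.com",
                 "payroll@example.com-login.net", "news@google.com"]:
        print(f"{addr:32} {classify_sender(addr)}")
```

Anything classified as "lookalike" is a candidate for quarantine or a user-facing banner; tune `max_distance` downward for short organization domains to limit false positives.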
TECHNIQUES
» Phish early or late in the day
» Calendar invites
» MFA bypass
» SIM swapping
» Hashes in email body
» Check Out of Office in O365
» Establish persistence
• Log in with multiple sessions
• Try credentials on other services
» Use valid creds to export GAL or phish laterally
» Look for patterns
• Password length / requirements
• Repeated default passwords
• Season + Year