SlideShare a Scribd company logo

DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration

Felipe Prado
Felipe Prado

DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration

Technology
1 of 56
Download to read offline
PHISHING WITHOUT FAILURE AND FRUSTRATION or “How I learned to stop worrying and love the layer 8” Unabridged Version Jay Beale CTO, InGuardians 1 Larry Pesce Director of Research, InGuardians
▪ As white hats, phishing should be just as easy as for black hats, right? • Write a crafty e-mail that directs readers to a web site. • Build a one-form web site to collect credentials. • Get client approval of the product of steps 1 and 2. • Send e-mail to as many people as possible at company. • Watch the passwords fly in. ▪ Sometimes you get lucky and it really is this easy. Whew! ▪ Expect 10–40% of employees to give their passwords. Why isn't this simple? 2
▪ Larry once had a phishing campaign with a success rate in excess of 100%. ▪ The company targeted a subset of its employees. ▪ His "give us passwords or we cut off your access" call to action worked really well. ▪ They forwarded the phishing e-mail to their co-workers! • Oh, and tested the privilege-separated accounts. • All of them… Success Rates in Excess of 100% 3
▪ A professional phishing engagement should "harden" an organization's staff. ▪ More specifically: • increase individual resilience in every staff member. • train the organization in collaborative detection. ▪ After a couple phishing campaigns, employees will detect scams and report at higher percentages. Why Phish? 4
▪ Most people’s first few professional attempts don’t go this well. ▪ Years ago, when we started phishing, we'd watch our consultants get so frustrated with the situation. We got better. ▪ The rest of this talk details ours and others' frustrating situations, teaching you how to avoid them entirely and achieve success. Why this talk? 5 Layer 8
▪ This isn’t about red team phishing - we do that too, but it rarely involves these challenges. ▪ Eleven stories of failure, each with specific solutions. ▪ Generalizing… ▪ Setting up any professional phishing campaign involves: • Collaboration • Communication • Negotiation ▪ For that matter, anything in life with more than one person involves negotiation. TL;DR 6
▪ Red Team phishing is phishing solely to get initial access, not to test everyone ▪ Incredibly small target pool - usually 1-2 e-mails • Manually determine targets • Use open source recon: LinkedIn, Connect.com, Company website ▪ Low and slow - we must not get caught • It can help to have a pre-established persona with a LinkedIn profile • Pretext focused on specific job function, e.g. recruiters open resumes • Payload needs to be stealthy, topical and never cause suspicion ▪ Pro-tip: use Gmail or Office365 since many organizations whitelist these. Penetration Test Phishing vs Red Team Phishing 7
▪ We're going to tell you eleven stories from real life experience. ▪ Each informed the way that we run a phishing engagement. ▪ We give this advice as if you fill one of these roles: • Consultant working for multiple clients • Security professional inside a single organization Eleven Stories 8
9
▪ We gave our client three scenarios to choose from. ▪ He chose one, we got the pretext built by Wednesday, sent the URL to the client and told him we'd be sending the e-mails on Friday. ▪ He showed the URL to his manager on Thursday, who objected to the entire scenario. ▪ You've just blown your schedule to bits. Story 1: Schedule Fail 10
11 COMMUNICATION FAIL
▪ Guide the client/organization through the process strongly from the beginning. ▪ Tell the org what you're going to need before you even start brainstorming pretexts. ▪ Find out on Day 0 who can veto a pretext. Explain the risk of a late-stage veto. ▪ Set and remind org of deadlines for pretext acceptance. ▪ Prototype pretexts: don't build a site until final agreement on pretext. ▪ Involve the org contact in developing pretexts. ▪ Realize that you're in a multi-party negotiation and rock it accordingly. Story 1: Fix It 12
▪ Communicate more in the beginning Introvert Pro-tip 13 ▪ Far less time spent later on: • talking about frustrations • assigning blame • lamenting failure ==
14
▪ You spend substantial time developing a pretext e-mail and landing page, but then none of your e-mails make it through the organization's spam filters. ▪ Spam filters trigger because: • your domain is too new • your domain lacks or has broken SPF/DKIM/MTA configs • they get lucky ▪ Back to the drawing board! The schedule suffers and the org contact is annoyed. Story 2: SPAM Filters 15
16
▪ On the technical side, configure: • SPF – make sure to include your IPv6 address • DKIM • MTA with a domain that has existed for at least a week. ▪ An even better solution is to explain to your contact that you're testing the humans, not the technology, and ask for a spam filter whitelist. ▪ Make sure to budget time and test the whitelist! Fix 2: Technical and Human 17
18
▪ You use all the best tools (including Maltego) and get only 15 e-mail addresses. ▪ If you want to test the organization as a whole, you need a heck of a lot of e- mail addresses. ▪ Black Hats get to: • brute force mail servers to find valid e-mail addresses • buy mailing lists Story 3: Numbers Game Fail 19
20
▪ Let's stipulate that an attacker could get a very comprehensive list of e-mail addresses. ▪ RED TEAM TACTICS: White Card event ▪ Present options to the client: • We'll find addresses, include them in the report, but then client gives us a comprehensive list of e-mail addresses. • We can brute force your mail server with spam. • Just give us a complete set of e-mail addresses. Fix 3: Numbers Game Fail 21
22
▪ Your e-mail says it's from Robert Smith, the Director of Information Technology. ▪ Your target organization all sits in a one story open floor plan. ▪ People start walking over to Robert’s desk, and he quickly alerts everyone. ▪ Your success rate plummets! Story 4: The Open Floor Plan 23
24
▪ Know your target. ▪ If you are a third party, ask your client contact about: • Where everyone sits • How they communicate • Their escalation procedure – Do they call compliance, help desk, or HR? ▪ Better still, make your client/boss contact and at least one level of management above her part of the pretext brainstorm. Catch pretext problems early. Fix 4: The Open Floor Plan 25
26
▪ Your client asks you to send the phishing e-mails slowly, to avoid detection. ▪ Your victims start to talk. By the time you've got ten e-mails out, someone has alerted the security folks, compliance or the help desk, who send out a mass e- mail. ▪ The jig is up! Story 5: Low and Slow 27
28
▪ Phishing truly is about speed. You must rush. ▪ You’re racing an organization’s ability to communicate and collaborate. ▪ Make sure your e-mail gives so short a deadline that people rush to take your desired action, before: • Someone warns them • They get a chance to think about whether this is a good idea. Fix 5: Speed (racer meme) 29
30 you have chosen…poorly HE CHOSE POORLY
▪ You choose a domain where a single letter is changed or one where you leave out a letter. ▪ Bonus: you can register a TLS certificate! ▪ Examples: • elilily.com • elilil1y.com ▪ Outcome: The employees are trained to catch this. None of them are fooled. Story 6: Poor Domain Choice 31
32
▪ We've had very, very good results with domain names that include the company's true name: • elililly-benefits.com • elillilly.myhealthbenefits.com ▪ Figure out what will work. ▪ Check it with the org and your colleagues. Fix 6: Good Domain Choice 33
▪ What if your client asks for the L-changed-to-1 domain? ▪ Phishing is all about: • Collaboration • Communication • Negotiation ▪ The easiest and most common way to lose in a negotiation is to not realize you're in one. ▪ Can you agree to brainstorm domains as a larger group? Negotiation 34
35
▪ Your org contact asks you to use broken grammar and spelling to simulate the weakest phishes they get. ▪ This lowers your success rate, leaving you feeling frustrated. ▪ Your client has given his company a false sense of security. ▪ By winning his negotiation, the client just lost. ▪ Rule of Negotiation: if anyone loses, everyone loses. Story 7: Broken Grammar 36
37
▪ Share with the org about how broken grammar fails to harden the staff against phishers who write well. ▪ Find a phishing e-mail you’ve received with perfect grammar and share it. ▪ Negotiation: offer to do a round without the broken grammar, then a round with broken grammar/spelling Fix 7: Communication 38
39
▪ The org doesn’t involve their HR, Legal or Compliance folks, who call in the SEC to investigate. ▪ Story of a recent client’s compliance department calling the SEC and the investigation. Story 8: the SEC Investigation 40
41
▪ You have to lead the phishing project. Make involving HR, Legal and/or Compliance a mandatory part of the test. ▪ Humans most easily learn and persuade through story. Make this story part of the conversation early on. ▪ Know your org. Talk about what the escalation paths are and understand where to place your debugger breakpoints. Fix 8: YOU Have to Lead 42
43
▪ Your campaign is successful, but the client feels like you didn't communicate enough. ▪ OR ▪ The client calls you hourly for results. Story 9: Success and an Unhappy Client 44
45
▪ Make client feel loved by giving them stats even more often during first day. ▪ Remember client contact (security people) has been rooting for this kind of thing for a long time . ▪ Pro-Tip: Expectations Management ▪ Keep your level of effort under control by telling them in advance how often you’ll be giving stats. Fix 9: Success and a Happy Client 46
47
▪ You re-invent the wheel every time your group does a phishing campaign, so you don’t innovate enough. ▪ Story: every person in our company who phished created new infrastructure from scratch. ▪ You don’t move forward, you spend too much time building and debugging infrastructure. Story 10: Re-inventing the Wheel 48
49
▪ Pro-tip: use existing good free tools (Phishing Frenzy or dev your own), then teach everyone how to use it. ▪ Every phishing test (or at least every other) should make you better at phishing. Get better or stagnate. ▪ Spin up a few mail servers (MTA’s) then write scripts/processes to change the domain names around. ▪ Enlightened Laziness (automate anything you can) means you reduce errors and spend your time truly creating. Fix 10: Create, Maintain, Publicize 50
51
▪ You don’t follow up with the right people afterward and learn what effect you’re having, and what they did after the campaign. Story 11: Unknown Impact 52
53
▪ Plan how to tell the staff who fell victim about it, focussing on producing better results proactively, not through shame. ▪ Watch to see how reporting rates, escalation and alerting improves. ▪ If you’re a third party, recommend that the org phish itself at least quarterly. Fix 11: Unknown Impact 54
55
▪ Phishing is all about collaboration, communication and negotiation. • If there are 2 people talking, it’s a negotiation. ▪ Most of the failures we’ve described are failures to think ahead and communicate, collaborate and lead with the org. ▪ Use and spread these stories to persuade, plan and win. • If anyone loses a negotiation here, everyone loses. Overall Lesson 56

Recommended

How To Turn Clicks To Cash Flow
How To Turn Clicks To Cash FlowHow To Turn Clicks To Cash Flow
How To Turn Clicks To Cash FlowCharles Blair
 
Damn Spam: What you need to know about avoiding spam filters
Damn Spam: What you need to know about avoiding spam filtersDamn Spam: What you need to know about avoiding spam filters
Damn Spam: What you need to know about avoiding spam filtersSpotler
 
New distributor track
New distributor trackNew distributor track
New distributor trackDon Mennig
 
17 profitable things to say on Linkedin
17 profitable things to say on Linkedin17 profitable things to say on Linkedin
17 profitable things to say on LinkedinTom Mallens 📈 💯
 
Louis Kennedy Chukwuka - Email Addiction (Clients Oasis)
Louis Kennedy Chukwuka - Email Addiction (Clients Oasis)Louis Kennedy Chukwuka - Email Addiction (Clients Oasis)
Louis Kennedy Chukwuka - Email Addiction (Clients Oasis)ilemori olusegun
 
The REAL Success Principles Of Email Marketing
The REAL Success Principles Of Email MarketingThe REAL Success Principles Of Email Marketing
The REAL Success Principles Of Email MarketingInternet Marketing Tools
 
The Search for Work
The Search for WorkThe Search for Work
The Search for WorkJT Pedersen
 
IGS-Local-Solutions
IGS-Local-SolutionsIGS-Local-Solutions
IGS-Local-SolutionsLesley Johnston
 

Recommended

How To Turn Clicks To Cash Flow
How To Turn Clicks To Cash FlowHow To Turn Clicks To Cash Flow
How To Turn Clicks To Cash FlowCharles Blair
 
Damn Spam: What you need to know about avoiding spam filters
Damn Spam: What you need to know about avoiding spam filtersDamn Spam: What you need to know about avoiding spam filters
Damn Spam: What you need to know about avoiding spam filtersSpotler
 
New distributor track
New distributor trackNew distributor track
New distributor trackDon Mennig
 
17 profitable things to say on Linkedin
17 profitable things to say on Linkedin17 profitable things to say on Linkedin
17 profitable things to say on LinkedinTom Mallens 📈 💯
 
Louis Kennedy Chukwuka - Email Addiction (Clients Oasis)
Louis Kennedy Chukwuka - Email Addiction (Clients Oasis)Louis Kennedy Chukwuka - Email Addiction (Clients Oasis)
Louis Kennedy Chukwuka - Email Addiction (Clients Oasis)ilemori olusegun
 
The REAL Success Principles Of Email Marketing
The REAL Success Principles Of Email MarketingThe REAL Success Principles Of Email Marketing
The REAL Success Principles Of Email MarketingInternet Marketing Tools
 
The Search for Work
The Search for WorkThe Search for Work
The Search for WorkJT Pedersen
 
IGS-Local-Solutions
IGS-Local-SolutionsIGS-Local-Solutions
IGS-Local-SolutionsLesley Johnston
 
5 Reasons You Will Fail At Open Networking!
5 Reasons You Will Fail At Open Networking!5 Reasons You Will Fail At Open Networking!
5 Reasons You Will Fail At Open Networking!Stuart Walton
 
Networking For Startups 101
Networking For Startups 101Networking For Startups 101
Networking For Startups 101Stuart Walton
 
How to employ yourself today
How to employ yourself todayHow to employ yourself today
How to employ yourself todayjohnsparksteachingpro
 
How to employ yourself today
How to employ yourself todayHow to employ yourself today
How to employ yourself todayJohn Sparks
 
FSB North Staffs Presentation - 9 Steps To Fail At Business Networking
FSB North Staffs Presentation - 9 Steps To Fail At Business NetworkingFSB North Staffs Presentation - 9 Steps To Fail At Business Networking
FSB North Staffs Presentation - 9 Steps To Fail At Business NetworkingStuart Walton
 
The Five Most Important Ways to Double your Real Estate Business
The Five Most Important Ways to Double your Real Estate BusinessThe Five Most Important Ways to Double your Real Estate Business
The Five Most Important Ways to Double your Real Estate BusinessRichard Smith
 
Steve de's mm ppt for best practices in the us
Steve de's mm ppt for best practices in the usSteve de's mm ppt for best practices in the us
Steve de's mm ppt for best practices in the usjmadrid7
 
Turn Your Contacts Into Contracts Business Networking Course
Turn Your Contacts Into Contracts Business Networking CourseTurn Your Contacts Into Contracts Business Networking Course
Turn Your Contacts Into Contracts Business Networking CourseThe Instant Edge
 
Connects Networking Stoke October 2015 - 9 Guaranteed Steps To Fail At Busine...
Connects Networking Stoke October 2015 - 9 Guaranteed Steps To Fail At Busine...Connects Networking Stoke October 2015 - 9 Guaranteed Steps To Fail At Busine...
Connects Networking Stoke October 2015 - 9 Guaranteed Steps To Fail At Busine...Stuart Walton
 
Alexander Accountancy New To Business Seminar June 2015
Alexander Accountancy New To Business Seminar June 2015Alexander Accountancy New To Business Seminar June 2015
Alexander Accountancy New To Business Seminar June 2015Stuart Walton
 
Top 10 Things To Do If You Want To Get Fired Over A WordPress Project
Top 10 Things To Do If You Want To Get Fired Over A WordPress ProjectTop 10 Things To Do If You Want To Get Fired Over A WordPress Project
Top 10 Things To Do If You Want To Get Fired Over A WordPress ProjectWilliam Bergmann
 
Startup Sales - How to Acquire Your First Customers
Startup Sales - How to Acquire Your First Customers Startup Sales - How to Acquire Your First Customers
Startup Sales - How to Acquire Your First Customers Garrett Smith
 
Burton Chamber Of Commerce Networking Talk - April 2015
Burton Chamber Of Commerce Networking Talk - April 2015Burton Chamber Of Commerce Networking Talk - April 2015
Burton Chamber Of Commerce Networking Talk - April 2015Stuart Walton
 
When Hot Leads Go Cold: How To Avoid The 3 Pitfalls
When Hot Leads Go Cold: How To Avoid The 3 PitfallsWhen Hot Leads Go Cold: How To Avoid The 3 Pitfalls
When Hot Leads Go Cold: How To Avoid The 3 PitfallsErroin Martin
 
13 Secrets to Successful Metrics-Based Marketing
13 Secrets to Successful Metrics-Based Marketing13 Secrets to Successful Metrics-Based Marketing
13 Secrets to Successful Metrics-Based MarketingMorgan Friedman
 
Ten commandments to make your self visible
Ten commandments to make your self visibleTen commandments to make your self visible
Ten commandments to make your self visibleK S Ahluwalia
 
Maximizing Your Virtual Assistant for Realtors
Maximizing Your Virtual Assistant for RealtorsMaximizing Your Virtual Assistant for Realtors
Maximizing Your Virtual Assistant for RealtorsRichard Smith
 
The Guaranteed Steps To Fail At Networking - Uttoxeter June 2015
The Guaranteed Steps To Fail At Networking - Uttoxeter June 2015The Guaranteed Steps To Fail At Networking - Uttoxeter June 2015
The Guaranteed Steps To Fail At Networking - Uttoxeter June 2015Stuart Walton
 
IT Interview Tips: Your Guide to an Exceptional Interview
IT Interview Tips: Your Guide to an Exceptional InterviewIT Interview Tips: Your Guide to an Exceptional Interview
IT Interview Tips: Your Guide to an Exceptional InterviewModis
 
Landing your Dream Job in Tech
Landing your Dream Job in TechLanding your Dream Job in Tech
Landing your Dream Job in Techmairna_rakhlin
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
 

More Related Content

Similar to DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration

5 Reasons You Will Fail At Open Networking!
5 Reasons You Will Fail At Open Networking!5 Reasons You Will Fail At Open Networking!
5 Reasons You Will Fail At Open Networking!Stuart Walton
 
Networking For Startups 101
Networking For Startups 101Networking For Startups 101
Networking For Startups 101Stuart Walton
 
How to employ yourself today
How to employ yourself todayHow to employ yourself today
How to employ yourself todayJohn Sparks
 
FSB North Staffs Presentation - 9 Steps To Fail At Business Networking
FSB North Staffs Presentation - 9 Steps To Fail At Business NetworkingFSB North Staffs Presentation - 9 Steps To Fail At Business Networking
FSB North Staffs Presentation - 9 Steps To Fail At Business NetworkingStuart Walton
 
The Five Most Important Ways to Double your Real Estate Business
The Five Most Important Ways to Double your Real Estate BusinessThe Five Most Important Ways to Double your Real Estate Business
The Five Most Important Ways to Double your Real Estate BusinessRichard Smith
 
Steve de's mm ppt for best practices in the us
Steve de's mm ppt for best practices in the usSteve de's mm ppt for best practices in the us
Steve de's mm ppt for best practices in the usjmadrid7
 
Turn Your Contacts Into Contracts Business Networking Course
Turn Your Contacts Into Contracts Business Networking CourseTurn Your Contacts Into Contracts Business Networking Course
Turn Your Contacts Into Contracts Business Networking CourseThe Instant Edge
 
Connects Networking Stoke October 2015 - 9 Guaranteed Steps To Fail At Busine...
Connects Networking Stoke October 2015 - 9 Guaranteed Steps To Fail At Busine...Connects Networking Stoke October 2015 - 9 Guaranteed Steps To Fail At Busine...
Connects Networking Stoke October 2015 - 9 Guaranteed Steps To Fail At Busine...Stuart Walton
 
Alexander Accountancy New To Business Seminar June 2015
Alexander Accountancy New To Business Seminar June 2015Alexander Accountancy New To Business Seminar June 2015
Alexander Accountancy New To Business Seminar June 2015Stuart Walton
 
Top 10 Things To Do If You Want To Get Fired Over A WordPress Project
Top 10 Things To Do If You Want To Get Fired Over A WordPress ProjectTop 10 Things To Do If You Want To Get Fired Over A WordPress Project
Top 10 Things To Do If You Want To Get Fired Over A WordPress ProjectWilliam Bergmann
 
Startup Sales - How to Acquire Your First Customers
Startup Sales - How to Acquire Your First Customers Startup Sales - How to Acquire Your First Customers
Startup Sales - How to Acquire Your First Customers Garrett Smith
 
Burton Chamber Of Commerce Networking Talk - April 2015
Burton Chamber Of Commerce Networking Talk - April 2015Burton Chamber Of Commerce Networking Talk - April 2015
Burton Chamber Of Commerce Networking Talk - April 2015Stuart Walton
 
When Hot Leads Go Cold: How To Avoid The 3 Pitfalls
When Hot Leads Go Cold: How To Avoid The 3 PitfallsWhen Hot Leads Go Cold: How To Avoid The 3 Pitfalls
When Hot Leads Go Cold: How To Avoid The 3 PitfallsErroin Martin
 
13 Secrets to Successful Metrics-Based Marketing
13 Secrets to Successful Metrics-Based Marketing13 Secrets to Successful Metrics-Based Marketing
13 Secrets to Successful Metrics-Based MarketingMorgan Friedman
 
Ten commandments to make your self visible
Ten commandments to make your self visibleTen commandments to make your self visible
Ten commandments to make your self visibleK S Ahluwalia
 
Maximizing Your Virtual Assistant for Realtors
Maximizing Your Virtual Assistant for RealtorsMaximizing Your Virtual Assistant for Realtors
Maximizing Your Virtual Assistant for RealtorsRichard Smith
 
The Guaranteed Steps To Fail At Networking - Uttoxeter June 2015
The Guaranteed Steps To Fail At Networking - Uttoxeter June 2015The Guaranteed Steps To Fail At Networking - Uttoxeter June 2015
The Guaranteed Steps To Fail At Networking - Uttoxeter June 2015Stuart Walton
 
IT Interview Tips: Your Guide to an Exceptional Interview
IT Interview Tips: Your Guide to an Exceptional InterviewIT Interview Tips: Your Guide to an Exceptional Interview
IT Interview Tips: Your Guide to an Exceptional InterviewModis
 
Landing your Dream Job in Tech
Landing your Dream Job in TechLanding your Dream Job in Tech
Landing your Dream Job in Techmairna_rakhlin
 

Similar to DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration (20)

5 Reasons You Will Fail At Open Networking!
5 Reasons You Will Fail At Open Networking!5 Reasons You Will Fail At Open Networking!
5 Reasons You Will Fail At Open Networking!
 
Networking For Startups 101
Networking For Startups 101Networking For Startups 101
Networking For Startups 101
 
How to employ yourself today
How to employ yourself todayHow to employ yourself today
How to employ yourself today
 
How to employ yourself today
How to employ yourself todayHow to employ yourself today
How to employ yourself today
 
FSB North Staffs Presentation - 9 Steps To Fail At Business Networking
FSB North Staffs Presentation - 9 Steps To Fail At Business NetworkingFSB North Staffs Presentation - 9 Steps To Fail At Business Networking
FSB North Staffs Presentation - 9 Steps To Fail At Business Networking
 
The Five Most Important Ways to Double your Real Estate Business
The Five Most Important Ways to Double your Real Estate BusinessThe Five Most Important Ways to Double your Real Estate Business
The Five Most Important Ways to Double your Real Estate Business
 
Steve de's mm ppt for best practices in the us
Steve de's mm ppt for best practices in the usSteve de's mm ppt for best practices in the us
Steve de's mm ppt for best practices in the us
 
Turn Your Contacts Into Contracts Business Networking Course
Turn Your Contacts Into Contracts Business Networking CourseTurn Your Contacts Into Contracts Business Networking Course
Turn Your Contacts Into Contracts Business Networking Course
 
Connects Networking Stoke October 2015 - 9 Guaranteed Steps To Fail At Busine...
Connects Networking Stoke October 2015 - 9 Guaranteed Steps To Fail At Busine...Connects Networking Stoke October 2015 - 9 Guaranteed Steps To Fail At Busine...
Connects Networking Stoke October 2015 - 9 Guaranteed Steps To Fail At Busine...
 
Alexander Accountancy New To Business Seminar June 2015
Alexander Accountancy New To Business Seminar June 2015Alexander Accountancy New To Business Seminar June 2015
Alexander Accountancy New To Business Seminar June 2015
 
Top 10 Things To Do If You Want To Get Fired Over A WordPress Project
Top 10 Things To Do If You Want To Get Fired Over A WordPress ProjectTop 10 Things To Do If You Want To Get Fired Over A WordPress Project
Top 10 Things To Do If You Want To Get Fired Over A WordPress Project
 
Startup Sales - How to Acquire Your First Customers
Startup Sales - How to Acquire Your First Customers Startup Sales - How to Acquire Your First Customers
Startup Sales - How to Acquire Your First Customers
 
Burton Chamber Of Commerce Networking Talk - April 2015
Burton Chamber Of Commerce Networking Talk - April 2015Burton Chamber Of Commerce Networking Talk - April 2015
Burton Chamber Of Commerce Networking Talk - April 2015
 
When Hot Leads Go Cold: How To Avoid The 3 Pitfalls
When Hot Leads Go Cold: How To Avoid The 3 PitfallsWhen Hot Leads Go Cold: How To Avoid The 3 Pitfalls
When Hot Leads Go Cold: How To Avoid The 3 Pitfalls
 
13 Secrets to Successful Metrics-Based Marketing
13 Secrets to Successful Metrics-Based Marketing13 Secrets to Successful Metrics-Based Marketing
13 Secrets to Successful Metrics-Based Marketing
 
Ten commandments to make your self visible
Ten commandments to make your self visibleTen commandments to make your self visible
Ten commandments to make your self visible
 
Maximizing Your Virtual Assistant for Realtors
Maximizing Your Virtual Assistant for RealtorsMaximizing Your Virtual Assistant for Realtors
Maximizing Your Virtual Assistant for Realtors
 
The Guaranteed Steps To Fail At Networking - Uttoxeter June 2015
The Guaranteed Steps To Fail At Networking - Uttoxeter June 2015The Guaranteed Steps To Fail At Networking - Uttoxeter June 2015
The Guaranteed Steps To Fail At Networking - Uttoxeter June 2015
 
IT Interview Tips: Your Guide to an Exceptional Interview
IT Interview Tips: Your Guide to an Exceptional InterviewIT Interview Tips: Your Guide to an Exceptional Interview
IT Interview Tips: Your Guide to an Exceptional Interview
 
Landing your Dream Job in Tech
Landing your Dream Job in TechLanding your Dream Job in Tech
Landing your Dream Job in Tech
 

More from Felipe Prado

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsFelipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionFelipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101Felipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentFelipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareFelipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...Felipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceFelipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistFelipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksFelipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityFelipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsFelipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...Felipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksFelipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncFelipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 

More from Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 

Recently uploaded

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 

Recently uploaded (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 

DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration

  • 1. PHISHING WITHOUT FAILURE AND FRUSTRATION or “How I learned to stop worrying and love the layer 8” Unabridged Version Jay Beale CTO, InGuardians 1 Larry Pesce Director of Research, InGuardians
  • 2. ▪ As white hats, phishing should be just as easy as for black hats, right? • Write a crafty e-mail that directs readers to a web site. • Build a one-form web site to collect credentials. • Get client approval of the product of steps 1 and 2. • Send e-mail to as many people as possible at company. • Watch the passwords fly in. ▪ Sometimes you get lucky and it really is this easy. Whew! ▪ Expect 10–40% of employees to give their passwords. Why isn't this simple? 2
  • 3. ▪ Larry once had a phishing campaign with a success rate in excess of 100%. ▪ The company targeted a subset of its employees. ▪ His "give us passwords or we cut off your access" call to action worked really well. ▪ They forwarded the phishing e-mail to their co-workers! • Oh, and tested the privilege-separated accounts. • All of them… Success Rates in Excess of 100% 3
  • 4. ▪ A professional phishing engagement should "harden" an organization's staff. ▪ More specifically: • increase individual resilience in every staff member. • train the organization in collaborative detection. ▪ After a couple phishing campaigns, employees will detect scams and report at higher percentages. Why Phish? 4
  • 5. ▪ Most people’s first few professional attempts don’t go this well. ▪ Years ago, when we started phishing, we'd watch our consultants get so frustrated with the situation. We got better. ▪ The rest of this talk details ours and others' frustrating situations, teaching you how to avoid them entirely and achieve success. Why this talk? 5 Layer 8
  • 6. ▪ This isn’t about red team phishing - we do that too, but it rarely involves these challenges. ▪ Eleven stories of failure, each with specific solutions. ▪ Generalizing… ▪ Setting up any professional phishing campaign involves: • Collaboration • Communication • Negotiation ▪ For that matter, anything in life with more than one person involves negotiation. TL;DR 6
  • 7. ▪ Red Team phishing is phishing solely to get initial access, not to test everyone ▪ Incredibly small target pool - usually 1-2 e-mails • Manually determine targets • Use open source recon: LinkedIn, Connect.com, Company website ▪ Low and slow - we must not get caught • It can help to have a pre-established persona with a LinkedIn profile • Pretext focused on specific job function, e.g. recruiters open resumes • Payload needs to be stealthy, topical and never cause suspicion ▪ Pro-tip: use Gmail or Office365 since many organizations whitelist these. Penetration Test Phishing vs Red Team Phishing 7
  • 8. ▪ We're going to tell you eleven stories from real life experience. ▪ Each informed the way that we run a phishing engagement. ▪ We give this advice as if you fill one of these roles: • Consultant working for multiple clients • Security professional inside a single organization Eleven Stories 8
  • 9. 9
  • 10. ▪ We gave our client three scenarios to choose from. ▪ He chose one, we got the pretext built by Wednesday, sent the URL to the client and told him we'd be sending the e-mails on Friday. ▪ He showed the URL to his manager on Thursday, who objected to the entire scenario. ▪ You've just blown your schedule to bits. Story 1: Schedule Fail 10
  • 12. ▪ Guide the client/organization through the process strongly from the beginning. ▪ Tell the org what you're going to need before you even start brainstorming pretexts. ▪ Find out on Day 0 who can veto a pretext. Explain the risk of a late-stage veto. ▪ Set and remind org of deadlines for pretext acceptance. ▪ Prototype pretexts: don't build a site until final agreement on pretext. ▪ Involve the org contact in developing pretexts. ▪ Realize that you're in a multi-party negotiation and rock it accordingly. Story 1: Fix It 12
  • 13. ▪ Communicate more in the beginning Introvert Pro-tip 13 ▪ Far less time spent later on: • talking about frustrations • assigning blame • lamenting failure ==
  • 14. 14
  • 15. ▪ You spend substantial time developing a pretext e-mail and landing page, but then none of your e-mails make it through the organization's spam filters. ▪ Spam filters trigger because: • your domain is too new • your domain lacks or has broken SPF/DKIM/MTA configs • they get lucky ▪ Back to the drawing board! The schedule suffers and the org contact is annoyed. Story 2: SPAM Filters 15
  • 16. 16
  • 17. ▪ On the technical side, configure: • SPF – make sure to include your IPv6 address • DKIM • MTA with a domain that has existed for at least a week. ▪ An even better solution is to explain to your contact that you're testing the humans, not the technology, and ask for a spam filter whitelist. ▪ Make sure to budget time and test the whitelist! Fix 2: Technical and Human 17
  • 18. 18
  • 19. ▪ You use all the best tools (including Maltego) and get only 15 e-mail addresses. ▪ If you want to test the organization as a whole, you need a heck of a lot of e- mail addresses. ▪ Black Hats get to: • brute force mail servers to find valid e-mail addresses • buy mailing lists Story 3: Numbers Game Fail 19
  • 20. 20
  • 21. ▪ Let's stipulate that an attacker could get a very comprehensive list of e-mail addresses. ▪ RED TEAM TACTICS: White Card event ▪ Present options to the client: • We'll find addresses, include them in the report, but then client gives us a comprehensive list of e-mail addresses. • We can brute force your mail server with spam. • Just give us a complete set of e-mail addresses. Fix 3: Numbers Game Fail 21
  • 22. 22
  • 23. ▪ Your e-mail says it's from Robert Smith, the Director of Information Technology. ▪ Your target organization all sits in a one story open floor plan. ▪ People start walking over to Robert’s desk, and he quickly alerts everyone. ▪ Your success rate plummets! Story 4: The Open Floor Plan 23
  • 24. 24
  • 25. ▪ Know your target. ▪ If you are a third party, ask your client contact about: • Where everyone sits • How they communicate • Their escalation procedure – Do they call compliance, help desk, or HR? ▪ Better still, make your client/boss contact and at least one level of management above her part of the pretext brainstorm. Catch pretext problems early. Fix 4: The Open Floor Plan 25
  • 26. 26
  • 27. ▪ Your client asks you to send the phishing e-mails slowly, to avoid detection. ▪ Your victims start to talk. By the time you've got ten e-mails out, someone has alerted the security folks, compliance or the help desk, who send out a mass e- mail. ▪ The jig is up! Story 5: Low and Slow 27
  • 28. 28
  • 29. ▪ Phishing truly is about speed. You must rush. ▪ You’re racing an organization’s ability to communicate and collaborate. ▪ Make sure your e-mail gives so short a deadline that people rush to take your desired action, before: • Someone warns them • They get a chance to think about whether this is a good idea. Fix 5: Speed (racer meme) 29
  • 31. ▪ You choose a domain where a single letter is changed or one where you leave out a letter. ▪ Bonus: you can register a TLS certificate! ▪ Examples: • elilily.com • elilil1y.com ▪ Outcome: The employees are trained to catch this. None of them are fooled. Story 6: Poor Domain Choice 31
  • 32. 32
  • 33. ▪ We've had very, very good results with domain names that include the company's true name: • elililly-benefits.com • elillilly.myhealthbenefits.com ▪ Figure out what will work. ▪ Check it with the org and your colleagues. Fix 6: Good Domain Choice 33
  • 34. ▪ What if your client asks for the L-changed-to-1 domain? ▪ Phishing is all about: • Collaboration • Communication • Negotiation ▪ The easiest and most common way to lose in a negotiation is to not realize you're in one. ▪ Can you agree to brainstorm domains as a larger group? Negotiation 34
  • 35. 35
  • 36. ▪ Your org contact asks you to use broken grammar and spelling to simulate the weakest phishes they get. ▪ This lowers your success rate, leaving you feeling frustrated. ▪ Your client has given his company a false sense of security. ▪ By winning his negotiation, the client just lost. ▪ Rule of Negotiation: if anyone loses, everyone loses. Story 7: Broken Grammar 36
  • 37. 37
  • 38. ▪ Share with the org about how broken grammar fails to harden the staff against phishers who write well. ▪ Find a phishing e-mail you’ve received with perfect grammar and share it. ▪ Negotiation: offer to do a round without the broken grammar, then a round with broken grammar/spelling Fix 7: Communication 38
  • 39. 39
  • 40. ▪ The org doesn’t involve their HR, Legal or Compliance folks, who call in the SEC to investigate. ▪ Story of a recent client’s compliance department calling the SEC and the investigation. Story 8: the SEC Investigation 40
  • 41. 41
  • 42. ▪ You have to lead the phishing project. Make involving HR, Legal and/or Compliance a mandatory part of the test. ▪ Humans most easily learn and persuade through story. Make this story part of the conversation early on. ▪ Know your org. Talk about what the escalation paths are and understand where to place your debugger breakpoints. Fix 8: YOU Have to Lead 42
  • 43. 43
  • 44. ▪ Your campaign is successful, but the client feels like you didn't communicate enough. ▪ OR ▪ The client calls you hourly for results. Story 9: Success and an Unhappy Client 44
  • 45. 45
  • 46. ▪ Make client feel loved by giving them stats even more often during first day. ▪ Remember client contact (security people) has been rooting for this kind of thing for a long time . ▪ Pro-Tip: Expectations Management ▪ Keep your level of effort under control by telling them in advance how often you’ll be giving stats. Fix 9: Success and a Happy Client 46
  • 47. 47
  • 48. ▪ You re-invent the wheel every time your group does a phishing campaign, so you don’t innovate enough. ▪ Story: every person in our company who phished created new infrastructure from scratch. ▪ You don’t move forward, you spend too much time building and debugging infrastructure. Story 10: Re-inventing the Wheel 48
  • 49. 49
  • 50. ▪ Pro-tip: use existing good free tools (Phishing Frenzy or dev your own), then teach everyone how to use it. ▪ Every phishing test (or at least every other) should make you better at phishing. Get better or stagnate. ▪ Spin up a few mail servers (MTA’s) then write scripts/processes to change the domain names around. ▪ Enlightened Laziness (automate anything you can) means you reduce errors and spend your time truly creating. Fix 10: Create, Maintain, Publicize 50
  • 51. 51
  • 52. ▪ You don’t follow up with the right people afterward and learn what effect you’re having, and what they did after the campaign. Story 11: Unknown Impact 52
  • 53. 53
  • 54. ▪ Plan how to tell the staff who fell victim about it, focussing on producing better results proactively, not through shame. ▪ Watch to see how reporting rates, escalation and alerting improves. ▪ If you’re a third party, recommend that the org phish itself at least quarterly. Fix 11: Unknown Impact 54
  • 55. 55
  • 56. ▪ Phishing is all about collaboration, communication and negotiation. • If there are 2 people talking, it’s a negotiation. ▪ Most of the failures we’ve described are failures to think ahead and communicate, collaborate and lead with the org. ▪ Use and spread these stories to persuade, plan and win. • If anyone loses a negotiation here, everyone loses. Overall Lesson 56