Why phishing works. Offensive and defensive techniques.

1. Phishing stories from
the trenches
– Cyber
+ Hacking

2. $ whoami
Gabor Szathmari
● Incident manager @ Amazon.com
● Security expert @ Iron Bastion
● Privacy advocate @ CryptoAUSTRALIA

3. We’ll cover
● Why phishing works – examples
● How to get better at offense and
defence

4. Go

5. What phishing is
“Only amateurs attack machines; professionals
target people” - Bruce Schneier
● Social engineering
● Not just email
● From simple to sophisticated

6. Why phishing?
● Steal sensitive stuff:
○ Passwords
○ Payment details (cc numbers, crypto wallets)
● Trick someone into doing something:
○ Reset someone’s password → CIA Director John
Brennan’s AOL account
○ Transfer a phone number → YouTube “h3h3: Your
Privacy is at Risk”

7. Why phishing? (part 2.)
● Install badware
○ Ransomware, cryptolockers
○ Backdoors, Remote Access Toolkits (RAT)
● The long game
○ Resetting pws of other accounts (DropBox, personal
mailboxes, Steam accounts)
○ Tamper with payment directions
○ Lateral movement into corporate networks
○ Fun

8. Outdated pieces of advice

9. Outdated pieces of advice

10. Outdated pieces of advice
● Hover links
● Check the sender’s email address
● Broken English
● Don’t open files
● Change passwords often
“None of the victims are idiots” - me

11. Why they don’t work?
Examples

12. Spot the phish 1.

13. Spot the phish 2.

14. Spot the phish 2.

15. Spot the phish 3.
http://epl.paypal-
communication.com/
T/v40[...]

16. Spot the phish 3.
Lol:
“As for https://epl.paypal-
communication.com it is clearly also just a
tracker made by PayPal”
https://www.reddit.com/r/paypal/comments/4qlnf0/is_this_a_phishing_attempt/

17. Spot the phish 4.

18. Spot the phish 5.

19. Spot the phish 5.
https://twitter.com/cryptoaustralia/status/905981181048401920

20. Spot the phish 6.

21. Enhance! – iPhone
● Sender address
isn’t displayed
● No link hovering

22. ಠ_ಠ – Lotus Notes
“In Outlook email, I can point the mouse over any hyperlink in email body
and right click and copy the URL that the hyperlink is pointing to.
How do you do this in Lotus Notes email?”
“1. Right click on the email and select ‘Edit’
2. Right click on the link in question and select ‘HotSpot Properties’
3. A new box will pop up that has details about the link
4. Select the text in the ‘Value’ field and Ctrl-C to copy the link address.”
https://superuser.com/questions/836890/how-to-copy-links-in-lotus-notes-email

23. Plain English

24. Outdated pieces of advice (recap)
● Hover links – ಠ_ಠ
● Check the sender’s email address – Yeah nah
● Broken English – u w0t m8
● Don’t open files – Good luck with this
● Change passwords often - API creds, application pws
“None of the victims are idiots” - me

25. Offense and Defence

26. Disclaimer
● The following offensive
techniques are meant to be
used in penetration testing/
read teaming engagements
● You must have a written
permission from the right
person of the organisation

27. Phish like a pro
Sender IP reputation:
- DNSBL
- Reverse DNS record (PTR)
Domain reputation:
- Age (> 1 month)
- Old school TLD
(no .horse, .wang, .plumbing)
- Public WHOIS record
- Hosts a website

28. Phish like pro 2.
Spam/Phishing filter evasion:
- Consistent ‘Envelope sender’, HELO, ‘From’ and domain
- SPF / DKIM / DMARC records
- ‘To: f_name l_name <user@example.com>’
- No web links
- No HTTP redirects
- No link shorteners
- Plain-text
- Avoid suspicious wording

29. Phish like pro 3.
URL reputation:
- Don’t get blacklisted:
- URIBL.com
- Google Safe Browsing
- Add safe category:
- http://url.fortinet.net/rate/submit.php
- https://www.trustedsource.org/en/feedback/url
- https://global.sitesafety.trendmicro.com/index.php
- https://sitereview.bluecoat.com/

30. Tooling – Offense 1.
Manage phishing campaigns:
● https://getgophish.com/
● https://github.com/pentestgeek/phishing-frenzy
● https://github.com/securestate/king-phisher

31. Tooling – Offense

32. Tooling – Offense 2.
- Generate domains (typosquatting): dnstwist
- Buy abandoned domains: ExpiredDomains.net
- Obfuscate payload
- https://github.com/Veil-Framework/Veil
- Research & pretext
- “Here’s an AWS gift card for using our #hashtag”
- “We’ll send you a survey tomorrow”

33. How to phish more effectively 101

34. Tooling – Offense 3.
Improve deliverability:
- Spell check / proofread / peer review emails
- Track bounces and spam complaints (self-hosted)
- https://glockapps.com/bounces-complaints-monitoring/
- Use a transactional email services
- Mailgun, Sendgrid ...
- Buy dedicated IP ($$$)

35. Tooling – Offense 4.
Build quality email lists:
● DIY – Browser and loads of time
● Pentesting scripts (e.g. theHarvester)
● Pay someone:
○ Search “Lead generation”
○ UpWork.com, Freelancer.com
● Marketing tools to the rescue: Hunter.io, Snov.io

36. Tooling – Offense 5.
Random words of advice:
● Reduce bounces & complaints:
BriteVerify, emailchecker.io, zerobounce.net
● Spam test: mail-tester.com
● Start slow (warm up with few emails per day)
● Proper salutation + first name
● Add a little variety to each outgoing email

38. Tooling – Defence 1. – Abuse
Domain monitoring w/ Certificate Transparency:
- https://developers.facebook.com/tools/ct/
- https://phishfinder.io
DMARC record:
- Set to ‘reject’
- Receive forensic reports
- OnDMARC, DMARCian, DMARC Analyzer ($$$)

39. Tooling – Defence 2. – Email gw
● Neutralise attachments ( .doc → .html )
● Malware sandbox
● URL rewriting
● DNSBL blocklists
● Email quarantine
● URLs: Web proxy or DNS sinkholing (e.g. Pi-hole, Cisco Umbrella)
Services: Mimecast, MailGuard ...
ASD recommendations:
https://www.asd.gov.au/publications/protect/malicious_email_mitigation.htm

40. Tooling – Defence 3.– Endpoint
● Anti-malware / endpoint protection
○ Anti-phishing filter
○ Ransomware protection
● Browser extensions
○ NoScript, Scriptsafe, Flashblock, uBlock Origin
○ Windows Defender Browser Protection for Chrome
(w00t)
○ Webroot Filtering Extension

41. Tooling – Defence 4. – Layer 8
● Sandboxing
○ VirtualBox
○ Sandboxie
● Awareness:
○ Phishing simulation: PhishMe, PhishingBox

42. Summary
● Outdated pieces of advice don’t work
● Phishing comes in different shapes and forms
● High delivery rate can be tedious (but rewarding!)
● Defense in depth is your God
● Professionals target people → Educate them!

43. Questions?
https://twltter.com/gszathmari
https://www.ironbastion.com.au
gabor@ironbastion.com.au