5. What phishing is
“Only amateurs attack machines; professionals target people” - Bruce Schneier
● Social engineering
● Not just email
● From simple to sophisticated
6. Why phishing?
● Steal sensitive stuff:
○ Passwords
○ Payment details (cc numbers, crypto wallets)
● Trick someone into doing something:
○ Reset someone’s password → CIA Director John Brennan’s AOL account
○ Transfer a phone number → YouTube “h3h3: Your Privacy is at Risk”
7. Why phishing? (part 2.)
● Install badware
○ Ransomware, cryptolockers
○ Backdoors, Remote Access Toolkits (RAT)
● The long game
○ Resetting pws of other accounts (DropBox, personal mailboxes, Steam accounts)
○ Tamper with payment directions
○ Lateral movement into corporate networks
○ Fun
10. Outdated pieces of advice
● Hover links
● Check the sender’s email address
● Broken English
● Don’t open files
● Change passwords often
“None of the victims are idiots” - me
15. Spot the phish 3.
http://epl.paypal-communication.com/T/v40[...]
16. Spot the phish 3.
Lol:
“As for https://epl.paypal-communication.com it is clearly also just a tracker made by PayPal”
https://www.reddit.com/r/paypal/comments/4qlnf0/is_this_a_phishing_attempt/
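The paypal-communication.com link above is exactly the case where “does the link contain the brand name?” is the wrong question; what matters is whether the registrable domain is one the brand actually owns. Added example (not from the talk): a small classifier that splits a URL into its registrable domain and flags a brand name appearing anywhere else in the host, including the user@host trick. The brand allowlist and the short public-suffix table are constructed for this example.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist for this example: registrable domains each brand owns.
# Extend it with the brands your users actually deal with.
BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypal.me"},
    "auspost": {"auspost.com.au"},
}

# A few two-label public suffixes so that example.com.au splits correctly.
# Assumption: in practice you would load the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "co.nz"}

def registrable_domain(host: str) -> str:
    """Return the part of a hostname that its registrant controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify_url(url: str) -> Tuple[str, Optional[str]]:
    """Label a full URL 'legit', 'suspect' or 'unknown' relative to known brands.

    'suspect' means a brand name appears somewhere in the authority part of the
    URL (host, subdomain, or the userinfo before '@') while the registrable
    domain is not one the brand owns, so whoever registered it controls it.
    """
    parts = urlsplit(url)
    reg = registrable_domain(parts.hostname or "")
    # Strip separators so pay-pal.example and paypal.example read the same.
    flat = parts.netloc.lower().replace("-", "").replace(".", "")
    for brand, owned in BRAND_DOMAINS.items():
        if reg in owned:
            return "legit", brand
        if brand in flat:
            return "suspect", brand
    return "unknown", None
```

A 'suspect' verdict is a prompt to verify against the allowlist (the Reddit thread shows the domain may well be legitimate), not proof of phishing.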
22. ಠ_ಠ – Lotus Notes
“In Outlook email, I can point the mouse over any hyperlink in email body and right click and copy the URL that the hyperlink is pointing to. How do you do this in Lotus Notes email?”
“1. Right click on the email and select ‘Edit’
2. Right click on the link in question and select ‘HotSpot Properties’
3. A new box will pop up that has details about the link
4. Select the text in the ‘Value’ field and Ctrl-C to copy the link address.”
https://superuser.com/questions/836890/how-to-copy-links-in-lotus-notes-email
24. Outdated pieces of advice (recap)
● Hover links – ಠ_ಠ
● Check the sender’s email address – Yeah nah
● Broken English – u w0t m8
● Don’t open files – Good luck with this
● Change passwords often – API creds, application pws
“None of the victims are idiots” - me
26. Disclaimer
● The following offensive techniques are meant to be used in penetration testing / red teaming engagements
● You must have written permission from the right person in the organisation
27. Phish like a pro
Sender IP reputation:
- DNSBL
- Reverse DNS record (PTR)
Domain reputation:
- Age (> 1 month)
- Old school TLD (no .horse, .wang, .plumbing)
- Public WHOIS record
- Hosts a website
28. Phish like a pro 2.
Spam/Phishing filter evasion:
- Consistent ‘Envelope sender’, HELO, ‘From’ and domain
- SPF / DKIM / DMARC records
- ‘To: f_name l_name <user@example.com>’
- No web links
- No HTTP redirects
- No link shorteners
- Plain-text
- Avoid suspicious wording
29. Phish like a pro 3.
URL reputation:
- Don’t get blacklisted:
- URIBL.com
- Google Safe Browsing
- Add safe category:
- http://url.fortinet.net/rate/submit.php
- https://www.trustedsource.org/en/feedback/url
- https://global.sitesafety.trendmicro.com/index.php
- https://sitereview.bluecoat.com/
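The consistency that slide 28 says a sender must get right (envelope sender, HELO, From, and passing SPF/DKIM/DMARC) is exactly what a receiving filter or an analyst triaging a reported email checks. Added example, not part of the talk: it parses a constructed message (sample headers, not a real capture) and reports each mismatch; it assumes the Authentication-Results header was written by your own MTA, not by the sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample (not a real capture): envelope sender and HELO host belong to
# one domain, the visible From claims another, and the MTA recorded a DMARC fail.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx-out.example.net (mx-out.example.net [192.0.2.10])
    by mail.example.com with ESMTP id ABC123; Mon, 1 Jan 2018 10:00:00 +0000
Authentication-Results: mail.example.com; spf=pass smtp.mailfrom=mailer.example.net;
    dkim=pass header.d=mailer.example.net; dmarc=fail header.from=bank.example.org
From: Bank Support <support@bank.example.org>

Your account needs attention.
"""

def _domain(address: str) -> str:
    """Lower-cased domain part of an RFC 5322 address ('' if absent)."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def _auth_result(auth_header: str, mechanism: str) -> str:
    """Result recorded for spf/dkim/dmarc in Authentication-Results ('none' if missing)."""
    m = re.search(rf"\b{mechanism}=(\w+)", auth_header)
    return m.group(1).lower() if m else "none"

def extract_identities(raw: str) -> dict:
    """Collect the identities that should agree for a legitimate sender."""
    msg = message_from_string(raw)
    helo = re.search(r"from\s+(\S+)", msg.get("Received", ""))  # first Received hop
    auth = msg.get("Authentication-Results", "")
    return {
        "envelope_from": _domain(msg.get("Return-Path", "")),
        "header_from": _domain(msg.get("From", "")),
        "helo": helo.group(1).lower() if helo else "",
        "spf": _auth_result(auth, "spf"),
        "dkim": _auth_result(auth, "dkim"),
        "dmarc": _auth_result(auth, "dmarc"),
    }

def alignment_findings(raw: str) -> list:
    """Human-readable mismatches; an empty list means everything aligns."""
    ids = extract_identities(raw)
    hf, helo, findings = ids["header_from"], ids["helo"], []
    if ids["envelope_from"] != hf:
        findings.append(f"envelope sender {ids['envelope_from']} != From {hf}")
    if helo and helo != hf and not helo.endswith("." + hf):
        findings.append(f"HELO {helo} is outside From domain {hf}")
    findings += [f"{m}={ids[m]}" for m in ("spf", "dkim", "dmarc") if ids[m] != "pass"]
    return findings
```

Many legitimate bulk senders also fail the envelope/From comparison (that is what relaxed DMARC alignment exists for), so treat the findings as triage signals rather than a verdict.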
34. Tooling – Offense 3.
Improve deliverability:
- Spell check / proofread / peer review emails
- Track bounces and spam complaints (self-hosted)
- https://glockapps.com/bounces-complaints-monitoring/
- Use a transactional email service
- Mailgun, Sendgrid ...
- Buy dedicated IP ($$$)
35. Tooling – Offense 4.
Build quality email lists:
● DIY – Browser and loads of time
● Pentesting scripts (e.g. theHarvester)
● Pay someone:
○ Search “Lead generation”
○ UpWork.com, Freelancer.com
● Marketing tools to the rescue: Hunter.io, Snov.io
36. Tooling – Offense 5.
Random words of advice:
● Reduce bounces & complaints:
BriteVerify, emailchecker.io, zerobounce.net
● Spam test: mail-tester.com
● Start slow (warm up with few emails per day)
● Proper salutation + first name
● Add a little variety to each outgoing email
42. Summary
● Outdated pieces of advice don’t work
● Phishing comes in different shapes and forms
● High delivery rate can be tedious (but rewarding!)
● Defense in depth is your God
● Professionals target people → Educate them!
Works over phone, voicemail, SMS or QR codes
Mr. Robot - USB flash drives
Smartphones like the iPhone don’t display the sender’s email address
Proofreading for $5, pixel perfect copies of Australia Post emails
File attachments are a vital part of every business. E.g. resumes, invoices, essays
You can’t hover on phone or Lotus Notes
Backdoor accounts with API keys or application passwords
Low bounce rate
Avoid generic addresses like sales@