Good morning, everybody. Good morning on day four of SHA2017. Our next speaker is Dr. Melanie Rieback. She is the CEO and co-founder of Radically Open Security, the world's first non-profit computer security consulting company. Not only was she named ICT Professional of the Year in 2010 and one of the most successful women in the Netherlands, but in 2016 she was also named one of the most inspiring women in tech. So give her a warm welcome.

Hello, can you guys hear me? Okay? Perfect. All right, I'm here with more stories. Last night I gave a talk that was a bit more of a personal nature; today I'm giving a talk that I think is a bit more of a technical nature. The story I'm going to tell today is basically a job that we performed for one of our customers. I do have permission to say who the customer is in this particular case: we were working with SURFnet. I had actually invited them to come and join us for this talk; unfortunately they were not able to physically be here. In either case, I do have a special guest who is going to join very briefly at the end. I'm going to tell a story about spear phishing: about the technical side of it, about the tooling side of it, and, a little bit surprisingly towards the end, a bit about the ethical and philosophical side of it, from the perspective of a security consultancy company.

So we will start at the beginning. We were asked to conduct their annual spear phishing test for 2016, and the situation was that they wanted us to so-called spear phish the entire organization. Yeah: spear phish 150 people. Okay, that's not really spear phishing, but nonetheless. And the definition of the job they wanted was a low-and-slow phishing attack. Low and slow, 150 people, you know, again... But yeah, these are lessons. Of course, us being incredibly bright-eyed and eager.
We're like, yes, of course we can do that.

So the way we started was by registering a domain. We wanted to come up with something fairly innocuous sounding, so we registered the domain clickanalytics.amsterdam. Actually the first use for the .amsterdam TLD I've ever had, but I love those new TLDs. Why click analytics? Because everybody is used to click trackers, and if you use something that sounds a bit analytics-y, then people might not think it's malicious. So that was our reasoning behind registering that particular domain.

Malware was out of scope. They basically said: look, if we click, we believe you can own us. But given that we want to check our entire staff and we want to keep the budget within certain constraints, we only want to look at click tracking and click percentages. So again, these are just the rules of the game, the rules of engagement. Another thing we did is set up a landing page that essentially just said "insert malicious code here" as a placeholder, because of course you could just as easily insert your client-side exploit there. But again, that was outside the rules of engagement for this particular assignment. They just wanted to know: are people going to click or not?

So, low and slow. We figured, okay, how do you do a low-and-slow phishing attack? Well, why don't we just start with one test subject? So we took our point of contact, and we knew he was incredibly into running. So we said, okay, low and slow, spear phishing, targeted: why don't we take a running newsletter, because we know he's super into running, so he's going to click on that, right?
So indeed, we subscribed to some running newsletters (Keep On Running, Pindanelle), just to see if we could use them. We took the running newsletter, manually scraped it, and converted the URLs so that if you clicked on them you would land on our click analytics tracking page. It took us about a day to put together a fairly good-looking pretext that was actually targeted at this particular guy. So, bright-eyed and bushy-tailed, we sent off the email and we waited. And we waited. Hmm. He didn't click.

And then we figured out this might be harder than we thought, especially if they want us to phish a hundred and fifty people. So, all right, what's plan B? If we think we have any hope at all of actually targeting a larger group of people, it's becoming evident that automation might be needed here. But of course then we start redefining the engagement somewhat, because at that point it becomes a little bit less spear phishing and a little bit more generic phishing. I mean, we're still trying to target it, but we're trying to target this mass group of people. So we came up with a new idea, and our idea was: well, what about spam?
Everybody receives it, sometimes people click on it depending on what the spam is, and nobody's going to think it's suspicious, because by definition spam is unwanted and annoying, and if people are annoyed by it, they're not going to be suspicious, right? We figured we could try; this is an experiment. Another thing about spam is that we receive a whole bunch of it. So what we can do is just take the spam we receive and write scripts to automatically instrument it, so that when you click on it, it goes to our landing page with the "insert malware here" placeholder. And voilà: if we just collect enough relevant pieces of spam, we can probably get a good part of the organization. So that was our thinking.

That leads to the question of how much you actually want to target. Spear phishing is by definition fairly hard, highly targeted. But what are the pros and cons of targeting?
The thing about spam is that spam is actually not always highly targeted. Sometimes spam is pretty generic, but people click on it anyway. And the thing is, if you do target somebody and they notice that something is wrong, they're going to get suspicious much faster. Whereas if you target somebody less and instead send something a bit more spammy, then if they notice something's wrong with it, well, there are spelling mistakes in half the spam emails we get anyway, or something's not entirely correct. So the truth of the matter is that more targeting is not actually always better. Again, these were some of the things we were experimenting with and learning during this job. So the question really became to what extent we should be targeting individual staff members versus coming up with more blanket, generic pretexts, so we can stay under the radar and just hope people are going to be kind of stupid and click anyway. Those are some of the questions we wanted to ask.

So we took a pretext. I apologize, the image quality isn't great, but we took one of those book bundles. I have to say we love book bundles; in fact I think I just recently purchased this hacking book bundle. Anyway, a lot of us like this kind of stuff. So we took one of these, a StoryBundle, scraped it, instrumented it, and sent it off to a group of people. What wound up happening was: people clicked. It was fairly generic, it was kind of spammy.
It wasn't really that targeted, but people liked it.

Another thing we did, and this is kind of evil, but I decided to do it anyway: we were dealing with SURFnet, and they're very much in the internet community. So at one point I decided we were going to take the invitation for the ISOC.nl nieuwjaarsborrel (the New Year's reception), instrument it, and send it. I told Michiel Leenaars that I was doing it and he kind of rolled his eyes at me. But we did it, and surprisingly, fewer people clicked. You would think: why? Because a lot of the people at SURF are actually going to this thing, and this is something that's more relevant to the community. But actually more people clicked on the pretext related to the book bundle. Why, I don't know. Just because something is somewhat highly targeted to the area people are working in doesn't always mean they're going to click more often. But to me at least this started to challenge some of my assumptions about phishing and targeting. So this was interesting.

So what wound up happening is... I decided to use screenshots today, because I don't feel like opening my email on a live stream. Only hackers are watching; what could happen? Sorry the image quality is so horrible, but this is a screenshot from Rocket.Chat, which is our working environment within Radically Open Security. I'm sorry this is barely readable, but the first thing I did here is execute a command using our chatbot that said: ROS bot shell command, create pretext, sha2017-volunteers. And I put in the URL https://sha2017.org/... let me actually read it from my screen.
Sorry. Yeah, /call-for-volunteers. And after that I put the sender email address, which is noreply@sha2017.org. So essentially what I did this morning is scrape the latest blog article from the SHA website, and I said: I want to take this website, scrape it, and turn it into a phishing mail with this pretext name, sha2017-volunteers. Sorry, this isn't really readable, but sha2017-volunteers is the name of the pretext. And then what we do is decouple the stored pretext, the creation of the pretext, from actually sending it, so we can create a database of targets using a list of group names and then send different pretexts to different groups at different times. That's the way we set up this spear phishing toolkit.

So what wound up happening then, if you could read this, is that it says "ROS bot: getting pretext". The first thing it does is pick up the page; you can see the call for volunteers right around here, so it's downloading the web page. Then I call another command, this ROS bot shell command, spearphish send. At this point we can either send to groups or to individuals. I wanted to send to myself, so I said: spearphish send sha2017-volunteers melanie@radicallyopensecurity.com. In this case I only wanted to send it to myself, so I did. The next thing that happens, and again, sorry, this is not very readable on the big screen, is that it says: melanie@radicallyopensecurity.com has hash number, and then the hash ID, with email melanie@radicallyopensecurity.com. And the next thing you see is: I received a click in a phishing email by melanie@radicallyopensecurity.com.
I received an image view in a phishing mail using the pretext sha2017-volunteers. And right here at the bottom it actually registered a second click: again, I received a click in a phishing mail by melanie@radicallyopensecurity.com.

So the way it actually works, and how I did it with SURFnet and also with other customers, is that we let the customers into the chat room, and the fun part is that they can watch while the people in their own organization are clicking. They can see it coming in in real time, which is really a lot of fun, and they can see who did the clicking, because in the URL all we're doing is hashing the pretext name and the sender email address. Based on that hash ID, which is stored in our database, we can look up which pretext it was and which email address it was, and then that gets rendered in the chat room in real time, more or less. So that's essentially how the spear phishing suite works.

So the actual email itself; this is a little bit easier to read. What you can see now is the blog post I was talking about from the SHA website. All the script we wrote did was scrape it and turn it into an email, and you can see that I was viewing this, I think, in Thunderbird. The sender email address should be what we specified, and we always use noreply@ and then choose your domain name, because that way, if people try to respond to it, they're not going to get anything. For the rest, all of the links, if you click on them, first go to our landing page, in this case clickanalytics.amsterdam. Of course in the future I'm not going to be using that one anymore, because I'm telling you guys what it is, but
you guys get the idea. So first it goes to clickanalytics.amsterdam, and the next thing it does is redirect to the actual content. At that point people are on the page where they expect to be.

Another thing that made things a little more complicated is that this really only works for HTML mails, because if people are using text-based email clients, or certain mail clients where HTML is turned off by default, then you can actually see the redirect through clickanalytics. It's a design decision whether or not you want to be able to operate with non-HTML mails. In our case, what we did is put in a warning: if somebody opened it in a non-HTML-compliant email reader, we just said, we're sorry, this email cannot be displayed because it is HTML; use another email client. We did that to prevent people with non-HTML clients from being able to see our landing page, just in case clickanalytics.amsterdam might make anybody suspicious.

All right. So with this toolkit we had a number of knobs we could turn in this experiment. It gave us the targeted-versus-non-targeted knob. Other things we could adjust were, for example, batch sizes, answering questions like: is it better
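The click-tracking scheme the talk describes (links rewritten to point at a landing domain, an opaque ID that the tracker resolves back to pretext and recipient, a redirect to the real content, an image view to count opens, and a plain-text fallback for non-HTML clients) can be sketched in a few dozen lines. The following is an added example written by the editor; it is not the Radically Open Security toolkit and not code from the talk. The tracker URL, the secret, the database layout and the sample HTML are all assumptions. It also goes slightly beyond what the talk describes in one respect: the tracking URL carries a keyed ID plus a link number rather than the destination URL itself, so the landing page cannot be abused as an open redirect and IDs cannot be enumerated by someone watching the logs.

```python
import hashlib
import hmac
import re
import sqlite3
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

# Assumed stand-ins: the landing domain and a per-engagement secret.
TRACKER = "https://clickanalytics.example/t"
SECRET = b"per-engagement-secret"

# Constructed sample of a scraped page (not the real SHA2017 call for volunteers).
SAMPLE_HTML = (
    '<p>Call for volunteers: <a href="https://example.org/volunteers">sign up</a> '
    'or read <a href="https://example.org/blog">the blog</a>.</p>'
)


def open_db():
    """In-memory store: who got which pretext, the links inside it, and events."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE targets(tid TEXT PRIMARY KEY, pretext TEXT, sender TEXT, recipient TEXT);
        CREATE TABLE links(tid TEXT, n INTEGER, url TEXT, PRIMARY KEY(tid, n));
        CREATE TABLE events(tid TEXT, kind TEXT, ip TEXT);
    """)
    return db


def tracking_id(pretext, sender, recipient):
    """Keyed hash of (pretext, sender, recipient): stable per target, not guessable."""
    data = f"{pretext}|{sender}|{recipient}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:16]


def instrument(db, html, pretext, sender, recipient):
    """Point every absolute link at the tracker and append a tracking pixel."""
    tid = tracking_id(pretext, sender, recipient)
    db.execute("INSERT OR REPLACE INTO targets VALUES (?,?,?,?)",
               (tid, pretext, sender, recipient))
    counter = iter(range(1, 10_000))

    def swap(match):
        n = next(counter)
        db.execute("INSERT OR REPLACE INTO links VALUES (?,?,?)", (tid, n, match.group(2)))
        return f'{match.group(1)}="{TRACKER}?id={tid}&l={n}"'

    body = re.sub(r'(href)="(https?://[^"]+)"', swap, html)
    body += f'<img src="{TRACKER}?id={tid}&ev=open" width="1" height="1" alt="">'
    return tid, body


def build_message(db, html, pretext, sender, recipient, subject):
    """multipart/alternative: tracked HTML plus a plain-text part that reveals nothing."""
    tid, body = instrument(db, html, pretext, sender, recipient)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content("Sorry, this email cannot be displayed; please use an HTML-capable client.")
    msg.add_alternative(body, subtype="html")
    return tid, msg


def handle_request(db, url, client_ip):
    """Tracker endpoint: log the event and return (status, redirect location)."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    tid = q.get("id", "")
    if db.execute("SELECT 1 FROM targets WHERE tid=?", (tid,)).fetchone() is None:
        return 404, None
    if q.get("ev") == "open":
        db.execute("INSERT INTO events VALUES (?,?,?)", (tid, "open", client_ip))
        return 200, None  # serve the 1x1 image
    dest = db.execute("SELECT url FROM links WHERE tid=? AND n=?",
                      (tid, int(q.get("l", 0)))).fetchone()
    if dest is None:
        return 404, None  # only URLs we instrumented ourselves are redirected to
    db.execute("INSERT INTO events VALUES (?,?,?)", (tid, "click", client_ip))
    return 302, dest[0]


def report(db):
    """Per-pretext counts of the kind shown in the talk's breakdown."""
    rows = db.execute("""
        SELECT t.pretext, COUNT(DISTINCT t.tid),
               COUNT(DISTINCT CASE WHEN e.kind='open' THEN e.tid END),
               COUNT(DISTINCT CASE WHEN e.kind='click' THEN e.tid END),
               COUNT(DISTINCT CASE WHEN e.kind='click' THEN e.ip END)
        FROM targets t LEFT JOIN events e ON e.tid = t.tid
        GROUP BY t.pretext""").fetchall()
    return {r[0]: {"targets": r[1], "opened": r[2], "clicked": r[3], "click_ips": r[4]}
            for r in rows}


if __name__ == "__main__":
    db = open_db()
    tid, msg = build_message(db, SAMPLE_HTML, "sha2017-volunteers",
                             "noreply@example.org", "alice@example.net", "Call for volunteers")
    print(msg)
    handle_request(db, f"{TRACKER}?id={tid}&ev=open", "198.51.100.7")
    print(handle_request(db, f"{TRACKER}?id={tid}&l=1", "198.51.100.7"))
    print(report(db))
```

Two things worth noticing when reading it against the talk: the text/plain part is the "sorry, this email cannot be displayed" fallback, so a text-only client never sees the landing domain, and an open is only ever counted when the client fetched the pixel, which is exactly why the later advice to disable default image loading blunts the "261 opened" style of measurement.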
to phish more people at once, with the risk that they're going to talk to each other? At the same time, phishing more people at once is also more efficient, and remember, we're trying to do this within a limited budget, so we can't spend unlimited amounts of time on this either. But of course that's exactly the same plight a real attacker has as well: you have to make trade-offs between how effectively you can phish somebody and the amount of time and effort you want to spend on it.

All right, so, surprise surprise: the number one most clicked pretext was a fake LinkedIn invitation. Again, we're talking about highly technical people. To me it was really surprising that when we sent a whole bunch of really targeted pretexts and then a whole bunch of really generic pretexts, what did people click on? Generic stuff. Even though they were highly technical, highly IT-savvy, actually reasonably security-savvy people. That to me was really a surprise. So that was certainly one of the lessons we learned. Perhaps it also makes you re-evaluate how you present things in your own phishing awareness sessions.
Maybe we're going to present some of this stuff. But the truth is, not only non-technical people but even highly technical people click on this kind of stuff too.

So, a detailed breakdown. Total target addresses: 145. In the end we did 14 mailings. Again, this is why we needed the automation: if we had tried doing 14 independent pretexts by hand, it would have taken us forever. That's why in the end we needed the scraping tools, being able to scrape pretexts automatically from websites, because that allowed us to create them really quickly. We sent 528 messages. 261 times these messages were opened, and we were able to see whether they were opened by image views: we had also instrumented the images in the HTML mails, in the same way spammers often do, so even if they didn't click, we could still see whether they opened the mail to look at it. Total clicks: 46. Unique click IP addresses: 29. And the most clicked pretext was LinkedIn, with eight clicks.

The funny thing was that the biggest problem we wound up having was the spam filter. I'm surprised. Yeah, but if you're trying to phish with spam, that's what happens. So what we wound up doing is we first started researching SPF values, to try and figure out how we could evade the spam filter. That was interesting. And we also found that the optimum batch size for phishing spam, so using spam to phish, was batches large enough to hit as many targets as possible without getting marked by the spam filter. Seriously. Again, this went in completely surprising directions while we were doing this job, but it makes sense when you think about it.

At first we were being really, really cautious, and then as the deadline towards the end of the phishing job came up, we started getting more and more aggressive, just because we wanted to know how far we could push this before people started noticing. We started getting a little bit ballsy, doing things that were a little bit more reckless, because, look, if they catch us, that's one of the end conditions of this phishing test. At some point we actually kind of want them to catch us, because we want to know how far we can push it. So at a certain point we started increasing the batch sizes, just to see whether they'd notice. That didn't really attract too much attention. What did attract attention the very first time, though, was sending a fake Mozilla security update to the CERT team. If we were really trying to be low and slow we wouldn't have done that, but we figured, yeah, let's see if they're paying attention. So we did that, and indeed they noticed. We wound up getting six clicks on the fake Mozilla security update, we presume from a sandboxed environment, and of course from the CERT team. The other thing is that we didn't really take much effort to hide our tracks. If you looked at the click analytics domain, it was registered to Radically Open Security. Look, if I were a real attacker, a malicious one, I would have gone to more effort to hide our identity. But the way I figured it, if they got suspicious, I wanted it to lead back to us quickly, so they could understand that it's a phishing test and we're not going to cause too much damage.
Hopefully, while they're trying to figure out what actually happened.

But then at one point things got a little bit out of control. So I guess first I'm going to tell my side of the story, and then I'm going to invite a special guest up on stage to tell his side of the story. There's this new media organization called SETUP in Utrecht, and they've got a lot of good connections with the SURF organization; there are a lot of people within SURF who are on the board, or who are members of SETUP, or who like them. So we figured, let's take SETUP and use them as a pretext, because again we were experimenting with targeting. We figured, what harm is it going to do? It's just going to stay within the SURF environment, SETUP probably won't even notice, and everything's going to be great. That's what we thought. Until it escaped. So I guess now is the time to invite him on stage to tell his side of the story.

Yes, that was fun. So it suddenly started with a tweet that we got, and we just thought, like... It said: hey SETUP, stop spamming us.
What's going on with your systems? We immediately felt quite ashamed, and I remember I thought: oh, I built the first version of our website, and it used to have this mailing module in Drupal, and I thought, maybe that's been abused. So I started going into the website, disabling modules from way back when, hoping that would fix it, while my colleague Frank Jan, our communication guy, was trying to communicate on Twitter and make everybody feel okay. We spent basically the afternoon trying to handle this and trying to understand what was going on, until we found out what the real cause was. And maybe I can go into a little bit of what happened after that: in the end it was really good for us, because SURFnet got in touch with us and we got in touch with them, and in the end they became the sponsor for the yearly privacy lecture we do. So that was a really good outcome for us: they said, no, we'll try to compensate you, and now they're doing it again this year, so it became a running thing. In the end it was really good for us, but that day was really like: what the hell is going on? So that's a bit my story. Anything else, maybe for the questions?

Yeah. That was kind of a stressful day for me too, because I was on my way back from a customer. I had just gotten off the train, I was just getting on the bus, and I got a phone call: Melanie, log into Rocket.Chat now. I was like, oh crap, what's going on? So I log in and it's sort of panic.
They're like: oh my god, we've been caught, and they're angry, and oh my god, legal action, and oh my god, I have to fix this. So I spent basically the first 24 hours on the phone with everybody. I was on the phone with SETUP, profusely apologizing. I was on the phone with the SURF organization, because what wound up happening is that people from SURF literally started posting on Twitter: SETUP, why are you spamming us? It's like, crap. So now I have to talk to everybody in the SURF organization who didn't know about the phishing test and tell them immediately what's going on, so they take stuff off Twitter. And at the same time, we're supposed to be the ethical security company here. Yeah. Oops. Sometimes we make mistakes too. So the first day was really just damage control, and once we got past the damage control... as he said, in the end, hopefully all's well that ends well. But we learned some lessons from it, lessons that I think everybody can learn from, and that we can carry forward to future engagements, to try and prevent making those same incredibly stupid mistakes again.

So that leads to the question of ethical issues as a security company conducting spear phishing attacks. I had never thought about this. If you are a security company and you are using other third parties as a pretext, is that okay?
Because basically what you're doing is stealing the identity of a third party who did not sign a waiver with you, and you're causing them some kind of reputational damage, even if you think it's not going to escape the environment of your customer. In this case I did not think it was going to escape the SURF environment, but it did, and that wound up causing some amount of damage. Thankfully, in the end it worked out. But the thing was, I did not ask SETUP in advance for their permission. Is that okay? I think actually, no, it's not okay. But it never occurred to me, because I just thought: everybody in the industry does this, right? This is normal. I didn't even think about it twice until the situation blew up in my face.

But then that leads to the question: if you're not going to use third parties as pretexts, then what are you going to use? You can use things from the target organization; that's reasonably safe, because the target organization themselves have signed a waiver with you. You can also make up pretexts, but that's expensive, because if you're actually going to pretend to be a fake organization, that means you need to create a plausible website for them and all the context surrounding it. And of course, who has the time and the budget for that? So it's actually kind of difficult. So the question really is: is there some way to solve this problem?
I can't really think of an easy way to solve it. Is it perhaps possible to get a group of organizations together that give each other permission to use each other as phishing pretexts, on the presumption that everybody needs to do phishing exercises occasionally, and that you may well want to use some low-hanging-fruit third parties as pretexts to get people to click? Perhaps, on a friendly basis, good organizations could agree to allow others to use their identity for each other's phishing mails. I don't know if anybody is going to care enough to want to start such an initiative, but it could be one possible solution. As you can see, it's actually quite a tricky problem, and I think it's something that at least I'd never heard anybody thinking about before. I'm hoping that perhaps after this talk I've stimulated this discussion, and you can think about it. If you have any answers for how to solve this ethical problem, I'm all ears; I want to hear it.

But then, back to the technical lessons learned. If you want to stop our phishing spam, there are a number of ways to do it. First of all, check SPF and DKIM values on your inbound mail. Another thing you can do to stop this kind of phishing attack, or at least hinder it, is to disable default image loading in email clients, for similar reasons to why you're trying to stop all the click analytics things that are going on for privacy reasons: it could very well be that malicious attackers are also using the same tools to see whether you're opening stuff or not.
So disabling image loading by default, but also disabling HTML in general, is not necessarily a bad idea. Flag newly registered domains as suspicious: clickanalytics.amsterdam, we only registered it a week before the job started, or maybe a week into the job. So watch for domains that are extremely new. Of course you see this more often anyway when you're dealing with things like fast-fluxing of domains; domain name generation is relevant for malware and IOCs anyway. But also for spam: if you see anything newly registered, that's perhaps a reason to red-flag it. Security awareness training: of course, at the end, if you're doing these kinds of things, it's good to give a presentation to inform your staff of what you just did and what lessons they can learn from it. In this particular case I wanted to give this talk to a wider audience as well, because I think there were a lot of interesting lessons from this that hopefully everyone can benefit from, even though some of the lessons were a little bit surprising. Of course, in the end, awareness training only gets you so far. One thing I really like to tell people is that a really well-crafted phishing attack, I would click on it, if it were really well crafted. The point is that you need to understand that awareness isn't enough; you need technical backups, you need defense in depth. Because ultimately, if somebody really wants to phish you, they're going to; it's just a matter of putting enough effort into constructing a believable pretext. So you want to pick off the low-hanging fruit, but you also want to understand that you need defense in depth, because it's not going to be foolproof. And also, monitor network traffic, which is actually kind of interesting for incident response later. Both with the fake Mozilla security update email and with what we did with SETUP, they actually went into their server logs and were able to do some amount of forensic analysis after the fact, at least SURFnet was, to try and figure out where this came from. If you're not doing the logging and the monitoring, then of course you're not going to be able to tell where this stuff came from. So again, those are just best practices that hopefully you can follow.

So yeah, anyway, I found this job to be extremely interesting. I hope you also found this presentation interesting, maybe you learned something, and if anybody has any comments or questions, I would be happy to take them right now.

Could you come closer to the mic? Okay, thank you. The first question: an ethical issue. I also perform such tests, and it's not covered: do you give the names of the employees who clicked on your phishing or spear phishing mails to your client or not? Because if the client gets the names of the employees who clicked, that can have a massive influence on those specific employees.

Okay, so I guess your question really is: should we be tracking the names of these people, in case naming and shaming is going to happen? Yeah. Yeah, I'm not a big fan of naming and shaming. I think that with these kinds of experiments, it could be a good thing to approach the people individually, privately, because I think some amount of personal feedback is maybe okay. An alternative is, after the landing page, instead of just having "insert malware here", you could have another page that explains: by the way,
This is was just a phishing test You know and you just clicked that could be maybe another way of handling the situation You know in a way that they get immediate feedback that oh crap. I just clicked, you know without actually having to Name and shame people. So I agree with you I mean, I think that calling people out in front of their colleagues is generally not a good idea But I also think that you don't have to I mean if I give a presentation like this I'd like to give aggregate statistics if people clicked they know who they are But I I usually don't think it's a good idea to try and embarrass anybody Yeah, sure, but that's more ethical than for me Can I use a linked in a content or facebook or whatever? Well, I mean, I think they're separate ethical issues, but yeah, thank you Next yeah so, um, basically a suggestion and a suggestion and a and a question so at first the suggestion So when it comes to the can we use other organizations? Well, uh, I've been I've been doing a like a Fishing exercise as well Where we not so much used another organization, but used the principle of word blindness So in case of your email errors, radical radical the sexy Just switch the d and the i made a great call the sexy And that gives you in a domain name just a large number of possibilities Which you can just use the typosquadding principle for fishing people and they will fall for that Without of course having to abuse other organizations And then for the question So, uh, I mean, of course you you are tracking all the other all the people that clicked and the images that have been gone Have you also considered like the the privacy implications of storing that information and how long you can store it for? Yeah, um, well, I consider that kind of information to be similar to generic pentesting information. 
I mean, obviously, both from the spirit of the law as well as the spirit of just trying to do things right, it's best not to retain personal data and customer data any longer than we have to. Periodically at Radically Open Security we go archiving and purging pentest repositories for our various customers. How long we keep it around usually tends to be how long we think we need it for. In the case of the spearphishing suite, we've basically taken the suite itself and kind of made it generic. Oh, I forgot to mention, by the way, we open-sourced this, so the actual toolkit itself is available on our GitHub. So if you go to radicallyopensecurity.com, I'm sorry, if you go to github.com/radicallyopensecurity, the spearphishing toolkit is actually on there. Well, people of course have also asked, do you feel it's ethical open-sourcing this toolkit? But yeah, well, I assume that the real attackers, the evil guys, have their own toolkits as well. So yeah, the generic stuff I try and separate out, and the actual customer data I try to purge every so often. If I think that they're going to want repeated retests or that kind of stuff, then I might keep it around a little bit longer. But yeah, to me that's more a generic data retention issue, not a phishing issue. Thank you.

Hi, Melanie. Once again a nice talk. A small technical question: you mentioned that you found 26 individual IP addresses from which there was clicked. Is that where it is from? I mean, I'm assuming they're not all from the organization itself, but from remote users, or what was that?

Yeah, I think it probably was a mix. Some of it I think was on their work machines or laptops, some of it was from their mobile devices. We saw a mix of clients.
I mean, obviously you can track that somewhat from the web logs from the landing page.

So doesn't that have implications for, say, the target's ability to do forensics on whatever they're sort of clicking on? Because it sounds like they would miss a lot of the activity of their staff.

How would they miss activity?

Well, if they're clicking from IP addresses that are not controlled by the organization. I mean, they don't control the 26 IP addresses, not all of them.

Yeah. Look, I think that basically, again, they were using multiple devices, and we can actually verify that anyway, because the hash that we were using basically translates back to the email address that we sent to the target. So we can see that multiple IP addresses are actually coming from a single email address, and we can see that one of them is maybe a MacBook Pro and the other one is an Android phone. That of course also gives us information about the platforms that the targets are using. Does it make our phishing any less effective? I don't think so.

I think that's very interesting additional information, but not the point I was looking at, and that is the opportunities that the target organization has to defend itself against these phishing attacks, because obviously they don't track all the click activity of their staff.

Oh yeah, I see what you mean. Yeah, well, any time you have multiple devices it makes monitoring and controlling things harder.

Okay, thanks for collaboration. Thank you. Next question.

Hi, thanks for the talk. What I've seen as sort of most effective at getting people where I work to click on emails has always been fake purchase orders, fake invoices, and with that you can actually target it to look like the type of customers they would typically have. Is that something you experimented with, with vendors?

In this particular case with SURFnet, no. With other customers I've had, yes. Yeah, again, it sort of depends on how we're doing the targeting. I think with this particular one we were being a little bit wild in our use of third parties, but again, the target was 150 employees. We've also done spear phishing where it actually really was spear phishing, and I was just targeting, for example, a support desk of an organization with real client-side malware, to actually be the first step of the kill chain. In those cases we're going to approach it really differently, and then we're going to try and usually use something that's a little bit closer to the organization. Yeah.

If a regular spam filter is already kind of a pain for people doing spear phishing, should we be training Bayesian filters specifically to spot spear phishing as distinct from other kinds of spam, and basically giving organizations a set of metrics like how many spear phishing emails are you getting right now, where are they coming from, how many people are opening them, and just get that view into the IT department?

Yeah, that is a super question. I never thought of it. I think to me that sounds like interesting research. Thank you. So no more questions? Okay, well, thank you guys so much for your time.

So I've got a question. I'm just curious how many of you are professionals in this field that do spear phishing? Can I see a small raise of hands? Do you do spear, are you involved in spear phishing activity, to pentest for example? Okay, so and what percentage of you use other organizations as a cover to do that? So if you raise your hands first, and then put them down if you don't. So could you raise your hand if you do spear phishing? All right, so that's, and then put them down if you don't do that. So, sorry, that's unclear. If you don't use other organizations, then you can put your hand down again. So I just want to see the hands up in the air of the people who do that, use other organizations. So that's only one.

I think his question is how many of you here use third parties as pretexts. Sorry, during your phishing. Too much beer. Raise your hand if you use third parties.

Thank you for saying that, and I'm curious to hear you guys talk about this, because of course, as an organization being used as a pretext, we were a little bit surprised. I'm a little surprised as well to hear that this is such a common practice. So I'm curious to hear other voices on the ethical question of that, because we did not like this at all.

So our red team engagements, our red team engagements are very much backed by governance and compliance that comes from...

Sorry, I can't understand what you're saying. Sorry.
I said our red team engagements are very much backed by compliance that comes from central government. So we roll all the way up the tree to, for example, the Bank of England, CSG, etc. So there's a degree of responsibility that flows all the way down. We've not had any instances where it's caused a specific problem, but on the other hand we also maintain quite a large stock of credible domains, credible assets, that sit outside either a real organization or outside the target organization.

Okay, and so with your case, you say there's some kind of chain of command, where the organization who you use as cover is somehow related to the organization you're testing, so then there's some kind of responsibility?

Or they certainly can be. It largely depends, but yeah, there are instances and opportunities to leverage that. If we're working for a bank, the chances are that they roll up to the Bank of England, for example. There are conversations that can be had, because we are trying to simulate as close to real world as possible.

And it's never blown up in your face?

Indeed, that does lead to opportunistic domain squatting by security companies, and I've seen this also happen multiple times.

So it's never blown up in our face. The most amusing incident was when we pretended to be an upstream ISP of our target, and essentially reported ourselves for phishing, just to see how that would work, and we ended up getting responses back that indicated that they thought we were the upstream ISP. So, but no, I've never seen it blow up.

I have a question: for the breach investigation, did you get the headers of the email? Like, before you started looking, if you were spamming actually SURFnet, have you looked, did you request them to send you the email that they were spammed with? Because then you would probably have seen that it was not you spamming, right?

That's a good question. I don't know, my colleague might have. I was more busy with trying to fix the web server, and he was more busy on that side of communicating with SURFnet. So I'm sorry, I can't answer that.

Yeah, as I understand things, they got the setup, got the technical details from SURF, and yes, SURF looked at the mail server headers, and we, again as I said before, made absolutely zero attempt at hiding our tracks. So it was obvious that we were using the Radically Open Security mail server. We made absolutely no attempt to cover this up. So yes, they noticed this extremely quickly. But yeah, all right, thank you.