Our speakers are, I want to say that's right, Yaiza Rubio and Félix Brezo. All right. Yaiza is an intelligence analyst with a background in information sciences, the defense industry and cybersecurity. Félix is a computer engineer with a PhD in computer science and telecommunications. They're well known as trainers of several law enforcement agencies in Europe regarding OSINT and also cryptocurrency research. Let's give them our attention. Their theme is "Heavy Diving for Credentials: Towards the Perfect Phishing".

So thank you for the presentation. It's great being here in Vegas. We're just trying to show you one of the latest pieces of research that we have performed at ElevenPaths regarding phishing techniques and phishing methodologies, just to try to make a phishing attack more anonymous and to try to protect the identity of the phisher, in this case the attacker. So we know that it is the last talk of the day and we know that it's going to be just about 30 minutes. So it's going to be great, and we're trying to do some exercises with you, with some board of tracks. Now we ask for your collaboration because we have prepared some exercises for you, and there is a prize of $25 for the winner, in bitcoins. In bitcoins. So maybe, if you're lucky, with the Bitcoin price rising at the moment it's not $25 but maybe $30 or $35. I think that it has increased quite a lot since yesterday.

First of all we need to know which infrastructure a phisher will need. So the typical phishing attack is always compounded by an infrastructure which has been rented, hacked or somewhat hired by the attacker. The attacker will clone the website just to try to imitate the real website, okay? The phishers usually try to register a domain that is similar to the original one, again as a trick to try to trick the victim. These links are also being served using social media platforms and emails.
From the point of view of the victim, the victim will connect to that fake website and the phisher will get the credentials, and then the phisher will be able to connect to the legitimate domain. The registration of the domain is a key point for researchers because the registrar will have the information about who has paid, and depending on the spreading method used, the attacker's identity could be exposed when he signs up on several platforms.

So from the point of view of the attacker, there are some problems that he has to face. First of all, the infrastructure that he has been using can say a lot about who he is, and this is something that he has to protect. He has to hide any kind of footprints that there may be in this process. So this is an important issue that we are going to face in this short talk. Related to creativity and credibility, each attacker will need to be as creative and credible as possible. So the point is that when spreading the malicious links you will have to find well-known platforms that will maximize the number of victims you want to get, if it is a massive phishing attack, or, if it is a spear-phishing attack, you want to make it as realistic as possible. So these issues are the ones that we are going to try to solve for a phisher in the following minutes.

The attacker's identity will need to be anonymous and thus we are going to run a hidden service in Tor. We are going to show you an example, but it is very easy. In fact, it's really easy. Have any of you deployed a hidden service once? It's really easy once you have Tor installed. First of all, we have to install Tor and then we have to deploy Tor as a service. The next thing that we need to do is just to verify that we are connected to Tor, so we can get our public IP address without being connected to Tor and then torify the connection.
We are running just the same command, but with torify, the torify command before it, just to send this connection through the Tor network. Really easy. Two commands to do it. Then we have to modify several lines; we have to uncomment two lines in the torrc file. Specifically, we have to uncomment these lines, HiddenServiceDir and HiddenServicePort. Two lines, two commands, so it's really easy. And then we have to restart Tor as a service again, because if not, the new configuration wouldn't have been loaded. So this is not a problem. What we are doing right now is starting an Apache2 server, which is the one that is being mapped to port 80, as we have seen in the configuration file. So it's quite straightforward now. If we want to know which hidden services we have, we have to go to the hidden service path and here we can find two files, and in one of these files, hostname, we can find our .onion address. So if we want to send a request to the .onion domain, if we did it with curl and the .onion domain, we will not be able to resolve that. But if we do it with torify, like in the example, we will be able to grab and collect all the information from that hidden service.

But with this approach we have a problem, because most users are normal users that do not use Tor. Yeah, so this is a point because although Tor users have increased quite a lot, there are several studies that say that even in the countries with more penetration, like Moldova and Iceland, Tor users only represent 300 users per 100,000 common online internet users. So the figure is unfortunately quite low. So we will have to find something different to try to make these hidden services available for a wider number of users. To solve this, Tor gateways: when we spread the malicious links through a social network, we can use a gateway to redirect the victims to our hidden service.
The point is that we are very lazy sometimes, and if we don't want to have Tor installed in our system to access a hidden service, we can use onion.to, onion.link, onion.plus, which are Tor gateways that will let you access these domains even if you don't have the Tor Browser Bundle installed or a Tor connection configured in your system. The point is that we found out, when we were doing this research, that some Tor gateways were providing additional information that we were not expecting, and we are using it for fun and for profit, maybe. What information is exposed by gateways? Okay. We are going to see it in an example that we have released; the source code we have released on GitHub, so you will be able to download it and perform your own tests.

Okay, so maximize. First of all, we are going to download the hidden service that we have prepared for this demo, and it's created with Tor and with Python and Stem. Stem is a library to interact with Tor from Python. What we are doing right now is deploying a very simple hidden service; the only thing that it does is just showing the headers that each and every request to this hidden service is sending. Why? We are going to see why. So it's very easy. You git clone it and you install the requirements and then you run Python and start the application. It's really easy to do. Then we are going to see which is the IP address of the victim. It's this, and then we are going to verify the connection with the aim of seeing the headers of this. So stop there. Stop there. So you can see there that the headers sent by a simple curl are almost five, five or four headers. So almost no information regarding the user that got connected to this domain using torify curl. But what happens when we do this using, stop there, when we do this using the onion.link platform?
Well, we can find something really interesting, because amongst the headers, one of the headers that was being sent is X-Real-IP. So onion.link was sending to the hidden service the real IP address of the guy that wanted to get connected to it. So you can think about how this information can be used if there is a user that is getting connected to, for instance, a pornographic website. The administrator of the pornographic website will know which is the real IP address of the guy. Tor was not intended to be used in that way, but if you use a Tor gateway, maybe your information can be exposed. So please avoid using them and download and install the Tor Browser Bundle or configure your own Tor connection, because you don't know what kind of information can be sent.

This first problem we have addressed, but we have a hidden service. We have a server that is exposed in a hidden service, and with a Tor gateway for the surface users. Yes, now we have deployed anonymous phishing, but now we have another problem. Now we have another problem related to the creativity and credibility of the attacks. So the problem is that onion links are too long, so it's very easy to see if you are being directed to an onion website. Well, there are some tricks that we are going to use just to try to make the deception better, okay?

First of all, we ask you to go to Kahoot. Does anyone know Kahoot.it? Kahoot.it is a platform that we are going to use to give you $25. So we encourage you to go to Kahoot.it. And the only thing that you will need is to insert the code that Yaiza is going to show you, because here we will ask you some questions regarding these facts. If you want to win the bitcoins, you will have to go to this platform, Kahoot.it. Wait there because we will need to show you the play. Okay, so you will need to insert the following PIN code that is going to be shown on the screen. And we are going to put you.
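An added example, not the code from the speakers' GitHub repository: a small Python parser that reads a raw HTTP request the way the Stem demo's hidden service would receive it and reports which headers carry the requester's address. The two requests are constructed for this example; X-Real-IP is the header the talk names, and the other forwarding headers are common reverse-proxy headers included as an assumption about what other gateways might add. 192.0.2.10 is a documentation address, not a real client.

```python
# Added example (not the talk's own hidden-service demo): parse a raw HTTP
# request and flag the headers through which a Tor gateway can expose the
# real client address to the hidden service operator.
from typing import Dict, Tuple

# X-Real-IP is the header the talk observed from onion.link; the others are
# standard proxy forwarding headers, included as an assumption about what
# other gateways might attach.
CLIENT_ADDRESS_HEADERS = ("x-real-ip", "x-forwarded-for", "forwarded", "via")


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into its request line and a header dict.

    Header names are lower-cased so lookups are case-insensitive, as HTTP requires.
    """
    head = raw.split("\r\n\r\n", 1)[0]          # ignore any body
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                             # skip blank or malformed lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def leaked_client_addresses(headers: Dict[str, str]) -> Dict[str, str]:
    """Return only the forwarding headers present, i.e. what a gateway exposed."""
    return {h: headers[h] for h in CLIENT_ADDRESS_HEADERS if h in headers}


def classify(raw: str) -> str:
    """One-line verdict for a request: direct Tor client or gateway with exposure."""
    _, headers = parse_request(raw)
    leaked = leaked_client_addresses(headers)
    if leaked:
        return "gateway request; client address exposed via " + ", ".join(sorted(leaked))
    return "direct Tor request; no client address in headers"


# Constructed sample 1: roughly what `torify curl` sends straight to the service.
DIRECT_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: exampleonion2345.onion\r\n"
    "User-Agent: curl/7.52.1\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Constructed sample 2: the same request relayed by a Tor2web-style gateway that
# appends the requester's public address (192.0.2.10 is a documentation address).
GATEWAY_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: exampleonion2345.onion\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "Accept: */*\r\n"
    "X-Real-IP: 192.0.2.10\r\n"
    "X-Forwarded-For: 192.0.2.10\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for sample in (DIRECT_REQUEST, GATEWAY_REQUEST):
        print(classify(sample))
```

A hidden-service operator who does not want this data can drop these headers at the web server or reverse proxy before they reach application logs; a user who wants the protection the talk recommends should reach the service through a Tor client rather than a gateway, since nothing on the client side can remove a header the gateway adds.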
I think that they are very easy challenges, but just the fastest one will be awarded with a $25 prize. Okay, so hold on a second. We are deploying it. If you are in Kahoot.it, it asks for a PIN. Insert the one that is there. We have here the PIN. Four, five. Kahoot.it. Okay, Kahoot.it. And we have to internally. So very simple PIN, four, five, eight, seven. Okay, and insert a nickname, whatever you want. The point is that it will be shown on the screen. Please do not use any kind of strange things. Okay, so, wait, wait. We have three users. We have three users. Now we are going to do a test. Have we understood the game? Okay, if you have understood the game, press yes, and if you don't understand the game, press no. Okay, four answers. For the moment. Any more answers? Okay, ask for six. Six, okay. Time's running out. Well, six answers. So most people, we have controls here. Most people have understood the game.

Okay, so we are going to put some challenges here. You have to pay attention to what we are going to see here, because the skills that we are going to show are the ones that we are implementing in the phishing attacks that we are using later, technically, okay? The next challenge is related to attention. In which quadrant is the only W in this image located? Okay, upper left. It's difficult, right? It's really difficult. Do you know why it's difficult? It's difficult because the letters are very similar. So this is a technique that most phishers tend to use when cybersquatting, when performing cybersquatting attacks, just trying to emulate the original domains of common trademarks. Some people change the M for R and N, so it looks the same in most browsers. So this is something that would be useful for us to see an appropriate phishing. Please don't close the app. Don't close the app. We are coming back in a couple of minutes. Okay? Okay. These types of practical exercises are needed when conducting a phishing attack.
But we have to improve the image of the .onion domain because it's so long. We have two approaches here. The typical approach is using a vanity domain; you know vanity Bitcoin addresses, where users tend to create a Bitcoin address that starts with a given word. We can do the same with onion domains. We can use tools like Shallot, which is available on GitHub, and just say to Shallot, okay, I want my domain to start with Twitter or Facebook or whatever, and we can let the tool try to generate as many onion domains as it can until it finds a domain that matches this approach. So this is one: generating vanity domains, okay? It may take a lot of time. In fact, we tried to do it with Twitter, which is six letters, and we were waiting for eight hours and we couldn't generate it on our computer. So it's a difficult task.

However, there is also another trick that simply works: using a subdomain before the blah, blah, blah, blah .onion. Now we are going to see one example with DuckDuckGo. DuckDuckGo is a search engine that many of you know. The point is that it also has a hidden service, a .onion version of the browser that can be reached only using Tor. Okay, we can see... This is the domain of DuckDuckGo. And we are going to do a very simple trick that many people don't know about onion domains, but that can be useful for us when we want to conduct a phishing attack, okay? We only have to put before it, for example, twitter.com.blah, blah, blah.onion, or another example, for example, facebook.com.has.blah, blah, blah, blah.onion. And you may be asking, is this happening only in DuckDuckGo? No, because the point is that for discovering where a hidden service is inside the Tor network, the only important part is the domain, not the subdomain, okay? So we can put whatever we want in the subdomain part.
So in our case, we would like to put some things that look like the original website just to trick the user. So for instance, if we want to emulate a Twitter domain, we can put twitter.com.blah, blah, blah.onion. Okay? So this is a very simple trick that simply works, and it is something that happens because of how Tor is structured and how Tor was conceived. So two approaches: vanity domains and this small trick with subdomains.

This problem we have addressed, but we have another problem related to spreading the attacks. So we're going back to the Kahoot. Just the ones that have taken part until now, go back to Kahoot, okay? We can see that Jmax is in the lead with 826 points and we're going to put two more challenges regarding misdirecting the attention of the victim, as usual, misdirecting, and the other one is regarding movement. So it is just a matter of answering the question that is appearing at the end of the video that you are going to see right now. Okay? Has anybody of you been in London before? Has anybody of you been in London? I have been in London, but only once. Okay, I'm sorry. I'm sorry, I was just tricking you, just trying to misdirect the attention, because the question that we are putting there is: what time was it on the Big Ben clock that was shown in the photo? Okay? So the trick is just a matter of misdirecting the attention, which we are going to do in the phishing. The answers are 6pm, 7pm, 9pm. If you have noticed, if you have remembered which was the hour on the clock, well, you should guess which is the correct answer, which was 8pm. Okay, sorry for the trick, okay? But misdirecting the attention is a very important issue when you want to conduct a phishing attack too, and we are going to go through a technique that works very well with this. The third challenge is the movement challenge, because the human mind and the human eye work in a way that makes slow changes very difficult to be noticed by the eye.
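As an added example (not part of the talk or its repository), here is a Python helper written from the URL-filtering side of the subdomain trick described above: it strips a gateway suffix such as .onion.link, keeps only the label that actually identifies the hidden service, and flags a subdomain prefix that imitates a registered domain. It generalizes the talk's 16-character addresses to the 56-character v3 addresses Tor introduced after this talk. The addresses, the gateway list and the set of TLD-like labels are constructed assumptions for the example.

```python
# Added example (not from the talk): canonicalize a .onion hostname for a URL
# filter or log-analysis pipeline, exposing the subdomain trick the talk describes.
import re
from typing import Dict, Optional

# Onion addresses are base32 (a-z, 2-7): 16 characters for v2, 56 for v3.
ONION_ADDRESS = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

# Tor2web-style gateways named in the talk: "<addr>.onion.link" is served as "<addr>.onion".
GATEWAY_SUFFIXES = ("onion.link", "onion.to", "onion.plus", "onion.guide")

# Labels that make a subdomain prefix read like a registered domain. Assumption
# for the example; a production filter would consult a public-suffix list.
TLD_LIKE_LABELS = {"com", "net", "org", "co", "io", "es", "uk"}


def analyse_onion_host(host: str) -> Dict[str, Optional[object]]:
    """Return the canonical hidden-service address plus the decorations around it."""
    host = host.lower().rstrip(".")
    via_gateway = None
    for suffix in GATEWAY_SUFFIXES:
        if host.endswith("." + suffix):
            via_gateway = suffix
            # Peel the gateway suffix so the rest parses like a native .onion name.
            host = host[: -len(suffix)] + "onion"
            break
    labels = host.split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        return {"is_onion": False}
    address = labels[-2]          # the only label Tor uses to locate the service
    prefix = labels[:-2]          # everything before it is attacker-chosen decoration
    return {
        "is_onion": True,
        "canonical": address + ".onion",
        "version": 2 if len(address) == 16 else 3 if len(address) == 56 else None,
        "valid_address": bool(ONION_ADDRESS.match(address)),
        "subdomain_prefix": ".".join(prefix),
        "via_gateway": via_gateway,
        "lookalike_prefix": any(label in TLD_LIKE_LABELS for label in prefix),
    }


# Constructed sample addresses (valid base32 shape, not real services).
V2_SAMPLE = "exampleonion2345"
V3_SAMPLE = "abcdefghijklmnopqrstuvwxyz234567" "abcdefghijklmnopqrstuvwx"

SAMPLE_HOSTS = [
    f"twitter.com.{V2_SAMPLE}.onion",            # subdomain trick, native .onion
    f"{V2_SAMPLE}.onion.link",                    # plain address through a gateway
    f"facebook.com.has.{V3_SAMPLE}.onion.plus",   # both tricks, v3 address
    "duckduckgo.com",                             # ordinary clearnet host
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, "->", analyse_onion_host(h))
```

The useful output for a defender is the `canonical` field: two links that look like different sites but share it point at the same hidden service, and a non-empty `lookalike_prefix` on a `.onion` or gateway host is a strong signal that the prefix exists only to impersonate a brand.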
The question is, in the photo? They are going to start changing right now. Keep an eye on the photo, keep an eye on the photo. Keep an eye on the photo and try to find the elements that are being changed. Okay, keep an eye. Have you seen them? Have you seen any of them? Have you seen any changes in the photo? No changes in the photo? Well, at least... From 0 to 3? Okay, there are some changes. The plane has been removed, the factory was removed, the colors of the houses were changed. There were some windows that were changing too. The point is that the changes were taking place slowly. So they were taking place slowly and it was really difficult for us to see the difference. If something happens very quickly, it's very easy to notice. So these two... By the way, Jmax, which one is Jmax? Okay, Jmax, congratulations. You have been awarded with $25, about $25 in bitcoins. We will pay for them at the end of the talk.

But the point is that these two ideas, movement and misdirection, are really important for conducting an appropriate phishing. And there is a technique that can help us, like reverse tabnabbing. But what is reverse tabnabbing? It consists of modifying the content of the browser tab that stays in the background, so that when the user goes back to the tab, he will be on another website controlled by the attacker. So the idea can be implemented really easily with just... And it's through a couple of lines of JavaScript code. You can copy that JavaScript code. We have some PoCs that we are going to see in a few seconds. And it's really easy. What we are doing here is just exploiting the way in which new links are being opened in new tabs. Some websites like Google Plus are not properly configured to prevent a newly opened tab from modifying the original tab in which it was clicked. We are going to see it with an example. Now we are going to see how it works in Google Plus. First of all, we have published, on our own website, a PoC.
This PoC, this URL: when the user presses on it, he will be redirected to defcon.org, for example, but the previous tab has been changed. So this is an issue because any link that is opened into a new tab in Google Plus... This does not work, for example, in Twitter, because they are protected, or in Instagram, because they are protected; in the original Facebook website it doesn't work either, but it works in the mobile version of Facebook. It works in the Outlook Web App light version. It works in the mail.ru light application. And it used to work even in LinkedIn until we reported all these small bugs to them. LinkedIn thought that it was not a security issue. The point is that many platforms have already modified it, and they answered that this is something that cannot be prevented. In two weeks' time, they modified it, and they said nothing to us. So please say hello or something.

Now we are going to put all the pieces together with the problems we have seen before. Now we are going to see the PoC, the final PoC with all of these parts. The parts of the demo are three. First of all, we have to create a malicious website with the malicious link in a hidden service. So if we have a hidden service, it's okay, but we would only be targeting Tor users now, and we don't want that. We want common users, normal users, to be vulnerable to this issue. So what can we do? We have seen it: using a Tor gateway, like onion.link, onion.to, onion.plus, or whatever. And we are sending the URL to a common platform; in this case, it is Google Plus. The publication on Google Plus will have to be relevant for the user, with the aim that he spends some time there. And then he will be redirected to... while he reads all the news and all the articles. What happens in the background? In this case, he will be redirected to The Telegraph, and the previous tab will have been changed to the phishing domain, with the phishing that will be hosted in a hidden service using onion.link, onion.whatever.
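An added example from the defender's side, not the speakers' PoC: a Python audit that walks an HTML page and lists the anchors that open a new tab without a `rel` that severs `window.opener`, which is the misconfiguration the talk describes on Google Plus and the light web-mail clients, plus a helper that produces the hardened `rel` value a platform would serve instead. The sample page is constructed; `example.org` URLs are placeholders.

```python
# Added example (not the talk's PoC): find target="_blank" anchors that leave
# window.opener reachable, i.e. the condition reverse tabnabbing relies on.
from html.parser import HTMLParser
from typing import Dict, List, Optional

# rel tokens that cut the opener reference: noopener is the direct fix and
# noreferrer implies it in browsers that implement both.
SAFE_REL_TOKENS = {"noopener", "noreferrer"}


class TabnabbingAuditor(HTMLParser):
    """Collects <a target="_blank"> anchors whose rel keeps window.opener alive."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "a":
            return
        a = {name.lower(): (value or "") for name, value in attrs}
        if a.get("target", "").lower() != "_blank":
            return  # same-tab navigation gives the new page no opener to abuse
        rel_tokens = set(a.get("rel", "").lower().split())
        if not rel_tokens & SAFE_REL_TOKENS:
            self.findings.append({"href": a.get("href", ""), "rel": a.get("rel", "")})


def audit_html(html: str) -> List[str]:
    """Return the hrefs of anchors that would let a new tab rewrite this page."""
    parser = TabnabbingAuditor()
    parser.feed(html)
    parser.close()
    return [f["href"] for f in parser.findings]


def hardened_rel(rel: Optional[str]) -> str:
    """Add the protective tokens to an existing rel value without dropping the rest."""
    tokens = (rel or "").split()
    for needed in ("noopener", "noreferrer"):
        if needed not in tokens:
            tokens.append(needed)
    return " ".join(tokens)


# Constructed post with four outbound links, two of them exploitable.
SAMPLE_PAGE = """
<html><body>
<p>Constructed social-network post with outbound links.</p>
<a href="https://example.org/article" target="_blank">new tab, no rel</a>
<a href="https://example.org/safe" target="_blank" rel="noopener noreferrer">hardened</a>
<a href="https://example.org/same-tab">same tab, not affected</a>
<a href="https://example.org/nofollow-only" target="_blank" rel="nofollow">rel without noopener</a>
</body></html>
"""

if __name__ == "__main__":
    for href in audit_html(SAMPLE_PAGE):
        print("exploitable link:", href)
    print(hardened_rel("nofollow"))
```

A platform that renders user-submitted links should apply `hardened_rel` at render time rather than trusting the submitted markup. Most current browsers now treat `target="_blank"` as `noopener` by default, so this audit matters for older browsers and for links the page opens itself with `window.open`, where the same opener relationship exists unless the feature string asks for `noopener`.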
So we are going to see it and we are going to analyze the consequences of this approach. So in the example, we are sending a URL with something that we find can be clicked by lots of people. So when the user clicks on it, The Telegraph article is there. The user is reading that. And what has happened before, in the previous tab, in the tab in which the Google Plus publication was? It has been changed to a hidden service. So from our point of view, it's really good, because we have deployed a hidden service. We have deployed a phishing website in a hidden service. And when the researcher wants to... Who is behind that? Who is behind this attack? I want to close down that phishing website. He can't, because he doesn't know where the hidden service is located. Why? Because it is on Tor. So it's a nice approach, just combining different techniques, reverse tabnabbing and Tor gateways and Tor. And this is really nice because phishers will be somewhat protected.

But it's true, we have to recognize that this has some limitations. Still the onion links are too long, so we have to fight with that. Tor gateways are sometimes too slow and unstable and may become too clear an indicator of the attack. Yeah, so these websites are not always as fast as we expected. If you are used to Tor connections, Tor connections are sometimes slow. So we have to find an article in which the user will spend at least some seconds until the fake website is being loaded. And what else? And the other one? Okay, we have published the link on a social network with our own user. So this is still a problem, because I will need to find a social network and a social profile that has to be created anonymously so as to be perfectly anonymous. So this is still an issue that has to be dealt with. There are a lot of Tor gateways like onion.plus or onion.link or onion.to.
The best gateways to do this attack, in our opinion, are onion.plus or onion.link, because they permit .onion subdomains and leak personal information about the victim. Yeah, because onion.to, onion.guide and so on, when you use the subdomain trick, they raise an SSL error and so on, so they are not as good as the other ones. But meanwhile, onion.link and onion.plus are good approaches to perform this phishing. So that's everything from our side. I think that all of us want to go out tonight and it's so late. We are hungry. Even for Spanish guys, who tend to have dinner too late. So we are waiting for your questions and comments, and anyway, you can contact us later. Thank you so much for attending.