I'm going to introduce Nathan Sweaney. It looks like Sweeney, but it's really Sweaney. And he is our next speaker. Thank you all. And have a good con.

Well, thanks for coming, everybody. Find the right spot to stand. Before I get started, I wanted to talk a little bit to get an idea just who's in the audience. So I'm curious how many people are full-time red team. That's what you do. Okay. How many people are full-time blue team? Okay, get out. How many people use phishing regularly, on a regular basis? Okay. Good number. So I like cooperative, collaborative, whatever you want to call it, conversation-style speaking. So if you have questions, raise your hand, stand up, heckle me, whatever. Don't necessarily hold them till the end. If you think what I'm saying is stupid or wrong, throw it out there and let's talk about it. I may have even... My hometown newspaper, when I was growing up, had a little thing on one of the back pages that said, you know, we know some people just like to find mistakes, so we put a mistake in here somewhere. If you can point it out to us, that'd be great. So if you find something that I spelled wrong or whatever, throw it out there.

So, "Phishing with the Pros": the idea of this talk is based on tips and tricks, things that we can do to make phishing more effective. You know, we all have a goal that we're trying to get across, something we're trying to do when we phish. So I just kind of wanted to provide some stuff based on my experiences over the years of doing phishing for a wide range of clients. And I don't know how it looks out there. I think it'll be fine, but my slides are kind of compressed. We were trying to figure out the whole resolution thing. So if things look weird, I apologize. We'll figure it out as we go.

So this is me. I'm a security consultant with a company called Secure Ideas. We do offensive testing, general consulting. We do a lot of training, stuff like that. This is my crew. It's not really.
It's a family I rented at some local church. Had a deal: you can donate and get a family to take a picture with on Easter. I'm also one of the members, one of the organizers, of the BSides OK organizer team. Is anybody from Oklahoma here? Good. They all said they were going to come and heckle me. I wasn't sure if that would happen or not. But I think it's one of the best BSides in the country. You know, whatever. @sweaney is me on Twitter. I've got a great story of how I got that from a neo-Nazi. I'll tell that some other time. And then I'm also the only Nathan Sweaney in the world. So if you can figure out how to spell my name, I'm pretty much an open book. You can find all kinds of information about me.

But at Secure Ideas, we do a lot of testing, a lot of pen testing, a lot of red team stuff, a lot of different things for really, really big customers, you know, Fortune 50 type customers, and we do stuff for really small customers. And so we've had a lot of experience over the years in seeing the good, the bad, the ugly, what works, what doesn't, and that sort of thing. So that's kind of my goal for this talk.

The obligatory agenda slide. I kind of broke this down into four main sections. We're going to talk about campaign design, right, as you're setting up your phish: considerations, things to take into consideration for designing. Targeting: who we're actually sending the phish to, how to select the best people, how to do all that. Infrastructure setup: things you'll need. And then some tips and tricks on bypassing defenses and having stuff be successful.

So before we get into that, though, I want to talk about why phishing. Why send phishing? It works. You saw my slides. So I will tell you too, you know, I come at this from a corporate perspective.
I know that there's a lot of people that are maybe on the other side of the ethical discussion of, you know, hey, we're sending phishing because we're a bad guy and we're trying to get somebody to join our botnet or whatever. I don't have that experience, so I'm definitely not going to come at it from that. I think my advice probably still fits in those scenarios, but there may be some differences. When I look at phishing, I'm looking at it from a perspective of, I'm trying to help test the security controls of a company. I'm trying to figure out, okay, how do we simulate what a bad guy is actually going to do so that we can protect people, right, so that we can make things better?

So why phishing? Because meatware is vulnerable, right? There's lots of other talks about software and hardware and how to fix those. The meatware is always going to be vulnerable. People are always going to be... I used to say people are always going to be the weakest link. What I've discovered over time, and this is an extra, this has nothing to do with the talk: people can be the weakest link or they can be one of the greatest assets, one of the greatest security controls. If you properly train your people and help them understand that they are a target, help them understand what their role is, use things like phishing attacks to train them as part of a more comprehensive user awareness program, what you'll find, and we've seen this at large organizations that do it well, is that as soon as those attacks start happening, your meatware starts triggering and they can notify you, and that allows the blue team to respond faster. And so ultimately, from my perspective, the goal of the red team is to make the blue team better. So that's one of the reasons.

Also, recent breaches. How many recent breaches started with some type of phishing?
I don't know stats, I don't like stats, stats can be used for anything, but if you look at large breaches, a lot of them start with some type of social engineering attack. They're going after users. We figured out it's not like 20 years ago where we could just pop some server on the external network and then get into the internal. So we want to be able to, as much as possible, simulate actual attacks that are happening.

User awareness training, I've already talked about that, trying to make things better. There's a lot of people that do phishing just as a, hey, we're going to send this phish to the whole organization. We're going to do this quarterly, monthly, semi-annually, whatever. And then they never do anything with it, right? You go get your KnowBe4 license and you're all excited and you send phishes and it pisses people off and whatever. And you get to have something you can show the executives of, look, here's how bad we are and why you need it, but a lot of people don't take it the next step of saying, okay, this should be part of the education program. We want to, as part of our user awareness training, explain to people, hey, here's this phish we sent. Here are the results. And be able to show, you know what, over a three-month, six-month, twelve-month period, here's how things have gotten better. Here's how people are getting better educated.

And then also, executive impact. I tell people sometimes, like when we're consulting, sometimes you need a hammer, right? They may pay you 80 to $100,000 a year and you say the same thing over and over and over again. I come in and they pay me 20 grand for a week and I say the exact same thing you've been saying and all of a sudden I'm the voice of God because I'm the external third party, right? Sometimes if I have to be a hammer, use me as a hammer. Sometimes that's what phishing has to be. Sometimes we tell the people, hey, this is vulnerable, this could happen, this could happen.
Sometimes the executives need to see that report that says, you know, wow, we sent this phish and 95% of our users clicked this and installed it or whatever. Sorry, I took notes and I don't always remember what they're about.

One thing we've got to keep in mind is that phishing is sexy, phishing is fun, it's exciting. I mean, any kind of red team stuff a lot of times is really cool. It's really easy to get lost in the sexiness. It's easy to get lost in the hey, look what I can do, and lose track of the here's why I'm doing this. And so you're going to hear me say a lot through this talk: you've got to think about what your goal is, think about what your purpose is, what are you trying to accomplish with this test, and that should focus everything else you do.

So in this talk I'm also going to talk about some of the latest, greatest executable payloads, the coolest and most amazing things you can do. Not really. There are lots of other talks of, you know, this exploit or that thing, how to bypass this. We're going to talk around some of that. This is not a talk where I'm going to tell you, you know, hey, here's this amazing new thing you can do with Word to bypass everything and it's awesome. The reason is that stuff changes all the time, and as part of a red team engagement, part of that is understanding that you have to keep up with what's going on. You have to be able to know, you know, hey, here's this technique, it was discovered and maybe it's useful for two weeks or six weeks or whatever before, you know, the AV companies start to block it or the anti-spam people start to block it or whatever. So anyway, moving on. Let's get into the actual exciting stuff.

So, campaign design. One of the most important things that we need to do as part of phishing is just look through, try to think of different things that we can use to get people to do something. I want to walk through some different areas and I want to talk about goals. What is the org hoping to get?
Whether it's you internally that is doing the phishing, whether it's, you know, you're doing it for a third party or whatever, you need to think through what is your goal, what are they trying to get out of it? Is this a goal-oriented test or is this user awareness training? I talked about that a little bit. A goal-oriented test, like a penetration test, think a red team: I want to make something happen. I want to get a user to let me have access. I want to get access to this particular piece of data. I want to demonstrate, you know, hey, because I send these emails, because I can get in here, I'm able to get access to your, you know, secret recipe for your, you know, 11 herbs and spices or whatever, and this is what happens. You've got to think through, as you're designing the campaign, what am I trying to get at for that?

It's also important to think about the consideration of white box, gray box, black box. In this crowd, a lot of times we look at red teaming and we think, well, it has to be black box, right? That's just what it is. It's always black box. That's not always the case. I really like the concept of purple teaming and I don't think we need to get too much into that, but the idea of combining blue team and red team working together: in a lot of your phishing scenarios, if you have conversations either directly with the blue team or with other people in the organization and talk about, okay, what are the actual security controls in place? What do we want to test? Sometimes you may want to do an actual full red box, I'm sorry, black box test to be able to simulate here's what an attack would look like, we know nothing, this is what's going on. Most organizations are not ready for that. How many people feel confident that your organization's blue team is mature enough and ready enough that they'll block your testing and you don't have to worry about anything getting through? Anybody?
I know, like, we have two customers that I can think of offhand, both extremely large customers, probably 95% of the tests we send them, they block, or at least they catch it within 15 minutes. For those guys, black box tests really, really work because they're wanting unannounced, you know, they're doing stuff right all the time, every day. Most people are not ready for that. The vast majority of people, you've got controls in place, you know the controls break, you know things don't work, you know people don't do what they're supposed to do. Let's test the actual controls and not waste our time trying to just say, hey, look at this cool new thing I did and nobody knew about it.

And that flows into the idea of levels of simulation, right? As a red team we're trying to simulate an actual attacker. So there are different levels of simulation that you want to do. What are the security controls you have in place? Anti-spam, anti-malware, content filtering, users responding and detecting and reporting something, those are all different types of controls you have in place, so you need to think through as you're designing your campaign: okay, this particular control, how am I going to test that? Sometimes it makes sense to do different levels of simulation and say, hey, we're going to send these emails and we're going to generate a bunch of different emails and we're going to do A/B type testing. Does everybody know what that is? A/B testing, where you say, hey, you know, here's this, and then we're going to modify it and have a slightly different version, modify it and have a slightly different version, and maybe we send five or six and then we see which ones get through and then we use that to take that to the next round of testing and modify it a little bit more. That's very much a white box concept and not something most people consider with phishing, but sometimes it's the most appropriate for the organization.

You also need to think about the desired outcome.
So what are you trying to get your user to do? You know, when I send this phish, my victim receives it. What do I expect them to do? What are examples? What would you expect out of a phish? What would you hope to see a user do? Somebody. Report it. Okay. Ideally, yes. Put on your black hat now. Think about it from the bad guy, right? Click a link, right? Click the link to a malicious site. That was not a plant. Okay. Open an attachment. Wait. Download and execute a file. Good job. What else? Credentials. Credentials. You're too far. What else? Remote access. Provide me remote access somehow. That kind of goes along with executing a file. It may not. Providing credentials was the next one, though. Good job. Nice. So what, any others? Transfer money. Perform an action. I didn't actually get that on there. Good job. You get a prize. What else? Compromise username and password with one of the links? Like what do you mean? Like on a site? Like they provide their credentials? Yeah, I kind of put that with credentials. We've got some examples of that. Anything else you can think of? Forward it. That's a good idea. I like that.

Hold on. I've got to tell a story. So we sent this file, and I'll give you an example of it later, to a company. And we had one guy, because a lot of times they'll open it, it was a malicious Excel file. It connected back with Empire. This one dude opened it from like six different places. He opened it on his computer. It didn't work right. He sent it to his other work computer. He sent it home. He sent it to his wife. She opened it at her work. This guy was really, really excited to open the file. And you'll understand why here in a little bit. Yeah, if you can do that, sometimes that's good. Sometimes you don't want that. Why would I maybe not want it to be forwarded to other people? Scope. That's a good point, right? You've got to think about what's in scope for my testing.
I don't want it to be opened at my wife's work computer, or my victim's wife's computer. What else? They know what's up, right? As soon as stuff like that starts getting forwarded around, it's much more likely to get forwarded to the blue team to say, what's going on? This is not good. What else? What? Noise? What do you mean? Noise on the network. That's what you're trying to generate, or is that what... That's why you don't want it forwarded. That's why you don't want it forwarded. What else? What did you say? Yeah, yeah, yeah. That's a good point. Providing information about the infrastructure. Yeah, getting feedback, stuff like that. You're saying as far as a desired outcome, like that may be something you're wanting to get. Yeah, I don't know if I included... I'll come back to that idea later.

So, there are times when we're doing a test, and usually it's more of a larger social engineering engagement, where we will use either voice calls, vishing, phishing, or something else, just to get information to better feed into the actual phishing test that we're trying to do. I've got a little bit more on that later, but that's a good thing. What's another desired outcome? I've got one more that nobody's mentioned. What's that? Like trying to figure out who the positive targets are. Yeah. So, you're wanting to determine who's more vulnerable than others. Yeah, especially as part of a large scale like, hey, we've got a thousand employees, we're going to send this to all thousand employees to see which ones respond. That's build trust. That actually is on my list. That's not the next one, but building rapport. I'll come back to that. What? Say it again? I want them to reply to the message. Yeah, absolutely. Maybe I'm trying to build rapport.

So, cross-site scripting is one that nobody's thought about. Why would... What does cross-site scripting have to do with phishing? Possible? What if I have Responder?
Okay, so if you don't know, is anybody not familiar with Responder at all? Good, okay. So, Responder is, and this is getting a little bit off topic, but it's an LLMNR spoofing tool. LLMNR, think like NetBIOS or similar to DNS. The idea is that when somebody's on the network and they say, I want to connect to this computer name, Windows will send out an LLMNR request or maybe a NetBIOS request and say, okay, who's got this? Where's this IP? What Responder does is it just listens on the local network and when it sees those requests, it says, oh, yep, that's me. Here you go. Here's my IP. Connect back to me. And the reason that's cool is because then that computer that was requesting it will make some type of connection to the Responder box. SMB, maybe it's HTTP, maybe it's an LDAP connection, some type of connection back to your box. And as part of that, it'll pass along their NTLM credentials, which can then be forwarded to other servers. It's a great way to do SMB relay. There's lots of other talks you can read about that.

But here's what's cool. If I've got a Responder box listening somewhere on your network, I don't always get connections back to it. Sometimes it's hard to get those NTLM authentication requests. But if I send a phishing email to a sysadmin with a link that has cross-site scripting or whatever, basically I can do different things that will... maybe you have cross-site scripting on an internal portal site, or maybe it's a page he normally goes to and he trusts, he goes to that page, the cross-site scripting then can send a request back to my Responder and I can grab his hash, basically, or forward it through. So again, you're thinking through not just a simple hey, I want him to do this one thing, but maybe I'm trying to chain it together as part of another attack.

Establishing rapport was brought up by a couple of different people.
The idea of I want to get somebody to think about something, I want to get them to do something, I want to get them to trust me. Does anybody listen to Darknet Diaries? The podcast? It's a really fun podcast. I can't remember the gentleman's name. Does anybody know? Jack Rhysider. He does a really good job. Does it seem like he should be on NPR? Like he's got that NPR voice, right? It's just like I listen to it. I'm like, this guy should be on NPR. He did an episode with Jek Hyde. She's not in here, is she? Okay, I thought that would be odd. Does anybody listen to that episode? Okay, so here's what happened. They set up, she was doing a red team for some organization in another country, and her and a coworker basically sent this email back and forth to themselves talking about this trip: we're going down, we're going to go to this other country, it'd be really cool if we could meet some people from our own company there while we were there for this conference, blah blah blah, and they built this whole chain back and forth and then they forwarded it to some folks in the company that they were targeting. And there's all this chain and all this kind of trust built into it. They forwarded it to these people and said, hey, we're going to be in your country, we'd love to meet you, blah blah blah, and they started building the conversation that way. There was nothing malicious in the email, they weren't trying to get them to do anything, all they were trying to do is start a relationship of saying, hey, we're going to be down there, let's hook up, let's talk, let's do whatever. Eventually, once they got there, the people in the other country actually invited them into the company and did a tour of their office space and showed them in and gave them the opportunity to plug in a device on the internal network, stuff like that. That is part of more of a large-scale social engineering, but that might be why you're using phishing. Any other examples you can think of?
CSRF, cross-site request forgery? Yeah, absolutely. Did I include that? I include that somewhere in my slides and I don't remember where, but I'm going to tell you a great story. We're going to go in and prompt you here. Shoot. Alright, let's call this a friend... DA, right? You guys know what that is? I think I can tell this story. Several years ago, several years ago, I did a test of a large identity provider system, an identity and access management system. I won't say who they are, but it's three letters. This tool, I'm thinking like, hey, we're doing this web app pen test, these guys are huge, there's not going to be any, I mean, it's a security company, right? They're not going to have any flaws. Oh my gosh, the most unbelievable. It was like checking off the list of the OWASP Top Ten, right? Got it, got it, got it. This tool, the way it was designed, is it interacted with Active Directory and allowed people to say, hey, this person needs to be added to this group, send the request, that would go to a team who has the ability to, you know, the change management process, they could approve that and all this. So effectively, if I had access, I could add somebody to the Domain Admins group with this tool. Well, what's really cool is the tool, as part of it, when a request was made it would send an email to everybody that had the authority to do that thing, or that was in that list, it would send them an email saying hey, so-and-so needs to do this, blah blah blah, click this link to authorize it. They would click the link, they'd go to the site, they would log in, so they had been teaching their people to receive these HTML emails with this link to go to this thing and do this. On top of that, this application had cross-site request forgery.
So we were able to forge a link that would add a user to the Domain Admins group, send a phishing email to some of the admins, it looks like every other one they got, they're used to it, they click the link to go to the page and log in and check it out, and it added our user to the Domain Admins group. Like, that's a really cool phish, we don't see that very often, but that's a good one. Alright, let's move on.

So, ruse considerations. The ruse: what we're actually doing, what we're going to put. There's several things to think about here. I like to use current events. Things that are going on in time right now. One of my favorites ever, and this is the one that the guy sent to six different computers: you remember when Trump was first elected? What was that? 2016? What was everybody concerned about? Like in January, what was the big thing? Nobody remembers. Benefits, right? He's going to take away health insurance, and I don't remember all the hubbub, but everybody was concerned about benefits. So we were doing a test for an organization. It was a large university and we sent a relatively small phishing attack. I think we had about 50 users, 15, 75, somewhere in there. And the email said something along the lines of, you know, hey, we've already worked out our benefits for next year. Everybody's already signed it, but due to recent changes in Washington with the Trump administration, there's been changes to our benefits. Unfortunately, we've tried to minimize the impact. Unfortunately, some people are going to lose some benefits. The price is going to be raised for some people. Attached as an Excel document summarizes the changes. Please review this, blah, blah, blah. That is a fantastic example of using a current event, especially something that's emotionally charged. Anytime we see big attacks, right, like there's a shooting or, you know, anything that happens in the news, those types of events are great for phishing because people stop thinking.
They, well, I'm going to talk in a little bit about some of the psychology, that people quit thinking about what they're supposed to do and they react emotionally. Unfortunately, as red teamers, to simulate those attacks, we have to kind of use that as well.

Holidays is another great one because things change. It's not business as usual. Things happen differently. So sending an email saying something like, you know, hey, the holiday hours are changing, blah, blah, blah, we need everybody to get your time in or else you're not going to be able to take time off for the holidays. That's a great way to get people to click on things and do stuff. We're having a company-wide party. If you want to come to the party, you know, we're having, I don't know, Britney Spears or something, and so click here to go to the page and register for the party. Don't forget to log in with your, you know, NTLM authentication.

Target-specific situations. So, we were doing a test recently for a company and we found out, just doing some recon, that they are in the process of getting ready to merge with another company. So that was a great example of saying, you know, we sent an email saying, you know, hey, because of the merger, you know, we're consolidating systems and some of you guys are still using the old, you know, file share system and we're migrating over to this new one on Box, and so we've set up this thing with Box. Go here to log in with your company credentials so that you can connect to the new one and not lose access to your files. Right? Nobody wants to lose access to the files.

Sometimes it needs to be more personal. I had a co-worker, an acquaintance, I guess, let's say that. He, doing some reconnaissance on Facebook, found, like, I don't remember if it was the CEO or CTO or something like that, one of these executives, found his wife's Facebook account, and, you know, the CEO's account didn't have any information.
It was all locked up or whatever, but the wife's account was wide open. And so he was able to do a lot of reconnaissance and found, hey, here's where their kids go to school. So he set up an email address that looked like it plausibly could have been from the wife, emailed the guy and said little Johnny just got kicked out of school, I'm so frustrated, he got in a fight and I'm just pissed off, and, you know, here's the link from the school where, you know, the suspension is, and you click the link and, oh, you need to install this Java applet so that you can view the file or whatever. All of those things, I'll come back to the psychology and stuff, but those are examples of target-specific stuff.

Sometimes, existing technologies. That goes back to the example I gave earlier with the identity and access management tool, right? If you can find out what types of systems they use internally, you can use that against them. We did a test of one of the largest government agencies in D.C. I get sick to my stomach just sharing this. Very, very big company. We sent an email to all of their admins using the same emails they get from their benefits. They have a third-party benefits provider that keeps track of time off and all those different types of requests. We sent this email saying, hey, you need to go here and log in and do this, blah, blah, blah, whatever. I think we got, however many people we sent it to, we got 12 sysadmins that logged in to a third-party system, because it wasn't even part of their network. It was a third-party external website and we simulated that. They logged in with the same password that they used for their internal sysadmin stuff, and two of them were domain admin creds. Yeah, we had to sit down with the deputy administrator. We're like four hops down, I think, from the president, and he asked us, he's like, what is the chance that we could be the next OPM? Because this was shortly after the OPM breach, right?
He's like, what's the chance that we could be the next? I'm like, if you're not already, it's because nobody's trying. Either you're significantly compromised and you don't know it, or really nobody's out there trying. Yeah. All right, moving on.

Domain name selection, right? So we're sending emails, they need to come from somewhere. Maybe we're going to have a landing page that you're going to go to. There's a lot of things we need to think about for domain names. This has to start with reconnaissance. Man, that's really small. I don't know if you can see it in the back. You need to learn what the customer's using. You need to learn what your target is, what kind of systems they have, what kind of domain names they're already using. Any third-party services: HR, payroll, training. The more and more that people outsource stuff to the cloud, the better that is for us. Because people are used to clicking on links, right? We used to be able to say, if it doesn't come from company.com, don't click on it. This is the only place. But now everybody's used to clicking on stuff from all these other third-party sites. That's actually good for us. And the more we can simulate existing stuff they're already familiar with, the better.

Again, that comes into familiar domains. If you can use something like, if their normal domain is company.com, if you use companymail.com, adding on little things like that are a great, great way to get stuff by. Adding on, so let's say you register mailserver.com, I don't know if that's available or not, that's just an example. But setting up subdomains, mail.company.mailserver.com, right? Like everybody in this room, you think, well, you're not going to fall for that, nobody's going to get that. My mom will fall for that, I guarantee it. We think people are going to be technical, and a lot of them just, they're clueless.
They see a domain, it's an email, they don't... it says it comes from Nathan Sweaney, it must come from Nathan Sweaney, why wouldn't it? Who would put that on there?

Generic domains, we use a lot for our testing. We have stuff like mail-center.com, event... what does that say? ...coordinator.com, stuff like that, domain-administrator.com. That may be one of our actual ones, I shouldn't have said that. Pretend that's not in the video. Stuff like that, right? You can use these; the thing you have to be careful of is, hey, you use this for a test now, do you burn it? Is it done? Or is this something you can continue using? You've got to think that through, like, hey, what are we using these for, and what can we continue using them for? Anybody have any favorites you've used? Other examples? Service desk. Yeah, help desk type stuff. In the back? What's that? SPF records. Am I in trouble? Yeah. Alright, so we just got notified that we have less time than we had intended, so we're going to, it's alright, we're going to get through it. Yeah, so think that through.

Punycode. Sometimes it works, sometimes it doesn't. If you're not familiar with what this is, when browsers started adding the ability to support Unicode, all of a sudden you got all these cool things. So like this right here is what the actual domain is, portal.xn--security-is-f7a, blah, blah, blah. But what it looks like in your browser is security-is.com with that weird little thing over the E. I don't know what that is, I'm American, I don't speak foreign languages. Same deal, this one here, it's an I without the dot, right, it looks the same. You've got to be careful with those. Sometimes they work really well, sometimes it doesn't look the way you think it will look in their client. So again it comes back to recon, you've got to know what the person actually has, what systems they're using.

So, psychology. I talked about this a little bit earlier. Urgency, emotion, and familiarity. Familiarity.
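The domain tricks the talk has just walked through (the punycode "security-is" lookalike with a mark over a letter or a dotless i, the company.mailserver.com subdomain, and companymail.com padding) are exactly what a blue team can check for on sender and link domains. The Python below is an added example written for this transcript, not code from the speaker or from Secure Ideas. It shows how the wire form of an IDN differs from what the browser displays, and flags each of the three patterns against a list of legitimate domains. LEGIT, CONFUSABLES, the naive registrable() helper and the sample domains are assumptions constructed for the example.

```python
"""Lookalike-domain checker: an added example, not code from the talk.

Flags sender or link domains that imitate a set of legitimate domains the way
the talk describes: punycode/IDN homoglyphs (a mark over a letter, a dotless i),
a brand buried in a subdomain of an attacker-owned domain
(company.mailserver.com), and a brand padded with extra words (companymail.com).
LEGIT, CONFUSABLES and the sample domains are constructed for this example;
registrable() is a naive stand-in for a public-suffix-list lookup.
"""
import unicodedata

# Domains you are protecting (assumption for this example).
LEGIT = {"security-is.com", "company.com"}

# Lookalike code points that NFKD does not fold to ASCII (small subset, assumption).
CONFUSABLES = {
    "\u0131": "i",  # Latin dotless i
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u03bf": "o",  # Greek omicron
}


def to_ascii(domain: str) -> str:
    """Wire form of a domain: non-ASCII labels become punycode 'xn--' labels."""
    return domain.encode("idna").decode("ascii").lower()


def to_unicode(domain: str) -> str:
    """Inverse of to_ascii: what a browser would display for 'xn--' labels."""
    return domain.encode("ascii").decode("idna")


def skeleton(label: str) -> str:
    """Strip accents/combining marks and map known confusables, so that
    'sëcurity' and 'securıty' both reduce to 'security'."""
    folded = unicodedata.normalize("NFKD", label)
    folded = "".join(c for c in folded if unicodedata.category(c) != "Mn")
    return "".join(CONFUSABLES.get(c, c) for c in folded).lower()


def registrable(domain: str) -> str:
    """Naive registrable domain: the last two labels. Real code should consult
    the public suffix list (co.uk etc.); this is an assumption for the example."""
    return ".".join(domain.split(".")[-2:])


def classify(domain: str, legit=LEGIT) -> list:
    """Return the reasons a domain looks like an impersonation of one in `legit`,
    or an empty list if it is one of them, a subdomain of one, or unrelated."""
    d = to_ascii(domain.strip().rstrip(".").lower())
    if d in legit:
        return []
    reasons = []
    labels = d.split(".")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("idn")
    shown = to_unicode(d)
    skel = ".".join(skeleton(label) for label in shown.split("."))
    if skel in legit:
        reasons.append("homoglyph-of:" + skel)
    reg = registrable(d)
    if reg in legit:
        return reasons  # mail.company.com is still company.com
    brands = {l.split(".")[0] for l in legit}
    if any(label in brands for label in labels[:-2]):
        reasons.append("brand-in-subdomain:" + reg)
    reg_label = reg.split(".")[0]
    for brand in brands:
        if brand in reg_label and reg_label != brand:
            reasons.append("brand-padded:" + brand)
    return reasons


if __name__ == "__main__":
    # Constructed samples in the spirit of the talk's examples.
    for sample in ["mail.company.com", "company.mailserver.com",
                   "companymail.com", "s\u00ebcurity-is.com", "secur\u0131ty-is.com"]:
        print(f"{sample:28} -> {to_ascii(sample):36} {classify(sample)}")
```

The check deliberately operates on the wire form first: that is what mail filters and proxies see, and it makes the "xn--" prefix impossible to hide. The skeleton() comparison is the part that catches the dotless-i and accented-letter cases the talk warns about; the confusables table is a tiny sample, and a real deployment would use the full Unicode confusables data and a public suffix list instead of the two-label registrable() shortcut.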
If you can use those three things, people will do things they're not intended to do. Things they've been trained not to do. Every single one of you, if I can generate a sense of urgency, and if I can make you emotional, if I can make you excited, angry, whatever, you will do things that you've been trained not to do. That's just human psychology as the way it is. We've got to use those things as part of our phishing. Do you know what the critical faculty is? Critical faculty is the part of our brain that says this other stuff out here is not important. This is normal everyday stuff. Don't worry about that. Focus on this. So we can use social engineering techniques to bypass the critical faculty and basically tell the user, tell the user's brain this is just a normal everyday thing. Don't worry about it. Just click OK. That's what people do. And that's one of the things we need to consider. Things like spell check. We've all gotten those emails that are like poorly spelled or the grammar is horrible and you're like, how does this ever work? We notice those things, they stick out because it throws a ringer up in our critical faculty. We need to make sure that things are spelled correctly. We need to mimic email signatures. If you don't know what the email signature is of your client or your target, shoot an email to them or somebody else or whatever, have a legit conversation and see what their signature looks like and then you can use that for phishing of somebody else in the organization. Realistic and similar domains. We kind of talked about that already. Context appropriate language. What's the appropriate type of language for this business setting? Whatever the phishing target may be. And then existing conversations. I gave the example earlier with Jekai of the conversation. If you send an email that's just a single email and nothing else, that's much more likely to be detected as spam. 
If you have a conversation going back and forth and back and forth and then you copy somebody else on it, no. Nobody ever thinks about that. That's probably not spam. That's a legitimate thing. Things like that can bypass the critical faculty. This is a place to be evil. You put on your red hat and professionally evil. That's our trademark, but you all owe me 25 cents if you use it. But we get to be bad guys. We get to play around a little bit. But not too evil. Hey, Mr. Smith, there's been an active shooter situation at little Johnny's school. We can't get a hold of your son. Has he contacted you? Please let us know. For the most up to date information, please click this link and follow along, whatever. That's a little bit too much. Don't go that far. We got to find that balance of we want to simulate an attack, but we also don't want to be jackasses. Can I say that? Sorry, what? What if it works? That's a good question. There may be legitimate places where it's okay to go that far. But most clients I think are probably going to be that would be what we call a resume generating event when you send that email to their executive, just saying. All right, so some examples. We're in the process of expanding our email storage capabilities. If you're receiving an alert that your inbox is full, please go here, blah, blah, blah. That works because everybody's inbox is always full. Everybody always wants more space. This is the example I gave earlier due to recent changes in Washington, our healthcare stuff, whatever. I've got a co-worker who's a developer and he set up a really realistic looking site. OpenEnrollment.com. I think we still use that actually. OpenEnrollOnline.com. That's what it was. We may not. This is a legitimate email from my uncle. He sent us a Christmas card or something, you know, from blue something or other, whatever. Like, people click this stuff. I don't even know what it's on it because I didn't actually click it. 
But, like, it would be very easy to set up a site that opens up a Christmas card and runs whatever other stuff in Flash or Java in the background. Um... You know how many people click that button? Like, 99%. Targeting. We got to talk about the number of victims. Do we want to send it to one person? Maybe. If it's a very targeted, specific thing, we want to send it to a group, everybody. Those are things you need to think about. It comes back to remembering what's the goal, right? What are we trying to do? There are cases we use awareness. You want to hit everybody all at once. Other times, the more people you hit, the more likely it is to be detected. So, think that through. You also want to think about the response time. When are you sending this, at lunchtime when nobody's going to be at their desk and so you're only hoping to hit a couple of people? Are you sending it at 9 a.m. when most people are kind of sorting through their email already? Think about the response time of the blue team, right? Are you sending it at 9 p.m. when maybe nobody's in the office and stuff will get by except for that one guy who's doing work? The Prairie Dog thing. You got to know the atmosphere of your organization. You send that email and all of a sudden, hey, did you get this? Yeah, did you get that? Right? All of a sudden, it's like, this is obviously, you're caught. They know what's going on. So, you got to kind of understand that. One size fits all. Every phish is a little bit different. You got to think through what you're doing. Victim types. These people are particularly vulnerable. Mainly because they're used to interacting with outsiders. They're used to clicking links. They're used to opening documents. You can very easily craft stuff. You know, hey, did you get my resume? I sent it to you, blah, blah, blah, that sort of thing. Can you review this contract before we send it on, whatever? There's also certain people who are particularly privileged.
Sysadmins, network admins, executives, help desk. Think through, as you're targeting, who am I looking for? I know I'm running through this stuff a little bit quickly, but I want to get to some of the other stuff before. We got about eight minutes. All right, so finding victims. LinkedIn is fantastic, going through and scraping. There's a lot of tools you can use to do that automatically. One of the things, if you're going to connect to somebody with LinkedIn or Facebook or whatever, connect to their friends first or the people they're connected to. Connect to the groups that they are in. And then when they get the invitation from you, they'll be like, oh, you're already part of this group. Here's something you didn't know, probably. In LinkedIn, if you export your contacts, it gives you the ability to export your contacts. It includes the email addresses, the personal email addresses of all of the people that you're connected to. How many people use a personal email for LinkedIn? I do. I don't use my work email. I have a personal one. So if you're connected to me on LinkedIn, you can export that and get my personal email address. It's not hard. It's Nathan at Swainy.com.