
Thank you very much. Questions will be at the end. You don't know how it works: you had a talk yesterday, but you don't remember. I understand. Thank you for the introduction. Przemek is here with me, though not physically, because he helped me with this very short piece of research, which will be somewhere in the middle of the presentation. That's why I thank him by putting him on the slides. I will talk about phishing, about what Adam said today and a little bit about what Adam said later, about various frauds. My name is Borys Słonski, I work at Logical Trust. We perform penetration tests of web and mobile applications, Internet-facing and corporate networks, social engineering, etc. I was curious: I've already spoken at B-Sides a few times. This event is different and I've always liked that it's from people to people. I'd like it to stay that way, even though the venue has changed. It's not as stuffy as it was in the previous places. However, I have a dream that this conference will not turn into something very commercial and terrible, filled with various sponsored gadgets and small details, which probably don't bother you so much.

I will talk about phishing. I hope each of you knows what phishing is. Phishing is a kind of fraud. It's an attempt to impersonate someone else. We pretend to be someone else, whether an institution, a company or a person; it depends on the specific attack. Today I would like to tell you about more targeted phishing attacks. We don't look for victims en masse, like in the campaigns Adam described today, but deal with attacks that are always targeted at a specific company or specific people. Mass phishing is the classic situation, usually messages that you, as experts, recognize within a few seconds: you know it's a fraud, there are a million indicators showing that it's not real. As you learned from Adam's presentation, an average citizen, an average user, will not pay attention to headers, strange things, errors, letters. He will simply click on the link, because there is something in there that works on him in some way, something related to fear, emotions. He will simply click and infect the computer, hand over his data. What is also important about phishing, in many reports, is that phishing is also an email in which you receive malicious software. It is not just harvesting credentials. It is important that you remember this too. In Poland, of course, we also have various campaigns; you can usually read about them on Zaufana Trzecia Strona. Remember that such mass campaigns will always have some victims, and here scale does its work, because people just click, they are not aware, they are not interested in security, they are interested in, for example, having a debt to pay off, some invoice to pay, or some money to receive, so they just click.

If you look at the reports, it depends on what you are interested in: whether you want to buy an anti-phishing solution, or do phishing inside your company or organization, it's very different. If someone is selling you a solution that trains users, your employees, then of course they will show various data indicating that phishing is a huge problem. Because it really is. In the last report, which came out a few weeks ago, I also saw that over 70% of companies experience phishing, and this topic will not be solved quickly. Interestingly, it depends on the country, how aware people are, how they think about phishing, how we teach them, how we educate them. Sometimes it is enough to look at this: people have different awareness in different countries. It would be nice to work on raising awareness, but as Adam said, it is very difficult. We have been raising awareness for several years now; we work with companies and try to help them, both privately and professionally, on blogs, in the form of various trainings and lectures. And this is really very difficult. For an average citizen, topics such as a certificate fingerprint or the virustotal.com service are abstract and magical things. People are not interested in them. You should remember that when you talk to normal people. Get out of your expert nature, get into the shoes of an ordinary citizen who really couldn't care less about these security things.

Here we have interesting foreign statistics, but they also show the trend. Older people are slowly learning that there are various frauds, not only the "grandchild" scam, but also in cyberspace, on the Internet. They ignore all security issues because they want everything to work, so they can use social media, so they can click, and they are not interested in security. This is a problem that we, as the security community, will face in the next 10-15 years. This is also evident when you look at the results of various phishing tests: generally young people click, the elderly can still think a little, but of course it depends a lot on the group, on the people, etc. There was a report many years ago, I emphasize that this was many years ago, because many companies that sell various anti-phishing shields or services simulating phishing refer to a sentence that appeared once and said that everything starts with a targeted phishing attack. Be careful about that too, because it varies. If you have unsecured servers reachable from the Internet, you don't have to start with phishing, you can do it faster and easier.

Our statistics show that we always have 100% effectiveness. 100% effectiveness is a situation in which we obtain at least one valid credential, or at least one person clicks on a link that allows the computer to be taken over. Our competitors, our colleagues, have the same statistics. Someone will always get caught. The bigger the company and the more time you spend on such an attack, the more effective the results will be. I will show you some simple examples from our case studies. Usually phishing is part of red teaming, an attack where we can test a lot of infrastructure, we can try to attack users, etc. Usually we don't have much time for it. And that's the context in which I'll be talking about the results. If you make a dedicated order, where you spend two weeks only on phishing, it really happens that 80-90% of users will simply hand over their data or click on a specific link.

As for tools, today there are ready-made tools on the market, not only commercial, but also free tools that you can download and install on your systems, and you can test your users, which is quite important, because such training always raises awareness. After every phishing test, like when we do it on some company for the first time, there is always a huge stir among users, there are huge discussions in the kitchen, the employees sit there for three days and don't talk about anything else, they just say that they were attacked by real hackers, someone gave away some password. And that's great, it's great in the sense that they learn from something that was effective, that worked on them. It's cool because it stays in their heads for a long time. That's why it's definitely worth doing these types of tests in companies. We have to remember that we can cross a thin line here, because people don't like being shown that they make mistakes. We know of a situation in a company where employees stopped talking to each other, because one of my colleagues knew that there would be a phishing test (usually very few people know about such a test, so that it is as reliable as possible), and a friend was offended at him for many months because he did not tell her that there would be such an attack. You have to remember that these types of tests are very sensitive because you deal with people, and you have to take care to communicate with users properly. We don't want to show that Kowalski clicked, Kowalska clicked, because today they clicked, but tomorrow someone else will come back from dinner and he will click. It is very important not to use names, but statistics. For example: 10% of users gave their passwords within 15 minutes. This is a serious problem in our organization. Let's think about what we can do.

We also have tools from our friend Kuba, who created a Man-in-the-Middle phishing site with which you can also grab two-factor authentication tokens. So there are a lot of tools. If you are a real hacker, then you know: you create a file with email addresses, send messages, add headers, and you can do it in a very simple way. You don't need to install big combines running in Docker, in a virtual machine, in a cloud, etc. Sometimes in phishing attacks you can use bugs. For example, the fact that certain browsers can display a foreign character that looks similar to our letter. This type of attack was used on users a few months ago during one of the phishing attempts against a cryptocurrency management panel. There was also manipulation of the BGP protocol, a phishing website and, among other things, the use of this type of trick, which is supposed to make the website appear genuine. It is known that an ordinary user will not look into the certificate, will not check it, but it seems to be OK and they simply click. In such a specific attack, you use bugs in the software. At the beginning, in the reconnaissance, you learn that the company uses a specific version of specific software. A few months ago, there was a bug that allowed overwriting the data in many popular mail clients. Usually, people don't read, don't look into details, don't look at the domain of the email, but this can help to increase the effectiveness of such attacks.

If I were to explain step by step what a phishing attack looks like: at the beginning, you do reconnaissance. Sometimes the company says: "You're doing phishing from the attacker's perspective, so you don't know anything about our company." And this is one version. Sometimes the company says: "Okay, you have 1000 email addresses here, let's see who clicks and who doesn't." It depends on the client's specifics, what they want to check. You buy a domain, you buy a similar-looking Internet domain. This is the simplest and most effective attack vector today. You just change one letter somewhere; the user will fall for it anyway, they usually won't pay attention. You configure your DNS server. Remember that you may want to make some minor changes; you want them to propagate quickly, so a short TTL will be a nice solution. You configure your mail servers. It's worth configuring them properly, with the additional security mechanisms, remembering that your phishing email should be sent in the most reliable way possible. Different companies have different solutions, different boxes that try to find out if it is spam or some dangerous software sent in the attachment. Finally, you configure the www server. If you are rich, you can buy an SSL certificate. If you are not, you have Let's Encrypt for free today. It takes only a few seconds. You have a ready-made website with a secure connection. This is the myth that we have been teaching users for the last 15 years: that when there is a padlock, it is a secure connection, and when there is a secure connection, it is safe. However, it turns out that it doesn't really give much. It is just one of the indicators that show that the transmission is encrypted, but in the context of phishing attacks, when the user logs into a completely different domain, it doesn't mean anything. It is just an encrypted connection. You have to do some internal tests, see how the message looks, whether you send it in a good way, whether you have configured all the elements correctly, whether the SPF is well configured, etc. Don't leave it to the last moment; give your infrastructure a moment to propagate. Remember that DNS takes a while. When you buy an Internet domain, it won't be visible in the entire Internet within half an hour. This is something you need to remember: not to do it at the last minute, to prepare for it, to plan your steps and to approach it with a cool head.

Here are a few examples from tests. They usually last a day or two to gain access to sensitive data. The most common example is that we buy a similar domain, some communication related to something that should incite the user to take action. They click, a login page appears, and they give the login and password. Here is the first example. A small company. Basically, everything happens within a dozen or so minutes. The biggest wave of these logins and passwords is in the first 15-20 minutes. Then there are some more, sometimes after a few hours, sometimes after a few days; if the company does not block these domains in their various systems, it happens that after a few days someone else will hand over theirs, because the company didn't inform them about such an incident, even though half of the company knows that it was an attack by the external company. In this case, it turned out that these passwords also matched their Slack. We also got access to other data from Slack, and this data also worked for Jira. So we obtained more data and more sensitive information. As I said, these were red-teaming tests, so we had a range of services. And at the end, when we had access to an email account, we could reset the user's password to GitHub. We did that and got access to the source code, which, as this was a software house, was the intellectual property most important to them. And we need to remember that if someone gets access to your email, that is usually simply ignored.

The second example is very simple. Here is a large organization. We don't know who has access to which services, so we do a general campaign, a message from a certain person. Of course, we do reconnaissance first; we impersonate a person who works in a technical department or in a PR department, etc. You do all this in the reconnaissance phase, you prepare for it, I'll tell you about it in a moment. 51 people submitted their data in less than an hour. What was interesting was that some of the data was also used in other company services that were exposed on the Internet. Unfortunately, the problem with passwords is something we haven't solved for over 20 years, and even though we, as experts, know that passwords should be random, different, best kept in a password manager, stored locally, etc., it's hard to teach an average user to use these tools, and it will take some time before we solve this problem in a sensible way. Here, a situation similar to what Adam had on his slides happened. The employees started writing back with screenshots: they sent the data, the password, the page is displayed, but something is missing, something is missing, and they sent screenshots of their Outlook, with data of other clients, etc. We sometimes interact with these users, try to check what more they will give. Sometimes it happens that when we have access to Slack, we write as a given employee and have discussions, we look at what will happen next. These are very interesting situations.

The third example is a company of about 400 employees. About 6% of users submitted their data. This was also a one-day phishing test. Later we had access to their infrastructure, because it turned out that one of their emails contained VPN data: a key and a password. This was their policy of distributing credentials. Of course, it was poorly constructed. We got access to the corporate network. On one of the computers, a known vulnerability was not patched. We used it, we took one server, then another, and for several days we escalated our privileges to get as many servers as possible. And in the end, of course, we took administrator privileges for the entire company; we basically gained access to all their sensitive data. It all started with two days of prepared phishing. They also made some mistakes related to passwords in AD, which accelerated our work a bit: we figured out the scheme they used to create passwords for some servers, because it was a pattern that we managed to understand. That's it for the anonymized examples from our tests.

To do some phishing, if you think about it, we need email addresses. It's getting easier to get them, because we have many social services that aggregate email addresses. We also need a service that is available on the Internet, which we can use. You could imagine an infrastructure where the company has no services reachable on the Internet. This is a nice solution. There is only VPN access, they have their own tokens, and then making such an attack is much more difficult. However, if you do reconnaissance, a lot of companies expose very strange services for their employees simply behind a login and password. This should not be done. But today it definitely is done.

And now I want to tell you about a real case study, in which I can tell you how people looked, how the reaction looked, how the company looked, because in the previous ones, of course, due to our clients, I could not talk about it. I prepared this talk at the Confidence conference. I hope that everyone knows it. Proidea is the organizer of the Confidence conference. I have known the main owner of Proidea, Andrzej, for a dozen years. And I thought a few weeks before the conference that since I'm going to talk about phishing, maybe I'll try to do phishing on the employees of the company that organizes the conference and we'll see what comes out. If someone gives a password, it will be nice, it will make a nice presentation. We devoted one day to work on it with Przemek. We spent one day, two working days, and we checked what could happen.

We start with everything that is obvious for people who deal with security. We look at Facebook, we start looking for people who work in a given company. We know the scale of the company, there are about a dozen people, we can do it all manually, we don't need any specialized tools. We start searching hashtags in various news, for example, where they introduce themselves, who is doing what. We can do a trick: we want to see employees of a company, and they show up on Facebook and LinkedIn, of course. We start to look at other social media platforms to get as many e-mail addresses as possible during the reconnaissance phase. You also have the option to export your contacts from LinkedIn. You can check the email addresses of the users. I had Andrzej and an employee who had a private address. Since the private address was outside the scope agreed with Andrzej, we didn't attack her, but a real attacker could write to Anna at her private address and make a specific attack. For me, the GoldenLine service is no longer alive, but there is still information there that is useful for attackers. More services, more data, everything we are interested in from the perspective of an attacker who only knows the name of the company and the organization. Here, of course, we learn about other companies that are connected to Proidea, for example. This is also of interest to us. Here, for example, you will see Networkers.pl, which I still check on different websites and in different leak databases with passwords, whether their passwords were leaked somewhere. We also try to use these passwords. They did not work, but we also partially confirm some email addresses that were found in the leaks, because it can also be useful. Sometimes we also use tools that automate our work and try to get the addresses of vhosts, websites and email addresses. These are the two things we need to do phishing. We want to know which address to attack. Most often, if there is such a possibility, the easiest and most effective is to attack the email portal. This email gives you access to really amazing information. You can then reset the password to various services. But it's not always like that.

We try to find out what services are available on the Internet. There are many different websites. It turns out that Confidence has been on the market for over 10 years, so there are various old versions of websites. It is worth looking at these websites, because there will often be valuable information. There are also services where, sometimes for free, sometimes for a few zlotys, you can enter the website address and it shows you several dozen e-mail addresses of this company that it found somewhere on the Internet. Here we have 55 e-mail addresses, which is a very good result. Old websites, current conferences, past conferences, everything that can help you find out about a particular person or company. If you pay attention, Proidea was previously associated with organizing training. Here the company is a limited liability company, so you are also interested in connections, because thanks to this you learn more information about your target. You check old websites, i.e. on Web Archive you verify what the Proidea website looked like, for example, in 2006. And there you find out that there is another sub-site that may still be working; it is worth checking. Every little piece of information can be important for you. In this stage of reconnaissance, the more you learn, the better you will do, the easier it will be for you to complete the task.

This is very important. We collect quite a lot of information in a few hours from different sides. We aggregate it in our databases to find out which services we can attack. The simplest thing is to iterate over services using DNS. We take the 10,000 most popular names and check whether they resolve to an IP address. We check reverse DNS, we check everything that can be verified on the Internet directly, for free, in a quick way, because that's what it was all about: to show that to make such an attack you really don't need to be an expert, you don't need to be a super specialist, you don't need to use those bugs in mail clients, bugs in browsers, advanced zero-days, etc., etc., because usually it can be done very simply. There are also integrated platforms for managing various data. You just enter the Internet domain and it displays information from various DNS servers, documents, information, etc. There are many of these services. We look at information about SSL certificates, because different SSL certificates can also contain interesting information. Here you can see that Proidea has had an SSL certificate for several years, and it is also useful for us, because in these SSL certificates, for example, you have information about alternative domain names. As a result, we find some calendars that don't quite work, but where there were some other services; we find various additional information that we need. We find contact people. We check the people on the social networks again, see where they worked, where they work and whether it can help us. Here we find the address of a list at proidea.org.pl; it also showed up in the DNS queries. There is a website address for managing Proidea's mailing lists without any login or password. We immediately reported it and it was removed. But from such information we can again find out that, for example, certain people manage their discussion lists. These people are again from Networkers.pl. Another address that interests us. We expand the list in order to be able to perform such an attack. More people, more services, and this is what such a reconnaissance phase is all about. We also review ordinary articles; for example, there was an interview with Andrzej Targosz, where he describes how his career started, who he is today, what company he founded, etc. It turns out that Networkers.pl is also part of one of his businesses and it can be useful for us. We analyze how it looks in legal form. Andrzej Targosz is a partner in Networkers.pl, so it all tells us who could be the target if we want to attack Proidea. We check the Internet addresses, how they are visible in the various reconnaissance services, further addresses, further conferences. Sometimes, when we go beyond phishing, we find an old version of an application that is not used by anyone, not updated, and it is easy to take over such an application, get directly to the server and then escalate privileges and move on to the next servers. Various other services that I hope are more or less known to you; if not, the presentation will be available somewhere, you can check it out on the website. We look deeper; for example, we download all the PDFs, all the documents, and we extract information from metadata that may be useful to us. We check if they are related to what we already knew, because again it is useful information for us. We use VirusTotal. You can also enter your website there and it shows you various subdomains related to these domains. Sometimes you have taught an employee that when he sees some strange document that he received by e-mail, he sends it to VirusTotal, and it checks whether it is a virus or not, or at least tries to find out. But this data is also stored in the system. It can reveal further information. It appears again on penetration tests, where we test the entire infrastructure. From this simple reconnaissance, we sometimes find out addresses that are more exciting than "cisco" or "shqip", because you could guess those. Sometimes the address is more unique, so that no one could ever discover it. However, it will somehow be revealed on the Internet, and it should always be either behind a VPN or behind some reliable system that verifies access. Because it really happened to us many times that this type of data leaked and we managed to get in. If you use Slack, you can register, and you need to have access to an email address of a specific organization. And that was the weak point: if we got an email address of any employee, we could also get into the whole Slack. And we have been able to do it many times.

We are now moving to the attack phase: we are configuring servers, we are configuring a secure connection, we have a code, here is Let's Encrypt, we have a ready-made website. If you look at the moment... OK, it will be in a moment. This is the Proidea website, a webmail page. We decide to attack the simplest and most popular thing. As I said, we have one day in the schedule. We do it quite quickly. We want to check how it all works. We buy an Internet domain. We buy a similar one, so instead of mail.proidea we buy mail-proidea. Here we do not force ourselves into some complicated lettering tricks, etc. We do it very simply. We buy a domain and we put our website there. If you have a good memory and good eyesight, you can see it. We do it really fast. We didn't even copy the CSS file that would make this page look even nicer. The address, as you can see, is quite small. We assume that users will not notice it. We set up a fake website that only records data from users. As it all happens a week before the conference, the attack is always adapted to what happens in the company. Someone new joins the organization, or the company is selling something, or they bought another company, or there is a big competition, or they won a prize. Phishing emails should always be related to what is happening in the organization. Then it is closer to home and you increase the level of trust among employees. And here we are Andrzej Targosz, the owner of the company, the important person, the so-called "president". Therefore, we assume that employees should listen. In connection with attacks related to Confidence (everyone knows, especially the organizers, that this is a conference related to security, so attacks can happen), please change your mail password. Really, the simplest thing possible. Of course, we had earlier emailed Andrzej from a different address to get his email signature. This is again the reconnaissance phase, where we ask about completely different things, so that these mails look as reliable as possible. We write as Andrzej writes to his employees: "Greetings" rather than "With respect", etc. You always have to consider who is who in the organization; you will definitely find that out in the reconnaissance phase. And literally after a few minutes, the first logins and first passwords appear. We log into their mailboxes; it turns out that we have access to several mailboxes; there is our message. We get access to other mailboxes. We already knew that we had good material for the presentation. There would be something to show. As you have seen, everything happened in a few hours.

But let's talk about how the employees reacted. Someone noticed; Sylwia sends a message to everyone: "This is not real, this is not Andrzej's email. If you look closely, don't click on this link." It's nice: the employees received information that there is an attack, you have to be careful, you have to start thinking. It would be nice if you had rules in your companies for what to do in such situations, if the employee knows who to call, who to write an email to with the question that maybe this message looks suspicious and whether someone can verify it. Can your IT departments block such a web page? It would be easiest to block our Internet address at this point, so that employees could not access these addresses from their computers. In many attacks we make in companies, we see that employees log into the service for an hour and send their data to the server, and suddenly there is a complete blockade and no one logs in to the server, because the company implemented a global system that blocks this address. We had a situation where the company implemented a block, but only for employees in Poland, and we did phishing for several countries, and these other countries continued to give us their logins and passwords. We got a message from Sylwia: "Dodo to Confidence, I invite you for coffee", so a bit of a joke. They didn't know it, of course, but Andrzej Targosz knew that it was a targeted attack, because he ordered it, from good people, people who don't want to harm anyone. However, this is not the best way to react to an incident. Generally speaking, you should not, and this is how you should teach your users, write to the people who attack you. Regardless of whether it is cursing, a joke, or an attempt to establish contact, generally speaking: no communication with attackers. It can always lead to worse situations. We had attacks where employees interacted with us and started even more harmful contacts. Thanks to that we took over even more computers. We had a situation where we took over a computer: one lady said that the document wasn't opening fully, similar to what Adam said earlier. She sent it to the IT department, they clicked, and the administrators infected their own computer. It happens. You have to be careful and prepare properly to analyze such emails. She said she can't read the messages. It depends on how you approach the whole process. But assume that such an attack will always happen in your company or among your loved ones, and try to educate them in the right way. Of course, we explained everything to Sylwia over coffee, over juice, a few days after the attack was over. We said what Andrzej told everyone: that it was us, that it was Logical Trust, don't be afraid. We know your passwords, we know they are curses, we won't tell anyone. It's important that you change them. You have to remember the technical details of the incident. It would be nice if the employee, when he or she gives such a password to someone sitting on the other side of the globe, came and told you, but it's very difficult to convince employees to come and say: "I gave away this password. Could you change it to a random one? My computer is infected, my data is taken, try to analyze it." It's very difficult. It's worth trying. It's not their fault that they gave away the password, it's not Kowalski's fault. This is a multi-faceted fault. It is not a personal fault. They will not come to you if they are afraid. If you build security education on fear, your results will be very miserable. It is very difficult to educate employees today. In this particular case we found 55 emails, we delivered 34, because some of them bounced. And in half an hour we got into 3 email accounts. A quick one-day attack. It took 8 hours, not much, two people. The VPS cost us PLN 3, the domain was free in a promotion.
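The case study hinged on a look-alike domain (mail-proidea instead of mail.proidea) and on whether IT could spot and block it quickly. As an added example, not from the talk or from Logical Trust, here is a Python check that a mail gateway or a SOC script could run over incoming headers and body links to flag such domains; it goes a little beyond the case by also catching digit homoglyphs, accented characters, punycode and one-letter typos. The organisation domain is the proidea.org.pl mentioned in the talk; the suffix list, the sample message and the `mail-proidea.example` domain are constructed assumptions.

```python
"""Flag look-alike sender and link domains in an incoming e-mail (added example)."""
import re
import unicodedata
from email import message_from_string
from email.utils import getaddresses

# The organisation's own mail domain, as mentioned in the talk.
ORG_DOMAINS = {"proidea.org.pl"}

# Small fixed suffix list (assumption; a real deployment would use the public suffix list).
PUBLIC_SUFFIXES = ("org.pl", "com.pl", "net.pl", "pl", "com", "org", "net", "example")

# Digits commonly substituted for letters in typosquat domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain):
    """Lower-case, decode punycode, strip diacritics and fold digit look-alikes."""
    d = domain.strip().lower().rstrip(".")
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))
    return d.translate(HOMOGLYPHS)


def brand_labels(org_domains):
    """'proidea.org.pl' -> {'proidea'}: the label just left of the public suffix."""
    brands = set()
    for d in org_domains:
        for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
            if d.endswith("." + suffix):
                brands.add(d[: -len(suffix) - 1].split(".")[-1])
                break
    return brands


def levenshtein(a, b):
    """Plain edit distance; good enough for one-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, org_domains=ORG_DOMAINS):
    """Return ('trusted' | 'lookalike' | 'other', reason)."""
    raw = domain.strip().lower().rstrip(".")
    if raw in org_domains:
        return "trusted", "organisation domain"
    norm = normalize(raw)
    if norm in org_domains:
        return "lookalike", "homoglyph of " + norm
    # Split on dots and hyphens so 'mail-proidea.example' yields the label 'proidea'.
    labels = re.split(r"[.-]", norm)
    for brand in brand_labels(org_domains):
        for label in labels:
            if len(brand) >= 5 and levenshtein(label, brand) <= 1:
                return "lookalike", f"label '{label}' imitates brand '{brand}'"
    return "other", "unrelated domain"


LINK_RE = re.compile(r"https?://([^/\s>\"']+)", re.I)


def check_message(raw_message, org_domains=ORG_DOMAINS):
    """Classify every sender-related header domain and every link domain in the body."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("From", "Sender", "Reply-To", "Return-Path"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            if "@" in addr:
                dom = addr.rsplit("@", 1)[1]
                findings.append((header, dom) + classify_domain(dom, org_domains))
    body = msg.get_payload() if not msg.is_multipart() else ""
    for host in LINK_RE.findall(body):
        dom = host.split("@")[-1].split(":")[0]  # drop userinfo and port
        findings.append(("link", dom) + classify_domain(dom, org_domains))
    kinds = {f[2] for f in findings}
    if "lookalike" in kinds:
        verdict = "lookalike"
    elif kinds == {"trusted"}:
        verdict = "trusted"
    else:
        verdict = "other"
    return verdict, findings


# Constructed sample modelled on the talk's scenario (not a real message).
SAMPLE = """From: Andrzej <andrzej@mail-proidea.example>
Reply-To: andrzej@mail-proidea.example
To: staff@proidea.org.pl
Subject: Please change your mail password before Confidence

Because of the attacks before the conference, please log in and change
your password: https://mail-proidea.example/login
Greetings, Andrzej
"""

if __name__ == "__main__":
    verdict, findings = check_message(SAMPLE)
    print(verdict)
    for f in findings:
        print(*f)
```

A gateway can feed the "lookalike" verdict into a quarantine rule and the flagged domain into the proxy blocklist, which is the quick block the talk asks IT departments for.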
So that was the whole cost of the attack, apart from our time. This is how it looks in reality. If someone wants to do a more complicated attack, which uses more complicated tools, lasts longer and has a longer reconnaissance phase, it will be even more effective and a little more expensive. Do not expect such an attack to cost 100,000 PLN. It can be done really cheaply.

In the end, we went back to Slack, because we were interested in it. When we had access to proidea.org.pl, we set up an account on the email address we had obtained. In this case, it turned out that nothing was happening there. Many years ago they tried it, logged in, tested Slack, and didn't turn it off. It still existed, but we didn't get access to any nice information. However, in such tests it has happened. We had long disputes as employees. Someone wrote a negative email, we wrote "no, no, it works for me". We played at increasing trust. And there are many interesting things happening there. Plus, Slack, Jira, is a gold mine. It's a mine of logins, a mine of passwords. We had a pentest in an extreme situation, where in Slack (it's not a joke; I've seen a lot, I've been working in security for 11 years, so I've seen a lot, it's hard to surprise me) a guy made a screenshot of an error from the MySQL console: he logged into MySQL, to the administrator's account, and there was an error. And he took a photo with the password which he had typed in the console, and from the phone sent it to a second employee. And we had access to this password, to one of the external systems which we had to get into; it took us about 4-5 days, but this information was useful to us. And it happens. Small, tiny pieces of information. Slack is a mine. It's a mine of treasures. So be careful what you type in there. People feel that it's an internal, cosy space and you can type everything in there. And there you really find everything.

And finally, when it comes to summarizing how to protect yourself, how to deal with it, I talked a bit about it, how to try to fight this problem. This is a problem we won't solve quickly and it will take some time. Limit the services you have available on the Internet. Add tokens, add 2FA, make logging in to your company services difficult, use VPNs. Countless companies that are concerned with security, for example, verify whether their employees enter some strange domains and block them with automated tools, for example domains that are similar to their addresses. You can count on the fingers of one hand the companies that implement advanced systems, for example verifying every day, using various scripts that are ready to be downloaded from the Internet, whether new domains appear that are similar to their Internet domains. If such a domain appears, it is blocked on the firewall. Or, for example, a smart, simple idea is to use ready-made tools from GitHub. You download them and they generate a few hundred addresses similar to your website. You can immediately block them on the Web Application Firewall or the proxy. You can reduce the impact of what happens when a user clicks on a website. Whether you do it at the DNS level or at the www level, it depends. Of course, email should also be scanned in some way, with the relevant connectors, etc. This is covered during dedicated attacks; it's not that these antivirus systems cannot be bypassed, but it raises the barrier for attackers, which raises costs, and sometimes they can attack someone else instead, unless you are the target of a targeted attack, in which case they will spend a few hours more and skip this software.

Educate and train these employees. Show them these things. Look, if you do phishing first in your company, then make presentations for employees. Show some slides. Look, you can take such data from Facebook, you can take such data from some other service. Thanks to this, they will see a slightly different perspective: how such an attacker can get this data. And finally show: look, 20% of employees gave away their passwords in half an hour, which protect very sensitive information. And what I was talking about: these employees must know who and where to send such a suspicious e-mail. They can't be afraid. They can't be afraid that when they send some strange message to the IT department, someone will ask them if they restarted the computer. It can't work like that, because then the human firewall that you can create in your company stops working. This is one of the last and most important barriers that you can create in your company, through proper discussion and communication. It's very difficult, but you can do it. When you train and do these phishings systematically, you can see that the effectiveness is decreasing and that these employees are becoming aware of what attacks look like, that there are such attacks, and that someone can put any value on the front page or buy a similar domain on the Internet and install a web page that is completely different from ours. People don't know that yet; they have no idea what "green" means. That you can make a simple

Prepare for an accident. Today, for many years, it hasn't been said that you are safe, that you will not have an accident. It doesn't work like that. We have refined attacks. An effective attack is only a matter of cost. How much money does the attacker have? What resources does he have? If you look at recent incidents, the biggest institutions were well-protected, and they had various security incidents. Get ready for such a situation, that something bad will happen. Then ask yourself, from the perspective of IT, simple questions. For example, if 300 identical emails are sent to our organization with a malicious link, can we simply delete these 300 emails from the 300 mailboxes? Do we know how to do it? And it often happens that when we discuss with IT companies, they tell us: "Well, we should start to think about it." We don't have such possibilities. We should start to google, search for scripts that would try to do something in PowerShell, etc. But then you waste time, and those employees give away their passwords. And you don't have that time. You have to act as soon as possible. That's why you have to prepare for this incident earlier.

What about changing passwords? Should we change passwords for all users or only for those who admit to it? Do you know that you have employees who always admit to their mistakes? Or do you assume that only one person admits to their mistakes? Or that only one person is aware of their mistakes? This is also very important. Perhaps during such an attack you need to reset passwords and force a password change. This will also be important. It's worth analyzing such an attack, seeing what happened, learning from it, drawing conclusions. If someone has created a similar domain and you have a proxy in your company, you could block it. Do something to make it harder for attackers to attack. It's about learning from such attacks. If you see on the third page that there was an incident, someone was standing there, think about it. Could we try to technically limit some attacks and help our users? Unfortunately, you always have to assume that users will not be aware of it.

Finally, some additional material, some references from my previous lectures and a discount for those who would like to come to such trainings, where we show with Adam from the Trustful Third Side how to write safer applications by breaking their web or mobile security. If you have any questions... I would like to thank you for your attention. I will be available for 10 minutes, or later, or at the after-party. You can come and discuss. Any questions? Don't be afraid. I have your passwords anyway. Don't be afraid.

I have a question about the password change form. Do you pass on the new password to the user and then change it? Do you do any redirects? Have you tested any methods, and what are the consequences?

It depends on the specific order, on what the client allows us. Sometimes it is like this: we do phishing in a way that we don't know the passwords at all. We have to create the page in such a way that we can only verify whether someone is sending any data. We don't have access to these passwords at all. This is always defined at the beginning, in the scope of the specific tests. We can do it like in some red teaming tests, for example: we can look at such a password and verify if it will work in another service. Of course, again, only for the service that the client allowed us to check. This is always very specific to these few people. We don't have such detailed statistics, maybe because there are still relatively few such tests, and it would be hard to tell what the pattern is, what happens with this password, how it is used later, etc. Rather, we don't try to focus on how it is created, etc. Sometimes this information is useful, but I think we have too small a sample. It's not like we have hundreds of such tests every year.
Thanks for the answer, but I wasn't really talking about that. I was talking about what the user sees after changing the password. If he sees the password change form, you may not recognize it, but he sees that he has changed the password. And he will be surprised that "my new password doesn't work". So in order not to give yourself away, it would be better to change the password anyway. I mean, how do users receive it?

I misunderstood the question, sorry. We usually use a log-in form, not a password change. We need to simulate a log-in panel, so that someone logs in and gives us a password. We can do it once or twice, so that we can simulate the entire web format later, and we can also see what password it will be changed to. But we did it very rarely, because we don't really need it. We would have to try harder and then we could think about what to do next. I am sure that if we did it in this deep form, we would also get to know the changed password. And then, yes, you are a familiar user: you would realize that you changed the password, it doesn't work for you, something is wrong. And now the question is whether you would report it or not. Sometimes it's really... It depends on the level of awareness. You know how attacks work. It's normal for you that if something happened with your password, and something works or doesn't work, then a state has changed and something is wrong. But it's not normal for an average citizen. He doesn't think in such categories. He's not technical. Maybe it doesn't work because the system didn't work. It used to be like that, that it didn't work for seven hours. Maybe it doesn't work today either. The guys from IT will fix it, I'm going for coffee. It doesn't automatically happen that if something strange occurs, the employee thinks: "Oh, there's probably a dedicated attack. I think the IP addresses indicate an attack from China and maybe it's our competition." The employee has to be thought of again in the category of a person who is not interested in IT, is not interested in security. For you, the password is the most important thing. You generate 60 characters, change them once a week, store them in closed, hidden containers. For the employee, no. For such an average citizen, I'm sorry for the word, "somewhere". And again, it's about making employees aware that something strange is going to happen. The feeling that something is strange is very difficult to grasp. For you it will be a situation: I changed the password, it doesn't work. You already know that something is wrong in the IT system, but for an employee who doesn't know IT, it may be something completely different. I hope it's a little better now. Thank you, thank you. I'll be here later.

Did you talk to Sylwia afterwards? How did she find out? Did she use the link, or did she notice something was wrong when she logged in?

Sylwia was... She is very rooted in the idea of the game and she is very conscious. She is not from IT and she was not affected by the situation. She knew where Andrzej was and at that moment it was not right for her. I don't want to answer the question whether she gave away her password. She reacted to the incident and it was great. Let's assume that sometimes the employee gives away his password and then reacts. That's also great. Because then someone will give the password, change it, or see that something is wrong, and then they will be able to see that something went wrong. It depends on the time of the attack. Whether you do it before or after lunch. Whether people are back from lunch, whether they are lazier or more active. Is it Friday? Do they have some time off? Is it Monday? Are they busy? They don't read the emails. It depends on the organization, on the time, on the lunch, whether it was good or not.

I would like to refer to the case of Roundcube. What does it show when you put in a login and password? Does it work? How does it look?

Usually, when we do something simple, like here, it was simple. Here, the information was displayed with some error: the system is not available, and that's it. The simplest thing. We weren't involved in creating it because we didn't have time for it. That was the assumption. But it's all about your imagination. If you have time and resources, you can create an almost working Roundcube, feed it with some data, which should also be navigable. It depends on what level you want to reach, how much you can.

You didn't have a situation where someone tried to change the password, got a message that it doesn't work, panicked, searched through the tabs, went to the real one, changed the password? He really wanted to change the password, and even though he couldn't, he went to your link. You didn't have a situation where you had 5 minutes to react?

In this case, we didn't do anything at all. After the login with the password, only the message appeared: system error, end. There was no panel at all, this Roundcube where you have to go into options, change the password, etc. We didn't do it at all because we didn't have time for it. It was very simple and fast. And again, the question is whether a lamp will light up for the employee: something is wrong. You have to remember that when a company is big and sometimes has dozens of internal systems, employees are used to the fact that something doesn't work. They know that there is an IT department that monitors it systematically, they have big TVs, and they don't have to report it because the IT department knows that something doesn't work. It will start working in two hours, like every three days, every five days. You go to the post office of various strange companies and the lady says: the system is stuck. Users are used to it. It doesn't make them automatically turn on the light and say: "Oh, I'm reporting a phishing attack to the incident department, because a message was displayed."

I have a question. From my experience, it turns out that someone always clicks. And it's like that, that about 10%, 5% of resources can always be taken. Do you have any proposals on how to protect yourself from users who are uneducated?

- "Fire them." - Yes, "fire them". It's a joke, but you have to be careful. For example, communicating with the client at the beginning, you have to explain to him right away that if you do a phishing attack and then you want to show that you are firing people, it is the worst way to educate.

- In my test, the employer did not even get an email, so that there was no blame; he only got statistics. But someone will always click, right?

Yes, I think the best option is to give statistics to the client. You can train users, educate them, but as you say, someone will always click. And now the question: how technically do you prepare yourself for a) blocking this attack as soon as possible, b) cleaning up after the incident? I absolutely do not believe that for the next 10 years (because later it would be crazy to guess what will happen in 10 years) I do not believe that a method will suddenly appear that will make users become aware of these threats and be able to act accordingly. I do not believe that. I have been educating for years. I see that you can raise the level of awareness by doing trainings, doing education, trying. But it's not like we will achieve 100% efficiency in the sense of all employees being aware and no one clicking. So: process, education and technical measures, trying to fight this problem. And assume that we will never win.

Have you ever attacked companies that use systems like Universal Two-Factor or a second factor everywhere where it is possible? Smartcards everywhere, various kinds of federated SSO and similar things. Are you able to imagine a system that would be resistant to you?

- When it comes to managing access.

- Sure, you can technically raise it. You have different mechanisms which make it harder to access the service because the user has to provide a lot of additional information, have something, etc., to manage the identity and what he does, etc. We did not do such tests in which we would have to face very advanced security. Then the cost of such attacks is simply much higher and the customer usually does not agree to it. It is possible, but it requires more work. We have friends in the competition who made similar attacks once or twice, and they managed to achieve the situation that employees were also transferring their tokens to phishing sites. So there are a lot of dependencies. These are mechanisms that make it difficult for attackers. But if you look at the history of how, many years ago, they broke into RSA or other big companies that also have great mechanisms and smart cards, it's a matter of how many zero-days you have, how much budget you have, and that's it. It's not that it's impossible. It's always a matter of cost. We perform such activities here usually in a week or two weeks of work. Therefore, the budget is many times smaller than for attacks that are carried out by organizations that have huge budgets: cyber-crime organizations.

Okay, I know that there would be many more questions. Time is running out. I suspect that you will catch up with Borys backstage. Meanwhile, thank you for the presentation. Thank you very much.