
BSidesPGH 2024 Track 1 Rachel Kang The New Generation of Phishing Beyond the Mailbox

BSides Peru · 47:43 · 55 views · Published 2024-08
About this talk
As our lives become more intertwined with mobile devices and "as a service" platforms, new forms of phishing attacks have emerged. How do we protect ourselves when phishing transcends beyond email to SMS, social media, and third-party territory? This talk will explore the growing complexity of phishing campaigns, their transition beyond email-based vectors, and what this means for the cyber landscape.
Transcript [en]

[Applause] Hello, hi everyone, welcome back from lunch. I hope everyone's been having a good conference today; there have been some really good talks this morning and you're about to hear another one. Welcome to my session, this is The New Generation of Phishing: Beyond the Mailbox. My name is Rachel, I am a manager at Aon and I deliver digital forensics and incident response services based out of Chicago, Illinois. I've been doing this for around 5 years now, and since I started my journey in this industry I've been supporting responses to a wide range of cyber security incidents, whether that's business email compromises, ransomware, or even nation-state intrusions. As a consultant I get to wear many hats and I get to dive into many different areas of incident response, and some of my favorites have been cloud forensics, which is a field that's growing very quickly lately. I also am very interested in Microsoft and Azure based compromises and just, in general, business email compromises themselves. Outside of the office I somewhat have a life and try to spend some time with my best friend Archer, pictured right here. I also go rock climbing and do Legos.

All righty, so what to expect from today's talk. We'll start by introducing the topic at hand and explore how phishing is no longer limited to just the email environment. As today's title and abstract indicate, we'll be exploring different phishing attacks that have been transcending across and outside of the email environment and that threat actors are leveraging more often. We'll discuss how phishing comes into play across our mobile phones and considerations for organizations with bring your own device policies in place. Then we'll explore how threat actors are leveraging the big brands, or trusted services, or third party services, to conduct phishing attacks that are more sophisticated in nature and complex than ever before. And finally we'll close out with some discussion of what's to come next and how AI has been slowly creeping into the phishing landscape over the last few years, and you'll walk away with other actionable guidance to take home with you today.

Okay, let's get started. Before we dig into the good stuff, though, I'm going to give you all a quick history lesson. I know this is a security conference, but this is going to be pretty quick. So 30 years ago we primarily communicated through fax, pagers and landlines. This was the humble beginnings of global communication and there were very few options to choose from. To make everyone in this room here feel old, I was born in '97, so I can't personally attest to technology here, but my parents have told me about it. But fortunately I was here for the next big wave as the world became more interconnected. We start to see the evolution of global communication, so AOL Mail and AIM were the hottest new technologies and people were checking out their friends on MySpace. We saw the first ever iPhone in 2007, and one of the first biggest computer worms ever hit a global audience, if you all remember the Love Bug virus or ILOVEYOU bug. In the 2010s email was no longer a novelty and Google had created a free email client service, better known as Gmail. Facebook overtook MySpace as the most popular social media platform and we saw more forms of technology start to emerge, like tablets and iPads; they started to gain traction across the average user, which I did not actually think would happen when it first came out. Breaches were getting bigger than ever, and we remember the infamous Yahoo Mail hack as well as the Equifax breaches that occurred in the mid 2010s. We can see a trend here in some sense: as our forms of communication grow bigger, our breaches are growing bigger as well, at least back in this time. You can see in this New York Times headline right here, the 2013 Yahoo breach affected all Yahoo accounts that were inside the environment at the time, and this was essentially the beginning of the company's reputational downfall. So breaches during this time were unique in the sense that technology was advancing

much more rapidly than the security controls could catch up to. So this takes us here to today, in 2024. At this point many users have many different forms of communication to choose from, and actually a little too many if you ask me. Facebook had become Meta Platforms, Google had not only established Gmail but hundreds of different services all packaged into this one nice brand called Google Workspace. Nowadays the average user has at least one personal and/or corporate phone, laptop, potentially even tablet, and each of those devices carries various forms of communications and third-party services from third party providers all over the world. These devices in some way have become synonymous with our identity. One part of MFA is something that we have, and devices are going to always be with us nowadays.

As you saw from the previous history lesson, email was one of the earliest forms of communication that emerged, and naturally threat actors began to target it more in the beginning. But communication is growing nowadays, so phishing attacks are also evolving. Nowadays security experts should be aware of the other threats growing across different mediums and platforms as well. According to ReliaQuest's annual threat report, 71% of security incidents that occurred in 2023 involved a phishing link or leveraged some form of a phishing attack. Phishing is a very simple but effective concept. It's so simple because threat actors don't need to be relying on some kind of technically savvy VPN exploit or find a zero day vulnerability or something to attain initial access; all they need to do is lure one unsuspecting victim into clicking on a link or doing some other activity, and boom, access is granted. So because of how simple it is, phishing is still the number one tactic that threat actors use to gain initial access across security incidents to this day. And as we saw, threat actors are targeting emails more, but because phishing is evolving we'll also explore over today's session various phishing attacks and other attacks that are spreading across mobile devices and trusted services, including SIM swapping and SMS text message phishing, also better known as smishing. We'll be talking through how threat actors are leveraging big brands to conduct advanced social engineering attacks, and finally how AI is starting to play a bigger role across phishing campaigns overall. But ultimately the goal today is for you all to walk away with more knowledge regarding these emerging threats and hopefully provide some guidance on how you can protect yourself on both an individual and an organizational level, now that phishing attacks are transcending into these third-party, SMS and text message, and social media territories.

All righty, so bring your own device policies are becoming much more commonplace than ever before in organizations nowadays, which does raise several concerns on how to protect yourself from these mobile based phishing attacks. Almost all of us have a personal email account or a corporate email account, and as phones become a part of our identity, companies are now starting to integrate those devices into their corporate networks as well. So over the next few slides we'll discuss several types of popular phishing attacks against mobile devices, including the famous "-ishings" as well as SIM swapping. We'll also run through an example case study illustrating how such attacks come into play in real world investigations.

So as security professionals, many of us by now all know what phishing is and what the variations of phishing look like, and generally all of these encompass just mobile based phishing attacks. So to start, SMS text message phishing, or smishing, is a social engineering attack that targets messaging based platforms. So this could be Apple's iMessage environment, or SMS text messages, or even WhatsApp messages. Attempts to phish someone through this method are very difficult to contain from a security perspective, because there's very little auditing or security on messaging platforms compared to that of something like an email server. So even companies that have mobile device management in place can also be affected by limited visibility, as employees' personal phones may also be targeted sometimes as well. Vishing is a social engineering attack that is conducted over voice or a phone call. Threat actors can spoof caller IDs to be originating from a trusted source, or even worse, use AI to mimic a trusted voice or someone that you know to obtain sensitive information from you, which is pretty messed up. There are even fewer digital footprints for vishing than there are for SMS text message phishing, and ultimately your cell providers may be very limited in their ability to work with you and provide that kind of metadata and information as well. Finally, a novel and rapidly growing "-ishing" attack is called quishing, or QR code phishing. Quishing relies on users blindly trusting that the QR code that they're scanning is going to direct them to the expected or trusted site, but instead threat actors are starting to use phishing codes to reroute you to a malicious phishing page. There are no ways to hover over a QR code to check its destination, and anti-phishing filters are not yet advanced enough to be able to scan visual-based QR codes to check for those, though I actually do expect in the near future for more solutions to develop that as this attack becomes more common. At Aon we investigate many types of matters that involve any one of these types of "-ishing". We've encountered

smishing a lot more lately just because of the prevalence of people using text messages as a form of communication, but to read more about any of this or any lessons learned from those experiences, you should check out our case study on our website.

All righty, so moving on to another popular attack that's been gaining a lot of traction in the security world, at least for the last few years, is SIM swapping. So at a high level the process goes like this: a threat actor identifies a victim and conducts very thorough research on them, obtaining their phone number, cell carrier details, personal information, their spouse's birthday, whatever, all of that information to later leverage in a social engineering attack. Once they have all this information, they reach out to the cell carrier to swap out the SIM associated with the phone number. So essentially the social engineering aspect is entirely targeted at whoever is picking up the phone on the cell carrier's end of the call, and if this is successful, the victim's phone number has now been transferred to the SIM card controlled by the threat actor and the victim loses all connectivity to their phone. The threat actor at this point has full access to that phone number, is able to access your accounts, is able to send text messages posing as you, and make phone calls. This process in its entirety seems very convoluted; who wants to go the extra step of reaching out to a cell carrier provider? But this attack has actually been seen in the wild many, many times. In 2021 the FBI reported an adjusted loss of $68 million to just SIM swapping, so this is very much being seen very often. Our team recently also wrote a case study on SIM swapping attacks that we've personally investigated at Aon, so if you'd like to read further on this topic as well, please check out our blog post.

All righty, so over the next few slides here let's walk through a case study that involves a smishing attack against a company that has single sign on. So for those of you who don't know, single sign on is a method that allows users to log onto multiple different applications with just one set of credentials. So step one, a threat actor crafts a malicious text message that contains a phishing link, then sends it to thousands of employees at Company X. The threat actor designed this link so that it would reroute to a page that looks identical to Company X's legitimate login page. The fake website is automatically set to capture and forward any credentials that are entered to be submitted onto the legitimate page, which will then trigger an MFA prompt to the victim themselves. The fake website at the same time will request that the user enter the MFA code or one-time password, which is similarly forwarded to this legitimate website. So through these processes the threat actor has now got the user to enter their credentials and the MFA code into a fraudulent page, which was on the back end simultaneously entered into a legitimate page that the threat actor is monitoring. So the threat actor now has full access to the victim's account. Sorry, because this company leverages single sign on, this one log on allowed the threat actor to have full access to the company's enterprise resources. This could be things that the victim has access to, so things like Salesforce, Jira, and if you're an admin or administrator in your account or in your firm, or a help desk employee or whatnot, this can mean a lot more privileged applications like production environments, or Jira or whatnot, or Bitbucket. So we can see how an attack like this is very simple in nature but can lead to very lasting damages.

This exact attack scenario actually occurred in mid 2022 and is more popularly known as Scatter Swine. This affected over 130 US companies, mostly hitting IT, software and cloud service industries. You can see examples of fraudulent text messages that employees received up on the slide here. The links were slightly modified to mimic the legitimate login pages, with "-okta" or "-sso" or whatnot. So these text messages not only reached corporate phones but employees' personal phones as well, as well as family members of employees. So Cloudflare was actually one of the companies hit by Scatter Swine, and I believe they are here today. They released a thorough review of the incident afterwards regarding the tactics, techniques and procedures leveraged throughout the incident, which is how we were able to uncover these details here today. So let's run through some of the details that made this attack so impactful. This attack in the nature of itself inherently bypasses MFA, because the victim is entering both their password and their MFA code or one-time password into the fraudulent website. The threat actor has successfully tricked the system into thinking that they are the user even though they're not, and there's no need to call the victim to beg for an MFA code or exploit some kind of firewall or whatnot; just craft the phishing link and send it over and you're ready to go. Another reason for why this attack is so impactful is because, like I mentioned before, these smishing links were sent to employees' personal phones, not corporate phones where there is mobile device management and auditing or

security in place. So it was actually very difficult to track down how the threat actor was able to obtain a listing of personal phone numbers, as well as family members' phone numbers, but this just emphasizes how strong user training on top of technical controls can help secure environments in the long run. A lot of companies use single sign on because it's a streamlined way for authentication; it's very easy, with one set of credentials you can access everything that you need. But this also makes it easy for a threat actor. Normally, threat actors, to gain such broad access onto an account, would have to deploy some kind of script or malware to elevate their privileges or something along those lines, but this method bypassed all of the need for any of those and, just with the nature of single sign on, was able to access a broad range of applications. Say that that did happen: even if companies have internal analytics tools in place that track anomalous behavior, that may also be missed or bypassed, since the threat actor is using a legitimately authenticated account, as opposed to an account that's a guest user or just recently created, which in itself raises its own suspicions.

According to a study conducted by Cybersecurity Insiders, 82% of organizations have at least some form of a bring your own device policy in place, and as evidenced by the last few slides, security professionals should be aware of the attacks and risks against our mobile phones before or while adopting such compliance policies at your organization. Technical controls will always be the first line of defense. Mobile device management as well as device compliance monitoring are a very good first start to ensure that you have full visibility across your corporate environment. Threat actors are finding very innovative ways to bypass MFA, so stronger authentication is also recommended as well, things like FIDO2, biometric authentication, even YubiKeys or whatnot. Outside of technical controls, though, employee training will always be recommended. There's only so much an organization can do in terms of limiting the risks and adding more technical controls, so essentially the human factor will be the last line of defense. Say that an attack somehow seeps through all of your firewalls and all of the controls that you have in place and evades antivirus solutions; you should ensure that your employees are equipped with the knowledge and the right red flags to recognize such attacks as well and report that up. And finally, policies keep the world compliant and establish guidelines and procedures for employees and for organizations' IT teams as well. Established process and response plans can help in the event of a device based security incident, or just a security incident in general, and assist with rapid remediation in that sense.

All righty, so putting our phones aside for a second, let's discuss another entity in our lives that is as ever present as our smartphones are, so that's going to be third-party trusted services. Is there any company out there that does not use third-party services in some capacity? If I were to start my own company today and I want to use email, am I going to create my own email client just to use it, or maybe outsource that to Google's Gmail or Microsoft's Outlook? In this section we'll run through some of the examples that attackers have been leveraging, especially with regards to cloud-based productivity suites and collaboration tools offered by big brands like Microsoft, Google and Amazon, and we'll discuss how threat actors have been using those tools to evade traditional security measures and conduct sophisticated phishing attacks. We'll also discuss consent phishing and similarly run through case studies of such attacks in the real world.

All righty, so at the heart of phishing is just social engineering, and we know that at the heart of social engineering is just turning trust into a weapon. So by now, all of these big tech names like Microsoft, Google and Amazon, we've encountered one of their services in one way or another in our professional or personal lives. These companies have spent decades building their reputation with cutting edge services and establishing that trust with their customer base, and threat actors have been noticing this and exploiting this trust associated with these brands to try and attempt to deliver phishing attacks. There is an especially increased risk factor for services that offer productivity suites. For instance, Microsoft OneDrive and SharePoint are services that are dedicated to storing company data, potentially sensitive files or whatnot; that is a rich place for exfiltration in a threat actor's mind. Google's Drive and Docs is another example and is also very popularly targeted. There's also an increased risk for services that inherently involve users clicking on an external link, for file sharing services like Dropbox or Box, or sending over documents to sign, which I know is very commonplace in legal industries. So essentially this is routinely conducted, and so these services are at extra risk because of the nature of what they do on a day-to-day basis. This method is so effective because threat actors can disguise their attacks as a routine Google notification, or a client sharing an expected document that you were expecting to receive, so you just click on it, you don't think twice about it. They don't have to create any emotional lure to get the victim to click

on the link; the established trust already facilitates that, right? So let's run through an example case study of how this can come into play in real life. A threat actor meticulously crafts a phishing link that looks like an expected Microsoft SharePoint login page or notification document. There's one of two ways that the threat actor can craft this link: they can either point it directly to the malicious website itself, which looks like the SharePoint login page but in actuality is not, or they can point it to a legitimate SharePoint link that contains instructions to log onto a secondary site and enter credentials into that secondary site. The second method bypasses any phishing filters that check through embedded links, so we'll more likely see method two in the wild. And finally, victims enter their credentials, allowing the threat actor to capture them for further usage, however they would like. So this is an example of a real phishing email that links to a web page imitating a SharePoint notification. As you can see here, this attack used the second method in order to prevent any triggering of antivirus or anti-phishing solutions for the specific "click here" link, since it doesn't reroute to a phishing link itself; it reroutes to a legitimate SharePoint document, and there are instructions to enter their credentials onto a secondary link. So this is how threat actors are able to bypass phishing filters and whatnot. For comparison, this is the real SharePoint document sharing notification. The threat actor has some work on them: they need to keep up with the UI changes that Microsoft, or whatever companies, conduct, just to better convince the victim that this is the service that they are posing to be.

So moving on to our next attack related to brands, consent phishing. So consent phishing is a very, very insidious technique that tricks users into granting a malicious third-party application full access to their account, rather than providing something like credentials or MFA; none of that is involved. So I'm sure you're wondering how this is even possible, and it's because this process relies entirely on tokens and not credentials at all. The high-level process goes like this. So a threat actor creates a malicious application and registers it with a legitimate OAuth 2.0 provider. Once that's registered, which is surprisingly easy, the application is registered with a target platform like Azure Marketplace or Google Workspace or whatnot. This is actually the more difficult portion for the threat actors, because those companies are now automatically scanning those applications for any malicious activity, so they're helping us out a little bit there. Once that's registered, the threat actor sends an email or a phone notification to a victim asking them to grant the malicious app permission to their account. If the victim accepts, the threat actor now has wholesale access to the victim's data, and at this point you cannot kick them out with a password reset; that will do nothing, because at this point the threat actor did not obtain any credentials to gain access into your account. There are no malicious links that are scanned along the way, since the threat actor is controlling an application and not a website that is associated with the link. And because there are so many applications that are integrated into a corporate environment, this type of configuration doesn't really raise many suspicions. I believe even my company, we have thousands and thousands of third-party OAuth applications that legitimately integrate and help our business operations every day, so it's easy for a threat actor to attempt to obfuscate, to add a malicious application under the guise of a real one. This is an example of an application requesting such consent to your account; all of us have probably seen this before at this point. On the left hand side is an unverified application that is requesting access to a list of permissions here, those being reading all groups, maintaining access to your data, and just viewing your profile, which are pretty standard permissions. But in the middle here we have much more overarching permissions that may be configured with an application, and some of the most damaging being read and write access to your mail and all your files, basically. With these permissions the threat actor can pose as you and send emails as you, send out phishing links as you and such, or exfiltrate sensitive SharePoint files or whatnot. Like I mentioned earlier, companies are now auditing applications registered in their marketplace, which is very good, so there are some defenses, but organizations can also implement this on a tenant level by adjusting several settings within the Azure AD portal. If, say, you're using Azure AD Marketplace for your applications and OAuth applications, you can take actions to limit employees' abilities to approve any OAuth applications onto their account without first having an admin review that request or whatnot. So these attacks are becoming much more prevalent, and it looks like at least Microsoft Azure and Google Workspace have been responding to these threats by proactively scanning across their marketplace, but users should also be aware of what a malicious application looks like. I'm sure many of us have never read these permissions, or I hope some of us do, but this can be a very damaging method

of accessing someone's account. Right, so because organizations already have some level of trust with third party services, it's easy for security professionals to rely on third party services to secure their own environment or whatnot, but there needs to be a balance between the vendor, the customer and the users themselves to ensure full security across all mediums from phishing attacks. This is going to be a very recurring theme throughout our session, but employee training is always going to be recommended when it comes to safety against phishing. You can set clear standards for your employees surrounding sharing of sensitive information to avoid any wire fraud based activities, ensure that multiple checks are in place for potential social engineering based attack vectors, and in addition to that you can ensure that your employees are aware of the concept of malicious applications and things regarding consent phishing. More access and technical controls can also be helpful: ensuring that all third-party applications have as minimal access to your environment as necessary, and routinely auditing the applications that do. You wouldn't want, let's say I use this method to connect my Google account to, say, the McDonald's app; I don't want McDonald's to have full access to my account, they can just look at my profile. So these sorts of things, you should definitely review those settings associated with the current OAuth settings, and if you see anything suspicious or unfamiliar, you should report it to the associated cloud platform. All righty, so, oh, one thing I forgot to mention: a notable recommendation is to consider AI based security solutions to help identify behavioral based alerts, because threat actors are starting to avoid including specific signatures like hashes or IP addresses that automatically alert based on an indicator. Using AI to help predict malicious alerts based on the behavior that you see in your environment can help with detecting sophisticated multi-chained attacks like we saw in consent phishing and some of these other attacks as well.

All righty, so in our final section here we will be discussing the overall changes to the phishing landscape and what's expected as artificial intelligence is growing and being used a lot more across our day-to-day lives. I'll speak a little bit to phishing as a service and phish kits, as well as how this shift in landscape is also shifting the priorities for organizations' IT teams as well. Okay, so we incorporate AI into our lives to make everyday tasks a lot more efficient, and threat actors are also doing the same to make their everyday task of conducting phishing campaigns more effective. For the longest time, phishing emails crafted by a human contained red flags similar to the ones that you see listed here, most of which we can spot pretty quickly, and most of these are pretty much caught by anti-phishing filters pretty much immediately, before even reaching an inbox. But just to illustrate this point, for example, this is a real human generated phishing email about a failed processing order and it contains a wealth of red flags: things like typos in the content, unexpected font (we don't really see this font, you don't expect to see that), odd sentence structures, mismatches between the sender and the names, very generic greetings and signatures, and finally a sense of urgency in an unexpected and unsolicited email. I never placed an order, I don't know why I got this. So this is a pretty bad example; this would have been probably caught by filters before it even reached your inbox. But so, just to better illustrate, here is an example of an AI generated phishing email pertaining to a Netflix billing issue. So as you can see here, there are no typos or grammatical errors, the sender domain is obfuscated, and they greet me with my name and close out with the expected Netflix signature greeting, and finally an actual credible sense of urgency that isn't explicitly requested by the threat actor but rather created by the emotional lure that most people would have by losing access to their favorite streaming service. It's interesting now that typos or errors more likely indicate a human had created the email.

All right, so according to a 2023 study by Infosec Magazine, 71.4% of email attacks created by AI go undetected. There is a rising trend right now where "as a service" platforms are everywhere, and threat actors are even getting in on this too. They are adopting this model to sell phishing capabilities on the dark web, also referred to as phishing as a service. Threat actors have become service providers and are selling full service offerings on the dark web for as low as $60 a month; some even offer curated tech support after hours for an additional fee. Another popular option sold is a one-time purchase of a phish kit, which I believe can also be sold for as low as a $20 flat fee. AI generated phish kits can include things like high-quality phishing templates with very catered jargon for your industry, spoofed company logos on login pages for Dropbox or Microsoft, and even recommended lists of potential targets, all the while evading detection mechanisms. The earlier case study that I mentioned with Scatter Swine, related to smishing attacks that affected Cloudflare, also leveraged phish kits and came pre-generated with all of those company logos and fraudulent pages pre-prepared. So phish kits are very much in use and have been seen in the wild very often. There are many reasons as to why a threat actor is using AI in phishing scams, and it's because the technology is helping bridge several gaps that exist in the current social engineering scams right now. One of the biggest benefits is the ability to simulate human interactions, between generating perfect emails that are catered to the victim's native language, or mimicking a loved one's voice on a vishing call or whatnot. It's becoming very difficult to discern who we're actually talking to on the other side of the phone or email or text message. AI, and specifically phishing as a service subscription models, allow for criminals with very little technical skill to conduct mass phishing campaigns. That lowers the barrier of entry for even the most novice cyber criminals to enter this space and conduct phishing attacks. And finally, with the success rate of AI generated phishing emails, threat actors are broadening the reaches of their attacks and increasing the surface area of potential victims. New forms of phishing attacks will continue to emerge, but at the heart of it is still the same goal: they're all attempts to lure unsuspecting victims to divulge private or confidential information. While digital communication platforms exist, threat actors will continue to evolve and defend their techniques to exploit those mediums, and there will be no one

solution to eliminate fishing attacks from our digital landscape but there are actions that you can take on an organizational and an individual level to further protect yourselves against such risks and stay educated so throughout the session here today I have Peri periodically provided some you know high level guidances with regards to specific attacks that I've mentioned um but ultimately a combination of equipping your organization with um Advanced AI based Solutions educ the workforce on potential risks and promoting a culture of awareness is the best way to move forward to ensure of a good security hygiene each in organization will have different priorities for its security posture and there's no one answer to this issue but at a minimum the best

place to start is to bring awareness and recognize that this exists if you want to read more about what you can do to protect your organization or want to learn more about any of the you know Concepts mentioned here today you should check out the blog post written by the person who said this fantastic quote up top which happens to be me um my blog post is titled the evolution of fishing campaigns and explores in details a lot of the case studies and information presented here today we do a lot of fascinating work over here at dfy Aon so check out our Twitter page or cyber blogs to read more about anything that I mentioned today

Thank you. [Applause] Any questions? Yes, green shirt.

Thank you. When you're talking about the SIM swapping events, have you found or uncovered, like, insider threats happening at the service providers, where they're part of the SIM swapping process and sort of helping the attackers, or are the attackers themselves?

That's a good question. I have not personally seen that; that sounds like something that would happen in movies, to be honest. Yeah, I have not personally seen that in the types of SIM swapping cases that I've personally seen, though I can't speak to all of the SIM swapping cases out there. There could definitely be a situation in which that may occur, especially if someone who has malicious intentions is positioned at a cell carrier provider or whatnot, who's answering those calls. So I haven't personally, but there definitely could be. You, anywhere you choose.

Yeah, so in the context of phishing, vishing, or any of those, have you seen an increase in QR phishing, and on what specific, like, whether it's Outlook or...?

Yeah, so I actually have personally not investigated any QR code-type phishing investigations just yet, but I believe Proofpoint releases an annual State of the Phish report every year, and 2024's prediction was that QR code phishing is rising exponentially this year. It's still the middle of the year, we haven't seen what's going to happen, but if that was mentioned by Proofpoint I would say that's something to be at least keeping an eye out for, even if I haven't personally investigated it on a day-to-day basis or whatnot. I did hear about barcode phishing on security badges. Yeah.

Thank you for the talk. For organizations that have switched over to FIDO2, so totally passwordless, what are the phishing trends you're seeing towards those types of targets?

That's a good question. By the suggestion of, you know, FIDO2, YubiKeys and biometric authentication, by implementing those it's still not to say that you're 100% protected from phishing; there will be other mechanisms, but it is exponentially harder using the same tactics as on a password-based authentication. FIDO2 is much more difficult to break. Fortunately, I can't think, off the top of my head, of any instances in which that was bypassed in any way. I did, I think, for that actual page, post a blog post, kind of a shout-out; I think there may be some information in there. I can double check and reach out to you if that helps, but yeah, sorry I can't give you a better answer on that. Yes, wait, where am I getting my steps today?

Hey, thank you. It seems like cell carriers and phone manufacturers are trending towards eSIMs now. Is there any security benefit to having an eSIM as opposed to, like, a physical card, or is the process still just as vulnerable as it always is?

I am unfortunately not too much of an expert on eSIMs. I know about them, and I know that they've been being adopted a lot more, partly in response to SIM swapping but for other reasons as well, for ease and whatnot. I believe that if more people start to shift towards eSIMs rather than physical SIMs, there will be ways that threat actors still try to manipulate that, especially because it's an e-card rather than a physical SIM card. People think SIM swapping is less practical because it involves something physical rather than all being electronic or whatnot, and so my suspicion is that there will be attacks that emerge with e-cards as well, although I can't think of any off the top of my head, just like the previous one. But yeah, I think I might have to do a little bit more research on that, specific to SIM swapping and what the future of SIM swapping looks like. But I think checking out that blog post, the SIM swap attacks one we wrote at Aon, should provide you at least a starting point for where to go next.

All right, we're going to get set up for the next talk. Rachel, will you be around for discussions out in the hallway? I will be. Awesome, thank you for a great talk. Please, another round for