
Hi everyone, I'm Stefan and welcome to my talk on phishing. I'll try to make this talk a bit more interesting; maybe you'll be able to learn something about phishing from the perspective of a SOC analyst. Before we get started, I want to share the contents. I'll go over the introduction shortly, followed by a quick introduction to phishing to get everyone up to speed, then some phishing examples from my personal inbox, because everyone gets phishing attempts. After that, I'll move on to some SOC war stories about phishing; these have been my absolute top three favourites so far this year. Then we'll talk a bit about phishing in 2025, and I'll end with some advice from me on phishing.

So who am I? I currently work as a 24/7 SOC analyst at the LRQA Nettitude SOC, so I mostly do level one and level two work, for anyone familiar with SOC levels. Before that I worked in threat intelligence at Searchlight Cyber. A lot of that time was spent on the dark web, looking at what threat actors were up to and so on. In 2023 I did a short Rookie Track talk here at BSides London, which I believe is on YouTube for anyone interested. I remember when I first started my role at Searchlight Cyber: in the first week I received a phishing email from the "CEO" asking me to contact him on WhatsApp. I shared that with the rest of the TI team as I found it funny how bad the phishing attempt was. At first I thought it was some sort of phishing training for the new interns, but no, it was an actual actor trying his luck with the new intern. Before that I also worked in IT support at the University of Portsmouth, helping students with any tech issues. As for my education, if anyone's curious, I have a master's in cyber crime and a bachelor's in cyber security from the University of Portsmouth, and my socials are also on this slide if anyone wants to connect or come and say hi afterwards.
Okay. So, what is phishing? I hope everyone knows what phishing is, but if not, we'll go through a quick definition followed by all the different kinds of phishing. Phishing is a type of cyber attack that uses fraudulent emails, text messages, phone calls or websites to trick people into sharing sensitive data, downloading malware, or otherwise exposing themselves to cyber crime. As everyone can see from the table, there are plenty of types of phishing in 2025. I do hope I haven't missed any, but if I did, please let me know after this talk. I'm not going to mention every single one of them, just the notable ones from my perspective. We've got email phishing, the classic one that started it all; vishing, phishing via phone calls; smishing, phishing via text messages, and I'm sure we all get text messages from "Royal Mail" or about parking; quishing, phishing via QR codes, which has made the news a couple of times recently; angler phishing, fake social media messages and profiles; and business email compromise, also known as BEC. That one is one of my favourites, as whenever I get hit with one of these I usually spend about an hour on it before it takes over. And last but not least, another of my favourites is pop-up phishing, one of the reasons why I use ad blockers. uBlock Origin can prevent JavaScript from running on websites, which is great, and I also have ASUS routers with Trellix AV built in. It's always fun to look at what it blocks and dig further into them.

Moving on. I do want to show that I get a lot of phishing emails. This is just one full page of my spam folder on the slide. Thankfully Gmail sends these to spam, otherwise I could not deal with them. But some of them do fall through the cracks, especially the ones containing PDFs, as I have noticed this year. So what does my spam contain? We've got "account blocked", I have won an e-bike, and Binance has sent me 62,389 USDT. That's about 47K if anyone's wondering, which would be nice if they actually had. I once received a phishing email from "PayPal" that was pretty decent. It had no spelling errors and it knew a couple of details about my old PayPal account, so I decided to send it to PayPal as someone might potentially fall for it. I would also recommend that if you see any phishing emails that get past the filters, you report them. Now, for the next slide I clicked on some of these phishing emails to see if they are still active. I did use a safe environment to limit my exposure, for anyone wondering.

Phishing example number one. This is the one about my account being blocked. Having a look at the email, which is on the left side, it shows that my photos are full, my files are full, my "family" is full (not sure what that is about) and my emails are full, and I love the spelling on that one. And we've got my device backup almost being full. This URL was reported as phishing by one security vendor out of 98. I'll go over these after showing the second example of phishing, which I'll bring right up. So here we have a phishing email from "Admiral". Based on the context, I believe it's related to the car insurance side. Admiral is congratulating me on winning a car emergency kit. It appears to follow a similar pattern to the previous one, where the email sender is a total mess. I had a laugh when I went on the website and saw how much money Admiral has supposedly given out so far; if they actually had, that should have been on Money Saving Expert.

Okay, so, phishing broken down. What did these phishing attempts have in common? I have here on the slide the threat to my storage alongside the sense of urgency, followed by the email from Admiral, which also tells me that the offer, even though it's a giveaway in my opinion, expires today.
After that we have a suspicious sender and suspicious subjects that have raised some red flags; I'll come back to these towards the end of the presentation. So the first example was telling me that my storage was almost full. I do not use that service for storage, and they also had no branding. So I found this quite interesting, to be honest. For the Admiral one, I don't drive and I don't own a car. So why would Admiral contact me about winning a car emergency kit? I would most likely have remembered if I had signed up for a giveaway like that, and I'm not sure it would make a decent Christmas present, to be fair.

Okay, so before I get started with some of my war stories, as I like to call them, I've got some key points to mention. The URLs have been taken down, unfortunately, as these are pretty old and they didn't stay up after we sandboxed them for further analysis. They have been reported, and now they'll flag up when similar activity happens. And of course I'll be a bit limited in terms of what I can share about the incidents; in some of the examples there was too much PII to cover, unfortunately.
I want to start this off with a bit of a funny phishing attack, as this is not what I expected when I first got the alert. I just thought it'd be a pretty straightforward one, but no, I was wrong. The first employee forwarded a phishing email that they had received to other users within the organisation. The security tool blocked three of the emails once one user had clicked through on the phishing link and entered their Microsoft credentials. This obviously required immediate action from the client, as one user was compromised and a second user still had the email in their inbox and it needed to be removed. On my next slide I'll go over the takeaways from this incident.
So the phishing email spread internally to multiple users due to the lack of training of one user. If this email had been forwarded further, the company could potentially have had a mass compromise. The security tool technically did its job; because of how the phishing link worked, redirecting to a different site, it could not categorise it correctly until someone fell for it. We contacted the company immediately and sent the case over with the incident details so they could take action to prevent further potential damage to the organisation.

That's it, on to war story number two. This one was not escalated by me, but reading it I found it really interesting and worth sharing with everyone, to be fair. This was a targeted spear phishing attempt using a convincing HR-style "updated benefits package" lure to drive urgency and trust. The user engaged with the lure and entered their credentials, enabling attacker access. Shortly after, Sentinel flagged a sign-in from a known malicious IP with a C2 history, strong evidence that the credentials were actively being abused. Although the login appeared to be from the UK, it was geographically inconsistent with the user's normal pattern, pointing to account takeover rather than legitimate travel. This highlights that attackers can often choose infrastructure close enough to blend in while still being anomalous. So spear phishing can bypass generic filters. This triggered on a suspicious login from a known malicious IP, not on the user clicking a malicious URL and entering their credentials. We require strict controls on how internal comms are handled. If HR has a specific way of sending emails, then all employees should automatically be made aware of it and report anything out of the ordinary. For this specific incident, the action was to reset the user's credentials, revoke all sessions and enable MFA for the user, as they did not have MFA. I do have to say that in my opinion MFA should be the standard for everyone in 2025.

War story number three. I do have to say this story is by far my favourite. I was working a night shift from 8:00 p.m. to 8:00 a.m. and my colleague called in sick that night, so I was alone for the 12-hour shift. This alert came through on Sentinel, and one thing I like about Sentinel compared to other SIEMs is the incident timeline, as it wraps things up nicely to build a picture for the client of what happened. I have the incident timeline on the slide as well. At around 10:30 I saw the AiTM phishing alert in Sentinel and I knew straight away, just based on the alert name, that I would have to call the customer, as that was 100% an account compromise. At first, when I saw this risky sign-in, it didn't point out the user as a high-risk user. On this occasion, after the escalation and doing some further digging, I realised that it was the CEO of the company who had fallen for a phishing email. Digging around the URL, it showed me the use of a Google Docs URL for a "Microsoft voicemail" alert, which raised major red flags for me while I was investigating this alert for the client.
War story three takeaways. Senior executives remain prime targets. They're high-value targets because they hold access to sensitive data and their instructions carry authority, making whaling emails especially convincing. AiTM bypasses MFA by intercepting live sessions, which can be abused quickly, as shown on the previous slide where the threat actor was waiting to see if the CEO would fall for it. The threat actor logged in five minutes after the CEO clicked on the malicious email. So real-time monitoring of geolocation anomalies and risky sign-ins lets any anomalies be observed. I do have to say that I really enjoyed working on this incident, and Sentinel has made it easier to work with.
So overall, this slide highlights why user awareness remains essential in defending against phishing threats. While technology helps reduce risk, it cannot fully eliminate human-targeted attacks. Phishing attacks evolve continually, so user training will always be required. Attackers adapt faster than tools, meaning people need ongoing education to recognise suspicious messages. Solutions such as Zscaler and Mimecast provide strong protection, but they're not foolproof. Attackers often find ways to bypass filters and things like that, as seen before. For one of these war stories from the SOC, I do have to say the company had a capable IT help desk that deals with internal phishing incidents really fast. They also had an internal SOC, with LRQA being the external SOC. I'm bringing this up just to show that even with all of these in place, phishing can still bypass the security measures, but all of these incidents were resolved before turning into something much worse.

Okay. This slide highlights the core phishing attack figures drawn from the identity theft report in 2025. The Internet Crime Complaint Center received just over 300,000 phishing reports in 2025, which is significantly higher than a few years ago and shows a continued upward trend in attack volume. Phishing now tops all cyber crime reports, indicating broad reliance by cyber criminals on this method. Email remains the dominant delivery channel, used in around nine out of ten attacks, with Gmail accounts being frequently abused. Financial losses directly attributed to phishing incidents exceed $52 million, underscoring the economic impact. Almost half of ransomware incidents originate from phishing vectors, showing how these scams facilitate more damaging attacks. The financial sector is the single biggest target, but phishing affects many others, including SaaS and social media services. For the SOC war stories, the companies involved were not in finance, SaaS or social media services.
Following the boring but important part of this talk, I do want to talk about a collective, as I like to call it, since it's three different groups working as one that has made the news this year: ShinyHunters, Scattered Spider and Lapsus$. On the slide I have their motto: "Sorry if we didn't hit you yet. Don't worry. Threat actors associated with ShinyHunters, Scattered Spider and Lapsus$ are working hard towards collecting your database." I have to say their motto is pretty bold. I grabbed this from their Telegram chat alongside another interesting piece of information. They have mentioned that their initial demand has never been below 400K. Now that is a lot of money. Not sure how true that is, but actors have been known to pay huge amounts of money for an initial foothold into an organisation. They did this with the help of initial access brokers on the dark web. These threat actors sell credentials harvested from keyloggers and phished credentials. But yesterday they posted an update on Telegram about the unit losing funding for the operation. I did have a laugh when I saw this, but then I remembered that I needed to update this in the slides as well. Now, does this mean that they're gone? No. They might get funding again next week, or they might just break apart and continue operations on their own instead of collaborating. Just because one unit is gone does not mean that it's over. There are plenty of other threat actors that will take their place.

So from the perspective of a SOC, even in 2025 simple phishing emails continue to be highly effective. Attackers don't always need sophisticated methods; basic social engineering still catches people out. For all of the examples shown earlier in my SOC war stories, none of the emails appeared to be impressive, nor did the websites appear to be highly sophisticated. Maybe it was bad timing on the users' part, or the lack of training played a factor. When we look at the activity of groups like ShinyHunters, Scattered Spider and Lapsus$, it's clear that phishing remains a core part of their playbook. These groups target organisations across various sectors, and their continued success shows that phishing is not disappearing. The reality is that some users will always fall for phishing emails. Attackers exploit human behaviour: curiosity, urgency and stress. These factors are very difficult to eliminate entirely. Phishing is a people problem and our defence must reflect that.

Now some advice from me as a SOC analyst on phishing, based on everything I've shared so far during this presentation. I want to share some advice towards spotting phishing. Triple-check the email. Was it expected? Does it match the sender? Language matters here. Based on what I have observed, it seems that most phishing emails come from countries where English is not the first language, so there might be spelling mistakes or something confusing. Run the URL through a URL checker to verify if it's legit or if it has been reported before. On the next slide I'll share some URLs that I enjoy using to check for phishing. Check if the domain is legit and written correctly. On this slide I have a recent URL that has made the news for how simple but effective it is. Instead of being microsoft.com, it is rnicrosoft.com: the "m" is swapped for an "r" followed by an "n".
Here are some of my favourite websites that I like to use to validate phishing URLs. I would recommend everyone use them, as they're free and awesome. First up, we've got VirusTotal. It's just great; you can even upload files. Next up, we've got urlscan. I like this website as it gives me screenshots of the website and shows me where it is hosted, alongside the Google Safe Browsing API. Next up, we've got URLp. I mostly use this when I'm not 100% sure or I just want a screenshot of the website. URLVoid is also great, similar to VirusTotal and Draco, but I do have to say my favourite is Draco due to the integrations it has. It includes VirusTotal, Spamhaus, LevelBlue Labs and TrapBox. Great for IOC tracking. I have also attached a screenshot at the bottom for the rnicrosoft.com website, which has been flagged by 16 security vendors out of 95 for malicious activity. The website is no longer up, hence the low rating, but this does not mean that it will always be down. The domain doesn't expire for another four months and it could be live again tomorrow. For now, thank you.
Do you think I ran through that a bit fast? So, I've got time for some questions if anyone's got any. Anyone got any questions? Got one at the front.
>> Thank you. Yeah, really interesting talk, really appreciate you doing it. I guess the question I've got is around, so obviously we call it security training, but it sounds like it's "how to use an inbox" training. That's not security, right? Is it? So, teaching a user how to use an inbox, because some of the, I'd say for your example, the war story was very much a case of a user getting an email and forwarding it on to three or four other people. And then, interestingly enough, obviously you said that you didn't find the detection or the signature, whatever you had to put on there, until it had been visited. Is there, I don't know, I guess what I'm asking is: is it just basic email, you know, "this is how you use an inbox"? It's not security work really, for the user. And then equally, how do you get involved inside that kind of chain of "don't forward this on", and identifying it before it's clicked through? Is there any kind of practical measure you do there? Does that make sense?
>> Yeah, it does make sense. I would say that would have to depend on each company and, more so, on how they take training at the start when a new employee starts, how technically aware they are. Maybe they might have heard of phishing or so, and it could also be about not forwarding any emails from the outside internally unless it is required, or maybe with proven manager approval, I would say.
>> Yeah, okay, that makes sense. Yeah, sorry, it's just more, I guess...
>> Yeah, not an easy question.
>> Sorry, but thanks for the talk, really enjoyed it.
>> Anyone have any other questions for Stefan?
>> I'll be here until the end of the conference if anyone wants to ask anything else.
>> Thank you once again.
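The two Sentinel escalations in war stories two and three (a successful sign-in from an IP with C2 history, a "UK but not the user's usual UK" sign-in, and a login five minutes after the CEO clicked the lure) reduce to a small piece of triage logic. The block below is an added example; it is not code from the talk, from LRQA or from Microsoft Sentinel. The event fields, users, ASNs and IP addresses (RFC 5737 documentation ranges) are constructed for illustration, and the (country, ASN) baseline stands in for whatever "normal pattern" your identity provider gives you.

```python
"""Sign-in triage for the two Sentinel cases described in the talk.

Added example; not code from the talk, from LRQA or from Microsoft Sentinel.
Event shape, IP addresses, ASNs and users are constructed for illustration.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed threat-intel list: IPs with known C2 history.
MALICIOUS_IPS: Set[str] = {"198.51.100.9"}

# Constructed per-user baseline: (country, ASN) pairs seen in normal sign-ins.
BASELINE: Dict[str, Set[Tuple[str, str]]] = {
    "hr.user@example.com": {("GB", "AS64500")},
    "ceo@example.com": {("GB", "AS64500")},
    "normal.user@example.com": {("GB", "AS64500")},
}

# Constructed events: one phishing-URL click (the lure) and three successful sign-ins.
EVENTS: List[Dict[str, str]] = [
    {"ts": "2025-11-14T09:12:00Z", "type": "sign_in", "result": "success",
     "user": "hr.user@example.com", "ip": "198.51.100.9",
     "country": "GB", "asn": "AS64502"},
    {"ts": "2025-11-14T10:05:00Z", "type": "sign_in", "result": "success",
     "user": "normal.user@example.com", "ip": "192.0.2.10",
     "country": "GB", "asn": "AS64500"},
    {"ts": "2025-11-14T22:30:10Z", "type": "url_click",
     "user": "ceo@example.com", "ip": "192.0.2.10",
     "url": "https://docs.google.com/document/d/constructed-id"},
    {"ts": "2025-11-14T22:35:10Z", "type": "sign_in", "result": "success",
     "user": "ceo@example.com", "ip": "203.0.113.7",
     "country": "GB", "asn": "AS64501"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def triage(events, malicious_ips, baseline, click_window=timedelta(minutes=10)):
    """Return one finding per successful sign-in that looks like account takeover.

    Three signals, matching the talk's war stories:
      known-malicious-ip            sign-in IP is on the threat-intel list
      outside-baseline-network      (country, ASN) never seen for this user,
                                    which catches "UK, but not the user's UK"
      sign-in-after-phishing-click  success within click_window of the same
                                    user clicking a reported phishing URL
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    last_click: Dict[str, datetime] = {}
    findings = []
    for event in ordered:
        when = parse_ts(event["ts"])
        user = event["user"]
        if event["type"] == "url_click":
            last_click[user] = when
            continue
        if event["type"] != "sign_in" or event.get("result") != "success":
            continue
        reasons = []
        if event["ip"] in malicious_ips:
            reasons.append("known-malicious-ip")
        if (event["country"], event["asn"]) not in baseline.get(user, set()):
            reasons.append("outside-baseline-network")
        finding = {"user": user, "ts": event["ts"], "ip": event["ip"]}
        clicked = last_click.get(user)
        if clicked is not None and timedelta(0) <= when - clicked <= click_window:
            reasons.append("sign-in-after-phishing-click")
            finding["minutes_after_click"] = int((when - clicked).total_seconds() // 60)
        if not reasons:
            continue
        finding["reasons"] = reasons
        # A known-bad IP, or two independent anomalies, is a call-the-client case.
        high = "known-malicious-ip" in reasons or len(reasons) >= 2
        finding["severity"] = "high" if high else "medium"
        findings.append(finding)
    return findings


def run_demo():
    """Triage the constructed events against the constructed baseline."""
    return triage(EVENTS, MALICIOUS_IPS, BASELINE)


if __name__ == "__main__":
    for f in run_demo():
        print(f["severity"].upper(), f["user"], f["ip"], ", ".join(f["reasons"]))
```

Two findings come out: the HR user's sign-in is high severity on the threat-intel hit alone, and the CEO's sign-in is high because it is both off-baseline and five minutes after the click, even though nothing about the IP itself is known-bad. The AiTM case in particular only shows up through that timing, which is why the click telemetry needs to be in the same timeline as the sign-ins.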
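The advice to check that a domain is "written correctly" can be automated: the rnicrosoft.com trick works because "rn" and "m" render almost identically, so a checker that collapses such sequences before comparing catches it, along with digit-for-letter swaps and one-character typosquats. This is an added example, not code from the talk or from any of the URL-checking services it names; the protected brand list and sample hosts are constructed, and the public-suffix handling is a deliberate simplification noted in the code.

```python
"""Lookalike-domain check for the rnicrosoft.com trick from the talk.

Added example; not code from the talk or from any of the URL-checking services
it names. The protected brand list and sample hosts are constructed; the
suffix handling is simplified (single-label public suffix such as ".com").
"""
from typing import Dict, List, Optional, Tuple

# Character sequences that render almost identically in common fonts.
# Applied before single-character rules so "rn" collapses to "m" first.
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d")]
# Single characters commonly swapped in lookalike registrations.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "i", "l": "i", "5": "s"})

PROTECTED_DOMAINS = ["microsoft.com", "paypal.com", "admiral.com"]  # constructed


def skeleton(label: str) -> str:
    """Collapse a label to a visual skeleton so lookalikes compare equal."""
    s = label.lower()
    for seq, repl in CONFUSABLE_SEQUENCES:
        s = s.replace(seq, repl)
    return s.translate(CONFUSABLE_CHARS)


def split_host(host: str) -> Tuple[List[str], str, str]:
    """Return (subdomain labels, second-level label, top-level label).

    Assumption: a single-label public suffix such as ".com". Production code
    should consult the Public Suffix List so "example.co.uk" splits correctly.
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    return labels[:-2], labels[-2], labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, protected=PROTECTED_DOMAINS) -> Dict[str, Optional[str]]:
    """Verdicts: exact, lookalike, typosquat, brand-in-subdomain or unrelated."""
    subs, sld, tld = split_host(host)
    best: Optional[Tuple[int, str]] = None
    for brand in protected:
        _, b_sld, b_tld = split_host(brand)
        if sld == b_sld and tld == b_tld:
            return {"host": host, "verdict": "exact", "brand": brand}
        if skeleton(sld) == skeleton(b_sld):
            return {"host": host, "verdict": "lookalike", "brand": brand}
        distance = edit_distance(skeleton(sld), skeleton(b_sld))
        if distance <= 1 and (best is None or distance < best[0]):
            best = (distance, brand)
    if best is not None:
        return {"host": host, "verdict": "typosquat", "brand": best[1]}
    for brand in protected:
        _, b_sld, _ = split_host(brand)
        if b_sld in subs:  # e.g. microsoft.com.evil-login.net
            return {"host": host, "verdict": "brand-in-subdomain", "brand": brand}
    return {"host": host, "verdict": "unrelated", "brand": None}


if __name__ == "__main__":
    for sample in ["rnicrosoft.com", "login.microsoft.com", "micros0ft.com",
                   "microsft.com", "microsoft.com.evil-login.net", "example.org"]:
        print(sample, "->", classify(sample))
```

The skeleton comparison is what flags rnicrosoft.com as a lookalike of microsoft.com, which a plain string compare or a reputation lookup on a domain that is "no longer up" would both miss. The subdomain check covers the other common trick, where the real brand name sits in front of an unrelated registrable domain.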