
Vishing in 2025 - How We Get Your Interns to Download Our Malware - Adin Drabkin

BSides Prishtina · 29:06 · 20 views · Published 2026-05
About this talk
"Vishing in 2025 - How We Get Your Interns to Download Our Malware" covers the OSINT and social engineering considerations used to successfully compromise multiple Fortune 100 companies. This talk goes into detail on how we gather a "deep background" on our target employees and companies, and how those deep backgrounds enable us to create believable scenarios, excuses, and answers to common concerns. Anonymized war stories from actual engagements are included.

Transcript [en]

All right. All right. Welcome. Uh this is uh visioning in 2025. Uh how we get your interns to download our malware. Excited to be here and this is the first time uh doing this talk. Uh so I'm going be building it out the whole year. Uh so I appreciate any feedback afterwards as well. All right. So a quick uh background on who I am. I'm Aiden Dvkin. I'm based in New York City. Uh I'm a red teamer on mandience uh red team. Uh so we do red team consulting incident response etc. Uh my focus is on active directory uh AWS uh social engineering purple teaming uh you know everything that's really fun to to break these days. I have cyber

security degrees from RIT. I know they have a campus here as well uh in NYU. And then I have OCP plus CRTO bunch of different vulnerability disclosures and things that allegedly qualify me as a hacker. All right. So, because we're doing uh voice fishing, there's my alternative, who am I? Uh so, when I'm calling someone up, I'm not going to say who I am. I'm going to pick one of these two personalities instead. Uh so, one of them is a security intern at a Fortune 500 company. Um so, I don't really understand company policy yet. Maybe I have a high-pitched voice and I'm just doing a benign task that my manager assigned me. I don't really understand

the process and I was just told to call someone up and have them download a compliance checking tool to their computer. Um, I don't really understand anything yet and if I get stuff wrong, you know, you can't really hate on it. I'll just go talk to my manager and let them know. Uh, then the other personality is a senior IT analyst. I take my job very seriously. Really deep voice, talk very slowly. I'm really confident in the process. And if you think uh downloading this tool to your computer is wrong, it's your fault for not understanding it uh yet. All right, so quick agenda for this talk. It's about just under 25 minutes now. Um, so some context on this, why

it's important. uh the types of fishing that we do and that we see in the wild. Um how we do OSENT on the people we're targeting. Uh so how do you do a deep background on them? What kind of information is important? How do we assign value to the information that we find uh about the company, the person? And then also doing this for uh using LinkedIn primarily and then finding the phone records that you need for the person you want to target. I'll also go briefly talk about infrastructure uh talk about the scenario and how we execute the scenario we're doing. And I'll talk about some real uh interns that I've fished and some real problems

I've had. uh because you don't expect things to happen with interns that always happen. And then also what you have to do at the end, your responsibility is to be a good person and not get someone fired if possible. All right. So just a quick expectation for the talk. Um there's a lot of different technology you can use when you're doing some sort of fishing. And I'm not going to talk about that as much because it changes uh every few weeks. It feels like uh whenever Microsoft changes their login page, for example, you have to build out an entire new process to clone it. Um, and I'm going to be focusing uh primarily just on the

social engineering of a single person as opposed to calling a help desk. All right. So, some quick background. Uh, this was primarily over the last two-ish years. Uh, there's a lot of high-profile breaches uh involving phone based uh social engineering and this was targeting uh a lot of entertainment related organizations especially with Lapsis and Scattered Spider. Uh, and they had a lot of success. What was popular at least publicly in the news uh was a lot of help desk fishing. So they call up and they reset someone's password or they reset security questions to get into someone's account, uh log in remotely and then hack the environment. Uh recently, as Evan was discussing during the keynote, uh

there's been a lot of voice modification related tooling. Uh the deep fake demo, I know it didn't work, uh but it's real, I promise, where you can with a clip of someone's voice, uh generate uh like like almost like a clone of their voice. So then when you talk and if as long as you use their mannerisms, it will sound almost exactly like them when you call up a help desk. Uh we have actually published some blogs on this uh last summer. Uh we did this to compromise a company. We impersonated one of their seuite members by using a publicly available video of them. Um so we do this on our engagements as well. Um so

over time uh this is going to get more and more popular as you can imagine. Uh we're also seeing this uh in in real life as well for call centers. So there's a bunch of companies now that have created uh they call it AI uh or they call it call center accent neutralization. So it makes the person's voice sound more American effectively or more European depending on who you're talking to. And then that way they can go call someone up and they'll sound very close to me and it will sound more similar to the company that you're targeting. >> All right. So there's two primary types of fishing attacks that we see both in the wild and that we conduct when we're

doing assessments. U so the first one's help desk. Uh this is more common in the news uh really with Lapsis and Scattered Spider. You call up the help desk, you have information on the employee, you reset their security questions, you reset their password, you get access as them. Uh we do this as well. Um but this can be uh quite difficult. Um so when when you when you want to get into or when you want to get into a company, if they have a very mature help desk, it's going to be difficult to get past the process. If they say you have to go in person, for example, then that becomes a challenge for an attacker to do. So

against a a mature help desk, it's not going to be very possible. Uh but again in an individual employee um you kind of are are relying on the employee security as opposed to the help desk is desk's process being followed. Um so this is less common in the news. Uh I can only speculate on why maybe people don't want to publish information about their employees being called especially if it's a personal phone or there's some sort of threats involved with a lot of these groups. Uh this also can require additional technology. So when you're calling a help desk you your goal is generally to log in legitimately uh on the remote desktop tool that they use.

When you're calling an employee, you may need to set up a a fishing redirector, set up like a malware payload, etc. So, it could require some more technology. Uh, but your general goals here are going to include resetting their password. Uh maybe capture credentials, capture MFA, or even get them next to get a payload. Uh, if you're confident enough in your technology, uh, this is feasible against companies with a mature help desk. Uh, because like I mentioned, it doesn't matter how strong the policies are. If you can get an employee to download something and the technology is strong enough, you're going to be able to get execution and get a malware sample running. All [Music]

right. So, deep background. What kind of information do you want to gather on someone and what's useful before you start calling them up? So, generally speaking, when I have a target that I want to uh find, I first need to figure out the location of who I'm impersonating and then who I want to target, um, make sure that they don't know each other or they likely won't know each other. If they're from the same department or the same company, they're going to say, "I'll just walk over to your desk and talk to you." And that's going to get you burned really quickly. Um, so, do they work in the same office? Uh, and if they do, what's

their work from home policy? Especially after COVID, if they're home uh Monday and Friday, then I'll only do my calls on Mondays and Fridays, so they can't go ask questions to their co-workers. Uh, what's their company uh norms for their their company and their school? Um, so some schools in the US, they do a six-month internship. Some only do a three-month internship. Um, so if you're doing voice fishing on internship, if this is very important to know, you can't call up and say you're someone who's no longer at the company. They're going to say, "You don't even work here. What's what's wrong with you?" Um, if you want to figure out how long they've they've been at the company, uh,

if you're impersonating someone and you have a scenario for them and they've been there for four years and you don't say you don't you say you don't know the processes, they're going to say, "Well, it says here you've been here for 4 years. What do you mean you don't know how the processes work?" Um, I would say data breaches, including the target, uh, is quite important. Finding if they have any passwords that are commonly leaked online, any sort of patterns they use, this can all enable your attack on that person. And I would say, um, my favorite thing is paying attention for the first day LinkedIn posts. Um some of the posts are very basic and some give you a lot

of information and that information um I guess you'll see a pattern a lot through these slides is information that should be treated as public but feels private. So information that's not really a secret but it feels like a secret if you know it. So first day post of their laptop it feels like a secret but it doesn't really matter what laptop you have that shouldn't be a secret. Uh it's not shouldn't uh enable you anyway. All right. So some quick uh definitions here. So you have your target and your company of course. Um and I would say there's three types of categories I assign. A lot of people I see doing this the first few times they spend a lot of

effort uh going through and finding every single piece of information about their target even if it's not super useful. Um and this can really take a lot of time especially if you're doing it as a consultant and you're time constrained maybe only one or two weeks of research for a whole company. Um so valuable information I say is like I'm going to use this on the call or it's going to directly impact how I I do an attack. Uh useful is maybe they ask me some side questions. I might have a quick answer I can give them uh based on it, like a backup answer. And likely a distraction is something I'm not going to use, but it feels really cool to find

it when you're doing research. You get really excited when you find it. And then for the company itself, uh without this kind of information, at least on the valuable side, you can get caught really quickly by accident. I think the most important ones are the terminology that's being used. Um, so if a company is referred to just as one, if they have a threeletter name or three word name and you're referring to them as the wrong part of that word, if they have like an acronym they go by and you use the wrong acronym on the phone, they're going to call you out really quickly and know what you're up to. Um, so similarly, um, other policies about

the company. So the return to office policy, like I mentioned before, uh, internships versus co-ops, their primary office locations can be really important, um, to know where you want to make a fake phone number from, your fake or your area code that you impersonate, etc. Um, what kind of cloud providers they use. This will really inform what kind of infrastructure you want and where you're going to be hosting it as well as their employee ID format. Some companies, it's as easy as first name, last name. Other companies are going to be like a random number followed by a letter. And if you don't understand that format, your vision is going to be useless. Uh useful information is maybe

the help desk phone number. If you want to know the area code of that help desk, um that can be really useful. So if you register a phone number in the same state or the same city, it will look more legitimate to that employee because they're used to that area code. Um, so their password policy, uh, so when you're calling them up, um, and you get them to go to your website maybe and they enter their password. If that password is not compliant with the password policy that you know they have, you know that they're messing with you, uh, and that you should have that inform your attack. Um, so similar idea, use like username format as well. And then

likely a distraction. There's like a whole list of things you could have on here, but I don't want to distract you, so I won't only add one. All right. So, the target themsel um the absolute essentials that I need to v someone as their name of course, their phone, their role at the company, uh their time at the company, their working location, and their historical passwords uh if they're online. Uh useful information is going to be u other employment history. Um their background or they have a technological background or they have like more arts background. Uh their manager's name can be really useful u because then I can talk to them as if I have access to their internal systems. I

can see their org chart and that's at least the impression they get. And likely a distraction is hobbies, interests, family history, their exact address. All of this feels really cool to find about someone, but it's not really useful when you call them up. All right, so gathering information on the company. So identifying documents, I think, is my first uh first thing I do when I go out and find a company's information. So the general goal like I mentioned before is you want to find documents that contain mildly sensitive or not sensitive at all information that should be treated as public but it feels very private uh to the employees. Um so I'm going to skip

the general osent part and then just jump into this cuz this is more interesting at least in my mind. Um so virus total searching um for office documents that contain the company's domain. If you upload something to virus total and you don't mark it as private, it's going to be public information. That's how you share malware samples with the community. Uh some people are really really good with security culture and they want to check every single document that's sent to them over email which is a great idea but then in practice they just go and take it and upload it to Virus Total and it contains the metadata of the company name on it. Um it could also say like last edit was

by uh their name. It could say the company and the metadata itself just has the company's acronym. I've seen that before. U and that can be a good way to find like secretive documents with quotes, company policies, etc. Google searching for the company's domain. Uh this one it feels very basic but I I see a lot of people struggle with it in general. Um but if you can can find a a secretive with quotes subdomain for the company that only internal company documents will reference and you search that on the internet you'll get hundreds of results for that company for documents that shouldn't be exposed. So once you have that like one little um thing that you found, you can leverage

that to find a lot more. Uh so an example would be like internet.comp.com. If it's only accessible in the internal network and you search it on Google, you may find other documents that reference this. And then just you just keep doing more and more Google dorking with that and it kind of snowballs until you have a like a very decent understanding of how the company operates uh their policies their websites etc. So these are some examples that I found when I was making these slides last month. Um I just took took a random company from the Fortune 500 and started searching to see what I could find. This is not one of my clients just randomly

was searching. Um so I found the company's uh internal domain very quickly and I started searching that to get more information. Uh within a few minutes we found the bring your own device policy which was very useful for us to understand that they might not have uh edr on all the devices on the network if you're allowed to bring your own device into the company. Uh we we found more information on how the user IDs are formatted. So the employees are logging in with their email address. Uh most usually or most typically it says and we also found the password policy. Uh so it's 10 character as opposed to the default or usual 8 character and it

talks more about that. Uh so we understand what we should be looking for and what's legitimate when we call someone up. All right. So, we kept searching and kept searching and this is probably about after 10 or 15 minutes. Uh, we found their internet. It was not just internet.comp.com. It was like a special uh with it had home in it. So, I wouldn't have guessed that one by default. Uh, and then within that same document I found they use like Microsoft Teams, which is great. And then here's their compliance email and here's their compliance phone number and it has the area code, the local area code. Um, so I now have got a lot of information on the

company. And then I also found some how-to documents for the company that explained uh how you should sign up for the different uh systems they have. So, and then in this example, uh the person who made this document had a screenshot of like 20 or 30 IDs and they were improperly blurred. I blurred them properly, but they just used like the pen feature on Microsoft Paint. Um so then I had the name, the full name, and then the the special ID number, like the secret ID number for all these employees, uh like 20 or 30 of them. So if I wanted to impersonate them, it would be very easy to now. And I kept searching a little bit more

and then I found a policy that they called the reportable event policy. And this one actually contained the mobile phone number of the CISO and a few different IT team members. So for spoofing, this is the best thing I could do. And it also tells me that there's a legitimate reason to use a personal phone number. So if I was to call someone's personal cell phone and say this is one of the members of the IT department and they say why are you calling my cell phone? I can just say well check the reportable event policy. It says to use the mobile cell phone. You know it's very clear immediately with no delay and it's involved.

All right. So, the patterns that were identified here in about 15 20 minutes of research uh was that there's this reportable events page, reportable event policy. So, I can reference that when I'm talking to someone. They wouldn't expect an outsider to the company to understand that word. They also reference the term local IT help desk repeatedly. So, maybe there's a few different IT desks. Uh it's a global company. Um their compliance team is separate. So, I want to be careful how I use the term compliance uh because they might think it's it's two teams being put together. So someone with more time at the company would be a little bit suspicious. And then the usernames that

they have to software as a service products are going to be their work email addresses. And these are just some snippets from the screenshots earlier.

Great. And moving on to LinkedIn.

So, I use almost only LinkedIn for a lot of my OSENT on a target on fishing, especially for interns because they're really excited about their new internship and they want to post it everywhere online and that means on LinkedIn every two weeks. This is this is an example from one of my co-workers. Um, this is a good example because it's very basic. It's there's nothing really wrong with this, right? Um, but I search LinkedIn for key phrases. So, I look for the words accepted and then sort by someone who works at whatever company I'm targeting. uh join summer, co-op, intern, etc. Um so he's just happy to share that he's starting a new position and it has his

name and it's not much information. It's just his name. It's not going to help me very much. But if we keep searching, we can find better examples. Uh this is one of my favorite ones uh to find because it seems really it doesn't seem obvious until you read it and then you're like, "Oh, I understand. I shouldn't post that now." Um so this one references this person's manager and then other manager and then possibly a recruiter and then also includes references to the company name. Um, so this is really useful to me because when they're thinking their their managers, then I know their manager's names and when I call in or I call them or I call someone as them, I

can use that. Um, so someone I may call someone up and then they say, "Okay, who's your manager? Prove it's really you." Like, "Oh, here's my manager's name." Um, so this is perfect. But there's even better examples, and this is my favorite one is when someone posts a screenshot or a photo of all of their technology, uh, because this establishes a lot of legitimacy for me. So, it has the new hire swag in there, uh, t-shirt, sunglasses. It has their work laptop, work monitor, and then it also included, I think it also included the manager's name. So, it was like a all-in-one. Um, but it tells me the operating system version they're using and the exact

model of laptop. So, if I want to do a scenario uh in which we would like refresh their laptop or give them a new device, I can say like, "Oh, can you confirm that you're still using a Lenovo whatever model?" And they go and check and they say, "Oh, yeah, I'm still using that." And that's information that they feel like I would only know if I was a true employee. All right. So now we have information on the person, we have information on the company, uh we have some good background, but we need to get the phone number of the person we want to target. And this will be more US focused um because that's where I operate.

So a quick uh briefer or primer on public phone records in the US. You can purchase really accurate lists from marketing companies. There's these marketing companies that exist and you can pay them, I would say, a subscription of a few hundred per year and then you get about a dollar per phone number. that's quite expensive. Um, that's probably not what the attackers are doing and I want to do it more like the attackers if possible because that's how they're that's how they're doing it. Um, there's also public databases. So, in the US when you register or you buy a house or you have a mortgage or you get your phone published in a phone book or something,

this can get indexed online. Uh, the database quality is extremely low cuz a lot of companies try to index these and they're not very good at it a lot of the time. Um, which is fine for them because they don't really need to care. Um, I would say for those who are older than 40 years old in the US, the the quality of the databases is between 30 to 50% in my experience. Um, and if uh if you're older than 40, the reason behind this is because if you went out when cell phones became a mainstream thing and you went to go buy your cell phone originally, it had your name on it and your phone

number. Um, so a lot of this information can be found online quite easily. Uh, but if you're younger than 40, uh, you probably were added to your parents plan at some point first before you went off and got your own plan. And this makes it extremely hard to find that person's phone number. Um, and you can see there's a problem here because interns are typically younger than 40 years old in the US and that's who I want to target. Um, and this is kind of this meme represents me trying to call up the intern and just I call their grandma by accident and then their mom and then their dad and their sibling and I could

never get their actual number the whole time. So filling in the gaps for public records, uh, especially for interns. Uh, so résumés uh, posted online. Uh, this one's kind of an obvious one. Uh, but people still include their their phone numbers on their resumes even when they're applying for IT roles at more like modern tech companies. Um, and I I don't know why this is still a thing that we do. It's a tradition to do. Um, but it it's really useful. It usually is the direct phone number to that person. And if interns are looking for a job, they're posting their resume all over LinkedIn. U, occasionally you can get it from data breaches. Uh, there are some

big data breaches that included phone numbers back in the 2010s. Uh but again, if you're targeting someone who's 22, 21 years old now in the US, they might not be in these data breaches. Um so I have some like fun alternate paths I've used a few times here and there. I think my favorite one uh is the college uh college groups in the US that are run by students. Um so Greek life in the US um or other special interest groups as well. They'll post their events on on Instagram or in Facebook and they'll say like if you have any questions, please call us and they'll have like a list of the members phone numbers just right

there. and and this has had I think I've gotten up to 40% of a social group of like 80 people just by their Facebook uh in about what the course of a year they just posted uh 80% of them. Uh other special interest groups maybe like an archery club. Same idea applies. Uh in the US about less than 10% I think 9 or 10% of private school students are part of these groups and that's still a significant sample size if you're targeting a decently uh large company. Uh and then another one is is uh siblings. Um, so siblings who are close in age, when you walk into a phone store in the US and you get your first first

phone number, technically you can choose whatever number you want, but usually they just assign you something and if you walk in with two or three siblings at the same time, they just uh increment it by one each time. So if you can get one person in that family, you might be able to get everyone else in that family if they got their phones at the same time. So here's an example. Um, this one's actually just from my sisters because I didn't want to put a real uh number in there. Uh, but for my sisters, this happened to them. They wanted to get their phone numbers at the same time. Um, and this is um, so she's starting

her internship this summer, so I kind of made this for her. But, uh, we had, uh, the other sister's name from her LinkedIn that she put, or she posted her resume on LinkedIn, uh, and it ends with a four. And then I incremented it by one and decremented by one. And then my other sibling came up, uh, searching it right there. Um, and if you were to search up my sister's name, you wouldn't have gotten her her number, but if you were to search up the phone number, you would have gotten her name. Um, so you can kind of confirm it that way. All right. So going over some quick infrastructure. So no matter what scenario you're doing,

u you have to have a legitimate phone number some way, otherwise you can't call someone. Um if you're able to spoof it, that's great. Spoofing is getting harder and harder as time goes on. Uh providers, you can spoof it still if you have legacy accounts with some providers. Uh but they obviously don't want you to be doing malicious things, so they make it hard to spoof numbers. Uh you can't spoof 800 numbers, for example, no matter what, at least in my experience. Uh, you also want to get cloud infrastructure as close to the target as possible. Um, if you're going to be logging in as them or on their behalf, are they're going to be entering

credentials. You want it to look like it's a real login. Um, so for example, I was targeting someone in Ohio a few months ago and I was able to get US East 2, so it looked like it was Ohio and Ohio. There was no impossible travel, so there was no alerts for that login. Uh, so some scenario specific infrastructure. And then important thing to keep in mind is each time you add another piece of infrastructure, it gets easier to attribute uh that they're being attacked. Um, so if you're doing credential capture, you have to have some sort of man-in-the-middle server going. Uh, so maybe Evil Jinx 2. Uh, you can use a VNC solution like Evil NoVC,

which is a public tool. You can even use a custom page if you want to, but nowadays these are pretty obvious. Um, if you're doing payload delivery, maybe you only need a single page to download the file. Um, or you do a credential capture and a payload delivery. But if you're able to just reset their password and call them up, you don't need any infrastructure uh at all. if you if they're if they're being sent like an MFA code and you can get them to read the MFA code back to you. You don't need any infrastructure besides just logging in from a virtual cloud instance somewhere. And so that's my favorite type because uh you can call them up and

you can go for 10 minutes, 20 minutes and they won't have any way to attribute it to you, especially if you're spoofing a phone number. All right, so I'll go over uh let's see what time it is. Yeah, so I'll go over uh one example. Uh this is a real example I've anonymized. I've combined a few different examples that have happened to make it a story that can't really be traced back to one person. Um, but it's a real intern and it has real problems. So, I'm going to call this person Lana. It's not their real name. Uh, but Osent went perfectly. We found them. They posted their first starting post. They post their manager's

name, a photo of their computer. It was incredible. Uh, they had a non-technical background. I believe they were maybe like a teacher before this or something and they shifted to be an intern at this company. They just started the internship about 2 weeks prior. Um, and they had a hybrid work schedule uh because it was postco and they were at like one of the different office locations. Um, and that was super exciting because now we can call them about 3 days per week without any risk of them talking to someone in the office. Uh, we got their personal email address and phone number. Uh, they were in a bunch of historical data breaches going back to like 2010. Uh, and they

had the same password pattern used across like five or six different websites. Um, so we had some idea of how they how they operate. And as as recently as 2019, which is actually quite recent as far as getting passwords go now, um especially nowadays since passwords are hashed and salted. If you're able to get someone's plain text password from as recently as five or six years ago, um that's it's going to be fresh in their mind still. They still know that they use that password. So we created a scenario for this person uh involving a password breach. Um so we're going to say that there was a password breach. We were alerted by our compliance vendor um that there there

was some sort of loss of sync between their account and the the vendor uh because their passwords were breached. So I called her up and I said this and we said to sync your account again and she was a little bit suspicious at first and I was like well yeah but the vendor gave us information uh the password that they they said was breached and I read off her password to her and it was like silence on the phone for 5 or 6 seconds and she's like yeah that's the password I used but I didn't I didn't use it here I promise. Uh and then she was like okay what do I have to do and she was very

like she believed it was us cuz we had her password and everything like that. Um, and we called her multiple times over the course of a week. First, we got the password. Uh, we got some tokens for Azure to get more information. And then eventually we called her back and we said, "Okay, nothing's working. We have to run a tool again." And we got her to download the payload and execute the payload. Amazing. Um, so no alerts. The payload's calling back. Everything seems great, right? Um, but we had some problems. I'll skip over the first half, but um, we had this uh, we bonded with her over time. The payload executes uh and we got persistence and then after

a day the payload stopped calling back, and then each day it would only call back for like an hour or two, and eventually it just stopped calling back altogether. Um and this was a big problem of course on a red team. So we missed one critical detail with targeting this intern, um, which was that this person was only logging on to their computer for 2 hours a day and doing their work and then closing their computer. And maybe there was some extraneous circumstance. We don't know. But we were convinced that they were on to us. And the payload didn't call back for 2 weeks straight. And then after the assessment finished, uh we got more

payload callbacks again. Uh so maybe they took a break from their internship for a few weeks. Uh but we luckily got another employee in the process. But it's not something you would ever consider. If you're targeting like a full-time employee, this would never happen. It's too obvious. But interns might have less work they have to do. All right. And then one quick slide on um just being a good person about this. I know I didn't include any countermeasures in here, but I have to at least say how you can report this without getting someone in trouble. Um so I've seen like some companies have cultures where they fire

people if they get socially engineered. This is a problem especially if we're being hired to socially engineer the company cuz it's like you lose or you lose. Uh we don't want to affect someone's career in a negative way uh due to a training problem. It's usually going to be a training problem or a technical problem. You have to think about it like defense in depth. If I call someone up and they're able to go to a website, enter their password, download a payload, execute the payload, and then I can get domain administrator, it's probably not just their fault. There are like a bunch of different steps along the way where you could have stopped me.

Um, employees should be suspicious, but if it's their second or third day at the company and they haven't been told, like what are you going to do? They're not going to be failproof. Um, and if they don't know the escalation process and I have to tell them the process over the phone, you probably didn't teach them well enough uh to be relying on them as your security mechanism. And I checked, this person's still at the company, so we're safe. The person I was talking about previously. All right. Thank you. Any questions?

[Applause] Uh, thank you for the presentation. It was beautiful. I only want one question, please. Uh, a couple of years ago, a breach in Albania happened which leaked multiple people's personal information. And let's say this thing happened in the US. I don't hope it doesn't. We all do. But uh how could you use this information to vish someone that you are targeting, or how can you use it for malicious purposes? >> Yeah, I mean in this specific case I would just use it to get the phone number of the person. Uh I don't really care as much about the home address or anything, but it's just the phone number and the name that is the most valuable part.

>> Hi, thanks for your presentation. And I wanted to ask if uh the like job or department that your targets work in or the career field they're working in uh plays into selecting them when you're doing OSINT, like do you feel like certain departments are more gullible for these sort of reindeer games, or uh is it, you know, like let's not go after the security guy, he's going to be on to me right away. >> I would say that people usually mention that you should just target HR or public relations or something like that, but I found that they've been, at least more in recent times, they've been better at detecting this because they've been

trained so much cuz they're kind of like the first line of defense to the company. Um, so generally speaking, I mean, I've gotten IT interns before as well. I think that software engineers are a surprisingly good target um because people just rule them out and they don't give them the same training they give to other parts of the company. So that's what I've seen as well. >> Interesting. All right. Any other questions? Quick questions? No.
