
Hello everyone and welcome. If anyone's ever taken any of my SecureSet online Python videos or something, I have a reputation for saying that a lot every time I start a new video, like "hello and welcome". So anyway, my name is Serge Borso and I'm here to talk about snitching, snitching in the real world, well, the real cyber security world anyway. The premise of this is really going to be my own experience of hosting less than reputable websites and how and why they get taken down, and as a takeaway, it's not just me telling stories, it's, you know, maybe some of you are dealing with the same situations or you're going to host your own C2 servers or BeEF hooks or phishing domains or whatever, and this may be relevant for you, and hopefully I can impart some knowledge and walk away with, you know, teaching some useful information.

All right, so here's me. I can actually Google myself now and I got a little blurb over there on the right hand side that comes up, so I figured I'd switch over to this type of descriptor of myself. I've got a fair amount of history, about 15 years or so in the world of cyber security. Back in my day it was called information security, and cyber security was something we kind of laughed at when we heard it come out, but it seems to have become much more prevalent terminology nowadays. Regardless, once again my name is Serge Borso, I'm the founder and CEO of spider saac and I teach with the SANS Institute, and I published a book last year, I think it was The Penetration Tester's Guide to Web Applications, and I've been doing what I do, like I said, for 15 years for large businesses, big enterprises: application security, network security, system security, penetration testing, red teaming, purple teaming, so on and so forth, all of it. And that's what my company does nowadays. I did it, you know, for 10, 11, 12 years for the industry and now I do it for myself, that is penetration testing and offering those same type of services I just mentioned for companies through my company. So that's a little bit about me.

What I experienced working for companies and doing what I do nowadays is, among other things, phishing and command and control and BeEF hooks and other things that require a third-party virtually hosted platform somewhere in the "cloud" that can host this maliciousness. And of course it's not malicious if you're doing something like a security awareness training campaign or a spear phishing attack and, you know, you're doing this for the purpose of increasing the security posture of the business you're working for, or you're doing this as some type of contract work or consulting work for a company that's hired you to assess their security. You're gonna have a C2 server, you know, if you're dealing with any type of callback communications, or you're gonna have some spear phishing websites that you've registered to try to, you know, do some credential harvesting or delivery of a payload. It requires some external presence out there. So as you're going through this talk, that's the premise for this: where you're going to be hosting stuff, and maybe you already are, and I certainly have, and that's the background for this. Phishing is prevalent. There's a little "citation needed" for that, I haven't quantified that, but I think we can all agree that phishing is rather prevalent, and I'll be speaking to kind of that. I won't bring in too much more C2 conversation or BeEF hook, because it's almost irrelevant. The point here is that there is something that you're hosting on a website that, to the untrained user or the layperson, they're going to look at that and say "oh, that's malicious" or "that's suspicious" or "that's not normal, that's not a regular website, you're doing something bad" or whatever, and it's gonna get taken down. So the background is, like I said, phishing: the company gets hit with a real spear phishing campaign, they want to get some awareness training because the people at their company clicked on that link and now there's a malware outbreak or something bad happened.
Me, I've hosted a lot of websites, I've registered a lot of phishing domains, I'm under 100 but more than 50 in, you know, my lifetime I guess. And when I do this, you know, I'm doing an awareness training program for a large client, I register a domain, I go and, you know, copy the theme from a real website like dropbox.com and all the different elements, and I get an SSL certificate to make it look real, and I go about, you know, doing my job, and then I launch my phishing campaign. The day of the campaign, when it's supposed to be sent out for the client, all of a sudden my website gets taken down, or it gets taken down before I even send out the phishing campaign. And this has happened to me more than once over the years, multiple times, and it's annoying. It's money, it's time, it's effort, and if I'm too stupid to back up my stuff, I've lost a lot of time, money, well, mostly time, but time is money. The point here is that my stuff gets taken down and I want to know what the heck is going on.

So I started doing some research into this, 2017, 2018, 2019, not consistent, like I'm spending, you know, 40 hours a week doing research, but every time I was going to host a phishing website I started paying closer attention to what was actually going on. And I wanted to find out who's the snitch, who's narcing me out, who or whom is the entity or entities that is or are causing my websites to be taken offline. That's the premise for this, that's what I'm trying to talk about and that's what I'm going to share with you, because I have found the smoking gun, and at the end of the presentation I'll share the information with you, but we'll get there piece by piece. So you can read that for yourself, I'm not going to read the slides for the most part, but I will kind of use those to guide this conversation. But that was really the premise: trying to do my job to help companies increase their security posture by sending out security awareness training and phishing and spear phishing campaigns, and then those websites being taken offline, okay, and I want to find out what's going on.

So we can look at this, and the question of course is, what is it? And those of you looking at the screen will easily say, well, obviously that's dropbox.com. Well yeah, certainly looks like it, right? The theme, the colors, the font, the size of those input boxes, that's clearly dropbox.com. Just like this is clearly amazon.com, there's even a copyright at the bottom, what else could it possibly be? That's definitely, you know, the legitimate, real amazon.com. And those of us who have Apple accounts, that's definitely Apple's website, right? Well, no, those are all phishing websites. So what? So they're phishing websites, who cares? Well, let's think about it. At what point does a legitimate website that you go register turn from just a website into something that's more malicious? And that's why I got the little caterpillar turning into a butterfly up there, it's a transformation. What happens, what makes it go from just a legitimate server that's listening on port 80 or port 443 to the ultimate takedown request, where someone says "hey, this is malicious" or "this is suspicious" or "I don't trust this"? What really happens from point A to point B that causes something like that to occur? That's a fair question, that's what we're going to talk about.

So Google, your registrar, your internet service provider, your hosting provider if you have a VPS, if you have AWS or something in the cloud: what's going to cause them to take action, to say "I'm going to suspend your service" or "disable your account", or what's happened to me, "I'm going to suspend your service, and by the way, you just forfeited all of your credit that you had prepaid for the next six months"? Told you I lost time and money, I'm not joking. Let's back up for a second though, level set. So what am I talking about here? There's a process that
goes into play, and I am by no means trying to point out these companies on the slide as, you know, good or bad or whatever. I'm just giving you some examples of who you may go to for your own hosting needs and for your own registration needs. So you, me, anyone on this call who is listening to this presentation can easily go and buy or, you know, lease a domain name. If you have a credit card, all you really have to do is just say "I want this domain", and if it's available and you can afford it, you click a couple buttons and that's pretty much it. The registrars gladly accept your money, and that's the first point, meaning if I am Google or I am some authority of the web who's going to have the potential to launch an abuse notification or a takedown request, this is the first kind of point where what you've just created could be scrutinized. Because before this there's nothing out there, you don't have a website. You still don't have a website, but now you've gone from zero to you have something, you have a domain name. If it's called evilwebsite.com, is that enough for someone to complain about it? You know, maybe, but that's not going to hold water when someone tries to take it down. So that's point one though. So if you go to register evilwebsite.com, yeah, okay, not a big deal probably in most cases. If you go to register evildropbox.com, well, that's a little bit closer. Now you're using the name of a legitimate company in your domain name, and guess what, Dropbox does pay attention to that. There is typosquatting, and even though that's not a typosquat, it's still similar enough to where you're using a legitimate company's name in your own domain name, and that's going to raise suspicion one level above nothing. So keep that in mind.

The next point, point number two: a domain by itself is just sitting there. Just because you register a domain doesn't mean you have a website running on there. It could be parked, but it certainly isn't your source code or anything, it has nothing to do with anything you've done other than register a website. So this next point is you change DNS, and you point the DNS for the A name for your domain to an IP address that can actually host content for you. And of course you could keep it with the default DNS and IP address and just use the hosting provider that you register the domain name with, but regardless, it's the second point. Once you actually have DNS pointing somewhere and you're hosting content somewhere, now we're talking about: I go to your website, it resolves DNS, it points me to a website and my browser renders that page. Now that's, you know, that's the second point, that's potentially another avenue where a company or someone who wants to take down your website could say "hey, this looks suspicious, this evildropbox.com, now there's a domain name and now it takes me to a website". Point number two.

Point number three: when I'm creating any type of spear phishing website, or even basic security awareness training websites, or C2 servers, anything that I'm hosting nowadays I'm gonna get an SSL certificate for, if there's any type of communication that is web-based or needs to be encrypted in transit, because it's free and it takes very, very limited amounts of effort. Although it takes a little bit more effort than it did a couple months ago, I'm not gonna get into that, but let's just go ahead and say SSL certs are free. There's Let's Encrypt and others like Let's Encrypt, to where it almost doesn't make sense to not do this. You know, when you're trying to launch a phishing campaign you want to make it look as legitimate as possible, and users have for years been trained to look for the HTTPS. So that's point number three, register an SSL certificate, and we'll get more into why these points matter in just a moment.

The next thing: you have a website, you have DNS, you
have, you know, a domain name, an SSL cert, and now you got to start copying over stuff, perhaps the real theme, the real logo, the real fonts, the real colors, all from the websites you're trying to rip off, or not rip off, but you know what I'm saying, like you're going to copy that theme. I can go straight to dropbox.com right now using Firefox and say File, Save As, and all that client-side content gets saved to my machine, and I can upload it and tweak it a little bit, but essentially upload that to my phishing website, and I've got a pretty good copy right off the bat of the real dropbox.com. I'm not picking on Dropbox for any other reason other than they're on my mind right now, okay, nothing else special about that.

Last point here is, you know, just to reiterate: we've registered a domain, we've changed DNS, we're hosting our site somewhere, we have an SSL certificate, we have a functional website, and now we send out our actual phishing email to our recipients. At any one of these five points I've outlined right here, those are specific areas where some company or some human or some technology could intervene and say "this looks suspicious". Of course there's more to it, there's a lot more to it, but I don't have time to go into every single little thing as far as bots and keys and firewalls and protection and stuff like that. But essentially it's not too crazy to do all the stuff I just said, that takes an hour or so to do. Now the question becomes, at what point during these five points I've outlined do you think that a website could get flagged as suspicious? And feel free to, I'm looking at Discord right now and I'm happy to, you know, entertain any guesses you might have. Once you buy a domain, is someone gonna complain about that? Once you change DNS? You get the certificate? Once you borrow all the themes from the real website? And/or once you send out the phish? At what point are you most likely to get a takedown request or abuse notification, or your registrar is going to say "sorry, your account has been, your account's been suspended"? Feel free to think about it. I guess it's more of a rhetorical question, but just to reiterate, I am keeping an eye on the Discord channel and I'm happy to interact there as well.

So just to level set kind of what I'm talking about: that's the big red thing you see right there, that's within, I believe, Google Chrome. We'll show you something that looks pretty much like that. I've obfuscated some of the content here just because, like I said, I did this, this is kind of the combination of research I've done over the years, but this research is based off of me registering real websites for real customers that really have NDAs in place, so I don't want to necessarily show everything. But that dropbox.com with the first part being obfuscated is basically like yourcompanyname.dropbox.com or whatever the case may be, and that's what we see when Google and their Safe Browsing project learn about your website and they come to the conclusion that it's suspect or suspicious or a "web forgery" or is malicious or whatever. This is what someone sees. Do you have any idea how big of an impact this plays when you're trying to launch a spear phishing campaign to harvest credentials or to get a foothold into an environment during a red team engagement? It's a big deal. You know, I downplayed it by saying it takes like an hour to set all this up, but, you know, I also left out a lot of complexity there. There's a lot of troubleshooting and testing and making sure that theme looks exactly perfect and figuring out what you do with the credentials once you steal them properly, so on and so forth. So it's a big deal if you go to launch your phishing campaign and all of a sudden you're like, whoa, I can't even get to my website anymore, and my victims aren't gonna be able to either. That's a big deal, it's a pretty big blow to your whole campaign right there, okay.

And there's a couple other things here, I got amazonshipping.trainingmachine.net, facebookupdate.com, updatingserver.com. Those are more generic ones that I've used over the years, or at least a year I guess, for what we're talking about, phishing campaigns and so on and so forth. And of course in the middle we're seeing a customer notification that's, you know, "below this email is a phishing report we've received about your service, we expect you to resolve this within 24 hours or your service will be suspended". Gee, thanks, thanks a lot. Where's the faith in humanity? You know, I'm doing this for educational purposes, not for legitimate harm to people, right? At any rate, this is based
on research, and I'm here to basically tell you what I learned, so let's kind of take this for what it is.

What entities are going to flag the website? I said, you know, this Google Safe Browsing project, and companies like Dropbox keep pretty close tabs sometimes on similar domains. Same concept here. We'll start with the first, I've highlighted it in this pinkish-purplish color: your registrar. Number one, they're not really going to stop you. You know, the registrars of the world don't necessarily care about the name of the domain that you choose to register. You know, in this country we got free speech and you can buy whatever the heck you want, that's perfectly fine, even if it's called thisisaphishingwebsite.com. So what? They're not gonna be the ones that are going to narc you out.

Let's Encrypt, the SSL certificate, the certificate provider of choice for many of us who are just setting up websites like this: not paying too close of attention to the certificates it issues, meaning if they see a request for thisisaphishingwebsite.com, so what? Once again, freedom of speech, freedom of, Let's Encrypt has to sell everywhere type of thing, and that would kind of go against some core beliefs to just not allow a certificate based on the name of the domain being suspicious or weird or something like that. So once again, not a big issue there based on my experience.

Robots. This is real. There are bots that are scouring the web on a day, hour, minute basis looking for copyright and trademark infringements. That's real, and when I'm copying FedEx or UPS or Amazon shipping stuff and I register a domain with their name inside of it, that raises some suspicion, and when their robot goes to that website and they see that there's actually some logos and themes from the legitimate website, I've gotten dozens and dozens of emails from those type of companies saying to take down the content, otherwise they're gonna do something legal against me. So keep that in mind.

People, humans. Humans that come across your website will definitely say "this is weird, this is suspect", and they will potentially go there, just using a couple clicks in the browser, and report it to Google, report it using Firefox or whatever browser they happen to use, and say "I think this is a", like I said before, a "suspected web forgery", whatever that means, a suspicious website basically. So, people. Now we're kind of getting a little bit farther up the chain here, humans definitely do have an impact on this, and there actually are other humans that will look at some of those abuse requests and notices and take some action if it so warrants it.

Next one, kind of already touched on this, that company: the robots scour the web and that company is actually going to go and see if you're using their logos and stuff, and then they're going to maybe report you or at least send some email to the abuse contact from the WHOIS information. Now other stuff that's going to come into play: the endpoint solutions and the other company here. So if you register a domain because you're gonna do the stuff we're talking about, phishing or BeEF hooks or you need to host something third-party and you need to have a domain name associated with it, you go ahead and register that, and then you send out some phishing email to your victim. That email goes through usually several layers of filtering. There's, you know,
some email filtering, some spam filtering, maybe even endpoint detection perhaps, but at least some type of email gateway that's going to scrutinize it. And nowadays, because it is 2020, you know, phishing isn't new by any stretch of the imagination. People and companies, and a lot of us, have gotten a little bit smarter, and they say "well, here's a link in this email and I'm going to do a simple WHOIS lookup on this and see when it's been registered", and if you registered it, like I said, a week ago, that email scrubbing solution, or the filter, the gateway as the case may be, can easily ascertain that and then mark that as a suspicious email, send it to spam, or simply quarantine it so it doesn't even come to you, or something quasi like that: they'll just make it so that link isn't even clickable. So definitely suspect if it's a very brand new website and all of a sudden there's a link in an email pointing to that brand new website.

Next one: no reputation, meaning you have a website, you registered it maybe six months ago, but there's a blank page because you're like "I'm getting ready for this engagement" or "I'm gonna go ahead and register Amazon shipping. because I'm gonna need it at some point", then it sits there and nothing is there and it has no reputation. Reputation means it's not good, it's not bad, it's not classified, it's not violence, it's not news, it's not a blog, it's not whatever, you know, it's no classification, no reputation. That's suspect, okay.

And then of course if the certificate has a name of a legitimate company in it, that too is suspect, and it's different than the other stuff we've already talked about. I mentioned Let's Encrypt and I mentioned the company in question, like if you're trying to duplicate dropbox.com or amazon.com or apple.com: when you actually register that SSL certificate through Let's Encrypt or a similar provider, there is a log of that, and the more mature companies who have to deal with this, you know, at scale, they are looking for those in their certificate transparency logs. They can easily query and search for something that has anything like *apple.com or *.apple.com, or some type of fuzzy query, to see if there's any apple.com websites being registered, like loginapple.com, and that's interesting.

Now, what have I come across to kind of answer some of the stuff I've been laying down here so far? What I've seen is number five: once an actual email gets sent out, that has the highest likelihood of being flagged. So the email gateway, that's usually where it happens at, meaning I can host a website, get the DNS pointed over to a hosting server, copy over all the themes from the legitimate Dropbox or whatever Amazon type of website I'm trying to copy to trick users into divulging credentials or the like, and I'm usually okay. I can host it for a matter of weeks. What I've come across is it's typically number five: once you send that phishing email out and it goes through the gateways and they're checking all those things we've talked about, that's where I've had my highest incidence of people, humans, actually reporting the website as suspicious at that point. And that's what I found out, so I'll show you some examples here in just a second. But in general that was kind of the first half here.

So once again we have a website, we have a need to do some type of security awareness training or phishing as part of a penetration test or red team engagement, so we go ahead and register that website, get it all set up and ready to go, and then send out that email, and it's taken offline like quick with the quickness. How do we avoid that? Because depending on what you do for a living and what your role is at the organization or institute you work for, that may be part of your job and you're supposed to be successful. You know, you're the pentester, you got to start trying harder, thinking outside the box and figuring out, well, okay, as soon
as I send the email out, my website gets taken down, and the consequences are such that it's not just like "oh, that sucks", it's more of a: where were you hosting it? Was it in AWS? Because now your whole Amazon account could be called into question, and you want to go talk to AWS about "no, it's actually a real website that's just hosting for phishing, and I'm actually one of the good guys and I, you know, I have a job doing security awareness training", and yeah, that's not so great. And what if you have other critical assets linked to the AWS account? They all get suspended, okay. VPS, a virtual private server: that hosting company will suspend your whole account. I've had a handful of servers just get taken offline and they never came back. You know, I briefly alluded to at the beginning of this money I've lost, where I actually paid for several months, six plus months, of service at a virtual private server hosting company, and they got, well it was more than one, but they got wind of one of my phishing campaigns and they suspended service, and it was right at a really inopportune time, quite frankly, right in the middle of a phishing engagement with a client who's paying money for this, and now I look like an idiot and I am scrambling to get my stuff back up and running, and I've spent money that is now, I guess, a suspended account, and can I refund my money? It's like, this is serious. It's serious on multiple levels. So that's why I'm trying to figure out, well, who's the narc, who's snitching on me for this, because that's not cool.

All right, so what do we do about it? The first one: test offline, use a firewall. What do I mean by this? I mean once you get the domain name and you register it, you've got SSL certificates and you're hosting it somewhere, leave the firewall turned on, whitelist, or allow, have an allow list for your IP address that you're testing from, and that way you can see it, but any robot that goes there, no connection, no TCP connection, no website, it's nothing at all. It's like it's offline for anyone else. The website, while you're in beta testing, no one else can see it, so just firewall it off completely.

What else? Second bullet point: don't point website resources to the legitimate website, host it locally. What do I mean by that? Let me break that down. When you go to utilize the theme and the elements from a legitimate website, what I mean is the CSS files, the JavaScript files, the images, the fonts, all that stuff, those are the resources that comprise any website you go to right now. When you're copying those from a legitimate website there's two different ways to go about doing this. You can just say, when someone loads the page, that image is located at www.dropbox.com/images/logo.png, that's hosted on dropbox.com, meaning when someone goes to your phishing website, or even you when you're beta testing it, that loads from a request that got sent to dropbox.com, which directly touches dropbox.com servers. Hopefully that makes sense. So hosting locally means you copy all those images: once you go to the website you get the images, you get the CSS files, you get whatever it may be, and then from there we're talking about you have it locally on your server.

Okay, I see a couple people typing in the Discord channel. "Is it using hash analysis of the images and trying to search in the CSS?" No, oh, I think you said, ah, I think he got it right. So don't point, "but can they pick up if you clone the images?" Absolutely they can. So the question is, we copy those files locally to our own VPS, at that point could dropbox.com then go and say "hey, based on this image you obviously just cloned it, you copied it"? Yeah, definitely, but there's no indicator at this point in time if you're hosting everything locally on some VPS you just spun up,
some virtual private server that you just turned on. Now we're talking about they have no indicator to know to go to your VPS, and if you're still in the demo, beta phase of this, you have it firewalled off anyway. Firewalled off meaning no one can even go to the website to see it. So that's what I'm talking about there. Rackfire45 is typing something and we'll see what that individual has to say in just a moment, and I'll address that question or comment. Thanks Doug, good call on that.

All right, next one: wait until the final moment before you go live to register the certificate. What does that mean? And I got a little asterisk there: it can be negative for reputation. Going back to reputation, I mentioned if your website specifically has a reputation, it hasn't made it to being indexed as, you know, trusted, or is just a blog site, or benign I guess essentially is what it would come down to. Without you registering your certificate and having it online and ready to go, you're missing out on the reputation, meaning if I go register Amazon shipping., which you guys saw a few slides back, that's been up for six months or a year. You guys can do a WHOIS lookup on there right now and tell me how long it's been up. It's been up for a while and the reputation on that should be okay, because I haven't really hosted anything out there in a while. So the point here is waiting till the last minute can have some negative consequences as well, because you don't build up that trust within the whole system.

So Rackfire45 says, "this is good information, I'm sorry to hear you lost time and money". Yeah, no problem. "That's probably what's keeping me from going further into the security field." I hear you on that. PM Scientist, I gotta be careful how I pronounce some of these names: "Question: what pros/cons exist for using a site you manage as a reverse proxy to man-in-the-middle the simulated site versus copying the right bits of the simulated site?" So pros/cons exist, I gotta think about that. "Happens in anything, it's something I worry about constantly, something I worry about constantly." Yeah, PM Scientist, I'll come back to that unless I forget, in which case I will come back to that for sure. I gotta think about that for a second.

All right, other stuff here. Understand, in black bold points right there, you got to figure out what your points of exposure are. I highlighted the five main ones, but there's other stuff out there: the maturity level of the company you're trying to basically trick people into going to, like it's not really amazon.com, it's not really dropbox.com, it's fake dropbox.com. If those companies are on their game, so to speak, and they're doing things like typosquatting checks and they have their Sender Policy Framework set up properly so you can't just spoof an email, and other stuff you see on the screen, certificate transparency logs for instance. Most companies don't do that, I got some asterisks around that, that's like only some companies are really seriously doing this stuff. This takes some automation, this takes some humans setting it up, this takes some humans actually putting the effort into watching what's going on. And as far as typosquatting goes, just to be clear, you can't stop someone from registering amazonshippingdata.io or amazon.photography or amazon.ninja or Amazon whatever. You can't stop people from doing that, it's a free country, okay. Can Amazon stop people from doing that? They can try and they can complain about it, but in most cases it's just something you don't have control over. So there's always going to be that subset of people who are going to click on that link anyway, even though it's not on amazon.com, it's amazon.ninja or something like that. But there are other areas of exposure highlighted in this slide right here that you need to be aware of, that could potentially get you exposed before your time is up.

All right, hosting platform. What do you have
to think about here? This is real, this is copy and pasted straight from my hosting provider. And going back to the main theme and question of this whole talk, who's the narc, who's snitching on me, you can see right there in yellow, and I got nothing negative or positive to say, this is just reality, this is research and this is me giving it to you in black and white, okay. This is something that happened to me back in October 2019: "Dropbox abuse detected on your infrastructure", which is why I was kind of harping on Dropbox, on dropbox.com, as an example, because I got hit with it. I copied all their stuff just like you saw
in the previous slides, I hosted it, I did all the stuff I talked about, and I go to launch the phishing website, the email campaign, then boom, hosting provider's like hey, we got nine complaints passed from upstream providers about phishing. So yeah, there's companies out there that do this, there's companies out there that get paid to do this to protect their customers, and it's kind of ironic, I'm getting paid to protect that same company and these people are getting paid to protect them in a different way, to watch out. So you know there's value in this one way or the other. Yeah, I got burned on it, but arguably they were doing their job. Not arguably, they
straight up were doing their job, and it just happened to impede me doing my job. There's no gray area about that, it's not bad, it's not good, it just is what it is. But there you go. So the snitch people, I'll give you a heads up on this, the second bullet point there, overzealous IT administrators. Back to rire 45, yeah, it's good information, you can get burned. One of the first times I was doing this, I remember it was similar to all the stuff I said, you know, register domain, get the SSL certificate set up, send out the spear phishing campaign, it looks beautiful, looks great, and one of the IT admins at the company
that received the phishing email actually went to the WHOIS, did like a simple WHOIS search on the command line, it's pretty very easy to do, found the abuse contact email, sent an abuse notification to that point of contact at the registrar or I think the hosting platform, and got my website taken offline in the middle, once again in the middle of the phishing campaign. So there's some other pieces that go into this: communication with the company you're working for. Yeah, poop Squad 420, that is an ouch without a doubt. It got taken down. I actually asked the person, my point of contact at that customer, hey, this is what just happened, can you have
your IT admin, you know, kind of correct the situation, because we got some issues doing this campaign right now. It's like they're paying me to do this and their own personnel kind of took it offline, but it is what it is, that's just the reality of it. You know, "I use a script the abuse contact when I was responsible for the incoming email", yeah, yeah. Technic, uh, technology, that goes back to what we saw kind of in the last slide, people plus technology. Technology does a pretty good job nowadays, quite frankly, of picking up on this just based on the factual information: how long has a website been around for, and the other easy to
identify things that you could automate, like is there any type of, you know, known history of this website having hosted malware in the past, uh, is it, yeah, so on and so forth. All right, so rire 45 says, I'm surprised you couldn't fight it after the fact to at least recover your funding cost. Time machine would have helped recover lost time. Yeah, I can't complain too much about it. It's almost like the two Coalfire guys who got arrested for doing their job. Yeah, it sucked, but when it was happening, around that moment in time, I'm like yeah, okay, it's not cool at this moment in time, but I'm sure they're going to have a really cool DEF CON
talk or Black Hat talk, you know, and of course they did. So same thing here, I'm talking about it, I'm sharing my knowledge, and while I lost some time and a little bit of money, you know, the reality is I got my knowledge I can share with each of you, and hopefully it's useful for you. All right, difference between malware and phishing: there's not a huge difference here, okay. From the perspective of, just like the slide says, from the perspective of "this behavior violates the terms of service", so on and so forth, it's not really much of a difference as far as your hosting provider is concerned, or your platform
or your registrar. If you're violating terms of service, whether it's a C2 server, whether it's a BeEF hook, the Browser Exploitation Framework, or whether it's a spear phishing website, it's the same concept there. Phishing though, definitely some copyright issues to take into account, meaning if I'm hosting a C2 server I'm not copying a theme from dropbox.com, it's irrelevant, I'm not doing that. So there's some variance, nuance there without a doubt. And of course phishing is definitely much better understood. I say C2, command and control, I'm sorry if anyone here didn't immediately know what that was, you know, but not everyone does. C2 means command and control, and that's not quite as obvious and prevalent for people not in
the know. Phishing, everyone knows what phishing is, most everyone in this industry, you know, but C2, well, maybe not everyone understands that. So the point here is when it's more obvious to the layperson it's more likely to potentially get taken down. So the other thing here, providers might work with you if they think your website was compromised. That's a reality, meaning oh, it wasn't me doing this on purpose, my website was compromised and that's why there's phishing. Yeah, right. I'm not advocating saying that at all, I always tell the truth to my providers. I say hey, here's my name, here's my company, SpiderSec, and you can just go to the website right now and read what we
do, you know, this isn't new, we've been in business for five years and this is who we're dealing with. So anyway, other things you can do, the difference here, uh, maybe a non-standard port could help you out. So other things to think about before I go back to PM scientist's question and any other questions that pop up here in Discord are really going to be firewall stuff. There's no need to tell the world about your phishing website or your command and control server before the world needs to know about it. Quite frankly, you could host this on your local Linux box or your Windows machine, as your preference may be, and then just go live
at the last minute with the actual content. The "reputation helps a lot" bullet point, that means get the domain name, get the certificate, host something benign on there like a legitimate blog or a legitimate photography gallery or whatever, and it just sits there, it gets some traffic and it gets reputation, reputation which isn't negative, and then when you're ready to pull the trigger, that's when you upload the more malicious component to it. And the other thing here, yeah, flip a record, MX, last minute, absolutely, for Doug Brush, just switch over DNS, point somewhere else and you're good to go, that's even smarter. Other smart things you can do: redirect. If your target organization that you
work for or you're working with, if it's like a single location, which is probably not nowadays, everyone's working from home, but if people were all in the office coming from one NAT IP address and you know what that IP address is because you work there and you're doing this in-house as an internal security awareness training, pen test or whatever your title may be, then you already know what the IP address is and you can just redirect. When you see that IP address on your Apache web server or some other upstream device you can say, if I see this IP address then show this page. You do that in PHP or
your .NET or Java, as the case may be, as well. Same thing for C2 traffic: if you know what to look for then you can just show the visitor what you want them to see. So a regular visitor who goes and stumbles across your phishing domain just sees the regular blog, whereas someone who you're targeting actually sees the phishing website. Always have some backup plans in place. And then bulletproof, kind of a last thought, with bulletproof hosting providers: I took a serious look at them after this happened like the second or third time. Yes, very sneaky indeed. The bulletproof hosting providers though, they didn't seem to be viable, they were quite expensive, like
hundreds of dollars a month for hosting, and that's difficult to justify, that price point, number one. Number two, looking at the second bullet point on the slide deck again, reputation helps a lot. What do you think the reputation is of a bulletproof hosting provider's IP range? Yeah, okay, you're lucky and, yeah, your mileage may vary with that, but generally speaking nowadays, maybe IPv6 if you can get one of those, but still, you're paying a lot of money for it. And what I mean by bulletproof hosting, just so we're on the same page, is when a bulletproof hosting provider receives an abuse notification or takedown request they're going to say no, I like
this phishing website and it's staying up. That's kind of the concept behind bulletproof hosting, meaning your hosting provider is going to have your back and not take your website offline unless you violate the terms of service, which is usually very, very limited in terms of what they don't allow. So that's certainly an option depending what you're trying to host and what your needs are, you can definitely look into something like that. Okay, I'm gonna back up here, I'm down to about nine minutes or so, and I've highlighted PMS, sorry, PM scientist's question. Question: what pros and cons exist for using a site you manage as a reverse proxy to man-in-the-middle or machine-in-the-middle a
simulated site versus copying the right bits of the simulated site? I was hoping I'd have a better answer for this by now. I don't know if I fully understand that question. What's good about using a site I manage as a reverse proxy to man-in-the-middle a simulated... yeah, I still don't really understand that, I don't think, and I apologize for that. Other thing Doug Brush mentioned: if you can only pay for your hosting provider with Bitcoin. Yeah, that was the other thing. I was trying to pay with, what was it, that one that eBay came up with, PayPal. I was like, I'll pay with PayPal,
they're like no, we don't accept PayPal, it's Bitcoin only. I was like, well, I guess that makes sense, you know. How about a credit card? No, we don't take credit cards, it's Bitcoin only. And it totally, if you're a bulletproof hosting provider, I get it, and I was kind of being foolish there, but you know, it is what it is. Technic, he's talking about capturing credentials in flight. Okay, is there any benefit to doing it that way? In the premise of this conversation that doesn't come up so much, if I'm understanding it correctly. So PM scientist, thinking that a reverse proxy doesn't need to copy images or CSS
and communicate referrer headers. I got what you're saying, I think I got what you're saying. Yeah, without a doubt, that could prove to be useful for you. The thing, I mean, you could do an iframe too, quite frankly, something like that could work as well. You're still going to see some calls to that legitimate company one way or another. Some amount of benefit; I'm sure there's some downsides, yeah, there potentially could be, it just depends what you're trying to accomplish and what your kind of risk tolerance is there with that. All right, what else, questions? That's it. I don't tweet very much, I'm pretty active on LinkedIn, I
work at that company over there, and I'm keeping an eye on this Discord channel for the moment. I know I got seven minutes left but I want to make sure I have enough time for the next presenter to come on and set up so they don't make the mistake that I made by being an idiot. Hopefully you all got a lot out of this talk. Thank you so much for joining, I really appreciate it. If you have any questions please do reach out, please feel free to LinkedIn or hit me up, you have one, two, three different points of contact for me at this moment in time, so don't be shy, don't hesitate, and I
hope to see you all in the community and at future conferences. Thank you so much, and thank you BSides for doing this, really appreciate that. Thank you. Thank you for speaking today. One thing that I think we can all agree on is that if he sends a link in an email we are not clicking it. Yeah, pretty much, that's fair, certainly fair. Now I have a feeling that the last four times I clicked on Dropbox it probably wasn't even Dropbox and he's got all the files I uploaded. But I don't want your guys' stuff unless you're paying, unless someone's paying me for it and it's legitimate, not so much nowadays. Good talk, enjoy all the
pictures of squirrels, you know. Yeah, there's no shortage of that. Thank you lucky 225, thank you poop Squad 420, thank you Mr Doug Brush, thank you rack fire 45, thanks for the question PM sciences, and yes, you're all very welcome, glad I could be here today.
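As an added example, not part of the talk or the speaker's tooling: a small triage script in the spirit of the WHOIS check the IT admin ran and the automated "how long has this site been around" reputation checks mentioned above. It assumes the WHOIS record has already been fetched as text (a constructed sample record is embedded), and the brand list, the fixed "now" and the 30-day threshold are choices made for this demo.

```python
import re
from datetime import datetime, timezone

# Constructed sample WHOIS output for a lookalike domain (not a real record).
SAMPLE_WHOIS = """\
Domain Name: amazon.ninja
Registrar: Example Registrar LLC
Creation Date: 2019-10-01T12:00:00Z
Registrar Abuse Contact Email: abuse@registrar.example
"""
# Fixed "now" so the age computation is reproducible (assumption for the demo).
SAMPLE_NOW = datetime(2019, 10, 15, 12, 0, tzinfo=timezone.utc)
# Brands whose impersonation we care about; hypothetical list for this example.
BRANDS = ("amazon", "dropbox", "paypal")

def parse_whois(text):
    """Map lowercased 'Key: Value' lines to the first value seen for each key."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(.+?)\s*$", line)
        if m and m.group(1).lower() not in record:
            record[m.group(1).lower()] = m.group(2)
    return record

def domain_age_days(record, now):
    """Days since 'Creation Date', or None when the record lacks one."""
    created = record.get("creation date")
    if not created:
        return None
    dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (now - dt).days

def brand_lookalike(domain):
    """Return the brand whose name appears in the first label of a non-brand domain."""
    label = domain.lower().split(".")[0]
    return next((b for b in BRANDS if b in label and domain.lower() != b + ".com"), None)

def triage(text, now=None, max_age_days=30):
    """Combine the WHOIS-derived signals into one verdict dict for a reviewer."""
    now = now or datetime.now(timezone.utc)
    rec = parse_whois(text)
    domain = rec.get("domain name", "").lower()
    age = domain_age_days(rec, now)
    return {
        "domain": domain,
        "age_days": age,
        "newly_registered": age is not None and age < max_age_days,
        "brand_lookalike": brand_lookalike(domain),
        "abuse_contact": rec.get("registrar abuse contact email"),  # where a takedown report goes
    }
```

Running `triage(SAMPLE_WHOIS, now=SAMPLE_NOW)` flags the sample as a two-week-old Amazon lookalike and surfaces the registrar abuse mailbox, which is exactly the pair of facts the admin in the story acted on.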