how i phished my company
Post on 18-Jan-2017
TRANSCRIPT
How would I “hack” Omada?
• Hack my way through networks, type a bunch of fancy commands? No.
• Join Anonymous, wear a Guy Fawkes mask, use their collective power? No.
• Launch a Denial of Service attack, bring it all down? No.
• Phish Omada employees, let them give me their passwords.
Yes!
• Quid pro quo, entice an employee with something to get their password? No.
“Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life.” - @thegrugq
The attack targets
• C-Level and Executives - good targets if I were a Nigerian prince. No.
• Engineers - brainiacs, too much overhead to con them. No.
• User Reps - trained agents, would detect irregular patterns. No.
• Health Coaches - remote, loving human beings willing to help others.
Perfect!
OK, phishing it is…
• Perform reconnaissance - case the joint (Italian Job style) before you rob it.
• Who’s Who - identify high-value targets (LinkedIn, Twitter, Google).
• Assume recon finds coaches are not part of the corporate HQ.
• Email templates - gain access to Prevent (self-signup) and copy-paste its real emails.
(Scenario assumptions)
• Pulling it all together - plan, test, verify, and then execute. Go go go!
Real Fish
This looks good. Save!
Correct email address.
Thanks for creating the urgency for me!
Establish trust, but don’t verify.
I love this button! Hyperlinked URL.
Perfect!
Reel Phish
Mine looks better.
Huh? Red flag!
First-name basis? Cool!
Create a higher sense of urgency!
What happened here? Pretty sure this is {clone, spear}-phishing.
I just love this button!
The real website
Specify a new password.
Extended Validation SSL certificate issued to Omada Health.
URL is preventnow.com.
Hooked, line and sinker
Clearly != preventnow.com, and no HTTPS.
Obvious mi$$pellings are common.
Specify current password? Red flag!
What happened to the blue button?!
Again, mine looks better.
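The red flags called out on the last few slides (link host is not preventnow.com, no HTTPS, a misspelled lookalike domain, remote images that reveal when a mail is opened) can be checked mechanically in a mail gateway or awareness tool. The following is an added example, not code from the talk or from Omada: it parses an HTML mail body and reports those flags; the two sample mails are constructed, and preventnow.com is taken from the slides as the legitimate domain.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse
class _MailParser(HTMLParser):
    """Collect (href, visible text) for each <a> and the src of remote <img>s."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and (a.get("src") or "").startswith(("http://", "https://")):
            self.images.append(a["src"])   # a remote image doubles as a read receipt
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registered(host):
    """Last two labels of a hostname: app.preventnow.com -> preventnow.com."""
    return ".".join(host.lower().split(".")[-2:])

def phishing_flags(html, legit="preventnow.com"):
    """Return the red flags in one HTML mail body; an empty list means none found."""
    p = _MailParser()
    p.feed(html)
    flags = []
    for href, text in p.links:
        u = urlparse(href)
        host = _registered(u.hostname or "")
        if u.scheme != "https":
            flags.append(f"non-HTTPS link: {href}")
        if host != legit:
            # high similarity to the real domain = typo-squat / homoglyph lookalike
            similar = difflib.SequenceMatcher(None, host, legit).ratio() > 0.8
            flags.append(f"{'lookalike' if similar else 'foreign'} domain: {host} != {legit}")
            if legit in text.lower():
                flags.append(f"link text names {legit} but points to {host}")
    if p.images:
        flags.append(f"{len(p.images)} remote image(s): sender learns when it is opened")
    return flags

# constructed sample mails, not material from the talk
PHISH = ('<p>Hi Alex, urgent!</p><a href="http://preventn0w.com/reset">'
         'Reset your preventnow.com password</a><img src="https://preventn0w.com/p.gif">')
LEGIT = '<a href="https://app.preventnow.com/reset">Specify a new password</a>'
```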
The Results
• 39 users were targeted.
• The first phished credentials were collected 3 minutes after the campaign launch.
• 24 users had remote images enabled, allowing me to detect when the message was viewed.
• 1 user had a vulnerable web browser, which would let me perform a drive-by attack.
Funnel (of the 39 targeted users):
• Viewed the message: 34 (87%)
• Clicked the link: 25 (64%)
• Provided their credentials: 22 (56%)
Ta-da! (final thoughts)
• Omada Health is a target. Not a matter of if, but when.
• Be aware - develop a Phishing IQ.
• 2-factor (one-time token) would make a difference in a real-world scenario.
• Fair warning, Omada-wide phishing drills coming to a mailbox near you.