Gone Phishin’ — An Attacker’s Perspective & Solutions

Curtis Brazzell
17 min read · May 10, 2019

Intro

You can teach a man how to phish, but... you can’t make him phish-proof? Aside from the headings in this blog, I’ll try to avoid the fish puns to save your forehead from all of the potential face palms. Why am I writing this post? I’m hoping to shed some light on some Security 101 best practices for techies and non-techies alike, from the viewpoint of an attacker. It’s not quite Security Awareness Month (October) yet, so consider this an appetizer.

Spear-phishing is something we have great success with during our social engineering engagements at Pondurance. Sure, there are a lot of tools out there that regularly test employees to see who’s had enough coffee in the morning, but manual, targeted attacks take things to the next level. I’ve seen IT administrators who are proponents of phishing training, CEOs, and just about anyone else you can imagine in various positions throughout organizations fall victim to our shenanigans.

In fact, phishing is so successful in the wild that, according to a recent report from Cofense, 91% of all cyber attacks today originate from a phishing campaign. This checks out in my mind as a quick sanity check: if I’m on an engagement as a red teamer and phishing is in scope, I’m confident we’re going to find a way into the organization. Without phishing, we have to hope there’s an external misconfiguration of a device, bad code in an application, or a vulnerability in the form of a patching deficiency somewhere on the perimeter of the environment, and the chances of success there aren’t nearly as high today.

It should be no surprise, then, that since most incidents start with phishing, the human factor (human error) is the weakest link and is often targeted first. It’s easier to exploit a person than a device nowadays, and security awareness training isn’t as effective as it should be. So, that being said, let’s take a look at what a targeted spear-phishing campaign looks like through the eyes of the attacker, and at the solutions in place to help prevent you from getting hooked! Ugh, I did it again... sorry!

Scoping Out a Watering Hole (I mentioned these previously!)


Curtis Brazzell

Passionate geek for Information/Cyber Security! I’m always learning and am happy to contribute anything I can share with the community. Follow me @ Twitter!