back to article Hacker dishes advanced phishing kit to hook clever staff in 10 mins

Michele Orru has released an automated phishing toolkit to help penetration testers better exploit businesses. The well-known FortConsult hacker, better known as Antisnatchor (@antisnatchor), dropped the phishing kit at the Kiwicon hacking event in Wellington New Zealand last week, offering hackers tips to more successfully …

  1. Anonymous Coward
    Anonymous Coward

    Discerning?

    Phishing emails developed with PhishLulz are designed to trick discerning targets. An impressive 40 percent of staff at an unnamed Australian Government agency opened Orru's phishing emails and sent him corporate VPN credentials during a previous security test engagement.

    Australian Government employees are neither discerning nor intelligent from any I've had dealings with. Most need their technological arses wiped on a regular basis.

    1. Alumoi Silver badge

      Re: Discerning?

      Few staff can identify dots from dashes in URLs, nor do they pick .co vs .com.

      WTF? Now you tell me government staff can't even tell different symbols from one another? Aren't they required to pass some test, like being able to read and write or filling in an application form? Don't tell me it's all electronic now and the autocorrect is mandatory.

      1. JeffyPoooh
        Pint

        Re: Discerning?

        Corporate email server should send such emails with look-alike links to the bit bucket.

        And include all the dozen or so masked or cloaked variations of URLs.

        1. Pascal Monett Silver badge

          Re: Corporate email server should send such emails with look-alike links to the bit bucket.

          Love the idea.

          Just tell me how the server is going to be able to properly distinguish between the two without error.

          1. JeffyPoooh

            Re: Corporate email server should send such emails with look-alike links to the bit bucket.

            PM "...how the server is going to be able to properly distinguish..."

            Masked URLs are definable, and thus machine detectable.

            Cloaked URLs are definable, and thus machine detectable.

            (Including the not very long list of variations.)

            Then look for similarity (>75% common) but not 100% in links.

            At our workplace, they just mindlessly strip out all shortcuts, and disable many links from external emails.

            As problems go, this isn't all that complicated.

            How about adding a rule that if an email pretends to be from inside, but there's no matching email in the appropriate Sent folder, hmmm... suspicious.

            It doesn't have to be perfect. 95% would help.

      2. This display name is already taken
        Headmaster

        Re: Discerning?

        My reading of this is that non-technical staff don't understand the importance of dots vs dashes in URLs. I am sure that most of them can actually identify a dot and a dash as distinct punctuation marks, but have no idea if one or the other is a character or a separator in the URL.

        1. You aint sin me, roit

          Re: Discerning?

          The worry is that "non-technical", and certainly non-discerning, staff have access to VPN passwords.

          There should be a driving test... "Before we hand you the keys to the Government VPN you are going to have to show that you know what you are doing".

        2. Archivist

          Re: Discerning?

          People are already conditioned to see truncated urls and filenames by the stupidity of OSs and browsers. It's hardly surprising that they'll accept .co in place of .com, or some dots here and there.

      3. HmmmYes

        Re: Discerning?

        From my experience of Northern LAs the test centres around being related to someone already working he council.

      4. Anonymous Coward
        Anonymous Coward

        Re: Discerning?

        >WTF? Now you tell me government staff can't even tell different symbols from one another?

        Either you are being elitist, or you are one of the nerdie techies who makes software difficult by not having common sense how the real world works. They are the type which give us the gormless stereotype.

        Doctor 1: Yes, the patient died. His wife wasn't able to record his heart rate accurately.

        Doctor 2: WTF? Can't she count?

        Policeman 1: Yep, the crash was fatal. They both died.

        Policeman 2: WTF? Doesn't he know how to drive?

    2. John Robson Silver badge

      Re: Discerning?

      I was more concerned with the use of the word impressive.

      Depressing maybe?

  2. Anonymous Coward
    Anonymous Coward

    Is this the sort of 'fake news' Facebook is looking to crack down on?

    "to help penetration testers" LOL.

    Seems to me it is to drum up money for security dudes by creating widely available tools that create the environment necessary for hiring them.

    If the objective was to enhance security on the web these so-called testing tools would leave behind some sort of serial number or indelible trace that would lead to the registered purchaser of the 'testing' product.

    That is the thing with fake news, genuine media outlets become full of it because so often reporters and journalists either start to personally identify with sources.

    1. Tom Paine

      Re: Is this the sort of 'fake news' Facebook is looking to crack down on?

      If the objective was to enhance security on the web these so-called testing tools would leave behind some sort of serial number or indelible trace that would lead to the registered purchaser of the 'testing' product.

      And then all the mail filtering, AS and AV products would add a signature for the indelible trace, and the object of the exercise is defeated.

  3. Destroy All Monsters Silver badge
    Paris Hilton

    I don't understand

    ...how this toolkit is going to improve security in any way?

    Is KiwiCon now Blackhat Con?

    1. Phil Kingston

      Re: I don't understand

      Looking at the picture with the article, his aim may be "to exploit the ignorance of the masses".

      What a nice chap.

      1. Tom Paine

        Re: I don't understand

        Clearly you don't work in infosec!! "taking advantage of the ignorance of the masses" is pretty much what we do, even those of us working in the trenches in corporate air-conditioned nightmareland. (Idiot IT directors and managers don't know how to do their jobs properly, so we get paid more than they do in order to point out to them what they're doing wrong.) It's pretty damn stressful, especially when no-one listens and you can't sob on a peer's shoulder and share your misery, believe me. Developing a healthy, jokey contempt for managers, PHBs and users is just one way of preserving your sanity. Others are available, but they have nasty side effects like liver failure, overdose, jail etc.

        1. Anonymous Coward
          Anonymous Coward

          Re: I don't understand

          "taking advantage of the ignorance of the masses" is pretty much what we do

          Unfortunately, those ignorant masses tend to include the people who take budget decisions. On the plus side, that's why you alert and classify risks and store the email response that it's not classed as major in a dated and sealed envelope somewhere.

          It's probably the bit I hate most about InfoSec in larger companies, having to waste 50% on covering your back from idiots and politics. I much rather spend 100% of my time making sure the walls of the asylum stay strong..

    2. king of foo

      Re: I don't understand

      I think we need people on the 'white' side doing stuff like this 'because they can'. If THEY can then who else is already doing so? If we know 'how' then we can work on prevention/cure.

      I'm not convinced by the argument that white/gray hats are contributing to the problem - I'd rather a white hat pointed out a potential meteor in advance so we have time to build a big cannon or move to Mars than simply not wake up one morning...

      Should be possible to identify phishing emails before the user gets to see them; this work should help to that end as it unravels how they might have been implemented. Block their attacks and you can block someone else... assuming they used a similar approach.

      1. Anonymous Coward
        Anonymous Coward

        Re: I don't understand

        I think we need people on the 'white' side doing stuff like this 'because they can'. If THEY can then who else is already doing so? If we know 'how' then we can work on prevention/cure.

        There's a difference between demonstrating that something is broken and offering classes on how to exploit that - I am personally not impressed with someone attempting to portray the development of a better spam mechanism as "security" research. To me, that's just someone seeking payola.

        1. Anonymous Coward
          Anonymous Coward

          Re: I don't understand

          There's a difference between demonstrating that something is broken and offering classes on how to exploit that

          At my company, no one cared about security until after we got breached. Management won't listen to a theoretical risk. They need to have a real one shoved into their accounting bottom line before they notice.

      2. Hans 1
        Happy

        Re: I don't understand

        Use tool as monthly fool drill !

        And you will see that, one day or the other, even the arrogant will get caught out, because, I dunno, lack of sleep, hung over, argument with wife ... you name it ... we are NOT always at 100% of our capacities and we are human, we all make mistakes.

        Monthly, sounds about right ... lot to talk about comes Friday ... nobody likes being singled out, and will learn the lesson ... real fast.

      3. katgod

        Re: I don't understand

        How about when they catch a phisher they poke his or her eyes out, that may not sound like a white hat but I bet that the number of phishing cases would decline. Many of these articles seem to be around the idea that phishing is some sort of right. If that is true maybe we should just be teaching children 101 ways to make explosives and showing them how to detonate them with low probability of being caught.

        Having said that, I do think it is useful to understand where internet security is poor it just doesn't seem like it should be advertised to everyone. I know that would take away some of these great headlines and if that is what we really need then my teaching children about explosives will generate far better headlines.

    3. Tom Paine
      Go

      Re: I don't understand

      I ran a "fake phishing" training campaign. (We used MWR's phishd.com service though many others are available.) It works. Click-through rates drop dramatically when users are trained to recognise phish.

    4. SW10

      Re: I don't understand

      KiwiCon is now AllBlack-hat Con

      FTFY...

  4. Oengus
    Joke

    Kiwicon

    I thought that was the Kiwis trying to pull the wool over the Aussie's eyes...

  5. Anonymous Coward
    Anonymous Coward

    "automatic domain registration"

    One of the main issues leading to easy spam and phishing. Requiring vetting on registrations (and sinkholing those who don't enforce it, plus fees for any dodgy domain registered....), will solve a good slice of the problem.

    1. YetAnotherLocksmith Silver badge

      Re: "automatic domain registration"

      That's just not going to happen.

      For one thing ,it would show down the registration process - lost your domain to someone who passed it through vetting a bit faster? Bad luck!

      B) The cheap domain names that keep the Internet expanding are automated at the seller end to keep costs right down.

      III) People would bypass it anyway. Whether by pretending to be the domain owner wanting the typo domain name to catch otherwise list traffic, by clever boys trying next obscuration with Cyrillic or Arabic character sets, or by simply submitting a few million requests in a DoS.

      So no.

      1. Anonymous Coward
        Anonymous Coward

        Re: "automatic domain registration"

        A) The vetting would have no impact on request precedence

        B) Who said domain names should be cheaper and cheaper? Someone greed means trouble for many others.

        C) Sure, it won't be perfect but still far better than today when any spammer/phisher can easily hide behind thousands of domains.

  6. JJKing
    Flame

    TWO days to get the Domain Administator password.

    Just 2 days to get the Dom Admin password. I don't know about you but I was impressed. I went to one site where ALL the network and Internet credentials were written on a whiteboard for anyone to see. These credentials had been there so long it required an alcohol soaked rag to remove them. I was stunned that the previous techs had left the damn things there.

    We laugh at the L users for doing stupid stuff like that but the techs that do this need a real good kicking.

    1. Khaptain Silver badge

      Re: TWO days to get the Domain Administator password.

      Yup, just as silly as the companies that hand out little pieces of paper with the Company Wifi Password written on it, it is easy to determine by the age/general state of the paper that some of them were printed a long time ago....

      1. Anonymous Coward
        Anonymous Coward

        Re: TWO days to get the Domain Administator password.

        Yup, just as silly as the companies that hand out little pieces of paper with the Company Wifi Password written on it, it is easy to determine by the age/general state of the paper that some of them were printed a long time ago....

        Personally I find it more silly that they have to hand such details out for an INTERNAL network. We run a Wifi network separate for visitors. It only goes to the Internet and a local printer..

      2. Hans 1

        Re: TWO days to get the Domain Administator password.

        >Yup, just as silly as the companies that hand out little pieces of paper with the Company Wifi Password written on it, it is easy to determine by the age/general state of the paper that some of them were printed a long time ago....

        Yup, and those that do this, use the same password for longer times, have measures in place - said wifi only grants you internet access, with a bunch of blacklisted sites... no physical connection to internal network. The wifi is NOT reachable from outside the building ... yeah.

        Letting visitors with their kit onto your network must be a big nonononono.

        1. YetAnotherLocksmith Silver badge

          Re: TWO days to get the Domain Administator password.

          Hope you guys realise that a segregated wifi network generally isn't actually secure unless it is running on separate hardware too?

        2. Anonymous Coward
          Anonymous Coward

          Re: TWO days to get the Domain Administator password.

          Or you mean that 24 character password with multiple character sets that everyone knows and has been in use for 3 years? ;)

  7. Pascal Monett Silver badge
    Trollface

    "unless they are "dumb""

    Yep. That's where all security stops : at the idiot who will repeatedly click OK/Yes without looking, who will answer all information requests without thinking, who will do whatever is written on the screen.

    I believe the only solution to that is to keep those people away from computers. Of course, then we there is a host of new problems to take care of. I know ! Raise them to Management - with secretaries who take care of the typing and the clicking.

    1. Khaptain Silver badge

      Re: "unless they are "dumb""

      Generally referred to as PHBs..

    2. Anonymous Coward
      Anonymous Coward

      Re: "unless they are "dumb""

      How about the director general of a large inter governmental organisation who demanded that corporate security policy be relaxed in his case, so that "he could use the same 4 digit password that he uses for everything"?

    3. Anonymous Coward
      Anonymous Coward

      Re: "unless they are "dumb""

      It is not just a risk of computers.

      You have no idea how many small chain store businesses have to refuse phone use to those who can access the credit card machines. As just one phone call from "the card machine engineer" can cause so much trouble.

  8. Anonymous Coward
    Joke

    Ban this open source malware immediately

    "Orru, an open source advocate, invited interested hackers to contribute to the project. ®

  9. John H Woods Silver badge

    Warning ... Dumb Questions ...

    I'm interested in security but would certainly not claim to be an expert, so there's a good chance I'm talking rubbish but ...

    Could a corporate email server replace links in external emails with a link to an intranet page containing the "don't click on links in external emails" guidance?

    Could the email server be integrated with the web filter so that incoming links that aren't already whitelisted get put on a temporary blacklist, and staff needing to follow the links could contact IT to have them removed from the blacklist? Perhaps the interface that reads the email server's dumps of the incoming links could look them up and just blacklist those that were registered less than, say, three months ago.

    Couldn't the corporate web filter default blacklist .co domains --- and domains that have characters other than periods, dashes and A-Za-z0-9? There must be plenty of valid something-uk.com domains but anything -com.tld seems automatically suspicious to me.

    I know none of these solutions are watertight, but wouldn't they help mitigate the risk?

    1. Anonymous Coward
      Childcatcher

      Re: Warning ... Dumb Questions ...

      That's not a dumb question and yes you can do all of those things you mention.

      What is dumb however, is the bit where you then get told to remove all those security enhancements because PHBs etc can't be arsed with it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Warning ... Dumb Questions ...

        What helps is that it applies to myself as well, needin another admin to whitelist mine, and the operative phrase, no, fire me. There are some things and/or processes I simply will not do. Been like that since the early '80s and having the security clearance from Hell and zero nonsense track record (platinum references) help immensely.

  10. John 104

    Dumb?

    Most phishing emails need to be highly customised to work, Orru says, unless the target is "dumb"

    I'd say anyone who passes any credentials via email qualify as Dumb. I don't care what your position is, if you are handing out creds using this format, you are a idiot.

    1. find users who cut cat tail

      Re: Dumb?

      > I'd say anyone who passes any credentials via email qualify as Dumb.

      Like: Send me your public SSH key by signed and encrypted e-mail (obviously, after PGP keys were exchanged and are trusted)?

  11. IainWR

    WTF?

    Forgive me, I'm just a dumb guy with two difficult degrees that are only marginally connected to IT. Isn't this whole thing conspiracy to commit a crime? Which leads to the question why the NZ police haven't arrested the lot of them? And if you want a more philosophical approach, should we be considering the great World Wide Web as something akin to a nation, in which case this is an act of war and deserves to be treated accordingly?

    Please. What is it that I'm missing?

    1. John Stirling

      Re: WTF?

      What you are missing is that corporates pay the hackers to penetrative their networks, so it isn't a crime

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like