We were asked to do this, encrypted (and salted) the sensitive data, never saw, had or stored any non-encrypted sensitive data, and we had some inside help. We loudly applaud this initiative from this company, security, like punctuation and proper grammar, matters.
A leading player in its industry, with a turn-over of an impressive 20 billion Euro annually, asked us to do something special for their IT operations management/InfoSec meetup in Hannover, Germany.
Information security, sometimes shortened to InfoSec, is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.
On stage, we revealed having successfully swindled most attendees out of their usernames and passwords, resulting in big eyes and much gasping.
Here’s how we did it in four easy steps (a fairly common way):
Took us, say, 7 minutes and cost ten bucks.
We set up a VPS in Germany (to host the website), as to prevent the firewalls and protocols from being triggered. Clever girl.
This is where the inside info helped — we received a screenshot of what a default login page looks like, and we basically rebuilt it as close as we could, and put it on the fake domain name.
An hour, maybe two, of work. No biggy.
Our insider gave us a list of targets. (The way this usually works is with social engineering or somebody using CC instead of BCC.)
We sent them a mail, ‘reminding them of a survey they were asked to fill out’, linking to our fake login screen, twice, using default link blue that you just need to click already.
The email had no imagery, nothing fancy, just the text and two links.
Each time someone tried to log in, our script grabbed the username and password, and displayed a ‘default’ error page.
Funny bit: the error clearly states that they were phished (as to not cause any panic), but nobody rang any bells. Who reads errors, anyway.
Some more disclaiming: we (salted) hashed the passwords before storing them, so we never got or saw any of the real credentials, and it’s virtually impossible to decrypt the salted hashes. Remember: it cost us more effort to encrypt them than to just store them plaintext.
That’s a whopping 79% success rate,
with a few people, and frankly, little effort.
So be careful, it’s very easy to get swindled out of your credentials, and real attackers with bad intentions can wreak all kinds of havoc:
Industrial espionage, security leaks, huge malware-attacks, ransom demands, just a few examples that cost companies billions and billions of Euros, Dollars or Dogecoin every year.