31337 pseudo-evol master plan. GG, EZ Disclaimer:We were asked to do this, encrypted (and salted) the sensitive data, never saw, had or stored any non-encrypted sensitive data, and we had some inside help . We loudly applaud this initiative from this company, security, like punctuation and proper grammar, matters. A leading player in its industry, with a turn-over of an impressive , asked us to do for their IT operations management/InfoSec meetup in Hannover, Germany. 20 billion Euro annually something special , InfoSec_, i_ Information security sometimes shortened to s the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information . Phishing them out of their usernames and passwords, many jaws dropped. On stage, we revealed having successfully swindled most attendees out of their usernames and passwords, resulting in big eyes and much gasping. Me, bringing the good news to the collective worldwide IT management (pic: ) Rudolf van der Ven Here’s how we did it in four easy steps (a fairly common way): 1. We registered a domain name that could easily pass as one of their own to send emails from and to host the fake website that would grab their credentials Took us, say, 7 minutes and cost ten bucks.We set up a VPS in (to host the website), as to prevent the firewalls and protocols from being triggered. Clever girl. Germany 2. We built a one-pager that looked like their login page Anonymized version of the login screen, which of course had branding and bells This is where the inside info helped — we received a screenshot of what a looks like, and we basically rebuilt it as close as we could, and put it on the fake domain name. default login page An hour, maybe two, of work. No biggy. 3. We sent them an email, containing two links to the fake website Our insider gave us a list of targets. (The way this usually works is with social engineering or somebody using CC instead of BCC.) We sent them a mail, ‘reminding them of a survey they were asked to fill out’, linking to our fake login screen, twice, using default link blue that you just need to click already. The email had no imagery, nothing fancy, just the text and two links. CLICK ALL THE THINGS <o/ 4. We grabbed the usernames and passwords from the comfort of our bath tubs Each time someone tried to log in, our script grabbed the username and password, and displayed a ‘default’ . error page Funny bit: the error that they were phished (as to not cause any panic), but nobody rang any bells. Who reads errors, anyway. clearly states Some more disclaiming: we (salted) hashed the passwords before storing them, so we never got or saw any of the real credentials, and it’s virtually impossible to decrypt the salted hashes. Remember: it cost us more effort to encrypt them than to just store them plaintext. Anonymized representation of the information we grabbed. The result: 79% of their passwords in 72 hours. The slide from the picture above , with a few people, and frankly, little effort. That’s a whopping 79% success rate So , it’s very easy to get swindled out of your credentials, and real attackers with bad intentions can wreak all kinds of havoc: be careful Industrial espionage, security leaks, huge malware-attacks, ransom demands, just a few examples that cost companies billions and billions of Euros, Dollars or Dogecoin every year. How can I help? Shoot me a mail.

Dogecoin

Too Long; Didn't Read

Questions about cloud security? Get answers here.

How we phished a 20 billion Euro company out of 79% of their passwords

Too Long; Didn't Read

Coin Mentioned

OrT

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

How we phished a 20 billion Euro company out of 79% of their passwords

Too Long; Didn't Read

Coin Mentioned

OrT

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES