Phishing without Failure and Frustration presented at Defcon 2016

by Larry “@haxorthematrix” Pesce, Jay Beale,

Summary : You want to phish your company or your client. You’ve never done this for work before, you’ve got a week to do it, and you figure that’s plenty of time. Then someone objects to the pretext at the last minute. Or spam filters block everything. Or you decide to send slowly, to avoid detection, but the third recipient alerts the entire company. Or you can only find 5 target addresses. We’ve all been there on our first professional phishing exercise. What should be as easy as building a two page web site and writing a clever e-mail turns into a massively frustrating exercise with a centi-scaled corpus of captured credentials. In this talk, we’ll tell you how to win at phishing, from start to finish, particularly in hacking Layer 8, the "Politics" layer of the OSI stack that’s part of any professional phishing engagement. We’ll share stories of many of our experiences, which recently included an investigation opened with the US Security and Exchange Commission (SEC). Finally, we’ll tell you how we stopped feeling frustrated, learned to handle the politics, and produced successful phishing campaigns that hardened organizations at the human layer, and started to screw things up for the bad actors.