Trials and Tribulations of setting up a Phishing Campaign - Insight into the how presented at CircleCityCon 2017

by Haydn Johnson

Summary: Phishing for clicks is like the VA portion of a pentest. It feels nice being a hacker, but once you realize you aren't getting command and control, that fuzzy feeling wears off quickly. Everyone knows in theory what phishing is and what phishing emails look like; they may even know, in theory, how it all works.
What about executing a phishing campaign? This talk will show you the journey of setting up and executing a phishing campaign to gain command and control. I have tried a few frameworks, coded some pages myself, and will show the way I learned to phish. An important thing to understand in phishing (as in any attack) is the victim's side: what they see and do when they receive a phishing email. This is referred to as advancing one's tradecraft.
We will go through:
The main difference between phishing for clicks and phishing for shells
Choosing and setting up a Phishing Framework
Actions I take when learning something new
Testing delivery and bypassing spam filters with Microsoft ClickOnce
Testing different user interactions for executing payloads
Learning different payloads for command and control
Understanding the email minefield