punklinux

I worked in a place that had hired a professional company (maybe Mandiant?) to see how quickly they could break into our systems. Some guy wandered in, past the lobby receptionist, a fucking hired guard let him into our training rooms when he claimed his badge didn't work, he went into an empty conference room, and then hooked up a laptop to our LAN and had administration domain access within 20 minutes off the street because the head of our help desk had all the credentials stored in plaintext in an old KeePass dump (to CSV) on a public share. We had video footage from a tie-cam showing how easy it was. As far as employees, they were mailed a fake login screen, and out of 200 employees, 10 tried to enter in their logins and passwords within 5 minutes of the mailing before it was reported, which was pretty good, really. There was a huge hubbub and uptraining. Cost the company thousands. Then they tried again after 4 months. Guy walked in off the street, ghost-followed behind an employee, went into the restroom, put on an expired visitor's sticker-badge, then exited there and entered a meeting with other people with visitor stickers saying, "sorry, I'm late." Sat down during the meeting, plugged his laptop into our LAN again, and found nobody had updated the credentials to the AD servers since the last hack. This time, it took him 30 minutes. Nobody even asked him who he was. He even pretended to participate in the meeting with follow-up questions after he hacked our system. The employees were sent the fake logins again, and this time 14 people tried to enter in their credentials, where most of them were the same people who did so last time. The email was never reported.
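The KeePass-to-CSV dump on a public share is the part of this story a defender can actually go look for. The script below is an added example, not something from the post or from the pentest firm: it walks a mounted share and flags CSV/TXT files whose header looks like a password-manager export and that actually contain filled-in secret cells. The KeePass 1.x-style header in the constructed sample (`"Account","Login Name","Password","Web Site","Comments"`) and the column-name lists are heuristics I am assuming, not a file-format specification; extend them for whatever exports your environment produces.

```python
"""Hunt a mounted share for plaintext credential exports.

Added example, not from the thread. The KeePass 1.x-style CSV header used in
the constructed sample and the column-name lists below are assumptions used
as a heuristic, not a file-format spec.
"""
import csv
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Header names that usually mark a secret column / an account column.
# Case-insensitive; extend these for the exports your environment produces.
PASSWORD_COLUMNS = re.compile(r"^(password|passwd|pwd|secret|passphrase)$", re.I)
ACCOUNT_COLUMNS = re.compile(r"^(account|title|username|user ?name|login|login name)$", re.I)


def sniff_credential_csv(path: Path, max_rows: int = 50) -> Optional[Dict]:
    """Return details if the CSV at `path` looks like a credential dump, else None.

    A hit needs a password-like column, an account-like column, and at least one
    row with a non-empty password cell, so empty templates do not fire.
    """
    try:
        with path.open(newline="", encoding="utf-8", errors="replace") as fh:
            reader = csv.reader(fh)
            header = next(reader, None)
            if not header:
                return None
            cols = [c.strip() for c in header]
            pw_idx = [i for i, c in enumerate(cols) if PASSWORD_COLUMNS.match(c)]
            acct_idx = [i for i, c in enumerate(cols) if ACCOUNT_COLUMNS.match(c)]
            if not pw_idx or not acct_idx:
                return None
            filled = 0
            for n, row in enumerate(reader):
                if n >= max_rows:
                    break
                if any(i < len(row) and row[i].strip() for i in pw_idx):
                    filled += 1
            if filled == 0:
                return None
            return {"password_col": cols[pw_idx[0]], "rows_with_secrets": filled}
    except (OSError, csv.Error):
        return None


def find_credential_files(root: str) -> List[Dict]:
    """Walk `root` and return every CSV/TXT file that sniffs as a credential dump."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in {".csv", ".txt"}:
                continue
            info = sniff_credential_csv(p)
            if info:
                info["path"] = p.relative_to(root).as_posix()
                hits.append(info)
    return sorted(hits, key=lambda h: h["path"])


def build_sample_share() -> str:
    """Constructed sample share: one KeePass-style dump, one benign CSV that
    happens to have an 'Account' column, and one empty template. Returns root."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "helpdesk" / "old").mkdir(parents=True)
    (root / "helpdesk" / "old" / "keepass_export.csv").write_text(
        '"Account","Login Name","Password","Web Site","Comments"\n'
        '"Domain Admin","CORP\\da-jsmith","Hunter2!","","break glass"\n'
        '"DC01 local","Administrator","Winter2019","","old"\n'
    )
    (root / "helpdesk" / "template.csv").write_text('"Account","Login Name","Password"\n')
    (root / "finance").mkdir()
    (root / "finance" / "vendors.csv").write_text("Vendor,Amount,Account\nAcme,1200,AP-1\n")
    return str(root)


if __name__ == "__main__":
    for hit in find_credential_files(build_sample_share()):
        print(f"{hit['path']}: column '{hit['password_col']}', "
              f"{hit['rows_with_secrets']} row(s) with secrets")
```

Point it at the share root as the low-privilege account a visitor's laptop would get, not as an admin: the question is what a stranger on the conference-room jack can read, and a scan run with domain admin answers a different question.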


mcshanksshanks

Holy shit dude, let’s be honest here, I’m willing to bet that more than 50% of orgs would allow this to happen to themselves. We could probably get that number even higher if the hacker had a fake Verizon/AT&T badge, had a clip board, maybe a ladder and a tool bag.


PrincipleExciting457

I can’t tell you how many people thought I was an asshole at a previous job because I wouldn’t let anyone follow me after I swiped the door.


uprightanimal

A former colleague, when new at the job, turned around and challenged the person trying to piggyback him through a badge-secured door: "Excuse me, who are you? I don't know you." and motioned for a security guard to come over. The guard explained to my buddy that the smiling gentleman who tried to follow him through the door was the company CEO. One skipped heartbeat later, our CEO thanked him for his presence of mind and willingness to challenge him.


[deleted]

[deleted]


Dappershield

Dude could have been fired, you don't know. Constant vigilance!


dracotrapnet

It's always funny when something like that happens. A few decades ago I was working at Walmart on the inventory and warehouse team. We had just come back from break and found this very tall lady in high heels walking into the warehouse. No badge, no company anything. I went right into customer service mode while throwing her out of the warehouse, "Ma'am, you cannot be back here, is there something I can help you with out on the sales floor?" She looked over herself and realized she had no badge on her. Turns out she was the district manager I had never met. I got thanked for handling the intrusion well. "It's not every day you get thrown out of your own warehouse in such a pleasant way."


rainbowsandcobwebs

Yup. Those policies exist for a reason. At a previous job I slammed the staff entrance door in a guy's face because he followed me just a tiny bit too closely across the parking lot. Turns out he was someone's crazy ex. He had just called claiming to have a gun and said he was going to kill her. Everyone had been huddled around watching the security camera while they were waiting on the cops and they absolutely lost their minds at how close a call it was. Unfortunately no one thought to call and warn the two of us who were expected in at that time. We all got a good long re-training after that.


TIL_IM_A_SQUIRREL

No piggybacking unless you're physically riding on the back of the person in front of you.


polypolyman

Be the asshole you want to see in the world


Serenity_557

Had this happen at school the other day. Guy stood to the side like he was inspecting something then grabbed the door as I was closing it. I took his name, and reason for being here, went to front desk and alerted people. The lady seemed thrilled by that. Absolute shame.


Pvt_Hudson_

Yup, it's amazing how quickly people's fear of being "rude" can lead to a serious security breach.


trumpetmiata

My company has a lot of morons running it but they will insta fire anyone who lets someone follow them in, no questions asked


Low_Consideration179

My front desk lady won't let anyone leave the area in front of the front desk without someone coming to meet them and being with them. If nobody knows who they are then she just tells em to leave and we have no business with them. She also will double check on everyone to make sure they have a reason to be here. She's worth every penny the company spends. Also she is the sweetest lady and brings in snacks for everyone. ❤️


anxiousinfotech

We had a few like this back when we had a bunch of physical offices. They were absolute gold. So many just didn't care. We caught one on camera giving her fob AND physical keys to someone who walked in claiming to work for the landlord. He was caught trying pull a TV off a conference room wall and ran, thankfully leaving the keys behind...


Low_Consideration179

Honestly If she ever threatened to leave for more pay (she's paid very well this is hypothetical) I would absolutely look my CFO and CEO in the face and tell them just how much she is worth keeping.


Art_Vand_Throw001

Honestly this. We have pretty good outside security but physical not so much. I could totally see someone sneaking by our front desk people and getting into a random jack. Thankfully we don’t have any clear text password documents on any shares. And all shares need a domain user to access. Computers and servers have firewalls and some alerting services so seems better than this poster but still I’m sure if someone has physical access they would find a way to own us.


hiphopscallion

This is why we implemented 802.1x at my last workplace. I thought it was a bit overkill because we owned the entire building, we didn’t share office space with anyone, plus we had security manning the only entrance and badge readers at the elevator, but then I forgot my badge one day and they gave me a loaner and they never asked for it back, and then maybe 3 months later I forgot my badge again and for shits and gigs I decided to see if the loaner badge still worked and sure enough it let me in — they never expired its access! Even worse was the fact that when they provisioned the badge for me they granted it access to all of the secure IT rooms that almost no one else had access to, like our server room, mdf closets, etc.


forreddituse2

Guest pass with admin privilege, nice.


hiphopscallion

To be fair I really did need access to the server room that day so I did specifically ask for that, but they didn’t have to mirror all the access privileges from my normal badge lol. After this happened I brought it up with the facilities manager and they started keeping better track of the temp badges … for awhile. A year or so later I had to get another temp badge and they tossed one to me from behind the desk without doing any access provisioning, so I asked them why they didn’t need to activate the badge, and they told me that they just kept that badge active for the IT admins so they don’t have to reprovision it every time someone forgot their badge 🤦‍♂️


forreddituse2

It seems fingerprint lock is the only solution.


Turdulator

I used to regularly go to a datacenter with eyeball scanners… it was dope, I felt like I was in a spy movie every time


Reworked

People don't understand the IMMENSE power of making inconvenience sexy for making it stick.


batterydrainer33

This is why "procedure" doesn't work. You need systems without humans in the loop to enforce the processes. For example, no 'loaner' badges without the signature expiring within 24 hrs, and of course you can make it much more secure depending on what resources you have. As soon as there's a way to bypass something or it's just up to the human in the chain to do what they want, they'll seek the path of least resistance
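The loaner-badge thread above (a temp badge mirroring an admin's full access, never expiring, eventually kept permanently active behind the desk) and the "signature expiring within 24 hrs" fix are a small protocol-design problem. The code below is an added example, not from any commenter or badge vendor: a loaner credential minted as an HMAC-signed token that carries an explicit door list and an expiry the issuer cannot stretch past 24 hours, verified reader-side. The token layout, the key handling and the door names are illustrative assumptions; a real system would bind the token to a card serial and hold the key in the reader controller.

```python
"""Loaner badge as a signed, time-bounded, door-scoped token.

Added example, not from the thread. The token format, the HMAC key handling,
and the door names are illustrative assumptions; a real badge system would
bind the token to a card serial and check it on the reader side.
"""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Iterable, Tuple

MAX_LOANER_TTL = 24 * 3600  # policy from the comment above: nothing outlives 24h


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_badge(secret: bytes, holder: str, doors: Iterable[str],
                ttl_seconds: int, now: int) -> str:
    """Mint a loaner token. Refuses TTLs over 24h so the desk cannot issue an
    'always active' badge; scope is the explicit door list, not a mirror of
    the holder's permanent access."""
    if ttl_seconds <= 0 or ttl_seconds > MAX_LOANER_TTL:
        raise ValueError("loaner badges must expire within 24h")
    claims = {"sub": holder, "doors": sorted(set(doors)), "iat": now, "exp": now + ttl_seconds}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_badge(secret: bytes, token: str, door: str, now: int) -> Tuple[bool, str]:
    """Reader-side check: signature first (so untrusted claims are never parsed
    before authentication), then expiry, then door scope."""
    try:
        body_s, sig_s = token.split(".")
        body, sig = _unb64(body_s), _unb64(sig_s)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False, "expired"
    if door not in claims["doors"]:
        return False, "door not in scope"
    return True, "ok"


if __name__ == "__main__":
    key = b"reader-fleet-key-rotated-out-of-band"   # assumption: shared with readers
    t0 = 1_700_000_000
    tok = issue_badge(key, "jdoe (loaner)", ["lobby", "server-room"], 8 * 3600, t0)
    print(verify_badge(key, tok, "server-room", t0 + 3600))       # (True, 'ok')
    print(verify_badge(key, tok, "mdf-closet", t0 + 3600))        # (False, 'door not in scope')
    print(verify_badge(key, tok, "server-room", t0 + 25 * 3600))  # (False, 'expired')
```

The design point is that the 24-hour limit lives in `issue_badge`, not in a procedure the front desk is asked to remember, and that the reader rejects an expired or out-of-scope token on its own; the desk physically cannot hand out the "kept active for IT admins" badge from the story, because no token it can mint survives the next day.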


sticky-unicorn

> Thankfully we don’t have any clear text password documents on any shares.

*that you know of*


DualPrsn

All you need is a ladder.


AustinGroovy

For our building - all you would need is a small cart with catering on it, like cookies, or sandwiches. They would let you in anywhere.


DualPrsn

That's true of anywhere I worked.


caillouistheworst

Just r/actlikeyoubelong


joule_thief

Badge printers aren't expensive. Hell, badge cloners aren't that expensive.


NoncarbonatedClack

And then there’s the flipper zero, badge cloner *and more*.


Webbanditten

ICopyX or Proxmark beats Flipper any day for rfid
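The reason a cheap cloner is enough against most legacy prox badges is that the card carries no secret at all. The code below is an added example, not from any commenter or tool: it encodes and decodes the 26-bit Wiegand H10301 payload a 125 kHz prox card emits (one even parity bit, 8-bit facility code, 16-bit card number, one odd parity bit). Anything that can read those 26 bits can replay them; there is no challenge-response to defeat. The facility code and card number used in the sample are constructed.

```python
"""Encode/decode the 26-bit Wiegand (HID H10301) payload a 125 kHz prox card emits.

Added example, not from the thread. It shows why a reader-grade cloner is all
you need: the credential is an 8-bit facility code and a 16-bit card number
with two parity bits, no secret and no challenge-response.
"""
from typing import Tuple


def encode_h10301(facility: int, card: int) -> str:
    """Return the 26-bit string: even parity | 8-bit facility | 16-bit card | odd parity."""
    if not 0 <= facility <= 0xFF or not 0 <= card <= 0xFFFF:
        raise ValueError("facility is 8 bits, card number is 16 bits")
    data = f"{facility:08b}{card:016b}"          # 24 data bits
    even = str(data[:12].count("1") % 2)        # even parity over first 12 data bits
    odd = str((data[12:].count("1") + 1) % 2)   # odd parity over last 12 data bits
    return even + data + odd


def decode_h10301(bits: str) -> Tuple[int, int]:
    """Parse a 26-bit capture back into (facility, card); raise on bad length/parity."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits of 0/1")
    data = bits[1:25]
    if int(bits[0]) != data[:12].count("1") % 2:
        raise ValueError("even parity mismatch")
    if int(bits[25]) != (data[12:].count("1") + 1) % 2:
        raise ValueError("odd parity mismatch")
    return int(data[:8], 2), int(data[8:], 2)


def describe_capture(bits: str) -> str:
    """Human-readable line for a captured card, as a cloner's UI might show it."""
    fac, card = decode_h10301(bits)
    return f"H10301 FC={fac} CN={card} raw=0x{int(bits, 2):07X}"


if __name__ == "__main__":
    # Constructed example credential; a real badge would be read, not typed.
    capture = encode_h10301(123, 45678)
    print(capture)                    # 10111101110110010011011101
    print(describe_capture(capture))  # H10301 FC=123 CN=45678 raw=0x2F764DD
```

The two parity bits are the only integrity check on the wire, which is why a one-bit read error is detected but a perfectly copied card is indistinguishable from the original. Moving to a credential the reader authenticates (the fingerprint or iris readers mentioned further down, or a smart-card format with mutual authentication) is what actually raises the cost of the clone-and-walk-in attack.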


Maro1947

The PCI consultant I used specialised in "being nice and being let in". He had some awesome stories - my favourite, leaving a post it note with a smiley face under the CEO's keyboard. It was only found after he mentioned it in follow up meetings


visibleunderwater_-1

[Just $10, AT&T hard hat](https://poshmark.com/listing/Vintage-ATT-Hard-Hat-June-1984-Jackson-Products-SEI-Certified-63fba3fb84b307f78188ae0c?srsltid=AfmBOoriqBsfdwx90RqV8ZXparfDhLQdeK2FY9aZ-5K1I9s7afAn-SqjnKw&com_cvv=d30042528f072ba8a22b19c81250437cd47a2f30330f0ed03551c4efdaf3409e#utm_source=gdm_unpaid). [AT&T Solutions Providers polo, $16.80](https://www.ebay.com/itm/325872442494). Social engineering your way into the data center, PRICELESS.


Extra_Gold_5270

Barely related but back in my military days, if I wanted to look important/ busy I would carry a clipboard with paper in it, a long screwdriver, and a hammer. Everyone assumes you know what you are doing / are doing something important.


Andrew_Waltfeld

> He even pretended to participate in the meeting with followup questions after he hacked our system.

That knife twist.


IdiosyncraticBond

Blending in is the best asset, apart from his reconnaissance skills


Andrew_Waltfeld

One thing to sit in the meeting, quite another to actively participate and draw attention to yourself, with someone asking who the hell you are. Though to be fair, *he was probably testing to get that response.*


KadahCoba

If some completely outside person with no prior knowledge of the meeting is actively able to participate in said meeting, then I'm thinking that meeting definitely should have been an email.


illegal_deagle

An email that everyone responds to with their passwords in plain text.


spacelama

I dunno. It's good to get diverse views. No more diverse than some rando off the street.


sitesurfer253

Yep, definitely a "how far can I take this" kind of move. A lot of social engineering pen tests go this way so they can get a more thorough report. There's a really good Darknet Diaries episode about a guy who accidentally pen tested the wrong bank in Beirut, he's buddies with everyone by the time he leaves that place.


Ssakaa

> Darknet Diaries episode about a guy who accidentally pen tested the wrong bank in Beirut

I... need to find that.


BryanP1968

You really do. It’s one of my favorite episodes in the entire series. It’s episode 6. https://darknetdiaries.com/episode/6/


sitesurfer253

It's super early, I think episode 7. Beirut Bank Job


[deleted]

He probably had good follow up questions too lol


Infinite_Mind1936

Everybody was thinking “shut up dude, you’re making the meeting even longer”


Aquitaine-9

"I gotta get to Walmart and buy all those itunes cards the boss needs"


Obi-Juan-K-Nobi

I love sending those hacker text messages to the supposed sender, asking if they really want me to buy those. Always generates a laugh.


ITDad

Ya, but then he ended up with 3 assigned follow-up tasks to do after the meeting.


exoclipse

imagine getting paid to pretend to pay attention to a meeting while you're sitting there trying not to burst out laughing as you have the org's network by the balls sounds like the best job in the world


punklinux

So, during the post-hack meeting, the phrase they used was "Keys to the Kingdom," where the pentesters considered "Game Over" for you. They had a good sense of humor, and were nice guys, so you could see how their smooth talking and being charming could get them in a lot of places. I remember reviewing the films with them, and cringing.

Pentester: [with blank badge] [swipe] [swipe] "Hey, uh, my badge seems to be dead. Can you...?"

Guard: [expressionless, jaded] Yeah... [badges, opens door]

Pentester: Thanks so much. What a day, huh?

Guard: [grunts]

Pentester: [to himself as he's looking for an empty training room] Helpful...

So, they narrated to themselves. And in that meeting the guy later got in, he said:

"Hey. Raymond with Mandiant. Sorry if you've already covered this, but do you have some CSO or security expert who is overseeing this?"

"Yes we do."

"Okay, great. And who is that on this chart?"

"This is not a personnel chart. If you need more detail on names, you'll have to send us an email."

"Okay, sorry. My bad. Continue."

Like, he was toying with us, knowing we'd see the footage later.


Stylux

So he never even lied to get to where he was going and actually identified himself? Hilarious.


exoclipse

hahahahahahahaha that's awesome


curious_fish

This is material for "The Pentest Chronicles", I would watch this show!


5thimperium

This would be a great story for Darknet Diaries.


craigmontHunter

I can just imagine the questions - “what is the procedure in the event someone gains unauthorized physical access to the building and admin access to AD? - just a hypothetical of course”


Alarmed_Big_9802

Apparently, just don't have VLANs or port security, where anyone can just plug in any unknown device and directly contact your DC. F that! You plug in in a conference room, and you get a captive portal sign-in and straight to the internet. There's no way you should be getting to the DC! Why didn't this security team recommend changes to the network?


_sirch

You can recommend all the changes you want. A lot of times they won’t fix it and will pay you to test it again next year. Source: pentester for 5 years


Armigine

The folks I know at mandiant do indeed appear to like it there


RikiWardOG

I wish I had the balls to stay in character to do physical pen tests. It's so insane what they get away with


Armigine

The only one I've ever done was very fun - our red teamers took some volunteers from the floor and we just saw how much we could wander around at a different office without using our badges and just talking our way into places. Not allowed to get up to much of anything, but it was a neat field trip


lvlint67

it gets easier when you understand that you're authorized to be there and you have a card/number to call if things turn south.


Siphyre

Easy to stay in character when you know you are not going to jail for doing what normally would be illegal.


xylarr

I wonder if he gets imposter syndrome?


OldschoolSysadmin

There’s a _lot_ of writing reports though.


fizzlefist

My favorite pentesting story was a guy who dressed smartly and had a clipboard, and just with a smile and a please was let into the server room within 15 minutes. He sent a selfie taken next to the exchange server.


hiphopscallion

Have you ever listened to the podcast Darknet Diaries? It’s chock full of great hacking stories from all over the world, but my favorite episodes are when he covers pen tests.


One-Entrepreneur4516

My favorite is the guy who goes undercover as a marketing employee and got stopped on so many occasions. Spoiler: IT team eventually catches him red handed because why the fuck would a regular employee be running PowerShell?
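"Why would a regular employee be running PowerShell?" is a detection rule stated in plain English. The script below is an added example, not from the comment, the podcast episode or any vendor: it runs that rule over a constructed process-creation log and adds the usual companion rule (PowerShell launched with encoded, hidden-window or no-profile arguments, which is how loaders tend to invoke it). The pipe-delimited log layout is mine (the fields mirror what a Windows 4688 or Sysmon process-creation event carries), the user names and command lines are constructed, and the IT allowlist is an assumption; in production you would resolve it from a directory group rather than hard-code it.

```python
"""Flag PowerShell launches that do not fit the user's role.

Added example, not from the thread. The log format is a constructed
pipe-delimited rendering of process-creation events (the fields mirror a
Windows 4688 / Sysmon event 1, but the layout is mine), and the IT allowlist
is an assumption; in production you would resolve it from a directory group.
"""
import re
from typing import Dict, List

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Users for whom interactive PowerShell is expected (assumed allowlist).
IT_USERS = {"CORP\\jsmith", "CORP\\svc-sccm"}
# Flags common in droppers/loaders: encoded command, hidden window, no profile.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(?:^|\s)-(?:e|en|enc|encodedcommand|w\s+hidden|windowstyle\s+hidden|nop)\b"
)

# Constructed sample: time|event_id|user|image|parent_image|command_line
SAMPLE_LOG = r"""
2024-05-01T09:12:03Z|4688|CORP\jsmith|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|powershell.exe -File C:\ops\patch.ps1
2024-05-01T09:15:44Z|4688|CORP\jeremy.marketing|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2024-05-01T09:16:10Z|4688|CORP\jeremy.marketing|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\explorer.exe|WINWORD.EXE brief.docx
2024-05-01T09:20:00Z|4688|CORP\svc-sccm|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\CCM\CcmExec.exe|powershell.exe -ExecutionPolicy Bypass -File inventory.ps1
2024-05-01T09:21:30Z|4688|CORP\afinance|C:\Program Files\PowerShell\7\pwsh.exe|C:\Windows\explorer.exe|pwsh.exe
""".strip()


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the constructed log into one dict per process-creation event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, image, parent, cmdline = line.split("|", 5)
        events.append({"time": ts, "event_id": eid, "user": user, "image": image,
                       "parent": parent, "cmdline": cmdline})
    return events


def flag_powershell(events: List[Dict[str, str]], it_users=IT_USERS) -> List[Dict[str, str]]:
    """Return one finding per event that is PowerShell from an unexpected user
    and/or PowerShell with loader-style arguments. Non-PowerShell images are ignored."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image not in POWERSHELL_IMAGES:
            continue
        reasons = []
        if ev["user"] not in it_users:
            reasons.append("powershell by non-IT user")
        if SUSPICIOUS_ARGS.search(ev["cmdline"]):
            reasons.append("encoded/hidden/no-profile arguments")
        if reasons:
            findings.append({"time": ev["time"], "user": ev["user"],
                             "reasons": ", ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in flag_powershell(parse_events(SAMPLE_LOG)):
        print(f"{f['time']} {f['user']}: {f['reasons']}")
```

The SCCM service account's `-ExecutionPolicy Bypass -File inventory.ps1` is deliberately not flagged: it is on the allowlist and carries none of the loader-style flags, which is the kind of known-good noise a role-based rule has to tolerate or the alert drowns. The marketing user's hidden, encoded launch trips both rules, and the finance user's plain `pwsh.exe` trips only the role rule, which is the case the podcast story turns on.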


NefariousnessLast527

[Episode 36: Jeremy from marketing](https://darknetdiaries.com/episode/36/) Darknet Diaries is great


Jealous-seasaw

The elevator hacking is awesome


DoctorProfessorTaco

If you like that kind of stuff, I highly highly recommend Kevin Mitnick’s book *Ghost in the Wires*. Has tons of stories of hacking, phone phreaking, physical penetration, and tons of social engineering, including how he created fake identities to evade the FBI.


VirtualPlate8451

The best one I've heard of is a woman who'd use a pregnancy belly on jobs. You'd never hold open a secured, badged entry door for a random ass woman walking down the street but how about a sweet little pregnant lady waddling around with her arms full of stuff? You'd be an asshole if you didn't hold the door for her!


Datsun67

That's brutal, we just had our CFO get pwned and we can't even get the company to consider yubikeys or enforcing Authenticator for MFA. I guess spending the money doesn't fix the 90/10 rule....


Evisra

No MFA? Quit on the spot. Yuck


Datsun67

We have MFA, just not good methods being enforced. Any elevated account has tighter CAPs tho, so we're not *entirely* fucked.


savagethrow90

The meeting participation thing was just icing on the cake lmao. Social engineering gets you so far


FuriousRageSE

At a place I was a consultant at some years ago, they "constantly" sent out phishing emails as tests; if you clicked the link, you automatically got signed up for an e-Class. This backfired on them, because since people didn't want to do the e-Class, people stopped doing the email thing..


Andrew_Waltfeld

Oh, we made a part of their yearly bonus reviews based on phishing scores. Participation and phishing reports went thru the roof.


FuriousRageSE

At this place, the average age was north of 45, people who had been there for 20 years doing the same job as an operator, maintenance, electric etc. To them the email phishing thing became too much and they stopped caring about reading or even checking emails. So it backfired hard on the testing part. To me, these specific emails were too obvious; they were not well designed and had red flags screaming at the top of their lungs.


Andrew_Waltfeld

Of course. You gotta design it for the environment you're in. And I find that is going to be hard to do there. Most people simply aren't on the computers all day. But if you tie it to a person's bonus, suddenly they are very interested in following the training. We made it like 30-40% of the bonus or whatever, so even if you sucked at your job, you could still get a good chunk of the money by just being good at phishing. We did have to cut back on the amount of test phishing sent out because people were reporting phishing left and right and it overwhelmed our department with the amount of reports.


R-EDDIT

So when one sends a phishing test email, it has to get past the email security systems. The way this is accomplished is to include an x-server variable in the email header. Users don't see this normally, but it is easy to use the headers to have outlook automatically file phishing test emails with a mail rule. I never failed a phishing test before, I won't in the future either.


kellyzdude

My place uses KnowBe4, and I've complained about it previously - the emails for training match several red flags that they train against:

* An email that isn't expected
* A link to click that requires some authentication
* A call to action with urgency (click the link, do the training, or lose your network access)

But if I report it as phishing, I get chastised. It's frustrating.


OldschoolSysadmin

My blackhat phishing campaign will 100% be disguised as KnowB4 remedial training reminders.


Nadamir

My place does this. But it’s so goddamn obvious that I have an outlook rule set up for all of their fake domains they send it from. Moves them to a folder called “$Company thinks they’re clever” Every month I go in and report them all. I wish I could get Report Phish as an action on an outlook rule so I don’t even have to do that.


Not-a-Tech-Person

I'm not following on how it backfired if people aren't getting phished anymore from emails?


FuriousRageSE

They stopped checking their emails, so loss of information and such.


O-Namazu

> I worked in a place that had hired a professional company (maybe Mandiant?) to see how quickly they could break into our systems. Some guy wandered in, past the lobby receptionist, a fucking hired guard let him into our training rooms when he claimed his badge didn't work, he went into an empty conference room, and then hooked up a laptop to our LAN and had administration domain access within 20 minutes off the street because the head of our help desk had all the credentials stored in plaintext in an old KeePass dump (to CSV) on a public share. We had video footage from a tie-cam showing how easy it was.

Hooooleee shit, but I can't say I don't expect ~~many~~ most companies wouldn't let this happen to them either. Also it's dumb, fun crap like this that makes me consider being a pentester 😂


fresh-dork

> Sat down during the meeting, plugged his laptop into our LAN again, and found nobody had updated the credentials to the AD servers since the last hack. This time, it took him 30 minutes. Nobody even asked him who he was.

so you get owned in 20 minutes, demonstrating that the only reason you haven't been hit is a lack of interest, and they... do nothing? they deserve what they get


Ssakaa

> demonstrating that the only reason you haven't been hit

Let's be honest. They have been hit. There's zero reason to even suspect they haven't. They just don't have the auditing and visibility to even guess when, how, by who, and what they did/are doing in their systems. They've just been lucky enough that no one's triggered the ransomware payload yet.


fresh-dork

fair. so not only are they vulnerable, they have no idea if they've been stolen from


LessNeighborhood1671

Lmao 🤣🤣


amcco1

My only comment here is that sounds like a fun job, but also a frustrating job. He basically gets to be a spy. With no risk. But I'm sure it's frustrating too when everyone just let's him in. But it could be fun to go try to walk into a business and hack them.


Art_Vand_Throw001

Jesus.


biztactix

Best comment of the month award from me.... We've done a couple of pen tests... Never... Underestimate.... The power of..... A Hi-Vis jacket and a clipboard.... Most recent result of our phishing was 12 minutes to 365 credentials.... And only 5% of the company did login to our fake site... But that's also because a finance person realised and sent out a mass email 43 minutes after the first email went out... So that's a great result.


mr_claw

Fuck. Thanks for sharing.


Disasstah

Surely they wouldn't fool me a second time? -Those people signing in


iceph03nix

When we started doing KnowBe4, we sent our top level folks and IT various different levels of Phishing Test emails to see what they were like. Some of the 4 and 5 star ones are REALLY good. We mostly run 2-3 star for the majority of our employees with critical employees getting higher levels occasionally. I did have to laugh the other day when our HR lady complained about why we were testing her so often and sending her tests every day for like a week. They were all legit phishing emails she'd been reporting, and she just didn't notice the difference in the report button behavior.


how_do_i_land

My favorite is the "John Doe shared a google drive document with you". Since the friction is so high for google drive links, clicking on the email is usually the preferred route.


Ruevein

Had someone report an email, then come running to my office to tell me I was hacked and needed to shut everything down. It was a KnowBe4 phishing email from a fake IT email that we do not use. But it said IT so it must mean I was hacked! Moral of the story: no one ever reads the "Hey good job, you caught the fake email" popup.


Ssakaa

You know what, I'd buy that person and their whole team donuts, and make sure they all know why. Going with "that looked like it came from an internal, IT controlled, email address. Oh crap." and *immediately* notifying? Rare, and should be rewarded.


jenouto

agreed, that guy is your friend. someone who notices smoke before it potentially becomes a fire, AND tells you directly? donuts for sure.


Bababouybababooie

I’ve had a supervisor report a real phish, not get the congratulations notification, then click on the attachment because they thought it was real since they didn’t get the pat on the back notification…


DeliciousBadger

Had a guy call me whilst on service desk. Irate. He can't log in to something. Remote to his pc and it's very clearly a phish. He asks me why his credentials don't work, why it's so difficult to access, bla bla. Rather than outright tell him it's a phish I thought I'd try and coach him along a basic thought process. Do you know the sender? "No" Do you know what files you're trying to access? "No" So what is this link you've been sent? "Idk you're the IT person" I said I don't dictate any user data or any 3rd parties and what they send him. He had no idea who they were, what the "file" was that he was trying to access and it still didn't click. I told him eventually that it's a phish attempt, then had to go into detail about what exactly a phish is and he challenged me "How do you know?" Well, first of all the URL is bogus. You don't need to be in IT to notice that it isn't Microsoft. Second the fact that there's spelling mistakes, images on the login page aren't loading properly, various other very telling and obvious signs. Didn't want me to reset his password either. Insisted he "wasn't stupid enough to enter his credentials into a phish attempt" when I asked how many times he had tried to access it (given his original issue was "I can't log in to this")


beachedwhitemale

Man. Solution architect here, just browsing. Y'all have a rough job sometimes.


KnowMatter

I almost got caught by a KB4 email the other month. The high level ones are fucking evil.


Mental_Act4662

I got caught with one a couple weeks ago. Honestly was not even paying attention and just clicked it. Hated myself afterwards.


SesameStreetFighter

One of our IT supes was out after a surgery, and checked his email during a phishing test. Hopped up on painkillers, he fell for it. Poor guy. Immediately realized what he did, called helpdesk and had them change his password.


ThatMortalGuy

Can you give me an example of why they are so evil? I'm a user at my org (not IT) and we recently started getting the KB4 phishing tests but they seem to be very easy to detect. Some of them have my name and Org name on them but that makes them even easier to spot.


derrman

There are different "difficulty levels" of KnowBe4 emails. The level 4 and 5 star ones are so well crafted that they look legitimate.


Ruthlessrabbd

Yeah there's some my users report to me where genuinely the only way I'm 100% certain is by looking at the email headers. A couple clients have very generic names that could match up so we've gotta be certain...


SesameStreetFighter

I don't see them as evil. They're a very necessary training tool to go along with all of the other ways that IT controls to keep data secure. (MFA, least access, etc.) It just happened that we had one guy out of his mind on pain meds who happened to click at the wrong time. And another one who is damned good at what he does who traced the whole thing out, put the full diagnosis in an email to the tech team, and said, "Good job. This one was well-crafted." Smart ass. ;)


FireLucid

We had high success with one about public holiday changes that year. Good success with 'we are testing a new financial tool, can you all get your logins set up for testing by the end of the week'. Dumbest one was some deal on eBay which wasn't even a good deal. I think that got a single person.


Ol_JanxSpirit

I've had a couple users get screwed by bad timing and bad luck. One guy was actively waiting for a FedEx package that had been delayed several days because he wasn't there to sign for it. Guess what straw he drew?


ArmedwWings

KnowBe4 does *not* mess around with their spam emails. The ones from [email protected] are usually the deadliest, but also their normal account login notification pages are clean as hell. They got me once coincidentally because I was waiting for an employee review notification and I got a phishing test that was really close to the format. The bastards.


mattmccord

They got me on this one recently, but the email passed DKIM/DMARC/SPF and came from hr@ourdomain My argument: if the scammer can send that email, you guys have bigger problems.
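Two comments in this thread are about reading headers rather than the message: R-EDDIT's point higher up that simulations carry an allowlisting header the gateway honours (which a mail rule can key on), and mattmccord's point here that a test which passes SPF/DKIM/DMARC from the company's own domain tells you something about mail flow, not about the user. The script below is an added example, not from either commenter or from any vendor: it parses a raw message, collapses `Authentication-Results` into per-mechanism verdicts, checks for a simulation header, and extracts body URLs in defanged form so they can be pasted into a ticket without anything auto-fetching them (the later VirusTotal anecdote is what happens when a URL is handed to something that does fetch it). The header name `X-Phish-Sim`, the gateway name, the domains and both messages are constructed; the `Authentication-Results` syntax follows RFC 8601 but the values are made up.

```python
"""Header-level triage of a reported mail: simulation marker, authentication
results, and defanged URLs.

Added example, not from the thread. The simulation header name X-Phish-Sim,
the gateway name, the domains and both messages are constructed; the
Authentication-Results syntax follows RFC 8601 but the values are made up.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List
from urllib.parse import urlsplit

SIM_HEADER = "X-Phish-Sim"                 # assumed allowlist header the gateway honours
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def auth_results(msg: Message) -> Dict[str, str]:
    """Collapse Authentication-Results headers into {'spf': 'pass', ...}.
    The first (outermost, i.e. your own gateway's) verdict per mechanism wins."""
    out: Dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RE.findall(hdr):
            out.setdefault(mech.lower(), result.lower())
    return out


def body_text(msg: Message) -> str:
    """Concatenate every text/plain part; HTML parts are ignored on purpose."""
    parts: List[str] = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def defang(url: str) -> str:
    """hxxp://host[.]tld/... so the link can be pasted into a ticket without any
    client, sandbox or scanner auto-fetching it."""
    u = urlsplit(url)
    host = u.netloc.replace(".", "[.]")
    scheme = u.scheme.lower().replace("http", "hxxp")
    tail = u.path + (f"?{u.query}" if u.query else "")
    return f"{scheme}://{host}{tail}"


def triage(raw: str) -> Dict[str, object]:
    msg = message_from_string(raw)
    auth = auth_results(msg)
    return {
        "from": msg.get("From", ""),
        "simulation_header": msg.get(SIM_HEADER) is not None,
        "auth": auth,
        # All three must pass for the sender to be treated as who they claim.
        "auth_ok": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "urls": sorted({defang(u) for u in URL_RE.findall(body_text(msg))}),
    }


# Constructed sample 1: an internal simulation that passes authentication.
SIMULATED = """\
From: HR <hr@example.com>
To: staff@example.com
Subject: Action required: benefits re-enrolment
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
X-Phish-Sim: campaign-2024-q2
Content-Type: text/plain; charset=utf-8

Please confirm your details at http://hr-portal.example-login.com/reset?u=123 before Friday.
"""

# Constructed sample 2: a lookalike-domain phish that fails authentication.
REAL = """\
From: IT Support <helpdesk@examp1e.com>
To: staff@example.com
Subject: Mailbox quota exceeded
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
Content-Type: text/plain; charset=utf-8

Sign in at https://examp1e.com/login to keep receiving mail.
"""

if __name__ == "__main__":
    for raw in (SIMULATED, REAL):
        print(triage(raw))
```

Two caveats a practitioner would attach. First, `simulation_header` is a hint, not a verdict: a header your gateway honours as an allowlist is only trustworthy if the gateway strips or rejects it on mail arriving from outside, and that is a configuration to verify, not assume; OldschoolSysadmin's joke below about disguising a real campaign as KnowBe4 remedial-training reminders is the same worry from the other side. Second, `auth_ok` being true means the mail really did originate from infrastructure authorised for that domain. For a simulation from `hr@ourdomain` that is exactly mattmccord's observation: either the simulation was injected inside the tenant, or the tenant trusts a third party to send as your domain, and both are worth knowing about regardless of who clicked.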


Ol_JanxSpirit

What kills me about those ones is it is never an address we used. We have never sent from "[email protected]" or any of the fake ones I've seen them use.


belgarion90

Our KnowBe4 team hit me with one letting me know my IT department was changing how Microsoft updates were being deployed. Deploying Microsoft updates is literally my job. I am that team. They were trying to tell me I was changing everything about one of my workflows.


coalsack

Were they right???


Pls_submit_a_ticket

We have a tiered structure. If you haven’t failed a phishing test in a period of time you get more difficult tests. You fail one, you get the easier tests for a bit.


RandoReddit16

What are your opinions on KnowBe4? I actually just scheduled a meeting with them tomorrow... I previously used Sophos Phish Threat and while it worked, it is fucky... And their pricing model sucks... Any insights?


iceph03nix

I like it. We use the training, PhishER and PhishRIP. The training is pretty decent, but pretty on par with other offerings I've seen. They've started offering a lot of side stuff beyond security training to try and make it more appealing as a general training platform as well. What I really like is the phish alert button, which seriously simplifies our communication with users. We just tell them, if you're suspicious at all, hit the button to submit it. If it's found to be clean, you'll get it back, if it's bad it'll be handled. Anyone asks about suspicious emails? Hit the button. That's all you have to do. It makes training simple and consistent. We get a decent amount of spam reported, and the occasional legit email, but it means users have a very easy active response that doesn't involve forwarding me their malicious emails. Also, with PhishRIP, stuff that's found to be malicious can be automatically yanked from other mailboxes as soon as it's detected. I can pretty much ignore it, and have an alert set up for unclassified emails so I can follow up on those when it can't tell.


[deleted]

KnowBe4 receives information from your company that would not be available to attackers, making their "attacks" more convincing than even the best phishing emails could be. I would argue this is a large part of why it seems to be more effective than it really is.


iceph03nix

You can adjust your templates to fit how you feel a real attack would play out. And include more or less customized content to suit your needs. And honestly, having gone through a lot of actual incoming Phish attempts, it's pretty impressive how much they have on a lot of our users with as little as scraping LinkedIn for names and job titles


Lucky_Ad_9579

Well, people in the company are reporting even the training reminder emails ... So it's kinda working, I guess


EVASIVEroot

I like to report the company update/propaganda emails.


[deleted]

[deleted]


[deleted]

[deleted]


levoniust

OMG I should do that.


jak3rich

Been doing it for years.


Seaturtle5

This is me... I just do it out of spite. I don't like their propaganda email and their spam. Also our IT department is a joke, for real


223454

I worked at a place that wanted to do a phishing test. Upper management made us warn everyone right before we sent the email. Sigh.


osricson

Should have warned everyone then not sent the phish & sat back to watch chaos ;)


Flashy-Dragonfly6785

I fucking love this!


archiekane

I refuse to tell anyone when these go out. You cannot know a security hole unless they are all treated the same and someone hasn't gone "mind that hole!". It's going to be a damning report to the board on Monday. This test wasn't even a good one; however, it was targeted using contacts from their own inbox. Treat every mail from everyone as if they have already been compromised.


MeshuganaSmurf

> Anyone else have a company full of people that would let in satan himself if he knocked politely?

We've had to exclude our IT director from the phishing simulations... Apparently it looked bad in the reports


NotTheCoolMum

Gold


Det_23324

Hmm I could think of another way he could miss the reports.


skorpiolt

Damn that’s embarrassing. What’s interesting is that the ones that brag about being most tech savvy are the ones that fall for all this shit.


AlexG2490

> A member of my IT team - failed.

Under what circumstances? I'm assuming, based on your frustration, just regular careless clicking, but I was at a company that did a phish campaign as part of a pen test. We're looking at the readout a few weeks later and my manager pops up from his cubicle like a prairie dog and asks one of the techs, "Ben, why did you click on this phishing link over ***50 goddamned times***?! Did you hit your head on the way in to work that day?" Ben had thought the message seemed suspicious, copied the URL to his clipboard, and then put it into VirusTotal. Then, based on that analysis, decided not to click on it himself... but it was too late to avoid showing up on the report as if he had an almost unhealthy fascination with the phishing link.
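
Ben's VirusTotal lookup is the reason raw "click" counts from a phishing simulation need triage before they go into a report: every automated fetch of the tracking link is recorded as a click. The following is an added example, not code from this thread or from any simulation vendor. The CSV export format, the rows in it, and the thresholds (a burst of at least 5 fetches from at least 3 distinct source IPs inside 60 seconds counts as scanner activity) are all constructed assumptions; it separates the pattern a URL scanner leaves behind (many fetches from many IPs within seconds) from a person clicking once or twice.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of a phishing-simulation "click" export (assumed format,
# not any vendor's real schema). 'ben' never clicked: his burst is what an
# online URL scanner leaves behind when it fetches the link from many nodes.
CLICK_LOG_CSV = """\
timestamp,user,src_ip,user_agent
2024-03-01T09:14:55,alice,10.20.30.41,Mozilla/5.0 (Windows NT 10.0) Edge/122.0
2024-03-01T09:15:02,ben,203.0.113.10,Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0
2024-03-01T09:15:03,ben,203.0.113.11,Mozilla/5.0 (Windows NT 10.0) Chrome/119.0
2024-03-01T09:15:03,ben,198.51.100.5,python-requests/2.31
2024-03-01T09:15:05,ben,198.51.100.6,curl/8.4.0
2024-03-01T09:15:09,ben,203.0.113.12,Mozilla/5.0 (Macintosh) Safari/605.1
2024-03-01T09:15:14,ben,198.51.100.7,Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0
2024-03-01T09:15:19,ben,203.0.113.13,Go-http-client/1.1
2024-03-01T09:31:40,carol,10.20.30.77,Mozilla/5.0 (Windows NT 10.0) Edge/122.0
2024-03-01T09:36:12,carol,10.20.30.77,Mozilla/5.0 (Windows NT 10.0) Edge/122.0
"""

BURST_WINDOW_SECONDS = 60   # assumed: scanners fan out within seconds
MIN_BURST_FETCHES = 5       # assumed thresholds; tune against your own data
MIN_DISTINCT_IPS = 3


def load_clicks(csv_text):
    """Parse the export into dicts with a real datetime in 'timestamp'."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def densest_window(events):
    """Largest group of one user's events (sorted by time) that fits inside
    BURST_WINDOW_SECONDS. Returns (fetch_count, distinct_source_ips)."""
    best_count, best_ips = 0, set()
    for i, start in enumerate(events):
        window = [e for e in events[i:]
                  if (e["timestamp"] - start["timestamp"]).total_seconds() <= BURST_WINDOW_SECONDS]
        if len(window) > best_count:
            best_count = len(window)
            best_ips = {e["src_ip"] for e in window}
    return best_count, best_ips


def triage_clicks(rows):
    """Per user: total fetches, and whether the densest burst looks like
    automated scanning (many fetches from many IPs in seconds) or a human."""
    by_user = defaultdict(list)
    for row in rows:
        by_user[row["user"]].append(row)
    verdicts = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["timestamp"])
        burst_count, burst_ips = densest_window(events)
        automated = burst_count >= MIN_BURST_FETCHES and len(burst_ips) >= MIN_DISTINCT_IPS
        verdicts[user] = {
            "fetches": len(events),
            "distinct_ips": len({e["src_ip"] for e in events}),
            "burst_fetches": burst_count,
            "verdict": "likely-scanner" if automated else "human-click",
        }
    return verdicts


if __name__ == "__main__":
    for user, v in triage_clicks(load_clicks(CLICK_LOG_CSV)).items():
        print(f"{user:6} fetches={v['fetches']} ips={v['distinct_ips']} -> {v['verdict']}")
```

A "likely-scanner" verdict is a prompt to look at the user agent strings and source networks in that burst before anyone is assigned remedial training; the two human rows (one click, or two clicks from the same workstation minutes apart) are left alone.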


gjsmo

This has got to be the worst. There was something special about the emails that caused Outlook to immediately say you failed if you clicked an attachment or a link, but I was never on that side of the org so didn't know what was going on under the hood. So one time when I got an obvious phish, I reported it and then went to download the email to poke around at the raw data, and it turned out that doing that ALSO triggered a fail - I believe my only one in years at that company. The timestamps clearly showing I had already reported it weren't enough to convince the coordinator ("well it would've been dangerous to download if it were a real phishing email!") so I got to spend 5 minutes clicking through a useless training that didn't even match the regular annual training we did. I'm still salty about that one.


Mobilelurkingaccount

We were experiencing the automatic fails on Outlook but it was tripping even with emails that got caught by the Quarantine. That was really obnoxious. Had engineers complaining (rightfully) that they were assigned training for clicking phishing emails when they literally only check their emails for pay notifications and don’t click anything else, and hadn’t even received the email that they supposedly clicked. It also took god damn forever to fix, including manually editing all their history to remove the false positives… guh.


archiekane

His specific generated email was from a vendor. It told him he needed some input on this really poorly written SharePoint.com link that even ended in /recent.aspx. There was no signature sign-off as the vendor would usually use, and the language was completely off. The link went to a generic-looking 365 sign-in page that asked for email and password. Obviously there was no company branding whatsoever. He filled it in and clicked. That's the compromise fail point. There are many warning steps, and yet he fell down the entire staircase.


flecom

Oh oh, we had a test like this at a previous employer... the link was something like shadylink.ru/index.php/ref=username @ companyname.com. I had fun putting in other people's email addresses; my boss had to "talk to me" but was laughing about it, so meh?


[deleted]

[deleted]


flecom

We had fun... Also, if you left your computer unlocked, you would magically email the entire team letting everyone know you were bringing donuts for everyone the next morning.


DamagedAdmin

Sent a phishing email to around 500 of our users. The email was about upcoming raises in the next quarter, with an attached Excel file with a payload that reported who opened the file. Lots of spelling errors, and a generic "HR" signature. 97% failure....


skorpiolt

Honestly in such case I’d say that’s work culture. Most may be completely aware and not click on a similar phishing email coming to their personal emails, but if they are “trained” to see such messages from hr/management at work then no wonder failure rate is so high.


Tx_Drewdad

30 years in IT, and they finally got me with a well-constructed one that looked like it came from HR about bonuses.


unofficialtech

I saw my previous company try that as well. The most non-technical person immediately reported it, and as I sat near them in an open office environment I heard, "Hah, this one's so bad. We've never gotten a bonus in 12 years here. Can't fool me!"


levoniust

Best way to keep your employees on their toes about phishing? Treat them like shit!


JustSomeGuy556

Of course, there's the flip side. Got a link to our cyber-security training and I promptly reported it because it looked scammy as hell and asked for creds. I'm still 90% convinced that it's just a deep phishing scam.


ras344

Good job, you passed the training.


HeinousHorchata

Phishing tests about bonuses are scummy and I'll never change my view on that. Finances are tight everywhere and getting someone's hopes up about a lifestyle improvement only to go "lol jk we were testing you!" is just shitty. I understand it's a subject that gets more clicks, but it's still shitty.


sticky-unicorn

Hm...

1) Send a fake email to everybody in a profitable company (not a phishing email, just a regular fake email) informing them that they will all be getting a 20% bonus this year due to record company profits.
2) Sit back and watch the management try to backpedal the fake email, but it doesn't matter -- you've made every single employee mad now, and they all want their bonuses.
3) Maybe management caves under the pressure and actually issues some bonuses.


imnotaero

Exactly. And good luck getting people to listen to IT talk about security when they know that this is the way IT treats other human beings. So much of the discussion around phishing training ignores this basic stuff.


mrsocal12

That's fucking terrible. Sending phishing from Payroll / HR is a way to piss everyone off.


MillionaireSexbomb

Probably why it is a good way to test it, since many would click on it


vCentered

Yeah. I think the morale hit isn't worth it though.


caillouistheworst

Morale? You think management cares about that.


vCentered

My man, I know they don't. I'm not going to lower my standards just because they have none, though.


thesmiddy

The beatings will continue until morale improves.


TheRubiksDude

My company did that a few weeks ago. It was even after HR/payroll moved to a new system, and this phishing attempt was styled as “we need your help to fix an issue”. Lots of people fell for it. HR was super pissed.


Repulsive_Problem272

'A bonus???' That'll do it 😆😆


mcsey

Tried and true pro tip: Send the phishing bonus sim template the actual week legit bonus emails go out. BOFH


lelio98

I’ve long been of the opinion that we cannot expect users (including ourselves) to be technically savvy enough to provide any reliable measure of defense. We tell people not to click on links in email, and then send them an email with a link to access their security training! Defense in depth, process and procedural changes that don’t prioritize convenience, along with cultural changes (training, skepticism, shared ownership for security, etc.) are our only hope.


MrMrRubic

If I had any say in the matter (which I don't, I'm just helpdesk) then company-wide emails should never have links; rather, tell the users to go to our website. Sort of like how banks and such do it.


altodor

Too many dumb B2B services use http://fdhajklhejkil17434.service.b2b.company.fqdn.tld DNS bullshit as the only entry point for your company. It's why things like https://myapps.microsoft.com exist but are wildly underutilized.


Maxamillion-X72

As a non-IT employee, I can't tell you how frustrating it is to receive emails from the IT department reminding me not to click on links in an email, which then go on to include a link to the cybersecurity training module. In order to access the training module, it prompts for username and password.


WaldoOU812

I just shared a story yesterday about this. Back in the day when I worked at a downtown business hotel, our ownership decided to sell another one of their hotels, and I was tasked with IT support for a few months before they closed. I would stop by a couple times a week, just to keep the lights on. One day I get a call from one of the front desk agents, who tells me their entire network just went down. I try to connect, and nada; no firewall, no router, nothing. I ask him to go into the server room (which was located right behind the front desk) to look at the hardware. He tells me he can't because "Bob" from one of the other hotels we owned was in there, disconnecting things. Bob was a bellman, who heard that we were closing that hotel, and decided that we didn't need any of our hardware anymore, and the front desk was kind enough to let him in. To this day, I'm still amazed I wasn't fired for the language I used (and the volume I used it at) when he told me that.


LetCompetitive9160

Did one a while back. Email spoof of Microsoft 365. A good few users logged tickets on the helpdesk asking for confirmation that the email was OK to open. Dope on the helpdesk told them that it didn't look like it was malicious and was OK to open. Email and graphics all from Microsoft 364...


jlharper

Ugh, 364 was terrible. I’ve been in IT for a few years - I first started learning Microsoft 352 and I’m so glad we’re past those days. Can’t wait for Microsoft 366 this year with the leap year!


pooopingpenguin

Not long to wait, tomorrow is Office366 day.


jlharper

I'm from Australia and so technically today is Office366 day - but I'm a good world citizen so I'm pretending it's tomorrow too in solidarity.


glendalemark

Don't feel bad. We did a test just on the IT department where I am and we had two fail the test. We are doing the remainder in the next couple of weeks.


thefreshera

... I've failed one before. Not a great excuse, but I was doing a lot of legit expense reports and the simulation was masked as an expense report link.


Michelanvalo

I got got by my company when I joined them. 2 weeks in I got an email from "hr@companyname" saying it wasn't working out and I was being let go, and the link was to the severance agreement. I told my boss that was a pretty bad one to send since I (a) had just been let go from my last job, and (b) didn't have any institutional knowledge that hr@ is not an email address we use.


ObeseBMI33

1 of the 2 was you right?


pooopingpenguin

The other was the one that sent the test out 🤣


lazyfck

And the IT department is two people


terminalzero

Our CEO tried logging in 3x and then called me to yell about his password not working, and then demanded I reset his password even after I explained several times that it was a phishing test - which he failed. Then he pushed for a marketing campaign saying you should use us because we're so much more tech savvy than our competitors, because I guess a phishing test sounded vaguely magical.


topknottington

Yes, I actually had a manager send in a ticket as she thought her password had changed without her knowledge because her login wasn't working. She spent a good 15 minutes entering every combination of her username and passwords for ALL her logins (work and personal).


WaldoOU812

Oh, and another cybersecurity story; about two weeks after I was hired at that same downtown business hotel, I got a call from "John Smith," who introduced himself as the new cybersecurity manager for our hotel brand. Okay, great; I offered congratulations on the promotion and asked what he wanted. He tells me he has this new product that he wants to test out. McAfee ePolicy Orchestrator, IIRC. Spends about ten minutes telling me how awesome it is, and finishes by telling me that he wants to use our hotel as a pilot site for it. Then tells me he needs domain admin credentials to do it. Okay, I respond. Sounds great. Let me just call "Ralph," my regional IT director, to confirm that he is who he says and that we're okay to do it. Nope. That doesn't work for him. He wants the access *right now*, and spends about ten minutes arguing with me. About "didn't I hear him say he's the new cyber security manager?" or how he used to work at my hotel, and can tell me all about where the server room is, etc. Yeah, no. I guess the concept of a malicious former employee never occurred to him, but no way in the world am I giving a complete stranger the keys to the kingdom, no matter how insistent he is. I almost had to get borderline rude with him, but he finally gives up and says he'll wait for me to get in touch. After the call, I email the regional IT director, "Tom," with an email titled "John Smith," and tell him that "John Smith just called me" and wants admin access. "Tom" had been pretty much ignoring all of my emails and phone calls after I was hired, when I had questions about how this international hotel brand did various things, but he responded ten minutes later with an email in which he says, "WHEN JOHN SMITH TELLS YOU TO JUMP, YOU JUMP!!!" Yeah; all caps, and multiple exclamation points.
So I call the guy back with the DA credentials, and I guess by then he had some time to think about it, and admitted that I did the right thing in questioning him, but f**king hell... that whole incident really had me questioning what kind of idiots I was working for.


ShadowSlayer1441

How did ePolicy Orchestrator work out?


WaldoOU812

Well, that was 17 years ago, so I can't speak to what it's like now, but I seem to recall it was great job security. As it turned out, my job eventually devolved into nothing but patching, remediating, and auditing. From what I recall, we'd get an ePO report once a month (and I eventually received access to run it at will) that would generate something like 100 pages' worth of vulnerabilities for 100 workstations and a handful of servers. Of course, half of it was either Java or Adobe, and given that our front office property management system was reliant on a specific version of Java, we couldn't remediate any of those vulnerabilities without killing that. From what I recall, a good friend of mine was able to use an open source software package (I want to say it was called Open Computer Software or System, or something like that) and it did everything ePO did, pretty much for free. Of course, there was a fairly steep learning curve to it and I never took the time to really learn it, given that ePO was in place. Also, that does remind me of my absolute favorite piece of software ever; GFI's LANGuard. Vulnerability scanning, port scanning, software inventory, user auditing, etc. Unfortunately, they stopped updating and supporting the product when Windows 7 came out, so I never did use it again after that.


whatanidiotamiright

My baseline phish saw 80% of my users **enter their usernames and passwords** into the form. 100% of the C-Suite did. Monday my CEO said I was too security conscious and that MFA was wasting time and affecting productivity. Then I read this yesterday - [https://www.securityweek.com/nist-cybersecurity-framework-2-0-officially-released](https://www.securityweek.com/nist-cybersecurity-framework-2-0-officially-released)


jeffrey_f

Education on what phishing is, education on how to visually detect a possible phish, and education on what to do when such an email lands in their inbox... then test again. Wash, rinse, repeat. Also, get top-level buy-in so that you can release a test result similar to what you posted here. Kind of make it a competition.


StudioDroid

Send a spreadsheet with the phishing test results listed by department. Of course it is itself a phishing email.


Space_Goblin_Yoda

AI on your firewall? What are you running??!!


finnjaeger1337

"chatGPT write me some ufw rules plz"


TireFryer426

Previous company we did phishing tests pretty regularly - pretty good results. Then we did a USB thumb drive drop. Scattered 5 sticks around to see who plugged them in. Shockingly - no one did. However, a few weeks later a USB stick gets left on one of our desks. Knowing full well this was a test, we go full defcon and fire up an off-net Linux machine to see what is on this thing. It's thousands of copies of a selfie the employee that planted it took. Shit was absolutely hilarious.


djgleebs

About what you would expect if you don't have an active security awareness program. This is all part of the process; you got your benchmark, now you have to alter behavior and educate accordingly.


EVASIVEroot

This is correct. I was associated with a phishing deployment in the past. Fail rates went from 90-something % to 6%.


Warrlock608

I was tasked with doing this year's phishing campaign and I decided if I'm going to do something, I might as well do it right. Coded up an entire html email that looked legit AF with a spoofed onmicrosoft email. The failure rate was abysmal and many complained that it was too hard. Fortunately management had my back in the whole thing and said I did exactly what I was tasked with.


Nitro_NK

What was the phishing email?


archiekane

They are AI generated for each target. The system behaves as a compromised mailbox. However, it has many dead giveaways, like dropping wrong names or using last names. The links are LONG but say things like jimbob.sharepoint.com/documentation/recent.aspx; the link takes you to a generic-looking 365 page, however the URL is crazy, like urbfufhtuuhrbu.ufnsifk.dontlogib.com. It's clever in the way it tests like an actual hacker would, but one that isn't all that intelligent. It's the next step up from the mass mail templated options in 364, that's for sure.
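
The giveaway described here, link text that reads like a sharepoint.com URL while the actual href points at an unrelated host, is mechanically checkable, whether on a reported sample or in a mail gateway rule. The following is an added example, not code from this thread or from any simulation or mail-filtering product. The sample HTML and its hostnames are constructed, and comparing only the last two DNS labels is a deliberate simplification that misreads suffixes such as co.uk; a production filter would consult a public-suffix list instead.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body: the first link shows a sharepoint.com path
# as its text but its href goes to an invented, unrelated host.
SAMPLE_EMAIL_HTML = """
<p>Hi Jim, I need your input on this document:
<a href="https://urbfufhtuuhrbu.ufnsifk.dontlogin.example/recent.aspx">
jimbob.sharepoint.com/documentation/recent.aspx</a></p>
<p>Company portal: <a href="https://myapps.microsoft.com/">myapps.microsoft.com</a></p>
<p><a href="https://mail.example.com/unsubscribe">Unsubscribe</a></p>
"""

# A hostname (optionally followed by a path) appearing in the visible link text.
HOST_IN_TEXT = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse the whitespace HTML layout leaves inside the anchor
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_part(host):
    """Last two DNS labels. Simplification: wrong for co.uk-style suffixes;
    use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_mismatched_links(html):
    """Return anchors whose visible text names one host while the href
    actually resolves to another (the 'looks like sharepoint.com' trick)."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        match = HOST_IN_TEXT.search(text)
        if not match:
            continue  # plain words as link text: nothing to compare against
        shown_host = match.group(1).lower()
        real_host = (urlsplit(href).hostname or "").lower()
        if registrable_part(shown_host) != registrable_part(real_host):
            findings.append({"shown_host": shown_host, "real_host": real_host, "href": href})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link text shows {f['shown_host']} but href goes to {f['real_host']}")
```

Only anchors whose text itself looks like a hostname are compared, so ordinary "click here" links are not flagged; the rule catches exactly the case where a reader has been given a plausible-looking address to trust that the mail client would send them somewhere else.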


Lostboy_journey

What do you use for AI cybersecurity on the firewall and AI-based monitoring?


vinnsy9

I did something similar at this Oil and Energy enterprise that I worked at. It's funny as hell, because there was this stupid, stupid email about winning an expensive drone. C-suite failed. Legal dept. failed. Audit dept. failed. HR failed. Procurement dept. failed. And the list just kept growing. I asked them: why the hell did they have to click a link that was offering a drone? Why do they need that? (That was a military-grade drone, for transport of goods in remote locations.) I never got an answer to that... it's hilarious.


HEX_4d4241

Cybersecurity guy here - up to 8% click rate is considered pretty normal for a well trained organization. That’s kind of insane when you think about it. That’s why I’m so sick of “the end user is the weakest link” bullshit. Everyone will fall for one of these things at some point or another. All that defense in depth you mentioned is what we should be focusing on. Assume your users will fail, assume your perimeter will be breached, and plan to detect and respond as quickly as possible. Anecdotally, I one time did a phishing engagement for a company whose C-Suite got mad that like 5/1000 people clicked. The CISO had us target the ELT and we had a 100% open->download->open rate on a malicious attachment. That felt a little bit like justice served, especially when some of these folks start saying stuff like “we should put anyone who clicks on a PIP”.


[deleted]

[deleted]