
Ichthyology: Phishing as a Science

36,604 views

Black Hat

A day ago

In this talk we'll cover the psychology of phishing, then walk through a series of real-world attacks conducted against a Bay Area tech company - including conversion rates for each attack, and ways in which existing protections were bypassed. We'll cover recent technological advancements in this area, then combine these with our case studies to provide evidence-based techniques on how to prevent, not just mitigate, credential phishing.
By Karla Burnett
Full Abstract & Presentation Materials:
www.blackhat.c...

Comments: 54

@felisalpha1534 3 years ago
Anyone who tries to raise phishing awareness in the public or at work should have this broadcast at least once annually. It's really beyond all the techniques the phishing awareness campaign teaches us.

@TheNullBox 7 years ago
Great talk! You can't blame users. The web's trust model for authenticity needs fixing.

@moth.monster 5 years ago
Well, sometimes you can.

@StackCanary 6 years ago
This was well-presented and very informative, thanks Karla!

@kemoknows6035 5 years ago
Well presented. Thank you, Karla.

@Imtotallydiggingthis 6 years ago
This 0day called "human being" for sure is a nasty one. Great talk!

@maxcarlyle7137 5 years ago
No patching it either :P

@TimLF 7 years ago
If only everyone would just ban all non-DKIM mail, that would help. Thanks for the excellent talk.

@thomasbayer1843 7 years ago
Nice presentation, Karla. The only point that I might've missed is how many employees are at your company (i.e. sample size)?

@karlaburnett3250 7 years ago
During the first campaign, around 200 people; these days closer to 800.
@samp8753 6 years ago
Great talk, wish they included the questions though!

@obasaar68 7 years ago
So informative! Thank you for all of the insight and hard work that you put into this talk to make my life on the internet more secure!

@CU.SpaceCowboy 3 years ago
Really good speaker and informative.

@rogerwilco2 7 years ago
Interesting topic and very well presented.

@awyee 7 years ago
Excellent talk, nicely done.

@tom7 7 years ago
Good talk! :)

@marcelc2820 6 years ago
She's great.

@0xIslamTaha 6 years ago
Perfect!

@asylum_tv 5 years ago
How do I get into this field?

@InfiltrateIndustries 4 years ago
Don't cut her questions, wth!?

@darerun1051 3 years ago
Unfortunately most of the talks I've seen from Black Hat have the Q&A sections cut...

@Impedancenetwork 5 years ago
Does anyone know the presenter's name?

@Impedancenetwork 5 years ago
Her name is: Karla Burnett
@cadeathtv 6 years ago
Post from the Heart ^_^

@sent4dc 7 years ago
Ahhh... so what company does she work for? :)

@filda2005 6 years ago
For more phishing research, right? XDXD

@ir4640 5 years ago
Does anybody have any info on how to actually do this?

@amandamate9117 7 years ago
I am in love with this girl :o

@mikechaves2868 7 years ago
busty-ka tumblr com great presentation, and accent haha

@auzzierocks 7 years ago
Mike Chaves, her accent is confusing to me; she's Australian but cuts in and out of an American accent. I'm Australian also.

@amandamate9117 7 years ago
She is the ideal "boyish" girlfriend.

@chrisstott3508 7 years ago
Pretty sure she's done some voice training. And I gotta say, it has paid off in spades; the clarity and lack of distraction in the delivery would have made any public speaker proud. (Not denigrating the content, which was also an excellent composition.)

@Tularis 7 years ago
Her accent is a cross between British English and American English...

@awyee 7 years ago
It's Australian.

@nic4850 6 years ago
I have over 10000 emails... not one fake...

@jimmy000 7 years ago
Interesting, but I don't like how they always skew results to give a wow factor when they have a terrible demographic for the "science", especially if it was executed in her own workplace with people she personally knew. If it is companies/engineers they are targeting, try getting permission from multiple different companies to run a phishing simulation. There are plenty of ways to do this sort of test. IMO this is just bad science.
@karlaburnett3250 7 years ago
I ran the campaigns using only information that could be found publicly (e.g. scraped email addresses, security policy and services we've talked about externally), but Jimmy is right that I have a lot more insight into the psychology of the company than an outsider would. You would of course expect conversion rates to be lower for someone external, but with rates so high for an internal actor, I don't think they'd be zero for an external one. Jimmy's also correct that I'm not doing real science; I'm using the term colloquially. The sample sizes are far too small to be anything but indicative. If you'd like hard science, Lorrie Cranor has some great research on user security, but it focuses on less targeted and sophisticated phishing attacks than my work did.

@TremereTT 7 years ago
+Karla Burnett I don't know what to say. You are a really, really nice, smart, skilled, humorous person. I thought that right after the video. And then you showed such a constructive and friendly attitude in this comment. You are really great. You said we are all just human. I hope it's ok that many of us think you are great not only in your professional fields but also as a person. Well, I didn't write it, but you know what I would have wanted to write so badly.

@imwithcheese 7 years ago
Strip user rights and only allow admins to use their admin account for administrative activities. Privilege of least blah blah. Tons of ways to mitigate post-phish.

@CrazyDanishHacker 7 years ago
What if the admins get phished? :-D

@imwithcheese 7 years ago
If they are using two separate accounts, one with admin rights for only when they need to use it and one with regular user rights for email, internet browsing, etc., they should not lose their administrative credentials due to any sort of phishing. How would the admin credentials be phished at that point? They should only be putting those credentials into 100% verified and valid portals or forms. I'm guessing I didn't clarify what I meant enough in the original post.

@TremereTT 7 years ago
+dragon1000204395 "Real men run as root." Reminds me of this safe email client built into bash. It protects root from opening infected mails: "ReadMail -RealFast", or in short "rm -rf".

@gg-gg-gg-gg 5 years ago
wow gril

@joeblack9183 6 years ago
I HATE STRIPE!!! Stupidest payment company EVER! Don't even have phone support! Smh

@awalvie1060 5 years ago
Marry Me

@o0julek0o 7 years ago
These are the *attractive* women.

@moth.monster 5 years ago
It's an asset if you're a hacker. Some guys see the pretty lady and ignore that she's actually doing something she shouldn't. Damn hormones.

@maxcarlyle7137 5 years ago
God, I want me a hacker girlfriend to bounce ideas off and who doesn't complain she doesn't understand half of what I'm saying, as opposed to the "geniuses" I've been involved with so far, whose combined IQ I'm pretty sure legit does not exceed low triple digits... Being a jock/nerd hybrid does have its drawbacks for sure.