another regular reminder: if your organization sends out phishing email tests on the regular - document the sending domain. dump it into virustotal. click on the details tab. Look at the SSL certificate details. More than half the time, they use a wildcard SSL cert. Congratulations, you just mapped out most of their phishing infrastructure because they re-use the same wildcard SSL cert fuckin' everywhere.
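The pivot described above (look at the sending domain's certificate; a wildcard cert reused across hosts ties them together) can be scripted so the sending domains you document for a phishing-test vendor come with the certificate names and fingerprint attached. This is an added example, not code from the post or from any vendor: it uses only the Python standard library, `SAMPLE_CERT` is a constructed dict in the shape `ssl.SSLSocket.getpeercert()` returns (the domain names are placeholders, not any real infrastructure), and `fetch_cert` is the live lookup you would run against a documented domain.

```python
import hashlib
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Placeholder names only; not any vendor's real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.phishtest-vendor.example"),),),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA R3"),)),
    "subjectAltName": (
        ("DNS", "*.phishtest-vendor.example"),
        ("DNS", "phishtest-vendor.example"),
    ),
    "notAfter": "Jan 31 23:59:59 2030 GMT",
}


def dns_names(cert):
    """Every DNS name the certificate covers: subject CN plus SAN entries."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    # keep order, drop duplicates (CN is usually repeated in the SAN list)
    return list(dict.fromkeys(names))


def wildcard_names(cert):
    """The wildcard entries; these are what let one cert sit on many hosts."""
    return [n for n in dns_names(cert) if n.startswith("*.")]


def covers(cert, hostname):
    """True if the cert is valid for hostname. A wildcard matches exactly one
    label (*.a.example matches x.a.example, not y.x.a.example)."""
    host = hostname.lower()
    for name in dns_names(cert):
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]  # ".a.example"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
        elif host == name:
            return True
    return False


def fingerprint(der):
    """SHA-256 of the DER certificate; identical across every host that
    serves the same wildcard cert, so it is the value to record and pivot on."""
    return hashlib.sha256(der).hexdigest()


def fetch_cert(host, port=443, timeout=5.0):
    """Live lookup (needs network): parsed cert dict and its fingerprint."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            parsed = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    return parsed, fingerprint(der)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print("names:", dns_names(SAMPLE_CERT))
    print("wildcards:", wildcard_names(SAMPLE_CERT))
    print("covers mail host:", covers(SAMPLE_CERT, "mail.phishtest-vendor.example"))
```

Record the wildcard names and the fingerprint alongside the sending domain in your allowlist documentation; when a new sender appears, `covers()` plus a fingerprint comparison tells you whether it is the same test infrastructure or something else wearing a similar name.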
-
@da_667 Dollar store cryptography at its finest.
-
@da_667 the thing that really worries me about this stuff:
these phishing tests use weird domains, which spam systems have to pass through (otherwise your phishing test is blocked by your antiphishing system).
Now what happens if proofpoint (or whoever) forgets to renew the phishing-test-domain but also forgets to remove the phishing-test-domain from their 'always allow' list? And then some actual phishers register the domain and start using it for, I dunno, phishing?
Anyway I'll steal @Dio9sys 's line and say "Hi, I get paid to be paranoid and anxious"
-
@da_667 I opt for the outlook rule of “if it has a knowbe4 header in it, delete and skip trash”
-
@da_667 I like the "inbox rule to trash based on X-PHISHTEST header" approach too
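The inbox-rule idea in the last two replies, combined with the documented sending domains from the original post, is easy to express as a small mail classifier. This is an added example, not code from any participant or vendor: `X-PHISHTEST` is the header named in the thread, the second marker header and every domain in it are constructed placeholders, and the three sample messages are constructed inline. The "test-domain-without-marker" outcome is there for the worry raised above about an allowlisted test domain being used by someone other than the vendor: a message from a documented test domain that does not carry the marker is routed for review rather than silently trusted or silently trashed.

```python
import email

# Constructed placeholders: the sending domains you documented for the vendor.
DOCUMENTED_TEST_DOMAINS = {"phishtest-vendor.example", "mail.phishtest-vendor.example"}

# X-PHISHTEST is named in the thread; X-Phish-Simulation is an assumed placeholder.
TEST_MARKER_HEADERS = ("X-PHISHTEST", "X-Phish-Simulation")


def sender_domain(msg):
    """Domain of the envelope sender (Return-Path) if present, else From."""
    addr = msg.get("Return-Path") or msg.get("From") or ""
    addr = addr.strip().rstrip(">")
    if "<" in addr:
        addr = addr.rsplit("<", 1)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(raw):
    """Return one of four dispositions for a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    has_marker = any(h in msg for h in TEST_MARKER_HEADERS)  # case-insensitive
    on_list = sender_domain(msg) in DOCUMENTED_TEST_DOMAINS
    if has_marker and on_list:
        return "phishing-test"              # inbox rule: file or delete
    if has_marker:
        return "marker-but-unknown-domain"  # vendor added a domain; update the list
    if on_list:
        return "test-domain-without-marker" # documented domain, no marker: review
    return "other"                          # normal mail flow, normal filters


# Constructed sample messages.
TEST_MSG = """Return-Path: <bounce@mail.phishtest-vendor.example>
From: IT Helpdesk <helpdesk@mail.phishtest-vendor.example>
X-PHISHTEST: campaign-placeholder
Subject: Password expiry notice

Please verify your credentials.
"""

NO_MARKER_MSG = """Return-Path: <bounce@mail.phishtest-vendor.example>
From: IT Helpdesk <helpdesk@mail.phishtest-vendor.example>
Subject: Password expiry notice

Please verify your credentials.
"""

OTHER_MSG = """From: Alice <alice@example.org>
Subject: Lunch

Sandwiches?
"""

if __name__ == "__main__":
    for name, raw in (("test", TEST_MSG), ("no-marker", NO_MARKER_MSG), ("other", OTHER_MSG)):
        print(name, "->", classify(raw))
```

Whatever mail system hosts the rule, the two inputs are the same: the marker header the vendor sets and the list of sending domains you documented, so keeping that list current is what keeps the rule precise.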
-
@reverseics @da_667 @Dio9sys KnowBe4 publish a list of their domains, even then they seem to add more with every passing day.
-
@ligniform @reverseics @da_667 @Dio9sys the last few times i had to do phishing shits, i learned that clownshoes outfits like knowbe4 ask customers to configure direct to inbox delivery systems that bypass 100% of mta controls, rendering all their 'testing' bullshit worthless since it would never get past antispam and various other heuristic filters. real attackers have a way tougher time
-
@Viss @reverseics @da_667 @Dio9sys the Scientology stuff aside, KB4 is such a shady place. Account managers constantly trying to get you on sales calls, and yeah, just telling you to add their domains to bypass every filter instead of making realistic tests.
-
@ligniform @reverseics @da_667 @Dio9sys of course! it was Kevin Mitnick's company