How we phished a 20 billion Euro company out of 79% of their passwords

960 reads

31337 pseudo-evol master plan. GG, EZ

Disclaimer:

We were asked to do this, encrypted (and salted) the sensitive data, never saw, had or stored any non-encrypted sensitive data, and we had some inside help. We loudly applaud this initiative from this company, security, like punctuation and proper grammar, matters.

A leading player in its industry, with a turn-over of an impressive 20 billion Euro annually, asked us to do something special for their IT operations management/InfoSec meetup in Hannover, Germany.

Information security, sometimes shortened to InfoSec, is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.

Phishing them out of their usernames and passwords, many jaws dropped.

On stage, we revealed having successfully swindled most attendees out of their usernames and passwords, resulting in big eyes and much gasping.

Me, bringing the good news to the collective worldwide IT management (pic: Rudolf van der Ven)

Here’s how we did it in four easy steps (a fairly common way):

1. We registered a domain name that could easily pass as one of their own

to send emails from

and to host the fake website that would grab their credentials

Took us, say, 7 minutes and cost ten bucks.

We set up a VPS in Germany (to host the website), as to prevent the firewalls and protocols from being triggered. Clever girl.

2. We built a one-pager that looked like their login page

Anonymized version of the login screen, which of course had branding and bells

This is where the inside info helped — we received a screenshot of what a default login page looks like, and we basically rebuilt it as close as we could, and put it on the fake domain name.

An hour, maybe two, of work. No biggy.

3. We sent them an email, containing two links to the fake website

Our insider gave us a list of targets. (The way this usually works is with social engineering or somebody using CC instead of BCC.)

We sent them a mail, ‘reminding them of a survey they were asked to fill out’, linking to our fake login screen, twice, using default link blue that you just need to click already.

The email had no imagery, nothing fancy, just the text and two links.

CLICK ALL THE THINGS <o/

4. We grabbed the usernames and passwords from the comfort of our bath tubs

Each time someone tried to log in, our script grabbed the username and password, and displayed a ‘default’ error page.

Funny bit: the error clearly states that they were phished (as to not cause any panic), but nobody rang any bells. Who reads errors, anyway.

Some more disclaiming: we (salted) hashed the passwords before storing them, so we never got or saw any of the real credentials, and it’s virtually impossible to decrypt the salted hashes. Remember: it cost us more effort to encrypt them than to just store them plaintext.

Anonymized representation of the information we grabbed.

The result: 79% of their passwords in 72 hours.

The slide from the picture above

That’s a whopping 79% success rate,

with a few people, and frankly, little effort.

So be careful, it’s very easy to get swindled out of your credentials, and real attackers with bad intentions can wreak all kinds of havoc:

Industrial espionage, security leaks, huge malware-attacks, ransom demands, just a few examples that cost companies billions and billions of Euros, Dollars or Dogecoin every year.

How can I help?

Shoot me a mail.

Tags