Phish Stories - Contest Entries - DC 33

  • Serum
    Member
    • Jul 2019
    • 84

    #16
    ENTRANT 15 - Fl4re

    ########################## BACKSTORY SECTION - Entry 15 - Fl4re ##########################

    The Lore:
    I went with Jack Thompson solely because of his tweet about restoring the Scrabble board. I had a few ideas using something related to that, but eventually went the route of a student after seeing how much he supported his school. Rebecca Sinclair was a tempting choice, as she seems very stubborn and ignored problems, and could make an easy click if something potentially damaging might surface to the news if she didn't act. But alas, foolishness won and I went with Jack.
    The email would be from a Blayne student email, as there's a high chance of either reused passwords or getting them to click on a link which ends up giving account access. And with Jack's mentorship program, he's already used to students reaching out, so this doesn't seem out of the blue. There's not a whole lot that's needed in this email, as there's usually a bit of back and forth to get all the questions answered.
    For this case, I'm assuming the company uses Microsoft products and emails. The link would direct Jack to a Microsoft form look-alike that would let him know he needs to sign in again to fill out the form. A device matching his user-agent would sign in at the same time, and if MFA was enabled it would prompt him, and take him to the form. Access would be gained to his account, and he would be too occupied filling out the form to notice anything off.
    As a bonus, Frank Harrison would be receiving a few upset emails from Dennis H., who was discovering that his bedbug problem had become much more severe a month after Frank was supposed to take care of it. Dennis' mother came to visit and had to be hospitalized due to bedbug bites, and now they're getting the hospital bills and want to sue Frank for damages. (Who knows if any of that is legal, but Frank's not a lawyer and is real worried about all this.) That keeps him occupied if any alerts go off about this new login by an employee.

    ########################## PHISHING E-MAIL SECTION - Entry 15 - Fl4re ##########################

    To: jack.thompson@email[.]com
    From: jmiller01@blayne[.]edu
    Subject: CS Alumni Project

    Hello Mr. Thompson,
    I hope you're doing well. I'm a freshman in computer science at Blayne State, and taking a summer course, Intro to Computing. One of our major projects is to communicate with an alumnus and learn a bit about them. I thought your work designing and reinventing the games at DoubleThree was really cool, and I was hoping you'd be willing to email me a bit this summer.
    As a little bit about me, I'm from Marquette, and enjoy hiking and sailing. I also like collecting old technology, especially PalmPilots. I chose Blayne State for its strong CS program, and to experience life in a bigger city. I'm really enjoying it so far, and it's nice to be closer to my family in Indiana.
    What were some of your favorite things at Blayne? Is there any advice you would give for someone starting out? What started your interest in games, and what led you to your job today? What's your favorite project you've worked on so far?
    There's a form at the bottom from my professor, if you could fill that out, that's how we get credit for this assignment. <Malicious Link>

    Thanks for your time,
    Jake Miller
    jmiller01@blayne[.]edu
    (906)-127-2600


    • Serum
      Member
      • Jul 2019
      • 84

      #17
      ENTRANT 16 - zerouncool

      ########################## BACKSTORY SECTION - Entry 16 - zerouncool ##########################

      I figure everyone was going to pick the Bug Bytes guy because he’s such an easy mark. I went for Jack Thompson because I figure he’s probably lonely being an older gent and he has an obscure hobby in urban beekeeping that he would love talking about with a stranger because no one in his personal life or even random strangers he meets in Vegas would be into it.

      I thought about what kind of cold call email would be most disarming and I took the role of a 9 yo girl. That also gives me leeway for the phishing site to trigger weird errors (which are actually malware) because it’s coded by a kid.

      Being a kid it lets me use a Gmail account and not raise any suspicion as compared to pretending to be someone official from a beekeeping organization. I’ll create an email BeeKool16ABQ@gmail which sounds like something a 9 yo girl born in 2016 who lives in Albuquerque might use. I picked that city because it’s similar in climate to Vegas, where Jack has experience, but far enough away that he won’t request a meeting with the school.

      I thought about why a little girl might email him, how she might have found his contact info, what she might ask of him that he would reasonably respond to, and what the nature of the phishing site would be. I assume his email is on his Twitter profile.

      I came up with a girl who is trying to get an urban beekeeping program going at her school. She’s secured funding. She’s created a website with AI generated images of beekeeping images and plans for a school-based beehive. The site will be full of every type of malware possible. She needs Jack to be a virtual mentor/sponsor of this program. This could work because Jack has shown a propensity to mentoring students and he will probably have a lot of free time in retirement.

      In addition to routine malware, there’ll be a fake Google sheets link in a web frame that is for him to fill out some contact info for the school to reach out to him. It will have a fake Google login popup, since almost everyone has a Google account. The login will fail on the first attempt since I can’t know if he put in his correct password, and then will “pass” on the second attempt. Assuming both passwords I harvest are the same, now I have his Google password. On the form I’ll ask for his phone number, so now I know what he likely uses for 2FA since most people don’t properly compartmentalize their lives. I can later vish him pretending to be a school admin and tell him to validate his account I’ll send him a 2FA code to his phone through the Google Account he logged in with. Meanwhile I’ll have his account queued up to login with his phished creds and now have the 2FA.

      I purposely made the email a little long for what a 9 yo might write, so that Jack would be more invested by the time he got to the end. It’s the foot in the door technique, you got him to commit to read this longish email, now he’s more likely to click the link, he’s more invested in the story. I included bait for him to respond to, like the lights in Vegas "scaring the bees" because they are impacted and this gives Jack an opportunity to respond with details to teach young Kayla.

      ########################## PHISHING E-MAIL SECTION - Entry 16 - zerouncool ##########################

      Hi Mister Jack,

      My name is Kaylee I am 9 years old I go to emerson elementary school in albuqurqee. New mexico not to be confused with old mexico but I don’t have anything against mexicans most of my class is from there and I am trying to start a cool bee program at my school!!

      My favorite beekeeper is Miss Elisha from florida she has over one million subscribers and one day I am going to be famous like her but its not about fame and fortune its about how important bees are to life on the planet!

      I found you from twitter and you seem like a really smart guy and I never got back an email from Miss Elisha but you seem like you have more time since you only have a few subsbscrubers. Also my science teacher Mister Gorshand said to find someone who keeps bees in the dessert because its a hard thing to do with the heat you would be able to help. I have never been to Los Vegas but its real hot I saw a cartoon about it and theres lots of pretty lights but I wonder if that scares the bees!

      I made a website! Its really kool and shows different bee hives I found and ideas I drew to build a hive at my school and the school nurse ordered a dozen eppipenis in case anyone gets stung but I dont think bees are mean like alot of people think if you treat them right

      I hope you are not too busy of a bee to look at my site and I really really really hope you would help us it doesnt cost you anything the school principal says we need an adult who knows about beekeeping and you dont have to come here or nothing like that just help out with ideas but you do have to fill something out for Mister Moss because your a stranger but its no big deal and I figured out to put it on my site to make it easy oh and also he got 500 dollars to build the hive so its going to be the biggest bee hive you have ever seen!

      But I have been trying all summer to get a bee expert to look at the hive plans and Mister Moss said if I dont get someone next week he will spend the money on the football team who already get everything they want as if the stupid boys need 500 whole dollars to throw a stupid ball around while our planet is dying

      I hope we can be buzz buddies here is my website my mom helped me get it and I did the design all myself that shows how the hive will look buzzbuddies.net

      Sincerely

      Kaylee Williams


      • Serum
        Member
        • Jul 2019
        • 84

        #18
        ENTRANT 17 - lonervamp

        ########################## BACKSTORY SECTION - Entry 17 - lonervamp ##########################

        Goal: We want access to DoubleTree's systems to steal data, destroy on-site data, and hold it for ransom. Or, if we aren't being detected, stay resident and gain PII about Defcon attendees registered with DoubleTree.

        Target: Jack Thompson. Jack seems like an old school geek and with his long tenure at the casino, almost certainly has server admin rights. He probably isn't entirely sure about the new cybersecurity solution, Frank, either.

        Tactic: Acting as a Defcon security partner, CrowdStrike, we'll convince Jack to install some malware of our choosing on his servers which will cede control to us through backchannel C2. Even if that is blocked, it should also have a backup method to allow us access if we're local on his network, such as in attendance at the con.

        We're going to use DeepFaceLive. This tool will run locally to do real-time face swapping. We'll use this with OBS to simulate webcam output on a Zoom call. This tool can be seeded with an mp4 of facial data, which we can get off YouTube or FaceBook or elsewhere.

        We'll deepfake several people to make the call look more official. Jack will hopefully think he's temporarily joining a standing CrowdStrike/Defcon security planning meeting. We'll find some CrowdStrike folks who have public talks available that we can scrape and deepfake, and maybe some Defcon speakers as well that we'll pass off as volunteer staff.

        We'll also deepfake Frank Harrison. We'll not rely on his avatar much, he's a busy (and strange) man. He'll just be present and nod affirmations now and then for any question Jack may have.

        The script we'll attempt to follow is to convince Jack that we're super busy trying to get plans set up for DoubleTree hosting thousands of hackers. To help secure his systems while the most dangerous network on earth is on his campus, we'll try to get him to install some software of ours under the assumption that it is security software custom for Defcon that will protect his systems from being targets of attack, and after the con can then be removed.

        If Jack gets suspicious, we'll try to curry favor by mentioning we've visited and given a talk at his alma mater Blayne University, and that we're looking forward to collaborating in person on some ideas for other retro games to bring to the casino, such as Clue, Trouble, and Sorry. We'll have ChatGPT nearby in case he asks probing questions about either topic, but we can study up on those games beforehand, too. We'll also make sure he's aware we're very busy and doing 12 things at once while typing away in the background feverishly. Time is money, and we're already behind getting this all set up! We can't wait to get on site and hang out once all this madness is over!

        To get Jack on the call, we're going to send him a phish email. None of this should be malicious up front, but getting him to click on it to sign into the always-on meeting should be enough to show he's buying it.

        We'll purchase defcon33crowdstrike[.]org, which looks like it's available still. We'll set up a redirect to defcon[.]org in case someone visits it, otherwise it just has MX records so we can send an email from it that will get accepted.

        ########################## PHISHING E-MAIL SECTION - Entry 17 - lonervamp ##########################

        Subject: Coordination Request: CrowdStrike Security Call for Upcoming DEF CON Event

        To: Jack Thompson
        CC: ColMustard@defcon33crowdstrike[.]com, [CrowdStrike NOC Logistics], [Your Assistant or Event Coordinator]
        From: CrowdStrike VP Strategic Threat Partnerships
        Email: ProfPlum@defcon33crowdstrike[.]org

        Hi Jack,

        I hope you’re doing well. I’m reaching out on behalf of CrowdStrike, in partnership with DEF CON and BugByte, to coordinate proactive security measures for your environment during this year’s event.

        As you know, DEF CON draws thousands of technically advanced attendees, and while the event celebrates innovation and ethical hacking, it also introduces a unique set of operational risks—especially for on-prem infrastructure.

        To support a safe and secure environment, CrowdStrike is deploying endpoint protection software at critical locations across the venue. This includes select hotel-managed systems that may interface directly or indirectly with attendee-accessible networks.

        To that end, I’d like to invite you to a Zoom video planning call between yourself and my Chief Security Maven, ColMustard, who leads the design and protection of DEF CON’s internal and guest-facing network architecture. He is a chief architect at CrowdStrike, the official security partner of DEF CON. We also have Frank Harrison engaged from BugByte Exterminators.

        On the call, we’ll go over:

        Where the CrowdStrike Falcon sensor will be installed and what it monitors

        The non-invasive nature of the deployment (no performance impact, no outbound disruption)

        Our incident response readiness during the conference window

        Any policies or change controls we should be aware of on your side

        This isn't about us taking over—this is about collaborative risk reduction, so both your operations and our event run safely.

        The Zoom video call is an always-on meeting with our security and planning teams, so connect any time, as soon as possible. We need to get this squared away before volunteers and other staff are on-site.

        <LINK TO ZOOM CALL>

        Thanks again for hosting us—we’re looking forward to another successful year.

        Best regards,
        ProfPlum
        Vice President, Strategic Threat Partnerships
        CrowdStrike
        ProfPlum@defcon33crowdstrike[.]org

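Entry 17 hinges on a freshly registered lookalike domain that borrows two brand names and only needs working MX records to get mail accepted. The mail-gateway check below is an added example for the defending side and is not part of any contest entry or of the forum's own tooling: it parses the From, Reply-To and Cc headers, flags any sender domain that contains a protected brand name while its registrable domain is not one the brand actually sends from, and separately flags a From display name that claims a brand the address does not belong to. The `OFFICIAL_DOMAINS` allowlist, the sample messages and the two-label "registrable domain" shortcut are all constructed assumptions for the example; a production filter would load the allowlist from policy and use a public-suffix list.

```python
"""Flag inbound mail whose sender domains borrow a brand name they do not own.

Added example, not code from the contest thread. Every domain, address and
message below is constructed for illustration; OFFICIAL_DOMAINS is an assumed
allowlist, not a statement about which domains those organisations really use.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed allowlist: registrable domains a protected brand is known to send from.
OFFICIAL_DOMAINS = {
    "crowdstrike": {"crowdstrike.com"},
    "defcon": {"defcon.org"},
}

HEADERS_TO_CHECK = ("From", "Reply-To", "Cc")


def normalize_domain(address: str) -> str:
    """Lowercase domain part of an address; also undoes '[.]' defanging."""
    domain = address.rsplit("@", 1)[-1] if "@" in address else address
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def registrable_domain(domain: str) -> str:
    """Naive eTLD+1 (last two labels). Real code should consult a public-suffix list."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def borrowed_brands(domain: str) -> list[str]:
    """Brands whose name appears in the domain although the domain is not theirs."""
    reg = registrable_domain(domain)
    return [brand for brand, official in OFFICIAL_DOMAINS.items()
            if brand in domain and reg not in official]


def scan_message(raw: str) -> list[dict]:
    """Return one finding per (header, address, brand) impersonation signal."""
    msg = message_from_string(raw)
    findings = []
    for header in HEADERS_TO_CHECK:
        for name, addr in getaddresses(msg.get_all(header, [])):
            if not addr:
                continue
            domain = normalize_domain(addr)
            for brand in borrowed_brands(domain):
                findings.append({"header": header, "address": addr, "brand": brand,
                                 "reason": "brand name in unrelated domain"})
            # Display name claims a brand but the address is not on that brand's domain.
            if header == "From":
                for brand, official in OFFICIAL_DOMAINS.items():
                    if re.search(brand, name, re.I) and registrable_domain(domain) not in official:
                        findings.append({"header": header, "address": addr, "brand": brand,
                                         "reason": "display name claims brand"})
    return findings


# Constructed sample modelled on the entry's headers (plain dots; not a real sender).
SAMPLE_PHISH = """\
From: CrowdStrike VP Strategic Threat Partnerships <ProfPlum@defcon33crowdstrike.org>
To: Jack Thompson <jack.thompson@example.com>
Cc: ColMustard@defcon33crowdstrike.org
Reply-To: ProfPlum@defcon33crowdstrike.org
Subject: Coordination Request: CrowdStrike Security Call

Hi Jack,
"""

# Constructed benign sample: brand name present, but on the brand's own domain.
SAMPLE_LEGIT = """\
From: Falcon Alerts <noreply@crowdstrike.com>
To: Jack Thompson <jack.thompson@example.com>
Subject: Weekly sensor summary

All sensors reporting.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        for f in scan_message(raw):
            print(f"[{label}] {f['header']}: {f['address']} -> {f['brand']} ({f['reason']})")
```

The check is deliberately header-only so it can run at the gateway before any link is fetched; the same findings are a natural enrichment for a SIEM rule that correlates a flagged sender with a subsequent sign-in from a new device, which is the chain both entry 15 and entry 17 rely on.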
