Data URI Phishing with King Phisher
One of the newest techniques being blogged about in the security world is phishing through the data URI. Thanks to a viral Twitter post, many sites like Wordfence have published specific advisories to warn users about this type of attack. What makes this technique so effective is the ability to create a convincing address in the address bar. ...
Customizing King Phisher Using Plugins
With the ability to write your own plugins for King Phisher, the possibilities for what you want King Phisher to do are now in your hands. In the newer release of King Phisher, the development team has incorporated the ability to add your own plugins, allowing you to customize what the phishing tool does. For example, we've started a plugin ...
Target Locked: Game Accounts
Millions of people play video games in some way, shape, or form, from Call of Duty to World of Warcraft to Candy Crush, on multiple devices. As with anything popular, games are drawing the attention of those who want to exploit the unaware. As technology has grown, so has cybercrime, and gaming is no safe zone. Even as leading companies in gaming are working to increase ...
CTF Example – Coding
You sit there in front of your desk after getting hired into a security position, and quickly realize that it is no point-and-click job. Security teams on both sides of the house leverage the power of programming to automate tasks. This can be anything from alerting on specific keywords in logs, to making a quick script to gather information for the environment you just caught a ...
CTF Example – Wireless Security
Each of RSM's previous Capture the Flag events has included a challenge in which participants were tasked with tracking down a specific wireless access point. There are many examples of the practical applications of being able to accomplish such a task. These include manually verifying potential rogue access points and signal triangulation (which is an entire science in and of ...
CTF Example – Cryptography
Our Cryptography challenges have historically been paper-and-pencil options, requiring less raw technical skill to complete. The category is meant to be a more approachable option for participants who favor puzzles instead of hacking or coding. The example I'll walk you through in this post is no exception. The 300 point challenge from our 2016 CTF event required the ...
CTF Example – Forensics
You might not realize it, but your files say a lot about your identity. Whenever you take a picture on a digital camera or cell phone, essential information called metadata is written into the image file. This data can include things like the model of camera, whether or not the flash fired, date, time, and even GPS coordinates. EXIF data is a specific subset of metadata ...
Let’s Build an Arcade Cabinet: Episode V
The project is finally complete. It's been roughly nine months since we got started, but we finally have a working cabinet in the office. This final post in the series will cover the following items: final painting, routing, internal hardware, the Hyperspin front-end, and custom artwork. Believe it or not, there were no significant changes to the design this time! And that was ...
Building a Convincing USB Drop
One of my favorite attack vectors is the USB drop. At RSM, our two go-to drops are the Rubber Ducky and backdoored executable files on a normal USB flash drive. We will typically load a Ducky with an Empire script which executes a PowerShell one-liner when plugged into a victim machine. The executable-loaded drives require the victim to mount and open the USB drive and then ...
Gotta Vish ‘Em All: Managing a Large Vishing Engagement
I was recently tasked with managing a rather large vishing campaign targeting a major financial institution. Normally when we get these kinds of campaigns, we're tasked with making ten to fifty phone calls (whether or not someone answers) and reporting the results. This campaign differed in that we had to talk to 100 individuals. Now it doesn't sound so bad, right? In reality, our ...