GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE
  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

Conversation

Notices

  1. Embed this notice
    Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:49:01 JST Viss Viss

    https://www.theregister.com/security/2026/06/22/canadian-health-board-sorry-after-tasteless-phishing-test/5259320

    let me tell you a story about the very first time i did an in-house phishing campaign for twitter, after they hired me in 2011

    In conversation about 20 days ago from mastodon.social permalink

    Attachments


    • Embed this notice
      Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:48:59 JST Viss Viss
      in reply to

      so i get pulled into a meeting room the next day. theres my boss, and someone else.

      the someone else was twitters head of legal.

      they were like "so walk us through your phishing campaign from yesterday"

      In conversation about 20 days ago permalink
    • Embed this notice
      Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:48:59 JST Viss Viss
      in reply to

      i start explaining "so my thinking was that people would just gush over this thing, and that they would click, hit the credential stealer, and if they decoded the QR code it would say "you win, go see viss in security. a bunch of people decoded it and i gave them props, but since the restaurant uses super fancypants gift cards, theres no way a qr code could work so it was supposed to be safe"

      so they nod

      In conversation about 20 days ago permalink
    • Embed this notice
      Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:48:59 JST Viss Viss
      in reply to

      then the lawyer starts:

      "right, so what happened was one of the new hires was so enamored by this offer, that they went and sorta caused a ruckus at the restaurant, to such a degree that leadership there got involved, and by the time those people got read in, the only thing they heard was 'twitter is giving fake coupons to their staff', and when youre leadership and you hear that, the first person you call is legal"

      ".. ah."

      In conversation about 20 days ago permalink
    • Embed this notice
      Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:48:59 JST Viss Viss
      in reply to

      so i say "i see. i was not expecting someone to run that far out of bounds and into the weeds like that"

      to which legal says "yeah neither were we. youre not in trouble, but lets set some new rules."

      "yes. thats a good idea" i say.

      legal goes away, my boss remains, and he basically says "okay from now on, lets not involve any other companies or businesses or whatever in the campaigns. we would prefer to avoid the liability".

      "got it. ok. i know what i can do."

      In conversation about 20 days ago permalink
    • Embed this notice
      Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:48:59 JST Viss Viss
      in reply to

      the next three campaigns i thought up were:

      - 30 days: click here to maintain vpn access, if you dont, you wont be able to work remotely

      - 60 days: click here to get verified (this was a trick, no staff were permitted to be verified)

      - 90 days: we're switching health insurance providers, click here to put a signauture on the dumb bureaucracy. if you dont, you might lose coverage

      can you guess which one had 100% click rate?

      also, after that, zero problems like before.

      In conversation about 20 days ago permalink
      Steve's Place repeated this.
    • Embed this notice
      Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:48:59 JST Viss Viss
      in reply to

      so that, internet friends

      is why you never ever FUCKING EVER involve an outside company or outside party in an internal phishing campaign.

      people will do weird shit you dont expect and stuff will go off the rails.

      you need to MANUALLY ENGINEER YOUR BLAST RADIUS. yourself. by hand. dont fuckin trust some outside platform/vendor to do it for you.

      i also did a talk on this program, but the link may have died https://archive.org/details/building-antibodies-the-phishing-program-at-twitter-44con

      In conversation about 20 days ago permalink
    • Embed this notice
      Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:49:00 JST Viss Viss
      in reply to

      so i spent a couple weeks noodling on it. That time was my onboarding.

      see, at the time, twitter would fly noobs up to the office in sf for 2 weeks of onsite trainng. part of that, amusingly, was me doing a presentation to the noobs about "welcome to twitter, you now have a target painted on your back, people will try and phish you to either get shells or to get access or to get intel etc. you have to be careful now. just by working here, your risk goes up"

      In conversation about 20 days ago permalink
    • Embed this notice
      Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:49:00 JST Viss Viss
      in reply to

      and twitter at the time was squirting money all over the place. staff got all sorts of perks.

      so i figured - hey, all these 20somethings fresh out of college are going back home after work and gushing to their friends about how much cool shit they just got from their cool new job - thats 100% a vector, i should take advantage of that.

      In conversation about 20 days ago permalink
    • Embed this notice
      Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:49:00 JST Viss Viss
      in reply to

      so i looked around town for a nice restaurant that had a good selection of stuff, and was on the low end of the 'pricey' side of things, and dreamed up a phishing lure:

      a QR code for a 20% off coupon at a nice steakhouse in sf that was popular at the time. the place didnt actually use QR codes as their gift cards. they were super fancy, magstripe cards handed out in little envelopes so guests could feel special. I figured a jpeg of a qr code emailed to people would be a dead giveaway

      In conversation about 20 days ago permalink
    • Embed this notice
      Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:49:00 JST Viss Viss
      in reply to

      fuckin nope.

      one person didnt take the time to click at all, bypassing the entire phishing campaign, they printed out the ticket and walked it to the steakhouse. they presented the qr code to the greeter at the front desk, who went 'uhhh... this isnt real. our gift cards are ... not that.'

      this guy insisted. he pushed. so the front desk person went to talk to the manager. the manager ... was not happy.

      "where did you get this? why do you think its real?"

      In conversation about 20 days ago permalink
    • Embed this notice
      Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:49:00 JST Viss Viss
      in reply to

      "well, my work gave it to me. i just got hired at twitter and this was one of their onboarding perks"

      so what happened next is super super fucking american. super WEALTHY american, specifically.

      there was no discussion, there was no phonecall, there was no, like, line of questioning

      the steakhouse straight up called their legal team, and had their legal team get in touch with twitters general council

      In conversation about 20 days ago permalink
    • Embed this notice
      Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:49:01 JST Viss Viss
      in reply to

      my job was to bring all the redteam creativity i'd been fostering before taking the job into reorganizing the internal twitter security aparatus. One thing of concern at the time (because this was the hot thing in 2011) was internal phishing training.

      meaning: running soft, but live-fire phishing campaigns against the staff to measure how they did. *MY* intention was to improve things, but "the market" later ended up just calling this an insurance/compliance checkbox

      my program was different

      In conversation about 20 days ago permalink
    • Embed this notice
      Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:49:01 JST Viss Viss
      in reply to

      my entire angle here was simply:

      "if we're not phshing people with what they NORMALLY get hit by, we're doing them a disservice and training them to freak out on false positives, or whatever bogus nonsense got dreamed up by someone who doesnt actually deal with phishing IR all day. we need to be as close to real attackers as possible"

      In conversation about 20 days ago permalink

Feeds

  • Activity Streams
  • RSS 2.0
  • Atom
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.