let me tell you a story about the very first time i did an in-house phishing campaign for twitter, after they hired me in 2011
Conversation
Notices
-
Embed this notice
Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:49:01 JST
Viss
-
Embed this notice
Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:48:59 JST
Viss
so i get pulled into a meeting room the next day. theres my boss, and someone else.
the someone else was twitters head of legal.
they were like "so walk us through your phishing campaign from yesterday"
-
Embed this notice
Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:48:59 JST
Viss
i start explaining "so my thinking was that people would just gush over this thing, and that they would click, hit the credential stealer, and if they decoded the QR code it would say "you win, go see viss in security. a bunch of people decoded it and i gave them props, but since the restaurant uses super fancypants gift cards, theres no way a qr code could work so it was supposed to be safe"
so they nod
-
Embed this notice
Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:48:59 JST
Viss
then the lawyer starts:
"right, so what happened was one of the new hires was so enamored by this offer, that they went and sorta caused a ruckus at the restaurant, to such a degree that leadership there got involved, and by the time those people got read in, the only thing they heard was 'twitter is giving fake coupons to their staff', and when youre leadership and you hear that, the first person you call is legal"
".. ah."
-
Embed this notice
Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:48:59 JST
Viss
so i say "i see. i was not expecting someone to run that far out of bounds and into the weeds like that"
to which legal says "yeah neither were we. youre not in trouble, but lets set some new rules."
"yes. thats a good idea" i say.
legal goes away, my boss remains, and he basically says "okay from now on, lets not involve any other companies or businesses or whatever in the campaigns. we would prefer to avoid the liability".
"got it. ok. i know what i can do."
-
Embed this notice
Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:48:59 JST
Viss
the next three campaigns i thought up were:
- 30 days: click here to maintain vpn access, if you dont, you wont be able to work remotely
- 60 days: click here to get verified (this was a trick, no staff were permitted to be verified)
- 90 days: we're switching health insurance providers, click here to put a signauture on the dumb bureaucracy. if you dont, you might lose coverage
can you guess which one had 100% click rate?
also, after that, zero problems like before.
Steve's Place repeated this. -
Embed this notice
Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:48:59 JST
Viss
so that, internet friends
is why you never ever FUCKING EVER involve an outside company or outside party in an internal phishing campaign.
people will do weird shit you dont expect and stuff will go off the rails.
you need to MANUALLY ENGINEER YOUR BLAST RADIUS. yourself. by hand. dont fuckin trust some outside platform/vendor to do it for you.
i also did a talk on this program, but the link may have died https://archive.org/details/building-antibodies-the-phishing-program-at-twitter-44con
-
Embed this notice
Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:49:00 JST
Viss
so i spent a couple weeks noodling on it. That time was my onboarding.
see, at the time, twitter would fly noobs up to the office in sf for 2 weeks of onsite trainng. part of that, amusingly, was me doing a presentation to the noobs about "welcome to twitter, you now have a target painted on your back, people will try and phish you to either get shells or to get access or to get intel etc. you have to be careful now. just by working here, your risk goes up"
-
Embed this notice
Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:49:00 JST
Viss
and twitter at the time was squirting money all over the place. staff got all sorts of perks.
so i figured - hey, all these 20somethings fresh out of college are going back home after work and gushing to their friends about how much cool shit they just got from their cool new job - thats 100% a vector, i should take advantage of that.
-
Embed this notice
Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:49:00 JST
Viss
so i looked around town for a nice restaurant that had a good selection of stuff, and was on the low end of the 'pricey' side of things, and dreamed up a phishing lure:
a QR code for a 20% off coupon at a nice steakhouse in sf that was popular at the time. the place didnt actually use QR codes as their gift cards. they were super fancy, magstripe cards handed out in little envelopes so guests could feel special. I figured a jpeg of a qr code emailed to people would be a dead giveaway
-
Embed this notice
Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:49:00 JST
Viss
fuckin nope.
one person didnt take the time to click at all, bypassing the entire phishing campaign, they printed out the ticket and walked it to the steakhouse. they presented the qr code to the greeter at the front desk, who went 'uhhh... this isnt real. our gift cards are ... not that.'
this guy insisted. he pushed. so the front desk person went to talk to the manager. the manager ... was not happy.
"where did you get this? why do you think its real?"
-
Embed this notice
Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:49:00 JST
Viss
"well, my work gave it to me. i just got hired at twitter and this was one of their onboarding perks"
so what happened next is super super fucking american. super WEALTHY american, specifically.
there was no discussion, there was no phonecall, there was no, like, line of questioning
the steakhouse straight up called their legal team, and had their legal team get in touch with twitters general council
-
Embed this notice
Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:49:01 JST
Viss
my job was to bring all the redteam creativity i'd been fostering before taking the job into reorganizing the internal twitter security aparatus. One thing of concern at the time (because this was the hot thing in 2011) was internal phishing training.
meaning: running soft, but live-fire phishing campaigns against the staff to measure how they did. *MY* intention was to improve things, but "the market" later ended up just calling this an insurance/compliance checkbox
my program was different
-
Embed this notice
Viss (viss@mastodon.social)'s status on Tuesday, 23-Jun-2026 03:49:01 JST
Viss
my entire angle here was simply:
"if we're not phshing people with what they NORMALLY get hit by, we're doing them a disservice and training them to freak out on false positives, or whatever bogus nonsense got dreamed up by someone who doesnt actually deal with phishing IR all day. we need to be as close to real attackers as possible"
-
Embed this notice