update: it just tickled the red all day then fell off. totally fine if youre a weirdo hermit like me and dont go outside. less good if you do strenuous stuff outside.
"if we're not phshing people with what they NORMALLY get hit by, we're doing them a disservice and training them to freak out on false positives, or whatever bogus nonsense got dreamed up by someone who doesnt actually deal with phishing IR all day. we need to be as close to real attackers as possible"
my job was to bring all the redteam creativity i'd been fostering before taking the job into reorganizing the internal twitter security aparatus. One thing of concern at the time (because this was the hot thing in 2011) was internal phishing training.
meaning: running soft, but live-fire phishing campaigns against the staff to measure how they did. *MY* intention was to improve things, but "the market" later ended up just calling this an insurance/compliance checkbox
one person didnt take the time to click at all, bypassing the entire phishing campaign, they printed out the ticket and walked it to the steakhouse. they presented the qr code to the greeter at the front desk, who went 'uhhh... this isnt real. our gift cards are ... not that.'
this guy insisted. he pushed. so the front desk person went to talk to the manager. the manager ... was not happy.
"where did you get this? why do you think its real?"
so i looked around town for a nice restaurant that had a good selection of stuff, and was on the low end of the 'pricey' side of things, and dreamed up a phishing lure:
a QR code for a 20% off coupon at a nice steakhouse in sf that was popular at the time. the place didnt actually use QR codes as their gift cards. they were super fancy, magstripe cards handed out in little envelopes so guests could feel special. I figured a jpeg of a qr code emailed to people would be a dead giveaway
and twitter at the time was squirting money all over the place. staff got all sorts of perks.
so i figured - hey, all these 20somethings fresh out of college are going back home after work and gushing to their friends about how much cool shit they just got from their cool new job - thats 100% a vector, i should take advantage of that.
so i spent a couple weeks noodling on it. That time was my onboarding.
see, at the time, twitter would fly noobs up to the office in sf for 2 weeks of onsite trainng. part of that, amusingly, was me doing a presentation to the noobs about "welcome to twitter, you now have a target painted on your back, people will try and phish you to either get shells or to get access or to get intel etc. you have to be careful now. just by working here, your risk goes up"
D̒͂̕ᵈăᵃn̕ᶰ Ť̾̾̓͐͒͠ᵗe͗̑́̋̂́͡ᵉn̅ᶰtᵗl̀̓͘ᶫe̓̒̂̚ᵉrʳ:: Founder, Phobos Group:: Quad Flooper :: Scoville Addict :: Public Speaker :: food pornographer:: Twitter Alum (2011-2012):: security histrionics:: finance histrionics:: tattoo'ed nerd:: security longhairpart george carlin, part bill hicks, part robin williams. I run a tiny security consulting company, make hotsauce, watch cartoons and figured out how to weaponize home assistant. I found 118 dollars of btc in my garage.