We are running a simulated phishing campaign and one of the landing pages has been blacklisted by google. If you try to visit it in chrome you get the big, red warning page “Deceptive site ahead” (works OK in other browsers).
I assume one of our users reported it, thinking it was a real phishing page (kudos for that!) but now we have the problem that other users who are clicking the links in the emails we send are seeing the warning and not continuing, so we are not collecting data on them, or testing to see if they would go further and enter their credentials. Most importantly, we are missing the opportunity to train users who need that training!
I followed the “report a detection problem” link last week but the domains are still blacklisted. This is my question:
Is there a way to whitelist our landing pages with google and the other browser makers, so even though they look like phishing pages, they don’t get blacklisted in the future?
Most hackers keep their links undetected and also up for a long time and send phishing messages.
How is it done? Even Outlook server could not detect them.
I got a suspicious email which looked pretty legit today and wanted to share with the community and maybe people who are more security savvy than me can tell me more about this Phishing attempt.
Basically it’s an email from a ‘customer’ who says they have put in the wrong address and add a link to the email to what looks like your own website that looks like:
It contains a link to :
Does anyone know what type of exploit this is and what it does if you click it?
I want to publish some demo code on github that deals with a new type of phishing attack. However, I’ve used a Google-branded sign-in page for the demo. Will this be a problem with copyright or any legal issues?
My (U.S., R1) academic institution uses CAS to authenticate almost all our web services. However, they don’t use CAS for our GitHub Enterprise instance; rather they use LDAP, so the login page says “GitHub Enterprise”, and there is nothing to indicate it’s an official page of our institution except that the URL is under our .edu domain. Beyond the fact that this bypasses our Duo 2FA deployment, I’m concerned that presenting users with a login page that expects their CAS password but isn’t the normal CAS login page encourages phishing attacks by diluting the message of only putting your password into clearly official, institutionally-affiliated websites. Is this valid, and is it worth raising with our campus IT department? (I’m a graduate student.)
A friend received a spoofed email (from Bank of America using an uber.com address) which was correctly identified as ‘spam’ by Gmail. However, looking at the raw message it seems to have passed SPF, DKIM and DMARC checks.
1) How did a spam email manage to pass SPF, DKIM and DMARC using a source domain as popular as uber.com – a domain the spammers likely don’t control?
2) Is there anything else in the message header/body which would conclusively determine the email to be spoofed? (i.e. other than probabilistic reasoning or blacklisting of elements contained within e.g. external links)
Pasted below is the entire raw message (destination email changed for anonymity).
Delivered-To: firstname.lastname@example.org Received: by 2002:a19:f009:0:0:0:0:0 with SMTP id p9csp8149944lfc; Thu, 2 May 2019 15:48:40 -0700 (PDT) X-Google-Smtp-Source: APXvYqyhm5pZuY7Fm7UQDAafePILEmcZUG7oB/gvcd6J/EhUFwZiS3XMf65THeoGx++FQCmhzOCE X-Received: by 2002:a17:906:13d2:: with SMTP id g18mr3231656ejc.78.1556837320717; Thu, 02 May 2019 15:48:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556837320; cv=none; d=google.com; s=arc-20160816; b=eXB2eqanspJQA6s/q5LqzZmlHbIEk21g9zucGA8hxmjYVXu0b3XnZzYUdJjY5bA0at P6F6qlig4aO5N2Gsr8a9MDRSvvfAibeRTENq/7iO3gaUQIbAM9gQ/aQhV6uLiD+DoSZU dHhhwJB2GQ/5Dh6HoXNuj4SrTMn3yHOEuQA4I+Htw7B1CASkDTIKcs7CART606F33R3N hJqQWlkTlXRNKeSCVY9Ji+7Ij08mciIOJXA2ug0ZYvH9W/C1St8yENSLKfFcrJlk/U/c OyxFmB11yDK9wP9Af5JyzOlkNvGVhXgo1oZzNuB0cyY0nn/HynNrzWhhhTBohg6p92k7 9CuQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=message-id:to:subject:reply-to:mime-version:from:date :dkim-signature:dkim-signature; bh=qLQDboUSSv8iAbkYL4wb/BR8FXlb49YUxc2eDjBWs5k=; b=EtdsO3m3lHH8+WCcDco6Ahfet2PLEix2p1NKcgzqD7fH+37MPmVieWp3qZo2gy0cgD VP4TGaspSGND2cjBZUqlTr6ScJPj98eRtsIOVb/CRgocSy354o72WzT43P2LXJaOSz+L Rq814M7GHwrtutY3bWpYteO2nEAg18EgSyjC7mYqYvERRa7OFhIJO36/ZnAxCGV5xWTm nd3evLaWNpsRP8eUysyOkuC1wGNW9HGCdcs0q5meSfxl+3PmYzTZ4MlrhAxvEWyPRRM4 gDnwQ7w6RUZjGtbsEWul/5zKa5HDX1jTtH4DRYWe3MaLJ4zpFPQ289mnypfpoHB9vNKb wS5A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass email@example.com header.s=s1 header.b=sGXq8dN3; dkim=pass firstname.lastname@example.org header.s=smtpapi header.b=hex9bvGh; spf=pass (google.com: domain of email@example.com designates 126.96.36.199 as permitted sender) smtp.mailfrom="firstname.lastname@example.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=uber.com Return-Path: <email@example.com> Received: from o15.email.uber.com (o15.email.uber.com. [188.8.131.52]) by mx.google.com with ESMTPS id c8si312626edb.189.2019.05.02.15.48.40 for <firstname.lastname@example.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 02 May 2019 15:48:40 -0700 (PDT) Received-SPF: pass (google.com: domain of email@example.com designates 184.108.40.206 as permitted sender) client-ip=220.127.116.11; Authentication-Results: mx.google.com; dkim=pass firstname.lastname@example.org header.s=s1 header.b=sGXq8dN3; dkim=pass email@example.com header.s=smtpapi header.b=hex9bvGh; spf=pass (google.com: domain of firstname.lastname@example.org designates 18.104.22.168 as permitted sender) smtp.mailfrom="email@example.com"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=uber.com DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=uber.com; h=content-type:from:mime-version:reply-to:subject:to; s=s1; bh=v7x4HoONz0ezNRDnKYF0uc2hhtM=; b=sGXq8dN3+HHhABwT351Y+af+nr2B8 pHTDx2MjlKRIDe7H/cnIsI/CpwpJLrb8Stp9RsP0sP5nK3TZmKHQwJedhRvBTC7n r/uPT0JSi+ONLtF9C+0qRXmWmJtqQzFf9slsVRdHaXX8RLa6yaLLzwsHuuRdaJZG o4oB6ZA5AJCesY= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.info; h=content-type:from:mime-version:reply-to:subject:to:x-feedback-id; s=smtpapi; bh=v7x4HoONz0ezNRDnKYF0uc2hhtM=; b=hex9bvGhVyaiDwHKrN h24yUEJB4HO3pTdxhcoAK5VsaYOCXZx9p4blLSQp3uV8ew7NLo2z/zx4csNICZWh SmC8COHDgWcHciNfl43kiraXp400kRYiGsS1pHqVRX5Ob8D0JkPBK5O8DVaeruG8 CZA/6xSoS+V/bEH7nyXlXwrfc= Content-Type: multipart/alternative; boundary=05837142e85bc2c4ac09b1d30a5ba3fe4f9b7871babe88f65414e2efb0b2 Date: Thu, 02 May 2019 22:48:36 +0000 (UTC) From: Bank Of America <firstname.lastname@example.org> Mime-Version: 1.0 Reply-to: email@example.com Subject: [ALERT] Your account id has been blocked !! To: firstname.lastname@example.org Message-ID: <EYI_MwnGTyKSrZKHNQnOnw@ismtpd0039p1iad1.sendgrid.net> X-SG-EID: BJ2Hyk3p2HXeBi9v1wQzSyZ8DM5WrDY+tsMwP5EVk1O0bcaJmQS4hZuUFgRtapyAExYteHWmn73qmX 7VEhHR5sd3ci/g+WzM8Uf68Ux7oY1gt0agNXHr4DKEE+nngxEBm8ZP2xGBiEEEpg5Whgqt/yWpHjZ7 HukhCl3QGdVTLehqCV+7CWTGIxhA8qDvQEtuCLBT6YeFBksxtcPbtJlU+nsHzCU+ZUGuJa5/mD+y0F s7tmnWQuHkKZKYL9EbGQts X-SG-ID: Z2FxZazunBjVeNuNdzHDqrF8mxuCpi0krmont6YQrP1PhrSAm6F2vnhCz+cZmwIQQzzeNf3kS2PU4G C99ZbMEWr4lLYj5ol2knDZ/n3jZwq//ee6CYHr7NePdVS5vtJCVf7ranRUtPwlaGzBDEs80XrtvoiJ GPsexH5dsi0CLhc= X-Feedback-ID: 3504297:hpZl/F8wyMjPOktsUM9fV9PBbsSgTLHDWo42qpJEarc=:hISn6uOVLCzR0vuCEri7CQ==:SG --05837142e85bc2c4ac09b1d30a5ba3fe4f9b7871babe88f65414e2efb0b2 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Mime-Version: 1.0 Dear Valued Customer,=20 You Have A Personal Security Alert from BankOfAmerica. Sign-On https://flyingteachers.nl//wp-content/Wordpress/ Note: You will need to update your information for that service completely.= =20 =C2=A9 Copyright, BankOfAmerica, 2019.=20 Access https://google.com --05837142e85bc2c4ac09b1d30a5ba3fe4f9b7871babe88f65414e2efb0b2 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=UTF-8 Mime-Version: 1.0 <HTML><HEAD></HEAD> <BODY> <IMG src=3D"https://www2.bac-assets.com/homepage/spa-assets/ima= ges/assets-images-global-logos-boa-logo-CSXe4b047c0.svg" width=3D279 height= =3D64>=20 <TABLE id=3Dyui_3_7_2_1_1357636237151_3250 style=3D"FONT-SIZE: 12px; FONT-F= AMILY: Arial, Helvetica, sans-serif" cellSpacing=3D0 cellPadding=3D0 width= =3D600 border=3D0> <TBODY></TBODY></TABLE><BR>Dear Valued Customer, <BR><BR>You Have A Person= al Security Alert from BankOfAmerica.<BR> <P></P> <P><FONT id=3Dyui_3_16_0_1_1399663152274_19869 style=3D"FONT-SIZE: 12px; CO= LOR: #333333; LINE-HEIGHT: 18px" face=3D"Verdana, sans-serif"> <TABLE id=3Dyui_3_16_0_1_1399663152274_48813 style=3D"BACKGROUND: no-repeat= left top" height=3D15 cellSpacing=3D0 cellPadding=3D0 width=3D111 bgColor= =3D#6cae35 border=3D0> <TBODY id=3Dyui_3_16_0_1_1399663152274_48812> <TR id=3Dyui_3_16_0_1_1399663152274_48811 bgColor=3D#6cae35> <TD id=3Dyui_3_16_0_1_1399663152274_48862 bgColor=3D#6cae35 vAlign=3Dmiddle= width=3D15 align=3Dcenter><FONT size=3D2><HTTPS: id=3Dyui_3_16_0_1_1399663= 152274_48861 width=3D"15" height=3D"15" email_cta_arrow.gif=3D"" media=3D""= static_assets=3D"" mcontent=3D"" content.usaa.com=3D""></HTTPS:></FONT></T= D> <TD id=3Dyui_3_16_0_1_1399663152274_48810 bgColor=3D#6cae35 vAlign=3Dmiddle= width=3D96 align=3Dcenter><A id=3Dyui_3_16_0_1_1399663152274_48814 style= =3D"TEXT-DECORATION: none; COLOR: #fff; FONT: bold 11px arial, sans-serif" = href=3D"http://email.uber.com/wf/click?upn=3D-2FQ0tIReEQQvMTn37D6ijIfRAMGF2= MPDMqrIBax6TjqHI26EB2dJUvOpfb6-2BtHW1GBBasvV-2BPdUGxE65m1S0AUw-3D-3D_upBRTD= Ma1f8arr27T-2FChSHKA02CtoItCQ9e6PNbvcG9XxnPK4VYSIoINuPPUDOYMFaHDvWWc6mRXY-2= BjkyEJ4uGUdSbHsos4WOz9Yr529xiH9tDHJLxlZMIShGPk0S8U4onf5vQHto3-2B7-2BwbS3DDx= gGjcR-2BFeB1tfaZTkc-2BdDdmBj2b7z5S6KGHutMpn48l3JhaVOuRvB-2F5niKuSo53oVEp9Ag= pJI7RnaO6AO3D5pLjHBeAsWMwbWL4o9BhEfMC8cT0zWfUna8GP3wEKDFrXWVmspJeNCXCcqbUUp= SUF49HwDS-2F279HaQ-2BkL8PVsX8eMAvnRBRi8DRIAWf938W9MaPq8yv9aeEq8G6uedSgCjCX1= FAAhXKhtxerCOMO6JhOYPlm2-2FHX633X1SrBaiTYZGOw-3D-3D" rel=3Dnofollow target= =3D_blank>Sign-On</A></TD></TR></TBODY></TABLE></FONT></P>Note: You will ne= ed to update your information for that service completely. <BR><BR><FONT id= =3Dyui_3_13_0_1_1398145588576_6499 size=3D1></FONT><FONT size=3D2>=C2=A9 Co= pyright, BankOfAmerica, 2019.</FONT>=20 <img src=3D"http://email.uber.com/wf/open?upn=3DupBRTDMa1f8arr27T-2FChSHKA0= 2CtoItCQ9e6PNbvcG9XxnPK4VYSIoINuPPUDOYMFaHDvWWc6mRXY-2BjkyEJ4uGUdSbHsos4WOz= 9Yr529xiH9tDHJLxlZMIShGPk0S8U4onf5vQHto3-2B7-2BwbS3DDxgGjcR-2BFeB1tfaZTkc-2= BdDdmBj2b7z5S6KGHutMpn48l3JhaVOuRvB-2F5niKuSo53oVEnZOKS1AsqehIRfEXmYLYu3fhQ= UZgheXahrlWwKmrfQylaw7Y2sX09qWBC67FiV-2Fwmf5O6ZvgYoAV3vtQZhLjSa6B7I0DiwhfzK= 11lBOmIXiMuUc30aqH9s9sDIGqnGR8O-2Fdgjw-2FWHQjWqMlfMnd1TWWYULqOl5xYb-2BD-2B1= JMvHPISuLN3S-2BBtXPo-2BSzlYb9YTw-3D-3D" alt=3D"" width=3D"1" height=3D"1" b= order=3D"0" style=3D"height:1px !important;width:1px !important;border-widt= h:0 !important;margin-top:0 !important;margin-bottom:0 !important;margin-ri= ght:0 !important;margin-left:0 !important;padding-top:0 !important;padding-= bottom:0 !important;padding-right:0 !important;padding-left:0 !important;"/= > </BODY></HTML> <a href=3D"http://email.uber.com/wf/click?upn=3D-2FQ0tIReEQQvMTn37D6ijIUDYH= X2-2FyU5mi0Enz-2FchsQI-3D_upBRTDMa1f8arr27T-2FChSHKA02CtoItCQ9e6PNbvcG9XxnP= K4VYSIoINuPPUDOYMFaHDvWWc6mRXY-2BjkyEJ4uGUdSbHsos4WOz9Yr529xiH9tDHJLxlZMISh= GPk0S8U4onf5vQHto3-2B7-2BwbS3DDxgGjcR-2BFeB1tfaZTkc-2BdDdmBj2b7z5S6KGHutMpn= 48l3JhaVOuRvB-2F5niKuSo53oVEggJcxBzsBUTFT7XWbdRLfOKJHct29bBLqq-2FiX-2BnFPQ-= 2BLCqjk6YuSfSFkaKdm5QvdZMBusseXcTQlJhzVP-2Beo5392uwTJHnkaMczik43b2te8teMEjS= hfujpSCF4MTUkjQ5IBldCR7EOeT4-2BF6vpq0Ctnr2W7ZarsqWFftMiNy8s-2BU-2F5eF1gGJwN= 7E92IF4inQ-3D-3D" target=3D"_blank" rel=3D"noopener">Access</a> --05837142e85bc2c4ac09b1d30a5ba3fe4f9b7871babe88f65414e2efb0b2--
I’m not a windows user nor do I use outlook, but apparently windows users need to be careful about clicking on suspicious links.
The canonical example is a user in Windows using Outlook clicks on some link and is then infected with spyware.
Technically speaking, how is this possible? Is clicking a single link in an email all that has to happen? Does outlook allow arbitrary code execution allowing a link to install a binary? For the sake of discussion, assume windows 10.
I am looking for a training that goes in depth on creating effective phishing exercises and social engineering stuffs. Displaying an effective way to get into a the network through a phishing email or vishing call is much more effective. Training that goes in depth into how to create payloads and emails that bypass email gateways and tricks the user into clicking them would be great!
I currently work on the IT security team ay my workplace in a senior role. Recently, I assisted management in designing the phishing / social engineering training campaigns, by which IT security will send out phishing “test” emails to see how aware the company employees are to spotting such emails.
We have adopted a highly targeted strategy based not only on the user’s job role but also on the content such employees are likely to see. The content have been varied to include emails asking for sensitive content (e.g: updating a password) to fake social media posts, to targeted advertising.
We have been getting push back from end users that they have no way of distinguishing a legitimate email that they would receive day to day from truly malicious phishing emails. They have been requests to scale back the difficulty of these tests from our team.
When is phishing education going too far?
Is pushback from the end users demonstrative that their awareness is still lacking and need further training, specifically the inability to recognize legitimate from malicious emails?
I want a large no. of phishing websites URL. For example just like phishtank which has a database consisting of website’s urls which have been reported as phishing all over the world.