For my first breakout session of the TRISC 2009 Conference, I decided to check out Rohyt Belani’s presentation on Spear Phishing.  Rohyt is the CEO of Intrepidus Group and has spoken at a variety of conferences, from BlackHat to OWASP to MISTI to Hack in the Box.  I had heard from several other conference attendees that he was a pretty good speaker, and the topic seemed interesting enough, so I went and wasn’t at all disappointed.  My notes (while not very long) from the presentation are below, and the actual presentation can be found here:

  • CEO of Intrepidus Group
  • Adjunct Professor at Carnegie Mellon University
  • Frequent speaker at BlackHat, OWASP, MISTI, Hack in the Box
  • Phishing: The act of electronically luring a user into surrendering private information that will be used for identity theft or conducting an act that will compromise the victim’s computer system.
  • Example of spear phishing used for a pump-and-dump scam
  • Example of spear phishing used to download a Trojan, crack the admin password, and create domain administrator accounts on a Windows server.
  • Intrepidus Group runs a service called PhishMe.com that is used to run mock phishing attacks against companies.
  • 23% +/- 3% of users are susceptible to phishing attacks, based on survey data gathered through PhishMe.com
  • Convincing people to click via authority works better than reward
  • People are more “click happy” on a Friday afternoon
  • Use an existing website that’s vulnerable to XSS or create a fake SSL certificate