Blackhat 2017 Day 1 – Phishing as a Science
This may have been my favorite session.  The content and the speaker were great.

There’s a theory that there are fundamentally two modes of thinking: System 1 and System 2.

System 1: Fast, instinctive, gullible, emotional.
System 2: Slow, methodical, skeptical, rational.

The problem is that every method of preventing phishing requires System 2.  When I talk about System 1 in the context of security decisions, I call it the "lizard brain".  One of the open questions I still have is: how do you create instinct?

The talk focused on phishing for credentials.  Attackers create an email with "a hook", a call to action (e.g. verify your account, verify your settings, verify your salary).  The victim clicks a link and is sent to the phishing site, which then extracts the credentials.

Based on the data used, the presenter found that people are more susceptible (the phishing campaign gets a better hit rate) when the email looks very much like the site it is spoofing, even if that site's genuine emails are traditionally plain text only.

I believe this resonates with some of the research being done at Duke (by Dan Ariely, I think) that was presented while I was getting my MBA.  I'd have to find the research, but I believe it could be the blueprint for launching successful phishing campaigns.

From the talk at Duke, the fundamental idea is that humans prefer processes, items, and people that are similar to something they already know, even if they don't like the similarity.  For example, a picture of a random person blended with a picture of an ex-president tested better than the picture of the random person alone.

Another interesting tidbit is that people don't trust the password manager.  If the password manager doesn't fill in the password because the site is in fact malicious, people go ahead and type the password in themselves.

For now, be careful and trust the password manager.
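The reason the manager's silence is a signal: it only fills credentials on the exact origin they were saved for, so a lookalike or subdomain-trick phishing page gets nothing. The following is an added illustration of that origin check (not code from the talk or any real password manager); the vault contents and URLs are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample vault: credentials keyed by the exact origin
# (scheme + host) they were saved on, as a browser password manager does.
VAULT = {
    "https://accounts.example.com": ("alice", "correct horse battery staple"),
    "https://bank.example.org": ("alice", "hunter2-but-much-longer"),
}


def origin_of(url):
    """Return the scheme://host origin of a URL (ports omitted for brevity)."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    return f"{parts.scheme}://{parts.hostname}".lower()


def autofill(url):
    """Return the saved (username, password) only on an exact origin match.

    'accounts-example.com' (hyphen), 'accounts.example.com.evil.test'
    (real host buried in a subdomain) and 'http://' (scheme downgrade) all
    fail the lookup, which is exactly the case where the victim is tempted
    to type the password by hand.
    """
    return VAULT.get(origin_of(url))


def manual_entry_warning(url, typed_password):
    """Flag a saved password being typed on an origin it was not saved for.

    This is the check a user mentally skips when they override the manager;
    a defender-side hook could surface it as a warning before submit.
    """
    origin = origin_of(url)
    for saved_origin, (_, saved_pw) in VAULT.items():
        if saved_pw == typed_password and saved_origin != origin:
            return f"password saved for {saved_origin} typed on {origin}"
    return None
```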


In the future, U2F (Universal 2nd Factor) will be built into Intel chips.  From my own investigation, U2F has huge promise.