Event RPE: The Mark of the Con



Date: TBD, 2019 | Location: DreamPort Facility in Columbia MD


Wikipedia claims that William Thompson was a confidence man (a 'con man' or con woman) in antebellum New York. In the 1840s, they claim, he would "approach an upper-class mark, pretending they knew each other, and begin a brief conversation. After initially gaining the mark's trust, Thompson would ask whether he had the confidence to lend Thompson his watch. Upon taking the watch, Thompson would depart, never returning the watch". What led Thompson to choose his mark? How did he know which citizen to single out for his con?

New World Encyclopedia suggests that a con man or con woman will prey on human desires, greed, or the drive to help others in order to achieve their goal. While this may be true, we do not believe the old adage they mention, 'you can't cheat an honest man'. You absolutely can, and attackers do. By their very nature, humans can be too trusting, and this is a fact that an attacker will exploit. Attackers that utilize phishing emails are engaging in a con, but how do they choose their mark? Sometimes they don't choose specifically; instead they target everyone at a company or multiple free webmail accounts. These types of phish attempts can be easy to spot. Is it possible to be more selective? Phishing attempts that exploit our desire to win free money or gifts, our natural reaction to a warning or threat, or our assumption of a continued conversation are more selective, but sending these messages is more labor intensive.

Ultimately, in nearly every case of a phishing attack, it is the job of the attacker to get a mark to click on a link, open a document, and even enter private or personal details. How does an attacker perform this analysis? Is there a method to automate the process of sending a series of emails, ranging from initial phishing attempts to messages with custom crafted malicious content, if you can assume the marks will open at least one of the messages?

DreamPort is going to conduct an RPE to identify teams who can perpetrate a phishing campaign against our fictitious company, RodinCorp, where they will automatically alter phishing content to determine who is the most probable candidate to receive malicious content. DreamPort will certify at least 1 user in the company will be vulnerable to remote exploitation, but at least 20% of the employees will actually open initial phishing content. Participants must deliver multiple phishing messages and accompanying web content to determine who is the probable candidate for exploitation.

Participants should come prepared to deliver phishing content, meaning they must bring email accounts, virtual private computing (VPC) resources, and DNS domains prior to the start of the engagement. DreamPort will notify participants when they are free to begin sending initial content to our victim users.

We will inform participants of relevant information in advance such as active suitable user account targets.


Participants will be evaluated based on their ability to identify the candidate who is most probable for malicious content. At least 20% of the user accounts in RodinCorp will open phishing content but only 1 candidate will actually be vulnerable to exploitation.

Suggested Skills

This RPE does not just involve crafting and sending email messages to targets. We suggest participants bring the following skills:

  • Email message crafting (MIME, HTML, CSS)
  • Callback/Attack Websites:
    • AWS/Azure/Linode/Digital Ocean
    • HTML/JavaScript/Python
    • DNS
    • BeEF
  • Automated email sending:
    • Python/Ruby/Java
    • GoPhish, Social-Engineer Toolkit
    • ASP/JSP
  • Analysis Techniques
    • Log Analysis

Expected Solution

The expected solution is ideally an integrated platform combining open source and custom technology for delivering phishing content and assessing the success rate of the messages, including:

  • Who opens messages
  • Who renders HTML content
  • Who clicks on links

Ultimately, we are searching for solutions that can provide an assessment that a candidate is vulnerable to malicious content.

