From 0 to millions: Protecting against AitM phishing at scale

JACOB TORREY

March 21 @ San Jac Saloon

ABSTRACT

Phishing has evolved both in the TTPs of attackers and in their targets. From simple clones of a website trying to capture a username/password to reverse-proxying systems that steal sessions even when MFA is in use, the target landscape has changed. Many of the defenses against phishing are starting to show their age: block-lists for domains that appear illegitimate, SMS/push MFA, and broken-functionality cues that might alert someone that the site is not the real one. Modern phishing tools such as EvilGinx, Modlishka, and others handle all of these by hiding the phishing content behind a unique "lure" to avoid domain blocking, supporting SMS/push MFA, and seamlessly allowing login and hand-over once the session has been stolen. This talk focuses on a Canarytoken type that lets you protect shared-responsibility platforms that are difficult to gain insight into. These include Azure Entra ID, LogTo, and custom sites. The Cloned Site Canarytoken lets you quickly get alerted if someone is mirroring or reverse-proxying a sensitive login page that any of your users are trying to log in to--you can be alerted about the phishing site's URL before the user has even entered their password! After a survey of the landscape of modern phishing techniques and defenses, we'll dive into our novel defenses, and look at the data of token alerts from millions of logins every day to build a view of real-world phishing attacks and their TTPs. We'll finish off with how to respond to alerts, and some attacks against our Canarytoken.
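To make the detection idea in the abstract concrete, here is an added illustration of how a cloned-site check can work from the defender's side. It is example code written for this page, not Thinkst's Canarytoken snippet and not anything from the talk: the legitimate login page embeds a script that compares the hostname it was actually served from against an allow-list, and when the page is being served from somewhere else (a mirror or a reverse proxy in front of the real site) it reports that hostname to an alerting endpoint at page load, before any credential is typed. `ALERT_ENDPOINT`, `TOKEN_ID`, the host names and the function names are all assumptions.

```javascript
// Added example (not the page's or Thinkst's code): a minimal cloned-site
// check for a login page. Placeholders are marked; swap in your own values.
const ALERT_ENDPOINT = "https://alerts.example.invalid/beacon"; // placeholder
const TOKEN_ID = "EXAMPLE-TOKEN-ID";                           // placeholder

// Normalise a hostname: lower-case, strip a trailing dot and any port.
function normaliseHost(h) {
  return String(h).toLowerCase().replace(/\.$/, "").split(":")[0];
}

// True if `host` is exactly one of the expected hosts or a subdomain of one.
// A look-alike such as "login-example.com" or "login.example.com.evil.test"
// is NOT accepted, because neither equals nor ends with ".login.example.com".
function isExpectedHost(host, expectedHosts) {
  const h = normaliseHost(host);
  return expectedHosts.some((e) => {
    const x = normaliseHost(e);
    return h === x || h.endsWith("." + x);
  });
}

// Decide whether to alert and build the beacon URL that carries the observed
// serving location. Pure function (takes a location-like object) so it can be
// tested outside a browser.
function evaluateServingLocation(location, expectedHosts) {
  const host = normaliseHost(location.hostname);
  if (isExpectedHost(host, expectedHosts)) {
    return { alert: false, beaconUrl: null };
  }
  const params = new URLSearchParams({
    t: TOKEN_ID,                       // which protected page fired
    host: host,                        // where the page was really served from
    href: location.href,               // full URL the victim is looking at
    ref: location.referrer || "",      // how they got there, if known
  });
  return { alert: true, beaconUrl: ALERT_ENDPOINT + "?" + params.toString() };
}

// Browser entry point: run as early as possible in the page's load.
function runClonedSiteCheck(expectedHosts) {
  if (typeof window === "undefined") return null; // not running in a browser
  const verdict = evaluateServingLocation(
    {
      hostname: window.location.hostname,
      href: window.location.href,
      referrer: document.referrer,
    },
    expectedHosts
  );
  if (verdict.alert) {
    // sendBeacon is fire-and-forget and survives page navigation; an image
    // request is the fallback for older browsers.
    if (navigator.sendBeacon) {
      navigator.sendBeacon(verdict.beaconUrl);
    } else {
      new Image().src = verdict.beaconUrl;
    }
  }
  return verdict;
}

// In the real page this call goes near the top of the login page's HTML.
runClonedSiteCheck(["login.example.com"]); // placeholder host
```

The alert fires on the page-load event, which is why the abstract can promise the phishing URL before the password is entered. The check is only as strong as the proxy's inability to alter it: a reverse proxy that rewrites hostnames or strips scripts in the response body can neutralise a naive version, which is the kind of weakness the talk's closing section on attacks against the token is about, so treat this as the detection principle rather than a finished product.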

Jacob Torrey

Jacob is the Head of Labs at Thinkst Applied Research. Prior to that he managed the HW/FW/VMM security team at AWS, and was a Program Manager at DARPA's Information Innovation Office (I2O). At DARPA he managed a cyber security R&D portfolio including the Configuration Security, Transparent Computing, and Cyber Fault-tolerant Attack Recovery programs. Starting his career at Assured Information Security, he led the Computer Architectures group performing bespoke research into low-level systems security and programming languages. Jacob has been a speaker and keynote speaker at conferences around the world, from BlackHat USA, to SysCan, to TROOPERS and many more. When not in front of the computer, he enjoys trail running, volunteering as a firefighter/EMT, and hiking with his family.

Ringzer0 BOOTSTRAP25, Thompson Conference Center, Austin, TX, March 18-22, 2025.
