Defcon 2024 - 15 Minutes to Phish!

Tanner
3 min read

I was fortunate enough to attend DEFCON, the largest hacking and security conference in the world. Held annually in Las Vegas, Nevada, DEFCON attracts a wide range of industry professionals. This year's event took place at the massive Las Vegas Convention Center. Security professionals, IT enthusiasts, college students, government officials, and curious individuals all gathered to experience what DEFCON has to offer.

DEFCON was an exhilarating, yet overwhelming, experience. With professional talks, hands-on workshops, and unique villages all happening simultaneously, I found myself constantly making tough choices about where to spend my time. I ultimately spent most of my time at the DEFCON villages. These are dedicated spaces that focus on a specific topic and feature mini talks, hands-on activities, and networking opportunities. Among them, the Social Engineering village was one that really sparked my interest.

The Social Engineering village featured a vishing competition and cold calls. For those unfamiliar, vishing involves attackers using phone calls to deceive individuals into disclosing sensitive information. In the vishing competition, teams and individuals, who had registered months in advance, faced off by placing live phone calls within a 15-minute time frame, showcasing their techniques and strategies to gather information. Each team was assigned a target company and conducted open-source intelligence to prepare their approach. Teams had to document their plans, including pretext details, phone numbers to call, and numbers to spoof. Cold calls provided attendees, like myself, a chance to make brief calls and experience the world of social engineering without the pressure of competition, as there were no judges scoring these calls. Unfortunately, the signup sheet for cold calls was too long, so I didn’t get a chance to participate. Nevertheless, observing the vishing competition revealed how easily posing as an internal IT employee, whether troubleshooting connection issues or gathering employee feedback on security measures, can deceive users who aren’t aware of social engineering tactics.

One hands-on activity I participated in involved creating a phishing campaign from scratch in just 15 minutes using the open-source phishing framework GoPhish. Many of us have encountered phishing emails posing as legitimate corporations, often with malicious links designed to steal personal information and credentials. It’s concerning to think that creating a phishing campaign is now accessible to anyone with minimal IT skills, especially since GoPhish is free.

GoPhish’s user-friendly web interface makes configuring a campaign quick, so a convincing phishing site can be stood up in minutes. To set up my first phishing campaign, I started by configuring users and groups, adding victim email addresses specific to the LAN subnet designated for this activity. Next, I created an email template that mimics a legitimate email from the targeted website. GoPhish makes this easy by allowing you to quickly copy the email payload you want to imitate, aiming to bypass email filters and trick recipients into engaging with the email. The next step was configuring a landing page—the website where users are directed to enter their personal information. These landing pages are designed to replicate legitimate login pages to capture victims' credentials. To create a landing page, I simply copied the HTML source code of the website I wanted to mimic, made a few tweaks to capture credentials, and the page was ready. The final steps involved setting up a simple SMTP server to send the emails and launching the campaign to review the results. The outcome would reveal the type of information an attacker could obtain if a victim fell for the scam.
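The last step above, reviewing the results, is the part of a phishing-awareness simulation that a defender actually acts on: how far each recipient got (sent, opened, clicked, submitted) and who reported the message. The script below is an added example, not code from the post or from the GoPhish project; the per-recipient result rows are constructed, and the stage names are assumed to mirror the funnel a campaign tool reports. It turns those rows into per-group rates, a funnel, and a list of recipients who should get follow-up training.

```python
"""Summarise the results of a phishing-awareness simulation.

Added example; not code from the post or the GoPhish project. The input is
a constructed list of per-recipient outcomes. The stage strings are an
assumption modelled on the stages a campaign tool reports. Nothing here
sends mail or serves a page; it only measures how far recipients got.
"""
from collections import Counter, defaultdict

# Funnel order: reaching a later stage implies every earlier stage happened.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Constructed sample results (fictional addresses, not a real campaign).
SAMPLE_RESULTS = [
    {"email": "a.adams@example.test", "group": "finance", "status": "Submitted Data", "reported": False},
    {"email": "b.brown@example.test", "group": "finance", "status": "Clicked Link", "reported": False},
    {"email": "c.clark@example.test", "group": "finance", "status": "Email Opened", "reported": True},
    {"email": "d.diaz@example.test", "group": "engineering", "status": "Email Sent", "reported": False},
    {"email": "e.evans@example.test", "group": "engineering", "status": "Email Opened", "reported": True},
    {"email": "f.foster@example.test", "group": "engineering", "status": "Clicked Link", "reported": True},
]


def funnel(results):
    """Count how many recipients reached at least each stage."""
    reached = Counter()
    for r in results:
        idx = STAGE_INDEX[r["status"]]  # KeyError on an unknown stage is deliberate
        for stage in STAGES[: idx + 1]:
            reached[stage] += 1
    return {stage: reached[stage] for stage in STAGES}


def rates(results):
    """Fraction of recipients reaching each stage, rounded to two decimals."""
    total = len(results)
    counts = funnel(results)
    return {stage: round(counts[stage] / total, 2) if total else 0.0 for stage in STAGES}


def by_group(results):
    """Per-group stage rates, so training can be targeted where it is needed."""
    groups = defaultdict(list)
    for r in results:
        groups[r["group"]].append(r)
    return {group: rates(rows) for group, rows in groups.items()}


def report_rate(results):
    """Fraction of recipients who reported the message, regardless of stage."""
    if not results:
        return 0.0
    return round(sum(1 for r in results if r["reported"]) / len(results), 2)


def needs_training(results, threshold="Clicked Link"):
    """Recipients who got at least as far as `threshold` and did not report it."""
    limit = STAGE_INDEX[threshold]
    return sorted(
        r["email"] for r in results
        if STAGE_INDEX[r["status"]] >= limit and not r["reported"]
    )


if __name__ == "__main__":
    print("funnel:", funnel(SAMPLE_RESULTS))
    print("rates:", rates(SAMPLE_RESULTS))
    print("by group:", by_group(SAMPLE_RESULTS))
    print("report rate:", report_rate(SAMPLE_RESULTS))
    print("follow-up training:", needs_training(SAMPLE_RESULTS))
```

The design choice worth noting is that a recipient who clicked but then reported the email is excluded from the training list: reporting is the behaviour the exercise is meant to reinforce, and the report rate is tracked separately so it can be raised over time alongside driving the click rate down.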

Learning how to create a phishing campaign using an open-source platform and listening to live social engineering phone calls were among the many highlights of my DEFCON experience. It reinforced the critical role humans play as the last line of defense in IT security. While technical controls are essential for safeguarding systems, phishing awareness and education remain crucial to protecting against threats.


Written by

Tanner