
Getting your scope in control during a Quishing Red Teaming Assessment
Red teaming can be challenging, especially when simulating real-world attacks like QR code phishing ("quishing") within a tightly defined scope. How do you credibly launch a phishing campaign without wanting to know the specific targets, exposing sensitive information, or putting unintended users at risk? This session offers a behind-the-scenes look at how our team tackled these constraints. We will dig into some open-source tools that can be used, some custom tweaks we made to make them more secure and believable, and the pitfalls you can hopefully avoid. We will walk you through our attack chain: (1) creating a phishing poster, (2) using a customized EvilGinx instance to verify the scope, (3) creating a believable landing page for our targets, and (4) lessons learned and possible automated attacks.
Speaker
Bob van der Staak
Nederlandse Spoorwegen
Bob van der Staak is an ethical hacker and red teamer at the Dutch Railways. Sharing knowledge is his passion, and with his background in software development and technical informatics, he implements code to assist with his daily assessments. From web penetration testing to malware development and cloud technologies, he is eager to learn and share his expertise.
Rutger Flohil
Ethical hacker / Red teamer @ Nederlandse Spoorwegen
Rutger Flohil began his career as a .NET developer, building a solid base in software development before switching gears to focus on cybersecurity. After gaining valuable experience in the Security Operations Center (SOC) of the Dutch TLD, he moved on to his current role as a Red Teamer at Dutch Railways (NS). Rutger enjoys the creative side of security, especially when it comes to writing offensive scripts in Python. Always curious and eager to learn, he's passionate about discovering new techn...