Phishing Made Easy — SniperPhish: A Web-Email Spear Phishing Toolkit — by Gem George & Joseph Nygil
Updated: Dec 26, 2020
SINCON 2020 Conference Workshop Track
Day 1 (2 Jan 2021)
@ Workshop Room
Email phishing campaigns are commonly used to test employees' awareness in a company or organization. These exercises mostly combine phishing emails and websites. An effective campaign requires careful preparation, starting from designing a phishing website to executing the payload at the target in an undetectable manner. SniperPhish is an advanced Web-Email spear-phishing toolkit developed in PHP to conduct professional phishing assessments. In this session, we demonstrate how web-email-based phishing attacks or targeted spear-phishing are conducted in the real world using our virtual environment. The main advantage of SniperPhish is that it automates most of the manual tasks for you while setting up the environment. We will cover SniperPhish installation, configuration, campaign creation, phishing website configuration, and campaign execution. The session also covers how the campaign results are tracked and how we can generate custom reports containing web and email data. The abstract idea behind this toolkit is to simulate, combine, and centrally track all campaigns that involve email and phishing websites. SniperPhish avoids manual coding for each website created as part of the campaign and allows website customizations without touching the tracking codes used on the website. In addition to the core campaign module, we also detail the add-on modules included in the SniperPhish toolkit.
About the Instructors
GEM GEORGE is a security consultant, presently working in one of the auditing firms in Singapore, focused on Vulnerability Assessment and Penetration Testing. Gem holds a master's in Cybersecurity, as well as certifications from Offensive Security and CREST. Gem has over 5 years of experience in the security field and is passionate about attending CTFs and developing security tools. He has been acknowledged by tech giants such as Google and Cisco for reporting vulnerabilities and holds several CVEs in his name. He also volunteers with Google as a Product Expert (Google PE), supporting Gmail and Google Accounts.
JOSEPH NYGIL has 13 years of combined information technology and cybersecurity experience. He has a passion for cybersecurity and for helping his clients identify their risks and determine their cybersecurity preparedness. Nygil specializes in ethical hacking, vulnerability management, application security assessment and red teaming. Nygil holds a degree in Electronics and Communication Engineering, and InfoSec certifications from Offensive Security.