
Craig Hays


Why More Than Half of Email Phishing Leaks Happen on Mobile Devices

June 22, 2020 By Craig Hays

Reading Time: 5 minutes

Over 60 percent of people who are phished by email are phished on mobile devices. This is why it happens and what you can do about it.


Why Mobile Devices are More Prone to Phishing

I’ve sent a lot of phishing emails, all with good intentions I must add. While reviewing the results, one of the most surprising things I discovered was that the majority of people who fall for phishing tests (and therefore real phishing attacks) are using mobile devices. In my experience, 60% of those who are successfully deceived are on a mobile device when it happens.

These are my conclusions as to why this is true and recommendations on what we can do to help people stay safe online.


What Happened When I Leaked My Server Password on GitHub.com

June 10, 2020 By Craig Hays

Reading Time: 7 minutes

I deployed a honeypot and ‘accidentally’ leaked a valid SSH username and password into a GitHub repository. This is what happened over the next 24 hours.


Searching for juicy information in GitHub repositories is nothing new. In the past, I’ve written about mining GitHub for sensitive information and contributed to open source projects that help to automate this process. Having used this technique as an ethical hacker, I was curious to see what it looks like when criminals do it for real with malicious intent.


Save and Search Your Web Traffic Forever with elasticArchive for Mitmproxy

June 8, 2020 By Craig Hays

Reading Time: 3 minutes

Log and perform full-text searches on all of your web traffic with Mitmproxy and ElasticArchive, a tool for bug bounty hunters, red teams, and OSINT.


Introducing ElasticArchive – a Mitmproxy Add-on to Store Everything in Elasticsearch

I was looking for an easy way to record all of my web traffic in Elasticsearch so that I could search full requests and responses for cookie names, parameter names, strange URLs, and short-lived content, but I couldn’t find one. So I made one – elasticArchive.
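To show the shape of such an add-on, here is an added example (my own code, not the elasticArchive add-on from the post): a minimal mitmproxy add-on that flattens each completed HTTP flow into a JSON document and indexes it into Elasticsearch so that full requests and responses become full-text searchable. The Elasticsearch URL, the index name and the document field names are assumptions; the stand-in flow at the bottom is constructed so the module also runs without mitmproxy or a cluster.

```python
"""Added example, not elasticArchive: a minimal mitmproxy add-on that indexes
every completed HTTP flow into Elasticsearch as one JSON document.
ES_URL, INDEX and the field names below are my own assumptions."""
import base64
import json
import urllib.request
from datetime import datetime, timezone
from types import SimpleNamespace

ES_URL = "http://localhost:9200"  # assumed: local single-node Elasticsearch
INDEX = "web-traffic"             # assumed index name
MAX_BODY = 1_000_000              # bytes kept per body; larger bodies are truncated, not dropped


def encode_body(raw, limit=MAX_BODY):
    """Keep a body searchable as text when it is valid UTF-8, otherwise store it
    as base64 so binary content (images, protobuf, undecodable compressed blobs)
    never breaks indexing. The original length is recorded before truncation."""
    raw = raw or b""
    truncated = len(raw) > limit
    kept = raw[:limit]
    try:
        return {"text": kept.decode("utf-8"), "encoding": "utf-8",
                "length": len(raw), "truncated": truncated}
    except UnicodeDecodeError:
        return {"text": base64.b64encode(kept).decode("ascii"), "encoding": "base64",
                "length": len(raw), "truncated": truncated}


def flow_to_document(flow):
    """Flatten a mitmproxy HTTPFlow into one JSON-serialisable document.
    Only these mitmproxy attributes are used: flow.id, request.method,
    pretty_url, pretty_host, path, headers, response.status_code, reason, and
    get_content(strict=False), which returns the body with Content-Encoding
    removed, or the raw bytes when decoding fails."""
    req, resp = flow.request, flow.response
    doc = {
        "flow_id": flow.id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "request": {
            "method": req.method,
            "url": req.pretty_url,
            "host": req.pretty_host,
            "path": req.path,
            # headers.items() collapses repeated names; items(multi=True) keeps every pair
            "headers": dict(req.headers.items()),
            "body": encode_body(req.get_content(strict=False)),
        },
    }
    if resp is not None:  # always set in the response hook, but not when replaying errors
        doc["response"] = {
            "status_code": resp.status_code,
            "reason": resp.reason,
            "headers": dict(resp.headers.items()),
            "body": encode_body(resp.get_content(strict=False)),
        }
    return doc


def es_index(doc, es_url=ES_URL, index=INDEX):
    """PUT the document under its flow id so re-indexing a saved flow file
    overwrites the earlier copy instead of duplicating it."""
    url = f"{es_url}/{index}/_doc/{doc['flow_id']}"
    data = json.dumps(doc).encode("utf-8")
    request = urllib.request.Request(url, data=data, method="PUT",
                                     headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)


class ElasticArchive:
    """mitmproxy add-on: load with `mitmproxy -s elastic_archive.py`.
    `sink` receives each document; it is swappable so the add-on can be
    exercised without a live cluster."""

    def __init__(self, sink=es_index):
        self.sink = sink
        self.indexed = 0

    def response(self, flow):
        """mitmproxy calls this hook once per flow when the full response has arrived."""
        self.sink(flow_to_document(flow))
        self.indexed += 1


addons = [ElasticArchive()]


def constructed_flow():
    """Stand-in for an HTTPFlow built from SimpleNamespace (constructed demo data)."""
    def message(headers, body, **extra):
        return SimpleNamespace(headers=headers, get_content=lambda strict=True: body, **extra)
    request = message({"Host": "app.example", "Cookie": "session=abc123"}, b"",
                      method="GET", pretty_url="https://app.example/api/me?debug=1",
                      pretty_host="app.example", path="/api/me?debug=1")
    response = message({"Content-Type": "application/json", "Set-Cookie": "csrf_token=xyz"},
                       b'{"user": "craig", "admin": false}', status_code=200, reason="OK")
    return SimpleNamespace(id="demo-flow-1", request=request, response=response)


def archive_demo():
    """Run the add-on against the constructed flow, collecting documents in a list."""
    captured = []
    addon = ElasticArchive(sink=captured.append)
    addon.response(constructed_flow())
    return captured


if __name__ == "__main__":
    print(json.dumps(archive_demo()[0], indent=2))
```

Once documents are in the index, the searches the paragraph describes are ordinary field queries (for example `response.headers.Set-Cookie` or `request.body.text`), and because the body text is stored alongside the status and headers, a short-lived response is still searchable long after the page that produced it has changed.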


Bug Bounty Hunting Tips #6 — Simplify

May 11, 2020 By Craig Hays

Reading Time: 6 minutes

Apply Occam’s razor to your bug bounty hunting. Cut away all that is unnecessary. Reduce to the essential. Simplify to what is important and ignore the rest.


On the surface, the web is a complicated place. For bug bounty hunters, most of it is just noise, a distraction from what is truly important. If you’re fuzzing inputs with an automated or semi-automated scanner, the more inputs and effective payloads you have to play with, the more likely you are to find a bug. Otherwise, aim to simplify everything and manually test what remains.

Why You Should Simplify Requests When Bug Bounty Hunting
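The simplification advice can be applied mechanically to a captured request. The following is an added example (my own code, not from the post): a request minimiser that drops one header or parameter at a time and keeps each removal only when the target’s response is unchanged, leaving the smallest request that still reproduces the behaviour under test. The `send` callable is pluggable; `demo_target` is a constructed stand-in for a web application and `demo_request` a constructed browser-shaped request.

```python
"""Added example, not code from the post: greedy request minimisation.
The target application and the captured request are constructed for the demo."""
from dataclasses import dataclass, field, replace
from typing import Callable


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def fingerprint(response):
    """What counts as 'the same response'. Status and body are compared verbatim
    here; against a real target you would normalise volatile parts (dates,
    nonces, request ids) first, otherwise every field would appear to matter."""
    status, body = response
    return status, body


def minimise(req: Request, send: Callable[[Request], tuple]):
    """Remove headers, then parameters, one at a time, keeping a removal only
    when the fingerprint matches the baseline. Returns (minimal request,
    requests sent). Greedy removal can depend on order when two fields are
    interchangeable, which is fine for a starting point for manual testing."""
    sent = 0

    def probe(candidate):
        nonlocal sent
        sent += 1
        return fingerprint(send(candidate))

    baseline = probe(req)
    current = req
    for name in list(current.headers):
        trimmed = replace(current, headers={k: v for k, v in current.headers.items() if k != name})
        if probe(trimmed) == baseline:
            current = trimmed
    for name in list(current.params):
        trimmed = replace(current, params={k: v for k, v in current.params.items() if k != name})
        if probe(trimmed) == baseline:
            current = trimmed
    return current, sent


def demo_target(req: Request):
    """Constructed stand-in for an application (not a real server): it needs a
    bearer token and an id, and switches body format on X-Requested-With.
    Everything else in the request is noise."""
    if req.headers.get("Authorization") != "Bearer demo-token":
        return 401, "unauthorised"
    item = req.params.get("id")
    if item is None:
        return 400, "missing id"
    if req.headers.get("X-Requested-With") == "XMLHttpRequest":
        return 200, '{"item": "%s"}' % item
    return 200, "<html>item %s</html>" % item


def demo_request() -> Request:
    """A browser-shaped request as a proxy would capture it (constructed values)."""
    return Request(
        method="GET",
        path="/api/item",
        headers={
            "User-Agent": "Mozilla/5.0",
            "Accept": "application/json, text/plain, */*",
            "Accept-Language": "en-GB,en;q=0.9",
            "Referer": "https://app.example/items",
            "Authorization": "Bearer demo-token",
            "X-Requested-With": "XMLHttpRequest",
            "Cookie": "consent=1; _ga=GA1.2.1",
        },
        params={"id": "42", "utm_source": "newsletter", "_": "1588000000"},
    )


if __name__ == "__main__":
    minimal, count = minimise(demo_request(), demo_target)
    print(f"{count} requests sent; headers={minimal.headers} params={minimal.params}")
```

What survives is exactly what the application reads: the token, the format switch and the id. Those three are where manual testing time goes; the tracking cookie, the cache-buster and the UTM parameter are the noise the paragraph says to ignore.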


Bug Bounty Tips #5, Half-Life Alyx, Everyone works from home, and more…

April 6, 2020 By Craig Hays

Reading Time: 2 minutes

Craig’s Newsletter April 6, 2020 Edition



Hi All!

Here’s a little update on what I’ve been doing since we last spoke.

What I’ve Been Writing

Since the last update I’ve published my 5th in a series of bug bounty hunting tips:
Bug Bounty Hunting Tips #5 — Aim to Become World-Class in Your Niche. You can read it for free on craighays.com or if you’re a medium.com member you can support me by reading it there.

What I’ve Been Watching

Things are pretty stressful for everyone right now. We can’t go outside, we can’t see family and friends, and everything’s a little bit tense. While unusual for me, I’ve been enjoying watching jacksepticeye playing Half-Life Alyx in virtual reality from start to finish. I haven’t owned a gaming PC for a very long time and I can’t justify building one just for this game. I’ve found that watching someone else play it is good enough for some much-needed escapism without investing in all the kit needed to play it.

What I’ve Been Doing

It feels like the entire world has changed since I last emailed out a couple of weeks ago. All over the world, anyone who can do it is now working from home. The safety net of the corporate firewall is gone. People are working permanently behind home routers with default passwords, firewalls turned off, and… who knows what else is happening. Therefore, I’ve spent the last couple of weeks at work making sure everything is configured the way it was designed to be for exactly this situation. I suspect many of you will have been in the same position.

That said, I’ve started learning more about gRPC at a very low level as I’m really interested in bug bounty targets using this method of data transfer. It isn’t as easy to work with as text-encoded HTTP requests, so there might not be so many people testing it in the bug bounty space. I did, however, find this Burp Suite Protobuf plugin from NCC Group which looks really useful. Hopefully, I’ll get a chance to try it soon.

What I’m Doing Next

I’m planning on publishing an article on my work analysing external inbound and outbound email through Exchange 365, as there doesn’t seem to be any way to do it in detail in the native reports. My PowerShell scripts need a bit of polishing to make them publishable, but once done I’ll host them on GitHub and link to them from the article.

As always, if you’ve got feedback, questions, or something to add, please get in touch.

Stay home, stay safe, and take care.
Craig



© Craig Hays, 2006–2025
