The need to keep information safe has made people more aware of the importance of securing their accounts. Passwords by themselves are no longer sufficient for this purpose. Users often pick easy-to-guess passwords and, worse still, reuse those passwords across multiple accounts. To further complicate the situation, password breaches allow malicious actors to easily obtain login information—including passwords. The easiest way to improve the minimal security provided by a password or passphrase is to enable two-factor authentication (2FA) on your accounts.

What is realtime phishing?

Realtime phishing, otherwise referred to as Man-in-the-Middle (MitM) phishing, is a novel type of phishing attack that tricks a victim into accessing a proxy server (a server that acts as an intermediary) controlled by an attacker. The proxy relays network traffic between the victim’s browser and the legitimate website. Essentially, to the victim, the realtime phishing proxy pretends to be the legitimate website, and to the legitimate website, the realtime phishing proxy pretends to be the legitimate user.

Keeping phishing tests ethical

Running phishing tests, also commonly referred to as phishing simulations, helps you identify and track weaknesses and points of improvement in your security awareness program. Phishing tests can also help identify the types of phishing attacks that are most successful against your organization. However, if handled incorrectly, it is easy for people to feel hard done by. Phishing tests may sometimes appear “unethical” or “unfair”, and that can leave your colleagues with a bitter taste in their mouths.
Simulated phishing attacks provide an effective way to help identify, track and measure weaknesses and improvements in your security program as they relate to phishing and social engineering. Phishing simulation can also help you identify which types of phishing attacks are most successful against your organization and which groups of employees to focus more on as part of your security awareness training efforts. There are several ways to run phishing simulation exercises across your organization.
The annual release of the Verizon Data Breach Investigations Report (DBIR) has personally been one of my most anticipated “news” releases of the year since 2016. It’s a great opportunity to take a macro and micro view of how cybersecurity is impacting our social and economic activities in a format that lends itself well to answering nuanced questions. This year’s report definitely extrapolates trends from previous years, and the purpose of this opinion piece is not to tell you how bad phishing and social engineering are — we all know that.
Today, we’re excited to unveil the newest feature in PhishDeck: Target and List data export. The name suggests how simple this new feature really is – in addition to the existing Campaign results export, you can now also export Target and List data in both CSV and JSON. The new data export features in PhishDeck allow you to easily export per-Target or per-List data for further analysis using spreadsheet applications, or any other application or bespoke script that accepts CSV or JSON input.
Humans aren’t great with passwords – specifically, at creating strong, random, unique passwords and keeping them private. This leads to issues ranging from account takeovers (when an attacker takes control of a victim’s account by obtaining their password), to financial scams and identity theft (when goods or services are bought or sold using a stolen identity), to data breaches and other security incidents. The truth is that we suck at passwords because passwords are, in many ways, flawed.

What is Phishing Simulation?

Phishing simulation, also referred to as a phishing test, is used to test how susceptible an organization is to phishing. More importantly, phishing simulation allows organizations to prepare how to respond in the event of a real attack. Phishing simulation typically involves recipients, or targets, within an organization receiving a simulated phishing email that is intended to mimic a real phishing attack. Typically, like real phishing emails, phishing simulation emails are intended to trick their target into performing some action at the request of an attacker.
Two-factor authentication, commonly shortened to 2FA, or referred to as two-step verification, dual-factor authentication or multi-factor authentication, refers to the process whereby users are asked to verify their identity using more than one (typically two) authentication factor. The purpose of using two-factor authentication is to prevent an attacker who has compromised a user’s password from being able to log into the account – the attacker will also need to get past the second factor of authentication in order to successfully log in, drastically reducing the chances of the user’s account being taken over.

Phinn: On engineering a real-time phishing simulation proxy

Advanced phishing attacks are becoming increasingly commonplace, with tools that allow attackers to harvest credentials, bypass two-factor authentication (2FA), and run automated post-exploit scripts the instant you enter your credentials. This post takes a look at our journey towards releasing Phinn, the real-time phishing simulation proxy that sits at the core of the PhishDeck phishing simulation platform. The Problem: In recent years we have seen a dramatic surge and shift in the phishing landscape that we have not seen in a very long time.