Month: June 2018

Phishing-As-A-Service (PHASS) Platforms and Frameworks

PHISHING-AS-A-SERVICE (PHAAS) allows attackers to create individual phishing campaigns, schedule and process emails and a lot of other related procedures that are involved in phishing computer targets. While most currently available PhaaS platforms are designed to test the resilience of organizations and their ability to detect social engineering attempts against their employees and help craft training programs to mitigate phishing threats, there are a few that are designed to aid cybercriminals launch and manage illegal phishing campaigns. Some of these legitimate, commercial or open source platforms can also be used for unlawful phishing attacks.

Hack$#!t — EIllegal Phishing Framework:

Hack$#!t is a Phishing-as-a-Service platform named that records the credentials of the phishing bait victims. The phished bait pages are packaged with base64 encoding and served from secure (HTTPS) websites with a top-level domain (TLD) to evade traditional scanners. The victim’s credentials are sent to the Hack$#!t PhaaS platform via websockets.

FiercePhish Phishing Framework:

The FiercePhish phishing framework is an extensive open-source solution that allows attackers to create and manage individual phishing campaigns. Functionalities include the following:

  • Prefix Establishment – This feature enables the attackers to set up custom URL’s that mask as legitimate sources.
  • Phishing Campaigns Creation and Operation – The framework allows the careful tuning of sending a predefined number of emails over defined periods of time.
  • Sending of Individual Emails – This is used for sending emails to specific targets.
  • Email Configuration Check – The FiercePhish platform allows the operators to parse MX records, A records and SPF records to ensure proper configuration.
  • Activity Logs – The platform tracks all activity and can give detailed information such when the emails were sent and all interactions performed with them.
  • Quick Replacement – The program allows the operators to use an easy Import/Export feature to issue a new server into sending out the emails.
  • User Management – FiercePhish allows its operators to use multiple accounts for better organization.
  • Two-Factor Authentication – The operators can use Two-Factor Authentication using Google’s service.

SPF “SpeedPhishing Framework”:

The SpeedPhishing Framework was designed to help simplify and automate the email phishing process and particularly assist with “credential harvesting” attacks. When provided with minimal input (such as just a target domain name), SPF can search for potential targets, deploy multiple phishing websites, craft and send phishing emails to those targets, record the results, generate a basic report, among other more advanced tasks.

Functionalities include:

  • Can be run fully automated or interactively
  • Automated target identification
  • Profiling of target company
  • Hosting of templated and dynamically generated phishing websites
  • Sending emails
  • Collection of phishing results
  • Verification of results

Ghost Phisher – Phishing Attack Tool:

Ghost Phisher is a Wireless and Ethernet security auditing and phishing attack tool that can emulate access points and deploy. The tool comes with a fake DNS server, phony DHCP server, fake HTTP server and also has an integrated area for automatic capture and logging of HTTP form method credentials to a database. It could be used as a honeypot and could be used to service DHCP requests, DNS requests or phishing attacks.

Functionalities include:

  • HTTP Server
  • Inbuilt RFC 1035 DNS Server
  • Inbuilt RFC 2131 DHCP Server
  • Web page Hosting and Credential Logger (Phishing)
  • Wifi Access point Emulator
  • Session Hijacking (Passive and Ethernet Modes)
  • ARP Cache Poisoning (MITM and DOS Attacks)
  • Penetration using Metasploit Bindings
  • Automatic credential logging using SQLite Database

Phishing Frenzy – E-mail Phishing Framework:

Phishing Frenzy is an Open Source Ruby on Rails e-mail phishing framework designed to help penetration testers manage multiple, complex phishing campaigns. Designed to streamline the phishing process while still providing clients with the best realistic phishing campaign possible, Phishing Frenzy’s goal is obtainable through campaign management, template reuse, statistical generation, and other features.

Functionalities include:

  • Sending Emails
  • Hosting Websites
  • Tracking Analytics
  • Website Cloning
  • E-mail Harvesting
  • Credential Harvesting
  • UID tracking for users
  • Reporting and Analytics
  • Export XML

Gophish – Open-Source Phishing Framework:

Gophish is a phishing framework that makes the simulation of real-world phishing attacks very straight forwards and makes industry-grade phishing training possible.

Functionalities include:

  • One-click Installation
  • Standalone, portable binary with static assets
  • Point-and-click Phishing
  • WebUI
  • Automated Phishing campaigns
  • RESTful API (JSON)
  • Computerized Training
  • Open-Source

Sptoolkit Rebirth – Simple Phishing Toolkit:

The Sptoolkit (rebirth) or Simple Phishing Toolkit project is an open source phishing education toolkit designed to focus on training employees.

Functionalities include:

  • Templates & Visual editor
  • Education completion tracking

Cartero Phishing Framework:

Cartero is a phishing framework with a full-featured CLI interface with a modular structure divided into commands that perform independent tasks (i.e., Mailer, Cloner, Listener, AdminConsole, etc…). Each sub-command can be configured and automated.

King Phisher Phishing Framework:

King Phisher is a tool for testing and promoting user awareness by simulating real-world phishing attacks. It features an easy to use architecture allowing full control over both emails and server content. It can be used to run campaigns ranging from simple awareness training to more complicated scenarios in which user aware content is served for harvesting credentials.

  • Functionalities include:
  • Runs multiple phishing campaigns simultaneously
  • Sends emails with embedded images for a more legitimate appearance
  • Has Optional Two-Factor authentication
  • Credential harvesting from landing pages
  • SMS alerts regarding campaign status
  • Web page cloning capabilities
  • Integrated Sender Policy Framework (SPF) checks
  • Geolocation of phishing visitors
  • Sends emails with calendar invitations




Collaboration in the Twin Cities – Recap of Minneapolis’ Regional Intelligence Workshop

The commitment to increasing retailer’s cyber security posture via collaboration, partnership and sharing threat intelligence was evident at the RH-ISAC Regional Intelligence Workshop, hosted at member company Target’s headquarters June 7. Rich Agostino, Target’s CISO, kicked things off with a powerful opening statement indicating, “Cybersecurity is critical to the success of the entire organization. Collaboration and sharing among cyber threat intelligence analysts across retail is key to bolstering the collective cybersecurity defense capabilities for our industry,” and Target is, “proud to host the RH-ISAC’s intelligence workshop, because regardless of resources, we all have something important to share.”

This sentiment was exemplified in the well-crafted and thoughtful content that Target Team Members presented throughout the day. There was lively conversation among the 40 cybersecurity practitioners in attendance, and an emphasis on openness of sharing and teamwork to better the community at large.

Content during the workshop included a retail threat briefing focusing on point-of-sale (PoS), phishing and account takeover (ATO), a discussion on cyber maturity models and building out a threat intelligence program, operationalizing threat intelligence and how to demystify a campaign by breaking down the dataset. Use case examples included threat driven detection and tracking infrastructure, threat actor group campaign attributes, and ATO attack methods and tracking methodology. We learned that for organizations attempting to build a CTI program with minimal resources, establishing operational capabilities before producing intelligence is crucial and that the key to proactive detection is behavior – when teams key in on actor behavior they can get ahead of the attacks. Overall, one of the biggest takeaways from the day is that regardless of resources, size, or current capabilities, each and every company brings something important to the table to share, and that this community is dedicated to working together to advance capabilities across the board.

Thank you to the entire Target team for hosting, and to our sponsoring partner Symantec for the workshops. For those located in the Dallas area, we have the last regional workshop for this year coming up on June 28 at RH-ISAC member company Sally Beauty’s headquarters. Don’t miss an opportunity to meet up with retail cybersecurity peers and learn how to Action on Threat Intelligence. RSVP Here

RH-ISAC goes to Canada

We took our workshop tour to Canada on Tuesday to host the first RH-ISAC Canadian Retail Cybersecurity Invitational with our partner, Deloitte. The one-day gathering brought cybersecurity professionals together from Canada’s leading retail, grocer, consumer products, entertainment, and hospitality organizations. The day increased local retailers’ awareness of shared cybersecurity challenges and we began meaningful discussions about how we can strengthen our collective cyber threat defense capabilities.

In Toronto, the day was complete with presentations from the RH-ISAC’s Tommy McDowell and Jennifer McGoldrick and Deloitte. We covered topics including a review of the retail industry threat landscape and why intel sharing matters for Canadian retailers. We also tackled issues such as actioning on threat intelligence, strategies for building an intelligence-led and business risk-focused programs, and how the RH-ISAC can help companies in these efforts.

With the uptick in cyber threat activity in Canada it was very valuable to bring current and new members together in Toronto. A couple of pictures from the day are below. We headed to Minneapolis after for our regional workshop at Target which took place on Thursday, June 7. Look for a recap from that event coming soon!

If you’re interested in attending, email us at Check our events page for other upcoming workshops and webinars,



Compromised Point-of-Sale Data Remains a Staple Among Fraudsters

By Kathleen Weinberger and Roman Sannikov

Below is a featured blog post from associate member Flashpoint. This comes as a follow-up to the webinar they presented recently to the RH-ISAC membership. We thank them for their expertise and willingness to share and support the RH-ISAC’s community of retail cybersecurity practitioners. 


Fraud is a persistent problem for brick-and-mortar and e-commerce retailers alike. Retailers’ intelligence teams often focus their attention on loss prevention to combat direct forms of fraud, such as the use of fake receipts, but this is not the only way fraud can threaten retailers. Indeed, intelligence teams must also be cognizant of cybercriminals targeting their point-of-sale (PoS) systems to obtain credit card data, typically with the intention of selling it on illicit card shops on the Deep & Dark Web (DDW).

Underground card shops endure because they are the epitome of a centralized criminal economy targeting retailers. As with other DDW marketplaces, many prominent card shops bear striking structural similarities to legitimate organizations, complete with established infrastructure, a team accountable for the product, and a vested interest in fostering a strong reputation with clients.

Despite significant gains made by law enforcement and private-sector research communities, card shops figure to remain a primary means of obtaining stolen payment card data in the form of dumps or cards, often obtained from compromised retailers.

Dumps consist of payment card data stolen from the magnetic stripe of a payment card through the use of skimmers; these are used for cloning physical cards and for in-store fraud. Cards, meanwhile, are packages of card numbers and other information necessary for card-not-present fraud. Some sellers will also offer what are known as “fullz,” which are complete sets of personally identifiable information (PII) for an individual. Fullz may include a victim’s Social Security number, date of birth, and other information considered useful for carrying out identity theft.

Flashpoint analysts believe fraudsters will patronize underground card shops to avoid the risks associated with obtaining the data themselves. Stealing credit card numbers and other PII from retailers typically involves the installation of a skimmer on a physical card reader or the use of point-of-sale malware. In addition to being a high-risk endeavor, this crime requires specialized skills and the up-front cost of obtaining the necessary malware and hardware. By eliminating the need to obtain this data directly from retailers, the presence of these underground shops has lowered barriers to entry for making fraudulent purchases using stolen card information.

Many card shops have slick user interfaces that allow customers to load funds from a cryptocurrency wallet and check the validity of a dump using an online tool provided by the shop. Some higher tier shops even offer refunds within an allotted time period, say 30 minutes following the purchase, for example, if a payment card number is not valid. Prices of dumps and cards may vary according to the region from where the numbers originate and how recently they were obtained.

The level of service offered by a card shop may vary depending on its tier and reputation within the cybercriminal underground. Tiers definitely matter to buyers, especially when dealing with shops of lesser reputations, known as “junk” and “mid-tier” shops where payment card data may be drawn from the same sources that other similar lower-tier shops draw from. The data is likely to be old and potentially unusable, and there may be less opportunity for a refund.

When it comes to top-tier card shops, the expectation is that the cards and dumps are fresh because many of these shops have private sources of stolen cards. Top-tier shops also shy away from reselling cards that have been sold already, whereas those at the junk tier may not resell on the same shop, but may instead try to sell cards or dumps which have already been used by fraudsters or have already been sold at another shop. Typical buys, meanwhile, depend on the individual; gangs in carding operations may buy in bulk whereas individuals cloning cards on their own may buy lesser amounts.

DDW forums also have their place in this ecosystem of buying and selling stolen card data, whether it be where shops are advertised or new breaches are marketed. Operators can interact with buyers and can in some cases share invitation codes to closed shops providing private access to a new customer.

Shop operators also use forums to discuss infrastructure changes, such as when a shop opens a new domain of operation. Scammers frequently attempt to set up fake shops with similar URLs in order to phish other threat actors, tricking them into entering their login credentials in order to take over their accounts on the official website.

Card shops selling data stolen from retailers remain a viable part of the underground economy, in spite of the emergence of other potential revenue streams introduced through the availability of hundreds of millions of stolen credentials, or the spread of cryptocurrency miners, and ransomware, just to name a few.

Efforts from retailers and financial institutions to implement enhanced security measures to combat fraud have cut into the viability of a stolen card, meaning those that survive likely have an enhanced value to buyers and sellers. All of this is continuing to breathe life into card shops as a primary means of this type of business on the underground.

For more information on Flashpoint, please contact





Diversity: the art of thinking independently together. An interview with Deb Dixson.

By: Jennifer McGoldrick-Stenberg, Director, Membership & Operations, RH-ISAC

As Malcolm Forbes once said, “diversity [is] the art of thinking independently together.” This powerful message is paralleled in the thoughtful responses I received during my conversation with Deb Dixson. As you may know, Deb is the former senior vice president of information security and risk at Best Buy. Her background and breadth of experience speak to the importance of diversity and inclusion, not just in gender and culture, but also in thought and experience.

I hope you enjoy this installation of The Practitioner Mindset Series – Interview with a Cybersecurity Professional as much as I enjoyed my conversation with Deb.

Q: Tell me a little bit about your journey.

A: My background was non-traditional, and my career was reverse-engineered. I was educated in Home Economics, a secret I kept for a long time because I assumed people would think I was less capable. I landed in the technology world by selling testing, grading, scheduling and attendance software and hardware. At that time, if you sold it, you had to install it, and I was simply intrigued by how everything worked. I was good at trouble shooting, spent a lot of time on the phone with engineers, and learned a great deal about the field.

After some personal health issues, I began at a job training and QA testing at a software company. This forced me to learn architecture. Equipped with my newly gained backend knowledge and my former sales experience, I was asked to do more client-facing work and developer management. I took on jobs that others didn’t want and trained myself, asking for help when needed. Quickly I learned that if I was going to be successful, I needed to surround myself with the smartest people I could. This is a mantra I carried forward with me throughout my career and is how I’ve always judged my teams. If I’m the dumbest person in the room, I’ve done a good job pulling a wide-range of expertise together, and I know we’ll come up with the best solution, collectively.

It was by accident that I ended up at Best Buy. I was brought into the company on contract as program manager to implement their gift card program. Understanding the flow of money via gift cards was fascinating to me! After that program rollout, I was put on another project, continued to broaden my exposure to people, departments, and technology, and eventually took over responsibility for POS and mainframe reporting systems, and was a permanent employee. As I continued to deepen my understanding of how the payment card industry worked, and PCI was just getting legs (or teeth), it occurred to me that there would come a time when retailers would need to pay closer attention to information security. After much research, I proposed a Chief Information Security Role for the organization.  It took some time, but I became Best Buy’s first CISO and one of the first in the retail industry.

So much has changed from those days; the threat landscape has exploded. It is one of the things I love about info sec and risk, its constantly morphing and you can never rest on what you knew or did yesterday. It’s never dull, and there’s always a need for new perspectives, skills and tools!


Q: What a ride! You clearly demonstrate a thirst for learning, ability to ask questions and aim to dig deeper. Are these the traits that pulled your career along?

A: The skills that propelled me forward were an endless curiosity to know how things work and a drive to ask questions and do research. It was always important to look for gaps and then bring solutions that fit those gaps. Coming from a different background, I often had a different perspective than many in the room and I wasn’t afraid to speak up. If I could give advice to up-and-comers, I’d say don’t apologize for your background, don’t be afraid to work hard, or differently, to get yourself noticed and get ahead. If you continually demonstrate your talent and skills, you will persevere.


Q: The last time we spoke, you mentioned that only recently in your career did you begin to share details of your educational background. Tell me more about that?

A: That’s correct. Only once I was older and more established in my career did I share my non-traditional journey. More than anything, the reason I spoke up was because I saw too many younger people or those wanting to make a career change into security excluding themselves from opportunities due to their degree or experience. I thought that if people could hear my experience they may decide to take a leap they otherwise wouldn’t. Too many people self-edit without trying. In today’s world, technology is in everyone’s hand, so it is that much more critical to unlock the unique talents that people with non-traditional technology backgrounds have to help us face what’s coming.


Q: Tell me how you have you seen these non-traditional technology employees impact the dynamics of the security team?

A: The more diverse your team can be, the more welcoming it is to individuals who are underserved or underrepresented. This is important for several reasons. Having people with diverse backgrounds and perspectives makes it easier to continue the forward momentum and uncovers answers to questions that might be missed if the room was filled with people who have the same background and thought patterns. As you tackle things like vulnerability management or handling a security incident, the more perspectives you can bring in, the bigger opportunity you have to approach things differently.

Think about the challenge of reaching and educating the population that doesn’t think security is important. How do you get them to care? Why do they do what they do? You need teachers. You need people with a psychology background. It requires innovation to build an effective approach. This shift in dynamics helps teams look at problems from a different angle, which is exactly what this industry needs.


Q: That seems straightforward, and yet we still see a lack of diversity within the cybersecurity industry. How do you think organizations can address the challenge of attracting and retaining talent and improve the gap and drive more candidates to the field?A: There are a couple of things we need to do. No matter the organization or the industry, it starts with looking at how job descriptions are written. Even if they are technically correct, they may exclude or discourage people with non-traditional backgrounds, different cultures or ethnic backgrounds from applying. People write themselves off if the words within the description don’t resonate with them. There is a psychology behind these incremental changes and it’s important to think about the way your organization is positioning roles that need to be filled. Relook at the places you recruit from, is there an unconscious bias playing out that doesn’t produce a diverse pool of candidates to pick from.

Organizations are all competing for talent; there are more jobs than there are people to fill them. Everyone seems to be looking for that “unicorn!”  If you back up and decompose the skills necessary to fill that role, and you take a slightly different approach – you may find that you can accomplish the task by leveraging the discreet talents of several people on the team.  Giving people a chance to stretch and grow by building a “unicorn team”.

Another way we can address this challenge is to be more involved in communities and schools. Focus on younger generations and show children that highly-technical fields are interesting and fun. Find ways to get kids interested in security and risk organizations through events like bring your child to work day or mentoring programs. Too often we get paralyzed by the problem. Figure out how to take little steps that turn into something big.


Q:That’s great advice, thank you for sharing. I have one final question for you if you don’t mind. Can you tell us what’s next for you?

A: Short answer, I don’t know. I would love to be able to continue to do something valuable and important. I’m not sure what that is yet, it could be sitting on a board, working with a start-up, or helping define strategy for an organization like the RH-ISAC. My journey isn’t over, and I look forward to seeing what’s next.

We Need to Be All In

By: Suzie Squier, Executive Director, RH-ISAC

Whether it was working with legal counsel to determine what information can be shared, or in internal discussions with his team, “being all in” was Publix vice president of IS architecture and security Steve Wellslager’s mantra for his efforts in increasing Publix’ sharing within the RH-ISAC community. Steve opened the RH-ISAC’s second of four regional workshops, sharing with the room that Publix was one of the founding members of the RH-ISAC and has been committed to the organization from the beginning.

Steve’s address was followed later in the program with senior manager of IT security Rick Rampolla’s outstanding presentation on how Publix is transforming from a compliance-based security operations center (SOC) to a threat intel-based SOC. We’ve asked Rick to reprise his presentation in a future Cyber Thursday webinar, so stay tuned for details. It is a journey that started with taking a step back to determine, as Rick explained, “what threat intelligence means to us.” It wasn’t a total reversal of their current operations, but a step-by-step process focused on their requirements, which incorporated sharing with the RH-ISAC within their workflow.

“We were consumers of RH-ISAC data for a long time,” explained one Publix team member, “but Rick’s philosophy is that we need to be good stewards to our community and our industry.” During the transformation, Publix came up with an approach that not only got important threat information into their SEIM, but also allowed the team to share what they were seeing with the RH-ISAC community. In writing their report, their listserv contribution is ingested directly into the RH-ISAC Enclave, which, in turn, feeds directly into their SEIM integration. Now, their workflow shares strengthen their environment while simultaneously sharing important information to other RH-ISAC members.

As is usually the case when bringing RH-ISAC members together, the workshop provided a great opportunity to meet with other members in the area, share insights, and allowed the RH-ISAC analysts and team to deepen their awareness of retail’s unique challenges. Thank you to our sponsor, Symantec, and to Publix for hosting this event. Two more workshops remain – this Thursday, June 7, at Target headquarters in Minneapolis, and June 28 at Sally Beauty’s headquarters in Dallas. If you’re nearby and haven’t registered yet, I encourage you to visit our site for more information or email to register.