Chcon2025

Hands off my creds: phishing tools vs phishing defenses
2025-10-31, Main Hall

Phishing has evolved in both attacker TTPs and their targets. Re-hosting scraped HTML is no longer enough; the tooling used to launch campaigns that steal credentials and sessions while bypassing MFA is constantly evolving.

So too must the defenses. Early last year we released an open-source phishing detection as part of the Canarytokens.org project, and it became more popular than we ever could have imagined: on average it now protects more than 100 logins every single second. While it's nice to see defenders waking up to a problem that accounts for the majority of breaches these days, alas, it's not just the blue teams paying attention.

This talk will bring the audience up to speed on the evolving game of cat-and-mouse between phishing tools and detections, and the high-stakes battle over our digital identities. Come to learn the impressive lengths attackers will go to for a session token, and how defenders can try to stay a (half-)step ahead...


This talk will take the audience through a whirlwind tour of everything that's happened in phishing attack and defense since we all stopped paying attention back in the early 2000s.

We'll talk about:
- Just how much phishing is going on and how it's a huge problem
- Modern phishing systems and how they can trick users and defeat MFA (think AitM, BitM, frame-less, etc.)
- How to defend against it, both properly (phishing-resistant MFA), and as a detection (CSS/JS defenses)
- How phishing tools have evolved in the face of AitM detections
- How we can fight back and stay ahead with clever CSS tricks

Jacob is the Head of Labs at Thinkst Applied Research. Prior to that he managed the HW/FW/VMM security team at AWS, and was a Program Manager at DARPA's Information Innovation Office (I2O). At DARPA he managed a cyber security R&D portfolio including the Configuration Security, Transparent Computing, and Cyber Fault-tolerant Attack Recovery programs. Jacob has been a speaker and keynote presenter at conferences around the world, from Black Hat to SyScan to TROOPERS and many more.