how i phished my company

How I Phished Omada. Secret Squirrel stuff.

Upload: william-gregorian

Post on 18-Jan-2017


“ Omada Health, which coaches online groups on healthy behavior… ”

Plenty of Buzz around Omada

How would I “hack” Omada?

•Hack my way through networks, type a bunch of fancy commands? No.

•Join Anonymous, wear a Guido Fawkes mask, use their collective power? No.

•Launch a Denial of Service attack, bring it all down? No.

•Quid pro quo, entice an employee with something to get their password? No.

•Phish Omada employees, let them give me their passwords.

Yes!

“ Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life. ”- @thegrugq


The Attack targets

•C-Level and Executives - good targets if I were a Nigerian prince. No.

•Engineers - brainiacs, too much overhead to con them. No.

•User Reps - trained agents, would detect irregular patterns. No.

•Health Coaches - remote, loving human beings willing to help others.

Perfect!

OK, Phishing it is…

•Perform reconnaissance - case the joint (Italian Job style) before you rob it.

•Who’s Who - identify high-value targets (LinkedIn, Twitter, Google).

Scenario assumptions:

•Recon finds that the coaches are remote and not part of the corporate HQ.

•Email templates - sign up for Prevent yourself (self-enrol) and copy-paste the genuine account emails.

•Pulling it all together - plan, test, verify, and then execute. Go go go!

Real Fish (callouts on the genuine Prevent email)

•This looks good. Save!

•Correct email address.

•Thanks for creating the urgency for me!

•Establish trust, but don’t verify.

•I love this button! Hyperlinked URL.

Perfect!

Reel Phish (callouts on my cloned email)

•Mine looks better.

•Huh? Red flag!

•First-name basis? Cool!

•Create a higher sense of urgency!

•What happened here? Pretty sure this is {clone, spear}-phishing.

•I just love this button!

The real website (callouts on the genuine password page)

•Specify a new password.

•Extended Validation SSL certificate, issued to Omada Health.

•URL is preventnow.com.

Hooked, line and sinker (callouts on my phishing page)

•Clearly != preventnow.com, and no HTTPS.

•Obvious mi$$pellings are common.

•Specify current password? Red flag!

•What happened to the blue button?!

•Again, mine looks better.
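The red flags called out on the two pages above can be checked mechanically. The following is an added example, not code from the talk: it takes the HTML of a password-setup email plus its landing form and reports links that are not HTTPS, hosts that are not preventnow.com, near-miss spellings of that host, visible link text that names the real domain while the href goes elsewhere, and a form that asks for the current password when the genuine flow only sets a new one. The two sample messages, their paths and tokens, and the lookalike domain prevetnow.example are constructed for the example and are not what the drill used.

```python
"""Red-flag checks for a password-setup email and its landing form.

Added example, not the talk's own code. Sample emails, paths, tokens and the
lookalike domain below are constructed; preventnow.com is the host the slides
identify as the genuine site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_HOST = "preventnow.com"

# Constructed samples (paths, tokens and the lookalike domain are made up).
REAL_EMAIL = """
<p>Welcome to Prevent! Click the button below to get started.</p>
<a href="https://preventnow.com/set-password?token=c0ffee">Specify a new password</a>
<form><input type="password" name="new_password">
<input type="password" name="confirm_password"></form>
"""
PHISH_EMAIL = """
<p>Hi Jane, your account will be locked unless you act in the next hour.</p>
<a href="http://prevetnow.example/set-password">Specify a new password</a>
<form><input type="password" name="current_password">
<input type="password" name="new_password"></form>
"""


def levenshtein(a, b):
    """Edit distance, used to spot near-miss spellings of the legit domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _Extractor(HTMLParser):
    """Collect (href, visible text) for every link and (type, name) for inputs."""

    def __init__(self):
        super().__init__()
        self.links, self.inputs = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and "href" in attrs:
            self._href, self._text = attrs["href"], []
        elif tag == "input":
            self.inputs.append((attrs.get("type", "text"), attrs.get("name", "")))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_legit_host(host, legit_host):
    return host == legit_host or host.endswith("." + legit_host)


def check_message(html, legit_host=LEGIT_HOST):
    """Return the list of red flags found in an email body plus its landing form."""
    parser = _Extractor()
    parser.feed(html)
    flags = []
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto:, tel: and the like carry no landing page to check
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            flags.append(f"not https: {href}")
        if not _is_legit_host(host, legit_host):
            flags.append(f"host is not {legit_host}: {host}")
            legit_label, label = legit_host.split(".")[0], host.split(".")[0]
            if levenshtein(label, legit_label) <= 2:  # same or near-miss label
                flags.append(f"lookalike of {legit_host}: {host}")
            if legit_host in text:  # text names the real site, href does not go there
                flags.append(f"link text says {legit_host} but points to {host}")
    for typ, name in parser.inputs:
        if typ == "password" and any(w in name.lower() for w in ("current", "old", "existing")):
            flags.append(f"form asks for current password: {name}")
    return flags


if __name__ == "__main__":
    for label, body in (("real", REAL_EMAIL), ("phish", PHISH_EMAIL)):
        print(label, check_message(body) or "no red flags")
```

The edit-distance threshold of 2 catches the dropped-letter and swapped-letter domains the slides warn about; it will also flag a genuine subsidiary domain that merely shares a label, so treat the output as a triage list rather than a verdict.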

The Results

•39 users were targeted.

•The first phished credentials were collected 3 minutes after the campaign launched.

•24 users had remote images enabled, which let me detect when the message was viewed.

•1 user had a vulnerable web browser that would have let me perform a drive-by attack.

Stage                        Users   % of 39
Viewed the message            34      87%
Clicked the link              25      64%
Provided their credentials    22      56%
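The numbers above come from attributing each tracking-image fetch, click and form post to one recipient. As an added example, not the tooling behind the slides, the block below assumes every recipient got a unique token in the tracking-image URL and in the button link, collapses a raw event log to unique users per stage, and reports the funnel and the time to the first captured credential. The event log is constructed to reproduce the slide's figures; one assumption is mine and is marked in the code: since only 24 users had remote images enabled but 34 viewed the message, "viewed" is taken to mean image fetches plus clicks, because a click proves the message was read even when images were blocked.

```python
"""Phishing-drill funnel from a per-recipient event log.

Added example, not the tooling behind the slides. Assumes every recipient
received a unique token in the tracking-image URL and the button link, so each
image fetch, click and form post can be tied to one user. The recipient list,
launch time and event log are constructed to match the slide's numbers.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LAUNCH = datetime(2017, 1, 18, 9, 0)  # constructed launch time
# Constructed recipient list: token -> address, tokens t01..t39.
RECIPIENTS = {f"t{i:02d}": f"coach{i:02d}@example.com" for i in range(1, 40)}


def build_events():
    """Constructed log of (minutes after launch, token, event kind)."""
    events = []
    # Tracking-image fetches: only the 24 recipients with remote images enabled,
    # each opening the message twice (a repeat open must count once).
    for i in range(1, 25):
        minute = i if i < 10 else i - 10
        events += [(minute, f"t{i:02d}", "open"), (minute + 90, f"t{i:02d}", "open")]
    # Clicks on the button: 25 recipients; t25..t34 had images blocked, so they
    # produced no "open" event at all and are only visible through their click.
    for i in range(10, 35):
        events.append((i - 9, f"t{i:02d}", "click"))
    # Credentials posted to the landing page: 22 recipients, first at 3 minutes.
    for i in range(10, 32):
        events.append((i - 7, f"t{i:02d}", "submit"))
    # A hit carrying no valid token, e.g. a scanner or a forwarded link.
    events.append((40, "zzz", "click"))
    return events


def funnel(events, recipients=RECIPIENTS, launch=LAUNCH):
    """Collapse raw events to unique recipients per stage and compute the funnel."""
    users = defaultdict(set)
    first_submit = None
    for minute, token, kind in sorted(events):
        if token not in recipients:
            continue  # not one of our tokens: do not count it
        users[kind].add(token)
        if kind == "submit" and first_submit is None:
            first_submit = launch + timedelta(minutes=minute)
    # Assumption (editor's, not the slide's): a click proves the message was
    # read even when the tracking image was blocked, so viewed = opens | clicks.
    viewed = users["open"] | users["click"]
    total = len(recipients)

    def stage(members):
        return len(members), round(100 * len(members) / total)

    return {
        "targeted": total,
        "images_enabled": len(users["open"]),
        "viewed": stage(viewed),
        "clicked": stage(users["click"]),
        "submitted": stage(users["submit"]),
        "minutes_to_first_credential": (
            (first_submit - launch).total_seconds() / 60 if first_submit else None
        ),
    }


if __name__ == "__main__":
    for key, value in funnel(build_events()).items():
        print(f"{key:>28}: {value}")
```

Keying everything on a per-recipient token is also what makes the "remote images enabled" count meaningful: without it an image fetch tells you only that someone, somewhere, rendered the message.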

Ta-da! (final thoughts)

•Omada Health is a target. Not a matter of if, but when.

•Be aware - develop a Phishing IQ.

•2-factor (one-time token) would make a difference in a real-world scenario (a one-time code can still be relayed by a real-time phishing proxy, so a phishing-resistant second factor is stronger).

•Fair warning, Omada-wide phishing drills are coming to a mailbox near you.

Thank You Let’s be careful out there!