Day 2 — Phishing Exercise at TBFC: A Red Team Operation

A Red Team Social Engineering Operation

Introduction

The Best Festival Company (TBFC) recently experienced an increase in cybersecurity threats. In response, an authorised red team engagement was launched to assess the organisation’s security posture.

One of the most critical focus areas was phishing awareness—specifically, how well employees can identify and respond to social engineering attacks. This controlled phishing exercise was designed to measure the effectiveness of TBFC’s existing cybersecurity training.

In this Day 2 challenge, we follow the red team elves — Recon McRed, Exploit McRed, and Pivot McRed — as they design, deploy, and execute a realistic phishing attack against TBFC staff.


🧠 Understanding Social Engineering

Social engineering is the art of manipulating human behaviour to trick individuals into revealing sensitive information or performing unsafe actions.

Unlike traditional technical attacks, social engineering targets people, not systems. Attackers often exploit psychological triggers such as:

  • Urgency – “Act now or lose access”

  • Curiosity – “Important update inside”

  • Authority – “Message from IT or management”

This type of attack is often referred to as human hacking, and it remains one of the most effective entry points for attackers.


🎣 What Is Phishing?

Phishing is a specific form of social engineering delivered through messages designed to deceive users.

While phishing is commonly associated with email, it can also appear as:

  • SMS messages (smishing)

  • Phone calls (vishing)

  • QR codes (quishing)

  • Social media messages and DMs

The attacker’s objective is simple: convince the victim to click, open, or respond, and then steal credentials or gain access.


🛑 TBFC’s S.T.O.P. Awareness Framework

TBFC trains its employees using two S.T.O.P. frameworks to help identify phishing attempts.

S.T.O.P. — All Things Secured

  • Suspicious?

  • Telling me to click something?

  • Offering an amazing deal?

  • Pushing me to act now?

S.T.O.P. — TBFC Version

  • Slow down

  • Type the address manually

  • Open nothing unexpected

  • Prove the sender

This exercise evaluates whether employees apply this training in real-world scenarios.


🧪 Building the Trap: Fake TBFC Login Page

The red team’s objective was to capture credentials using a cloned TBFC login portal.

A preconfigured phishing server script was provided as part of the exercise.

The script launches a local web server hosting a fake login page that closely resembles the legitimate TBFC portal. Any credentials entered into this page are logged directly on the server.

This simulates a common real-world phishing technique used by attackers.


📬 Phishing Delivery Using SET (Social-Engineer Toolkit)

Sending phishing emails from personal accounts is ineffective and easily detected. Instead, the Social-Engineer Toolkit (SET) was used to create a more realistic phishing campaign.

Attack Method

  • Attack Type: Mass Mailer

  • Target Address: factory@wareville.thm

  • Sender Address: updates@flyingdeer.thm

  • Sender Name: Flying Deer

  • Email Subject: Shipping Schedule Changes

  • Payload: Link to the fake TBFC login page

The phishing email was designed to appear legitimate and time-sensitive, increasing the likelihood of user interaction.
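The S.T.O.P. questions from the awareness section and the campaign details listed above can be turned into a simple mail-triage check that a defender or trainer could run. The Python script below is an added example, not part of the original write-up and not SET's own code; it parses a constructed copy of the message (the host 10.10.10.10 is a placeholder, and treating wareville.thm as TBFC's trusted domain is an assumption) and reports which S.T.O.P. questions the message trips.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above (sender
# updates@flyingdeer.thm, subject "Shipping Schedule Changes", link to a cloned
# login page). 10.10.10.10 is a placeholder host, not a real server.
SAMPLE_EMAIL = """\
From: Flying Deer <updates@flyingdeer.thm>
To: factory@wareville.thm
Subject: Shipping Schedule Changes
Content-Type: text/html

<p>Shipping times have changed. Please log in now to review the new schedule:</p>
<p><a href="http://10.10.10.10/login">TBFC Portal</a></p>
"""

TRUSTED_DOMAINS = frozenset({"wareville.thm"})  # assumption: TBFC's own domain
URGENCY = re.compile(r"\b(now|immediately|urgent|today|within \d+ hours?)\b", re.I)
DEAL = re.compile(r"\b(free|prize|winner|discount|bonus|reward)\b", re.I)
LURE = re.compile(r"(log\s?in|sign\s?in|password|verify your account)", re.I)
HREF = re.compile(r"""href=["']?([^"'>\s]+)""", re.I)


def stop_check(raw: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Answer the S.T.O.P. questions for one raw RFC 822 message."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = "".join(str(p.get_payload()) for p in msg.walk()
                   if p.get_content_type() in ("text/plain", "text/html"))
    link_hosts = {(urlparse(u).hostname or "").lower() for u in HREF.findall(body)}
    text = f"{msg.get('Subject', '')} {body}"
    return {
        "suspicious_sender": sender_domain not in trusted,        # S
        "telling_me_to_click": bool(link_hosts),                  # T
        "link_outside_trusted": any(h not in trusted for h in link_hosts),
        "offering_a_deal": bool(DEAL.search(text)),               # O
        "pushing_to_act_now": bool(URGENCY.search(text)),         # P
        "credential_lure": bool(LURE.search(text)),  # Prove the sender first
    }

def verdict(findings: dict) -> str:
    """Two or more hits: stop, do not click, report it to security."""
    return "REPORT" if sum(findings.values()) >= 2 else "OK"

if __name__ == "__main__":
    result = stop_check(SAMPLE_EMAIL)
    print(result)
    print("verdict:", verdict(result))
```

Keyword lists are deliberately small; in practice they would be tuned to the organisation's own mail and paired with sender authentication (SPF/DKIM/DMARC) results.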


📊 Results of the Phishing Exercise

Within minutes of sending the email, the red team successfully captured valid TBFC credentials.

This confirmed that at least one employee fell for the phishing attempt, indicating a serious security risk.

Using the harvested credentials, the team accessed TBFC’s internal email portal and discovered sensitive operational data, including the total number of toys scheduled for delivery:

1,984,000 units

This demonstrates how a single phishing email can escalate into full system compromise.


⚠️ Impact Assessment

This exercise highlights several critical issues:

  • Employees may still trust well-crafted phishing emails

  • Credentials can be harvested without exploiting software vulnerabilities

  • Phishing can act as a gateway to sensitive business information

  • Awareness training alone is not always sufficient


✅ Conclusion

The red team’s simulated phishing attack successfully captured valid credentials, proving that real-world attackers could exploit similar weaknesses.

TBFC must:

  • Strengthen phishing awareness programs

  • Conduct regular simulated phishing campaigns

  • Reinforce verification procedures

  • Promote a culture of skepticism and reporting

Phishing remains one of the most effective and dangerous attack vectors—because it targets human behaviour rather than technology.
