
John Hammond's New Video: Advent of Cyber 2025 Day 2 - Phishing Challenges
In this video, John Hammond dives into the second day of the Advent of Cyber 2025, a series of cybersecurity challenges presented by TryHackMe. The theme for this day focuses on phishing, a widely used social engineering technique in penetration tests and real-world cyberattacks. The goal is to understand how attackers create fake emails and fraudulent login pages to steal credentials while learning how to protect against these threats.
The challenge is titled Mary Clickmus and involves a simulation where you play as a member of the red team at The Best Festival Company (TBFC). This team is tasked with testing employees' resilience to phishing attacks, a common practice in security audits. John explains that these tests help validate the effectiveness of cybersecurity awareness training within an organization. To carry out this mission, the Social Engineering Toolkit (SET), developed by Dave Kennedy, founder of TrustedSec, is used to automate phishing attacks.
The first step is to set up the necessary infrastructure. TryHackMe greatly simplifies this process by providing an attack box (a preconfigured virtual machine) accessible directly from the browser. Once this machine is launched, along with a second target machine representing the victim's email server, John demonstrates how to run a Python script (server.py) that hosts a fake login page mimicking TBFC's employee portal. This page, accessible via the attack box's IP address on port 8000, is designed to capture the credentials entered by the victim. To make the attack credible, a phishing email must be sent to a fictional employee, factory@wareville.thm, posing as a partner company, Flying Deer, a logistics carrier.
John then details the process of creating the phishing email using SET. The tool offers several options, including a mass mailer function that can send an email to a single target or to a list of addresses. In this case, a single email is sent to the TBFC employee. The pretext is an urgent change in the delivery schedule, a topic likely to grab attention during the holiday season. The email is crafted to entice the victim to click a link leading to the fake login page. John emphasizes the importance of verifying technical details, such as the SMTP server's IP address and the port used (default 25), to ensure the email is actually delivered.
Once the email is sent, the next step is to wait for the victim to take the bait. John shows how the server.py script records login attempts, displaying HTTP requests and captured credentials in real time. In the video, the victim enters a username (factory) and a password (unranked wisdom anthem), which are immediately captured by the attacker. These credentials grant access to the employee's actual email account via the Roundcube webmail interface installed on the target machine. Exploring the inbox, John discovers an email containing a secret code (1984000), which is the final answer to the challenge.
Beyond the technical demonstration, John shares practical advice for protecting against phishing. He explains that attackers often exploit urgency, emotions, or too-good-to-be-true offers to manipulate their targets. He recommends always taking the time to verify an email's authenticity by checking the sender's address, avoiding suspicious links, and manually typing URLs of official sites. He also notes that phishing is not limited to emails; variants include smishing (via SMS), vishing (via voice calls), and quishing (via QR codes), but the principle remains the same: tricking the user to obtain sensitive information.
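The checks John recommends (inspect the sender address, distrust links that do not point at the organization's real site, be wary of manufactured urgency) can be turned into a small triage script. The following is an added example, not code from the video, TryHackMe or SET: it parses a raw email with Python's standard `email` module and reports indicators a defender would look for. The sample messages, the partner domain `flyingdeer.example`, the look-alike domain, and the documentation IP `203.0.113.10` are all constructed for illustration.

```python
"""Phishing-indicator triage for a raw email message (added example).

Flags: sender domain not on a trusted list, Reply-To domain differing from
From, links whose host is a bare IP address or an untrusted domain, and
urgency language in the subject or body. All sample data is constructed.
"""
import email
import email.utils
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Constructed lure in the style described above: look-alike sender domain,
# mismatched Reply-To, urgency wording, and a link to a bare IP address.
SAMPLE_EMAIL = """\
From: "Flying Deer Logistics" <dispatch@flying-deer-logistics.example>
Reply-To: noreply@mail-relay.example
To: factory@wareville.thm
Subject: URGENT: delivery schedule changed - action required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your delivery schedule has changed. Please confirm immediately.</p>
<p><a href="http://203.0.113.10:8000/login">Confirm on the employee portal</a></p>
</body></html>
"""

# Constructed benign message from the genuine (assumed) partner domain.
BENIGN_EMAIL = """\
From: "Flying Deer Logistics" <dispatch@flyingdeer.example>
To: factory@wareville.thm
Subject: December schedule
Content-Type: text/plain; charset=utf-8

Hi, the schedule for next month is unchanged. Regards, Dispatch.
"""

URGENCY_WORDS = ("urgent", "immediately", "action required", "suspended", "verify now")


def domain_of(address):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rpartition("@")[2].lower()


def is_trusted(domain, trusted_domains):
    """True if domain equals, or is a subdomain of, any trusted domain."""
    return any(domain == t or domain.endswith("." + t) for t in trusted_domains)


def is_ip_host(host):
    """True if the URL host is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_links(msg):
    """Collect href targets from the HTML (or plain) body of the message."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return text, re.findall(r'href=["\']([^"\']+)["\']', text, flags=re.I)


def check_email(raw, trusted_domains):
    """Return a list of (indicator, detail) tuples; empty means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_addr = email.utils.parseaddr(str(msg["From"]))[1]
    from_domain = domain_of(from_addr)
    if not is_trusted(from_domain, trusted_domains):
        findings.append(("untrusted-sender", from_addr))

    if msg["Reply-To"]:
        reply_domain = domain_of(email.utils.parseaddr(str(msg["Reply-To"]))[1])
        if reply_domain != from_domain:
            findings.append(("reply-to-mismatch", reply_domain))

    body_text, links = extract_links(msg)
    for link in links:
        host = urlparse(link).hostname or ""
        if is_ip_host(host):
            findings.append(("link-ip-host", link))
        elif not is_trusted(host.lower(), trusted_domains):
            findings.append(("link-untrusted-domain", link))

    haystack = (str(msg["Subject"] or "") + " " + body_text).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for code, detail in check_email(SAMPLE_EMAIL, {"flyingdeer.example"}):
        print(f"{code:24} {detail}")
```

Run as a script it prints one line per indicator for the constructed lure and nothing for the benign message. The trusted-domain list stands in for whatever an organization actually knows about its partners; a real mail gateway would add authentication results (SPF, DKIM, DMARC) on top of these header and link heuristics.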
The day's challenge illustrates how easy it is to set up a phishing attack, even with beginner-friendly tools. This underscores the importance of employee awareness, as they are often the weakest link in a company's security chain. John concludes by encouraging viewers to explore other resources on TryHackMe, such as the room dedicated to phishing prevention, to deepen their knowledge. This video serves as an excellent introduction to social engineering techniques and best practices for defending against these attacks, reminding viewers that these skills are essential for cybersecurity professionals, whether they are red teamers or blue teamers.