Demonstrating with a real company how a hacker can compromise an organisation in under 2 hours using OSINT and social engineering.

Video Transcript

Today I’ll be demonstrating how cybercriminals use open-source intelligence to create targeted and highly effective phishing emails that can establish a foothold for company-wide ransomware attacks. I’ll show you what a skilled attacker can achieve in less than 2 hours with information available to anyone who knows where to look.

What is Open-Source Intelligence? In my view, it’s anything you can find on the internet if you know how and where to look for it. …


I found a way to alter a premium subscription service price and bought it for a penny. This is how I did it.

Photo by Polina Tankilevitch from Pexels

Whenever I’m bug hunting on a target that takes payments, I always try to buy something using a test credit card number as described in my write-up on Cracking Encrypted Credit Card Numbers. When the payment fails (or succeeds!) I look through all of the requests and responses for the entire process, searching for anything which looks interesting.

Look Out for Numbers

While hacking on a private SaaS bug bounty program, I went through the new user sign-up funnel and entered…


I spoofed access to other people’s email in order to pre-steal user accounts before they are first registered. Here’s how I did it.

Photo by Markus Winkler on Unsplash

One thing I always test while hacking on bug bounty programs is how applications generate tokens. Tokens are used for things such as password resets, email address verification, one-click sign-in, etc.

While hacking on one private program I discovered an application with a weak algorithm for generating email verification tokens. This is how I approached the problem and how I found a way to generate valid tokens to verify ownership of any email address, even those I…


I found an API that exposed encrypted credit card numbers. Here’s how I cracked them to reveal the full card details.

Photo by Avery Evans on Unsplash

While hacking on a private bug bounty program, I found a GraphQL endpoint that exposed way more information about logged-in users than it should have done. By playing with the ‘about me’ GraphQL API request I was able to guess and retrieve all the logged-in user’s stored values present in the database, not just those disclosed by the web app.

Using these guessed parameters, I was able to retrieve all credit cards added to a user’s account. This…


“We’ve sent a six-digit code to your email address. Enter it below to login.”

Photo by Alvin Lenin on Unsplash

We see them all the time while testing web applications. In order to verify your identity, the application sends a 6-digit numerical code to your registered email address or phone number. The purpose is to prove that the person performing the action is also in possession of the phone or mailbox attached to it. No access, no authorisation. It’s a useful second factor to apply a little extra security to a process.

If you try to guess the code it expires after 5 or so…


Free and open proxy servers promise anonymous internet access, but at what cost?

Never trust an open proxy server
Photo by Mikael Seegen on Unsplash

In a world of ever-decreasing online privacy, it’s easy to get sucked into the ‘use an anonymous proxy to stay safe’ narrative. I’ve got nothing against using reputable proxy services or VPNs (virtual private networks), but the ‘free’ proxy services you find on the web can be anything but.

What’s the Difference Between a Proxy and a VPN?

People use proxies and VPNs (Virtual Private Networks) to hide their real IP address and masquerade as other devices on the internet. There are many reasons to do this, including bypassing content geo-restrictions, bypassing government filters (Great…


Evading detection and building trust with Captcha challenges and Smishing attacks.

The latest SMS Phishing message I’ve received from not-my-real phone company

This week I received another SMS Phishing attack which was almost identical to the previous Smishing attack I covered. There were two things that struck me as particularly interesting this time:

  1. The attack used the s.id Indonesian link shortening service
  2. The attack used a Captcha page to limit access to the phishing page to real people only

Thinking about the first point, it’s clear that s.id, the “World’s shortest URL shortener”, has been chosen to minimise the size of the links in the phishing text message. …


How hackers manually escalated from a malicious email to a devastating, company-wide ransomware takeover in under 5 hours.

Photo by Pixabay from Pexels

(This article aims to contextualize an excellent incident report by Thedfirreport.com. I’ve used my own experience to fill in the gaps to demonstrate how these attacks affect real people in real companies.)

The Attack Started Like Many Others

A phishing email landed in the victim's inbox at around 5 pm UTC and was promptly opened and read. There was nothing particularly suspicious about it. It was a well-written email with a reasonable call to action. There were no urgent demands. It wasn’t claiming to be from the company…


Every image you post online leaks information about you. This is how anyone can find your location using Open Source Intelligence (OSINT).

Let’s find the exact location of this photograph together.

Open Source Intelligence In Action — Geolocating a Photograph

Open Source Intelligence (OSINT) is the practice of using public or ‘open source’ information available on the internet to gather intelligence and gain insights on given targets. By combining public data sources you can find answers to a variety of questions that most people wouldn’t think possible.

For example, the sunset photo above is one I took a couple of years ago while travelling for work. It’s not an instantly recognisable location. It’s probably not even that…


I got hit by a devastating worm that spread through phishing. This is how it worked and what I learned from it.

Photo by Miguel Á. Padriñán from Pexels

A long time ago in a world without Multi-Factor Authentication…

The first report came in shortly after 10 am. A user had fallen victim to a phishing attack. Their account was spamming out an unusual amount of email, triggering an alert. Another day, another attack.

The response team hit the big red ‘account breached’ button, locking the compromised account down, then we started to investigate. We were looking for the root cause of the compromise and any damage…

Aspiring writer, Cybersecurity Architect, Bug Bounty Hunter, Musician, Movie Producer, Failed Skydiver. https://craighays.com
