In April 2018, Microsoft introduced a security questions feature to enable password recovery in Windows 10. This feature allows a user to regain access to a local account by providing “correct” answers to a series of questions—questions of the sort we all know, such as “What was your first pet’s name?” and “What was your childhood nickname?”
As a deceptions researcher, part of my job is to design deceptions against attackers by manipulating or reverse-engineering the common toolkits attackers use. Deceptions are pieces of false information that are planted across the organization and appear as real, relevant information to the attacker. For example, browser deceptions — pieces of information specifically planted in browser history, saved forms, etc. — can be created to lure malicious hackers and insiders to deceptive web servers. In this article, we will show how phishing can be used to catch attackers and how phishing kits can be used for defensive purposes.
