Hey Friends! I need your help.
It's been so long since I've posted, but if you remember me you know I've been contributing open source tools and phishing research for well over a decade now.
I've been building upon my open source phishing tool all along (PhishAPI). I can't count the thousands of hours I put into it. It's now a full-blown, centrally-hosted framework for red teams, internal orgs, and does training right. I think I've built something REALLY cool, a one-of-a-kind phishing platform that's honestly better than the kits the black hats are using.
Each time a new research technique comes out, I work to apply it so pentesters and orgs can use it to perform accurate, real-world phishing tests with conditional training. Think AiTM proxies, ClickFix, OAuth attacks, Device Code phishing, etc. Users need to know what real evasion techniques look like, not allow-listed domains and canned, unrealistic scenarios.
I'm not in marketing or sales and I feel like I've been screaming into the void on LinkedIn and getting banned by mods on Reddit. The community gets really excited about new kits using some of the same techniques I've already baked in. The less technical folks think it's just another ineffective, allow-listed training tool. I'm just a geek and I think it's genuinely a great and helpful tool that I'm proud of. It's all I use for phishing engagements, as I originally built it for myself.
Hit me up for a demo or trial. I'll be giving away signed copies of "S is for Spear Phishing" to the first 50 people! Please retweet to help me get the word out.
Thanks for your time!
Reach out at https://t.co/jVS6oLMekZ
It's so crazy to me that around 24 hours ago I posted about a new attack technique I discovered and within hours there were literally dozens of AI-generated slop articles and infographics.
Kind of hilarious, but a little scary... since many of the LLM bots regurgitating my original blog got the main point SO wrong. They're claiming ALL you need is a 6-digit PIN in some places...
Here are just a few of my favorites (that I've seen so far) for your entertainment!
#VaultJacking #SisforSpearPhishing
New phishing meta just dropped: Vaultjacking.
One captured 6-digit Google Password Manager PIN = attacker gets your entire synced vault. All passwords. All passkeys. Banking, crypto, email, work SSO - the whole jackpot.
Google's "convenient" sync layer turns out to be one weak PIN away from total compromise. No device needed, pure Adversary-in-the-Middle magic.
Remember when we were told password managers + passkeys would save us?
Turns out they just created a juicier single point of failure.
"Trust us with your passwords" - famous last words.
Stay safe out there.
https://t.co/Rx6t9c9cx1
Hey all! If I've been quiet (for me) it's because I've been hard at work on a NEW phishing technique I'm excited to share. I'm calling it "#Vaultjacking" and the impact is honestly a bit sobering.
In my blog I demonstrate how a single AiTM landing page can spoof your Google passkey/password manager PIN and use that to access ALL of a victim's third-party credentials (yes, including passkeys). A simple phish on one site can lead to a total compromise of all Chrome-saved credentials.
As always, I'm sharing for awareness and will include in my forever-free training in the PhishU Framework.
https://t.co/286DXdDkMr
#SisforSpearPhishing #VisforVaultJacking
With Cloudflare now supporting PQC encryption, I thought it'd be a fun experiment to see if I could encapsulate Plex traffic in a tunnel since it's not supported natively.
"Using Cloudflare's Post-Quantum Tunnel to Protect Plex Remote Access": https://t.co/5aUW52hX2G
Exciting news!
The new "S is for Spear Phishing" books are in, along with a restock of "M is for Malware" @ https://t.co/FSZTIACFbp!
Also, after a DECADE + in the making, I'm launching my enterprise PhishU Framework spear-phishing & training tool @ https://t.co/FYaTTIAHoJ!
@_cyber_dude Hey there! People are selling them used on Amazon for way too much. I don't have any so they're only for pre-order on my site. However, I might be able to help. DM me and I'll see what I can do from my personal stash.
Friends! I'm making something new. This time I'm promoting my company, #PhishU, by being my own sponsor! If you'd like to reserve your copy and pre-order today, please do so at https://t.co/ln6uczuW95. I'm also reprinting M!
#OceanLife #SisforSpearPhishing #CybersecurityABCs
I know I said I'd stop at three books in the "#CybersecurityABCs" children's board book series... but I can't shake the idea of another fun one with ocean life/fish as the characters demonstrating AI security terms (if there are enough!) Any help from the community?