Phish-Back: How to turn the problem into a solution.


BSides Las Vegas 2025 · Day 1

**Gutier Bjon**, CEO of **Moken**, presents **“Phish-Back”** (spelled **“Fishbach”** by the host in the transcript): a strategy to recover visibility into **stolen credentials** by placing **high-fidelity fake login portals** on the **internet**, deliberately discoverable during attacker **enumeration**, so that **credential tests** against a plausible corporate surface generate **actionable alerts**. The talk contrasts this with traditional **security awareness training**, **phishing simulations**, and **dark web monitoring**, arguing that most stolen credentials never appear in marketplaces and that **MFA**—while important—did not prevent a major incident in the speaker’s past when a **new subsidiary** rolled out without MFA enabled.
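As an added illustration of the decoy-portal idea (this is not Moken's code or anything shown in the talk), the following Python sketch models the server side of a "Phish-Back" login page: it never authenticates, it fingerprints submitted passwords with a keyed hash instead of storing them, it treats a hit on a real directory account as the high-fidelity signal, and it suppresses repeat hits and spray noise so the alert stream stays actionable. The directory of known users, the pepper, the IP addresses and the thresholds are all constructed for the example.

```python
import hashlib
import hmac
import json
import time
from collections import defaultdict

# Constructed sample: accounts that exist in the (hypothetical) corporate directory.
KNOWN_USERS = {"j.doe", "a.smith", "svc-backup"}

# Hypothetical pepper: submitted passwords are never stored, only keyed-hashed, so the
# same credential can be correlated across attempts without retaining the secret.
FINGERPRINT_PEPPER = b"example-pepper-rotate-in-production"


def fingerprint_secret(secret: str) -> str:
    """Keyed hash of a submitted password; a short prefix is enough for correlation."""
    digest = hmac.new(FINGERPRINT_PEPPER, secret.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


class PhishBackPortal:
    """Decoy login handler: it never authenticates anyone. Every submission is logged,
    classified, and either raised as an alert or suppressed as noise."""

    def __init__(self, known_users, window_seconds=600, max_per_source=5):
        self.known_users = {u.lower() for u in known_users}
        self.window = window_seconds
        self.max_per_source = max_per_source
        self.log = []                       # every attempt, kept for later forensics
        self.by_source = defaultdict(list)  # src_ip -> attempts, for noise control
        self.alerts = []                    # non-suppressed alerts, in arrival order

    def handle_login(self, src_ip, username, password, user_agent="", ts=None):
        """Process one POST to the decoy /login. Returns the HTTP response to send
        plus the alert decision, so the caller can forward it to a SIEM."""
        ts = time.time() if ts is None else ts
        user = username.strip().lower()
        attempt = {
            "ts": ts,
            "src_ip": src_ip,
            "user": user,
            "pw_fp": fingerprint_secret(password),   # never the cleartext password
            "ua": user_agent,
            "known_user": user in self.known_users,
        }
        self.log.append(attempt)
        self.by_source[src_ip].append(attempt)
        alert = self._classify(attempt)
        if not alert["suppressed"]:
            self.alerts.append({**attempt, **alert})
        # The decoy always answers with a generic failure, like a real portal would.
        return {"status": 401, "body": "Invalid username or password.", "alert": alert}

    def _recent(self, src_ip, now):
        """Attempts from this source inside the sliding window, including the current one."""
        return [a for a in self.by_source[src_ip] if now - a["ts"] <= self.window]

    def _classify(self, attempt):
        recent = self._recent(attempt["src_ip"], attempt["ts"])
        # Highest-fidelity signal: a real directory account is being tested against a
        # portal that no legitimate user was ever pointed at.
        if attempt["known_user"]:
            seen_before = any(a["user"] == attempt["user"] for a in recent[:-1])
            if seen_before:  # one page per (source, account) per window
                return {"severity": "high", "reason": "known_user_retest", "suppressed": True}
            return {"severity": "high", "reason": "known_user_credential_test", "suppressed": False}
        # Many attempts from one source against unknown names is spray noise: log, do not page.
        if len(recent) > self.max_per_source:
            return {"severity": "low", "reason": "spray_noise", "suppressed": True}
        return {"severity": "medium", "reason": "unknown_user_credential_test", "suppressed": False}

    def siem_lines(self):
        """One JSON line per non-suppressed alert, ready for a log shipper."""
        return [json.dumps(a, sort_keys=True) for a in self.alerts]


if __name__ == "__main__":
    portal = PhishBackPortal(KNOWN_USERS, max_per_source=3)
    t0 = 1_700_000_000.0
    print(portal.handle_login("198.51.100.7", "J.Doe", "Winter2024!", "curl/8.0", ts=t0))
    for line in portal.siem_lines():
        print(line)
```

The two design choices worth copying are the keyed fingerprint (the decoy sees real stolen passwords, and a breach of the decoy's own logs must not leak them) and the split between "a known account was tried" and "somebody is spraying names at us": the first pages an analyst, the second only enriches the log.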

AI review

Clever operational concept with real engineering teeth (fingerprinting and noise control), but the talk is light on adversarial counterplay and governance edge cases. The field stats are interesting if you trust the speaker’s deployment, but they are not independently verifiable from the stage content alone.
