Honeytokens and honeypots for web ID and IH

by Rich Graves
Sept. 1, 2017 0 comments SANS Institute Detection & Response email issues

Honeypots and honey tokens can be useful tools for examining follow-up to phishing attacks. In this exercise, we respond using valid email addresses that actually received the phish, and wrong passwords. We demonstrate using custom single sign-on code to redirect logins with those fake passwords and any other logins from presumed attacker source IP addresses to a dedicated phishing-victim web honeypot. Although the proof-ofconcept described did not become a production deployment, it provided insight into current attacks.

https://www.sans.org/reading-room/whitepapers/email/honeytokens-honeypots-web-id-ih-35962