Almost Hacked @ Parliament House
- Stephen Halpin
- Aug 15, 2025

Two weeks ago the ARCH team headed to Parliament House to show off their wares at the Technology Council of Australia’s (TCA) Parliamentary Innovation Council.
Surrounded by some impressive tech, we were challenged to think outside the box about how we might draw some attention to the work we’ve been doing with our Commonwealth Government clients.
Enter the Almost Hacked @ Parliament House guerrilla campaign. With politicians, staffers, and public servants in the room, we decided to highlight the human element of cyber security by running a quishing campaign.
The "human vector" refers to the ways in which attackers exploit human behavior and vulnerabilities to gain unauthorized access to systems or data. Quishing is a form of phishing attack that uses QR codes instead of text-based links.
With permission from our friends at TCA, we set about mimicking their branding. Drawing on our years of PowerPoint, we got pretty close. Close enough to warrant a couple of spelling errors. See if you can spot them:

You’ll also notice the offer of a free coffee, which is something called 'baiting', where you offer something of increasing value to entice people to scan the QR code.
Armed with some good paper from the print shop, Blu Tack, and around 20 copies of the poster, we scoped out the event and some of the possible locations. Waiting a mere 5 minutes until the event commenced, and hiding ourselves within the busy last-minute clean-up, we took to sticking up our poster.

Maybe it was the excitement of the event, or the fatigue of the first sitting week, but at least 25 people scanned the QR code. That’s not bad. In fact, I’d say that’s quite good. Our intent was to be entirely educational, so we redirected them to a page that explained how QR codes are used as part of a fake login, credential harvesting, or even just collecting some basic user info like their IP address & browser info.
Maybe in another blog we can tell you about some of the signals floating around the building. Reach out if you’d like us to develop a custom phishing campaign for your organisation or agency.




