How we phished TUI out of 79% of their passwords

Information security, sometimes shortened to InfoSec, is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.

⚠️ Disclaimer
We were asked to do this, encrypted (and salted) the sensitive data, never saw, had or stored any non-encrypted sensitive data, and we had some inside help. We loudly applaud this initiative from this company, security, like punctuation and proper grammar, matters.
⚠️ Disclaimer

Phishing TUI out of their usernames and passwords... many jaws dropped.

On stage, we revealed having successfully swindled most attendees out of their usernames and passwords, resulting in big eyes and much gasping.

Here’s how we did it in four easy steps (a fairly common way):

1. We registered a domain name that could easily pass as one of their own

• to send emails from
• and to host the fake website that would grab their credentials

Took us, say, 7 minutes and cost ten bucks.
We set up a VPS in Germany (to host the website), as to prevent the firewalls and protocols from being triggered. Clever girl.

2. We built a one-pager that looked like their login page

This is where the inside info helped — we received a screenshot of what a default login page looks like, and we basically rebuilt it as close as we could, and put it on the fake domain name.

An hour, maybe two, of work. No biggy.

3. We sent them an email, containing two links to the fake website

Our insider gave us a list of targets. (The way this usually works is with social engineering or somebody using CC instead of BCC.)

We sent them a mail, ‘reminding them of a survey they were asked to fill out’, linking to our fake login screen, twice, using default link blue that you just need to click already.

The email had no imagery, nothing fancy, just the text and two links.

4. We grabbed the usernames and passwords from the comfort of our bath tubs

Each time someone tried to log in, our script grabbed the username and password, and displayed a ‘default’ error page.

Funny bit: the error clearly states that they were phished (as to not cause any panic), but nobody rang any bells. Who reads errors, anyway.

Some more disclaiming: we (salted) hashed the passwords before storing them, so we never got or saw any of the real credentials, and it’s virtually impossible to decrypt the salted hashes. Remember: it cost us more effort to encrypt them than to just store them plaintext.

The result: 79% of their passwords in 72 hours.

That’s a whopping 79% success rate, with a few people, and frankly, little effort.

So be careful, it’s very easy to get swindled out of your credentials, and real attackers with bad intentions can wreak all kinds of havoc:

Industrial espionage, security leaks, huge malware-attacks, ransom demands, just a few examples that cost companies billions and billions of Euros, Dollars or Dogecoin every year.

This article originally appeared on the Belgian technology publication Data News and was featured by Medium.

We are HackFridays

We organise hands-on hackathons for developers and people*.
*people being marketeers, customer success, sales, even Steve the janitor.

• www.hackfridays.com
• instagram.com/hackfridays