Phishing: A Direct Deposit to the Criminal World (236905935)
Direct Deposit Phishing Attack
Brian [email protected]
Network Security Analyst, Washington University in Saint Louis
May 2014
Topics for Today
• Brief overview of the Washington University network
• Brief look at first incident in Sept/Oct 2013
• Brief look at second incident in Jan/Feb 2014
• Potential phishing defenses
• Some examples of real phishing emails
• Who attacked us?
• Final thoughts
Washington University in St. Louis
[Diagram: Decentralized Campus Network. Units shown: NSS, NSO, Business School, Law School, Arts & Sciences, Medical School, Engineering School, Library, Social Work, Art & Architecture, Internet.]
NSS = Network Services and Support
NSO = Network Security Office
Numbers from Sept/Oct 2013 Attack:
• 13 total victims
– 11 Medical School faculty
– 2 Business School faculty
• 11 had direct deposit info changed
• 1 account caught by the new HRMS blacklist and immediately blocked
Round 1a Phishing Attack
Round 1b Phishing Email
Numbers From Jan/Feb 2014 Attack
• 17 users were victims
– 15 Medical School faculty or staff
– 1 Engineering School faculty
– 1 Law student
• 4 victims had their direct deposit info changed
• 7 users were protected by the blacklist
• 10 victims were logged into from new IP addresses, which were quickly added to the blacklist
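The two controls the numbers above describe (an HRMS IP blacklist that refuses logins outright, and treating a login from an IP the user has never used as a signal that a subsequent direct deposit change must be held and alerted on) can be sketched as a small event replay. This is an added example, not code from the talk or from Washington University's HRMS; the class name, the event tuple format, the user names and the IP addresses are all constructed for illustration. The rule that a held direct deposit change also adds the offending IP to the blacklist is the author's own generalization of "new IP addresses which were quickly added to the blacklist", so that later logins from the same address protect other accounts.

```python
"""Sketch of a login gauntlet: IP blacklist + new-IP detection + direct deposit hold.

Added example; names, event format and addresses are constructed, not from the talk.
"""
import ipaddress


class DirectDepositGauntlet:
    def __init__(self, blacklist, known_ips):
        # blacklist: iterable of CIDR strings; known_ips: {user: set of IP strings seen before}
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]
        self.known_ips = {u: set(ips) for u, ips in known_ips.items()}
        self.suspect_sessions = set()  # users whose current session came from a new IP
        self.alerts = []               # (user, ip, reason) for payroll / security review

    def is_blacklisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.blacklist)

    def block_ip(self, ip):
        net = ipaddress.ip_network(ip)  # a bare host address becomes a /32
        if net not in self.blacklist:
            self.blacklist.append(net)

    def login(self, user, ip):
        # Phase 1: the blacklist refuses the login before any application logic runs.
        if self.is_blacklisted(ip):
            return "login_blocked"
        # Phase 2: a login from an address this user has never used is not refused,
        # but the session is marked so sensitive changes are held, not applied.
        if ip not in self.known_ips.get(user, set()):
            self.suspect_sessions.add(user)
            self.alerts.append((user, ip, "login from new IP"))
            return "login_new_ip"
        self.suspect_sessions.discard(user)
        return "login_ok"

    def change_direct_deposit(self, user, ip):
        if self.is_blacklisted(ip):
            return "dd_blocked"
        if user in self.suspect_sessions:
            # Hold the change for human review and blacklist the address so the same
            # criminal login point cannot be reused against the next victim.
            self.block_ip(ip)
            self.alerts.append((user, ip, "direct deposit change held: new IP"))
            return "dd_held"
        return "dd_applied"


def replay(events, gauntlet):
    """events: sequence of (action, user, ip); returns the per-event decisions."""
    decisions = []
    for action, user, ip in events:
        if action == "login":
            decisions.append((user, gauntlet.login(user, ip)))
        elif action == "dd_change":
            decisions.append((user, gauntlet.change_direct_deposit(user, ip)))
        else:
            raise ValueError("unknown action: %r" % action)
    return decisions


# Constructed sample: one legitimate change, one phished account, and two later
# logins that the freshly extended blacklist stops.
SAMPLE_EVENTS = [
    ("login", "alice", "128.252.1.10"),      # alice's usual campus address
    ("dd_change", "alice", "128.252.1.10"),  # legitimate change, applied
    ("login", "bob", "203.0.113.50"),        # bob's credentials used from a new address
    ("dd_change", "bob", "203.0.113.50"),    # held; 203.0.113.50 is now blacklisted
    ("login", "carol", "203.0.113.50"),      # same criminal IP, refused
    ("login", "dave", "198.51.100.9"),       # inside a pre-existing blacklisted range
]


def demo():
    g = DirectDepositGauntlet(
        blacklist=["198.51.100.0/24"],
        known_ips={"alice": {"128.252.1.10"}, "bob": {"128.252.5.20"}},
    )
    return replay(SAMPLE_EVENTS, g), g.alerts


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The point of separating `login_new_ip` from `login_blocked` is that a new address alone is weak evidence (travel, home ISPs), so it gates the payroll change rather than the login; the blacklist is reserved for addresses already tied to fraud.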
Round 2 Phish Three Months Later
Criminals seemingly have a huge advantage
They send hundreds of phishing emails and only need ONE user to fall for it to succeed
We can turn the tables on them
Force the criminal to run through a gauntlet of defenses to succeed
Reconnaissance Phase
Phishing Email Phase
Criminal Login Phase
HR/SSO Application Suggestions
Payroll Alerting Suggestions
Communication Suggestions
Phishing Examples
WUSTL Site or Phish Site?
WUSTL Site or Phish Site?
WUSTL Site or Phish Site?
Real Email or Phish Email?
Spammers log in and use the account to send spam
Sept/Oct Attack 1
Jan/Feb Attack
How Much $ Did the Criminals Get in October?
• $97,210.28 total was transferred out
• $91,470.53 was recovered by Payroll
• $5,739.75 was lost
[Bar chart: Total $97,210.28, Recovered $91,470.53, Lost $5,739.75]
How Much $ Did the Criminals Get in January?
• $0 total was transferred out
• $0 was recovered by Payroll
• $0 was lost
Thanks!
Questions?
[email protected]