Strategies to handle Phishing attacks

DATE: 4th March, 2017 Venue: Hotel Grand Regent (Coimbatore)

Transcript of Strategies to handle Phishing attacks

Page 1: Strategies to handle Phishing attacks


Page 2: Strategies to handle Phishing attacks

[- AGENDA -]

[x] Overview of Phishing.

[x] Types of Phishing.

[x] What Phishing is not?

[x] Techniques of Phishing.

[x] Phishing information flow.

[x] Phishing attack life cycle and taxonomy.

[x] Anti-phishing efforts (Community & Commercial).

[x] Detection, Prevention and Incident response.

[x] Educational videos.

[x] Bibliography.

Page 3: Strategies to handle Phishing attacks

[- Overview of Phishing -]

[^] Phishing is an attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising oneself as a trustworthy entity in an electronic communication.

[^] Phishing is typically carried out by email spoofing or instant messaging.

[^] It presents a fake website that has almost the same look-and-feel as the original, and directs the user to enter sensitive information.

[^] Communications purporting to be from social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims.

[^] Phishing can also be achieved by tricking a victim into installing malware with the intention of gaining sensitive information. However, such malware may also corrupt data.

[^] According to the 3rd Microsoft Computing Safer Index Report released in February 2014, the annual worldwide impact of phishing could be as high as $5 billion.

Page 4: Strategies to handle Phishing attacks

Types of phishing

[^] Spear phishing:-

Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success. This technique is, by far, the most successful on the internet today, accounting for 91% of attacks.

[^] Clone phishing:-

Clone phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical, or cloned, email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a re-send of the original or an updated version of the original. This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.

Page 5: Strategies to handle Phishing attacks


Types of phishing

[^] Whaling:-

- Several phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses, and the term whaling has been coined for these kinds of attacks.

- In the case of whaling, the masquerading web page/email will take a more serious, executive-level form. The content will be crafted to target an upper manager and the person's role in the company.

- The content of a whaling attack email is often written as a legal subpoena, customer complaint, or executive issue. Whaling scam emails are designed to masquerade as a critical business email, sent from a legitimate business authority. The content is meant to be tailored for upper management, and usually involves some kind of falsified company-wide concern. Whaling "phishermen" have also forged official-looking FBI subpoena emails, and claimed that the manager needs to click a link and install special software to view the subpoena.

Page 6: Strategies to handle Phishing attacks

What Phishing is not?

[^] Firstly, Phishing is different from "Fraud" because it combines:

- Social Engineering - Phishing exploits individuals’ vulnerabilities to dupe victims into acting against their own interests.

- Automation - Computers are used to carry out phishing attacks on a massive scale.

- Electronic Communication - Phishers use electronic communications networks (primarily the Internet).

- Impersonation - A phishing attack requires perpetrators to impersonate a legitimate firm or government agency.

[^] Non-Phishing examples:-

- Internet-based worms (attacks)

- Virus-email (attacks)

- Relatives stealing your wallet (identity theft)

- Spam

Page 7: Strategies to handle Phishing attacks

Techniques of Phishing

[^] Link manipulation:- Link manipulation is done by at least four methods, as understood currently:

- Misspelled URLs – The hacker registers a domain whose name is quite similar to some legitimate domain name. Example:- www.citihank.com

- Sub-domains – Many links on a portal/website redirect traffic to sub-domains. Example:- (legit) support.microsoft.com. It is easy for the hacker to craft a URL that confuses the user. Example:- (illicit) microsoft.secuvity.com. While it looks as though "secuvity" is some sub-domain of Microsoft, it is actually a trick: the "microsoft" label is resolved within the "secuvity" domain (not the other way round), which may well be hacker-owned.

- HTML anchor tag manipulation – <A> is the HTML tag that places links on web pages. A hacker can show the user some legitimate-looking text as the destination while the link internally takes a malefic route. Example:- <a href="www.badhacker.com">www.indiatimes.com</a>

- IDN spoofing/Homograph attack – Since the internet (software) has to support different languages, even domain names and URLs can contain characters from different languages. A hacker can substitute a similar-looking letter (a homoglyph, though sometimes called a homograph) from a different language in the domain name and register a separate domain that looks like an existing one. For example, the Cyrillic "Ё" can be used in place of an English "E".
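The four tricks listed above, as an added example that is not part of the original talk: a small Python checker that flags each of them in a link. KNOWN_BRANDS is a constructed list, and "registrable domain" is simplified to the last two labels of the host.

```python
"""Heuristic checks for the four link-manipulation tricks on this slide.

Added example (not from the original talk). KNOWN_BRANDS and the
sample links are constructed for illustration.
"""
from urllib.parse import urlparse

KNOWN_BRANDS = {"citibank.com", "microsoft.com", "indiatimes.com"}


def registrable_domain(host):
    """Last two labels of a host, e.g. microsoft.secuvity.com -> secuvity.com.
    (Simplification: ignores multi-label public suffixes such as co.in.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, anchor_text=None):
    """Return the slide's techniques that the link appears to use."""
    findings = []
    host = urlparse(href if "://" in href else "http://" + href).hostname or ""
    labels = host.split(".")
    domain = registrable_domain(host)

    # IDN/homograph: a non-ASCII character or a punycode (xn--) label in the host
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in labels):
        findings.append("idn-homograph")

    if domain not in KNOWN_BRANDS:
        # Misspelled URL: registrable domain is one edit away from a known brand
        if any(edit_distance(domain, b) == 1 for b in KNOWN_BRANDS):
            findings.append("misspelled-url")
        # Sub-domain trick: a brand name used as a label under a foreign domain
        brand_names = {b.split(".")[0] for b in KNOWN_BRANDS}
        if any(l in brand_names for l in labels[:-2]):
            findings.append("subdomain-trick")

    # Anchor manipulation: the visible text names a different site than the href
    if anchor_text and "." in anchor_text:
        shown = anchor_text if "://" in anchor_text else "http://" + anchor_text
        if registrable_domain(urlparse(shown).hostname or "") != domain:
            findings.append("anchor-mismatch")
    return findings
```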

Page 8: Strategies to handle Phishing attacks

Techniques of Phishing

[^] Filter evasion:-

Since phishing filters rely mostly on the text characters in phishing emails, hackers have started using images; clicking on the image directs the user to the malefic site. Anti-phishing filters that can counter these cases are now emerging.

[^] Website forgery:-

- After a user enters a phishing site, the hacker, further, uses JavaScript commands to fake the web address by super-imposing images.

- Hackers have used Cross-site scripting (XSS) attacks against well-known payment sites to force the user to enter his/her login credentials. XSS exploits the existing source script and injects malefic code which the user's browser (script engine) executes unknowingly.

- Prevalence of “kits” like the notorious MITM phishing kit (2007) helps design fake websites, that can capture login details, easily.

- PHLASHING - To counter anti-phishing technology, hackers have started using "FLASH"-based objects in their websites. This way all content, text included, is rendered as graphics and "sand-boxed".

Page 9: Strategies to handle Phishing attacks

Techniques of Phishing

[^] Open & Covert redirect:-

URL redirection is a useful feature that lets a webpage forward a page request to another page. However, the same can be exploited if the webpage (code) does not properly validate the destination when it redirects the user to a page chosen by user input. Such an option is termed an open redirect and the attack itself is called an open-redirect attack.

Example:- http://example.com/example.php?url=http://malicious.example.com

A covert redirect happens because of the overconfidence one party has in its partner when it redirects to the partner. But this also exploits the fact that the partner website is vulnerable to the open-redirect attack.

Example:- Facebook logins are allowed on a few "partner" websites. A hacker can misuse this and supply the partner's domain in the request, to which Facebook will respond in a "login and authorize" fashion. Once this login succeeds, the hacker uses an open-redirect vulnerability to transfer the user to the malicious site. In the interim the attacker would probably even get full control of the user's account. Several well-known websites are prone to this attack.
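The validation the slide says is missing in an open redirect, as an added example that is not part of the original talk: an allowlist check for a ?url= parameter like the one in the example.php URL above. example.com is assumed to be the site hosting the redirect and ALLOWED_HOSTS is constructed; the same check is what a partner site needs so that it cannot be used for a covert redirect.

```python
"""Allowlist validation for a ?url= redirect parameter.

Added example (not from the original talk). example.com is the assumed
site hosting the redirect; the hosts in ALLOWED_HOSTS are constructed.
"""
from urllib.parse import urlparse

ALLOWED_HOSTS = {"example.com", "www.example.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` stays on an allowlisted host.

    Each branch below closes one way of smuggling an external destination
    past a naive 'does it start with /' check.
    """
    if not target:
        return False
    # Browsers treat backslashes as slashes, so "/\evil" becomes "//evil"
    target = target.replace("\\", "/")
    # Scheme-relative URLs ("//malicious.example.com") leave the site
    if target.startswith("//"):
        return False
    parsed = urlparse(target)
    if parsed.scheme:
        # Only http(s) is acceptable; rejects javascript:, data:, etc.
        if parsed.scheme not in ("http", "https"):
            return False
        # "http:///evil" has an empty netloc but browsers read it as evil
        if not parsed.netloc:
            return False
        # .hostname strips userinfo and port, so
        # "http://example.com@evil" correctly yields "evil"
        return (parsed.hostname or "").lower() in allowed_hosts
    # No scheme: accept only an absolute path on the current site
    return parsed.path.startswith("/")


def resolve_redirect(target, default="/"):
    """Destination to place in the Location header: the target if it is
    safe, otherwise a fixed local default."""
    return target if is_safe_redirect(target) else default
```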

[^] Vishing:- Vishing or phone-phishing is where fake messages ask the recipient to dial back on specific numbers. These callback numbers carry an automated request for account number and PIN, and so the hacker obtains the user's credentials.

Page 10: Strategies to handle Phishing attacks

Phishing information flow

Three components

Mail sender: sends a large volume of fraudulent emails.

Collector: collects sensitive information from users.

Casher: uses the collected sensitive information to encash.

Page 11: Strategies to handle Phishing attacks

Phishing attack life-cycle

[^] Planning:-

Whom to attack, what/how to steal, what ruse to use.

[^] Setup:-

Creates attack materials and "machinery".

[^] Attack:-

[^] Collection:- Harvest credentials.

[^] Fraud and abuse:- Trade, use or store credentials.

[^] Post-attack:-

a) Attacker clean-up and lessons learned.
b) Victim clean-up.

Page 12: Strategies to handle Phishing attacks
Page 13: Strategies to handle Phishing attacks

Anti-Phishing communities

Among the various Anti-Phishing communities, below are two well known ones.

The Anti-Phishing Working Group (APWG) is an international consortium that brings together businesses affected by phishing attacks, security products and services companies, law enforcement agencies, government agencies, trade associations, regional international treaty organizations and communications companies. Founded in 2003 by David Jevans, the APWG has more than 3200 members from more than 1700 companies and agencies worldwide. Member companies include leading security companies such as BitDefender, Symantec, McAfee, VeriSign, IronKey and Internet Identity. Financial industry members include the ING Group, VISA, MasterCard and the American Bankers Association.

PhishTank is an anti-phishing site. PhishTank was launched in October 2006 by entrepreneur David Ulevitch as an offshoot of OpenDNS. The company offers a community-based phish verification system where users submit suspected phishes and other users "vote" on whether it is a phish or not. PhishTank is used by Opera, WOT, Yahoo! Mail, McAfee, APWG, CMU, St. Bernard, Mozilla, Kaspersky, Firetrust, Officer Blue, FINRA, Message Level, SURBL, Sanesecurity for ClamAV, Career Builder, Site Truth, Avira, C-SIRT, and by PhishTank SiteChecker. PhishTank data is provided gratis for download or for access via an API call, including for commercial use, under a restrictive license.

Page 14: Strategies to handle Phishing attacks

Anti-phishing working group (APWG)

Page 15: Strategies to handle Phishing attacks

PHISHTANK

Page 16: Strategies to handle Phishing attacks
Page 17: Strategies to handle Phishing attacks

Server-based solutions (used by service providers – ISPs, financial institutions)

Brand monitoring - Crawling on-line to identify "clones", which are nothing but the phishing pages. Suspected websites are added to a centralized "black-list".

Behavior detection - Study user behavior with some algorithms. Continue the study for a certain epoch. Subsequent transactional behavior is validated against the recorded behavior.

Security event monitoring - Security event analysis by way of correlation of security events generated as part of OS, network and device logging.

Strong authentication - More than one factor of authentication. This ensures that loss of one factor does not by itself result in identity theft.

Page 18: Strategies to handle Phishing attacks

Client-based solutions (browser plugins and email clients)

E-mail analysis – Bayesian spam filtering with Hidden Markov model based algorithms can be leveraged to detect phishing as well.

Black-list – Collection of URLs that are identified as malicious.

Information flow – While a user could be tricked with obfuscated URLs the code flow itself cannot be cheated easily. The code path (and data being processed) can be analyzed to identify phishing.

Similarity of layouts – Advanced techniques that analyze visual similarity between two web pages.

Page 19: Strategies to handle Phishing attacks

Client-based anti-phishing programs

Avast!

Avira Premium Security Suite

CryptoPhoto mutual authentication

Cyscon Security Shield - browser extension for Firefox

Earthlink ScamBlocker (discontinued)

eBay Toolbar

ESET Smart Security

GeoTrust TrustWatch

Google Safe Browsing (used in Mozilla Firefox, Google Chrome, Opera, Safari, and Vivaldi)

SmartScreen Filter (used in Microsoft Edge and Internet Explorer)

Page 20: Strategies to handle Phishing attacks

Client-based anti-phishing programs

Kaspersky Internet Security

McAfee SiteAdvisor

Mozilla Thunderbird

Netcraft Toolbar

NetProtector-web security

Netscape

Norton 360/ Internet Security

PhishDetector an extension for Google Chrome

PhishTank SiteChecker

PineApp Mail-SeCure

Quick Heal

Windows Mail, [with WOT extensions]

Page 21: Strategies to handle Phishing attacks

Service-based anti-phishing programs

Area 1 Security

Google Safe Browsing API

Mimecast Targeted Threat Protection

OpenDNS

PhishTank

Votiro

Webroot Real-time Anti-Phishing API

Anti-Phishing Working Group

Page 22: Strategies to handle Phishing attacks

Incident response (IR) for Individuals (local law of the nation/region applies; the information below is applicable for India)

Each sort of loss has its own strategy to be worked out for a solution. The discussion below applies to "card/credentials/monetary loss", although some of it can be applicable to other sorts of "loss" too.

• Banking: It is the banks' discretion to report. While one bank may provide data for all such cases, another might report only those that are proven. If a customer falls prey to a "fraud", the onus is on him to prove it wasn't his mistake. Banks do not take responsibility. Though the RBI believes the primary responsibility for preventing fraud lies with banks, it has done little to shift the onus of investigation from customers to banks.

• Immediately block the card and/or temporarily freeze the account if needed. Give details of the amount debited. Get a reference number.

• For online fraud, approach the cyber cell and file a complaint.

Ref: http://cybercrimecomplaints.com/

Page 23: Strategies to handle Phishing attacks

Incident response (IR) for Individuals (local law of the nation/region applies; the information below is applicable for India)

• For other fraud, lodge a complaint with the nearest police station.

• Send a legal notice to the bank, asking it to preserve original records and camera footage.

• It is currently an unfortunate situation that the customer has to preserve all evidence of the phishing. This includes proof of the fabricated email/website etc. Basic forensic evidence collected from disk, such as cookies and logs, will help. Consult an expert for this. Also refer to the next topic, "IR for IT", for some techniques that individuals too can follow.

• Maintain written communication with the bank's nodal officer.

• If the bank dismisses your case, approach the ombudsman within 30 days.

• If aggrieved by the ombudsman's decision, approach the appellate authority, an RBI deputy governor.

In India, the Ombudsman is known as the Lokpal or Lokayukta. These are, functionally, state-wise setups.

• Follow up with police. Take the case to court if no progress for a month.

Page 24: Strategies to handle Phishing attacks

Incident response (IR) for IT professionals (adapted from the Wombat Security blog & Paladion Networks)

[^] Activate IR procedures:- Fail-over/Back-up protocol, Identify origin of attack, magnitude of impact – damage and costs, recovery of systems etc.

[^] Obtain full email headers to backtrack the path of attack.

[^] Mine the web for threat intelligence – Run the suspicious URLs in a sandbox (Virustotal.com/IPVoid.com etc.).

[^] Talk to the victim(s).

[^] Set security perimeter's filters.

[^] Search system-internal logs – Firewall, DNS, DHCP logs etc. Use Splunk or Elasticsearch/Logstash/Kibana (ELK).

[^] Review proxy or outbound logs – Proxies like BlueCoat, Websense etc. to mine IP addresses.
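The "obtain full email headers to backtrack the path of attack" step above, as an added example that is not part of the original talk: a Python routine that walks the Received: chain of a message oldest-first and checks the claimed From: domain against Reply-To, Return-Path and the earliest relay. SAMPLE is a constructed message; every host, address and IP in it is a placeholder from reserved example ranges.

```python
"""Backtrack a suspicious message through its Received: chain and compare
the claimed sender with the path it actually took.
Added example, not from the original talk. SAMPLE is a constructed message;
every host and address is a placeholder in a reserved example range."""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE = """\
Received: from mx1.victim.example (mx1.victim.example [192.0.2.10])
\tby mail.victim.example with ESMTP id abc123; Sat, 4 Mar 2017 10:02:11 +0530
Received: from relay.phish-host.example (unknown [198.51.100.7])
\tby mx1.victim.example with SMTP; Sat, 4 Mar 2017 10:02:09 +0530
Received: from [203.0.113.5] (helo=mail.bank.example)
\tby relay.phish-host.example; Sat, 4 Mar 2017 10:02:01 +0530
From: "Bank Support" <alerts@bank.example>
Reply-To: support@bank-secure-login.example
Return-Path: <bounce@phish-host.example>
Subject: Your account has been locked

Please login at http://bank.example.secuvity.example/ to unlock your account.
"""

HOP_RE = re.compile(r"from\s+([^\s;]+).*?\bby\s+([^\s;]+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hops(raw):
    """Relay path oldest-first as (from_host, ip, by_host) tuples."""
    path = []
    for hdr in reversed(message_from_string(raw).get_all("Received", [])):  # newest on top
        m, ip = HOP_RE.search(hdr), IP_RE.search(hdr)
        if m:
            path.append((m.group(1), ip.group(1) if ip else None, m.group(2)))
    return path

def _domain(msg, header):
    """Domain part of the address in `header`, or '' if absent."""
    return parseaddr(msg.get(header, ""))[1].rsplit("@", 1)[-1].lower()

def sender_indicators(raw):
    """Mismatches between the From: domain and Reply-To, Return-Path and first hop."""
    msg = message_from_string(raw)
    from_domain = _domain(msg, "From")
    findings = {}
    for header, key in (("Reply-To", "reply_to_mismatch"), ("Return-Path", "return_path_mismatch")):
        other = _domain(msg, header)
        if other and other != from_domain:
            findings[key] = other
    path = hops(raw)
    if path:
        origin_host, origin_ip, _ = path[0]
        # The earliest hop should sit in the claimed sender's domain; here it is a bare IP
        if not origin_host.strip("[]").endswith(from_domain):
            findings["origin"] = origin_ip or origin_host
    return findings
```

The IP returned under "origin" is the value to pivot on in the firewall, DNS, proxy and mail-server log searches listed in these slides.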

Page 25: Strategies to handle Phishing attacks

Incident response (IR) for IT professionals (adopted from Wombat Security blog & Paladion networks)

[^] Review mail server logs.

[^] Plan for log retention.

[^] Reset account credentials and other settings.

[^] Review the systems for any persistent threats.

[^] Train the users and set plan for awareness.

[^] Actively feed wrong data to phishing site for temporary obfuscation of critical data acquired through phishing.

[^] Bring down the phishing site.

[^] Review the authentication mechanism and introduce a multi-factor authentication (MFA) scheme.

Page 26: Strategies to handle Phishing attacks

CyberSafe [Canada] [3:07 mins]

Page 27: Strategies to handle Phishing attacks

Spear Phishing [2:53 mins][Office of the Director of National Intelligence]

Page 28: Strategies to handle Phishing attacks

Bibliography

[x] Pat Cain's Phishing seminar

[x] Phishing attacks - Dr. Neminath Hubballi [IIT Indore]

[x] https://en.wikipedia.org/wiki/Phishing

[x] https://en.wikipedia.org/wiki/Anti-phishing_software

[x] Anti-phishing security strategy – Angelo Rosiello (Black-Hat)

[x] https://paladion.net/

[x] https://www.wombatsecurity.com/

[x] APWG – Anti-phishing best practices

Page 29: Strategies to handle Phishing attacks

Q & A

Page 30: Strategies to handle Phishing attacks

Thank You