Bringing the Fight to Them: Exploring Aggressive Countermeasures to Phishing and other Social Engineering Scams

Transcription

1 Bringing the Fight to Them: Exploring Aggressive Countermeasures to Phishing and other Social Engineering Scams Allen Zhou Comp116 Final Presentation

2 What is Phishing? Social Engineering Steal credentials, data, or money Infect target machine with malware Over , IM, or social media

3 History of Phishing Coined in 1992 on AOL Malicious actors asked users to confirm billing info or credentials Originally identifiable through poor grammar, shoddily built websites, overly urgent subject matters

4 The Nigerian 419 Scam Name comes from the section of the Nigerian Criminal Code that outlaws it Out of the blue arrives from international individual, asking for help to transfer money Victim is promised large sum of money if they can help with the transfer by paying a fee to a trusted organization

5 What is Scambaiting? Began in early 2000 s Intentionally respond to phishing schemes, especially 419 scams Try to waste phisher s time and resources as much as possible Ask phishers to take embarrassing/funny photos

6 Phishing is Evolving Increasingly intelligent, targeted, and harmful Now represents a billion dollar criminal industry Phishing kits and mailer programs openly available to criminals

7 Clone Phishing Replicate s sent from trusted organizations Pose as an update to previous , with malicious payload

8 Spear Phishing Context aware phishing Specifically crafted for a victim Pretend to be an organization or individual the victim trusts

9 Whaling One form of Spear Phishing Aimed at high profile targets Administrators, Business executives, Government officials If successful, incredibly destructive

10 General Reactionary Approach to Phishing Avoid phishing links Last line of defense is the victim s own intuition Programs to educate employees on how to spot phishing attacks

11 Machine Learning in Phishing In theory, allows Spear Phishing attacks to become scalable Precision of Spear Phishing with broad nature of older phishing attacks Already in widespread use today

12 SNAP_R Developed by John Seymour and Philip Tully Sample prototype of how machine learning can generate custom tweets for use in Spear Phishing Uses Markov models and Long-Term Short Memory neural networks

13 Current Anti-Phishing Practices are not Enough SNAP_R demonstrated a doubled success rate compared to traditional large scale phishing attacks Reactionary approach does not do enough for these tailored phishing attacks Being cautionary on traditional phishing platforms no longer enough

14 What is today s Scambaiting? As social engineering techniques become more sophisticated, so has Scambaiting Less focussed on wasting time, more on actually hacking back

15 Tech Support Scam Reports of scam from U.S. began in 2008 Cold call the victim, saying computer is vulnerable and must be fixed Use Ammyy Admin to perform a remote connection Install keyloggers, malware, or steals data and credentials

16 Hacking Back using Ammyy Admin Turn tables on scammer by taking advantage of security flaw in Ammyy Admin Used by today s scambaiters to hack scammers back

17 The 0 Day Developed by Matt Weeks AKA scriptjunkie in 2014 Available as a module on Metasploit Allows arbitrary code to be run on scammer s machine once connection is established

18 Ethicacy and Legality of Hack Back Very risky, especially when botnet systems come into play Attribution problem How much hack back is too much?

19 Active Cyber Defense Certainty Act Presented by Georgia Congressman Tom Graves in October, 2017 Allows victims of cyber attacks to perform vigilante justice (hack-back) Highly controversial, most security professionals deem it too open ended Attribution problem inherent in the act

20 How should Active Solutions be Constructed? Solutions must be ethical, as well as effective Must work at the same or greater speed as phishing attacks are being implemented Must be intelligent

21 Honey-Phish Prototype presented at ShmooCon 2016 by Robbie Gallagher Automates replies to phishing s with own phishing link When clicked, logs as much info from phisher as possible Messages are built using Markov chains Corpus pulled from Reddit s personal finance forum

22 Phish Feeding Proposed by John Brozycki Pump phishing websites full of realistic but fake credentials Value of real data is decreased More time is available to shut site down

23 Honey Tokens Either leave fake tokens in databases so that they can be tracked once a phishing attack occurs, or submit it directly Allows law enforcement to track the path of the token and find the original perpetrator of phishing attack

24 Closing Mailer Programs Phishers depend on illegal mailer programs to distribute phishing attacks Can track down these programs and prevent its ease of access to criminals

25 Closing Phish Kits Phishers rarely write their own packages to perform phishing If information about phishing attack can be compiled, feasible to hunt down origins of phishing kits and shut them down

26 Action Items Still not enough research and development in slowing rise of social media phishing attacks Adopt more aggressive anti-phishing campaigns Keep up reactionary educational model Be careful out there!