Anatomy of Phishing Campaigns: A Gmail Perspective

Size: px

Start display at page:

Download "Anatomy of Phishing Campaigns: A Gmail Perspective"

Grant Hines
5 years ago
Views:

1 SESSION ID: HT-R03 Anatomy of Phishing Campaigns: A Gmail Perspective Nicolas Lidzborski Ali Zand Gmail & G Suite Security Engineering Lead Google Anti-Abuse Research team #RSAC

2 Phishing 101

3 Is phishing still a thing? Hello! We reviewed your account and decided a compatible account for for the instagram rules and we wanted to give you a verified badge. ( ) Eligible send us your real name Username, and password we can send you a verified badge. Thank you, The Instagram team.

4 Phishing is actually prolific and effective!

5 Gmail sees over 100M phishing s per day!

7 Successful Hijacking 25% 7% Phishing Credential Leaks 12% Keyloggers Source: Data breaches, phishing, or malware?: Understanding the risks of stolen credentials

8 Phishing is a global issue!

10 Attackers use IPs from variety of countries

11 Targets are everywhere Source: Google

12 Components of a phishing campaign Target website sending infrastructure Target users Credential exfiltration website templates People managing operation

13 Open-source Phishing Campaign Engine Sent Opened 82% 8% Links Clicked Submitted Data 6% 5% Phishing Success Overview % of Success Jan 2018 Feb 2018 Mar 2018 Apr 2018 May 2018 Jun 2018 Jul 2018 Source: gophish dashboard

14 Campaigns are small and short lived phishing s per campaign minutes campaign half life (median)

15 The three guards Delivery Vector Target User Target Service

Defeat the Delivery Vector Defeat the User Email is

16 Defeat the Delivery Vector Defeat the User is accepted User interacts with phishing Your account is blocked. CLICK HERE Defeat the Target Service Stolen authenticator logs in the phisher (ie. bank)

17 Defeat the Delivery Vector is accepted

18 Anti-Phishing Infrastructure

19 Reputation analysis Clustering Content understanding

20 Feature reputation Feature Extraction domain.org x xxxx.tld

21 Name / domain spoofing G00gle Feature Extraction G00gle Tech Support support.google.com.phish.org Match

22 Visual similarity Match

23 Harnessing AI to keep the bad out

24 How to defeat ML? Evasion Make attack a moving target

25 Evasion: simple cloaking by IP subnet and domains deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny from from from from from from from from from from from from from from from from from from from from paypal.com 112.2o7.com firefox.com apple.com zeustracker.abuse.ch virustotal.com adminus.net aegislab.com alienvault.com antiy.net avast.com team-cymru.org eset.com fireeye.com microsoft.com kernelmode.info malwaredomainlist.com wilderssecurity.com eset-la.com blogs.eset-la.com

26 Evasion: block by user agent if(in_array($_server['remote_addr'],$bannedip)) { header('http/ Not Found'); exit(); } if(strpos($_server['http_user_agent'], 'google') or strpos($_server['http_user_agent'], 'msnbot') or strpos($_server['http_user_agent'], 'Yahoo! Slurp') or strpos($_server['http_user_agent'], 'YahooSeeker') or strpos($_server['http_user_agent'], 'Googlebot') or strpos($_server['http_user_agent'], 'bingbot') or strpos($_server['http_user_agent'], 'crawler') or strpos($_server['http_user_agent'], 'PycURL') or strpos($_server['http_user_agent'], 'facebookexternalhit')!== false) { header('http/ Not Found'); exit; }

27 How to defeat ML? Evasion Deception Make attack a moving target Make ML and user see different things

28 Deception: Human Perception vs Machine

29 How to defeat ML? Evasion Deception Confusion Make attack a moving target Make ML and user see different things Trick the user to provide ML with misleading data

30 Confusion: fake affinity via reply To cancel the termination request reply to this mail.

31 Confusion: fake affinity via reply

32 How to defeat ML? Evasion Deception Confusion Make attack a moving target Make ML and user see different things Trick the user to provide ML with misleading data

33 Defeat the User User interacts with phishing Your account is blocked. Update your credit card information CLICK HERE

34 Attention is a limited capacity resource

35 How to fool users? Habits Safe and Familiar Pressure Embarrassment and Fear Vanishing Reward Limited opportunity

36 Familiar user interface Source:

37 Technical support reaching out

38 Thanks from X-rated Using embarrassment or fear X-rated THANKS FOR SHARING X-rated now has automated video sharing to your social media account Thanks X-rated Decline Sharing No need to share your videos to your friends and family ever again because this new revolutionary sharing feature does it for you! Automatically!

39 Hi, stranger! Credential leaks for sextortion I know the password123, this is your password, and I sent you this message from your account. If you have already changed your password, my malware will be intercepts it every time. You may not know me, and you are most likely wondering why you are receiving this , right? In fact, I posted a malicious program on adults (pornography) of some websites, and you know that you visited these websites to enjoy (you know what I mean). While you were watching video clips, my trojan started working as a RDP (remote desktop) with a keylogger that gave me access to your screen as well as a webcam. Immediately after this, my program gathered all your contacts from messenger, social networks, and also by . What I've done? I made a double screen video. The first part shows the video you watched (you have good taste, yes... but strange for me and other normal people), and the second part shows the recording of your webcam.

40 Dear Customer, Thank you for choosing XXXXXX. Service interruption... We are currently upgrading our server to give you the best of our service. We require you to upgrade your account details to avoid service being interrupted. A separate confirmation will be sent with your contract terms and conditions once your upgrade has been successfully processed. For more details please log in to your XXXXXX Control Panel: Sincerely, Sebastian Gonzalez XXXXXXX Head of Customer Service

41 ... with ironic anti-phishing training

42 Entice you with the promise of a prize...

43 and ask nicely for your bank credentials

44 The life of a message Attachment download Sync Message open Link click External Website Reply Send Delivery Reclassification

45 Delivery Attachment download Sync Message open Link click External Website Reply Send Delivery Reclassification

46 Sync Attachment download Sync Message open Link click External Website Reply Send Delivery Reclassification

47 Message open Attachment download Sync Message open Link click External Website Reply Send Delivery Reclassification

48 Big and obvious warning banners This message seems dangerous

49 Message open: warning banners Re: Security Banner Design Charlie Samuel This message seems dangerous The sender s account may have been compromised. Avoid clicking links, downloading attachments, or replying with personal information. If you Know the sender, consider alerting them (but avoid replying to this ). Report Looks Safe

50 Reclassification Attachment download Sync Message open Link click External Website Reply Send Delivery Reclassification

51 Phishing locality: co-worker warning via outbreak banners

52 Link click Attachment download Sync Message open Link click External Website Reply Send Delivery Reclassification

53 Suspicious Link Warning

54 Suspicious Link Warning

55 Real Time Check

56 Reply Attachment download Sync Message open Link Click External Website Reply Send Delivery Reclassification

57 Out of Domain Warning

58 Defense in depth Antivirus check Preview Attachment download Sanitize Sync Reject Warning banners Restricted actions Suspicious prompt Message open Link click External Website Safe browsing check Delivery Reply Out of domain warning Reclassification Deep Scanning Send

59 Look ahead for malicious remote content

60 Protect against domain and employee spoofing

61 Defeat the Target Service Phisher using the stolen authenticator

62 Sign In Challenge SUCCEED ALLOW User Normal workflow Sign In Challenge Can t Continue DENY Hacker Hijacker workflow??? VICTIM

63 Attackers are adapting RSA SecurID Phisable 2FA Mobile Platforms

64 Monitor for unusual activity Faking user geolocation/ browser configuration Use second factor Phish for second factor Use phishing resistant authentication Use a different attack method

65 Raising the bar

66 FIDO U2F tokens

67 Make it mandatory and phishing resistant for employees

68 Apply what you learned today Build defenses in depth Use phishing resistant solutions Apply domain specific defenses Monitor unusual activity on accounts

69 Takeaways: next week Ensure your outgoing s are all strongly authenticated (DKIM, DMARC). Use a password manager and 2FA.

70 Takeaways: over the next 3 months Start plan for phishing resistant 2FA solutions for all employees. Enable advanced security options for incoming s.

71 Takeaways: over the next 6 months Investigate Brand Indicators for Message Identification (BIMI). Investigate FIDO2 for service auth.

72 Questions?

73 Thanks.

FAQ. Usually appear to be sent from official address

FAQ. Usually appear to be sent from official address FAQ 1. What is Phishing Email? A form of fraud by which an attacker masquerades as a reputable entity in order to obtain your personal information. Usually appear to be sent from official email address