End-to-End Measurements of Spoofing Attacks. Hang Hu, Gang Wang Computer Science, Virginia Tech

Transcription

1 End-to-End Measurements of Spoofing Attacks Hang Hu, Gang Wang Computer Science, Virginia Tech

2 Spear Phishing is a Big Threat Spear phishing: targeted phishing attack, often involves impersonation 91% of targeted attacks involve spear phishing 1 95% of state-affiliated espionage attacks are traced to phishing 2 1. Enterprise Phishing Susceptibility and Resiliency Report, PhishMe, DataBeach Investigation Report, Verizon,

3 Real-life Spear Phishing Examples Yahoo Data Breach in 2014 John Podesta s Gmail Account 500 Million Yahoo! User AccountChairman Hillary Clinton 2016 Campaign From Google Affected [accounts.googl .com] Why can phishers still impersonate others so easily? 3

4 I Performed a Spear Phishing Test I impersonated USENIX Security co-chairs to send spoofing s to my account (hanghu@vt.edu) Auto-loaded Profile Picture Adrienne Porter Felt felt@chromium.org From Adrienne Porter Felt From William Enck William Enck felt@chromium.org whenck@ncsu.edu whenck@ncsu.edu 4

5 Background: SMTP & Spoofing Simple Mail Transfer Protocol (SMTP) defined in 1982 SMTP has no built-in authentication mechanism Spoof anyone by modifying MAIL FROM field of SMTP HTTP SMTP SMTP HTTP POP IMAP William ncsu.edu Mail Server vt.edu Mail Server Hang SMTP MAIL FROM: Attacker Mail Server 5

6 SMTP, 1982 Existing Anti-spoofing Protocols MAIL FROM: IP: SPF Process Sender Policy Framework (SPF), 2002 IP based authentication DomainKeys Identified Mail (DKIM), 2004 Public key based authentication SPF Record ncsu.edu Publish DNS Is the IP authorized? Domain-based Message Authentication, Reporting and Conformance (DMARC), 2015 Based on SPF and DKIM Publish policy Yes Is the IP authorized? No MAIL FROM: IP: vt.edu Attacker 6

7 How Widely are Anti-spoofing Protocols Used? Scanned SPF and DMARC records of Alexa top 1 million domains When an fails SPF/DMARC: - Relaxed: No recommending policy - Strict: Rejecting failed s After years, the Less adoption than rates are still low 50% And they also increase slowly Around 5% 7

8 This Study Research questions - How do providers detect and handle spoofing s? - Under what conditions can spoofing s penetrate the defense? - Once spoofing s get in, how do providers warn users? Measurement + user study - 35 popular providers reaction to spoofing s - A user study (N=488) to examine users reaction to warnings 8

9 Outline Introduction End-to-end SpoofingExperiments User Study 9

10 End-to-end Spoofing Experiments Goal: Understand how providers handlespoofing s Method: - Black-box testing - Control inputand observe output Register our own accounts as receivers Change input MAIL FROM: forged@a.com SMTP IMAP POP Client test@gmail.com Our Mail Server Target Server Gmail.com 10

11 Target Providers 35 providers Client Our Mail Server Target Server Full Authentication Check (16) Partial Authentication (15) No Authentication (4) 11

12 Controlled Parameters for Spoofing s Spoofing Client Our Mail Server Target Server Spoofed Sender x 30 SPF/DKIM, strict policy (x10) SPF/DKIM, relaxed policy (x10) No SPF/DKIM/DMARC (x10) Content x 5 Phishing, Benign Blank, Blank w/ URL, Blank w/ attachment IP x 2 Static, Dynamic Experiment Setup IRB Approved Repeat 5 times Randomized sending order 30 x 5 x 2 x 5 = s per service 1500 x 35 = s in total Carefully controlled sending rate 12

13 Penetration Rate Full Authentication Check Check SPF/DKIM but not DMARC No Authentication 53.0% 35.0% 0.0% 100.0% 7.0% 27.0% providersstill let spoofing s in even ifthey conduct authentication check 13

14 Impacting Factors Full Authentication: Strict: SPF/DKIM, Check Strict SPF DMARC & DKIM policy & DMARC PartialSender Relaxed: Authentication: strict policy SPF/DKIM, CheckSPF/DKIM, Relaxed DMARCpolicy notdmarc No Authentication: Receiver full authentication None: No SPF/DKIM/DMARC Don t checkspf/dkim/dmarc The penetration rate is lowest but still 13% Spoofed Sender Address Profile Penetration Rate Strict Relaxed None Full Authentication Receiver Partial Authentication No Authentication It takes both senders and receivers to configure correctly IP Penetration Rate Content Phishing Benign Blank Blank w/ URL Blank w/ attachment 2. Even so there are 13% penetration rate Static 0.60 Penetration When Rate receiver doesn t When do authentication, sender didn t the publish authentication Dynamic 0.34 penetration rates are more records, than the 94% penetration rate is the highest 14

15 How Do Providers Give Warning 29/35 web clients and 24/28 mobileclients didn t give any warnings Gmail Web Mobile Naver Protonmail 163.com 126.com Mail.ru 15

16 Outline Introduction End-to-end SpoofingExperiments User Study 16

17 How Effective are These Security Indicators Research Questions - Howdo users react to spoofing s? - Howeffective arewarnings? Challenge - Howto capture the realistic user reactions? - Lab experiment has limited ability to reflect reality [3] Method IRB Approved - Try to make users not aware they are in an experiment to capture realistic reaction - Inform users after experiment - Users can withdraw data anytime with payment 3. The Emperor s New Security Indicators An evaluation of website authentication and the effect of role playing on usability studies, IEEE S&P 17 17

18 Phase 1/2: Set Up Deception Frame the study as a survey to understand using habits - Ask for users address - Send the participant an with 1x1 tracking pixel - Ask questions about the using habits and other distraction questions - Pay users and make users believe the survey is over Purpose: - Collect and validate users addresses - Test if the tracking pixel works 18

19 Phase 2/2: Sending Actual Spoofing s Wait for 10 days and send users spoofing s Wait for another 20 days and send debriefing s From Amazon Mechanical Turk Embedded Warning A link points to our server Invisible Tracking Pixel 19

20 Deception User Study: Recruiting Participants Amazon Mechanical Turk Recruited 488 users in no warning group in warning group Female 51% Gender Male 49% >=50 14% % Age % <= 29 32% graduate 21% Education bachelor 35% high-school 10% some college 34% 20

21 Deception User Study: Results Phase Users Without Warning With Warning Phase 1 Phase 2 Click Rate All Participants Not Blocking Pixel Opened Clicked URL Overall After Opening % 48.9% % 37.2% 1. Warning only slightlylowers the click rate 2. The absolute click rate is still high 21

22 Discussion A big gap between server detection and user protection - Most providers let spoofing s reach inbox - Most providers lacknecessary warnings - Warnings can t fully eliminate the risk Countermeasures - Promote SPF, DKIM and DMARC - Place warning consistently across web and mobile clients Future work Design more effective warnings Defeat warning fatigue User training and education 22

23 Thank You 23

24 Deception User Study: Results 24

25 Things are Worse with Less Popular Domains 25

26 Misleading UI Elements When spoofing existing contacts or conducting same-domain spoofing Profile Picture Name Card History Web & Mobile Web Mobile Web & Mobile Web Mobile Web & Mobile Web 26

27 Misleading UI Elements Seznam.cz 27

28 Spoofing is a Critical Step in Spear Phishing spoofing is widely used in spear phishing attacks - Business compromise (BEC) scams became a major problem in Use similar domain names or spoofed domain names 3 2. Figure from Phishing Activity Trends Report 4 th quarter 2017, APWG. 3. Phishing Activity Trends Report, 1 st -3 rd quarters 2015, APWG. 28

29 From Virginia Tech [vt.edu] Virginia Tech 2017 Link 29

30 Misleading UI Elements Auto-loaded Profile Picture False Security Cue Auto-loaded name card and history 30

31 Deception User Study: Results Users Without Indicator With Indicator Desktop Mobile Desktop Mobile Opened Clicked URL Click Rate 46.7% 51.0% 36.6% 37.8% 31

32 End-to-end Spoofing Experiments: Results providersstill let forged s in even ifthey conduct authentication check Hotmail.com blocked all forged 32

33 End-to-end Spoofing Experiments: Results providersstill let forged s in even ifthey conduct authentication check 33

34 End-to-end Spoofing Experiments: Results No authentication group let almost all forged s in 34

35 End-to-end Spoofing Experiments: Results Authentication Static Dynamic Full Authentication Check SPF DKIM But not DMARC IP No authentication It s easier for static IP to conduct spoofing 35