PhishEye: Live Monitoring of Sandboxed Phishing Kits. Xiao Han Nizar Kheir Davide Balzarotti

Size: px

Start display at page:

Download "PhishEye: Live Monitoring of Sandboxed Phishing Kits. Xiao Han Nizar Kheir Davide Balzarotti"

Dorthy Cole
6 years ago
Views:

1 PhishEye: Live Monitoring of Sandboxed Phishing Kits Xiao Han Nizar Kheir Davide Balzarotti

2 Summary Motivation Sandboxed phishing kits Implementation Results

3 [APWG Phishing Activity Trends Report 2 nd Quarter 2016]

4 All time high record [APWG Phishing Activity Trends Report 2 nd Quarter 2016]

5 Motivation PKs monitored only after being detected by anti-phishing services

6 Motivation PKs monitored only after being detected by anti-phishing services Details about entire lifecycle of a phishing kit are still missing

7 Motivation PKs monitored only after being detected by anti-phishing services Details about entire lifecycle of a phishing kit are still missing 71.4% of the domains that hosted phishing pages were compromised websites [APWG global phishing report 2014]

9 Know your enemy: Phishing [Honeynet 05] Evil searching [FC 09]

10 Browser plugin: N. Chou [NDSS 04] User education: P. Kumaraguru [TOIT 10]

11 Learning to detect phishing s [WWW 07] Discovering phishing dropboxes using metadata [ecrime 12]

12 Detection: Cantina [WWW 07], C. Whittaker [NDSS 10] Blocking: Google Safe Browsing (GSB), Phish Tank, Take down: Examining the impact of website take-down on phishing [ecrime 07]

13 Handcrafted fraud and extortion [IMC 14]

15 Incomplete and fragmented view of PKs lifecycle

16 Web honeypot Attacker identification Privacy protection [Credits: Idea Sandbox, Neutronis ]

17 Sandboxed Phishing Kits Global Picture: Attackers, victims, and security researchers Phishing blacklist services Complete privacy protection

18 Implementation Web Honeypot 5 vulnerable web applications x 100 domain names D. Canali [NDSS 13]

19 Implementation Web Honeypot PK installation 5 vulnerable web applications x 100 domain names D. Canali [NDSS 13]

20 Implementation Web Honeypot PK installation 5 vulnerable web applications x 100 domain names Attacker Identification D. Canali [NDSS 13]

21 Implementation Web Honeypot 5 vulnerable web applications x 100 domain names Attacker Identification D. Canali [NDSS 13] Attacker Tracking

22 Implementation Web Honeypot 5 vulnerable web applications x 100 domain names Attacker Identification D. Canali [NDSS 13] YES Attacker Tracking

23 Implementation Web Honeypot Checking 5 vulnerable web applications x 100 domain names Attacker Identification D. Canali [NDSS 13] YES Attacker Tracking

24 Implementation Web Honeypot Checking 5 vulnerable web applications x 100 domain names Attacker Identification D. Canali [NDSS 13] YES Attacker Tracking

25 Implementation Web Honeypot Victims 5 vulnerable web applications x 100 domain names D. Canali [NDSS 13]

26 Implementation Web Honeypot Victims 5 vulnerable web applications x 100 domain names Attacker D. Canali [NDSS 13] Tracking

27 Implementation Web Honeypot Victims 5 vulnerable web applications x 100 domain names Attacker D. Canali [NDSS 13] Tracking NO Client-side Data Mangling

28 Implementation Web Honeypot Victims 5 vulnerable web applications x 100 domain names Attacker D. Canali [NDSS 13] Tracking Inject JavaScript to prevent data leakage NO Client-side Data Mangling

29 Implementation Web Honeypot Victims 5 vulnerable web applications x 100 domain names Attacker D. Canali [NDSS 13] Tracking Inject JavaScript to prevent data leakage NO Client-side Data Mangling

30 Implementation Web Honeypot Victims 5 vulnerable web applications x 100 domain names Attacker D. Canali [NDSS 13] Tracking Inject JavaScript to prevent data leakage Server-side Protection NO Client-side Data Mangling

31 Overview Five months from September 2015 to the end of January phishing kits (PayPal, Apple, Google, Facebook ) Installation Upload 1min

32 Overview Five months from September 2015 to the end of January phishing kits (PayPal, Apple, Google, Facebook ) Installation Testing Upload 1min 10min

33 Overview Five months from September 2015 to the end of January phishing kits (PayPal, Apple, Google, Facebook ) Installation Testing First victim Upload 1min 10min 2 days

34 Overview Five months from September 2015 to the end of January phishing kits (PayPal, Apple, Google, Facebook ) Installation Testing First victim Last victim Upload 1min 10min 2 days 10 days

35 Overview Five months from September 2015 to the end of January phishing kits (PayPal, Apple, Google, Facebook ) Installation Testing First victim Last victim Blacklist Upload 1min 10min 2 days 10 days 12 days

36 Phishing Attack Global Picture

37 Phishing Attack Global Picture

38 Phishing Attack Global Picture

39 Phishing Attack Global Picture

40 Phishing Attack Global Picture Installation was very quick

41 Phishing Attack Global Picture 471 attackers (IP, User Agent) 70% visited the phishing pages 58% submitted fake credentials

42 Phishing Attack Global Picture Only one attempt to use the compromised system to send the phishing s

43 Phishing Attack Global Picture 2,468 potential victims connected to 127 distinct phishing kits 215 users (9%) posted credentials

44 Phishing Attack Global Picture Estimated lifetime is eight days on average.

45 Phishing Attack Global Picture 98% blacklisted by GSB and Phish Tank Average detection latency is 12 days Fire-and-forget approach

46 Blacklist Evasion $random=rand(0, ); $md5=md5("$random"); $base=base64_encode($md5); $dst=md5("$base"); New connection

47 Blacklist Evasion $random=rand(0, ); $md5=md5("$random"); $base=base64_encode($md5); $dst=md5("$base"); $src= source"; recursive_copy( $src, $dst ); New connection Copy

Blacklist Evasion $random=rand(0,100000000000); $md5=md5("$random"); $base=base64_encode($md5);

48 Blacklist Evasion $random=rand(0, ); $md5=md5("$random"); $base=base64_encode($md5); $dst=md5("$base"); Redirection $src= source"; recursive_copy( $src, $dst ); header("location:$dst"); Copy

49 Blacklist Evasion [12/Nov/2015:18:57:41] 14.xx.xxx.198 GET /kit/ 302 User-Agent: curl/ First connection

50 Blacklist Evasion [12/Nov/2015:18:57:41] 14.xx.xxx.198 GET /kit/ 302 User-Agent: curl/ First connection [12/Nov/2015:19:01:35] 213.xx.xxx.100 GET /kit/8c5fcf4518e94a9f272d60ee75c309a7 301 User-Agent: Mozilla/4.0 [12/Nov/2015:19:20:45] 213.xx.xxx.100 GET /kit/8c5fcf4518e94a9f272d60ee75c309a7/redirection.php 200 User-Agent: Mozilla/4.0 Reported phishing URL

51 Early Victims After? blacklisting? After blacklisting

52 Early Victims Before blacklisting After blacklisting Before blacklisting After blacklisting

53 Flash Crowd Effect? After blacklisting

54 Flash Crowd Effect Before blacklisting After blacklisting Third party visitors: Universities Security vendors

55 Real-time Drop Detection 68 distinct drop addresses (Gmail, Yahoo, ) Only 4 were disabled or unreachable

56 Conclusion Novel approach to sandbox live phishing kits Observe the entire lifecycle of a phishing kit Findings Attackers manually test their PKs Separate hosting and spamming infrastructures Many PKs with few victims each Blacklist very effective to protect users, but detection is not fast enough Attackers move quickly between PKs once they get blacklisted

58 Appendix Elimination of Other Malicious Files Heuristics Manual classification

59 Appendix Data Exfiltration by Client-Side Side Channels Disguised as a HTML img Defeated by our client-side protection

Manually Create Phishing Page For Facebook 2014

Manually Create Phishing Page For Facebook 2014 While you are creating phishing page manually you have to do a lot of work Web Templates -- For importing premade template for Gmail, Facebook from SET.