Beyond the Theoretical: A Deep Dive Into Phishing CUNA Technology Conference

Size: px

Start display at page:

Download "Beyond the Theoretical: A Deep Dive Into Phishing CUNA Technology Conference"

Regina Wilkins
6 years ago
Views:

1 Beyond the Theoretical: A Deep Dive Into Phishing 2016 CUNA Technology Conference

2 Agenda Introduction to SMTP service How attackers can spoof Review most popular types of phishing s Deliver ransomware Initiate fraudulent wire transfers Harvest credentials Tips to protect your users, members, and organization

3 Introduction to SMTP

4 SMTP Service Created in 1982 Was not designed with security Two main components relevant to spoofing s SMTP Envelope SMTP Letter (Message)

5 SMTP Service SMTP Envelope The behind the scenes communication between two systems Used to route and deliver MAIL FROM: Alice RCPT TO: Bob

6 SMTP Service SMTP Letter What the end user sees FROM field does NOT need to be the same as the Envelope MAIL FROM filed Also supports the Reply-To field FROM: Alice TO: Bob Reply-To: Prince Charles

7 SMTP Service Connected to relay.mail.cogentco.com ( ). MAIL FROM: 250 OK RCPT TO: 250 Accepted DATA 354 Enter message, ending with "." on a line by itself FROM: <bob@cuna.org> TO: <david.anderson@claconnect.com> Subject: Please send money $$$ Reply-To: <PrinceCharles@nigeria.com> SMTP Envelope SMTP Letter Please send me money. I'm totally legit. :). 250 OK id=1b0iuc-0005qr-6u

8 SMTP Service

9 SMTP Service

10 SMTP Service Sender Policy Framework (SPF) Allows organizations to publish authorized mail servers that are allowed to send Only evaluates SMTP Envelope MAIL FROM field Bypass by using a valid domain that does not have a SPF record contoso.com

11 Popular Phishing s

12 Goal of Phishing Please do something for me.k thx bye Visit a malicious website Download and open a malicious file Provide confidential information (Password, Account Number, etc.) Wire money out of the organization

13 Types of attacks Traditional Attack (Spamming) Attacker targets a large amount of users Spear Phishing A custom message is built for a specific target Whaling C-level executives or management is specifically targeted

14 Types of attacks Ransomware CryptoWall, CryptoLocker, etc. Encrypt all data, hold it ransom for $$ Data on local machine and on network Attackers are putting much more time and effort into these types of attacks over the last year Starting to target other operating systems, like Macs

15 Types of attacks

16 Types of attacks

17 Types of attacks Ransomware New variants are shown to be targeting specific organizations Some strains have custom ransomware web pages that are customized to their victim FBI has told victims to pay the ransom if they cannot recover from backups FBI stated they have started seeing instances where victim is NOT provided decryption key after paying

18 Types of attacks Delivery of Ransomware/Malware Exploit Kits E.g. Angler Exploit Kit

19 Types of attacks Delivery of Ransomware/Malware ZIP/RAR attachments Office Macros

20 Types of attacks Delivery of Ransomware/Malware HTML Application (HTA) Execute operating system commands through web page <script> a=new ActiveXObject("WScript.Shell"); a.run( calc.exe, 0);window.close(); </script>

21 Types of attacks Delivery of Ransomware/Malware Object Linking and Embedding (OLE) Embed malicious files into document

22 Types of attacks DEMO HTA Payload OLE Payload

23 Types of attacks Fraudulent Wire Transfers Attackers are spoofing executives/managers, trying to get people to wire money Targeting CU s and Business Members s typically do NOT contain links or malicious attachments Attackers are doing their homework Online reconnaissance Social media

24 Types of attacks Fraudulent Wire Transfers

25 Types of attacks Social Media Attackers are using LinkedIn to figure out names, titles/positions, s, etc. Attackers are using Facebook to see when executives are out-of-town They quickly figure out who has the power to move money

26 Types of attacks Fraudulent Wire Transfers

27 Types of attacks Fraudulent Wire Transfers

28 Types of attacks Credential Harvesting Attackers abuse credential theft to log into any external resource available Webmail VPN Applications You NEED to have two-factor authentication

30 Types of attacks Credential Harvesting Example: Outlook Web App Makes it very easy to gain sensitive information or attempt to gain unauthorized remote access by impersonating employees

31 Types of attacks Credential Harvesting Example: Outlook Web App Quick side note: OWA is vulnerable to brute force attacks Service discloses internal domain name Service discloses if a username is valid

32 Types of attacks Credential Harvesting

33 Types of attacks Credential Harvesting Example: Outlook Web App If Outlook Anywhere is enabled, we can hijack the employee s workstation remotely Malicious Outlook Rules

35 Types of attacks Tools Rulz.py(Silent Break Security) Ruler (Sensepost) Xrulez (MWRLabs)

36 Types of attacks Video Ruler Mail Rule Pwnage by Sense Post

37 Types of attacks DEMO Send me an Subject: PWNED

38 How to Protect Yourself

39 Protect Against Phishing Harden gateway (spam filter) Block potentially malicious file attachments (e.g. ZIP, RAR, HTA, JAR) Use whitelist approach only allow specific types Prevent your organization s domain from being spoofed Sender Policy Framework (SPF) Custom rule to evaluate Envelope AND Letter FROM field Flag s that originate from the Internet E.g. Modify subject line to say External

40 Protect Against Phishing Web Content Filter Block potentially malicious files (e.g. ZIP, RAR, HTA, JAR, etc.) Block uncategorized web sites Use SSL inspection

41 Protect Against Phishing Lock down Macros Use Group Policy to disable/restrict the use of Macros Train users on the dangers of enabling Macros Office 2016 supports disabling Macros in documents that originate from the Internet

42 Protect Against Phishing

43 Protect Against Phishing Monitor Outlook Rules PowerShell Get-InboxRule Disable-InboxRule If there is a rule that starts an applications, generate an alert and disable the rule

44 Protect Against Phishing Continue to Train Employees and Members Train employees how to spot odd wire requests Politely challenge the request and ask if it has been verified through proper channels (NOT ) Provide educational material and training to business members Provide sample policies/guidelines for organizations that don t have them Hold events for business members that discuss cyber security Explain simple controls to implement (limits, two-step/twofactor, etc.) Make sure request is not authorized via

45 Questions

46 Thank You! David Anderson Manager, Information Security Services David Anderson, OSCP, Manager Information Security Services Group

10 Ways Credit Unions Get PWNED

10 Ways Credit Unions Get PWNED NASCUS 2017 Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. Intro I am going to share with