Anatomy of Phishing Campaigns: A Gmail Perspective

Similar documents
FAQ. Usually appear to be sent from official address

How to recognize phishing s

Phishing. Eugene Davis UAH Information Security Club April 11, 2013

Webomania Solutions Pvt. Ltd. 2017

Quick Heal AntiVirus Pro Advanced. Protects your computer from viruses, malware, and Internet threats.

How Enterprise Tackles Phishing. Nelson Yuen Technology Manager, Cybersecurity Microsoft Hong Kong

Manually Create Phishing Page For Facebook 2014

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

BEST PRACTICES FOR PERSONAL Security

SOCIAL NETWORKING'S EFFECT ON BUSINESS SECURITY CONTROLS

Train employees to avoid inadvertent cyber security breaches

Competitive Matrix - IRONSCALES vs Alternatives

One Phish, Two Phish, Three! Building an Active Threat Management Framework for Malicious

DMARC Continuing to enable trust between brand owners and receivers

Quick recap on ing Security Recap on where to find things on Belvidere website & a look at the Belvidere Facebook page

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

Addressing Credential Compromise & Account Takeovers: Bearersensitive. Girish Chiruvolu, Ph.D., CISSP, CISM, MBA ISACA NTX April 19

Office 365 Buyers Guide: Best Practices for Securing Office 365

Phishing Read Behind The Lines

Evolution of Spear Phishing. White Paper

Cyber Security Guide. For Politicians and Political Parties

How to Build a Culture of Security

Phishing. What do phishing s do?

Best Practices Guide to Electronic Banking

Target Breach Overview

Phishing Activity Trends Report August, 2006

Security and Privacy. Xin Liu Computer Science University of California, Davis. Introduction 1-1

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Phishing Discussion. Pete Scheidt Lead Information Security Analyst California ISO

Cyber Hygiene Guide. Politicians and Political Parties

Security and Privacy

WHITEPAPER. Protecting Against Account Takeover Based Attacks

Attacking Your Two-Factor Authentication (PS: Use Two-Factor Authentication)

How to Conquer Targeted Threats: SANS Review of Agari Enterprise Protect

Fighting Phishing I: Get phish or die tryin.

BRING SPEAR PHISHING PROTECTION TO THE MASSES

ybersecurity for the Modern Era Three Steps to Stopping malware, Credential Phishing, Fraud and More

ATTACHMENTS, INSERTS, AND LINKS...

Frequently Asked Questions (FAQ)

RSA FRAUDACTION ANTI-PHISHING SERVICE: BENEFITS OF A COMPREHENSIVE MITIGATION STRATEGY

STEVE GOODING JUNE 15, 2018

Quick Heal Total Security

WHAT IS CORPORATE ACCOUNT TAKEOVER? HOW DOES IT HAPPEN?

Incident Play Book: Phishing

Deep Sea Phishing: Examples & Countermeasures

Cyber Security Updates and Trends Affecting the Real Estate Industry

ANATOMY OF A SPEAR PHISHING ATTACK. A Menlo Security Research Report

Quick Heal AntiVirus Pro. Tough on malware, light on your PC.

End-to-End Measurements of Spoofing Attacks. Hang Hu, Gang Wang Computer Science, Virginia Tech

PROTECTING YOUR BUSINESS ASSETS

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

Fraud Update: Why Fraudsters Love Wires and How to Stop Them. Luis Rojas, Director, Product Management WesPay 2014

Staying Safe on the Internet. Mark Schulman

MODERN DESKTOP SECURITY

Employee Security Awareness Training

CloudSOC and Security.cloud for Microsoft Office 365

Security Awareness & Best Practices Best Practices for Maintaining Data Security in Your Business Environment


Review Kaspersky Internet Security - multi-device 2015 online software downloader ]

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Chapter 12. Information Security Management

How Breaches Really Happen

Phishing Activity Trends

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Security Awareness. Chapter 2 Personal Security

Table of Contents. User Guide

Security & Phishing

Update on new Microsoft Cloud Technology

Figure 11-1: Organizational Issues. Managing the Security Function. Chapter 11. Figure 11-1: Organizational Issues. Figure 11-1: Organizational Issues

On the Surface. Security Datasheet. Security Datasheet

Adobe Security Survey

Custom Plugin A Solution to Phishing and Pharming Attacks

Phishing in the Age of SaaS

Spam Protection Guide

Sophos Central Admin. help

Cyber Security Guide for NHSmail

GUIDE TO KEEPING YOUR SOCIAL MEDIA ACCOUNTS SECURE

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

3.5 SECURITY. How can you reduce the risk of getting a virus?

How WebSafe Can Protect Customers from Web-Based Attacks. Mark DiMinico Sr. Mgr., Systems Engineering Security

Discount Kaspersky PURE 3.0 internet download software for windows 8 ]

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

Quick Heal Mobile Security. Free protection for your Android phone against virus attacks, unwanted calls, and theft.

CS 161 Computer Security

Safety and Security. April 2015

Jordan Levesque Making sure your business is PCI compliant

Who We Are! Natalie Timpone

KASPERSKY FRAUD PREVENTION FOR ENDPOINTS

Protecting Against Online Banking Fraud with F5

Cyber security tips and self-assessment for business

Phishing Activity Trends Report March, 2005

Part 2: How to Detect Insider Threats

Jordan Levesque - Keeping your Business Secure

ANATOMY OF AN ATTACK!

NHS South Commissioning Support Unit

2 User Guide. Contents

with Advanced Protection

MRG Effitas Android AV review

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Quick Heal Total Security for Android. Anti-Theft Security. Web Security. Backup. Real-Time Protection. Safe Online Banking & Shopping.

Transcription:

SESSION ID: HT-R03 Anatomy of Phishing Campaigns: A Gmail Perspective Nicolas Lidzborski Ali Zand Gmail & G Suite Security Engineering Lead Google Anti-Abuse Research team #RSAC

Phishing 101

Is phishing still a thing? Hello! We reviewed your account and decided a compatible account for for the instagram rules and we wanted to give you a verified badge. ( ) Eligible send us your real name Username, and password we can send you a verified badge. http://verifiedteam.0fees.us Thank you, The Instagram team.

Phishing is actually prolific and effective!

Gmail sees over 100M phishing emails per day!

Successful Hijacking 25% 7% Phishing Credential Leaks 12% Keyloggers Source: Data breaches, phishing, or malware?: Understanding the risks of stolen credentials

Phishing is a global issue!

Attackers use IPs from variety of countries

Targets are everywhere Source: Google

Components of a phishing campaign Target website Email sending infrastructure Target users Credential exfiltration website Email templates People managing operation

Open-source Phishing Campaign Engine Email Sent Email Opened 82% 8% Links Clicked Submitted Data 6% 5% Phishing Success Overview % of Success 100 80 60 40 20 0 Jan 2018 Feb 2018 Mar 2018 Apr 2018 May 2018 Jun 2018 Jul 2018 Source: gophish dashboard

Campaigns are small and short lived 250 12 phishing emails per campaign minutes campaign half life (median)

The three guards Delivery Vector Target User Target Service

Defeat the Delivery Vector Defeat the User Email is accepted User interacts with phishing email Your account is blocked. CLICK HERE Defeat the Target Service Stolen authenticator logs in the phisher (ie. bank)

Defeat the Delivery Vector Email is accepted

Anti-Phishing Infrastructure

Reputation analysis Clustering Content understanding

Feature reputation Feature Extraction 192.168.0.1 domain.org 192.168.0.x xxxx.tld http://www...

Name / domain spoofing G00gle Feature Extraction G00gle Tech Support support.google.com.phish.org Match

Visual similarity Match

Harnessing AI to keep the bad out

How to defeat ML? Evasion Make attack a moving target

Evasion: simple cloaking by IP subnet and domains deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny from from from from from from from from from from from from from from from from from from from from paypal.com 112.2o7.com firefox.com apple.com zeustracker.abuse.ch virustotal.com adminus.net aegislab.com alienvault.com antiy.net avast.com team-cymru.org eset.com fireeye.com microsoft.com kernelmode.info malwaredomainlist.com wilderssecurity.com eset-la.com blogs.eset-la.com

Evasion: block by user agent if(in_array($_server['remote_addr'],$bannedip)) { header('http/1.0 404 Not Found'); exit(); } if(strpos($_server['http_user_agent'], 'google') or strpos($_server['http_user_agent'], 'msnbot') or strpos($_server['http_user_agent'], 'Yahoo! Slurp') or strpos($_server['http_user_agent'], 'YahooSeeker') or strpos($_server['http_user_agent'], 'Googlebot') or strpos($_server['http_user_agent'], 'bingbot') or strpos($_server['http_user_agent'], 'crawler') or strpos($_server['http_user_agent'], 'PycURL') or strpos($_server['http_user_agent'], 'facebookexternalhit')!== false) { header('http/1.0 404 Not Found'); exit; }

How to defeat ML? Evasion Deception Make attack a moving target Make ML and user see different things

Deception: Human Perception vs Machine

How to defeat ML? Evasion Deception Confusion Make attack a moving target Make ML and user see different things Trick the user to provide ML with misleading data

Confusion: fake affinity via reply To cancel the termination request reply to this mail.

Confusion: fake affinity via reply

How to defeat ML? Evasion Deception Confusion Make attack a moving target Make ML and user see different things Trick the user to provide ML with misleading data

Defeat the User User interacts with phishing email Your account is blocked. Update your credit card information CLICK HERE

Attention is a limited capacity resource

How to fool users? Habits Safe and Familiar Pressure Embarrassment and Fear Vanishing Reward Limited opportunity

Familiar user interface Source: Twitter @tomscott

Technical support reaching out

Thanks from X-rated Using embarrassment or fear X-rated <team@xrated.com> THANKS FOR SHARING X-rated now has automated video sharing to your social media account Thanks X-rated Decline Sharing No need to share your videos to your friends and family ever again because this new revolutionary sharing feature does it for you! Automatically!

Hi, stranger! Credential leaks for sextortion I know the password123, this is your password, and I sent you this message from your account. If you have already changed your password, my malware will be intercepts it every time. You may not know me, and you are most likely wondering why you are receiving this email, right? In fact, I posted a malicious program on adults (pornography) of some websites, and you know that you visited these websites to enjoy (you know what I mean). While you were watching video clips, my trojan started working as a RDP (remote desktop) with a keylogger that gave me access to your screen as well as a webcam. Immediately after this, my program gathered all your contacts from messenger, social networks, and also by e-mail. What I've done? I made a double screen video. The first part shows the video you watched (you have good taste, yes... but strange for me and other normal people), and the second part shows the recording of your webcam.

Dear Customer, Thank you for choosing XXXXXX. Service interruption... We are currently upgrading our server to give you the best of our service. We require you to upgrade your account details to avoid service being interrupted. A separate confirmation e-mail will be sent with your contract terms and conditions once your upgrade has been successfully processed. For more details please log in to your XXXXXX Control Panel: http://cp.xxxxxxxxx.com.nevs.net.au Sincerely, Sebastian Gonzalez XXXXXXX Head of Customer Service

... with ironic anti-phishing training

Entice you with the promise of a prize...

and ask nicely for your bank credentials

The life of a message Attachment download Sync Message open Link click External Website Reply Send Delivery Reclassification

Delivery Attachment download Sync Message open Link click External Website Reply Send Delivery Reclassification

Sync Attachment download Sync Message open Link click External Website Reply Send Delivery Reclassification

Message open Attachment download Sync Message open Link click External Website Reply Send Delivery Reclassification

Big and obvious warning banners This message seems dangerous

Message open: warning banners Re: Security Banner Design Charlie Samuel <csamuel@frdesign.cx> This message seems dangerous The sender s account may have been compromised. Avoid clicking links, downloading attachments, or replying with personal information. If you Know the sender, consider alerting them (but avoid replying to this email). Report Looks Safe

Reclassification Attachment download Sync Message open Link click External Website Reply Send Delivery Reclassification

Phishing locality: co-worker warning via outbreak banners

Link click Attachment download Sync Message open Link click External Website Reply Send Delivery Reclassification

Suspicious Link Warning

Suspicious Link Warning

Real Time Check

Reply Attachment download Sync Message open Link Click External Website Reply Send Delivery Reclassification

Out of Domain Warning

Defense in depth Antivirus check Preview Attachment download Sanitize Sync Reject Warning banners Restricted actions Suspicious prompt Message open Link click External Website Safe browsing check Delivery Reply Out of domain warning Reclassification Deep Scanning Send

Look ahead for malicious remote content

Protect against domain and employee spoofing

Defeat the Target Service Phisher using the stolen authenticator

Sign In Challenge SUCCEED ALLOW User Normal workflow Sign In Challenge Can t Continue DENY Hacker Hijacker workflow??? VICTIM

Attackers are adapting RSA 225 646 SecurID Phisable 2FA Mobile Platforms

Monitor for unusual activity Faking user geolocation/ browser configuration Use second factor Phish for second factor Use phishing resistant authentication Use a different attack method

Raising the bar

FIDO U2F tokens

Make it mandatory and phishing resistant for employees

Apply what you learned today Build defenses in depth Use phishing resistant solutions Apply domain specific defenses Monitor unusual activity on accounts

Takeaways: next week Ensure your outgoing emails are all strongly authenticated (DKIM, DMARC). Use a password manager and 2FA.

Takeaways: over the next 3 months Start plan for phishing resistant 2FA solutions for all employees. Enable advanced security options for incoming emails.

Takeaways: over the next 6 months Investigate Brand Indicators for Message Identification (BIMI). Investigate FIDO2 for service auth.

Questions? https://safety.google https://cloud.google.com/security

Thanks. https://safety.google https://cloud.google.com/security

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback