Deep Sea Phishing: Examples & Countermeasures

Phishing is impersonation of a person or brand.

Our focus is email-based phishing.

Phishing is not malware, spam, or XSS, although these often coincide.

Current countermeasures: awareness training using synthetic (fake) phishing emails; big lists of crowdsourced URLs and domains known to be bad; cryptographic email standards like DKIM, SPF, and DMARC.

Deep Sea Phish. You can't see them, but they're there! And they're really nasty. They use tricks to avoid detection by even well-trained users. They thwart URL and domain blacklisting. And they're thriving.

Example One: Bank of Scamerica

Bank of Scamerica. This message looks like a legitimate message from Bank of America. But it's actually a phishing scam. There are no obvious visual clues. Even trained experts get fooled by forgeries this well-crafted.

Bank of Scamerica. Maybe you've trained your users to look at the From: line to make sure the sender is legitimate. Does this From: line look forged? Look carefully! That's not a Latin lowercase a. It's a Unicode GREEK SMALL LETTER ALPHA, a totally different letter.

Bank of Arnerica: Under the Hood. The From: and Subject: lines hide the brand name from scanning tools. So this looks like it's from Bank of America to a person, but not to software. This mail was sent from a compromised Cox mail account.

Bank of Arnerica. This message has a single URL for the user to click. Let's hover over it. Now look closely at where it points in the zoomed-in version below. Notice anything peculiar? How about now?

Bank of Arnerica: Under the Hood The attacker has registered and linked to a visually similar domain.

Bank of Arnerica. But what else lurks below? A bunch of invisible text! We've changed its color from white to red so you can actually see it.

Bank of Arnerica. The invisible text was scraped from a language learning website: https://www.lingq.com/lesson/chapter-tenthe-wedding-631789/ Why does the message include this? Because it fools programs that perform statistical analysis on the message text. It makes them think this is a personal email rather than a transactional email from Bank of America. After all, it's mostly text!

Bank of Scamerica: Under the Hood Even the HTML includes extra text, in the form of fake elements and attributes.
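As an added example (not code from the deck or from Inky), here is a Python scanner for the white-on-white and display:none filler described above. The sample HTML and its filler text are constructed, and the set of inline-style patterns it treats as "hidden" is an assumption covering the common tricks.

```python
import re
from html.parser import HTMLParser

# Inline-style patterns that make text invisible to a reader but not to a text scanner.
# (?<!-) keeps "background-color: #fff" from matching as a hidden text color.
HIDDEN_STYLE = re.compile(
    r"(?<!-)color\s*:\s*(?:#fff(?:fff)?|white)\b|font-size\s*:\s*0(?:px|pt)?\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}  # never pushed on the stack

class HiddenTextScanner(HTMLParser):
    """Splits text nodes into visible and hidden runs based on inherited inline styles."""
    def __init__(self):
        super().__init__()
        self.stack = []      # one flag per open element: is text under it hidden?
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        inherited = self.stack[-1] if self.stack else False
        self.stack.append(inherited or bool(HIDDEN_STYLE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if text:
            (self.hidden if self.stack and self.stack[-1] else self.visible).append(text)

def hidden_text_report(html: str) -> dict:
    """Count visible vs hidden characters; flag messages whose body is mostly hidden text."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    vis = sum(len(t) for t in scanner.visible)
    hid = sum(len(t) for t in scanner.hidden)
    ratio = hid / (vis + hid) if vis + hid else 0.0
    return {"visible_chars": vis, "hidden_chars": hid,
            "hidden_ratio": round(ratio, 2), "suspicious": ratio > 0.5}

# Constructed sample in the shape of the Bank of Arnerica message: a short visible lure
# followed by white-on-white and display:none filler (the filler sentences are made up).
SAMPLE = """<html><body style="background-color:#ffffff">
<p>Your account has been limited.<br>Please <a href="http://bankofarnerica.com/verify">verify now</a>.</p>
<div style="color:#FFFFFF; font-size:1px">The wedding was set for the first week of June,
and the whole village talked of nothing else for a month.</div>
<span style="display:none">Chapter ten. Nobody had expected the bride's brother to arrive.</span>
</body></html>"""
```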

How we caught it: fuzzy matching of the From: line that is resilient to Unicode substitutions; visual similarity of the domain in the link to a major brand domain; B of A brand imagery detected; not sent from a legitimate B of A mail server; therefore, malicious.

Example Two: Scamerican Express

Scamerican Express. This message looks like a legitimate message from American Express. But it's actually a phishing scam. Once again, you'd be hard-pressed to tell this is fake, even if you're a trained expert. Like the previous example, this uses several clever tricks to get past mail protection software.

Àmerican Express. Here's another variation of the From: line disguising we saw in the previous example. Unlike the Bank of America phish, you can discern this if you look closely. But most people won't. In practice this From: line looks good to most users. That first A is actually Unicode LATIN CAPITAL LETTER A WITH GRAVE.

Àmerican Express: Under the Hood Here again, the From: line makes a person think this is from American Express, but prevents the mail filter software from matching the brand name. Note also the plausible aexp-ib.com domain in the From: and Reply-To: headers.

Let's see where aexp-ib.com is hosted. WTF? mail-qk0-f194.google.com?

The DKIM signature is valid, the SPF and DMARC checks both pass, and Exchange Authentication-Results tell us this message is A-OK!

DKIM/SPF/DMARC prove that the mail really came from aexp-ib.com, but who controls that domain? Obviously not American Express!

Guess where else we found this host?

The same hostname and IP address appear in this email. It's one of the leaked DNC emails, from Debbie Wasserman Schultz.

DKIM/SPF/DMARC prove what server the mail came from, but not who controls that server!

Àmerican Express. This mail actually came from a compromised Google mail server. Servers like this are invaluable to attackers because they have very good sender reputations. The attacker even went to the trouble of properly configuring DKIM, SPF, and DMARC for aexp-ib.com, so this looks entirely legitimate to most mail protection software. Microsoft EOP let it sail right through.

Àmerican Express. Now that we know it's fake, we can see a few other tip-offs. Notice the IP address? The last number is 274. But that's an impossible IP address value, because each of the four values in an IP address is a single byte, and bytes only range from 0 to 255! And "Hello Membership Card"? That's rather impersonal.

How we caught it: domain aexp-ib.com was registered the same day as the email was sent; recognized American Express brand imagery in the message; fuzzy-matched the American Express brand term in the From: text "Àmerican Express"; not from a valid American Express mail server.
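The Unicode-resilient From: line matching and look-alike domain checks listed in both "How we caught it" slides, as an added Python example that is not Inky's code. The confusables table is a constructed subset, and the allowlist of legitimate sender domains is an assumption for the example.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed look-alike table (assumption: production code would use the full
# Unicode confusables data). Keys are lowercase because skeleton() lowercases first.
CONFUSABLES = {
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA, the Bank of America trick
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, ie, o
    "\u0440": "p", "\u0441": "c", "\u0455": "s",   # Cyrillic er, es, dze
    "\u0131": "i", "\u0261": "g",                  # dotless i, script g
}
DIGRAPHS = {"rn": "m", "vv": "w"}  # ASCII pairs that render like one letter ("Arnerica")

# Assumed allowlist for the example: brand skeleton -> domains allowed to send as it.
LEGIT_DOMAINS = {
    "bank of america": {"bankofamerica.com"},
    "american express": {"americanexpress.com"},
}

def skeleton(text: str) -> str:
    """Collapse visually similar strings to one ASCII form."""
    # NFKD splits 'À' into 'A' + COMBINING GRAVE; dropping combining marks leaves 'A'.
    decomposed = unicodedata.normalize("NFKD", text)
    out = "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()
    for pair, single in DIGRAPHS.items():
        out = out.replace(pair, single)   # also folds genuine 'rn' words; fine for matching
    return "".join(CONFUSABLES.get(ch, ch) for ch in out)

def matched_brand(display_name: str, threshold: float = 0.85):
    """Return the brand the From: display name impersonates, or None."""
    name = skeleton(display_name)
    for brand in LEGIT_DOMAINS:
        if brand in name or SequenceMatcher(None, name, brand).ratio() >= threshold:
            return brand
    return None

def assess(display_name: str, sender_domain: str, link_domain: str) -> list:
    """Findings for one message: brand in From: text, sender off the allowlist, look-alike link."""
    findings = []
    brand = matched_brand(display_name)
    if brand is None:
        return findings
    if sender_domain.lower() not in LEGIT_DOMAINS[brand]:
        findings.append(f"From: text matches '{brand}' but sender domain is {sender_domain}")
    raw, folded = link_domain.lower(), skeleton(link_domain)
    for legit in LEGIT_DOMAINS[brand]:
        if raw != legit and SequenceMatcher(None, folded, legit).ratio() >= 0.8:
            findings.append(f"link domain {link_domain} resembles {legit}")
    return findings
```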

Scared yet?

Takeaways. Attackers are using new techniques in Deep Sea phishing emails that make these forgeries difficult for both trained humans and software to spot. These emails use brand terms, imagery, and domain names that are real-looking enough to fool people, but different enough to get past naïve software filters. Inky detects and blocks Deep Sea phishing with machine learning models trained to detect these kinds of emails.