End-to-End Measurements of Spoofing Attacks. Hang Hu, Gang Wang Computer Science, Virginia Tech

Similar documents
On the Surface. Security Datasheet. Security Datasheet

Security & Phishing

The Anti-Impersonation Company. Date: May 2 nd, ValiMail. All Rights Reserved. Confidential and Proprietary.

Security by Any Other Name:

Competitive Matrix - IRONSCALES vs Alternatives

FRAUD DEFENSE: How To Fight The Next Generation of Targeted BEC Attacks

Webomania Solutions Pvt. Ltd. 2017

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Cybersecurity in 2016 and Lessons learned

DMARC ADOPTION AMONG

DMARC Continuing to enable trust between brand owners and receivers

Phishing Discussion. Pete Scheidt Lead Information Security Analyst California ISO

Anti-Spoofing. Inbound SPF Settings

Social Phishing. Tom Jagatic Nate Johnson Markus Jakobsson Filippo Menczer

DMARC ADOPTION AMONG

Design and Implementation of a DMARC Verification Result Notification System

How Enterprise Tackles Phishing. Nelson Yuen Technology Manager, Cybersecurity Microsoft Hong Kong

DMARC ADOPTION AMONG. SaaS 1000 Q Featuring Matthew Vernhout (CIPP/C) Director of Privacy, 250ok

Evolution of Spear Phishing. White Paper

Security Protection

The Highly Insidious Extreme Phishing Attacks

2017 Annual Meeting of Members and Board of Directors Meeting

Security and Privacy

Office 365: Secure configuration

How to Conquer Targeted Threats: SANS Review of Agari Enterprise Protect

A Federal Agency Guide to Complying with Binding Operational Directive (BOD) 18-01

M 3 AAWG DMARC Training Series. Mike Adkins, Paul Midgen DMARC.org October 22, 2012

DMARC ADOPTION AMONG

About Us. Overview Integrity Audit Fighting Malicious & Deceptive August 13, 2014

DMARC ADOPTION AMONG e-retailers

Update on new Microsoft Cloud Technology

Usability Testbed for Website Authentication Technologies

An Executive s FAQ About Authentication

DMARC ADOPTION AMONG. SaaS 1000 Q Featuring Matthew Vernhout (CIPP/C) Director of Privacy, 250ok

REPORT. proofpoint.com

DMARC ADOPTION AMONG

DMARC ADOPTION AMONG e-retailers

IRONSCALES Federation Combines Human Intelligence with Machine Learning to Discover & Stop Spear-Phishing Attacks

TrendMicro Hosted Security. Best Practice Guide

Trustwave SEG Cloud BEC Fraud Detection Basics

TABLE OF CONTENTS Introduction: IS A TOP THREAT VECTOR... 3 THE PROBLEM: ATTACKS ARE EVOLVING FASTER THAN DEFENSES...

Personal Cybersecurity

Private Browsing: an Inquiry on Usability and Privacy Protection

UK Healthcare: DMARC Adoption Report Security in Critical Condition

X-Platform Phishing: Abusing Trust for Targeted Attacks

Deep Sea Phishing: Examples & Countermeasures

A Buyer s Guide to DMARC

Agari Global DMARC Adoption Report: Open Season for Phishers

JAPAN CYBER-SAVVINESS REPORT 2016 CYBERSECURITY: USER KNOWLEDGE, BEHAVIOUR AND ATTITUDES IN JAPAN

BUILDING AN EFFECTIVE PROGRAM TO PROTECT AGAINST FRAUD

Securing, Protecting, and Managing the Flow of Corporate Communications

Phishing Attacks. Mendel Rosenblum. CS142 Lecture Notes - Phishing Attack

Evolution of a Phish That Got Through the Net[work]

Who We Are! Natalie Timpone

Automatic Delivery Setup Guide

Getting into Gmail and other inboxes: A marketer's guide to the toughest spam filters

Extract of Summary and Key details of Symantec.cloud Health check Report

The Humanity of Phishing Attack and Defense 2016 Alabama Cyber Now

Phishing. Eugene Davis UAH Information Security Club April 11, 2013

CISO as Change Agent: Getting to Yes

The Credential Phishing Handbook. Why It Still Works and 4 Steps to Prevent It

SOUTH AFRICA PHISHING RESPONSE TRENDS. Welcome to the Jumble

Automatic Delivery Setup Guide

Table of content. Authentication Domain Subscribers Content Sending practices Conclusion...

THE CLOUD SECURITY CHALLENGE:

24 User education and phishing

PEOPLE CENTRIC SECURITY THE NEW

Copyright 2018 Trend Micro Incorporated. All rights reserved.

Authentication GUIDE. Frequently Asked QUES T ION S T OGETHER STRONGER

How to recognize phishing s

Fighting Phishing I: Get phish or die tryin.

To learn more about Stickley on Security visit You can contact Jim Stickley at

Phishing Read Behind The Lines

WHITEPAPER. Protecting Against Account Takeover Based Attacks

Security and Human Factors. Maritza Johnson

Thanks for attending this session on April 6 th, 2016 If you have any question, please contact Jim at

Correlation and Phishing

falanx Cyber Falanx Phishing: Measure your resilience

Anatomy of Phishing Campaigns: A Gmail Perspective

M 3 AAWG DMARC Training Series. Mike Adkins, Paul Midgen DMARC.org October 22, 2012

Web Security. Course: EPL 682 Name: Savvas Savva

Security and Compliance for Office 365

Phishing Response Trends AUSTRALIA PHISHING RESPONSE TRENDS. Losing the War. Human Phishing Defence. Copyright 2017 PhishMe, Inc. All rights reserved.

How to Build a Culture of Security

Building a Resilient Security Posture for Effective Breach Prevention

CYBER THREATS: REAL ESTATE FRAUD ADVISORY COUNCIL

Best Practices. Kevin Chege

IT Security Protecting Ourselves From Phishing Attempts. Ray Copeland Chief Information Officer (CIO)

AN ANTI-SPOOFING TOOL: SPOOFGUARD++

Ecosystem at Large

Phishing. A simplified walkthrough on how phishing campaigns are often orchestrated, and possible defences. Copyright March 2018

SiteAdvisor Enterprise

S a p m a m a n a d n d H a H m 성균관대학교 최형기

ANATOMY OF A SPEAR PHISHING ATTACK. A Menlo Security Research Report

User Authentication + Other Human Aspects

CE Advanced Network Security Phishing I

Protecting Against Account Takeover Based Attacks

How Breaches Really Happen

How to prevent phishing attacks? In 3 Pages. Author: Soroush Dalili irsdl {4t[ yahoo }d0t] com Website: Soroush.SecProject.

Webroot Phishing Threat Trends

Transcription:

End-to-End Measurements of Email Spoofing Attacks Hang Hu, Gang Wang hanghu@vt.edu Computer Science, Virginia Tech

Spear Phishing is a Big Threat Spear phishing: targeted phishing attack, often involves impersonation 91% of targeted attacks involve spear phishing 1 95% of state-affiliated espionage attacks are traced to phishing 2 1. Enterprise Phishing Susceptibility and Resiliency Report, PhishMe, 2016 2. 2013 DataBeach Investigation Report, Verizon, 2013 2

Real-life Spear Phishing Examples Yahoo Data Breach in 2014 John Podesta s Gmail Account 500 Million Yahoo! User AccountChairman Hillary Clinton 2016 Campaign From Google Affected [accounts.googlemail.com] Why can phishers still impersonate others so easily? 3

I Performed a Spear Phishing Test I impersonated USENIX Security co-chairs to send spoofing emails to my account (hanghu@vt.edu) Auto-loaded Profile Picture Adrienne Porter Felt felt@chromium.org From Adrienne Porter Felt From William Enck William Enck felt@chromium.org whenck@ncsu.edu whenck@ncsu.edu 4

Background: SMTP & Spoofing Simple Mail Transfer Protocol (SMTP) defined in 1982 SMTP has no built-in authentication mechanism Spoof anyone by modifying MAIL FROM field of SMTP HTTP SMTP SMTP HTTP POP IMAP William ncsu.edu Mail Server vt.edu Mail Server Hang SMTP MAIL FROM: whenck@ncsu.edu Attacker Mail Server 5

SMTP, 1982 Existing Anti-spoofing Protocols MAIL FROM: whenck@ncsu.edu IP: 1.2.3.4 SPF Process Sender Policy Framework (SPF), 2002 IP based authentication DomainKeys Identified Mail (DKIM), 2004 Public key based authentication SPF Record ncsu.edu Publish DNS Is the IP authorized? Domain-based Message Authentication, Reporting and Conformance (DMARC), 2015 Based on SPF and DKIM Publish policy Yes Is the IP authorized? No MAIL FROM: whenck@ncsu.edu IP: 5.6.7.8 vt.edu Attacker 6

How Widely are Anti-spoofing Protocols Used? Scanned SPF and DMARC records of Alexa top 1 million domains When an email fails SPF/DMARC: - Relaxed: No recommending policy - Strict: Rejecting failed emails After years, the Less adoption than rates are still low 50% And they also increase slowly Around 5% 7

This Study Research questions - How do email providers detect and handle spoofing emails? - Under what conditions can spoofing emails penetrate the defense? - Once spoofing emails get in, how do email providers warn users? Measurement + user study - 35 popular email providers reaction to spoofing emails - A user study (N=488) to examine users reaction to warnings 8

Outline Introduction End-to-end SpoofingExperiments User Study 9

End-to-end Spoofing Experiments Goal: Understand how email providers handlespoofingemails Method: - Black-box testing - Control inputand observe output Register our own accounts as email receivers Change input email MAIL FROM: forged@a.com SMTP IMAP POP Email Client test@gmail.com Our Mail Server Target Email Server Gmail.com 10

Target Email Providers 35 Email providers Email Client test@t.com Our Mail Server Target Email Server Full Authentication Check (16) Partial Authentication (15) No Authentication (4) 11

Controlled Parameters for Spoofing Emails Spoofing Email Email Client test@gmail.com Our Mail Server Target Email Server Spoofed Sender x 30 SPF/DKIM, strict policy (x10) SPF/DKIM, relaxed policy (x10) No SPF/DKIM/DMARC (x10) Content x 5 Phishing, Benign Blank, Blank w/ URL, Blank w/ attachment IP x 2 Static, Dynamic Experiment Setup IRB Approved Repeat 5 times Randomized sending order 30 x 5 x 2 x 5 = 1500 emails per service 1500 x 35 = 52500 emails in total Carefully controlled sending rate 12

Penetration Rate Full Authentication Check Check SPF/DKIM but not DMARC No Authentication 53.0% 35.0% 0.0% 100.0% 7.0% 27.0% Email providersstill let spoofing emails in even ifthey conduct authentication check 13

Impacting Factors Full Authentication: Strict: SPF/DKIM, Check Strict SPF DMARC & DKIM policy & DMARC PartialSender Relaxed: Authentication: strict policy SPF/DKIM, CheckSPF/DKIM, Relaxed DMARCpolicy notdmarc No Authentication: Receiver full authentication None: No SPF/DKIM/DMARC Don t checkspf/dkim/dmarc The penetration rate is lowest but still 13% Spoofed Sender Address Profile Penetration Rate Strict Relaxed None 0-0.25 Full Authentication 0.13 0.45 0.6 0.25-0.5 Receiver Partial Authentication 0.28 0.37 0.5 0.5-0.75 No Authentication 0.94 0.95 0.94 1. It takes both senders and receivers to configure correctly 0.75-1 IP Penetration Rate Content Phishing Benign Blank Blank w/ URL Blank w/ attachment 2. Even so there are 13% penetration rate Static 0.60 Penetration When Rate receiver 0.457 doesn t When do 0.495 authentication, sender 0.467 didn t the 0.428 publish authentication 0.427 Dynamic 0.34 penetration rates are more records, than the 94% penetration rate is the highest 14

How Do Email Providers Give Warning 29/35 web clients and 24/28 mobileclients didn t give any warnings Gmail Web Mobile Naver Protonmail 163.com 126.com Mail.ru 15

Outline Introduction End-to-end SpoofingExperiments User Study 16

How Effective are These Security Indicators Research Questions - Howdo users react to spoofing emails? - Howeffective arewarnings? Challenge - Howto capture the realistic user reactions? - Lab experiment has limited ability to reflect reality [3] Method IRB Approved - Try to make users not aware they are in an experiment to capture realistic reaction - Inform users after experiment - Users can withdraw data anytime with payment 3. The Emperor s New Security Indicators An evaluation of website authentication and the effect of role playing on usability studies, IEEE S&P 17 17

Phase 1/2: Set Up Deception Frame the study as a survey to understand email using habits - Ask for users email address - Send the participant an email with 1x1 tracking pixel - Ask questions about the email using habits and other distraction questions - Pay users and make users believe the survey is over Purpose: - Collect and validate users email addresses - Test if the tracking pixel works 18

Phase 2/2: Sending Actual Spoofing Emails Wait for 10 days and send users spoofing emails Wait for another 20 days and send debriefing emails From Amazon Mechanical Turk <support@mturk.com> Embedded Warning A link points to our server Invisible Tracking Pixel 19

Deception User Study: Recruiting Participants Amazon Mechanical Turk Recruited 488 users - 243 in no warning group - 245 in warning group Female 51% Gender Male 49% >=50 14% 40-49 15% Age 30-39 39% <= 29 32% graduate 21% Education bachelor 35% high-school 10% some college 34% 20

Deception User Study: Results Phase Users Without Warning With Warning Phase 1 Phase 2 Click Rate All Participants Not Blocking Pixel Opened Email Clicked URL Overall After Opening Email 243 176 94 46 26.1% 48.9% 245 179 86 32 17.9% 37.2% 1. Warning only slightlylowers the click rate 2. The absolute click rate is still high 21

Discussion A big gap between server detection and user protection - Most email providers let spoofing emails reach inbox - Most email providers lacknecessary warnings - Warnings can t fully eliminate the risk Countermeasures - Promote SPF, DKIM and DMARC - Place warning consistently across web and mobile clients Future work Design more effective warnings Defeat warning fatigue User training and education 22

Thank You 23

Deception User Study: Results 24

Things are Worse with Less Popular Domains 25

Misleading UI Elements When spoofing existing contacts or conducting same-domain spoofing Profile Picture Name Card Email History Web & Mobile Web Mobile Web & Mobile Web Mobile Web & Mobile Web 26

Misleading UI Elements Seznam.cz 27

Spoofing is a Critical Step in Spear Phishing Email spoofing is widely used in spear phishing attacks - Business email compromise (BEC) scams became a major problem in 2015 3 - Use similar domain names or spoofed domain names 3 2. Figure from Phishing Activity Trends Report 4 th quarter 2017, APWG. 3. Phishing Activity Trends Report, 1 st -3 rd quarters 2015, APWG. 28

From Virginia Tech [vt.edu] Virginia Tech 2017 Link 29

Misleading UI Elements Auto-loaded Profile Picture False Security Cue Auto-loaded name card and email history 30

Deception User Study: Results Users Without Indicator With Indicator Desktop Mobile Desktop Mobile Opened Email 45 49 41 45 Clicked URL 21 25 15 17 Click Rate 46.7% 51.0% 36.6% 37.8% 31

End-to-end Spoofing Experiments: Results Email providersstill let forged emails in even ifthey conduct authentication check Hotmail.com blocked all forged email 32

End-to-end Spoofing Experiments: Results Email providersstill let forged emails in even ifthey conduct authentication check 33

End-to-end Spoofing Experiments: Results No authentication group let almost all forged emails in 34

End-to-end Spoofing Experiments: Results Authentication Static Dynamic Full Authentication 0.57 0.27 Check SPF DKIM But not DMARC IP 0.53 0.26 No authentication 0.95 0.94 1. It s easier for static IP to conduct spoofing 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback