Doxing Phishers: Analyzing Phishing Attacks from Lure to Attribution

Slides:



Advertisements
Similar presentations
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Advertisements

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.
 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.
URL Obscuring COEN 152/252 Computer Forensics  Thomas Schwarz, S.J
Phishing – Read Behind The Lines Veljko Pejović
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. 1 Cryptographic.
Beyond DDoS: Case Studies on Attack Mitigation for Financial Services Mike Kun and Patrick Laverty, Akamai CSIRT.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
Phishing and Intrusion Prevention Tod Beardsley, TippingPoint (a division of 3Com), 02/15/06 – IMP-201.
PhishNet: Predictive Blacklisting to Detect Phishing Attacks Pawan Prakash Manish Kumar Ramana Rao Kompella Minaxi Gupta Purdue University, Indiana University.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.
APT29 HAMMERTOSS Jayakrishnan M.
Palo Alto Networks Modern Malware Cory Grant Regional Sales Manager Palo Alto Networks.
Windows Internet Explorer 9 Chapter 1 Introduction to Internet Explorer.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
All Your iFRAMEs Point to Us Niels provos,Panayiotis mavrommatis - Google Inc Moheeb Abu Rajab, Fabian Monrose - Johns Hopkins University Google Technical.
Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.
Reporter: Li, Fong Ruei National Taiwan University of Science and Technology 9/19/2015Slide 1 (of 32)
Trend Micro Confidential 9/23/2015 Threat Rules Sharing Advanced Threats Research.
Web Spoofing Steve Newell Mike Falcon Computer Security CIS 4360.
Smart Protection Network Kelvin Liu AVP, Core Tech Development.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Spamscatter: Characterizing Internet Scam Hosting Infrastructure By D. Anderson, C. Fleizach, S. Savage, and G. Voelker Presented by Mishari Almishari.
Phishing Problem Kristián Kučerák Milan Just. Abstract In this age of broadband, wireless, and network interconnectivity, we enjoy the unprecedented power.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
VENKAT DEEP RAJAN SUMALATHA REDDY KARTHIK INJARAPU CPSC 620 CLEMSON UNIVERSITY.
Consistency in Reporting Data Breaches
BeamAuth : Two-Factor Web Authentication with a Bookmark 14 th ACM Conference on Computer and Communications Security Ben Adida Presenter : SJ Park.
Detecting Phishing in s Srikanth Palla Ram Dantu University of North Texas, Denton.
Presented By: Chandra Kollipara. Cross-Site Scripting: Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected.
Search Engine using Web Mining COMS E Web Enhanced Information Mgmt Prof. Gail Kaiser Presented By: Rupal Shah (UNI: rrs2146)
A Framework for Detection and Measurement of Phishing Attacks Reporter: Li, Fong Ruei National Taiwan University of Science and Technology 2/25/2016 Slide.
Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Microsoft Research, Silicon Valley Geoff Hulten,
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
THE FUTURE IS HERE: APPLICATION- AWARE CACHING BY ASHOK ANAND.
Powerpoint presentation on Drive-by download attack -By Yogita Goyal.
Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique Goal of all fast flux variants –Avoid detection and take down of.
Heat-seeking Honeypots: Design and Experience John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy and Martin Abadi WWW 2011 Presented by Elias P.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
Advanced Endpoint Security Data Connectors-Charlotte January 2016
Threat Modeling for Cloud Computing
CSCE 548 Student Presentation Ryan Labrador
TMG Client Protection 6NPS – Session 7.
PHISHING Hi, The comms team asked if I could refresh everyone about Phishing after a fairly successful phishing circulated last week that led to.
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
IT Security  .
Simple Authentication for the Web
ISYM 540 Current Topics in Information System Management
Ad-blocker circumvention System
Strategies for improving Web site performance
Phishing is a form of social engineering that attempts to steal sensitive information.
ADVANCED PERSISTENT THREATS (APTs) - Simulation
Multi-Factor Authentication (MFA)
Jon Peppler, Menlo Security Channels
Demo Advanced Threat Protection
Cybersecurity Awareness
Stealing Credentials.
Explaining Bitcoins will be the easy part: Borne Attacks and How You Can Defend Against Them Matthew Gardiner Product Marketing.
Chapter 27 WWW and HTTP.
Web Systems Development (CSC-215)
CSC 495/583 Topics of Software Security Intro to Web Security
9 ways to avoid viruses and spyware
SEO Hand Book.
Introduction to Symantec Security Service
Cross Site Request Forgery (CSRF)
OPIsrael And The Value Of Next Generation SOCs
Presentation transcript:

Doxing Phishers: Analyzing Phishing Attacks from Lure to Attribution Crane Hassold Director of Threat Intelligence @CraneHassold June 8, 2018

Who Cares About Credential Phishing? Malware usually gets all the attention Some of the biggest breaches in recent years initiated with credential phishing attacks 2017 saw a shift in who credential phish target Evolution from individuals to enterprise users Business-oriented services saw major increases Email services became the #1 targeted industry – driven by Office365/OWA phish SaaS attacks more than tripled – driven by Adobe/DocuSign phish Follows similar evolution of ransomware targeting in 2016 Facilitates BEC attacks, data/IP theft/ransom Proprietary and Confidential Copyright 2018 PhishLabs

Why is Phishing Intelligence Important? Having a better understanding of the threat allows us to better adapt and react Phishers give us all the information needed to defeat them Lures (the “delivery mechanism”) Phishing sites (the “finished product”) Phish kits (the “recipe”) How does this help? Quicker phish confirmation Fewer false positives Overcome anti-detection hurdles Identify the biggest threats Proprietary and Confidential Copyright 2018 PhishLabs

Analysis of Phishing Lures Phishing lures are the initial exposure a victim has to an attack Lures generally follow the same basic themes Suspicious activity Account validation Account suspension/expiration Awareness of new lures gives us an opportunity to alert potential victims Point us to the phishing site Email headers give us information about campaign distribution infrastructure Proprietary and Confidential Copyright 2018 PhishLabs

Analysis of the Phishing Site The phishing site provides us a significant amount of intelligence that can be used to track campaigns and enhance detection Source code analysis URL pattern analysis Malicious domain correlation Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential Source Code Analysis Analyzing the source code of a phishing page allows us to extract unique strings that can enhance detection Can also be used to link sites to a specific kit or actor Some components that can provide unique strings include: HTML title tags Form posts Comments Signatures Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential URL Pattern Analysis Identifying patterns in phishing URLs can be used to cluster attacks into families Landing page names Directory structure Content hashes Indications of defensive tactics (directory generators, URL parameters) This type of analysis allows us to: Shrink the overall phishing ecosystem Identify unique URL characteristics Identify the most significant threats Proprietary and Confidential Copyright 2018 PhishLabs

Malicious Domain Correlation Some phishers register “look-alike domains” used to host phishing content Whois information for these domains can provide a gold mine of intelligence data Valuable intelligence information includes: Registrant organization Registrant email address Website title Registration dates This information can then be used to identify additional potential active or inactive phishing sites PassiveDNS analysis to identify other malicious domains on same infrastructure THANKS GDPR! Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential Analysis of Phish Kits Kits are the “recipe” for creating most phishing sites Collecting & analyzing kits give us a more in-depth understanding of techniques used to carry out phishing scams Anti-detection techniques Access controls Code obfuscation Data exfiltration Proactive approach – that is, instead of waiting for a phishing site to be identified, take steps to mitigate an attack BEFORE IT EVEN HAPPENS! Proprietary and Confidential Copyright 2018 PhishLabs

Anti-Detection Techniques Two primary ways phishers attempt to evade detection Access controls Dynamic URL alteration HTACCESS files and/or PHP blocklists generally used to control access to a phishing site by: IP address User agent string HTTP referrer Hostname Creating a unique URLs for each visitor is meant to evade browser-based blocking Dynamic directory generation Random URL parameters Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential Drop Accounts Analyzing kits allows us to see exactly where compromised data is going Compromised information generally sent to phisher via email Other notable tactics: Storing information on the compromised server Sending information to a secondary domain controlled by the phisher Sending information via Jabber We can also identify backdoors inserted by the kit’s author Proprietary and Confidential Copyright 2018 PhishLabs

Genealogical Analysis & Kit Clustering Countless phishers, but few sophisticated phish kit authors Many phishers simply make minor modifications to freely-available kits and pass them off as their own Over time a “family tree” of phish kits is created By analyzing kits, we are able to identify unique artifacts that allow us to cluster them into families This allows us to: Shrink the overall phishing ecosystem Identify the most significant threat actors Detect common anti-detection techniques Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential - Copyright 2018 PhishLabs Case Example: Netflix Phishing Campaign Analysis Proprietary and Confidential - Copyright 2018 PhishLabs

Netflix Phishing is Apparently Newsworthy Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential The Lure <a style="text-decoration: underline;transition: all .2s;color: #41637e" href="http://gasofin.com/images/color/netflix/Login/index.php" data-emb-href-display="undefined">Click here to verify your account</a><br /><br />Failure to complete the validation process will result in a suspension of your netflix membership. Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential The Phish Proprietary and Confidential Copyright 2018 PhishLabs

Obfuscated Source Code Proprietary and Confidential Copyright 2018 PhishLabs

Stepping Through the Phish Proprietary and Confidential Copyright 2018 PhishLabs

Stepping Through the Phish Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential What Do We Know So Far? Primary phishing pages: index.php billing.php payment.php complete.php Source code obfuscation Use of IP address to create unique URLs Redirects to legitimate Netflix homepage at conclusion of phish Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential URL Pattern Analysis http://divspec.com/documents/netflix/billing.php?ip=162.158.69.111 http://netfllx-unauthorize.com/95a72e66812d77999adc74971/ http://www.ncrweb.in/vqmod/logs/noreplyserviceox/372c563be28852f276cdb879b/ http://divspec.com/documents/netflix/complete.php?ip=141.101.99.17 http://adityakundli.in/netf/netflix/payment.php http://www.calltoaction.com.br/wp-includes/css/Netflix/billing.php?ip=95.85.8.153 https://netfllix-payment.windoors.gr/8a7187c4a9f4c44786953b5f6/ http://www.steuler.nl/theme/netflix/complete.php http://christiantellez.cl/wp-admin/netflix-000547/netflix/Login/payment.php?ip=104.34.224.88 https://www.pponlinestore.com/as/netflix/en/login/Home/ index.php billing.php payment.php complete.php This family comprises more than 25% of all Netflix phishing sites in 2017 Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential Phish Kit Analysis Access control files Proprietary and Confidential Copyright 2018 PhishLabs

Primary phishing pages Phish Kit Analysis Mailing scripts Obfuscation Primary phishing pages Access controls/ crawler blocking Proprietary and Confidential Copyright 2018 PhishLabs

Genealogical Analysis An analysis of Netflix kits shows that ALL of them are related Likely freely distributed and modified over time Enhanced functionality added Form validation Directory generation Additional access controls Conclusion: Many of the Netflix phishing sites created from kits are linked to an original source kit written by a single author WHO IS THE AUTHOR? Proprietary and Confidential Copyright 2018 PhishLabs

Going Down the Open Source Rabbit Hole Proprietary and Confidential Copyright 2018 PhishLabs

Potential Original Post Proprietary and Confidential Copyright 2018 PhishLabs

Finding the Download Location Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential The Original Kit Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential The Original Kit Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential Comparing Kits Original Kit Recovered Kit Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential Backdoor Drop email account “Access control file” Proprietary and Confidential Copyright 2018 PhishLabs

Backdoor Legitimate hostname blocking Proprietary and Confidential Copyright 2018 PhishLabs

Backdoor Backdoor email account Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential Who is Admin? Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential Who is Admin? Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential Who is Admin? Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential Who is Admin? Proprietary and Confidential Copyright 2018 PhishLabs

Proprietary and Confidential Who is Admin? Proprietary and Confidential Copyright 2018 PhishLabs

Wrapping Up Family makes up >25% of all 2017 phish Original lure Family makes up >25% of all 2017 phish One kit to rule them all Original distribution site Likely original kit author Proprietary and Confidential Copyright 2018 PhishLabs

QUESTIONS??? Crane Hassold Director of Threat Intelligence chassold@phishlabs.com @CraneHassold Proprietary and Confidential - Copyright 2018 PhishLabs

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.