NLIT 2009
Development of a Process for Phishing Awareness Activities
Philip Arwood, John Gerber
Managed by UT-Battelle for the U.S. Department of Energy
Protecting Your Information

What Will We Discuss?
Phishing and related problems
– Real world examples
Goals and challenges of phishing awareness
– Early process
– Examples (early and current)
– Stats gathered
Phishing Technical: Getting Under the Hood
If Only Life Was Simple
View Point Of The Problem
The following is an excerpt from a speech by Mr. George Tenet, Director, CIA, delivered at the Georgia Institute of Technology, Atlanta, Georgia:
– "The number of known adversaries conducting research on information attacks is increasing rapidly and includes intelligence services, criminals, industrial competitors, hackers, and aggrieved or disloyal insiders."
Common Weaknesses
Here are some of the most common visible or known weaknesses an adversary can exploit to obtain critical information:
– Inappropriate use of email / attachments / web
– Lack of awareness: don't know what to protect, or who to protect it from
– Poor access controls
– Failure to practice need to know
– Failure to comply with security policies
SANS Top Ten List (what people do to mess up their computer)
Number 10 – Don't bother with backups
Number 9 – Use easy, quick passwords
Number 8 – Believe that Macs don't get viruses
Number 7 – Click on everything
Number 6 – Open ALL attachments
Number 5 – Keep your hard drive full and fragmented
Number 4 – Install and uninstall lots of programs (especially freeware)
Number 3 – Turn off the antivirus because it slows down your system
Number 2 – Surf the Internet without a hardware firewall and a software firewall
Number 1 – Plug into the wall without surge protection
Phishing Stats
According to Gartner, December 17, 2007:
– The average dollar loss per phishing victim is $866
– The total dollar loss of all phishing victims over a 1 year period is $3.6 Billion
– The number of people who fell victim to phishing scams over that same 1 year period is 3.2 Million
According to a Gartner survey:
– More than 5 million U.S. consumers lost money to phishing attacks in the 12 months ending in September 2008, a 39.8 percent increase over the number of victims a year earlier
– The survey indicated a trend toward higher-volume and lower-value attacks
Phishing Stats (cont.)
According to SonicWall, 2008:
– The estimated number of phishing emails sent world-wide each month is 8.5 Billion
According to the Anti-Phishing Working Group:
– The number of phishing web sites that were operational in May 2008 is 32,414
Phishing Stats (cont.)
According to Gartner, April 2, 2009:
– More than 5 million consumers lost money to phishing attacks in the 12 months ending in September 2008, a 39.8 percent increase over the number of victims a year earlier.
– The average consumer loss in 2008 per phishing incident was $351, a 60% decrease from the year before. Gartner believes the criminals are intentionally engaging in higher-volume and lower-value attacks to stay under the radar of the fraud detection systems that have become pervasive at banks and other financial services providers.
– About 4.33% of phishing recipients recalled giving away sensitive information after they clicked on a phishing link, a 45% increase over the prior year.
Phishing (Real World) Example 1a (screenshot)
Phishing (Real World) Example 1b (screenshot)
Phishing (Real World) Example 1c (screenshot)
Phishing (Real World) Example 2 (screenshot)
Phishing (Real World) Example 3 (screenshot)
Phishing (Real World) Example 4 (screenshot)
Phishing (Real World) Example 5 (screenshot)
Phishing (Real World) Example 6 (screenshot)
Why Phish?
Benefits:
– Training tool for raising user awareness regarding phishing and its dangers.
– Serves as a self-assessment tool.
The challenge:
– To develop phishing emails for monthly assessments
– To develop repeatable and reliable delivery methods
– To gather meaningful statistics for management
Summary of Early Phishing Process
– Phishing email was developed
– Researched the URL to ensure no "real" sites were used; a local redirect was created to point to the "gotcha" page
– Recipient list was created
– A UNIX script was used to queue / send the email
– The "gotcha" page was monitored for network traffic; IPs and times of connections were harvested
Phishing Emails
The early emails were developed to appear plain and contain obvious clues such as misspelled words, hyphenated URLs, etc. As the process evolved the emails contained less obvious clues. Following are examples of emails used early on and a few current examples.
Early Phishing Example (screenshots, three slides)
Current Phishing Example (screenshots, four slides)
Gotcha Page
The URL points to a web page that states:
– The exercise was initiated by security
– Information regarding what could have happened
– Encourages the user to re-take Cyber Awareness training (phishing awareness is reinforced in cyber awareness training)
Gotcha Page (screenshot)
What Data Do We Gather?
End-User Response Time
– The time between sending and notification to security via email, phone, SPAM folder, ...
– Total number of responses
End-User Click Rates
– When the first click occurred
– Total number of clicks
– Who clicked
Suggestions for Topics?
End-users appear to be more interested in:
– E-Cards (Valentines, holiday cards, etc.)
– Local news (highway construction, etc.)
– Sports
– Humor
End-users appear to be less interested in:
– Technology related topics
– Surveys
Results
– Result summary for 2008 (chart)
– Result summary for 2009 to date (chart)
Phishing Technical: Getting Under the Hood
John J. Gerber, CISSP, GCFA, GCIH, GISP, GSNA
A Presentation of Interest
"Spear Phishing: Real Cases, Real Solutions", Rohyt Belani, Intrepidus Group. Wednesday, 11:00-11:45.
What Will We Discuss?
– Basic system setup
– Configuration files
– Database tables
– Programs involved
– Walk through
– Show sample results
System Configuration
Classic LAMP system:
– Linux
– Apache
– MySQL
– Perl
Plus ModSecurity, Request Tracker and Thunderbird.
Create Data Files
We keep each anti-phishing exercise in its own directory. In each directory create:
– Phishing email (the HTML template)
– Employee list
– LUP exceptions
– Previous clickers
– Exempt list
– Images
Sample Configuration File (phish.conf)
Each line is KEY::attack_type::value; the attack types are test, whole, lup and clickers.

TEMPLATE::test::template.html
TEMPLATE::whole::template.html
TEMPLATE::lup::template.html
TEMPLATE::clickers::template.html
SUBJECT::test::FWD: FWD: FWD: Hilarious
SUBJECT::whole::FWD: FWD: FWD: Hilarious
SUBJECT::lup::FWD: FWD: FWD: This is Hilarious
SUBJECT::clickers::FWD: FWD: FWD: That is Hilarious
WEB_HOST::test::upost.com
WEB_HOST::whole::upost.com
WEB_HOST::lup::upost.com
WEB_HOST::clickers::upost.com
EMAIL_FILE::test::test_pool.txt
EMAIL_FILE::whole::whole_pool.txt
EMAIL_FILE::lup::lup_pool.txt
EMAIL_FILE::clickers::clickers_pool.txt
REMOVE_EMAIL_FILE::whole::received_pool.txt
EMAIL_NUM::test::999
EMAIL_NUM::whole::550
EMAIL_NUM::lup::999
EMAIL_NUM::clickers::999
SCF: Template (template.html)
Subject: FWD: FWD: FWD: Hilarious

Check it out!

<span style="font-size: 11pt; font-family: "Tahoma","sans-serif";">
From: Castle, Frank
Sent: Tuesday, March 17, :50 AM
To: Barton, Clint; Smith, Travis N.; Jones, Cora M.; James, Jennifer; Redman, Doug S.; Schrof, Tina; Tillman, Edward E.; Van Dyke, Richard L.; Farner Mark K.; Jamison, Hollie; Stewart, Greg; Young, Justin M.; Pierce, James G.; Spencer, Tim; Alexander, Charles B.; Gordon, Dale E.; Keen, Robert H.
</span>

Create the HTML with an editor: Thunderbird, or a text-based editor.
Tags used in the template: href="mobile.html", href="", img src="opening.jpg"
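The prepare step the slides sketch (read phish.conf, take the pool for the attack type, drop people who already received a "whole" attack or are exempt, give every recipient an opaque uid, and build the message from the template in groups of EMAIL_NUM) as an added example in Python; it is not the ORNL Perl tooling. It assumes the config grammar shown above with the EMAIL_* keys, that the template's relative href/src tags are rewritten into per-recipient URLs, and the path layout used by the httpd.conf rewrite rules later in the deck (pages under /<campaign>/<uid>/, images under /<campaign>/images/<uid>/). The sample config, template, host name and user names are constructed.

```python
import re
import secrets
import string

ATTACK_TYPES = ("test", "whole", "lup", "clickers")
REQUIRED = ("TEMPLATE", "SUBJECT", "WEB_HOST", "EMAIL_FILE", "EMAIL_NUM")
UID_ALPHABET = string.ascii_letters + string.digits

# Constructed phish.conf in the KEY::attack_type::value layout from the slides.
# The host and file names are sample values, not the ORNL exercise's.
SAMPLE_CONF = """\
TEMPLATE::test::template.html
TEMPLATE::whole::template.html
SUBJECT::test::FWD: FWD: FWD: Hilarious
SUBJECT::whole::FWD: FWD: FWD: Hilarious
WEB_HOST::test::upost.example
WEB_HOST::whole::upost.example
EMAIL_FILE::test::test_pool.txt
EMAIL_FILE::whole::whole_pool.txt
REMOVE_EMAIL_FILE::whole::received_pool.txt
EMAIL_NUM::test::999
EMAIL_NUM::whole::550
"""

# Constructed template fragment using the relative tags the slide lists.
SAMPLE_TEMPLATE = ('<p>Check it out! <a href="mobile.html">photos</a></p>'
                   '<img src="opening.jpg">')


def parse_conf(text):
    """Parse KEY::type::value lines into {type: {KEY: value}}.

    Splitting on the first two '::' keeps subjects like 'FWD: FWD: Hilarious'
    intact.  Every attack type present must carry all REQUIRED keys, so a
    typo in the file fails here rather than half-way through a send.
    """
    conf = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("::", 2)
        if len(parts) != 3 or parts[1] not in ATTACK_TYPES:
            raise ValueError(f"line {n}: malformed config line {raw!r}")
        key, atype, value = parts
        conf.setdefault(atype, {})[key] = value
    for atype, kv in conf.items():
        missing = [k for k in REQUIRED if k not in kv]
        if missing:
            raise ValueError(f"attack type {atype!r} is missing {missing}")
        kv["EMAIL_NUM"] = int(kv["EMAIL_NUM"])
    return conf


def new_uid(length=25):
    """Unguessable per-recipient id: 25 alphanumerics is about 149 bits, so a
    curious clicker cannot enumerate other people's links or forge a click."""
    return "".join(secrets.choice(UID_ALPHABET) for _ in range(length))


REL_URL_RE = re.compile(r'(?P<attr>href|src)="(?!https?://|mailto:|#)(?P<path>[^"]+)"')


def personalize(template, host, campaign, uid):
    """Rewrite relative href/src attributes into absolute per-recipient URLs.

    Assumed layout: pages under /<campaign>/<uid>/..., images under
    /<campaign>/images/<uid>/..., so the uid lands in the access log both
    when the page is clicked and when the mail client loads the image.
    """
    def repl(m):
        sub = "images/" if m["attr"] == "src" else ""
        return f'{m["attr"]}="http://{host}/{campaign}/{sub}{uid}/{m["path"]}"'
    return REL_URL_RE.sub(repl, template)


def build_send_list(pool, remove=(), exempt=()):
    """Pool minus previous 'whole' recipients and the exempt list, in file
    order and without duplicates (the role of REMOVE_EMAIL_FILE)."""
    drop = set(remove) | set(exempt)
    seen, out = set(), []
    for user in pool:
        if user not in drop and user not in seen:
            seen.add(user)
            out.append(user)
    return out


def batches(recipients, size):
    """Split into groups of EMAIL_NUM; the sender pauses between groups."""
    if size < 1:
        raise ValueError("EMAIL_NUM must be >= 1")
    return [recipients[i:i + size] for i in range(0, len(recipients), size)]


def prepare(conf_text, atype, pool, remove=(), exempt=(), campaign="hilarious"):
    """Config plus pool -> groups of per-recipient messages ready to send."""
    kv = parse_conf(conf_text)[atype]
    groups = []
    for group in batches(build_send_list(pool, remove, exempt), kv["EMAIL_NUM"]):
        msgs = []
        for user in group:
            uid = new_uid()
            msgs.append({"username": user, "uid": uid, "subject": kv["SUBJECT"],
                         "html": personalize(SAMPLE_TEMPLATE, kv["WEB_HOST"],
                                             campaign, uid)})
        groups.append(msgs)
    return groups
```

The uid is generated with secrets rather than rand(): the only thing tying a click to a person is that string, so it has to be unguessable by anyone who sees one copy of the email.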
Database: Tables
Table attack:
| Field       | Type                                  |
| aid         | int(10) unsigned                      |
| attack_type | enum('lup','test','whole','clickers') |
| started     | datetime                              |
| ended       | datetime                              |
| first_view  | datetime                              |
| last_view   | datetime                              |
| first_click | datetime                              |
| last_click  | datetime                              |
| sent_user   | varchar(50)                           |
| sent_host   | varchar(50)                           |
| subject     | varchar(50)                           |
| body        | mediumtext                            |
| sent_count  | int(5) unsigned                       |
| click_count | int(5) unsigned                       |
| name        | varchar(15)                           |
Database: Tables (2)
Table victims:
| Field      | Type        |
| username   | varchar(25) |
| dcso       | varchar(25) |
| last_name  | varchar(50) |
| first_name | varchar(50) |
| user_phone | varchar(12) |
Sample row: username gerberjj, dcso arwoodpc, last_name Gerber, first_name J J (John)
Database: Tables (3)
Table victim_pool:
| Field    | Type             |
| uid      | varchar(25)      |
| aid      | int(10) unsigned |
| username | varchar(25)      |
| added    | datetime         |
Sample row: uid ibYyK1x8lstu1KseMrkpdJaHv, aid 14, username gerberjj, added :32:30
Database: Tables (4)
Table session:
| Field        | Type             |
| uid          | varchar(25)      |
| sent         | datetime         |
| viewed_time  | datetime         |
| viewed_log   | varchar(255)     |
| clicked_time | datetime         |
| clicked_log  | varchar(255)     |
| ip           | varchar(50)      |
| email_sent   | enum('yes','no') |
Sample row: uid ibYyK1x8lstu1KseMrkpdJaHv, sent :45:57, viewed_time NULL, clicked_time :36:04, ip user123.ornl.gov, email_sent no
clicked_log (the Apache access log line for the click; the uid is the path segment after /photo/):
user123.ornl.gov - - [25/Mar/2009:10:36: ] "GET /photo/ibYyK1x8lstu1KseMrkpdJaHv/showalbulm.pl?albulm=new HTTP/1.1" "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv: ) Gecko/ SeaMonkey/1.1.14"
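Turning the access log into the session rows above and into the numbers listed under "What Data Do We Gather?" (who clicked, when the first click occurred, total clicks, time from send to first click) as an added example; this is not code from the ORNL system. It assumes the uid is the path segment after the campaign name, that a fetch under /<campaign>/images/<uid>/ means the mail client rendered the message (viewed) while any other uid hit is a click, and that log and send timestamps are in the same local time. The victim_pool rows, send time and log lines are constructed.

```python
import re
from datetime import datetime

# Constructed victim_pool rows (uid -> recipient); not data from the ORNL exercise.
VICTIM_POOL = {
    "ibYyK1x8lstu1KseMrkpdJaHv": {"aid": 14, "username": "gerberjj"},
    "Qm7p0ZtLx2vR9sKd3WnYe4BaH": {"aid": 14, "username": "pikec"},
    "Tz4nVb8Kq1LpY6rXs2MwE9jCd": {"aid": 14, "username": "coltjm"},
}
SENT_AT = datetime(2009, 3, 25, 9, 45, 57)   # attack.started, local time

# Constructed Apache combined-format lines.  Page hits carry the uid right
# after the campaign name; image loads carry it under /images/.
ACCESS_LOG = """\
user123.ornl.gov - - [25/Mar/2009:10:36:04 -0400] "GET /photo/ibYyK1x8lstu1KseMrkpdJaHv/showalbulm.pl?albulm=new HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko SeaMonkey/1.1.14"
user123.ornl.gov - - [25/Mar/2009:10:36:05 -0400] "GET /photo/images/ibYyK1x8lstu1KseMrkpdJaHv/opening.jpg HTTP/1.1" 200 8831 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko SeaMonkey/1.1.14"
user77.ornl.gov - - [25/Mar/2009:11:02:11 -0400] "GET /photo/Qm7p0ZtLx2vR9sKd3WnYe4BaH/showalbulm.pl?albulm=new HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
user123.ornl.gov - - [25/Mar/2009:13:10:40 -0400] "GET /photo/ibYyK1x8lstu1KseMrkpdJaHv/showalbulm.pl?albulm=new HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko SeaMonkey/1.1.14"
scanner.example.net - - [25/Mar/2009:14:00:00 -0400] "GET /photo/NOTAREALUIDxxxxxxxxxxxxxx/showalbulm.pl HTTP/1.1" 200 5120 "-" "curl/7.19.7"
user5.ornl.gov - - [25/Mar/2009:14:01:00 -0400] "GET /photo/index.html HTTP/1.1" 404 312 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
PATH_RE = re.compile(
    r'^/(?P<campaign>[^/]+)/(?P<images>images/)?(?P<uid>[A-Za-z0-9]{25})(?:/|$)')


def attribute(log_text, pool, sent_at):
    """Fold access-log lines into per-recipient session rows.

    A page hit is a click, an image fetch is a view, both keyed by uid.
    Unknown uids (scanners, typos, forged links) are returned separately
    rather than counted against anyone.
    """
    sessions = {uid: {"username": v["username"], "viewed_time": None,
                      "clicked_time": None, "last_click": None, "click_count": 0,
                      "ip": None, "clicked_log": None}
                for uid, v in pool.items()}
    unknown = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        p = PATH_RE.match(m["path"]) if m else None
        if not p:
            continue                      # not a campaign URL
        s = sessions.get(p["uid"])
        if s is None:
            unknown.append(p["uid"])
            continue
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        if ts < sent_at:
            continue                      # pre-send test traffic
        if p["images"]:
            if s["viewed_time"] is None:
                s["viewed_time"] = ts
        else:
            s["click_count"] += 1
            s["last_click"] = ts
            if s["clicked_time"] is None:
                s["clicked_time"], s["ip"], s["clicked_log"] = ts, m["host"], line
    return sessions, unknown


def summarize(sessions, sent_at):
    """The management numbers from the slides: who clicked, first/last click, rate."""
    clicked = [s for s in sessions.values() if s["clicked_time"]]
    first = min((s["clicked_time"] for s in clicked), default=None)
    last = max((s["last_click"] for s in clicked), default=None)
    return {
        "sent_count": len(sessions),
        "clickers": sorted(s["username"] for s in clicked),
        "click_rate": len(clicked) / len(sessions) if sessions else 0.0,
        "total_clicks": sum(s["click_count"] for s in sessions.values()),
        "first_click": first,
        "last_click": last,
        "seconds_to_first_click": int((first - sent_at).total_seconds()) if first else None,
    }


if __name__ == "__main__":
    rows, bad = attribute(ACCESS_LOG, VICTIM_POOL, SENT_AT)
    print(summarize(rows, SENT_AT), "unknown uids:", bad)
```

Unknown uids are kept apart instead of dropped: a burst of them usually means a scanner or someone forwarding the link, both worth knowing about, but neither should be charged to a recipient. The repeat click by the same uid is counted, but the per-person rate uses distinct clickers, which is the number management asks for.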
Sample Initial Setup
[hilarious]# ls -1
clickers_pool.txt
lup_pool.txt
phish.conf
received_pool.txt
template.html
test_pool.txt
whole_pool.txt

No File

Recipient pool (test_pool.txt):
"Gerber, John J"
"Pike, Christopher"
"Colt, J M"
"Boyce, Phillip"
"Tyler, Jose"

phish.conf:
TEMPLATE::test::template.html
TEMPLATE::whole::template.html
TEMPLATE::lup::template.html
TEMPLATE::clickers::template.html
SUBJECT::test::FWD: FWD: FWD: Hilarious
SUBJECT::whole::FWD: FWD: FWD: Hilarious
SUBJECT::lup::FWD: FWD: FWD: That is Hilarious
SUBJECT::clickers::FWD: FWD: FWD: This is Hilarious
WEB_HOST::test::
WEB_HOST::whole::
WEB_HOST::lup::
WEB_HOST::clickers::
EMAIL_FILE::test::test_pool.txt
EMAIL_FILE::whole::whole_pool.txt
EMAIL_FILE::lup::lup_pool.txt
EMAIL_FILE::clickers::clickers_pool.txt
REMOVE_EMAIL_FILE::whole::received_pool.txt
EMAIL_NUM::test::999
EMAIL_NUM::whole::550
EMAIL_NUM::lup::999
EMAIL_NUM::clickers::999

No File

template.html:
Subject: FWD: FWD: FWD: Hilarious
Check it out!
<span style="font-size: 11pt; font-family: "Tahoma","sans-serif";">
From: Castle, Frank
Sent: Tuesday, March 17, :50 AM
To: Barton, Clint; Smith, Travis N.; Jones, Cora M.; James, Jennifer; Redman, Doug S.; Schrof, Tina; Tillman, Edward E.; Van Dyke, Richard L.; Farner Mark K.; Jamison, Hollie; Stewart, Greg; Young, Justin M.; Pierce, James G.; Spencer, Tim; Alexander, Charles B.; Gordon, Dale E.; Keen, Robert H.
Subject: FWD: FWD: Hilarious
</span>

gerberjj arwoodpc

Employee list extract:
UID    PRIM  TYPE  PRO_DT           UID_DT      EMPSTAT  UIDSTAT
JLP55  Y     NON   9/8/ :18         9/8/ :09    ACT      ACT
WTR21  Y     NON   10/26/2004 2:00  9/14/ :21   ACT      ACT
GLF45  Y     NON   3/15/2005 2:00   8/31/ :04   ACT      ACT
DKP72  Y     NON   7/18/ :03        7/19/ :52   ACT      ACT
Program: prepare.pl
Run: prepare.pl

#!/usr/local/bin/perl -w
use DBI;
use POSIX qw(strftime);
BEGIN { push @INC, "/home/ger/projects/phish/perl" }   # reconstructed: the slide shows only the path
use ornl_phish qw($db_host $db $mysql_user $mysql_passwd logit runcommand mailit generate_html
                  user_exist check_attack_type read_config find_attack_name);

sub update_received {
    my ($datafile, $rm_min_date, $dbh) = @_;
    my $error = "";
    my %user_list;    # make sure we add back only unique ids (no duplicates)
    if ( -e $datafile ) {
        my $results = "";
        # Pull out the content of previous clickers
        $/ = "\n";
        open(INFILE, $datafile) || ( $error = "ERROR: Problem opening file $datafile: $!\n" );
        # ... remainder of the routine not shown on the slide

Results:
– *.orig - the original files.
– *_pool.txt - these are the updated files which the system will use in the next step. Make sure they look correct.
– received_pool.txt - this file will be updated with the unique values that previously existed plus, from the database, those who received email under a "whole" attack.
– sample_*.html - sample emails. Check them and make sure they look appropriate: open each file in a browser and confirm there are no format problems.
Results: prepare.pl
[hilarious]# ls -1
phish.conf
received_pool.txt
sample_test.html
template.html
test_pool.txt
test_pool.txt.orig

File: received_pool.txt
File: sample_test.html
FWD: FWD: FWD: Hilarious
This is hilarious, check it out!
upostfun.com /hilarious/ /2009/04/11/
File: test_pool.txt
View sample_test.html
Use your favorite browser to pull up sample_test.html and confirm the message renders the way a recipient will see it.
Inform and Authorize
– CIO authorization
– Helpdesk
– Mail administrator
– DNS administrator
Program: go_phishing.pl
Run: go_phishing.pl

#!/usr/local/bin/perl -w
# Perl Modules
use DBI;
use POSIX qw(strftime);
BEGIN { push @INC, "/home/ger/projects/phish/perl" }   # reconstructed: the slide shows only the path
use ornl_phish qw($db_host $db $mysql_user $mysql_passwd logit runcommand mailit generate_html
                  user_exist check_attack_type read_config find_attack_name);

sub modify_apache {
    my ($apache_conf, $apache_temp, $attack_name, $logfile) = @_;
    my $error = "";
    local ($datetime) = strftime("%Y%m%d%H%M%S", localtime);
    undef $/;    # slurp mode: read the whole template file in one go
    open(INFILE, $apache_temp) || ( $error = "ERROR: Problem opening file $apache_temp: $!\n" );
    if ($error eq "") {
        my $conf_body = <INFILE>;
        # Drop everything after "RewriteEngine On" so this exercise's rules can be appended
        $conf_body =~ s/RewriteEngine On.*/RewriteEngine On/s;
        # Keep a timestamped backup of the live httpd.conf before replacing it
        my $rc = &runcommand($logfile, "/bin/cp", "$apache_conf/httpd.conf",
                             "$apache_conf/httpd.conf.$datetime");
        # ... remainder of the routine not shown on the slide

What go_phishing.pl does:
– Emails are sent in groups (group size from EMAIL_NUM in phish.conf) with a 30 minute break between groups.
– Web areas are created:
  – images
  – the web page people see when they click
  – a report web area created to watch the progress
– Modify httpd.conf, clear logs, restart the server.

Results
Sending uses netcat to talk SMTP to the mail server directly: /usr/bin/nc -vv smtpserver.ornl.gov 25
:10:28 INFO: Started.
Sending email to gerberjj
smtpserver.ornl.gov [ ] 25 (smtp) open
220 mailserver.ornl.gov -- Server ESMTP (PMDF V6.4#31561)
251 mailserver.ornl.gov system name not given in HELO command, phishingphil.ornl.gov [ ] Address Ok
OK.
354 Enter mail, end with a single "."
Ok
Bye received. Goodbye.
sent 4340, rcvd 301
Modifications to httpd.conf
RewriteEngine On
RewriteRule ^/hilarious$ /usr/local/apache/htdocs/hilarious/index.html [L]
RewriteRule ^/hilarious/images/[^/]+/(.*)$ /work/software/apache/htdocs/hilarious/images/$1 [L]
RewriteRule ^/hilarious/[^/]+/(.*)$ /work/software/apache/htdocs/hilarious/index.html [L]
RewriteRule ^/hilarious/(.*)$ /work/software/apache/htdocs/hilarious/index.html [L]

The [^/]+ segment absorbs the per-recipient uid: every uid path serves the same index.html (or the same image file), while the uid stays in the request line of the access log, which is what ties a click or an image load back to a victim_pool row. The images rule has to come before the two catch-all rules, since each rule carries [L] and the first match wins.
Monitoring the Results: Summary (screenshot of the report web area)
Future
– Request Tracker
– Additional reports for management
– Possibly a front end
  – Easier: is that a good or bad thing?
  – HTML editor interface
  – Grab required information from ORNL DBs
  – Schedule
Final Words
Thank you for the opportunity to discuss our phishing awareness work.
Philip Arwood, John Gerber
Other ORNL Presentations of Interest
SharePoint
– Monday, 11:45 - Using SharePoint UI to Deliver General Use Applications, Connie Begovich
– Tuesday, 11:45 - SharePoint at ORNL, Brett Ellis
Cyber Security
– Monday, 1:30 - Development of a Process for Phishing Awareness Activities, Philip Arwood & John Gerber
– Monday, 2:15 - How I Learned to Embrace the Chaos, Mark Lorenc
– Monday, 4:15 - TOTEM: The ORNL Threat Evaluation Method, John Gerber & Mark Floyd
Desktop Management
– Monday, 4:15 - On the Fly Management of UNIX Hosts using CFEngine, Ryan Adamson
– Tuesday, 11:00 - Implementation of Least User Privileges, Doug Smelcer
– Wednesday, 11:45 - Microsoft Deployment Using MDT and SCCM, Chad Deguira
Incident Management
– Wednesday, 11:00 - Helpdesk Operations for Clients Without Admin Privileges, Bob Beane & Tim Guilliams
IT Modernization
– Monday, 2:15 - 12 Months of Technology, Lara James