Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doxing Phishers: Analyzing Phishing Attacks from Lure to Attribution

Published byΔιδώ Καψής Modified over 5 years ago

Similar presentations

Presentation on theme: "Doxing Phishers: Analyzing Phishing Attacks from Lure to Attribution"— Presentation transcript:

1 Doxing Phishers: Analyzing Phishing Attacks from Lure to Attribution
Crane Hassold Director of Threat Intelligence @CraneHassold June 8, 2018

2 Who Cares About Credential Phishing?
Malware usually gets all the attention Some of the biggest breaches in recent years initiated with credential phishing attacks 2017 saw a shift in who credential phish target Evolution from individuals to enterprise users Business-oriented services saw major increases services became the #1 targeted industry – driven by Office365/OWA phish SaaS attacks more than tripled – driven by Adobe/DocuSign phish Follows similar evolution of ransomware targeting in 2016 Facilitates BEC attacks, data/IP theft/ransom Proprietary and Confidential Copyright 2018 PhishLabs

3 Why is Phishing Intelligence Important?
Having a better understanding of the threat allows us to better adapt and react Phishers give us all the information needed to defeat them Lures (the “delivery mechanism”) Phishing sites (the “finished product”) Phish kits (the “recipe”) How does this help? Quicker phish confirmation Fewer false positives Overcome anti-detection hurdles Identify the biggest threats Proprietary and Confidential Copyright 2018 PhishLabs

4 Analysis of Phishing Lures
Phishing lures are the initial exposure a victim has to an attack Lures generally follow the same basic themes Suspicious activity Account validation Account suspension/expiration Awareness of new lures gives us an opportunity to alert potential victims Point us to the phishing site headers give us information about campaign distribution infrastructure Proprietary and Confidential Copyright 2018 PhishLabs

5 Analysis of the Phishing Site
The phishing site provides us a significant amount of intelligence that can be used to track campaigns and enhance detection Source code analysis URL pattern analysis Malicious domain correlation Proprietary and Confidential Copyright 2018 PhishLabs

6 Proprietary and Confidential
Source Code Analysis Analyzing the source code of a phishing page allows us to extract unique strings that can enhance detection Can also be used to link sites to a specific kit or actor Some components that can provide unique strings include: HTML title tags Form posts Comments Signatures Proprietary and Confidential Copyright 2018 PhishLabs

7 Proprietary and Confidential
URL Pattern Analysis Identifying patterns in phishing URLs can be used to cluster attacks into families Landing page names Directory structure Content hashes Indications of defensive tactics (directory generators, URL parameters) This type of analysis allows us to: Shrink the overall phishing ecosystem Identify unique URL characteristics Identify the most significant threats Proprietary and Confidential Copyright 2018 PhishLabs

8 Malicious Domain Correlation
Some phishers register “look-alike domains” used to host phishing content Whois information for these domains can provide a gold mine of intelligence data Valuable intelligence information includes: Registrant organization Registrant address Website title Registration dates This information can then be used to identify additional potential active or inactive phishing sites PassiveDNS analysis to identify other malicious domains on same infrastructure THANKS GDPR! Proprietary and Confidential Copyright 2018 PhishLabs

9 Proprietary and Confidential
Analysis of Phish Kits Kits are the “recipe” for creating most phishing sites Collecting & analyzing kits give us a more in-depth understanding of techniques used to carry out phishing scams Anti-detection techniques Access controls Code obfuscation Data exfiltration Proactive approach – that is, instead of waiting for a phishing site to be identified, take steps to mitigate an attack BEFORE IT EVEN HAPPENS! Proprietary and Confidential Copyright 2018 PhishLabs

10 Anti-Detection Techniques
Two primary ways phishers attempt to evade detection Access controls Dynamic URL alteration HTACCESS files and/or PHP blocklists generally used to control access to a phishing site by: IP address User agent string HTTP referrer Hostname Creating a unique URLs for each visitor is meant to evade browser-based blocking Dynamic directory generation Random URL parameters Proprietary and Confidential Copyright 2018 PhishLabs

11 Proprietary and Confidential
Drop Accounts Analyzing kits allows us to see exactly where compromised data is going Compromised information generally sent to phisher via Other notable tactics: Storing information on the compromised server Sending information to a secondary domain controlled by the phisher Sending information via Jabber We can also identify backdoors inserted by the kit’s author Proprietary and Confidential Copyright 2018 PhishLabs

12 Genealogical Analysis & Kit Clustering
Countless phishers, but few sophisticated phish kit authors Many phishers simply make minor modifications to freely-available kits and pass them off as their own Over time a “family tree” of phish kits is created By analyzing kits, we are able to identify unique artifacts that allow us to cluster them into families This allows us to: Shrink the overall phishing ecosystem Identify the most significant threat actors Detect common anti-detection techniques Proprietary and Confidential Copyright 2018 PhishLabs

13 Proprietary and Confidential - Copyright 2018 PhishLabs
Case Example: Netflix Phishing Campaign Analysis Proprietary and Confidential - Copyright 2018 PhishLabs

14 Netflix Phishing is Apparently Newsworthy
Proprietary and Confidential Copyright 2018 PhishLabs

15 Proprietary and Confidential
The Lure <a style="text-decoration: underline;transition: all .2s;color: #41637e" href=" data-emb-href-display="undefined">Click here to verify your account</a><br /><br />Failure to complete the validation process will result in a suspension of your netflix membership. Proprietary and Confidential Copyright 2018 PhishLabs

16 Proprietary and Confidential
The Phish Proprietary and Confidential Copyright 2018 PhishLabs

17 Obfuscated Source Code
Proprietary and Confidential Copyright 2018 PhishLabs

18 Stepping Through the Phish
Proprietary and Confidential Copyright 2018 PhishLabs

19 Stepping Through the Phish
Proprietary and Confidential Copyright 2018 PhishLabs

20 Proprietary and Confidential
What Do We Know So Far? Primary phishing pages: index.php billing.php payment.php complete.php Source code obfuscation Use of IP address to create unique URLs Redirects to legitimate Netflix homepage at conclusion of phish Proprietary and Confidential Copyright 2018 PhishLabs

21 Proprietary and Confidential
URL Pattern Analysis index.php billing.php payment.php complete.php This family comprises more than 25% of all Netflix phishing sites in 2017 Proprietary and Confidential Copyright 2018 PhishLabs

22 Proprietary and Confidential
Phish Kit Analysis Access control files Proprietary and Confidential Copyright 2018 PhishLabs

23 Primary phishing pages
Phish Kit Analysis Mailing scripts Obfuscation Primary phishing pages Access controls/ crawler blocking Proprietary and Confidential Copyright 2018 PhishLabs

24 Genealogical Analysis
An analysis of Netflix kits shows that ALL of them are related Likely freely distributed and modified over time Enhanced functionality added Form validation Directory generation Additional access controls Conclusion: Many of the Netflix phishing sites created from kits are linked to an original source kit written by a single author WHO IS THE AUTHOR? Proprietary and Confidential Copyright 2018 PhishLabs

25 Going Down the Open Source Rabbit Hole
Proprietary and Confidential Copyright 2018 PhishLabs

26 Potential Original Post
Proprietary and Confidential Copyright 2018 PhishLabs

27 Finding the Download Location
Proprietary and Confidential Copyright 2018 PhishLabs

28 Proprietary and Confidential
The Original Kit Proprietary and Confidential Copyright 2018 PhishLabs

29 Proprietary and Confidential
The Original Kit Proprietary and Confidential Copyright 2018 PhishLabs

30 Proprietary and Confidential
Comparing Kits Original Kit Recovered Kit Proprietary and Confidential Copyright 2018 PhishLabs

31 Proprietary and Confidential
Backdoor Drop account “Access control file” Proprietary and Confidential Copyright 2018 PhishLabs

32 Backdoor Legitimate hostname blocking Proprietary and Confidential
Copyright 2018 PhishLabs

33 Backdoor Backdoor email account Proprietary and Confidential
Copyright 2018 PhishLabs

34 Proprietary and Confidential
Who is Admin? Proprietary and Confidential Copyright 2018 PhishLabs

35 Proprietary and Confidential
Who is Admin? Proprietary and Confidential Copyright 2018 PhishLabs

36 Proprietary and Confidential
Who is Admin? Proprietary and Confidential Copyright 2018 PhishLabs

37 Proprietary and Confidential
Who is Admin? Proprietary and Confidential Copyright 2018 PhishLabs

38 Proprietary and Confidential
Who is Admin? Proprietary and Confidential Copyright 2018 PhishLabs

39 Wrapping Up Family makes up >25% of all 2017 phish
Original lure Family makes up >25% of all 2017 phish One kit to rule them all Original distribution site Likely original kit author Proprietary and Confidential Copyright 2018 PhishLabs

40 QUESTIONS??? Crane Hassold Director of Threat Intelligence
@CraneHassold Proprietary and Confidential - Copyright 2018 PhishLabs

Download ppt "Doxing Phishers: Analyzing Phishing Attacks from Lure to Attribution"

Similar presentations

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.

PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.
 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.

 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.
URL Obscuring COEN 152/252 Computer Forensics  Thomas Schwarz, S.J. 2004.

URL Obscuring COEN 152/252 Computer Forensics  Thomas Schwarz, S.J
Phishing – Read Behind The Lines Veljko Pejović

Phishing – Read Behind The Lines Veljko Pejović
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. 1 Cryptographic.

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. 1 Cryptographic.
Beyond DDoS: Case Studies on Attack Mitigation for Financial Services Mike Kun and Patrick Laverty, Akamai CSIRT.

Beyond DDoS: Case Studies on Attack Mitigation for Financial Services Mike Kun and Patrick Laverty, Akamai CSIRT.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
Phishing and Intrusion Prevention Tod Beardsley, TippingPoint (a division of 3Com), 02/15/06 – IMP-201.

Phishing and Intrusion Prevention Tod Beardsley, TippingPoint (a division of 3Com), 02/15/06 – IMP-201.
PhishNet: Predictive Blacklisting to Detect Phishing Attacks Pawan Prakash Manish Kumar Ramana Rao Kompella Minaxi Gupta Purdue University, Indiana University.

PhishNet: Predictive Blacklisting to Detect Phishing Attacks Pawan Prakash Manish Kumar Ramana Rao Kompella Minaxi Gupta Purdue University, Indiana University.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.

WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.
APT29 HAMMERTOSS Jayakrishnan M.

APT29 HAMMERTOSS Jayakrishnan M.
Palo Alto Networks Modern Malware Cory Grant Regional Sales Manager Palo Alto Networks.

Palo Alto Networks Modern Malware Cory Grant Regional Sales Manager Palo Alto Networks.
Windows Internet Explorer 9 Chapter 1 Introduction to Internet Explorer.

Windows Internet Explorer 9 Chapter 1 Introduction to Internet Explorer.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
All Your iFRAMEs Point to Us Niels provos,Panayiotis mavrommatis - Google Inc Moheeb Abu Rajab, Fabian Monrose - Johns Hopkins University Google Technical.

All Your iFRAMEs Point to Us Niels provos,Panayiotis mavrommatis - Google Inc Moheeb Abu Rajab, Fabian Monrose - Johns Hopkins University Google Technical.

Similar presentations

Ads by Google