
Phishermen Changing Targets: Impact Shift from Personal to Organizational

RSA Conference session TTA-F01

Chris Larsen, Architect, WebPulse Threat Research Lab, Symantec (@bc_malware_guy)

Armin Buescher, Principal Security Researcher, Symantec (@armbues)

Slide 2: Outline

Part One: Definitions and Details
- Phishing Kits
- Catching Phish
- Top Targets

Part Two: Shadow Data
- 1 + 2 = 3 (Scoping the Problem)
- Mapping the Phishermen

Summary / Apply

Part One: Phishing Kits

Definitions, Details, Targets

Slide 4: Phishing vs. Spear-phishing vs. Malspam

Basic Definitions:
- Phishing: Mass e-mail → link to fake site → steals bank or credit card info
- Spear-phishing: Targeted e-mail → link to fake site → steals login credentials (VPN, e-mail, network, etc.)
  (or, Targeted e-mail → malicious attachment or link to malicious site)
- Malspam: Mass e-mail → malicious attachment or link to malicious site

We see a LOT of submissions for “phishing” that are really “malspam” (or even plain spam, because people think “attack in e-mail == phishing”).

But there is blurring now between phishing and spear-phishing.

Slide 5: Phishing: Traditional CISO View

“What if one of my employees gets phished?”
- That’s too bad (for them).
- They might lose some of their data or money.
- But my organization’s data isn’t at risk.
- So I’ll deploy a general anti-spam/anti-phishing solution to protect them.
- And go worry about *my* problems.

Slide 6: Phishing Kits

Archives (.zip) of server-side code, ready to deploy
- Usually PHP coded pages
- And support files (images, JS, CSS, etc.)

Sold in underground cybercrime markets (typical price is quite low: $2 - $10)

Ready to be hosted on:
- Compromised/hacked servers
- Free hosting providers
- Bulletproof hosting providers

Slide 7: Phishing Kits: Example Archive

Slide 8: Phishing Kits: Designed for Portability

- Quickly deploy to new sites
- Reuse the pages for months (or even years)

Slide 9: Example of Deployed Phishing Kit

Slide 10: Phishing for Google Docs Login

Slide 11: Phishing for Dropbox Login

Slide 12: Phishing for… Adobe Login?

Slides 13-16: Key to Successful Phishing: Look Believable

DataFromGINAquarium

Slide 17: Lightbulb!

If phishing pages need to look believable…

...so phishermen build them to look good…

...and re-use them in phishing kits…

...then we can visually compare new pages…

...and if we get a match, it’s a phish!

(Or, we can compare the page content-wise instead of visually.)
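The content-wise comparison the slide describes, as an added example (this is not the speakers' Phingerprinter or Project Dolphin code): a page from a known kit is reduced to a sequence of structural tokens (tag names plus the input types and names that define a login form), that sequence is shingled into 3-grams, and a new page is scored against the catalog with a Jaccard index. The shingle size, the 0.6 threshold, the catalog label and all three sample pages are assumptions constructed for this example.

```python
"""Content-wise matching of a new page against pages from known phishing kits.

Added example illustrating the slide's idea: kit pages are reused, so a
fingerprint of a known kit page matches later deployments even when hostnames,
titles or visible text are changed. This is not the speakers' Phingerprinter
or Project Dolphin code; the structural 3-gram shingling, the Jaccard score,
the 0.6 threshold and the sample pages are all assumptions of this example.
"""
from html.parser import HTMLParser


class StructureExtractor(HTMLParser):
    """Turn a page into a sequence of structural tokens: tag names, plus the
    details that define a login form (input type/name, form method). Text,
    URLs and most attributes are ignored so cosmetic edits do not matter."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        token = tag
        if tag == "input":
            token += ":%s:%s" % (a.get("type") or "", a.get("name") or "")
        elif tag == "form":
            token += ":method=" + (a.get("method") or "get").lower()
        self.tokens.append(token)

    def handle_endtag(self, tag):
        self.tokens.append("/" + tag)


def shingles(html, k=3):
    """Set of k-grams over the structural token sequence of a page."""
    p = StructureExtractor()
    p.feed(html)
    t = p.tokens
    if len(t) <= k:
        return {tuple(t)}
    return {tuple(t[i:i + k]) for i in range(len(t) - k + 1)}


def jaccard(a, b):
    """Similarity of two shingle sets (1.0 = identical structure)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def build_catalog(kit_pages):
    """{label: html} -> {label: shingle set} for pages taken from known kits."""
    return {label: shingles(html) for label, html in kit_pages.items()}


def match_page(html, catalog, threshold=0.6):
    """Return (best_label, score) for the closest catalog entry, or
    (None, score) when no entry reaches the threshold."""
    sig = shingles(html)
    best_label, best_score = None, 0.0
    for label, known in catalog.items():
        score = jaccard(sig, known)
        if score > best_score:
            best_label, best_score = label, score
    return (best_label if best_score >= threshold else None), best_score


# Constructed sample pages (not real kit content).
KIT_PAGE = """<html><head><title>Sign in</title></head><body>
<div class="box"><img src="logo.png">
<form method="post" action="post.php">
<input type="email" name="email"><input type="password" name="pass">
<button>Sign in</button></form></div></body></html>"""

# The same kit deployed elsewhere: new hostname, new title, one extra hidden field.
NEW_DEPLOYMENT = """<html><head><title>Cloud Drive - Login</title></head><body>
<div class="box"><img src="https://example.invalid/static/brand.png">
<form method="post" action="https://example.invalid/next.php">
<input type="email" name="email"><input type="password" name="pass">
<input type="hidden" name="ref" value="mail">
<button>Continue</button></form></div></body></html>"""

UNRELATED_PAGE = """<html><head><title>News</title></head><body>
<article><h1>Headline</h1><p>First paragraph.</p><p>Second.</p>
<a href="/more">More</a></article></body></html>"""

CATALOG = build_catalog({"example-cloud-login-kit": KIT_PAGE})

if __name__ == "__main__":
    for name, page in [("new deployment", NEW_DEPLOYMENT), ("unrelated", UNRELATED_PAGE)]:
        print(name, match_page(page, CATALOG))
```

Because the tokens ignore text and URLs, the re-deployed copy scores about 0.72 against the kit page while the unrelated article scores about 0.15. The weakness is the mirror image of the strength: a kit author who restructures the markup rather than just re-skinning it drops below the threshold, which is one reason the slide also mentions visual comparison as an alternative signal.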

Slide 18: Top Phishing Targets

According to our “Phingerprinter” system, in May 2017.

(Constrained view of “phish market”)

1 Paypal
2 Google (Docs/Drive/Gmail)
3 Dropbox
4 Chase
5 Barclays
6 Societe Generale
7 Apple
8 USAA
9 Wells Fargo
10 Christian Mingle
11 Docusign
12 Generic E-mail
13 Office 365
14 Alibaba
15 Linkedin
16 Bank of America
17 Adobe
18 Kiwibank
19 AOL
20 MS Outlook

Slide 19: Top Phishing Targets

According to our “Project Dolphin” system (because it’s smart, and eats phish).

1 Google Docs
2 Dropbox
3 Chase
4 Apple
5 Google Drive
6 Docusign
7 Adobe
8 Free Mobile
9 Office 365
10 Paypal
11 Alibaba

This has a *much* broader view of the “phish market” than the previous system, and it shows that targets are heavily weighted toward “credential phishing” instead of traditional “financial phishing”.

Part Two: Shadow Data

Slide 21: Shadow IT and Shadow Data

You’ve probably heard of “Shadow IT” (use of unauthorized applications, etc.)

Slide 22: Shadow IT and Shadow Data

How about “Shadow Data”? (important data being stored/used outside of normal applications/controls)

Let’s take a look at some data from colleagues at Elastica: the Shadow Data report for the 2nd half of 2016.

Slide 23: Shadow Data

Slide 24: Shadow Data

“25% Broadly Shared”

- Via analysis of 173M+ files
- In popular file sharing apps (Office 365, Dropbox, Box, Google Drive ...)
- Or services (Salesforce, AWS, Jive ...)

Slide 25: Shadow Data

“3% Contained Compliance-related Data”

Slide 26: Shadow Data

Industries that commonly handle certain types of data abuse it more often...

Slide 27: Top Phishing Targets

Remember these?

1 Google Docs
2 Dropbox
3 Chase
4 Apple
5 Google Drive
6 Docusign
7 Adobe
8 Free Mobile
9 Office 365
10 Paypal
11 Alibaba

Notice how many are targeting Cloud storage and e-mail services?

Uh-oh…

One + Two = Three

Putting it together…

Slide 29: Putting it together…

1 + 2 = 3
- Phishermen are now commonly targeting login credentials to e-mail and various Cloud services
- Shadow Data Problem (sensitive data stored in Cloud services, outside of normal controls...)
- Phishing isn’t just a problem affecting individual employees. It’s an organization-level threat.

Slide 30: Phishing: Traditional CISO View

“What if one of my employees gets phished?”
- That’s too bad (for them).
- They might lose some of their data or money.
- But my organization’s data isn’t at risk.
- So I’ll deploy a general anti-spam/anti-phishing solution to protect them.
- And go worry about *my* problems.

Slide 31: Phishing: Enlightened CISO View

- My organization probably has Shadow Data
- My employees will be phished for their credentials
- Phishing is an organization-level threat

What to do?

Know your enemy, know yourself…

Slide 33: A Closer Look at Phishing Kits: Collecting

Via VirusTotal:
- We found over 2,900 ZIP archives (3 GB compressed / 6.8 GB uncompressed)

Via a crawler (Oct. 2016 – Apr. 2017):
- We found over 6,400 (unique) ZIP archives (4.5 GB compressed / 9.3 GB uncompressed)
- From crawling over 13,000 URLs

129 targeted brands

Top kit was seen deployed 98 times

Slide 34: A Closer Look at Phishing Kits: Clustering

Attempted clustering into “kit families”
- Distance metric: ratio of shared files between kits

VirusTotal set: 129 clusters

Crawler set: 229 clusters
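The clustering step on this slide, as an added example that is not the speakers' code: each kit archive is reduced to the set of SHA-256 digests of its files, the "ratio of shared files" between two kits is computed as the Jaccard index of those sets, and kits are joined into families by single-linkage clustering. The slide gives only the distance metric; the hashing by content rather than path, the single-linkage step, the 0.5 threshold and the four constructed in-memory ZIP archives (placeholder files only, laid out like the PHP-plus-support-files kits described on slide 6) are assumptions of this example.

```python
"""Clustering phishing-kit archives into "kit families" by shared files.

Added example, not the speakers' code. The slide states the distance metric
(ratio of shared files between two kits); the per-file SHA-256 hashing,
single-linkage clustering, the 0.5 threshold and the constructed in-memory
ZIP archives are assumptions of this example.
"""
import hashlib
import io
import zipfile


def make_zip(files):
    """Build an in-memory ZIP archive from {path: content} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


def kit_file_hashes(zip_bytes):
    """Set of SHA-256 digests of the files inside a kit archive. Hashing content
    rather than paths lets a kit repacked under another folder name still
    share files with its siblings."""
    digests = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests.add(hashlib.sha256(zf.read(info)).hexdigest())
    return digests


def shared_ratio(a, b):
    """Ratio of shared files between two kits (Jaccard index of hash sets)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_kits(kits, min_shared=0.5):
    """Single-linkage clustering over {name: hash set}: kits whose shared
    ratio reaches min_shared join one family, and families merge
    transitively (union-find). Returns families as sorted lists of names."""
    parent = {name: name for name in kits}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    names = list(kits)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if shared_ratio(kits[a], kits[b]) >= min_shared:
                parent[find(a)] = find(b)
    families = {}
    for name in names:
        families.setdefault(find(name), []).append(name)
    return sorted(sorted(m) for m in families.values())


# Constructed sample kits: placeholder files only, no real kit code.
JQUERY_STUB = b"/* placeholder: shared jquery stub */"
SAMPLE_KITS = {
    "cloud-a-kit": make_zip({
        "clouda/index.php": b"<?php // placeholder: kit A login page",
        "clouda/post.php": b"<?php // placeholder: kit A handler, v1",
        "clouda/style.css": b".box{width:400px}",
        "clouda/img/logo.png": b"PNG-placeholder-A",
        "clouda/js/jquery.min.js": JQUERY_STUB,
    }),
    # The same kit repacked under another folder with one edited file.
    "cloud-a-kit-v2": make_zip({
        "login_v2/index.php": b"<?php // placeholder: kit A login page",
        "login_v2/post.php": b"<?php // placeholder: kit A handler, v2",
        "login_v2/style.css": b".box{width:400px}",
        "login_v2/img/logo.png": b"PNG-placeholder-A",
        "login_v2/js/jquery.min.js": JQUERY_STUB,
    }),
    "bank-b-kit": make_zip({
        "bankb/login.php": b"<?php // placeholder: kit B login page",
        "bankb/verify.php": b"<?php // placeholder: kit B second step",
        "bankb/main.css": b"body{font-family:sans-serif}",
        "bankb/logo.gif": b"GIF-placeholder-B",
    }),
    # A different brand that only reuses the common JS library.
    "webmail-c-kit": make_zip({
        "mailc/index.php": b"<?php // placeholder: kit C login page",
        "mailc/theme.css": b".login{padding:8px}",
        "mailc/jquery.min.js": JQUERY_STUB,
    }),
}


def family_clusters(min_shared=0.5):
    """Cluster the sample kits and return the families found."""
    hashes = {name: kit_file_hashes(z) for name, z in SAMPLE_KITS.items()}
    return cluster_kits(hashes, min_shared)


if __name__ == "__main__":
    for family in family_clusters():
        print(family)
```

With the 0.5 threshold the two repacked copies of kit A land in one family (they share 4 of 6 distinct files) while the webmail kit, which only reuses the JS stub (1 of 7), stays separate; lowering the threshold to 0.1 pulls it into the same family. That sensitivity is why shared boilerplate such as JS libraries should either be excluded from the hash sets or weighted down before the cluster counts on slide 34 are read as "families".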

Slide 35: A Closer Look at Phishing Kits: Clustering

Crawler Data Set

Slide 36: Tracking the Phishermen (by Attack Source)

Slide 37: Tracking the Phishermen (by Attack Source)

Country        Percentage
Nigeria        57%
USA            16%
Malaysia       11%
South Africa   10%
UK              6%

Summary / Application

What to do?

Slide 39: Summary

- Old-school “financial phishing” is still there…
- Spammers / Scammers are getting more into Phishing… (Ransomware successes showing the value of stealing data?)
- Growth of Cloud services means a bigger attack surface for phishing…
- Mass-market “credential phishing” is akin to spear-phishing…
- Mass-market also means less sophisticated (for now)…

Slide 40: The “Apply” Slide…

- User training is more important than ever
  - Make them aware of the Top Targets (so they don’t just think of phishing as targeting their bank account)
- Re-evaluate your anti-spam/anti-phishing defenses’ coverage
- Evaluate CASB-type solutions for tracking Shadow Data use (and add user training about the hazards of Shadow Data)
- Expect more blurring between phishing and spear-phishing
