TRANSCRIPT
#RSAC
Phishermen Changing Targets: Impact Shift from Personal to Organizational
Session ID: TTA-F01
Chris Larsen, Architect, WebPulse Threat Research Lab, Symantec (@bc_malware_guy)
Armin Buescher, Principal Security Researcher, Symantec (@armbues)
Outline
2
Part One: Definitions and Details
Phishing Kits
Catching Phish
Top Targets
Part Two: Shadow Data
1 + 2 = 3 (Scoping the Problem)
Mapping the Phishermen
Summary / Apply
Phishing vs. Spear-phishing vs. Malspam
4
Basic Definitions:
Phishing: Mass e-mail → link to fake site → steals bank or credit card info
Spear-phishing: Targeted e-mail → link to fake site → steals login credentials (VPN, e-mail, network, etc.)
(or, Targeted e-mail → malicious attachment or link to malicious site)
Malspam: Mass e-mail → malicious attachment or link to malicious site
We see a LOT of submissions for “phishing” that are really “malspam” (or even plain spam, because people think “attack in e-mail == phishing”)
But there is now blurring between phishing and spear-phishing
Phishing: Traditional CISO View
5
“What if one of my employees gets phished?”
That’s too bad (for them).
They might lose some of their data or money.
But my organization’s data isn’t at risk.
So I’ll deploy a general anti-spam/anti-phishing solution to protect them.
And go worry about *my* problems.
Phishing Kits
6
Archives (.zip) of server-side code, ready to deploy
Usually PHP-coded pages
And support files (images, JS, CSS, etc.)
Sold in underground cybercrime markets (typical price is quite low: $2 - $10)
Ready to be hosted on:
Compromised/hacked servers
Free hosting providers
Bulletproof hosting providers
Phishing Kits: Designed for Portability
8
Quickly deploy to new sites
Reuse the pages for months (or even years)
Lightbulb!
17
If phishing pages need to look believable…
...so phishermen build them to look good…
...and re-use them in phishing kits…
...then we can visually compare new pages…
...and if we get a match, it’s a phish!
(Or, we can compare the page content-wise instead of visually.)
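The content-wise comparison, as an added example in Python (not code from the talk, nor from the Phingerprinter or Project Dolphin systems it describes): a page is reduced to the features a kit page keeps when it is re-deployed (tag order, form field names, bare support-file names) and matched against fingerprints of known kit pages. The sample pages, the kit name and the 0.8 threshold are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser

class SkeletonParser(HTMLParser):
    """Keep what a re-deployed kit page carries from host to host: tag order,
    form field names and the bare file names of the support files it loads."""
    def __init__(self):
        super().__init__()
        self.tags, self.features = [], set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.tags.append(tag)
        if tag == "input" and a.get("name"):
            self.features.add("input:" + a["name"].lower())
        for key in ("src", "href", "action"):
            if a.get(key):  # drop host and path: kits change hosts, not file names
                self.features.add("file:" + a[key].rsplit("/", 1)[-1].lower())

def fingerprint(html):
    """(sha256 of the tag skeleton, frozenset of content features) for one page."""
    p = SkeletonParser()
    p.feed(html)
    return hashlib.sha256(" ".join(p.tags).encode()).hexdigest(), frozenset(p.features)

def match_known_kits(html, known_kits, threshold=0.8):
    """Best (kit_name, score) over known kit pages, or None if below threshold.
    Identical skeleton scores 1.0; otherwise Jaccard similarity of the features."""
    skel, feats = fingerprint(html)
    best = None
    for name, (k_skel, k_feats) in known_kits.items():
        union = feats | k_feats
        score = 1.0 if skel == k_skel else (len(feats & k_feats) / len(union) if union else 0.0)
        if best is None or score > best[1]:
            best = (name, score)
    return best if best and best[1] >= threshold else None

# Constructed samples: a kit login page, the same kit re-hosted with cosmetic
# changes, and an unrelated legitimate sign-in page.
KIT_PAGE = """<html><body><form action="login.php" method="post"><img src="logo.png">
<input name="email" type="text"><input name="pass" type="password"><input type="submit"
value="Log in"></form><script src="validate.js"></script></body></html>"""
REHOSTED_PAGE = (KIT_PAGE.replace('src="logo.png"', 'src="http://kit-host.example/~u/logo.png"')
                 .replace("Log in", "Sign In"))
LEGIT_PAGE = """<html><head><title>Sign in</title></head><body><div><form action="/signin"
method="post"><input name="username"><input name="password"><button>Go</button></form></div></body></html>"""
KNOWN_KITS = {"kit-A (constructed)": fingerprint(KIT_PAGE)}

if __name__ == "__main__":
    print(match_known_kits(REHOSTED_PAGE, KNOWN_KITS))  # ('kit-A (constructed)', 1.0)
    print(match_known_kits(LEGIT_PAGE, KNOWN_KITS))     # None
```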
Top Phishing Targets
18
According to our “Phingerprinter” system, in May 2017.
(Constrained view of “phish market”)
1 Paypal
2 Google (Docs/Drive/Gmail)
3 Dropbox
4 Chase
5 Barclays
6 Société Générale
7 Apple
8 USAA
9 Wells Fargo
10 Christian Mingle
11 Docusign
12 Generic E-mail
13 Office 365
14 Alibaba
15 Linkedin
16 Bank of America
17 Adobe
18 Kiwibank
19 AOL
20 MS Outlook
Top Phishing Targets
19
1 Google Docs
2 Dropbox
3 Chase
4 Apple
5 Google Drive
6 Docusign
7 Adobe
8 Free Mobile
9 Office 365
10 Paypal
11 Alibaba
According to our “Project Dolphin” system.
(because it’s smart, and eats phish)
This has a *much* broader view of “phish market” than the previous system…
...and it shows that targets are heavily weighted toward “credential phishing” instead of traditional “financial phishing”
Shadow IT and Shadow Data
21
You’ve probably heard of “Shadow IT” (use of unauthorized applications, etc.)
Shadow IT and Shadow Data
22
How about “Shadow Data”? (important data being stored/used outside of normal applications/controls)
Let’s take a look at some data from colleagues at Elastica…
Shadow Data report for 2nd half of 2016
Shadow Data
24
“25% Broadly Shared”
Via analysis of 173M+ files
In popular file sharing apps (Office 365, Dropbox, Box, Google Drive ...)
Or services (Salesforce, AWS, Jive ...)
Top Phishing Targets
27
1 Google Docs
2 Dropbox
3 Chase
4 Apple
5 Google Drive
6 Docusign
7 Adobe
8 Free Mobile
9 Office 365
10 Paypal
11 Alibaba
Remember these?
Notice how many are targeting Cloud storage and e-mail services?
Uh-oh….
Putting it together…
29
1 + 2 = 3
Phishermen are now commonly targeting login credentials to e-mail and various Cloud services
Shadow Data Problem (sensitive data stored in Cloud services, outside of normal controls...)
Phishing isn’t just a problem affecting individual employees. It’s an organization-level threat.
Phishing: Traditional CISO View
30
“What if one of my employees gets phished?”
That’s too bad (for them).
They might lose some of their data or money.
But my organization’s data isn’t at risk.
So I’ll deploy a general anti-spam/anti-phishing solution to protect them.
And go worry about *my* problems.
Phishing: Enlightened CISO View
31
My organization probably has Shadow Data
My employees will be phished for their credentials
Phishing is an organization-level threat
A Closer Look at Phishing Kits: Collecting
33
Via VirusTotal: We found over 2,900 ZIP archives
— (3 GB compressed / 6.8 GB uncompressed)
Via a crawler (Oct. 2016 – Apr. 2017): We found over 6,400 (unique) ZIP archives
— (4.5 GB compressed / 9.3 GB uncompressed)
— From crawling over 13,000 URLs
129 targeted brands
Top kit was seen deployed 98 times
A Closer Look at Phishing Kits: Clustering
34
Attempted clustering into “kit families”
Distance Metric: ratio of shared files between kits
VirusTotal Set:129 clusters
Crawler Set:229 clusters
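The clustering step as an added Python example (not the authors' code): each kit archive is reduced to the set of SHA-256 digests of its member files, the shared-file ratio between two kits is taken to be the Jaccard index of those sets (my reading of the deck's metric), and kits are grouped into families by single-linkage union-find. The three in-memory archives and the 0.5 threshold are constructed for the example.

```python
import hashlib
import io
import zipfile
from itertools import combinations

def kit_files(zip_bytes):
    """SHA-256 digests of the member files of one kit archive (directories skipped)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {hashlib.sha256(zf.read(i)).hexdigest() for i in zf.infolist() if not i.is_dir()}

def shared_ratio(a, b):
    """Ratio of shared files between two kits, read here as the Jaccard index."""
    return len(a & b) / len(a | b) if (a or b) else 0.0

def cluster_kits(kits, min_ratio=0.5):
    """Single-linkage clustering with union-find: two kits sharing at least
    min_ratio of their files fall into the same family. Returns sorted families."""
    parent = {name: name for name in kits}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for x, y in combinations(kits, 2):
        if shared_ratio(kits[x], kits[y]) >= min_ratio:
            parent[find(x)] = find(y)
    families = {}
    for name in kits:
        families.setdefault(find(name), []).append(name)
    return sorted(sorted(f) for f in families.values())

def make_zip(files):
    """Build an in-memory archive from {name: text}; constructed sample data, not a real kit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

COMMON = {"index.php": "<?php /* login form */ ?>", "style.css": "body{}", "img/logo.png": "PNG-A"}
SAMPLE_KITS = {  # kit2 is kit1 plus one extra page; kit3 is unrelated
    "kit1.zip": make_zip(COMMON),
    "kit2.zip": make_zip({**COMMON, "verify.php": "<?php /* second step */ ?>"}),
    "kit3.zip": make_zip({"login.html": "<html>", "brand.png": "PNG-B", "go.js": "x"}),
}

def sample_families(min_ratio=0.5):
    """Cluster the constructed sample kits starting from their archive bytes."""
    return cluster_kits({n: kit_files(d) for n, d in SAMPLE_KITS.items()}, min_ratio)

if __name__ == "__main__":
    print(sample_families())  # [['kit1.zip', 'kit2.zip'], ['kit3.zip']]
```

Raising min_ratio tightens the families; at 0.9 the two related sample kits (3 of 4 files shared) split apart.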
Tracking the Phishermen (by Attack Source)
37
Country Percentage
Nigeria 57%
USA 16%
Malaysia 11%
South Africa 10%
UK 6%
Summary
39
Old-school “financial phishing” is still there…
Spammers / Scammers getting more into Phishing…(Ransomware successes showing value of stealing data?)
Growth of Cloud services means a bigger attack surface for phishing…
Mass-market “credential phishing” is akin to spear-phishing…
Mass-market also means less sophisticated (for now)…
The “Apply” Slide…
40
User training is more important than ever
Make them aware of the Top Targets
— (so they don’t just think of phishing as targeting their bank account)
Re-evaluate your anti-spam/anti-phishing defenses’ coverage
Evaluate CASB-type solutions for tracking Shadow Data use (and add user training about hazards of Shadow Data)
Expect more blurring between phishing and spear-phishing