Anti-Phishing Working Group (Grupo de Trabajo Anti-Phishing)
Phishing: a Case for Information Sharing
Gary Warner, Director of Research in Computer Forensics
Some Phishing Numbers
Phishing: A Case for Information Sharing © The University of Alabama at Birmingham, 2011
New Phish   First Date Seen
616         2011-06-01
647         2011-06-02
429         2011-06-03
340         2011-06-04
377         2011-06-05
752         2011-06-06
681         2011-06-07
742         2011-06-08
569         2011-06-09
485         2011-06-10
271         2011-06-11
360         2011-06-12
674         2011-06-13
In the month of May 2011 the UAB Phishing Intelligence system gathered evidence on 16,351 distinct phishing sites imitating 218 different financial institutions or brands.
In 2011 we’ve seen 85,797 distinct phishing URLs imitating 373 different financial institutions or brands.
We believe that less than 1% of these cases of computer intrusion for purposes of financial and identity theft are investigated as a crime.
In other words, for 99% of these criminals, Crime Pays.
UAB Computer Forensics Research Laboratory
The goal of our research lab is to address this type of disparity in three ways:
#1 – training tomorrow's cybercrime fighters
#2 – providing better tools to law enforcement and investigative support for complex crimes
#3 – educating the public about cyber threats and how to respond to them
Cybercrime Scholars
Since 2007 we have offered graduate students in Computer & Information Sciences or Justice Sciences a "Certificate in Digital Forensics".
Since 2010, undergraduates choosing a major/minor in Computer Science and Criminal Justice could apply for the “Internet Identity Scholarship”. This year four students will have their full tuition paid from a pool of more than twenty applicants.
Beginning in 2011, we also offer a Masters in Computer Forensics & Security Management (MS-CFSM).
We strongly support the APWG “eCrime Researchers Summit” to encourage other academics to pursue cybercrime studies.
Cybercrime Research
Our 35-workstation lab is divided into three areas:
- Spam & Phishing Lab
- Malware & Forensics Lab
- Investigators' Bullpen
The spam & phishing lab provides access to more than 500 million spam email messages in the UAB Spam Data Mine and to the UAB PhishIntel system. More than 200 investigators have accounts to PhishIntel today.
The malware & forensics lab supports local, federal, and international law enforcement on cases involving malware or complex data environments.
Big Computers for Big Evidence
This is a picture of the “Rushmore” cluster
16 Pentium cores on 14 servers = 224 processors dedicated to analyzing cybercrime data
Sharing investigative data with agencies such as:
- Alabama Bureau of Investigation
- FBI Cyber
- DHS's ICE (Immigration and Customs Enforcement)
- the Drug Enforcement Administration's "Pharm & Chem Internet Investigations" team
- Germany's BKA (Bundeskriminalamt)
- the Netherlands High Tech Crime Unit
- the UK's Serious Organised Crime Agency
UAB’s Phishing Process
From “Reeling in Big Phish with a Deep MD5 Net” by UAB’s Wardman, Warner, Turner & McCalley
Typical Phishing Site
Here’s a typical phishing site. This one is hosted on “violinocaffe.com”, a website that has been hacked by the phisher.
After hacking the server, the criminal uploads his “phishing kit” and unpacks it to create this website on that server.
Not all criminals are the same
Without additional data, you do not know which phishing site was created by a twelve-year-old as a prank and which are being run by million-dollar crime syndicates.
Patterns
[Chart: Victims Per Site]
If we agree that some sites have more victims than others, how could we determine this?
How will this impact our behavior?
Patterns
Just because a site captured the most userids and passwords does not mean it is responsible for the greatest financial losses.
How could we tie losses to sites?
Patterns
– In that example, the criminal has created an unfortunate “signature” for himself.
– He sampled the real bank’s website during “Black History Month”.
– Only one criminal group was doing this. We used that information to justify a search.
Which Phishing Group is your priority?
UAB PhishIntel for BBVA
A live phish . . .
Asks for our password
Asks for our Security Questions
Then sends us to Real Bank site
In the BBVA Compass web server logs there will be an HTTP Referer header recording that the customer who has just arrived at our website came from "mojaishrana.info".
This will help us identify customers who may have become victims, and also measure the impact of this particular phish.
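One way to do that referer check over the bank's own access logs, as an added example that is not part of the talk or of UAB's PhishIntel code. It parses "combined" format web server lines, matches the Referer host (and any subdomain of it) against a list of known phishing hosts, and counts distinct client addresses per phishing site, which is the "victims per site" measure discussed earlier. The log lines below are constructed for the example using documentation IP ranges; the two phishing hosts are the ones named in this talk.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" log format; the second quoted field is the Referer header.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hosts known to carry phish against this brand (both names appear in the talk).
KNOWN_PHISH_HOSTS = {"mojaishrana.info", "turnkeyconcepts.com"}

# Constructed sample log lines (not real BBVA Compass logs); RFC 5737 documentation IPs.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jun/2011:06:45:12 -0500] "GET /online-banking/ HTTP/1.1" 200 5123 '
    '"http://mojaishrana.info/bbva/confirm.php" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Jun/2011:06:45:40 -0500] "GET /online-banking/login HTTP/1.1" 200 2210 '
    '"http://mojaishrana.info/bbva/confirm.php" "Mozilla/5.0"',
    '203.0.113.6 - - [13/Jun/2011:07:02:01 -0500] "GET /online-banking/ HTTP/1.1" 200 5123 '
    '"http://MOJAISHRANA.info/bbva/done.php" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Jun/2011:07:10:33 -0500] "GET / HTTP/1.1" 200 8812 '
    '"https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Jun/2011:07:11:02 -0500] "GET / HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [13/Jun/2011:07:20:15 -0500] "GET /online-banking/ HTTP/1.1" 200 5123 '
    '"http://www.turnkeyconcepts.com/Testimonials_files/Bankofamerica.com/Boa/index.html" "Mozilla/5.0"',
    # Look-alike host: must NOT match; suffix checks need the leading dot.
    '192.0.2.45 - - [13/Jun/2011:07:21:00 -0500] "GET /online-banking/ HTTP/1.1" 200 5123 '
    '"http://mojaishrana.info.attacker.example/x.php" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def referer_host(referer):
    """Lower-cased host from a Referer value, or None for empty, "-" or unparseable values."""
    if not referer or referer == "-":
        return None
    if "://" not in referer:
        referer = "http://" + referer
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def matching_phish_host(host, phish_hosts):
    """The known phish host that `host` equals or is a subdomain of, else None."""
    if host is None:
        return None
    for known in phish_hosts:
        if host == known or host.endswith("." + known):
            return known
    return None


def find_phish_referrals(lines, phish_hosts):
    """Log records whose Referer points at a known phishing host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole run
        known = matching_phish_host(referer_host(m.group("referer")), phish_hosts)
        if known:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "phish_host": known, "request": m.group("req")})
    return hits


def victims_per_site(hits):
    """Distinct client IPs per phishing host: a lower bound on 'victims per site'."""
    seen = {}
    for h in hits:
        seen.setdefault(h["phish_host"], set()).add(h["ip"])
    return {host: len(ips) for host, ips in seen.items()}


if __name__ == "__main__":
    hits = find_phish_referrals(SAMPLE_LOG, KNOWN_PHISH_HOSTS)
    for hit in hits:
        print(hit)
    print(victims_per_site(hits))
```

Two caveats a practitioner should keep in mind: the Referer header is supplied by the victim's browser, so it can be absent (a plain "-" when the phish redirects via a script or the browser's referrer policy strips it), which means a customer with no phishing referer is not cleared; and the host comparison must be an exact match or a dotted-suffix match, otherwise an attacker's look-alike such as mojaishrana.info.attacker.example would be counted against the wrong site.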
Seven Steps of a Phishing Investigation
• Spam Analysis
• Site Analysis
• Kit Analysis
• Phish Clustering
• Log Analysis
• Search Warrant Analysis
• Open Source Intelligence
UAB offers training to law enforcement and corporate investigators on the topic of phishing, based on our "Seven Steps of a Phishing Investigation" methodology.
We won't go into deep detail here, as it is intended as an all-day class.
Automated Kit Extraction
– Here’s an example of how the email addresses found in kits are useful.
– Today we had two Bank of America phishing sites that both contained the same “drop email address” – the email account to which the stolen credentials are sent.
Sometimes we learn their email addresses
In this example:
All receive the stolen credentials by email.
UAB PhishIntel
In this example, [email protected] has been found in eight different Paypal phishing sites dating back to March 12th and ranging up to June 14th.
PhishIntel email report
The email report proves that this email address was also used on the websites:
Designhotelbarcelona.com
Mirorestobar.com.uy
Raioreformaseoye.com
Inequal.com
Poderciudadano.com.ar
Adonaimiami.com
Yamburara.com
Dustproductions.se
Three of those were BBVA phish, but six others were Santander phish.
1 phisher – 49 sites
• Using this technique, last week we discovered a phisher using the emails [email protected] and [email protected] who has successfully used 49 phishing sites from May 15 to June 28th.
• 4 Bank of America, 1 Egg Bank, 1 Halifax, 3 HSBC, 1 M&T, 5 Regions Bank, 2 Royal Bank of Canada, 6 Santander, 3 US Bank and 22 sites against the British tax authority, HM Revenue & Customs (HMRC).
Information Sharing
• How would any of those banks know that another bank was investigating this criminal?
Turnkeyconcepts.com
The “Kit” for the phish
Hidden in each of his kits is a backdoor.
See the line that has “eval(base64_decode”?
When we base64 Decode that blob of text, we find the hidden email address:
So, while today's copy of this phishing kit sends its stolen credentials to [email protected], it secretly ALSO sends the stolen data to "f9ih.carlos", which is an alias for "shady-flow".
We’ve seen this 30 times so far this year.
Open Source Intelligence
– The kit reveals that its author was:
• [email protected] – "shady-islam", who on the Arabic-language hacker website "arhack.net" also uses that email as his MSN chat handle, according to his signature.
– Shady-islam signs all of his emails with an anti-Israeli statement about the Jewish oppressors killing apostles and prophets, ending with:
– اللهم حرر المسلمين فى غزة يا ذا الجلال و العزة
– "Oh God, Lord of Might and Glory, free the Muslims of Gaza"
Open Source Intelligence
Here’s Shady-Flow’s Facebook page, where he reveals that he works as a DJ at “FL Studio” in Casablanca, Morocco since February of 2007.
His high school must have been pretty interesting, as it was named “Hacking world.”
UAB Spam Data Mine
– Since we also have the UAB Spam Data Mine, we can search for a copy of the email that sent this phish:
select * from spam_link natural join spam where receiving_date = '2011-06-13' and machine = 'www.turnkeyconcepts.com';
– The matching row:
iid.11Jun13.0645.5834 | www.turnkeyconcepts.com | /Testimonials_files/Bankofamerica.com/Boa/index.html | Bank Of America Alert: You have 1 new Security Message. | Bank Of America N/A | alert.security | bofa.com | 212.5.219.68/32 | 2011-06-13 | | Jun-13-2011 |
Copy of the email from the UAB Spam Data Mine
Security Precaution,
For optimal viewing of the Bank of America Web site, we recommend that you enable CSS.We at Bank Of America work hard to ensure the security of our clients, In carrying out our responsibility, We recently had cause to suspect that there has been attempts to log into your account, There were multiple password failures during the course of the illegal attempt to log into your account. Though the attempts were unsuccesful We need you to re-confirm your account information by filling in your precise and current account information. If this is not completed within the next 8hrs, we will be forced to suspend your account indefinitely.
To re-confirm, Please Sign on and verify your identity:
Sign On
Bank Of America helps you to plan your financial future. Thank you for helping us protect your account
Sincerely,
Bankofamerica.com Security Advisor

The words "Sign On" are a link to the phishing website: http://www.turnkeyconcepts.com/Testimonials_files/Bankofamerica.com/Boa/index.html
“Free” backdoored web kits
These “free” kits contain back doors that cause the users of the kits to actually also send all stolen credentials to the Kit Creators.
Collectively these are known as “Mister Brain Kits” after the most prevalent group doing these scams out of Morocco.
Chase kit "Action" file
The downloader of the kit is instructed that the only thing he has to do is update the "$send" variable in this action file with his own email address.
He misses the "include" statement at the top. The included file populates a new variable "$IP" with the kit author's email address [email protected].
The "send array" at the bottom makes sure that BOTH emails get the stolen data.
A Mister Brain example
Some Success – but still a drop in the bucket
Recently Romanian authorities, working on tips developed with the FBI's Internet Crime Complaint Center (IC3), arrested 70 hackers.
The FBI’s Legal Attache to Romania says cyber criminals in that country steal “hundreds of millions of dollars each year” from North Americans.
Very Organized Crime: Operation Phish Phry
32 Indictments in an example of a US-based organized crime phishing group
Brand Impact varies widely (2011 to date numbers)
# of brands seen   # of sites seen
3                  5000+ sites
12                 1000-4999 sites
59                 100-999 sites
41                 25-99 sites
45                 10-24 sites
46                 5-9 sites
73                 2-4 sites
96                 1 site
Zeus
– Zeus is a “keylogging” botnet responsible for stealing many millions of userids and passwords last year.
– Zeus can also use infected computers for remote control.
– This means they can log in to your bank from your customer’s computer, using the correct userid, password, cookie file, browser, IP address and computer.
Zeus Arrests
– While some criminals who use Zeus were arrested last year in the USA, United Kingdom, and Ukraine, many people have the source code and many criminals are using this botnet software.
– To learn more about the Zeus arrests, read about "Operation Trident Breach" from the FBI.
Zeus & Information Sharing
– In the same way that one criminal attacks many banks with phishing, one criminal also can attack many banks with malware.
– Zeus contains an encrypted “configuration file” that contains a list of URLs. If the user visits any of those URLs, special actions may occur.
Zeus Action Example
– Here is one we decoded last summer:
• Target URL: https://www.bbvacompass.com/contact/
• field 1: <head>
• field 2: </body>
• field 3: <title>Tresury Management wesite is currently unavailable</title></head><body><center><img src="https://e-access.compassbank.com/bbw/brandimage/Login1?t=4" alt=""><br>Due to system maintenance, online Treasury Management will be unavailable for 24 hours. Please try to access this page at a later point or if you have any questions contact our technical support at 1-858-633-0539.</center>
– In this example, when the infected computer loads the bank's "Contact Us" page, everything between the <head> tag and the </body> tag is replaced with a fake "system maintenance" notice, so instead of the bank's real contact details the customer sees a telephone number controlled by the criminal.
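To make the three fields concrete, here is an added Python example (not code from the talk and not Zeus code) that applies a rule of this shape to a page. It assumes the usual web-inject semantics: the text between the first marker and the second is replaced by the third, and when the second marker is empty the third is simply inserted after the first. That reading is consistent with the decoded inject above, which itself closes </head> and opens <body>. The rule is transcribed field for field from the slide (the misspellings are the criminal's); the bank's contact page, its telephone number and the second wildcard rule are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class InjectRule:
    url_mask: str      # URL pattern; '*' matches any run of characters
    data_before: str   # marker after which the injected text starts
    data_after: str    # marker before which it ends ("" = pure insert)
    data_inject: str   # what the victim's browser renders instead


def url_matches(url, mask):
    """Glob-style match of the loaded URL against the rule's mask."""
    pattern = ".*".join(re.escape(part) for part in mask.split("*"))
    return re.fullmatch(pattern, url) is not None


def apply_injects(url, html, rules):
    """Return (html as seen by the victim, list of rule masks that fired)."""
    fired = []
    for rule in rules:
        if not url_matches(url, rule.url_mask):
            continue
        start = html.find(rule.data_before)
        if start < 0:
            continue  # first marker absent: the rule silently does nothing
        start += len(rule.data_before)
        end = start
        if rule.data_after:
            end = html.find(rule.data_after, start)
            if end < 0:
                continue
        html = html[:start] + rule.data_inject + html[end:]
        fired.append(rule.url_mask)
    return html, fired


def targeted_hosts(rules):
    """Hostnames named in the rule masks: what a bank would look for in a decrypted config."""
    hosts = set()
    for rule in rules:
        mask = rule.url_mask if "://" in rule.url_mask else "http://" + rule.url_mask
        host = urlsplit(mask).hostname
        if host:
            hosts.add(host)
    return hosts


# The rule decoded in the talk, transcribed field for field.
BBVA_RULE = InjectRule(
    url_mask="https://www.bbvacompass.com/contact/",
    data_before="<head>",
    data_after="</body>",
    data_inject=(
        '<title>Tresury Management wesite is currently unavailable</title></head><body><center>'
        '<img src="https://e-access.compassbank.com/bbw/brandimage/Login1?t=4" alt=""><br>'
        'Due to system maintenance, online Treasury Management will be unavailable for 24 hours. '
        'Please try to access this page at a later point or if you have any questions contact our '
        'technical support at 1-858-633-0539.</center>'),
)
# Hypothetical second rule: wildcard mask and a pure insert (no data_after).
WILDCARD_RULE = InjectRule(
    url_mask="https://*.bank.example/login*",
    data_before="</form>",
    data_after="",
    data_inject='<div>Please also enter your ATM PIN: <input name="pin"></div>',
)
# Constructed stand-in for the real "Contact Us" page; the phone number is made up.
CONTACT_PAGE = ('<html><head><title>Contact Us</title></head>'
                '<body><h1>Contact Us</h1><p>Call 1-800-000-0000 to reach us.</p></body></html>')

if __name__ == "__main__":
    seen, fired = apply_injects("https://www.bbvacompass.com/contact/", CONTACT_PAGE,
                                [BBVA_RULE, WILDCARD_RULE])
    print(fired)
    print(seen)
    print(sorted(targeted_hosts([BBVA_RULE, WILDCARD_RULE])))
```

Because the injection happens inside the victim's browser after the TLS session is terminated, the bank's server log for the contact page looks perfectly normal; the only server-side signal is the config file itself, which is why the targeted_hosts list from a decrypted config is the thing worth sharing with the other 175 banks it names.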
Zeus Action Example
In that configuration file were found 176 different banking websites.
Unless they also decrypted the config file, none of those banks are aware that they are being targeted by the same criminal.
APWG – the Anti-Phishing Working Group
That is one of the purposes of the Anti-Phishing Working Group. The APWG exists to help banks that are being victimized by cybercriminals share information.

In April, the APWG "Counter-eCrime Operations Summit" is held for technical sharing between the members of the group who work on defending banks. In 2011 this meeting was in Malaysia; in 2010 it was in Sao Paulo, Brazil.

In November, the APWG General Meeting is held together with the "eCrime Researchers Summit", a meeting where we encourage university scientists and researchers to work on problems and build better technology to fight cybercrime.
APWG – the Anti-Phishing Working Group
In addition to sharing between members, the APWG encourages the reporting of new phishing sites so they may be shared with all members.
We also work actively with Law Enforcement. I am the co-chair of the “Working with Law Enforcement” committee, and we look forward to working more closely with law enforcement around the world.
APWG – the Anti-Phishing Working Group
http://www.antiphishing.org/
For more details about meetings, and how to join.
Working with UAB
At UAB, we also work closely with many banks, and with law enforcement. We provide information for free to law enforcement. We encourage banks to support our research through sponsorship, or by becoming a partner in our Center for Information Assurance and Joint Forensics Research.
Working with UAB
UAB is also always looking for students. We offer a Masters degree in "Computer Forensics and Security Management". We are also always looking for Computer Science students to pursue our PhD or Masters degree. We have a Spanish-speaking faculty member, Dr. Thamar Solorio, who would be happy to serve as point of contact for potential PhD students from Spain and the other countries represented today. Thamar specializes in Natural Language Processing and Artificial Intelligence, and works very closely with the UAB Computer Forensics Research Laboratory.

We Want To Help
Gary Warner
Director of Research in Computer Forensics
A Research Partnership between The University of Alabama at Birmingham's Department of Computer & Information Sciences & Department of Justice Sciences
[email protected]
+1.205.422.2113
For PhD student recruiting: Dr. Thamar Solorio, [email protected]
Website: www.cis.uab.edu/forensics/
Blog: garwarner.blogspot.com