Bringing the Fight to Them: Exploring Aggressive Countermeasures to Phishing and other Social Engineering Scams
Allen Zhou
Comp116 Final Presentation

What is Phishing?
● Social Engineering
● Steal credentials, data, or money
● Infect target machine with malware
● Over email, IM, or social media

History of Phishing
● Coined in 1992 on AOL
● Malicious actors asked users to confirm billing info or credentials
● Originally identifiable through poor grammar, shoddily built websites, overly urgent subject matters

The Nigerian 419 Scam
● Name comes from the section of the Nigerian Criminal Code that outlaws it
● Out of the blue, an email arrives from an international individual asking for help to transfer money
● Victim is promised a large sum of money if they can help with the transfer by paying a fee to a “trusted” organization

What is Scambaiting?
● Began in the early 2000s
● Intentionally respond to phishing schemes, especially 419 scams
● Try to waste the phisher’s time and resources as much as possible
● Ask phishers to take embarrassing/funny photos
Phishing is Evolving
● Increasingly intelligent, targeted, and harmful
● Now represents a billion dollar criminal industry
● Phishing kits and mailer programs openly available to criminals

Clone Phishing
● Replicate emails sent from trusted organizations
● Pose as an “update” to a previous email, with a malicious payload

Spear Phishing
● Context aware phishing
● Specifically crafted for a victim
● Pretend to be an organization or individual the victim trusts

Whaling
● One form of Spear Phishing
● Aimed at high profile targets
● Administrators, business executives, government officials
● If successful, incredibly destructive
General Reactive Approach to Phishing
● Avoid phishing links
● Last line of defense is the victim’s own intuition
● Programs to educate employees on how to spot phishing attacks

Machine Learning in Phishing
● In theory, allows Spear Phishing attacks to become scalable
● Precision of Spear Phishing with the broad reach of older phishing attacks
● Already in widespread use today

SNAP_R
● Developed by John Seymour and Philip Tully
● Sample prototype of how machine learning can generate custom tweets for use in Spear Phishing
● Uses Markov models and Long Short-Term Memory neural networks

Current Anti-Phishing Practices are not Enough
● SNAP_R demonstrated a doubled success rate compared to traditional large scale phishing attacks
● Reactive approach does not do enough for these tailored phishing attacks
● Being cautious on traditional phishing platforms is no longer enough

What is today’s Scambaiting?
● As social engineering techniques have become more sophisticated, so has Scambaiting
● Less focused on wasting time, more on actually hacking back

Tech Support Scam
● Reports of the scam from the U.S. began in 2008
● Cold call the victim, saying their computer is vulnerable and must be fixed
● Use Ammyy Admin to perform a remote connection
● Install keyloggers or malware, or steal data and credentials
Hacking Back using Ammyy Admin
● Turn the tables on the scammer by taking advantage of a security flaw in Ammyy Admin
● Used by today’s scambaiters to hack scammers back

The 0 Day
● Developed by Matt Weeks AKA scriptjunkie in 2014
● Available as a module on Metasploit
● Allows arbitrary code to be run on the scammer’s machine once a connection is established

Ethics and Legality of Hack Back
● Very risky, especially when botnet systems come into play
● Attribution problem
● How much hack back is too much?

Active Cyber Defense Certainty Act
● Presented by Georgia Congressman Tom Graves in October 2017
● Allows victims of cyber attacks to perform vigilante justice (hack-back)
● Highly controversial; most security professionals deem it too open ended
● Attribution problem inherent in the act

How should Active Solutions be Constructed?
● Solutions must be ethical, as well as effective
● Must work at the same or greater speed as phishing attacks are being implemented
● Must be intelligent
Honey-Phish
● Prototype presented at ShmooCon 2016 by Robbie Gallagher
● Automates replies to phishing emails with its own phishing link
● When clicked, logs as much info about the phisher as possible
● Messages are built using Markov chains
● Corpus pulled from Reddit’s personal finance forum

Phish Feeding
● Proposed by John Brozycki
● Pump phishing websites full of realistic but fake credentials
● Value of the real data is decreased
● More time is available to shut the site down

Honey Tokens
● Either leave fake tokens in databases so that they can be tracked once a phishing attack occurs, or submit them directly
● Allows law enforcement to track the path of the token and find the original perpetrator of the phishing attack
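As an added example (not from the presentation), a small Python sketch combining the Phish Feeding and Honey Token ideas above: decoy credentials are derived deterministically from a placement label so each one is traceable back to where it was seeded, and login logs are scanned for any use of them. The key, placement names, name lists and log format are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed key; in practice kept server-side and never published.
SEED_KEY = b"constructed-honeytoken-key"
FIRST = ["alice", "brian", "chen", "dana", "eli"]
LAST = ["moreno", "kowalski", "okafor", "singh", "wright"]


def make_decoy(placement, index):
    """Derive one realistic-looking decoy username/password from an HMAC over the
    placement label, so the pair is reproducible and traceable without storing it."""
    digest = hmac.new(SEED_KEY, f"{placement}:{index}".encode(), hashlib.sha256).digest()
    first = FIRST[digest[0] % len(FIRST)]
    last = LAST[digest[1] % len(LAST)]
    number = int.from_bytes(digest[2:4], "big") % 9000 + 1000
    username = f"{first}.{last}{number}@example.com"
    password = digest[4:13].hex()  # 18 hex chars, looks like a generated password
    return username, password


def build_registry(placements):
    """Map each decoy username to the placement it was seeded in: this is the
    honey token registry consulted during detection."""
    registry = {}
    for placement, count in placements.items():
        for i in range(count):
            user, _ = make_decoy(placement, i)
            registry[user] = placement
    return registry


# Assumed log line shape (constructed): "<ts> user=<name> src=<ip> result=<ok|fail>"
LOG_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)")


def detect_decoy_use(log_lines, registry):
    """Return an alert for every login attempt, successful or not, that names a
    decoy user: no real person holds these, so any use means the placement leaked."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("user") in registry:
            alerts.append({"user": m.group("user"), "placement": registry[m.group("user")],
                           "src": m.group("src"), "result": m.group("result")})
    return alerts


# Constructed sample: decoys left in a fake customer export and decoys fed to a
# reported phishing form, then three sample auth log lines.
PLACEMENTS = {"decoy-customer-export": 3, "phish-feed-ticket-1042": 5}
REGISTRY = build_registry(PLACEMENTS)


def sample_alerts():
    leaked_user, _ = make_decoy("phish-feed-ticket-1042", 2)
    logs = ["2024-01-09T03:12:44Z user=real.employee@example.com src=10.0.0.5 result=ok",
            f"2024-01-09T03:13:01Z user={leaked_user} src=198.51.100.7 result=fail",
            f"2024-01-09T03:13:09Z user={leaked_user} src=198.51.100.7 result=ok"]
    return detect_decoy_use(logs, REGISTRY)
```

Running sample_alerts() attributes both attempts to the credentials fed to the phishing form, which is the path law enforcement or the responder would follow.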
Closing Mailer Programs
● Phishers depend on illegal mailer programs to distribute phishing attacks
● Can track down these programs and make them harder for criminals to obtain

Closing Phish Kits
● Phishers rarely write their own packages to perform phishing
● If information about a phishing attack can be compiled, it is feasible to hunt down the origins of phishing kits and shut them down

Action Items
● Still not enough research and development in slowing the rise of social media phishing attacks
● Adopt more aggressive anti-phishing campaigns
● Keep up the reactive educational model
● Be careful out there!