PhishEye: Live Monitoring of Sandboxed Phishing Kits
Xiao Han, Nizar Kheir, Davide Balzarotti
Summary: Motivation, Sandboxed phishing kits, Implementation, Results
All-time high record [APWG Phishing Activity Trends Report, 2nd Quarter 2016]
Motivation
• PKs monitored only after being detected by anti-phishing services
• Details about the entire lifecycle of a phishing kit are still missing
• 71.4% of the domains that hosted phishing pages were compromised websites [APWG global phishing report 2014]
• Know your enemy: Phishing [Honeynet 05]; Evil searching [FC 09]
• Browser plugin: N. Chou [NDSS 04]; User education: P. Kumaraguru [TOIT 10]
• Learning to detect phishing emails [WWW 07]; Discovering phishing dropboxes using email metadata [eCrime 12]
• Detection: Cantina [WWW 07], C. Whittaker [NDSS 10]
• Blocking: Google Safe Browsing (GSB), PhishTank, …
• Take down: Examining the impact of website take-down on phishing [eCrime 07]
• Handcrafted fraud and extortion [IMC 14]
Incomplete and fragmented view of the PK lifecycle
Sandboxed Phishing Kits
• Web honeypot, attacker identification, privacy protection [Credits: Idea Sandbox, Neutronis]
Global picture:
• Attackers, victims, and security researchers
• Phishing blacklist services
• Complete privacy protection
Implementation
• Web honeypot: 5 vulnerable web applications x 100 domain names [D. Canali, NDSS 13]
• PK installation → Attacker identification
  • YES (attacker): attacker tracking, checking
  • NO (victims): client-side data mangling (inject JavaScript to prevent data leakage), server-side protection
Overview
• Five months from September 2015 to the end of January 2016
• 474 phishing kits (PayPal, Apple, Google, Facebook …)
• Lifecycle timeline, measured from upload: Installation 1 min → Testing 10 min → First victim 2 days → Last victim 10 days → Blacklist 12 days
Phishing Attack Global Picture
• Installation was very quick
• 471 attackers (IP, User-Agent): 70% visited the phishing pages, 58% submitted fake credentials
• Only one attempt to use the compromised system to send the phishing emails
• 2,468 potential victims connected to 127 distinct phishing kits; 215 users (9%) posted credentials
• Estimated lifetime is eight days on average
• 98% blacklisted by GSB and PhishTank; average detection latency is 12 days (fire-and-forget approach)
Blacklist Evasion (kit code, PHP)
  // new connection: derive a random directory name
  $random=rand(0,100000000000);
  $md5=md5("$random");
  $base=base64_encode($md5);
  $dst=md5("$base");
  // copy the kit into that directory
  $src="source";
  recursive_copy($src, $dst);
  // redirect the visitor to the fresh copy
  header("location:$dst");
Blacklist Evasion (access log)
[12/Nov/2015:18:57:41] 14.xx.xxx.198 GET /kit/ 302   (first connection)
    User-Agent: curl/7.25.0
[12/Nov/2015:19:01:35] 213.xx.xxx.100 GET /kit/8c5fcf4518e94a9f272d60ee75c309a7 301
    User-Agent: Mozilla/4.0
[12/Nov/2015:19:20:45] 213.xx.xxx.100 GET /kit/8c5fcf4518e94a9f272d60ee75c309a7/redirection.php 200   (reported phishing URL)
    User-Agent: Mozilla/4.0
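Added example, not code from the paper or the PhishEye system: it rebuilds the per-kit timeline measured in the Overview slide (upload, attacker testing, first and last victim) from access-log lines laid out like the excerpt above, using the kit's copy-and-redirect on its first connection as the upload marker. The log sample, the one-hour testing window and the grouping of attacker requests by IP are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed log sample (documentation IPs, not the paper's data); the 32-hex directory is the one on the slide.
SAMPLE_LOG = """\
[12/Nov/2015:18:57:41] 192.0.2.198 GET /kit/ 302 curl/7.25.0
[12/Nov/2015:19:01:35] 203.0.113.100 GET /kit/8c5fcf4518e94a9f272d60ee75c309a7 301 Mozilla/4.0
[12/Nov/2015:19:20:45] 203.0.113.100 GET /kit/8c5fcf4518e94a9f272d60ee75c309a7/redirection.php 200 Mozilla/4.0
[12/Nov/2015:19:22:10] 203.0.113.100 POST /kit/8c5fcf4518e94a9f272d60ee75c309a7/login.php 302 Mozilla/4.0
[14/Nov/2015:19:12:03] 198.51.100.7 GET /kit/8c5fcf4518e94a9f272d60ee75c309a7/login.php 200 Mozilla/5.0
[14/Nov/2015:19:13:40] 198.51.100.7 POST /kit/8c5fcf4518e94a9f272d60ee75c309a7/login.php 302 Mozilla/5.0
[22/Nov/2015:21:05:12] 198.51.100.23 GET /kit/8c5fcf4518e94a9f272d60ee75c309a7/login.php 200 Mozilla/5.0
"""
LINE_RE = re.compile(r"\[(?P<ts>[^\]]+)\] (?P<ip>\S+) (?P<method>GET|POST) (?P<path>\S+) (?P<status>\d{3}) (?P<ua>.*)")
KIT_DIR_RE = re.compile(r"^/kit/(?P<dir>[0-9a-f]{32})(?:/|$)")  # randomised copy made by the kit
TEST_WINDOW = timedelta(hours=1)  # assumption: the attacker's own tests follow the upload closely

def parse_log(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["ts"] = datetime.strptime(row["ts"], "%d/%b/%Y:%H:%M:%S")
            rows.append(row)
    return rows

def kit_timeline(rows):
    # Stages in the deck's order: upload -> testing -> first victim -> last victim
    t = {"random_dir": None, "upload": None, "testing": None,
         "first_victim": None, "last_victim": None, "victim_posts": 0}
    attacker_ips = set()
    for r in rows:
        if r["path"] == "/kit/" and r["status"] == "302":
            # first connection: the kit copied itself to a random directory and redirected
            t["upload"] = t["upload"] or r["ts"]
            attacker_ips.add(r["ip"])
            continue
        m = KIT_DIR_RE.match(r["path"])
        if not m or t["upload"] is None:
            continue
        t["random_dir"] = t["random_dir"] or m.group("dir")
        if r["ip"] in attacker_ips or r["ts"] - t["upload"] <= TEST_WINDOW:
            attacker_ips.add(r["ip"])  # attacker checking the kit; a POST is a fake-credential test
            if r["method"] == "POST" and t["testing"] is None:
                t["testing"] = r["ts"]
            continue
        t["first_victim"] = t["first_victim"] or r["ts"]  # everyone else is a potential victim
        t["last_victim"] = r["ts"]
        if r["method"] == "POST":
            t["victim_posts"] += 1
    return t
```

Running `kit_timeline(parse_log(SAMPLE_LOG))` on the sample gives the deck's shape: testing minutes after upload, first victim about two days later, last victim ten days later.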
Early Victims
[Figure: victims before vs. after blacklisting]
Flash Crowd Effect
[Figure: visitors before vs. after blacklisting]
Third-party visitors:
• Universities
• Security vendors
Real-time Drop Email Detection
• 68 distinct drop email addresses (Gmail, Yahoo, …)
• Only 4 were disabled or unreachable
Conclusion
• Novel approach to sandbox live phishing kits
• Observe the entire lifecycle of a phishing kit
• Findings
  • Attackers manually test their PKs
  • Separate hosting and spamming infrastructures
  • Many PKs with few victims each
  • Blacklists are very effective at protecting users, but detection is not fast enough
  • Attackers move quickly between PKs once they get blacklisted
Appendix: Elimination of Other Malicious Files
• Heuristics
• Manual classification
Appendix: Data Exfiltration by Client-Side Side Channels
• Disguised as an HTML img
• Defeated by our client-side protection