The Art of Phishing: What you should know
Arvind Vishwakarma
05/24/2019
Agenda
1. Phishing – In a Nutshell
2. Phishing – Types & Techniques
3. Phishing – Stats & Modern Trends
4. Case Study
5. Stay Safe
Speaker
ABOUT ME
● Penetration Tester with 7 years of experience
● Currently working with Rapid7 - Singapore
KEY AREAS OF INTEREST
● Penetration Testing (Network & Web Apps)
● Social Engineering (Electronic)
● Internet of Things
BLOGS & PUBLICATIONS
● http://resources.infosecinstitute.com/author/arvindvishwakarma
TWITTER
● Find_Arvind
Arvind Vishwakarma, Penetration Tester
Phishing - In a Nutshell
Image Source: cio.com
Types of Phishing Attacks
Spear Phishing
★ Targeting a specific group of individuals & companies.
★ General background information is collected to make the emails specific.
★ Example: EFF attack (https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff)
Whale Phishing
★ Targeting specific individuals.
★ Intensive research is done to collect specific information related to the individuals' roles.
★ Example: Snapchat attack (https://searchsecurity.techtarget.com/definition/whaling)
Clone Phishing
★ Cloning legitimate emails received by the victims.
★ Legitimate links and attachments are replaced with malicious ones.
Common Phishing Techniques
Link Spoofing
★ Making a malicious URL appear as an authentic URL.
★ Example: authentic URL thelegitbank.com vs. shady URL theleg1tbank.com (the letter "i" replaced by the digit "1").
Website Spoofing
★ Spoofing a website to make it appear as a legitimate, authentic site using JavaScript and Flash.
★ Examples: spoofed websites msfirefox.com & msfirefox.net
Malicious Redirects
★ Forcibly redirecting users to attacker-controlled websites.
★ Examples: compromising websites and placing code in them to redirect visitors to malicious sites.
Phishing - Stats
91% of cyberattacks start with phishing
92% of malware spreads through phishing
90% of security incidents and breaches include a phishing element
76% of organizations reported they experienced phishing attacks
98% of social media account takeovers (ATO) are through phishing
Sources: Verizon DBIR 2018, PhishMe Stats, CSO Online, Check Point Research, Rapid7 QTR
Phishing – Modern Trends
Phishing sites now use legitimate HTTPS
Image Source: https://krebsonsecurity.com/2018/11/half-of-all-phishing-sites-now-have-the-padlock/
Phishing – Modern Trends
SaaS providers are now targeted for phishing
Phishing – Modern Trends
File-less phishing attacks
Image Source: https://www.forbes.com/sites/forbestechcouncil/2019/01/10/four-phishing-attack-trends-to-look-out-for-in-2019/#3a106a824ec2
Phishing – Modern Trends
Phishing inside shared folders
Image Source: https://www.microsoft.com/security/blog/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/
Phishing – Modern Trends
SMS phishing (smishing) – using cell phone text messages to deliver the bait that induces people to act
Source: https://www.channelnewsasia.com/news/singapore/phishing-scam-dbs-posb-customers-fake-sms-police-10957456
Phishing – Modern Trends
Vishing – voice phishing carried out through phone calls
Image Source: http://www.carmelowalsh.com/2015/07/phishing-and-vishing-attacks-are-up/
Phishing Attacks: Case Study
Study the Target → Select Phishing Site → Create Phishing Email → Send Phishing Email → Capture Credentials / Execute Code
Phishing Attacks: Case Study
Step 1: Attacker studies the Target Organization (e.g. Rapid7)
Public-Facing Domains
• Looks for the corporate website, webmail, VPN login pages, customer portals, file transfer portals etc.
• Gathers information about the domain he chooses to target.
Employee Data
• Gathers employee email IDs (through LinkedIn, Hunter.io, Data.com etc.)
• Generates a list of email IDs for the attack.
Phishing Attacks: Case Study
Step 2: Selects the Target Domain
• Attacker chooses a file transfer portal (insight.rapid7.com)
• Registers a fake domain (insight-rapid7.com)
• Categorizes the domain to bypass filtering
Phishing Attacks: Case Study
Step 3: Attacker creates the Phishing Email (Pretext)
Pretexting is the process of using the collected information to craft a realistic communication to the target that is believable enough to get them to act upon it.
• Builds the pretext around the public-facing file transfer portal. For example: sending an email saying that an invoice has been submitted through the file transfer portal.
• Employee appraisal letters, compensation letters, tax letters.
• Creating a sense of urgency or fear.
• Personalizing the pretext.
Phishing Attacks: Case Study
Step 4: Phishing Email Sent
Phishing mail with the phishing link.
Phishing Attacks: Case Study
Step 5: Capturing Credentials
Victim clicks on the phishing link and is redirected to the login portal; the attacker captures the credentials.
Phishing Attacks: Case Study
Attacker sets up Phishing Redirection
Capturing the Credentials
• Clones the original file transfer portal to capture user credentials.
• Redirects to the payload hosted on the domain after capturing the user credentials.
Executing the Payload
• Payload drops on the system and executes.
• Attacker gets a connection back from the payload on his C&C server.
Phishing Attacks: Case Study
Step 5: Payload drops on the target system
Phishing Attacks: Case Study
A Word on Payloads
Delivering a malicious payload via a phishing email is the most direct and reliable way to get the attacker's code executed on a victim's machine.
• Malicious payloads are sent as attachments (for example: HTA, ClickOnce, LNK).
• Payloads are embedded in the form of macros in Office documents.
• Attackers are making stealthier payloads using obfuscation techniques, adding sandbox checks etc.
• Tools like Unicorn, SharpShooter, Veil etc. all aid in making good payloads.
Phishing – Stay Safe
• Think twice before giving PII or financial info
• Be proactive – educate yourself
• Enable 2-factor authentication
• Report phishing emails
• Conduct awareness training
• Conduct phishing simulations
Thank You.
Email: apacsales@rapid7.com
Visit: http://rapid7.com