![Page 1: InfoSec Research and Outreach: Anti-Phishing · 2019-12-04 · • Empirically test anti -phishing detection/reporting systems • Empirically test criminals’ evasion techniques](https://reader033.vdocument.in/reader033/viewer/2022042314/5f03055a7e708231d4072540/html5/thumbnails/1.jpg)
InfoSec Research and Outreach: Anti-Phishing
Launched in 1999
295 million active accounts
Available in 200+ markets
100+ currencies
PayPal: a digital payments leader
PayPal is at the forefront of the digital payment revolution. By leveraging technology to make financial services more convenient, affordable, and secure, the PayPal platform is empowering 295 million people and businesses in more than 200 countries to join and thrive in the global economy.
© 2019 PayPal Inc. Confidential and proprietary.
An unrivaled two-sided platform
Consumers:
• Provide solutions to help people manage and move money
• Offer credit services that are accessible and cost effective
• Facilitate simple, secure payments across devices
• Deliver flexibility with payment options globally, across platforms and merchants
Merchants:
• Power all aspects of digital checkout online, on mobile and in store
• Provide seamless credit solutions to enable growth
• Help identify fraud and improve risk management
• Offer tools and insights to attract new customers and increase sales
Designed to drive growth and differentiate us from our competitors
Unique perspectives on the evolving Information Security landscape
• Data Protection
• Global Expanding Risks
• Profitable Cybercrime
Continual adaptation is critical to meeting scale and pace of change
Phishing continues to top the list of attack vectors
Leading the pack
Source: https://smallbiztrends.com/2019/07/phishing-statistics.html
Current Phishing Trends
• Advanced phishing kits harvest more than just account credentials
• Full identity
• Credit cards
• Bank details
• ID documents
• Heavy use of redirection links (bit.ly, tinyurl.com, etc.)
• Makes detection of phishing e-mails more difficult
• Attackers can change landing pages retroactively to bypass mitigations
• Attackers exploit gaps in the response time and detection capabilities of browser blacklists
Img src: QuickHeal Security
Primary Detection Methodology
(flow diagram) Inputs: Reported [email protected], External intelligence, Internal data sources
• Inputs feed a pool of Phishing URLs
• Automated Review handles all threats
• Manual Review handles priority threats
• Research & Investigation handles sophisticated threats
• Outputs: Blacklists / AV Vendors, Takedown
General Anti-phishing Mitigations
• Malicious URL blacklisting (Google Safe Browsing, Microsoft SmartScreen, enterprise AV vendors)
• Report URLs to the ecosystem
• Malicious infrastructure takedown
• Contact web hosts, domain registrars, or site owners
• Account flagging
• Use threat intelligence to secure potentially-phished accounts before damage happens
• Credential flagging
• Secure affected accounts once credentials are exposed on the dark net
• Criminal investigations
• User awareness
Sophisticated Phishing Site Example
Modern Phishing Sites Copy Full Homepage
Example Flow
Fake transaction confirmation w/ dispute link
hxxps://kapsadokyatatil.com/aserdoun.php
(differs from landing page)
Advanced Phishing Kits
• Language and questions automatically change based on the user’s location / browser settings
• At the end of the flow, the user is shown a success message to eliminate suspicion
• Victims are often redirected to PayPal.com’s anti-phishing resource pages
Source: https://research.checkpoint.com/a-phishing-kit-investigative-report/
Ecosystem Outreach
Anti-Phishing Ecosystem Vulnerabilities
• Google Safe Browsing susceptible to evasion
• Phishing kits commonly include IP filters which redirect non-victims (e.g. crawlers) to benign sites
• Lag time of up to 2 hours before blacklisting occurs
• Mobile browsers still do not receive the full phishing blacklist
• Re-exploitable infrastructure / bulletproof hosting effectively defeats blacklisting
• Lack of protocols to provide ecosystem with actionable evidence when automated detection fails
• Limited controls and reporting for SMS / phone phishing
• Takedowns are slow
• Cooperation of web hosts / ISPs required
• Grace period exploited by criminals
• Free SSL certificates easy to obtain
• No checking for blacklisted domains (Let’s Encrypt)
Ecosystem Security Innovation
DMARC prevents this type of attack!
1. Sender Policy Framework (SPF): servers authorized to send email
2. DomainKeys Identified Mail (DKIM): digital signing of all email
3. DMARC policy published: request verification of all email purporting to be from PayPal.
Phishing – DMARC
(diagram) Sender and Spoof both attempt delivery to the Mailbox Provider; DMARC Policy Enforcement at the provider decides what reaches the End User; DMARC Reports flow back to Support Services & Tools (Analytics, Alerting, Auditing, etc.) and yield Actionable Intelligence
PayPal
• Authenticating all email sent by or on behalf of PayPal (RFC 7489)
• Operationalized – Customers and Employees
• DMARC had rejected over 275,000 messages in only 15 days
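The three-step chain on this slide (SPF, DKIM, then a published DMARC policy that ties both to the visible From: domain) as an added worked example in Python. This is not code from the slides or from PayPal; the DNS TXT records, domains and IP addresses in it are constructed stand-ins, and the SPF evaluator is deliberately minimal.

```python
# Added example (not from the slides): how SPF, DKIM and a published DMARC
# policy combine so a receiver rejects a message whose From: claims a domain
# it is not authorized to use. Runs offline: every record, domain and IP
# below is a constructed stand-in, not PayPal's real configuration.
import ipaddress
from dataclasses import dataclass

# Constructed DNS TXT records a receiving mail server would look up.
DNS_TXT = {
    "paypal-example.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.paypal-example.test":
        "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@paypal-example.test",
    "attacker.test": "v=spf1 ip4:198.51.100.0/24 -all",
    # attacker.test publishes no _dmarc record; the policy that matters is the
    # one for the domain shown in the From: header.
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_ip, mail_from_domain, dns=DNS_TXT):
    """Minimal SPF evaluation: only ip4:/ip6: mechanisms and the final 'all'.
    Real evaluators also handle include:, a, mx, redirect= and lookup limits."""
    txt = dns.get(mail_from_domain, "")
    if not txt.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in txt.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qual]
        elif term == "all":
            return QUALIFIER[qual]
    return "neutral"


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(host):
    """Organizational domain approximated as the last two labels.
    Production code uses the Public Suffix List (co.uk and friends)."""
    return ".".join(host.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    from_domain: str        # domain of the RFC5322.From header the user sees
    sender_ip: str          # connecting IP
    mail_from_domain: str   # RFC5321.MailFrom (envelope) domain SPF is checked on
    dkim_result: str        # "pass" / "fail" / "none" from signature verification
    dkim_domain: str        # d= tag of the DKIM signature, "" if unsigned


def dmarc_disposition(msg, dns=DNS_TXT):
    """Return 'pass', or the policy's disposition ('none', 'quarantine',
    'reject') when neither SPF nor DKIM both passes and aligns with From:."""
    record = (dns.get("_dmarc." + msg.from_domain)
              or dns.get("_dmarc." + org_domain(msg.from_domain)))
    if record is None:
        return "none"  # no published policy: DMARC does not apply
    tags = parse_dmarc(record)
    spf_ok = (spf_check(msg.sender_ip, msg.mail_from_domain, dns) == "pass"
              and aligned(msg.mail_from_domain, msg.from_domain, tags.get("aspf", "r")))
    dkim_ok = (msg.dkim_result == "pass"
               and aligned(msg.dkim_domain, msg.from_domain, tags.get("adkim", "r")))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


# Constructed scenarios.
LEGIT = Message("paypal-example.test", "203.0.113.25", "paypal-example.test",
                "pass", "paypal-example.test")
# Spoof: SPF passes for the attacker's own envelope domain, but the From:
# header claims paypal-example.test, so nothing aligns and p=reject applies.
SPOOF = Message("paypal-example.test", "198.51.100.7", "attacker.test", "none", "")

if __name__ == "__main__":
    for name, msg in (("legitimate", LEGIT), ("spoofed", SPOOF)):
        print(f"{name}: {dmarc_disposition(msg)}")
```

The spoofed message passes SPF for the attacker's envelope domain; what DMARC adds is the alignment check against the From: domain the user actually sees, which is why a receiver honouring p=reject can drop it even though one authentication step succeeded. A production receiver additionally needs the Public Suffix List for relaxed alignment, the full SPF mechanism set and real DKIM signature verification.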
![Page 25: InfoSec Research and Outreach: Anti-Phishing · 2019-12-04 · • Empirically test anti -phishing detection/reporting systems • Empirically test criminals’ evasion techniques](https://reader033.vdocument.in/reader033/viewer/2022042314/5f03055a7e708231d4072540/html5/thumbnails/25.jpg)
PP Research & Emerging Phishing Detection Methodologies
1. “PhishFarm”
• Empirically test anti-phishing detection/reporting systems
• Empirically test criminals’ evasion techniques
• Motivate improved phishing detection and performance at the ecosystem level (e.g. new standards)
• Research collaboration with Arizona State University (ASU)and APWG (Anti-phishing Working Group), published at IEEE S&P 2019
Victim Traffic by Browser
Mobile browsers still poorly mitigate phishing
(bar chart; y-axis: share of victim traffic, 0% to 60%; x-axis: Chrome, Mobile Chrome, Firefox, Safari, Mobile Safari, Samsung Browser, IE, Edge; series: Before attack detection, After attack detection)
PP Research & Emerging Phishing Detection Methodologies
2. “Golden Hour”
• Leverage web events to identify phishing sites before and during deployment
• Proactively identify affected customers before they realize they have fallen victim
• High visibility into known attacks
“Golden Hour” Methodology
(diagram) PP JS/resource web events (on phishing sites) → Event URLs → Phishing domains; correlated with Known PP phishing sites and Phishing victim traffic
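One way to turn the “web events” in this diagram into detection logic, as an added example that is not part of the slides or of PayPal's pipeline: a phishing page copied from the genuine site usually keeps loading images, scripts and stylesheets from the genuine host, so that host's access logs carry a Referer header naming the phishing site, often from the kit author's own preview before any victim arrives. The log lines, hostnames, IP addresses and trusted-host list below are constructed.

```python
# Added example (not from the slides): turning asset requests that carry an
# untrusted Referer into candidate phishing hosts with first-seen time and
# distinct client counts. Log lines, hosts, IPs and the trusted-host list are
# constructed; only the standard library is used.
import re
from datetime import datetime
from urllib.parse import urlsplit

# Combined log format (Apache/nginx style) with Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRUSTED_HOSTS = {"www.paypal-example.test", "paypal-example.test"}  # hypothetical own hosts
WATCHED_PREFIXES = ("/images/", "/js/", "/css/")  # static assets a copied page keeps loading

# Constructed access-log lines for the genuine site.
SAMPLE_LOG = [
    # genuine page referring to its own asset: ignored
    '203.0.113.5 - - [04/Dec/2019:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 1234 '
    '"https://www.paypal-example.test/signin" "Mozilla/5.0"',
    # direct request, no referer: ignored
    '203.0.113.6 - - [04/Dec/2019:10:00:05 +0000] "GET /js/app.js HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    # kit author previewing the copied page: the event arrives before any victim
    '198.51.100.20 - - [04/Dec/2019:10:02:10 +0000] "GET /images/logo.png HTTP/1.1" 200 1234 '
    '"http://secure-login.example.net/pp/signin.php" "Mozilla/5.0"',
    # victims an hour later
    '192.0.2.44 - - [04/Dec/2019:11:05:42 +0000] "GET /images/logo.png HTTP/1.1" 200 1234 '
    '"http://secure-login.example.net/pp/signin.php" "Mozilla/5.0 (iPhone)"',
    '192.0.2.45 - - [04/Dec/2019:11:07:13 +0000] "GET /css/main.css HTTP/1.1" 200 555 '
    '"http://secure-login.example.net/pp/verify.php" "Mozilla/5.0"',
    # untrusted referer on a non-asset path: not a copied-asset event, ignored here
    '192.0.2.80 - - [04/Dec/2019:11:30:00 +0000] "GET /signin HTTP/1.1" 200 4321 '
    '"http://verify-account.example.org/" "Mozilla/5.0"',
    "not a log line",
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def referer_host(referer):
    """Hostname of the Referer URL, or None for direct requests and junk values."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def candidate_phishing_hosts(lines, trusted=TRUSTED_HOSTS):
    """Group watched-asset requests by untrusted Referer host. Returns
    {host: {"first_seen": datetime, "clients": set(ip), "paths": set(referer path)}}.
    Each entry is a lead for review, not a verdict."""
    out = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(WATCHED_PREFIXES):
            continue
        host = referer_host(rec["referer"])
        if host is None or host in trusted or host.endswith(tuple("." + t for t in trusted)):
            continue
        entry = out.setdefault(host, {"first_seen": rec["time"], "clients": set(), "paths": set()})
        entry["first_seen"] = min(entry["first_seen"], rec["time"])
        entry["clients"].add(rec["ip"])
        entry["paths"].add(urlsplit(rec["referer"]).path)
    return out


def victim_count(entries, host):
    """Distinct client IPs seen loading assets from the given referer host."""
    return len(entries[host]["clients"]) if host in entries else 0


def report(entries):
    """Candidates ordered by first sighting: (first_seen, host, distinct clients)."""
    return sorted((e["first_seen"], h, len(e["clients"])) for h, e in entries.items())


if __name__ == "__main__":
    for first, host, n in report(candidate_phishing_hosts(SAMPLE_LOG)):
        print(f"{first:%Y-%m-%d %H:%M:%S} {host} clients={n}")
```

The first sighting of secure-login.example.net is the kit author's preview at 10:02, an hour before the first victim, which is the window the slides call the golden hour. The client set for a flagged host is also the starting point for proactively contacting affected customers; in practice the Referer is absent on some browsers and referrer policies, so this signal complements rather than replaces the URL feeds.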
3. “FuturePhish”
• Leverage threat intelligence feeds to identify defaced websites
• Use passive DNS to detect other hostnames associated with the defaced (malicious) infrastructure
• Augment existing phishing URL feeds and expedite mitigation
FuturePhish: At time of defacement
(diagram) defaced hostname → IP → Associated Domains (potentially malicious)
FuturePhish: 14 days later
(diagram) IP → Associated Domains (potentially malicious), some of which are now Associated Domains (confirmed malicious)
FuturePhish
• Use machine learning to predict which associated domains turn malicious
(diagram) Associated Domains (predicted malicious)
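The pivot described across the three FuturePhish slides, as an added example that is not the slides' or PayPal's code: a defacement feed names hosts whose hosting is demonstrably compromised, passive DNS maps each to its IPs and back to the other hostnames that resolved there, a phishing feed received later confirms some of them, and a scorer ranks the rest. The passive DNS records, feeds, token list and weights are constructed; the scorer is a hand-weighted stand-in for the machine-learning model the slide mentions, and the feature extractor is where such a model would plug in.

```python
# Added example (not from the slides): defacement feed -> passive DNS pivot ->
# associated hostnames -> later confirmation and a simple predictive score.
# All records, feeds, tokens and weights are constructed stand-ins.
from collections import defaultdict
from datetime import date

# Constructed passive DNS observations: (hostname, ip, first_seen, last_seen)
PDNS = [
    ("blog.cheap-hosting.test", "192.0.2.10", date(2019, 9, 1), date(2019, 11, 20)),
    ("shop.cheap-hosting.test", "192.0.2.10", date(2019, 9, 5), date(2019, 11, 20)),
    ("paypa1-secure-login.test", "192.0.2.10", date(2019, 11, 18), date(2019, 11, 20)),
    ("account-verify.test", "192.0.2.10", date(2019, 11, 19), date(2019, 11, 20)),
    ("blog.cheap-hosting.test", "192.0.2.11", date(2019, 11, 19), date(2019, 11, 20)),
    ("news.cheap-hosting.test", "192.0.2.11", date(2019, 6, 1), date(2019, 11, 20)),
    ("unrelated.test", "198.51.100.9", date(2018, 1, 1), date(2019, 11, 20)),
]
DEFACED = {"blog.cheap-hosting.test": date(2019, 11, 19)}   # defacement feed: host -> date
CONFIRMED_14D = {"paypa1-secure-login.test"}                 # phishing feed, 14 days later
BRAND_TOKENS = ("paypa", "secure", "login", "verify", "account")  # constructed lexical cues
MAX_HOSTS_PER_IP = 50  # skip IPs shared by many hosts: large shared/CDN hosting is noise


def build_indexes(pdns):
    """Forward and reverse maps: host -> {ip}, ip -> {host}."""
    host_to_ips, ip_to_hosts = defaultdict(set), defaultdict(set)
    for host, ip, _first, _last in pdns:
        host_to_ips[host].add(ip)
        ip_to_hosts[ip].add(host)
    return host_to_ips, ip_to_hosts


def pivot(defaced, pdns, max_hosts_per_ip=MAX_HOSTS_PER_IP):
    """{hostname: {ip, ...}} for every host that shared an IP with a defaced host."""
    host_to_ips, ip_to_hosts = build_indexes(pdns)
    associated = defaultdict(set)
    for victim in defaced:
        for ip in host_to_ips.get(victim, ()):
            neighbours = ip_to_hosts[ip]
            if len(neighbours) > max_hosts_per_ip:
                continue  # too crowded to be a useful association
            for host in neighbours - set(defaced):
                associated[host].add(ip)
    return dict(associated)


def first_seen(host, pdns):
    return min(f for h, _ip, f, _l in pdns if h == host)


def features(host, ips, defaced, pdns):
    """Hand-picked features a model could be trained on."""
    seen = first_seen(host, pdns)
    near_defacement = any(abs((d - seen).days) <= 7 for d in defaced.values())
    return {
        "brand_tokens": sum(tok in host for tok in BRAND_TOKENS),
        "registered_near_defacement": int(near_defacement),
        "shared_ips": len(ips),
    }


def score(feat):
    """Constructed weights standing in for a trained classifier."""
    return 2 * feat["brand_tokens"] + 3 * feat["registered_near_defacement"] + feat["shared_ips"]


def predict(defaced, pdns, threshold=4):
    """Associated hosts whose score reaches the threshold: {host: score}."""
    scored = {}
    for host, ips in pivot(defaced, pdns).items():
        s = score(features(host, ips, defaced, pdns))
        if s >= threshold:
            scored[host] = s
    return scored


def evaluate(predicted, confirmed):
    """(true positives, false positives, false negatives) once the later feed is in."""
    tp = len(predicted & confirmed)
    return tp, len(predicted) - tp, len(confirmed) - tp


if __name__ == "__main__":
    pred = predict(DEFACED, PDNS)
    print("predicted:", pred)
    print("tp/fp/fn after 14 days:", evaluate(set(pred), CONFIRMED_14D))
```

On the constructed data the pivot yields four associated hosts; two score above the threshold, and the 14-day feed confirms one of them, which is the precision/recall trade-off a real model would be tuned on. The per-IP cap matters in practice: a defaced site on a large shared host would otherwise drag in hundreds of unrelated domains.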
Summary
Success: