Phishing - TechWorld event
TRANSCRIPT
Phishing
Exciting horror stories
and the very boring
antidote
EXPECTATIONS WHAT YOU’LL KNOW, AND NOT KNOW, AFTER I’M DONE WITH YOU
WHAT YOU WILL KNOW
• How someone can be stupid enough to wire $46.7 million to an offshore account without making sure the mail asking you to do so is legit.
• How the phishing attack is carried out
• Some really embarrassing examples (…and some less embarrassing ones)
• How you can prevent phishing … and why you probably won’t succeed
WHAT YOU WON’T KNOW
• Anything revolutionizing
BIO OR – WHO AM I TO TELL YOU WHAT TO DO
HANNA LIDZELL
WORK?
• Works with MSS Services
• IDS and SIEM solutions
• Background in operations
• SEC-T
• Collector of stories and images
SO WHAT DOES THIS MEAN? … meetings
CASE STUDIES HORROR STORIES FROM THE REAL WORLD
CLARA THE CLASSMATE & the Facebook scam
FREDERICK THE FRIEND & the Netflix account
AN AUNT & the targeted attack
UBIQUITY & the really stupid wire transfer
THE FACEBOOK SCAM
CLARA: hellu
HANNA: Hi!
CLARA: What’s up?
HANNA: Sure thing. I’d love to help out if I can be of assistance.
CLARA: Thanks!
HANNA: sooo.. What do you need?
CLARA: I really need to pay a bill but my bank account thingie has stopped working, do you have yours close by? @home? thought I’d check if you’re up for helping me out real quickly. Or, what’s your bank?
HANNA: Handelsbanken.
CLARA: Great. I have HSB too
CLARA THE CLASSMATE CLICKS AN UNFORTUNATE LINK
THE FACEBOOK SCAM: CAUSE AND RESOLUTION
WHAT CLARA DID WRONG
• Clicked a clickbait link
• Filled in her account information
WHAT CLARA DID RIGHT
• Told her friends
• Logged out from all devices
• Changed her Facebook password
• Didn’t change the password everywhere
THE NETFLIX ACCOUNT
FREDERICK THE FRIEND
• 28 y/o
• Tech-savvy
• Slightly hung over
• Bank troubles
• New email client
• Already logged in to Netflix
FREDERICK THE FRIEND HAS A CASE OF BAD LUCK
MY AUNT
• Works at a large Swedish corporation
• Indian tech support scam
MY AUNT IS TARGETED IN A MORE SOPHISTICATED WAY
UBIQUITY & THE STUPIDLY LARGE MONEY TRANSFER
$46.7 MILLION
“employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department.”
“The investigation uncovered no evidence that our systems were penetrated or that any corporate information, including our financial and account information, was accessed. The investigation found no evidence of employee criminal involvement in the fraud.”
HOW IT MIGHT HAVE HAPPENED: BUSINESS EMAIL COMPROMISE
SPOOFED EMAIL
A spoofed email impersonating a CEO/CIO requesting/approving the transfer, with continual follow-up.
TARGETED (SPEAR) PHISHING
Phishing targeting a CEO/CIO, resulting in access to company email and the ability to request/approve the transfer from a legitimate account. Once the credentials to the trusted account have been uncovered, the attacker can contact users within the organization without triggering any alerts.
MASS-ATTACKS
• Wide-spectrum attacks targeting a large audience
• Hit or miss, active for a short period of time
• Low success rate (0.2% – 5%)
• Low profit per success
• Collecting and selling data
• Often detected by IDS, threat-intelligence or host-protection tools
SPEAR PHISHING
• Targeted attacks
• Well researched
• Small attack surfaces
• Attack tailored to target
• Specific goal
• Difficult to detect
WHY PHISHING WORKS
LACK OF KNOWLEDGE…
… of computer systems
… of security indicators
VISUAL DECEPTION
… deceptive text
… deceptive images
… deceptive windows
… look & feel
BOUNDED ATTENTION
… lack of attention to security indicators
… lacking attention to absence of security indicators
Credit: Dhamija, R., Tygar, J.D., & Hearst, M. (2006), “Why Phishing Works”
So how do we fix it?
You can’t
RISK MITIGATION
• Awareness training
• Good support systems
• Be serious about your security policy
• Help your users understand your security policy
• Lead by example
• Be a good person
LEADING BY EXAMPLE
https://privat.ib.seb.se/wow/1000/1000/wow1020.aspx
• Ridiculous URL
• Old copyright stamp (2011)
• Sloppy graphics
• Doesn’t adapt to screen
https://secure.handelsbanken.se/bb/glss/servlet/ssco_auth2?appAction=doAuthentication&path=ssse&entryId=privformse&language=sv&country=SE
• Doesn’t adapt to screen
• Looks like my ‘make your own webpage’-project from fifth grade
• Crazy long URL
https://internetbanken.privat.nordea.se/nsp/login
• Again, fifth grade project
• Inaccurate description of SSL/TLS padlock
https://internetbank.swedbank.se/idp/portal/identifieringidp/idp/dap1/ver=2.0/rparam=execution=e1s2
• No copyright date
LEADING BY EXAMPLE
BE A GOOD PERSON
POP QUIZ! WHERE WILL WE END UP?
http://www.test/example.com/test/test2/destination
http://www.example∕domaine.com.name/test/test2/destination
http://www.test.com/example.com/destination.url
http://www.test.com.example.com/example.com/destination.url
http://testsite.com:[email protected]
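The quiz above and the bank login pages from the “leading by example” slides make the same point: the only part of a URL that decides where you end up is the host, and everything else (userinfo before an “@”, look-alike characters, a familiar domain name tucked into the path or used as a subdomain) is there to distract from it. The following is an added example written for this transcript, not code from the talk: it parses the quiz URLs with Python’s standard urllib and reports the host the browser will actually connect to, together with the tricks that hide it. Two of the talk’s bank URLs are included to show that a long, ugly URL still resolves to the bank’s own domain. The last quiz entry was mangled in this transcript, so a constructed userinfo URL (attacker.example, a placeholder) stands in for it; the slash look-alike in the second URL is taken here to be U+2215 DIVISION SLASH, an assumption.

```python
import unicodedata
from urllib.parse import urlsplit

# Inputs: the talk's quiz URLs and two of its bank login URLs, plus one constructed
# userinfo URL (marked) standing in for the quiz entry this transcript mangled.
URLS = [
    "http://www.test/example.com/test/test2/destination",
    # U+2215 DIVISION SLASH looks like '/' but is just another host character
    "http://www.example\u2215domaine.com.name/test/test2/destination",
    "http://www.test.com/example.com/destination.url",
    "http://www.test.com.example.com/example.com/destination.url",
    "http://testsite.com:80@attacker.example/login",  # constructed: userinfo trick
    "https://secure.handelsbanken.se/bb/glss/servlet/ssco_auth2?appAction="
    "doAuthentication&path=ssse&entryId=privformse&language=sv&country=SE",
    "https://internetbanken.privat.nordea.se/nsp/login",
]
TLDS = {"com", "net", "org", "se", "name"}  # illustrative set for the path check


def effective_host(url: str) -> str:
    """The host the browser connects to: the authority after any 'user:pass@',
    before any ':port', lower-cased. The path and query never change it."""
    return urlsplit(url).hostname or ""


def owning_domain(host: str) -> str:
    """Naive 'last two labels' owner; real tooling uses the Public Suffix List
    (for co.uk and friends). Good enough for the quiz URLs."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze(url: str):
    """Return (effective host, warnings about structure that hides the host)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if parts.username is not None:
        warnings.append(f"'{parts.username}' before '@' is userinfo, not the host; "
                        f"the request goes to {host}")
    for ch in host:
        if ord(ch) > 127:
            name = unicodedata.name(ch, "U+%04X" % ord(ch))
            warnings.append(f"non-ASCII {name} in host")
    if "." not in host:
        warnings.append(f"host '{host}' has no dot: not a public domain name")
    labels = host.split(".")
    if len(labels) > 2:
        warnings.append(f"owner is {owning_domain(host)}; '{'.'.join(labels[:-2])}' "
                        "is a subdomain that owner chose")
    for seg in parts.path.split("/"):
        if "." in seg and seg.rpartition(".")[2].lower() in TLDS:
            warnings.append(f"path segment '{seg}' looks like a domain but is ignored")
    return host, warnings


if __name__ == "__main__":
    for url in URLS:
        host, warnings = analyze(url)
        print(url, "->", host)
        for w in warnings:
            print("   !", w)
```

Reading the output against the quiz: the first URL goes to www.test, the fourth to a subdomain of example.com, and the userinfo URL to attacker.example no matter what precedes the “@”. The Handelsbanken and Nordea URLs, long as they are, still report handelsbanken.se and nordea.se as the owner, which is exactly the check a user has to learn to make.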