Phishing Exciting horror stories and the very boring antidote

Post on 23-Aug-2020


TRANSCRIPT

Page 1: Phishing - TechWorld Event · I really need to pay a bill but my bank acount thingie has stopped working, do you have yours close by? @home? thought I’d check if you’re up for

Phishing

Exciting horror stories

and the very boring

antidote

Page 2:

EXPECTATIONS: WHAT YOU’LL KNOW, AND NOT KNOW, AFTER I’M DONE WITH YOU

WHAT YOU WILL KNOW

• How someone can be stupid enough to wire $46.7 million to an offshore account without making sure the mail asking you to do so is legit.

• How the phishing attack is carried out

• Some really embarrassing examples .. (…and some less embarrassing ones)

• How you can prevent phishing

• … and why you probably won’t succeed

WHAT YOU WON’T KNOW

• Anything revolutionizing

Page 3:

BIO, OR – WHO AM I TO TELL YOU WHAT TO DO

HANNA LIDZELL

WORK?

• Works with MSS Services

• IDS and SIEM solutions

• Background in operations

. . . . SO WHAT DOES THIS MEAN?

. . . . meetings

• SEC-T

• Collector of stories and images

Page 4:

CASE STUDIES: HORROR STORIES FROM THE REAL WORLD

CLARA THE CLASSMATE & the Facebook scam

FREDERICK THE FRIEND & the Netflix account

AN AUNT & the targeted attack

UBIQUITI & the really stupid wire transfer

Page 5:

THE FACEBOOK SCAM

CLARA THE CLASSMATE CLICKS AN UNFORTUNATE LINK

CLARA: hellu

HANNA: Hi!

CLARA: What’s up?

HANNA: Sure thing. I’d love to help out if I can be of assistance.

CLARA: Thanks!

HANNA: sooo.. What do you need?

CLARA: I really need to pay a bill but my bank account thingie has stopped working, do you have yours close by? @home? thought I’d check if you’re up for helping me out real quickly

CLARA: Or, what’s your bank?

HANNA: Handelsbanken.

CLARA: Great. I have HSB too

Page 6:

THE FACEBOOK SCAM

CAUSE AND RESOLUTION

WHAT CLARA DID WRONG

• Clicked a clickbait link

• Filled in her account information

• Didn’t change the password everywhere

WHAT CLARA DID RIGHT

• Told her friends

• Logged out from all devices

• Changed her Facebook password

Page 7:

THE NETFLIX ACCOUNT

FREDERICK THE FRIEND

• 28 y/o

• Tech-savvy

• Slightly hung over

• Bank troubles

• New email client

• Already logged in to Netflix

FREDERICK THE FRIEND HAS A CASE OF BAD LUCK

Page 8:

Page 9:

MY AUNT


• Works at large Swedish corporation

• Indian tech support scam

MY AUNT IS TARGETED IN A MORE SOPHISTICATED WAY

Page 10:

UBIQUITI & THE STUPIDLY LARGE MONEY TRANSFER

$46.7 MILLION

“employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department.”

“The investigation uncovered no evidence that our systems were penetrated or that any corporate information, including our financial and account information, was accessed. The investigation found no evidence of employee criminal involvement in the fraud,”

Page 11:

BUSINESS EMAIL COMPROMISE

HOW IT MIGHT HAVE HAPPENED

SPOOFED EMAIL

A spoofed email impersonating a CEO/CIO, requesting or approving the transfer. Continual follow-up.

TARGETED (SPEAR) PHISHING

Phishing targeting a CEO/CIO, resulting in access to company email and the ability to request or approve the transfer from a legitimate account. Once the credentials to the trusted account have been uncovered, the attacker can contact users within the organization without triggering any alerts.
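As an added example (not part of the original slides), the following Python script applies the distinction above to two constructed e-mails: a spoofed CEO mail carrying the header-level indicators a mail gateway can check, and a mail sent from a genuinely compromised executive account, which passes every one of those checks. The company domain example.com, the executive list and both messages are assumptions made for the example.

```python
"""Header checks for the spoofed-e-mail variant of business e-mail compromise.

Added example, not from the original slides. The headers below are constructed;
the company domain "example.com" and the executive list are assumptions.
It flags the indicators a spoofed CEO mail carries (an executive's display
name on an address we do not know for them, a lookalike sender domain, a
Reply-To diverted elsewhere) and shows that a mail sent from a compromised
executive account carries none of them, which is why that variant goes
unnoticed by header-based alerting.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List

TRUSTED_DOMAIN = "example.com"                       # assumption
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumption: name -> known address

# Constructed sample: outside sender using the CEO's name, a digit-for-letter
# lookalike domain, and replies routed to a third mailbox.
SPOOFED = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-relay.test
To: cfo@example.com
Subject: Urgent wire transfer

Please process the attached transfer today and confirm. Keep this confidential.
"""

# Constructed sample: same request, but sent from the real account after a
# successful spear-phish. Every header is genuine.
COMPROMISED = """\
From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Urgent wire transfer

Please process the attached transfer today and confirm.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch domains one or two edits from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased part after the last '@' of an address."""
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw: str) -> List[str]:
    """Return the header-level red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    flags = []
    # 1. An executive's name on an address that is not the one we know for them.
    for exec_name, exec_addr in EXECUTIVES.items():
        if exec_name in name.lower() and addr.lower() != exec_addr:
            flags.append(f"display name '{name}' but sender is {addr}")
    # 2. Outside domain that is a near miss of our own.
    if from_domain != TRUSTED_DOMAIN and edit_distance(from_domain, TRUSTED_DOMAIN) <= 2:
        flags.append(f"lookalike sender domain {from_domain}")
    # 3. Replies silently diverted to another mailbox.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append(f"Reply-To {reply_to} does not match sender domain")
    return flags


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("compromised account", COMPROMISED)):
        print(label, "->", bec_indicators(raw) or "no header indicators")
```

The spoofed message trips all three checks; the compromised-account message trips none, so for that variant the control has to sit elsewhere (out-of-band confirmation of payment changes, second-person approval for large transfers), not in the mail filter.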

Page 12:

MASS-ATTACKS

• Wide-spectrum attacks targeting a large audience

• Hit or miss, active for a short period of time.

• Low success rate (0.2% – 5%)

• Low profit per success

• Collecting and selling data

• Often detected by IDS, threat intelligence or host protection tools

SPEAR PHISHING

• Targeted attacks

• Well researched

• Small attack surfaces

• Attack tailored to target

• Specific goal

• Difficult to detect

Page 13:

LACK OF KNOWLEDGE…

… of computer systems

… of security indicators

VISUAL DECEPTION

… deceptive text

… deceptive images

… deceptive windows

… look & feel

BOUNDED ATTENTION

… lack of attention to security indicators

… lacking attention to absence of security indicators

Credit: Dhamija, R., Tygar, J.D., & Hearst, M. (2006). Why Phishing Works. Proceedings of CHI 2006.

WHY PHISHING WORKS

Page 14:

So how do we fix it?

You can’t

Page 15:

RISK MITIGATION

• Awareness training

• Good support systems

• Be serious about your security policy

• Help your users understand your security policy

• Lead by example

• Be a good person

Page 16:

LEADING BY EXAMPLE

SEB: https://privat.ib.seb.se/wow/1000/1000/wow1020.aspx

• Ridiculous URL

• Old copyright stamp (2011)

• Sloppy graphics

• Doesn’t adapt to screen

Handelsbanken: https://secure.handelsbanken.se/bb/glss/servlet/ssco_auth2?appAction=doAuthentication&path=ssse&entryId=privformse&language=sv&country=SE

• Doesn’t adapt to screen

• Looks like my ‘make your own webpage’ project from fifth grade

• Crazy long URL

Nordea: https://internetbanken.privat.nordea.se/nsp/login

• Again, fifth-grade project

• Inaccurate description of the SSL/TLS padlock

Swedbank: https://internetbank.swedbank.se/idp/portal/identifieringidp/idp/dap1/ver=2.0/rparam=execution=e1s2

• No copyright date

Page 17:

LEADING BY EXAMPLE

Page 18:

BE A GOOD PERSON

Page 19:

POP QUIZ! WHERE WILL WE END UP?

http://www.test/example.com/test/test2/destination

http://www.example∕domaine.com.name/test/test2/destination

http://www.test.com/example.com/destination.url

http://www.test.com.example.com/example.com/destination.url

http://testsite.com:[email protected]
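Added example, not from the original slides: a Python script that answers the pop quiz by letting the standard library's URL parser decide which host each URL actually reaches, then lists the tricks it spots. The slide's last URL was garbled in extraction, so a constructed userinfo URL (http://www.test.com:secret@example.com/destination) stands in for it; the brand name example.com and the two-label registrable-domain shortcut are assumptions.

```python
"""Where does a deceptive-looking URL really go?

Added example, not from the original slides. It runs the quiz URLs from the
slide, plus one constructed userinfo URL, through Python's URL splitter and
reports the effective host and the red flags a reviewer should notice.
Assumptions: the brand being imitated is "example.com", and the naive
"last two labels" rule stands in for a real Public Suffix List lookup.
"""
from typing import List
from urllib.parse import urlsplit

# The slide's quiz URLs; the last entry is constructed (the original was
# garbled in extraction) and shows the user:password@host trick.
QUIZ_URLS = [
    "http://www.test/example.com/test/test2/destination",
    "http://www.example\u2215domaine.com.name/test/test2/destination",  # U+2215 looks like '/'
    "http://www.test.com/example.com/destination.url",
    "http://www.test.com.example.com/example.com/destination.url",
    "http://www.test.com:secret@example.com/destination",              # constructed
]

BRAND = "example.com"  # assumption: the domain users think they are visiting


def effective_host(url: str) -> str:
    """Host the client will actually connect to: userinfo and port stripped, lower-cased."""
    return urlsplit(url).hostname or ""


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Production code must consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def red_flags(url: str, brand: str = BRAND) -> List[str]:
    """Tricks that make the URL read as the brand while landing somewhere else."""
    parts = urlsplit(url)
    host = effective_host(url)
    flags = []
    # Everything before '@' is userinfo, not the host; browsers drop or warn on it.
    if parts.username is not None:
        flags.append("userinfo before '@' hides the real host")
    # A non-ASCII code point in the host is either IDN or a look-alike character.
    if not host.isascii():
        flags.append("non-ASCII character in host (possible homoglyph)")
    # The brand string is present somewhere, but the registrable domain is not the brand.
    if brand in url and registrable_domain(host) != brand:
        flags.append(f"'{brand}' appears but registrable domain is {registrable_domain(host)!r}")
    return flags


if __name__ == "__main__":
    for url in QUIZ_URLS:
        print(url)
        print("  host:", effective_host(url))
        for flag in red_flags(url) or ["(lands on the brand domain)"]:
            print("  -", flag)
```

Only the fourth URL actually ends up on example.com: a subdomain may carry any amount of misleading text to its left, while the path, the userinfo and a look-alike slash do nothing to change the host.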
