Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

Return Path's presentation from the eCrime Mid-Year Meeting. This presentation takes a fresh look at phishing, examining new metrics to measure for proactive brand protection:

• Moving from reactive to proactive phishing protection - using email authentication, DMARC and non-owned domain analysis

• Preparing for the next generation of phishing threats - understanding the impact of mobile and new gTLDs

• Protecting customers from malicious attacks sent in your brand’s name – the forgotten half of the phishing equation

• Uncovering the true scale of phishing against brands - empirical analysis comparing existing and next generation reporting models

Transcript

  • 1. A fresh look at phishing. Ken Takahashi, General Manager, Anti-Phishing Solutions, Return Path, Inc.
  • 2. Agenda
      • Defining the problem space
      • Threat scenario assessments – the tip of the iceberg
      • What can companies do about it?
      • Real cost of phishing (direct & indirect)
      • Conclusion
  • 3. Valuable information outside your control (diagram labels: WITHIN YOUR CONTROL; OUTSIDE YOUR CONTROL)
  • 4. Analysis of fraudulent activity
      • Profiled 3 separate attacks
      • Target was a UK bank
      • Incidents selected from August to October 2013
  • 5. Attack A – initial assessment
      – Type of attack: Phishing
      – Threat detected (GMT): Fri Sep 13 2013 14:40
      – Shut down (GMT): Fri, Sep 13 2013 22:37
      – Duration (hours): 7.95
      – URL: http://aaual.ual.pt/… www.{bank}.com/login.htm
      – Hosted: US
      – Total emails sent (est.): ?
      – First email sent (GMT): ?
      – Last email sent (GMT): ?
      – Subject: ?
      – Reported URLs: ?
      – Severity: MEDIUM
      – Contribution to industry statistics: +1
  • 6. Attack A – detailed analysis
      – Emails sent (est.): 1.05 M
      – Other labels on the slide: Timestamp of email delivery; URLs included in email; “Friendly from”; From email address; Subject
  • 7. Attack A – updated assessment (each detail: initial assessment; new assessment)
      – Type of attack: initial Phishing; new Phishing
      – Detected (GMT): initial Fri Sep 13 2013 14:40; new Fri Sep 13 2013 13:19
      – Shut down (GMT): initial Fri Sep 13 2013 22:37; new Fri Sep 13 2013 22:37
      – Duration (hours): initial 7.95; new 9.30
      – URL: initial http://aaual.ual.pt/… www.{bank}.com/login.htm; new http://aaual.ual.pt/… www.{bank}.com/login.htm
      – Hosted: initial US; new US
      – Total emails sent (est.): initial ?; new 1.05M
      – First email sent (GMT): initial ?; new Fri Sep 13 2013 13:19
      – Last email sent (GMT): initial ?; new Sat Sep 21 2013 23:38
      – Subject: initial ?; new Account reveiw.. [sic]
      – Reported URLs: initial ?; new 4
      – Severity: initial MEDIUM; new HIGH
  • 8. Attack B – initial assessment
      – Type of attack: Malware
      – Detected (GMT): Sat 14 Sep 2013 00:32
      – Shut down (GMT): N/A
      – Duration (hours): N/A
      – Attachments: 1
      – Subject: Important – Documents Attached
      – Hosted: N/A
      – Total emails sent (est.): ?
      – First email sent (GMT): ?
      – Last email sent (GMT): ?
      – Reported URLs: ?
      – Severity: HIGH
      – Contribution to industry statistics: +1
  • 9. Attack B – detailed assessment
      – Emails sent (est.): 10.9 M
      – Other labels on the slide: Timestamp of email delivery; File name; URLs included
  • 10. Attack B – updated assessment (each detail: initial assessment; new assessment)
      – Type of attack: initial Malware; new Malware
      – Detected (GMT): initial Sat 14 Sep 2013 00:32; new Fri 13 Sep 2013 22:05
      – Shut down (GMT): initial N/A; new N/A
      – Duration (hours): initial N/A; new N/A
      – Attachments: initial 1; new 1
      – Subject: initial Important – Documents Attached; new Important – Documents Attached (etc.)
      – Hosted: initial N/A; new N/A
      – Total emails sent (est.): initial ?; new 10.9M
      – First email sent (GMT): initial ?; new Fri 13 Sep 2013 22:05
      – Last email sent (GMT): initial ?; new Wed 16 Oct 2013 08:15
      – Reported URLs: initial ?; new 1
      – Severity: initial HIGH; new HIGH
  • 11. Attack C – initial assessment
      – Type of attack: Advanced fee fraud
      – Detected (GMT): Fri 02 Aug 2013 06:15
      – Shut down (GMT): N/A
      – Duration (hours): N/A
      – Subject: DIPLOMAT WITH YOUR MONEY
      – Hosted: N/A
      – Reported URLs: 0
      – Total emails sent (est.): ?
      – First email sent (GMT): ?
      – Last email sent (GMT): ?
      – Severity: LOW
      – Contribution to industry statistics: +1
  • 12. Attack C – detailed assessment
      – Emails sent (est.): 83.5 K
      – Other labels on the slide: Reply-to; “Friendly from”; From address; Subject; Timestamp
  • 13. Attack C – updated assessment (each detail: initial assessment; new assessment)
      – Type of attack: initial Advanced fee fraud; new Advanced fee fraud
      – Detected (GMT): initial Fri 02 Aug 2013 06:15; new Thu 01 Aug 2013 23:58
      – Shut down (GMT): initial N/A; new N/A
      – Duration (hours): initial N/A; new N/A
      – Subject: initial DIPLOMAT WITH YOUR MONEY; new DIPLOMAT WITH YOUR MONEY
      – Hosted: initial N/A; new N/A
      – Reported URLs: initial 0; new 0
      – Total emails sent (est.): initial ?; new 83.5K
      – First email sent (GMT): initial ?; new Thu 01 Aug 2013 23:58
      – Last email sent (GMT): initial ?; new Fri 18 Oct 2013 23:55
      – Severity: initial LOW; new LOW
  • 14. Additional information we can discover
      • “Traditional” metrics do not account for:
          – Size of attack
          – Start of attack
          – Recurrence/duration of attack
          – Target users by ISP
          – Nature of attack (e.g. distributed)
          – Unreported attacks
      • How are we able to discover this information?
          – Access to relevant data sources
          – All of the scams were sent from an email address spoofed to match that of the bank in question!
  • 15. What can you do about spoofing?
      • Exercise your domain rights to manage risk outside of your network:
      • Gain insights to understand true scale & nature of attacks
      • Block spoofed attacks at the biggest ISPs
      • Use information to shut down attacks more quickly
  • 16. The Full Spectrum of Phishing Threats
  • 17. Emerging threats
      • Growth of mobile email
          – Cannot see full email addresses
          – No concept of mousing over links
      • New gTLDs
          – 500+ more domain choices
          – Lower prices
  • 18. Addressing email-borne threats
  • 19. Real cost of phishing (chart labels: Direct; Costs to your operations; Costs to your customer; Indirect; Long-term impact; Immediate impact)
  • 20. A look from inside the inbox
  • 21. Conclusion
      • Significant security risks exist outside your network
      • Historical solutions lack:
          – Valuable information (tip of the iceberg)
          – Prevention
      • Companies can use latest technology to:
          – Understand the true threat landscape
          – Eliminate risk
      • Drive quantifiable benefits to your company and your customers
      • All of this is available to you today…
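
The measurements that slides 14 and 15 say traditional metrics miss (size, start, recurrence, target users by ISP, distributed sources) can be derived from DMARC aggregate reports for the spoofed domain. The following is an added example, not material from the presentation: it assumes DMARC aggregate reports are the data source (the deck does not name its feed), and bank.example, the reporter names, IP addresses and counts are all constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

def _report(org, begin, end, rows):
    recs = "".join(
        f"<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
        f"<policy_evaluated><dkim>{dkim}</dkim><spf>{spf}</spf>"
        f"</policy_evaluated></row></record>" for ip, n, dkim, spf in rows)
    return (f"<feedback><report_metadata><org_name>{org}</org_name><date_range>"
            f"<begin>{begin}</begin><end>{end}</end></date_range></report_metadata>"
            f"<policy_published><domain>bank.example</domain></policy_published>"
            f"{recs}</feedback>")

# Constructed RFC 7489-style reports from two hypothetical mailbox providers.
REPORTS = [
    _report("isp-a.example", 1379030400, 1379116800,
            [("192.0.2.10", 1200, "fail", "fail"),      # spoofed
             ("198.51.100.7", 300, "pass", "fail")]),   # legitimate, DKIM passes
    _report("isp-b.example", 1379116800, 1379203200,
            [("203.0.113.5", 800, "fail", "fail"),
             ("192.0.2.10", 50, "fail", "fail")]),
]

def summarize_spoofing(reports, domain):
    """Volume, reporting-window span, per-reporter split and sources of failing mail."""
    by_reporter, sources, first, last = Counter(), set(), None, None
    for text in reports:
        # Reports come from third parties; parse with a hardened XML parser in production.
        root = ET.fromstring(text)
        if root.findtext("policy_published/domain") != domain:
            continue
        org = root.findtext("report_metadata/org_name")
        begin = int(root.findtext("report_metadata/date_range/begin"))
        end = int(root.findtext("report_metadata/date_range/end"))
        for row in root.iterfind("record/row"):
            verdict = row.find("policy_evaluated")
            # DMARC passes when either the aligned DKIM or the aligned SPF result is "pass".
            if "pass" in (verdict.findtext("dkim"), verdict.findtext("spf")):
                continue
            by_reporter[org] += int(row.findtext("count"))
            sources.add(row.findtext("source_ip"))
            first = begin if first is None else min(first, begin)
            last = end if last is None else max(last, end)
    iso = lambda t: t and datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    return {"emails": sum(by_reporter.values()), "first_seen": iso(first),
            "last_seen": iso(last), "by_reporter": dict(by_reporter),
            "source_ips": sorted(sources)}
```

Aggregate reports carry reporting windows rather than per-message timestamps, so first_seen and last_seen are window edges and bound the attack period from outside.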