
Beyond takeover: stories from a hacked account


In this presentation, Imperva researchers explore the dynamics of credential theft. The team reversed a phishing hook to hack and track phishers using the same methods that phishers use on their victims. The presentation explores questions such as how long it takes from takeover to exploitation, what the attacker looks for in the hacked account, which decoys attract their attention, and what security practices they use to cover their tracks. Check out the slides and read the report to learn about real-world takeover stories and best practices for breach detection and remediation to protect your data. Read the full report: https://www.imperva.com/DefenseCenter/HackerIntelligenceReports

Published in: Software


  1. © 2017 Imperva, Inc. All rights reserved. Beyond Takeover: Stories from a Hacked Account. Itsik Mantin, Luda Lazar. July 2017
  2. Speakers
     • Itsik Mantin: Director of Security Research at Imperva; 16 years of experience in the security industry; holds an M.Sc. in Applied Math and Computer Science
     • Luda Lazar: Cyber Threat Researcher; 4 years of industry experience, mostly reverse engineering and security technology; holds a B.Sc. in Computer Science
  3. Acknowledgments
     • Tammer Ghattas
     • Jwana Yakub
     • Thinkst (providers of Canarytokens)
  4. Section 1: Phishing
  5. Social Attacks
     • 43% of breaches involved social attacks
  6. Phishing
     • 80% of finance-motivated breaches involve phishing
     • 5-15% click-rate (varying between industries); chart: click-rate per vertical
  7. Phishing Objectives
     • Fraud: identity theft, fraudulent transactions
     • Data theft: steal secret data, espionage, steal contacts
     • Account abuse: spamming/phishing, malware distribution, site/person promotion
  8. Phishing (diagram): phishing mail, fake website, credential stealing, malware download
  9. The Phishing Ecosystem (diagram): home-made, do-it-yourself, managed services; fraud, data theft, account abuse
  10. Research Objectives
     • Questions: credential theft and account takeover; relation to breaches; dynamics of a phishing attack; attackers' practices
     • Setup and maintenance of accounts: maintain personal online accounts
     • Account monitoring: use Canarytokens to track attackers' activity in the accounts
     • Credentials leakage: disclose the accounts' credentials to phishing campaigns
     • Collection and analysis of data: collect and analyze results
  11. Section 2: The Research
  12. Our "Bait" Network
     • Management account
     • 30 groups of accounts
     • 60 singular email accounts
  13. Make Accounts Authentic
  14. Account Monitoring: activity
  15. Trace Login Attempts
  16. Tracking Account Activity
  17. Canarytokens
     • Canarytokens toolkit created by Thinkst Applied Research
     • Decoys: documents and services that trigger alerts when accessed
  18. Canarytokens - Decoy Types
     • Web bugs (URLs): alert when the URL is requested
     • Microsoft Word documents: alert when a document is opened
     • Windows folders (ZIP archives): alert when someone browses the folder in File Explorer
  19. (image-only slide)
  20. Credentials Leakage
     • OpenPhish feed and PhishTank database: sources for zero-day phishing sites
     • We invite attackers by leaking our accounts' credentials to phishing campaigns
  21. Leakage Rounds (diagram): Credentials Leakage Round 1, Round 2, Round 3, ...; round steps
  22. Section 3: From Takeover to Exploitation
  23. Account Penetration Statistics
     • 88 of 200 credentials were used by the attackers (44% penetrated, 56% not penetrated)
     • 30 of 88 accounts were penetrated repeatedly, 99 penetrations in total (34% repeated penetration, 66% one-time penetration)
     • 23% of penetrated accounts triggered 114 Canarytokens alerts (access to data: 23%; no access: 77%)
     • 61% of Canarytokens were triggered during repeated penetration
  24. Takeover may not be Immediate
  25. Timely Detection Can Stop the Next Breach
     • 56% of credentials were not exploited
     • 54% of exploitations happened after more than 24 hours
  26. Exploration of a Hacked Account (chart: time between login and last alert; values 60%, 25%)
  27. Password Reuse Practices
     • Leak a lead account's credentials
     • All accounts in a "bait" group have the same password
     • Track the activity for all group accounts
  28. Propagation to other accounts
     • 16% of attackers reused credentials to propagate to the other accounts
  29. Section 4: Attacker Practices
  30. Inside your Inbox
  31. What do attackers look for? (chart: 25%, 75%)
  32. Where did an Attacker Search for Information? (chart: 70%, 18%, 12%)
  33. Effectiveness of Traps
     • Web bugs (URLs): alert when the URL is requested
     • Microsoft Word documents: alert when a document is opened
     • Windows folders (ZIP archives): alert when someone browses the folder in File Explorer
  34. Account Abuse
     • 12% of accounts were used for further malicious activity
  35. Story Time - Full account takeover
  36. Manual or Automatic?
     • Selective data access
     • Discontinuous access
     • Quick first access to data: 74% of primary Canarytokens were triggered in the first 3 minutes after login
  37. Covering Tracks
  38. Covering the tracks - Attackers' Practices (chart values: 17%, 15%, 13%, 3%, 2%)
     • Covered tracks
     • Delete sign-in alerts from the Inbox
     • Delete sent emails and failure notice messages
     • Mark messages as unread
     • Delete sign-in alerts permanently
  39. Section 5: Spotting Attackers
  40. Spotting Attackers - Anonymous Access
     • 39… Tor, proxies or hosting services
     • 187 logins from 167 IP addresses and 18 countries
  41. Geographic Distribution of Attackers (maps: all accesses; excluding anonymous accesses)
  42. Section 6: Stories from the Hacked Account
  43. First Story: Launch Spear Phishing Attack (one of the world's largest telecommunications operators)
  44. Investigating Incident
     • Something is wrong…
  45. Investigating Incident
     • Step 1: Search for evidence
  46. Investigating Incident
     • Step 2: Analysis of the evidence
  47. Investigating Incident: pedro……@yahoo.com
  48. Our Investigation
     • Step 3: Attribution (pedro……@yahoo.com)
  49. Second Story: In the Crosshairs of Inheritance Scammers (Ms. Judith Chan; Emma, our account)
  50. "…an opportunity like this only comes once in a lifetime" (Ms. Judith Chan)
  51. Judith Chan: The Strategy
  52. What next? Agreement Letter
  53. The End of the Scam
  54. Section 7: Summary and Conclusion
  55. Summary
     • When credentials leak, takeover does not always happen (44% only)
     • When it does, it is not always immediate (46% of hacked accounts)
     • of attackers searched for sensitive data inside the honey accounts
     • of the attacks were used for launching further attacks
     • Password reuse was detected in (only) 16% of the attacks
     • of the attacks seem to use automation
  56. Conclusions
     • The phishing threat is here to stay
     • Large numbers of stolen credentials + manual labor → attackers don't even use them all (automation?)
     • Quick detection and mitigation of credential theft can reduce the account hacking probability by 54%
     • Attackers are sometimes as sloppy as their victims (or they don't care about being identified)
     • Attackers exploit password reuse less than is commonly believed
  57. Human is Human
     Attackers
     • Fell into our phishing scams…
     • Left clear tracks in most accounts
     • Were sloppy and left hints to their identity
     Users
     • Security training and education are important, but people will continue to make mistakes, fall for social engineering and give attackers the road in
     • Users will continue to be the weakest and least predictable part of the organization
  58. CISO Takeaways
     • Password reuse is dangerous and might provide the attacker's road into the organization
     • Attackers are after data: credentials, financial data, business data
     • Assume users' credentials are stolen
     For applications
     • Deploy a phishing detection solution to detect credential theft in time
     • Deploy account takeover protection
     For the enterprise network
     • Assume attackers are already in
     • Protect your business-critical data as close as possible to the data
  59. Get the Report: read the full research report "Beyond Takeover - Stories from a Hacked Account" here: https://www.imperva.com/DefenseCenter/HackerIntelligenceReports
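The metrics the deck reports on slides 23, 25, 28, 33 and 36 (time from takeover to exploitation, the 3-minute "quick first access" automation indicator, password-reuse propagation inside a bait group, and which decoy types fire) can be computed from login records and Canarytokens alert records. The Python below is an added example, not code from Imperva or Thinkst; the account names, timestamps and group layout are constructed, and a decoy alert is assumed to carry the honey account it was planted in, its decoy type and a trigger time.

```python
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample records (not data from the Imperva study): attacker logins to
# honey accounts, and the Canarytokens decoy alerts raised from those accounts.
LOGINS = [  # (account, ISO 8601 login time)
    ("emma@example.test", "2017-05-02T10:00:00"),
    ("emma@example.test", "2017-05-04T08:30:00"),  # came back: repeated penetration
    ("paul@example.test", "2017-05-02T10:07:00"),  # emma's group mate, never leaked
    ("dana@example.test", "2017-05-06T21:00:00"),
]
ALERTS = [  # (account, decoy type, ISO 8601 trigger time)
    ("emma@example.test", "web-bug", "2017-05-02T10:01:30"),
    ("emma@example.test", "word-doc", "2017-05-02T10:02:10"),
    ("emma@example.test", "zip-folder", "2017-05-04T08:45:00"),
    ("dana@example.test", "word-doc", "2017-05-06T23:30:00"),
]
# A bait group shares one password; only the lead account's credentials were leaked.
GROUPS = {"g1": {"lead": "emma@example.test", "members": ["emma@example.test", "paul@example.test"]}}

def _first(events):
    """Earliest timestamp per account; tuples are (account, ..., iso_time)."""
    first = {}
    for e in events:
        t = datetime.fromisoformat(e[-1])
        if e[0] not in first or t < first[e[0]]:
            first[e[0]] = t
    return first

def minutes_to_exploitation(logins=LOGINS, alerts=ALERTS):
    """Minutes from an account's first attacker login to its first decoy alert."""
    login, alert = _first(logins), _first(alerts)
    return {a: (alert[a] - login[a]).total_seconds() / 60 for a in login if a in alert}

def likely_automated(delays, window_min=3):
    """Accounts whose first decoy fired within window_min of login: quick first access."""
    return sorted(a for a, d in delays.items() if d <= window_min)

def credential_propagation(logins=LOGINS, groups=GROUPS):
    """Unleaked group members logged into at/after the lead's first login (shared password reused)."""
    first, hits = _first(logins), defaultdict(list)
    for gid, g in groups.items():
        lead_t = first.get(g["lead"])  # None if the lead account was never penetrated
        for m in g["members"]:
            if lead_t and m != g["lead"] and m in first and first[m] >= lead_t:
                hits[gid].append(m)
    return dict(hits)

def decoy_hits(alerts=ALERTS):
    """Alert count per decoy type: which traps attracted attention."""
    return dict(Counter(kind for _, kind, _ in alerts))
```

On the constructed data, emma's first decoy fires 1.5 minutes after login (flagged as quick first access), dana's fires 150 minutes later, and paul's login after emma's is reported as propagation inside group g1.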
