
Research: From zero to phishing in 60 seconds

Here are the highlights of our research on do-it-yourself kits for phishing attacks, which allow attackers to quickly and elegantly mount a phishing campaign. These slides present examples of phishing kits, review their main capabilities, and show a statistical and clustering analysis of our collection of phishing kits. The main goal of our research is to shed light on the dynamics of phishing and the distribution of phishing kits in the underground community.

Published in: Technology

  1. © 2017 Imperva, Inc. All rights reserved. From Zero to Phishing in 60 Seconds. Luda Lazar, Imperva Research Team, June 2017
  2. Introduction (section 1)
  3. Introduction & Goals: • How to set up a phishing campaign in 60 seconds? • Phishing kit examples and their main capabilities • Statistical analysis • Clustering analysis
  4. How to Set Up a Phishing Campaign in 60 Seconds? Diagram: Spam Service / [SMTP] Server; Email List; Compromised Server or Hosting Services; Phishing Pages
  5. Phishing Attack. Diagram actors: Attacker, Victim, Phishing Site, Email Account. Steps: 2. Send phishing email; 3. Visit phishing page; 4. Send stolen credentials; 5. Harvest new credentials
  6. The Research from 20,000 Feet. Diagram: Conclusions; Analyzing phishing kits; Extracting features; Obtaining phishing kits; Phishing sites sources
  7. Numbers: • OpenPhish feed: – Total number of phishing URLs: 8388 (after noise cleanup) – Total number of phishing kits: 591 → 7% • TechHelpList.com pastes (all URLs of the last year): – Total number of phishing URLs: 4463 – Total number of phishing kits: 428 DIY kits → 9.6% • Total: 1019 kits
  8. Phishing Kits Examples (section 2)
  9. Phishing Kit Structure: • Phishing kits contain two types of files: – Files needed to display a copy of the targeted web site (resource files) – Scripts used to save the phished information and send it to phishers
  10. Google Docs Phishing Kit
  11. Phishing Processing Code
  12. Phishing Kit Capabilities (section 3)
  13. Drop Mechanisms of Phishing Kits: • 98% of kits use email to send data to the attackers • 2% of kits save collected data on the server in a log file (in one kit the results are stored in a DB). Chart: Remote, 98%; Local, 2%
  14. Implicit Recipients: • About 25% of DIY kits contain hidden drops, secretly sending emails with the phished information to addresses different from the intended ones – Address obfuscation – Repeated mail statements
  15. Extending the Lifespan - Block Unwanted Access: • 17% of DIY kits contain techniques to block unwanted access to them • Focused on avoiding detection by security companies and index services – htaccess – robots.txt – PHP scripts
  16. Extending the Lifespan - Blacklist Evasion: • Randomize URL per visitor – Creates a random phishing kit subdirectory – Copies the content of the entire kit inside it – Redirects the visitor to the newly generated random location
  17. Clustering Analysis (section 4)
  18. Research Method: • Features characterize a phishing kit • Statistical analysis • Clustering: – Files list (metadata of DIY archive) – Author’s signature (results processing file) – Subject (results email) – Sender (results email ‘from’ header) • Every cluster of kits has at least one of the features in common
  19. Clustering Results: • Total number of clusters: 230 – 19 clusters (size of each cluster >= 10), covering 541 kits (53% of data) – 48 clusters (size of each cluster >= 5), covering 731 kits (72% of data) – 118 clusters (size of each cluster >= 2), covering 907 kits (89% of data) • Similarity statistics: – 14% of the kits have four identical features – 39% of the kits have at least three identical features – 56% of the kits have at least two identical features
  20. Phishing Kits Graph
  21. Author Signature: Total number of author signatures: 271 • 32% of kits didn’t contain an author’s signature • 17% of kits were signed with a unique signature • 51% of kits were signed with a non-unique signature
  22. Fud Tool Dot Com
  23. Kits’ Buyers (Results Email Recipients): • Total number of buyers: 715 (distinct addresses) • 8% of buyers appear in at least three different kits (representing 23% of kits) • 24% of buyers appear in at least two different kits (representing 46% of kits)
  24. Conclusions: • Phishing is here to stay – It is still a significant and effective cyber threat – Phishing DIY kits are a significant facilitator of this, lowering the cost and time it takes to mount a phishing campaign • The phishing ecosystem resembles legitimate economic ecosystems: – Role-based ecosystem with technology vendors and service providers – Phishers phish phishers: some players misbehave…
  25. More Info: • Subscribe to the Imperva blog for more details on phishing, as well as other application and data security trends: https://www.imperva.com/blog/
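
The clustering step from the Research Method and Clustering Results slides, as an added example that is not code from the Imperva research: kits are linked whenever they share an identical value for any of the four listed features, and clusters are the connected components of that graph. The linking rule, the record layout and every sample value below are assumptions constructed for illustration.

```python
from collections import defaultdict

# The four features named on the Research Method slide.
FEATURES = ("files", "signature", "subject", "sender")

# Constructed sample records (not real kits); None means the feature is absent.
KITS = {
    "kit-a": {"files": ("index.php", "post.php"), "signature": "sigX",
              "subject": "Login A", "sender": "a@example.test"},
    "kit-b": {"files": ("index.php", "post.php"), "signature": None,
              "subject": "Login B", "sender": "b@example.test"},
    "kit-c": {"files": ("login.html", "send.php"), "signature": "sigY",
              "subject": "Login B", "sender": "c@example.test"},
    "kit-d": {"files": ("home.php",), "signature": "sigZ",
              "subject": "Login D", "sender": "d@example.test"},
    "kit-e": {"files": ("x.php",), "signature": None,
              "subject": "Login E", "sender": "e@example.test"},
}

def cluster_kits(kits):
    """Group kits that share at least one identical feature value (union-find)."""
    parent = {k: k for k in kits}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (feature name, value) -> first kit carrying it
    for kit_id, feats in kits.items():
        for name in FEATURES:
            value = feats.get(name)
            if not value:  # an absent feature (e.g. unsigned kit) never links kits
                continue
            key = (name, value)
            if key in first_seen:
                parent[find(kit_id)] = find(first_seen[key])
            else:
                first_seen[key] = kit_id

    groups = defaultdict(set)
    for k in kits:
        groups[find(k)].add(k)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def coverage(clusters, min_size):
    """Return (cluster count, kits covered) for clusters of at least min_size."""
    big = [c for c in clusters if len(c) >= min_size]
    return len(big), sum(len(c) for c in big)
```

`coverage(cluster_kits(KITS), 2)` produces the same kind of figure the Clustering Results slide reports for each size threshold.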
