Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Knowing your Enemies
Leveraging Data Analysis to Expose Phishing Patterns Against a
Major US Financial Institution
Javier ...
About Easy Solutions®
2
Industry recognitionA leading global provider of electronic fraud
prevention for financial institu...
Phishing Fighting Landscape
3
Detection1 Blacklisting2 Takedown3
• Manual reporting
• Honeypots
• Crawling
• E-mail filter...
We focus on understanding the attacks
against a mayor financial institution
Prevention, detection and
takedown of phishing...
What we’d like to know
• Who are the attackers?
• How many are targeting me?
• What is their modus operandi?
• What are th...
Hypothesis
• Every criminal has different motivations, therefore is
interested in capturing different information
• Over t...
Proposed framework
7
Finding Similarities in Phishing Attacks
8
Clusters distribution Features Importance
Finding similarities in Phishing Attacks
9
Clustering the attackers
• Clustering showed to be able to separate attack
styles and purposes
• Will clustering now be ab...
Sub-Clusters Highlights
• Small set of images-only pages
11
Sub-Clusters Highlights
• Mostly hosted in legitimate and still active domains
• Mostly from Lagos and Florida
12
Sub-Clusters Highlights
• Mostly from Netherlands
13
Sub-Clusters Highlights
• Small cluster
• Number of inputs in form reduced only to captured fields
• Deployed using IP add...
Sub-Clusters Highlights
• Attackers mostly coming from Lagos
• Using domains that have been online for more than two
years...
Link analysis to verify clusters
• We used Passive DNS to verify reopening tickets, dormant
domains and new domains
• A sm...
What we learned
• Profiling attacks and attackers can be automated by using
machine learning techniques
• Automated profil...
Thank you!
Any questions or comments, please let me know.
Javier Vargas
Lead Researcher - Easy Solutions
jvargas@easysol.n...
Upcoming SlideShare
Loading in …5
×

Knowing your Enemies - Leveraging Data Analysis to Expose Phishing Patterns Against a Major US Financial Institution

138 views

Published on

Presented at ECrime 2016 - Toronto - APWG

Phishing attacks against financial institutions constitutes a major concern and forces them to invest thousands of dollars annually in prevention, detection and takedown of these kinds of attacks. This operation is so massive and time critical that there is usually no time to perform analysis to look for patterns and correlations between attacks. In this work we summarize our findings after applying data analysis and clustering analysis to the record of attacks registered for a major financial institution in the US.
We use HTML structure and content analysis, as well as domain registration records and DNS RRSets information of the sites, in order to look for patterns and correlations between phishing attacks. It is shown that by understanding and clustering the different types of phishing sites, we are able to identify different strategies used by criminal organizations.
Furthermore, the findings of this study provide us valuable insight into who is targeting the institution and their, which gives us a solid foundation for the construction of more and better tools for detection and takedown, and eventually for forensic analysts who will be able to correlate cases and perform focused searches that speed up their investigations.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Knowing your Enemies - Leveraging Data Analysis to Expose Phishing Patterns Against a Major US Financial Institution

  1. 1. Knowing your Enemies Leveraging Data Analysis to Expose Phishing Patterns Against a Major US Financial Institution Javier Vargas, Alejandro Correa, Sergio Villegas & Daniel Ingevaldson
  2. 2. About Easy Solutions® 2 Industry recognitionA leading global provider of electronic fraud prevention for financial institutions and enterprise customers 250+ customers In 26 countries 70 million Users protected 22+ billion Online connections monitored in last 12 months
  3. 3. Phishing Fighting Landscape 3 Detection1 Blacklisting2 Takedown3 • Manual reporting • Honeypots • Crawling • E-mail filters • Diverse modern heuristics • Major browsers • Toolbars • Anti-virus • Independent vendors • Individual efforts • Outsourced efforts • Collaborations
  4. 4. We focus on understanding the attacks against a mayor financial institution Prevention, detection and takedown of phishing is so massive and time critical that you never have time to look for answers to interesting questions. 4
  5. 5. What we’d like to know • Who are the attackers? • How many are targeting me? • What is their modus operandi? • What are their motivations? • How can we improve? 5
  6. 6. Hypothesis • Every criminal has different motivations, therefore is interested in capturing different information • Over the time they develop their own unique attacking style and modus operandi 6
  7. 7. Proposed framework 7
  8. 8. Finding Similarities in Phishing Attacks 8 Clusters distribution Features Importance
  9. 9. Finding similarities in Phishing Attacks 9
  10. 10. Clustering the attackers • Clustering showed to be able to separate attack styles and purposes • Will clustering now be able to give hints about groups of criminals? 10
  11. 11. Sub-Clusters Highlights • Small set of images-only pages 11
  12. 12. Sub-Clusters Highlights • Mostly hosted in legitimate and still active domains • Mostly from Lagos and Florida 12
  13. 13. Sub-Clusters Highlights • Mostly from Netherlands 13
  14. 14. Sub-Clusters Highlights • Small cluster • Number of inputs in form reduced only to captured fields • Deployed using IP addresses or per-user web folders at large university Temporary Scam 14
  15. 15. Sub-Clusters Highlights • Attackers mostly coming from Lagos • Using domains that have been online for more than two years and registered to small companies or personal pages • No changes at all in form elements. Even hidden elements are kept exactly the same 15
  16. 16. Link analysis to verify clusters • We used Passive DNS to verify reopening tickets, dormant domains and new domains • A small set of IP addresses are being used to host several attacks. Most of them correctly clustered • Also related to attacks to other financial institutions 16
  17. 17. What we learned • Profiling attacks and attackers can be automated by using machine learning techniques • Automated profiling provides invaluable insight to improve mitigation processes • Automated correlation of cases allow focused searches and speedups investigations 17
  18. 18. Thank you! Any questions or comments, please let me know. Javier Vargas Lead Researcher - Easy Solutions jvargas@easysol.net

×