
DetectingSpearPhishingAttacks


  1. Detecting and Preventing Spear Phishing Attacks Using DNS. Mike Saunders, @hardwaterhacker, mike@hardwatersecurity.com
  2. About Mike: pen tester with a defender background (purple team!); 17 years in IT, 9 years in security.
  3. The Problem: Typosquatting. What is it? Intentionally misspelled domain names intended to imitate legitimate domain names. Why is it bad?
  4. The Problem. Why is it bad? Often difficult to spot; users may be duped into visiting a malicious site.
  5. Motivations: financial (advertising revenue on parked domains; driving traffic to a competitor's site); malware delivery; harvesting email from misspelled domains; phishing attacks.
  6. Types of Typosquatting: repeated characters (www.google.com / www.gooogle.com); omitted character (www.amazon.com / www.amzon.com); character swap (www.defcon.org / www.decfon.org); character insertion (www.derbycon.com / www.derbycin.com); missing dots (www.microsoft.com / wwwmicrosoft.com); singular/plural (www.apple.com / www.apples.com); vowel swapping (www.fedex.com / www.fadax.com).
  7. Types of Typosquatting (continued): homophones (www.route.com / www.root.com); homoglyphs (www.derbycon.com / www.derbyc0n.com); wrong TLD (www.whitehouse.gov / www.whitehouse.com); misspelling (www.arcticcat.com / www.articat.com); different country code (www.evilcorp.com / www.evilcorp.cm); bit flipping (www.facebook.com / www.fccebook.com).
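Slides 6 and 7 list the mutation classes the talk's tooling enumerates. The generator below is an added example in the spirit of urlcrazy/dnstwist, not code from those tools or from the talk: it takes a domain you own and produces the candidate lookalikes a monitoring job would then resolve or check for registration. The homoglyph table, the keyboard layout and the TLD list are constructed and deliberately small; the homoglyph pass substitutes both a single position and every position, which is what turns wellpoint into we11point and premera into prennera.

```python
"""Lookalike-domain candidate generator for monitoring your own domains.
Added example; the substitution tables are constructed and not exhaustive."""

VALID = set("abcdefghijklmnopqrstuvwxyz0123456789-")
VOWELS = "aeiou"
# Constructed homoglyph table: characters that look alike in common fonts
HOMOGLYPHS = {"l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "m": ["rn", "nn"],
              "e": ["3"], "a": ["4"], "s": ["5"], "b": ["d"], "d": ["b"]}
# Constructed TLD list, including the lookalike ccTLD .cm from slide 7
TLDS = ["com", "net", "org", "co", "cm", "info", "gov"]
# Constructed approximation of a QWERTY layout for "adjacent key" typos
KEYBOARD_ROWS = ["1234567890-", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def neighbors(ch):
    """Keys adjacent to ch on the (approximate) QWERTY layout above."""
    for r, row in enumerate(KEYBOARD_ROWS):
        if ch in row:
            i = row.index(ch)
            near = set(row[max(0, i - 1):i + 2])
            for other in (r - 1, r + 1):
                if 0 <= other < len(KEYBOARD_ROWS):
                    near |= set(KEYBOARD_ROWS[other][max(0, i - 1):i + 2])
            near.discard(ch)
            return near
    return set()


def bit_flips(label):
    """Every single-bit flip of each character that still yields a valid hostname character."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in VALID:
                out.add(label[:i] + flipped + label[i + 1:])
    return out


def variants(domain):
    """Return {category: set(candidate_domain)} covering the classes on slides 6 and 7."""
    label, _, tld = domain.rpartition(".")
    cands = {}

    def add(kind, lab, t=tld):
        if lab and (lab != label or t != tld):
            cands.setdefault(kind, set()).add(f"{lab}.{t}")

    for i, ch in enumerate(label):
        add("repetition", label[:i] + ch + label[i:])                  # gooogle
        add("omission", label[:i] + label[i + 1:])                       # amzon
        if i + 1 < len(label):                                           # decfon
            add("transposition", label[:i] + label[i + 1] + ch + label[i + 2:])
        for k in neighbors(ch):
            add("replacement", label[:i] + k + label[i + 1:])            # derbycin (o -> i)
            add("insertion", label[:i] + k + label[i:])                  # adjacent key typed twice
        if ch in VOWELS:                                                 # fadex
            for v in VOWELS:
                if v != ch:
                    add("vowel-swap", label[:i] + v + label[i + 1:])
        for g in HOMOGLYPHS.get(ch, []):
            add("homoglyph", label[:i] + g + label[i + 1:])              # one position
            add("homoglyph", label.replace(ch, g))                       # every position: we11point, prennera
    if label.endswith("s"):
        add("plural", label[:-1])                                        # singular form
    else:
        add("plural", label + "s")                                       # apples
    add("missing-dot", "www" + label)                                    # wwwmicrosoft
    for t in TLDS:
        add("wrong-tld", label, t)                                       # whitehouse.com, evilcorp.cm
    for b in bit_flips(label):
        add("bit-flip", b)                                               # fccebook
    return cands


def all_variants(domain):
    """Flat, sorted candidate list suitable for a resolver or registration check."""
    return sorted(set().union(*variants(domain).values()))


if __name__ == "__main__":
    for kind, names in sorted(variants("wellpoint.com").items()):
        print(f"{kind:14s} {len(names):4d}  e.g. {sorted(names)[0]}")
```

Homophones and free-form misspellings (route/root, arcticcat/articat) need a dictionary rather than a character rule, which is why the generator leaves them out; that matches the talk's own caveat that tooling like this will not catch everything.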
  8 to 11. Real-World Examples (screenshot slides; no text captured).
  12. Real-World Examples: Anthem BCBS, wellpoint.com, targeted using we11point.com; Premera BCBS, premera.com, targeted using prennera.com.
  13. More Real-World Examples: carefirst.com targeted with 'l' and '1' substituted for 'i'.
  14. More Real-World Examples (screenshot slide; no text captured).
  15. Available Tools: UrlCrazy, Andrew Horton (@urbanadventur3r), http://www.morningstarsecurity.com/research/urlcrazy; dnstwist, Marcin Ulikowski (@elceef), https://github.com/elceef/dnstwist
  16. A Better Way: crazyparser, https://github.com/hardwaterhacker/crazyparser. Detects changes between iterations; uses both urlcrazy and dnstwist output.
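The point of slide 16 is the diff: a candidate list is only useful if each run is compared with the last one so that a newly resolving domain or a newly added MX record stands out. The script below is an added example of that comparison, not crazyparser's code. It assumes a simple constructed CSV-like record format (domain, A record, MX record, with "-" for absent) rather than the real urlcrazy or dnstwist output formats, and the two sample runs are constructed.

```python
"""Compare two monitoring runs of lookalike candidates and report what changed.
Added example; input format and sample data are constructed for illustration."""

# Constructed sample output: previous run and current run (domain,a_record,mx_record)
PREVIOUS_RUN = """\
we1lpoint.com,-,-
we11point.com,203.0.113.10,-
wellpoint.co,198.51.100.5,mail.example.net
"""
CURRENT_RUN = """\
we1lpoint.com,-,-
we11point.com,203.0.113.10,mail.we11point.com
wellpoint.co,198.51.100.77,mail.example.net
prennera.com,192.0.2.44,-
"""


def parse_run(text):
    """Parse one run into {domain: {"a": ip_or_None, "mx": host_or_None}}."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, a, mx = [f.strip() for f in line.split(",")]
        records[domain] = {"a": None if a == "-" else a,
                           "mx": None if mx == "-" else mx}
    return records


def diff_runs(previous_text, current_text):
    """Report candidates that started resolving, stopped resolving, or changed records.

    "new" is the registration signal; a "changed" entry whose field is "mx" means the
    squatter can now receive mail sent to the lookalike, which deserves immediate attention.
    """
    prev, cur = parse_run(previous_text), parse_run(current_text)
    report = {"new": [], "gone": [], "changed": []}
    for domain, rec in cur.items():
        live = bool(rec["a"] or rec["mx"])
        old = prev.get(domain)
        was_live = bool(old and (old["a"] or old["mx"]))
        if live and not was_live:
            report["new"].append(domain)
        elif live and was_live:
            for field in ("a", "mx"):
                if old[field] != rec[field]:
                    report["changed"].append((domain, field, old[field], rec[field]))
        elif was_live and not live:
            report["gone"].append(domain)
    # Candidates that dropped out of the current run entirely but resolved last time
    for domain, old in prev.items():
        if domain not in cur and (old["a"] or old["mx"]):
            report["gone"].append(domain)
    return report


if __name__ == "__main__":
    result = diff_runs(PREVIOUS_RUN, CURRENT_RUN)
    for domain in result["new"]:
        print(f"NEW      {domain}")
    for domain, field, old, new in result["changed"]:
        print(f"CHANGED  {domain} {field}: {old} -> {new}")
    for domain in result["gone"]:
        print(f"GONE     {domain}")
```

Run it daily from cron, keep the previous run's file, and alert on anything in "new" or on an MX change; unchanged candidates produce no output, which is what makes the diff readable.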
  17. Demo Time: configuration files, command line options, output.
  18. Preventative Measures: block in the web proxy; blackhole DNS; increase monitoring (proxy logs, email containing links to these domains, client DNS queries).
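Slide 18 names three places to act on the candidate list: the proxy, the resolver, and the logs. The following added example (not from the talk or crazyparser) shows the monitoring side for proxy logs, client DNS queries and email links, and emits a BIND-style response policy zone (RPZ) fragment for the blackhole-DNS step. The watchlist, the squid-style proxy line, the dnsmasq-style query line and the mail snippet are all constructed; the RPZ syntax (`CNAME .` for an NXDOMAIN policy) is standard.

```python
"""Match proxy, DNS and mail data against a lookalike-domain watchlist and
produce an RPZ blackhole fragment. Added example; all sample data is constructed."""
import re
from urllib.parse import urlsplit

# Constructed watchlist (the talk's real-world examples)
WATCHLIST = {"we11point.com", "prennera.com", "careflrst.com"}

# Constructed squid-style access log lines (ts elapsed client code/status bytes method url ...)
PROXY_LOG = """\
1473000001.123    245 10.0.0.12 TCP_MISS/200 4312 GET http://www.we11point.com/login.php - HIER_DIRECT/203.0.113.10 text/html
1473000002.456     87 10.0.0.12 TCP_MISS/200 1024 GET http://www.wellpoint.com/ - HIER_DIRECT/198.51.100.1 text/html
"""
# Constructed dnsmasq-style query log lines
DNS_LOG = """\
Sep 16 10:01:02 dnsmasq[1234]: query[A] secure.prennera.com from 10.0.0.15
Sep 16 10:01:03 dnsmasq[1234]: query[A] premera.com from 10.0.0.15
"""
# Constructed mail body
MAIL_BODY = "Your statement is ready at http://www.we11point.com/statement and at https://www.wellpoint.com/."

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def matches_watchlist(host, watchlist):
    """True if host is a watched domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def proxy_hits(log_text, watchlist):
    """(client_ip, hostname) for proxy requests whose URL host is on the watchlist."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        host = urlsplit(url).hostname
        if host and matches_watchlist(host, watchlist):
            hits.append((client, host))
    return hits


def dns_hits(log_text, watchlist):
    """(client_ip, qname) for client queries that hit the watchlist."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_watchlist(m.group(1), watchlist):
            hits.append((m.group(2), m.group(1)))
    return hits


def mail_link_hits(body, watchlist):
    """Hostnames of links in a message body that point at watched domains."""
    return [h for h in URL_HOST_RE.findall(body) if matches_watchlist(h, watchlist)]


def rpz_records(watchlist):
    """RPZ zone records that return NXDOMAIN for each watched domain and its subdomains."""
    lines = []
    for d in sorted(watchlist):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


if __name__ == "__main__":
    print("proxy:", proxy_hits(PROXY_LOG, WATCHLIST))
    print("dns:  ", dns_hits(DNS_LOG, WATCHLIST))
    print("mail: ", mail_link_hits(MAIL_BODY, WATCHLIST))
    print("\n".join(rpz_records(WATCHLIST)))
```

Feed the watchlist from the diff of your candidate runs so the RPZ zone and the log matcher stay in step with what has actually been registered; the subdomain match matters because lures are usually hosted on `www.` or `secure.` hosts rather than the bare domain.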
  19. + and -. Will find some variations, like we11point.com. prennera.com was not originally detected; dnstwist support added 9/16. careflrst.com was detected, caref1st.com wasn't originally; dnstwist support added 9/16.
  20. + and -. Will not detect things like service-paypal.com. Does not protect external users / customers, unless you pursue domain seizure under WIPO UDRP or the US Anticybersquatting Consumer Protection Act: https://www.icann.org/en/system/files/files/guidance-domain-seizures-07mar12-en.pdf
  21. Questions? https://github.com/hardwaterhacker/crazyparser, @hardwaterhacker, mike@hardwatersecurity.com, http://hardwatersec.blogspot.com
