In this talk, we take a look at the latest trends in phishing - volume of attacks, brands and other interesting data points. We examine some newer techniques like use of free SSL services, social media based attacks, homograph attacks and some older techniques like reputation hijacking. We share tips and techniques that security researchers can use to identify each of the aforementioned attack types and uncover details on infrastructure of the bad actors.
Lookup tool: https://checkphish.ai
Company: https://www.redmarlin.ai
4. PHISHING…STILL ALIVE AND THRIVING
• …phishing attacks in 2016 was 1,220,523, a 65% increase over 2015.
• …APWG saw an average of 92,564 phishing attacks per month, an increase of 5,753% over 12 years
Source: http://docs.apwg.org/reports/apwg_trends_report_q4_2016.pdf
16. HOMOGRAPH ATTACKS
• Homograph - Different entities that look the same
• Perpetrated via similar looking domains as famous brands
• Domains registered are IDNs in Punycode
• Punycode - Encoding to convert Unicode characters to a subset of ASCII - consisting of letters, digits and hyphens. E.g. - Cyrillic characters
Source: https://www.xudongz.com/blog/2017/idn-phishing/
Example: xn--80ak6aa92e.com, which renders as apple.com
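The check below is an added example, not code from the talk or from CheckPhish: it decodes the Punycode labels of a hostname back to Unicode, records which scripts the letters come from, maps common Cyrillic look-alikes onto the Latin letters they imitate, and flags the host when that "skeleton" collides with a brand on a watch list. The brand list and the confusable table are constructed for the example (the table is a hand-picked subset; Unicode's confusables.txt is the full reference), and the sample input is the xn--80ak6aa92e.com domain from the slide.

```python
import unicodedata

# Hypothetical watch list of brands a defender wants to protect (constructed for this example).
PROTECTED_BRANDS = ["apple", "paypal", "google"]

# Cyrillic letters that render like Latin letters in common fonts.
# Assumption: a small hand-picked subset of Unicode's confusables.txt.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}


def decode_label(label: str) -> str:
    """Turn one hostname label from its ASCII-compatible (xn--) form back into Unicode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def decode_host(host: str) -> str:
    """Decode every label of a hostname, leaving plain ASCII labels untouched."""
    return ".".join(decode_label(label) for label in host.split("."))


def scripts_in(text: str) -> set:
    """Approximate the Unicode script of each letter from the first word of its character name."""
    found = set()
    for ch in text:
        if ch.isalpha():
            name = unicodedata.name(ch, "UNKNOWN")
            found.add(name.split()[0])  # e.g. 'LATIN', 'CYRILLIC', 'GREEK'
    return found


def skeleton(text: str) -> str:
    """Replace each confusable character with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text.lower())


def assess_host(host: str, brands=PROTECTED_BRANDS) -> dict:
    """Report whether a hostname is a homograph of a protected brand."""
    decoded = decode_host(host)
    scripts = scripts_in(decoded)
    skel = skeleton(decoded)
    labels = skel.split(".")
    matched = next((b for b in brands if b in labels), None)
    # Suspicious only when the host actually used IDN labels, confusable characters were
    # substituted, and the result reads as a protected brand. A plain ASCII brand domain
    # such as apple.com therefore passes.
    suspicious = host != decoded and decoded != skel and matched is not None
    return {
        "host": host,
        "decoded": decoded,
        "scripts": scripts,
        "skeleton": skel,
        "matched_brand": matched,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for sample in ["xn--80ak6aa92e.com", "apple.com"]:
        print(assess_host(sample))
```

Mixed scripts inside a single label (rather than across the whole host, where the ASCII TLD always contributes Latin) is the stronger signal; the per-host script set is kept here so an analyst can see what was decoded.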
22. HUNTING FOR HOMOGRAPH DOMAINS
https://domainpunch.com/premium/daily.php
DNSTwist: https://github.com/elceef/dnstwist/
23. HUNTING FOR HOMOGRAPH ATTACKS
• Just by searching for the two characters ‘ou’
• Over a 20-day period
Source: https://www.redmarlin.ai/punycode-new-domains-passive-dns-tale-hunting/
24. PHISHING VIA HTTPS
• Misinformation about https leads to bigger problems
• Rapid rise in https phishing in June-July 2017
• 10% of all phishing sites are now on https
26. PHISHING VIA HTTPS
• Top abused CAs
• Let’s Encrypt
• Comodo SSL
• cPanel
• GoDaddy
• GlobalSign
31. TECH SUPPORT SCAMS
• $1.5B estimated loss in 2015 as per Microsoft
• $25M defrauded by one scamming company alone
• 2 out of 3 Microsoft users affected
• FBI reported users from 78 countries affected in 2016
http://www.aarp.org/money/scams-fraud/info-2017/how-to-handle-tech-support-scams-fd-jj.html
https://blogs.microsoft.com/on-the-issues/2017/05/18/fight-tech-support-scams/
32. TECH SUPPORT SCAMS
• User gets a cold call from the scammer
• User visits a site that maliciously redirects them to the scam site or pops up another window
• User mistypes the URL in a browser and the scammer controls the incorrectly typed domain
41. WHAT’S UP WITH THIS ATTACK?
https://youtu.be/qjGyBGPEHSs
42. POPULAR BLOCKING TECHNIQUES
• Block URL if there is prior confirmed intelligence (blacklists)
• Penalize hosts if repeat offenders
• Penalize based on bad IP addresses/ASNs/registration dates
• Patterns in URLs (e.g. paypal.com.badwebsite.com)
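The last bullet is the one that a rule engine can implement directly. The code below is an added example, not the speakers' tooling: it splits a URL into hostname and path, works out the registered domain using a constructed stand-in for the Public Suffix List, and flags the URL when a watched brand token appears in the subdomain labels or path while the registered domain is not one the brand actually owns (the paypal.com.badwebsite.com pattern). The brand-to-domain map and the sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real deployment loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.br"}

# Hypothetical brand watch list: brand token -> registered domains it legitimately uses.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "apple": {"apple.com", "icloud.com"},
}


def registered_domain(host: str) -> str:
    """Return the registrable part of a hostname (e.g. badwebsite.com, example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longer public suffix first so that co.uk wins over uk.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def tokens(text: str) -> set:
    """Split on non-alphanumerics so 'paypal-login' and 'paypal.com' both yield 'paypal'."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def assess_url(url: str) -> dict:
    """Flag URLs whose host or path carries a brand name the registered domain does not own."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reg = registered_domain(host)
    host_tokens = tokens(host)
    path_tokens = tokens(parts.path)
    hits = []
    for brand, legit_domains in BRAND_DOMAINS.items():
        if reg in legit_domains:
            continue  # the brand's own site may of course mention itself
        where = []
        if brand in host_tokens:
            where.append("host")
        if brand in path_tokens:
            where.append("path")
        if where:
            hits.append((brand, where))
    return {
        "host": host,
        "registered_domain": reg,
        "hits": hits,
        "suspicious": bool(hits),
    }


if __name__ == "__main__":
    # Constructed sample URLs: the slide's pattern, a benign brand URL, and a path-based lure.
    for sample in [
        "http://paypal.com.badwebsite.com/login",
        "https://www.paypal.com/signin",
        "http://secure-login.example.co.uk/paypal/verify",
    ]:
        print(assess_url(sample))
```

This rule is cheap and catches the bulk of brand-in-subdomain lures, but it is only a pattern check: it says nothing about a domain that merely looks like the brand, which is what the homograph and typosquat checks earlier in the talk are for.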