1
Analysis of Regional Phishing Attack
Fishing the Phishers
Photo by Johannes Plenio on Unsplash
June Park @ Naver Corp. [Security]
2
June Park
Security Researcher @ NAVER CORP.
About Me
- Security Research and Pentesting @ Samsung (10 years)
- DEFCON 27 DEMO LABS (Mobile + Cloud Vuln.)
- Interest : Phishing, App Security, Cloud Security
- june.park@navercorp.com
Journey to the
Security Expert
3
AGENDA
Fishing the Phishers
Introduction
- Global Phishing Attack Trends
- Why Phishing Attacks keep Growing
Regional Phishing Landscape
- Phishing Campaign Types
- Analysis of Adversarial Tactics
Background & Motivation
- Previous Research and Limitations
- Why We Should Be Prepared for Regional Phishing Attack
Detection and Defense
- NAVER Anti Phishing System
- Early Detection and Prevention
- Mitigation
4
AGENDA
Fishing the Phishers
How to Utilize CTI
- Case Analysis 1 : Leak Accounts from Darkweb
- Case Analysis 2 : Kakaotalk Malware and Phishing
Discussion and Future Work
- Real-World Limitations
- What Do We Do Next?
Conclusion
5
Introduction
Fishing the Phishers
Phishing Attack Trends
- Definition
- Global Trends
Why Phishing Attacks keep Growing
- Single Point of Failure
- Low Effort High Impact
6
https://fanciful-tarsier-c23d09.netlify.app [NOT NAVER.COM]
Input Login Credential
Credential Delivered To Hackers
Account Leak
Personal Data Leak
Prepare New Attack
Collect and Sell (Dark-Market)
Emails, Files in Cloud, Contacts, Etc.
Abuse the Service
Abuse the Account
7
Phishing Reaches All-Time High in Early 2022
Global Trends
In the first quarter of 2022, APWG observed 1,025,968 total phishing attacks. This was the worst quarter for phishing that APWG has ever observed, and the first time that the quarterly total has exceeded one million.
Chart: Phishing Attacks, 2Q2021 ~ 1Q2022, by APWG
8
FBI Crime Report 2020 - 2021
Global Trends
The type of cybercrime with the most victims in 2020 was phishing.
In 2021, this trend also continued, resulting in the largest number of victims by phishing.
Photo by Setyaki Irham on Unsplash
9
Single Point of Failure
Why Phishing Attacks keep Growing
On the portal site, users can use all detailed services with a single log-in.
Paradoxically, this presents an opportunity for hackers.
Victim's Credential (Single Point)
Hackers
Hackers Take All
10
Low Effort
Phishing attacks are less difficult than
malware or zero-day exploit attacks.
High Impact
However, the benefits of successful
phishing attacks are huge.
Photo by Drew Coffman on Unsplash
Photo by Shane on Unsplash
11
Background & Motivation
Fishing the Phishers
Previous Research
- Inferring Phishing Intention via Webpage Appearance and Dynamics
- Google Safe Browsing with ML
Be Prepared for Regional Phishing
- Limitations - Blacklist
- Limitations - Adversary's Tactics
- No One Knows Better than You
Photo by Aaron Huber on Unsplash
12
Inferring Phishing Intention via Webpage Appearance and Dynamics (USENIX 2022)
Previous Research
Abstract Webpage Layout: an AWL describes the regions and positions of UI components.
CRP Classification: build a CRP classifier that takes the screenshot and the AWL as input and classifies whether the webpage requires user credentials.
CRP Transition Location: emulate user clicks on the reported links/buttons and retrieve the new redirected URLs along with their screenshots and HTML code.
13
Building a more helpful browser with machine learning (Google Security)
Previous Research
Rolled Out a New ML Model: identifies 2.5 times more potentially malicious sites and phishing attacks than the previous model.
Improve The Browsing Experience: Chrome predicts when permission prompts are unlikely to be granted based on how the user previously interacted with similar permission prompts, and silences these undesired prompts.
14
But Why Do Browsers Fail to Detect?
Be Prepared for Regional Phishing
Detection techniques are evolving, but detection rates for regional phishing are still insufficient.
Chrome, Edge, Safari, Etc.
15
Limitations - Blacklist
Be Prepared for Regional Phishing
It takes an average of 7 days for phishing attacks to be blacklisted.
Timeline (Attacker, Victims):
D-Day: Phishing Campaign Start. Browsers Don't Detect.
D+7 (Average): Blacklisted @ Google Safe Browsing. Now Browsers Detect As Phishing Site.
16
Limitations - Adversary's Tactics
Be Prepared for Regional Phishing
Bypassing techniques
• IP Blacklist
• User-Agent Checking
• Referrer Checking
• Parameter Checking
You want to discover a phishing site, but you will see Google.
Attackers use bypassing techniques to avoid being caught by phishing hunters.
17
“No One Knows
Your Brand
Better than You”
That's why We Study Naver Phishing
18
Regional Phishing Landscape
Fishing the Phishers
Phishing Campaign Types
- 3 Types of Phishing
Analysis of Adversarial Tactics
- Sophisticated Phishing
- Domain Squatting with HTTPS
- Phishing Emails with Social Engineering
- Credential Redirection
- Circumventing Techniques
Photo by Aaron Huber on Unsplash
19
3 Types of Phishing
Phishing Campaign Types
Sophisticated Phishing: The goal of this type is to steal information from the target. It uses social engineering techniques to lure victims to phishing sites.
Search Abuse Phishing: Phishing pages are displayed only when accessed through the search engine. It is a phishing attack against an unspecified number of users.
Joonggonara Phishing: It is a fraudulent method of stealing accounts and money by luring victims after registering false sales in the "Joonggonara Café".
20
[1] Sophisticated Phishing - Attack Flow
Analysis of Adversarial Tactics
This is the most sophisticated type of phishing attack; various techniques are used to increase the attack success rate.
STAGE A: Build Phishing Site
STAGE B: Send Phishing Emails
STAGE C: Account Hijacking
STAGE D: Steal Information
Adversary's Tactics
• Domain Squatting
• Free TLS Certificates
• Collecting Emails
• Social Engineering
• Credential Redirection with Proxy Configuration
• Change Security Setting
• IMAP/POP3 Setting
21
[1] Sophisticated Phishing - Domain Squatting with HTTPS
Analysis of Adversarial Tactics
Attackers register domains similar to Naver's, so that the victim takes the phishing site for the normal one.
Domain Squatting Example
• navers.co.in
• help-navers.com
• account.nhn-signer.kro.kr
• nid.naversec.o-r.kr
• nidserver.naverrer.com
Attackers implement HTTPS phishing sites using free certificates.
This allows an adversary to avoid the browser warning about a missing valid certificate.
22
[1] Sophisticated Phishing - Phishing Emails with Social Eng.
Analysis of Adversarial Tactics
To lure victims, most of the email titles include attention-grabbing information.
23
[1] Sophisticated Phishing - Credential Redirection
Analysis of Adversarial Tactics
Proxy configuration for redirecting a victim's credential.
An attacker obtains a working credential when a victim has successfully signed in at a target website.
Diagram: Victim, Phishing Site (Proxy), https://www.naver.com; Input Credential, Forward Credential, Response Session, Logging Credential if response is OK
24
[1] Sophisticated Phishing - Circumventing Techniques
Analysis of Adversarial Tactics
Attackers use bypassing techniques to avoid being caught by phishing hunters.
The phishing site is accessible solely when a certain condition is met; otherwise an empty page is returned or the visitor is redirected to an arbitrary website.
• No Referrer: Redirect to Google
• No Parameters: 404 not found
• Parameter + Referrer: Phishing
25
[2] Search Abuse Phishing - Script Call Chaining
Analysis of Adversarial Tactics
Attackers plant malicious scripts on hacked servers and design them to be called in a chain.
Site A, Site B, Site C, … (Compromised)
aa.com/js_common.js
bb.com/login.js
cc.com/login.php
1. Search & Follow Links
2-1. Call
2-2. Call
2-3. Call
3. Return Phishing Page
Phishing shows up with <iframe> pop-up
4. Send Credentials
Site D (Compromised)
In some cases, credentials are encrypted (RSA)
blahblah.txt
26
[2] Search Abuse Phishing - Circumventing Techniques
Analysis of Adversarial Tactics
The phishing site is accessible solely when a certain condition is met.
• Referrer Check (If victims followed search engine links)
• Cookie Check (Phishing only works on first visit)
• Time Check (Phishing only works at specified time)
• Credential Encryption (To disrupt account protection activities)
Phishing works if all conditions are met.
27
[2] Search Abuse Phishing - Social Engineering
Analysis of Adversarial Tactics
In order to lure as many victims as possible to phishing sites, attackers hacked sites that could be trending and used them for phishing.
Popular topics can be targeted by hackers.
Chart: POPULARITY by month (JANUARY, FEBRUARY, MARCH, APRIL, MAY, JUNE)
28
[3] Joonggonara Phishing - Attack Flow
Analysis of Adversarial Tactics
1. Register Bait Items
2. Contact ("Contact me via Kakaotalk")
3. Activate & Deliver Phishing URL
4. Input Credentials
The phishing kit automates the whole phishing process, including the preparation of a phishing website. Sensitive information obtained from the victim can be misused for a phishing attack in the future.
29
[3] Joonggonara Phishing - Hit and Run
Analysis of Adversarial Tactics
2. Contact
3. Activate & Deliver Phishing URL
4. Input Credentials
The phishing URL is available for only a few minutes.
30
Detection & Defense
Fishing the Phishers
NAVER Anti Phishing System
- Mission & Goal
- System Overview
- Certificate Transparency Monitoring
- Spam Detector
- Whale CSD (Client-Side Detection)
- Profiling Adversary
Prevention
- Break the Chain
- Victim Recognition and Protection
- NAVER Safe Browsing
- APWG
- User Interface Improvements
Photo by charlesdeluvio on Unsplash
31
Mission & Goal
NAVER Anti Phishing System
Our mission is to detect Naver phishing as quickly as possible and to protect users from various phishing attacks.
32
System Overview
Naver Anti Phishing System (NAPS)
CT Monitoring (Phishing Domain): Detect newly created phishing domains early through certificate transparency monitoring.
Spam Detector (Phishing Mail & URL): Categorize phishing mail among spam mails reported by users and extract phishing URLs.
Whale CSD Logs (Phishing URL): Record and analyze phishing site information detected by the Whale browser (client side).
User Logs (Adversary Profile): Analyze logs for suspected attackers to prepare for future phishing attacks.
33
CT Monitoring
Naver Anti Phishing System
When a user requests an SSL/TLS certificate, a CA must (from April 1, 2018) submit the certificate details to a CT log.
Factors / Risk Score / Example
• Suspicious TLD: Navers.co.{in}
• TLD as Domain: Naver.{com}.co
• Brand Keyword: {nid.naver.com}.de
• Suspicious Keyword: {nid}.never-{cloud}ing.com
• Domain Squatting: Members.{never}.com
• # of Hyphens: {nid.naver.com-user06-nidlogin}.me
• # of Sub Domains: naver{.}nid{.}coms{.}party
• Free Certificate: Let's Encrypt or Zero SSL
Calculate
Check Phishing
Register to Blacklist
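One way to turn the factors listed above into the "Calculate" step, as an added example (not NAVER's implementation). The weights, the threshold, the keyword and TLD lists and the function names are assumptions, because the slide names the factors and examples but not the scores.

```python
import re

BRAND = "naver"                      # protected brand, from the slide
FIRST_PARTY_ZONE = "naver.com"       # assumption: only this zone is treated as first-party
SUSPICIOUS_TLDS = {"in", "party", "me", "de"}                       # constructed sample list
GENERIC_TLDS = {"com", "net", "org"}                                # expected only as last label
SUSPICIOUS_KEYWORDS = {"nid", "login", "cloud", "account", "help"}  # constructed sample list
FREE_CAS = ("let'sencrypt", "zerossl")                              # issuers named on the slide
WEIGHTS = {                          # assumed weights; the slide does not give the real scores
    "suspicious_tld": 10, "tld_as_domain": 20, "brand_keyword": 30,
    "suspicious_keyword": 10, "domain_squatting": 30,
    "hyphens": 10, "subdomains": 10, "free_certificate": 5,
}
THRESHOLD = 30                       # assumed cut-off for passing a name on to "Check Phishing"


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalikes of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_certificate(hostname, issuer):
    """Return (score, fired_factors) for one hostname seen in a CT log entry."""
    host = hostname.lower().rstrip(".")
    if host.startswith("*."):        # wildcard certificates: score the base name
        host = host[2:]
    if host == FIRST_PARTY_ZONE or host.endswith("." + FIRST_PARTY_ZONE):
        return 0, []                 # genuine first-party name, nothing to score
    labels = host.split(".")
    tokens = [t for t in re.split(r"[.-]", host) if t]
    # Tokens left of the real TLD. A production version would consult the
    # Public Suffix List so that suffixes such as "com.au" do not count here.
    inner = [t for t in re.split(r"[.-]", ".".join(labels[:-1])) if t]
    checks = {
        "suspicious_tld": labels[-1] in SUSPICIOUS_TLDS,
        "tld_as_domain": any(t in GENERIC_TLDS for t in inner),
        "brand_keyword": any(BRAND in t for t in tokens),
        "suspicious_keyword": any(k in t for t in tokens for k in SUSPICIOUS_KEYWORDS),
        "domain_squatting": any(
            BRAND not in t and edit_distance(t, BRAND) == 1 for t in tokens
        ),
        "hyphens": host.count("-") >= 2,
        "subdomains": len(labels) >= 4,
        "free_certificate": any(
            ca in issuer.lower().replace(" ", "") for ca in FREE_CAS
        ),
    }
    fired = [name for name, hit in checks.items() if hit]
    return sum(WEIGHTS[name] for name in fired), fired


def triage(hostname, issuer):
    """'check' sends the name to the phishing check; 'ignore' drops it."""
    score, _ = score_certificate(hostname, issuer)
    return "check" if score >= THRESHOLD else "ignore"


if __name__ == "__main__":
    # Hostnames are the slide's own examples plus constructed benign ones;
    # the issuer strings are constructed.
    samples = [
        ("Navers.co.in", "Let's Encrypt"),
        ("Members.never.com", "DigiCert"),
        ("nid.naver.com-user06-nidlogin.me", "ZeroSSL"),
        ("nid.naver.com", "DigiCert"),
        ("my-cloud-login.example.org", "Let's Encrypt"),
    ]
    for host, issuer in samples:
        score, fired = score_certificate(host, issuer)
        print(f"{triage(host, issuer):6} {score:3} {host} {fired}")
```

A name that scores above the threshold is only a candidate: as on the slide, it still goes through the phishing check before it is registered to the blacklist.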
34
Spam Detector
Naver Anti Phishing System
Among spam emails reported by users, suspected phishing emails are classified and analyzed by the security team.
Send a phishing mail
Report!
SPAM DB
Keyword_A, Keyword_B, Keyword_C, Keyword_D, Keyword_E, Keyword_F, Keyword_G, Keyword_H
Check Phishing
Register to Blacklist
35
Whale CSD Logs
Naver Anti Phishing System
The CSD feature of the Whale browser helps clients detect and block phishing, even if the phishing site is not blacklisted.
Phishing
Feature Extraction
Check Phishing
Register to Blacklist
36
Profiling Adversary
Naver Anti Phishing System
The CSD feature of the Whale browser helps clients detect and block phishing, even if the phishing site is not blacklisted.
SMTP Server Info., From Address (Sender), Target Address (Receiver), …
Hosting Server Info., Proxy Server Info., Passive DNS, …
Make a profile of Adversary: Group A, Group B, Group C
New Phishing Detected: Match
37
Break the Chain
Prevention
By analyzing the elements of each stage of a phishing attack and breaking the link, we prevent the spread of damage.
Block Phishing Mails
• Block targeted phishing attacks
• Prevent the spread of victims
Block Phishing URLs
• Block users accessing phishing URLs
Victim Protection
• Account protection and information leakage prevention for phishing victim accounts
Improve Usable Security
• Increase user awareness of phishing attacks
38
Break the Chain
Prevention
By analyzing the elements of each stage of a phishing attack and breaking the link, we prevent the spread of damage.
Timeline (Attacker, Phish!):
D-Day: Phishing Campaign Start.
D+1 (Average): Detected @ NAPS in 24 Hours. Blocked by Naver Safe Browsing.
D+7 (Average): Blacklisted @ Google Safe Browsing. Now Other Browsers Detect As Phishing Site. Blocked.
39
Victim Recognition and Protection
Prevention
The CSD feature of the Whale browser helps clients detect and block phishing, even if the phishing site is not blacklisted.
Diagram: Victim, Phishing Site (Proxy), https://www.naver.com; Input Credential, Forward Credential, Response Session, Logging Credential if response is OK
Hosting Address: x.x.x.x, y.y.y.y, z.z.z.z
Login History:
victim_001 : x.x.x.x
victim_002 : x.x.x.x
victim_003 : x.x.x.x
Victim Recognition
Verification & Protection
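An added example of the victim-recognition step in the diagram above (not NAVER's code): because the phishing proxy forwards credentials to the real login page, logins whose source address matches a known phishing hosting address identify the affected accounts. The log format, addresses and account names are constructed, and the function names are assumptions.

```python
import ipaddress

# Constructed sample data: documentation address ranges and made-up accounts.
PHISHING_HOSTING_ADDRESSES = ["203.0.113.10", "2001:db8::25"]
LOGIN_HISTORY = """\
2024-05-01T09:00:01Z victim_001 203.0.113.10 OK
2024-05-01T09:00:40Z user_777 192.0.2.55 OK
2024-05-01T09:02:13Z victim_002 2001:0db8:0000:0000:0000:0000:0000:0025 OK
2024-05-01T09:03:02Z victim_003 203.0.113.10 FAIL
2024-05-01T09:05:47Z victim_001 192.0.2.90 OK
malformed line
"""


def parse_login_line(line):
    """Parse 'timestamp account source_ip result'; return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    timestamp, account, source, result = parts
    try:
        # ip_address() normalises the text form, so a fully written-out
        # IPv6 address compares equal to its compressed form.
        source = ipaddress.ip_address(source)
    except ValueError:
        return None
    return timestamp, account, source, result


def recognize_victims(log_text, hosting_addresses):
    """Split accounts that logged in from a phishing host into two groups.

    confirmed: the login succeeded, so the proxy captured a working credential.
    attempted: the login failed, so the user typed something into the phishing
               page but the attacker did not obtain a working credential.
    """
    hosts = {ipaddress.ip_address(a) for a in hosting_addresses}
    confirmed, attempted = {}, {}
    for line in log_text.splitlines():
        record = parse_login_line(line)
        if record is None:
            continue
        timestamp, account, source, result = record
        if source not in hosts:
            continue
        bucket = confirmed if result == "OK" else attempted
        bucket.setdefault(account, []).append(timestamp)
    for account in confirmed:        # a later success outranks earlier failures
        attempted.pop(account, None)
    return confirmed, attempted


if __name__ == "__main__":
    confirmed, attempted = recognize_victims(LOGIN_HISTORY, PHISHING_HOSTING_ADDRESSES)
    for account, times in confirmed.items():
        print("protect:", account, times)   # candidates for verification and protection
    for account, times in attempted.items():
        print("notify: ", account, times)
```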
40
NAVER Safe Browsing
Prevention
The CSD feature of the Whale browser helps clients detect and block phishing, even if the phishing site is not blacklisted.
NAPS: CT Monitoring, Spam Detector, Whale CSD Logs, User Logs
NAPS + Block Naver Phishing
41
NAVER Safe Browsing with Whale
Prevention
Other browsers cannot detect Naver phishing when the detection bypass technique is applied.
Whale can, because we have a team that specializes in analyzing and responding to Naver phishing.
Safari, Edge, Etc. < Naver Whale
42
User Interface Improvements
Prevention
We are improving the user interface to inform users about phishing sites.
Change the Warning Screen: Strengthen warning messages when accessing phishing sites
Enhanced Security Alert: Provides notification when user security anomalies are detected
Security Campaign: Conduct security enhancement campaigns to prevent phishing
Our security and service teams are collaborating to improve usable security, and the results are continuously reflected in our services.
AS-IS, TO-BE
43
OUR LATEST ACHIEVEMENTS IN NUMBERS
Prevention
The Naver Security Team is continuously researching phishing attacks and actively responding to them.
8000+ Naver Phishing: Registered @ Naver Safe Browsing
400K+ Phishing Mail: Blocked Proactively
1M+ Phishing URLs: Blocked by Naver Safe Browsing
5+ APPS: Utilize Phishing Data
44
How to Utilize CTI
Fishing the Phishers
- Case Analysis 1 : Darkweb
- Case Analysis 1 : Kakaotalk Malware and Phishing
Photo by AbsolutVision on Unsplash
45
We are monitoring various channels to protect Naver
accounts from being leaked on the Internet.
We protect leaked accounts by analyzing information
collected from OSINT, Telegram, etc.
In addition, accounts leaked on darkweb or leaked by
malware are monitored and protected.
Behind the Scene
to Protect Users
Darkweb
Photo by Ryoji Iwata on Unsplash
user001 / qwe1234~!
user002 / user!@
user003 / passcode#@
46
CTI Information Sharing
Kakaotalk malware and Phishing
Through rapid information sharing, it is possible to analyze and respond to risk factors that may occur in Naver.
47
Discussion & Future work
Fishing the Phishers
- Real-world Problem
- Next Step
Photo by AbsolutVision on Unsplash
48
Why Don’t We Cooperate?
Real-World Problem
In order to respond to phishing in the region, including Naver, cooperation and information sharing are essential.
Investigation of hacked servers: It should be possible to quickly retrieve the phishing victim accounts collected by the attacker.
Investigation of scammers: It is necessary to investigate fraudsters who steal not only accounts, but also personal information and money.
Sharing of phishing information: Collaborative response is needed rather than individual battles.
Photo by Aubrey Odom-Mabey on Unsplash
49
The More We Care, The Safer Naver is
Next Step
We are researching phishing attacks and working hard to reflect them in our service.
Expanding Safe Browsing: Building a safe service ecosystem from phishing
Cooperation with …: Organization, Internet company, T.I, Etc.
Research & Development: Phishing analysis and response automation
Photo by Kelly Sikkema on Unsplash
50
Conclusion
Fishing the Phishers
Photo by AbsolutVision on Unsplash
51
GET IN TOUCH
WITH US
LOCATION
NAVER 1784
CONTACT ME
june.park@navercorp.com

Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 

Analysis of Regional Phishing Attack

  • 1. Analysis of Regional Phishing Attack: Fishing the Phishers. June Park @ Naver Corp. [Security]. Photo by Johannes Plenio on Unsplash.
  • 2. About Me: June Park, Security Researcher @ NAVER CORP. Security Research and Pentesting @ Samsung (10 years); DEFCON 27 DEMO LABS (Mobile + Cloud Vuln.); Interest: Phishing, App Security, Cloud Security; june.park@navercorp.com. Journey to the Security Expert.
  • 3. AGENDA (Fishing the Phishers). Introduction: Global Phishing Attack Trends; Why Phishing Attacks keep Growing. Regional Phishing Landscape: Phishing Campaign Types; Analysis of Adversarial Tactics. Background & Motivation: Previous Research and Limitations; Why We Should Be Prepared for Regional Phishing Attack. Detection and Defense: NAVER Anti Phishing System; Early Detection and Prevention; Mitigation.
  • 4. AGENDA (Fishing the Phishers). How to Utilize CTI: Case Analysis 1: Leak Accounts from Darkweb; Case Analysis 2: Kakaotalk Malware and Phishing. Discussion and Future Work: Real-World Limitations; What We Do for Next? Conclusion.
  • 5. Introduction (Fishing the Phishers). Phishing Attack Trends: Definition; Global Trends. Why Phishing Attacks keep Growing: Single Point of Failure; Low Effort High Impact.
  • 6. https://fanciful-tarsier-c23d09.netlify.app [NOT NAVER.COM]. Diagram labels: Account Leak; Personal Data Leak; Prepare New Attack; Input Login Credential; Credential Delivered To Hackers; Collect and Sell (Dark-Market); Emails, Files in Cloud, Contacts, Etc.; Abuse the Service; Abuse the Account.
  • 7. Global Trends: Phishing Reaches All-Time High in Early 2022. In the first quarter of 2022, APWG observed 1,025,968 total phishing attacks. This was the worst quarter for phishing that APWG has ever observed, and the first time that the quarterly total has exceeded one million. [Chart: Phishing Attacks, 2Q2021 ~ 1Q2022, by APWG]
  • 8. Global Trends: FBI Crime Report 2020 - 2021. The type of cybercrime with the most victims in 2020 was phishing. In 2021, this trend also continued, resulting in the largest number of victims by phishing. Photo by Setyaki Irham on Unsplash.
  • 9. Single Point of Failure (Why Phishing Attacks keep Growing). On the portal site, users can use all detailed services with a single log-in. Paradoxically, this presents an opportunity for hackers. Diagram labels: Victim’s Credential (Single Point); Hackers; Hackers Take All.
  • 10. Low Effort: Phishing attacks are less difficult than malware or zero-day exploit attacks. High Impact: However, the benefits of successful phishing attacks are huge. Photo by Drew Coffman on Unsplash. Photo by Shane on Unsplash.
  • 11. Background & Motivation (Fishing the Phishers). Previous Research: Inferring Phishing Intention via Webpage Appearance and Dynamics; Google Safe Browsing with ML. Be Prepared for Regional Phishing: Limitations - Blacklist; Limitations – Adversary’s Tactics; No One Knows Better than You. Photo by Aaron Huber on Unsplash.
  • 12. Previous Research: Inferring Phishing Intention via Webpage Appearance and Dynamics (USENIX 2022). Abstract Webpage Layout: AWL describing the regions and positions of UI components. CRP Classification: build a CRP classifier that takes the screenshot and the AWL as input, and classifies whether the webpage requires user credentials. CRP Transition Location: Emulating user clicks on the reported links/buttons, and retrieve new redirected URLs along with their screenshots and HTML codes.
  • 13. Previous Research: Building a more helpful browser with machine learning (Google Security). Rolled Out a New ML Model: identifies 2.5 times more potentially malicious sites and phishing attacks than the previous model. Improve The Browsing Experience: Chrome predicts when permission prompts are unlikely to be granted based on how the user previously interacted with similar permission prompts, and silences these undesired prompts.
  • 14. But, Why Browsers Fail to Detect (Be Prepared for Regional Phishing). Detection techniques are evolving, but detection rates for regional phishing are still insufficient. Chrome, Edge, Safari, Etc.
  • 15. Limitations - Blacklist (Be Prepared for Regional Phishing). It takes an average of 7 days for phishing attacks to be blacklisted. Timeline labels: Attacker; Victims; Phishing Campaign Start, D-Day; Blacklisted @ Google Safe Browsing, D+7 (Average); Browsers Don’t Detect; Now Browsers Detect As Phishing Site.
  • 16. Limitations – Adversary’s Tactics (Be Prepared for Regional Phishing). You want to discover phishing site, But, You will see Google. Bypassing techniques: IP Blacklist; User-Agent Checking; Referrer Checking; Parameter Checking. Attackers utilize bypassing techniques not to be captured by phishing hunters.
  • 17. “No One Knows Your Brand Better than You”. That’s why We Study Naver Phishing.
  • 18. Regional Phishing Landscape (Fishing the Phishers). Phishing Campaign Types: 3 Types of Phishing. Analysis of Adversarial Tactics: Sophisticated Phishing; Domain Squatting with HTTPS; Phishing Emails with Social Engineering; Credential Redirection; Circumventing Techniques. Photo by Aaron Huber on Unsplash.
  • 19. 3 Types of Phishing (Phishing Campaign Types). Sophisticated Phishing: The goal of this type is to steal information from the target. It uses social engineering techniques to lure victims to phishing sites. Search Abuse Phishing: Phishing pages are displayed only when accessed through the search engine. It is a phishing attack against an unspecified number of users. Joonggonara Phishing: It is a fraudulent method of stealing accounts and money by luring victims after registering false sales in the ”Joonggonara Café”.
  • 20. [1] Sophisticated Phishing - Attack Flow (Analysis of Adversarial Tactics). STAGE A: Build Phishing Site. STAGE B: Send Phishing Emails. STAGE C: Account Hijacking. STAGE D: Steal Information. Adversary’s Tactics: Domain Squatting; Free TLS Certificates; Collecting Emails; Social Engineering; Credential Redirection with Proxy Configuration; Change Security Setting; IMAP/POP3 Setting. As the most sophisticated type of phishing attack, various techniques are used to increase the attack success rate.
  • 21. [1] Sophisticated Phishing - Domain Squatting with HTTPS (Analysis of Adversarial Tactics). Registering domains similar to Naver, causing the victim to recognize the phishing site as normal. Domain Squatting Example: navers.co.in; help-navers.com; account.nhn-signer.kro.kr; nid.naversec.o-r.kr; nidserver.naverrer.com. Attackers implement HTTPS phishing sites using free certificates. It allows an adversary to avoid a browser warning of missing a valid certificate.
  • 22. [1] Sophisticated Phishing - Phishing Emails with Social Eng. (Analysis of Adversarial Tactics). To lure victims, most of the email titles include attention-grabbing information.
  • 23. [1] Sophisticated Phishing - Credential Redirection (Analysis of Adversarial Tactics). Proxy configuration for redirecting a victim's credential. An attacker obtains a working credential when a victim has successfully signed in a target website. Diagram labels: Victim; Phishing Site (Proxy); https://www.naver.com; Forward Credential; Input Credential; Forward Credential Response Session; Logging Credential if response is OK.
  • 24. [1] Sophisticated Phishing - Circumventing Techniques (Analysis of Adversarial Tactics). Attackers utilize bypassing techniques not to be captured by phishing hunters. Phishing site can be accessible solely when a certain condition is met where an empty page or arbitrary website would be returned/redirected otherwise. No Referrer: Redirect to Google. No Parameters: 404 not found. Parameter + Referrer: Phishing.
  • 25. [2] Search Abuse Phishing - Script Call Chaining (Analysis of Adversarial Tactics). Attackers plant malicious scripts on hacked servers and design them to be called in a chain. Diagram labels: Site A; Site C; Compromised; …; Site B; aa.com/js_common.js; bb.com/login.js; cc.com/login.php; Site D; Compromised; Phishing; blahblah.txt. Steps: 1. Search & Follow Links; 2-1. Call; 2-2. Call; 2-3. Call; 3. Return Phishing Page; 4. Send Credentials. Show up with <iframe> pop-up. In some cases, credentials are encrypted (RSA).
  • 26. [2] Search Abuse Phishing - Circumventing Techniques (Analysis of Adversarial Tactics). Phishing site can be accessible solely when a certain condition is met. Referrer Check (If victims followed search engine links); Cookie Check (Phishing only works on first visit); Time Check (Phishing only works at specified time); Credential Encryption (To disrupt account protection activities). Phishing works If all conditions are met.
  • 27. [2] Search Abuse Phishing - Social Engineering (Analysis of Adversarial Tactics). In order to lure as many victims as possible to phishing sites, attackers hacked sites that could be trending and used them for phishing. [Chart: POPULARITY by month, JANUARY to JUNE] Popular topics can be targeted by hackers.
  • 28. [3] Joonggonara Phishing - Attack Flow (Analysis of Adversarial Tactics). 1. Register Bait Items; 2. Contact (Contact me via Kakaotalk); 3. Activate & Deliver Phishing URL; 4. Input Credentials. The phishing kit offers an automation of the whole phishing processing including the preparation of a phishing website. Sensitive information obtained from the victim can be compromised for a phishing attack in the future.
  • 29. [3] Joonggonara Phishing - Hit and Run (Analysis of Adversarial Tactics). 2. Contact; 3. Activate & Deliver Phishing URL; 4. Input Credentials. Phishing URL is available for only a few minutes.
  • 30. Detection & Defense (Fishing the Phishers). NAVER Anti Phishing System: Mission & Goal; System Overview; Certificate Transparency Monitoring; Spam Detector; Whale CSD (Client-Side Detection); Profiling Adversary. Prevention: Break the Chain; Victim Recognition and Protection; NAVER Safe Browsing; APWG; User Interface Improvements. Photo by charlesdeluvio on Unsplash.
  • 31. Mission & Goal (NAVER Anti Phishing System). Our mission is to detect Naver phishing as quickly as possible and to protect users from various phishing attacks.
  • 32. System Overview (Naver Anti Phishing System, NAPS). CT Monitoring (Phishing Domain): Detect newly created phishing domains early through certificate transparency monitoring. Spam Detector (Phishing Mail & URL): Categorize phishing mail among spam mails reported by users and extract phishing URLs. Whale CSD Logs (Phishing URL): Record and analyze phishing site information detected by the Whale browser (client side). User Logs (Adversary Profile): Analyze logs for suspected attackers to prepare for future phishing attacks.
  • 33. CT Monitoring (Naver Anti Phishing System). When a user requests an SSL/TLS certificate, a CA must (from April 1, 2018) submit the certificate details to a CT log. Table columns: Factors, Risk Score, Example. Suspicious TLD: Navers.co.{in}. TLD as Domain: Naver.{com}.co. Brand Keyword: {nid.naver.com}.de. Suspicious Keyword: {nid}.never-{cloud}ing.com. Domain Squatting: Members.{never}.com. # of Hyphens: {nid.naver.com-user06-nidlogin}.me. # of Sub Domains: naver{.}nid{.}coms{.}party. Free Certificate: Let’s Encrypt or Zero SSL. Flow: Calculate; Check Phishing; Register to Blacklist.
  • 34. Spam Detector (Naver Anti Phishing System). Among spam emails reported by users, suspected phishing emails are classified and analyzed by the security team. Diagram labels: Send a phishing mail; Report!; SPAM DB; Keyword_A, Keyword_B, Keyword_C, Keyword_D, Keyword_E, Keyword_F, Keyword_G, Keyword_H; Check Phishing; Register to Blacklist.
  • 35. Whale CSD Logs (Naver Anti Phishing System). The CSD feature of the Whale browser helps clients detect and block phishing, even if the phishing site is not blacklisted. Flow: Phishing Feature Extraction; Check Phishing; Register to Blacklist.
  • 36. Profiling Adversary (Naver Anti Phishing System). The CSD feature of the Whale browser helps clients detect and block phishing, even if the phishing site is not blacklisted. Diagram labels: SMTP Server Info.; From Address (Sender); Target Address (Receiver); …; Hosting Server Info.; Proxy Server Info.; Passive DNS; …; Make a profile of Adversary; Group A; Group B; Group C; Match; New Phishing Detected.
  • 37. Break the Chain (Prevention). By analyzing the elements of each stage of a phishing attack and breaking the link, we prevent the spread of damage. Block Phishing Mails: Block targeted phishing attacks; prevent the spread of victims. Block Phishing URLs: Block users accessing phishing URLs. Victim Protection: Account protection and information leakage prevention for phishing victim accounts. Improve Usable Security: Increase user awareness of phishing attacks.
  • 38. Break the Chain (Prevention). By analyzing the elements of each stage of a phishing attack and breaking the link, we prevent the spread of damage. Timeline labels: Attacker; Blocked; @ Google Safe Browsing Blacklisted; D-Day; D+7 (Average); Phishing Campaign Start; Now Other Browsers Detect As Phishing Site; Phish!; @ NAPS in 24 Hours; Detected by Naver Safe Browsing; Blocked; D+1 (Average).
  • 39. Victim Recognition and Protection (Prevention). The CSD feature of the Whale browser helps clients detect and block phishing, even if the phishing site is not blacklisted. Diagram labels: Victim; Phishing Site (Proxy); https://www.naver.com; Forward Credential; Input Credential; Forward Credential Response Session; Logging Credential if response is OK. Hosting Address: x.x.x.x; y.y.y.y; z.z.z.z. Login History: victim_001: x.x.x.x; victim_002: x.x.x.x; victim_003: x.x.x.x. Victim Recognition; Verification & Protection.
  • 40. NAVER Safe Browsing (Prevention). The CSD feature of the Whale browser helps clients detect and block phishing, even if the phishing site is not blacklisted. Diagram labels: CT Monitoring; Spam Detector; Whale CSD Logs; User Logs; NAPS + Block Naver Phishing.
  • 41. NAVER Safe Browsing with Whale (Prevention). Other browsers cannot detect Naver phishing with the detection bypass technique applied. Whale is possible, because we have a team that specializes in analyzing and responding to Naver phishing. Safari, Edge, Etc. < Naver Whale.
  • 42. User Interface Improvements (Prevention). We are improving the user interface to inform users about phishing sites. Change the Warning Screen: Strengthen warning messages when accessing phishing sites. Enhanced Security Alert: Provides notification when user security anomalies are detected. Security Campaign: Conduct security enhancement campaigns to prevent phishing. Our security and service teams are collaborating to improve usable security, and the results are continuously reflected in our services. [Screenshots: AS-IS; To-BE]
  • 43. OUR LATEST ACHIEVEMENTS IN NUMBERS (Prevention). The Naver Security Team is continuously researching phishing attacks and actively responding to them. Naver Phishing: 8000+ Registered @ Naver Safe Browsing. Phishing Mail: 400K+ Blocked Proactively. Phishing URLs: 1M+ Blocked by Naver Safe Browsing. APPS: 5+ Utilize Phishing Data.
  • 44. How to Utilize CTI (Fishing the Phishers). Case Analysis 1: Darkweb. Case Analysis 1: Kakaotalk Malware and Phishing. Photo by AbsolutVision on Unsplash.
  • 45. Behind the Scene to Protect Users (Darkweb). We are monitoring various channels to protect Naver accounts from being leaked on the Internet. We protect leaked accounts by analyzing information collected from OSINT, Telegram, etc. In addition, accounts leaked on darkweb or leaked by malware are monitored and protected. Example entries: user001/qwe1234~!; user002/user!@; user003/passcode#@. Photo by Ryoji Iwata on Unsplash.
  • 46. CTI Information Sharing (Kakaotalk malware and Phishing). Through rapid information sharing, it is possible to analyze and respond to risk factors that may occur in Naver.
  • 47. Discussion & Future work (Fishing the Phishers). Real-world Problem; Next Step. Photo by AbsolutVision on Unsplash.
  • 48. Why Don’t We Cooperate? (Real-World Problem). In order to respond to phishing in the region, including Naver, cooperation and information sharing are essential. Investigation of hacked servers: It should be possible to quickly retrieve the phishing victim accounts collected by the attacker. Investigation of scammers: It is necessary to investigate fraudsters who steal not only accounts, but also personal information and money. Sharing of phishing information: Collaborative response is needed rather than individual battles. Photo by Aubrey Odom-Mabey on Unsplash.
  • 49. The More We Care, The Safer Naver is (Next Step). We are researching phishing attacks and working hard to reflect them in our service. Expanding Safe Browsing: Building a safe service ecosystem from phishing. Cooperation with …: Organization, Internet company, T.I, Etc. Research & Development: Phishing analysis and response automation. Photo by Kelly Sikkema on Unsplash.
  • 50. Conclusion (Fishing the Phishers). Photo by AbsolutVision on Unsplash.
  • 51. GET IN TOUCH WITH US. LOCATION: NAVER 1784. CONTACT ME: june.park@navercorp.com
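
The CT Monitoring slide (33) lists the factors used to score newly issued certificates. The following is an added example, not code from the talk or from NAVER: a lexical scorer over constructed CT entries that applies those eight factors. The weights, threshold, TLD set, keyword list and the single allowlisted suffix are assumptions, since the slide's risk-score values are not in the transcript.

```python
import re

BRAND = "naver"
OFFICIAL_SUFFIXES = ("naver.com",)        # assumption: hosts under this are legitimate
SUSPICIOUS_TLDS = {"in", "me", "party"}   # assumption: sample set only
GENERIC_TLDS = {"com", "net", "org"}      # TLD strings that should only appear last
SUSPICIOUS_KEYWORDS = ("nid", "login", "account", "help", "cloud", "sec", "member")
FREE_CAS = ("let's encrypt", "zerossl")
WEIGHTS = {                               # assumption: not the scores from the slide
    "suspicious_tld": 10, "tld_as_domain": 20, "brand_keyword": 30,
    "suspicious_keyword": 10, "domain_squatting": 30, "hyphens": 10,
    "subdomains": 10, "free_certificate": 10,
}
THRESHOLD = 50                            # assumption

# Constructed sample input: (dNSName from a CT entry, issuer name).
CT_ENTRIES = [
    ("nid.naver.com", "DigiCert Inc"),
    ("Navers.co.in", "Let's Encrypt R3"),
    ("nid.naver.com-user06-nidlogin.me", "ZeroSSL RSA Domain Secure Site CA"),
    ("nid.never-clouding.com", "Let's Encrypt R3"),
    ("*.example-shop.org", "Let's Encrypt R3"),
]


def normalize(host):
    """Lowercase, drop a trailing dot and a leading wildcard label."""
    host = host.strip().lower().rstrip(".")
    return host[2:] if host.startswith("*.") else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(token):
    """True for 'navers', 'naverrer', 'never', but not for the exact brand."""
    if token == BRAND:
        return False
    return BRAND in token or edit_distance(token, BRAND) <= 1


def score_domain(host, issuer):
    """Return (risk score, matched factor names) for one certificate name."""
    host = normalize(host)
    if any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES):
        return 0, []
    labels = host.split(".")
    tokens = [t for t in re.split(r"[.-]", host) if t]
    checks = {
        "suspicious_tld": labels[-1] in SUSPICIOUS_TLDS,
        "tld_as_domain": any(t in GENERIC_TLDS for t in tokens[:-1]),
        "brand_keyword": BRAND in tokens,
        "suspicious_keyword": any(k in host for k in SUSPICIOUS_KEYWORDS),
        "domain_squatting": any(is_lookalike(t) for t in tokens),
        "hyphens": host.count("-") >= 2,
        "subdomains": len(labels) >= 4,
        "free_certificate": any(ca in issuer.lower() for ca in FREE_CAS),
    }
    factors = [name for name, hit in checks.items() if hit]
    return sum(WEIGHTS[f] for f in factors), factors


def triage(entries):
    """Hosts at or above THRESHOLD, highest score first, for the phishing check."""
    flagged = []
    for host, issuer in entries:
        score, factors = score_domain(host, issuer)
        if score >= THRESHOLD:
            flagged.append((score, normalize(host), factors))
    return sorted(flagged, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    for score, host, factors in triage(CT_ENTRIES):
        print(f"{score:3d}  {host}  {', '.join(factors)}")
```

A score only queues a name for the "Check Phishing" step on the slide; a free certificate or a hyphen alone stays well below the threshold.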
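
The Victim Recognition slide (39) pairs the hosting addresses of phishing proxies with login history: because the proxy forwards the victim's credential to the real site, affected accounts show logins from the proxy's address. The following is an added example, not NAVER's implementation, that does this correlation over a constructed login log; the log format, the account names and the documentation-range IP addresses are assumptions.

```python
import ipaddress

# Constructed sample data: known phishing proxy addresses (single IPs or CIDRs).
PHISHING_HOSTS = ["198.51.100.23", "203.0.113.0/28"]

# Constructed login history: timestamp, account, source IP, result.
LOGIN_LOG = """\
2022-06-01T09:12:44Z victim_001 198.51.100.23 OK
2022-06-01T09:13:02Z victim_002 198.51.100.23 OK
2022-06-01T09:15:10Z victim_003 203.0.113.7 FAIL
2022-06-01T09:15:40Z victim_003 203.0.113.7 OK
2022-06-01T09:16:00Z victim_004 203.0.113.9 FAIL
2022-06-01T09:20:00Z user_100 192.0.2.55 OK
2022-06-01T09:21:00Z user_101 203.0.113.200 OK
not a log line
"""


def load_networks(entries):
    """Turn IPs and CIDRs into network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_line(line):
    """Return (timestamp, account, address, success) or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, account, ip, result = parts
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return ts, account, addr, result == "OK"


def recognize_victims(log_text, host_entries):
    """Map each account seen from a phishing proxy to first-seen time and sources."""
    networks = load_networks(host_entries)
    hits = {}
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        ts, account, addr, success = record
        if not any(addr in net for net in networks):
            continue
        entry = hits.setdefault(
            account, {"first_seen": ts, "sources": set(), "compromised": False})
        entry["first_seen"] = min(entry["first_seen"], ts)  # ISO-8601 sorts as text
        entry["sources"].add(str(addr))
        # A successful login through the proxy means the credential worked.
        entry["compromised"] = entry["compromised"] or success
    return hits


def accounts_to_protect(hits):
    """Accounts whose credential was confirmed valid via the proxy."""
    return sorted(a for a, e in hits.items() if e["compromised"])


if __name__ == "__main__":
    found = recognize_victims(LOGIN_LOG, PHISHING_HOSTS)
    for account in sorted(found):
        e = found[account]
        state = "protect" if e["compromised"] else "watch"
        print(account, e["first_seen"], sorted(e["sources"]), state)
```

Accounts with only failed attempts from a proxy address (victim_004 here) are kept in the result but not marked compromised, matching the slide's note that the credential is logged only if the response is OK.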