Credential Stealing Emails
What YOU need to know
Michael Gough – Co-Founder
Brian Boettcher – Co-Founder
IMFSecurity.com
LOG-MD.com
Who are we
• Blue Team Defender Ninjas, Incident Responders
• Michael – Creator of all those Windows Logging Cheat Sheets and the Malware Management Framework
• Brian – co-host of the “Brakeing Down Security Podcast”
• Creators of “Log-MD” – The Log and Malicious Discovery Tool
• NEW – Expanding the BDS podcast
– “Brakeing Down Incident Response”
2 years ago…
• We announced LOG-MD at this very conference
• Today we would like to announce the release of…
• LOG-MD ver 2.0
The Challenge
The Problem or SERIOUS Challenge
• We have a fancy SMTP Gateway that does AV, SPAM, Outbreaks, URL Scanning, and Malware Sandboxing
• Credential Stealing Emails are on the rise
• And they are VERY difficult to defend against
• This is a HUGE gap that we get every week
Typical Cred Stealing Email
• They come in to 1, 3, 5, dozens to hundreds of recipients
• They can have a URL in the email or a PDF with a URL to get by the scanners
– Silly Hackers
• And they look like any one of the following…
What the emails look like
A PDF Adobe/Dropbox version
Another PDF
Or a Dropbox-looking email
https://www.millionauto.com/doc.htm
PDF with link
But it is safe, AVAST says so
https://toppingcloths.id/scripts_mwi/onenew/b9909ec9f947e4f86a71e8eb07339d39/
PDF - Scanned Document from your HP Scanner
DocuSign of course…
The Lawyer says Click Here…
https://firstlink-jo.com/jac/font/index.php
Embedded Image with URL
Let’s look at the Cred Stealing website
Dropbox-looking PDF
OneDrive needs your login
• Federation ???
And your PIN… maybe MFA attempt?
DocuSign from a URL
But WAIT – There’s MORE: Federation!
And they even want your Telephone and Recovery Email
PDF brings you here… Login Please
Dang It… Wrong Password – Try Again!
WeTransfer your Credentials…
And then sends you to OneDrive
Let’s Look at a Targeted Attack
Targeted Phish – From Retail Supplier
https://adinshawandco.com/auth/scan.html
The website
Enter your Creds…
After you try logging in they redirect you to an industry article
So what does the attack look like?
Incoming !!!
• Started at 7:58am CST
• Ended at 8:05am CST
• We are an hour behind, so it was sent before we were at work (7:58am CST)
• 191 emails, batched in roughly 50 at a time
• 156 total delivered
• 35 failed to deliver
– Failed addresses went back as far as Mar 2016
Incoming Exchange Splunk Query
• You should have a query ready to go for:
– Sender
– Subject
What did we do?
• Once reported, or when one of our odd email alerts triggers (which this one did), we just had not seen it yet since we had just got into the office and people were already reporting it
– So yeah… AHHHHHhhhhhhhhhhh
• We evaluate in a lab and click all the way through, including entering Fake Creds to see what happens next, and use LOG-MD of course to evaluate URLs and Domains ;-)
• We Splunk the email details to identify ALL users that received it
– Now we know whom to notify
• We add the users to a lookup list in order to track their logins
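The sender/subject query from the Splunk slide and the recipient lookup list, as an added Python example (not the talk’s own code or LOG-MD’s): it filters a constructed Exchange message-tracking export and returns who got the email, who did not, and the campaign window. The column names, the sample rows and the addresses are assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed message-tracking export (not from the talk). Column names are
# assumed to mirror Get-MessageTrackingLog fields; times are UTC, so the
# 13:58Z rows are the 7:58am CST arrival from the slides.
TRACKING_CSV = """\
timestamp,event-id,sender,recipients,message-subject
2018-02-06T13:58:02Z,RECEIVE,scan@supplier.example,"alice@corp.example;bob@corp.example",Scanned Document from your HP Scanner
2018-02-06T13:58:02Z,DELIVER,scan@supplier.example,alice@corp.example,Scanned Document from your HP Scanner
2018-02-06T13:58:03Z,DELIVER,scan@supplier.example,bob@corp.example,Scanned Document from your HP Scanner
2018-02-06T13:58:03Z,FAIL,scan@supplier.example,oldhire@corp.example,Scanned Document from your HP Scanner
2018-02-06T14:01:10Z,RECEIVE,hr@corp.example,carol@corp.example,Benefits update
2018-02-06T14:01:11Z,DELIVER,hr@corp.example,carol@corp.example,Benefits update
"""


def triage_campaign(csv_text, sender, subject):
    """Filter the tracking log on sender and subject (the two keys the talk's
    Splunk query uses) and return the lookup list plus the campaign window.
    'delivered' is the notify/reset list; 'failed' is stale-address noise."""
    delivered, failed, times = set(), set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["sender"].lower() != sender.lower():
            continue
        if subject.lower() not in row["message-subject"].lower():
            continue
        times.append(datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ"))
        # Exchange lists several recipients in one field, separated by ';'
        rcpts = {r.strip().lower() for r in row["recipients"].split(";")}
        if row["event-id"] == "DELIVER":
            delivered |= rcpts
        elif row["event-id"] == "FAIL":
            failed |= rcpts
    return {
        "delivered": sorted(delivered),
        "failed": sorted(failed),
        "first_seen": min(times) if times else None,
        "last_seen": max(times) if times else None,
    }


if __name__ == "__main__":
    result = triage_campaign(TRACKING_CSV, "scan@supplier.example", "scanned document")
    print(f"{len(result['delivered'])} delivered, {len(result['failed'])} failed,"
          f" window {result['first_seen']} to {result['last_seen']}")
```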
What did we do?
• We issued a recall of the email from Exchange
• Emailed all recipients – DO NOT OPEN!!!!
• Anyone who logged into any Internet-facing system was asked to reset their password
• Some accounts were disabled if the user did not respond in a timely manner, like 1 hour
• We called a few people…
Knock Knock… Hackers Knocking
• It didn’t take the hackers 3 hrs to attempt logins
• These Cred Stealing actors are LIVE
So what did Threat Intel say about the URL?
FortiGuard Webfilter
• We checked these on the afternoon of the 16th, 10 days after the event
• They rated it Phishing on Feb 13th
BrightCloud
• Nothing bad
Cisco Talos
• Nothing bad
McAfee
• Phishing
• Checked 10 days later
MXToolbox
• Blacklists all clean
RiskIQ - PassiveTotal
• Nothing bad
PhishTank
• Didn’t have anything
Sucuri
• Blacklisted by Norton and McAfee
Symantec
• Suspicious 7 days ago
Trend Micro
• Dangerous
Unmask Parasites
• Nothing bad
URLQuery
• Nothing bad… But wait there’s more !!!
• SCREEN SHOT !!!!
URLScan
• Nothing bad… SCREEN SHOT !!!
URL Void
• Nothing bad
• Domain is 2 years old
• Is from India
• Safety Reputation - 0
Google VirusTotal
• Nothing bad… Seriously ???
WatchGuard
• Nothing bad
Zscaler
• Nothing bad
Example #2
Investigate within a couple hours to the end of the same day
Example #2 - The Scenario
• This email came in at 12:10 EST
• We looked at it within an hour
• Ran Threat Intel within 2 hours
• Then ran Threat Intel again between 4:30-5:00pm EST
• What do you think we found?
What does Threat Intel think?
• Alexa – No rank available
• Cisco Talos – No Score
• DomainTools – Nothing
• ForcePoint – Nothing
• Symantec – Nothing
• Trend Micro – Nothing
• McAfee TrustedSource – Nothing
• URLVoid – Nothing
• URLQuery – Nothing & Screen Shot
• URLScan – Nothing & Screen Shot
• VirusTotal – Nothing
What do the Browsers say?
• Tested this at the end of the day
• Chrome Safe Browsing – Deceptive Site
• Firefox – Deceptive Site
• Edge Browser – No warning
• Internet Explorer – No warning
Sample #2 - FortiGuard Webfilter
• Winner Winner Chicken Dinner
• 9:34am (UTC) no data… CLEAN
• 10 mins later at 9:44am – “Medium”
– So if you check early, this might say “OK” too
So what should you do?
Your only real options
• MFA
• 2 Factor Auth will cripple these attacks
• The creds won’t work anywhere on Internet facing systems, so you have time to respond
– “Hopefully”
• Fast and Mass disable of accounts and/or rotate passwords for ALL recipients
Detect and Respond… FAST !!!!
1. The Alert – How you get notified
2. Evaluate the URL in a lab or manually
3. Block the URL and/or IP ASAP
4. Get a list of ALL recipients
5. Consider Fast and Mass password resets
– Yes, painful, and more so the larger the event is…
6. Monitor your Internet logins with the list of recipients
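Steps 4 to 6 as an added Python example (not the talk’s own code or LOG-MD’s): given the recipient list and the phish arrival time, it scans constructed Internet-facing login events, ignores logins from the office range, and returns a per-user action plus how many minutes after the phish the first outside attempt came. The office range, the log format, the addresses and the 72-hour window are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed office egress range; anything outside it counts as an Internet login
CORP_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Phish arrival (7:58am CST written as UTC) and the recipient lookup list,
# both constructed to match the talk's timeline
PHISH_ARRIVED = datetime(2018, 2, 6, 13, 58)
RECIPIENTS = {"alice@corp.example", "bob@corp.example"}

# Constructed Internet-facing auth events: time user source_ip app outcome
AUTH_LOG = """\
2018-02-06T12:30:00Z alice@corp.example 203.0.113.7 OWA Success
2018-02-06T15:10:42Z alice@corp.example 198.51.100.23 OWA Failure
2018-02-06T15:11:05Z alice@corp.example 198.51.100.23 OWA Success
2018-02-06T16:40:00Z bob@corp.example 203.0.113.9 VPN Success
2018-02-06T16:45:00Z carol@corp.example 198.51.100.50 OWA Success
"""


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def watch_logins(log_text, recipients, since, window=timedelta(hours=72)):
    """Return (actions, first_hit). actions maps each recipient with an
    off-network login after the phish to what to do: a success means the
    stolen password is in use (reset, disable until the user is reached);
    failures only mean someone is trying it (reset, keep watching).
    first_hit maps the user to minutes from phish arrival to first attempt."""
    actions, first_hit = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, app, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if user not in recipients or not since <= when <= since + window:
            continue
        if is_corporate(ip):
            continue  # normal office login, outside this check's scope
        first_hit.setdefault(user, int((when - since).total_seconds() // 60))
        if outcome == "Success":
            actions[user] = "RESET+DISABLE"
        elif actions.get(user) != "RESET+DISABLE":
            actions[user] = "RESET+WATCH"
    return actions, first_hit


if __name__ == "__main__":
    acts, lag = watch_logins(AUTH_LOG, RECIPIENTS, PHISH_ARRIVED)
    for user, action in acts.items():
        print(f"{user}: {action} (first outside attempt {lag[user]} min after phish)")
```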
Evaluating the URL
• On the 2nd sample FortiGuard was the only one that flagged a recently received phish within the first couple of hours
– Do not take this as an endorsement
– If you check fast enough, it may say it’s “OK”
• I checked all of the URL Threat Intel sites at the end of the day… so 6 hours later
– 0, zippo, none, zilch changed… YUP, all good
Evaluating the URL
• Pick a few of the ones we just blew through and collect the following to make a quick evaluation
– Screen Shots – GREAT indicator of a credential stealing site with an authentication page
– Domain age – How old is the website, in days or years? Is it new?
– Category – Lack of a category, or has the site been categorized (BLOG/Malware/etc.)?
– Reputation – Is this a Bad, Neutral or Good site?
– Blacklists – Is the domain in any blacklists? If so, why is the SMTP gateway not catching it?
– Country – Where is this URL from?
– Alexa Rating – How well known is it?
• LOG-MD will give you the IPs and WhoIs lookup
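The checklist above turned into a triage score, as an added Python example (not the talk’s own code or LOG-MD’s). Its one design rule comes straight from the two samples: a vendor saying “nothing bad” or “no data” is absence of evidence, never a clean vote, and a check made a few hours after arrival is flagged as too early. The weights, thresholds and the two indicator sets are constructed assumptions.

```python
# Words that turn a vendor verdict into a "flagged" vote (assumed list)
FLAG_WORDS = ("phish", "malicious", "deceptive", "dangerous", "suspicious", "medium")


def evaluate_url(ind, hours_since_arrival):
    """Score one URL from the indicators the talk collects. Returns
    (verdict, score, reasons). Unknown/absent data raises the score rather
    than lowering it, because that is exactly what a fresh phish looks like."""
    score, reasons = 0, []
    flagged = sorted(v for v, r in ind["verdicts"].items()
                     if any(w in r.lower() for w in FLAG_WORDS))
    if flagged:
        score += 3
        reasons.append("flagged by " + ", ".join(flagged))
    elif hours_since_arrival < 6:
        reasons.append(f"no vendor rating yet, but checked only "
                       f"{hours_since_arrival}h after arrival; recheck later")
    if ind["screenshot_has_login"]:
        score += 3
        reasons.append("screenshot shows an authentication page")
    if ind["domain_age_days"] is None or ind["domain_age_days"] < 90:
        score += 2
        reasons.append("domain is new or age unknown")
    if ind["category"] is None:
        score += 1
        reasons.append("uncategorized domain")
    elif ind["category"].lower() in ("phishing", "malware"):
        score += 3
        reasons.append(f"categorized as {ind['category']}")
    if ind["blacklists"]:
        score += 2
        reasons.append("on blacklists: " + ", ".join(sorted(ind["blacklists"])))
    if ind["alexa_rank"] is None:
        score += 1
        reasons.append("no Alexa rank")
    verdict = "BLOCK" if score >= 4 else "WATCH" if score >= 2 else "LIKELY OK"
    return verdict, score, reasons


# Constructed indicator sets, patterned on sample #2 and on a normal site
SAMPLE_PHISH = {
    "verdicts": {"Cisco Talos": "No Score", "URLVoid": "Nothing",
                 "VirusTotal": "Nothing", "Symantec": "Nothing"},
    "screenshot_has_login": True, "domain_age_days": 20,
    "category": None, "blacklists": [], "alexa_rank": None,
}
SAMPLE_BENIGN = {
    "verdicts": {"Cisco Talos": "Neutral", "URLVoid": "Nothing"},
    "screenshot_has_login": False, "domain_age_days": 3650,
    "category": "Business", "blacklists": [], "alexa_rank": 12000,
}
```

Run against SAMPLE_PHISH two hours in, every vendor says nothing and the function still returns BLOCK on the screenshot, domain age, missing category and missing rank alone.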
Other Possibilities
• Add an email warning on all Internet originating emails
• You could temporarily turn off any non-MFA/2-Factor systems when these hit
– Ouch !
– Would need buy-in from everyone
– And a good “repeatable” procedure
Conclusion
• If you don’t have MFA
– You are screwed
• These actors are active within hours or a day
• You can’t trust your IDS/IPS: it can only see HTTP (in the clear) traffic, and only if the site is already well known as “Bad” would you get an alert
• Learn how to react FAST and reset creds
• Teach your team how to evaluate these quickly
– Evaluate the emails in a lab and click through the URLs
– Many will have redirects to the Cred stealing site; this is the URL you want to block!
Recommended Sites
• Screen Shots
– URLScan.io
– URLQuery.net
• Blacklist lookup
– FortiGuard.com/webfilter
– global.sitesafety.trendmicro.com
– safeweb.norton.com
– trustedsource.org
– URLVoid.com
– TalosIntelligence.com
• Reputation
– URLVoid.com
– TalosIntelligence.com
• WhoIs
– DomainTools.com
– LOG-MD.com (We have WhoIs lookups now ;-)
• Alexa
– URLVoid.com
– Alexa.com
Questions
• You can find us on the Twitters
– @HackerHurricane
– @Boettcherpwned
• LOG-MD.com
• MalwareArchaeology.com
• Preso will be on SlideShare and linked on MalwareArchaeology.com
• Listen to the PodCast to hear the rest of this topic
– http://www.brakeingdownir.libsyn.com/

Cred stealing emails bsides austin_2018 v1.0
