Phish Stories
Technical Intervention when Humans Fail

                             Rich Graves
                             March 2013

     GIAC GSE, GSEC, GCIA, GCIH, GWEB,
     GAWN, GCFE, GPEN, GWAPT; CISSP


      SANS Technology Institute - Candidate for Master of Science Degree   1
Objective

• The story of Nigerian webmail phishing
• Technical defense in depth
  1.   Purge phishing messages post-delivery
  2.   Image referrer tricks
  3.   Monitor webmail preferences
  4.   When stolen accounts start sending
       spam, detect and act
• Summary

“Phishing is not my problem”

• This is a user awareness problem,
  not a technical problem
• (The Cloud) handles our email
• Non-targeted phishing is not a
  serious issue
• We require two-factor auth

Nigerian Spear Phishing

• Labor-intensive, coordinated
• Phish sent from previously phished
  accounts; “IP reputation” useless
• Collect passwords via web forms,
  sometimes Reply-To
• A Persistent Threat

Phishing Message Inbound
From: helpdesk@example.edu <joeschmo@this.com>
To: undisclosed-recipients: ;
Subject: mailbox quota exceeded #[1M1QC063GF4xn2r]

Your mailbox storage limit/quota has been exceeded
until you re-validate your mailbox you cannot send
or recieve e-mail.To re-validate your mailbox. - >
Click Here:
https://docs.google.com/a/nebo.edu/spreadsheet/viewform?formkey=dFkzcXM5Z3dLUWRmckl5UEQzZzZ6dVE6MQ

Callouts on the slide: the link is https to Google Apps,
hosted under a stolen account at nebo.edu.
Phishing Collection Forms
• /viewform: the form the victim fills in
  /viewanalytics: the answers (the
  harvested credentials)
• Not sophisticated
• Mostly use free forms,
  like Google Drive
• This site live > 7 days
• Sometimes use hacked
  sites: PHPFormGen
Upon Successful Phish

• Attacker logs on
• Usually webmail, sometimes SMTP
• Usually from abroad, or a VPN
• Sends email, with Bcc to the boss
• Might change signature, full name


Scam Message Outbound
Received: from JoeUser ([41.203.67.50])
        (authenticated bits=0)
        (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256)
Reply-To: <yee.leegrace4@yahoo.com.hk>
From: "Grace Lee Yee"<********@carleton.edu>
Subject: Genuine Deal.Interested?
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Antivirus: avast! (VPS 121206-1, 12/06/2012), Outbound message
X-Antivirus-Status: Clean

Deal worth USD45,275, 000.00. Are you interested? Please
get back for more details.via email: yee.leegrace1@zing.vn

Callouts on the slide: 41.203.67.50 is in Nigeria; the Reply-To
is at yahoo.com.hk (Hong Kong); the contact address in the body
is at zing.vn (Vietnam). The message was submitted over an
authenticated session, so the stolen account's own server
stamped it as legitimate.

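The two header samples above carry the cheap signals an MTA hook or a log-review script can key on: a From display name that is itself an address at another domain, a Reply-To that diverts replies off-site (the “sometimes Reply-To” collection channel from slide 4), and an authenticated submission from an address outside the institution. The following Python is an added example, not code from the presentation; it uses the two quoted messages as constructed input, and the home address range (192.0.2.0/24) and the decision to look only at the topmost Received line are assumptions.

```python
import re
from email import message_from_string

# Constructed sample headers, copied from the two messages quoted on the
# slides: the inbound phish and the outbound scam sent from a stolen account.
INBOUND = """\
From: helpdesk@example.edu <joeschmo@this.com>
To: undisclosed-recipients: ;
Subject: mailbox quota exceeded #[1M1QC063GF4xn2r]

Your mailbox storage limit/quota has been exceeded ...
"""

OUTBOUND = """\
Received: from JoeUser ([41.203.67.50])
        (authenticated bits=0)
        (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256)
Reply-To: <yee.leegrace4@yahoo.com.hk>
From: "Grace Lee Yee"<********@carleton.edu>
Subject: Genuine Deal.Interested?

Deal worth USD45,275, 000.00. Are you interested?
"""

# Assumption: the institution's own address space, used to decide whether an
# authenticated submission came from outside (RFC 5737 documentation range).
HOME_PREFIXES = ("192.0.2.",)

MAILBOX = re.compile(r'^\s*(?P<name>.*?)\s*<(?P<addr>[^>]+)>\s*$')
BRACKETED_IP = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def split_mailbox(header):
    """Return (display_name, address) for a From/Reply-To value.

    A small regex instead of email.utils.parseaddr: the inbound sample's
    display name is itself an address, and parseaddr treats that '@' as a
    second mailbox, so its result differs between Python versions.
    """
    m = MAILBOX.match(header or "")
    if m:
        return m.group("name").strip('" '), m.group("addr").strip().lower()
    return "", (header or "").strip().lower()


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def indicators(raw):
    """Extract the header-level signals the slides point at."""
    msg = message_from_string(raw)
    name, from_addr = split_mailbox(msg.get("From", ""))
    _, reply_to = split_mailbox(msg.get("Reply-To", ""))
    # Only the topmost Received line is examined (assumption); in a real
    # message pick the one written by your own submission server.
    received = " ".join((msg.get("Received") or "").split())
    auth_ip = ""
    if "(authenticated" in received:
        ip = BRACKETED_IP.search(received)
        auth_ip = ip.group(1) if ip else ""
    name_domain = domain_of(name)
    return {
        "from": from_addr,
        # display name carries an address at a domain other than the real one
        "lookalike_display_name": bool(name_domain) and name_domain != domain_of(from_addr),
        # replies are diverted to another domain (the Reply-To collector)
        "reply_to_diverted": bool(reply_to) and domain_of(reply_to) != domain_of(from_addr),
        "auth_ip": auth_ip,
        "auth_from_outside": bool(auth_ip) and not auth_ip.startswith(HOME_PREFIXES),
    }


if __name__ == "__main__":
    for label, raw in (("inbound", INBOUND), ("outbound", OUTBOUND)):
        print(label, indicators(raw))
```

None of these signals is proof on its own (people legitimately set a personal Reply-To, and staff travel), which is why the talk treats them as triggers for a closer look rather than automatic blocks.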
Who is Doing This?

Accounts stolen by Nigerian phish have
contacted ojo4live, aka “Mafioso,” party
to a CREDIT CARD thread on faqs.org.
Defense in Depth

• Block inbound phish (antispam)
• If that fails, stop users from
  replying
• If users reply, identify and contain



Remove Phish from Mailboxes

• We delivered a phishing message,
  but it does not need to stay
• If more than n users hit the Spam
  button, trigger global removal
• Joe St. Sauver’s “Filtering spam at
  your leisure”
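One way to implement the “more than n users hit the Spam button” trigger, as an added example rather than anything from the talk or from St. Sauver's paper: group delivered copies by sender and normalized subject (the sample phish varies a bracketed ticket token per copy, so exact matching would split it into unrelated messages), count distinct reporters per group, and produce the list of remaining copies to purge once the threshold is met. The mail-store records, the reports and the threshold of 3 are constructed assumptions; wiring the resulting plan to your IMAP or Exchange store is left to the reader.

```python
import re
from collections import defaultdict

# Constructed mail-store records, one per delivered copy. The phish is the
# quota message from slide 5; every copy carries a different bracketed ticket
# token, so exact-subject matching would see six unrelated messages.
DELIVERIES = [
    {"mailbox": "alice", "msgid": "<p1@this.com>", "from": "joeschmo@this.com",
     "subject": "mailbox quota exceeded #[1M1QC063GF4xn2r]"},
    {"mailbox": "bob", "msgid": "<p2@this.com>", "from": "joeschmo@this.com",
     "subject": "mailbox quota exceeded #[7Q0ZZ11AB9KXP3L]"},
    {"mailbox": "carol", "msgid": "<p3@this.com>", "from": "joeschmo@this.com",
     "subject": "mailbox quota exceeded #[K2NN8P0C41RW6YD]"},
    {"mailbox": "dave", "msgid": "<p4@this.com>", "from": "joeschmo@this.com",
     "subject": "mailbox quota exceeded #[0XV7M3QQ9ZL1HTB]"},
    {"mailbox": "erin", "msgid": "<p5@this.com>", "from": "joeschmo@this.com",
     "subject": "mailbox quota exceeded #[5RJ4B8D2N6PY0CA]"},
    {"mailbox": "fay", "msgid": "<p6@this.com>", "from": "joeschmo@this.com",
     "subject": "mailbox quota exceeded #[G9T1W5E7A3S2VQK]"},
    {"mailbox": "gina", "msgid": "<n1@news.example.edu>", "from": "news@example.edu",
     "subject": "Campus newsletter, week 10"},
]

# Constructed Spam-button presses as (mailbox, msgid). Carol pressed twice;
# Gina disliked the newsletter. Only distinct reporters count.
REPORTS = [("alice", "<p1@this.com>"), ("bob", "<p2@this.com>"),
           ("carol", "<p3@this.com>"), ("carol", "<p3@this.com>"),
           ("gina", "<n1@news.example.edu>")]

TOKEN = re.compile(r"#?\[[^\]]*\]|\d+")


def normalize_subject(subject):
    """Drop bracketed tokens and digits so per-copy variants collapse."""
    return " ".join(TOKEN.sub("", subject or "").split()).lower()


def group_key(record):
    return (record["from"].lower(), normalize_subject(record["subject"]))


def purge_plan(deliveries, reports, threshold=3):
    """Return {group_key: [(mailbox, msgid), ...]}: the copies still to
    remove for every message group that at least `threshold` distinct users
    reported. Reporters' own copies are skipped; they already acted."""
    by_msgid = {d["msgid"]: d for d in deliveries}
    reporters = defaultdict(set)
    for mailbox, msgid in reports:
        record = by_msgid.get(msgid)
        if record:
            reporters[group_key(record)].add(mailbox)
    plan = {}
    for key, who in reporters.items():
        if len(who) >= threshold:
            plan[key] = sorted((d["mailbox"], d["msgid"]) for d in deliveries
                               if group_key(d) == key and d["mailbox"] not in who)
    return plan


if __name__ == "__main__":
    for key, copies in purge_plan(DELIVERIES, REPORTS).items():
        print(key, "->", [m for m, _ in copies])
```

Counting distinct reporters rather than raw button presses keeps one annoyed user from deleting a legitimate mass mailing from everyone else's inbox; the newsletter above stays put.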

Phishing Site Interdiction:
        Use the Referer
If the phishing site hotlinks your images (its <img>
tags point at your server), every victim's browser
fetches them with a Referer naming the phishing page:
a) You get log entries. b) You can change what that
Referer is served.
Before / After: screenshots on the original slide.
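As an added example (not the slide's own code), the same trick in Python with constructed Apache combined-format log lines: the first function mines the access log for image requests whose Referer is not one of our hosts (point a), the second decides what to serve for such a request (point b). Our domain, the image paths and the log lines are assumptions. In production the serving decision is usually an Apache or nginx rewrite rule keyed on the Referer; the logic is the same.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumptions: our own web domain, the image whose URL the phishing page
# copied, and the replacement (a warning banner) to serve to hotlinkers.
OUR_DOMAIN = "example.edu"
REAL_IMAGE = "/img/logo.png"
WARNING_IMAGE = "/img/this-site-is-a-phish.png"

# Constructed Apache "combined" log lines: two victims loading our logo from
# the phishing form, one hit from our own webmail, one with no Referer.
ACCESS_LOG = """\
203.0.113.9 - - [05/Mar/2013:10:01:12 -0600] "GET /img/logo.png HTTP/1.1" 200 4321 "http://free-forms.example.net/quota-validate.php" "Mozilla/5.0"
203.0.113.22 - - [05/Mar/2013:10:02:40 -0600] "GET /img/logo.png HTTP/1.1" 200 4321 "http://free-forms.example.net/quota-validate.php" "Mozilla/5.0"
192.0.2.15 - - [05/Mar/2013:10:03:01 -0600] "GET /img/logo.png HTTP/1.1" 200 4321 "https://webmail.example.edu/" "Mozilla/5.0"
198.51.100.3 - - [05/Mar/2013:10:03:07 -0600] "GET /img/logo.png HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')


def is_ours(referer):
    """True when the Referer host is ours. A missing Referer also counts as
    ours: many clients and privacy settings omit the header, and breaking
    our own pages for them would be worse than missing a hotlink."""
    if not referer or referer == "-":
        return True
    host = (urlsplit(referer).hostname or "").lower()
    return host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)


def foreign_referers(log_text, image_prefix="/img/"):
    """(a) You get log entries: count hits on our images per foreign
    Referer host and path. Each key is a phishing page to take down."""
    hits = Counter()
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m or not m.group("path").startswith(image_prefix):
            continue
        referer = m.group("referer")
        if not is_ours(referer):
            hits[(urlsplit(referer).hostname, m.group("path"))] += 1
    return hits


def choose_image(path, referer):
    """(b) You can change them: pick the file to send for an image request.
    Referer is attacker-controlled and often absent, so this is a tripwire
    that defaces the phishing page in victims' browsers, not a gate."""
    if path == REAL_IMAGE and not is_ours(referer):
        return WARNING_IMAGE
    return path


if __name__ == "__main__":
    for (host, path), n in foreign_referers(ACCESS_LOG).items():
        print(f"{n} hits on {path} from {host}")
```

The suffix check in `is_ours` requires a leading dot so that a host such as example.edu.evil.example.net is not mistaken for one of ours.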
Monitor Webmail Preferences

• The bad guys often:
  – Put spam text in signature
  – Set full name and Reply-To headers
  – Disable “Save to Sent folder”
• Monitor prefs changes, disable
  suspect accounts – 80% success
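An added example of scoring a preference change, not the author's monitoring code: each changed field maps to one of the three tells on the slide (Reply-To moved off-campus, “Save to Sent folder” switched off, spam text in the signature) plus a weak signal for a changed full name, and an account is flagged when the weighted score reaches a threshold. The preference records, weights, threshold, keyword list and freemail list are constructed assumptions to tune against your own incidents.

```python
import re

HOME_DOMAIN = "example.edu"   # assumption: the institution's own mail domain
# Constructed lists; tune them to what your own incidents show.
FREEMAIL = {"yahoo.com", "yahoo.com.hk", "gmail.com", "hotmail.com", "zing.vn"}
SPAM_TEXT = re.compile(r"https?://|\bUSD\b|\$\s?\d|\bdeal\b|\binterested\b|\bget back\b", re.I)

WEIGHTS = {
    "reply_to_external": 3,   # replies diverted off-campus
    "reply_to_freemail": 1,   # ... to a freemail domain the scammers favour
    "save_sent_disabled": 2,  # hides the outgoing spam from the real owner
    "signature_spam": 3,      # spam text in the signature
    "full_name_changed": 1,   # persona change, weak on its own
}
THRESHOLD = 5                 # assumption: one tell alone is not enough


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if addr and "@" in addr else ""


def assess(old, new):
    """Score one preference change; `old`/`new` hold reply_to, save_sent,
    signature and full_name. Returns (score, list of triggered reasons)."""
    reasons = []
    rt = domain_of(new.get("reply_to", ""))
    if rt and rt != HOME_DOMAIN and rt != domain_of(old.get("reply_to", "")):
        reasons.append("reply_to_external")
        if rt in FREEMAIL:
            reasons.append("reply_to_freemail")
    if old.get("save_sent", True) and not new.get("save_sent", True):
        reasons.append("save_sent_disabled")
    sig = new.get("signature") or ""
    if sig != (old.get("signature") or "") and SPAM_TEXT.search(sig):
        reasons.append("signature_spam")
    if new.get("full_name") and new.get("full_name") != old.get("full_name"):
        reasons.append("full_name_changed")
    return sum(WEIGHTS[r] for r in reasons), reasons


def flag_changes(events, threshold=THRESHOLD):
    """events: iterable of (user, old_prefs, new_prefs). Returns the users
    whose change scores at or above the threshold, with score and reasons."""
    flagged = {}
    for user, old, new in events:
        score, reasons = assess(old, new)
        if score >= threshold:
            flagged[user] = (score, reasons)
    return flagged


# Constructed preference-change events: a takeover modelled on the outbound
# scam on slide 8, a benign signature edit, and a personal Reply-To.
JOE_OLD = {"reply_to": "", "save_sent": True, "full_name": "Joe User",
           "signature": "Joe User, Registrar's Office"}
JOE_NEW = {"reply_to": "yee.leegrace4@yahoo.com.hk", "save_sent": False,
           "full_name": "Grace Lee Yee",
           "signature": "Deal worth USD45,275,000.00. Are you interested? "
                        "Get back via email: yee.leegrace1@zing.vn"}
JANE_OLD = {"reply_to": "", "save_sent": True, "full_name": "Jane Doe",
            "signature": "Jane Doe"}
JANE_NEW = dict(JANE_OLD, signature="Jane Doe\nDept. of Biology, ext. 4321")
KIM_OLD = {"reply_to": "", "save_sent": True, "full_name": "Kim Lee",
           "signature": "Kim"}
KIM_NEW = dict(KIM_OLD, reply_to="kim.lee@gmail.com")
EVENTS = [("joe", JOE_OLD, JOE_NEW), ("jane", JANE_OLD, JANE_NEW), ("kim", KIM_OLD, KIM_NEW)]

if __name__ == "__main__":
    for user, (score, reasons) in flag_changes(EVENTS).items():
        print(f"disable {user}: score {score}, {', '.join(reasons)}")
```

Kim's personal Gmail Reply-To scores 4 and is logged but not acted on; the threshold is what keeps this from locking out every faculty member who forwards to a personal account, and it is the knob behind the slide's “80% success” figure in any real deployment.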

Detect Internal Spammers

• Finally, if not detected, bad guys
  will use your accounts to spam
• Rate-limit outbound mail per authenticated
  user. Watch the MTA log (sendmail stat=
  strings shown) for reputation deferrals
  from the big freemail providers:
  stat=Deferred.+http://postmaster.yahoo.com
  stat=Deferred.+http://postmaster.info.aol.com
  stat=Deferred.+mail.live.com/mail/troubleshoo


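An added example (not the talk's own tooling) that applies the three patterns above to constructed, simplified sendmail-style log lines: the queue id joins each from= record to its delivery attempts, so a deferral can be attributed to the authenticated envelope sender, and the nrcpts= field gives a crude per-sender recipient count for the rate-limit check. The log lines, the thresholds and the exact deferral texts are assumptions; the third pattern is kept truncated exactly as it appears on the slide.

```python
import re
from collections import Counter

# The three log patterns from the slide, used as-is (the third is truncated
# on the slide; as a regex prefix it still matches "troubleshooting").
DEFERRAL_PATTERNS = [re.compile(p) for p in (
    r"stat=Deferred.+http://postmaster.yahoo.com",
    r"stat=Deferred.+http://postmaster.info.aol.com",
    r"stat=Deferred.+mail.live.com/mail/troubleshoo",
)]

# Constructed, simplified sendmail-style log lines. The queue id links the
# from= record (sender, recipient count) to each to= delivery attempt.
MAILLOG = """\
Mar  5 09:14:02 mx sm-mta[2211]: r25FE2AB002211: from=<joe@example.edu>, size=1842, class=0, nrcpts=40, msgid=<a1@example.edu>, proto=ESMTP, daemon=MSA, relay=[203.0.113.5]
Mar  5 09:14:09 mx sm-mta[2214]: r25FE2AB002211: to=<v1@yahoo.com>, delay=00:00:07, mailer=esmtp, relay=mta.yahoo.example. [198.51.100.7], dsn=4.0.0, stat=Deferred: 421 4.7.0 [TS02] Messages temporarily deferred due to user complaints; see http://postmaster.yahoo.com/421-ts02.html
Mar  5 09:14:10 mx sm-mta[2214]: r25FE2AB002211: to=<v2@aol.com>, delay=00:00:08, mailer=esmtp, relay=mx.aol.example. [198.51.100.8], dsn=4.0.0, stat=Deferred: 421 DYN:T1 http://postmaster.info.aol.com/errors/421dynt1.html
Mar  5 09:20:31 mx sm-mta[2290]: r25FKV9C002290: from=<joe@example.edu>, size=1850, class=0, nrcpts=35, msgid=<a2@example.edu>, proto=ESMTP, daemon=MSA, relay=[203.0.113.5]
Mar  5 09:20:40 mx sm-mta[2293]: r25FKV9C002290: to=<v3@hotmail.com>, delay=00:00:09, mailer=esmtp, relay=mx.hotmail.example. [198.51.100.9], dsn=4.0.0, stat=Deferred: 421 RP-001 Some messages from 203.0.113.5 weren't sent. Please see http://mail.live.com/mail/troubleshooting.aspx
Mar  5 09:31:05 mx sm-mta[2301]: r25FV5RQ002301: from=<jane@example.edu>, size=920, class=0, nrcpts=1, msgid=<b1@example.edu>, proto=ESMTP, daemon=MSA, relay=[192.0.2.15]
Mar  5 09:31:06 mx sm-mta[2305]: r25FV5RQ002301: to=<colleague@example.org>, delay=00:00:01, mailer=esmtp, relay=mx.example.org. [198.51.100.10], dsn=2.0.0, stat=Sent (250 OK)
"""

RECORD = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ \S+: (?P<qid>\w+): (?P<rest>.*)$")
FROM = re.compile(r"^from=<(?P<sender>[^>]*)>.*?nrcpts=(?P<n>\d+)")


def summarize(log_text):
    """Walk the log once; return (deferrals, recipients), both Counters
    keyed by envelope sender."""
    sender_of, deferrals, recipients = {}, Counter(), Counter()
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        f = FROM.match(rest)
        if f:
            sender_of[qid] = f.group("sender").lower()
            recipients[sender_of[qid]] += int(f.group("n"))
        elif rest.startswith("to=") and any(p.search(rest) for p in DEFERRAL_PATTERNS):
            # a to= line logged before its from= line is attributed to <unknown>
            deferrals[sender_of.get(qid, "<unknown>")] += 1
    return deferrals, recipients


def flag_senders(log_text, max_deferrals=2, max_recipients=100):
    """Senders to disable or throttle: reputation deferrals from the big
    freemail providers, or too many envelope recipients in the log window.
    Both limits are assumptions to tune per site."""
    deferrals, recipients = summarize(log_text)
    flagged = {}
    for sender in sorted(set(deferrals) | set(recipients)):
        why = []
        if deferrals[sender] >= max_deferrals:
            why.append(f"{deferrals[sender]} reputation deferrals")
        if recipients[sender] > max_recipients:
            why.append(f"{recipients[sender]} recipients")
        if why:
            flagged[sender] = why
    return flagged


if __name__ == "__main__":
    for sender, why in flag_senders(MAILLOG).items():
        print(f"disable {sender}: {'; '.join(why)}")
```

The deferral strings are the providers telling you, in near real time, that your IP's reputation is already suffering; acting on the first one or two is far cheaper than working through a blocklist delisting afterwards.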
Summary

• Phishing is a real problem
• Takeaways:
  – Know your enemy’s methods
  – When prevention fails, detect and respond
  – Phishing is a human problem, but technical
    solutions are relevant even post-delivery
• Q&A: rgraves@carleton.edu


More Related Content

What's hot

Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Mazin Ahmed
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
Oles Seheda
 
Career In Information security
Career In Information securityCareer In Information security
Career In Information security
Anant Shrivastava
 
Password Attack
Password Attack Password Attack
Password Attack
Sina Manavi
 
Basics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty HuntingBasics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty Hunting
Muhammad Khizer Javed
 
Pankaj Kumar Jangid
Pankaj Kumar JangidPankaj Kumar Jangid
Pankaj Kumar Jangid
Pankaj Jangid
 
Methods Hackers Use
Methods Hackers UseMethods Hackers Use
Methods Hackers Use
brittanyjespersen
 
Comptia Security+ Exam Notes
Comptia Security+ Exam NotesComptia Security+ Exam Notes
Comptia Security+ Exam Notes
Vijayanand Yadla
 
2020 FRSecure CISSP Mentor Program - Class 9
2020 FRSecure CISSP Mentor Program - Class 92020 FRSecure CISSP Mentor Program - Class 9
2020 FRSecure CISSP Mentor Program - Class 9
FRSecure
 
Bruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxBruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linx
idsecconf
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17
Sagar M Parmar
 
The magic of ettercap
The magic of ettercapThe magic of ettercap
The magic of ettercap
n|u - The Open Security Community
 
Cybersecurity career options & Getting started
Cybersecurity career options & Getting started  Cybersecurity career options & Getting started
Cybersecurity career options & Getting started
Balaji Rajasekaran
 
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Mazin Ahmed
 
Web security
Web securityWeb security
Web security
rakesh bandaru
 
2020 FRsecure CISSP Mentor Program - Class 1
2020 FRsecure CISSP Mentor Program - Class 12020 FRsecure CISSP Mentor Program - Class 1
2020 FRsecure CISSP Mentor Program - Class 1
FRSecure
 
Web Security Training
Web Security Training Web Security Training
Web Security Training
Tonex
 
Computer Malware Into
Computer Malware IntoComputer Malware Into
Computer Malware Into
Afeef Khateeb
 
2020 FRSecure CISSP Mentor Program - Class 4
2020 FRSecure CISSP Mentor Program - Class 42020 FRSecure CISSP Mentor Program - Class 4
2020 FRSecure CISSP Mentor Program - Class 4
FRSecure
 
Cyber security diploma level 3 - Adams Academy
Cyber security diploma level 3  - Adams AcademyCyber security diploma level 3  - Adams Academy
Cyber security diploma level 3 - Adams Academy
Adams Academy
 

What's hot (20)

Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
Career In Information security
Career In Information securityCareer In Information security
Career In Information security
 
Password Attack
Password Attack Password Attack
Password Attack
 
Basics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty HuntingBasics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty Hunting
 
Pankaj Kumar Jangid
Pankaj Kumar JangidPankaj Kumar Jangid
Pankaj Kumar Jangid
 
Methods Hackers Use
Methods Hackers UseMethods Hackers Use
Methods Hackers Use
 
Comptia Security+ Exam Notes
Comptia Security+ Exam NotesComptia Security+ Exam Notes
Comptia Security+ Exam Notes
 
2020 FRSecure CISSP Mentor Program - Class 9
2020 FRSecure CISSP Mentor Program - Class 92020 FRSecure CISSP Mentor Program - Class 9
2020 FRSecure CISSP Mentor Program - Class 9
 
Bruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxBruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linx
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17
 
The magic of ettercap
The magic of ettercapThe magic of ettercap
The magic of ettercap
 
Cybersecurity career options & Getting started
Cybersecurity career options & Getting started  Cybersecurity career options & Getting started
Cybersecurity career options & Getting started
 
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
 
Web security
Web securityWeb security
Web security
 
2020 FRsecure CISSP Mentor Program - Class 1
2020 FRsecure CISSP Mentor Program - Class 12020 FRsecure CISSP Mentor Program - Class 1
2020 FRsecure CISSP Mentor Program - Class 1
 
Web Security Training
Web Security Training Web Security Training
Web Security Training
 
Computer Malware Into
Computer Malware IntoComputer Malware Into
Computer Malware Into
 
2020 FRSecure CISSP Mentor Program - Class 4
2020 FRSecure CISSP Mentor Program - Class 42020 FRSecure CISSP Mentor Program - Class 4
2020 FRSecure CISSP Mentor Program - Class 4
 
Cyber security diploma level 3 - Adams Academy
Cyber security diploma level 3  - Adams AcademyCyber security diploma level 3  - Adams Academy
Cyber security diploma level 3 - Adams Academy
 

Similar to Sans phish-orlando

Anomaly Detection and You
Anomaly Detection and YouAnomaly Detection and You
Anomaly Detection and You
Mary Kelly Rich
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks  - Ed Adams, President, Security InnovationWfh security risks  - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
Professional Hacking in 2011
Professional Hacking in 2011Professional Hacking in 2011
Professional Hacking in 2011
securityaegis
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Chris Gates
 
PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018
Greg Foss
 
Defeating Social Engineering, BECs & Phishing
Defeating Social Engineering, BECs & PhishingDefeating Social Engineering, BECs & Phishing
Defeating Social Engineering, BECs & Phishing
Bishop Fox
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)
mmubashirkhan
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
Nicholas Davis
 
Facebook immune system yao
Facebook immune system yaoFacebook immune system yao
Facebook immune system yao
renren-security
 
Offensive cyber security engineer pragram course agenda
Offensive cyber security engineer pragram course agendaOffensive cyber security engineer pragram course agenda
Offensive cyber security engineer pragram course agenda
ShivamSharma909
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updated
InfosecTrain
 
Offensive cyber security engineer
Offensive cyber security engineerOffensive cyber security engineer
Offensive cyber security engineer
ShivamSharma909
 
Interop 2017 - Defeating Social Engineering, BEC, and Phishing
Interop 2017 - Defeating Social Engineering, BEC, and PhishingInterop 2017 - Defeating Social Engineering, BEC, and Phishing
Interop 2017 - Defeating Social Engineering, BEC, and Phishing
Rob Ragan
 
The_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdfThe_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdf
gcara4
 
JR_Resume (4)
JR_Resume (4)JR_Resume (4)
JR_Resume (4)
Justin Robinson
 
Drooger, jack cyber security
Drooger, jack   cyber securityDrooger, jack   cyber security
Drooger, jack cyber security
Hagerstown Chamber Business Expo
 
Network security
Network securityNetwork security
NetworkSecurity
NetworkSecurityNetworkSecurity
NetworkSecurity
Peter Lawrence
 
Critical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target BreachCritical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target Breach
Teri Radichel
 
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about CybersecurityMark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
centralohioissa
 

Similar to Sans phish-orlando (20)

Anomaly Detection and You
Anomaly Detection and YouAnomaly Detection and You
Anomaly Detection and You
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks  - Ed Adams, President, Security InnovationWfh security risks  - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
 
Professional Hacking in 2011
Professional Hacking in 2011Professional Hacking in 2011
Professional Hacking in 2011
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
 
PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018
 
Defeating Social Engineering, BECs & Phishing
Defeating Social Engineering, BECs & PhishingDefeating Social Engineering, BECs & Phishing
Defeating Social Engineering, BECs & Phishing
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Facebook immune system yao
Facebook immune system yaoFacebook immune system yao
Facebook immune system yao
 
Offensive cyber security engineer pragram course agenda
Offensive cyber security engineer pragram course agendaOffensive cyber security engineer pragram course agenda
Offensive cyber security engineer pragram course agenda
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updated
 
Offensive cyber security engineer
Offensive cyber security engineerOffensive cyber security engineer
Offensive cyber security engineer
 
Interop 2017 - Defeating Social Engineering, BEC, and Phishing
Interop 2017 - Defeating Social Engineering, BEC, and PhishingInterop 2017 - Defeating Social Engineering, BEC, and Phishing
Interop 2017 - Defeating Social Engineering, BEC, and Phishing
 
The_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdfThe_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdf
 
JR_Resume (4)
JR_Resume (4)JR_Resume (4)
JR_Resume (4)
 
Drooger, jack cyber security
Drooger, jack   cyber securityDrooger, jack   cyber security
Drooger, jack cyber security
 
Network security
Network securityNetwork security
Network security
 
NetworkSecurity
NetworkSecurityNetworkSecurity
NetworkSecurity
 
Critical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target BreachCritical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target Breach
 
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about CybersecurityMark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
 

Recently uploaded

Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
DianaGray10
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
leebarnesutopia
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
Enterprise Knowledge
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
AlexanderRichford
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
DanBrown980551
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
christinelarrosa
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
Fwdays
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
Tobias Schneck
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
Sease
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 

Recently uploaded (20)

Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 

Sans phish-orlando

  • 1. Phish Stories Technical Intervention when Humans Fail Rich Graves March 2013 GIAC GSE, GSEC, GCIA, GCIH, GWEB, GAWN, GCFE, GPEN, GWAPT; CISSP SANS Technology Institute - Candidate for Master of Science Degree 1 1
  • 2. Objective • The story of Nigerian webmail phishing • Technical defense in depth 1. Purge phishing messages post-delivery 2. Image referrer tricks 3. Monitor webmail preferences 4. When stolen accounts start sending spam, detect and act • Summary SANS Technology Institute - Candidate for Master of Science Degree 2
  • 3. “Phishing is not my problem” • This is a user awareness problem, not a technical problem • (The Cloud) handles our email • Non-targeted phishing is not a serious issue • We require two-factor auth SANS Technology Institute - Candidate for Master of Science Degree 3
  • 4. Nigerian Spear Phishing • Labor-intensive, coordinated • Phish sent from previously phished accounts; “IP reputation” useless • Collect passwords via web forms, sometimes Reply-To • A Persistent Threat SANS Technology Institute - Candidate for Master of Science Degree 4
  • 5. Phishing Message Inbound From: helpdesk@example.edu <joeschmo@this.com> To: undisclosed-recipients: ; Subject: mailbox quota exceeded #[1M1QC063GF4xn2r] Your mailbox storage limit/quota has been exceeded until you re-validate your mailbox you cannot send or recieve e-mail.To re-validate your mailbox. - > Click Here: https://docs.google.com/a/nebo.edu/spreadsheet/viewf orm?formkey=dFkzcXM5Z3dLUWRmckl5UEQzZzZ6dVE6MQ Stolen account at https to Google Apps nebo.edu SANS Technology Institute - Candidate for Master of Science Degree 5
  • 6. Phishing Collection Forms /viewform: the form /viewanalytics: the answers • Not sophisticated • Mostly use free forms, like Google Drive • This site live > 7 days • Sometimes use hacked sites: PHPFormGen 6
  • 7. Upon Successful Phish • Attacker logs on • Usually webmail, sometimes smtp • Usually from abroad, or a VPN • Sends email, with Bcc to the boss • Might change signature, full name SANS Technology Institute - Candidate for Master of Science Degree 7
  • 8. Scam Message Outbound Received: from JoeUser ([41.203.67.50]) (authenticated bits=0) Nigeria (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256) Reply-To: <yee.leegrace4@yahoo.com.hk> From: "Grace Lee Yee"<********@carleton.edu> Subject: Genuine Deal.Interested? Hong Kong X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-Antivirus: avast! (VPS 121206-1, 12/06/2012), Outbound message X-Antivirus-Status: Clean Vietnam Deal worth USD45,275, 000.00. Are you interested? Please get back for more details.via email: yee.leegrace1@zing.vn SANS Technology Institute - Candidate for Master of Science Degree 8
  • 9. Who is Doing This? Accounts stolen by Nigerian phish have contacted ojo4live, aka “Mafioso,” party to a CREDIT CARD thread on faqs.org. SANS Technology Institute - Candidate for Master of Science Degree 9
  • 10. Defense in Depth • Block inbound phish (antispam) • If that fails, stop users from replying • If users reply, identify and contain SANS Technology Institute - Candidate for Master of Science Degree 10
  • 11. Remove Phish from Mailboxes • We delivered a phishing message, but it does not need to stay • If more than n users hit the Spam button, trigger global removal • Joe St. Sauver’s “Filtering spam at your leisure” SANS Technology Institute - Candidate for Master of Science Degree 11
12. Phishing Site Interdiction: Use the Referer
If the phishing site HREFs your images:
a) You get log entries.
b) You can change them.
[Before / After: screenshots of the hot-linked logo before and after the swap]
13. Monitor Webmail Preferences
• The bad guys often:
  – Put spam text in signature
  – Set full name and Reply-To headers
  – Disable “Save to Sent folder”
• Monitor prefs changes, disable suspect accounts
  – 80% success
14. Detect Internal Spammers
• Finally, if not detected, bad guys will use your accounts to spam
• Rate-limit. Watch for these in the outbound mail log:
  stat=Deferred.+http://postmaster.yahoo.com
  stat=Deferred.+http://postmaster.info.aol.com
  stat=Deferred.+mail.live.com/mail/troubleshoo
15. Summary
• Phishing is a real problem
• Takeaways:
  – Know your enemy’s methods
  – When prevention fails, detect and respond
  – Phishing is a human problem, but technical solutions are relevant even post-delivery
• Q&A: rgraves@carleton.edu

Editor's Notes

1. Here we address some “myths” about why serious security professionals should not waste time worrying about phishing. There were precisely zero “Email Issues” papers added to the SANS Reading Room between January 2009 and January 2013. Is there really nothing new to say?

User awareness: Granted, user awareness is critical. However, we all know that users fail: HBGary, RSA, and Google (Aurora), to name three organizations that saw serious phishing attacks recently. If you believe in defense in depth, you need to look for the immediate next line of defense.

The Cloud: Yes, due to their privileged position and scale, Gmail and Microsoft can do a better job of antispam/antiphishing filtering than the individual enterprise, and probably better than most antispam vendors. However, as we will see, “cloud” accounts are still abused both to send phishing messages and to collect passwords. Although beyond the scope of this talk, consider how much valuable log data you lose when outsourcing email. With an on-premises server, you know when users log on, and from where; with most systems, you can find the IP address and user-agent used when they sent each email. Google has a little-known Audit API, described at https://developers.google.com/google-apps/email-audit/, but it is not real-time.

Seriousness: Yes, each non-targeted phish has a low Single Loss Expectancy (SLE). But the Annual Loss Expectancy (ALE) can be high, due to the large number of events. Also, how, exactly, do you tell the difference between a targeted phish and a non-targeted phish?

2-factor authentication: True. The attacks described in this talk, which collect a static password through a web form and replay it later from somewhere else, are defeated by 2FA. (A phishing page that relays the second factor to the real login page in real time is a different attack and is not covered here.)
2. Our #1 bad actor is clearly a persistent threat, though not an advanced one. This is the opposite of targeted spear phishing. All available evidence (user-agents, timing of page hits, occasional mistakes) is that the attacks are manual. We can attribute them to Nigeria based on IP addresses (various sub-ranges of 41.* and 88.*) and names associated with a few known C&C email addresses.

Most of the phish that we see is sent from webmail accounts that were, themselves, phished. Three things to note here:
– “The phish that we see” is obviously not the complete set. First-tier antispam measures such as DNS-based real-time IP blacklists surely block some.
– This suggests that it might be cheaper for the attackers to get new accounts from phishing than from signing up for new webmail accounts. That is sad.
– Antispam strategies that depend on the source IP or other stable point-source characteristics are not effective.

Years ago, we saw a lot of emails requesting passwords via email, usually with a Reply-To, and sometimes specifying the email address in the body. Users have become (slightly) more savvy, and email providers are (slightly) better at closing those accounts for abuse. Now, almost all phish offers a link to a web form. Those forms are inevitably on “free form” sites such as 123contactform.com and formstack.com (just two examples; there are many such sites).
3. A “SYSTEM ADMINISTRATOR HELPDESK” phishing form hosted on Google Drive. The lack of attention to look and feel is not unusual; I have seen forms called “Untitled.” Incredibly, people actually fall for the scam and provide their password to forms this bare.

Sometimes, as in this case, the attackers fail to secure the data. All collected email addresses and passwords are available simply by changing the last component of the URL from “viewform” to “viewanalytics.”

As you can (barely) see at the bottom, every Google Docs form has a “Report Abuse” link. Unfortunately, Google has been extremely slow to respond to abuse complaints.

123contactform.com is another form processor that has been abused for phishing. Although the Romanian address might lead you to assume otherwise, this site has an excellent record in dealing with takedown requests. I often get a confirmed takedown within 30 minutes. Sometimes they have sent me the collected data, i.e., the list of victims.

formstack.com and tuclouds.com phishing form URLs are shown in my GSEC Gold paper, http://www.sans.org/reading_room/whitepapers/email/phishing-detecton-remediation_34082. There are many other “free” form sites of that ilk.

Many mom & pop web sites (laundromats, churches, etc.) run the general-purpose form processor phpFormGenerator. It generates URLs like /use/(something)/form1.html. From 2010 to mid-2012, it was very common for attackers to search the web for vulnerable installations, install a bunch of phishing forms, and spam them around. I had an IDS rule alerting on POSTs to */form1.html. We still get hits on that rule, and I have also seen phishing forms on hacked WordPress sites. Keep an eye out for entire classes of URLs that might be phishy.
4. Attackers who spam and phish like to… spam and phish some more!
– They test pilfered credentials by logging on via webmail (or occasionally an exposed SMTP server).
– Often, they expose a Nigerian IP address. If you only expect legitimate logins from a small set of countries, here is an obvious place to detect and stop attacks.
– To evade that control, they will use a VPN or proxy of some sort. I have seen webmail phishers use the VPN service anchorfree.com, the AOL Desktop client (yes, it still exists), and university VPNs to cover their tracks.
– They send email, often Cc’ing a known phishing-gang email address on their first or second message (discussed later).
– They often customize their environment by going into webmail preferences and changing signature and full name.
5. We often notice that the first or second message sent by a compromised account goes to a special address, possibly that of a ringleader. The first message sent by the compromised account in the previous slide was copied to ojo4live@yahoo.com, which has a six-year history on the Internet. On a Nigerian social networking site, he takes the name “Mafioso” and says he is “Exiled to Australasia.” Many years ago, when his English was even worse and he had a keyboard with a STUCK SHIFT KEY, he tried, ineptly, to get into carding.

We can use such email addresses, as well as the Reply-To and body email addresses, to identify incoming and outgoing spam. The Anti-Phishing-Email-Reply project collects them, at http://code.google.com/p/anti-phishing-email-reply/
6. The rest of this presentation is dedicated to some creative techniques for the prevention, detection, and containment of webmail account compromises. Remember, we are looking at what we can do as sysadmins and incident responders; user security awareness is out of scope, and assumed to have failed.

Obviously, we would prefer not to receive or deliver phishing messages. My GSEC Gold paper at http://www.sans.org/reading_room/whitepapers/email/phishing-detecton-remediation_34082 has some thoughts on this. However, in order to make this presentation manageable, today we are assuming that antispam has already failed. The phishing messages are sitting in user inboxes. So, let us remove them as quickly as we can and, in parallel, stop users who might have opened the phish already from replying. If users have already replied, then we need to identify and treat those accounts as compromised.
7. Joe St. Sauver had some very interesting musings on the strategy and implications of post-delivery antispam reprocessing at a Mail Anti-Abuse Working Group meeting back in 2006. Check out http://www.uoregon.edu/~joe/maawg7

At present, we are not able to do post-delivery spam filtering, but the idea inspired a system for retroactive message removal. The strategy for efficient retroactive phish removal from Zimbra mailboxes is:
1) Decide on an email address and/or Message-ID regular expression to censor.
2) Search the mailbox.log file for matching email deliveries. This requires correlating two separate log messages: first the LMTP delivery, which includes the sender email address, and then the deposit in the user’s Inbox, which has the message number we need in order to delete it. The two are threaded together by the Message-ID.
3) Delete the message(s). This can be done with SOAP calls, but it is easiest to pipe deleteMessage commands to the zmmailbox command-line utility, which will create the SOAP calls for us. The zmmailbox commands are:
     selectMailbox (sm) johndoe@example.com
     deleteMessage (dm) 376211

For details, see my Gold paper, http://www.sans.org/reading_room/whitepapers/email/phishing-detecton-remediation_34082
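A worked version of that correlation, added here as an example and not code from the talk or from Zimbra: it reads mailbox.log text, joins each LMTP delivery line (which carries the envelope sender) to the mailop deposit line (which carries the numeric message id) by account and Message-ID, and emits the zmmailbox commands for the matches. The log layout, field names and sample lines are constructed approximations of Zimbra's format, so check the two regexes against a real mailbox.log before trusting the output.

```python
import re
import sys
from collections import defaultdict

# Constructed sample lines approximating Zimbra's mailbox.log layout (assumption:
# field names and ordering may differ on your release; adjust the regexes).
SAMPLE_LOG = """\
2013-03-04 09:12:01,101 INFO  [LmtpServer-3] [name=alice@example.edu;mid=17;] lmtp - Delivering message: size=2311 bytes, nrcpts=1, sender=joeschmo@this.com, msgid=<1M1QC063GF4xn2r@this.com>
2013-03-04 09:12:01,140 INFO  [LmtpServer-3] [name=alice@example.edu;mid=17;] mailop - Adding Message: id=376211, Message-ID=<1M1QC063GF4xn2r@this.com>, parentId=-1, folderId=2, folderName=Inbox, size=2311.
2013-03-04 09:12:02,009 INFO  [LmtpServer-5] [name=bob@example.edu;mid=23;] lmtp - Delivering message: size=9812 bytes, nrcpts=1, sender=newsletter@legit.example.org, msgid=<weekly-0304@legit.example.org>
2013-03-04 09:12:02,050 INFO  [LmtpServer-5] [name=bob@example.edu;mid=23;] mailop - Adding Message: id=9103, Message-ID=<weekly-0304@legit.example.org>, parentId=-1, folderId=2, folderName=Inbox, size=9812.
2013-03-04 09:12:03,210 INFO  [LmtpServer-3] [name=bob@example.edu;mid=23;] lmtp - Delivering message: size=2311 bytes, nrcpts=1, sender=joeschmo@this.com, msgid=<1M1QC063GF4xn2r@this.com>
2013-03-04 09:12:03,250 INFO  [LmtpServer-3] [name=bob@example.edu;mid=23;] mailop - Adding Message: id=9104, Message-ID=<1M1QC063GF4xn2r@this.com>, parentId=-1, folderId=2, folderName=Inbox, size=2311.
"""

# LMTP delivery: has the envelope sender and the Message-ID, but no message number.
DELIVERY_RE = re.compile(
    r"\[name=(?P<account>[^;\]]+);[^\]]*\] lmtp - Delivering message: "
    r".*?sender=(?P<sender>\S+?), msgid=(?P<msgid><[^>]+>)")
# Mailbox deposit: has the message number zmmailbox needs, keyed by Message-ID.
DEPOSIT_RE = re.compile(
    r"\[name=(?P<account>[^;\]]+);[^\]]*\] mailop - Adding Message: "
    r"id=(?P<id>\d+), Message-ID=(?P<msgid><[^>]+>)")


def find_phish_deliveries(log_text, sender_pattern=None, msgid_pattern=None):
    """Return [(account, message_number), ...] for deposits whose envelope sender
    or Message-ID matches the given regular expression(s)."""
    sender_re = re.compile(sender_pattern, re.I) if sender_pattern else None
    msgid_re = re.compile(msgid_pattern, re.I) if msgid_pattern else None
    senders = {}          # (account, Message-ID) -> envelope sender
    hits = []
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if m:
            senders[(m["account"], m["msgid"])] = m["sender"]
            continue
        m = DEPOSIT_RE.search(line)
        if not m:
            continue
        sender = senders.get((m["account"], m["msgid"]), "")
        if (sender_re and sender_re.search(sender)) or \
           (msgid_re and msgid_re.search(m["msgid"])):
            hits.append((m["account"], int(m["id"])))
    return hits


def zmmailbox_script(hits):
    """Group hits by account and render them as zmmailbox commands: one
    selectMailbox (sm) per account, then deleteMessage (dm) per message."""
    by_account = defaultdict(list)
    for account, number in hits:
        by_account[account].append(number)
    lines = []
    for account in sorted(by_account):
        lines.append(f"sm {account}")
        lines.extend(f"dm {number}" for number in by_account[account])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: purge.py 'sender-regex' < /opt/zimbra/log/mailbox.log | zmmailbox -z
    pattern = sys.argv[1] if len(sys.argv) > 1 else r"^joeschmo@this\.com$"
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(zmmailbox_script(find_phish_deliveries(text, sender_pattern=pattern)))
```

With no input on stdin it runs against the constructed sample; in practice, read the real mailbox.log, review the generated sm/dm lines by eye, and only then pipe them into zmmailbox -z. Matching on the (account, Message-ID) pair rather than Message-ID alone keeps the two legitimate and phish deliveries for the same user apart when the log lines are interleaved.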
8. (Yes, the HTTP protocol standard spells “referrer” incorrectly.)

You can delete phishing messages from your central server, but most organizations allow mobile, IMAP, or MAPI clients in cached mode, so it is possible that people might still be trying to get to the phishing site. Other considerations include users who forward their email to an outside email address, phishing by non-email means (social media, search engine poisoning, etc.), and repeated phish (i.e., they spam you again with the same content).

Sometimes you do not actually need to take the phishing site down. If they include images or CSS from your real web site, as here, simply change them based on the referring site. With Apache, you can do something like this:

    # Redirect requests for CarletonLogoSmall to a phishing warning graphic
    # when the referring page is not one of our own sites.
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .
    RewriteCond %{HTTP_REFERER} !^https?://(apps|wiki|www)\.carleton\.edu(/|$) [NC]
    RewriteRule ^/departments/ITS/Images/CarletonLogoSmall\.png$ \
        http://www.carleton.edu/departments/ITS/Images/phish-banner.png [L,NC,R=307]

The first condition leaves requests with no Referer alone, so mail clients and browsers that send none still get the real image. The host pattern must be anchored with a following slash or end of string; without it, a lookalike such as www.carleton.edu.example.net would be treated as one of ours. Also note that browsers send no Referer when an https page loads an http image, so serve the hot-linked assets over https too, or the phishing hits will look like direct requests.

For more, including ideas on how to use referer analysis proactively when the phishers are still at the recon stage, see Rossell, Shelley (2011, April). Phishing technical controls: beyond Proofpoint. Presentation delivered at the EDUCAUSE Security Professionals Conference, San Antonio, Texas. Slides available under the Resources tab at http://www.educause.edu/events/security-professionals-conference/2011/phishing-technical-controls-beyond-proofpoint
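The “you get log entries” half of the technique, as an added example (not code from the talk): it scans Apache combined-format access log lines for requests to brand assets whose Referer is not one of our own hosts, and tallies them by referring page, which is how a phishing page hot-linking your logo gives itself away before anyone has reported it. The log lines, the watched path and the trusted domain are constructed assumptions; the host check deliberately rejects lookalike domains.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed Apache combined-log lines (assumption: not real Carleton traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [04/Mar/2013:09:01:12 -0600] "GET /departments/ITS/Images/CarletonLogoSmall.png HTTP/1.1" 200 4120 "http://www.carleton.edu/departments/ITS/" "Mozilla/5.0"
203.0.113.11 - - [04/Mar/2013:09:02:03 -0600] "GET /departments/ITS/Images/CarletonLogoSmall.png HTTP/1.1" 200 4120 "https://docs.google.com/a/nebo.edu/spreadsheet/viewform?formkey=dFkz" "Mozilla/5.0"
203.0.113.12 - - [04/Mar/2013:09:02:40 -0600] "GET /departments/ITS/Images/CarletonLogoSmall.png HTTP/1.1" 200 4120 "-" "Microsoft Outlook 14.0"
203.0.113.13 - - [04/Mar/2013:09:03:15 -0600] "GET /departments/ITS/Images/CarletonLogoSmall.png HTTP/1.1" 200 4120 "http://www.carleton.edu.example.net/webmail/login.php" "Mozilla/5.0"
203.0.113.14 - - [04/Mar/2013:09:03:50 -0600] "GET /departments/ITS/Images/CarletonLogoSmall.png HTTP/1.1" 200 4120 "https://docs.google.com/a/nebo.edu/spreadsheet/viewform?formkey=dFkz" "Mozilla/5.0"
203.0.113.15 - - [04/Mar/2013:09:04:21 -0600] "GET /index.html HTTP/1.1" 200 9000 "http://www.google.com/" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Assets a phishing page would hot-link, and the domains allowed to embed them
# (both assumptions for this example).
WATCHED_PATHS = ("/departments/ITS/Images/",)
OWN_DOMAINS = ("carleton.edu",)


def is_own_host(host):
    """True for the domain itself or a real subdomain of it. A plain prefix or
    substring test would also accept www.carleton.edu.example.net; this does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def foreign_referers(log_text):
    """Count hits on watched assets by (referer host, referer path), skipping our
    own sites and requests that carry no Referer (mail clients send none)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m or not m["path"].startswith(WATCHED_PATHS):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            continue
        parts = urlsplit(referer)
        host = parts.hostname or ""
        if is_own_host(host):
            continue
        hits[(host, parts.path)] += 1
    return hits


if __name__ == "__main__":
    # Usage: referers.py < /var/log/httpd/access_log  (sample data when run bare)
    for (host, path), n in foreign_referers(SAMPLE_ACCESS_LOG).most_common():
        print(f"{n:5d}  {host}{path}")
```

Run nightly, or every few minutes during an incident, the output is a ranked list of pages outside your domain that are embedding your images; the Google Docs form from slide 5 would show up here the first time a victim opened it. Alerting on a brand-new referer host is usually enough, since legitimate hot-linkers are stable over time.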
9. On a Zimbra server, webmail preferences are stored in an LDAP directory. You could tail -f the logs for messages indicating that an account’s preferences have changed, but I just ldapsearch all accounts every minute. If an account’s preferences appear “bad,” we contain it:
– Kill all current webmail sessions
– Trigger account lockout in Active Directory with an intentional series of bad passwords (no privileges needed)
– Create a help desk ticket, populated with the evidence

Some of the most useful attributes to investigate are zimbraPrefFromDisplay, the full name shown on outbound email; zimbraPrefSaveToSent, which toggles the saving of outbound email; and zimbraPrefMailSignature/zimbraPrefMailSignatureHTML, the signature. A real example, as returned by ldapsearch (long values are wrapped onto continuation lines that begin with a space):

    zimbraPrefFromDisplay: MrsMagaritaYakov
    zimbraPrefReplyToAddress: mrsyakov@live.com
    zimbraPrefMailForwardingAddress: mrsyakov@live.com
    zimbraPrefSaveToSent: FALSE
    zimbraPrefMailSignatureHTML: My Name is MrsMagaritaYakov ,I am married to la
     te Dr. Slavic Yakov who was an Oil&nbsp; Merchant and international businessm
     an before he died in the year 2001 i have a business of ($18,000,000.00 USD)

Full names starting with “Mr” or “Mrs” are associated with advance fee fraud (419 scams). Full names or Reply-To including webmaster, helpdesk, account, and so on suggest phish.
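The scoring step of that monitor, as an added example (not the author's production code): it parses ldapsearch LDIF output, including the wrapped continuation lines shown above, compares two polls to find accounts whose watched preferences changed, and applies the heuristics from the notes (honorific in the full name, helpdesk wording, Reply-To or forwarding outside our domain, Save to Sent turned off, large sums in the signature). The attribute names are the real Zimbra ones named in the notes; the sample entries and the OWN_DOMAIN value are constructed assumptions.

```python
import re

# Constructed LDIF for two accounts (assumption: values are made up; the
# attribute names are Zimbra's). The second mirrors the compromised account
# shown in the notes, with the long signature folded LDIF-style.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=edu
uid: jdoe
zimbraPrefFromDisplay: Jane Doe
zimbraPrefSaveToSent: TRUE
zimbraPrefMailSignature: Jane Doe, Department of Chemistry

dn: uid=victim,ou=people,dc=example,dc=edu
uid: victim
zimbraPrefFromDisplay: MrsMagaritaYakov
zimbraPrefReplyToAddress: mrsyakov@live.com
zimbraPrefMailForwardingAddress: mrsyakov@live.com
zimbraPrefSaveToSent: FALSE
zimbraPrefMailSignatureHTML: My Name is MrsMagaritaYakov ,I am married to la
 te Dr. Slavic Yakov who was an Oil&nbsp; Merchant and international businessm
 an before he died in the year 2001 i have a business of ($18,000,000.00 USD)
"""

OWN_DOMAIN = "example.edu"          # assumption: your mail domain
WATCHED = ("zimbraPrefFromDisplay", "zimbraPrefReplyToAddress",
           "zimbraPrefMailForwardingAddress", "zimbraPrefSaveToSent",
           "zimbraPrefMailSignature", "zimbraPrefMailSignatureHTML")


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry, unfolding wrapped lines
    (a line starting with a single space continues the previous value)."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw == "":                       # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = None, None
        elif raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]
        else:
            attr, _, value = raw.partition(": ")
            if current is None:
                current = {}
            current.setdefault(attr, []).append(value)
            last_attr = attr
    if current:
        entries.append(current)
    return entries


def changed_prefs(previous, current):
    """Compare two polls ({uid: entry}) and return {uid: [changed attributes]},
    so the heuristics only run on accounts that just touched their preferences."""
    changed = {}
    for uid, entry in current.items():
        old = previous.get(uid, {})
        diffs = [a for a in WATCHED if entry.get(a) != old.get(a)]
        if diffs:
            changed[uid] = diffs
    return changed


def suspicious_prefs(entry):
    """Apply the heuristics from the notes; return the list of reasons that fired."""
    def first(attr):
        return entry.get(attr, [""])[0]
    name = first("zimbraPrefFromDisplay")
    reply_to = first("zimbraPrefReplyToAddress")
    forward = first("zimbraPrefMailForwardingAddress")
    signature = first("zimbraPrefMailSignature") + " " + first("zimbraPrefMailSignatureHTML")
    reasons = []
    # "Mr"/"Mrs" followed by a capitalised name, with or without a space (419 pattern).
    if re.match(r"^Mrs?\.?\s*[A-Z]", name):
        reasons.append("full name starts with Mr/Mrs (419 pattern)")
    if re.search(r"webmaster|helpdesk|help desk|admin|account|support", name + " " + reply_to, re.I):
        reasons.append("helpdesk/admin wording in full name or Reply-To")
    for label, addr in (("Reply-To", reply_to), ("forwarding address", forward)):
        if addr and not addr.lower().endswith("@" + OWN_DOMAIN):
            reasons.append(f"{label} points outside {OWN_DOMAIN}: {addr}")
    if first("zimbraPrefSaveToSent").upper() == "FALSE":
        reasons.append("Save to Sent disabled (hides outbound mail from the victim)")
    if re.search(r"\$\s?\d[\d,]{6,}|\d[\d,]{6,}\.\d\d\s*USD|million", signature, re.I):
        reasons.append("large sum of money in signature")
    return reasons
```

In the minute-by-minute loop, keep the previous poll in memory, call changed_prefs() on the new one, and run suspicious_prefs() only on the accounts it returns; any non-empty reason list is the evidence that goes into the help desk ticket before the sessions are killed.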
10. If absolutely everything else fails, and the bad guys are able to log on undetected, there is a chance to catch them when they start spamming.
– Rate-limiting with something like Mailfromd or Policy: A good idea, but difficult to set the threshold low without false positives on “legitimate” spammers, like Admissions, Development, and Summer School.
– Alert when SMTP queue size gets large: If the spammers are trying to contact a lot of bogus domains, or if real domains are greylisting you, you will get a queue.
– Outbound antispam filtering: Useful, but has the same problems as inbound antispam.

All of the above are good to do, but more effort than what is suggested in the slide: carefully watch for evidence that other sites are rejecting your mail as spam, and trace why. Yahoo, AOL, and Microsoft Hotmail/Live/Outlook.com all give very lucid, and very quick, feedback.
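Tracing “why” in practice, as an added example (not code from the talk): the three slide-14 patterns match the deferral text on sendmail to= lines, but those lines carry only a queue ID, so the script below first records the envelope sender from each from= line and then attributes every reputation deferral to the sender through that queue ID. It also sums nrcpts per sender as the cheap rate-limit signal mentioned above. The maillog lines are constructed, with the provider messages paraphrased; the exact wording of the 421 responses on your server may differ, which is why the patterns key on the stable URL fragments.

```python
import re
from collections import Counter, defaultdict

# Constructed sendmail maillog excerpt (assumption: not real traffic; provider
# deferral text paraphrased). One phished account blasts 40 recipients from a
# Nigerian IP; one professor sends a normal message that merely gets greylisted.
SAMPLE_MAILLOG = """\
Mar  4 09:12:01 mail sendmail[4410]: r24FC1Ab004410: from=<victim@example.edu>, size=1873, class=0, nrcpts=40, msgid=<20130304151201.GA4410@example.edu>, proto=ESMTP, daemon=MTA-v4, relay=[41.203.67.50]
Mar  4 09:12:01 mail sendmail[4412]: r24FC1Ac004412: from=<prof@example.edu>, size=5120, class=0, nrcpts=1, msgid=<20130304151201.GB4412@example.edu>, proto=ESMTP, daemon=MTA-v4, relay=ws-123.example.edu [192.0.2.123]
Mar  4 09:12:05 mail sendmail[4415]: r24FC1Ab004410: to=<a@yahoo.com>, delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=121873, relay=mta.yahoo.example. [203.0.113.5], dsn=4.0.0, stat=Deferred: 421 4.7.0 [TS01] Messages temporarily deferred due to user complaints; see http://postmaster.yahoo.com/421-ts01.html
Mar  4 09:12:05 mail sendmail[4415]: r24FC1Ab004410: to=<b@yahoo.com>, delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=121873, relay=mta.yahoo.example. [203.0.113.5], dsn=4.0.0, stat=Deferred: 421 4.7.0 [TS01] Messages temporarily deferred due to user complaints; see http://postmaster.yahoo.com/421-ts01.html
Mar  4 09:12:06 mail sendmail[4416]: r24FC1Ab004410: to=<c@aol.com>, delay=00:00:05, xdelay=00:00:02, mailer=esmtp, pri=121873, relay=mx.aol.example. [203.0.113.6], dsn=4.0.0, stat=Deferred: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html
Mar  4 09:12:07 mail sendmail[4417]: r24FC1Ab004410: to=<d@hotmail.com>, delay=00:00:06, xdelay=00:00:02, mailer=esmtp, pri=121873, relay=mx.hotmail.example. [203.0.113.7], dsn=4.0.0, stat=Deferred: 421 RP-001 The mail server IP connecting to Windows Live Hotmail server has exceeded the rate limit allowed. http://mail.live.com/mail/troubleshooting.aspx
Mar  4 09:12:08 mail sendmail[4418]: r24FC1Ac004412: to=<colleague@partner.example.org>, delay=00:00:07, xdelay=00:00:01, mailer=esmtp, pri=35120, relay=mx.partner.example.org. [203.0.113.8], dsn=4.0.0, stat=Deferred: 451 4.7.1 Greylisting in action, please come back later
Mar  4 09:12:09 mail sendmail[4419]: r24FC1Ab004410: to=<e@example.net>, delay=00:00:08, xdelay=00:00:01, mailer=esmtp, pri=121873, relay=mx.example.net. [203.0.113.9], dsn=2.0.0, stat=Sent (250 OK)
"""

# The slide's patterns: a deferral whose text points at a provider's postmaster
# page means that provider thinks your server is spamming it.
REPUTATION_DEFERRALS = [
    ("yahoo", re.compile(r"stat=Deferred.+http://postmaster\.yahoo\.com")),
    ("aol", re.compile(r"stat=Deferred.+http://postmaster\.info\.aol\.com")),
    ("hotmail", re.compile(r"stat=Deferred.+mail\.live\.com/mail/troubleshoo")),
]
FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*?nrcpts=(?P<nrcpts>\d+)")
TO_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>.*?stat=")


def reputation_hits(log_text):
    """Return {sender: Counter(provider -> deferrals)}, joining to= lines to the
    envelope sender through the sendmail queue ID."""
    senders = {}                 # queue ID -> envelope sender
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            senders[m["qid"]] = m["sender"]
            continue
        m = TO_RE.search(line)
        if not m:
            continue
        for provider, pattern in REPUTATION_DEFERRALS:
            if pattern.search(line):
                hits[senders.get(m["qid"], "?")][provider] += 1
    return hits


def recipient_volume(log_text):
    """Envelope recipients per sender, summed from nrcpts= on the from= lines."""
    volume = Counter()
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            volume[m["sender"]] += int(m["nrcpts"])
    return volume


def senders_to_contain(hits, threshold=2):
    """Senders with at least `threshold` reputation deferrals across providers."""
    return sorted(s for s, c in hits.items() if sum(c.values()) >= threshold)


if __name__ == "__main__":
    # Usage: outbound.py < /var/log/maillog   (sample data when run bare)
    hits = reputation_hits(SAMPLE_MAILLOG)
    volume = recipient_volume(SAMPLE_MAILLOG)
    for sender in senders_to_contain(hits):
        print(f"{sender}: {dict(hits[sender])}, {volume[sender]} recipients")
```

Ordinary greylisting and "Sent" lines fall through untouched, which is what keeps this signal quiet compared with queue-size or rate alerts; when a sender does show up here it is worth treating the account as compromised and pulling its login IPs from the webmail log.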