1 / 47

The Phishing Ecosystem Wednesday, March 22 nd 2006 – 3:00pm

The Phishing Ecosystem Wednesday, March 22 nd 2006 – 3:00pm. Andrew Klein Engineering Manager. Phishing is Everywhere. MailFrontier Employee/Contractor ,

alvaro
Download Presentation

The Phishing Ecosystem Wednesday, March 22 nd 2006 – 3:00pm

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Phishing EcosystemWednesday, March 22nd 2006 – 3:00pm Andrew Klein Engineering Manager

  2. Phishing is Everywhere

  3. MailFrontier Employee/Contractor, Your e-mail account was used to send a large number of unsolicited spam messages during the past 5 days. We suspect your account has been compromised. Please click here to change your account password in the next 24 hours. Failure to change your account password will result in the suspension of your login to the system. Virtually yours, The MailFrontier Support Team … and sometimes it hits close to home!

  4. Phishing by the numbers • 6.1 billion – The estimated number phishing email messages that are sent worldwide each month • 2.4 million – Number of online consumers that reported losing money to a phishing scam (Gartner, May 2005 Survey) • 15,244 – Number of unique phishing attacks in December 2005 (APWG) • 7,197 – Number of phishing sites operational in December 2005 (APWG) • 35% – The percentage of phishing sites hosted in the United States for December 2005 (APWG) • 5.3 – Average number of days a phishing site is live in December 2005 (APWG)

  5. What’s Your Phishing IQ

  6. http://www.mbna-mail.com/ets/...

  7. LEGIT

  8. http://chaseonline.rewardprogramsurvey.us/

  9. http://chaseonline.rewardprogramsurvey.us/ Phish

  10. https://www.sbc.com/mysbc

  11. LEGIT

  12. Let’s Go Phishing

  13. Checklist - Step 1 • Get an email list • Develop the attack • Locate sites to send phishing email from • Locate sites to host the phishing site • Launch the attack • Collect results

  14. Get a List: Available on eBay

  15. Checklist - Step 2 • Get an email list • Develop the attack • Locate sites to send phishing email from • Locate sites to host the phishing site • Launch the attack • Collect results

  16. The attack email

  17. “Welcome to our site”

  18. “Give me some credit here”

  19. Checklist - Step 3 • Get an email list • Develop the attack • Locate sites to send phishing email from • Locate sites to host the phishing site • Launch the attack • Collect results

  20. Where we’ll send our phishing email from • Over 1,500 sending sites: • 161.58.214.148 (CodeFreeDVD) • 66.165.106.112 • 66.165.106.111 • 66.165.106.113 • 152.146.187.172 (Y&R) • 195.75.241.4 (Y&R) • 212.250.162.8 (NTL) • 60.40.182.119 • 4.29.226.58 • 221.219.243.27 • 221.168.185.104 • 218.43.179.67 • 80.182.2.12 • …

  21. Checklist - Step 4 • Get an email list • Develop the attack • Locate sites to send phishing email from • Locate sites to host the phishing site • Launch the attack • Collect results

  22. Who will host our phishing site? • Over 12 different hosters: • 210.114.175.226 • 210.78.73.253 • 211.23.187.151 • 61.152.175.161 • …

  23. Checklist - Step 5 • Get an email list • Develop the attack • Locate sites to send phishing email from • Locate sites to host the phishing site • Launch the attack • Collect results

  24. Sending Machines Phish Web Sites Receivers John Mary Tim Tomas Frank Evan 152.146.187.172 210.114.175.226 66.165.106.111 61.152.175.161 161.58.214.148 211.23.187.151 212.250.162.8 195.75.241.4 Jan George Ramona Phil Charlie Elisa Dom Herman June Scott Lana Luann Vadim Andy Tonia Venkat Chao Joe Oliver Attack launched

  25. Checklist – Step 6 • Get an email list • Develop the attack • Locate sites to send phishing email from • Locate sites to host the phishing site • Launch the attack • Collect results

  26. The results of our attack • 2,000,000 emails are sent • 5% get to the end user – 100,000 (APWG) • 5% click on the phishing link – 5,000 (APWG) • 2% enter data into the phishing site –100 (Gartner) • $1,200 from each person who enters data (FTC) • Our potential reward: $120,000 In 2005 the David Levi made over $360,000 from 160 people using an eBay Phishing scam

  27. Money From Mayhem

  28. A little phishing gang • The David Levi phishing gang – UK • 6 members • Operated for 12 months • At least $360,000 from 160 people • Segmentation of jobs • Techie • Creative designer • Money laundering – mule driver Caught – received sentences from 1 to 4 years each

  29. The phishing ecosystem Collect Construct Launch • Account Info • Credit Info • Identity Info • Logins & Passwords Sending Machines Email list Hosting Sites Email & Web site Phished information turned into Cash The Phisher $

  30. The money laundering “Mule” • “Make Money at Home” • Recruits receive funds in their accounts • Transfer funds from their account via Western Union wire transfers to a 2nd (phishers) account • Paid 10% of the sum of each money transfer • One or two transfers each week - $3,000 to $5,000 each • “Nations Welfare Foundation” • Looking for a “Financial Operations Manager” • Transfer money for young cancer patients in USSR • Real looking web site complete with pictures • Paid 7% - can make $500 to $2,000 per week

  31. The phishing ecosystem Collect Construct Launch • Account Info • Credit Info • Identity Info • Logins & Passwords Sending Machines Email list Hosting Sites Email & Web site Phished information turned into Cash The Phisher $ Harvested Information

  32. The phishing ecosystem Collect Construct Launch • Account Info • Credit Info • Identity Info • Logins & Passwords Sending Machines Email list Hosting Sites Email & Web site Phished information turned into Cash The Phisher Tools to the Trade $ Harvested Information • DHA • Site Crawlers • Spyware • Templates • Sitecopy & wget • Botnets • Trojans • Worms • Keyloggers • Hacks & Attacks • “Real” Domain Names

  33. Botnets • Botnet: A collection of compromised computers that are run under a common control structure • Functions • Email senders • DHA, spam, phishing, virus • DOS attacks • Rented out for $300 to $700 per hour • Jeanson James Ancheta made $60,000 by selling access • Over 10,000 botnets become active each day (Symantec)

  34. citibank-validate.info earthlink-reactivation.net services-bankofamerica.com sales-aol.net secure-ebay.com msn-reactivation.net secure-usbank.info service-visa.net verification-e-gold.com rewardprogramsurvey.us customer-verification.com banking-account-renewal.com security-update.cc citibanhk.de Valid SSL certificate issued credltlyonaisse.com Registrar info copied paypal.com Cyrillic “a” in name The name game

  35. The phishing ecosystem Collect Construct Launch • Account Info • Credit Info • Identity Info • Logins & Passwords Sending Machines Email list Hosting Sites Email & Web site Phished information turned into Cash The Phisher The Malware Community Tools to the Trade $ Harvested Information • DHA • Site Crawlers • Spyware • Templates • Sitecopy & wget • Botnets • Trojans • Worms • Keyloggers • Hacks & Attacks • “Real” Domain Names

  36. The phishing ecosystem Collect Construct Launch • Account Info • Credit Info • Identity Info • Logins & Passwords Sending Machines Email list Hosting Sites Email & Web site Phishing Kit Phished information turned into Cash The Phisher The Malware Community Tools to the Trade $ Harvested Information • DHA • Site Crawlers • Spyware • Templates • Sitecopy & wget • Botnets • Trojans • Worms • Keyloggers • Hacks & Attacks • “Real” Domain Names

  37. The phishing ecosystem Collect Construct Launch • Account Info • Credit Info • Identity Info • Logins & Passwords Sending Machines Email list Hosting Sites Email & Web site Phishing Kit $ $ Phished information turned into Cash The Phisher The Malware Community Tools to the Trade $ Harvested Information • DHA • Site Crawlers • Spyware • Templates • Sitecopy & wget • Botnets • Trojans • Worms • Keyloggers • Hacks & Attacks • “Real” Domain Names

  38. The phishing ecosystem Collect Construct Launch • Account Info • Credit Info • Identity Info • Logins & Passwords Sending Machines Email list Hosting Sites Email & Web site Phishing Kit $ $ Phished information turned into Cash The Phisher The Malware Community Tools to the Trade Harvested Information • DHA • Site Crawlers • Spyware • Templates • Sitecopy & wget • Botnets • Trojans • Worms • Keyloggers • Hacks & Attacks • “Real” Domain Names

  39. Scaling a phishing gang • The Campina Grande - Brazil • 65 members • Operated for at least 3 months • 200 accounts in six banks • $4.7 million stolen from bank accounts Feb 2006 – 41 members caught, 24 more still on the run

  40. The Four Parts of the Solution

  41. The email process The Brand A company that sends email to it’s customers or employees and therefore is a target for phishing scams The Mailman A company that receives email and delivers it to its employees/customers The Web Site The web site where you are directed to by the email You The person who receives email

  42. The brand • Cut-and-Paste links, minimize links • Use personal information where possible • Dear John J. Smith • Account ending in 1234 • Your zip code is 94304 • Provide non-email ways to verify • Use standard company domain names • Identify your partners • Set and follow standard communication practices • Internally and externally

  43. The mailman • Preemptive • Protect your email address • Phishing is more than spam – think Virus • Technology • Multi-faceted solution – No silver bullet • Sender authentication and reputation, content, contact point divergence, URL exploits, real-time phish lists, etc. • World-wide community collaboration • Change is part of the business • Psychology • Educate your customers/employees – their PhishingIQ • Email is still Good! Really it is!

  44. The web site • Company and personal sites • Monitor your site • Know your content • Practice good passwords • Keep logs, report phishing to authorities • Hosting services • Monitor new customers • Take phishing seriously • Unless they are eBay, assume they are not eBay! • Domain name registration services • Be diligent about domain registrations • Actively work to shut down phishing sites

  45. You • Know your senders • Is this someone I do business with? • Is this something I was told I’d receive? • Look for other ways to respond • Be aware • Look for clues – improve your PhishingIQ • Don’t be afraid to ask • Protect your system • Know how your system is updated • Check your records

  46. What did we do today • Your PhishingIQ • Phishing 101 • Mayhem and money • What to do about phishing • Take away: It’s your money/identity/job that is lost!

  47. Thank you Andrew Klein aklein@sonicwall.com www.sonicwall.com

More Related