
Winning the Battle Against Phishing Scams (as the war rages on)



  1. Winning the Battle Against Phishing Scams (as the war rages on) Harvard Townsend Chief Information Security Officer Kansas State University harv@ksu.edu EDUCAUSE SPC 2012 May 16, 2012

  2. “Don’t let anybody tell ya it’s easy!”

  3. Agenda • History (ah, that fateful day in January 2008 when the first phishing scam arrived) • Examples • The statistics • The battle plan • What has worked for you?

  4. First Phishing Scam Received at K-State Jan. 2008 (yielded 4 replies)

  5. Most Effective Spear Phishing Scam - resulted in 62 stolen accounts, 53 of which were used to send spam from our Webmail; can you say “spam block lists,” anyone? 37 were newly admitted freshmen who had not yet set foot on campus.

  6. Most Effective Spear Phishing Scam

  7. Most Effective Spear Phishing Scam

  8. Another effective spear phishing scam This one also tricked 62 K-Staters into giving away their eID password

  9. Another effective spear phishing scam Actually did come from a K-State email account… one that was compromised because the user gave away her eID password in another phishing scam!

  10. Spear phishing scam received by K-Staters in January 2010 If you clicked on the link…

  11. The malicious link in the scam email took you to an exact replica of K-State’s single sign-on web page, hosted on a server in the Netherlands, that would steal the user’s eID and password if they entered them and clicked “Sign in”. Clicking on “Sign in” then took the user to K-State’s home page. Note the URL – “flushandfloose.nl”, which is obviously not k-state.edu

  12. Fake SSO web page Real SSO web page

  13. Fake SSO web page – site not secure (http, not https) and hosted in the Netherlands (.nl) Real SSO web page – note “https”

  14. Fake SSO web page Real SSO web page – Use the eID verification badge to validate

  15. Result of clicking on eID verification badge on the fake SSO web site, or any site that is not authorized to use the eID and password

  16. Result of clicking on eID verification badge on a legitimate K-State web site that is authorized to use the eID and password for authentication

  17. Real K-State Federal Credit Union web site Fake K-State Federal Credit Union web site used in spear phishing scam

  18. Phun Phishing Phacts • Significant shift in the form of phishing since September 2010 • Before, was 60-70% “reply to this email with your password” • Since September 2010, 60+% are “click on this link and fill out the form” • 81% were form-based in 2011 • 84% YTD in 2012 • 36% of those in Google Docs

  19. Typical phishing form • Usually hosted on compromised server • Use of PHP Form Generator very common

  20. Typical phishing form Sometimes we can get administrative access to the form and delete or modify it, even view list of people who filled it out in order to identify who from K-State was duped by the phishing scam.

  21. Use of Google Docs Recent trend of using forms in spreadsheets.google.com https://spreadsheets.google.com/viewform?formkey=dEJhZ2RwTHRpakJ0RmNJcmZhX0EyWkE6MQ

  22. Even have the form-based AND reply-to method in the same phishing scam email!

  23. Phishing by the Numbers • K-State IT security Incidents in 2011 • 223 Spear phishing • 125 Malicious code activity • 101 Unauthorized access • 84 Spam source • 56 Policy violation • 56 DMCA violation • 6 Criminal activity/investigation • 9 Reconnaissance activity • 3 Denial of Service • 2 Web/BBS defacement • 1 Confidential data exposure • 1 Rogue server/service • 0 Un-patched vulnerability • 7 No incident

  24. Phishing by the Numbers • K-State IT security Incidents in 2011 • 223 Spear phishing • 125 Malicious code activity • 101 Unauthorized access • 84 Spam source • 56 Policy violation • 56 DMCA violation • 6 Criminal activity/investigation • 9 Reconnaissance activity • 3 Denial of Service • 2 Web/BBS defacement • 1 Confidential data exposure • 1 Rogue server/service • 0 Un-patched vulnerability • 7 No incident Mostly due to spear phishing scams (65%)

  25. Phishing by the Numbers • K-State IT security incidents in 2010 • 408 Spear phishing • 355 Spam source • 344 Unauthorized access • 103 Malicious code activity • 93 Policy violation • 83 DMCA violation • 23 Criminal activity/investigation • 10 Web/BBS defacement • 8 Reconnaissance activity • 3 Confidential data exposure • 1 Rogue server/service • 0 Un-patched vulnerability • 0 Denial of Service • 82 No incident Mostly due to spear phishing scams (74% of all incidents!!)

  26. A good change in the last year (55% reduction) largely due to reduced phishing-related incidents. Note the 3.0 incidents per day in 2010.

  27. 0.5 incidents per day (in 2011) instead of 3.0 – we could manage the load w/o phishing scams!

  28. First phishing scam detected at K-State on January 31, 2008 • Data at the end of 2011: • 1,215 compromised eIDs since then and, • 1,145 different phishing scams… that we know of • 68% reduction in compromised eIDs in 2011 • 45% reduction in phishing scams

  29. If we extrapolate year-to-date statistics for 2012, it’s even more apparent that the users are getting the message. • As of May 11, 2012: • 47 compromised eIDs • 186 unique phishing scams

  30. 47 compromised eIDs used to send spam on July 9; hackers accumulated stolen credentials and used them all on the same day Criminals on vacation in March? Spring Break! We’re doing something right! Are people more susceptible at the start of each semester?

  31. Demographics of Phishing Scam Replies in 2011 • 125 Students (85% of total eIDs that replied to scams) • 2 Newly admitted, have not attended yet • 15 Freshmen • 22 Sophomore • 22 Junior • 28 Senior • 33 Graduate (22 Master’s, 11 PhD) • 1 Vet Med • 2 non-degree • 2 Alumni • 11 Staff (8 current, 3 retired) • 8 Faculty (5 current, 1 adjunct, 1 Instructor, 1 emeritus/retired) • 1 Post-Doc • 1 Senior administrator • 1 repeat offender (faculty member who has now given away his password 5 times over the last 3 years) They should know better!

  32. Demographics of Phishing Scam Replies in 2010 • 390 Students (87% of total eIDs that replied to scams) • 95 Newly admitted, have not attended yet • 89 Freshmen • 55 Sophomore • 35 Junior • 54 Senior • 43 Graduate (31 Master’s, 12 PhD) • 6 Vet Med • 10 Alumni • 9 non-degree • 26 Staff (24 current, 2 retired) • 16 Faculty (6 current, 3 adjunct, 2 Instructor, 5 emeritus/retired) • 1 Post-Doc • 0 Senior administrators • 0 Other (like a sorority house mom) • 231 employees (i.e., lots of student employees duped) • 13 Repeat offenders (retired HUMEC faculty wins the prize for replying 5 times; barely beat retired music faculty @ 4 replies) They should know better!

  33. Demographics of Phishing Scam Replies in 2011 • Gender • Female: 83 (56%) • Male: 65 (44%) • (58/42 in 2010)

  34. Demographics of Phishing Scam Replies in 2011 • Students by academic college: • 45 – Arts & Sciences • 20 – Human Ecology • 14 – Business • 13 – Agriculture • 9 – Education • 8 – Engineering • 4 – Architecture • 4 – Technology & Aviation /Salina • 2 – Non-degree students • 1 – Veterinary Medicine • 5 – Undecided/Unknown

  35. Demographics of Phishing Scam Replies in 2011* * From the department of meaningless statistics

  36. More Phun Phishing Phacts • In 2009, 79 of the 296 (27%) phishing scams were “successful” (i.e., got replies with passwords) • Given this success rate, it’s no wonder the hackers don’t stop!!

  37. Our Phishing Defense Strategy!?

  38. The Greatest Threat?! • 96.5% of the security incidents at K-State in 2010 attributed to user behavior • Every one of the 1,262 stolen eIDs could have been prevented by informed users • In other words, we have to “thin the bozone!” (bozone = “The substance surrounding stupid people that prevents good ideas from penetrating”) • User awareness and training a major part of our anti-phishing strategy

  39. “There’s no patch for the stupid user” • Started mandatory annual security training for all employees in 2011 • Focused on phishing scams and password management • Developed in-house with K-State-specific info and examples • Refresher training in 2012 includes more on phishing • Had some positive effect in spite of venomous push-back

  40. Communicate! Communicate! Communicate! • Email • Web site • Blog • Twitter • RSS • Policies/procedures/guidelines/standards • Weekly IT newsletter articles • K-State Today news • Student newspaper articles • Advertisements • Video • Seminars • Online training • Face-to-face training • Monthly IT security roundtables • Annual day-long security workshop • New student orientation • Notices on enterprise systems • IT employee email footer (“K-State will never ask for...”) • Personal visits to committees, councils, departments And something new in fall 2011...

  41. National Cyber Security Awareness Month

  42. Technical Defenses • Leverage Procera PacketLogic 8720 (primary purpose is P2P filtering) installed at campus border • Block known malicious IPs since Oct. 2010 • Use Python API with web app to block malicious links to phishing forms in scam emails

  43. Help from Trend Micro • K-State uses Trend Micro OfficeScan (TMOS) for endpoint security (AV, firewall, host IDS) • Includes Web Reputation Services (WRS) • Blocks access to known disreputable sites, including those used in phishing scams • Enabled in both Windows and Mac versions • K-State IT security team regularly reports new malicious links to Trend to add to the block list, especially those found in phishing scams • Will soon be able to add malicious URLs to our own “blacklist” in WRS so they’re blocked sooner (feature in TMOS 10.5)

  44. Technical Defenses • Merit Network, Inc. hosts our Zimbra Collaboration Suite (email, calendar, etc.) • Addition of IronPort in Sept. 2010 • Reduced # of phishing scams received (although many undetected since they come from reputable sources – compromised accts at other edu institutions) • More placed in user Junk folders (but still have users responding from there) • If user forwards their ksu.edu email to an external account, like Hotmail, Merit’s spam tagging is not recognized, so the scam still appears in their inbox • Only filters inbound email at this time

  45. Technical Defenses • Quick detection of compromised accounts • Merit monitors for changes in user preferences, identities, and signatures • Changes made from known suspicious IP (41.0.0.0/8!) • Spam-like keywords or domains (“barrister,” “lottery,” “claimsdept,” 9.cn, yahoo.com.hk, live.hk, etc.) • Email addresses in the anti-phishing-email-reply list • Many sequential addresses added to Contact List/AddressBook • Patterns in sent mail • First 3 letters of each recipient; sort; look for close sequences (aaa@aol.com, aab@yahoo.com, etc.) • Large adds to “Emailed Contacts” • And, of course, respond to external complaints
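The compromised-account indicators on slide 45 (suspicious source network, spam-like keywords and domains, and the “first 3 letters of each recipient; sort; look for close sequences” pattern) can be scored directly over sent-mail records. The script below is an added example written for this page, not code from K-State or Merit; the `SentMessage` record layout, the run-length threshold, and the sample messages are assumptions, with only the indicator values taken from the slide.

```python
import ipaddress
from dataclasses import dataclass

# Indicator values named on slide 45; the threshold below is our assumption.
SUSPICIOUS_NET = ipaddress.ip_network("41.0.0.0/8")
SPAMMY_TOKENS = ("barrister", "lottery", "claimsdept", "9.cn", "yahoo.com.hk", "live.hk")
MIN_SEQUENTIAL_RUN = 3

@dataclass
class SentMessage:          # hypothetical record shape for one sent message
    sender_ip: str          # IP the webmail session came from
    signature: str          # account signature block at send time
    recipients: list        # To/Cc addresses of the message

def _prefix_code(address: str) -> int:
    # First 3 characters of the local part packed into one integer, so that
    # alphabetically adjacent prefixes (aaa, aab, aac) differ by exactly 1.
    local = address.split("@", 1)[0].lower()[:3].ljust(3)
    return sum(ord(ch) << (8 * (2 - i)) for i, ch in enumerate(local))

def prefix_run_score(recipients: list) -> int:
    """Slide 45 heuristic: sort the 3-letter recipient prefixes and return
    the length of the longest run of adjacent prefixes."""
    codes = sorted({_prefix_code(r) for r in recipients})
    best = run = 1
    for prev, cur in zip(codes, codes[1:]):
        run = run + 1 if cur - prev == 1 else 1
        best = max(best, run)
    return best

def flag_compromise(msg: SentMessage) -> list:
    """Return the indicators this message trips, in a fixed order."""
    reasons = []
    if ipaddress.ip_address(msg.sender_ip) in SUSPICIOUS_NET:
        reasons.append("suspicious-ip")
    haystack = (msg.signature + " " + " ".join(msg.recipients)).lower()
    if any(tok in haystack for tok in SPAMMY_TOKENS):
        reasons.append("spammy-token")
    if prefix_run_score(msg.recipients) >= MIN_SEQUENTIAL_RUN:
        reasons.append("sequential-recipients")
    return reasons

# Constructed sample data, not real K-State traffic.
SAMPLE_SPAM = SentMessage("41.12.34.56", "Barrister John, claimsdept",
    ["aaa@aol.com", "aab@yahoo.com", "aac@gmail.com", "bob@example.org"])
SAMPLE_CLEAN = SentMessage("192.0.2.10", "Jane Doe, K-State",
    ["advisor@ksu.edu", "mom@example.com"])

if __name__ == "__main__":
    for name, m in (("spam burst", SAMPLE_SPAM), ("normal mail", SAMPLE_CLEAN)):
        print(name, "->", flag_compromise(m) or "no indicators")
```

A message tripping any indicator would be the point at which slide 46's lock-and-notify workflow starts.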

  46. Technical Defenses • Lock accounts that trigger any of these criteria • Merit staff alerted of any faculty/staff acct, then manually inspects it before locking • Student accounts automatically locked during non-business hours (also manually inspected during business hours) • Generates a notification email to K-State • Security team verifies compromise by inspecting the account preferences, signature block, INBOX, Sent folder • Resets password so eID cannot be used for any services • Creates a trouble-ticket (Service-Now) and assigns it to the IT Help Desk • Help Desk contacts user or waits until they call; assists with changing their password; provides opportunistic “training” • The user changing their password removes the Zimbra lock

  47. Fillet-o-Phish • Processing phishing scam emails to limit the threat • Growing number of users trained to submit phishing scams to abuse@ksu.edu – with full headers! • Processing them ASAP is a priority

  48. Processing Phishing Scams
