Download
1 / 30
300 likes | 461 Views
George Mason University and SonicWALL The Phishing Ecosystem Analyzing the Dynamics for Maximum Defense Tuesday, April 11th 2006 – 2:45pm. Agenda. Overview of the Phishing Ecosystem Questions for the panel Scope of the problem What did GMU do Results Phishing education Other email issues
E N D
George Mason University and SonicWALLThe Phishing EcosystemAnalyzing the Dynamics for Maximum DefenseTuesday, April 11th 2006 – 2:45pm
Agenda • Overview of the Phishing Ecosystem • Questions for the panel • Scope of the problem • What did GMU do • Results • Phishing education • Other email issues • Ask questions as we go • Wrap up & lessons learned
The Phishing Checklist • Get an email list • Develop the attack • Locate sites to send phishing email from • Locate sites to host the phishing site • Launch the attack • Collect the information • Transform into cash
A bad day phishin’, beats a good day workin’ • 2,000,000 emails are sent • 5% get to the end user – 100,000 (APWG) • 5% click on the phishing link – 5,000 (APWG) • 2% enter data into the phishing site –100 (Gartner) • $1,200 from each person who enters data (FTC) • Our potential reward: $120,000 In 2005 David Levi made over $360,000 from 160 people using an eBay Phishing scam
A little phishing gang • The David Levi phishing gang – UK • 6 members • Operated for 12 months • At least $360,000 from 160 people • Segmentation of jobs • Techie • Creative designer • Money laundering – mule driver Caught – received sentences from 1 to 4 years each
The phishing ecosystem Collect Construct Launch • Account Info • Credit Info • Identity Info • Logins & Passwords Phishing Kit Sending Machines Email list Hosting Sites Email & Web site $ The Phisher Tools to the Trade Harvested Information Phished information turned into Cash • Hacks & Attacks • “Real” Domain Names • Botnets • Trojans • Worms • Keyloggers • DHA • Site Crawlers • Spyware • Templates • Sitecopy & wget $ The Malware Community
The money laundering “Mule” • “Make Money at Home” • Recruits receive funds in their accounts • Transfer funds from their account via Western Union wire transfers to a 2nd (phishers) account • Paid 10% of the sum of each money transfer • One or two transfers each week - $3,000 to $5,000 each • “Nations Welfare Foundation” • Looking for a “Financial Operations Manager” • Transfer money for young cancer patients in USSR • Real looking web site complete with pictures • Paid 7% - can make $500 to $2,000 per week
Botnets • Botnet: A collection of compromised computers that are run under a common control structure • Functions • Email senders • DHA, spam, phishing, virus • DOS attacks • Rented out for $300 to $700 per hour • Jeanson James Ancheta made $60,000 by selling access • Over 10,000 botnets become active each day (Symantec)
Hacks and Attacks • 9,715 – Number of phishing sites operational in January 2006 (APWG) • 34% – The percentage of phishing sites hosted in the United States for December 2005 (APWG) • 31% - The percentage of phishing sites that are being hosted on “real” web servers (SonicWALL) Hacked bank server hosts phishing sites March 13, 2006 (IDG News Service) – Criminals appear to have hacked a Chinese bank’s server and are using it to host phishing sites to steal personal data from customers of eBay Inc. and a major U.S. bank.
Scaling a phishing gang • The Campina Grande - Brazil • 65 members • Operated for at least 3 months • 200 accounts in six banks • $4.7 million stolen from bank accounts Feb 2006 – 41 members caught, 24 more still on the run
The phishing ecosystem Collect Construct Launch • Account Info • Credit Info • Identity Info • Logins & Passwords Phishing Kit Sending Machines Email list Hosting Sites Email & Web site The Phisher Tools to the Trade Harvested Information Phished information turned into Cash • Hacks & Attacks • “Real” Domain Names • Botnets • Trojans • Worms • Keyloggers • DHA • Site Crawlers • Spyware • Templates • Sitecopy & wget $ The Malware Community
Roles of the Education in Phishing • Victim • Receive and respond to phishing attack • Bad for victim / Bad for you • Labor • Mules • Coders • Phisher • Organized cooperative environment • Participant • Hosting phishing sites • Sending email – Botnets
Email and Academia: The Challenge • Email supports communications, academic projects and business administration, but also makes you vulnerable • Diverse user needs • Limited resources and need to reduce operating costs
Email At George Mason University • 30,000 active email accounts • 400,000 inbound messages/day (82% junk) • Decentralized, ineffective protection for spam • No protection from phishing • Six AV appliances • Costly maintenance
Determine The Requirements • User Town Hall Meetings • Quarantine is required • Ability to opt-out • Systems Management • No new staff – minimize daily tasks • Solaris-based • Management reporting
Evaluation Requirements • Effective - we receive only the emails we want to receive • Easy to manage – something that doesn’t require additional IT time (actually, less time than what we’re spending is better) • Easy for end users – little to no training required, also something they can self-manage
The Process… • Product analysis, review requirements • Vendor questionnaire • Review responses • Invitation to technology day • Each vendor given 50 minutes • Present same info in specified order • Must include pricing and references • Q&A • Vendors cannot see other vendor presentations
Evaluation • All vendors that satisfied all requirements invited • Solutions placed in production mail flow for 15 days
Wrap-up • Overview of the Phishing Ecosystem • Phish School • Scope of the problem • What did GMU do • Results • Phishing education • Other email issues
Thank you Andrew Klein aklein@sonicwall.com www.sonicwall.com
The email process The Brand A company that sends email to it’s customers or employees and therefore is a target for phishing scams The Mailman A company that receives email and delivers it to its employees/customers The Web Site The web site where you are directed to by the email You The person who receives email
The brand • Cut-and-Paste links, minimize links • Use personal information where possible • Dear John J. Smith • Account ending in 1234 • Your zip code is 94304 • Provide non-email ways to verify • Use standard company domain names • Identify your partners • Set and follow standard communication practices • Internally and externally
The mailman • Preemptive • Protect your email address • Phishing is more than spam – think Virus • Technology • Multi-faceted solution – No silver bullet • Sender authentication and reputation, content, contact point divergence, URL exploits, real-time phish lists, etc. • World-wide community collaboration • Change is part of the business • Psychology • Educate your customers/employees – their PhishingIQ • Email is still Good! Really it is!
The web site • Company and personal sites • Monitor your site • Know your content • Practice good passwords • Keep logs, report phishing to authorities • Hosting services • Monitor new customers • Take phishing seriously • Unless they are eBay, assume they are not eBay! • Domain name registration services • Be diligent about domain registrations • Actively work to shut down phishing sites
You • Know your senders • Is this someone I do business with? • Is this something I was told I’d receive? • Look for other ways to respond • Be aware • Look for clues – improve your PhishingIQ • Don’t be afraid to ask • Protect your system • Know how your system is updated • Check your records
