1 / 55

Philip Arwood John Gerber

Development of a Process for Phishing Awareness Activities. Philip Arwood John Gerber. What Will We Discuss?. Phishing and related Problems Real world examples Goals and Challenges of Phishing Awareness Early process Examples (early and current) Stats gathered

shellie-kelly
Download Presentation

Philip Arwood John Gerber

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Development of a Process for Phishing Awareness Activities Philip Arwood John Gerber

  2. What Will We Discuss? Phishing and related Problems Real world examples Goals and Challenges of Phishing Awareness Early process Examples (early and current) Stats gathered Phishing Technical: Getting Under the Hood Protecting Your Information

  3. If Only Life Was Simple Protecting Your Information

  4. View Point Of The Problem The following is an excerpt from speech by Mr. George Tenet, Director, CIA, delivered at the Georgia Institute of Technology, Atlanta, Georgia. “The number of known adversaries conducting research on information attacks is increasing rapidly and includes intelligence services, criminals, industrial competitors, hackers, and aggrieved or disloyal insiders”. Protecting Your Information

  5. Common Weaknesses Here are some of the most common visible or known weaknesses an adversary can exploit to obtain critical information: Inappropriate use of email / attachments / web Lack of awareness: don’t know what to protect, or who to protect it from Poor access controls Failure to practice need to know Failure to comply with security policies Protecting Your Information

  6. SANS Top Ten List (what people do to mess up their computer) Number 10 – Don’t bother with backups Number 9 – Use Easy, Quick Passwords Number 8 – Believe that Macs don’t get viruses Number 7 – Click on Everything Number 6 – Open ALL Email attachments Number 5 – Keep Your hard drive full and fragmented Number 4 – Install and Uninstall lots of programs (especially freeware) Number 3 – Turn off the Antivirus because it slows down your system Number 2 – Surf the Internet without a Hardware Firewall and a Software Firewall Number 1 – Plug into the Wall without Surge Protection Protecting Your Information

  7. Phishing Stats According to Gartner, December 17, 2007 The average dollar loss per Phishing Victim is $866 The total dollar loss of all phishing victim over a 1 year period is $3.6 Billion The number of people who fell victims to phishing scams over that same 1 year period is 3.2 Million According to a Gartner Survey More than 5 million U.S. consumers lost money to phishing attacks in the 12 months ending in September 2008, a 39.8 percent increase over the number of victims a year earlier Survey indicated a trend toward higher-volume and lower-value attacks Protecting Your Information

  8. Phishing Stats (cont.) According to SonicWall, 2008 The estimated number of phishing e-mails sent world-wide each month is 8.5 Billion According to Anti-Phishing Working Group The number of phishing web sites that were operational in May 2008 is 32,414 Protecting Your Information

  9. Phishing Stats (cont.) According to Gartner, April 2, 2009 • More than 5 million consumers lost to phishing attacks in the 12 months ending in September 2008, a 39.8 increase over the number of victims a year earlier. • The average consumer loss in 2008 per phishing incident was $351, a 60% decrease from the year before. Gartner believes the criminals are intentionally engaging in higher volume and lower-value attacks to stay under the radar of fraud detection systems that have become pervasive at banks and other financial services providers. • About 4.33% of phishing e-mail recipients recalled giving away sensitive information after they clicked on a phishing e-mail link, which is a 45% increase over the prior year.

  10. Phishing (Real World) Example 1a Point One Point Two Point Three Point Four Protecting Your Information

  11. Phishing (Real World) Example 1b Point One Point Two Point Three Point Four Protecting Your Information

  12. Phishing (Real World) Example 1c Point One Point Two Point Three Point Four Protecting Your Information

  13. Phishing (Real World) Example 2 Point One Point Two Point Three Point Four Protecting Your Information

  14. Phishing (Real World) Example 3 Point One Point Two Point Three Point Four Protecting Your Information

  15. Phishing (Real World) Example 4 Point One Point Two Point Three Point Four Protecting Your Information

  16. Phishing (Real World) Example 5 Point One Point Two Point Three Point Four Protecting Your Information

  17. Phishing (Real World) Example 6 Point One Point Two Point Three Point Four Protecting Your Information

  18. Why Phish? Benefits: Training tool for raising user awareness regarding phishing and the dangers. Serves as a self assessment tool. The Challenge: To develop phishing emails for monthly assessments To develop repeatable and reliable delivery methods To gather meaningful statistics for management Protecting Your Information

  19. Summary of Early Phishing Process Phishing Email was developed Researched URL to ensure no “real” sites were used, local redirect created to point to “gotcha” page Recipient list was created UNIX script was used to queue / send email. “Gotcha” page was monitored for network traffic, harvested IPs and times of connections Protecting Your Information

  20. Phishing Emails The early emails were developed to appear plain and contain obvious clues such as misspelled words, hyphenated URLS, etc. As the process evolved the emails contained less obvious clues. Following are examples of emails used early on and a few current examples. Protecting Your Information

  21. Early Phishing Example Protecting Your Information

  22. Early Phishing Example (cont) Protecting Your Information

  23. Early Phishing Example (cont) Protecting Your Information

  24. Current Phishing Example Protecting Your Information

  25. Current Phishing Example (cont) Protecting Your Information

  26. Current Phishing Example (cont) Protecting Your Information

  27. Current Phishing Example (cont) Protecting Your Information

  28. Gotcha Page URL points to a web page that states: Exercise was initiated by security Gives information regarding what could have happened Encourages user to re-take Cyber Awareness training (phishing awareness is reinforced in cyber awareness training) Protecting Your Information

  29. Gotcha Page Protecting Your Information

  30. What Data Do We Gather? End-User Response Time The time between sending email and notification to security via email, phone, SPAM folder, … Total number of responses End-User Click Rates When the first click occurred Total number of clicks Who clicked Protecting Your Information

  31. Suggestions for Topics? End-Users appear to be more interested in: E-Cards (Valentines, Holiday cards, etc.) Local News (highway construction, etc.) Sports Humor End-Users appear to be less interested in: Technology related topics Surveys Protecting Your Information

  32. Results Result summary for 2008 Result summary for 2009 to date Protecting Your Information

  33. Phishing Technical: Getting Under the Hood John J. Gerber CISSP, GCFA, GCIH, GISP, GSNA

  34. A Presentation of Interest “Spear Phishing: Real Cases, Real Solutions” Rohyt Belani, Intrepidus Group. Wednesday, 11:00-11:45. Phishing Technical

  35. What Will We Discuss? Basic System Setup Configuration Files Database Tables Programs Involved Walk Through Show Sample Results

  36. System Configuration Classic LAMP System Linux Apache MySQL Perl ModSecurity Request Tracker Thunderbird Phishing Technical

  37. Create Data Files • We keep each anti-phishing exercise in its own directory. In each directory create: • Phishing Email • Employee List • LUP Exceptions • Previous Clickers • Exempt List • Images Phishing Technical

  38. Sample Configuration File TEMPLATE::test::template.html TEMPLATE::whole::template.html TEMPLATE::lup::template.html TEMPLATE::clickers::template.html SENDER::test::jennifer_james@upostfun.com SENDER::whole::jennider_james@upostfun.com SENDER::lup::Jennifer_James@upostfun.com SENDER::clickers::Jen_James@upostfun.com SUBJECT::test::FWD: FWD: FWD: Hilarious SUBJECT::whole::FWD: FWD: FWD: Hilarious SUBJECT::lup::FWD: FWD: FWD: This is Hilarious SUBJECT::clickers::FWD: FWD: FWD: That is Hilarious WEB_HOST::test::upost.com WEB_HOST::whole::upost.com WEB_HOST::lup::upost.com WEB_HOST::clickers::upost.com EMAIL_FILE::test::test_pool.txt EMAIL_FILE::whole::whole_pool.txt EMAIL_FILE::lup::lup_pool.txt EMAIL_FILE::clickers::clickers_pool.txt REMOVE_EMAIL_FILE::whole::received_pool.txt EMAIL_NUM::test::999 EMAIL_NUM::whole::550 EMAIL_NUM::lup::999 EMAIL_NUM::clickers::999 Phishing Technical

  39. SCF: Template <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>FWD: FWD: FWD: Hilarious</title> </head> <body bgcolor="#ffffff" text="#000000"> <big><big>Check it out!</big></big><br> <p class="MsoNormal" style="margin-bottom: 12pt;"><b><span style="font-size: 11pt; font-family: &quot;Tahoma&quot;,&quot;sans-serif&quot;;"><br> From:</span></b><span style="font-size: 11pt; font-family: &quot;Tahoma&quot;,&quot;sans-serif&quot;;"> Castle, Frank &nbsp;<br> <b>Sent:</b> Tuesday, March 17, 2009 9:50 AM<br> <b>To:</b> Barton, Clint; Smith, Travis N.; Jones, Cora M.; James, Jennifer; Redman, Doug S.; Schrof, Tina; Tillman, Edward E.; Van Dyke, Richard L.; Farner Mark K.; Jamison, Hollie; Stewart, Greg; Young, Justin M.; Pierce, James G.; Spencer, Tim; Alexander, Charles B.; Gordon, Dale E.; Keen, Robert H.<br> Create • HTML Editor: Thunderbird • Text Based Editor • TAGS http://REPLACEWITHHOST/REPLACEWITHID/ href="mobile.html“ href="“ img src="opening.jpg" Phishing Technical

  40. Database: Tables attack +-------------+---------------------------------------+ | Field | Type | +-------------+---------------------------------------+ | aid | int(10) unsigned | | attack_type | enum('lup','test','whole','clickers') | | started | datetime | | ended | datetime | | first_view | datetime | | last_view | datetime | | first_click | datetime | | last_click | datetime | | sent_user | varchar(50) | | sent_host | varchar(50) | | subject | varchar(50) | | body | mediumtext | | sent_count | int(5) unsigned | | click_count | int(5) unsigned | | name | varchar(15) | +-------------+---------------------------------------+ Phishing Technical

  41. Database: Tables (2) victims • +------------+-------------+ • | Field | Type | • +------------+-------------+ • | username | varchar(25) | • | dcso | varchar(25) | • | last_name | varchar(50) | • | first_name | varchar(50) | • | user_phone | varchar(12) | • +------------+-------------+ gerberjj arwoodpc Gerber J J (John) 865-574-9756 Phishing Technical

  42. Database: Tables (3) victim_pool • +----------+------------------+ • | Field | Type | • +----------+------------------+ • | uid | varchar(25) | • | aid | int(10) unsigned | • | username | varchar(25) | • | added | datetime | • +----------+------------------+ ibYyK1x8lstu1KseMrkpdJaHv 14 gerberjj 2009-03-24 10:32:30

  43. Database: Tables (4) user123.ornl.gov - - [25/Mar/2009:10:36:04 -0400] "GET /photo/ibYyK1x8lstu1KseMrkpdJaHv/showalbulm.pl?albulm=new HTTP/1.1" 200 2577 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.19) Gecko/20081204 SeaMonkey/1.1.14“ session +--------------+------------------+ | Field | Type | +--------------+------------------+ | uid | varchar(25) | | sent | datetime | | viewed_time | datetime | | viewed_log | varchar(255) | | clicked_time | datetime | | clicked_log | varchar(255) | | ip | varchar(50) | | email_sent | enum('yes','no') | +--------------+------------------+ ibYyK1x8lstu1KseMrkpdJaHv 2009-03-24 13:45:57 NULL NULL 2009-03-25 10:36:04 user123.ornl.gov no Phishing Technical

  44. Sample Initial Setup <html> <head> <title>FWD: FWD: FWD: Hilarious</title> </head> <body bgcolor="#ffffff" text="#000000"> <big><big>Check it out!</big></big><br> <p class="MsoNormal" style="margin-bottom: 12pt;"><b><span style="font-size: 11pt; font-family: &quot;Tahoma&quot;,&quot;sans-serif&quot;;"><br> From:</span></b><span style="font-size: 11pt; font-family: &quot;Tahoma&quot;,&quot;sans-serif&quot;;"> Castle, Frank &nbsp;<br> <b>Sent:</b> Tuesday, March 17, 2009 9:50 AM<br> <b>To:</b> Barton, Clint; Smith, Travis N.; Jones, Cora M.; James, Jennifer; Redman, Doug S.; Schrof, Tina; Tillman, Edward E.; Van Dyke, Richard L.; Farner Mark K.; Jamison, Hollie; Stewart, Greg; Young, Justin M.; Pierce, James G.; Spencer, Tim; Alexander, Charles B.; Gordon, Dale E.; Keen, Robert H.<br> <b>Subject:</b> FWD: FWD: Hilarious No File gerberjj@ornl.gov arwoodpc@ornl.gov goffy@ornl.gov duckd@ornl.gov mousem@ornl.gov • [hilarious]# ls -1 • clickers_pool.txt • lup_pool.txt • phish.conf • received_pool.txt • template.html • test_pool.txt • whole_pool.txt TEMPLATE::test::template.html TEMPLATE::whole::template.html TEMPLATE::lup::template.html TEMPLATE::clickers::template.html SENDER::test::Jennifer_James@upostfun.com SENDER::whole::Jennifer_James@upostfun.com SENDER::lup::Jen_James@upostfun.com SENDER::clickers::jennifer_james@upostfun.com SUBJECT::test::FWD: FWD: FWD: Hilarious SUBJECT::whole::FWD: FWD: FWD: Hilarious SUBJECT::lup::FWD: FWD: FWD: That is Hilarious SUBJECT::clickers::FWD: FWD: FWD: This is Hilarious WEB_HOST::test::www.upostfun.com WEB_HOST::whole::www.upostfun.com WEB_HOST::lup::www.upostfun.com WEB_HOST::clickers::www.upostfun.com EMAIL_FILE::test::test_pool.txt EMAIL_FILE::whole::whole_pool.txt EMAIL_FILE::lup::lup_pool.txt EMAIL_FILE::clickers::clickers_pool.txt REMOVE_EMAIL_FILE::whole::received_pool.txt EMAIL_NUM::test::999 EMAIL_NUM::whole::550 EMAIL_NUM::lup::999 EMAIL_NUM::clickers::999 00007 GERBERJJ@ORNL.GOV "Gerber, John J" 12312312 00009 PIKEC@ORNL.GOV "Pike, Christopher" 23123123 00010 COLTJM@ORNL.GOV "Colt, J M" 23123123 00011 BOYCEP@ORNL.GOV "Boyce, Phillip" 23123123 00012 TYLEYJ@ORNL.GOV "Tyler, Jose" 23123123 No File kirckjt@ornl.gov mccoylb@ornl.gov suluh@ornl.gov chekov@ornl.gov gerberjj arwoodpc UID PRIM TYPE PRO_DT UID_DT EMPSTAT UIDSTAT JLP Y NON 9/8/2005 14:18 9/8/2005 15:09 ACT ACT WTR Y NON 10/26/2004 2:00 9/14/2005 15:21 ACT ACT GLF Y NON 3/15/2005 2:00 8/31/2007 14:04 ACT ACT DKP Y NON 7/18/2005 15:03 7/19/2005 15:52 ACT ACT Phishing Technical

  45. Sample Initial Setup <html> <head> <title>FWD: FWD: FWD: Hilarious</title> </head> <body bgcolor="#ffffff" text="#000000"> <big><big>Check it out!</big></big><br> <p class="MsoNormal" style="margin-bottom: 12pt;"><b><span style="font-size: 11pt; font-family: &quot;Tahoma&quot;,&quot;sans-serif&quot;;"><br> From:</span></b><span style="font-size: 11pt; font-family: &quot;Tahoma&quot;,&quot;sans-serif&quot;;"> Castle, Frank &nbsp;<br> <b>Sent:</b> Tuesday, March 17, 2009 9:50 AM<br> <b>To:</b> Barton, Clint; Smith, Travis N.; Jones, Cora M.; James, Jennifer; Redman, Doug S.; Schrof, Tina; Tillman, Edward E.; Van Dyke, Richard L.; Farner Mark K.; Jamison, Hollie; Stewart, Greg; Young, Justin M.; Pierce, James G.; Spencer, Tim; Alexander, Charles B.; Gordon, Dale E.; Keen, Robert H.<br> <b>Subject:</b> FWD: FWD: Hilarious No File gerberjj@ornl.gov arwoodpc@ornl.gov goffy@ornl.gov duckd@ornl.gov mousem@ornl.gov • [hilarious]# ls -1 • clickers_pool.txt • lup_pool.txt • phish.conf • received_pool.txt • template.html • test_pool.txt • whole_pool.txt TEMPLATE::test::template.html TEMPLATE::whole::template.html TEMPLATE::lup::template.html TEMPLATE::clickers::template.html SENDER::test::Jennifer_James@upostfun.com SENDER::whole::Jennifer_James@upostfun.com SENDER::lup::Jen_James@upostfun.com SENDER::clickers::jennifer_james@upostfun.com SUBJECT::test::FWD: FWD: FWD: Hilarious SUBJECT::whole::FWD: FWD: FWD: Hilarious SUBJECT::lup::FWD: FWD: FWD: That is Hilarious SUBJECT::clickers::FWD: FWD: FWD: This is Hilarious WEB_HOST::test::www.upostfun.com WEB_HOST::whole::www.upostfun.com WEB_HOST::lup::www.upostfun.com WEB_HOST::clickers::www.upostfun.com EMAIL_FILE::test::test_pool.txt EMAIL_FILE::whole::whole_pool.txt EMAIL_FILE::lup::lup_pool.txt EMAIL_FILE::clickers::clickers_pool.txt REMOVE_EMAIL_FILE::whole::received_pool.txt EMAIL_NUM::test::999 EMAIL_NUM::whole::550 EMAIL_NUM::lup::999 EMAIL_NUM::clickers::999 00007 GERBERJJ@ORNL.GOV "Gerber, John J" 12312312 00009 PIKEC@ORNL.GOV "Pike, Christopher" 23123123 00010 COLTJM@ORNL.GOV "Colt, J M" 23123123 00011 BOYCEP@ORNL.GOV "Boyce, Phillip" 23123123 00012 TYLEYJ@ORNL.GOV "Tyler, Jose" 23123123 No File kirckjt@ornl.gov mccoylb@ornl.gov suluh@ornl.gov chekov@ornl.gov gerberjj arwoodpc UID PRIM TYPE PRO_DT UID_DT EMPSTAT UIDSTAT JLP55 Y NON 9/8/2005 14:18 9/8/2005 15:09 ACT ACT WTR21 Y NON 10/26/2004 2:00 9/14/2005 15:21 ACT ACT GLF45 Y NON 3/15/2005 2:00 8/31/2007 14:04 ACT ACT DKP72 Y NON 7/18/2005 15:03 7/19/2005 15:52 ACT ACT Phishing Technical

  46. Program: prepare.pl Run: prepare.pl <attack_name> Results #!/usr/local/bin/perl -w use DBI; use POSIX qw(strftime); BEGIN{push @INC, "/home/ger/projects/phish/perl"} use ornl_phish qw($db_host $db $mysql_user $mysql_passwd logit runcommand mailit generate_html user_exist check_attack_type read_config find_attack_name ); sub update_received { my($datafile, $rm_min_date, $dbh) = @_; $error = ""; my %user_list; # Make sure we add back only unqiue ids (no duplicates) if ( -e $datafile) { my $results = ""; # Pull out the content of previous clickers $/ = "\n"; open(INFILE,$datafile) || ( $error = "ERROR: Problem opening file $datafile: $!\n" ); *.orig - the original files. *_pool.txt - theses are the updated files which the system will use in the next step. Make sure they look correct. received_pool.txt - This file will be updated with unique values that previously existed and data from the database of those who received email under a "whole" attack. sample_*.html - sample emails. Check them out and make sure they look appropriate. Open file in browser and confirm no format problems. Phishing Technical

  47. Results: prepare.pl [hilarious]# ls -1 phish.conf received_pool.txt sample_test.html template.html test_pool.txt test_pool.txt.orig File: received_pool.txt user1@ornl.gov user2@ornl.gov user3@ornl.gov user4@ornl.gov user5@ornl.gov File: test_pool.txt arwoodpc@ornl.gov gerberjj@ornl.gov File: sample_text.html <html><head><title>FWD: FWD: FWD: Hilarious</title> </head><body bgcolor="#ffffff" text="#000000"> This is hilarious, check it out!<br> <br> <a href="http://upostfun.com/hilarious/0123456789/">http://upostfun.com/hilarious/0123456789/2009/04/11/</a><br> Phishing Technical

  48. View sample_text.html Use your favorite browser to pull up sample_text.html Phishing Technical

  49. Inform and Authorize CIO Authorization Helpdesk Mail Administrator DNS Administrator Phishing Technical

  50. Program: go_phishing.pl Results Run: go_phishing.pl #!/usr/local/bin/perl -w # Perl Modules # use DBI; use POSIX qw(strftime); BEGIN{push @INC, "/home/ger/projects/phish/perl"} use ornl_phish qw($db_host $db $mysql_user $mysql_passwd logit runcommand mailit generate_html user_exist check_attack_type read_config find_attack_name); sub modify_apache { my($apache_conf,$apache_temp,$attack_name,$logfile) = @_; my $error = ""; local($datetime) = strftime("%Y%m%d%H%M%S", localtime); undef $/; open(INFILE,$apache_temp) || ( $error = "ERROR: Problem opening file $apache_temp: $!\n" ); if ($error eq "") { my $conf_body = <INFILE>; $conf_body =~ s/RewriteEngine On.*/RewriteEngine On/s; my $rc = &runcommand($logfile,"/bin/cp","$apache_conf/httpd.conf", "$apache_conf/httpd.conf.$datetime"); • Emails are sent. • A 30 minute break between groups. • Web areas created. • images • web page people see when they click • report web area created to watch the progress • Modify httpd.conf, clear logs, restart server. Uses: /usr/bin/nc -vv smtpserver.ornl.gov 25 2009-04-29 19:10:28 INFO: Started. Sending email to gerberjj smtpserver.ornl.gov [160.91.4.118] 25 (smtp) open 220 mailserver.ornl.gov -- Server ESMTP (PMDF V6.4#31561) 251 mailserver.ornl.gov system name not given in HELO command, phishingphil.ornl.gov [160.91.218.210]. 250 2.5.0 Address Ok. 250 2.1.5 gerberjj@ornl.gov OK. 354 Enter mail, end with a single ".". 250 2.5.0 Ok. 221 2.3.0 Bye received. Goodbye. sent 4340, rcvd 301 Phishing Technical

More Related