
Winning the Battle Against Phishing
Scams (as the war rages on)
Harvard Townsend
Chief Information Security Officer
Kansas State University
[email protected]
EDUCAUSE SPC 2012
May 16, 2012
“Don’t let anybody tell ya it’s easy!”
Agenda
• History (ah, that fateful day in January
2008 when the first phishing scam arrived)
• Examples
• The statistics
• The battle plan
• What has worked for you?
First Phishing Scam Received at K-State, Jan. 2008 (yielded 4 replies)
Most Effective Spear Phishing Scam – resulted in 62 stolen accounts, 53 of which were used to send spam from our Webmail; can you say “spam block lists,” anyone?
37 were newly admitted freshmen who had not yet stepped foot on campus.
[Screenshots: Most Effective Spear Phishing Scam]
Another effective spear phishing scam
This one also tricked 62 K-Staters into giving away their eID password.
Actually did come from a K-State email account… one that was compromised because the user gave away her eID password in another phishing scam!
Spear phishing scam received by K-Staters in January 2010
If you clicked on the link…
The malicious link in the scam email took you to an exact replica of K-State’s single sign-on web page, hosted on a server in the Netherlands, that would steal your eID and password if you entered them and clicked “Sign in”. Clicking on “Sign in” then took the user to K-State’s home page.
Note the URL – “flushandfloose.nl”, which is obviously not k-state.edu
Fake SSO web page vs. real SSO web page
Fake SSO web page – site not secure (http, not https) and hosted in the Netherlands (.nl)
Real SSO web page – note “https”
Real SSO web page – use the eID verification badge to validate
Result of clicking on the eID verification badge on the fake SSO web site, or any site that is not authorized to use the eID and password
Result of clicking on the eID verification badge on a legitimate K-State web site that is authorized to use the eID and password for authentication
Real K-State Federal Credit Union web site vs. fake K-State Federal Credit Union web site used in spear phishing scam
Phun Phishing Phacts
• Significant shift in the form of phishing since September 2010
– Before, was 60-70% “reply to this email with your password”
– Since September 2010, 60+% are “click on this link and fill out the form”
– 81% were form-based in 2011
– 84% YTD in 2012
• 36% of those in Google Docs
Typical phishing form
• Usually hosted on compromised server
• Use of PHP Form Generator very common
• Sometimes we can get administrative access to the form and delete or modify it, even view the list of people who filled it out in order to identify who from K-State was duped by the phishing scam.
Use of Google Docs
• Recent trend of using forms in spreadsheets.google.com
https://spreadsheets.google.com/viewform?formkey=dEJhZ2RwTHRpakJ0RmNJcmZhX0EyWkE6MQ
Even have form-based AND reply-to method in the same phishing scam email!
Phishing by the Numbers
• K-State IT security incidents in 2011
– 223 Spear phishing
– 125 Malicious code activity
– 101 Unauthorized access
– 84 Spam source
(the top categories are mostly due to spear phishing scams – 65%)
– 56 Policy violation
– 56 DMCA violation
– 6 Criminal activity/investigation
– 9 Reconnaissance activity
– 3 Denial of Service
– 2 Web/BBS defacement
– 1 Confidential data exposure
– 1 Rogue server/service
– 0 Un-patched vulnerability
– 7 No incident
Phishing by the Numbers
• K-State IT security incidents in 2010
– 408 Spear phishing
– 355 Spam source
– 344 Unauthorized access
(mostly due to spear phishing scams – 74% of all incidents!!)
– 103 Malicious code activity
– 93 Policy violation
– 83 DMCA violation
– 23 Criminal activity/investigation
– 10 Web/BBS defacement
– 8 Reconnaissance activity
– 3 Confidential data exposure
– 1 Rogue server/service
– 0 Un-patched vulnerability
– 0 Denial of Service
– 82 No incident
A good change in the last year (55% reduction), largely due to reduced phishing-related incidents. Note the 3.0 incidents per day in 2010.
0.5 incidents per day (in 2011) instead of 3.0 – we could manage the load w/o phishing scams!
First phishing scam detected at K-State on January 31, 2008
Data at the end of 2011:
• 1,215 compromised eIDs since then and,
• 1,145 different phishing scams… that we know of
• 68% reduction in compromised eIDs in 2011
• 45% reduction in phishing scams
If we extrapolate year-to-date statistics for 2012, it’s even more apparent that the users are getting the message.
As of May 11, 2012:
• 47 compromised eIDs
• 186 unique phishing scams
[Chart annotations]
• Criminals on vacation in March? Spring Break!
• 47 compromised eIDs used to send spam on July 9; hackers accumulated stolen credentials and used them all on the same day
• We’re doing something right!
• Are people more susceptible at the start of each semester?
Demographics of Phishing Scam Replies in 2011
• 125 Students (85% of total eIDs that replied to scams)
– 2 Newly admitted, have not attended yet
– 15 Freshmen
– 22 Sophomore
– 22 Junior
– 28 Senior
– 33 Graduate (22 Master’s, 11 PhD)
– 1 Vet Med
– 2 non-degree
• 2 Alumni
• 11 Staff (8 current, 3 retired)
• 8 Faculty (5 current, 1 adjunct, 1 Instructor, 1 emeritus/retired)
• 1 Post-Doc
• 1 Senior administrator
(staff, faculty, post-doc and senior administrator: “They should know better!”)
• 1 repeat offender (faculty member who has now given away his password 5 times over the last 3 years)
Demographics of Phishing Scam Replies in 2010
• 390 Students (87% of total eIDs that replied to scams)
– 95 Newly admitted, have not attended yet
– 89 Freshmen
– 55 Sophomore
– 35 Junior
– 54 Senior
– 43 Graduate (31 Master’s, 12 PhD)
– 6 Vet Med
– 10 Alumni
– 9 non-degree
• 26 Staff (24 current, 2 retired)
• 16 Faculty (6 current, 3 adjunct, 2 Instructor, 5 emeritus/retired)
• 1 Post-Doc
• 0 Senior administrators
• 0 Other (like a sorority house mom)
(staff, faculty, post-doc and senior administrators: “They should know better!”)
• 231 employees (i.e., lots of student employees duped)
• 13 Repeat offenders (retired HUMEC faculty wins the prize for replying 5 times; barely beat retired music faculty @ 4 replies)
Demographics of Phishing Scam Replies in 2011
• Gender
– Female: 83 (56%)
– Male: 65 (44%)
– (58/42 in 2010)
Demographics of Phishing Scam Replies in 2011
• Students by academic college:
– 45 – Arts & Sciences
– 20 – Human Ecology
– 14 – Business
– 13 – Agriculture
– 9 – Education
– 8 – Engineering
– 4 – Architecture
– 4 – Technology & Aviation / Salina
– 2 – Non-degree students
– 1 – Veterinary Medicine
– 5 – Undecided/Unknown
Demographics of Phishing Scam Replies in 2011*
* From the department of meaningless statistics
More Phun Phishing Phacts
• In 2009, 79 of the 296 (27%) phishing scams were “successful” (i.e., got replies with passwords)
• Given this success rate, it’s no wonder the hackers don’t stop!!
Our Phishing Defense Strategy!?
The Greatest Threat?!
• 96.5% of the security incidents at K-State in 2010 attributed to user behavior
• Every one of the 1,262 stolen eIDs could have been prevented by informed users
• In other words, we have to “thin the bozone!” (bozone = “The substance surrounding stupid people that prevents good ideas from penetrating”)
• User awareness and training a major part of our anti-phishing strategy
“There’s no patch for the stupid user”
• Started mandatory annual security training for all employees in 2011
– Focused on phishing scams and password management
– Developed in-house with K-State-specific info and examples
– Refresher training in 2012 includes more on phishing
– Had some positive effect in spite of venomous push-back
Communicate! Communicate! Communicate!
• Email
• Web site
• Blog
• Twitter
• RSS
• Policies/procedures/guidelines/standards
• Weekly IT newsletter articles
• K-State Today news
• Student newspaper articles
• Advertisements
• Video
• Seminars
• Online training
• Face-to-face training
• Monthly IT security roundtables
• Annual day-long security workshop
• New student orientation
• Notices on enterprise systems
• IT employee email footer (“K-State will never ask for...”)
• Personal visits to committees, councils, departments
• And something new in fall 2011... National Cyber Security Awareness Month
Technical Defenses
• Leverage Procera PacketLogic 8720 (primary purpose is P2P filtering) installed at campus border
– Block known malicious IPs since Oct. 2010
– Use Python API with web app to block malicious links to phishing forms in scam emails
Help from Trend Micro
• K-State uses Trend Micro OfficeScan (TMOS) for endpoint security (AV, firewall, host IDS)
• Includes Web Reputation Services (WRS)
– Blocks access to known disreputable sites, including those used in phishing scams
– Enabled in both Windows and Mac versions
– K-State IT security team regularly reports new malicious links to Trend to add to the block list, especially those found in phishing scams
– Will soon be able to add malicious URLs to our own “blacklist” in WRS so they’re blocked sooner (feature in TMOS 10.5)
Technical Defenses
• Merit Network, Inc. hosts our Zimbra Collaboration Suite (email, calendar, etc.)
• Addition of IronPort in Sept. 2010
– Reduced # of phishing scams received (although many undetected since they come from reputable sources – compromised accts at other edu institutions)
– More placed in user Junk folders (but still have users responding from there)
– If user forwards their ksu.edu email to an external account, like Hotmail, Merit’s spam tagging is not recognized, so the scam still appears in their inbox
– Only filters inbound email at this time
Technical Defenses
• Quick detection of compromised accounts
• Merit monitors for changes in user preferences, identities, and signatures
– Changes made from known suspicious IP (41.0.0.0/8!)
– Spam-like keywords or domains (“barrister,” “lottery,” “claimsdept,” 9.cn, yahoo.com.hk, live.hk, etc.)
– Email addresses in the anti-phishing-email-reply list
– Many sequential addresses added to Contact List/AddressBook
• Patterns in sent mail
– First 3 letters of each recipient; sort; look for close sequences ([email protected], [email protected], etc.)
– Large adds to “Emailed Contacts”
• And, of course, respond to external complaints
Technical Defenses
• Lock accounts that trigger any of these criteria
– Merit staff alerted of any faculty/staff acct, then manually inspects it before locking
– Student accounts automatically locked during non-business hours (also manually inspected during business hours)
– Generates a notification email to K-State
• Security team verifies compromise by inspecting the account preferences, signature block, INBOX, Sent folder
• Resets password so eID cannot be used for any services
• Creates a trouble-ticket (Service-Now) and assigns it to the IT Help Desk
• Help Desk contacts user or waits until they call; assists with changing their password; provides opportunistic “training”
• The user changing their password removes the Zimbra lock
Fillet-o-Phish
• Processing phishing scam emails to limit the threat
– Growing number of users trained to submit phishing scams to [email protected] – with full headers!
– Is a priority to process them asap
Processing Phishing Scams
Block
• Malicious URL in Procera PacketLogic (campus border only)
• Malicious URL in Trend Micro Web Reputation Services (all endpoints, independent of location)
• Reply-to addr not blocked
Notify
• Origin of email
• Host of web form
• Host of Reply-to email address
• Anti-phishing-email-reply list
Inform
• Post scam email to IT Security Threats Blog (automatically sends it via email, RSS, or Twitter)
• threats.itsecurity.ksu.edu
• Provides examples from which users can learn
• Users can check to see if we already know about a phishing email
Log
• Create incident ticket in Service-Now (status=resolved)
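The Block / Notify / Inform / Log steps above all start from the same three pieces of a submitted scam: where the message was injected, where its form lives, and where replies would go. The block below is an added example (not K-State's processing tool) that pulls those indicators out of a user-submitted message with full headers using Python's standard `email` parser. The message is constructed for the example, with documentation-only IP addresses and `.invalid` hostnames; the "origin is the earliest Received header" rule assumes the submitter forwarded the complete header chain as the slide asks.

```python
"""Triage of a user-submitted phishing email into the indicators that
the Block / Notify / Inform / Log steps need. Sample message is constructed."""
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample scam: form link AND reply-to lure in the same message.
RAW_SCAM = """\
Received: from mail.example.edu (mail.example.edu [198.51.100.10])
\tby mx.example.net with ESMTP id abc123; Mon, 14 May 2012 08:00:00 -0500
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mail.example.edu with ESMTPA; Mon, 14 May 2012 07:58:00 -0500
From: Help Desk <someuser@example.edu>
Reply-To: webmail-admin@claimsdept.example-mail.invalid
To: undisclosed-recipients:;
Subject: Verify your account
Content-Type: text/plain; charset="us-ascii"

Your mailbox is over quota. Confirm your account at
http://forms.example-hosting.invalid/phpformgen/login.php
or reply to this email with your username and password.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>'\"]+")


def origin_ip(msg):
    """Received headers are prepended as a message travels, so the last one
    is the earliest hop: the host that injected the message."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = IP_RE.search(str(received[-1]))
    return m.group(1) if m else None


def reply_to_address(msg):
    """Reply-to lure address, or None when the scam is purely form-based."""
    value = str(msg.get("Reply-To", "")).strip()
    return value or None


def body_urls(msg):
    """All http(s) links in the text body; these are the form hosts to block."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    return URL_RE.findall(text)


def triage(raw):
    """Return the indicators for each processing step on the slide."""
    msg = message_from_string(raw, policy=default)
    urls = body_urls(msg)
    reply_to = reply_to_address(msg)
    form_hosts = sorted({urlparse(u).hostname for u in urls})
    reply_host = reply_to.split("@", 1)[1] if reply_to and "@" in reply_to else None
    if urls and reply_to:
        method = "form+reply"
    elif urls:
        method = "form"
    else:
        method = "reply"
    return {
        "method": method,
        # Block: feed to the border filter and Web Reputation Services
        "block_urls": urls,
        # Notify: abuse contacts for each party, plus the reply-list update
        "notify": {"origin": origin_ip(msg),
                   "form_hosts": form_hosts,
                   "reply_to_host": reply_host},
        "reply_list_add": reply_to,
        # Inform / Log: what the blog post and ticket will carry
        "subject": str(msg.get("Subject", "")),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_SCAM).items():
        print(f"{key}: {value}")
```

The `method` field mirrors the form-based vs. reply-to split tracked in the earlier statistics, so the same triage run can update those counts. Note that the Reply-To address is recorded for the anti-phishing-email-reply list but deliberately not put in `block_urls`, matching the slide's "Reply-to addr not blocked".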
Summary
• Combination of factors made us a less attractive target
– Focused user awareness and training
• Mandatory annual IT security training started in 2011
• Wide variety of communication
– More aggressive spam filtering (IronPort)
• More scams rejected from being delivered
• Those that get through put in Junk folders
– Quick processing of phishing scams
• Users trained to send us scams as they arrive
• Quickly block access to phishing forms
– Early detection/locking of compromised accounts
• Often lock the account before it’s used to send spam
• 148 compromised eIDs in 2011 still too many; probably time to re-evaluate our strategy
Dealing with spam block lists
• Serious problem since so many people forward their @ksu.edu email to external accounts
– 25% of current students forward
– 31,506 former students forward (!)
– 15,507 former employees forward
• Merit has to request removal; have had mixed results
• Paid for subscription to RBLmon (rblmon.com, $10/month) and MxWatch (mxtoolbox.com, $20/month) to alert us when we’re added to a block list
Other Strategies
• To PhishMe or not to PhishMe...
• Require annual IT security training for students
• Check logs for access to other enterprise systems by compromised eIDs
– Submit bogus credentials to see how they’re used
• Outbound spam filtering
• Outbound mail rate limiting
• Use IDS or SIEM to alert us of a spam run
• DNS sinkhole malicious domains
• SPF and DKIM validation
• Remove scams from inboxes after delivery
What has worked for you?
Q&R – Question & Response (i.e., I don’t have all the answers!)
What’s on your mind?