Phishing - TechWorld Event

Phishing: exciting horror stories and the very boring antidote
EXPECTATIONS
WHAT YOU’LL KNOW, AND NOT KNOW, AFTER I’M DONE WITH YOU
WHAT YOU WILL KNOW
• How the phishing attack is carried out
• Some really embarrassing examples … (and some less embarrassing ones)
• How you can prevent phishing
• … and why you probably won’t succeed
WHAT YOU WON’T KNOW
• How someone can be stupid enough to wire $46.7 million to an offshore account without making sure the mail asking you to do so is legit.
• Anything revolutionary
BIO
OR – WHO AM I TO TELL YOU WHAT TO DO
HANNA LIDZELL
WORK?
• SEC-T
• Works with MSS services
• Collector of stories and images
• IDS and SIEM solutions
• Background in operations
. . . . SO WHAT DOES THIS MEAN?
. . . . meetings
CASE STUDIES
HORROR STORIES FROM THE REAL WORLD
CLARA THE CLASSMATE & the Facebook scam
FREDERICK THE FRIEND & the Netflix account
AN AUNT & the targeted attack
UBIQUITI & the really stupid wire transfer
THE FACEBOOK SCAM
CLARA THE CLASSMATE CLICKS AN UNFORTUNATE LINK
CLARA: hellu
HANNA: Hi! What’s up?
CLARA: @home? thought I’d check if you’re up for helping me out real quickly
HANNA: Sure thing. I’d love to help out if I can be of assistance.
CLARA: Thanks!
HANNA: sooo.. What do you need?
CLARA: I really need to pay a bill but my bank acount thingie has stopped working, do you have yours close by? Or, what’s your bank?
HANNA: Handelsbanken.
CLARA: Great. I have HSB too
THE FACEBOOK SCAM
CAUSE AND RESOLUTION
WHAT CLARA DID WRONG
• Clicked a clickbait link
• Filled in her account information
• Didn’t change the password everywhere
WHAT CLARA DID RIGHT
• Told her friends
• Logged out from all devices
• Changed her Facebook password
THE NETFLIX ACCOUNT
FREDERICK THE FRIEND HAS A CASE OF BAD LUCK
FREDERICK THE FRIEND
• 28 y/o
• Tech-savvy
• Slightly hung over
• Bank troubles
• New email client
• Already logged in to Netflix
MY AUNT
MY AUNT IS TARGETED IN A MORE SOPHISTICATED WAY
MY AUNT
• Works at a large Swedish corporation
• Indian tech support scam
UBIQUITI
UBIQUITI & THE STUPIDLY LARGE MONEY TRANSFER
“employee impersonation and fraudulent requests from an outside entity targeting the Company's finance department.”
“The investigation uncovered no evidence that our systems were penetrated or that any corporate information, including our financial and account information, was accessed. The investigation found no evidence of employee criminal involvement in the fraud.”
$46.7 MILLION
BUSINESS EMAIL COMPROMISE
HOW IT MIGHT HAVE HAPPENED
SPOOFED EMAIL
A spoofed email impersonating a CEO/CIO requesting/approving the transfer. Continual follow-up.
TARGETED (SPEAR) PHISHING
Phishing targeting a CEO/CIO, resulting in access to company email and the ability to request/approve the transfer from a legitimate account. Once the credentials to the trusted account have been uncovered, the attacker can contact users within the organization without triggering any alerts.
MASS-ATTACKS
• Wide-spectrum attacks targeting a large audience
• Hit or miss, active for a short period of time
• Low success rate (0.2% – 5%)
• Low profit per success
• Collecting and selling data
• Often detected by IDS, threat intelligence or host protection tools
SPEAR PHISHING
• Targeted attacks
• Well researched
• Small attack surfaces
• Attack tailored to target
• Specific goal
• Difficult to detect
WHY PHISHING WORKS
LACK OF KNOWLEDGE…
… of computer systems
… of security indicators
VISUAL DECEPTION
… deceptive text
… deceptive images
… deceptive windows
… look & feel
BOUNDED ATTENTION
… lack of attention to security indicators
… lacking attention to absence of security indicators
Credit: Dhamija, R., Tygar, J. D., & Hearst, M. (2006). Why Phishing Works. CHI 2006.
So how do we fix it?
You can’t
RISK MITIGATION
• Awareness training
• Good support systems
• Be serious about your security policy
• Help your users understand your security policy
• Lead by example
• Be a good person
LEADING BY EXAMPLE
https://privat.ib.seb.se/wow/1000/1000/wow1020.aspx
• Ridiculous URL
• Old copyright stamp (2011)
• Sloppy graphics
• Doesn’t adapt to screen
https://secure.handelsbanken.se/bb/glss/servlet/ssco_auth2?appAction=doAuthentication&path=ssse&entryId=privformse&language=sv&country=SE
• Doesn’t adapt to screen
• Looks like my ‘make your own webpage’ project from fifth grade
• Crazy long URL
https://internetbanken.privat.nordea.se/nsp/login
• Again, fifth grade project
• Inaccurate description of the SSL/TLS padlock
https://internetbank.swedbank.se/idp/portal/identifieringidp/idp/dap1/ver=2.0/rparam=execution=e1s2
• No copyright date
LEADING BY EXAMPLE
BE A GOOD PERSON
POP QUIZ!
WHERE WILL WE END UP?
http://www.test/example.com/test/test2/destination
http://www.test.com/example.com/destination.url
http://www.test.com.example.com/example.com/destination.url
http://www.example∕domaine.com.name/test/test2/destination
http://testsite.com:[email protected]
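To check the quiz answers mechanically, here is an added Python example (not part of the talk): it extracts the host a browser would actually connect to, and flags credentials placed before '@' and non-ASCII lookalike characters in the host. The first four URLs are the slide's own; the fifth is a constructed stand-in for the slide's userinfo trick, using the reserved placeholder attacker.example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# The first four URLs are the slide's own quiz entries. The fifth is a
# constructed stand-in for the slide's "user:password@host" trick, using the
# reserved placeholder attacker.example (not a real site).
QUIZ_URLS = [
    "http://www.test/example.com/test/test2/destination",
    "http://www.test.com/example.com/destination.url",
    "http://www.test.com.example.com/example.com/destination.url",
    "http://www.example\u2215domaine.com.name/test/test2/destination",
    "http://testsite.com:secret@attacker.example/login",
]


@dataclass
class HostVerdict:
    host: str                # what the browser will actually connect to
    registrable: str         # naive owner guess: the last two labels only
    userinfo: Optional[str]  # text before '@'; it is credentials, not host
    non_ascii: bool          # a lookalike such as U+2215 hides in the host


def judge(url: str) -> HostVerdict:
    """Return where a URL really points, the way a browser resolves it."""
    parts = urlsplit(url)
    # The authority is everything between "//" and the next "/", "?" or "#".
    # Only an ASCII "/" ends it; the U+2215 "division slash" in the fourth
    # quiz URL does not, so the whole lookalike string stays in the host.
    userinfo = parts.netloc.rpartition("@")[0] or None
    host = parts.hostname or ""
    labels = host.split(".")
    # Assumption: two labels approximate the registrable domain. A real check
    # would consult the Public Suffix List (co.uk and friends break this).
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host
    return HostVerdict(host, registrable, userinfo, not host.isascii())


if __name__ == "__main__":
    for url in QUIZ_URLS:
        v = judge(url)
        flags = []
        if v.userinfo is not None:
            flags.append("credentials before '@'")
        if v.non_ascii:
            flags.append("non-ASCII lookalike in host")
        print(f"{url}\n  -> host={v.host!r} owner~{v.registrable!r} "
              f"{'; '.join(flags) or 'ok'}")
```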