SLIDE 1

Bringing the Fight to Them:

Exploring Aggressive Countermeasures to Phishing and other Social Engineering Scams

Allen Zhou Comp116 Final Presentation

SLIDE 2

What is Phishing?

  • Social Engineering
  • Steal credentials, data, or money
  • Infect target machine with malware
  • Over email, IM, or social media
SLIDE 3

History of Phishing

  • Coined in 1992 on AOL
  • Malicious actors asked users to confirm billing info or credentials
  • Originally identifiable through poor grammar, shoddily built websites, overly urgent subject matter

SLIDE 4

The Nigerian 419 Scam

  • Name comes from the section of the Nigerian Criminal Code that outlaws it
  • An out-of-the-blue email arrives from an international individual asking for help to transfer money
  • Victim is promised a large sum of money if they can help with the transfer by paying a fee to a “trusted” organization

SLIDE 5

What is Scambaiting?

  • Began in early 2000’s
  • Intentionally respond to phishing schemes, especially 419 scams
  • Try to waste phisher’s time and resources as much as possible
  • Ask phishers to take embarrassing/funny photos
SLIDE 6

Phishing is Evolving

  • Increasingly intelligent, targeted, and harmful
  • Now represents a billion dollar criminal industry
  • Phishing kits and mailer programs openly available to criminals
SLIDE 7

Clone Phishing

  • Replicate emails sent from trusted organizations
  • Pose as an “update” to previous email, with malicious payload
SLIDE 8

Spear Phishing

  • Context aware phishing
  • Specifically crafted for a victim
  • Pretend to be an organization or individual the victim trusts
SLIDE 9

Whaling

  • One form of Spear Phishing
  • Aimed at high profile targets
  • Administrators, Business executives, Government officials
  • If successful, incredibly destructive
SLIDE 10

General Reactionary Approach to Phishing

  • Avoid phishing links
  • Last line of defense is the victim’s own intuition
  • Programs to educate employees on how to spot phishing attacks
SLIDE 11

Machine Learning in Phishing

  • In theory, allows Spear Phishing attacks to become scalable
  • Precision of Spear Phishing with the broad nature of older phishing attacks
  • Already in widespread use today
SLIDE 12

SNAP_R

  • Developed by John Seymour and Philip Tully
  • Sample prototype of how machine learning can generate custom tweets for use in Spear Phishing
  • Uses Markov models and Long Short-Term Memory (LSTM) neural networks

SLIDE 13

Current Anti-Phishing Practices are not Enough

  • SNAP_R demonstrated a doubled success rate compared to traditional large-scale phishing attacks
  • Reactionary approach does not do enough against these tailored phishing attacks
  • Being cautious on traditional phishing platforms is no longer enough

SLIDE 14

What is today’s Scambaiting?

  • As social engineering techniques have become more sophisticated, so has Scambaiting
  • Less focused on wasting time, more on actually hacking back
SLIDE 15

Tech Support Scam

  • Reports of the scam from the U.S. began in 2008
  • Cold call the victim, saying their computer is vulnerable and must be fixed
  • Use Ammyy Admin to perform a remote connection
  • Install keyloggers or malware, or steal data and credentials
SLIDE 16

Hacking Back using Ammyy Admin

  • Turn the tables on the scammer by taking advantage of a security flaw in Ammyy Admin
  • Used by today’s scambaiters to hack scammers back
SLIDE 17

The 0 Day

  • Developed by Matt Weeks AKA scriptjunkie in 2014
  • Available as a module on Metasploit
  • Allows arbitrary code to be run on the scammer’s machine once a connection is established

SLIDE 18

Ethics and Legality of Hack Back

  • Very risky, especially when botnet systems come into play
  • Attribution problem
  • How much hack back is too much?
SLIDE 19

Active Cyber Defense Certainty Act

  • Presented by Georgia Congressman Tom Graves in October, 2017
  • Allows victims of cyber attacks to perform vigilante justice (hack-back)
  • Highly controversial; most security professionals deem it too open-ended
  • Attribution problem inherent in the act
SLIDE 20

How should Active Solutions be Constructed?

  • Solutions must be ethical, as well as effective
  • Must work at the same or greater speed as phishing attacks are being implemented
  • Must be intelligent
SLIDE 21

Honey-Phish

  • Prototype presented at ShmooCon 2016 by Robbie Gallagher
  • Automates replies to phishing emails with own phishing link
  • When clicked, logs as much info from phisher as possible
  • Messages are built using Markov chains
  • Corpus pulled from Reddit’s personal finance forum
SLIDE 22

Phish Feeding

  • Proposed by John Brozycki
  • Pump phishing websites full of realistic but fake credentials
  • Value of real data is decreased
  • More time is available to shut site down
SLIDE 23

Honey Tokens

  • Either leave fake tokens in databases so that they can be tracked once a phishing attack occurs, or submit them directly
  • Allows law enforcement to track the path of the token and find the original perpetrator of the phishing attack

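Added example (not from the presentation): one way a defender can combine the Phish Feeding and Honey Token ideas above. The decoy password ends in an HMAC tag computed with a defender-held key, so when the harvested credential is later replayed against the real login the service recognises it and records the source address instead of silently failing. The key, user store and login attempts are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed defender-held secret; in practice it lives in a secrets store.
DECOY_KEY = b"constructed-decoy-key-not-for-production"
TAG_LEN = 8  # hex chars of HMAC appended to each decoy password

# Constructed user store: username -> sha256(real password). A real service
# would use a slow salted hash (argon2/bcrypt); sha256 keeps the demo short.
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}

def decoy_tag(username: str) -> str:
    """Per-user tag; cannot be forged or recognised without DECOY_KEY."""
    return hmac.new(DECOY_KEY, username.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]

def make_decoy(username: str) -> tuple[str, str]:
    """Plausible-looking credential pair to submit to a phishing form."""
    prefix = secrets.choice(["Summer", "Welcome", "Spring", "Hello"])
    return username, f"{prefix}{secrets.randbelow(100):02d}!{decoy_tag(username)}"

def is_decoy(username: str, password: str) -> bool:
    """True if the submitted password ends in this user's decoy tag."""
    suffix = password[-TAG_LEN:].encode()
    return hmac.compare_digest(suffix, decoy_tag(username).encode())

def check_login(username: str, password: str, src_ip: str) -> dict:
    """Login path that flags decoy use (with its source) instead of a silent fail."""
    if is_decoy(username, password):
        return {"result": "decoy_used", "user": username, "src_ip": src_ip}
    stored = USERS.get(username)
    submitted = hashlib.sha256(password.encode()).hexdigest()
    if stored and hmac.compare_digest(stored, submitted):
        return {"result": "ok", "user": username, "src_ip": src_ip}
    return {"result": "fail", "user": username, "src_ip": src_ip}

def decoy_alerts(attempts: list[tuple[str, str, str]]) -> list[dict]:
    """Run (user, password, src_ip) attempts and keep only the decoy hits."""
    return [r for r in (check_login(*a) for a in attempts) if r["result"] == "decoy_used"]

if __name__ == "__main__":
    user, pw = make_decoy("alice")  # the pair fed to the phishing site
    # Constructed attempts: the real user, a wrong guess, and the decoy replayed.
    attempts = [("alice", "correct horse battery staple", "10.0.0.5"),
                ("alice", "wrong", "10.0.0.5"),
                (user, pw, "203.0.113.7")]
    for alert in decoy_alerts(attempts):
        print(alert)
```

Because the tag is keyed per user, a phisher cannot tell decoys from real submissions, while the defender needs no database of issued decoys to recognise one.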
SLIDE 24

Closing Mailer Programs

  • Phishers depend on illegal mailer programs to distribute phishing attacks
  • Can track down these programs and make them harder for criminals to access

SLIDE 25

Closing Phish Kits

  • Phishers rarely write their own packages to perform phishing
  • If information about a phishing attack can be compiled, it is feasible to hunt down the origins of phishing kits and shut them down

SLIDE 26

Action Items

  • Still not enough research and development in slowing the rise of social media phishing attacks
  • Adopt more aggressive anti-phishing campaigns
  • Keep up reactionary educational model
  • Be careful out there!