SLIDE 1
PhishEye: Live Monitoring
- f Sandboxed
Phishing Kits
Xiao Han Nizar Kheir Davide Balzarotti
Summary
Motivation Sandboxed phishing kits Implementation Results
of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing - - PowerPoint PPT Presentation
of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing - - PowerPoint PPT Presentation
PhishEye: Xiao Han Nizar Kheir Live Monitoring Davide Balzarotti of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results [APWG Phishing Activity Trends Report 2 nd Quarter 2016] All time high record
SLIDE 2
SLIDE 3
[APWG Phishing Activity Trends Report 2nd Quarter 2016]
SLIDE 4
[APWG Phishing Activity Trends Report 2nd Quarter 2016]
All time high record
SLIDE 5
Motivation
- PKs monitored only after being detected by anti-phishing
services
SLIDE 6
Motivation
- PKs monitored only after being detected by anti-phishing
services
- Details about entire lifecycle of a phishing kit are still missing
SLIDE 7
Motivation
- PKs monitored only after being detected by anti-phishing
services
- Details about entire lifecycle of a phishing kit are still missing
- 71.4% of the domains that hosted phishing pages were
compromised websites [APWG global phishing report 2014]
SLIDE 8
SLIDE 9
Know your enemy: Phishing [Honeynet 05] Evil searching [FC 09]
SLIDE 10
Browser plugin: N. Chou [NDSS 04] User education: P. Kumaraguru [TOIT 10]
SLIDE 11
Learning to detect phishing emails [WWW 07] Discovering phishing dropboxes using email metadata [eCrime 12]
SLIDE 12
Detection: Cantina [WWW 07], C. Whittaker [NDSS 10] Blocking: Google Safe Browsing (GSB), Phish Tank, … Take down: Examining the impact of website take-down on phishing [eCrime 07]
SLIDE 13
Handcrafted fraud and extortion [IMC 14]
SLIDE 14
SLIDE 15
Incomplete and fragmented view of PKs lifecycle
SLIDE 16
[Credits: Idea Sandbox, Neutronis ]
Web honeypot Attacker identification Privacy protection
SLIDE 17
Sandboxed Phishing Kits
Global Picture:
- Attackers, victims, and security researchers
- Phishing blacklist services
- Complete privacy protection
SLIDE 18
Web Honeypot 5 vulnerable web applications x 100 domain names
- D. Canali [NDSS 13]
Implementation
SLIDE 19
5 vulnerable web applications x 100 domain names
- D. Canali [NDSS 13]
Web Honeypot PK installation
Implementation
SLIDE 20
5 vulnerable web applications x 100 domain names
- D. Canali [NDSS 13]
Web Honeypot PK installation
Implementation
Attacker Identification
SLIDE 21
5 vulnerable web applications x 100 domain names
- D. Canali [NDSS 13]
Web Honeypot
Implementation
Attacker Identification Attacker Tracking
SLIDE 22
5 vulnerable web applications x 100 domain names
- D. Canali [NDSS 13]
Web Honeypot
Implementation
Attacker Identification Attacker Tracking YES
SLIDE 23
5 vulnerable web applications x 100 domain names
- D. Canali [NDSS 13]
Web Honeypot Checking
Implementation
Attacker Identification Attacker Tracking YES
SLIDE 24
5 vulnerable web applications x 100 domain names
- D. Canali [NDSS 13]
Web Honeypot Checking
Implementation
Attacker Identification Attacker Tracking YES
SLIDE 25
5 vulnerable web applications x 100 domain names
- D. Canali [NDSS 13]
Victims Web Honeypot
Implementation
SLIDE 26
5 vulnerable web applications x 100 domain names
- D. Canali [NDSS 13]
Web Honeypot
Implementation
Attacker Tracking
Victims
SLIDE 27
5 vulnerable web applications x 100 domain names
- D. Canali [NDSS 13]
Web Honeypot
Implementation
Attacker Tracking Client-side Data Mangling NO
Victims
SLIDE 28
5 vulnerable web applications x 100 domain names
- D. Canali [NDSS 13]
Web Honeypot
Implementation
Attacker Tracking Client-side Data Mangling NO
Victims Inject JavaScript to prevent data leakage
SLIDE 29
5 vulnerable web applications x 100 domain names
- D. Canali [NDSS 13]
Web Honeypot
Implementation
Attacker Tracking Client-side Data Mangling NO
Victims Inject JavaScript to prevent data leakage
SLIDE 30
5 vulnerable web applications x 100 domain names
- D. Canali [NDSS 13]
Web Honeypot Inject JavaScript to prevent data leakage
Implementation
Attacker Tracking Client-side Data Mangling NO Server-side Protection
Victims
SLIDE 31
- Five months from September 2015 to the end of January 2016
- 474 phishing kits (PayPal, Apple, Google, Facebook …)
Overview
1min Installation Upload
SLIDE 32
- Five months from September 2015 to the end of January 2016
- 474 phishing kits (PayPal, Apple, Google, Facebook …)
Overview
1min Installation Upload 10min Testing
SLIDE 33
- Five months from September 2015 to the end of January 2016
- 474 phishing kits (PayPal, Apple, Google, Facebook …)
Overview
1min Installation Upload 10min Testing 2 days First victim
SLIDE 34
- Five months from September 2015 to the end of January 2016
- 474 phishing kits (PayPal, Apple, Google, Facebook …)
Overview
1min Installation Upload 10min Testing 2 days First victim 10 days Last victim
SLIDE 35
- Five months from September 2015 to the end of January 2016
- 474 phishing kits (PayPal, Apple, Google, Facebook …)
Overview
1min Installation Upload 10min Testing 2 days First victim 10 days Last victim 12 days Blacklist
SLIDE 36
Phishing Attack Global Picture
SLIDE 37
Phishing Attack Global Picture
SLIDE 38
Phishing Attack Global Picture
SLIDE 39
Phishing Attack Global Picture
SLIDE 40
Phishing Attack Global Picture
Installation was very quick
SLIDE 41
Phishing Attack Global Picture
471 attackers (IP, User Agent) 70% visited the phishing pages 58% submitted fake credentials
SLIDE 42
Phishing Attack Global Picture
Only one attempt to use the compromised system to send the phishing emails
SLIDE 43
Phishing Attack Global Picture
2,468 potential victims connected to 127 distinct phishing kits 215 users (9%) posted credentials
SLIDE 44
Phishing Attack Global Picture
Estimated lifetime is eight days on average.
SLIDE 45
Phishing Attack Global Picture
98% blacklisted by GSB and Phish Tank Average detection latency is 12 days Fire-and-forget approach
SLIDE 46
Blacklist Evasion
$random=rand(0,100000000000); $md5=md5("$random"); $base=base64_encode($md5); $dst=md5("$base");
New connection
SLIDE 47
Blacklist Evasion
$random=rand(0,100000000000); $md5=md5("$random"); $base=base64_encode($md5); $dst=md5("$base"); $src=“source"; recursive_copy( $src, $dst );
New connection Copy
SLIDE 48
Blacklist Evasion
$random=rand(0,100000000000); $md5=md5("$random"); $base=base64_encode($md5); $dst=md5("$base"); $src=“source"; recursive_copy( $src, $dst ); header("location:$dst");
Copy Redirection
SLIDE 49
Blacklist Evasion
[12/Nov/2015:18:57:41] 14.xx.xxx.198 GET /kit/ 302 User-Agent: curl/7.25.0
First connection
SLIDE 50
Blacklist Evasion
[12/Nov/2015:18:57:41] 14.xx.xxx.198 GET /kit/ 302 User-Agent: curl/7.25.0 [12/Nov/2015:19:01:35] 213.xx.xxx.100 GET /kit/8c5fcf4518e94a9f272d60ee75c309a7 301 User-Agent: Mozilla/4.0 [12/Nov/2015:19:20:45] 213.xx.xxx.100 GET /kit/8c5fcf4518e94a9f272d60ee75c309a7/redirection.php 200 User-Agent: Mozilla/4.0
First connection Reported phishing URL
SLIDE 51
Early Victims
? ?
After blacklisting After blacklisting
SLIDE 52
Early Victims
Before blacklisting After blacklisting Before blacklisting After blacklisting
SLIDE 53
Flash Crowd Effect
?
After blacklisting
SLIDE 54
Flash Crowd Effect
Third party visitors:
- Universities
- Security vendors
After blacklisting Before blacklisting
SLIDE 55
Real-time Drop Email Detection
68 distinct drop email addresses (Gmail, Yahoo, …) Only 4 were disabled or unreachable
SLIDE 56
Conclusion
- Novel approach to sandbox live phishing kits
- Observe the entire lifecycle of a phishing kit
- Findings
- Attackers manually test their PKs
- Separate hosting and spamming infrastructures
- Many PKs with few victims each
- Blacklist very effective to protect users, but detection is not fast enough
- Attackers move quickly between PKs once they get blacklisted
SLIDE 57
SLIDE 58
Appendix
Elimination of Other Malicious Files
- Heuristics
- Manual classification
SLIDE 59
Appendix
Data Exfiltration by Client-Side Side Channels
- Disguised as a HTML img
- Defeated by our client-side protection