of sandboxed
play

of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing - PowerPoint PPT Presentation

Aug 16, 2023 •316 likes •921 views

PhishEye: Xiao Han Nizar Kheir Live Monitoring Davide Balzarotti of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results [APWG Phishing Activity Trends Report 2 nd Quarter 2016] All time high record

  1. PhishEye: Xiao Han Nizar Kheir Live Monitoring Davide Balzarotti of Sandboxed Phishing Kits

  2. Summary Motivation Sandboxed phishing kits Implementation Results

  3. [APWG Phishing Activity Trends Report 2 nd Quarter 2016]

  4. All time high record [APWG Phishing Activity Trends Report 2 nd Quarter 2016]

  5. Motivation • PKs monitored only after being detected by anti-phishing services

  6. Motivation • PKs monitored only after being detected by anti-phishing services • Details about entire lifecycle of a phishing kit are still missing

  7. Motivation • PKs monitored only after being detected by anti-phishing services • Details about entire lifecycle of a phishing kit are still missing • 71.4% of the domains that hosted phishing pages were compromised websites [APWG global phishing report 2014]

  9. Know your enemy: Phishing [Honeynet 05] Evil searching [FC 09]

  10. Browser plugin: N. Chou [NDSS 04] User education: P. Kumaraguru [TOIT 10]

  11. Learning to detect phishing emails [WWW 07] Discovering phishing dropboxes using email metadata [eCrime 12]

  12. Detection: Cantina [WWW 07] , C. Whittaker [NDSS 10] Blocking : Google Safe Browsing (GSB), Phish Tank, … Take down: Examining the impact of website take-down on phishing [eCrime 07]

  13. Handcrafted fraud and extortion [IMC 14]

  15. Incomplete and fragmented view of PKs lifecycle

  16. Web honeypot Attacker identification Privacy protection [Credits: Idea Sandbox, Neutronis ]

  17. Sandboxed Phishing Kits Global Picture: • Attackers, victims, and security researchers • Phishing blacklist services • Complete privacy protection

  18. Implementation Web Honeypot 5 vulnerable web applications x 100 domain names D. Canali [NDSS 13]

  19. Implementation Web Honeypot 5 vulnerable web applications x PK installation 100 domain names D. Canali [NDSS 13]

  20. Implementation Web Honeypot 5 vulnerable web applications x PK installation Attacker 100 domain names Identification D. Canali [NDSS 13]

  21. Implementation Web Honeypot 5 vulnerable web applications x Attacker 100 domain names Identification D. Canali [NDSS 13] Attacker Tracking

  22. Implementation Web Honeypot 5 vulnerable web applications x Attacker 100 domain names Identification D. Canali [NDSS 13] YES Attacker Tracking

  23. Implementation Web Honeypot 5 vulnerable web applications x Attacker 100 domain names Identification D. Canali [NDSS 13] Checking YES Attacker Tracking

  24. Implementation Web Honeypot 5 vulnerable web applications x Attacker 100 domain names Identification D. Canali [NDSS 13] Checking YES Attacker Tracking

  25. Implementation Web Honeypot 5 vulnerable web applications Victims x 100 domain names D. Canali [NDSS 13]

  26. Implementation Web Honeypot 5 vulnerable web applications Victims x 100 domain names Attacker D. Canali [NDSS 13] Tracking

  27. Implementation Web Honeypot 5 vulnerable web applications Victims x 100 domain names Attacker D. Canali [NDSS 13] Tracking NO Client-side Data Mangling

  28. Implementation Web Honeypot 5 vulnerable web applications Victims x 100 domain names Attacker D. Canali [NDSS 13] Tracking Inject NO JavaScript to prevent data leakage Client-side Data Mangling

  29. Implementation Web Honeypot 5 vulnerable web applications Victims x 100 domain names Attacker D. Canali [NDSS 13] Tracking Inject NO JavaScript to prevent data leakage Client-side Data Mangling

  30. Implementation Web Honeypot 5 vulnerable web applications Victims x 100 domain names Attacker D. Canali [NDSS 13] Tracking Inject NO JavaScript to prevent data leakage Server-side Client-side Protection Data Mangling

  31. Overview • Five months from September 2015 to the end of January 2016 • 474 phishing kits (PayPal, Apple, Google, Facebook …) Installation Upload 1min

  32. Overview • Five months from September 2015 to the end of January 2016 • 474 phishing kits (PayPal, Apple, Google, Facebook …) Installation Testing Upload 1min 10min

  33. Overview • Five months from September 2015 to the end of January 2016 • 474 phishing kits (PayPal, Apple, Google, Facebook …) First victim Installation Testing Upload 2 days 1min 10min

  34. Overview • Five months from September 2015 to the end of January 2016 • 474 phishing kits (PayPal, Apple, Google, Facebook …) First victim Last victim Installation Testing Upload 2 days 10 days 1min 10min

  35. Overview • Five months from September 2015 to the end of January 2016 • 474 phishing kits (PayPal, Apple, Google, Facebook …) First victim Last victim Blacklist Installation Testing Upload 2 days 10 days 12 days 1min 10min

  36. Phishing Attack Global Picture

  37. Phishing Attack Global Picture

  38. Phishing Attack Global Picture

  39. Phishing Attack Global Picture

  40. Phishing Attack Global Picture Installation was very quick

  41. Phishing Attack Global Picture 471 attackers (IP, User Agent) 70% visited the phishing pages 58% submitted fake credentials

  42. Phishing Attack Global Picture Only one attempt to use the compromised system to send the phishing emails

  43. Phishing Attack Global Picture 2,468 potential victims connected to 127 distinct phishing kits 215 users (9%) posted credentials

  44. Phishing Attack Global Picture Estimated lifetime is eight days on average.

  45. Phishing Attack Global Picture 98% blacklisted by GSB and Phish Tank Average detection latency is 12 days Fire-and-forget approach

  46. Blacklist Evasion $random=rand(0,100000000000); $md5=md5("$random"); $base=base64_encode($md5); $dst=md5("$base"); New connection

  47. Blacklist Evasion $random=rand(0,100000000000); $md5=md5("$random"); $base=base64_encode($md5); $dst=md5("$base"); New connection $src =“source"; recursive_copy( $src, $dst ); Copy

  48. Blacklist Evasion $random=rand(0,100000000000); $md5=md5("$random"); Redirection $base=base64_encode($md5); $dst=md5("$base"); $src =“source"; recursive_copy( $src, $dst ); header("location:$dst"); Copy

  49. Blacklist Evasion [12/Nov/2015:18:57:41] 14.xx.xxx.198 GET /kit/ 302 First connection User-Agent: curl/7.25.0

  50. Blacklist Evasion [12/Nov/2015:18:57:41] 14.xx.xxx.198 GET /kit/ 302 First connection User-Agent: curl/7.25.0 [12/Nov/2015:19:01:35] 213.xx.xxx.100 GET /kit/8c5fcf4518e94a9f272d60ee75c309a7 301 User-Agent: Mozilla/4.0 [12/Nov/2015:19:20:45] 213.xx.xxx.100 GET /kit/8c5fcf4518e94a9f272d60ee75c309a7/redirection.php 200 User-Agent: Mozilla/4.0 Reported phishing URL

  51. Early Victims After After blacklisting blacklisting ? ?

  52. Early Victims Before After Before After blacklisting blacklisting blacklisting blacklisting

  53. Flash Crowd Effect After blacklisting ?

  54. Flash Crowd Effect After Before blacklisting blacklisting Third party visitors: • Universities • Security vendors

  55. Real-time Drop Email Detection 68 distinct drop email addresses (Gmail, Yahoo, …) Only 4 were disabled or unreachable

  56. Conclusion • Novel approach to sandbox live phishing kits • Observe the entire lifecycle of a phishing kit • Findings • Attackers manually test their PKs • Separate hosting and spamming infrastructures • Many PKs with few victims each • Blacklist very effective to protect users, but detection is not fast enough • Attackers move quickly between PKs once they get blacklisted

  58. Appendix Elimination of Other Malicious Files • Heuristics • Manual classification

  59. Appendix Data Exfiltration by Client-Side Side Channels • Disguised as a HTML img • Defeated by our client-side protection

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Solo5: A sandboxed, re-targetable execution environment for unikernels Dan Williams (IBM

Solo5: A sandboxed, re-targetable execution environment for unikernels Dan Williams (IBM

03/02/2019 Solo5: A sandboxed, re-targetable execution environment for unikernels Solo5: A sandboxed, re-targetable execution environment for unikernels Dan Williams (IBM Research), djwillia@us.ibm.com Martin Lucina (robur.io / CCT),

679 views • 32 slides
Selfie: Sandboxed Concurrency Christoph Kirsch, University of Salzburg, Austria OPCT 2017, Maria

Selfie: Sandboxed Concurrency Christoph Kirsch, University of Salzburg, Austria OPCT 2017, Maria

Selfie: Sandboxed Concurrency Christoph Kirsch, University of Salzburg, Austria OPCT 2017, Maria Gugging, Austria Joint Work Alireza Abyaneh Martin Aigner Sebastian Arming Christian Barthel Michael Lippautz Cornelia Mayer

557 views • 31 slides
Creating truly decentralized browser applications Aragon is a project to empower freedom by

Creating truly decentralized browser applications Aragon is a project to empower freedom by

Creating truly decentralized browser applications Aragon is a project to empower freedom by creating tools for decentralized governance Ethereum CHAPTER ONE Architecture Client Sandboxed app Client Sandboxed app Iframe Web worker

738 views • 31 slides
Brett Sun @sohkai Building Modular Organizations and the governance structures

Brett Sun @sohkai Building Modular Organizations and the governance structures

Brett Sun @sohkai Building Modular Organizations and the governance structures underlying them Experiment at the speed of software Core Sandboxed app But thats not all Factory:

461 views • 44 slides
Investor Presentation August 12, 2019 Safe Harbour Disclosure: Forward-looking Information 2

Investor Presentation August 12, 2019 Safe Harbour Disclosure: Forward-looking Information 2

Investor Presentation August 12, 2019 Safe Harbour Disclosure: Forward-looking Information 2 Leading Canadian Media and Content Company Great portfolio of assets Leader in Canadian broadcasting Powerful brands and content Valuable

338 views • 21 slides
Roadmap Presentation Ruth Wells Head of Engineering Introduction Recent Achievements

Roadmap Presentation Ruth Wells Head of Engineering Introduction Recent Achievements

Roadmap Presentation Ruth Wells Head of Engineering Introduction Recent Achievements Plans for 2013 Mobile Shibboleth Federations Fine Grained Access Control COUNTER 4 Discussion Relating to 2014 Recent

658 views • 46 slides
ENERGY OPTIMIZATION March 20, 2019 PRESENTATION OBJECTIVES Provide summary of elements

ENERGY OPTIMIZATION March 20, 2019 PRESENTATION OBJECTIVES Provide summary of elements

ENERGY OPTIMIZATION March 20, 2019 PRESENTATION OBJECTIVES Provide summary of elements Consultants view are most essential to the energy optimization framework Demonstrate alignment of PAs and Consultants on most of these elements

469 views • 11 slides
How HEMs Multilingual SEO Framework Impacted our ur Web Traffic and nd Strategic

How HEMs Multilingual SEO Framework Impacted our ur Web Traffic and nd Strategic

How HEMs Multilingual SEO Framework Impacted our ur Web Traffic and nd Strategic Recommendations fo for Continued Growth Todays Presentation Part 1: The Website Project - Defining the issues facing the CAPS-I website - Implementing

952 views • 69 slides
An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization Automatic Tracking and Activity Visualization marco riccardi Italian Chapter - The Honeynet Project marco cremonini

393 views • 36 slides
What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017

What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017

Cyber Risk and Cyber Risk Insurance: What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017 Management Summary Research Approach: Overview of the main research topics in the fields of cyber risk and

579 views • 12 slides
NETWORK DEFENCE STRATEGY EVALUATION: SIMULATION VS. LIVE NETWORK Tuesday 9 th May, 2017 Jana

NETWORK DEFENCE STRATEGY EVALUATION: SIMULATION VS. LIVE NETWORK Tuesday 9 th May, 2017 Jana

NETWORK DEFENCE STRATEGY EVALUATION: SIMULATION VS. LIVE NETWORK Tuesday 9 th May, 2017 Jana Medkov Martin Husk, Martin Draar Introduction optimal strategy to defend network infrastructure no standard for benchmarking Network Defence

574 views • 18 slides
Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

OWASP T urkey - Uygulama Gvenlii Gn Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci Siber Gvenlik Dernei ali@ikinci.info 9 June 2012 Turkey About Me Working on Malicious Web Sites

505 views • 31 slides
Measuring the Performance and Effectiveness of Critical security controls William Makatiani

Measuring the Performance and Effectiveness of Critical security controls William Makatiani

Measuring the Performance and Effectiveness of Critical security controls William Makatiani Name Here About Serianu Limited Serianu is a Pan Africa based Cyber Security and business consulting firm. We are an award winning company in the

759 views • 46 slides
Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin

Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin

Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin Neumann University of Connecticut The role of the honeypot The limitations Low-interaction honeypots: "Artificial" attack surface

846 views • 13 slides
Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik

Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik

Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik Kinkel Jon Osborne Korbin Stich http://may1601.sd.ece.iastate.edu Client : Alliant Energy Advisor : Dr. Doug Jacobson April 28, 2016 May1601 ICS

384 views • 15 slides
NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer On the agenda: 1. Introduction 2.

NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer On the agenda: 1. Introduction 2.

NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer On the agenda: 1. Introduction 2. SBIR 3. Cuckoo Sandbox 4. Project 5. Architecture 6. Offline demo 7. Roadmap Introduction Pieter Jansen - CEO @ Cybersprint -

859 views • 42 slides
Towards malware inspired management frameworks J er ome Fran cois, Radu State and

Towards malware inspired management frameworks J er ome Fran cois, Radu State and

April, 8 2008 http://madynes.loria.fr/ Towards malware inspired management frameworks J er ome Fran cois, Radu State and Olivier Festor Introduction Malware for management Models Results Conclusion Outline 1 Introduction 2

513 views • 34 slides
@lady_nerd laura@safestack.io https://safestack.io In this talk Fear and loathing Examining

@lady_nerd laura@safestack.io https://safestack.io In this talk Fear and loathing Examining

@lady_nerd laura@safestack.io https://safestack.io In this talk Fear and loathing Examining the root of fear and its effects Fear-based architecture and antipatterns Fear leads to anger, anger leads to hatred. Fearless security

765 views • 40 slides
UKinbound and working with the Travel Trade Andrew Macnair Business Development Manager,

UKinbound and working with the Travel Trade Andrew Macnair Business Development Manager,

UKinbound and working with the Travel Trade Andrew Macnair Business Development Manager, Scotland What we will cover today Who UKinbound is and what we do What do we mean by Travel Trade and why is it important ? Scotland from the

381 views • 19 slides
Timeless Testing Skills for Modern Testers Presented by: Gerie

Timeless Testing Skills for Modern Testers Presented by: Gerie

W8 Personal Development 2019-05-01 13:30 Timeless Testing Skills for Modern Testers Presented by: Gerie Owen , Technology Strategy Research Peter Varhol, Exoprise

712 views • 24 slides
Northern Farming Conference 13 th November 2013 Rob Sanderson: Head of Central Store Development

Northern Farming Conference 13 th November 2013 Rob Sanderson: Head of Central Store Development

Northern Farming Conference 13 th November 2013 Rob Sanderson: Head of Central Store Development About Us Openfield markets 4.5m tonnes of grain per annum. This is 20% of UK grain market. This activity generates over 70% of our income.

589 views • 22 slides
Strategic Plan for Tourism 2016-2021 Stage 1 - Situation Analysis June 2016 Prepared for

Strategic Plan for Tourism 2016-2021 Stage 1 - Situation Analysis June 2016 Prepared for

Prince Edward Island Strategic Plan for Tourism 2016-2021 Stage 1 - Situation Analysis June 2016 Prepared for Contents Objectives Methodology Market Research Emerging Trends in North American Tourism Market External Trade

619 views • 39 slides
Annotation for Arabic Information Retrieval Ashraf I. Kaloub Rebhi S. Baraka Alaqsa-Community

Annotation for Arabic Information Retrieval Ashraf I. Kaloub Rebhi S. Baraka Alaqsa-Community

Automatic Ontology-Based Document Annotation for Arabic Information Retrieval Ashraf I. Kaloub Rebhi S. Baraka Alaqsa-Community College Faculty of Information Technology Khan Younis, Gaza Strip Islamic University of Gaza 1 The 3rd Palestinian

536 views • 31 slides
Hayes Park School Welcome to our Nursery! 07/06/2017 2 The Nursery Team Mrs

Hayes Park School Welcome to our Nursery! 07/06/2017 2 The Nursery Team Mrs

Hayes Park School Welcome to our Nursery! 07/06/2017 2 The Nursery Team Mrs Lorraine Rafferty Mrs Carly Skippins Ms Sarah Blakey Mrs Penny Woodman Nursery Nurse Nursery Nurse

477 views • 24 slides

More recommend