Development of a Process for Phishing Awareness Activities
Philip Arwood, John Gerber

What Will We Discuss?
• Phishing and related problems
• Real world examples
• Goals and challenges of phishing awareness
• Early process
• Examples (early and current)
• Stats gathered
• Phishing Technical: Getting Under the Hood
Protecting Your Information
If Only Life Was Simple

View Point Of The Problem
The following is an excerpt from a speech by Mr. George Tenet, Director, CIA, delivered at the Georgia Institute of Technology, Atlanta, Georgia:
“The number of known adversaries conducting research on information attacks is increasing rapidly and includes intelligence services, criminals, industrial competitors, hackers, and aggrieved or disloyal insiders.”
Common Weaknesses
Here are some of the most common visible or known weaknesses an adversary can exploit to obtain critical information:
• Inappropriate use of email / attachments / web
• Lack of awareness: don’t know what to protect, or who to protect it from
• Poor access controls
• Failure to practice need to know
• Failure to comply with security policies

SANS Top Ten List (what people do to mess up their computer)
Number 10 – Don’t bother with backups
Number 9 – Use easy, quick passwords
Number 8 – Believe that Macs don’t get viruses
Number 7 – Click on everything
Number 6 – Open ALL email attachments
Number 5 – Keep your hard drive full and fragmented
Number 4 – Install and uninstall lots of programs (especially freeware)
Number 3 – Turn off the antivirus because it slows down your system
Number 2 – Surf the Internet without a hardware firewall and a software firewall
Number 1 – Plug into the wall without surge protection
Phishing Stats
According to Gartner, December 17, 2007:
• The average dollar loss per phishing victim is $866
• The total dollar loss of all phishing victims over a 1 year period is $3.6 billion
• The number of people who fell victim to phishing scams over that same 1 year period is 3.2 million
According to a Gartner survey:
• More than 5 million U.S. consumers lost money to phishing attacks in the 12 months ending in September 2008, a 39.8 percent increase over the number of victims a year earlier
• The survey indicated a trend toward higher-volume and lower-value attacks

Phishing Stats (cont.)
According to SonicWall, 2008:
• The estimated number of phishing e-mails sent world-wide each month is 8.5 billion
According to the Anti-Phishing Working Group:
• The number of phishing web sites that were operational in May 2008 is 32,414

Phishing Stats (cont.)
According to Gartner, April 2, 2009:
• More than 5 million consumers lost money to phishing attacks in the 12 months ending in September 2008, a 39.8 percent increase over the number of victims a year earlier.
• The average consumer loss in 2008 per phishing incident was $351, a 60% decrease from the year before. Gartner believes the criminals are intentionally engaging in higher-volume and lower-value attacks to stay under the radar of the fraud detection systems that have become pervasive at banks and other financial services providers.
• About 4.33% of phishing e-mail recipients recalled giving away sensitive information after they clicked on a phishing e-mail link, which is a 45% increase over the prior year.
Phishing (Real World) Examples 1a, 1b, 1c, 2, 3, 4, 5 and 6
[Eight screenshot slides of real phishing emails; only the slide titles survive.]
Why Phish?
Benefits:
• Training tool for raising user awareness regarding phishing and its dangers.
• Serves as a self-assessment tool.
The Challenge:
• To develop phishing emails for monthly assessments
• To develop repeatable and reliable delivery methods
• To gather meaningful statistics for management

Summary of Early Phishing Process
• Phishing email was developed
• URL was researched to ensure no “real” sites were used; a local redirect was created to point to the “gotcha” page
• Recipient list was created
• A UNIX script was used to queue / send the email
• The “gotcha” page was monitored for network traffic, harvesting IPs and times of connections

Phishing Emails
The early emails were developed to appear plain and contain obvious clues such as misspelled words, hyphenated URLs, etc. As the process evolved the emails contained less obvious clues. Following are examples of emails used early on and a few current examples.
Early Phishing Example
[Three screenshot slides of early exercise emails.]

Current Phishing Example
[Four screenshot slides of current exercise emails.]
Gotcha Page
The URL points to a web page that states:
• The exercise was initiated by security
• Gives information regarding what could have happened
• Encourages the user to re-take Cyber Awareness training (phishing awareness is reinforced in cyber awareness training)
[A screenshot of the gotcha page followed on the next slide.]

What Data Do We Gather?
End-User Response Time
• The time between sending the email and notification to security via email, phone, SPAM folder, …
• Total number of responses
End-User Click Rates
• When the first click occurred
• Total number of clicks
• Who clicked

Suggestions for Topics?
End-users appear to be more interested in:
• E-Cards (Valentines, holiday cards, etc.)
• Local news (highway construction, etc.)
• Sports
• Humor
End-users appear to be less interested in:
• Technology related topics
• Surveys

Results
• Result summary for 2008
• Result summary for 2009 to date
Phishing Technical: Getting Under the Hood
John J. Gerber, CISSP, GCFA, GCIH, GISP, GSNA

A Presentation of Interest
“Spear Phishing: Real Cases, Real Solutions”, Rohyt Belani, Intrepidus Group. Wednesday, 11:00-11:45.
Phishing Technical

What Will We Discuss?
• Basic system setup
• Configuration files
• Database tables
• Programs involved
• Walk through
• Show sample results

System Configuration
Classic LAMP system:
• Linux
• Apache
• MySQL
• Perl
Plus:
• ModSecurity
• Request Tracker
• Thunderbird

Create Data Files
We keep each anti-phishing exercise in its own directory. In each directory create:
• Phishing Email
• Employee List
• LUP Exceptions
• Previous Clickers
• Exempt List
• Images
Sample Configuration File
Each line is KEY::attack_type::value, with one entry per attack type (test, whole, lup, clickers):
TEMPLATE::test::template.html
TEMPLATE::whole::template.html
TEMPLATE::lup::template.html
TEMPLATE::clickers::template.html
SENDER::test::jennifer_james@upostfun.com
SENDER::whole::jennider_james@upostfun.com
SENDER::lup::Jennifer_James@upostfun.com
SENDER::clickers::Jen_James@upostfun.com
SUBJECT::test::FWD: FWD: FWD: Hilarious
SUBJECT::whole::FWD: FWD: FWD: Hilarious
SUBJECT::lup::FWD: FWD: FWD: This is Hilarious
SUBJECT::clickers::FWD: FWD: FWD: That is Hilarious
WEB_HOST::test::upost.com
WEB_HOST::whole::upost.com
WEB_HOST::lup::upost.com
WEB_HOST::clickers::upost.com
EMAIL_FILE::test::test_pool.txt
EMAIL_FILE::whole::whole_pool.txt
EMAIL_FILE::lup::lup_pool.txt
EMAIL_FILE::clickers::clickers_pool.txt
REMOVE_EMAIL_FILE::whole::received_pool.txt
EMAIL_NUM::test::999
EMAIL_NUM::whole::550
EMAIL_NUM::lup::999
EMAIL_NUM::clickers::999

SCF: Template
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>FWD: FWD: FWD: Hilarious</title>
</head>
<body bgcolor="#ffffff" text="#000000">
<big><big>Check it out!</big></big><br>
<p class="MsoNormal" style="margin-bottom: 12pt;"><b><span style="font-size: 11pt; font-family: "Tahoma","sans-serif";"><br>
From:</span></b><span style="font-size: 11pt; font-family: "Tahoma","sans-serif";"> Castle, Frank <br>
<b>Sent:</b> Tuesday, March 17, 2009 9:50 AM<br>
<b>To:</b> Barton, Clint; Smith, Travis N.; Jones, Cora M.; James, Jennifer; Redman, Doug S.; Schrof, Tina; Tillman, Edward E.; Van Dyke, Richard L.; Farner Mark K.; Jamison, Hollie; Stewart, Greg; Young, Justin M.; Pierce, James G.; Spencer, Tim; Alexander, Charles B.; Gordon, Dale E.; Keen, Robert H.<br>
Create
• HTML editor: Thunderbird
• Text based editor
• Tags used in the template:
  http://REPLACEWITHHOST/REPLACEWITHID/
  href="mobile.html"
  href=""
  img src="opening.jpg"
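An added example (not code from the ORNL tool, whose ornl_phish Perl module does this) showing how the KEY::attack_type::value configuration above is parsed and validated and how one recipient's copy of the template is produced by filling the REPLACEWITHHOST / REPLACEWITHID tags. The keys, attack types and tag names are from the slides; the config excerpt and template snippet are constructed, and generating the 25-character uid as random alphanumerics is an assumption based on the victim_pool row shown later.

```python
"""Parse the KEY::attack_type::value configuration format from the slide and
render one recipient's copy of the template by filling the REPLACEWITHHOST /
REPLACEWITHID tags. Added example, not the ORNL tool's code (its ornl_phish
module does this in Perl): keys, attack types and tag names are from the
slides; the config excerpt and template snippet are constructed, and a random
25-character alphanumeric uid is an assumption based on the victim_pool row."""
import secrets
import string

ATTACK_TYPES = ("test", "whole", "lup", "clickers")
REQUIRED = ("TEMPLATE", "SENDER", "SUBJECT", "WEB_HOST", "EMAIL_FILE", "EMAIL_NUM")

SAMPLE_CONF = """\
TEMPLATE::test::template.html
SENDER::test::jennifer_james@upostfun.com
SUBJECT::test::FWD: FWD: FWD: Hilarious
WEB_HOST::test::upost.com
EMAIL_FILE::test::test_pool.txt
EMAIL_NUM::test::999
REMOVE_EMAIL_FILE::whole::received_pool.txt
"""
# Constructed snippet using the tag forms listed on the template slide.
SAMPLE_TEMPLATE = ('<a href="http://REPLACEWITHHOST/REPLACEWITHID/">Check it out!</a>'
                   '<img src="http://REPLACEWITHHOST/REPLACEWITHID/opening.jpg">')

def parse_conf(text):
    """Return {attack_type: {KEY: value}}; malformed lines raise ValueError."""
    conf = {t: {} for t in ATTACK_TYPES}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("::", 2)          # a value may itself contain '::'
        if len(parts) != 3 or not parts[2]:
            raise ValueError(f"line {lineno}: expected KEY::type::value, got {raw!r}")
        key, atype, value = parts
        if atype not in ATTACK_TYPES:
            raise ValueError(f"line {lineno}: unknown attack type {atype!r}")
        if key == "EMAIL_NUM":               # send cap must be an integer
            value = int(value)
        conf[atype][key] = value
    return conf

def missing_keys(conf, atype):
    """Settings an attack type still lacks; run only when this is empty."""
    return [k for k in REQUIRED if k not in conf[atype]]

def new_uid(length=25):
    """Unguessable per-recipient id, the value stored in victim_pool.uid / session.uid."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def render(template, web_host, uid):
    """Fill both tags and refuse a template that still carries an unfilled tag."""
    html = template.replace("REPLACEWITHHOST", web_host).replace("REPLACEWITHID", uid)
    if "REPLACEWITH" in html:
        raise ValueError("template still contains an unfilled REPLACEWITH* tag")
    return html
```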
Database: Tables
attack
+-------------+---------------------------------------+
| Field       | Type                                  |
+-------------+---------------------------------------+
| aid         | int(10) unsigned                      |
| attack_type | enum('lup','test','whole','clickers') |
| started     | datetime                              |
| ended       | datetime                              |
| first_view  | datetime                              |
| last_view   | datetime                              |
| first_click | datetime                              |
| last_click  | datetime                              |
| sent_user   | varchar(50)                           |
| sent_host   | varchar(50)                           |
| subject     | varchar(50)                           |
| body        | mediumtext                            |
| sent_count  | int(5) unsigned                       |
| click_count | int(5) unsigned                       |
| name        | varchar(15)                           |
+-------------+---------------------------------------+

Database: Tables (2)
victims
+------------+-------------+
| Field      | Type        |
+------------+-------------+
| username   | varchar(25) |
| dcso       | varchar(25) |
| last_name  | varchar(50) |
| first_name | varchar(50) |
| user_phone | varchar(12) |
+------------+-------------+
Sample row: gerberjj | arwoodpc | Gerber | J J (John) | 865-574-9756

Database: Tables (3)
victim_pool
+----------+------------------+
| Field    | Type             |
+----------+------------------+
| uid      | varchar(25)      |
| aid      | int(10) unsigned |
| username | varchar(25)      |
| added    | datetime         |
+----------+------------------+
Sample row: ibYyK1x8lstu1KseMrkpdJaHv | 14 | gerberjj | 2009-03-24 10:32:30

Database: Tables (4)
session
+--------------+------------------+
| Field        | Type             |
+--------------+------------------+
| uid          | varchar(25)      |
| sent         | datetime         |
| viewed_time  | datetime         |
| viewed_log   | varchar(255)     |
| clicked_time | datetime         |
| clicked_log  | varchar(255)     |
| ip           | varchar(50)      |
| email_sent   | enum('yes','no') |
+--------------+------------------+
Apache access-log line for the click:
user123.ornl.gov - - [25/Mar/2009:10:36:04 -0400] "GET /photo/ibYyK1x8lstu1KseMrkpdJaHv/showalbulm.pl?albulm=new HTTP/1.1" 200 2577 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.19) Gecko/20081204 SeaMonkey/1.1.14"
Sample row: ibYyK1x8lstu1KseMrkpdJaHv | 2009-03-24 13:45:57 | NULL | NULL | 2009-03-25 10:36:04 | (log line above) | user123.ornl.gov | no
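An added example (not the tool's own code) of the correlation step the tables above support: matching Apache access-log lines to the issued uids in victim_pool, filling the session row on the first click, and deriving the per-attack click statistics listed in the first part of the deck (first and last click, click count, who clicked). The first log line, the uid, the username and aid 14 are the ones on the slides; the second recipient and the other two log lines are constructed, and dicts stand in for the MySQL tables.

```python
"""Correlate Apache access-log lines with the victim_pool and session records of
an exercise to produce the click statistics listed earlier in the deck (first
and last click, click count, who clicked). Added example, not the tool's code:
the first log line, the uid, username and aid are the ones on the slides; the
second recipient and the other two log lines are constructed, and the MySQL
tables are stood in for by dicts."""
import re
from datetime import datetime

# Apache combined log format; uid is the path element after /photo/, as in the
# slide's request "GET /photo/<uid>/showalbulm.pl?albulm=new".
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
UID_RE = re.compile(r"^/photo/(?P<uid>[A-Za-z0-9]{25})/")

VICTIM_POOL = {                        # uid -> (aid, username)
    "ibYyK1x8lstu1KseMrkpdJaHv": (14, "gerberjj"),
    "Q7b3ZwXy9LmNpRsTuVwAbCdEf": (14, "arwoodpc"),   # constructed second recipient
}
LOG_LINES = [
    'user123.ornl.gov - - [25/Mar/2009:10:36:04 -0400] "GET /photo/ibYyK1x8lstu1KseMrkpdJaHv/showalbulm.pl?albulm=new HTTP/1.1" 200 2577 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.19) Gecko/20081204 SeaMonkey/1.1.14"',
    # constructed: a probe of a uid that was never issued must not count as a click
    'scanner.example.net - - [25/Mar/2009:10:40:00 -0400] "GET /photo/AAAAAAAAAAAAAAAAAAAAAAAAA/ HTTP/1.1" 404 312 "-" "curl/7.19.7"',
    # constructed: the same recipient fetching the image later in the day
    'user123.ornl.gov - - [25/Mar/2009:11:02:10 -0400] "GET /photo/ibYyK1x8lstu1KseMrkpdJaHv/opening.jpg HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

def parse_click(line):
    """Return (uid, clicked_at, host) for a hit on an issued uid, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = UID_RE.match(m["path"])
    if not u or u["uid"] not in VICTIM_POOL:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return u["uid"], ts, m["host"]

def record_clicks(lines, sent=datetime(2009, 3, 24, 13, 45, 57)):
    """Build session rows (first click only, like the slide's row) and per-attack totals."""
    sessions = {uid: {"sent": sent, "clicked_time": None, "clicked_log": None, "ip": None}
                for uid in VICTIM_POOL}
    stats = {}
    for line in lines:
        hit = parse_click(line)
        if hit is None:
            continue
        uid, ts, host = hit
        if ts < sent:
            continue                   # nobody can click before the mail went out
        s = sessions[uid]
        if s["clicked_time"] is None:
            s.update(clicked_time=ts, clicked_log=line[:255], ip=host)
        aid, user = VICTIM_POOL[uid]
        st = stats.setdefault(aid, {"first_click": ts, "last_click": ts,
                                    "click_count": 0, "clickers": set()})
        st["first_click"], st["last_click"] = min(st["first_click"], ts), max(st["last_click"], ts)
        st["click_count"] += 1
        st["clickers"].add(user)
    return sessions, stats
```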
Sample Initial Setup
The slide collages the data files for an exercise directory named "hilarious":

[hilarious]# ls -1
clickers_pool.txt
lup_pool.txt
phish.conf
received_pool.txt
template.html
test_pool.txt
whole_pool.txt

template.html:
<html>
<head>
<title>FWD: FWD: FWD: Hilarious</title>
</head>
<body bgcolor="#ffffff" text="#000000">
<big><big>Check it out!</big></big><br>
<p class="MsoNormal" style="margin-bottom: 12pt;"><b><span style="font-size: 11pt; font-family: "Tahoma","sans-serif";"><br>
From:</span></b><span style="font-size: 11pt; font-family: "Tahoma","sans-serif";"> Castle, Frank <br>
<b>Sent:</b> Tuesday, March 17, 2009 9:50 AM<br>
<b>To:</b> Barton, Clint; Smith, Travis N.; Jones, Cora M.; James, Jennifer; Redman, Doug S.; Schrof, Tina; Tillman, Edward E.; Van Dyke, Richard L.; Farner Mark K.; Jamison, Hollie; Stewart, Greg; Young, Justin M.; Pierce, James G.; Spencer, Tim; Alexander, Charles B.; Gordon, Dale E.; Keen, Robert H.<br>
<b>Subject:</b> FWD: FWD: Hilarious

phish.conf:
TEMPLATE::test::template.html
TEMPLATE::whole::template.html
TEMPLATE::lup::template.html
TEMPLATE::clickers::template.html
SENDER::test::Jennifer_James@upostfun.com
SENDER::whole::Jennifer_James@upostfun.com
SENDER::lup::Jen_James@upostfun.com
SENDER::clickers::jennifer_james@upostfun.com
SUBJECT::test::FWD: FWD: FWD: Hilarious
SUBJECT::whole::FWD: FWD: FWD: Hilarious
SUBJECT::lup::FWD: FWD: FWD: That is Hilarious
SUBJECT::clickers::FWD: FWD: FWD: This is Hilarious
WEB_HOST::test::www.upostfun.com
WEB_HOST::whole::www.upostfun.com
WEB_HOST::lup::www.upostfun.com
WEB_HOST::clickers::www.upostfun.com
EMAIL_FILE::test::test_pool.txt
EMAIL_FILE::whole::whole_pool.txt
EMAIL_FILE::lup::lup_pool.txt
EMAIL_FILE::clickers::clickers_pool.txt
REMOVE_EMAIL_FILE::whole::received_pool.txt
EMAIL_NUM::test::999
EMAIL_NUM::whole::550
EMAIL_NUM::lup::999
EMAIL_NUM::clickers::999

Other data shown on the slide (address lists, username list, employee records, LUP table; "No File" marks an input that was not supplied):
No File
gerberjj@ornl.gov
arwoodpc@ornl.gov
goffy@ornl.gov
duckd@ornl.gov
mousem@ornl.gov

00007 GERBERJJ@ORNL.GOV "Gerber, John J" 12312312
00009 PIKEC@ORNL.GOV "Pike, Christopher" 23123123
00010 COLTJM@ORNL.GOV "Colt, J M" 23123123
00011 BOYCEP@ORNL.GOV "Boyce, Phillip" 23123123
00012 TYLEYJ@ORNL.GOV "Tyler, Jose" 23123123

No File
kirckjt@ornl.gov
mccoylb@ornl.gov
suluh@ornl.gov
chekov@ornl.gov

gerberjj
arwoodpc

UID   PRIM  TYPE  PRO_DT           UID_DT           EMPSTAT  UIDSTAT
JLP   Y     NON   9/8/2005 14:18   9/8/2005 15:09   ACT      ACT
WTR   Y     NON   10/26/2004 2:00  9/14/2005 15:21  ACT      ACT
GLF   Y     NON   3/15/2005 2:00   8/31/2007 14:04  ACT      ACT
DKP   Y     NON   7/18/2005 15:03  7/19/2005 15:52  ACT      ACT
Program: prepare.pl
Run: prepare.pl <attack_name>

#!/usr/local/bin/perl -w
use DBI;
use POSIX qw(strftime);
BEGIN { push @INC, "/home/ger/projects/phish/perl" }
use ornl_phish qw($db_host $db $mysql_user $mysql_passwd logit runcommand mailit
                  generate_html user_exist check_attack_type read_config find_attack_name);

sub update_received {
    my ($datafile, $rm_min_date, $dbh) = @_;
    my $error = "";
    my %user_list;   # make sure we add back only unique ids (no duplicates)
    if ( -e $datafile ) {
        my $results = "";
        # Pull out the content of previous clickers
        $/ = "\n";
        open(INFILE, $datafile) || ( $error = "ERROR: Problem opening file $datafile: $!\n" );

Results
• *.orig - the original files.
• *_pool.txt - these are the updated files which the system will use in the next step. Make sure they look correct.
• received_pool.txt - this file will be updated with the unique values that previously existed plus data from the database for those who received email under a "whole" attack.
• sample_*.html - sample emails. Check them out and make sure they look appropriate. Open the file in a browser and confirm there are no format problems.

Results: prepare.pl
[hilarious]# ls -1
phish.conf
received_pool.txt
sample_test.html
template.html
test_pool.txt
test_pool.txt.orig

File: received_pool.txt
user1@ornl.gov
user2@ornl.gov
user3@ornl.gov
user4@ornl.gov
user5@ornl.gov

File: test_pool.txt
arwoodpc@ornl.gov
gerberjj@ornl.gov

File: sample_test.html
<html><head><title>FWD: FWD: FWD: Hilarious</title>
</head><body bgcolor="#ffffff" text="#000000">
This is hilarious, check it out!<br>
<br>
<a href="http://upostfun.com/hilarious/0123456789/">http://upostfun.com/hilarious/0123456789/2009/04/11/</a><br>

View sample_test.html
Use your favorite browser to pull up sample_test.html.

Inform and Authorize
• CIO authorization
• Helpdesk
• Mail administrator
• DNS administrator
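An added example (not prepare.pl itself) of the pool maintenance the results above describe: the original pool is kept as *.orig, the addresses the database says already received a "whole" mailing are merged into received_pool.txt without duplicates, those addresses are dropped from the pool in use, and the run is capped at EMAIL_NUM. File names and the EMAIL_NUM / REMOVE_EMAIL_FILE settings come from the slides; treating received_pool.txt as an exclusion list, case-insensitive address matching and the sample addresses are assumptions, and files are passed as a {name: text} dict so it runs offline.

```python
"""Pool maintenance modelled on what the prepare.pl results slide describes.
Added example, not the tool's own code: file names and the EMAIL_NUM /
REMOVE_EMAIL_FILE settings are from the slides; treating received_pool.txt as
an exclusion list, case-insensitive matching and the sample addresses are
assumptions. Files are a {name: text} dict so the example runs offline."""

def read_pool(text):
    """One address per line; drop blanks, comments and case-insensitive duplicates."""
    seen, out = set(), []
    for raw in text.splitlines():
        addr = raw.strip()
        if addr and not addr.startswith("#") and addr.lower() not in seen:
            seen.add(addr.lower())
            out.append(addr)
    return out

def prepare(files, pool_file, remove_file, email_num, db_sent):
    """Return the updated {name: text} set: *.orig copy, trimmed pool, merged received list."""
    received = read_pool(files.get(remove_file, "") + "\n" + "\n".join(db_sent))
    skip = {a.lower() for a in received}
    pool = [a for a in read_pool(files[pool_file]) if a.lower() not in skip]
    if not pool:
        raise ValueError(f"{pool_file}: nobody left to mail after removing {remove_file}")
    out = dict(files)                         # never mutate the caller's copy
    out[pool_file + ".orig"] = files[pool_file]
    out[pool_file] = "\n".join(pool[:email_num]) + "\n"
    if remove_file:
        out[remove_file] = "\n".join(received) + "\n"
    return out

# Constructed inputs: the five received addresses from the results slide plus a
# whole pool mixing already-mailed people (one in different case) with new ones.
FILES = {
    "received_pool.txt": "user1@ornl.gov\nuser2@ornl.gov\nuser3@ornl.gov\nuser4@ornl.gov\nuser5@ornl.gov\n",
    "whole_pool.txt": "user2@ornl.gov\nUSER3@ornl.gov\narwoodpc@ornl.gov\ngerberjj@ornl.gov\n"
                      "goffy@ornl.gov\nduckd@ornl.gov\nmousem@ornl.gov\n",
}
DB_SENT = ["user6@ornl.gov", "User1@ornl.gov"]   # constructed: recipients of an earlier "whole" run

def example():
    # EMAIL_NUM::whole::550 on the slide; 3 here so the cap is visible in the result
    return prepare(FILES, "whole_pool.txt", "received_pool.txt", 3, DB_SENT)
```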
Program: go_phishing.pl
Run: go_phishing.pl

#!/usr/local/bin/perl -w
# Perl Modules
use DBI;
use POSIX qw(strftime);
BEGIN { push @INC, "/home/ger/projects/phish/perl" }
use ornl_phish qw($db_host $db $mysql_user $mysql_passwd logit runcommand mailit
                  generate_html user_exist check_attack_type read_config find_attack_name);

sub modify_apache {
    my ($apache_conf, $apache_temp, $attack_name, $logfile) = @_;
    my $error = "";
    local ($datetime) = strftime("%Y%m%d%H%M%S", localtime);
    undef $/;   # slurp mode: read the whole template in one go
    open(INFILE, $apache_temp) || ( $error = "ERROR: Problem opening file $apache_temp: $!\n" );
    if ($error eq "") {
        my $conf_body = <INFILE>;
        # drop everything after "RewriteEngine On" so this exercise's rules can be appended
        $conf_body =~ s/RewriteEngine On.*/RewriteEngine On/s;
        # keep a timestamped backup of the live httpd.conf before overwriting it
        my $rc = &runcommand($logfile, "/bin/cp", "$apache_conf/httpd.conf",
                             "$apache_conf/httpd.conf.$datetime");

Results
• Emails are sent.
• A 30 minute break between groups.
• Web areas created:
  • images
  • web page people see when they click
  • report web area created to watch the progress
• Modify httpd.conf, clear logs, restart server.

Uses: /usr/bin/nc -vv smtpserver.ornl.gov 25
2009-04-29 19:10:28 INFO: Started.
Sending email to gerberjj
smtpserver.ornl.gov [160.91.4.118] 25 (smtp) open
220 mailserver.ornl.gov -- Server ESMTP (PMDF V6.4#31561)
251 mailserver.ornl.gov system name not given in HELO command, phishingphil.ornl.gov [160.91.218.210].
250 2.5.0 Address Ok.
250 2.1.5 gerberjj@ornl.gov OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
221 2.3.0 Bye received. Goodbye.
sent 4340, rcvd 301