George Mason University and SonicWALL The Phishing Ecosystem Analyzing the Dynamics for Maximum Defense Tuesday, April 11th 2006 – 2:45pm


Page 1

George Mason University and SonicWALL

The Phishing Ecosystem

Analyzing the Dynamics for Maximum Defense

Tuesday, April 11th 2006 – 2:45pm

Page 2

Agenda

Overview of the Phishing Ecosystem

Questions for the panel:

Scope of the problem

What did GMU do

Results

Phishing education

Other email issues

Ask questions as we go

Wrap up & lessons learned

Page 3

Let’s Go Phishing

Page 4

The Phishing Checklist

1. Get an email list

2. Develop the attack

3. Locate sites to send phishing email from

4. Locate sites to host the phishing site

5. Launch the attack

6. Collect the information

7. Transform into cash

Page 5

A bad day phishin’ beats a good day workin’

2,000,000 emails are sent

5% get to the end user – 100,000 (APWG)

5% click on the phishing link – 5,000 (APWG)

2% enter data into the phishing site – 100 (Gartner)

$1,200 from each person who enters data (FTC)

Our potential reward: $120,000

In 2005 David Levi made over $360,000 from 160 people using an eBay Phishing scam

Page 6

A little phishing gang

The David Levi phishing gang – UK

6 members

Operated for 12 months

At least $360,000 from 160 people

Segmentation of jobs:

Techie

Creative designer

Money laundering – mule driver

Caught – received sentences from 1 to 4 years each

Page 7

Tools to the Trade

The Malware Community

The phishing ecosystem (diagram; the groupings below are reconstructed from the slide's layout)

Email list – gathered by DHA (directory harvest attacks), site crawlers and spyware

Phishing kit – email and web site templates, site copies made with sitecopy and wget

Sending machines – supplied by the malware community: botnets, trojans, worms, keyloggers

Hosting sites – hacks & attacks (compromised servers) and “real” domain names

The Phisher – construct, launch, collect

Harvested information – account info, credit info, identity info, logins & passwords

Phished information turned into cash ($)

Page 8

The money laundering “Mule”

“Make Money at Home”

Recruits receive funds in their accounts

Transfer funds from their account via Western Union wire transfers to a 2nd (the phisher’s) account

Paid 10% of the sum of each money transfer

One or two transfers each week – $3,000 to $5,000 each

“Nations Welfare Foundation”

Looking for a “Financial Operations Manager”

Transfer money for young cancer patients in USSR

Real looking web site complete with pictures

Paid 7% – can make $500 to $2,000 per week

Page 9

Botnets

Botnet: A collection of compromised computers that are run under a common control structure

Functions:

Email senders – DHA (directory harvest attacks), spam, phishing, virus

DoS attacks

Rented out for $300 to $700 per hour

Jeanson James Ancheta made $60,000 by selling access

Over 10,000 botnets become active each day (Symantec)
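The directory harvest attack (DHA) that the ecosystem diagram on Page 7 lists as the source of email lists, and that this slide lists as a botnet function, leaves a characteristic trace on the receiving mail server: one client walking through guessed local parts, most of which are rejected as unknown users. The detector below is an added example, not code from the presentation, SonicWALL or GMU. The Postfix-style log lines are constructed for the example, and the threshold (five unknown-recipient rejects from one client within sixty seconds) is an assumed tuning value a site would adjust to its own traffic.

```python
"""Directory harvest attack (DHA) detector over MTA reject logs.

Added example, not code from the original presentation or from SonicWALL/GMU.
Log lines are constructed in a Postfix-like format; threshold and window are
assumed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# A harvester probes many guessed addresses; each miss is logged as a
# 'User unknown' reject naming the client IP and the probed recipient.
REJECT_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)

# Constructed sample log: 198.51.100.7 walks an alphabetical list of guessed
# local parts, 203.0.113.9 makes a single typo. No real traffic.
SAMPLE_LOG = """\
Apr 11 14:45:01 mail postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <aaron@university.example>: Recipient address rejected: User unknown in local recipient table
Apr 11 14:45:02 mail postfix/smtpd[2202]: 7D1B3: client=relay.example.org[203.0.113.20]
Apr 11 14:45:04 mail postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abbey@university.example>: Recipient address rejected: User unknown in local recipient table
Apr 11 14:45:07 mail postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abbott@university.example>: Recipient address rejected: User unknown in local recipient table
Apr 11 14:45:09 mail postfix/smtpd[2203]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <jsmtih@university.example>: Recipient address rejected: User unknown in local recipient table
Apr 11 14:45:10 mail postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abel@university.example>: Recipient address rejected: User unknown in local recipient table
Apr 11 14:45:13 mail postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abigail@university.example>: Recipient address rejected: User unknown in local recipient table
Apr 11 14:45:16 mail postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abraham@university.example>: Recipient address rejected: User unknown in local recipient table
"""


def find_harvesters(log_text, threshold=5, window_seconds=60):
    """Return {client_ip: peak rejects in one window} for every client whose
    unknown-recipient rejects reach `threshold` within `window_seconds`."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent rejects
    flagged = {}
    for line in log_text.splitlines():
        m = REJECT_LINE.match(line)
        if not m:
            continue  # accepted mail and other smtpd events are ignored
        # Syslog timestamps carry no year; year 1900 is fine for differences.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(window))
    return flagged


def probed_recipients(log_text, ip):
    """Local parts one client was rejected for, in order. A harvester's list
    is typically alphabetical or dictionary-ordered, a human's typo is not."""
    return [m["rcpt"].split("@")[0]
            for m in map(REJECT_LINE.match, log_text.splitlines())
            if m and m["ip"] == ip]


if __name__ == "__main__":
    for ip, peak in find_harvesters(SAMPLE_LOG).items():
        print(f"{ip}: {peak} unknown recipients in window, "
              f"probed {probed_recipients(SAMPLE_LOG, ip)}")
```

A flagged client is a candidate for rate limiting or a temporary block at the MTA; the single typo from the second client never reaches the threshold, which is the point of counting inside a window rather than rejecting on the first unknown recipient.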

Page 10

Hacks and Attacks

9,715 – Number of phishing sites operational in January 2006 (APWG)

34% – The percentage of phishing sites hosted in the United States for December 2005 (APWG)

31% - The percentage of phishing sites that are being hosted on “real” web servers (SonicWALL)

Hacked bank server hosts phishing sites

March 13, 2006 (IDG News Service) – Criminals appear to have hacked a Chinese bank’s server and are using it to host phishing sites to steal personal data from customers of eBay Inc. and a major U.S. bank.

Page 11

Scaling a phishing gang

The Campina Grande - Brazil

65 members

Operated for at least 3 months

200 accounts in six banks

$4.7 million stolen from bank accounts

Feb 2006 – 41 members caught, 24 more still on the run

Page 12

Tools to the Trade

The phishing ecosystem (diagram repeated from Page 7)

Page 13

Roles of Education in Phishing

Victim

Receive and respond to phishing attack

Bad for victim / bad for you

Labor

Mules, coders, phisher

Organized cooperative environment

Participant

Hosting phishing sites

Sending email – botnets

Page 14

GMU Slides

Page 15

Email and Academia: The Challenge

Email supports communications, academic projects and business administration, but also makes you vulnerable

Diverse user needs

Limited resources and need to reduce operating costs

Page 16

Email At George Mason University

30,000 active email accounts

400,000 inbound messages/day (82% junk)

Decentralized, ineffective protection for spam

No protection from phishing

Six AV appliances

Costly maintenance

Page 17

Determine The Requirements

User

Town Hall Meetings

Quarantine is required

Ability to opt-out

Systems Management

No new staff – minimize daily tasks

Solaris-based

Management reporting

Page 18

Evaluation Requirements

Effective - we receive only the emails we want to receive

Easy to manage – something that doesn’t require additional IT time (actually, less time than what we’re spending is better)

Easy for end users – little to no training required, also something they can self-manage

Page 19

The Process…

Product analysis, review requirements

Vendor questionnaire

Review responses

Invitation to technology day

Each vendor given 50 minutes

Present same info in specified order

Must include pricing and references

Q&A

Vendors cannot see other vendor presentations

Page 20

Evaluation

All vendors that satisfied all requirements invited

Solutions placed in production mail flow for 15 days

Page 21

spam, spam, spam, spam, spam, spam

[Chart: Monthly E-Mail and SPAM Volume, George Mason University. X-axis: Month/Year, 12/04 through 02/06. Y-axis: # Messages, 0 to 25,000,000. Series: SPAM, Total Mail Volume.]

Page 22

Wrap-up

Page 23

Wrap-up

Overview of the Phishing Ecosystem

Phish School:

Scope of the problem

What did GMU do

Results

Phishing education

Other email issues

Page 24

Thank you

Andrew Klein

[email protected]

www.sonicwall.com

Page 25

The Four Parts of the Solution

Page 26

The email process

The Brand – A company that sends email to its customers or employees and is therefore a target for phishing scams

The Web Site – The web site you are directed to by the email

You – The person who receives the email

The Mailman – A company that receives email and delivers it to its employees/customers

Page 27

The brand

Use cut-and-paste (plain-text) links rather than clickable ones, and minimize links

Use personal information where possible:

Dear John J. Smith

Account ending in 1234

Your zip code is 94304

Provide non-email ways to verify

Use standard company domain names

Identify your partners

Set and follow standard communication practices, internally and externally

Page 28

The mailman

Preemptive

Protect your email address

Phishing is more than spam – think virus

Technology

Multi-faceted solution – no silver bullet

Sender authentication and reputation, content, contact point divergence, URL exploits, real-time phish lists, etc.

World-wide community collaboration

Change is part of the business

Psychology

Educate your customers/employees – their PhishingIQ

Email is still good! Really, it is!
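Two of the technology signals named on this slide, contact point divergence and URL exploits, can be shown concretely on a message. Contact point divergence means the places a message tells you to contact do not agree: the From: domain, the domain shown in the visible link text and the domain the href really goes to. URL exploits are tricks in the link itself, such as a raw IP address as the host or a "brand@real-host" userinfo prefix that makes the brand name appear first in the address bar. The checker below is an added example, not code from the presentation, SonicWALL or GMU. The message is constructed (all domains are reserved example names), and the "last two labels" rule for the registrable domain is a deliberate simplification; a production filter would use the public suffix list so that domains like co.uk are handled correctly.

```python
"""Link-divergence and URL-exploit checks on a phishing message.

Added example, not code from the original presentation or from SonicWALL/GMU.
The message is constructed from reserved example domains; registrable_domain()
is a simplification of what a public-suffix-list lookup would do.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: From: claims example.com, the visible link text claims
# example.com, but every real href goes somewhere else.
SAMPLE_MESSAGE = """\
From: "Example Bank Security" <alerts@example.com>
To: user@university.example
Subject: Your account has been limited
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Dear customer, please confirm your details within 24 hours:</p>
<a href="http://example.com.account-verify.example.net/login">https://www.example.com/signin</a>
<a href="http://192.0.2.10/example/">Update billing information</a>
<a href="http://www.example.com@203.0.113.5/">Contact support</a>
</body></html>
"""

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_IN_TEXT = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Simplification: the last two labels. Real filters use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_exploit_flags(href):
    """URL tricks: a raw IP address as host, and userinfo ('brand@real-host')
    that hides the true host behind a familiar name."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.username is not None:
        flags.append("userinfo-in-url")
    if IPV4_HOST.match(host):
        flags.append("ip-address-host")
    return flags, host


def analyze(raw_message):
    """Return the sender's registrable domain and one finding per link."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = registrable_domain(msg["From"].addresses[0].domain)
    extractor = LinkExtractor()
    extractor.feed(msg.get_body(preferencelist=("html",)).get_content())
    findings = []
    for href, text in extractor.links:
        flags, host = url_exploit_flags(href)
        href_domain = registrable_domain(host)
        # Contact point divergence: the mail claims one domain, the link goes to another.
        if href_domain != sender_domain:
            flags.append("sender-link-divergence")
            # The brand's domain used as a subdomain of somebody else's domain.
            if host.startswith(sender_domain + "."):
                flags.append("brand-as-subdomain")
        # Visible link text names a URL whose domain differs from the real href.
        m = URL_IN_TEXT.search(text)
        if m and registrable_domain(m.group(1)) != href_domain:
            flags.append("display-href-divergence")
        findings.append({"href": href, "text": text, "flags": flags})
    return sender_domain, findings


def is_suspicious(raw_message):
    """True when any link carries at least one divergence or exploit flag."""
    return any(f["flags"] for f in analyze(raw_message)[1])


if __name__ == "__main__":
    sender, findings = analyze(SAMPLE_MESSAGE)
    print("sender domain:", sender)
    for f in findings:
        print(f["href"], "->", ", ".join(f["flags"]) or "clean")
```

None of these checks is a verdict on its own, which is the slide's "no silver bullet" point: a legitimate newsletter sent through a third-party mailing service also shows sender-link divergence, so the flags are inputs to a score alongside sender authentication, reputation and phish lists, not a block rule by themselves.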

Page 29

The web site

Company and personal sites

Monitor your site

Know your content

Practice good passwords

Keep logs, report phishing to authorities

Hosting services

Monitor new customers

Take phishing seriously

Unless they are eBay, assume they are not eBay!

Domain name registration services

Be diligent about domain registrations

Actively work to shut down phishing sites

Page 30

You

Know your senders

Is this someone I do business with?

Is this something I was told I’d receive?

Look for other ways to respond

Be aware

Look for clues – improve your PhishingIQ

Don’t be afraid to ask

Protect your system

Know how your system is updated

Check your records