George Mason University and SonicWALL
The Phishing Ecosystem
Analyzing the Dynamics for Maximum Defense
Tuesday, April 11th 2006 – 2:45pm
Agenda
Overview of the Phishing Ecosystem
Questions for the panel
  Scope of the problem
  What did GMU do
  Results
  Phishing education
  Other email issues
Ask questions as we go
Wrap up & lessons learned
Let’s Go Phishing
The Phishing Checklist
1. Get an email list
2. Develop the attack
3. Locate sites to send phishing email from
4. Locate sites to host the phishing site
5. Launch the attack
6. Collect the information
7. Transform into cash
A bad day phishin’, beats a good day workin’
2,000,000 emails are sent
5% get to the end user – 100,000 (APWG)
5% click on the phishing link – 5,000 (APWG)
2% enter data into the phishing site –100 (Gartner)
$1,200 from each person who enters data (FTC)
Our potential reward: $120,000
In 2005 David Levi made over $360,000 from 160 people using an eBay Phishing scam
A little phishing gang
The David Levi phishing gang – UK
6 members
Operated for 12 months
At least $360,000 from 160 people
Segmentation of jobs
  Techie
  Creative designer
  Money laundering – mule driver
Caught – received sentences from 1 to 4 years each
Tools to the Trade – The phishing ecosystem
The Malware Community supplies:
  Email list
    • DHA
    • Site Crawlers
    • Spyware
  Phishing Kit – Email & Web site
    • Templates
    • Sitecopy & wget
  Sending Machines and Hosting Sites
    • Botnets
    • Trojans
    • Worms
    • Keyloggers
    • Hacks & Attacks
    • “Real” Domain Names
The Phisher: Construct → Launch → Collect
Harvested Information
  • Account Info
  • Credit Info
  • Identity Info
  • Logins & Passwords
Phished information turned into Cash ($)
The money laundering “Mule”
“Make Money at Home”
  Recruits receive funds in their accounts
  Transfer funds from their account via Western Union wire transfers to a 2nd (phisher’s) account
  Paid 10% of the sum of each money transfer
  One or two transfers each week – $3,000 to $5,000 each
“Nations Welfare Foundation”
  Looking for a “Financial Operations Manager”
  Transfer money for young cancer patients in USSR
  Real looking web site complete with pictures
  Paid 7% – can make $500 to $2,000 per week
Botnets
Botnet: A collection of compromised computers that are run under a common control structure
Functions
  Email senders – DHA, spam, phishing, virus
  DOS attacks
Rented out for $300 to $700 per hour
Jeanson James Ancheta made $60,000 by selling access
Over 10,000 botnets become active each day (Symantec)
Hacks and Attacks
9,715 – Number of phishing sites operational in January 2006 (APWG)
34% – The percentage of phishing sites hosted in the United States for December 2005 (APWG)
31% – The percentage of phishing sites that are being hosted on “real” web servers (SonicWALL)
Hacked bank server hosts phishing sites
March 13, 2006 (IDG News Service) – Criminals appear to have hacked a Chinese bank’s server and are using it to host phishing sites to steal personal data from customers of eBay Inc. and a major U.S. bank.
Scaling a phishing gang
The Campina Grande gang – Brazil
65 members
Operated for at least 3 months
200 accounts in six banks
$4.7 million stolen from bank accounts
Feb 2006 – 41 members caught, 24 more still on the run
Roles of the Education Sector in Phishing
Victim
  Receive and respond to phishing attack
  Bad for victim / Bad for you
Labor
  Mules
  Coders
  Phisher
  Organized cooperative environment
Participant
  Hosting phishing sites
  Sending email – Botnets
GMU Slides
Email and Academia: The Challenge
Email supports communications, academic projects and business administration, but also makes you vulnerable
Diverse user needs
Limited resources and need to reduce operating costs
Email At George Mason University
30,000 active email accounts
400,000 inbound messages/day (82% junk)
Decentralized, ineffective protection for spam
No protection from phishing
Six AV appliances
Costly maintenance
Determine The Requirements
User Town Hall Meetings
  Quarantine is required
  Ability to opt-out
Systems Management
  No new staff – minimize daily tasks
  Solaris-based
  Management reporting
Evaluation Requirements
Effective - we receive only the emails we want to receive
Easy to manage – something that doesn’t require additional IT time (actually, less time than what we’re spending is better)
Easy for end users – little to no training required, also something they can self-manage
The Process…
Product analysis, review requirements
Vendor questionnaire
Review responses
Invitation to technology day
  Each vendor given 50 minutes
  Present same info in specified order
  Must include pricing and references
  Q&A
  Vendors cannot see other vendor presentations
Evaluation
All vendors that satisfied all requirements invited
Solutions placed in production mail flow for 15 days
spam, spam, spam, spam, spam, spam
[Figure: Monthly E-Mail and SPAM Volume, George Mason University. X axis: Month/Year, 12/04 through 02/06. Y axis: # Messages, 0 to 25,000,000. Series: SPAM, Total Mail Volume.]
Wrap-up
Wrap-up
Overview of the Phishing Ecosystem
Phish School
  Scope of the problem
  What did GMU do
  Results
  Phishing education
  Other email issues
The Four Parts of the Solution
The email process
The Brand: A company that sends email to its customers or employees and therefore is a target for phishing scams
The Web Site: The web site where you are directed to by the email
You: The person who receives email
The Mailman: A company that receives email and delivers it to its employees/customers
The brand
Cut-and-paste links, minimize links
Use personal information where possible
  Dear John J. Smith
  Account ending in 1234
  Your zip code is 94304
Provide non-email ways to verify
Use standard company domain names
Identify your partners
Set and follow standard communication practices
  Internally and externally
The mailman
Preemptive
  Protect your email address
  Phishing is more than spam – think Virus
Technology
  Multi-faceted solution – No silver bullet
  Sender authentication and reputation, content, contact point divergence, URL exploits, real-time phish lists, etc.
  World-wide community collaboration
  Change is part of the business
Psychology
  Educate your customers/employees – their PhishingIQ
  Email is still Good! Really it is!
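The detection signals the mailman slide lists under Technology (sender authentication, contact point divergence, URL exploits, real-time phish lists) can be checked mechanically on each inbound message. The Python below is an added example, not code from the presentation or from either organization: it reads one constructed message and reports which signals fire. The Authentication-Results header, every domain name and address, and the PHISH_LIST set are made up for the example; a real gateway would verify SPF itself or trust its own MTA's header, consult a live phish feed, and use a public-suffix list instead of the two-label registered_domain() shortcut.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Stand-in for a real-time phish list (assumption: a production gateway would
# query a live feed rather than a static set; this domain is constructed).
PHISH_LIST = {"secure-login-update.example"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name (assumption: no public-suffix list here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def address_domain(header_value):
    """Registered domain of the address in a From/Reply-To header, or None."""
    m = re.search(r"@([\w.-]+)", str(header_value or ""))
    return registered_domain(m.group(1)) if m else None


def analyze(raw_message):
    """Return (signal, detail) findings for one message; an empty list is clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Sender authentication: use the verdict the receiving MTA recorded.
    auth = str(msg.get("Authentication-Results", ""))
    if re.search(r"\bspf=(fail|softfail)\b", auth):
        findings.append(("spf_fail", auth.strip()))

    # Contact-point divergence, part 1: From domain vs Reply-To domain.
    from_dom = address_domain(msg.get("From"))
    reply_dom = address_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_divergence", f"{from_dom} -> {reply_dom}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")

    for href, text in parser.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        # URL exploits: "trusted-name@real-host" userinfo trick and bare IP hosts.
        if "@" in parts.netloc:
            findings.append(("userinfo_in_url", href))
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(("ip_address_host", href))
        # Contact-point divergence, part 2: the domain the reader sees in the
        # link text vs the real target, and the target vs the sender's domain.
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.lower())
        if host and shown and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append(("link_text_divergence", f"{text} -> {host}"))
        if host and registered_domain(host) != from_dom:
            findings.append(("link_domain_divergence", f"{from_dom} -> {host}"))
        # Real-time phish list lookup (static set in this example).
        if host and registered_domain(host) in PHISH_LIST:
            findings.append(("phish_list_hit", host))
    return findings


# Constructed message that trips several signals at once (not a real phish).
SAMPLE = """\
From: "Example Bank" <alerts@examplebank.example>
Reply-To: support@secure-login-update.example
To: jsmith@gmu.example
Subject: Please verify your account
Authentication-Results: mx.gmu.example; spf=fail smtp.mailfrom=examplebank.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer, click
<a href="http://examplebank.example@www.secure-login-update.example/login">https://www.examplebank.example/verify</a>
to confirm.</p></body></html>
"""

if __name__ == "__main__":
    for signal, detail in analyze(SAMPLE):
        print(f"{signal:24} {detail}")
```

Each finding is independent, so the gateway can weight them; the slide's point that there is no silver bullet shows up directly in the code, since a message that passes SPF can still fail on link-text divergence or a phish-list hit.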
The web site
Company and personal sites
  Monitor your site
  Know your content
  Practice good passwords
  Keep logs, report phishing to authorities
Hosting services
  Monitor new customers
  Take phishing seriously
  Unless they are eBay, assume they are not eBay!
Domain name registration services
  Be diligent about domain registrations
  Actively work to shut down phishing sites
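The "Monitor your site", "Know your content" and "Keep logs" advice above becomes concrete once a site owner compares its access log against an inventory of what it actually publishes. The Python below is an added example, not code from the presentation or from either organization: it parses constructed web server log lines in the Apache/nginx combined format and flags three things, the site-copying tools named on the ecosystem slide (Sitecopy and wget) by the User-Agent strings they send by default, requests to paths outside the published inventory, and POSTs to such paths, which is what a credential-capture form dropped into an unused directory looks like from the server side. The log lines, IPs, hostnames, paths and the KNOWN_PAGES/KNOWN_DIRS inventory are all constructed for the example.

```python
import re

# Apache/nginx "combined" log layout (assumption: the site logs in this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# "Know your content": what the site owner actually publishes (constructed inventory).
KNOWN_PAGES = {"/", "/index.html", "/contact.html"}
KNOWN_DIRS = ("/about/", "/research/", "/static/")

# Site-copying tools named on the ecosystem slide, matched on the User-Agent
# they send by default (assumption: the operator did not override it).
COPY_TOOLS = ("wget", "sitecopy")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_known_path(path):
    """True when the request path falls inside the published content inventory."""
    path = path.split("?", 1)[0]
    return path in KNOWN_PAGES or path.startswith(KNOWN_DIRS)


def scan(lines):
    """Return findings: site-copy tool hits, hits on unknown paths, POSTs to them."""
    findings = {"site_copy": [], "unknown_path": [], "credential_post": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if any(tool in rec["ua"].lower() for tool in COPY_TOOLS):
            findings["site_copy"].append((rec["ip"], rec["ua"]))
        if not is_known_path(rec["path"]):
            findings["unknown_path"].append((rec["ip"], rec["method"], rec["path"]))
            # A POST to a page you never published is the signature of a
            # credential-capture form planted on your server.
            if rec["method"] == "POST":
                findings["credential_post"].append(
                    (rec["ip"], rec["path"], rec["referer"]))
    return findings


# Constructed log lines: normal traffic, a wget mirror run, and a planted
# sign-in page under /images/.cache/ receiving a form POST.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Mar/2006:09:12:01 -0500] "GET /index.html HTTP/1.1" 200 5120 '
    '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '203.0.113.9 - - [13/Mar/2006:09:15:44 -0500] "GET /about/ HTTP/1.0" 200 2048 '
    '"-" "Wget/1.10.2"',
    '198.51.100.7 - - [14/Mar/2006:02:01:10 -0500] "GET /images/.cache/signin.html HTTP/1.1" '
    '200 7311 "http://mail.example.net/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.7 - - [14/Mar/2006:02:01:33 -0500] "POST /images/.cache/login.php HTTP/1.1" '
    '302 0 "http://www.example.edu/images/.cache/signin.html" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.44 - - [14/Mar/2006:03:10:00 -0500] "GET /research/papers.html HTTP/1.1" '
    '200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_LOG).items():
        for hit in hits:
            print(f"{kind:16} {hit}")
```

The referer captured with each POST is what the "report phishing to authorities" step needs: it shows where the victims were sent from and which planted page the form submitted to. The inventory check is deliberately strict; on a real site the KNOWN_DIRS tuple comes from the deployment manifest, and anything outside it is, at minimum, worth a look.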
You
Know your senders
  Is this someone I do business with?
  Is this something I was told I’d receive?
  Look for other ways to respond
Be aware
  Look for clues – improve your PhishingIQ
  Don’t be afraid to ask
Protect your system
  Know how your system is updated
  Check your records