Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

A fresh look at phishing Ken Takahashi General Manager, Anti-Phishing Solutions Return Path, Inc.

Upload: return-path

Post on 08-May-2015


DESCRIPTION

Return Path's presentation from the eCrime Mid-Year Meeting. This presentation takes a fresh look at phishing, examining new metrics to measure for proactive brand protection:
• Moving from reactive to proactive phishing protection - using email authentication, DMARC and non-owned domain analysis
• Preparing for the next generation of phishing threats - understanding the impact of mobile and new gTLDs
• Protecting customers from malicious attacks sent in your brand’s name – the forgotten half of the phishing equation
• Uncovering the true scale of phishing against brands - empirical analysis comparing existing and next generation reporting models

TRANSCRIPT

Page 1: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

A fresh look at phishing
Ken Takahashi
General Manager, Anti-Phishing Solutions
Return Path, Inc.

Page 2: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

• Defining the problem space
• Threat scenario assessments – the tip of the iceberg
• What can companies do about it?
• Real cost of phishing (direct & indirect)
• Conclusion

Agenda

Page 3: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

Valuable information outside your control

[Figure labels: WITHIN YOUR CONTROL / OUTSIDE YOUR CONTROL]

Page 4: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

• Profiled 3 separate attacks
• Target was a UK bank
• Incidents selected from August to October 2013

Analysis of fraudulent activity

Page 5: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

| Detail | Initial assessment |
| --- | --- |
| Type of attack | Phishing |
| Threat detected (GMT) | Fri Sep 13 2013 14:40 |
| Shut down (GMT) | Fri, Sep 13 2013 22:37 |
| Duration (hours) | 7.95 |
| URL | http://aaual.ual.pt/… www.{bank}.com/login.htm |
| Hosted | US |
| Total emails sent (est.) | ? |
| First email sent (GMT) | ? |
| Last email sent (GMT) | ? |
| Subject | ? |
| Reported URLs | ? |
| Severity | MEDIUM |

Attack A – initial assessment

+1 contribution to industry statistics

Page 6: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

Attack A – detailed analysis

[Figure labels: timestamp of email delivery; URLs included in email; “friendly from”; From email address; subject]

Emails sent (est.): 1.05M

Page 7: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

Attack A – updated assessment

| Detail | Initial assessment | New assessment |
| --- | --- | --- |
| Type of attack | Phishing | Phishing |
| Detected (GMT) | Fri Sep 13 2013 14:40 | Fri Sep 13 2013 13:19 |
| Shut down (GMT) | Fri Sep 13 2013 22:37 | Fri Sep 13 2013 22:37 |
| Duration (hours) | 7.95 | 9.30 |
| URL | http://aaual.ual.pt/… www.{bank}.com/login.htm | http://aaual.ual.pt/… www.{bank}.com/login.htm |
| Hosted | US | US |
| Total emails sent (est.) | ? | 1.05M |
| First email sent (GMT) | ? | Fri Sep 13 2013 13:19 |
| Last email sent (GMT) | ? | Sat Sep 21 2013 23:38 |
| Subject | ? | Account reveiw.. [sic] |
| Reported URLs | ? | 4 |
| Severity | MEDIUM | HIGH |

Page 8: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

| Detail | Initial assessment |
| --- | --- |
| Type of attack | Malware |
| Detected (GMT) | Sat 14 Sep 2013 00:32 |
| Shut down (GMT) | N/A |
| Duration (hours) | N/A |
| Attachments | 1 |
| Subject | Important – Documents Attached |
| Hosted | N/A |
| Total emails sent (est.) | ? |
| First email sent (GMT) | ? |
| Last email sent (GMT) | ? |
| Reported URLs | ? |
| Severity | HIGH |

Attack B – initial assessment

+1 contribution to industry statistics

Page 9: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

Attack B – detailed assessment

[Figure labels: timestamp of email delivery; file name; URLs included]

Emails sent (est.): 10.9M

Page 10: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

Attack B – updated assessment

| Detail | Initial assessment | New assessment |
| --- | --- | --- |
| Type of attack | Malware | Malware |
| Detected (GMT) | Sat 14 Sep 2013 00:32 | Fri 13 Sep 2013 22:05 |
| Shut down (GMT) | N/A | N/A |
| Duration (hours) | N/A | N/A |
| Attachments | 1 | 1 |
| Subject | Important – Documents Attached | Important – Documents Attached (etc.) |
| Hosted | N/A | N/A |
| Total emails sent (est.) | ? | 10.9M |
| First email sent (GMT) | ? | Fri 13 Sep 2013 22:05 |
| Last email sent (GMT) | ? | Wed 16 Oct 2013 08:15 |
| Reported URLs | ? | 1 |
| Severity | HIGH | HIGH |

Page 11: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

| Detail | Initial assessment |
| --- | --- |
| Type of attack | Advanced fee fraud |
| Detected (GMT) | Fri 02 Aug 2013 06:15 |
| Shut down (GMT) | N/A |
| Duration (hours) | N/A |
| Subject | DIPLOMAT WITH YOUR MONEY |
| Hosted | N/A |
| Reported URLs | 0 |
| Total emails sent (est.) | ? |
| First email sent (GMT) | ? |
| Last email sent (GMT) | ? |
| Severity | LOW |

Attack C – initial assessment

+1 contribution to industry statistics

Page 12: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

Attack C - detailed assessment

[Figure labels: Reply-to; “friendly from”; From address; subject; timestamp]

Emails sent (est.): 83.5K

Page 13: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

Attack C – updated assessment

| Detail | Initial assessment | New assessment |
| --- | --- | --- |
| Type of attack | Advanced fee fraud | Advanced fee fraud |
| Detected (GMT) | Fri 02 Aug 2013 06:15 | Thu 01 Aug 2013 23:58 |
| Shut down (GMT) | N/A | N/A |
| Duration (hours) | N/A | N/A |
| Subject | DIPLOMAT WITH YOUR MONEY | DIPLOMAT WITH YOUR MONEY |
| Hosted | N/A | N/A |
| Reported URLs | 0 | 0 |
| Total emails sent (est.) | ? | 83.5K |
| First email sent (GMT) | ? | Thu 01 Aug 2013 23:58 |
| Last email sent (GMT) | ? | Fri 18 Oct 2013 23:55 |
| Severity | LOW | LOW |

Page 14: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

• “Traditional” metrics do not account for:
  – Size of attack
  – Start of attack
  – Recurrence/duration of attack
  – Target users by ISP
  – Nature of attack (e.g. distributed)
  – Unreported attacks
• How are we able to discover this information?
  – Access to relevant data sources
  – All of the scams were sent from an email address spoofed to match that of the bank in question!

Additional information we can discover

Page 15: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

• Exercise your domain rights to manage risk outside of your network:
  – Gain insights to understand true scale & nature of attacks
  – Block spoofed attacks at the biggest ISPs
  – Use information to shut down attacks more quickly

What can you do about spoofing?
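An added example, not part of the presentation: the description names DMARC as one source of this visibility, and the Python below totals the spoofed volume, reporting window, receiving ISPs and sending sources from DMARC aggregate (RUA) reports. The reports are constructed sample data, and `bank.example`, the ISP names, the IP addresses and the absence of an XML namespace are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

def _report(org, begin, end, rows):
    """Build a constructed DMARC aggregate report; rows = (ip, count, dkim, spf)."""
    recs = "".join(
        f"<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
        f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
        f"<spf>{spf}</spf></policy_evaluated></row>"
        f"<identifiers><header_from>bank.example</header_from></identifiers></record>"
        for ip, n, dkim, spf in rows)
    return (f"<feedback><report_metadata><org_name>{org}</org_name><date_range>"
            f"<begin>{begin}</begin><end>{end}</end></date_range></report_metadata>"
            f"<policy_published><domain>bank.example</domain><p>none</p>"
            f"</policy_published>{recs}</feedback>")

# Constructed sample data: two receivers, one day each (epoch seconds, UTC).
SAMPLE_REPORTS = [
    _report("isp-one.example", 1379030400, 1379116800,
            [("192.0.2.10", 1200, "fail", "fail"), ("198.51.100.5", 300, "pass", "pass")]),
    _report("isp-two.example", 1379116800, 1379203200,
            [("192.0.2.10", 800, "fail", "fail"), ("203.0.113.7", 50, "fail", "pass")]),
]

def spoofing_summary(reports, domain):
    """Volume, window, receivers and sources of mail using `domain` in From that fails DMARC."""
    by_receiver, sources, begins, ends = defaultdict(int), set(), [], []
    for xml_text in reports:
        root = ET.fromstring(xml_text)  # for reports received by mail, parse with defusedxml
        receiver = root.findtext("report_metadata/org_name")
        for rec in root.iter("record"):
            result = rec.find("row/policy_evaluated")
            if rec.findtext("identifiers/header_from", "").lower() != domain:
                continue
            if "pass" in (result.findtext("dkim"), result.findtext("spf")):
                continue  # DMARC passes when either aligned check passes
            by_receiver[receiver] += int(rec.findtext("row/count"))
            sources.add(rec.findtext("row/source_ip"))
            begins.append(int(root.findtext("report_metadata/date_range/begin")))
            ends.append(int(root.findtext("report_metadata/date_range/end")))
    iso = lambda ts: datetime.fromtimestamp(ts, timezone.utc).isoformat()
    return {"failing_messages": sum(by_receiver.values()),
            "by_receiver": dict(by_receiver), "sources": sorted(sources),
            "first_window_start": iso(min(begins)) if begins else None,
            "last_window_end": iso(max(ends)) if ends else None}

if __name__ == "__main__":
    print(spoofing_summary(SAMPLE_REPORTS, "bank.example"))
```

Aggregate reports give per-day windows rather than per-message timestamps, so the first and last values bound the campaign to the reporting interval, not to the minute.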

Page 16: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

The Full Spectrum of Phishing Threats

Page 17: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

• Growth of mobile email
  – Cannot see full email addresses
  – No concept of mousing over links
• New gTLDs
  – 500+ more domain choices
  – Lower prices

Emerging threats

Page 18: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

Addressing email-borne threats

Page 19: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

Real cost of phishing

Direct / Costs to your operations / Costs to your customer

Indirect / Long-term impact / Immediate impact

Page 20: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

A look from inside the inbox

Page 21: Return Path eCrime Mid-Year 2013 - A Fresh Look at Phishing

• Significant security risks exist outside your network
• Historical solutions lack:
  – Valuable information (tip of the iceberg)
  – Prevention
• Companies can use latest technology to:
  – Understand the true threat landscape
  – Eliminate risk
• Drive quantifiable benefits to your company and your customers
• All of this is available to you today…

Conclusion