return path ecrime mid-year 2013 - a fresh look at phishing
DESCRIPTION
Return Path's presentation from the eCrime Mid-Year Meeting. This presentation takes a fresh look at phishing, examining new metrics to measure for proactive brand protection:
• Moving from reactive to proactive phishing protection - using email authentication, DMARC and non-owned domain analysis
• Preparing for the next generation of phishing threats - understanding the impact of mobile and new gTLDs
• Protecting customers from malicious attacks sent in your brand's name - the forgotten half of the phishing equation
• Uncovering the true scale of phishing against brands - empirical analysis comparing existing and next generation reporting models
TRANSCRIPT
A fresh look at phishing Ken Takahashi General Manager, Anti-Phishing Solutions Return Path, Inc.
Agenda

• Defining the problem space
• Threat scenario assessments – the tip of the iceberg
• What can companies do about it?
• Real cost of phishing (direct & indirect)
• Conclusion
[Diagram: valuable information sits outside your control. Labels: WITHIN YOUR CONTROL / OUTSIDE YOUR CONTROL]
Analysis of fraudulent activity

• Profiled 3 separate attacks
• Target was a UK bank
• Incidents selected from August to October 2013
Attack A – initial assessment

Detail                    Initial assessment
Type of attack            Phishing
Threat detected (GMT)     Fri Sep 13 2013 14:40
Shut down (GMT)           Fri Sep 13 2013 22:37
Duration (hours)          7.95
URL                       http://aaual.ual.pt/… www.{bank}.com/login.htm
Hosted                    US
Total emails sent (est.)  ?
First email sent (GMT)    ?
Last email sent (GMT)     ?
Subject                   ?
Reported URLs             ?
Severity                  MEDIUM

+1 contribution to industry statistics
Attack A – detailed analysis

[Data view: per-message records with timestamp of email delivery, URLs included in email, "friendly from", from email address and subject]

Emails sent (est.): 1.05M
Attack A – updated assessment

Detail                    Initial assessment                              New assessment
Type of attack            Phishing                                        Phishing
Detected (GMT)            Fri Sep 13 2013 14:40                           Fri Sep 13 2013 13:19
Shut down (GMT)           Fri Sep 13 2013 22:37                           Fri Sep 13 2013 22:37
Duration (hours)          7.95                                            9.30
URL                       http://aaual.ual.pt/… www.{bank}.com/login.htm  http://aaual.ual.pt/… www.{bank}.com/login.htm
Hosted                    US                                              US
Total emails sent (est.)  ?                                               1.05M
First email sent (GMT)    ?                                               Fri Sep 13 2013 13:19
Last email sent (GMT)     ?                                               Sat Sep 21 2013 23:38
Subject                   ?                                               Account reveiw.. [sic]
Reported URLs             ?                                               4
Severity                  MEDIUM                                          HIGH
Attack B – initial assessment

Detail                    Initial assessment
Type of attack            Malware
Detected (GMT)            Sat 14 Sep 2013 00:32
Shut down (GMT)           N/A
Duration (hours)          N/A
Attachments               1
Subject                   Important – Documents Attached
Hosted                    N/A
Total emails sent (est.)  ?
First email sent (GMT)    ?
Last email sent (GMT)     ?
Reported URLs             ?
Severity                  HIGH

+1 contribution to industry statistics
Attack B – detailed assessment

[Data view: per-message records with timestamp of email delivery, attachment file name and URLs included]

Emails sent (est.): 10.9M
Attack B – updated assessment

Detail                    Initial assessment              New assessment
Type of attack            Malware                         Malware
Detected (GMT)            Sat 14 Sep 2013 00:32           Fri 13 Sep 2013 22:05
Shut down (GMT)           N/A                             N/A
Duration (hours)          N/A                             N/A
Attachments               1                               1
Subject                   Important – Documents Attached  Important – Documents Attached (etc.)
Hosted                    N/A                             N/A
Total emails sent (est.)  ?                               10.9M
First email sent (GMT)    ?                               Fri 13 Sep 2013 22:05
Last email sent (GMT)     ?                               Wed 16 Oct 2013 08:15
Reported URLs             ?                               1
Severity                  HIGH                            HIGH
Attack C – initial assessment

Detail                    Initial assessment
Type of attack            Advance fee fraud
Detected (GMT)            Fri 02 Aug 2013 06:15
Shut down (GMT)           N/A
Duration (hours)          N/A
Subject                   DIPLOMAT WITH YOUR MONEY
Hosted                    N/A
Reported URLs             0
Total emails sent (est.)  ?
First email sent (GMT)    ?
Last email sent (GMT)     ?
Severity                  LOW

+1 contribution to industry statistics
Attack C – detailed assessment

[Data view: per-message records with reply-to, "friendly from", from address, subject and timestamp]

Emails sent (est.): 83.5K
Attack C – updated assessment

Detail                    Initial assessment        New assessment
Type of attack            Advance fee fraud         Advance fee fraud
Detected (GMT)            Fri 02 Aug 2013 06:15     Thu 01 Aug 2013 23:58
Shut down (GMT)           N/A                       N/A
Duration (hours)          N/A                       N/A
Subject                   DIPLOMAT WITH YOUR MONEY  DIPLOMAT WITH YOUR MONEY
Hosted                    N/A                       N/A
Reported URLs             0                         0
Total emails sent (est.)  ?                         83.5K
First email sent (GMT)    ?                         Thu 01 Aug 2013 23:58
Last email sent (GMT)     ?                         Fri 18 Oct 2013 23:55
Severity                  LOW                       LOW
Additional information we can discover

• "Traditional" metrics do not account for:
  – Size of attack
  – Start of attack
  – Recurrence/duration of attack
  – Target users by ISP
  – Nature of attack (e.g. distributed)
  – Unreported attacks
• How are we able to discover this information?
  – Access to relevant data sources
  – All of the scams were sent from an email address spoofed to match that of the bank in question!
What can you do about spoofing?

• Exercise your domain rights (email authentication and DMARC) to manage risk outside of your network:
  – Gain insights to understand the true scale and nature of attacks
  – Block spoofed attacks at the biggest ISPs
  – Use the information to shut down attacks more quickly
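The two slides above (the metrics traditional reporting misses, and exercising your domain rights to see and block spoofed mail) come together in DMARC aggregate reporting. The following is an added example, not code from the Return Path deck: it checks whether a DMARC TXT record actually asks receivers to block unauthenticated mail, and it reads RFC 7489 aggregate (rua) reports to recover the size of a spoofing campaign, its first and last sighting, the sending IPs, and how much of it each reporting receiver (ISP) saw. The domain bank.example, the rua/ruf addresses, the reporter names, IP addresses and message counts are all constructed for illustration.

```python
"""Measuring spoofing of your own domain from DMARC aggregate reports.

Added example (not code from the Return Path deck). Assumes the brand
publishes a DMARC record at _dmarc.bank.example and receives RFC 7489
aggregate (rua) reports; all names, IPs and counts below are constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# Hypothetical records for bank.example. p=none only requests reports; only
# p=reject applied to 100% of mail tells receivers to block unauthenticated mail.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-rua@bank.example"
STRONG_RECORD = ("v=DMARC1; p=reject; pct=100; "
                 "rua=mailto:dmarc-rua@bank.example; ruf=mailto:dmarc-ruf@bank.example")


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 section 6.3)."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def dmarc_blocks_spoofing(tags: Dict[str, str]) -> bool:
    """True only when every unauthenticated message is to be rejected."""
    return (tags.get("v") == "DMARC1" and tags.get("p") == "reject"
            and tags.get("pct", "100") == "100")


def make_report(org: str, begin: int, end: int, rows) -> str:
    """Build a minimal RFC 7489 aggregate report (constructed test data).
    rows: (source_ip, count, aligned DKIM result, aligned SPF result)."""
    records = "".join(
        f"<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
        f"<policy_evaluated><disposition>none</disposition>"
        f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
        f"<identifiers><header_from>bank.example</header_from></identifiers>"
        f"</record>" for ip, n, dkim, spf in rows)
    return (f"<feedback><report_metadata><org_name>{org}</org_name>"
            f"<date_range><begin>{begin}</begin><end>{end}</end></date_range>"
            f"</report_metadata><policy_published><domain>bank.example</domain>"
            f"<p>none</p></policy_published>{records}</feedback>")


# Two days of constructed reports from two receivers; 1379030400 is
# 2013-09-13T00:00:00Z. 203.0.113.10 plays the bank's genuine mail server.
SAMPLE_REPORTS: List[str] = [
    make_report("isp-a.example", 1379030400, 1379116799, [
        ("198.51.100.7", 380000, "fail", "fail"),
        ("203.0.113.10", 12000, "pass", "pass"),
    ]),
    make_report("isp-b.example", 1379116800, 1379203199, [
        ("198.51.100.7", 215000, "fail", "fail"),
        ("198.51.100.8", 250, "fail", "fail"),
        ("203.0.113.10", 9000, "pass", "pass"),
    ]),
]


def _iso(ts: int) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def summarize_reports(reports: Iterable[str]) -> dict:
    """Size, timing, source IPs and affected receivers of spoofed mail.
    A row counts as spoofed when neither aligned DKIM nor aligned SPF passed,
    i.e. the message fails DMARC whatever the published policy says."""
    spoofed_by_ip: Counter = Counter()
    spoofed_by_reporter: Counter = Counter()
    legit = 0
    first = last = None
    for xml_text in reports:
        root = ET.fromstring(xml_text)
        org = root.findtext("report_metadata/org_name")
        begin = int(root.findtext("report_metadata/date_range/begin"))
        end = int(root.findtext("report_metadata/date_range/end"))
        first = begin if first is None else min(first, begin)
        last = end if last is None else max(last, end)
        for row in root.iterfind("record/row"):
            n = int(row.findtext("count"))
            if "pass" in (row.findtext("policy_evaluated/dkim"),
                          row.findtext("policy_evaluated/spf")):
                legit += n
            else:
                spoofed_by_ip[row.findtext("source_ip")] += n
                spoofed_by_reporter[org] += n
    return {
        "spoofed_total": sum(spoofed_by_ip.values()),
        "legit_total": legit,
        "first_seen": _iso(first) if first is not None else None,
        "last_seen": _iso(last) if last is not None else None,
        "by_reporter": dict(spoofed_by_reporter),
        "top_sources": spoofed_by_ip.most_common(3),
    }


if __name__ == "__main__":
    for rec in (WEAK_RECORD, STRONG_RECORD):
        print(rec, "->", dmarc_blocks_spoofing(parse_dmarc_record(rec)))
    print(summarize_reports(SAMPLE_REPORTS))
```

Aggregate reports arrive per receiver per day, so the first_seen/last_seen values are bounded by report windows rather than exact send times; the per-message detail the deck shows (subjects, reply-to, attachment names) comes from failure (ruf) reports or a receiver's data feed, not from rua. A record with p=reject but pct below 100 still lets a share of spoofed mail through, which is why the check insists on pct=100.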
The Full Spectrum of Phishing Threats
Emerging threats

• Growth of mobile email
  – Recipients cannot see full email addresses
  – No concept of mousing over links
• New gTLDs
  – 500+ more domain choices
  – Lower prices
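The new-gTLD point above is the other half of the description's "non-owned domain analysis": with hundreds of additional TLDs, the brand's own label and close variants of it can be registered cheaply outside the brand's control. The following is an added example, not code from the Return Path deck, of the classification a practitioner would run over a feed of newly registered domains: the brand domain mybank.com, the candidate list and the confusable-character table are constructed for illustration, and the label splitting assumes single-label public suffixes.

```python
"""Non-owned (lookalike) domain analysis for a brand.

Added example (not from the Return Path deck). Flags candidate registrations
that imitate a brand domain: same label under another TLD, confusable
characters, brand embedded in a longer label, or a close typo. The brand
domain and the candidate list are constructed for illustration.
"""
from typing import Dict, Iterable, Optional, Tuple

BRAND_DOMAIN = "mybank.com"

# Constructed candidates, as might come from a daily feed of new registrations.
CANDIDATES = [
    "mybank.com",            # the brand's own domain: not a lookalike
    "www.mybank.online",     # same label under a new gTLD
    "rnybank.com",           # confusable: "rn" imitates "m"
    "mybnak.com",            # typo (transposition)
    "mybank-login.site",     # brand embedded with a lure word, new gTLD
    "my-bank.bank",          # punctuation variant under the .bank gTLD
    "unrelated.com",         # no resemblance
]

# Common confusable sequences, multi-character ones first so "rn" is
# rewritten before any single-character rule could touch it.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable_label(domain: str) -> Tuple[str, str]:
    """Split 'www.foo.example' into ('foo', 'example').
    Assumption: single-label public suffixes only; co.uk-style suffixes
    would need the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    if parts[0] == "www":
        parts = parts[1:]
    return parts[-2], parts[-1]


def normalize(label: str) -> str:
    """Strip hyphens and fold confusable sequences to their look-alike letters."""
    label = label.replace("-", "")
    for seq, repl in HOMOGLYPHS:
        label = label.replace(seq, repl)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, brand: str = BRAND_DOMAIN) -> Optional[str]:
    """Return why a candidate resembles the brand, or None if it does not."""
    b_label, b_tld = registrable_label(brand)
    c_label, c_tld = registrable_label(candidate)
    if (c_label, c_tld) == (b_label, b_tld):
        return None                                   # the brand's own domain
    if c_label == b_label:
        return "same label, other TLD"
    norm = normalize(c_label)
    if norm == b_label:
        return "homoglyph or punctuation variant"
    if b_label in norm:
        return "brand embedded"
    if edit_distance(norm, b_label) <= 2:
        return "typosquat"
    return None


def find_lookalikes(candidates: Iterable[str], brand: str = BRAND_DOMAIN) -> Dict[str, str]:
    """Map each flagged candidate to the reason it was flagged."""
    result = {}
    for c in candidates:
        reason = classify(c, brand)
        if reason:
            result[c] = reason
    return result


if __name__ == "__main__":
    for domain, reason in find_lookalikes(CANDIDATES).items():
        print(f"{domain:22s} {reason}")
```

The edit-distance threshold of 2 is a judgement call: on short brand labels it will flag unrelated words, so in practice the threshold is scaled with label length and hits are triaged against registration date, MX records and whether the domain serves a login page.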
Addressing email-borne threats
Real cost of phishing

Direct:   Costs to your operations; costs to your customer
Indirect: Long-term impact; immediate impact

A look from inside the inbox
Conclusion

• Significant security risks exist outside your network
• Historical solutions lack:
  – Valuable information (tip of the iceberg)
  – Prevention
• Companies can use the latest technology to:
  – Understand the true threat landscape
  – Eliminate risk
• Drive quantifiable benefits to your company and your customers
• All of this is available to you today…