A PRESENTATION ON

UNDERSTANDING & MITIGATING SPEAR PHISHING ATTACKS

L. Chandrahas III B.Tech (CSE) MITS, Madnapalle

Contents
Introduction Level of Threat Spear Phishing Life Cycle of a Phishing Attack Deception Mitigation Conclusion

INTRODUCTION

Level of Threat
There were at least 93,462 unique phishing attacks worldwide, in 202 top-level domains (TLDs) in the year 2012. They make up a about 10% of all cyber attacks worldwide. CERT-IN states that about 5% of all the attacks handled by them in the year 2011 are phishing attacks.

Spear Phishing
Spear phishing is based on social engineering. Unlike normal phishing attacks, spear phishing attacks are targeted towards specific individuals or organizations.

Advanced persistent threat campaigns frequently make use of spear-phishing tactics because these are essential to get highranking targets to open phishing emails. Spear-phishing significantly raises the chances that targets will read a message that will allow attackers to compromise their networks. -Trend Micro
Spear-Phishing Email: Most Favored APT Attack Bait

Kinds of Phishing Attacks

In the attackers perspective, phishing attacks can be classified into 1. Deceptive Attacks: Users are tricked by fraudulent messages. 2. Malware Attacks: Data is compromised using malware. 3. DNS Based Attacks: Domain name lookup is altered to redirect information to attacker.

LIFE CYCLE OF A PHISHING ATTACK

Life Cycle of a Phishing Attack

Planning Setup Attack

PostAttack

Fraud

Collection

Planning
Information gathering phase. Information can be gathered either online or offline. Collection of details like email addresses, telephone numbers, account numbers, etc. Selection of an attack path. Social networking websites are a major source of information to the attackers.

The methods criminals use to gather information for spear-phishing emails are surprisingly simple. The amount of free information available to the public over the Internet is staggering and a few simple searches through Google, Facebook, LinkedIn, etc., can reveal enough information to craft a welldisguised spear-phishing email. -Scott Greaux, PhishMe

Setup
Pre-attack setup by the attacker. Varies with the type of attack selected by the attacker. Creation of phishing emails, forging email IDs and websites. Development of Trojans and backdoors. Manipulation of URLs, DNS spoofing.

Attack
Attacker poses as a legitimate organization and casts the bait. Most common methods of attack are:
Sending emails Sending IMs (Instant Messages)

Collection
Attackers collects the data disclosed by the user. Collection methods also depend on the type of attack chosen by the attacker. Collected data will be used almost immediately.

Fraud
Main motive for phishing is financial gain. Most common fraud is misuse of credit cards. Spear phishing may also be done by rival companies or for personal revenge.

Post-Attack
Attacker covers his tracks. Tries to eliminate evidence that reveals his identity.

DECEPTION

Link Manipulation
Basic HTML and JavaScript tricks.
<a href= "www.attack.com ">www.example.com</a> www.example.com <a id=link " href= "www.example.com ">www.example.com</a> www.example.com <script type="text/javascript"> .... getElementById("link").onClick(){ window.location("http://www.attack.com"); } .... </script>

Homograph Attack
www.gmail.com www.gmai1.com

www.gmail.com www.gmaiI.com

IDN Homograph Attack

IDNs (Internationalised Domain Name) introduced in 2010 to provide l10n and i18n. www.citibank.com www.itibank.com
(http://www.xn--itibank-xjg.com)

Latin Alphabet Cyrillic Alphabet

MITIGATION

Automated Solutions
Phishing filters
User ID based Stylometry based

Banks and organizations never ask their users to resubmit their registration forms or provide usernames and passwords for verification purposes. If this fact is kept in mind, almost 50% of the phishing attacks can be mitigated.

Social Engineering
Avoid being a potential target! Never use public PCs for online transactions. Remove sensitive information from social networking sites. Adjust privacy settings properly. Use standard and secure browsers. Avoid clicking on links in emails. Type URLs manually rather than saving them as bookmarks.

Security Trust?
http or https?? SSL/TLS Security

Certificates

Security Exceptions

WHAT TO DO IF YOU GET PHISHED???

Post-Attack Measures
Immediately inform Law Enforcement Agencies without losing time. Inform the organization whose site was spoofed/forged. Inform the webmaster of the site. IMPORTANT: CONTACT THEM OFFLINE!

CONCLUSION

References
Anti-Phishing Working Group, Global Phishing Survey: Trends and Domain Name Use in 1H2012, 2012. Trend Micro, Spear-Phishing Email: Most Favored APT Attack Bait, 2011-12 PhishMe, http://www.phishme.com Indian Computer Emergency Response Team, Annual Report -2011. Indian Computer Emergency Response Team, http://www.cert-in.org.in/knowledgebase/SecurityBulletin/

Thank you!
People often represent the weakest link the security chain and are chronically responsible for the failure of security systems. Amateurs hack systems, professionals hack people. -Bruce Schneier