Contents
Introduction
Level of Threat
Spear Phishing
Life Cycle of a Phishing Attack
Deception
Mitigation
Conclusion
INTRODUCTION
Level of Threat
There were at least 93,462 unique phishing attacks worldwide, across 202 top-level domains (TLDs), in the year 2012. They make up about 10% of all cyber attacks worldwide. CERT-IN states that about 5% of all the attacks it handled in the year 2011 were phishing attacks.
Spear Phishing
Spear phishing is based on social engineering. Unlike normal phishing attacks, spear phishing attacks are targeted towards specific individuals or organizations.
Advanced persistent threat campaigns frequently make use of spear-phishing tactics because these are essential to get high-ranking targets to open phishing emails. Spear-phishing significantly raises the chances that targets will read a message that will allow attackers to compromise their networks. -Trend Micro
Spear-Phishing Email: Most Favored APT Attack Bait
Life Cycle of a Phishing Attack
(Figure: cycle diagram of the attack stages; labels recoverable from the slide: Planning, Collection, Fraud, Post-Attack)
Information gathering phase. Information can be gathered either online or offline: collection of details like email addresses, telephone numbers, account numbers, etc., and selection of an attack path. Social networking websites are a major source of information for attackers.
The methods criminals use to gather information for spear-phishing emails are surprisingly simple. The amount of free information available to the public over the Internet is staggering and a few simple searches through Google, Facebook, LinkedIn, etc., can reveal enough information to craft a well-disguised spear-phishing email. -Scott Greaux, PhishMe
Setup
Pre-attack setup by the attacker, which varies with the type of attack selected: creation of phishing emails, forging of email IDs and websites, development of Trojans and backdoors, manipulation of URLs, DNS spoofing.
Attack
The attacker poses as a legitimate organization and casts the bait. The most common methods of attack are:
Sending emails
Sending IMs (Instant Messages)
Collection
The attacker collects the data disclosed by the user. Collection methods also depend on the type of attack chosen by the attacker. Collected data will be used almost immediately.
Fraud
The main motive for phishing is financial gain. The most common fraud is misuse of credit cards. Spear phishing may also be done by rival companies or for personal revenge.
Post-Attack
The attacker covers his tracks and tries to eliminate evidence that reveals his identity.
DECEPTION
Link Manipulation
Basic HTML and JavaScript tricks. In the first trick the visible link text names one site while the href leads to another:

<a href="http://www.attack.com">www.example.com</a>

renders as: www.example.com

In the second trick the href itself is genuine, but a script replaces the navigation when the link is clicked:

<a id="link" href="http://www.example.com">www.example.com</a>

renders as: www.example.com

<script type="text/javascript">
  // Handler runs before the default navigation; it sends the browser to the attacker's site
  document.getElementById("link").onclick = function () {
    window.location = "http://www.attack.com";
    return false; // cancel the default navigation to the genuine href
  };
</script>
Homograph Attack
www.gmail.com vs. www.gmai1.com (the digit 1 replaces the letter l)
www.gmail.com vs. www.gmaiI.com (a capital I replaces the letter l)
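The two deception tricks above (link text that names a different host than the href, and look-alike hosts such as gmai1.com) can both be caught on the receiving side by inspecting the mail body. The following is an added example, not code from the original slides; the allow-list of genuine hosts, the confusable-character table and the sample mail body are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed allow-list of genuine hosts, plus the look-alike characters the page shows (1 and I for l)
KNOWN_HOSTS = {"www.gmail.com", "www.example.com"}
CONFUSABLES = str.maketrans({"1": "l", "I": "l", "0": "o"})

def host_of(url):
    """Host part of a URL, case preserved so a capital I posing as l stays visible."""
    if "://" not in url:
        url = "http://" + url  # the page's own examples omit the scheme
    return urlparse(url).netloc.rsplit("@", 1)[-1].split(":")[0]

def homograph_of(host):
    """Known host that `host` imitates, or None if it is genuine or unrelated."""
    folded = host.translate(CONFUSABLES).lower()  # swap look-alikes before lowercasing
    return folded if folded != host.lower() and folded in KNOWN_HOSTS else None

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

HOST_TEXT = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}$", re.I)  # link text that names a host

def audit_links(html):
    """Return (href, text, reason) for each anchor whose text or host is deceptive."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if HOST_TEXT.match(text) and host_of(text).lower() != target.lower():
            findings.append((href, text, "visible text names a different host than href"))
        imitated = homograph_of(target)
        if imitated:
            findings.append((href, text, "host imitates " + imitated))
    return findings

# Constructed sample mail body built from the page's own deceptive patterns
SAMPLE = ('<a href="http://www.attack.com">www.example.com</a> '
          '<a href="http://www.gmai1.com/login">Sign in</a> '
          '<a href="http://www.example.com">www.example.com</a>')
```

Running audit_links(SAMPLE) flags the first anchor for mismatched text and the second for imitating www.gmail.com; the genuine third anchor produces no finding. The JavaScript-override trick cannot be judged from the anchor alone, so mail filters typically strip or neutralise scripts in HTML mail entirely.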
MITIGATION
Automated Solutions
Phishing filters:
User ID based
Stylometry based
Banks and organizations never ask their users to resubmit their registration forms or provide usernames and passwords for verification purposes. If this fact is kept in mind, almost 50% of the phishing attacks can be mitigated.
Social Engineering
Avoid being a potential target!
Never use public PCs for online transactions.
Remove sensitive information from social networking sites.
Adjust privacy settings properly.
Use standard and secure browsers.
Avoid clicking on links in emails.
Type URLs manually rather than saving them as bookmarks.
Security Trust?
http or https? SSL/TLS security
Certificates
Security Exceptions
Post-Attack Measures
Inform Law Enforcement Agencies immediately, without losing time. Inform the organization whose site was spoofed/forged. Inform the webmaster of the site. IMPORTANT: CONTACT THEM OFFLINE!
CONCLUSION
References
Anti-Phishing Working Group, Global Phishing Survey: Trends and Domain Name Use in 1H2012, 2012.
Trend Micro, Spear-Phishing Email: Most Favored APT Attack Bait, 2011-12.
PhishMe, http://www.phishme.com
Indian Computer Emergency Response Team, Annual Report 2011.
Indian Computer Emergency Response Team, http://www.cert-in.org.in/knowledgebase/SecurityBulletin/
Thank you!
People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems. Amateurs hack systems, professionals hack people. -Bruce Schneier