PHISHING INCIDENT
RESPONSE
PLAYBOOK
Naushad
MSc in Cyber Security, PhD student. Enterprise Security Specialist with expertise in Cyber Defence, Cyber Security Operations, Threat Analysis, Incident Response, Forensic Investigations, Malware Analysis, 0-Day Hunting, Dark Web & Deep Web Threat Intelligence Analytics, SOC and Red Team Lead.
www.naushad.co.uk | || Computer Forensic Analyst || Information Security Analyst || Vulnerability Detective || Network Examiner || Digital Data Interpreter ||
|| Digital Intelligence Tactical Solutions Developer || Cyber Criminology || Criminal Science ||
Content
1. Phishing and its evolution
2. Purpose of phishing
3. Impact of phishing
4. Types of Phishing
5. Techniques used in phishing
6. Defence mechanism
7. Incident Response
PHISHING AND ITS
EVOLUTION
About phishing
■ The word “phishing” is a play on “fishing” (for passwords); “password harvesting” is also sometimes cited as its origin.
■ The “ph” spelling follows “phreaking”, the hacking of telephone systems, whose early practitioners were called “phreaks”.
■ Phishing is online pretexting: the attacker tries to obtain sensitive information from the victim while pretending to be someone else.
■ The methodology combines social engineering with technical subterfuge.
■ The basic trick is an official-looking message that leads the user to a counterfeit website and harvests sensitive information there.
Phishing Evolution
■ Began in 1995 with attackers stealing user passwords and generating fake credit card numbers to open AOL accounts from which to spam other users.
■ The word “phishing” was first recorded in 1996, in connection with the AOHell cracking tool and on Usenet.
■ Phishing proper started when attackers sent messages through AOL Instant Messenger and e-mail posing as AOL employees.
■ Hacked accounts were called “phish” in 1996.
■ By 1997 phish were traded actively between hackers as a form of electronic currency; 10 AOL phish bought a piece of hacking software or warez.
■ Phishing took off in 2004, with attackers making large sums, including from banking sites and their customers.
■ Verizon’s 2016 Data Breach Investigations Report found that around 30% of phishing messages were opened by their recipients.
Phishing attacks by category, Q1 2017
■ The financial sector received the most attacks
Spam emails with malicious attachments
■ Substantial rise in spam e-mails carrying malicious attachments
■ Spam is a nuisance and is also the primary delivery mechanism for attacks
Source: IBM X-Force Threat Intelligence Index 2017
PURPOSE AND
METHODOLOGY OF
PHISHING
Purpose of Phishing
■ Theft of identity and of users’ confidential details (personal, bank and credit card information) using forged e-mail and fake websites
– causes financial losses to users
– locks them out of their own accounts
■ Theft of trade secrets
■ Distribution of botnet and DDoS agents
– loss of productivity
– excessive resource consumption on corporate networks (bandwidth, saturated e-mail systems, etc.)
■ Attack propagation: compromise a host and install a bot for use in future attacks
■ Attackers leverage vulnerabilities in client software (mail user agents and web browsers) as well as design flaws in the targeted web applications
Prompts for opening email attachments
■ Fake invoices are the most popular disguise for malicious attachments and the most common lure for getting users to open phishing e-mails and take the bait.
Source: Symantec 2017 Internet Security Threat Report (ISTR)
Phishing emails designed to steal credentials
■ Apple IDs were the most targeted credential
Source: Proofpoint 2017 Human Factor Report
IMPACT OF PHISHING
Major financial losses
■ Fortune, 27 April 2017
– Facebook and Google were victims of a $100 million phishing scam.
– Evaldas Rimasauskas, a Lithuanian, forged e-mail addresses, invoices and corporate stamps to impersonate a large Asian manufacturer with which both firms regularly did business, and tricked them into paying for computer supplies over more than two years.
■ 2017 Global Threat Intelligence Report (GTIR) by NTT Security
– 53% of the world’s phishing attacks originated in EMEA.
■ FBI report (business e-mail compromise)
– Between October 2013 and December 2016, losses in the 22,000 incidents investigated amounted to $1.6 billion.
https://www.nttcomsecurity.com/en/gtir-2017/
https://www.forbes.com/sites/leemathews/2017/05/05/phishing-scams-cost-american-businesses-half-a-billion-dollars-a-year/#4041d0e93fa1
Cost of phishing
■ IBM Security Services reported 1.5 million cyber-attacks in 2013
■ A joint 2013 study by Symantec and the Ponemon Institute put the average total cost of a data breach to an organisation at $5,403,644
■ A 2013 UK study gave the range of total cost of a security breach as:
– small businesses: $55,000 to $100,000
– large businesses: $700,000 to $1,300,000
■ About 64% of data breaches are attributed to system problems and human mistakes
TYPES OF PHISHING
Phishing Threat
■ Phishing attacks use a mix of technical deceit and social engineering.
■ The most popular channels are e-mail, web pages, IRC and instant messaging services.
■ The phisher impersonates a source the victim trusts.
■ The trusted source can be:
– the helpdesk of their bank
– an automated support response from a retailer the user buys from
– a government site
Phases of Phishing attacks
1. A potential victim gets a phish.
2. The victim takes the suggestion in the message or banner.
3. The victim goes to the fake website, sends sensitive information, or downloads malware.
4. The stolen information is criminalised (sold on or used for fraud).
Phishing attacks
Types of Phishing attacks
Spear Phishing
• Targets a specific group of individuals or an organisation
Whaling
• Targeted at executive-level individuals
Cloning
• Duplicates a legitimate e-mail but replaces its content with a malicious attachment or links
Spear Phishing
■ Targets a particular company, organisation, group or government agency
■ First, the criminals gather inside information on their targets so that the e-mails look legitimate.
■ Personal information is obtained by hacking into an organisation’s network or from blogs and social networking sites (Facebook, LinkedIn, etc.).
■ E-mails that look like the real thing are sent to the targeted victims, offering all sorts of urgent and legitimate-sounding reasons why they need the victim’s personal data.
■ Victims are asked to click on a link in the e-mail that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, etc.
Spear Phishing e-mail
Whaling
■ The name comes from “whales”: the targets are the big fish
■ Targeted attacks against small groups of high-level executives within a single organisation, or against executive positions common to multiple organisations
■ Typically tries to steal credentials by installing malware that provides back-door functionality and keylogging
Cloning
■ A legitimate, previously delivered e-mail containing an attachment or link is used to create an almost identical e-mail.
■ The attachment or link is replaced with a malicious version and the message is sent from an address spoofed to appear to come from the original sender.
■ It may claim to be a re-send of the original or an updated version.
■ The attacker may also clone a website the victim usually visits.
■ The cloned website mimics the real one and asks for login credentials, which are then stolen.
Cloning website
PHISHING MESSAGE
DELIVERY
Phishing Methods
E-mail and Spam
■ Most phishing attacks are initiated by e-mail
■ An attacker can send specially crafted e-mails to millions of legitimate “live” addresses within a few hours
■ The address lists are normally purchased
■ E-mails are created with fake “Mail From:” headers so that any organisation can be impersonated, because SMTP itself does not authenticate the sender (SPF, DKIM and DMARC were added later to close this gap)
■ In some cases the “RCPT To:” field is also set to an e-mail address of the attacker’s choice
Techniques used within Phishing E-mails
■ Official-looking and official-sounding e-mails
– Sophisticated phishers send very legitimate-looking mail with proper syntax and structure.
■ HTML-based e-mail to obfuscate the destination URL
– Use a text colour the same as the background to hide suspect parts of the URL.
– Use a legitimate URL as the visible link text while the actual hyperlink points to the phishing URL.
– Include graphics that look like text.
Techniques used within Phishing E-mails
■ Attachments referenced within the text of the e-mail, with instructions to open the attachment in order to verify some transactional detail
– The attachments are Trojan keyloggers or other spyware
■ Anti-spam-detection inclusions
– Headers and references designed to bypass anti-spam software
– Deliberate spelling mistakes and spacing characters inside key words
■ Fake postings to popular message boards and mailing lists
■ Fake “Mail From:” addresses to fool the recipient into thinking that the e-mail has come from a legitimate source
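The header and link tricks on this slide and the previous one can be checked mechanically when a user reports a message. The following Python script is an added example and not part of the original playbook: it parses a constructed sample message, compares the Return-Path domain with the From domain, reads the receiving gateway’s SPF/DKIM/DMARC verdicts from the Authentication-Results header, and flags anchors whose visible text names one host while the href points at another. The message itself, the .example domains and the mx.corp.example verifier name are assumptions made for the example.

```python
"""Triage of a suspected phishing e-mail: header checks plus a comparison of
each link's visible text with its real target. Added example; the sample
message below is constructed, not a real phish."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. The display From claims to be the bank, but the bounce
# address and the gateway's authentication results say otherwise, and the
# first link shows the bank's URL while pointing somewhere else.
SAMPLE_EML = """\
Return-Path: <bulk-42@mailer.evil.example>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mailer.evil.example; dkim=none; dmarc=fail header.from=mybank.example
From: "MyBank Security" <alerts@mybank.example>
To: victim@corp.example
Subject: Your online banking profile needs to be updated
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please visit <a href="http://mybank.example.evil.example/login">https://www.mybank.example/ebanking</a>
to confirm your account within 24 hours.</p>
<p>Or read <a href="https://www.mybank.example/help">our help page</a>.</p>
</body></html>
"""


def addr_domain(value):
    """Domain of the first address in a header value, lower-cased ('' if none)."""
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(value):
    """Extract method=result pairs (spf, dkim, dmarc) from Authentication-Results."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value or ""), re.I)
    return {m.lower(): r.lower() for m, r in pairs}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Host part of a URL; a bare 'www.x' string is treated as http://www.x."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    return re.match(r"^(https?://|www\.)", text, re.I) is not None


def triage(raw_message):
    """Return the From domain, a list of findings and an overall suspicious flag."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_dom = addr_domain(msg["From"])
    rp_dom = addr_domain(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # Only meaningful if our own gateway wrote this header; see the note below.
    results = auth_results(msg["Authentication-Results"])
    for method in ("spf", "dkim", "dmarc"):
        if results.get(method) != "pass":
            findings.append(f"{method}={results.get(method, 'missing')}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            if looks_like_url(text) and host_of(text) != host_of(href):
                findings.append(f"link shows {host_of(text)} but points at {host_of(href)}")

    return {"from_domain": from_dom, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print("-", line)
```

Run as a script it lists the findings for the sample; in practice the input is the reported message saved as an .eml file. The Authentication-Results check is only trustworthy when your own gateway added the header: an attacker can include a forged one, so gateways that do authentication strip or rename any pre-existing copies before adding their own.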
Techniques used within Phishing E-mails
■ Use of font differences
– A font in which certain lowercase and uppercase characters look alike, so that a key word reads correctly on screen but does not match anti-spam keyword filters
– Example: uppercase “I” substituted for lowercase “l”, and the digit zero for uppercase “O”
■ Use of credit card digits
– The first four digits of a credit card number (which identify the issuer and are shared by many cards) are quoted instead of the last four, which are unique, to convince customers the mail is intended for them
■ Use of the local language
Characteristics of Phishing email
■ The content is intended to trigger a quick reaction from the user
■ Uses upsetting or exciting information, demands an urgent response, or employs a false pretence or statement
■ Phishing messages are normally not personalised
■ Typically the message asks the user to “update”, “validate” or “confirm” account information or face dire consequences
■ The message may even ask the user to make a phone call
■ Often the message or website includes official-looking logos and other identifying information taken directly from legitimate websites
Spotting a phishing email
https://techviral.net/wp-content/uploads/2016/07/Identify-phishing-emails.jpg
Typical Phishing email Messages
■ E-mail Money Transfer Alert: Please verify this payment information below
■ It has come to our attention that your online banking profile needs to be updated as part of our continuous efforts to protect your account and reduce instances of fraud
■ Dear Online Account Holder, Access To Your Account Is Currently Unavailable
■ Important Service Announcement from , You have 1 unread Security Message!
■ We regret to inform you that we had to lock your bank account access. Call (telephone number) to restore your bank account.
Web-based Delivery
■ Another popular method of conducting phishing attacks is through malicious website content
■ HTML-disguised links placed within popular websites and message boards
■ Third-party supplied, or fake, banner advertising graphics that lure customers to the phisher’s website
■ Web bugs (hidden items within the page, such as a zero-sized image) that track a potential phishing victim
■ Pop-up or frameless windows that disguise the true source of the phisher’s message
■ Malicious content embedded in a web page that exploits a known vulnerability in the customer’s browser to install software of the phisher’s choice
■ Disguising the true source of the fake website by exploiting cross-site scripting flaws in a trusted website
PayPal phishing flow
https://umbrella.cisco.com/blog/blog/2015/02/11/paypal-phishing-sophistication-growing/
Phishing using Paypal account
PayPal fake site (screenshots: real site vs fake site)
https://umbrella.cisco.com/blog/blog/2015/02/11/paypal-phishing-sophistication-growing/
Spoofing an Apple ID Verification page
https://umbrella.cisco.com/blog/blog/2015/02/11/paypal-phishing-sophistication-growing/
Phishing Warning Posters
Phishing Attack Vectors
■ Man-in-the-middle attacks
■ URL obfuscation attacks
■ Cross-site scripting attacks
■ Preset session attacks
■ Observing customer data
■ Client-side vulnerability exploitation
Man-in-the-middle Attacks
■ A man-in-the-middle attack is used to gain control of customer information and resources.
■ The attacker sits between the customer and the real web application and proxies all communication between the two.
■ The attacker can therefore observe every transaction, including credentials and session tokens, and, because everything passes through the proxy, can also alter it.
■ Methods used to direct the customer to the proxy instead of the real server:
– transparent proxies
– DNS cache poisoning
– URL obfuscation
– browser proxy configuration
URL Obfuscation Attacks
■ Make the user follow a hyperlink (URL) to the attacker’s server without realising that they have been duped
■ The most common methods of URL obfuscation:
– bad domain names (look-alike or brand-containing domains under the attacker’s control)
– friendly login URLs (the real site’s name placed in the user-info part before “@”, so the browser actually connects to the host that follows it)
– third-party shortened URLs
– host name obfuscation (the host written as a decimal, hex or octal IP address, or with encoded characters)
– URL obfuscation (encoded or unusually formatted paths and parameters)
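Each of the methods above leaves a mechanical tell that a triage script can surface. The Python below is an added example, not code from the original slides: it decodes decimal, hex and octal host spellings into the dotted-quad the browser will really connect to, exposes the user-info trick behind “friendly login” URLs, shows punycode hosts in their Unicode form, notes well-known shorteners, and flags a brand name that appears in a URL whose host is not under the brand’s domain. The .example hosts, the shortener list and the expected_domain parameter are assumptions made for the example.

```python
"""Decode the URL obfuscation techniques listed above. Added example; the
URLs used here are constructed with reserved .example names."""
import ipaddress
import re
from urllib.parse import unquote, urlparse

# Illustrative and deliberately incomplete list of public URL shorteners.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def decode_numeric_host(host):
    """Return the dotted-quad for decimal, hex, octal or mixed IP spellings
    (the forms inet_aton and browsers accept); otherwise return host unchanged."""
    h = host.lower()
    try:
        if re.fullmatch(r"0x[0-9a-f]+", h):            # http://0xC0A80101/
            return str(ipaddress.IPv4Address(int(h, 16)))
        if re.fullmatch(r"\d+", h):                    # http://3232235777/
            return str(ipaddress.IPv4Address(int(h, 10)))
        parts = h.split(".")                           # http://0xC0.0250.1.1/
        if len(parts) == 4 and all(re.fullmatch(r"0x[0-9a-f]+|0[0-7]*|[1-9]\d*", p) for p in parts):
            octets = []
            for p in parts:
                if p.startswith("0x"):
                    octets.append(int(p, 16))
                elif len(p) > 1 and p.startswith("0"):
                    octets.append(int(p, 8))           # a leading zero means octal
                else:
                    octets.append(int(p))
            return str(ipaddress.IPv4Address(bytes(octets)))  # ValueError if an octet > 255
    except ValueError:
        pass                                           # not a valid numeric host after all
    return h


def decode_idn(host):
    """Unicode form of a punycode (xn--) host, so homograph look-alikes are visible."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def analyse(url, expected_domain):
    """Flag the obfuscation techniques present in url, given the brand's real domain."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    flags = []
    if p.username is not None:                         # "friendly login URL"
        flags.append(f"user-info '{p.username}' before @ hides the real host {host}")
    decoded = decode_numeric_host(host)
    if decoded != host:                                # host name obfuscation
        flags.append(f"numeric host {host} is {decoded}")
        host = decoded
    if "xn--" in host:
        flags.append(f"punycode host {host} displays as {decode_idn(host)}")
    if host in SHORTENERS:
        flags.append(f"shortened URL via {host}")
    under_brand = host == expected_domain or host.endswith("." + expected_domain)
    if not under_brand and expected_domain in unquote(url).lower():   # bad domain name
        flags.append(f"'{expected_domain}' appears in the URL but the host is {host}")
    return {"host": host, "flags": flags}


if __name__ == "__main__":
    for u in ("http://mybank.example:ebanking@evilsite.example/login",
              "http://3232235777/ebanking",
              "https://www.mybank.example.evil.example/login",
              "https://secure.mybank.example/login"):
        print(u, "->", analyse(u, "mybank.example"))
```

Note that the user-info trick is now blocked or warned about by most browsers, and some strip the numeric forms in the address bar; the decoder is still useful for mail-gateway and log analysis, where no browser normalisation has happened yet.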
Real & Fake (issued by BOA for their clients)
Real / Fake (side-by-side screenshots)
Fields marked with ‘%’ are template placeholders that are filled in with personal information to customise each e-mail.
Cross-site Scripting Attacks (CSS or XSS)
■ Make use of a custom URL, or of code injected into a valid web application URL or embedded data field.
■ The customer receives the following URL in a phisher’s e-mail:
http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm
■ The customer really is directed to, and connected to, the real MyBank web application, but because of poor application coding the e-banking component accepts an arbitrary value for the URL parameter and inserts it into the returned page.
■ Instead of the page embedding MyBank’s own authentication form, it now references a page under the attacker’s control on an external server, while the browser address bar still shows mybank.com.
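The MyBank flaw above is a URL parameter written into the page without validation (an open redirect or frame injection, depending on where the value lands). The Python below is an added example, not code from the original slides or from any real bank: a render_vulnerable function that behaves as the slide describes, beside a safe_target/render_hardened pair that accepts only allow-listed same-site paths and HTML-escapes the value before it reaches the attribute. The mybank.example host, the allow-list and the function names are assumptions.

```python
"""The MyBank ?URL= flaw as a vulnerable handler and a hardened one. Added
example; the site root, the allow-list and the default target are assumptions."""
from html import escape
from urllib.parse import urljoin, urlsplit

SITE_ROOT = "https://mybank.example/"
ALLOWED_PREFIXES = ("/ebanking/", "/help/")
DEFAULT_TARGET = "/ebanking/login"


def render_vulnerable(url_param):
    """What the slide describes: the parameter is dropped straight into the page,
    so the login frame can be made to load from an external server."""
    return f'<iframe src="{url_param}"></iframe>'


def safe_target(url_param, default=DEFAULT_TARGET):
    """Return a same-site path from the allow-list, or the default target.

    Rejects absolute URLs, protocol-relative //host URLs, javascript: and any
    other scheme, backslashes (browsers treat them as slashes) and ../ escapes
    out of the allowed area."""
    if not url_param:
        return default
    parts = urlsplit(url_param.strip())
    if parts.scheme or parts.netloc:
        return default
    path = parts.path
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return default
    resolved = urlsplit(urljoin(SITE_ROOT, path)).path   # normalises ../ segments
    if not resolved.startswith(ALLOWED_PREFIXES):
        return default
    return resolved + (f"?{parts.query}" if parts.query else "")


def render_hardened(url_param):
    """Validate first, then HTML-escape so the value cannot break out of the attribute."""
    return f'<iframe src="{escape(safe_target(url_param), quote=True)}"></iframe>'


if __name__ == "__main__":
    evil = "http://evilsite.example/phishing/fakepage.htm"
    print("vulnerable:", render_vulnerable(evil))
    print("hardened:  ", render_hardened(evil))
```

The allow-list is the important part: escaping alone stops attribute break-out but would still let the page frame an external login form, which is exactly the phishing outcome the slide describes.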
Preset Session Attacks
■ The phishing message contains a web link to the real application server, but the link also carries a predefined SessionID.
■ The attacker’s system constantly polls the application server for a restricted page using the preset SessionID.
■ The attacker waits until a recipient follows the link and authenticates; the session identified by the preset SessionID is now logged in.
■ Once authenticated, the application server allows any connection presenting that SessionID to access restricted content.
■ The attacker uses the preset SessionID to access a restricted page and carry out the attack.
■ This only works if the application accepts a client-supplied session identifier and does not issue a fresh one after login (session fixation).
Preset Session Attacks
• The phisher has e-mailed potential MyBank customers a fake message containing the URL https://mybank.com/ebanking?session=3V1L5e5510N&Login=True, which carries the preset SessionID 3V1L5e5510N.
• The attacker polls the MyBank server every minute for a restricted page that allows customer fund transfers (https://mybank.com/ebanking?session=3V1L5e5510N&Transfer=True).
• After the customer authenticates, the SessionID becomes valid and the phisher can access the fund transfer page.
Observing Customer Data
■ The attacker uses key-loggers and screen-grabbers to observe confidential customer data as it is entered into a web-based application
■ Key-loggers observe and record every key pressed by the customer
■ Screen-grabbers take screenshots of data that has been entered into a web-based application, which also captures what an on-screen keyboard was used to enter
Client-side Vulnerability Exploitation
■ The attacker exploits the browser to gain access to, or observe, the customer’s confidential information.
■ Browser add-ons such as Flash, RealPlayer and other embedded applications add further opportunities for attack.
■ Example
– A vulnerability existed in Microsoft Windows Media Player that was exploitable through scripting in Microsoft Internet Explorer. It allowed remote servers to read local files, browse directories and finally execute arbitrary software.
– The problem lay in the way Media Player downloaded customised skins and where it stored them.
DEFENCE MECHANISMS TO
COMBAT PHISHING
ATTACKS
Defence Mechanisms
■ A mix of information security technologies and techniques is required.
■ Techniques need to be deployed at three locations:
1. The client side: the user’s PC.
2. The server side: the business’s Internet-visible systems and custom applications.
3. Enterprise level: distributed technologies and third-party managed services.
Client-side
■ Desktop protection technologies:
– antivirus, anti-spam, personal firewall, spyware detection, etc.
■ Avoid HTML-rendering e-mail clients, or disable remote content and scripting in them, so that embedded scripting elements cannot be triggered by a click.
■ Use appropriate communication settings
■ Use application-level monitoring solutions
Client-side
■ Locking down browser capabilities
– The browser needs to be configured securely
– Extended facilities should be avoided, as these are what gets exploited
– Disable all pop-up window functionality
– Disable Java runtime support
– Disable ActiveX support
– Disable all multimedia and auto-play/auto-execute extensions
– Prevent the storage of non-secure cookies
– Ensure that downloads cannot be run automatically from the browser
– Use anti-phishing plugins
Client-side
■ Digital signing and validation of e-mail
– Ensures that mail received is from a known source and was not altered in transit
■ General security vigilance
– Carefully inspect e-mail content as per the guidelines in the previous slides
– Do not respond to HTML e-mail with embedded submission forms
– Avoid e-mailing personal and financial information; only enter it on sites that show the browser’s lock icon, and remember that the lock only proves an encrypted connection to the host named in the address bar, not that the host is the bank
– For sites that indicate they are secure, review the SSL/TLS certificate and ensure that it was issued by a trusted certificate authority for the expected domain
– Certificate information can be viewed by clicking the lock icon (in the address bar of current browsers, at the bottom of the window in older ones) or via the page properties
– Review credit card and bank account statements for any unauthorised charges
Server-side
■ Building intelligent anti-phishing techniques into the organisation’s web application security
■ Developing internal processes to combat phishing vectors and educating customers
■ Improving customer awareness
– Repeatedly and consistently inform all users and customers of the dangers of phishing attacks and what preventative actions are available
– Provide easy reporting of phishing scams noticed or fraudulent e-mails received
– Establish the company’s security policy and enforce it strictly
– Respond quickly to phishing scams once identified
Server-side
■ Providing validation information for official communications
– This will help in identifying phishing attacks
– Try to send only personalized emails
– Referencing previous mail to instill trust
– Use digital signatures where feasible
■ Ensuring that the Internet web application is securely developed and doesn’t include
easily exploitable attack vectors
– Strong implementation of content validation processes
– Never present submitted data directly back to an application user without sanitizing
it first.
– Always sanitize data before processing or storing it.
– Replace HTML characters that can be exploited with safe (escaped) characters.
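The three rules above (validate content, never reflect submitted data without sanitizing it, replace exploitable HTML characters with safe ones) in working form. This is an added example, not code from the deck or its author; the form field, the allow-list pattern and the submitted value are all constructed for illustration. The unsafe renderer is kept only as the contrast the slide warns against.

```python
import html
import re

# Constructed sample of what a profile form might submit; not from the original deck.
# It carries markup so the difference between the two renderers is visible.
SUBMITTED_DISPLAY_NAME = 'Alice <img src=x onerror="alert(1)">'

# Allow-list validation (hypothetical policy): a display name may contain letters,
# digits, spaces and a few punctuation characters, up to 64 characters. Anything else
# is rejected before it is processed or stored.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 .,'\-]{1,64}$")


def validate_display_name(value: str) -> bool:
    """Return True only if the value matches the allow-list pattern."""
    return bool(DISPLAY_NAME_RE.fullmatch(value))


def render_greeting_unsafe(name: str) -> str:
    """The pattern the slide warns against: submitted data reflected straight into HTML.
    Kept here only to show the contrast; never use this form."""
    return f"<p>Welcome back, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """Escape the value so the browser treats it as text, never as markup.
    html.escape replaces <, >, &, " and ' with their entity forms."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}</p>"


def handle_profile_update(name: str) -> dict:
    """Validate first, then emit only escaped output (the deck's sanitize-before-use rule).
    A rejected value is never echoed back, not even escaped; a neutral fallback is used."""
    if not validate_display_name(name):
        return {"accepted": False, "html": render_greeting_safe("customer")}
    return {"accepted": True, "html": render_greeting_safe(name)}
```

Validation and escaping are separate controls: the allow-list stops bad data at the boundary, and escaping protects the page even for values that passed validation (an apostrophe in "O'Brien" is legitimate input and is still encoded on output).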
Server-side
■ Using strong token-based authentication systems
– A minimum two-phase login process should be used
– Provide anti-key-logging measures such as an on-screen keyboard
– Use personalized content to identify fake websites
– Keep naming systems simple and understandable
– Keep the authentication process simple
– Use one-time passwords or token-based authentication.
■ Use simple DNS naming system that can be easily identified by customer/user
– Use only the root domain
– Automatically redirect regional or other registered domain names to the main corporate
domain.
– Never keep session information in a URL format
– Use host names that represent the nature of the web-based application.
– For example: https://secure.mybank.com instead of https://www.mybank.com
Enterprise Level
■ Automatic validation of sending e-mail server addresses
■ Digital signing of e-mail services
■ Monitoring of corporate domains and notification of “similar” registrations
■ Perimeter or gateway protection agents
– To monitor and control both inbound and outbound communications to identify
malicious phishing content
■ Third-party managed services
– Can analyze e-mail messages delivered at a global level, and identify common
threads between malicious e-mail
– Agent-based bots to monitor URLs and web content from remote sites, actively
searching for all instances of an organization’s logo, trademark, or unique web
content
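The "monitoring of corporate domains and notification of similar registrations" bullet above, and the Prepare-phase advice later in the deck to keep a list of all Internet domains the company owns, can be combined into a small screening routine. This is an added example, not code from the deck or its author; the owned domains, the registration feed and the confusable-character table are constructed for illustration, and the second-level-label helper assumes single-part public suffixes (it does not handle suffixes such as co.uk).

```python
# Constructed list of domains the organisation owns; hypothetical names.
OWNED_DOMAINS = ["mybank.com", "secure.mybank.com"]

# Constructed feed of newly observed registrations to screen; hypothetical names.
NEW_REGISTRATIONS = [
    "mybank.com",        # our own domain, must not be flagged
    "my-bank.com",       # hyphen insertion
    "mybanc.com",        # one-letter substitution
    "rnybank.com",       # 'rn' renders much like 'm'
    "mybank-login.net",  # brand plus keyword
    "example.org",       # unrelated
]

# Characters and digraphs commonly confused with each other in an address bar.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(label: str) -> str:
    """Map confusable characters onto a canonical form and drop hyphens."""
    label = label.lower().replace("-", "")
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'mybank' for 'secure.mybank.com'.
    Assumption: single-part public suffixes only (co.uk-style suffixes are not handled)."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(candidate: str, owned=OWNED_DOMAINS, max_distance: int = 1) -> str:
    """Return 'owned', 'lookalike' or 'unrelated' for one observed domain."""
    if candidate.lower() in {d.lower() for d in owned}:
        return "owned"
    brands = {registrable_label(d) for d in owned}
    cand = normalise(registrable_label(candidate))
    for brand in brands:
        if brand in cand:                               # brand embedded, e.g. mybank-login
            return "lookalike"
        if edit_distance(cand, normalise(brand)) <= max_distance:
            return "lookalike"
    return "unrelated"


def screen(feed=NEW_REGISTRATIONS):
    """Return only the lookalikes, ready for the notification/take-down queue."""
    return [d for d in feed if classify(d) == "lookalike"]
```

Normalising both sides before comparing is what catches the "rn" for "m" substitution; a plain edit-distance check on the raw labels would score "rnybank" two edits away from "mybank" and miss it at the threshold used here.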
INCIDENT RESPONSE
Incident Response
Prepare
Detect
Analyze
Contain
Eradicate
Recover
■ Most important part of the security system
Prepare
■ Identify the IT security manager responsible and publish their contact details and e-mail
address for incident reporting to all staff and customers
■ Ensure that the IT manager selected is trained in handling phishing
■ Prepare an internal escalation list, including names, contact information, and responsibilities
for all staff involved in incident response and management
■ Create a method for users to inform the security manager immediately, by e-mail as well
as phone, about an incident.
■ The IT manager needs to check the mailbox regularly for any urgent messages.
■ Keep a list of contact information for external resources that may be involved in handling
incident response, for ready reference.
■ Keep list of all Internet domains owned by the company
■ Prepare informational web page that warns partners and customers about an active
phishing attack
Detect
■ On receiving information about an incident, the IT manager should obtain all phishing
e-mails or URLs from the user
■ These e-mails, URLs and any other information provided need to be investigated as a
priority
■ As standard practice the IT manager needs to keep watch on:
– E-mails flagged by various filters
– Non-returnable and non-deliverable e-mails (bounces)
– Notification by third parties of suspicious e-mails
– Emails linked to internal and external URLs
– Notification from ISP and law enforcement agencies about emails
– Suspicious activity on organization’s web site.
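A first-pass triage of a user-reported message, covering the Detect steps above (obtain the reported e-mail, investigate it as a priority) and the Enterprise-level bullet on automatic validation of sending e-mail server addresses, which in practice means reading the gateway's SPF/DKIM/DMARC verdicts. This is an added example, not code from the deck or its author; the raw message, every header value, the URL and the owned-domain set are all constructed for illustration.

```python
import email
import re
from email import policy

# Constructed raw message, as a user might forward it to the security mailbox.
# Every header value, address and URL here is invented for the example.
REPORTED_MESSAGE = b"""\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mybank-alerts.net; dkim=none; dmarc=fail header.from=mybank.com
From: "MyBank Security" <alerts@mybank.com>
Reply-To: verify@mybank-alerts.net
To: customer@example.com
Subject: Urgent: confirm your account
Content-Type: text/plain; charset=utf-8

Your account will be locked. Confirm at http://secure-mybank-login.net/verify now.
"""

# Hypothetical set of domains the organisation owns (the deck's "list of all Internet
# domains owned by the company").
OWNED_DOMAINS = {"mybank.com"}
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def auth_results(header: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header value."""
    verdicts = {}
    for mechanism in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mechanism}=(\w+)", header, re.IGNORECASE)
        if m:
            verdicts[mechanism] = m.group(1).lower()
    return verdicts


def addr_domain(value: str) -> str:
    """Domain part of an address header value, lower-cased ('' if absent)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value)
    return m.group(1).lower() if m else ""


def is_owned(host: str) -> bool:
    """True if the host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)


def triage(raw: bytes) -> dict:
    """Extract the indicators a responder wants first: authentication verdicts,
    From/Reply-To mismatch, and link hosts outside the organisation's domains."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = auth_results(str(msg.get("Authentication-Results", "")))
    from_domain = addr_domain(str(msg.get("From", "")))
    reply_domain = addr_domain(str(msg.get("Reply-To", "")))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    link_hosts = sorted({h.lower() for h in URL_HOST_RE.findall(body)})

    indicators = []
    if verdicts.get("spf") == "fail" or verdicts.get("dmarc") == "fail":
        indicators.append("sender authentication failed")
    if reply_domain and reply_domain != from_domain:
        indicators.append("reply-to domain differs from from domain")
    if from_domain in OWNED_DOMAINS and any(not is_owned(h) for h in link_hosts):
        indicators.append("claims our brand but links to a non-owned host")

    return {
        "auth": verdicts,
        "from_domain": from_domain,
        "reply_domain": reply_domain,
        "link_hosts": link_hosts,
        "indicators": indicators,
        # Two or more independent indicators: escalate ahead of the routine queue.
        "priority": "high" if len(indicators) >= 2 else "review",
    }
```

The Authentication-Results header is only trustworthy when it was written by your own gateway (the `mx.example.com` authserv-id here), so a production version should discard any copy of that header that names a different server before reading the verdicts.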
Analyze
■ Once detected, the suspicious activity should be analyzed using available tools or
external help, as the case may be.
■ Once the suspicious activity is confirmed to be a phishing-related attack, it should be
categorized according to the threat it poses to the organization
■ Use various means, including logs and tools, to gather information and analyze it to identify:
– The protected information that has been compromised
– The information exposed
– Users, customers or members of the public likely to be exposed
– Who might have launched the activity
– Who else has knowledge of this activity
– The worst-case impact on the system
– Whether it can be exploited for any criminal activity
Contain
■ Identify the systems affected and how widespread the attack is.
■ Isolate the systems, including users or servers, affected by the attack
■ Inform all users of the problem and the immediate actions they need to take to
contain the attack
Eradicate
■ Use appropriate tools to rid the system of malware etc. installed during the
attack
■ Install patches, update rules and modify content filters to avoid the problem in future
■ Test the system to ensure the problem does not occur again
■ Modify or change the affected system/site/network
■ Co-ordinate with ISP to initiate counter measures
■ Co-ordinate with any third party to take down the site if required
■ Add problem to incident database along with all details for future reference
Recover
■ Update the system, firewall and IDS, and remove temporary containment
■ Wipe and baseline the system
■ Update the system with fresh signatures
■ Prepare a detailed advisory and publicize it widely to avoid such attacks in future.
■ Review the incident in detail
■ Update policy and processes
■ Document problem and actions taken including policy changes, process modifications
and configuration changes.
■ Get ready for any new attack
THANK YOU
www.naushad.co.uk | || Computer Forensic Analyst || Information SecurityAnalyst ||Vulnerability Detective ||
Network Examiner || Digital Data Interpreter ||

Weitere Àhnliche Inhalte

Was ist angesagt?

Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat IntelligenceSirius
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceTom K
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewCamilo Fandiño Gómez
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence pptKumar Gaurav
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingWilliam Mann
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 
Road map for actionable threat intelligence
Road map for actionable threat intelligenceRoad map for actionable threat intelligence
Road map for actionable threat intelligenceabhisheksinghcs
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligencePrachi Mishra
 

Was ist angesagt? (20)

Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General Audience
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence ppt
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
IBM Security QRadar
 IBM Security QRadar IBM Security QRadar
IBM Security QRadar
 
Road map for actionable threat intelligence
Road map for actionable threat intelligenceRoad map for actionable threat intelligence
Road map for actionable threat intelligence
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 

Ähnlich wie Phishing Incident Response Playbook

Learning from Verizon 2017 Data Breach Investigations Report – The New Targets
Learning from Verizon 2017 Data Breach Investigations Report – The New TargetsLearning from Verizon 2017 Data Breach Investigations Report – The New Targets
Learning from Verizon 2017 Data Breach Investigations Report – The New TargetsUlf Mattsson
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSRandall Chase
 
eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...
eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...
eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...Netpluz Asia Pte Ltd
 
Cyberattacks.pptx
Cyberattacks.pptxCyberattacks.pptx
Cyberattacks.pptxSonakshiMundra
 
Cybersecurity Risk from User Perspective
Cybersecurity Risk from User PerspectiveCybersecurity Risk from User Perspective
Cybersecurity Risk from User PerspectiveAvinantaTarigan
 
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017SurfWatch Labs
 
Cybercrime and Cybersecurity Governance: A Kenyan Perspective
Cybercrime and Cybersecurity Governance: A Kenyan PerspectiveCybercrime and Cybersecurity Governance: A Kenyan Perspective
Cybercrime and Cybersecurity Governance: A Kenyan PerspectiveIvan Sang
 
5 Cybersecurity threats in Public Sector
5 Cybersecurity threats in Public Sector5 Cybersecurity threats in Public Sector
5 Cybersecurity threats in Public SectorSeqrite
 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbersAPNIC
 
106 Threat defense and information security development trends
106 Threat defense and information security development trends106 Threat defense and information security development trends
106 Threat defense and information security development trendsSsendiSamuel
 
Failed Ransom: How IBM XGS Defeated Ransomware
Failed Ransom: How IBM XGS Defeated RansomwareFailed Ransom: How IBM XGS Defeated Ransomware
Failed Ransom: How IBM XGS Defeated RansomwareIBM Security
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hackingijtsrd
 
Cisco Connect 2018 Malaysia - Risk less, achieve more with proactive security
Cisco Connect 2018 Malaysia - Risk less, achieve more with proactive securityCisco Connect 2018 Malaysia - Risk less, achieve more with proactive security
Cisco Connect 2018 Malaysia - Risk less, achieve more with proactive securityNetworkCollaborators
 
The Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think like a Cybercriminal to Reduce RiskThe Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think like a Cybercriminal to Reduce RiskBeyondTrust
 
Module 1- Introduction to Cybercrime.pptx
Module 1- Introduction to Cybercrime.pptxModule 1- Introduction to Cybercrime.pptx
Module 1- Introduction to Cybercrime.pptxnikshaikh786
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the CloudGGV Capital
 

Ähnlich wie Phishing Incident Response Playbook (20)

Learning from Verizon 2017 Data Breach Investigations Report – The New Targets
Learning from Verizon 2017 Data Breach Investigations Report – The New TargetsLearning from Verizon 2017 Data Breach Investigations Report – The New Targets
Learning from Verizon 2017 Data Breach Investigations Report – The New Targets
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
 
Cybersecurity.pptx
Cybersecurity.pptxCybersecurity.pptx
Cybersecurity.pptx
 
eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...
eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...
eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...
 
Cyberattacks.pptx
Cyberattacks.pptxCyberattacks.pptx
Cyberattacks.pptx
 
Cybersecurity Risk from User Perspective
Cybersecurity Risk from User PerspectiveCybersecurity Risk from User Perspective
Cybersecurity Risk from User Perspective
 
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017
 
Cybercrime and Cybersecurity Governance: A Kenyan Perspective
Cybercrime and Cybersecurity Governance: A Kenyan PerspectiveCybercrime and Cybersecurity Governance: A Kenyan Perspective
Cybercrime and Cybersecurity Governance: A Kenyan Perspective
 
5 Cybersecurity threats in Public Sector
5 Cybersecurity threats in Public Sector5 Cybersecurity threats in Public Sector
5 Cybersecurity threats in Public Sector
 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbers
 
106 Threat defense and information security development trends
106 Threat defense and information security development trends106 Threat defense and information security development trends
106 Threat defense and information security development trends
 
Failed Ransom: How IBM XGS Defeated Ransomware
Failed Ransom: How IBM XGS Defeated RansomwareFailed Ransom: How IBM XGS Defeated Ransomware
Failed Ransom: How IBM XGS Defeated Ransomware
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Cisco Connect 2018 Malaysia - Risk less, achieve more with proactive security
Cisco Connect 2018 Malaysia - Risk less, achieve more with proactive securityCisco Connect 2018 Malaysia - Risk less, achieve more with proactive security
Cisco Connect 2018 Malaysia - Risk less, achieve more with proactive security
 
The Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think like a Cybercriminal to Reduce RiskThe Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
 
Module 1- Introduction to Cybercrime.pptx
Module 1- Introduction to Cybercrime.pptxModule 1- Introduction to Cybercrime.pptx
Module 1- Introduction to Cybercrime.pptx
 
Cyber of things 2.0
Cyber of things 2.0Cyber of things 2.0
Cyber of things 2.0
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
 
CYBER THREAT FORCAST 2016
CYBER THREAT FORCAST 2016 CYBER THREAT FORCAST 2016
CYBER THREAT FORCAST 2016
 
CYBER THREAT FORCAST 2016
CYBER THREAT FORCAST 2016 CYBER THREAT FORCAST 2016
CYBER THREAT FORCAST 2016
 

KĂŒrzlich hochgeladen

Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >àŒ’8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >àŒ’8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >àŒ’8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >àŒ’8448380779 Escort ServiceDelhi Call girls
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.soniya singh
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...Escorts Call Girls
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
Call Girls Service Chandigarh Lucky ❀ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❀ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❀ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❀ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...tanu pandey
 
CALL ON ➄8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➄8923113531 🔝Call Girls Lucknow Lucknow best sexual service OnlineCALL ON ➄8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➄8923113531 🔝Call Girls Lucknow Lucknow best sexual service Onlineanilsa9823
 
â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
All Time Service Available Call Girls Mg Road 👌 ⏭ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭ 6378878445ruhi
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.soniya singh
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 

KĂŒrzlich hochgeladen (20)

Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >àŒ’8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >àŒ’8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >àŒ’8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >àŒ’8448380779 Escort Service
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
Call Girls Service Chandigarh Lucky ❀ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❀ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❀ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❀ 7710465962 Independent Call Girls In C...
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine Service

Phishing Incident Response Playbook

• 1. PHISHING INCIDENT RESPONSE PLAYBOOK
Naushad, MSc in Cyber Security, Ph.D Student. Enterprise Security Specialist with expertise in Cyber Defence, Cyber Security Operations, Threat Analysis, Incident Response, Forensic Investigations, Malware Analysis, 0-Day Hunter, Dark Web & Deep Web Threat Intelligence Analytics, SOC and Red Team Lead.
www.naushad.co.uk | || Computer Forensic Analyst || Information Security Analyst || Vulnerability Detective || Network Examiner || Digital Data Interpreter || || Digital Intelligence Tactical Solutions Developer || Cyber Criminology || Criminal Science ||
• 2. Content
1. Phishing and its evolution
2. Purpose of phishing
3. Impact of phishing
4. Types of phishing
5. Techniques used in phishing
6. Defence mechanisms
7. Incident response
• 4. About phishing
■ The word "phishing" comes from "fishing" (for passwords); the expansion "password harvesting" is sometimes also given.
■ The "ph" is borrowed from "phreaking", the hacking of telephone systems, whose early practitioners were called "phreaks".
■ Phishing is online pretexting: the attacker poses as someone the victim trusts in order to obtain sensitive information.
■ The methodology combines social engineering with technical subterfuge.
■ The basic trick is an official-looking message that steers the user to a counterfeit website, which then harvests the information the user enters.
• 5. Phishing Evolution
■ Started in 1995 with attackers stealing user passwords and generating randomised credit-card numbers to open AOL accounts from which to spam other users.
■ The word "phishing" was first recorded in 1996, in a Usenet newsgroup post about AOL, around the AOHell tool that automated this abuse.
■ Real phishing attacks started when attackers sent messages through AOL Instant Messenger and e-mail posing as AOL employees.
■ Hacked accounts were called "phish" by 1996.
■ By 1997 phish were traded actively between hackers as a form of electronic currency: 10 AOL phish bought a piece of hacking software or warez.
■ Phishing took off in a big way in 2004, with attackers making large sums from banking sites and their customers.
■ Phishing remains one of the most effective social-engineering vectors: Verizon's 2016 Data Breach Investigations Report found that roughly 30% of phishing messages were opened by their recipients.
• 6. Phishing attacks by category, Q1 2017
■ The financial sector attracted the most attacks.
• 7. Spam e-mails with malicious attachments
■ Substantial rise in spam e-mails carrying malicious attachments.
■ Spam is a nuisance, but it is also the primary delivery mechanism for attacks.
Source: IBM Threat Intelligence Index 2017
• 9. Purpose of Phishing
■ Theft of identity and users' confidential details (personal, bank and credit-card information) through forged e-mail and fake websites
– Causes financial losses to users
– Locks them out of their own accounts
■ Theft of trade secrets
■ Distribution of botnet and DDoS agents
– Loss of productivity
– Excessive resource consumption on corporate networks (bandwidth, saturated e-mail systems, etc.)
■ Attack propagation: compromise a host and install a bot for use in future attacks
■ Attackers leverage vulnerabilities in client software (mail user agents and web browsers) as well as design flaws in the targeted web applications.
• 10. Prompts for opening e-mail attachments
■ Fake invoices are the most popular disguise for malicious attachments, and the most effective at tricking users into opening phishing e-mails and taking the bait.
Source: Symantec 2017 Internet Security Threat Report (ISTR)
• 11. Phishing e-mails designed to steal credentials
■ Apple IDs were the most-targeted credentials.
Source: Proofpoint 2017 Human Factor Report
• 13. Major financial losses
■ Fortune, 27 April 2017
– Facebook and Google were victims of a $100 million phishing scam.
– Evaldas Rimasauskas, a Lithuanian, forged e-mail addresses, invoices and corporate stamps to impersonate a large Asia-based manufacturer with which both firms regularly did business, and tricked them into paying for computer supplies for over two years.
■ 2017 Global Threat Intelligence Report (GTIR) by NTT Security
– 53% of the world's phishing attacks originated in EMEA.
■ FBI report
– From October 2013 to December 2016, 22,000 investigated incidents of business e-mail compromise (BEC) cost US businesses $1.6 billion.
https://www.nttcomsecurity.com/en/gtir-2017/
https://www.forbes.com/sites/leemathews/2017/05/05/phishing-scams-cost-american-businesses-half-a-billion-dollars-a-year/#4041d0e93fa1
• 14. Cost of phishing
■ IBM Security Services reported 1.5 million cyber-attacks in 2013.
■ A joint 2013 study from Symantec and the Ponemon Institute put the average total cost of a data breach to an organisation at $5,403,644.
■ A 2013 UK study gave the range of total cost of a security breach as:
– Small businesses: $55,000 to $100,000
– Large businesses: $700,000 to $1,300,000
■ About 64% of data breaches were due to system problems and human mistakes.
• 16. Phishing Threat
■ Phishing attacks use a mix of technical deceit and social-engineering practices.
■ The most popular channels are e-mail, web pages, IRC and instant-messaging services.
■ The phisher impersonates a source the victim trusts, for example:
– the helpdesk of their bank
– an automated support response from a retailer the user buys from
– a government site
• 17. Phases of a phishing attack
1. Potential victim receives a phish
2. Victim follows the suggestion in the message or banner
3. Victim visits the fake website, submits sensitive information or downloads malware
4. Attacker monetises the stolen information
• 18. Phishing attacks
• 19. Types of Phishing attacks
■ Spear phishing: targets a specific group of individuals or an organisation
■ Whaling: targeted at executive-level individuals
■ Cloning: duplicates a legitimate e-mail but replaces its content with a malicious attachment or link
• 20. Spear Phishing
■ Targets a particular company, organisation, group or government agency.
■ First, the criminals gather inside information on their targets so that the e-mails look legitimate.
■ Personal information is obtained by hacking into an organisation's network or harvested from blogs and social-networking sites (Facebook, LinkedIn, etc.).
■ E-mails that look like the real thing are sent to the targeted victims, with urgent and legitimate-sounding explanations of why they need your personal data.
■ Victims are asked to click a link in the e-mail that takes them to a phony but realistic-looking website, where they are asked for passwords, account numbers, user IDs, access codes, PINs, etc.
• 21. Spear Phishing
• 22. Spear Phishing e-mail
• 23. Whaling
■ Named after the whale, the "big fish" these attacks target.
■ Targeted attacks against small groups of high-level executives within a single organisation, or against executive positions common to multiple organisations.
■ Tries to steal credentials by installing malware that provides back-door functionality and keylogging.
• 24. Cloning
■ A legitimate, previously delivered e-mail containing an attachment or link is used to create an almost identical e-mail.
■ The attachment or link is replaced with a malicious version and the message is sent from an address spoofed to appear to come from the original sender.
■ It may claim to be a re-send of the original or an updated version.
■ The attacker may also clone a website the victim usually visits.
■ The cloned website mimics the real one, asks for login credentials and steals them.
• 25. Cloning website
• 27. Phishing Methods
• 28. E-mail and Spam
■ Most phishing attacks are initiated by e-mail.
■ An attacker can send specially crafted e-mails to millions of legitimate "live" e-mail addresses within a few hours.
■ The address lists are normally purchased.
■ Because SMTP does not authenticate the sender, the attacker can set a fake "Mail From:" header and impersonate any organisation.
■ In some cases the "RCPT To:" field is also pointed at an address of the attacker's choice.
• 29. Techniques used within Phishing E-mails
■ Official-looking and official-sounding e-mails
– Sophisticated phishers send very legitimate-looking mail with proper syntax and structure.
■ HTML-based e-mail to obfuscate the destination URL
– Use a text colour the same as the background to hide suspect parts of the URL.
– Use a legitimate URL as the visible link text while the actual hyperlink points to the phishing URL.
– Include graphics that look like a text message.
• 30. Techniques used within Phishing E-mails
■ Attachments referenced in the body of the e-mail, with instructions to open them in order to verify some transactional detail.
– The attachments are Trojan keyloggers or other spyware.
■ Anti-spam-detection inclusions
– Headers and references in the e-mail designed to bypass anti-spam software.
– Deliberate spelling mistakes and spacing characters inside key words.
■ Fake postings to popular message boards and mailing lists.
■ Fake "Mail From:" addresses to fool the recipient into thinking the e-mail has come from a legitimate source.
• 31. Techniques used within Phishing E-mails
■ Use of font differences
– Fonts in which one character is indistinguishable from another, so that a keyword is spelled differently from how it reads and anti-spam keyword filters miss it.
– Example: substituting uppercase "I" for lowercase "l", or the digit zero for uppercase "O".
■ Use of credit-card digits
– Quoting the first four digits of a card number, which identify the issuer and are shared by many customers, to convince recipients that the mail is meant for them; the last four digits are unique to the card and unknown to the phisher.
■ Use of the local language
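The three slides above describe what the receiving side can still check: a forged "Mail From:" does not match the envelope sender or the receiving MTA's SPF/DKIM/DMARC verdicts, and a link whose visible text is a legitimate URL points somewhere else in its href. The following triage script is an added example and is not part of the original deck; the message it parses is constructed here, and the domains mybank.com and evilsite.example are placeholders.

```python
"""Triage checks for a suspected phishing e-mail (added example, constructed sample)."""
import email
import email.policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the visible From: claims mybank.com, but the envelope
# sender (Return-Path) and the receiver's Authentication-Results say otherwise.
SAMPLE_RAW = """\
Return-Path: <bounce@evilsite.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=evilsite.example; dkim=none; dmarc=fail header.from=mybank.com
From: "MyBank Security" <alerts@mybank.com>
To: customer@example.com
Subject: Your online banking profile needs to be updated
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Online Account Holder,</p>
<p>Please <a href="http://evilsite.example/ebanking/login">https://www.mybank.com/ebanking</a>
to confirm your details within 24 hours.</p>
<p><a href="https://www.mybank.com/help">Help centre</a></p>
</body></html>
"""


def domain_of(address):
    """Lower-cased domain part of an e-mail address header value, or ''."""
    _, addr = parseaddr(str(address) if address else "")
    return addr.rpartition("@")[2].lower()


def sender_alignment(msg):
    """Compare the visible From: domain with the envelope sender (Return-Path).
    A forged 'Mail From:' usually shows up here as a mismatch."""
    from_dom = domain_of(msg["From"])
    return_dom = domain_of(msg["Return-Path"])
    return {"from": from_dom, "return_path": return_dom,
            "aligned": bool(from_dom) and from_dom == return_dom}


def auth_results(msg):
    """Extract the spf/dkim/dmarc verdicts from Authentication-Results (RFC 8601)."""
    header = msg["Authentication-Results"] or ""
    verdicts = {}
    for clause in header.split(";")[1:]:          # first clause is the authserv-id
        clause = clause.strip()
        if "=" in clause:
            method, result = clause.split("=", 1)
            verdicts[method.strip().lower()] = result.split()[0].lower()
    return verdicts


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html):
    """Flag anchors whose visible text is a URL on a different host than the href."""
    collector = _AnchorCollector()
    collector.feed(html)
    mismatches = []
    for href, text in collector.anchors:
        if text.startswith(("http://", "https://")):
            shown, real = urlsplit(text).hostname, urlsplit(href).hostname
            if shown != real:
                mismatches.append({"shown": shown, "actual": real, "href": href})
    return mismatches


def triage(raw):
    """Run all checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    findings = {"alignment": sender_alignment(msg),
                "auth": auth_results(msg),
                "links": link_mismatches(html)}
    findings["suspicious"] = (not findings["alignment"]["aligned"]
                              or findings["auth"].get("spf") == "fail"
                              or findings["auth"].get("dmarc") == "fail"
                              or bool(findings["links"]))
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RAW), indent=2))
```

Run it on a saved .eml file by passing its contents to triage(). The Authentication-Results header is only trustworthy when it was written by your own border MTA, so strip or ignore copies that arrive from outside before relying on the verdicts.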
• 32. Characteristics of a phishing e-mail
■ The content is intended to trigger a quick reaction from the user.
■ It uses upsetting or exciting information, demands an urgent response, or employs a false pretence or statement.
■ Phishing messages are normally not personalised.
■ Typically the message asks the user to "update", "validate" or "confirm" their account information or face dire consequences.
■ The message may even ask the user to make a phone call.
■ Often the message or website includes official-looking logos and other identifying information taken directly from legitimate websites.
• 33. Spotting a phishing e-mail
https://techviral.net/wp-content/uploads/2016/07/Identify-phishing-emails.jpg
• 34. Spotting a phishing e-mail
• 35. Spotting a phishing e-mail
• 36. Typical phishing e-mail messages
■ E-mail Money Transfer Alert: Please verify the payment information below
■ It has come to our attention that your online banking profile needs to be updated as part of our continuous efforts to protect your account and reduce instances of fraud
■ Dear Online Account Holder, Access To Your Account Is Currently Unavailable
■ Important Service Announcement from , You have 1 unread Security Message!
■ We regret to inform you that we had to lock your bank account access. Call (telephone number) to restore your bank account.
• 37. Web-based Delivery
■ Another popular method of conducting phishing attacks is through malicious website content.
■ HTML-disguised links within popular websites and message boards.
■ Third-party-supplied, or fake, banner-advertising graphics that lure customers to the phisher's website.
■ Web bugs (hidden items within the page, such as a zero-sized graphic) used to track a potential phishing victim.
■ Pop-up or frameless windows that disguise the true source of the phisher's message.
■ Malicious content embedded in a web page that exploits a known vulnerability in the customer's browser to install software of the phisher's choice.
■ Disguising the true source of the fake website by exploiting cross-site scripting flaws in a trusted website.
• 38. PayPal phishing flow
https://umbrella.cisco.com/blog/blog/2015/02/11/paypal-phishing-sophistication-growing/
• 39. Phishing using a PayPal account
• 40. PayPal fake site: real site vs fake site
https://umbrella.cisco.com/blog/blog/2015/02/11/paypal-phishing-sophistication-growing/
• 41. Spoofing an Apple ID verification page
https://umbrella.cisco.com/blog/blog/2015/02/11/paypal-phishing-sophistication-growing/
• 42. Phishing Warning Posters
• 43. Phishing Warning Posters
• 44. Phishing Attack Vectors
■ Man-in-the-middle attacks
■ URL obfuscation attacks
■ Cross-site scripting attacks
■ Preset session attacks
■ Observing customer data
■ Client-side vulnerability exploitation
• 45. Man-in-the-middle Attacks
■ A man-in-the-middle attack is used to gain control of customer information and resources.
■ The attacker sits between the customer and the real web application and proxies all communication between the two.
■ Every transaction can then be monitored, and credentials captured, while the customer sees the real site working normally.
■ Methods used to direct the customer to the proxy instead of the real server:
– Transparent proxies
– DNS cache poisoning
– URL obfuscation
– Browser proxy configuration
• 46. Man-in-the-middle Attacks
• 47. URL Obfuscation Attacks
■ Make the user follow a hyperlink to the attacker's server without realising they have been duped.
■ The most common methods of URL obfuscation include:
– Bad domain names (look-alike or misspelled domains)
– Friendly login URLs (a "user@" prefix that looks like the legitimate host name)
– Third-party shortened URLs
– Host-name obfuscation (IP addresses written in decimal, hexadecimal or other forms)
– URL encoding (escaped characters in the path or query string)
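Each of the obfuscations above can be undone mechanically before an analyst decides whether a link is safe. The script below is an added example written for this page, not code from the deck: it resolves the "user@" trick, decimal and hexadecimal hosts, punycode look-alike domains and percent-encoded paths, and flags hosts that mention a brand without being under the brand's real domain. The brand list and the look-alike host it builds are constructed for the demo; shortened URLs are not expanded because that needs a network request.

```python
"""Decode the URL-obfuscation tricks listed on the slide above (added example)."""
import ipaddress
from urllib.parse import urlsplit, unquote

# Assumed: brands this organisation protects, keyed by the name users look for.
PROTECTED_BRANDS = {"mybank": "mybank.com", "paypal": "paypal.com"}

# Constructed look-alike host: ASCII letters plus one Cyrillic 'а' (U+0430),
# stored in the punycode form a browser actually sends to DNS.
HOMOGRAPH_HOST = "p\u0430ypal.com".encode("idna").decode("ascii")


def numeric_host(host):
    """Map a single-number host (decimal or hex) to dotted-quad form, else None."""
    try:
        if host.startswith("0x"):
            value = int(host, 16)
        elif host.isdigit():
            value = int(host, 10)
        else:
            return None
        return str(ipaddress.IPv4Address(value))
    except ValueError:          # not a number, or outside the IPv4 range
        return None


def unicode_host(host):
    """Return the Unicode form of an IDNA (xn--) host, or None if it is plain ASCII."""
    if "xn--" not in host:
        return None
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return None


def analyse_url(url):
    """Report every obfuscation found and the host the browser will really connect to."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # urlsplit already strips any 'user@' prefix
    findings = []

    # Friendly-login URL: http://mybank.com@evilsite.example/ connects to evilsite.example
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' hides the real host '{host}'")

    # Host-name obfuscation: http://3232235777/ or http://0xc0a80101/
    dotted = numeric_host(host)
    if dotted:
        findings.append(f"numeric host '{host}' is {dotted}")
        host = dotted

    # Homograph domain: what the user sees differs from what DNS resolves
    shown = unicode_host(host)
    if shown and shown != host:
        findings.append(f"IDN host displays as '{shown}'")

    # URL encoding hiding the path: /%65%62anking is /ebanking
    if "%" in parts.path or "%" in parts.query:
        findings.append("encoded path/query decodes to " + unquote(parts.path)
                        + ("?" + unquote(parts.query) if parts.query else ""))

    # Bad domain name: brand string present but not under the brand's real domain
    for brand, real in PROTECTED_BRANDS.items():
        if brand in host and host != real and not host.endswith("." + real):
            findings.append(f"host mentions '{brand}' but is not under {real}")

    return {"real_host": host, "display_host": shown or host, "findings": findings}


if __name__ == "__main__":
    for sample in ("http://mybank.com@evilsite.example/login",
                   "http://3232235777/",
                   "https://" + HOMOGRAPH_HOST + "/signin",
                   "http://mybank.com.evilsite.example/%65%62anking",
                   "https://www.mybank.com/ebanking"):
        print(sample, "->", analyse_url(sample))
```

The brand check is deliberately crude (substring plus suffix test); in production compare against the registrable domain from the Public Suffix List rather than a raw endswith, otherwise "mybank.com.au" and "mybank.com.evilsite.example" are judged by the same rule.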
• 48. PayPal fake site: real site vs fake site
• 49. Real & Fake (issued by BOA for their clients)
■ Real vs fake: every field marked with "%" is a placeholder used to customise the e-mails with personal information.
• 50. Cross-site Scripting Attacks (XSS)
■ Make use of a custom URL or code injected into a valid web-application URL or embedded data field.
■ The customer receives the following URL in a phisher's e-mail: http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm
■ The customer is indeed directed to, and connected to, the real MyBank web application; but, because of poor application coding by the bank, the e-banking component accepts an arbitrary URL in the URL field and inserts it into the returned page.
■ Instead of the application providing MyBank's own authentication form embedded within the page, the attacker manages to reference a page under their control on an external server, served from under the bank's trusted address.
■ The same missing validation that lets a URL through lets script through: any parameter reflected into the page without sanitising is a script-injection point.
• 51. Cross Site Scripting
• 52. Preset Session Attacks
■ The phishing message contains a link to the real application server, but with a predefined SessionID field.
■ The attacker's system constantly polls the application server for a restricted page using the preset SessionID.
■ The attacker waits until a recipient follows the link and authenticates under that SessionID.
■ Once the customer has authenticated, the application server allows any connection presenting the authorised SessionID to access restricted content.
■ The attacker then uses the preset SessionID to access the restricted page and carry out the attack.
■ This works only because the application accepts a session identifier supplied by the client and does not issue a new one on login (session fixation).
• 53. Preset Session Attacks
■ The phisher e-mails potential MyBank customers a fake message containing the URL https://mybank.com/ebanking?session=3V1L5e5510N&Login=True, with a preset SessionID of 3V1L5e5510N.
■ The attacker polls the MyBank server every minute for a restricted page that allows fund transfers (https://mybank.com/ebanking?session=3V1L5e5510N&Transfer=True).
■ After the customer authenticates, the SessionID becomes valid and the phisher can access the fund-transfer page.
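The two slides above can be replayed against a model of the MyBank session store to see exactly which server-side decision makes the attack work. This is an added example, not code from the deck: VulnerableBank adopts the session id from the URL and keeps it across login, which is the behaviour slide 52 describes; HardenedBank issues its own ids, ignores ids it never issued, and rotates the id on authentication. The users, password and the preset id 3V1L5e5510N are taken from the slide or constructed for the demo.

```python
"""Preset-session (session-fixation) attack from the slides, with the fix (added example)."""
import secrets

PASSWORD = "correct-horse"   # constructed credential for the demo users


class VulnerableBank:
    """Adopts whatever session id the client presents and keeps it across login."""

    def __init__(self):
        self.sessions = {}    # session id -> authenticated user, or None

    def visit(self, session=None):
        # The flaw: an id taken from the URL (?session=...) is accepted as-is.
        if session is None:
            session = secrets.token_hex(16)
        self.sessions.setdefault(session, None)
        return session

    def login(self, session, user, password):
        """Return the session id to use after login, or None on failure."""
        if password != PASSWORD:
            return None
        self.sessions[session] = user   # the phisher's preset id is now authenticated
        return session

    def transfer(self, session):
        """The restricted FundTransfer page; None unless the session is authenticated."""
        user = self.sessions.get(session)
        return f"transfer page for {user}" if user else None


class HardenedBank(VulnerableBank):
    """Issues its own ids, ignores ids it never issued, and rotates the id on login."""

    def visit(self, session=None):
        if session not in self.sessions:         # unknown or absent: issue a fresh id
            session = secrets.token_hex(16)
            self.sessions[session] = None
        return session

    def login(self, session, user, password):
        if password != PASSWORD or session not in self.sessions:
            return None
        self.sessions.pop(session)               # pre-login id is dead from here on
        new_id = secrets.token_hex(16)           # unpredictable, never seen by the phisher
        self.sessions[new_id] = user
        return new_id                            # must replace the client's cookie


def run_attack(bank_cls):
    """Replay slide 53: preset id in the link, victim logs in, phisher polls."""
    bank = bank_cls()
    preset = "3V1L5e5510N"
    # Victim follows https://mybank.com/ebanking?session=3V1L5e5510N&Login=True
    victim_session = bank.visit(session=preset)
    bank.login(victim_session, "alice", PASSWORD)
    # Phisher keeps requesting ...?session=3V1L5e5510N&Transfer=True
    return bank.transfer(preset)


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableBank))   # phisher gets the transfer page
    print("hardened:  ", run_attack(HardenedBank))     # None: preset id never becomes valid
```

In a real application the same three rules apply: carry the session id only in a cookie (Secure, HttpOnly, SameSite), never in the URL; reject ids the server did not mint; and regenerate the id at every privilege change, login included.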
• 54. Observing Customer Data
■ The attacker uses key-loggers and screen-grabbers to observe confidential customer data as it is entered into a web-based application.
■ Key-loggers observe and record every key the customer presses.
■ Screen-grabbers take screenshots of data that has been entered into a web-based application, which also defeats on-screen keyboards.
• 55. Client-side Vulnerability Exploitation
■ The attacker exploits the browser to gain access to, or observe, the customer's confidential information.
■ Browser add-ons such as Flash, RealPlayer and other embedded applications add more opportunities for attack.
■ Example
– A vulnerability existed in Microsoft Media Player that was exploitable through Java code run by Microsoft Internet Explorer. It enabled remote servers to read local files, browse directories and, finally, execute arbitrary software.
– The problem was the method Media Player used to download customised skins and store them.
• 57. Defense Mechanisms
■ A mix of information-security technologies and techniques is required.
■ Techniques must be deployed at three locations:
1. The client side: the user's PC.
2. The server side: the business's Internet-visible systems and custom applications.
3. The enterprise level: distributed technologies and third-party managed services.
• 58. Client-side
■ Desktop protection technologies:
– Antivirus, anti-spam, personal firewall, spyware detection, etc.
■ Render e-mail as plain text rather than HTML, so that embedded scripting elements and disguised links are neither executed nor clickable.
■ Appropriate communication settings.
■ User application-level monitoring solutions.
• 59. Client-side
■ Locking down browser capabilities
– The browser must be configured securely.
– Extended facilities should be avoided, as these are what gets exploited.
– Disable all pop-up window functionality.
– Disable Java runtime support.
– Disable ActiveX support.
– Disable all multimedia and auto-play/auto-execute extensions.
– Prevent the storage of non-secure cookies.
– Ensure that downloads cannot be run automatically from the browser.
– Use anti-phishing plug-ins.
• 60. Client-side
■ Digital signing and validation of e-mail
– Ensures that mail received is from a known source.
■ General security vigilance
– Carefully inspect e-mail content as per the guidelines in the previous slides.
– Never respond to HTML e-mail with embedded submission forms.
– Avoid e-mailing personal and financial information, and submit it only to sites that show the browser's lock icon.
– For sites that indicate they are secure, review the SSL certificate that has been received and ensure that it was issued by a trusted certificate authority for the domain you intended to visit.
– Certificate information can be obtained by clicking the "lock" icon (shown in the address bar in current browsers), or by right-clicking the page and selecting Properties.
– Caveat: a valid certificate and lock icon only prove that the connection is encrypted to whoever holds that certificate; phishing sites obtain valid certificates too, so the lock never proves a site is legitimate.
– Review credit-card and bank-account statements for any unauthorised charges.
61. Server-side
■ Build intelligent anti-phishing techniques into the organization’s web application security
■ Develop internal processes to combat phishing vectors and educate customers
■ Improving customer awareness
– Repeatedly and constantly inform all users and customers of the dangers from phishing attacks and what preventative actions are available
– Provide easy reporting of phishing scams noticed or fraudulent email received
– Establish the company’s security policy and enforce it strictly
– Respond quickly to phishing scams identified.
62. Server-side
■ Providing validation information for official communications
– This will help in identifying phishing attacks
– Try to send only personalized emails
– Reference previous mail to instil trust
– Use digital signatures where feasible
■ Ensuring that the Internet web application is securely developed and doesn’t include easily exploitable attack vectors
– Strong implementation of content validation processes
– Never present submitted data directly back to an application user without sanitizing it first.
– Always sanitize data before processing or storing it.
– Replace HTML characters that can be exploited with safe characters.
63. Server-side
■ Using strong token-based authentication systems
– A minimum two-phase login process should be used
– Provide anti key-logging measures such as an on-screen keyboard
– Use personalized content to identify fake websites
– Keep naming systems simple and understandable
– Keep the authentication process simple
– Use one-time passwords or token-based authentication.
■ Use a simple DNS naming system that can be easily identified by the customer/user
– Use only the root domain
– Automatically redirect regional or other registered domain names to the main corporate domain.
– Never keep session information in a URL
– Use host names that represent the nature of the web-based application.
– For example: https://secure.mybank.com instead of https://www.mybank.com
64. Enterprise Level
■ Automatic validation of sending e-mail server addresses
■ Digital signing of e-mail services
■ Monitoring of corporate domains and notification of “similar” registrations
■ Perimeter or gateway protection agents
– To monitor and control both inbound and outbound communications to identify malicious phishing content
■ Third-party managed services
– Can analyze e-mail messages delivered at a global level, and identify common threads between malicious e-mails
– Agent-based bots to monitor URLs and web content from remote sites, actively searching for all instances of an organization’s logo, trademark, or unique web content
67. Incident Response
Prepare → Detect → Analyze → Contain → Eradicate → Recover
■ Most important part of the security system
68. Prepare
■ Identify the IT security manager responsible and advertise his contact details and email for reporting incidents to all staff and customers
■ Ensure that the IT manager selected is trained in handling phishing
■ Prepare an internal escalation list, including names, contact information, and responsibilities for all staff involved in incident response and management
■ Create a methodology for users to inform the security manager immediately, using email as well as phone, about the incident.
■ The IT manager needs to check the mail regularly for any urgent messages.
■ Keep a list of contact information for external resources that may be involved in handling incident response, for ready reference.
■ Keep a list of all Internet domains owned by the company
■ Prepare an informational web page that warns partners and customers about an active phishing attack
69. Detect
■ On receiving information about an incident, the IT manager should get all phishing emails or URLs from the user
■ These emails, URLs and any other information provided need to be investigated on priority
■ As standard practice the IT manager needs to keep watch on:
– E-mails flagged by various filters
– Non-returnable and non-deliverable emails
– Notification by third parties of suspicious emails
– Emails linked to internal and external URLs
– Notification from ISPs and law enforcement agencies about emails
– Suspicious activity on the organization’s web site.
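A small triage helper for the Detect step that also applies two of the enterprise-level controls from slide 64: validating the sending server's authentication results and spotting "similar" registrations of the company's own domains. This is an added example, not code from the deck or its author; the owned-domain list, the sample message and its Authentication-Results header are all constructed here.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains the company owns (the Prepare step keeps this list).
OWNED_DOMAINS = {"mybank.com", "secure.mybank.com"}
# Look-alike substitutions normalised away before comparing domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l"})
def edit_distance(a, b):
    """Levenshtein distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def lookalike_of(domain, owned=OWNED_DOMAINS, max_distance=2):
    """Return the owned domain that `domain` imitates, or None if it is clean."""
    norm = domain.lower().replace("rn", "m").translate(HOMOGLYPHS)
    for real in sorted(owned):
        if domain != real and edit_distance(norm, real) <= max_distance:
            return real
    return None
def auth_results(msg):
    """Parse Authentication-Results into e.g. {'spf': 'fail', 'dkim': 'none'}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";")[1:]:       # part 0 is the authserv-id
            key, _, value = part.strip().partition("=")
            results[key.lower()] = value.split()[0].lower() if value else ""
    return results
def triage(raw_message):
    """Return the sender domain, auth results and reasons to escalate."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = auth_results(msg)
    reasons = []
    target = None if domain in OWNED_DOMAINS else lookalike_of(domain)
    if target:
        reasons.append(f"sender domain {domain} resembles {target}")
    for mech in ("spf", "dkim"):              # missing result counts as a failure
        if auth.get(mech, "none") != "pass":
            reasons.append(f"{mech}={auth.get(mech, 'none')}")
    return {"domain": domain, "auth": auth, "reasons": reasons}
# Constructed sample: a look-alike sender that also fails SPF and has no DKIM.
SAMPLE_PHISH = """From: "MyBank Security" <alerts@rnybank.com>
Authentication-Results: mx.mybank.com; spf=fail smtp.mailfrom=rnybank.com; dkim=none

Please verify your account at the link below.
"""
```

Any message that comes back with a non-empty reasons list is one the IT manager should pull into the Analyze step rather than leave to the user.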
70. Analyze
■ Suspicious activity, once detected, should be analyzed using available tools or external help as the case may be.
■ Once suspicious activity is confirmed to be an attack related to phishing, it should be categorized according to the threat it poses to the organization
■ Use various means, including logs and tools, to gather information and analyze it to:
– Identify the protected information that has been compromised
– Identify the information exposed
– Users, customers and public likely to be exposed
– Who might have launched the activity
– Who has knowledge of this activity
– Worst-case impact on the system
– Whether this can be exploited for any criminal activity
71. Contain
■ Identify the systems affected and how widespread the attack is.
■ Isolate systems, including users or servers affected by the attack
■ Inform all users of the problem and the immediate action they need to take to contain the attack
72. Eradicate
■ Use various tools to free the system from the malware etc. installed during the attack
■ Install patches, update rules and modify content filters to avoid the problem in future
■ Test the system to ensure the problem does not occur again
■ Modify or change the affected system/site/network
■ Co-ordinate with the ISP to initiate counter-measures
■ Co-ordinate with any third party to take down the site if required
■ Add the problem to the incident database along with all details for future reference
73. Recover
■ Update systems, firewall and IDS and remove temporary containment
■ Wipe and baseline the system
■ Update systems with fresh signatures
■ Prepare a detailed advisory and publicize it widely to avoid such attacks in future.
■ Review the incident in detail
■ Update policy and processes
■ Document the problem and actions taken, including policy changes, process modifications and configuration changes.
■ Get ready for any new attack
74. THANK YOU