Email-based Threat Intelligence: Industrial Phishing Tactics (New Series)By Mike Rothman
Threat Intelligence comes in many shapes and sizes, all of which are helpful for Early Warning of imminent attack. After introducing the initial Early Warning concepts, we recently delved into how network telemetry and other information about your pipes can help to identify compromised devices in Network-based Threat Intelligence. We continue discussing all sorts of threat intel by focusing on phishing in our new series, Email-based Threat Intelligence. We stay true to our naming conventions.
But in all seriousness, if you are targeted by phishing attacks, you probably know what we’re talking about. Attackers target your brand, they stage high-volume attacks to steal personal information from customers, and then ultimately they monetize stolen personal data – typically by looting the accounts of your customers. All of which cost your organization big money.
So what we will do in this series is dig into the seedy underbelly of the phishing trade, starting with an explanation of how large-scale phishers operate. Then we’ll jump into threat intelligence on phishing – basically determining what kind of trail phishers leave – which gives us data to pump into the Early Warning system. Finally we will cover how to get quick wins with email-based threat intelligence. If you can stop an attack, go after the attackers, and ultimately disrupt attempts to steal personal data, you’d do that, right? So we will wrap up this short series by quickly showing impact.
Before we get started I want to thank Malcovery for agreeing to potentially license the content at the end of the project. As with all our research, we will produce Email-based Threat Intelligence using Totally Transparent Research. That means we build the content independently and objectively, and tell you what you need to hear. Not what any vendor wants you to hear.
Sizing up Targets
Why do phishers target specific brands? To harvest and ultimately monetize personal information. Obviously targeting financial institutions is a no-brainer. So you probably see phishing attempts targeting every major bank, brokerage, and other financial institution like PayPal fly into your inbox all the time. Retailers are also low-hanging fruit – once phishers gain access to an online shopping account they can buy all sorts of stuff using your customer’s credit. And you get left holding the bag. Fun!
But lately we have been receiving phishing attempts for other major consumer brands such as shipping companies, phone companies, and airlines. Huh? If someone owns a frequent flyer account, the risk is having them see how close until the next FF tier, right? No, not exactly. When you (or someone who works for your organization) clicks on a phish, they may enter account information into the phishing site, which is the first win for the attacker. But it’s not the only opportunity for pwnage. Attackers also systematically install malware on the device, and that’s where the real monetization happens. Once they have a foothold they mine the data for as long as they can. Attackers collect bank accounts, passwords, and other sensitive information.
So basically every large consumer brand has been and will continue to be a serious phishing target. These companies have millions of customers, which means millions of potentially compromised devices for attackers to mine. Obviously the highest value phishing attacks target financials, where the victim can be monetized immediately. But the endgame involves installing malware which is why we see secondary brands emerge as phishing targets.
It is outside of the scope of this research, but we would be negligent if we didn’t at least mention that it’s a very bad idea to save financial information in the website of any retailer or other services company. Sure, one-click buying is convenient, as is not enter that pesky credit card number with every purchase. But it also leaves you at the mercy of the website’s security – not a good place to be. If you do need to save personal information on these sites, at least use very strong unique passwords with a password manager, as Rich has described numerous times in places like MacWorld.
Phishing is the front end of a multi-faceted attack, so let’s take a look at the first set of steps in Cloppert’s Kill Chain and show how these concepts apply to phishing. First let’s look at recon, which starts with picking the brand to target, typically a financial or payment company. The APWG’s statistics (PDF) show that upwards of 65% of phishing targets are financial and payment organizations. Duh. But let’s be clear about why many of the phishing campaigns target only a few popular brands. Is this just Pareto at work? The real reason is the advent of the phishing kit. Just like malware kits, phishing kits offer a packaged phishing campaign for a very modest price. This takes care of the weaponization step in the kill chain – these kits include everything you need to phish, with the exception of domains to host the phishing site. Images, emails, designs, and even a few malware variants are included, which is driving down the average IQ of phishers.
You might think phishing kits need to be constantly updated to keep pace with the constant web site changes undertaken by the major consumer brands. Not so much – most consumer victims wouldn’t be able to tell a vintage 2009 Wells Fargo site from the latest and greatest. The images and code used on the phishing site tell a story about the attacker and can provide significant intelligence to disrupt the attack, so we will delve into that in the next post.
The other key aspect of the kill chain for to phishing is delivery. The primary delivery mechanism for phishing is email, which requires the attacker to evade spam filters. Discussing those tactics is a bit beyond what we can do in this series, but suffice it to say that attackers are rather sophisticated in how they test both delivery of email and the domain names they drive victims to. Similarly to the way attackers use VirusTotal and other AV test harnesses, phishing professionals focus quite a bit of effort on testing against common anti-spam engines, because increasing increasing the successful delivery rate has a dramatic impact on the profitability of the campaign. At the end of the day phishing, like all email attacks, remains a numbers game. Social networks are also increasingly used to deliver links to phishing networks. This gets even more diabolical in constrained environments like Twitter with built-in link shorteners, because those opaque shortened links can easily lead to phishing sites.
We will talk about other technology advances impacting delivery of phishing and spam email such as DMARC later in this series, as they are one of the key defenses for organizations to blunt the impact of phishing.
Monetizing the Phish
Once the phishing email is delivered and the victim clicks the link the fun begins. The first private information capture point is authentication to the phishing website which impersonates the target site. This sets the stage for the initial monetization, using credentials to loot the victim’s account (if it’s a financial or payment site). Obviously there are backend processes to launder the stolen money but we won’t get into them. The attack cycle doesn’t end there. Attackers want to maintain a presence on compromised machines and to steal every credential they can. They have a few tactics for that:
- MITM: Many phishing sites are really just pass-throughs, running a man-in-the-middle (MITM) attack. They capture authentication credentials, and then pass them through to the real site as part of their camouflage. The victim sees the web site they expect, but all their traffic is being routed through the attacker’s network. Attackers can then sniff all network traffic for authentication credentials and other interesting data to steal. Even better, the malware downloaded once the victim hits the phishing site will permanently redirect traffic to the attacker, so they subsequently see everything the victim does.
- Key logging: The attacker may also install a key logger on the victim’s device to capture all keystrokes. Keystroke data is handy for harvesting account credentials as the victim goes about their business. This is possible thanks to the malware installed on the victim’s device during the initial drive-by click.
- Screen grabbing: Finally, the malware may also take screen captures at certain times, such as when hitting Submit on banking or payment sites. Again, this allows them to capture account information, balances, etc. to help determine where efforts are best spent. They don’t want to go through the hassle to access an empty bank account.
Besides monetizing the victim’s account credentials, many phishers get ‘commissions’ from bot networks for installing malware kits and adding devices to botnets. We have recently seen phishing attacks install multiple malware packages on a victim device so phishers can double or triple on the value the compromised device. That’s free enterprise at work, folks. But it’s not really free, so let’s delve into costs to the business.
Cost of Phishing to Your Organization
Phishing is predominately a consumer attack, so many companies don’t feel a compelling need to deal with it, especially given the kinds of direct attacks most organizations deal with. But there are clear costs of phishing to an enterprise, so let’s break them down.
- Financial loss: The most obvious are direct losses due to account compromise. Most easily quantified by financials and payment brands (which is why they are targeted by a majority of phishing attacks), other consumer brands do not escape direct costs. For example, retailers may ship fraudulently purchased goods and not be able to collect payment or recover the goods.
- Clean-up costs: There are costs involved in taking down phishing sites or cleaning customer device if they are compromised clicking a message they thought came from you. There is likely no legal requirement to help these customers clean their devices, but in competitive markets (including banking, retail, and telecom) alienating customers is not good for customer satisfaction.
- Brand damage: There is always the very difficult-to-quantify damage to an organization’s brand. When a customer has a problem, they blame the phishing target/consumer brand, whether they deserve it or not. Obviously the bigger the brand footprint, the more frequently targeted, the more compromised customers, and thus the greater the brand damage from phishing. The data is generally inconclusive but there are clear costs resulting from a tarnished brand, particularly in highly competitive industries.
Phishing remains a huge problem, with which the broader technology ecosystem continues to struggle. The bar to successfully waging a phishing attack continues to descend with the advent of more sophisticated phishing kits, and increasingly advanced malware allows attackers to monetize victims over and over again. Our next post will look at the types of indicators that can identify a phishing attack (from the corporate perspective) to provide a handle on who is attacking, using what tools, and determine the impact of attacks. Email-based threat intelligence can then be used to disrupt attacks and provide quick wins. But one step at a time – let’s first dig into the different ways to identify phishing attacks in the aggregate.