
NLIT 2009 Philip Arwood John Gerber Development of a Process for Phishing Awareness Activities.

Date post: 27-Dec-2015
Upload: joshua-elliott

NLIT 2009

Philip Arwood

John Gerber

Development of a Process for Phishing Awareness Activities

Managed by UT-Battelle for the U.S. Department of Energy

Protecting Your Information

What Will We Discuss?

• Phishing and related Problems
  – Real world examples

• Goals and Challenges of Phishing Awareness
  – Early process
  – Examples (early and current)
  – Stats gathered

• Phishing Technical: Getting Under the Hood

If Only Life Was Simple

View Point Of The Problem

• The following is an excerpt from a speech by Mr. George Tenet, Director, CIA, delivered at the Georgia Institute of Technology, Atlanta, Georgia.
  – “The number of known adversaries conducting research on information attacks is increasing rapidly and includes intelligence services, criminals, industrial competitors, hackers, and aggrieved or disloyal insiders”.

Common Weaknesses

• Here are some of the most common visible or known weaknesses an adversary can exploit to obtain critical information:
  – Inappropriate use of email / attachments / web
  – Lack of awareness: don’t know what to protect, or who to protect it from
  – Poor access controls
  – Failure to practice need to know
  – Failure to comply with security policies

SANS Top Ten List (what people do to mess up their computer)

• Number 10 – Don’t bother with backups

• Number 9 – Use Easy, Quick Passwords

• Number 8 – Believe that Macs don’t get viruses

• Number 7 – Click on Everything

• Number 6 – Open ALL Email attachments

• Number 5 – Keep Your hard drive full and fragmented

• Number 4 – Install and Uninstall lots of programs (especially freeware)

• Number 3 – Turn off the Antivirus because it slows down your system

• Number 2 – Surf the Internet without a Hardware Firewall and a Software Firewall

• Number 1 – Plug into the Wall without Surge Protection

Phishing Stats

• According to Gartner, December 17, 2007
  – The average dollar loss per phishing victim is $866
  – The total dollar loss of all phishing victims over a 1 year period is $3.6 Billion
  – The number of people who fell victim to phishing scams over that same 1 year period is 3.2 Million

• According to a Gartner Survey
  – More than 5 million U.S. consumers lost money to phishing attacks in the 12 months ending in September 2008, a 39.8 percent increase over the number of victims a year earlier
  – Survey indicated a trend toward higher-volume and lower-value attacks

Phishing Stats (cont.)

• According to SonicWall, 2008
  – The estimated number of phishing e-mails sent world-wide each month is 8.5 Billion

• According to Anti-Phishing Working Group
  – The number of phishing web sites that were operational in May 2008 is 32,414

Phishing Stats (cont.)

• According to Gartner, April 2, 2009
  – More than 5 million consumers lost money to phishing attacks in the 12 months ending in September 2008, a 39.8 percent increase over the number of victims a year earlier.
  – The average consumer loss in 2008 per phishing incident was $351, a 60% decrease from the year before. Gartner believes the criminals are intentionally engaging in higher-volume and lower-value attacks to stay under the radar of fraud detection systems that have become pervasive at banks and other financial services providers.
  – About 4.33% of phishing e-mail recipients recalled giving away sensitive information after they clicked on a phishing e-mail link, which is a 45% increase over the prior year.

Phishing (Real World) Example 1a

Phishing (Real World) Example 1b

Phishing (Real World) Example 1c

Phishing (Real World) Example 2

Phishing (Real World) Example 3

Phishing (Real World) Example 4

Phishing (Real World) Example 5

Phishing (Real World) Example 6

Why Phish?

• Benefits:
  – Training tool for raising user awareness regarding phishing and the dangers.
  – Serves as a self assessment tool.

• The Challenge:
  – To develop phishing emails for monthly assessments
  – To develop repeatable and reliable delivery methods
  – To gather meaningful statistics for management

Summary of Early Phishing Process

• Phishing Email was developed

• Researched URL to ensure no “real” sites were used, local redirect created to point to “gotcha” page

• Recipient list was created

• UNIX script was used to queue / send email.

• “Gotcha” page was monitored for network traffic, harvested IPs and times of connections

Phishing Emails

• The early emails were developed to appear plain and contain obvious clues such as misspelled words, hyphenated URLs, etc.

• As the process evolved the emails contained less obvious clues.

• Following are examples of emails used early on and a few current examples.

Early Phishing Example

Current Phishing Example

Gotcha Page

• URL points to a web page that states:
  – Exercise was initiated by security
  – Gives information regarding what could have happened
  – Encourages user to re-take Cyber Awareness training (phishing awareness is reinforced in cyber awareness training)

What Data Do We Gather?

• End-User Response Time
  – The time between sending email and notification to security via email, phone, SPAM folder, …
  – Total number of responses

• End-User Click Rates
  – When the first click occurred
  – Total number of clicks
  – Who clicked

Suggestions for Topics?

• End-Users appear to be more interested in:
  – E-Cards (Valentines, Holiday cards, etc.)
  – Local News (highway construction, etc.)
  – Sports
  – Humor

• End-Users appear to be less interested in:
  – Technology related topics
  – Surveys

Results

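Result summary for 2008

+----------------------------------------------------------------------------+---------+------------+
| Category                                                                   | Average | Percentage |
+----------------------------------------------------------------------------+---------+------------+
| Response to Security in Minutes                                            | 22      | (Minutes)  |
| Number of Individuals Who Clicked Before Response to Security Was Received | 7       | 1.6%       |
| Number of Responses Sent To Security                                       | 11      | 2.7        |
| Number Of Responses Placed In SPAM Folder                                  | 8       | 1.8%       |
| Number Of Responses Received Other Ways                                    | 1       | 0.3%       |
| Total Response                                                             | 20      | 4.8%       |
| Total Clickers                                                             | 42      | 10.0%      |
+----------------------------------------------------------------------------+---------+------------+

Result summary for 2009 to date

+----------------------------------------------------------------------------+---------+------------+
| Category                                                                   | Average | Percentage |
+----------------------------------------------------------------------------+---------+------------+
| Response to Security in Minutes                                            | 28      | (Minutes)  |
| Number of Individuals Who Clicked Before Response to Security Was Received | 8       | 1.5%       |
| Number of Responses Sent To Security                                       | 4       | 1.0%       |
| Number Of Responses Placed In SPAM Folder                                  | 5       | 1.0%       |
| Number Of Responses Received Other Ways                                    | 0       | -          |
| Total Response                                                             | 9       | 1.6%       |
| Total Clickers                                                             | 42      | 6.8%       |
+----------------------------------------------------------------------------+---------+------------+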

Phishing Technical: Getting Under the Hood

John J. Gerber, CISSP, GCFA, GCIH, GISP, GSNA

Phishing Technical

A Presentation of Interest

“Spear Phishing: Real Cases, Real Solutions”

Rohyt Belani, Intrepidus Group. Wednesday, 11:00-11:45.

What Will We Discuss?

• Basic System Setup

• Configuration Files

• Database Tables

• Programs Involved

• Walk Through

• Show Sample Results

System Configuration

• Classic LAMP System
  – Linux
  – Apache
  – MySQL
  – Perl

• ModSecurity

• Request Tracker

• Thunderbird

Create Data Files

We keep each anti-phishing exercise in its own directory. In each directory create:

· Phishing Email

· Employee List

· LUP Exceptions

· Previous Clickers

· Exempt List

· Images

Sample Configuration File

TEMPLATE::test::template.html
TEMPLATE::whole::template.html
TEMPLATE::lup::template.html
TEMPLATE::clickers::template.html

SENDER::test::[email protected]
SENDER::whole::[email protected]
SENDER::lup::[email protected]
SENDER::clickers::[email protected]

SUBJECT::test::FWD: FWD: FWD: Hilarious
SUBJECT::whole::FWD: FWD: FWD: Hilarious
SUBJECT::lup::FWD: FWD: FWD: This is Hilarious
SUBJECT::clickers::FWD: FWD: FWD: That is Hilarious

WEB_HOST::test::upost.com
WEB_HOST::whole::upost.com
WEB_HOST::lup::upost.com
WEB_HOST::clickers::upost.com

EMAIL_FILE::test::test_pool.txt
EMAIL_FILE::whole::whole_pool.txt
EMAIL_FILE::lup::lup_pool.txt
EMAIL_FILE::clickers::clickers_pool.txt

REMOVE_EMAIL_FILE::whole::received_pool.txt
EMAIL_NUM::test::999
EMAIL_NUM::whole::550
EMAIL_NUM::lup::999
EMAIL_NUM::clickers::999
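
A pre-flight check for the KEY::type::value format shown in the sample configuration file, as an added example in Python (it is not the presenters' Perl read_config). It assumes that every attack type present needs the six keys the sample gives for all four types, that the type must be one of the attack_type enum values, and that SUBJECT must fit the varchar(50) subject column; the sender address is a constructed placeholder.

```python
# Added example: validates a phish.conf-style file before an exercise is run.
ATTACK_TYPES = ("lup", "test", "whole", "clickers")   # attack.attack_type enum values
REQUIRED = ("TEMPLATE", "SENDER", "SUBJECT", "WEB_HOST", "EMAIL_FILE", "EMAIL_NUM")
KNOWN_KEYS = REQUIRED + ("REMOVE_EMAIL_FILE",)
MAX_LEN = {"SUBJECT": 50}                             # attack.subject is varchar(50)


def parse_phish_conf(text):
    """Return (conf, problems) where conf[attack_type][KEY] = value."""
    conf, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split("::", 2)     # values such as "FWD: FWD:" keep their colons
        if len(parts) != 3:
            problems.append(f"line {lineno}: expected KEY::type::value")
            continue
        key, atype, value = parts
        if key not in KNOWN_KEYS:
            problems.append(f"line {lineno}: unknown key {key!r}")
            continue
        if atype not in ATTACK_TYPES:
            problems.append(f"line {lineno}: unknown attack type {atype!r}")
            continue
        if key in conf.get(atype, {}):
            problems.append(f"line {lineno}: duplicate {key} for {atype}")
            continue
        if key == "EMAIL_NUM":
            if not value.isdigit():
                problems.append(f"line {lineno}: EMAIL_NUM must be a whole number")
                continue
            value = int(value)
        elif len(value) > MAX_LEN.get(key, len(value)):
            problems.append(f"line {lineno}: {key} longer than {MAX_LEN[key]} characters")
            continue
        conf.setdefault(atype, {})[key] = value
    # Every attack type that appears must be fully specified (assumption, see lead-in).
    for atype, keys in conf.items():
        missing = [k for k in REQUIRED if k not in keys]
        if missing:
            problems.append(f"{atype}: missing {', '.join(missing)}")
    return conf, problems


# The slide's sample file; the SENDER address is a constructed placeholder.
SAMPLE_CONF = """\
TEMPLATE::test::template.html
TEMPLATE::whole::template.html
TEMPLATE::lup::template.html
TEMPLATE::clickers::template.html
SENDER::test::sender@example.test
SENDER::whole::sender@example.test
SENDER::lup::sender@example.test
SENDER::clickers::sender@example.test
SUBJECT::test::FWD: FWD: FWD: Hilarious
SUBJECT::whole::FWD: FWD: FWD: Hilarious
SUBJECT::lup::FWD: FWD: FWD: This is Hilarious
SUBJECT::clickers::FWD: FWD: FWD: That is Hilarious
WEB_HOST::test::upost.com
WEB_HOST::whole::upost.com
WEB_HOST::lup::upost.com
WEB_HOST::clickers::upost.com
EMAIL_FILE::test::test_pool.txt
EMAIL_FILE::whole::whole_pool.txt
EMAIL_FILE::lup::lup_pool.txt
EMAIL_FILE::clickers::clickers_pool.txt
REMOVE_EMAIL_FILE::whole::received_pool.txt
EMAIL_NUM::test::999
EMAIL_NUM::whole::550
EMAIL_NUM::lup::999
EMAIL_NUM::clickers::999
"""

# Constructed broken file: bad type, bad number, wrong separator, incomplete type.
BROKEN_CONF = (
    "SUBJECT::everyone::FWD: Hilarious\n"
    "EMAIL_NUM::test::lots\n"
    "TEMPLATE::test::template.html\n"
    "WEB_HOST=upost.com\n"
)

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONF), ("broken", BROKEN_CONF)):
        print(label, parse_phish_conf(text)[1] or "ok")
```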

SCF: Template

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>FWD: FWD: FWD: Hilarious</title>
</head>
<body bgcolor="#ffffff" text="#000000">
<big><big>Check it out!</big></big><br>
<p class="MsoNormal" style="margin-bottom: 12pt;"><b><span
style="font-size: 11pt; font-family: &quot;Tahoma&quot;,&quot;sans-serif&quot;;"><br>
From:</span></b><span
style="font-size: 11pt; font-family: &quot;Tahoma&quot;,&quot;sans-serif&quot;;">
Castle, Frank &nbsp;<br>
<b>Sent:</b> Tuesday, March 17, 2009 9:50 AM<br>
<b>To:</b> Barton, Clint; Smith, Travis N.; Jones, Cora M.; James,
Jennifer; Redman, Doug S.; Schrof, Tina; Tillman, Edward E.; Van Dyke, Richard L.; Farner
Mark K.; Jamison, Hollie; Stewart, Greg; Young, Justin M.; Pierce, James G.;
Spencer, Tim; Alexander, Charles B.; Gordon, Dale E.; Keen, Robert H.<br>

Create
· HTML Editor: Thunderbird
· Text Based Editor
· TAGS
  http://REPLACEWITHHOST/REPLACEWITHID/
  href="mobile.html"
  href=""
  img src="opening.jpg"

Database: Tables

attack
+-------------+---------------------------------------+
| Field       | Type                                  |
+-------------+---------------------------------------+
| aid         | int(10) unsigned                      |
| attack_type | enum('lup','test','whole','clickers') |
| started     | datetime                              |
| ended       | datetime                              |
| first_view  | datetime                              |
| last_view   | datetime                              |
| first_click | datetime                              |
| last_click  | datetime                              |
| sent_user   | varchar(50)                           |
| sent_host   | varchar(50)                           |
| subject     | varchar(50)                           |
| body        | mediumtext                            |
| sent_count  | int(5) unsigned                       |
| click_count | int(5) unsigned                       |
| name        | varchar(15)                           |
+-------------+---------------------------------------+

Database: Tables (2)

victims
+------------+-------------+
| Field      | Type        |
+------------+-------------+
| username   | varchar(25) |
| dcso       | varchar(25) |
| last_name  | varchar(50) |
| first_name | varchar(50) |
| user_phone | varchar(12) |
+------------+-------------+

Sample values:
username: gerberjj
dcso: arwoodpc
last_name: Gerber
first_name: J J (John)
user_phone: 865-574-9756

Database: Tables (3)

victim_pool
+----------+------------------+
| Field    | Type             |
+----------+------------------+
| uid      | varchar(25)      |
| aid      | int(10) unsigned |
| username | varchar(25)      |
| added    | datetime         |
+----------+------------------+

Sample values:
uid: ibYyK1x8lstu1KseMrkpdJaHv
aid: 14
username: gerberjj
added: 2009-03-24 10:32:30

Database: Tables (4)

session
+--------------+------------------+
| Field        | Type             |
+--------------+------------------+
| uid          | varchar(25)      |
| sent         | datetime         |
| viewed_time  | datetime         |
| viewed_log   | varchar(255)     |
| clicked_time | datetime         |
| clicked_log  | varchar(255)     |
| ip           | varchar(50)      |
| email_sent   | enum('yes','no') |
+--------------+------------------+

Sample values:
uid: ibYyK1x8lstu1KseMrkpdJaHv
sent: 2009-03-24 13:45:57
viewed_time: NULL
viewed_log: NULL
clicked_time: 2009-03-25 10:36:04
clicked_log: user123.ornl.gov - - [25/Mar/2009:10:36:04 -0400] "GET /photo/ibYyK1x8lstu1KseMrkpdJaHv/showalbulm.pl?albulm=new HTTP/1.1" 200 2577 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.19) Gecko/20081204 SeaMonkey/1.1.14"
ip: user123.ornl.gov
email_sent: no
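
How the session fields can be derived from the Apache access log, as an added Python example (not the presenters' Perl code). It assumes the per-recipient token is the 25-character path segment after the exercise directory, that a request under `/<exercise>/images/<uid>/` marks a view and any other tokenised request a click, and that click_count means recipients who clicked; every log line after the first is constructed.

```python
import re
from datetime import datetime

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Apache combined log: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|HEAD|POST) (?P<path>\S+)[^"]*" \d{3} '
)
# /<exercise>/<uid>/... or /<exercise>/images/<uid>/... ; the uid columns are varchar(25).
PATH_RE = re.compile(r'^/(?P<attack>[^/]+)/(?P<img>images/)?(?P<uid>[A-Za-z0-9]{25})/')


def parse_hit(line):
    """Return (uid, kind, when, host) for a tracked request, else None."""
    m = LOG_RE.match(line)
    p = PATH_RE.match(m.group("path")) if m else None
    if p is None:
        return None
    when = datetime.strptime(m.group("ts"), TS_FMT)
    # Assumption: an image fetch means the mail was viewed; anything else is a click.
    kind = "viewed" if p.group("img") else "clicked"
    return p.group("uid"), kind, when, m.group("host")


def build_sessions(log_lines, issued_uids):
    """Fold log lines into one session-like row per issued uid (earliest event wins)."""
    sessions = {}
    for line in log_lines:
        hit = parse_hit(line)
        if hit is None or hit[0] not in issued_uids:
            continue  # untracked URL, or a token that was never issued (scanner, typo)
        uid, kind, when, host = hit
        row = sessions.setdefault(uid, dict.fromkeys(
            ("viewed_time", "viewed_log", "clicked_time", "clicked_log", "ip")))
        if row[kind + "_time"] is None or when < row[kind + "_time"]:
            row[kind + "_time"] = when
            row[kind + "_log"] = line[:255]       # *_log columns are varchar(255)
            if kind == "clicked" or row["ip"] is None:
                row["ip"] = host[:50]             # ip column is varchar(50)
    return sessions


def attack_summary(sessions, sent_count, first_report):
    """Per-exercise figures matching the attack table and the results slide."""
    clicks = sorted(r["clicked_time"] for r in sessions.values() if r["clicked_time"])
    rate = round(100.0 * len(clicks) / sent_count, 1) if sent_count else 0.0
    return {
        "first_click": clicks[0] if clicks else None,
        "last_click": clicks[-1] if clicks else None,
        "click_count": len(clicks),               # recipients who clicked at least once
        "click_rate_pct": rate,
        "clicked_before_report": sum(t < first_report for t in clicks),
    }


# Sample data: the first log line is the one on the slide, the rest are constructed.
UID_A = "ibYyK1x8lstu1KseMrkpdJaHv"
UID_B = "Qm3xT" * 5     # constructed 25-character token
UID_X = "Z" * 25        # constructed token that was never issued
UA = '"-" "Mozilla/5.0"'
SAMPLE_LOG = [
    f'user123.ornl.gov - - [25/Mar/2009:10:36:04 -0400] "GET /photo/{UID_A}/showalbulm.pl?albulm=new HTTP/1.1" 200 2577 {UA}',
    f'user123.ornl.gov - - [25/Mar/2009:10:40:00 -0400] "GET /photo/{UID_A}/showalbulm.pl?albulm=new HTTP/1.1" 200 2577 {UA}',
    f'host-b.example.test - - [25/Mar/2009:09:00:00 -0400] "GET /photo/images/{UID_B}/opening.jpg HTTP/1.1" 200 5120 {UA}',
    f'host-b.example.test - - [25/Mar/2009:11:15:30 -0400] "GET /photo/{UID_B}/ HTTP/1.1" 200 2577 {UA}',
    f'scanner.example.test - - [25/Mar/2009:11:20:00 -0400] "GET /photo/{UID_X}/ HTTP/1.1" 200 2577 {UA}',
    'host-b.example.test - - [25/Mar/2009:11:21:00 -0400] "GET /favicon.ico HTTP/1.1" 404 209 "-" "-"',
]
ISSUED = {UID_A, UID_B}
FIRST_REPORT = datetime.strptime("25/Mar/2009:10:58:00 -0400", TS_FMT)  # constructed

if __name__ == "__main__":
    rows = build_sessions(SAMPLE_LOG, ISSUED)
    print(attack_summary(rows, sent_count=4, first_report=FIRST_REPORT))
```

Filtering on the set of issued tokens keeps scanners and mistyped URLs out of the click statistics.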

Sample Initial Setup

[hilarious]# ls -1
clickers_pool.txt
lup_pool.txt
phish.conf
received_pool.txt
template.html
test_pool.txt
whole_pool.txt

No File

[email protected]@[email protected]@[email protected]

00007 [email protected] "Gerber, John J" 12312312
00009 [email protected] "Pike, Christopher" 23123123
00010 [email protected] "Colt, J M" 23123123
00011 [email protected] "Boyce, Phillip" 23123123
00012 [email protected] "Tyler, Jose" 23123123

TEMPLATE::test::template.html
TEMPLATE::whole::template.html
TEMPLATE::lup::template.html
TEMPLATE::clickers::template.html
SENDER::test::[email protected]
SENDER::whole::[email protected]
SENDER::lup::[email protected]
SENDER::clickers::[email protected]
SUBJECT::test::FWD: FWD: FWD: Hilarious
SUBJECT::whole::FWD: FWD: FWD: Hilarious
SUBJECT::lup::FWD: FWD: FWD: That is Hilarious
SUBJECT::clickers::FWD: FWD: FWD: This is Hilarious
WEB_HOST::test::www.upostfun.com
WEB_HOST::whole::www.upostfun.com
WEB_HOST::lup::www.upostfun.com
WEB_HOST::clickers::www.upostfun.com
EMAIL_FILE::test::test_pool.txt
EMAIL_FILE::whole::whole_pool.txt
EMAIL_FILE::lup::lup_pool.txt
EMAIL_FILE::clickers::clickers_pool.txt
REMOVE_EMAIL_FILE::whole::received_pool.txt
EMAIL_NUM::test::999
EMAIL_NUM::whole::550
EMAIL_NUM::lup::999
EMAIL_NUM::clickers::999

No File

[email protected]
[email protected]
[email protected]
[email protected]

<html>
<head> <title>FWD: FWD: FWD: Hilarious</title></head>
<body bgcolor="#ffffff" text="#000000">
<big><big>Check it out!</big></big><br>
<p class="MsoNormal" style="margin-bottom: 12pt;"><b><span style="font-size: 11pt; font-family: &quot;Tahoma&quot;,&quot;sans-serif&quot;;"><br>
From:</span></b><span style="font-size: 11pt; font-family: &quot;Tahoma&quot;,&quot;sans-serif&quot;;">Castle, Frank &nbsp;<br>
<b>Sent:</b> Tuesday, March 17, 2009 9:50 AM<br>
<b>To:</b> Barton, Clint; Smith, Travis N.; Jones, Cora M.; James, Jennifer; Redman, Doug S.; Schrof, Tina; Tillman, Edward E.; Van Dyke, Richard L.; Farner Mark K.; Jamison, Hollie; Stewart, Greg; Young, Justin M.; Pierce, James G.; Spencer, Tim; Alexander, Charles B.; Gordon, Dale E.; Keen, Robert H.<br>
<b>Subject:</b> FWD: FWD: Hilarious

gerberjj
arwoodpc

UID PRIM TYPE PRO_DT UID_DT EMPSTAT UIDSTAT
JLP55 Y NON 9/8/2005 14:18 9/8/2005 15:09 ACT ACT
WTR21 Y NON 10/26/2004 2:00 9/14/2005 15:21 ACT ACT
GLF45 Y NON 3/15/2005 2:00 8/31/2007 14:04 ACT ACT
DKP72 Y NON 7/18/2005 15:03 7/19/2005 15:52 ACT ACT

Program: prepare.pl

Run: prepare.pl <attack_name>

#!/usr/local/bin/perl -w
use DBI;
use POSIX qw(strftime);

BEGIN{push @INC, "/home/ger/projects/phish/perl"}
use ornl_phish qw($db_host $db $mysql_user $mysql_passwd logit runcommand mailit generate_html user_exist check_attack_type read_config find_attack_name );

sub update_received {
    my($datafile, $rm_min_date, $dbh) = @_;
    $error = "";

    my %user_list; # Make sure we add back only unique ids (no duplicates)

    if ( -e $datafile) {
        my $results = "";
        # Pull out the content of previous clickers
        $/ = "\n";
        open(INFILE,$datafile) || ( $error = "ERROR: Problem opening file $datafile: $!\n" );

Results

· *.orig - the original files.
· *_pool.txt - these are the updated files which the system will use in the next step. Make sure they look correct.
· received_pool.txt - This file will be updated with unique values that previously existed and data from the database of those who received email under a "whole" attack.
· sample_*.html - sample emails. Check them out and make sure they look appropriate. Open file in browser and confirm no format problems.

Results: prepare.pl

[hilarious]# ls -1
phish.conf
received_pool.txt
sample_test.html
template.html
test_pool.txt
test_pool.txt.orig

File: [email protected]
[email protected]
[email protected]
[email protected]
[email protected]

File: sample_text.html
<html><head><title>FWD: FWD: FWD: Hilarious</title>
</head><body bgcolor="#ffffff" text="#000000">
This is hilarious, check it out!<br>
<br>
<a href="http://upostfun.com/hilarious/0123456789/">http://upostfun.com/hilarious/0123456789/2009/04/11/</a><br>

File: test_pool.txt
[email protected]
[email protected]

View sample_text.html

Use your favorite browser to pull up sample_text.html

Inform and Authorize

• CIO Authorization

• Helpdesk

• Mail Administrator

• DNS Administrator

Program: go_phishing.pl

Run: go_phishing.pl

#!/usr/local/bin/perl -w
# Perl Modules #
use DBI;
use POSIX qw(strftime);

BEGIN{push @INC, "/home/ger/projects/phish/perl"}
use ornl_phish qw($db_host $db $mysql_user $mysql_passwd logit runcommand mailit generate_html user_exist check_attack_type read_config find_attack_name);

sub modify_apache {
    my($apache_conf,$apache_temp,$attack_name,$logfile) = @_;
    my $error = "";
    local($datetime) = strftime("%Y%m%d%H%M%S", localtime);

    undef $/;
    open(INFILE,$apache_temp) || ( $error = "ERROR: Problem opening file $apache_temp: $!\n" );

    if ($error eq "") {
        my $conf_body = <INFILE>;
        $conf_body =~ s/RewriteEngine On.*/RewriteEngine On/s;
        my $rc = &runcommand($logfile,"/bin/cp","$apache_conf/httpd.conf","$apache_conf/httpd.conf.$datetime");

· Emails are sent.
· A 30 minute break between groups.
· Web areas created.
  – images
  – web page people see when they click
  – report web area created to watch the progress
· Modify httpd.conf, clear logs, restart server.

Results

Uses: /usr/bin/nc -vv smtpserver.ornl.gov 25

2009-04-29 19:10:28 INFO: Started.

Sending email to gerberjj

smtpserver.ornl.gov [160.91.4.118] 25 (smtp) open

220 mailserver.ornl.gov -- Server ESMTP (PMDF V6.4#31561)

251 mailserver.ornl.gov system name not given in HELO command, phishingphil.ornl.gov [160.91.218.210].

250 2.5.0 Address Ok.

250 2.1.5 [email protected] OK.

354 Enter mail, end with a single ".".

250 2.5.0 Ok.

221 2.3.0 Bye received. Goodbye.

sent 4340, rcvd 301

Modifications to httpd.conf

RewriteEngine On

RewriteRule ^/hilarious$ /usr/local/apache/htdocs/hilarious/index.html [L]

RewriteRule ^/hilarious/images/[^/]+/(.*)$ /work/software/apache/htdocs/hilarious/images/$1 [L]

RewriteRule ^/hilarious/[^/]+/(.*)$ /work/software/apache/htdocs/hilarious/index.html [L]

RewriteRule ^/hilarious/(.*)$ /work/software/apache/htdocs/hilarious/index.html [L]

Monitoring the Results: Summary

Future

• Request Tracker

• Additional Reports for Management

• Possibly Front End
  – Easier: Is that a good or bad thing?
  – HTML editor interface
  – Grab required information from ORNL DBs
  – Schedule

Final Words

Thank you for the opportunity to discuss our phishing awareness work.

Philip Arwood, John Gerber
[email protected], [email protected]

Source: http://SecurityCartoon.com

Source: http://wombatsecurity.com/antiphishingphilz

Source: http://education.apwg.org/r/en

Other ORNL Presentations of Interest

SharePoint
• Monday, 11:45 - Using SharePoint UI to Deliver General Use Applications, Connie Begovich
• Tuesday, 11:45 - SharePoint at ORNL, Brett Ellis

Cyber Security
• Monday, 1:30 - Development of a Process for Phishing Awareness Activities, Philip Arwood & John Gerber
• Monday, 2:15 - How I Learned to Embrace the Chaos, Mark Lorenc
• Monday, 4:15 - TOTEM: The ORNL Threat Evaluation Method, John Gerber & Mark Floyd

Desktop Management
• Monday, 4:15 - On the Fly Management of UNIX Hosts using CFEngine, Ryan Adamson
• Tuesday, 11:00 - Implementation of Least User Privileges, Doug Smelcer
• Wednesday, 11:45 - Microsoft Deployment Using MDT and SCCM, Chad Deguira

Incident Management
• Wednesday, 11:00 - Helpdesk Operations for Clients Without Admin Privileges, Bob Beane & Tim Guilliams

IT Modernization
• Monday, 2:15 - 12 Months of Technology, Lara James

