© Copyright 2015 PhishMe, Inc. All rights reserved.
The Humanity of Phishing Attack and Defense
2016 Alabama Cyber Now
Aaron Higbee
Co-Founder & CTO of PhishMe
@higbee @phishme
What you are in for…
• A LOT of slides – don’t worry, they will be on Slideshare.
• Is Phishing easy? The operation examined from the Attacker’s perspective
• Multiple data points – Highlights from our Enterprise Susceptibility Report
– Examples of effective and popular phishing themes
– How much time do users spend consuming phishing education?
• Does it matter?
– New data from recent survey. Do we have an awareness problem?
• Why do humans fall for phishing?
A TALE OF WOE
OPM
Notice anything interesting?
What likely caused the breach…
The DHS Response…
“The campaign will feature short videos, posters and literature on the do’s and don’ts for better cyber hygiene”
OPM Needs an extra 21 million (for encryption)
2002
• Incident Response
• Penetration Testing
• Taught a lot of Ultimate Hacking Classes
– Hands on, learn by doing
• Met a lot of these types
Attacker’s Perspective: Is phishing easy?
The classic Attackers vs. Defenders arguments seem to gloss over the effort involved…
Phishing operations examined: Recon
• Reconnaissance for targeting
– Email addresses from simple internet searches
– Mining social networks
– Spam lists
– Paid private lists
*Image created by Seculert
Phishing operations examined: Weaponization
• Exploit writers
• JavaScript expertise
• Code packers and obfuscation
• Remote Administration Tools – Custom or Modified
• Data-Entry credential stealing phishing?
*Image created by Seculert
Phishing operations examined: Delivery
• Send email, collect shells. Easy, right?
• Brand protection & site take down. E.g. login.peypal.net
• Spoofing still viable? SPF, DKIM, …
• Attachment delivery? Zip it? Password zip it?
• Anti-Spam products are a problem…
– Attackers using gmail.com, yahoo.com, hotmail.com, etc.
• Time of day?
• Mobile devices?
*Image created by Seculert
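The delivery slide asks whether spoofing is still viable given SPF and DKIM. From the defender’s side, the receiving gateway records its SPF, DKIM and DMARC verdicts in the Authentication-Results header, and those verdicts plus sender-domain alignment are the first things a SOC analyst checks on an employee-reported message. The following is an added example, not material from the deck or PhishMe’s own tooling: a small Python triage routine over a constructed reported email (all domains, addresses and the IP are documentation placeholders, and the header layout is assumed to follow the usual gateway format).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a message as an employee might forward it to the SOC.
# Every domain, address and IP here is a documentation/placeholder value,
# not an indicator from any real campaign.
SAMPLE_REPORTED_EMAIL = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=mailer.example.net;
 dkim=none header.d=none;
 dmarc=fail (p=REJECT) header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: employee@example.com
Subject: Your inbox is over the limit
Content-Type: text/plain

Your mailbox is full. Click http://mail-quota-fix.example/login within 24 hours.
"""

# Result tokens as they appear in Authentication-Results headers (RFC 8601).
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_auth_results(msg):
    """Return the spf/dkim/dmarc verdicts recorded by the receiving gateway,
    e.g. {'spf': 'pass', 'dkim': 'none', 'dmarc': 'fail'}."""
    header = msg.get("Authentication-Results", "")
    flat = " ".join(header.split())  # unfold continuation lines
    return {m.group(1).lower(): m.group(2).lower()
            for m in AUTH_RESULT_RE.finditer(flat)}


def domain_of(address_header):
    """Lower-cased domain of the address in a header value ('' if none)."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def triage_reported_email(raw):
    """Summarise what an analyst looks at first on a reported phish:
    authentication verdicts, sender-domain alignment and embedded URLs."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))

    findings = [f"{mech}-not-pass" for mech in ("spf", "dkim", "dmarc")
                if auth.get(mech) != "pass"]
    # Visible From: domain differs from the envelope sender: the classic spoofing shape.
    if from_domain and return_path_domain and from_domain != return_path_domain:
        findings.append("from/return-path-misaligned")

    body = msg.get_payload() if not msg.is_multipart() else ""
    urls = sorted(set(URL_RE.findall(body)))
    return {
        "auth": auth,
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "findings": findings,
        "urls": urls,
    }


if __name__ == "__main__":
    for key, value in triage_reported_email(SAMPLE_REPORTED_EMAIL).items():
        print(f"{key}: {value}")
```

Note that SPF passing on its own proves little: it is evaluated against the envelope sender (smtp.mailfrom), which the sample shows as a different domain from the displayed From: header, which is exactly the gap DMARC alignment exists to close.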
Phishing operations examined: Exploit
• x86 Win32 – time of day matters
• Advances in end-point protection
• Application whitelisting
• Email scanning gateways
• URL detonation
• Sandboxes
• Phishing with only links? – Site categorization
– Evolving browser protections
*Image created by Seculert
Phishing operations examined: Recap
Let’s recap…
We found targets, prepared our email sending environment to ensure delivery and we’ve overcome the problems of exploitation. We can either get exploit attachments in, or lure phishing victims to our prepared, whitelisted, categorized site designed to deliver the payload. We are either defeating sandboxes or our malware is designed in such a way that analysis either takes too long or provides inconclusive results in the sandbox to set off alerts. Game Over?...
*Image created by Seculert
Phishing operations examined
… But you are still not done.
Plant backdoors, connect outbound, exfiltration
*Image created by Seculert
Now let’s look at some Crimeware examples
Common themes:
– Faxes, Voicemails, ACH notices, Package Delivery
– The PhishMe blog has many examples
– Cryptolocker
Locky Message
Notice the variations
MOST USED AND HIGHEST
SUSCEPTIBILITY
Introduction – Study Demographics
• 400 PhishMe customers
• Fortune 500 and public sector organizations across 23 verticals
• 8 million simulation emails over a 13-month span
• 75% of organizations training 1000+ employees
Questions Asked
• Are certain themes or levels of complexity more difficult than others for employees to recognize?
• What is the impact of emotional motivators on the likelihood of phishing responses?
• Does timing of the phish influence user vulnerability?
• Can we see positive trend success metrics over time?
• What makes a phishing simulation program successful?
Key Findings
• 87% of the employees who opened a phishing simulation email opened it the SAME DAY it was sent.
• Most employees responded to a phishing email in the morning hours, particularly at 8:00 AM local time.
• Employees who open a phishing email are 67% more likely to respond to another phishing attempt.
• The most effective phishing emails contain a business communication theme.
• Behavioral conditioning decreased susceptible employees’ likelihood to respond to malicious email by 97.14% after just 4 simulations.
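The findings above are aggregates over simulation send/response records: response rate per theme, how many responses landed the same day, which hour of the day responses cluster in, and whether earlier responders are more likely to respond again. The following is an added example, not the report’s methodology or PhishMe code: a Python routine that computes metrics of that shape from constructed records. The theme names come from the deck; the users, timestamps and outcomes are made up, and the “repeat lift” here is one reasonable definition (later-round response rate of first-round responders relative to first-round non-responders), not a reproduction of the 67% figure.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Simulation:
    """One simulated phish sent to one user. `responded` is the click,
    data-entry or attachment-open time, or None if the user never bit."""
    user: str
    theme: str
    sent: datetime
    responded: Optional[datetime]


def _dt(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed records: two rounds sent to the same seven users. Theme names are
# from the deck; users, dates and outcomes are invented for this example.
RECORDS = [
    Simulation("u1", "Office Communication", _dt("2016-03-01 08:00"), _dt("2016-03-01 08:15")),
    Simulation("u2", "Office Communication", _dt("2016-03-01 08:00"), _dt("2016-03-01 09:30")),
    Simulation("u3", "Office Communication", _dt("2016-03-01 08:00"), _dt("2016-03-02 10:00")),
    Simulation("u4", "Office Communication", _dt("2016-03-01 08:00"), None),
    Simulation("u5", "Office Communication", _dt("2016-03-01 08:00"), None),
    Simulation("u6", "Office Communication", _dt("2016-03-01 08:00"), None),
    Simulation("u7", "Office Communication", _dt("2016-03-01 08:00"), None),
    Simulation("u1", "Employee Wellness", _dt("2016-04-05 13:00"), _dt("2016-04-05 13:20")),
    Simulation("u2", "Employee Wellness", _dt("2016-04-05 13:00"), None),
    Simulation("u3", "Employee Wellness", _dt("2016-04-05 13:00"), _dt("2016-04-05 14:05")),
    Simulation("u4", "Employee Wellness", _dt("2016-04-05 13:00"), _dt("2016-04-05 13:40")),
    Simulation("u5", "Employee Wellness", _dt("2016-04-05 13:00"), None),
    Simulation("u6", "Employee Wellness", _dt("2016-04-05 13:00"), None),
    Simulation("u7", "Employee Wellness", _dt("2016-04-05 13:00"), _dt("2016-04-05 13:55")),
]


def response_rate_by_theme(records):
    """Percentage of sent simulations that drew a response, per theme."""
    sent, hit = Counter(), Counter()
    for r in records:
        sent[r.theme] += 1
        if r.responded is not None:
            hit[r.theme] += 1
    return {theme: round(100 * hit[theme] / sent[theme], 2) for theme in sent}


def same_day_share(records):
    """Percentage of responses that happened on the calendar day of sending."""
    responses = [r for r in records if r.responded is not None]
    same = sum(1 for r in responses if r.responded.date() == r.sent.date())
    return round(100 * same / len(responses), 2) if responses else 0.0


def peak_response_hour(records):
    """Local hour of day with the most responses (None if nobody responded)."""
    hours = Counter(r.responded.hour for r in records if r.responded is not None)
    return hours.most_common(1)[0][0] if hours else None


def repeat_response_lift(records):
    """Relative lift in later-simulation response rate for users who responded
    to their first simulation versus those who did not (0.5 means 50% more
    likely). Returns None when either group is empty or the baseline is zero."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r.sent):
        by_user[r.user].append(r)
    # key: responded to first simulation -> [later sims sent, later sims responded]
    later = {True: [0, 0], False: [0, 0]}
    for sims in by_user.values():
        if len(sims) < 2:
            continue  # no later simulation to measure against
        first_hit = sims[0].responded is not None
        for s in sims[1:]:
            later[first_hit][0] += 1
            if s.responded is not None:
                later[first_hit][1] += 1
    (n_hit, k_hit), (n_miss, k_miss) = later[True], later[False]
    if not n_hit or not n_miss or not k_miss:
        return None
    return (k_hit / n_hit) / (k_miss / n_miss) - 1


if __name__ == "__main__":
    print("response rate by theme:", response_rate_by_theme(RECORDS))
    print("same-day share:", same_day_share(RECORDS))
    print("peak hour:", peak_response_hour(RECORDS))
    print("repeat lift:", repeat_response_lift(RECORDS))
```

The lift calculation deliberately returns None rather than a number when a comparison group is empty or its baseline is zero; with a single round of data, or a small pilot group where nobody in the baseline clicked, the metric is undefined, and reporting it as a percentage would be misleading.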
Scenario Themes and Complexity
What is a Phishing Theme?
PhishMe’s term for a collection of email scenario templates that use the same context, motivation, or topic to elicit user action.
– Office Communication
– Employee Wellness
– Computer Updates
Theme Averages and Benchmarks
Top Emotional Motivators
The strongest emotional motivators (above 20% average) were related to connection and reward (e.g., winning a prize).
Top Motivators:
• Connection
• Reward
• Curiosity
• Urgency
• Fear
Most Popular Simulations…
Scenario              | Type        | % Susceptible | Popularity | Primary Motivators
Sent From Phone       | Attach (DB) | 13.9          | High       | Curiosity, Urgency
Package Delivery      | Click (BM)  | 18.43         | High       | Curiosity
Inbox Over the Limit  | Click       | 19.7          | High       | Fear, Urgency
eCard Alerts          | Click       | 25.98         | High       | Curiosity, Reward, Social
File from Scanner     | Click       | 24.05         | High       | Curiosity
Order Confirmation    | Click       | 17.38         | High       | Curiosity, Fear
Unauthorized Access   | Data        | 29.16         | High       | Curiosity, Fear, Urgency
Password Survey       | Data        | 16.58         | Medium     | Fear, Urgency
Awards Season         | Click       | 5.6           | Medium     | Entertainment
Scanned File          | Attach (BM) | 16.95         | Medium     | Curiosity
Highly Susceptible Themes
Scenario                             | Type      | % Susceptible | Popularity | Primary Motivators
Manager Evaluation                   | Data      | 31.55         | Low        | Curiosity, Fear, Reward
Time Off Request - Negative Balance  | Click     | 30.92         | Medium     | Fear, Urgency
Unauthorized Access (Adult-Oriented) | Data      | 30.02         | Low        | Curiosity, Fear, Urgency
Unauthorized Access                  | Data      | 29.16         | Medium     | Curiosity, Fear, Urgency
Browser Update Required              | Data (DB) | 26.8          | Low        | Fear, Urgency
eCard Alerts                         | Click     | 25.98         | High       | Curiosity, Reward, Social
Employee Raffle                      | Data      | 25.85         | Low        | Reward
Financial Information                | Attach    | 25.5          | Medium     | Curiosity
Unauthorized Access 29.16% - Popular
Unauthorized Web Use: 30% - Low popularity
eCard Alerts – 29.58% - Popular
Manager Evaluation 31.55% - Low popularity
CREATING PHISHING AWARENESS
“Sit down, let me aware you about Phishing…”
Dear Awareness Professional, it’s not you…
PhishMe Content Team
Too Chinese…
Too Alluring…
Too American…
27 seconds…
Time spent improving “Awareness”
How is it that susceptibility rates decline?
• People don’t read the education
• Yet there is a consistent reduction in susceptibility
How is it that susceptibility rates decline?
• People don’t read the education
• Yet there is a consistent reduction in susceptibility
• People respond to emails quickly
• Empowered and encouraged users report
• IR & SOC teams get relevant and timely threat intelligence
Potential threat intelligence
Can resilient humans be threat detectors?
What customers tend to focus on
Results: Conditioning vs. Awareness
Yes!
IS PHISHING AWARENESS THE
PROBLEM?
A survey conducted on the basics of Phishing…
Introduction – Survey Demographics
• PhishMe carried out a contracted survey in March 2016
• Sample: 216 US office workers who use email (outside of the IT & Security department)
Opening Question: Phishing is a term used to describe a deceptive email designed to infect your computer or steal your passwords. Were you already aware of that before reading this definition?
– Four follow-up questions about phishing tactics
• Did you know that clicking a misleading link in an email has the potential to infect your computer?
• Did you know an email taking you to a deceptive website designed to trick you into entering your username and password is also known as phishing?
• Did you know opening an attachment has the potential to infect your computer?
• How far do you agree / disagree with the following statement? ‘Mobile devices are equally susceptible to phishing as PCs’
Spoiler: They are aware of phishing
‘Phishing’ is a term used to describe a deceptive email designed to infect your computer or steal your passwords. Were you already aware of that before reading this definition?
[Bar chart] Yes: 94.4% aware / No: 5.6% not
Based on your knowledge of phishing emails today, please answer the following:
Did you know that clicking a misleading link in an email has the potential to infect your computer?
– Yes 98.1%
– No 1.9%
Did you know an email taking you to a deceptive website designed to trick you into entering your username and password is also known as phishing?
– Yes 91.2%
– No 8.8%
Did you know opening an attachment has the potential to infect your computer?
– Yes 97.2%
– No 2.8%
Bonus Question
How far do you agree / disagree with the following statement? ‘Mobile devices are equally susceptible to phishing as PCs’
– Strongly agree 58.8%
– Slightly agree 31.5%
– Slightly disagree 9.3%
– Strongly disagree 0.5%
90.3% agree (strongly or slightly)
Key Findings: Aware, but vulnerable
• 94.4% are aware of phishing – Some confusion remains about mobile and other attack vectors
Awareness is not the problem
What do phishing simulations accomplish?
So you do awareness, but better?...
Changing Behavior Ain’t Eazy…
K3wp doesn’t like me… reddit/r/netsec
Aaronhigbee wrote: If you think that conditioning humans to avoid phishing should be part of every organization’s security hygiene… I’ll raise a beer and toast you. Not everyone agrees.
K3wp responds:
I absolutely do not agree. You should be designing systems and networks that cannot be compromised via phishing attacks vs. trying to train a bunch of useless meat tubes to be competent.
Security Engineers want to Engineer
Behave Humans!
• For many it’s an intellectual challenge
– When the human doesn’t conform to the system as designed, they want to fix their Engineering mistake. They want to contain it. When they can’t, they get upset. They blame the human. Not their system.
What does history say?
Optical Sensors
Defeating coin optical sensors: Shaved Coins
Defeating Optical sensors
Light Wand aka Monkey Paw
• File.exe
• File.scr
• File.zip
• File.cab
• …
• http://Dropbox.com/file.exe
Consider the malware sandbox…
My Reaction
(sure you do)
“We STOP Phishing!”
How does your security sandbox stop this?
Or This?
Predictable response
After the tantrum is over… they blame the user
“the human is the weakest link”
“PEBKAC”
Thinking Fast and Slow
• Nobel Prize Winner in Behavioral Economics
• System 1: Intuitive brain process
– Operates automatically
• System 2: Deliberate thinking process
– Requires effort
*Not Bernie Sanders
How many emails do we process daily?
• Receive ~71 legit emails
• Send 41 emails
• Must mentally discard 13 emails
• Assume 2 hours of meetings and 1 hour lunch break
• We perform 33 email related tasks per hour
• Source: http://www.radicati.com/wp/wp-content/uploads/2014/01/Email-Statistics-Report-2014-2018-Executive-Summary.pdf
Consider the following…
2+2 = ?
1+8 = ?
7+4 = ?
5+5 = ?
10 x 2 = ?
85 x 97 = ?
Another example…
LEFT
LEFT LEFT
LEFT
LEFT
Right
Right Right
Right
Right
Another example…
LEFT
LEFT
LEFT
Right LEFT
Right
Right LEFT
LEFT
Right
System 1 and 2 are always active
This should not trigger System 2
This should trigger System 2
System 1 to System 2 Success!
So what you are saying is…
Simulations create experiences using tactics similar to real phishing emails to jolt repetitive, lazy, intuitive cognitive functions into a deliberate thinking process that requires effort!
System 1 Recently Failed Me
Failure in System 1
• Wow, This is a nice hotel! The bathroom is so clean.
• (washing my hands now)
– Hrm, no urinals?
• Hrm, what is this thing for?
• I have made a critical mistake
You admit some useless meat tubes will fail!
“Can’t fix stupid” “The weakest link”
Conclusions
• Good news! Phishing Awareness is solved
• Bad news! We are still susceptible to phishing
• Somewhere, some technology vendor is creating an Advanced Machine Learning - Hadoop clustering engine to perform User Behavior Analytics to end the Phish Du Jour.
• Or you could consider conditioning the user to avoid and detect tomorrow’s attacks, today.