NLIT 2009 Philip Arwood John Gerber Development of a Process for Phishing Awareness Activities.


NLIT 2009

Philip Arwood

John Gerber

Development of a Process for Phishing Awareness Activities

Managed by UT-Battelle for the U.S. Department of Energy

Protecting Your Information

What Will We Discuss?

• Phishing and related problems
  – Real world examples

• Goals and challenges of phishing awareness
  – Early process
  – Examples (early and current)
  – Stats gathered

• Phishing Technical: Getting Under the Hood


If Only Life Was Simple


View Point Of The Problem

• The following is an excerpt from a speech by Mr. George Tenet, Director, CIA, delivered at the Georgia Institute of Technology, Atlanta, Georgia:
  – “The number of known adversaries conducting research on information attacks is increasing rapidly and includes intelligence services, criminals, industrial competitors, hackers, and aggrieved or disloyal insiders.”


Common Weaknesses

• Here are some of the most common visible or known weaknesses an adversary can exploit to obtain critical information:
  – Inappropriate use of email / attachments / web
  – Lack of awareness: don’t know what to protect, or who to protect it from
  – Poor access controls
  – Failure to practice need to know
  – Failure to comply with security policies


SANS Top Ten List (what people do to mess up their computer)

• Number 10 – Don’t bother with backups

• Number 9 – Use Easy, Quick Passwords

• Number 8 – Believe that Macs don’t get viruses

• Number 7 – Click on Everything

• Number 6 – Open ALL Email attachments

• Number 5 – Keep Your hard drive full and fragmented

• Number 4 – Install and Uninstall lots of programs (especially freeware)

• Number 3 – Turn off the Antivirus because it slows down your system

• Number 2 – Surf the Internet without a Hardware Firewall and a Software Firewall

• Number 1 – Plug into the Wall without Surge Protection


Phishing Stats

• According to Gartner, December 17, 2007
  – The average dollar loss per phishing victim is $866
  – The total dollar loss of all phishing victims over a 1 year period is $3.6 Billion
  – The number of people who fell victim to phishing scams over that same 1 year period is 3.2 Million

• According to a Gartner Survey
  – More than 5 million U.S. consumers lost money to phishing attacks in the 12 months ending in September 2008, a 39.8 percent increase over the number of victims a year earlier
  – Survey indicated a trend toward higher-volume and lower-value attacks


Phishing Stats (cont.)

• According to SonicWall, 2008
  – The estimated number of phishing e-mails sent world-wide each month is 8.5 Billion

• According to the Anti-Phishing Working Group
  – The number of phishing web sites that were operational in May 2008 is 32,414


Phishing Stats (cont.)

• According to Gartner, April 2, 2009
  – More than 5 million consumers lost money to phishing attacks in the 12 months ending in September 2008, a 39.8 percent increase over the number of victims a year earlier.
  – The average consumer loss in 2008 per phishing incident was $351, a 60% decrease from the year before. Gartner believes the criminals are intentionally engaging in higher-volume and lower-value attacks to stay under the radar of fraud detection systems that have become pervasive at banks and other financial services providers.
  – About 4.33% of phishing e-mail recipients recalled giving away sensitive information after they clicked on a phishing e-mail link, which is a 45% increase over the prior year.


Phishing (Real World) Example 1a


Phishing (Real World) Example 1b


Phishing (Real World) Example 1c


Phishing (Real World) Example 2


Phishing (Real World) Example 3


Phishing (Real World) Example 4


Phishing (Real World) Example 5


Phishing (Real World) Example 6


Why Phish?

• Benefits:
  – Training tool for raising user awareness regarding phishing and the dangers.
  – Serves as a self-assessment tool.

• The Challenge:
  – To develop phishing emails for monthly assessments
  – To develop repeatable and reliable delivery methods
  – To gather meaningful statistics for management


Summary of Early Phishing Process

• Phishing Email was developed

• Researched URL to ensure no “real” sites were used, local redirect created to point to “gotcha” page

• Recipient list was created

• UNIX script was used to queue / send email.

• “Gotcha” page was monitored for network traffic, harvested IPs and times of connections


Phishing Emails

• The early emails were developed to appear plain and to contain obvious clues such as misspelled words, hyphenated URLs, etc.

• As the process evolved the emails contained less obvious clues.

• Following are examples of emails used early on and a few current examples.


Early Phishing Example


Current Phishing Example


Gotcha Page

• URL points to a web page that states:
  – Exercise was initiated by security
  – Gives information regarding what could have happened
  – Encourages user to re-take Cyber Awareness training (phishing awareness is reinforced in cyber awareness training)


What Data Do We Gather?

• End-User Response Time
  – The time between sending email and notification to security via email, phone, SPAM folder, …
  – Total number of responses

• End-User Click Rates
  – When the first click occurred
  – Total number of clicks
  – Who clicked


Suggestions for Topics?

• End-Users appear to be more interested in:
  – E-Cards (Valentines, Holiday cards, etc.)
  – Local News (highway construction, etc.)
  – Sports
  – Humor

• End-Users appear to be less interested in:
  – Technology related topics
  – Surveys


Results

Result summary for 2008

Category                                                                     Average        Percentage
Response to Security in Minutes                                              22 (Minutes)
Number of Individuals Who Clicked Before Response to Security Was Received    7             1.6%
Number of Responses Sent To Security                                         11             2.7%
Number Of Responses Placed In SPAM Folder                                     8             1.8%
Number Of Responses Received Other Ways                                       1             0.3%
Total Response                                                               20             4.8%
Total Clickers                                                               42            10.0%

Result summary for 2009 to date

Category                                                                     Average        Percentage
Response to Security in Minutes                                              28 (Minutes)
Number of Individuals Who Clicked Before Response to Security Was Received    8             1.5%
Number of Responses Sent To Security                                          4             1.0%
Number Of Responses Placed In SPAM Folder                                     5             1.0%
Number Of Responses Received Other Ways                                       0             -
Total Response                                                                9             1.6%
Total Clickers                                                               42             6.8%

Phishing Technical: Getting Under the Hood

John J. Gerber, CISSP, GCFA, GCIH, GISP, GSNA


A Presentation of Interest

“Spear Phishing: Real Cases, Real Solutions”

Rohyt Belani, Intrepidus Group. Wednesday, 11:00-11:45.


What Will We Discuss?

• Basic System Setup

• Configuration Files

• Database Tables

• Programs Involved

• Walk Through

• Show Sample Results


System Configuration

• Classic LAMP System
  – Linux
  – Apache
  – MySQL
  – Perl

• ModSecurity

• Request Tracker

• Thunderbird


Create Data Files

We keep each anti-phishing exercise in its own directory. In each directory create:

· Phishing Email

· Employee List

· LUP Exceptions

· Previous Clickers

· Exempt List

· Images


Sample Configuration File

TEMPLATE::test::template.html
TEMPLATE::whole::template.html
TEMPLATE::lup::template.html
TEMPLATE::clickers::template.html

SENDER::test::jennifer_james@upostfun.com
SENDER::whole::jennider_james@upostfun.com
SENDER::lup::Jennifer_James@upostfun.com
SENDER::clickers::Jen_James@upostfun.com

SUBJECT::test::FWD: FWD: FWD: Hilarious
SUBJECT::whole::FWD: FWD: FWD: Hilarious
SUBJECT::lup::FWD: FWD: FWD: This is Hilarious
SUBJECT::clickers::FWD: FWD: FWD: That is Hilarious

WEB_HOST::test::upost.com
WEB_HOST::whole::upost.com
WEB_HOST::lup::upost.com
WEB_HOST::clickers::upost.com

EMAIL_FILE::test::test_pool.txt
EMAIL_FILE::whole::whole_pool.txt
EMAIL_FILE::lup::lup_pool.txt
EMAIL_FILE::clickers::clickers_pool.txt

REMOVE_EMAIL_FILE::whole::received_pool.txt

EMAIL_NUM::test::999
EMAIL_NUM::whole::550
EMAIL_NUM::lup::999
EMAIL_NUM::clickers::999


SCF: Template

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>FWD: FWD: FWD: Hilarious</title>
</head>
<body bgcolor="#ffffff" text="#000000">
<big><big>Check it out!</big></big><br>
<p class="MsoNormal" style="margin-bottom: 12pt;"><b><span
style="font-size: 11pt; font-family: &quot;Tahoma&quot;,&quot;sans-serif&quot;;"><br>
From:</span></b><span
style="font-size: 11pt; font-family: &quot;Tahoma&quot;,&quot;sans-serif&quot;;">
Castle, Frank &nbsp;<br>
<b>Sent:</b> Tuesday, March 17, 2009 9:50 AM<br>
<b>To:</b> Barton, Clint; Smith, Travis N.; Jones, Cora M.; James, Jennifer; Redman, Doug S.; Schrof, Tina; Tillman, Edward E.; Van Dyke, Richard L.; Farner Mark K.; Jamison, Hollie; Stewart, Greg; Young, Justin M.; Pierce, James G.; Spencer, Tim; Alexander, Charles B.; Gordon, Dale E.; Keen, Robert H.<br>

Create
· HTML Editor: Thunderbird
· Text Based Editor

TAGS
· http://REPLACEWITHHOST/REPLACEWITHID/
· href="mobile.html"
· href=""
· img src="opening.jpg"


Database: Tables

attack
+-------------+---------------------------------------+
| Field       | Type                                  |
+-------------+---------------------------------------+
| aid         | int(10) unsigned                      |
| attack_type | enum('lup','test','whole','clickers') |
| started     | datetime                              |
| ended       | datetime                              |
| first_view  | datetime                              |
| last_view   | datetime                              |
| first_click | datetime                              |
| last_click  | datetime                              |
| sent_user   | varchar(50)                           |
| sent_host   | varchar(50)                           |
| subject     | varchar(50)                           |
| body        | mediumtext                            |
| sent_count  | int(5) unsigned                       |
| click_count | int(5) unsigned                       |
| name        | varchar(15)                           |
+-------------+---------------------------------------+


Database: Tables (2)

victims
+------------+-------------+
| Field      | Type        |
+------------+-------------+
| username   | varchar(25) |
| dcso       | varchar(25) |
| last_name  | varchar(50) |
| first_name | varchar(50) |
| user_phone | varchar(12) |
+------------+-------------+

Sample row: username gerberjj, dcso arwoodpc, last_name Gerber, first_name J J (John), user_phone 865-574-9756


Database: Tables (3)

victim_pool
+----------+------------------+
| Field    | Type             |
+----------+------------------+
| uid      | varchar(25)      |
| aid      | int(10) unsigned |
| username | varchar(25)      |
| added    | datetime         |
+----------+------------------+

Sample row: uid ibYyK1x8lstu1KseMrkpdJaHv, aid 14, username gerberjj, added 2009-03-24 10:32:30


Database: Tables (4)

session
+--------------+------------------+
| Field        | Type             |
+--------------+------------------+
| uid          | varchar(25)      |
| sent         | datetime         |
| viewed_time  | datetime         |
| viewed_log   | varchar(255)     |
| clicked_time | datetime         |
| clicked_log  | varchar(255)     |
| ip           | varchar(50)      |
| email_sent   | enum('yes','no') |
+--------------+------------------+

Sample row: uid ibYyK1x8lstu1KseMrkpdJaHv, sent 2009-03-24 13:45:57, viewed_time NULL, viewed_log NULL, clicked_time 2009-03-25 10:36:04, ip user123.ornl.gov, email_sent no, clicked_log:
user123.ornl.gov - - [25/Mar/2009:10:36:04 -0400] "GET /photo/ibYyK1x8lstu1KseMrkpdJaHv/showalbulm.pl?albulm=new HTTP/1.1" 200 2577 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.19) Gecko/20081204 SeaMonkey/1.1.14"


Sample Initial Setup

[hilarious]# ls -1
clickers_pool.txt
lup_pool.txt
phish.conf
received_pool.txt
template.html
test_pool.txt
whole_pool.txt

File contents shown as callouts on the slide:

No File

gerberjj@ornl.gov
arwoodpc@ornl.gov
goffy@ornl.gov
duckd@ornl.gov
mousem@ornl.gov

00007 GERBERJJ@ORNL.GOV "Gerber, John J" 12312312
00009 PIKEC@ORNL.GOV "Pike, Christopher" 23123123
00010 COLTJM@ORNL.GOV "Colt, J M" 23123123
00011 BOYCEP@ORNL.GOV "Boyce, Phillip" 23123123
00012 TYLEYJ@ORNL.GOV "Tyler, Jose" 23123123

phish.conf:
TEMPLATE::test::template.html
TEMPLATE::whole::template.html
TEMPLATE::lup::template.html
TEMPLATE::clickers::template.html
SENDER::test::Jennifer_James@upostfun.com
SENDER::whole::Jennifer_James@upostfun.com
SENDER::lup::Jen_James@upostfun.com
SENDER::clickers::jennifer_james@upostfun.com
SUBJECT::test::FWD: FWD: FWD: Hilarious
SUBJECT::whole::FWD: FWD: FWD: Hilarious
SUBJECT::lup::FWD: FWD: FWD: That is Hilarious
SUBJECT::clickers::FWD: FWD: FWD: This is Hilarious
WEB_HOST::test::www.upostfun.com
WEB_HOST::whole::www.upostfun.com
WEB_HOST::lup::www.upostfun.com
WEB_HOST::clickers::www.upostfun.com
EMAIL_FILE::test::test_pool.txt
EMAIL_FILE::whole::whole_pool.txt
EMAIL_FILE::lup::lup_pool.txt
EMAIL_FILE::clickers::clickers_pool.txt
REMOVE_EMAIL_FILE::whole::received_pool.txt
EMAIL_NUM::test::999
EMAIL_NUM::whole::550
EMAIL_NUM::lup::999
EMAIL_NUM::clickers::999

No File

kirckjt@ornl.gov
mccoylb@ornl.gov
suluh@ornl.gov
chekov@ornl.gov

template.html:
<html><head> <title>FWD: FWD: FWD: Hilarious</title></head>
<body bgcolor="#ffffff" text="#000000">
<big><big>Check it out!</big></big><br>
<p class="MsoNormal" style="margin-bottom: 12pt;"><b><span style="font-size: 11pt; font-family: &quot;Tahoma&quot;,&quot;sans-serif&quot;;"><br>From:</span></b><span style="font-size: 11pt; font-family: &quot;Tahoma&quot;,&quot;sans-serif&quot;;">Castle, Frank &nbsp;<br>
<b>Sent:</b> Tuesday, March 17, 2009 9:50 AM<br>
<b>To:</b> Barton, Clint; Smith, Travis N.; Jones, Cora M.; James, Jennifer; Redman, Doug S.; Schrof, Tina; Tillman, Edward E.; Van Dyke, Richard L.; Farner Mark K.; Jamison, Hollie; Stewart, Greg; Young, Justin M.; Pierce, James G.; Spencer, Tim; Alexander, Charles B.; Gordon, Dale E.; Keen, Robert H.<br>
<b>Subject:</b> FWD: FWD: Hilarious

gerberjj
arwoodpc

UID PRIM TYPE PRO_DT UID_DT EMPSTAT UIDSTAT
JLP Y NON 9/8/2005 14:18 9/8/2005 15:09 ACT ACT
WTR Y NON 10/26/2004 2:00 9/14/2005 15:21 ACT ACT
GLF Y NON 3/15/2005 2:00 8/31/2007 14:04 ACT ACT
DKP Y NON 7/18/2005 15:03 7/19/2005 15:52 ACT ACT


Program: prepare.pl
Run: prepare.pl <attack_name>

#!/usr/local/bin/perl -w
use DBI;
use POSIX qw(strftime);

BEGIN { push @INC, "/home/ger/projects/phish/perl" }
use ornl_phish qw($db_host $db $mysql_user $mysql_passwd logit runcommand mailit generate_html user_exist check_attack_type read_config find_attack_name);

sub update_received {
    my ($datafile, $rm_min_date, $dbh) = @_;
    $error = "";
    my %user_list;    # Make sure we add back only unique ids (no duplicates)

    if ( -e $datafile ) {
        my $results = "";    # Pull out the content of previous clickers
        $/ = "\n";
        open(INFILE, $datafile) || ( $error = "ERROR: Problem opening file $datafile: $!\n" );

Results:
· *.orig - the original files.
· *_pool.txt - these are the updated files which the system will use in the next step. Make sure they look correct.
· received_pool.txt - this file will be updated with unique values that previously existed and data from the database of those who received email under a "whole" attack.
· sample_*.html - sample emails. Check them out and make sure they look appropriate. Open the file in a browser and confirm there are no format problems.
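The prepare step reads phish.conf (one KEY::attack_type::value per line) and rewrites the pool files before anything is sent. The following is an added example, not the talk's prepare.pl: it parses that format, checks each configured attack type for the keys the sample configuration uses, and builds one type's recipient pool the way the slides describe (EMAIL_FILE minus REMOVE_EMAIL_FILE and an exempt list, duplicates dropped, capped at EMAIL_NUM). File contents are passed in as an in-memory dict instead of being read from the attack directory, and the addresses are constructed sample data.

```python
from typing import Dict, Iterable, List

ATTACK_TYPES = ("test", "whole", "lup", "clickers")   # enum values of attack.attack_type
REQUIRED_KEYS = ("TEMPLATE", "SENDER", "SUBJECT", "WEB_HOST", "EMAIL_FILE", "EMAIL_NUM")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse KEY::attack_type::value lines into {attack_type: {KEY: value}}."""
    conf: Dict[str, Dict[str, str]] = {t: {} for t in ATTACK_TYPES}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("::", 2)        # the value may itself contain "::"
        if len(parts) != 3:
            raise ValueError(f"phish.conf line {lineno}: expected KEY::type::value, got {raw!r}")
        key, atype, value = parts
        if atype not in ATTACK_TYPES:
            raise ValueError(f"phish.conf line {lineno}: unknown attack type {atype!r}")
        if key in conf[atype]:
            raise ValueError(f"phish.conf line {lineno}: duplicate {key} for {atype}")
        conf[atype][key] = value
    return conf


def validate(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable problems; an empty list means the run can proceed."""
    problems = []
    for atype, keys in conf.items():
        if not keys:
            continue                        # this exercise does not use that type
        for k in REQUIRED_KEYS:
            if k not in keys:
                problems.append(f"{atype}: missing {k}")
        if not keys.get("EMAIL_NUM", "").isdigit():
            problems.append(f"{atype}: EMAIL_NUM must be a positive integer")
    return problems


def build_pool(conf: Dict[str, Dict[str, str]], atype: str,
               files: Dict[str, str], exempt: Iterable[str] = ()) -> List[str]:
    """Recipients for one run: EMAIL_FILE minus REMOVE_EMAIL_FILE (if configured) and the
    exempt list, de-duplicated case-insensitively, capped at EMAIL_NUM.
    `files` maps a file name to its text and stands in for the attack directory."""
    settings = conf[atype]

    def addresses(name: str) -> List[str]:
        return [a.strip().lower() for a in files.get(name, "").splitlines() if a.strip()]

    remove = {a.lower() for a in exempt}
    if "REMOVE_EMAIL_FILE" in settings:
        remove.update(addresses(settings["REMOVE_EMAIL_FILE"]))
    pool: List[str] = []
    for addr in addresses(settings["EMAIL_FILE"]):
        if addr not in remove and addr not in pool:
            pool.append(addr)
    return pool[: int(settings["EMAIL_NUM"])]


# Constructed sample input, modelled on the slides' phish.conf and pool files.
SAMPLE_CONF = """\
TEMPLATE::whole::template.html
SENDER::whole::Jennifer_James@upostfun.com
SUBJECT::whole::FWD: FWD: FWD: Hilarious
WEB_HOST::whole::www.upostfun.com
EMAIL_FILE::whole::whole_pool.txt
REMOVE_EMAIL_FILE::whole::received_pool.txt
EMAIL_NUM::whole::550
TEMPLATE::test::template.html
SENDER::test::Jennifer_James@upostfun.com
SUBJECT::test::FWD: FWD: FWD: Hilarious
WEB_HOST::test::www.upostfun.com
EMAIL_FILE::test::test_pool.txt
EMAIL_NUM::test::999
"""
SAMPLE_FILES = {
    "whole_pool.txt": "gerberjj@ornl.gov\narwoodpc@ornl.gov\ngoffy@ornl.gov\nduckd@ornl.gov\n"
                      "mousem@ornl.gov\nGERBERJJ@ORNL.GOV\nkirckjt@ornl.gov\n",
    "received_pool.txt": "kirckjt@ornl.gov\nmccoylb@ornl.gov\n",
    "test_pool.txt": "arwoodpc@ornl.gov\ngerberjj@ornl.gov\n",
}
CONF = parse_conf(SAMPLE_CONF)
PROBLEMS = validate(CONF)
WHOLE_POOL = build_pool(CONF, "whole", SAMPLE_FILES, exempt=["arwoodpc@ornl.gov"])
TEST_POOL = build_pool(CONF, "test", SAMPLE_FILES)
```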


Results: prepare.pl

[hilarious]# ls -1
phish.conf
received_pool.txt
sample_test.html
template.html
test_pool.txt
test_pool.txt.orig

File: received_pool.txt
user1@ornl.gov
user2@ornl.gov
user3@ornl.gov
user4@ornl.gov
user5@ornl.gov

File: sample_text.html
<html><head><title>FWD: FWD: FWD: Hilarious</title>
</head><body bgcolor="#ffffff" text="#000000">
This is hilarious, check it out!<br>
<br>
<a href="http://upostfun.com/hilarious/0123456789/">http://upostfun.com/hilarious/0123456789/2009/04/11/</a><br>

File: test_pool.txt
arwoodpc@ornl.gov
gerberjj@ornl.gov


View sample_text.html: use your favorite browser to pull up sample_text.html.


Inform and Authorize

• CIO Authorization

• Helpdesk

• Mail Administrator

• DNS Administrator


Program: go_phishing.pl
Run: go_phishing.pl

#!/usr/local/bin/perl -w
# Perl Modules #
use DBI;
use POSIX qw(strftime);

BEGIN { push @INC, "/home/ger/projects/phish/perl" }
use ornl_phish qw($db_host $db $mysql_user $mysql_passwd logit runcommand mailit generate_html user_exist check_attack_type read_config find_attack_name);

sub modify_apache {
    my ($apache_conf, $apache_temp, $attack_name, $logfile) = @_;
    my $error = "";
    local ($datetime) = strftime("%Y%m%d%H%M%S", localtime);

    undef $/;
    open(INFILE, $apache_temp) || ( $error = "ERROR: Problem opening file $apache_temp: $!\n" );

    if ($error eq "") {
        my $conf_body = <INFILE>;
        $conf_body =~ s/RewriteEngine On.*/RewriteEngine On/s;
        my $rc = &runcommand($logfile, "/bin/cp", "$apache_conf/httpd.conf", "$apache_conf/httpd.conf.$datetime");

· Emails are sent.
· A 30 minute break between groups.
· Web areas created.
  – images
  – web page people see when they click
  – report web area created to watch the progress
· Modify httpd.conf, clear logs, restart server.

Results

Uses: /usr/bin/nc -vv smtpserver.ornl.gov 25

2009-04-29 19:10:28 INFO: Started.

Sending email to gerberjj

smtpserver.ornl.gov [160.91.4.118] 25 (smtp) open

220 mailserver.ornl.gov -- Server ESMTP (PMDF V6.4#31561)

251 mailserver.ornl.gov system name not given in HELO command, phishingphil.ornl.gov [160.91.218.210].

250 2.5.0 Address Ok.

250 2.1.5 gerberjj@ornl.gov OK.

354 Enter mail, end with a single ".".

250 2.5.0 Ok.

221 2.3.0 Bye received. Goodbye.

sent 4340, rcvd 301


Modifications to httpd.conf

RewriteEngine On

RewriteRule ^/hilarious$ /usr/local/apache/htdocs/hilarious/index.html [L]

RewriteRule ^/hilarious/images/[^/]+/(.*)$ /work/software/apache/htdocs/hilarious/images/$1 [L]

RewriteRule ^/hilarious/[^/]+/(.*)$ /work/software/apache/htdocs/hilarious/index.html [L]

RewriteRule ^/hilarious/(.*)$ /work/software/apache/htdocs/hilarious/index.html [L]
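The rewrite rules above send /<attack>/images/<id>/... to the tracking images and every other /<attack>/<id>/... request to the gotcha page, so the Apache access log is where the session table's viewed and clicked times come from. The following is an added example, not the talk's own code: it parses combined-format log lines, fills per-recipient sessions keyed by the victim_pool token, and computes the rows of the result summary (total clickers, click rate, first click, response time to security, clicks before the first report). Apart from the one token and log line shown on the session-table slide, the tokens, log lines, send time and report time are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Apache combined log format, as in the clicked_log value on the session-table slide.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
# URL layout from the httpd.conf slide: /<attack>/images/<uid>/... is the image pulled when
# the mail is rendered (a "view"); any other /<attack>/<uid>/... request is a click on the
# link. Test the image pattern first, or the click pattern matches it with uid == "images".
VIEW_RE = re.compile(r"^/(?P<attack>[^/]+)/images/(?P<uid>[^/]+)/")
CLICK_RE = re.compile(r"^/(?P<attack>[^/]+)/(?P<uid>[^/]+)/")

@dataclass
class Session:  # one row of the talk's session table
    username: str
    viewed_time: Optional[datetime] = None
    clicked_time: Optional[datetime] = None
    clicked_log: str = ""
    ip: str = ""

def parse_log_time(s: str) -> datetime:
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")

def process_log(lines: Iterable[str], victim_pool: Dict[str, str], attack: str) -> Dict[str, Session]:
    """victim_pool maps uid -> username (the victim_pool table). Keeps the earliest view and
    click per uid; unknown tokens, other paths and malformed lines are ignored."""
    sessions: Dict[str, Session] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        view = VIEW_RE.match(m.group("path"))
        hit = view or CLICK_RE.match(m.group("path"))
        if not hit or hit.group("attack") != attack or hit.group("uid") not in victim_pool:
            continue  # unrelated traffic, or a token that was never sent to anyone
        uid = hit.group("uid")
        s = sessions.setdefault(uid, Session(username=victim_pool[uid]))
        t = parse_log_time(m.group("time"))
        if view:
            if s.viewed_time is None or t < s.viewed_time:
                s.viewed_time = t
        elif s.clicked_time is None or t < s.clicked_time:
            s.clicked_time, s.clicked_log, s.ip = t, line, m.group("host")
    return sessions

def summarize(sessions: Dict[str, Session], sent_count: int,
              started: datetime, reports: List[datetime]) -> dict:
    """Rows of the 'Result summary' table. `reports` are the times recipients notified
    security (email, phone, spam folder); response time runs from send to the first one."""
    clickers = [s for s in sessions.values() if s.clicked_time is not None]
    first_report = min(reports) if reports else None
    return {
        "total_clickers": len(clickers),
        "click_rate_pct": round(100.0 * len(clickers) / sent_count, 1) if sent_count else 0.0,
        "first_click": min((s.clicked_time for s in clickers), default=None),
        "response_to_security_minutes": (first_report - started) / timedelta(minutes=1) if first_report else None,
        "clicked_before_response": sum(1 for s in clickers if first_report is None or s.clicked_time < first_report),
        "who_clicked": sorted(s.username for s in clickers),
    }

# Constructed sample data; the second log line is the one shown on the session-table slide.
EDT = timezone(timedelta(hours=-4))
VICTIM_POOL = {"ibYyK1x8lstu1KseMrkpdJaHv": "gerberjj", "constructedUid2": "arwoodpc", "constructedUid3": "goffy"}
UA = '"-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.19) Gecko/20081204 SeaMonkey/1.1.14"'
SAMPLE_LOG = [
    f'user123.ornl.gov - - [25/Mar/2009:10:30:12 -0400] "GET /photo/images/ibYyK1x8lstu1KseMrkpdJaHv/opening.jpg HTTP/1.1" 200 8123 {UA}',
    f'user123.ornl.gov - - [25/Mar/2009:10:36:04 -0400] "GET /photo/ibYyK1x8lstu1KseMrkpdJaHv/showalbulm.pl?albulm=new HTTP/1.1" 200 2577 {UA}',
    f'user456.ornl.gov - - [25/Mar/2009:10:40:10 -0400] "GET /photo/constructedUid2/showalbulm.pl?albulm=new HTTP/1.1" 200 2577 {UA}',
    f'user123.ornl.gov - - [25/Mar/2009:10:50:00 -0400] "GET /photo/ibYyK1x8lstu1KseMrkpdJaHv/ HTTP/1.1" 200 2577 {UA}',  # repeat click
    f'scanner.example - - [25/Mar/2009:10:41:00 -0400] "GET /photo/notARealToken/ HTTP/1.1" 200 2577 {UA}',  # unknown token
    f'user789.ornl.gov - - [25/Mar/2009:10:42:00 -0400] "GET /index.html HTTP/1.1" 200 100 {UA}',  # other traffic
    "a line that is not in combined log format",
]
SESSIONS = process_log(SAMPLE_LOG, VICTIM_POOL, attack="photo")
SUMMARY = summarize(SESSIONS, sent_count=5, started=datetime(2009, 3, 25, 10, 25, tzinfo=EDT),
                    reports=[datetime(2009, 3, 25, 10, 38, tzinfo=EDT)])
```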


Monitoring the Results: Summary


Future

• Request Tracker

• Additional Reports for Management

• Possibly Front End
  – Easier: Is that a good or bad thing?
  – HTML editor interface
  – Grab required information from ORNL DBs
  – Schedule


Final Words

Thank you for the opportunity to discuss our phishing awareness work.

Philip Arwood, arwoodpc@ornl.gov
John Gerber, gerberjj@ornl.gov

Source: http://SecurityCartoon.com
Source: http://wombatsecurity.com/antiphishingphilz
Source: http://education.apwg.org/r/en


Other ORNL Presentations of Interest

SharePoint
• Monday, 11:45 - Using SharePoint UI to Deliver General Use Applications, Connie Begovich
• Tuesday, 11:45 - SharePoint at ORNL, Brett Ellis

Cyber Security
• Monday, 1:30 - Development of a Process for Phishing Awareness Activities, Philip Arwood & John Gerber
• Monday, 2:15 - How I Learned to Embrace the Chaos, Mark Lorenc
• Monday, 4:15 - TOTEM: The ORNL Threat Evaluation Method, John Gerber & Mark Floyd

Desktop Management
• Monday, 4:15 - On the Fly Management of UNIX Hosts using CFEngine, Ryan Adamson
• Tuesday, 11:00 - Implementation of Least User Privileges, Doug Smelcer
• Wednesday, 11:45 - Microsoft Deployment Using MDT and SCCM, Chad Deguira

Incident Management
• Wednesday, 11:00 - Helpdesk Operations for Clients Without Admin Privileges, Bob Beane & Tim Guilliams

IT Modernization
• Monday, 2:15 - 12 Months of Technology, Lara James