Post on 26-Sep-2020


© 2017 Agari. All rights reserved. Confidential and Proprietary.

The Rising Threat of Email Based Attacks, and How To Counter It

October 9, 2017

Markus Jakobsson


The last fifteen years in one minute

Email Identity Deception, circa 2004

Look for misspellings. Look for poor grammar.
Is it not addressed to you? Does it look unprofessional?

Email Identity Deception, 2016

Hi John
CHANGE PASSWORD
Slick logos

The circa-2004 checklist, held against the 2016 message:
Look for misspellings. Look for poor grammar.
Is it not addressed to you? Does it look unprofessional?

Cyrillic o

Spoofed partially protected subdomain

The amount of email in one minute

Wanted email: ~60 million
Scattershot attacks: ~3000
Targeted enterprise attacks: ~55

2370% increase 2015-2016 (FBI/IC3)

Trend: increasing sophistication

greed, more targeting, improved psychology, better design competence, and a confluence of attack tools / capabilities

$5Bn

“Social Phishing”, Jagatic et al.
Yield of generic attack: 16%
Yield of targeted attack: 73%

Incoming eFax: Elections Outcome Could Be revised [Facts of Elections Fraud]
Taylor Fax <securefaxsolutions@gmail.com>
PIN CODE: 3209

PhishMe 2016 Enterprise Phishing Susceptibility and Resiliency Report: 20.2%

Things can (and will) get worse

Why do people look in their spam folders?

your spam filter is not tuned correctly
look for a message sent by Google
If the message is in your spam folder
Make sure to review the alert first

From: spam.notification@googlemail.com

Chart: Inbox vs. Spam folder (quarantine); axis ~0%, ~10%, ~20%

trust transfer trick
(For more details, look for my upcoming paper with Hossein Siadati, Toan Nguyen, Nasir Memon)

How attackers can turn services into opportunity

There’s no account associated with this email.
You may need to check your Junk or Spam folder.

Compromise@paypal.alert1822.com
Att_Update <att-services.2072668872@emailff-att-mail.com>
Click here

just another trust transfer trick

Another way attackers can use your knowledge against you

Did you know this?

bank checks can bounce
wires cannot bounce

Attacker does:                        Victim thinks:
Ask victim for wire information       I will receive money
Drop fake check in night deposit      Money was wired

To sum it up: You may think you were paid. Maybe you were not.

Account Take Over on the rise

corrupt → collect + launch → monetize

Understand, then solve

First understand the problem – then solve it

Classification:
  Fraud: URL, Attachment, Social Engineering / Con
  Legitimate Email
  Unsolicited Email: Grey Mail, SPAM
  Targeted / Scattershot
Sender: Impostor (Spoof, Look-alike Domain, Display Name Deception, Account Compromise) / Authentic (Account Owner)
Source: Internal / External
Destination: Internal / External (Stranger, Trusted party, Employee webmail)
Objective: Monetary, Data/Credential Theft, Denial of Service

Impostor share by sender type: Spoof 6%, Look-alike Domain 10%, Display Name Deception 84%, Compromised Sender: puny but exploding

Addressing deceptive display names

1. List of trusted parties. “Bo Bigboss <bb@yourcompany.com>”
2. Incoming email. “Bo BigBoss <joe123@aol.com>”
3. High risk? Warn-and-deliver! “Stranger Danger! <joe123@aol.com>”
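The three steps above as an added Python example; it is not code from the slides or from Agari. The trusted-party list, the classify_from function and the "Stranger Danger!" rewrite are the example's own assumptions modelled on the slide text.

```python
import unicodedata
from email.utils import formataddr, parseaddr

# Step 1: the list of trusted parties, as From-style strings (constructed sample data).
TRUSTED_PARTIES = ["Bo Bigboss <bb@yourcompany.com>"]


def normalize_name(name: str) -> str:
    """Fold a display name so that 'Bo BigBoss' and 'Bo Bigboss' compare equal:
    NFKC-normalize (folds fullwidth and compatibility forms; it does NOT fold
    cross-script confusables such as a Cyrillic o), casefold, collapse spaces."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def classify_from(from_header: str) -> tuple:
    """Steps 2 and 3: return (risk, From header to deliver).

    risk is 'trusted' (address is on the list), 'high' (display name matches a
    trusted party but the address does not: warn-and-deliver with the display
    name replaced) or 'low' (neither matches: deliver unchanged)."""
    name, addr = parseaddr(from_header)
    trusted = [parseaddr(p) for p in TRUSTED_PARTIES]
    trusted_addrs = {a.casefold() for _, a in trusted}
    trusted_names = {normalize_name(n) for n, _ in trusted}

    if addr.casefold() in trusted_addrs:
        return "trusted", formataddr((name, addr))
    if normalize_name(name) in trusted_names:
        # Step 3: high risk, so rewrite the deceptive display name before delivery
        return "high", formataddr(("Stranger Danger!", addr))
    return "low", formataddr((name, addr))
```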

Addressing compromised accounts

Sender: Impostor (Spoof, Look-alike Domain, Display Name Deception, Account Compromise) / Authentic (Account Owner)

Origin: Compromised device (local script) | Compromised credentials | Compromised API access (OAuth)
Easiest for the attackers  <---------------------------------->  Easiest for the defenders

SMS to associated phone number
Proprietary

but filtering is not everything

Our view                                   Attacker’s view
Filtering? keeps us safe                   Filtering? press pedal harder!
Malicious emails sent:                     Malicious emails sent:
  risk: loss/threat                          opportunity: money
  opportunity: intelligence

(Look out for upcoming papers, one of which is with Hossein Siadati and Yifan Tian)


Want to talk?

mjakobsson@agari.com