InfoSec Research and Outreach: Anti-Phishing · 2019-12-04 (transcript of a 36-slide deck)

Page 1: InfoSec Research and Outreach: Anti-Phishing (2019-12-04)
• Empirically test anti-phishing detection/reporting systems
• Empirically test criminals' evasion techniques

Page 2: PayPal, a digital payments leader

Launched in 1999 · 295 million active accounts · Available in 200+ markets · 100+ currencies

PayPal is at the forefront of the digital payment revolution. By leveraging technology to make financial services more convenient, affordable, and secure, the PayPal platform is empowering 295 million people and businesses in more than 200 countries to join and thrive in the global economy.

© 2019 PayPal Inc. Confidential and proprietary.

Page 3: An unrivaled two-sided platform

CONSUMERS
• Provide solutions to help people manage and move money
• Offer credit services that are accessible and cost effective
• Facilitate simple, secure payments across devices
• Deliver flexibility with payment options globally, across platforms and merchants

MERCHANTS
• Power all aspects of digital checkout online, on mobile and in store
• Provide seamless credit solutions to enable growth
• Help identify fraud and improve risk management
• Offer tools and insights to attract new customers and increase sales

Designed to drive growth and differentiate us from our competitors

Page 4: Unique perspectives on the evolving Information Security landscape

• Data Protection
• Global Expanding Risks
• Profitable Cybercrime

Continual adaptation is critical to meeting the scale and pace of change

Page 5: Phishing continues to top the list of attack vectors

Leading the pack

Source: https://smallbiztrends.com/2019/07/phishing-statistics.html

Page 6: Current Phishing Trends

• Advanced phishing kits harvest more than just account credentials:
  • Full identity
  • Credit cards
  • Bank details
  • ID documents
• Heavy use of redirection links (bit.ly, tinyurl.com, etc.)
  • Makes detection of phishing e-mails more difficult: the URL in the message is the shortener's, not the phishing host's
  • Attackers can change the landing page retroactively to bypass mitigations, since the short link is re-pointed rather than the e-mail re-sent
• Attackers exploit gaps in the response time and detection capabilities of browser blacklists

Img src: QuickHeal Security

Page 7: Primary Detection Methodology

[Pipeline diagram, flattened in the transcript]
Inputs: Reported [email protected] (abuse-mailbox address obfuscated in the source), External intelligence, Internal data sources
  → Phishing URLs
  → Automated Review (all threats) → Blacklists / AV vendors, Takedown
  → Manual Review (priority threats)
  → Research & Investigation (sophisticated threats)

Page 8: General Anti-phishing Mitigations

• Malicious URL blacklisting (Google Safe Browsing, Microsoft SmartScreen, enterprise AV vendors)
  • Report URLs to the ecosystem
• Malicious infrastructure takedown
  • Contact web hosts, domain registrars, or site owners
• Account flagging
  • Use threat intelligence to secure potentially-phished accounts before damage happens
• Credential flagging
  • Secure affected accounts once credentials are exposed on the dark net
• Criminal investigations
• User awareness

Page 9: Sophisticated Phishing Site Example

Page 10: Modern Phishing Sites Copy Full Homepage

Page 11: Example Flow

Fake transaction confirmation with dispute link: hxxps://kapsadokyatatil.com/aserdoun.php (differs from the landing page)

Pages 12–20: Example Flow (continued; image-only slides)

Page 21: Advanced Phishing Kits

• Language and questions automatically change based on the user's location / browser settings
• At the end of the flow, the user is shown a success message to eliminate suspicion
• Victims are often redirected to PayPal.com's anti-phishing resource pages

Source: https://research.checkpoint.com/a-phishing-kit-investigative-report/

Page 22: Ecosystem Outreach

Page 23: Anti-Phishing Ecosystem Vulnerabilities

• Google Safe Browsing susceptible to evasion
  • Phishing kits commonly include IP filters which redirect non-victims (i.e. crawlers) to benign sites
  • Lag time of up to 2 hours before blacklisting occurs
  • Mobile browsers still do not receive the full phishing blacklist
  • Re-exploitable infrastructure / bulletproof hosting effectively defeats blacklisting
• Lack of protocols to provide the ecosystem with actionable evidence when automated detection fails
• Limited controls and reporting for SMS / phone phishing
• Takedowns are slow
  • Cooperation of web hosts / ISPs required
  • Grace period exploited by criminals
• Free SSL certificates are easy to obtain
  • No checking for blacklisted domains (Let's Encrypt)
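The two evasion mechanisms on this slide and on page 6, a shortener in front of the kit and an IP/user-agent filter inside it, are easy to reproduce offline. The example below is added here and is not PayPal's, PhishFarm's, or any kit's code: it models the kit's gatekeeper as a function, follows the redirect chain the way a verifier must, and fetches from two vantage points so that a differing landing page flags cloaking. All hosts, addresses (RFC 5737 documentation ranges) and blocklist patterns are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# --- Constructed model of a phishing kit's "IP filter" (the behaviour the slide describes) ---
# The kit bounces anyone who looks like a crawler or a security vendor to a benign page and
# shows the credential form only to likely victims. Ranges and UA patterns are illustrative.
KIT_BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
KIT_BOT_UA = re.compile(r"googlebot|bingbot|phishtank|curl|python-requests|wget", re.I)
DECOY = "https://decoy.example/"                 # benign page shown to non-victims
KIT_URL = "https://phish.example/aserdoun.php"   # constructed kit location


@dataclass
class Response:
    status: int
    location: Optional[str] = None   # set on 3xx
    body: str = ""


def kit_gatekeeper(client_ip: str, user_agent: str) -> Response:
    """Cloaking decision as a kit would make it (modelled here, not real kit code)."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in KIT_BLOCKED_NETS) or KIT_BOT_UA.search(user_agent):
        return Response(302, location=DECOY)
    return Response(200, body="<form method='post' action='login.php'>Log in to PayPal</form>")


# Constructed offline "internet": URL -> handler(client_ip, user_agent).
# A shortener link hides the kit URL, as the redirection-link bullet on page 6 describes.
SITES: Dict[str, Callable[[str, str], Response]] = {
    "https://short.example/abc123": lambda ip, ua: Response(302, location=KIT_URL),
    KIT_URL: kit_gatekeeper,
    DECOY: lambda ip, ua: Response(200, body="<h1>Nothing to see here</h1>"),
}


def fetch_chain(url: str, client_ip: str, user_agent: str,
                max_hops: int = 10) -> Tuple[List[str], Response]:
    """Follow redirects, recording every hop, so the final landing page is what gets judged."""
    chain = [url]
    for _ in range(max_hops):
        handler = SITES.get(url)
        if handler is None:
            return chain, Response(404)
        resp = handler(client_ip, user_agent)
        if resp.status in (301, 302, 303, 307, 308) and resp.location:
            url = resp.location
            chain.append(url)
            continue
        return chain, resp
    raise RuntimeError("too many redirects: " + " -> ".join(chain))


# Vantage points a verifier should use: a datacenter crawler AND something that looks like a
# real victim (residential-style address, mobile browser UA). Addresses are constructed.
VANTAGE_POINTS = {
    "datacenter_crawler": ("203.0.113.5", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
    "residential_mobile": ("192.0.2.77",
                           "Mozilla/5.0 (iPhone; CPU iPhone OS 13_2 like Mac OS X) Mobile/15E148 Safari/604.1"),
}


def verify_url(url: str) -> dict:
    """Fetch from every vantage point; differing landing pages => cloaking suspected."""
    per_vantage = {}
    for name, (ip, ua) in VANTAGE_POINTS.items():
        chain, resp = fetch_chain(url, ip, ua)
        per_vantage[name] = {
            "landing": chain[-1],
            "status": resp.status,
            "credential_form": "<form" in resp.body.lower(),
        }
    landings = {v["landing"] for v in per_vantage.values()}
    return {
        "vantage": per_vantage,
        "cloaking_suspected": len(landings) > 1,
        "phish_confirmed": any(v["credential_form"] for v in per_vantage.values()),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(verify_url("https://short.example/abc123"), indent=2))
```

A single fetch from the datacenter crawler reports the decoy and would close the ticket as benign; the residential/mobile vantage point is what exposes the credential form. The harness also records the full chain, so the shortener's destination can be re-checked later, which matters because operators re-point the link after the e-mail has been sent.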

Page 24: Ecosystem Security Innovation: Phishing – DMARC

DMARC prevents this type of attack (exact-domain spoofing of the From: header; it does not stop look-alike or unrelated domains):

1. Sender Policy Framework (SPF): publish which servers are authorized to send email for the domain
2. DomainKeys Identified Mail (DKIM): digitally sign all outgoing email
3. DMARC policy published: request that receivers verify all email purporting to be from PayPal and reject what fails

[Diagram elements: Sender; Spoof; Mailbox Provider (DMARC Policy Enforcement); End User; DMARC Reports; Support Services & Tools (Analytics, Alerting, Auditing, etc.); Actionable Intelligence]

PayPal
• Authenticating all email sent by or on behalf of PayPal (RFC 7489)
• Operationalized for customers and employees
• DMARC had rejected over 275,000 messages in only 15 days
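As an added illustration (not PayPal's or any mail provider's implementation), the evaluation a receiving mailbox provider performs once the three pieces above are in place. It takes the SPF and DKIM results already computed for a message and applies the DMARC alignment and policy rules from RFC 7489. The DMARC records, the .example domains and the message scenarios are constructed, and org_domain is a two-label simplification of the Public Suffix List lookup.

```python
from typing import Dict, Tuple

# Constructed DMARC records, as they would be published at _dmarc.<domain> TXT.
# Illustrative .example domains, not PayPal's real records.
DMARC_RECORDS = {
    "paypal.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc-rua@paypal.example",
    "newsletter.example": "v=DMARC1; p=none; rua=mailto:reports@newsletter.example",
}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; reject anything that is not DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: last two labels; a real implementation
    must consult the Public Suffix List (co.uk and friends need three)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def lookup_policy(from_domain: str) -> Tuple[Dict[str, str], str]:
    """Record for the From: domain, falling back to the org domain (RFC 7489 section 6.6.3)."""
    if from_domain in DMARC_RECORDS:
        return parse_dmarc(DMARC_RECORDS[from_domain]), from_domain
    org = org_domain(from_domain)
    if org in DMARC_RECORDS:
        return parse_dmarc(DMARC_RECORDS[org]), org
    raise LookupError("no DMARC record for " + from_domain)


def dmarc_evaluate(from_domain: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """Return the DMARC result and the disposition the receiver should apply.

    spf_domain is the envelope MAIL FROM domain that SPF checked; dkim_domain is the d=
    of the DKIM signature that verified. DMARC passes only if at least one of them
    passed AND is aligned with the RFC5322.From domain.
    """
    tags, record_domain = lookup_policy(from_domain)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none", "via": "spf" if spf_ok else "dkim"}
    # Subdomain policy applies when the record came from the org domain and From: is a subdomain.
    policy = tags.get("p", "none")
    if record_domain != from_domain and "sp" in tags:
        policy = tags["sp"]
    return {"result": "fail", "disposition": policy, "via": None}


if __name__ == "__main__":
    # Constructed scenarios: a legitimate DKIM-signed message, then a spoof whose SPF passes
    # for the attacker's own MAIL FROM domain but is not aligned with the From: header.
    print(dmarc_evaluate("paypal.example", "pass", "bounce.paypal.example", "pass", "paypal.example"))
    print(dmarc_evaluate("paypal.example", "pass", "attacker-mail.example", "none", ""))
```

The second scenario is the one DMARC was designed for: SPF passes, because the attacker's own MAIL FROM domain authorizes their server, but the passing identifier is not aligned with the From: domain, so the message is rejected. Evaluating a From: subdomain against a strict adkim policy shows why the alignment mode matters: a signature from the parent domain does not cover mail claiming to be from promo.paypal.example.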

Page 25: PP Research & Emerging Phishing Detection Methodologies

1. "PhishFarm"
  • Empirically test anti-phishing detection/reporting systems
  • Empirically test criminals' evasion techniques
  • Motivate improved phishing detection and performance at the ecosystem level (e.g. new standards)
  • Research collaboration with Arizona State University (ASU) and APWG (Anti-Phishing Working Group), published at IEEE S&P 2019

Page 26: Victim Traffic by Browser: mobile browsers still poorly mitigate phishing

[Bar chart: percentage of victim traffic (0–60%) before attack detection vs. after attack detection, per browser: Chrome, Mobile Chrome, Firefox, Safari, Mobile Safari, Samsung Browser, IE, Edge]

Page 27: PP Research & Emerging Phishing Detection Methodologies (continued)

1. "PhishFarm" (as on page 25)
2. "Golden Hour"
  • Leverage web events to identify phishing sites before and during deployment
  • Proactively identify affected customers before they realize they have fallen victim
  • High visibility into known attacks

Page 28: "Golden Hour" Methodology

[Diagram elements: PP JS/resource web events (on phishing sites); Event URLs; Phishing domains; Phishing victim traffic; Known PP phishing sites]
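The "PP JS/resource web events" in the diagram are the requests a cloned page makes back to the brand's real hosts for stylesheets, scripts and images. As an added example (not PayPal's Golden Hour implementation), the block below reads constructed web-server log lines for such asset requests, groups them by the third-party Referer host, treats hosts that pull several distinct assets as probable full-page clones, and keeps the requesting client addresses as the list of potential victims. Hostnames and addresses are constructed; FIRST_PARTY and MIN_DISTINCT_ASSETS are assumed values.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Combined-log-format lines from the brand's own static-asset host. Constructed sample;
# addresses are RFC 5737 documentation ranges, hostnames are .example.
SAMPLE_LOG = """\
198.51.100.10 - - [04/Dec/2019:10:00:01 +0000] "GET /css/main.css HTTP/1.1" 200 5120 "https://secure-paypa1-verify.example/signin.php" "Mozilla/5.0 (Linux; Android 9) Chrome/78 Mobile Safari/537.36"
198.51.100.10 - - [04/Dec/2019:10:00:01 +0000] "GET /js/app.js HTTP/1.1" 200 20480 "https://secure-paypa1-verify.example/signin.php" "Mozilla/5.0 (Linux; Android 9) Chrome/78 Mobile Safari/537.36"
198.51.100.10 - - [04/Dec/2019:10:00:02 +0000] "GET /images/logo.png HTTP/1.1" 200 3210 "https://secure-paypa1-verify.example/signin.php" "Mozilla/5.0 (Linux; Android 9) Chrome/78 Mobile Safari/537.36"
203.0.113.44 - - [04/Dec/2019:10:04:17 +0000] "GET /css/main.css HTTP/1.1" 200 5120 "https://secure-paypa1-verify.example/signin.php" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_2 like Mac OS X) Mobile/15E148 Safari/604.1"
192.0.2.9 - - [04/Dec/2019:10:05:00 +0000] "GET /images/logo.png HTTP/1.1" 200 3210 "https://blog.example/accepting-online-payments" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/70.0"
192.0.2.15 - - [04/Dec/2019:10:05:30 +0000] "GET /css/main.css HTTP/1.1" 200 5120 "https://www.paypal.example/signin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/78 Safari/537.36"
192.0.2.16 - - [04/Dec/2019:10:06:00 +0000] "GET /css/main.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/78 Safari/537.36"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hosts that may legitimately embed these assets: the brand's own sites (assumed names).
FIRST_PARTY = ("paypal.example", "paypalobjects.example")
# A whole-page clone pulls many distinct assets; a blog with one "we accept PayPal" badge does not.
MIN_DISTINCT_ASSETS = 3


def is_first_party(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)


def golden_hour(lines: Iterable[str]) -> Dict[str, dict]:
    """Group asset requests by third-party Referer host; flag hosts that behave like page clones."""
    seen = defaultdict(lambda: {"assets": set(), "pages": set(), "client_ips": set()})
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m or m["referer"] in ("", "-"):
            continue
        ref = urlsplit(m["referer"])
        host = (ref.hostname or "").lower()
        if not host or is_first_party(host):
            continue
        rec = seen[host]
        rec["assets"].add(m["path"])
        rec["pages"].add(ref.path)
        rec["client_ips"].add(m["ip"])   # the potential victims to contact / protect
    return {
        host: {
            "distinct_assets": len(r["assets"]),
            "pages": sorted(r["pages"]),
            "client_ips": sorted(r["client_ips"]),
            "suspect": len(r["assets"]) >= MIN_DISTINCT_ASSETS,
        }
        for host, r in seen.items()
    }


def suspect_hosts(lines: Iterable[str]) -> List[str]:
    return sorted(h for h, r in golden_hour(lines).items() if r["suspect"])


if __name__ == "__main__":
    for host, rec in golden_hour(SAMPLE_LOG.splitlines()).items():
        print(host, rec)
```

The single-asset blog.example hit is the expected false-positive class (a site embedding one "we accept PayPal" badge) and stays unflagged, while the clone becomes visible with its first victim's page load, before any blacklist has updated. Referer can be suppressed with a Referrer-Policy header, so a kit that strips it has to be caught by other signals.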

Page 29: PP Research & Emerging Phishing Detection Methodologies (continued)

1. "PhishFarm" (as on page 25)
2. "Golden Hour" (as on page 27)
3. "FuturePhish"
  • Leverage threat intelligence feeds to identify defaced websites
  • Use passive DNS to detect other hostnames associated with the defaced (malicious) infrastructure
  • Augment existing phishing URL feeds and expedite mitigation

Page 30: FuturePhish: at time of defacement

[Diagram: IP → Associated Domains (potentially malicious)]

Page 31: FuturePhish: 14 days later

[Diagram: IP → Associated Domains (potentially malicious) / Associated Domains (confirmed malicious)]

Page 32: FuturePhish

[Diagram: Associated Domains (predicted malicious)]

Use machine learning to predict which associated domains turn malicious
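As an added example of the passive DNS pivot on pages 29 to 32 (not FuturePhish's own code or its model), the block starts from a defaced host, resolves it against constructed passive-DNS observations, collects every other name that has pointed at the same address, and ranks them for review by how recently they first appeared and by impersonation keywords. The keyword heuristic stands in for the machine-learning model the slide mentions; the records, domains and thresholds are constructed.

```python
from datetime import date
from typing import List, Set

# Constructed passive-DNS observations in the usual provider shape
# (rrname, rrtype, rdata, first_seen, last_seen). Names and addresses are illustrative.
PDNS = [
    {"rrname": "defaced-shop.example", "rrtype": "A", "rdata": "198.51.100.23",
     "first_seen": date(2017, 5, 2), "last_seen": date(2019, 12, 4)},
    {"rrname": "paypal-secure-login.example", "rrtype": "A", "rdata": "198.51.100.23",
     "first_seen": date(2019, 12, 2), "last_seen": date(2019, 12, 4)},
    {"rrname": "account-update-verify.example", "rrtype": "A", "rdata": "198.51.100.23",
     "first_seen": date(2019, 11, 1), "last_seen": date(2019, 12, 4)},
    {"rrname": "old-bakery.example", "rrtype": "A", "rdata": "198.51.100.23",
     "first_seen": date(2014, 1, 9), "last_seen": date(2019, 12, 4)},
    {"rrname": "defaced-shop.example", "rrtype": "MX", "rdata": "mail.hoster.example",
     "first_seen": date(2017, 5, 2), "last_seen": date(2019, 12, 4)},
    {"rrname": "unrelated.example", "rrtype": "A", "rdata": "203.0.113.9",
     "first_seen": date(2019, 12, 1), "last_seen": date(2019, 12, 4)},
]

# Lexical cues that a hostname impersonates a login/account flow. An assumed heuristic standing
# in for the trained model the slide mentions; it is not that model.
SUSPICIOUS_TOKENS = ("paypal", "login", "signin", "secure", "account", "verify", "update", "billing")

# Shared-hosting / CDN addresses carry thousands of neighbours; pivoting through them is noise.
MAX_NEIGHBOURS = 100


def resolve(name: str) -> Set[str]:
    """A records the passive-DNS data has seen for a name."""
    return {r["rdata"] for r in PDNS if r["rrname"] == name and r["rrtype"] == "A"}


def cohosted(ip: str) -> List[dict]:
    """Every A record that has pointed at this address."""
    return [r for r in PDNS if r["rrtype"] == "A" and r["rdata"] == ip]


def score(record: dict, as_of: date) -> int:
    """Newly seen names and impersonation keywords push a neighbour up the review queue."""
    age_days = (as_of - record["first_seen"]).days
    s = 0
    if age_days <= 7:
        s += 3
    elif age_days <= 30:
        s += 2
    elif age_days <= 90:
        s += 1
    s += sum(tok in record["rrname"] for tok in SUSPICIOUS_TOKENS)
    return s


def pivot(defaced_host: str, as_of: str) -> dict:
    """Defaced host -> its IP(s) -> every other name on those IPs, ranked for review.

    as_of is an ISO date (YYYY-MM-DD) so the recency scoring is reproducible.
    """
    as_of_date = date.fromisoformat(as_of)
    ips = sorted(resolve(defaced_host))
    candidates = {}
    skipped = []
    for ip in ips:
        neighbours = [r for r in cohosted(ip) if r["rrname"] != defaced_host]
        if len(neighbours) > MAX_NEIGHBOURS:
            skipped.append(ip)          # shared hosting / CDN: do not expand
            continue
        for r in neighbours:
            name = r["rrname"]
            candidates[name] = max(candidates.get(name, 0), score(r, as_of_date))
    ranked = sorted(candidates.items(), key=lambda kv: (-kv[1], kv[0]))
    return {"ips": ips, "ranked": ranked, "skipped_shared_ips": skipped}


if __name__ == "__main__":
    print(pivot("defaced-shop.example", "2019-12-04"))
```

The ranked list is what an analyst or a crawler works through first; names that later show up in phishing feeds (the "confirmed malicious" set on page 31) become labels for whichever model replaces the keyword heuristic. Neighbour expansion is skipped for addresses with more than MAX_NEIGHBOURS names, since a shared-hosting or CDN address would otherwise flood the queue with unrelated sites.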

Page 33: Summary

Page 34: (image-only slide)

Page 35: Success:

Page 36: (image-only slide)