Credential Stealing Emails
What YOU need to know
Michael Gough – Co-Founder
Brian Boettcher – Co-Founder
IMFSecurity.com
LOG-MD.com
Who are we
• Blue Team Defender Ninjas, Incident Responders
• Michael – Creator of all those Windows Logging Cheat Sheets and the Malware Management Framework
• Brian – co-host of the “Brakeing Down Security Podcast”
• Creators of “Log-MD” – The Log and Malicious Discovery Tool
• NEW – Expanding the BDS podcast
– “Brakeing Down Incident Response”
2 years ago…
• We announced LOG-MD at this very conference
• Today we would like to announce the release of…
• LOG-MD ver 2.0
The Challenge
The Problem or SERIOUS Challenge
• We have a fancy SMTP Gateway that does AV, SPAM, Outbreaks, URL Scanning, and Malware Sandboxing
• Credential Stealing Emails are on the rise
• And they are VERY difficult to defend against
• This is a HUGE gap that we get every week
Typical Cred Stealing Email
• They come in to 1, 3, 5, dozens to hundreds of recipients
• They can have a URL in the email, or a PDF with a URL in it to get past the scanners
– Silly Hackers
• And they look like any one of the following…
What the emails look like
A PDF Adobe/Dropbox version
Another PDF
Or a Dropbox looking email
https://www.millionauto.com/doc.htm
PDF with link – But it is safe, AVAST says so
https://toppingcloths.id/scripts_mwi/onenew/b9909ec9f947e4f86a71e8eb07339d39/
PDF – Scanned Document from your HP Scanner
DocuSign of course…
The Lawyer says Click Here…
https://firstlink-jo.com/jac/font/index.php
Embedded Image with URL
Let’s look at the Cred Stealing website
PDF Dropbox looking
• Federation ???
OneDrive needs your login
And your PIN… maybe an MFA attempt?
DocuSign from a URL
But WAIT – There’s MORE: Federation!
And they even want your Telephone and Recovery Email
PDF brings you here… Login Please
Dang It… Wrong Password – Try Again!
WeTransfer your Credentials…
And then sends you to OneDrive
Let’s Look at a Targeted Attack
Targeted Phish – From Retail Supplier
https://adinshawandco.com/auth/scan.html
The website
Enter your Creds…
After you try logging in you are redirected to an industry article
So what does the attack look like?
Incoming !!!
• Started at 7:58am CST
• Ended at 8:05am CST
• We are an hour behind, so it was sent before we were at work (7:58am CST)
• 191 emails, batched roughly 50 at a time
• 156 total delivered
• 35 failed to deliver
– Failed addresses went back as far as Mar 2016
Incoming Exchange Splunk Query
• You should have a query ready to go for:
– Sender
– Subject
What did we do?
• Once reported, or once one of our odd-email alerts triggers (which this one did; we just had not seen it yet because we had only just got into the office and people were already reporting it)
– So yeah.. AHHHHHhhhhhhhhhhh
• We evaluate in a lab and click all the way through, including entering fake creds to see what happens next, and use LOG-MD of course to evaluate URLs and domains ;-)
• We Splunk the email details to identify ALL users that received it
– Now we know whom to notify
• We add the users to a lookup list in order to track their logins
What did we do?
• We issued a recall of the email from Exchange
• Emailed all recipients – DO NOT OPEN!!!!
• Anyone who had logged into any Internet-facing system was asked to reset their password
• Some accounts were disabled if the user did not respond in a timely manner, like 1 hour
• We called a few people…
Knock Knock… Hackers Knocking
• It didn’t take the hackers 3 hrs to attempt logins
• These Cred Stealing actors are LIVE
So what did Threat Intel say about the URL?
FortiGuard Webfilter
• We checked these on the afternoon of the 16th, 10 days after the event
• They rated it Phishing on Feb 13th
BrightCloud
• Nothing bad
Cisco Talos
• Nothing bad
McAfee
• Phishing
• Checked 10 days later
MXToolbox
• Blacklists all clean
RiskIQ – PassiveTotal
• Nothing bad
PhishTank
• Didn’t have anything
Sucuri
• Blacklisted by Norton and McAfee
Symantec
• Suspicious 7 days ago
Trend Micro
• Dangerous
Unmask Parasites
• Nothing bad
URLQuery
• Nothing bad… But wait, there’s more!!!
• SCREEN SHOT!!!!
URLScan
• Nothing bad… SCREEN SHOT!!!
URL Void
• Nothing bad
• Domain is 2 years old
• Is from India
• Safety Reputation – 0
Google VirusTotal
• Nothing bad… Seriously???
WatchGuard
• Nothing bad
Zscaler
• Nothing bad
Example #2 – Investigate within a couple hours to the end of the same day
Example #2 – The Scenario
• This email came in at 12:10 EST
• We looked at it within an hour
• Ran Threat Intel within 2 hours
• Then ran Threat Intel again between 4:30 and 5:00pm EST
• What do you think we found?
What does Threat Intel think?
• Alexa – No rank available
• Cisco Talos – No Score
• DomainTools – Nothing
• ForcePoint – Nothing
• Symantec – Nothing
• Trend Micro – Nothing
• McAfee TrustedSource – Nothing
• URLVoid – Nothing
• URLQuery – Nothing & Screen Shot
• URLScan – Nothing & Screen Shot
• VirusTotal – Nothing
What do the Browsers say?
• Tested this at the end of the day
• Chrome Safe Surfing – Deceptive Site
• Firefox – Deceptive Site
• Edge Browser – No warning
• Internet Explorer – No warning
Sample #2 – FortiGuard Webfilter
• Winner Winner Chicken Dinner
• 9:34am (UTC) no data.. CLEAN
• 10 mins later at 9:44am – “Medium”
– So if you check early, this might say “OK” too
So what should you do?
Your only real options
• MFA
• 2 Factor Auth will cripple these attacks
• The creds won’t work anywhere on Internet-facing systems, so you have time to respond
– “Hopefully”
• Fast and mass disable of accounts and/or rotate passwords for ALL recipients
Detect and Respond… FAST!!!!
1. The Alert – How you get notified
2. Evaluate the URL in a lab or manually
3. Block the URL and/or IP ASAP
4. Get a list of ALL recipients
5. Consider fast and mass password resets
– Yes, painful; the larger the event, the more painful it is…
6. Monitor your Internet logins with the list of recipients
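Steps 4 and 6 above, and the "What did we do?" slides earlier (Splunk the email details to get ALL recipients, put them on a lookup list, watch their logins), come down to two joins over logs you already have. The following is an added example, not code from the deck or from LOG-MD: both log samples are constructed stand-ins for an Exchange message-tracking export and an Internet-facing (OWA/VPN) login log, their column names are assumptions, and the timestamps are constructed to mirror the deck's timeline (13:58Z is 7:58am CST). It builds the recipient list for one sender/subject pair, then flags post-phish logins by those recipients from IPs they had not used before, and finally pivots on those IPs to find accounts that were not on the recipient list at all.

```python
"""Recipient list and login monitoring for a credential-phish campaign.

Added example, not from the BSides Austin deck or LOG-MD. The two log samples
are constructed stand-ins for an Exchange message-tracking export and an
Internet-facing login log; column names are assumptions.
"""
import csv
import io
from datetime import datetime

# Constructed tracking export: one row per recipient, DELIVER or FAIL.
TRACKING_LOG = """\
timestamp,event_id,sender,recipient,subject
2018-02-06T13:58:02Z,DELIVER,billing@supplier-example.test,alice@corp.test,Scanned Document from HP Scanner
2018-02-06T13:58:03Z,DELIVER,billing@supplier-example.test,bob@corp.test,Scanned Document from HP Scanner
2018-02-06T13:58:05Z,FAIL,billing@supplier-example.test,old.hire@corp.test,Scanned Document from HP Scanner
2018-02-06T13:58:09Z,DELIVER,billing@supplier-example.test,carol@corp.test,Scanned Document from HP Scanner
2018-02-06T14:01:11Z,DELIVER,newsletter@vendor.test,alice@corp.test,Weekly update
"""

# Constructed Internet-facing login records (e.g. OWA/VPN); RFC 5737 test addresses.
LOGIN_LOG = """\
timestamp,user,src_ip,result
2018-02-06T12:30:00Z,alice@corp.test,203.0.113.10,success
2018-02-06T15:40:12Z,alice@corp.test,198.51.100.77,success
2018-02-06T16:02:45Z,bob@corp.test,198.51.100.77,failure
2018-02-06T16:03:01Z,bob@corp.test,198.51.100.77,success
2018-02-06T17:15:00Z,dave@corp.test,198.51.100.77,success
"""


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def phish_recipients(tracking, sender, subject):
    """Step 4: every recipient of this sender+subject pair, split into delivered
    and failed, plus the first/last timestamps so the campaign window is known."""
    delivered, failed, times = set(), set(), []
    for row in tracking:
        if row["sender"].lower() != sender.lower() or row["subject"] != subject:
            continue
        times.append(parse_ts(row["timestamp"]))
        target = delivered if row["event_id"] == "DELIVER" else failed
        target.add(row["recipient"].lower())
    window = (min(times), max(times)) if times else None
    return delivered, failed, window


def baseline_ips(logins, before):
    """Source IPs each user logged in from before the campaign started."""
    known = {}
    for row in logins:
        if parse_ts(row["timestamp"]) < before:
            known.setdefault(row["user"].lower(), set()).add(row["src_ip"])
    return known


def suspicious_logins(logins, watchlist, after, known):
    """Step 6: successful Internet-facing logins by a recipient, after the phish
    landed, from an IP that user had never used before."""
    hits = []
    for row in logins:
        user = row["user"].lower()
        if user not in watchlist or row["result"] != "success":
            continue
        if parse_ts(row["timestamp"]) <= after:
            continue
        if row["src_ip"] in known.get(user, set()):
            continue
        hits.append((user, row["src_ip"], row["timestamp"]))
    return hits


def pivot_on_ips(logins, hits):
    """Any other account that logged in from an IP seen in the hits is worth a
    look too, even if it was not on the recipient list."""
    bad_ips = {ip for _, ip, _ in hits}
    return sorted({row["user"].lower() for row in logins
                   if row["src_ip"] in bad_ips and row["result"] == "success"})


def triage(sender, subject):
    tracking, logins = parse_csv(TRACKING_LOG), parse_csv(LOGIN_LOG)
    delivered, failed, window = phish_recipients(tracking, sender, subject)
    if window is None:
        return {"delivered": set(), "failed": set(), "window": None, "hits": [], "pivot": []}
    hits = suspicious_logins(logins, delivered, window[0], baseline_ips(logins, window[0]))
    return {"delivered": delivered, "failed": failed, "window": window,
            "hits": hits, "pivot": pivot_on_ips(logins, hits)}


if __name__ == "__main__":
    result = triage("billing@supplier-example.test", "Scanned Document from HP Scanner")
    print(f"{len(result['delivered'])} delivered, {len(result['failed'])} failed")
    for user, ip, when in result["hits"]:
        print(f"ALERT {user} logged in from new IP {ip} at {when}")
    print("also seen from those IPs:", result["pivot"])
```

The "new IP for this user" test is deliberately simple; a production version would use the lookup list the deck mentions and a longer baseline. The pivot step is the one most people skip: in the sample, dave never received the phish but logged in from the same IP as the two flagged recipients, which is exactly the kind of account the 1-hour disable rule on the previous slides should also catch.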
Evaluating the URL
• On the 2nd sample FortiGuard was the only one that flagged a recently received phish within the first couple of hours
– Do not take this as an endorsement
– If you check fast enough, it may say it’s “OK”
• I checked all of the URL Threat Intel sites at the end of the day… so 6 hours later
– 0, zippo, none, zilch changed… YUP, all good
Evaluating the URL
• Pick a few of the ones we just blew through and collect the following to make a quick evaluation
– Screen Shots – GREAT indicator of a credential stealing site with an authentication page
– Domain age – How old is the website in days or years? Is it new?
– Category – Lack of a category, or has the site been categorized (Blog/Malware/etc.)?
– Reputation – Is this a Bad, Neutral or Good site?
– Blacklists – Is the domain on any blacklists? If so, why is the SMTP gateway not catching it?
– Country – Where is this URL from?
– Alexa Rating – How well known is it?
• LOG-MD will give you the IPs and WhoIs lookup
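The checklist above turns into a small rubric once the indicators are collected, and the lesson from both samples (every vendor "Nothing bad" at first, "Medium" ten minutes later) dictates its one non-obvious rule: a vendor that has no data is unknown, not clean. The following is an added example, not code from the deck or from LOG-MD; the weights, the thresholds, the category names and both sample indicator sets are assumptions chosen for illustration, and a real run would fill `UrlIndicators` from the lookup sites listed at the end of the deck.

```python
"""Quick scoring of a suspect URL from the deck's indicator checklist.

Added example, not from the BSides Austin deck or LOG-MD. Weights, thresholds
and the sample indicator sets are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class UrlIndicators:
    url: str
    screenshot_has_login_form: bool      # URLScan/URLQuery screenshot shows an auth page
    domain_age_days: Optional[int]       # None when WHOIS returned nothing
    category: Optional[str]              # None when no vendor has categorised it
    reputation: str                      # "bad", "neutral", "good" or "unknown"
    blacklist_hits: int                  # how many blacklists list the domain
    country: Optional[str]
    alexa_rank: Optional[int]            # None = no rank available
    vendor_verdicts: Dict[str, str] = field(default_factory=dict)  # "bad" | "clean" | "no data"


def vendor_consensus(verdicts: Dict[str, str], min_clean: int = 3) -> str:
    """'bad' if any vendor says so; 'clean' only when at least min_clean vendors
    explicitly rated it clean; otherwise 'unknown' (too few have looked yet)."""
    if any(v == "bad" for v in verdicts.values()):
        return "bad"
    if sum(1 for v in verdicts.values() if v == "clean") >= min_clean:
        return "clean"
    return "unknown"


def score_url(ind: UrlIndicators) -> Tuple[int, List[str]]:
    """Additive rubric over the checklist. Returns (score, reasons)."""
    score, reasons = 0, []
    if ind.screenshot_has_login_form:          # the deck's strongest single signal
        score += 4
        reasons.append("screenshot shows an authentication page")
    if ind.domain_age_days is None:
        score += 1
        reasons.append("domain age unknown")
    elif ind.domain_age_days < 30:
        score += 3
        reasons.append(f"domain is only {ind.domain_age_days} days old")
    if ind.category is None:
        score += 1
        reasons.append("site has no category")
    elif ind.category.lower() in ("malware", "phishing"):
        score += 4
        reasons.append(f"categorised as {ind.category}")
    if ind.reputation == "bad":
        score += 3
        reasons.append("bad reputation")
    elif ind.reputation == "unknown":
        score += 1
        reasons.append("no reputation data")
    if ind.blacklist_hits > 0:
        score += 2 + min(ind.blacklist_hits, 3)
        reasons.append(f"listed on {ind.blacklist_hits} blacklist(s)")
    if ind.alexa_rank is None:
        score += 1
        reasons.append("no Alexa rank")
    consensus = vendor_consensus(ind.vendor_verdicts)
    if consensus == "bad":
        score += 3
        reasons.append("at least one vendor rates it bad")
    elif consensus == "unknown":
        reasons.append("vendors have no data yet: re-check in a few hours")
    return score, reasons


def verdict(ind: UrlIndicators) -> str:
    score, _ = score_url(ind)
    if score >= 8:
        return "block"
    if score >= 4:
        return "review"
    return "low"


# Constructed: a fresh credential page checked within the hour, before vendors caught up.
FRESH_PHISH = UrlIndicators(
    url="https://fresh-lure.example/auth/index.php", screenshot_has_login_form=True,
    domain_age_days=12, category=None, reputation="unknown", blacklist_hits=0,
    country="IN", alexa_rank=None,
    vendor_verdicts={"FortiGuard": "no data", "Talos": "no data", "VirusTotal": "clean"},
)

# Constructed: a long-established business site with several explicit clean ratings.
KNOWN_GOOD = UrlIndicators(
    url="https://supplier-portal.example/", screenshot_has_login_form=False,
    domain_age_days=2900, category="Business", reputation="good", blacklist_hits=0,
    country="US", alexa_rank=48000,
    vendor_verdicts={"FortiGuard": "clean", "Talos": "clean", "VirusTotal": "clean", "McAfee": "clean"},
)
```

With these weights the fresh sample scores 10 and lands on "block" even though not a single vendor has rated it bad, because the screenshot, the domain age and the absence of any category, reputation or rank carry the decision; the one "clean" verdict does not reach consensus because two vendors have no data at all. A legitimate portal with a login form will score 4 and land on "review", which is the intended behaviour: the screenshot is a strong signal, not a verdict on its own.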
Other Possibilities
• Add an email warning on all Internet-originating emails
• You could temporarily turn off any non-MFA/2-Factor systems when these hit
– Ouch!
– Would need buy-in from everyone
– And a good “repeatable” procedure
Conclusion
• If you don’t have MFA
– You are screwed
• These actors are active within hours or a day
• You can’t trust your IDS/IPS: it can only see HTTP (in the clear) traffic, and only if the site is already well known as “Bad” could you get an alert
• Learn how to react FAST and reset creds
• Teach your team how to evaluate these quickly
– Evaluate the emails in a lab and click through the URLs
– Many will have redirects to the Cred stealing site; that final URL is the one you want to block!
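The last bullet is easy to get wrong by hand: the lure URL in the PDF is rarely the page that collects the password, and the hops in between can be 3xx redirects, meta refreshes or a line of JavaScript. Below is an added example of walking that chain offline from responses captured in the lab; it is not code from the deck or from LOG-MD. The capture dictionary is constructed (all hosts are `.example`), and a real run would replace it with what the lab browser or proxy recorded. It stops on loops, on hops that are not in the capture and at a hop limit, and reports whether the landing page contains a password field.

```python
"""Walk a captured phishing click-through to the URL that actually needs blocking.

Added example, not from the BSides Austin deck or LOG-MD. The capture is
constructed; feed in responses recorded by the lab browser/proxy instead.
"""
import re
from urllib.parse import urljoin

# Constructed capture: url -> (status, headers, body).
CAPTURE = {
    "https://lure.example/doc.htm": (302, {"Location": "/jump?u=1"}, ""),
    "https://lure.example/jump?u=1": (200, {},
        '<html><head><meta http-equiv="refresh" '
        'content="0; url=https://cdn-hop.example/go.html"></head></html>'),
    "https://cdn-hop.example/go.html": (200, {},
        "<script>window.location.href = 'https://login-page.example/auth/index.php';</script>"),
    "https://login-page.example/auth/index.php": (200, {},
        '<form method="post" action="post.php"><input type="password" name="pw"></form>'),
}

# Constructed two-hop loop, the failure mode a naive follower spins on forever.
LOOP_CAPTURE = {
    "https://a.example/": (302, {"Location": "https://b.example/"}, ""),
    "https://b.example/": (301, {"Location": "https://a.example/"}, ""),
}

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.I)
# Plain `location = "..."` / `window.location.href = "..."` assignments; `(?!=)` skips `==` comparisons.
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=(?!=)\s*["\']([^"\']+)["\']', re.I)
PASSWORD_INPUT = re.compile(r'<input[^>]+type=["\']?password', re.I)


def next_hop(url, status, headers, body):
    """URL this response sends the browser on to, or None if it is a landing page."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"])
    for pattern in (META_REFRESH, JS_LOCATION):
        match = pattern.search(body)
        if match:
            return urljoin(url, match.group(1))
    return None


def walk_chain(start, capture, max_hops=10):
    """Return (chain, last_url, reason); reason is one of
    'landed', 'loop', 'hop limit' or 'not in capture'."""
    chain, seen, url = [], set(), start
    while True:
        if url in seen:
            return chain, url, "loop"
        if len(chain) >= max_hops:
            return chain, url, "hop limit"
        if url not in capture:
            return chain, url, "not in capture"
        seen.add(url)
        chain.append(url)
        following = next_hop(url, *capture[url])
        if following is None:
            return chain, url, "landed"
        url = following


def block_target(start, capture):
    """The deck's point: block the final URL after all the redirects, not just the lure."""
    chain, final, reason = walk_chain(start, capture)
    landing = capture.get(final)
    return {
        "chain": chain,
        "final": final,
        "reason": reason,
        "credential_page": landing is not None and PASSWORD_INPUT.search(landing[2]) is not None,
    }


if __name__ == "__main__":
    result = block_target("https://lure.example/doc.htm", CAPTURE)
    for hop in result["chain"]:
        print("hop:", hop)
    print("block:", result["final"], "| password form:", result["credential_page"])
```

Blocking every hop in the chain is also reasonable, since the intermediate hosts get reused across campaigns, but the final URL is the one that must not be missed. The two regexes cover the common cases only; a redirect built from obfuscated JavaScript will show up as "landed" on a page with no password field, which is the cue to open it in the lab browser instead.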
Recommend Sites
• Screen Shots
– URLScan.io
– URLQuery.net
• Blacklist lookup
– FortiGuard.com/webfilter
– global.sitesafety.trendmicro.com
– safeweb.norton.com
– trustedsource.org
– URLVoid.com
– TalosIntelligence.com
• Reputation
– URLVoid.com
– TalosIntelligence.com
• WhoIS
– DomainTools.com
– LOG-MD.com (We have WhoIs lookups now ;-)
• Alexa
– URLVoid.com
– Alexa.com
Questions
• You can find us on the Twitters
– @HackerHurricane
– @Boettcherpwned
• LOG-MD.com
• MalwareArchaeology.com
• Preso will be on SlideShare and linked on
MalwareArchaeology.com
• Listen to the PodCast to hear the rest of this topic
– http://www.brakeingdownir.libsyn.com/
Cred stealing emails bsides austin_2018 v1.0

  • 1. Credential Stealing Emails – What YOU need to know
    Michael Gough – Co-Founder
    Brian Boettcher – Co-Founder
    IMFSecurity.com
    LOG-MD.com
  • 2. Who are we
    • Blue Team Defender Ninjas, Incident Responders
    • Michael – Creator of all those Windows Logging Cheat Sheets and the Malware Management Framework
    • Brian – co-host of the “Brakeing Down Security Podcast”
    • Creators of “Log-MD” – The Log and Malicious Discovery Tool
    • NEW – Expanding the BDS podcast
      – “Brakeing Down Incident Response”
  • 3. 2 years ago…
    • We announced LOG-MD at this very conference
    • Today we would like to announce the release of…
    • LOG-MD ver 2.0
  • 5. The Problem or SERIOUS Challenge
    • We have a fancy SMTP Gateway that does AV, SPAM, Outbreaks, URL Scanning, and Malware Sandboxing
    • Credential Stealing Emails are on the rise
    • And they are VERY difficult to defend against
    • This is a HUGE gap that we run into every week
  • 6. Typical Cred Stealing Email
    • They come in to 1, 3, 5, dozens to hundreds of recipients
    • They can have a URL in the email or a PDF with a URL to get by the scanners
      – Silly Hackers
    • And they look like any one of the following…
  • 7. What the emails look like
  • 8. A PDF Adobe/Dropbox version
  • 10. Or a Dropbox-looking email
    https://www.millionauto.com/doc.htm
  • 11. PDF with link – But it is safe, AVAST says so
    https://toppingcloths.id/scripts_mwi/onenew/b9909ec9f947e4f86a71e8eb07339d39/
  • 12. PDF – Scanned Document from your HP Scanner
  • 14. The Lawyer says Click Here…
    https://firstlink-jo.com/jac/font/index.php
  • 15. Embedded Image with URL
  • 16. Let’s look at the Cred Stealing website
  • 18. OneDrive needs your login
  • 19. And your PIN… maybe an MFA attempt?
  • 20. DocuSign from a URL
  • 21. But WAIT – There’s MORE: Federation!
  • 22. And they even want your Telephone and Recovery Email
  • 23. PDF brings you here… Login Please
  • 24. Dang It… Wrong Password – Try Again!
  • 26. And then sends you to OneDrive
  • 27. Let’s Look at a Targeted Attack
  • 28. Targeted Phish – From Retail Supplier
    https://adinshawandco.com/auth/scan.html
  • 31. After you try logging in, you are redirected to an industry article
  • 32. So what does the attack look like?
  • 33. Incoming!!!
    • Started at 7:58am CST
    • Ended at 8:05am CST
    • We are an hour behind, so it was sent before we were at work (7:58am CST)
    • 191 emails, batched roughly 50 at a time
    • 156 total delivered
    • 35 failed to deliver
      – Failed addresses went back as far as Mar 2016
  • 34. Incoming Exchange Splunk Query
    • You should have a query ready to go for:
      – Sender
      – Subject
  • 35. What did we do?
    • Once reported, or once one of our odd-email alerts triggers (this one did, but we had not seen it yet: we had just got into the office and people were already reporting it)
      – So yeah… AHHHHHhhhhhhhhhhh
    • We evaluate in a lab and click all the way through, including entering fake creds to see what happens next, and use LOG-MD of course to evaluate URLs and domains ;-)
    • We Splunk the email details to identify ALL users that received it
      – Now we know whom to notify
    • We add the users to a lookup list in order to track their logins
  • 36. What did we do?
    • We issued a recall of the email from Exchange
    • Emailed all recipients – DO NOT OPEN!!!!
    • Anyone who logged into any Internet-facing system was asked to reset their password
    • Some accounts were disabled if the user did not respond in a timely manner, like 1 hour
    • We called a few people…
  • 37. Knock Knock… Hackers Knocking
    • It didn’t take the hackers 3 hrs to attempt logins
    • These Cred Stealing actors are LIVE
  • 38. So what did Threat Intel say about the URL?
  • 39. FortiGuard Webfilter
    • We checked these on the afternoon of the 16th, 10 days after the event
    • They rated it Phishing on Feb 13th
  • 41. Cisco Talos – Nothing Bad
  • 42. McAfee – Phishing (checked 10 days later)
  • 43. MXToolbox – Blacklists all clean
  • 44. RiskIQ - PassiveTotal – Nothing bad
  • 45. PhishTank – Didn’t Have Anything
  • 46. Sucuri – Blacklisted by Norton and McAfee
  • 47. Symantec – Suspicious 7 Days ago
  • 50. URLQuery – Nothing bad… But wait, there’s more!!!
  • 51. URLQuery – SCREEN SHOT!!!!
  • 52. URLScan – Nothing bad… SCREEN SHOT!!!
  • 53. URL Void
    • Nothing bad
    • Domain is 2 years old
    • Is from India
    • Safety Reputation - 0
  • 54. Google VirusTotal – Nothing bad… Seriously???
  • 57. Example #2 – Investigated within a couple of hours and again at the end of the same day
  • 58. Example #2 - The Scenario
    • This email came in at 12:10 EST
    • We looked at it within an hour
    • Ran Threat Intel within 2 hours
    • Then ran Threat Intel again between 4:30-5:00pm EST
    • What do you think we found?
  • 59. What does Threat Intel think?
    • Alexa – No rank available
    • Cisco Talos – No Score
    • DomainTools – Nothing
    • ForcePoint – Nothing
    • Symantec – Nothing
    • Trend Micro – Nothing
    • McAfee TrustedSource – Nothing
    • URLVoid – Nothing
    • URLQuery – Nothing & Screen Shot
    • URLScan - Nothing & Screen Shot
    • VirusTotal - Nothing
  • 60. What do the Browsers say?
    • Tested this at the end of the day
    • Chrome Safe Surfing – Deceptive Site
    • FireFox - Deceptive Site
    • Edge Browser – No warning
    • Internet Explorer – No warning
  • 61. Sample #2 - FortiGuard Webfilter
    • Winner Winner Chicken Dinner
    • 9:34am (UTC) no data… CLEAN
    • 10 mins later at 9:44am - “Medium”
      – So if you check early, this might say “OK” too
  • 62. So what should you do?
  • 63. Your only real options
    • MFA
    • 2 Factor Auth will cripple these attacks
    • The creds won’t work anywhere on Internet-facing systems, so you have time to respond – “Hopefully”
    • Fast and mass disabling of accounts and/or rotating passwords for ALL recipients
  • 64. Detect and Respond… FAST!!!!
    1. The Alert – How you get notified
    2. Evaluate the URL in a lab or manually
    3. Block the URL and/or IP ASAP
    4. Get a list of ALL recipients
    5. Consider fast and mass password resets – Yes, painful the larger the event is…
    6. Monitor your Internet logins with the list of recipients
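The recipient lookup list from slide 35 and the login monitoring in step 6 above, worked through as an added example (not the deck's or LOG-MD's code): it pulls the recipients of one sender/subject pair from constructed message-tracking records, lists their Internet-facing logins after the first delivery, and flags several recipients authenticating from a single source IP. The CSV layouts and the corp.test/example addresses are assumptions.

```python
"""Correlate phishing recipients with Internet-facing logins (added example,
not from the deck). Records below are constructed; the CSV field layouts are
assumptions about an Exchange message-tracking export and a VPN/OWA login log."""
from datetime import datetime

# Constructed message-tracking export: delivered-at, sender, subject, recipient
DELIVERIES = """\
2018-02-06T07:58:12,billing@supplier-example.test,Scanned Document,alice@corp.test
2018-02-06T07:58:40,billing@supplier-example.test,Scanned Document,bob@corp.test
2018-02-06T08:01:05,billing@supplier-example.test,Scanned Document,carol@corp.test
2018-02-06T08:04:59,news@vendor-example.test,Weekly Update,dave@corp.test
"""

# Constructed Internet-facing login log: when, user, source IP, result
LOGINS = """\
2018-02-06T07:30:00,alice@corp.test,203.0.113.7,success
2018-02-06T09:12:33,bob@corp.test,198.51.100.23,success
2018-02-06T10:45:10,carol@corp.test,198.51.100.23,failure
2018-02-06T10:45:41,carol@corp.test,198.51.100.23,success
2018-02-06T11:00:00,dave@corp.test,203.0.113.9,success
"""


def parse_csv(text):
    return [line.split(",") for line in text.strip().splitlines()]


def recipients_of(sender, subject, deliveries=DELIVERIES):
    """Slide 35: recipient lookup list and first delivery time for one sender/subject."""
    rows = [r for r in parse_csv(deliveries) if r[1] == sender and r[2] == subject]
    if not rows:
        return set(), None
    return {r[3] for r in rows}, min(datetime.fromisoformat(r[0]) for r in rows)


def suspect_logins(recipients, since, logins=LOGINS):
    """Slide 64 step 6: Internet-facing logins by recipients after delivery."""
    if since is None:
        return []
    hits = []
    for when, user, ip, result in parse_csv(logins):
        if user in recipients and datetime.fromisoformat(when) >= since:
            hits.append((user, when, ip, result))
    return hits


def shared_source_ips(hits):
    """Several recipients authenticating from one external IP soon after the
    phish suggests the harvested creds are being replayed (slide 37)."""
    by_ip = {}
    for user, _when, ip, _result in hits:
        by_ip.setdefault(ip, set()).add(user)
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}
```

Alice's 07:30 login predates delivery and Dave never received the phish, so neither is flagged; Bob and Carol both authenticating from 198.51.100.23 after delivery is the pattern that should drive the reset list.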
  • 65. Evaluating the URL
    • On the 2nd sample FortiGuard was the only one that flagged a recently received phish within the first couple of hours
      – Do not take this as an endorsement
      – If you check fast enough, it may say it’s “OK”
    • I checked all of the URL Threat Intel sites at the end of the day… so 6 hours later
      – 0, zippo, none, zilch changed… YUP, all good
  • 66. Evaluating the URL
    • Pick a few of the ones we just blew through and collect the following to make a quick evaluation
      – Screen Shots – an authentication page is a GREAT indicator of a credential-stealing site
      – Domain age – How old is the website in days or years? Is it new?
      – Category – Does the site lack a category, or has it been categorized (Blog/Malware/etc.)?
      – Reputation – Is this a Bad, Neutral or Good site?
      – Blacklists – Is the domain on any blacklists? If so, why is the SMTP gateway not catching it?
      – Country – Where is this URL from?
      – Alexa Rating – How well known is it?
    • LOG-MD will give you the IPs and a WhoIs lookup
  • 67. Other Possibilities
    • Add an email warning on all Internet-originating emails
    • You could temporarily turn off any non-MFA/2-Factor systems when these hit
      – Ouch!
      – Would need buy-in from everyone
      – And a good “repeatable” procedure
  • 68. Conclusion
    • If you don’t have MFA – You are screwed
    • These actors are active within hours or a day
    • You can’t trust your IDS/IPS: it can only see HTTP (in the clear) traffic, and only if the site is well known as “Bad” could you get an alert
    • Learn how to react FAST and reset creds
    • Teach your team how to evaluate these quickly
      – Evaluate the emails in a lab and click through the URLs
      – Many will redirect to the cred-stealing site; that final URL is the one you want to block!
  • 69. Recommended Sites
    • Screen Shots
      – URLScan.io
      – URLQuery.net
    • Blacklist lookup
      – FortiGuard.com/webfilter
      – global.sitesafety.trendmicro.com
      – safeweb.norton.com
      – trustedsource.org
      – URLVoid.com
      – TalosIntelligence.com
    • Reputation
      – URLVoid.com
      – TalosIntelligence.com
    • WhoIS
      – DomainTools.com
      – LOG-MD.com (We have WhoIs lookups now ;-)
    • Alexa
      – URLVoid.com
      – Alexa.com
  • 70. Questions
    • You can find us on the Twitters
      – @HackerHurricane
      – @Boettcherpwned
    • LOG-MD.com
    • MalwareArchaeology.com
    • Preso will be on SlideShare and linked on MalwareArchaeology.com
    • Listen to the PodCast to hear the rest of this topic
      – http://www.brakeingdownir.libsyn.com/