Cred stealing emails bsides austin_2018 v1.0
1. Credential Stealing Emails
What YOU need to know
Michael Gough – Co-Founder
Brian Boettcher – Co-Founder
IMFSecurity.com
LOG-MD.com
2. Who are we
• Blue Team Defender Ninjas, Incident Responders
• Michael – Creator of all those Windows Logging Cheat Sheets and the Malware Management Framework
• Brian – co-host of the “Brakeing Down Security Podcast”
• Creators of “Log-MD” – The Log and Malicious Discovery Tool
• NEW – Expanding the BDS podcast
– “Brakeing Down Incident Response”
3. 2 years ago…
• We announced LOG-MD at this very conference
• Today we would like to announce the release of…
• LOG-MD ver 2.0
5. The Problem or SERIOUS Challenge
• We have a fancy SMTP Gateway that does AV, SPAM, Outbreaks, URL Scanning, and Malware Sandboxing
• Credential Stealing Emails are on the rise
• And they are VERY difficult to defend against
• This is a HUGE gap that we get every week
6. Typical Cred Stealing Email
• They come in to 1, 3, 5, dozens to hundreds of recipients
• They can have a URL in the email or a PDF with a URL to get by the scanners
– Silly Hackers
• And they look like any one of the following…
33. Incoming !!!
• Started at 7:58am CST
• Ended at 8:05am CST
• We are an hour behind, so it was sent before we were at work (7:58am CST)
• 191 emails, batched in roughly 50 at a time
• 156 total delivered
• 35 failed to deliver
– Failed addresses went back as far as Mar 2016
34. Incoming Exchange Splunk Query
• You should have a query ready to go for:
– Sender
– Subject
35. What did we do?
• Once reported, or once one of our odd-email alerts triggers (which this one did; we just had not seen it yet, since we had just got into the office and people were already reporting it)
– So yeah.. AHHHHHhhhhhhhhhhh
• We evaluate in a lab and click all the way through, including entering fake creds to see what happens next, and use LOG-MD of course to evaluate URLs and domains ;-)
• We Splunk the email details to identify ALL users that received it
– Now we know whom to notify
• We add the users to a lookup list in order to track their logins
36. What did we do?
• We issued a recall of the email from Exchange
• Emailed all recipients – DO NOT OPEN!!!!
• Anyone who had logged into any Internet-facing system was asked to reset their password
• Some accounts were disabled if the user did not respond in a timely manner, like 1 hour
• We called a few people…
37. Knock Knock… Hackers Knocking
• It didn’t take the hackers 3 hrs to attempt logins
• These Cred Stealing actors are LIVE
38. So what did Threat Intel say about the URL?
39. FortiGuard Webfilter
• We checked these on the afternoon of the 16th, 10 days after the event
• They rated it Phishing on Feb 13th
58. Example #2 - The Scenario
• This email came in at 12:10 EST
• We looked at it within an hour
• Ran Threat Intel within 2 hours
• Then ran Threat Intel again between 4:30-5:00pm EST
• What do you think we found?
60. What do the Browsers say?
• Tested this at the end of the day
• Chrome Safe Surfing – Deceptive Site
• FireFox - Deceptive Site
• Edge Browser – No warning
• Internet Explorer – No warning
61. Sample #2 - FortiGuard Webfilter
• Winner Winner Chicken Dinner
• 9:34am (UTC) no data.. CLEAN
• 10 mins later at 9:44am - “Medium”
– So if you check early, this might say “OK” too
63. Your only real options
• MFA
• 2 Factor Auth will cripple these attacks
• The creds won’t work anywhere on Internet-facing systems, so you have time to respond
– “Hopefully”
• Fast and Mass disable of accounts and/or rotate passwords for ALL recipients
64. Detect and Respond… FAST !!!!
1. The Alert – How you get notified
2. Evaluate the URL in a lab or manually
3. Block the URL and/or IP ASAP
4. Get a list of ALL recipients
5. Consider Fast and Mass password resets
– Yes, painful; the larger the event, the more painful it is…
6. Monitor your Internet logins with the list of recipients
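Steps 4 and 6 above, as an added example that is not from the talk or from LOG-MD: it pulls every recipient of a given sender/subject out of an Exchange message-tracking extract (split into delivered and failed, as in the 156/35 breakdown earlier), then flags which of those users logged in from outside the corporate ranges after the first delivery. The tracking CSV and the login log are constructed samples; the login-log layout and INTERNAL_NETS are assumptions.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample in Exchange message-tracking column layout (subset of columns).
TRACKING_CSV = """date-time,event-id,recipient-address,recipient-status,message-subject,sender-address
2018-02-06T13:58:02Z,DELIVER,alice@corp.example,,Your mailbox quota,billing@mail.example
2018-02-06T13:58:03Z,DELIVER,bob@corp.example,,Your mailbox quota,billing@mail.example
2018-02-06T13:58:05Z,FAIL,carol@corp.example,550 5.1.1 User unknown,Your mailbox quota,billing@mail.example
2018-02-06T14:01:10Z,DELIVER,dave@corp.example,,Weekly report,reports@corp.example
"""
# Constructed Internet-facing login log (user,time,source ip); this layout is an assumption.
LOGIN_LOG = """alice@corp.example,2018-02-06T16:40:11Z,203.0.113.9
bob@corp.example,2018-02-06T12:30:00Z,203.0.113.7
dave@corp.example,2018-02-06T17:00:00Z,198.51.100.4
alice@corp.example,2018-02-06T15:05:00Z,10.20.30.40
"""
# Assumed corporate address space; a login from anywhere else counts as an Internet login.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def recipients(tracking_csv, sender, subject):
    """Step 4: all recipients of the phish by delivery result, plus the first delivery time."""
    delivered, failed, first = set(), set(), None
    for row in csv.DictReader(io.StringIO(tracking_csv)):
        if row["sender-address"].lower() != sender.lower() or row["message-subject"] != subject:
            continue
        addr = row["recipient-address"].lower()
        if row["event-id"] == "DELIVER":          # Exchange event-id for successful delivery
            delivered.add(addr)
            when = parse_ts(row["date-time"])
            first = when if first is None or when < first else first
        elif row["event-id"] == "FAIL":           # stale/unknown mailboxes, like the 35 in the talk
            failed.add(addr)
    return delivered, failed, first

def internet_logins(login_log, watchlist, after):
    """Step 6: watchlist users who logged in from outside INTERNAL_NETS after delivery."""
    hits = []
    for line in login_log.strip().splitlines():
        user, ts, src = line.split(",")
        ip = ipaddress.ip_address(src)
        if user in watchlist and parse_ts(ts) >= after and not any(ip in n for n in INTERNAL_NETS):
            hits.append((user, ts, src))          # candidates for forced reset / disable
    return hits
```

Feed the delivered set (or delivered plus failed, for stale accounts) straight into the login check; every hit is a user to reset or disable first.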
65. Evaluating the URL
• On the 2nd sample FortiGuard was the only one that flagged a recently received phish within the first couple of hours
– Do not take this as an endorsement
– If you check fast enough, it may say it’s “OK”
• I checked all of the URL Threat Intel sites at the end of the day… so 6 hours later
– 0, zippo, none, zilch changed… YUP, all good
66. Evaluating the URL
• Pick a few of the ones we just blew through and collect the following to make a quick evaluation
– Screen Shots – GREAT indicator of a credential stealing site with an authentication page
– Domain age – How old is the website in days or years? Is it new?
– Category – Lack of a category, or has the site been categorized (BLOG/Malware/etc.)?
– Reputation – Is this a Bad, Neutral or Good site?
– Blacklists – Is the domain in any blacklists? If so, why is the SMTP gateway not catching it?
– Country – Where is this URL from
– Alexa Rating - How known is it
• LOG-MD will give you the IPs and WhoIs lookup
67. Other Possibilities
• Add an email warning on all Internet-originating emails
• You could temporarily turn off any non-MFA/2-Factor systems when these hit
– Ouch !
– Would need buy-in from everyone
– And a good “repeatable” procedure
68. Conclusion
• If you don’t have MFA
– You are screwed
• These actors are active within hours or a day
• You can’t trust your IDS/IPS: it can only see HTTP (in the clear) traffic, and only if the site is already well known as “Bad” would you get an alert
• Learn how to react FAST and reset creds
• Teach your team how to evaluate these quickly
– Evaluate the emails in a lab and click through the URLs
– Many will have re-directs to the Cred stealing site; that final URL is the one you want to block!
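The redirect point above, as an added example (not from the talk): walk a captured redirect chain to find the landing URL, which is the one to block, and list every host on the way. `CAPTURED` is a constructed lab capture and `lab_fetch` a stand-in for whatever fetcher runs only inside the isolated lab box; all hostnames are made up.

```python
from urllib.parse import urljoin, urlsplit

# Constructed lab capture of one phish link: url -> (HTTP status, Location header).
CAPTURED = {
    "http://track.example/r?id=7": (302, "https://shortlink.example/abc"),
    "https://shortlink.example/abc": (301, "/login/index.html"),
    "https://shortlink.example/login/index.html": (302, "https://accounts-verify.example/owa/auth.php"),
    "https://accounts-verify.example/owa/auth.php": (200, None),
}

def lab_fetch(url):
    """Stand-in fetcher over the constructed capture; unknown URLs behave like a dead link."""
    return CAPTURED.get(url, (404, None))

def follow_redirects(url, fetch, max_hops=10):
    """Walk 3xx hops to the landing page; returns (final_url, [every url in the chain])."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if not (300 <= status < 400 and location):
            return url, chain                   # non-redirect answer: this is the landing page
        url = urljoin(url, location)            # Location may be relative to the current hop
        if url in chain:                        # redirect loop: stop with what we have
            return url, chain
        chain.append(url)
    return url, chain                           # hop cap hit; treat the last seen as landing

def hosts_to_block(chain):
    """Unique hostnames in first-seen order; the last one is the credential-stealing site."""
    seen = []
    for u in chain:
        host = urlsplit(u).hostname
        if host and host not in seen:
            seen.append(host)
    return seen
```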
70. Questions
• You can find us on the Twitters
– @HackerHurricane
– @Boettcherpwned
• LOG-MD.com
• MalwareArchaeology.com
• Preso will be on SlideShare and linked on
MalwareArchaeology.com
• Listen to the PodCast to hear the rest of this topic
– http://www.brakeingdownir.libsyn.com/