Spear Phishing
October 12, 2015
TLP: WHITE
www.excellium-services.com
Agenda
- How it's made
- Soo easy to find victims
- Inventory of evil documents
- The art of spoofing
- How to react to phishing
  - Basic things to do
  - Security awareness
  - EyeMail
- Questions & Answers
How it's made
How to phish an organisation?
1. Find the victims' email addresses
2. Send a mail to a victim with an evil payload
3. If needed, convince the victim to execute the payload
Soo easy to find victims
Email is based on old protocols:
- No security in mind
- No trust anywhere in the protocol
- Only some protocol patches since
Soo easy to find victims
Google, Bing, Exalead, etc. Instantly, with tools:

    $ ./theharvester.py -b all -d excellium-services.com
    Full harvest..
    [-] Searching in Google..
        Searching 0 results...
        Searching 100 results...
    [-] Searching in PGP Key server..
    [-] Searching in Bing..
        Searching 50 results...
        Searching 100 results...
    [-] Searching in Exalead..
        Searching 50 results...
        Searching 100 results...
        Searching 150 results...
    [+] Emails found:
    ------------------
    contact@excellium-services.com
    cbianco@excellium-services.com
    ctessaro@excellium-services.com
    jgayet@excellium-services.com
    pruaro@excellium-services.com
    xvincens@excellium-services.com
    fdemkiw@excellium-services.com
    mgrandcolas@excellium-services.com
    gcomunello@excellium-services.com
    ajolibert@excellium-services.com
    pjung@excellium-services.com
    rsinicco@excellium-services.com
    skaiser@excellium-services.com
    crosenkranz@excellium-services.com
    lhernandez@excellium-services.com
Soo easy to find victims
With one valid email you have the «format». If not, the usual formats are:
- christophe.bianco@excellium-services.com
- c.bianco@excellium-service.com
- cbianco@excellium-services.com
Soo easy to find victims
Got the «format»? LinkedIn does the rest.
How it's made
Sometimes you just have to ask the mail gateway. Who looks at the external gateway logs anyway!

    $ nc smtp.victim.org 25
    220 smtp.victim.org ESMTP Postfix
    ehlo ns2.attacker.org
    250-smtp.victim.org
    mail from: pentester@excellium-services.com
    250 2.1.0 Ok
    rcpt to:abianco@victim.org
    550 5.1.1 <abianco@victim.org>: Recipient address rejected: User unknown in local recipient table
    rcpt to:bbianco@victim.org
    550 5.1.1 <bbianco@victim.org>: Recipient address rejected: User unknown in local recipient table
    rcpt to:cbianco@victim.org
    450 4.2.0 <cbianco@victim.org>: Recipient address rejected: Greylisted

The gateway answers differently for an existing mailbox (greylisted) than for an unknown one, and every one of these probes ends up in its log.
How it's made
If you use tri/quadgrams, it is also brute-forceable:
- cbi@excellium-services.com
- chbi@excellium-services.com
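The "who looks at the gateway log anyway" point above is where detection belongs: a run of 550 "User unknown" rejections for different recipients from one client is the enumeration pattern, while a partner mistyping one address is not. The following is an added example (not code from the slides or from Excellium) that parses constructed Postfix smtpd reject lines modelled on the session above; the IP addresses and hostnames are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed Postfix smtpd lines modelled on the replies in the session above; 203.0.113.5 and
# 198.51.100.7 are documentation addresses standing in for the probing host and a normal peer.
SAMPLE_LOG = """\
Oct 12 10:00:01 smtp postfix/smtpd[4242]: NOQUEUE: reject: RCPT from ns2.attacker.org[203.0.113.5]: 550 5.1.1 <abianco@victim.org>: Recipient address rejected: User unknown in local recipient table; from=<pentester@excellium-services.com> to=<abianco@victim.org> proto=ESMTP helo=<ns2.attacker.org>
Oct 12 10:00:02 smtp postfix/smtpd[4242]: NOQUEUE: reject: RCPT from ns2.attacker.org[203.0.113.5]: 550 5.1.1 <bbianco@victim.org>: Recipient address rejected: User unknown in local recipient table; from=<pentester@excellium-services.com> to=<bbianco@victim.org> proto=ESMTP helo=<ns2.attacker.org>
Oct 12 10:00:03 smtp postfix/smtpd[4242]: NOQUEUE: reject: RCPT from ns2.attacker.org[203.0.113.5]: 450 4.2.0 <cbianco@victim.org>: Recipient address rejected: Greylisted; from=<pentester@excellium-services.com> to=<cbianco@victim.org> proto=ESMTP helo=<ns2.attacker.org>
Oct 12 10:00:04 smtp postfix/smtpd[4242]: NOQUEUE: reject: RCPT from ns2.attacker.org[203.0.113.5]: 550 5.1.1 <dbianco@victim.org>: Recipient address rejected: User unknown in local recipient table; from=<pentester@excellium-services.com> to=<dbianco@victim.org> proto=ESMTP helo=<ns2.attacker.org>
Oct 12 10:05:00 smtp postfix/smtpd[4250]: NOQUEUE: reject: RCPT from mx.partner.example[198.51.100.7]: 550 5.1.1 <old.user@victim.org>: Recipient address rejected: User unknown in local recipient table; from=<hr@partner.example> to=<old.user@victim.org> proto=ESMTP helo=<mx.partner.example>
"""

# Pull out the client IP, the SMTP reply code, the rejected recipient and the reason text.
REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<code>\d{3}) \S+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: (?P<reason>[^;]+)"
)

def unknown_recipients_by_client(log_text):
    """Map each client IP to the set of distinct recipients it had rejected as 'User unknown'."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and m.group("code") == "550" and m.group("reason").startswith("User unknown"):
            seen[m.group("ip")].add(m.group("rcpt"))
    return seen

def enumeration_suspects(log_text, threshold=3):
    """Client IPs that probed at least `threshold` distinct unknown recipients: the enumeration
    pattern from the slide, as opposed to a peer mistyping a single address."""
    by_client = unknown_recipients_by_client(log_text)
    return sorted(ip for ip, rcpts in by_client.items() if len(rcpts) >= threshold)

if __name__ == "__main__":
    for ip in enumeration_suspects(SAMPLE_LOG):
        print("possible recipient enumeration from", ip, sorted(unknown_recipients_by_client(SAMPLE_LOG)[ip]))
```

The threshold is the tuning knob: too low and legitimate bounces from stale address books fire it, too high and a slow probe spread over days slips under it.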
Inventory of evil documents
A website or a file.
Inventory of evil documents
«Classical phishing»: credential stealing
Inventory of evil documents
Software exploitation is a reality (Flash Player)
Inventory of evil documents
Sometimes, just KISS:
- Send executables (exe, cpl, scr, pif, etc.)
- Send scripts (vbs, bat, cmd, etc.)
- The матрёшка (matryoshka) solution: zip, cab, 7zip, zip in zip, etc.
- Encrypt the file with a password
- Use an office document
Inventory of evil documents
Office documents have macros! How to convince a user to activate macros?
The art of spoofing
How to convince someone to open something?
ASCII homograph attack: cbianco@excellium.lu -> cbianco@exce11ium.lu
The art of spoofing
How to convince someone to open something?
Unicode homograph attack: use an internationalized domain name (IDN) with Cyrillic, Greek, Hebrew or Roman letters.
The art of spoofing
How to convince someone to open something?
Example (IDN shown in its punycode form): pjung@xn--llm-rv-2ofaec7ji6b9pfhg714c.com
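Both homograph variants above can be caught at the gateway with the same idea: decode any xn-- label, look for labels that mix scripts, and fold common lookalike characters back to Latin so that exce11ium.lu collapses onto the real excellium.lu. This is an added example, not code from the slides or from Excellium; the PROTECTED set and the small confusable table are assumptions made for the example.

```python
import unicodedata

# Domains the organisation owns; constructed for this example from the domains on the slides.
PROTECTED = {"excellium-services.com", "excellium.lu", "eyeguard.lu"}

# Small hand-picked confusable table (digits and Cyrillic/Greek lookalikes mapped to Latin).
# A subset of the Unicode confusables data, enough to show the technique.
CONFUSABLES = str.maketrans({
    "1": "l", "0": "o", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u03bf": "o", "\u03b1": "a",
})

def to_unicode(domain):
    """Decode xn-- (punycode) labels to Unicode; ASCII or already-Unicode input passes through."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain

def scripts_in(label):
    """Scripts used by the letters of one label, read off the Unicode character names."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
        else:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def classify_domain(domain, protected=PROTECTED):
    """Return 'ok', 'idn', 'mixed-script' or 'lookalike:<protected domain>' for a sender domain."""
    domain = domain.lower()
    uni = to_unicode(domain)
    if uni in protected:
        return "ok"
    if any(len(scripts_in(label)) > 1 for label in uni.split(".")):
        return "mixed-script"                       # e.g. a Cyrillic letter inside a Latin label
    skeleton = uni.translate(CONFUSABLES)
    if skeleton in protected:
        return "lookalike:" + skeleton               # e.g. exce11ium.lu -> excellium.lu
    if uni != domain:
        return "idn"                                 # internationalised name, worth a second look
    return "ok"
```

A real deployment would load the full Unicode confusables table instead of the hand-written subset, and would apply the same check to link targets in the body, not only to the sender domain.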
The art of spoofing
How to convince someone to open something?
SMTP part vs. body part
The art of spoofing
How to convince someone to open something?
Body «From» field manipulation: test@eyeguard.lu
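The SMTP part and the body part are two different sender fields, and the gateway can compare them: the envelope sender it saw during the SMTP dialogue (recorded as Return-Path) against the From header the user will read. The following is an added example, not code from the slides or from Excellium; OUR_DOMAINS and the sample() messages are constructed for it, and the comparison mirrors what SPF alignment under DMARC checks.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains we send mail for; constructed for this example from the domains on the slides.
OUR_DOMAINS = {"excellium-services.com", "excellium.lu"}

def domain_of(address):
    """Lower-cased domain part of an address string, or '' when there is none."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()

def spoof_findings(raw_message, our_domains=OUR_DOMAINS):
    """Compare the SMTP part (envelope sender, written by the gateway into Return-Path) with the
    body part (From header). Returns the findings as a list; an empty list means consistent."""
    msg = message_from_string(raw_message)
    envelope = domain_of(msg.get("Return-Path"))
    display_name, header_addr = parseaddr(msg.get("From", ""))
    header = header_addr.rpartition("@")[2].lower()
    findings = []
    if envelope and header and envelope != header:
        findings.append("envelope/header-from mismatch")       # what SPF alignment (DMARC) tests
    if header in our_domains and envelope not in our_domains:
        findings.append("internal From on mail from outside")   # our brand on a foreign envelope
    if "@" in display_name and domain_of(display_name) != header:
        findings.append("address in display name differs from real sender")
    return findings

def sample(return_path, from_header):
    """Constructed minimal message carrying just the two headers this check looks at."""
    return (f"Return-Path: <{return_path}>\nFrom: {from_header}\n"
            "Subject: Please review\n\nSee attachment.\n")

if __name__ == "__main__":
    print(spoof_findings(sample("test@eyeguard.lu",
                                "Christophe Bianco <cbianco@excellium-services.com>")))
```

The third finding covers the display-name trick, where the visible name is itself an internal-looking address while the real sender sits in the angle brackets.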
The art of spoofing
Some statistics: 34.40% follow the link, 65.60% don't click.
Spear phishing How to react to phishing
How to react to phishing
Control/harden what you have in place:
- Risky file types should be blocked
- Encrypted files should raise a warning
- Spoofing should be blocked: deploy SPF / DKIM / DMARC
- The mail gateway should be monitored
- Deploy an anti-exploitation tool
How to react to phishing
Train people to recognize phishing:
- Teach them what is possible
- Teach them to detect the key points
- Teach them to report incidents
How to react to phishing
Reduce response time:
- Set up policies and processes
- Incident response plan
- Continuous integration
EyeMail assessment
Spoofing tests, file extensions, phishing, communication with C&C, user awareness.
[Charts: "Top 10 clickers" (anonymised user addresses) and "Clicks over time" (09/03/2015 12:00 to 11/03/2015 12:00)]
EyeMail assessment
Aware people reduce risk and increase detection (34.40% vs. 21.75%).
EyeMail assessment
Validate the gateway configuration:
- Spoofing tests (envelope + body)
- Attachments and variations: who blocks .wsf and .hta?
- 20+ file types x 18 variations per file
- More than 350 security controls
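The attachment variations from the KISS slide (raw executables and scripts, zip in zip, password-protected archives, Office documents with macros) are what the "who blocks .wsf and .hta?" question tests. The following is an added example, not code from the slides or from the EyeMail service, of a gateway-side check that walks nested zips, flags the extensions the slides name, notes entries it cannot scan, and looks inside OOXML files for a VBA project; the extension lists and MAX_DEPTH are assumptions made for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the KISS slide lists as direct payloads, plus the .wsf/.hta pair asked about above.
BLOCKED_EXT = {".exe", ".cpl", ".scr", ".pif", ".vbs", ".bat", ".cmd", ".wsf", ".hta", ".js"}
OFFICE_OOXML = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
MAX_DEPTH = 3   # how many "zip in zip" layers the gateway is willing to open

def has_vba(data):
    """OOXML documents are zips; a vbaProject.bin part means the document carries VBA macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.endswith("vbaProject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def inspect_attachment(name, data, depth=0, label=None):
    """Policy findings for one attachment, recursing into zips; `label` is the outer!inner path."""
    label = label or name
    suffixes = [s.lower() for s in PurePosixPath(name.rsplit("/", 1)[-1]).suffixes]
    ext = suffixes[-1] if suffixes else ""
    findings = []
    if ext in BLOCKED_EXT:
        findings.append(f"{label}: blocked extension {ext}")
        if len(suffixes) > 1:
            findings.append(f"{label}: double extension")   # invoice.pdf.scr style
    elif ext == ".zip":
        if depth >= MAX_DEPTH:
            return [f"{label}: archive nested deeper than {MAX_DEPTH} levels"]
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return [f"{label}: corrupt or fake zip"]
        with zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:          # encrypted entry: content cannot be scanned
                    findings.append(f"{label}!{info.filename}: password-protected entry")
                    continue
                findings += inspect_attachment(info.filename, zf.read(info),
                                               depth + 1, f"{label}!{info.filename}")
    elif ext in OFFICE_OOXML and has_vba(data):
        findings.append(f"{label}: Office document with VBA macros")
    return findings

def make_zip(entries):
    """Constructed helper: build an in-memory zip from a {name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()
```

Only zip is opened here; cab and 7zip from the same slide need extra libraries, and a password-protected entry is reported rather than guessed at, which is exactly the "encrypted file should warn" control from the reaction slide.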
EyeMail assessment
Spear phishing as an exercise:
- Perform a spear phishing campaign in your own infrastructure
- Evaluate your staff's security awareness
- Evaluate your detection and alerting process
- Assess browser and plugin versions
EyeWeb assessment
Web surfing security review: EyeWeb
- Bypass web proxy
- Fingerprint
- Patch/plugin management
- Workstation attack
- Authentication spoofing
- Administrator awareness
Thanks!