New phishing trends, old tactics and security awareness

Chris: Hello and welcome to today's episode of Cyber Speak with Infosec Institute. Today on the show is Pedram Amini the creator of the zero day initiative and the CTO of inquest.net. He's presented a variety of research at security conferences such as Black Hat, Def Con, Rec Con, Echo party, Microsoft Blue Hat, Schmu Con, Tour Con, and Virus Bulletin and he's taught numerous courses on reverse engineering. Pedram, today is going to talk to us about the current state of email phishing attacks and how to prevent being tricked by them. Pedram thank you for joining us today.

Pedram Amini: Thank you for having me.

Chris: So it seems like, in the news, that email phishing as an issue really kind of caught fire in the public imagination about three or four years ago. It had kind of a moment in terms of coverage with high level attacks coming from simple phishing techniques like the Target credit card take over and the security breaches around The interview, that movie. So how, if at all, have high level phishing tactics changed since then?

Pedram: You know, first of all, I really want to define phishing overall. It seems like the umbrella that we have it falling under is phishing by way of malicious content, phishing by way of credential harvesting, generally it seems like we're talking about business email compromise and malware carries of that nature. It's interesting that the news really kind of picked up in the past couple years because this has been a problem for well over ten years.

Chris: Of course, yeah.

Pedram: Fundamentally, I have to say that much hasn't really changed by way of the attacker tactics. What we certainly have seen is improvements in the leg work leading up to these campaigns, better creativity in the lures. You look at phishing campaigns from over a decade ago and the fidelity was something to be left wanting. The English was broken, demands were poorly chosen, they really kind of stood out. Whereas now, it's the same kind of tactics but a lot more polish on it and the sophistication in general has gone up.

Chris: Do you think that these sort of high level and well reported attacks have managed to change the method of attack at all? You said that they're a little more subtle but do you think in general that people are more careful now around suspicious emails after hearing about how one person who wanted a free pizza coupon compromised 1.5 million credit card numbers?

Pedram: It depends, it seems like there certainly is, when the scare happens, there's certainly an immediate increase in awareness but as with anything else I think over time people just become lackadaisical and the threat just becomes real again and this is evident in just time after time again high profile case after high profile case.

You see these massive compromises based off such a relatively simple tactic. So you know, while there might be a lull at the moment that's just going to be until the next major event happens. The DNC hack was shocking in many ways. I'm sure it was a gut check for future campaigns but let's just give it time and see what happens. I think we'll see it again.

Chris: Right, and certainly there's so many campaign offices that could be hit. We were talking to someone else about issues around the mid-terms and they were saying it's not just the DNC it's every single local organization. All it takes is one person.

Pedram: The attack surface is so huge, not just in the sense of technical attack surface, but the human attack surface. Where you've got new people joining every day. You've got people who might be tired or over worked. That increases the attack surface temporally and with time the chance of success seems to be one. You are going to get it at one point or another.

Chris: You're wearing people down. How does one change that thinking that drives people to click suspicious links or give their information away in a moment of weakness? What's the mental mechanism that needs to change to bring these types of phishing attacks down?

Pedram: It's tough to say. Certainly education is a portion of it. I think in the corporate sector you've seen huge strides and improvement and there's plenty of vendors out there who are trying to solve this problem. Personally, I think education only goes so far. It's hard to make the user be the end all stop gap. A proper technology should get out of your way.

At some point regardless of what sort of measures have been put in place, you're going to have someone who's tired. Someone who had enough inside information to make the attack or the lure look right. I love this anecdotal story that social engineers give where if you put on suit and your hard hat and grab a clip board you're pretty much gonna have all access to almost any environment and that same kind of thing applies with these email lures. If it looks right, if it sounds right at some point it's probably going to fool somebody.

Chris: What are some of the most unusual phishing attacks that you've heard of that actually worked?

Pedram: Unfortunately, the most unusual and the ones that you think that wouldn't really work are the most common. It's amazing to me that there's an actual business behind sending fake invoices and these invoices actually getting paid. This kind of compromise, the fake invoice, the fake package delivery. The things that you really think would stand out in terms of this is suspect or abnormal, those are apparently the most common.

On the flip side you see some really well thought out well researched attacks. I have a colleague I worked with today and he was telling me the story of how a previous firm that he was at, a large portion of the employees were successfully phished and it was because the attackers took such great detail in replicating even down to, it was like an HR system and then another system that was AS400 based that mimics the background colors. They were able to figure out who the IT guys were. They really did a good job in pitching the entire story. Then creating the urgency, launching the campaign, grabbing those credentials and making kind of like a smash and grab.

Chris: And it worked out for them?

Pedram: Yeah, for the attackers it worked out, didn't work out for the company. It was a highly successful campaign.

Chris: Right, right. So we think of phishing as a sort of consolation of different types of attacks like you mentioned invoices but you can also have misspelled URLs or similarly spelled URLs or unsafe attachments. Based on sort of being out there right now, what are the most common types at the moment? Have any of the attack types that we think of sort of declined due to advances in patching upgrades or intrusion detection or anything like that?

Pedram: Good question. I think it probably depends on the environment. I know that attachment, by way of just pure numbers when you look at reports across the boards from companies like Symantec or Verizon it seems like the email attachment is the more common vector but if your goal for example is to compromise someone's Gmail or someone's Dropbox or someones Docu-sign chances are the better route to go there might be a URL. A URL that they click on and it looks similar, maybe it uses the Unicode trick where they're using internationalized characters that at the end they look like you know, Onedrive.com but really it's DR with some odd acrylic letter that looks like an I.

There's a number of different methods that they could use to kind fool the user into thinking that something is legitimate. So it really depends, if your goal is to grab a credential perhaps it's a URL. If your goal is to actually compromise a node on the inside of the enterprise then probably you're going to go with some form of malicious attachment because your end goal is different.

The environment also is going to play a factor. There are some institutions that if you're sending a URL from the outside, from the US Ingress they simply remove it. They de-fang it so it's no longer clickable or they put a huge warning on it. Depending the target environment I would suspect that a more advanced phisher would do some probing, some checking to see what kind of things would go through. Kind of doing a reconnaissance on the environment and the policies that they have set forth and then choosing the angle that's going to actually get to the target user.

Chris: Now so moving sort of one level more subtle to that, how do you educate people about things like high jacked emails, because the usual line is that, there's usually a tell, there's language barrier, there's an address that looks off, but how do you combat a situation where the message is actually coming from your bosses actual email because your boss has been legitimately compromised?

Pedram: So you're using for example, his account was popped and someone actually logged into and sending an email?

Chris: Exactly.

Pedram: It's going to be tough, right because that's even one level of increased trust that you have there. Perhaps there's some words that may stand out or some words that he doesn't use regularity that strikes you as odd. Perhaps the time of day might stand out. If there's any sense of urgency to the message, which seems to be a pretty common. I mean it's a good sales pack, right? It works for salesmen, it's going to work for phishing words as well. In essence they're trying to sell you the user on either opening the attachment or clicking on the URL. So if there's a sense of urgency to it perhaps that would sign out, that would stand out rather.

As general recommendation, for example I was working in an environment where, I was with financial people who were constantly being targeted. I would ask them to follow up with me. If it sounds odd, even a little bit, let's get a second communication line out there. Hit me on IM, give me a call. Delay it for a minute. Respond to it and ask me to call you. Something that adds a secondary level of communication.

A better way technologically to remove these problems and of course any time you add a security measure it's taking away from usability and adding difficulty but email signing. If there's a corporate wide policy where everybody's email is signed and therefore even if the person's emails compromised, it's not going to have a valid signature because the attacker wouldn't know the signing key and then you receive an unsigned email with some sort of link or attachment or any kind of instructions to wire money or change some credentials, that would stand out immediately. Something to ignore, or at least to follow up with.

Chris: Are malicious macros still a going concern or have patches and automatic updates and real time malware detection and such make that less prevalent?

Pedram: It's amazing, it's the gift that keeps on giving for attackers. This is decades old, decades old malware technique. We've been seeing this problem coming for years. As researchers, both on offensive and defensive perspective, we know that the clients side is the last place that vulnerabilities are going to die, and the attack surface is just constantly changing so yes.

The short answer is malicious macros are most certainly a common attack vector. I think they will continue to be a common attack vector. Lot of security guys will, right off the bat, say that you should just disable any kind of active content. Like Javascript, and PDF, disabling Java in the browsers, disabling macros for documents and while that may be, it's an excellent device for environments where that's plausible, for the vast majority of enterprise environments I'd venture to say that's just not feasible.

It's a complicated area. We focus not just static signature detection and writing but we mean on machine running or signature list capabilities detecting malicious macros and malicious active content in documents and I'll tell you there's some legitimate documents out there, especially in the spreadsheet world, that look pretty bad. How do you tell the difference between a corporate required spreadsheet which has a macro that's actually pulling localized info for like a UMC share, it's valid but it from my perspective it looks very malicious. Drawing the line in the sand between what's bad and what's good whether you're looking at it from statically or dynamically, it's hard to do from a vendor perspective.

Chris: Yes and that seems like that's something that's going to have be sort of dealt internally with, with enterprises in general, that saying you know. Maybe find another way to generate that report without having that macro.

Pedram: Or there's the option of having signed macros or you can have some form of watermark. That can be used to white list, there's certainly methods of sidestepping the issues or making life a little bit easier from the detection realm.

The other thing that you have is the game is constantly changing. On the one hand, this year Microsoft for example has introduced new instrumentation capabilities for AV providers so that you can actually see inside macro execution. This allows AV vendors who have like a local desktop agent to do things like bypass any kind of obfuscation. There's a myriad of ways where attackers can piece strings together but in the end what Microsoft is doing providing a runtime layer that will show you the actual string that's being executed for example. So you know how nice, what a gift from Microsoft on the one front for defenders but on the other hand they just added Javascript to Excel.

It's a constantly changing dynamical attack surface and new things are discovered everyday. One of the big finds of last year, which it's an arguably older architectural exposure was this Microsoft DDE, the dynamic date exchange. Very low, low technical aptitude like you can essentially point and click to create the exploit just straight up command execution. These techniques, they require some user interaction. Especially the DDE one, there's some tricks you can do to reduce the interaction from just opening and having to go through two or thee dialogues to opening and going through one dialogue but there's, in this day and age, there's a benefit to these interactive steps as well.

In my past life, running vulnerability brokage programs with Zeroed Initiative or with Idefense VCP, we put less value in vulnerabilities that required interaction from the user to actually successfully exploit but now these things with the advent of sandboxing technology sitting in the middle, dynamic execution, all these other things, having interaction required for an attacker or for a victim to fall. To get a code exec from an attacker payload is actually beneficial.

I've seen real world scenarios where the actual malware carrier is a document with another document inside of it. You have to find it and double click on it. In some cases what they'll do is they'll make like an active pixel and draw this huge picture around it that says click here to activate this content. Inside there is another document, inside there is another document, you're talking like this Russian nesting doll, these Matryoshka dolls, and if you want to get to that payload you've got to open each and every single one of these things to get to that final piece. This is one of the things that we focus a lot of our efforts and time on, is just that kind of attack. Peering deep into this layer seven, layer seven plus is what I like to call it.

Chris: I saw a stat on the number of new internet users and it said that it will possibly triple to over three-billion in the coming years and a lot of those are obviously relative new comers to the technology and thus extra sense susceptible to attack, so with that in mind, how are low level attacks shifting in style these days at all to sort of accommodate that ?

Pedram: Low level attacks, like non-phishing style attacks you mean?

Chris: Yeah, and just sort of attacks aimed at new users and sort of very non-tech savvy people who are just getting into the world?

Pedram: There's two forms, one is your more technical, like some kind of payload delivery and in this case a lot of low tech things work. I'll give you a very simple example is email somebody a virus, like a backdoor, a remote access Trojan. Probably, it will get blocked, in transit. Email someone a compressed copy of that file, of that executable, maybe, probably it will also get blocked. Encrypt that archive and put the password in the email describing to the user, hey open this cool screensaver or whatnot and the password for it is X. It will bypass every single network security product, probably get to that users in point. At least one of these myriad of users are going be conned into the scam. They're going to open it, put the password in and launch this thing. It's very very low value in terms of tech but high success rate.

On the other hand, more of the social engineering side of the front. I've seen attacks that this happens, everyone has heard of the IRS scam where you get phone calls or emails or whatnot scaring you into thinking you owe some debt. The way to get out of it is to pay up front fast. A more interesting version of that I've heard about recently is a friend's grandmother had received contact from allegedly her grandson who was in Mexico at the time on vacation, didn't have access to a computer but because of publicly available information on social media, attackers saw this relationship, contacted the grandma pretending to be the grandson, sending please wire money. I'm in trouble here down in Mexico and because the appropriate facts have been laid out. It made it very easy for her to fall victim to it, to think that it was real.

Chris: That happened to my dad actually. He got a call from someone saying that I was calling collect and he needed to give his credit card and it worked, unfortunately. In the other direction, considering the stakes, have there been any indication that C-suite executives are receiving better security awareness training? Are they changing tactics at all with whale-hunting, spear fishing, that kind of thing?

Pedram: It's hard to know exactly what's, behind the scenes is going on in terms of prevalence there. I imagine that a fortune one-hundred CEO, there was successful campaign against them. Probably not something that the team is going to be advertising. That said there's handedly an improvement in the corporate world, with consumers also improving but a distant second in terms of like the rate of improvement. I would say, sure the chances of getting a CEO to click on malicious attachment or go through a malicious link is going to be lower. It's hard to get these guys contact information off the bat, getting them an email that will actually end up in their inbox and then bypassing their security training and at this stage you've got some CEOs that have been in this game for a lot longer. They've seen these attacks for decades and they're a lot more familiar with it.

Chris: So that suggests basically that if the stakes are high enough that people can be successfully educated I suppose?

Pedram: You say that, and then you look at the DNC for example. You can put things in place but there's always going to be a weak link and from the perspective of an attacker, they also have the benefit. It's not every day that someones going specifically, for I want to attack Laheed Martin to steal whatever, the F35 plans. In general, they have a much bigger scope in terms of either corporate espionage or financial gain, so they can attack dozens of companies and find the one that has a softer outer shell. It's essentially, the anecdote about you don't have to be faster than the bear, you just have to be faster than the next person running away from the bear. I think that applies here quite well.

Chris: So how about remote workers and sort of issues, sort of off site work. How do you ensure that off-site computer hygiene is as strong as it is on site?

Pedram: A lot of that I think is going to come down to policy. As an example, only allowing a corporate laptop to be on talking to corporate assets. That corporate laptop has to have a virtual private network so even when they're at home, despite whatever nastiness might be going on around them, maybe they have compromised DNS hygiene. Who knows what kind of state they're in, or coffee shop, or hotel that they're traveling to. So having dedicated hardware, where the software is controlled and monitored by the security team, all their traffic is routed through perhaps the company SOC so they can monitor not just what's on the in point but what's going in the coms. Seeing the whole picture really is important. We always said that there's no silver bullet. It takes everything and the kitchen sink to find out the badness that's going on and monitoring on both in point and network is valuable.

Chris: How about with the rise of mobile and so forth? There's so many sharing based apps these days, and sort of, social networking being tied into mobile use and so forth has mobile use shifted phishing in any way or is it mostly using the same techniques?

Pedram: I think for sure that it has. We still see that the number one is email attachment but if you're going to be phishing someone on mobile probably your route is going to be a URL to a fake looking page. I would suspect, when you're on the desktop you have a lot more visibility. It's a lot easier to examine a certificate. I think some of the nuances, some of the heuristic, visible signs of a tell tale phishing campaign might be a little more obvious when you look at it from a desktop browser, than from a mobile browser.

That said though, mobile, IOS specifically for example that's one of the hardest to compromise systems in terms of like code execution. There's no difference whether you're IOS, Android, or desktop in the terms of clicking on a URL, being convinced that this fake Docu-signed website is the actual Docu-sign and entering your information, but when it comes down to actual code exec you're talking about a million dollar capability for breaking into the Iphone. Whereas to get a capability to actually do code execute on my Mac you're probably talking like five grand. It's a huge scale difference in terms of the economy of what it costs to do that. It's a walled garden, it's signed code. There's multiple security layers you have to break out of to get full compromise.

Chris: That sort of suggests that, this is sort of an issue that could theoretically, we could throw money at? Is it possible to sort build up PC or Android capabilities to the point that they are sort of as strong as IOS?

Pedram: It's all a trade off. The more secure you make something, the less access you have to your own device. That's a common trade off in the religious way between the guys that are pro Android, pro IOS. My mom for example, the Ipad is the perfect solution for her. That thing is not going to get infected. Granted, she's still going to be vulnerable to a potential phishing attack but at least I don't have to worry about malware infecting her system. If I were to give her a desktop, forget about it. I'd never talk to her again. Every time I was home I'd be working on her computer cleaning.

Chris: That team viewer, it's a life saver.

Pedram: Another favorite of some of these phishing guys by the way.

Chris: Yeah? Oh sure yeah.

Pedram: Hey sir, can you go to your event viewer in Windows and you see those yellow marks. I can help you fix that. Install this team viewer. I'm such and such from Microsoft. Let me connect to your computer and fix it for you.

Chris: Just need your four digits, yep. So what are some best practices of insuring that outside vendors that you work with, who need access to your information are less likely to accidentally or intentionally compromise your network?

Pedram: I'd say privilege control, separation, need to know, not exposing everything. Having limited access would be a key thing there. Potentially, require them to use your own, like if you're going to be accessing this data, you either have to be on site or this is the path you come down or this the gear you have to use. Monitoring it carefully, not just in terms of security monitoring but even just like IO monitoring could help you. Perhaps you give access to personal records and you monitor their patterns and suddenly there's a huge spike in the number of records they're accessing. Rate limiting that, noticing it, bringing it up, having the audit trail, all these things would be key to protecting it.

The true solution to all that, technology to look forward to in the future is what's known as homomorphic encryption. Where you can actually query data but not get access to it. So if you are an HR company for example for a financial services company you might be able to still gain access to the actual data you need without revealing the true source of the data or the full content of the data.

Chris: Is that something that's available now or is that sort of down the line?

Pedram: It's a down the line kind of thing. It's more in the theoretical phase. There's some companies that are kind of scratching the surface and sure there's some limitations out there but that's going to be one of those big paradigm shifts, is this homomorphic encryption and homomorphic data base access.

Chris: So let's talk about the future a little bit. Where do you see phishing in five to ten years from now? How's it going to change do you think?

Pedram: Probably still in the same place. It looked the same ten years ago? Why do we think it's going to look any different ten years from now. I'm sure we'll see continued polish. Less of like the shotgun approach of phishing where people are just spraying and hoping to get someone. Maybe some more long term phishing, where you do a lot more reconnaissance. I here this new term called pretexting where there's no actual active payload. You're not getting, either by malicious file or malicious URL to collect credentials.

It's more of a social engineering espionage kind of thing, just phishing for information maybe for financial gain. Trying to figure out if a companies financials are going to look strong before an earnings call for example. I can see some of that pretexting as it's called being used to set up your eventual delivery of something malicious. Whether it's to steal credentials or to delivery malicious content.

Chris: If you had a magic gavel and you were able in enact some form of legislation named at reducing issues of security breaches and phishing, what would you do?

Pedram: Obviously, I would make them force the delivery of my product globally to everybody. Have to throw that capitalist thing in there.

Chris: Sure, that'll work.

Pedram: It's hard to say, perhaps maybe, this is a fun thing to brainstorm right?

Chris: Right.

Pedram: Kind of like fun, fire side chat over beers. Maybe liability would be a place to start. When you have somebody like Equifax, exposed more than of half American's Social Security numbers and whatnot some kind of liability, some punitive damages would be good to have there. It's a tough thing to legislate your way through. It's a tough thing to educate your way through. It's a tough thing to solve your way through. From an in users perspective I think there are immediate steps that you can take to make life more difficult. Things you can do in terms of just general hygiene. Using a password safe, ensuring that you're rotating your passwords, having two-factor, that's crucial.

Even if someone's able to get your password, if there's a second factor associative that's going to reduce the chances of successful compromise. Not just using two-factor through your cell phone which some people are able to social engineer the Telecom companies into swinging your SMS messages to another target and suddenly they're able to get your two-factors from there too so using something, a third party, like a Uba key or some other token that's separate from your actual phone. These kind of things can help. Keeping credentials, rather monitoring sessions, if you log into Facebook or Google all these providers now, they have the option to show you here's the other places you're logged in from. Here's a new device that just signed in, are you sure you want to allow it? These kind of things, I think are going to help harden the environment for the typical user.

I think Apple's doing a great job with that for example. Whenever I get a new device and I'm signing in with it, one of my other devices gets a notification. So if that happened without me having something new I know that something is up. I can more quickly stop the bleeding, change the password, rotate things around, pull data off, pull the plug so to speak.

Chris: Education and two-factor are really kind of the way forward at this point?

Pedram: And a lot of it has to be vendor driven. At the end of the day you just can't expect this thing from a consumer. Who wants to deal with that? The easier it is for the user the better it's gonna be. I think the machine running will probably go a long way in this regard too. We're only scratching the surface of the kinds of things that it can do and over time it's just going to get smarter and more tailored to the specific users.

Earlier we were talking about for example, my boss's email got compromised. How do I know the email he sends is real or not, because you get tired, because you don't have a thousand point dimensional vector in your mind for every single email that comes in. You might not, it might slip, with the machine though, the machine learning aspects and with the automotive classification based on time of day, frequency, where it came from, small minute heuristics, they add up to tell a big story.

It's fascinating, it's one of the research subjects that fascinates me the most because in essence what you can do is sit down and really think about the fundamental tenets of a seemingly hard problem and then once you put all those things down into a nice long list of features and feed it through these models, it's amazing the kind of stuff that comes out of it.

I'm continually impressed by the kinds of new malware, not zero day malware in the sense that they're exploiting zero day vulnerability but zero day malware in the sense that there's no detection for it. No one written like a hard signature for it, it's a new sample. How often we're able to catch those things with a machine running based signatures. It's neat to see and only thing that's going to continue to improve.

Chris: That's great and on that note I think we are going to wrap up today. Pedram Amini, thank you very much for being here today.

Pedram: Thank you Chris, I appreciate the time.

Chris: And thank you all for listening and watching. If you enjoyed today's video you can find many more on our YouTube page just go to YouTube and type in Infosec institute to check out our selection of tutorials, interviews, and passed webinars. If you'd rather have us in your ears during your work day, all of our videos are also available as audio Podcasts. Please visit Infosecinstitue.com/cyberspeak for the full list of episodes. If you'd like to qualify for a free pair of headphones with a class sign up, Podcast listeners can go to Infosecinstitue.com/podcast to learn more and if you'd like to try our free security IQ package which includes phishing simulators you can use to fake phish and then educate your colleagues and friends in the ways of security awareness please visit Infosecinstitute.com/secuirtyIQ. Thanks once again to Pedram Amini and thank you all for watching and listening. We'll speak to you next week.