The Top 3 Trends in Phishing Right Now Stefanie Ellis Portfolio Marketing Manager AntiFraud Services MarkMonitor


Post on 25-Jun-2020


The Top 3 Trends in Phishing Right Now

Stefanie Ellis

Portfolio Marketing Manager

AntiFraud Services

MarkMonitor


What are the 2018 cybercrime trends?


What we’re talking about today

Most common phishing trends for 2018:

• SSL Certs used in phishing

• One-time use URLs

• BEC scams/spearphishing increasing

Proactive approach to disrupting a phisher’s business:

• Collection point email address usage across multiple phish kits

Q&A


With the many data leaks of 2016 and 2017, sophisticated phishing and spear phishing attacks must be expected.

Vade Secure, https://www.vadesecure.com/en/cybersecurity-4-trends-watch-2018/


SSL Certs Used in Phishing

Trend #1


What is an SSL/TLS Cert?

• SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are the names for technology used to encrypt a communication channel between a web server and a browser

• Their purpose is to keep transmitted data private, protect users, and serve as an industry standard

• SSL/TLS certs are purchased from a certificate authority (CA)


Types of certs

• Domain Validation (DV) validates that the applicant has control of the domain

• Organization Validated (OV) includes validation of the organization's identity

• Extended Validation (EV) is the financial/ecommerce standard

https://www.digicert.com/news/choosing-an-ssl-tls-certificate/


What do consumers think of SSL Certs?

Responses from an informal poll question for non-industry folks:

“What does the padlock or the word “secure” mean in the address bar?”

• “I don’t know”

• “It means the website I’m visiting is secure”

• “It’s why there is an ‘s’ in https.”

False assumptions:

• The site is legitimate and secure

• Our communication with the website is secure/encrypted AND protected

• Only legitimate organizations can purchase an SSL Cert


SSL Certs do not protect against phishing

• Services like Let’s Encrypt and Comodo provide short term domain certs for FREE

• This lends legitimacy to websites for consumers

https://www.zscaler.com/blogs/research/february-2018-zscaler-ssl-threat-report


MarkMonitor detections

• Volume of MarkMonitor detected validated phishing sites with SSL Certs: 260% increase in 12 months

• In Fall 2017 MM added a new detection feed focused on new SSL/TLS certs


What is the impact?

• Increase in losses due to more victims

• Huge increase in certs and malicious domain registrations

• Impact corresponds to GDPR — measuring in relation to SSL may be difficult

• Distrust of SSL/TLS from consumers and/or increased awareness


One-Time Use URLs

Trend #2


What are one-time use URLs?

• Phishing sites that spawn multiple unique URLs intended for only one recipient, or a “one-time use”

• All domains are legitimate, but have been compromised to host phishing content:

hxxp://connectedhomeltd.____/vendor/signin/83fbaa7453f3b02d65a6c6366278ff44/

hxxp://connectedhomeltd.____/vendor/signin/5cb97b2f907b49901cfbcc47daab75aa/

hxxp://connectedhomeltd.____/vendor/signin/bf7663dfc59c1cc4a1ffbf6029f9bed8/

hxxp://nelsonchiropracticclinic.____/nelsonchiropracticcenter.com/wp-admin/Cooom/44aba7cd8808626221dffc2d93697001/

hxxp://nelsonchiropracticclinic.____/nelsonchiropracticcenter.com/wp-admin/Cooom/4dc68f42734b4dc321a249084da3516d/

hxxp://nelsonchiropracticclinic.____/nelsonchiropracticcenter.com/wp-admin/Cooom/44aba7cd8808626221dffc2d93697001/

hxxps://centralwavex.____/UKBUSSINESFORUM01/Ad/Ad/ad/6c57a1f1da9afa706e4722d76a0c9dac/

hxxp://centralwavex.____/UKBUSSINESFORUM01/Ad/Ad/ad/5c9c4f60b330bf585980d616aa5d8642/

hxxps://centralwavex.____/UKBUSSINESFORUM01/Ad/Ad/ad/ec099490c2a65be6fbbb4529aac7f75c/


How does it work?

The root of the phishing site auto-generates a unique path for each visitor:

• Line 22 is the name of the source folder: $src="ok"

• Line 23 copies the “ok” folder into a randomly named folder

• Line 24 redirects the visitors to the new folder/site


How does this affect compliance?

• Going to the root phishing site will generate a new URL, so proof shouldn’t be too much of a challenge

• Enforcement will need to go to the host for the source folder and will knock out all unique URLs

• Clustering reduces shutdown effort; however, at MarkMonitor, each URL is Fraudcasted for consumer blocking
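
The clustering described on this slide, as an added Python example (not MarkMonitor's code): it groups one-time URLs by host and the path ahead of the 32-hex-character token, so each cluster is one enforcement target while every URL stays available for blocking. The sample URLs and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# A path segment that looks like a per-visitor token: 32 hex characters,
# the shape seen in the URLs on the "What are one-time use URLs?" slide.
TOKEN = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

def refang(url):
    """Turn a defanged hxxp/hxxps URL back into a parseable one."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)

def cluster_key(url):
    """Return (host, path up to the first token segment), or None if no token."""
    parts = urlsplit(refang(url))
    segments = [s for s in parts.path.split("/") if s]
    for i, seg in enumerate(segments):
        if TOKEN.match(seg):
            prefix = "/" + "/".join(segments[:i]) + ("/" if i else "")
            return parts.hostname, prefix
    return None

def cluster(urls):
    """Group one-time URLs so that each cluster is a single takedown target."""
    clusters = defaultdict(set)
    for url in urls:
        key = cluster_key(url)
        if key:
            clusters[key].add(refang(url))  # the set drops repeat detections
    return {k: sorted(v) for k, v in clusters.items()}

# Constructed sample detections (hosts under the reserved .example TLD).
SAMPLE = [
    "hxxp://shop.example/vendor/signin/0123456789abcdef0123456789abcdef/",
    "hxxp://shop.example/vendor/signin/fedcba9876543210fedcba9876543210/",
    "hxxps://shop.example/vendor/signin/00112233445566778899aabbccddeeff/",
    "hxxps://clinic.example/wp-admin/kit/aabbccddeeff00112233445566778899/",
    "hxxps://clinic.example/wp-admin/kit/aabbccddeeff00112233445566778899/",
    "hxxp://news.example/about/",  # no token segment, so not clustered
]

if __name__ == "__main__":
    for (host, prefix), members in cluster(SAMPLE).items():
        print(f"takedown target: {host}{prefix} ({len(members)} URLs to block)")
```
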


URL vs. Domain Detections

[Chart: URLs vs Domains. Series: All Detections and Unique Domains, each with a linear trend line.]


What is the impact?

• Another obfuscation technique by phishers

• An indication of increased sophistication

• Makes compliance more challenging – but not impossible

• At MarkMonitor:

• All URLs are logged for Fraudcasting for consumer blocking

• Shutdowns are at the domain level to cluster mitigation efforts


BEC/Spearphishing Scams

Trend #3


What are BEC/EAC/employee spearphishing scams?

• Business Email Compromise (BEC) and Email Account Compromise (EAC) scams often target businesses that perform wire transfers.

• Also known as Executive Impersonation: a false executive requests a non-legitimate wire transfer as a direct spearphishing attempt on an employee.

• HR/Payroll scams: Executive is impersonated for stealing employee tax records.

• IC3 reports that BEC/EAC type fraud can also include email-based scams related to romance, lottery, employment, and rentals.

• Employment scams often relate to “money mule” jobs used in “laundering” money obtained illegally, often through phishing sites.


BEC Scams/Employee spearphishing is NOT going away

• January 2015 to December 2016: 2,370% increase in identified, exposed losses

• Reported to IC3, October 2013 and December 2016:

• Domestic and international incidents: 40,203

• Domestic and international exposed dollar loss: $5,302,890,448

• The following BEC/EAC statistics were reported in victim complaints to the IC3 from October 2013 to December 2016:

• Total U.S. victims: 22,292

• Total U.S. exposed dollar loss: $1,594,503,669

https://www.ic3.gov/media/2017/170504.aspx


What is the impact?

• More data breaches

• Early awareness of lookalike domain registrations is helpful for email blocking or re-routing

• Employee education and awareness is paramount

• Additional checks and balances so that a single employee cannot initiate payable changes or a wire transfer on their own

• Recommend hitting “forward” so the return email has to be typed in, rather than hitting reply in case of a lookalike email address


Collection Points Email Addresses

Let’s be proactive!


Phish Kit harvesting makes your organization a harder target

• Phish Kit fingerprinting categorizes kits into families and expedites future handling of similar phish

• Email collection point detection & mitigation can prevent access to stolen credentials

• Exploit detection can expedite takedowns and uncover hidden data


What does it look like?

The collection point email address is embedded in the phish kit:

• Line 29 has the email address

• Line 34 calls the mail function to send the collected info to the phisher

• Upon success, line 37 redirects the visitor to the legitimate site


Why is knowing the Collection Point address helpful?

• Shutting down the phisher’s collection point can protect your consumer’s PII

• Collection points are often reused or used concurrently across multiple phish kits

• It can also disrupt their other business interests; some phishers use the email addresses for other business correspondence
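
One way to surface reused collection points from harvested kits, covering this slide and the “What does it look like?” slide (an added Python example, not MarkMonitor's tooling): it extracts embedded addresses from each kit file and reports those that appear in more than one kit. The kit fragments, addresses, function names and the own_domains filter are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Simple pattern for addresses embedded in kit source; it favours recall
# over strict RFC 5322 correctness.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def collection_points(kit_source, own_domains=()):
    """Return lower-cased addresses found in one kit file.

    Kits are often copied from the real site, so the brand's own contact
    addresses can appear in them; own_domains (an assumed parameter)
    filters those out so they are not reported as collection points.
    """
    found = {m.lower() for m in EMAIL.findall(kit_source)}
    return {a for a in found if a.split("@", 1)[1] not in own_domains}

def reused_addresses(kits, own_domains=()):
    """Map each address seen in two or more kits to the sorted kit names."""
    seen = defaultdict(set)
    for name, source in kits.items():
        for addr in collection_points(source, own_domains):
            seen[addr].add(name)
    return {a: sorted(k) for a, k in seen.items() if len(k) > 1}

# Constructed kit fragments: only the lines that carry an address.
KITS = {
    "kit_a/post.php": '$to = "Drop1@mail.example";\n// support@brand.example',
    "kit_b/send.php": '$recipient = "drop1@mail.example, drop2@mail.example";',
    "kit_c/next.php": '$send = "drop3@mail.example";',
}

if __name__ == "__main__":
    reused = reused_addresses(KITS, own_domains={"brand.example"})
    for addr, kit_names in reused.items():
        print(f"{addr} is the collection point in {len(kit_names)} kits: {kit_names}")
```
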


Summary


Takeaways

SSL Certs can be misused

One-time use URLs prevalent

BEC scams not going away

Phish Kits & Collection Points are important

o Confusing to the consumer

o Could cause increased losses

o Unique URL volumes high, but unique domains mostly flat

o We’ll see an increase in unique domains following GDPR

o Enforcement is slightly more complicated, but compliance should be okay

o Targeted attacks are lucrative

o Employee education and internal processes are most important to make attacks ineffective

o Watch domain registrations

o Using phish kit collection to identify and shut down collection points makes an organization a harder target

o Being proactive is the opposite of whack-a-mole


Mike Tyson has said, “Everybody has a plan until they get punched in the mouth.”


Q&A


Thank you!

Stefanie Ellis

Portfolio Marketing Manager

AntiFraud Services

MarkMonitor