
Hi, good morning everybody. Phishing overboard. I'm Elise Madam, director of threat operations for Novacoast. So we are floating around out there in the sponsor booths; we do have an office in Manchester, based out of Santa Barbara, California. The whole premise of where it started with this talk was to teach you everything I know about phishing, and more than you probably ever wanted to. This really ended up becoming: how can all malicious links bypass security tools and all your mail malware sandboxes, and make you pretty miserable, with very minimal effort on the part of the phishing criminals.

The obligatory bio slide. I started out in the SOC. I worked for an anti-fraud company out of Charleston, South Carolina, where I dealt with thousands of phishy URLs a day. At some point I just kind of cut my teeth really early, and it was just a very good exposure. I started learning about malware a little bit, and it was a great place to start. So for people that are looking to get into the security field, it's a really good way to get tons of exposure to the different areas of security. Then I moved over to being a malware analyst, and it pretty much ended up being a better title and dealing with more phishing. So it was spear phishing; you'd have different types of payloads, different types of URLs. It's a little bit more exciting, but for the most part I was still doing a lot of email header analysis and those types of things. But again, you're always seeing those new types of attacks when you're in it every day, and you know, you just develop almost alongside the criminals: as they create a new technique, as they come out with something different, as they start abusing something old (becomes new again), you get to see it right on the forefront.

Then I became a security engineer, and guess what? Still dealing with a lot of spear phishing. In this case that was the title; I was actually doing a lot of incident response, and I kept finding that my clients were dealing with these large-scale incidents. They were dealing with reportable breaches, and guess where they were starting? Malicious emails. So I really have never gotten away from it, and it's been interesting because they just keep coming up with those techniques. Also frustrating, because you see the same things working over and over again and nobody seems to do anything about it. So yeah, gives me a little bit of a reason to drink whiskey sometimes. I became a director; now I just have meetings about phishing, so I haven't really gotten away from it. If you can't tell, I'm from the States; I grew up in New York. So I'm trying very hard not to speak too quickly right now, so just wave me down
if you can't understand a word coming out of my mouth. I now live here in sunny Santa Barbara, California. A lot different, no snow, it's fantastic.

So the goals of this talk. Ultimately, we're going to define phishing. I want to teach you how phish evade detection, so that's really on your email gateway, anything that's looking at the user's inbox, anything that's trying to scrub that stuff coming in: the most effective techniques that I'm still seeing that are gonna evade detection and are gonna go right into a user's mailbox. I also want to discuss some techniques for evading analysis, so once it gets into the hands of that security analyst and they're testing it, they're putting it in a sandbox, they're putting it in their Kali VM, whatever it is, and maybe it looks offline, looks like it's okay, it's just going to google.com. How do you even know if there was something bad there or not? Much easier to prove something's bad than to prove something's good, and it's probably the most frustrating thing for an incident responder. I want to discuss how you can have a phishing campaign be sticky, so you know, it's really for somebody that's more on the offensive side: how can you have essentially persistence of this type of attack? And how can you pull out the goodies, so different ways that phishing criminals will pull out the information. I'm not going to dive too much into this, because there's a handful of techniques; they're used over and over again, and again they continue to work.

Really what I'd like you to get away from this is: if you're a red team person, what is the best way, if you're on an engagement, to be able to get a phish through to user inboxes? If you're a blue team, how do you determine if something's actually an active phish or just benign? Is it spam, is it not? If you're a security vendor, please stop allowing this crap into people's inboxes. And for users, for the love of God, stop clicking on phishing emails; give me something else to do. Okay.

So defining phishing, from Google. This is a very long, verbose way of saying that it is pretending to be a legitimate company to steal information from you. For me, I'm defining this for the purposes of this talk as something that doesn't drop a malware payload, traditionally a computer virus; we're gonna stick with kind of traditional credential harvesters. But that doesn't really mean anything. I've actually seen phish that take a username and password, and then they get really greedy and then they drop malware. So anything's possible; you can't just take something at face value. So the terminology does get a little wishy-washy here and there.

So first we're starting out with defense evasion. That's my tiny little disclaimer in the upper left: I am using live URLs in this
demo. Some of them might be offline by this point, now that the deck's been created for a couple of days, but they're not all sample URLs, so just be careful in case you're looking at what I'm typing in. Don't do it on work devices, at a minimum.

So the first technique I want to discuss is abusing the Microsoft cloud. I've been seeing this a lot, where you're seeing phish come in with, like, azurewebsites.net or different variations of Microsoft-owned legitimate domains that are carrying phish on them. As I started looking more into this, because to me it was something I actually hadn't seen prior to probably the last year, and as I was reviewing it I was like, okay, well, Azure offers a 30-day trial. Of course that's gonna be attractive: I'm gonna have free hosting, it's gonna have a reputation on the domain, that's gonna be fantastic, nobody's gonna detect this thing, and then I just move on to the next account after my 30 days. What I learned in my research is that this technique has worked since at least 2014, if not before that. That is way too long for a vendor to not know (vendor in this case Microsoft; sorry if anybody's in the room that works for them) that content stealing credentials is on their infrastructure that's pretending to be them. So Microsoft knows what a login page looks like, it knows what that HTML source code looks like, and yet these pages still continue to go up on their infrastructure and continue to steal login credentials for email.

So this is kind of an example of it. That was an actual subdomain that was used; sometimes they'll be variations of 'office mail' or something that look a little bit more legitimate. This gets a little tricky if you're training users to hover over a link in their emails, which is often what security awareness training is teaching users to do, and they're gonna say, oh, I know Azure, we're going to click that thing. They're gonna go to a page that looks like that, gonna look exactly like their normal login page, and the attacker's happy, because again they've got free hosting: they're not having to spin up a domain, they're not having to buy a domain or anything, they just have this stuff ready at their disposal.

This is another example, and I know that's a little askew right there: abusing SharePoint. So again, how many organizations use SharePoint? Almost all of them at this point. So when you pop a SharePoint account or Office 365 account from one organization, you use that SharePoint account to send phish to other organizations, maybe a business partner; provides some legitimacy to it. And it'll go ahead and provide a document. Maybe this is a OneNote example, but it could be a Word document, Word Online, Excel Online; you can do anything that can hold a hyperlink, and it'll go past the filter, because who blocks sharepoint.com in their email? Almost nobody. So this tends to be a very effective technique. The other piece is that a lot of scanning engines on the email gateways, they don't really go far enough to say, hey, there's a link here, let me simulate a click and see where that goes, look at that reputation. They're looking at the reputation for SharePoint or that subdomain, and until an analyst or researcher has marked that subdomain as compromised or potentially malicious, VirusTotal and any threat intelligence feeds that are feeding
phishing detection aren't going to see this.

This is another one, and this kind of might give you a laugh, but this is just an Office form. So in this case your reputation's based on forms.office.com. If you use any Office forms in your organization and you don't have SSL inspection, you're not gonna be able to really see that full URL in your firewall, so you can't block the full domain or that subdomain; so you have to allow all of your users to go to that phish if you can't scrub it at the email level. Now, Microsoft here, you can see there is a warning on the top saying, hey, we think this is asking for sensitive stuff; there's a warning at the bottom, never give out your password. Most users are not going to read that; they're gonna just put it in, they're not thinking about it. They get a document, maybe they're expecting a document or something to that effect, to put this in. This is not the best phish in the world, as you can see: the email is one string, it just says 'pass'. In my opinion there should be blocking in that realm that says if you have a string 'email' and a string 'pass' or 'password' in this page, that you can't even upload this over to Office Forms; you can't create an Office form with those terms. They do limit that you can't have 'password', but that's easily bypassed by truncating it, putting dots in between every character, putting spaces between every character, leaving a character off, changing one, doing leet-speak, these types of things. Although those techniques will set off more alarm bells with more users, if somebody's rushing, which they often are, they will sometimes still fall for these. So even though for the people in the room it might look like garbage, and how could anyone have put this stuff in, think about Suzie Q over in accounting that probably will, to give you a better idea of how effective this can be.

So similarly, Box, Dropbox, WeTransfer, any type of file transfer site suffers from the same fate. These can be locked down a little better by using web application whitelisting. So if you're only using Dropbox in your organization, or only using SharePoint, then you can say, well, I don't want anyone going to www.box.com, and you just block it, and your proxy sees any traffic that looks like that. But most times that whitelisting is difficult, or most organizations have multiple file sharing services they use; they might have customers of theirs or business partners of theirs that require them to access things outside of what is used in house. An example here, very similar to that OneNote example: you'll see here you have app.box.com. So if you have any legitimate Box stuff, how do you block that? You can't. You're gonna have to do it by URL, or have the URL flagged by some security tool. And in this case, again, it's just a PDF. Most scanning engines aren't going to (I say 'most' because I'm just hedging my bets; all scanning engines aren't) see that a PDF has an embedded link, and it's likely not gonna follow it to that phishing link.

Other ways to do this: abusing marketing services, so things like Mandrill, SendGrid, MailChimp, that you've probably seen. I thought I saw a Gartner one the other day, and then I couldn't find the sample for this, but that was a new one for me too. So Mandrill
is kind of nice, because you see the domain at least in pieces at the end of the URL. But some of these mask it completely: tokenization or some sort of encoding. So it will make it a little harder for the analyst to be able to determine, oh, is this bad, is this good? Then you're forced to put it into some sort of tool or run curl on it, see where it goes; is it redirecting, where is it heading to. It does create just additional challenges, and it also can tie up your workflow, and it makes the analysis just last longer.

I also wanted to touch on base tagging. So this is a pretty creative technique, this one, actually. So it'll have a base tag in the body of the email that's just the base domain; it adds the rest of the URL as a separate piece. So when your scanning engine is looking for 'http', in that case it's only gonna see example.com; it's never gonna see this, it's never going to run anything against that full URL. It just doesn't concatenate it; it doesn't understand that type of split-up. I'm using example.com in this part, but actually I've seen a lot of this using googleapis.com. So it'd be like firebasestorage.googleapis.com or storage.googleapis.com, and then the rest of the URL just goes anywhere, and it'll go to a page, or it can go to a redirect and send you somewhere else. I'll go into multiple redirects a little bit later. So this creates that full URL, and I am referencing that BleepingComputer article; I took those screenshots from the article, but you know, the example is the same. So you know, you could do this combined with any of the other techniques; you could use this for a Box URL or a SharePoint URL, and the more techniques you add together, of course, the more effective your campaign is going to be.

We also have seen quite a few with HTML encoding. This one kind of flummoxed the analysts I was working with, because you see a lot of these base64 blobs; most people can recognize that it's got two equal signs on the end of it half the time, so it's easy to recognize. We were looking at this and I was like, I know I figured this one out, but I didn't know off the top of my head, and it had been a while since I'd seen it. This was actually an HTML attachment. So again, you're thinking, who would open an HTML attachment? Well, anyone that's ever received an encrypted email is gonna open an HTML attachment, because that's how a lot of those come through. So in this case your scanning engine's just seeing a bunch of characters; it often won't know what's going on. Again, it doesn't even know that there's a full URL; it just sees that it stops and it has random characters. So there's a very high likelihood that a user is gonna be able to click this and visit through to that phish. It's also going to be very much harder to, you know, search, if you're doing anything on endpoints.

The same kind of applies to base64. So this is a payload our pen test team actually wrote for me for testing a proxy tool, and I brought it to the provider and I said, hey, can you detect that? Do you know that that's a URL? How do you detect that somebody's on a web page, to trigger that the proxy rule should be in effect? Is it traffic on port 80? Is it HTTP? Is it that, you know, there's a DNS request somewhere? How do you even determine it? Or are you looking for 'http' in the address bar? Big surprise, I never got a response; if I ever get one I can do a follow-up. But this is basically all the HTML source code needed for the page, and it's gonna show like that to the user. They're gonna think it's a long URL; in some cases you would hope they think that was suspicious, it definitely doesn't look like a website, but you never know. And then just another example was where the base64 is actually in the body of the page itself, not in the URL bar. This just makes it a little trickier for analysts.
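The three scanner evasions just described (a base tag that carries the domain while the link carries only the path, an href spelled out as HTML character references, and a page hidden inside a base64 blob) can be undone on the defender's side by reconstructing the full URLs before any reputation lookup. The Python below is an added example, not the speaker's code; the three lure bodies are constructed and use reserved example domains.

```python
import base64
import html
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)
# Long runs of the base64 alphabet only; short tokens (hashes, words) are ignored.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


class _LinkCollector(HTMLParser):
    """Gather <base href>, every link-like attribute, and all text/script data."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: attributes arrive entity-decoded
        self.base = None
        self.targets = []
        self.data = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = attrs["href"]
            return
        for name in ("href", "src", "action"):
            if attrs.get(name):
                self.targets.append(attrs[name])

    def handle_data(self, data):
        self.data.append(data)


def _unescape_fully(doc, rounds=3):
    """Undo HTML character-reference encoding, even if it was applied more than once."""
    for _ in range(rounds):
        decoded = html.unescape(doc)
        if decoded == doc:
            break
        doc = decoded
    return doc


def extract_urls(doc, depth=0):
    """Return every absolute http(s) URL reachable from an HTML lure body."""
    parser = _LinkCollector()
    parser.feed(_unescape_fully(doc))
    found = set()
    for target in parser.targets:
        full = urljoin(parser.base or "", target)  # splice <base href> onto a relative href
        if urlsplit(full).scheme in ("http", "https"):
            found.add(full)
    text = " ".join(parser.data)
    found.update(URL_RE.findall(text))  # URLs sitting in visible text or script
    if depth < 3:  # decode base64 blobs and scan whatever they hide, recursively
        for blob in B64_RE.findall(text):
            try:
                inner = base64.b64decode(blob, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            found.update(extract_urls(inner, depth + 1))
    return found


# Constructed lures (not real campaigns), built on reserved example domains.
# 1: <base> carries the domain, the anchor carries only the path.
LURE_BASE_TAG = (
    '<html><head><base href="https://example.com/"></head>'
    '<body><a href="login/index.php">Review the document</a></body></html>'
)
# 2: the whole href spelled as HTML character references (&#104;&#116;...).
LURE_ENTITIES = (
    '<a href="' + "".join(f"&#{ord(c)};" for c in "https://example.net/secure/verify")
    + '">Sign in</a>'
)
# 3: HTML attachment whose real page is a base64 blob handed to atob().
_INNER = '<form action="https://example.org/post.php"><input name="pass"></form>'
LURE_BASE64 = (
    '<html><body><script>document.write(atob("'
    + base64.b64encode(_INNER.encode()).decode() + '"))</script></body></html>'
)

if __name__ == "__main__":
    for name, lure in (("base tag", LURE_BASE_TAG), ("entities", LURE_ENTITIES), ("base64", LURE_BASE64)):
        print(name, sorted(extract_urls(lure)))
```

The reconstructed URLs are what should be fed to the reputation or sandbox step, not the bare `<base>` domain the scanner would otherwise score.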
That's a pretty easy one to train on.

So, talking about Google. This one is very effective, and you can see it's very simple to construct, so it doesn't require you to spin up any infrastructure as an attacker. You just use Google, you put the query parameter at the end of it, and you put your phishing URL at the end of it. Now this one, reputation, because we keep coming back to that, right: a lot of scanning engines and email gateways are looking at the reputation, or, if you're lucky, it's gonna look at the full URL. How many things are gonna flag www.google.com as malicious? Nothing. This is probably the most used website in the world, so this one gets past pretty much everything. This will also get past your user security training, because they're gonna hover over that, but it's Google, click this, there's nothing bad ever on Google; that's what they're gonna think, they're gonna go right to that site. This is another example; I just redacted out the recipient's email address, but you can see that this actually had multiple URLs URL-encoded at the end of it. Then it was redirecting to another phish, and then this was randomizing the piece at the end of the URL too, so there were a lot of things going on with that one.

Now, when I was testing this out for the slides, I was like, okay, well, hoping Google does something about this, and I tested it out (I always use 'lol' for my testing stuff), and it did bring me to a warning page saying, hey, there's a redirect thing going on, you might want to be aware, do you really want to go to this site? I then was resetting the password on my Uber app as soon as I got to Manchester. It uses this in its actual password resets; there's no warning page. So it brought me right to the Uber accounts page via Google, and I never got a pop-up like this. Requires more testing on my part, to be frank; that was kind of a new discovery for me. I thought I was all prepared, and then that happens. So the other thing you can do is, if that doesn't work, or it is presenting that warning page and you're like, I don't want to have to deal with that because it's gonna cut down my click rate by 50%, you can just put the malicious document on Google Docs or Google Drive. It works the same way as a SharePoint attack.

So I wanted to go a little into anti-analysis. I'll try not to talk too fast while still getting through all my content. So geo-blocking. This one, I just wanted to point out where it says blocker.php; a lot of times the
one is an include; I'll get into the rest of that code in a second. But a lot of times it's done through an .htaccess file or robots.txt file, where it's gonna deny the scanning engines for security companies. So when you are running this in, say, Threat Grid, if the Threat Grid IP address is known to the attacker, all they do is block it, give a false 404 page; the report's going to show you a 404 page, oh, there's nothing here, score 0, and you go about your day, and your user that's opening this from home gets right into it. Same thing works for user-agent blocking. This one, we kind of got some weird ones on it too, but you'll see like MessageLabs (that's Symantec's email security), URL iSecurity is another security company. So it's just trying to block, you know, PhishTank and all these things, and it just provides a false 404 page. This is another example; it's a little beefier, same concept.

So other things, and this is, you know, sorry for the defenders, because now you're dealing with the red teamers in the room that are gonna think of these things: things like, hey, is the email address in the URL, does that match somebody that received it? So most analysts will change it to something like user@example.com; I like lol@lol.com. If I change that, I might get a 404 back, but if I use the actual recipient's email address, maybe the phish shows up. In that case I've now doxxed my recipient's email address; the attacker said, hey, this is valid, because they had to report it to me, right? So you know, that's something you really don't want to do as an analyst. Something that dies after the first view: so once your victim has gone to it, you look at it, you think it's offline, you sit back on your laurels; that thing's alive. Tracking referrers: so looking at multiple URLs that have gone and where it's coming from, making sure it comes from the lure email and is going to the end phish. Using iframes, where the actual content hosted is not the domain that you're looking at. So we kind of touched on fake 404s. You'll have benign redirects: so this is something where, hey, your IP address is coming from security company ABC, and it's going to just send you to google.com, or send you to, you know, Yahoo News or something to that effect. You look at it and you just don't think twice, you go on to the next thing; everyone else from other IP addresses can go to that phish. Sometimes there are redirects to PDFs that are just pulled off the Internet, so the user thinks nothing of what's going on: they were expecting a PDF, and they put their creds in to get a PDF; they get a PDF,
it'll just be a random one. I won't get too far into this, because this is kind of a lengthy topic, but wildcard DNS creates challenges for blocking on your firewall. So if you just block, you know, example.com, or you get one phishing URL, and so you get that first one, you know, it could be that everybody that visits it from the embedded link in the email gets a different subdomain every time. This can be very tricky to block if example.com, in this case, is a site that your company is actually using.

So layered redirects. I just grabbed this PayPal phish right off of PhishTank, and I used some really random URL shorteners, but to give you an idea here: a lot of scanning engines might get to, like, this piece, but they won't get all the way down there. So that's another challenge to be faced. The screenshots are from wheregoes.com; it's one of my favorite tools. It's just so much faster than using curl and wget and having to do everything; just use a web tool, throw it in there, see what the end target is.

So directory generators. This is the one that's visiting us again. Basically all this code is on the bottom, and this PHP file is saying: every time that this is visited (so it's usually an index.php, that's the link in the phishing email), go ahead and take a copy of all my phishing files, create a new directory with a random MD5 hash, copy all those files in there, and then have the person go to that. What happens is you end up with a very full compromised web server, because every time somebody clicks it there's a new directory with a whole new set of phishing files. I may or may not have heard of people just filling up the resource limit on a web server by just hitting that page over and over again. But essentially that's what that's doing; it becomes very difficult, again, from a blocking and analysis perspective.

So other things that can be done is hiding your files in multiple places. So a phisher might pop a web server, somebody's site, and they'll put a copy in wp-includes; the admin removes it, and there's still a copy in wp-content. Maybe they change the redirect point to the one that's live, something to that effect. Using a backdoor web shell, they can go in, and every time you remove the file they're going to put it right back up. Or doing forwarding rules: this is kind of the best example of persistence in phishing, I would say. So they can intercept a password reset email; they can intercept everything that that person is getting. So the person calls the help desk: hey, I need to reset my password. It's completed; they're still getting every email from the inbox without even having to log in. So you'll see this a lot: after the email address is popped, they'll add their own email address as a forward. And so, you know, if you're investigating these, check the inbox rules.

And this is really where you're taking the stuff out. So oftentimes that's pulling things to an email account, so it'll be a PHP file, and that's part of the phish; there's a POST that goes to it, and it just sends out, you know, it'll kind of build out the email. Usually there's falsified header information, and it'll use that compromised web server to send things out. Storing text files on there, and then they'll go back and either just pull down the text file if it's open, Internet-accessible, or they can use a PHP or web shell backdoor and do this. Or, this is cool if you're an analyst: sometimes you can actually grab that text file. So if you can grab it before an attacker clears it, you can have a full list of people that have fallen for that phish, including those that are part of your organization and everybody else, and you can kind of go through that, and it helps with the remediation process. So, okay, I already kind of covered the forwarding rules anyway.

So that's my last reminder, is that the average time
it takes for a phisher, even a not sophisticated phisher, is about 15 minutes to get back into an account and then abuse an account for whatever their purposes, whether it's sending more payloads out or stealing information from that inbox. So knowing that these things can happen, speed up the analysis process, and allow you to be able to remediate the situation much faster. I guess we have 30 seconds for questions.

[Audience question, first part inaudible:] The annoying thing for me as a user is the link is in my email; when I hover over it, it just says Microsoft Safe Links; it doesn't tell me anywhere where it's going, right? What's your opinion on that? Like, obviously, how much do you trust yourself to correctly identify this phish, specifically Microsoft?

So, just to be frank, and that isn't actually Microsoft-specific: URL rewrite creates more challenges from the user training perspective, because of exactly what you're explaining, and because it's not catching a hundred percent, because no tool is going to catch a hundred percent of phish, you kind of lose all that ability for the user to defend themselves, without it being full protection. On the other side of it, it's good from a metrics perspective: sometimes those will tell you, when you're doing the investigation, that you had 30 people click it, without you having to go through your SIEM or your firewall logs. So to that effect it can be, you know, advantageous. But you know, for the most part I don't find those protection tools to be very effective, and I'm a big fan of user education and training. You know, again, nothing's gonna be 100 percent, but I think that there's a first layer of defense, so anything you can give them that's a weapon, versus relying on the tool to do the job, is better in my opinion. Anyone else?

[Audience question, inaudible.] I've not faced it, but I am familiar. So I've seen that with SMS being the two-factor; I've heard of it being done with other attacks, but I haven't seen it in the wild myself. There we go. I know I've read the article on it, but I haven't caught one myself; waiting on it. There we go, there's the solution: so you should probably have that off anyway. IMAP and POP, um, nothing really good ever comes from that. So you know, unless somebody's using Thunderbird today for email, most enterprises probably should have that off. Anybody else? Okay, thank you.
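The Google redirect wrapper discussed earlier, with URLs URL-encoded inside one another, and the Safe Links rewrite raised in the last question both hide the destination behind a trusted domain that a hover or a reputation check will accept. The Python below is an added example, not the speaker's tooling: it decodes those wrapper layers offline, without fetching anything, so it shows the end target of the encoding chain but does not replace a redirect follower such as wheregoes.com for server-side hops. The wrapper hostnames and query parameter names are assumptions about those services' formats, and the sample URLs are constructed.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Redirect wrappers seen in lures: host suffix -> (required path or None, query
# parameters that carry the real destination). Assumed formats, not vendor docs.
WRAPPERS = {
    "google.com": ("/url", ("q", "url")),
    "safelinks.protection.outlook.com": (None, ("url",)),
}


def _under(host, suffix):
    return host == suffix or host.endswith("." + suffix)


def peel_once(url):
    """Return the URL carried inside one wrapper layer, or None if url is not wrapped."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for suffix, (path, params) in WRAPPERS.items():
        if not _under(host, suffix) or (path is not None and parts.path != path):
            continue
        query = parse_qs(parts.query)  # decodes one level of %-encoding
        for name in params:
            for value in query.get(name, []):
                # Lures sometimes double-encode the inner URL; keep decoding until
                # a scheme appears, but give up after a few rounds.
                for _ in range(3):
                    if urlsplit(value).scheme in ("http", "https"):
                        return value
                    value = unquote(value)
    return None


def unwrap(url, max_layers=10):
    """Peel wrapper layers offline; returns the chain from the visible URL to the target."""
    chain = [url]
    while len(chain) <= max_layers:
        inner = peel_once(chain[-1])
        if inner is None or inner in chain:  # fully unwrapped, or a loop
            break
        chain.append(inner)
    return chain


# Constructed sample: a Safe Links rewrite wrapping a Google /url redirect that
# wraps the credential-harvesting page (reserved example domain).
TARGET = "https://example.net/verify?id=abc"
GOOGLE_LAYER = "https://www.google.com/url?q=" + quote(TARGET, safe="") + "&sa=D"
SAFELINKS_LAYER = (
    "https://nam01.safelinks.protection.outlook.com/?url="
    + quote(GOOGLE_LAYER, safe="") + "&data=constructed"
)

if __name__ == "__main__":
    for hop, link in enumerate(unwrap(SAFELINKS_LAYER)):
        print(hop, link)
```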