What Happens After You Leak Your Password - PowerPoint Presentation

alida-meadow
Uploaded On 2020-04-06

Presentation Transcript

Slide1

What Happens After You Leak Your Password: Understanding Credential Sharing on Phishing Sites

Peng Peng, Chao Xu, Luke Quinn, Hang Hu, Bimal Viswanath, Gang Wang
Department of Computer Science, Virginia Tech
pengp17@vt.edu

Slide2

Growing Prevalence of Phishing

Slide3

Growing Prevalence of Spear Phishing

Slide4

Phishing Workflow

Standard phishing process:
- Lure users to visit phishing websites and leak sensitive info (e.g., password)
- Send the sensitive info to the attacker

[Figure: Victim -> Phishing Page -> Phishing Server -> Attacker]

Most existing work focuses on the front-end:
- Phishing web page (text, JavaScript, images)
- Phishing URLs
- Security indicators

Recent studies have started to look at the back-end:
- Phishing kit analysis
- Compromised servers used for phishing

There is a lack of empirical understanding of the end-to-end information flow.

Slide5

This Study: End-to-End Analysis of Credential Sharing

- Empirically understanding the end-to-end credential collection process
- Characterizing 3rd-party sharing of collected credentials

[Figure: Victim -> Phishing Page -> Phishing Server -> 1st-party Collector (post-phishing exploitation); credentials also reach a 3rd-party Collector via client-side sharing and server-side sharing]

Slide6

Outline

- Background
- Client-side sharing
  - Auto login tool to feed password
  - Network traffic analysis
- Server-side analysis
- Post-phishing exploitation

[Figure: Victim -> Phish Page -> Server -> 1st-party / 3rd-party]

Slide7

Data Collection

Developed a browser-based measurement tool using Selenium:
- Given a phishing page, submit a fake password
- Detect traffic flows that send the fake password to remote hosts

[Figure: data collection pipeline]
4 Phishing Blacklists (Aug. 18 – Jan. 19) -> 179,000+ Phish URLs
-> Identify live pages
-> Detect login form (OCR + HTML + JS analysis)
-> Activate login (handle 2-step login)
-> Auto fill in fake username and password
-> Auto "log-in" + traffic recording
-> Final Dataset: 41,986 phishing sites over 5 months

Slide8

Basic Observations

HTTPS or HTTP?
- 16,000+ (33%) phishing sites are hosted under HTTPS
- Deceives the users with the green padlock

Target Brands

Most sites are targeting financial or IT companies

Slide9

Compromised Domains Hosting Phishing Pages

iccps.acm.org/admin/***: Fake FedEx page under the ICCPS conference site

conferences.sigcomm.org/css/***: Fake French tax agency webpage under the SIGCOMM conference site

councillorportal.ashfield.nsw.gov.au/Service/***: Fake PayPal webpage under an Australian government website

Slide10

Client Side Third-party Credential Collectors

[Figure: a web page served from phishing.com sends the submitted credentials to phishing.com (1st-party collector) and to others.com (3rd-party collector)]

Auto-login with a uniquely random password

Network flows that contain the plaintext/hashed password (31 hash/encode functions considered)
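As an added example (not part of the talk or the authors' measurement tool), the following Python sketches the client-side check described above: fingerprint the unique honey password as plaintext, common digests and common encodings, then flag every recorded request whose URL or body carries one of those forms and classify the receiving host as a 1st-party or 3rd-party collector. The password, hostnames and request records are constructed, and the hash/encode set is a small subset of the 31 functions the talk mentions.

```python
import base64
import hashlib
from urllib.parse import quote, urlsplit

# Constructed unique random password fed into the login form (assumption).
HONEY_PASSWORD = "Xq7!v9Lk2pZr"

def fingerprints(secret: str) -> dict:
    """Forms the honey password may take on the wire: plaintext, common
    digests and common encodings. The talk checked 31 hash/encode functions;
    this subset is an illustrative assumption."""
    raw = secret.encode()
    forms = {
        "plaintext": secret,
        "base64": base64.b64encode(raw).decode(),
        "urlencoded": quote(secret, safe=""),
        "hex": raw.hex(),
    }
    for algo in ("md5", "sha1", "sha256", "sha512"):
        forms[algo] = hashlib.new(algo, raw).hexdigest()
    return forms

def find_collectors(phish_host, requests, secret=HONEY_PASSWORD):
    """Return (host, form, party) for each recorded request whose URL or body
    carries the honey password in any fingerprinted form. A host on the
    phishing page's own domain is 1st-party; any other host is 3rd-party."""
    forms = fingerprints(secret)
    hits = []
    for req in requests:
        host = (urlsplit(req["url"]).hostname or "").lower()
        haystack = (req["url"] + "\n" + req.get("body", "")).lower()
        for name, value in forms.items():
            if value.lower() in haystack:
                own = host == phish_host or host.endswith("." + phish_host)
                hits.append((host, name, "1st-party" if own else "3rd-party"))
                break  # report each request once
    return hits

# Constructed traffic recording from one auto-login (assumption): the page
# posts the URL-encoded password to its own server, a hidden script sends an
# MD5 of it to another host, and two requests carry no credential at all.
PHISH_HOST = "phishing.example"
SAMPLE_REQUESTS = [
    {"url": "https://phishing.example/login.php",
     "body": "user=victim%40mail.example&pass=" + quote(HONEY_PASSWORD, safe="")},
    {"url": "https://collector.example/c.php?p=" + fingerprints(HONEY_PASSWORD)["md5"]},
    {"url": "https://cdn.example/jquery.min.js"},
    {"url": "https://phishing.example/img/logo.png"},
]
```

Running find_collectors(PHISH_HOST, SAMPLE_REQUESTS) on the constructed recording reports one 1st-party hit (URL-encoded form) and one 3rd-party hit (MD5 form), while the two credential-free requests are ignored.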

Slide11

Findings on Third-Party Credential Sharing

Prevalence
- About 5% (2,019) of the phishing URLs in our dataset have third-party collectors

Are they flagged?
- 30% of collector domains have a "poor" reputation according to Cisco Talos IP and Domain Reputation
- 80% of collector URLs are labeled as "Phishing" by VirusTotal
- But most of them are still alive

Where are they?
- The majority of collectors (56%) are hosted in a different country from the phishing domain

Slide12

Examples: Client Side 3rd-party Collectors

Case Study

Domain          # Phish URLs   Description
w32.info        731            Once hosted many phishing kits for downloading
ip-api.org      89             Might be compromised
serveirc.com    57             Dynamic DNS service

Slide13

Outline

- Background
- Client-side sharing
- Server-side analysis
  - Phishing kits collection
  - Sandbox analysis
- Post-phishing exploitation

[Figure: Victim -> Phish Page -> Server -> 1st-party / 3rd-party]

Slide14

Data Collection on Phishing Kits

Phishing kits: software kits used to deploy and operate phishing sites

Greedy method to collect phishing kits from phishing servers/URLs:
- Search for "open" directories (directory listing enabled)
- Check every path segment in the phishing URLs
- Download compressed files (e.g., .zip)
- Try known phishing kit names against all phishing URLs

2,064 phishing kits downloaded

Slide15

Server Side 3rd-party Collectors

Phishing kits: credentials are sent to various email addresses
- First-party@gmail.com: the phisher who deployed the phishing websites
- Third-party@gmail.com: a backdoor hidden in the phishing kits

Static analysis (plaintext searching): finds 1st-party collectors
Dynamic analysis [1] (running in a sandbox): finds 3rd-party collectors

[1] Marco et al. WOOT’08

Slide16

Prevalence of Third-Party Collectors

[Figure: CDF (%) of the number of collectors per phishing kit]

4.6% kits have third-party collectors

Most kits have a first-party collector

One kit has 20 third-party collectors

Server-side third-party sharing exists but is not very prevalent

Slide17

Outline

- Background
- Client-side sharing
- Server-side analysis
- Post-phishing exploitation
  - Create honey accounts and leak them to attackers
  - Wait for attackers to exploit the email accounts

[Figure: Victim -> Phish Page -> Server -> 1st-party / 3rd-party]

Slide18

Honey Email Accounts

Setup Honey Accounts
- 100 Gmail and 50 ProtonMail accounts
- Populated them with emails from the public Enron email dataset

Account Leakage
- Leaked the email address and password to different phishing sites (one account per site)

Account Activity Monitoring
- Gmail: "Last account activity" page
- ProtonMail: login logs

7 accounts (out of 150) received logins within 50 days of leakage

Slide19

Case Study 1

Phishing site target: PayPal
Account type: Gmail
First login: 30 mins
# login attempts: 9
# login IPs: 1
Attacker registered AWS services and tried to pay bills

Slide20

Case Study 2

Target brand: LinkedIn
Account type: ProtonMail
First login: 5 hours
# login attempts: 6
# login IPs: 4
# Emails read: 2
Credentials are widely shared in near real-time

Phishing site hosted in the US

5 hours: Attacker 1 logged in from Nigeria

3 days: Attacker 2 logged in from China

15 days: Attacker 1 checked in again

Slide21

Conclusion

- Empirical measurement of credential sharing during phishing attacks
- Analysis of 179,000 phishing URLs (47,000 live phishing sites)
- Credential sharing happens at both the client and server sides, exposing the credentials to more attackers, but the good news is that it is not yet very prevalent
- Third-party collectors are often flagged by blacklists, but they are rarely taken down
- Thoughts: leveraging third-party collectors for defense
  - Defenders (service providers) take over the detected 3rd-party collector emails/domains
  - Keep them alive and use them as a vantage point to monitor the phishing activities
  - Pinpoint future attacks and alert victims

Slide22

Thank You

pengp17@vt.edu

Please kindly forward your questions to the author