Phishing impersonations

Published: 2019-02-28
Last Updated: 2019-02-28 01:07:11 UTC
by Tom Webb (Version: 1)
6 comment(s)

Phishing is a constant cat-and-mouse game. Most organizations are now using SPF, DMARC and other technologies to prevent spoofed emails from reaching their users' inboxes. Attackers have responded by shifting to real accounts at legitimate mail providers.

The type of attack we are seeing recently tries to bypass these more traditional protections by using impersonation attacks. This is where the display name shown in the email client matches the person of interest and is paired with a plausible-looking email address.

Let's say your CEO's name is Tony Stark and his legitimate address is Tony.Stark@Stark.com. The attacker would set the display name to Tony Stark and use the address Tony.Stark@my.com. The domain my.com has been used a lot in the past six months for these types of attacks, and you can easily block any email from my.com in your mail filters.

Attackers are also using Gmail, Yahoo and other major domains with the same technique (e.g. Tony.Stark@gmail.com or Tstark@yahoo.com). Unfortunately, in most cases you will not be able to block these domains. The way many email products are fighting this is with a feature most are calling impersonation detection: set up a profile in the product for each VIP's display name and it tries to detect fake accounts. My issue with these is that you are leaving it up to a "black box" to determine whether your VIP's email is going to get through.

If you have the option in your email solution to use Yara rules or nested if statements, this seems to be the best solution overall. Once you have determined which VIPs you want to protect, you need to collect their real addresses, including the personal ones they actually send from. After that, you write a nested if statement that passes mail from those addresses and junks anything else carrying that display name.

    If Display Name is "Tony Stark"
        And if address is Ironman@gmail.com
            Or Tony.Stark@stark.com    (Pass)
        Else    (Junk)

If you start running into many false positives because a VIP has a common name, you can keep adding legitimate addresses to the whitelist and continue to build it out. This can be tedious, so keeping the list small is key. I would suggest at least your C-levels, General Counsel and Finance/Payroll.
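The nested-if rule above, carried out as a small filter in Python. This is an added example, not code from the diary or from any mail product: the VIP profile, the sample From headers and the `classify_from`/`triage` function names are constructed for illustration. It normalizes the display name (case, whitespace, accents) before matching, so "TONY  STARK" and "Tony Stark" compare equal, then passes only the whitelisted addresses and junks everything else that carries a VIP's name; the my.com domain block from the diary is applied first.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed VIP profiles (example data): display name -> addresses the VIP really sends from.
VIP_ALLOWLIST = {
    "Tony Stark": {"tony.stark@stark.com", "ironman@gmail.com"},
}

# Domains that can simply be blocked outright; my.com is the one named in the diary.
BLOCKED_DOMAINS = {"my.com"}


def normalize_name(name: str) -> str:
    """Fold case, strip accents and collapse whitespace so that
    ' Tony  Stark', 'TONY STARK' and 'Tony Stark' all compare equal.
    (NFKD only strips combining marks; it does not map Cyrillic or other
    look-alike scripts onto Latin letters.)"""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(ch for ch in name if not unicodedata.combining(ch))
    return re.sub(r"\s+", " ", name).strip().casefold()


# Pre-normalize the profile once: normalized name -> lower-cased allowed addresses.
VIP_BY_NAME = {
    normalize_name(name): {addr.casefold() for addr in addrs}
    for name, addrs in VIP_ALLOWLIST.items()
}


def classify_from(from_header: str) -> str:
    """Return 'pass', 'junk' or 'not-vip' for one RFC 5322 From header value.

    Rule, as in the diary: if the display name is a VIP's name, the address
    must be one of that VIP's known addresses, otherwise the mail is junk.
    Mail whose display name matches no VIP is left to the other filters.
    """
    display, addr = parseaddr(from_header)
    addr = addr.casefold()          # whole-address compare is case-insensitive here
    if "@" not in addr:
        return "junk"               # unparseable or bare-name From header
    domain = addr.rpartition("@")[2]
    if domain in BLOCKED_DOMAINS:
        return "junk"               # the my.com style of outright block
    allowed = VIP_BY_NAME.get(normalize_name(display))
    if allowed is None:
        return "not-vip"            # no VIP profile for this display name
    return "pass" if addr in allowed else "junk"


# Constructed sample headers: two legitimate, two impersonations, one non-VIP.
SAMPLE_FROM_HEADERS = [
    "Tony Stark <Tony.Stark@stark.com>",
    '"Tony Stark" <Ironman@gmail.com>',
    "Tony Stark <Tony.Stark@my.com>",
    "TONY  STARK <Tstark@yahoo.com>",
    "Pepper Potts <pepper@example.net>",
]


def triage(headers=SAMPLE_FROM_HEADERS) -> dict:
    """Classify each header; returns {header: verdict} for inspection or testing."""
    return {h: classify_from(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:8} {header}")
```

The `not-vip` verdict is what keeps the list small in practice: only display names you have profiled ever reach the allow/junk decision, so a false positive can only come from a real VIP sending from an address you have not whitelisted yet, which is exactly the case the diary says to fix by extending the list.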


What techniques have been successful for you?  

--

Tom Webb @twsecblog

Keywords: Phishing