Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Phishing impersonations - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Phishing impersonations

Phishing is a constant cat and mouse game. Most organizations are now doing SPF, DMARC and other technologies to prevent spoofed emails from making it into your user's inbox.  Attackers have now been shifting to using real accounts from providers.

The type of attack we are seeing recently tries to bypass these more traditional protections by useing Impersonation attacks. This is where the displayed name in the email client is the same as the person of interest along with a plausible email address.  

Let say your CEOs name is Tony Stark and his legitimate address is Tony.Stark@Stark.com.  The attacker would set a display name as Tony Stark and address Tony.Stark@my.com. My.com has been used a lot in the past six months for these types of attacks. You can easily block any emails from the domain my.com in your mail filters.

Attackers are also using Gmail, Yahoo and other major domains with the same technique (e.g. Tony.Stark@gmail.com or Tstark@yahoo.com).  Unfortunately, in most cases you will not be able to block these domains. The way many email products are fighting this is by a feature most are calling impersonation detection. Setup a profile in the product for the display name of VIP’s and it tries to detect fake accounts.  My issue with these is that you are leaving it up to a “BlackBox” to determine if your VIP’s email is going to work.

If you have the option in your email solution to use Yara rules or nested if statements, this seems to be the best solution overall.  Once you have determined what VIP’s you want to place this on, you need to use their real personal address. After that, you do a nested if statement for blocking anything else.

 

If Display Name “ Tony Stark”

And  If addreess is  Ironman@gmail.com

Or Tony.Stark@stark.com    (Pass)

 

Else  (Junk)

If you start running into many false positives due to a common name of a VIP, you can start adding to the whitelist and continue to build it out.  This can be tedious and having a small number on the list is key. I would suggest at least your C-Levels, General Counsel and Finance/Payroll.

 

What techniques have been successful for you?  

--

Tom Webb @twsecblog

Tom

55 Posts
ISC Handler
We've been doing this as well for our high level targets since we see it across the board. Also we have noticed a couple of different forms that need to be filtered, e.g. //From: Tony Stark// and //From: "Tony Stark"// in headers may not match the same in your spam filter.

The biggest issue we see with these is that mobile devices do not typically display the email address, only the display name in emails so adding the filters in manually is all we can do at this point.
Anonymous
I had a dashboard in kibana (searching my logs) and had a canned search that would look for various name permutations for our CEOs, their executive assistants and a few VIPs in HR and Finance. So the search filter in my case would look something like:

type:mail AND NOT srcHost:*.mydomain.com AND fromUser:(tstark tony.stark tony-stark starkt) AND toDomain:*mydomain.com

I searched not only for emails that passed our spam filters but those that didn't too. The reason is that I'd get a peek at message bodies on phish that people were trying to get through, and that often gave me other things in the headers/bodies I could block by.

Also, if I saw a nicely formed spearphish I'd sanitize it and send it to the recipient with an email saying "Watch out for things like this". This served to remind the targets of spearphish that they were high value targets AND that I was looking out for them - help inoculate your spearphing targets and possibly make that next capital expenditure for a SIEM or something else needed a little easier.
Brent

118 Posts
I'm probably not understanding the nested if completely but "And if address is ironman@gmail.com," seems to be implying that you'd have to do this for every single email address that isn't the legit? address?
Anonymous
type:mail AND NOT srcHost:*.mydomain.com AND fromUser:(tstark tony.stark tony-stark starkt) AND toDomain:*mydomain.com

The way to read this is, an email where the hostname it's coming from isn't my company (ie, we had some DMZ servers that had to use our barracuda spam filters to send any email, so I'm excluding those emails from our server), AND the from username was some permutation of the names of my targeted users (ie, it's claiming to be from one of them), AND it's addressed to our company meaning it's not outbound email. Our outbound and inbound email went through the same barracuda spam firewalls so I was culling through the logs looking for inbound email where it came from some outside source and had a from username that was some (possibly wrong) permutation of our CEO, our finance director, a few other VPs and several executive admins.

So if our CEO was Tony Stark it would be common to find an email from tstark@yahook.com or tonyt@gmail.com pretending to be the CEO and addressed to the head of finance saying "Send me everyone's W2's!" or whater the spear-phish du-jour was. I obviously had to find, and filter out, a few legit email addresses bot not many. And it also uncovered a VIP who was using his personal gmail account for work related email which was a violation of policy (and not very bright in this day and age - grin).
Brent

118 Posts
I would also search for inbound email where the To username was one of the permutations of names but the address was wrong. So if Tony Stark's corporate address was tstark@mycompany.com, I would search for tonyt@mycompany.com, tony.stark@mycompany.com and tone-stark@mycompany.com, and maybe anthony.startk@mycompany.com, etc. These are all going to be undeliverable, of course, but it's interesting to see who is trying to guess at the email addresses of VIPs (and not just guessing at all recipient addresses in a dictionary attack).

In my environment, all email rejections happened after the sender gave me both a rcpt to and mail from address in the SMTP transaction. That would sometimes yield some interesting IPs/subnets to search my logs for any other activity.
Brent

118 Posts
thank you
Anonymous

Sign Up for Free or Log In to start participating in the conversation!