
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2019-02-28



Phishing impersonations

Published: 2019-02-28
Last Updated: 2019-02-28 01:07:11 UTC
by Tom Webb (Version: 1)

Phishing is a constant cat-and-mouse game. Most organizations now deploy SPF, DKIM, DMARC and similar controls to keep spoofed mail out of their users' inboxes. Those controls only verify that a message really came from the domain it claims to come from, so attackers have shifted to sending from real accounts at legitimate mail providers, which pass every authentication check.

The attack we have been seeing recently bypasses these traditional protections with display-name impersonation: the display name shown in the mail client matches the person being impersonated, and the actual sending address is merely plausible.

Say your CEO's name is Tony Stark and his legitimate address is Tony.Stark@Stark.com. The attacker sets the display name to "Tony Stark" and sends from Tony.Stark@my.com. My.com has been used heavily over the past six months for these attacks, and unless you have legitimate correspondents there you can simply block the whole domain in your mail filters.

Attackers also use Gmail, Yahoo and other major providers with the same technique (e.g. Tony.Stark@gmail.com or Tstark@yahoo.com). In most cases you cannot block those domains. Many email security products address this with a feature they call impersonation detection: you create a profile for each VIP's display name and the product tries to spot look-alike accounts. My issue with these is that you are leaving it up to a black box to decide whether mail that appears to come from your VIPs gets through.

If your email solution lets you write your own rules (YARA rules, nested if statements or a similar rule language), that is the best overall solution. Decide which VIPs to protect, collect every address they legitimately send from (corporate and any personal mailbox they actually use), and then write a nested rule that passes those addresses and junks anything else carrying that display name:

If Display Name is "Tony Stark"
    If address is Ironman@gmail.com
    Or address is Tony.Stark@stark.com
        (Pass)
    Else
        (Junk)

The Else applies only within the display-name match: mail whose display name is not a protected VIP is left alone, so the rule never touches ordinary traffic.

If you run into many false positives because a VIP has a common name, add the colliding legitimate senders to the whitelist and keep building it out. This is tedious, so keeping the list of protected names small is key. I would suggest at least your C-levels, General Counsel and Finance/Payroll.
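The nested rule above, written out as a runnable filter. This is an added example and not the diary's own code or any product's rule syntax: it parses the From: header, normalizes the display name (case, "Last, First" ordering, Unicode compatibility forms), junks mail from a blocked domain such as my.com, and passes a VIP display name only when the address is on that VIP's allowlist. Going slightly beyond the diary, it also catches the variant where the attacker puts the VIP's real address into the display name itself. The VIP list, blocked-domain list and sample headers are constructed for illustration.

```python
"""Display-name impersonation filter (added example, not the diary's code)."""
import re
import unicodedata
from email.utils import parseaddr

# Constructed VIP allowlist: normalized display name -> legitimate addresses
# (corporate plus any personal mailbox the VIP actually sends from).
VIP_ALLOWLIST = {
    "tony stark": {"tony.stark@stark.com", "ironman@gmail.com"},
    "pepper potts": {"pepper.potts@stark.com"},
}

# Constructed list of domains seen only in impersonation attempts.
BLOCKED_DOMAINS = {"my.com"}

ALL_VIP_ADDRESSES = set().union(*VIP_ALLOWLIST.values())


def normalize_name(display: str) -> str:
    """Fold case, Unicode compatibility forms and whitespace so that
    'TONY  STARK', 'Stark, Tony' and fullwidth letters compare equal."""
    name = unicodedata.normalize("NFKC", display).strip().strip('"').lower()
    if "," in name:  # "Stark, Tony" -> "tony stark"
        last, first = (part.strip() for part in name.split(",", 1))
        name = f"{first} {last}"
    return re.sub(r"\s+", " ", name)


def classify(from_header: str) -> tuple[str, str]:
    """Return ("pass" | "junk", reason) for a raw From: header value."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return "junk", "unparseable From header"
    domain = addr.rsplit("@", 1)[1]
    if domain in BLOCKED_DOMAINS:
        return "junk", f"blocked domain {domain}"

    # Variant: the VIP's real address is used as the display name,
    # e.g. "Tony.Stark@stark.com" <random@gmail.com>.
    display_lower = display.lower()
    if (any(vip in display_lower for vip in ALL_VIP_ADDRESSES)
            and addr not in ALL_VIP_ADDRESSES):
        return "junk", "VIP address used as display name"

    name = normalize_name(display)
    if name not in VIP_ALLOWLIST:
        return "pass", "not a protected display name"   # rule does not apply
    if addr in VIP_ALLOWLIST[name]:
        return "pass", "VIP display name from an allowlisted address"
    return "junk", f"VIP display name '{name}' from unknown address {addr}"


if __name__ == "__main__":
    # Constructed sample From: headers
    samples = [
        "Tony Stark <Tony.Stark@stark.com>",
        "Tony Stark <Ironman@gmail.com>",
        "Tony Stark <Tony.Stark@my.com>",
        '"Stark, Tony" <tstark@yahoo.com>',
        '"Tony.Stark@stark.com" <tstark2019@gmail.com>',
        "Happy Hogan <happy.hogan@stark.com>",
    ]
    for sample in samples:
        verdict, why = classify(sample)
        print(f"{verdict:4}  {sample:48}  {why}")
```

Run it as a script to see the verdict for each constructed header. The important design point is the same as in the diary's pseudo-rule: the allowlist is keyed by display name, so only mail that claims to be a protected VIP is ever judged, and a false positive is fixed by adding one address to that VIP's set rather than loosening the rule.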

 

What techniques have been successful for you?  

--

Tom Webb @twsecblog

Keywords: Phishing