Phishing: Defense and Response

Agenda
• Intro / Program overview
• Definitions
• Phishing attack history
• Threat changes
• History of phishing
• Examples of phishing events
• Phishing defense and response
• Q&A

Introductions
• Ken Schaeffler, CISO, Corporate Information Security Services, Comerica Bank
• K. Scott Vowels, VP, Architecture and Engineering, Corporate Information Security Services, Comerica Bank

Information Security Program Management Model

Key Drivers
• Threats
• Changes in Technology
• Regulatory / Compliance
• Business Practices
• Audit & Exam Findings

Security Organization / Resources
• Management / Staffing
• Acquisition / Retention
• Key Roles / Skills

Security Policy & Process
• Corporate Security Policy
• Security Standards
• Security Procedures

Security Technology
• Protection
• Detection
• Response

Security Program Management
• Automation
• Sourcing
• Standardization
• Resource Management
• Workload Management

Security Program Overview
The Corporate Information Protection Policy sits at the centre; the program activities fall into four quadrants: Protection, Prevention, Detection and Recovery.

Protection
• Authentication Controls
• Authorization Controls
• Encryption
• Virus Protection
• Spyware Protection
• Site Filtering
• Firewalls

Prevention
• Awareness Program
• Risk Management Process
• Security Intelligence
• Third Party Risk Assessment
• Security Architecture
• Security Policy/Standards
• Vulnerability Assessments
• Patch Management

Detection
• Intrusion Detection
• Event Log Monitoring
• Penetration Testing
• Security Policy Compliance Testing
• Forensic Analysis
• Phishing Monitoring
• Event Correlation

Recovery
• Incident Response Plan
• Business Continuity / Disaster Recovery Plans
• Event Management

Common Terminology
• Phishing – A scam that uses a legitimate company as a disguise to entice users to respond to an e-mail and share confidential information (e.g., passwords, credit card numbers, social security numbers, etc.).
• Pharming – A scam that uses domain hijacking or malicious code to reroute a victim's browser to a phony website where confidential information can be entered and "harvested"; unlike phishing, the victim may have typed the correct address.
• Vishing – Voice phishing: a phishing scam delivered by telephone, typically leveraging Voice over Internet Protocol (VoIP) to make the calls cheap and hard to trace.

Phishing Attack History


Putting Phishing into perspective
• It's a social engineering attack blended with other components:
  – Server compromises
  – Spam
  – Credit card fraud
  – Cyber-squatting

• Previous attacks on consumers:
  – Telephone-based social engineering to gain personal information
  – The Nigerian e-mail scam, etc.

New overall threat
• Phishing does constitute a new kind of threat:
  – Electronic fraud rather than traditional hacking
  – The attack is low risk and high reward for the attacker
  – It exploits existing gaps in consumer awareness

A Brief History…
• Phishing history – progression of the attacks:
  – Early e-mails had bad grammar and misspelled words
  – Sites didn't look like the legitimate corporate websites
  – First asking for an array of personal information, now focused on web banking credentials
• Quick-moving attack focus:
  – Started with CitiGroup, then Comerica, then on to UMCU
  – The top 10 targets haven't changed: eBay, PayPal, etc.

Life Cycle of Phish

Significant Incident at Comerica, March 2005: Domain Name Services (DNS) Phishing – China
Threat:
• The domain name Comerica-banking.com is registered by someone in Washington.
• A server located in Beijing, China is compromised and becomes the phisher website.
• Bogus e-mails are sent to customers and non-customers directing them to the phisher website.
• The phisher website requests confidential ATM information and then links back to Comerica's website.

Impact:
• Potential fraudulent activity if customers respond to the phishing e-mail.
• Affected information:
  – Personal: home address, e-mail address, etc.
  – Credentials: ATM card number, PIN, expiration date, etc.
• Increased e-mail volume as a result of responses to the phishing e-mail.
• Non-Comerica spam filters flagged Comerica as a source of spam and blocked our e-mail address.
• Some customers were not able to communicate with Comerica via e-mail.

DNS Phishing- China

Significant Incident at Comerica, March 2005: Internet Protocol (IP) Phishing – Chile
Threat:
• A server in Santiago, Chile is compromised and becomes the phisher website.
• Bogus e-mails are sent to customers and non-customers directing them to the phisher website.
• The phisher website contains a copy of our Web Banking pages:
  – Prompts for Web Banking credentials to log in to the phisher website.
  – Prompts for credit card number, expiration date, and PIN.
  – Presents a confirmation message.
  – Redirects the browser to the legitimate Comerica Web Banking site.

Impact:
• Potential fraudulent activity if customers respond to the phishing e-mail.
• Affected information:
  – Personal: home address, e-mail address, etc.
  – Credentials: Web Banking credentials, credit card number, expiration date, PIN.
• Increased e-mail volume as a result of responses to the phishing e-mail.
• Non-Comerica spam filters flagged Comerica as a source of spam and blocked our e-mail address.
• Some customers were not able to communicate with Comerica via e-mail.

IP Phishing-Chile


Ever herd☺ of spell check?

Abnormal vs. Unnormal

Strong Auth Phish

Thoughts on Prevention, Detection, and Response
PREVENTION
These activities focus on:
– 1) Reducing the number of phishing attempts our customers receive
– 2) Educating consumers so that they are less likely to respond to phishing scams
• Employee and customer awareness/education
• Security 'best practices' and threat information on our websites
• Monitoring the registration of internet domain names containing 'Comerica'
• Monitoring and blocking of suspicious/malicious network addresses
• Use of web application security standards and firewalls
• Implementing the appropriate levels of authentication and authorization controls
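As an added example (not part of the original deck), the domain-registration monitoring bullet above can be made concrete. The script below screens a constructed feed of newly seen domain names for three lookalike patterns: the brand string embedded in a longer label (the combosquat form of comerica-banking.com from the March 2005 incident), the exact brand on an unexpected TLD, and typo or digit-for-letter variants within a small edit distance. The brand, the allowlist of legitimate domains and the sample feed are assumptions for illustration; a real deployment would take its feed from a zone-file or registrar monitoring service and use the Public Suffix List to find the registrable label.

```python
"""Screen newly observed domain names for lookalikes of a brand.

Added example. BRAND, LEGIT_DOMAINS and SAMPLE_FEED are assumptions
constructed for illustration, not data from the presentation.
"""
import re
from typing import Dict, Iterable, Optional

BRAND = "comerica"
# Assumed allowlist of domains the bank itself owns (hypothetical).
LEGIT_DOMAINS = {"comerica.com", "comerica.net"}

# Common digit/symbol-for-letter substitutions, folded before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})

# Constructed sample of newly seen registrations (not real data).
SAMPLE_FEED = [
    "comerica.com",                # ours: never flagged
    "comerica-banking.com",        # combosquat like the March 2005 incident
    "secure-comerica-online.net",  # brand buried mid-label
    "c0merica.com",                # zero for 'o'
    "comerlca.com",                # 'l' for 'i'
    "commerica.com",               # doubled letter
    "comerica.co",                 # exact brand, unexpected TLD
    "americanbank.com",            # unrelated
    "ebay-security.info",          # unrelated (another brand's problem)
]


def registrable_label(domain: str) -> str:
    """Second-level label: 'comerica-banking' for 'www.comerica-banking.com'.
    A naive split is enough here; use the Public Suffix List in production."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str = BRAND, max_distance: int = 2) -> Optional[str]:
    """Return why the domain looks like a brand squat, or None if it does not."""
    domain = domain.lower()
    if domain in LEGIT_DOMAINS:
        return None
    label = registrable_label(domain)
    folded = label.translate(HOMOGLYPHS)
    if folded == brand:
        # Same letters as the brand: either our name on a TLD we do not own,
        # or a digit/symbol substitution that folds back to our name.
        return "exact brand on unexpected TLD" if label == brand else "homoglyph of brand"
    if brand in folded:
        return "brand embedded in label"
    # Compare each hyphen/underscore-separated token against the brand for typos.
    for token in re.split(r"[-_]", folded):
        distance = levenshtein(token, brand)
        if 0 < distance <= max_distance:
            return f"edit distance {distance} from brand"
    return None


def scan(feed: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious domain in the feed to the reason it was flagged."""
    flagged = {}
    for domain in feed:
        reason = classify(domain)
        if reason is not None:
            flagged[domain] = reason
    return flagged


if __name__ == "__main__":
    for domain, reason in scan(SAMPLE_FEED).items():
        print(f"{domain:30} {reason}")
```

Flagged domains are candidates for a takedown request or a WHOIS/registrar inquiry, not proof of phishing on their own; the edit-distance threshold should be tuned to the brand length, since a distance of 2 is loose for a short name and tight for a long one.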

Thoughts on Prevention, Detection, and Response
DETECTION
Our detection mechanisms focus on:
– 1) The discovery of phishing e-mails that have been sent
– 2) Monitoring the Internet for possible web sites containing Comerica web pages
• Customer calls and inquiries into our call center, branches, or e-mail queries
• Anti-phishing services that monitor suspicious e-mail traffic, possible phishing web sites, and chat room topics
• Monitoring of our e-mail systems for 'e-mail bounce-back'
• Web application security event monitoring and analysis
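An added example, not from the deck, of what the 'web application security event monitoring' bullet can look for: the Chile kit described earlier redirected victims to the legitimate Web Banking site after harvesting credentials, and phishing kits routinely hot-link images and stylesheets from the real site. Both leave the phishing host in the Referer field of the bank's own web server logs. The script scans constructed Apache combined-format log lines (not real data), ignores referers from an assumed allowlist of Comerica hosts, and groups the remainder by referring host and requested path so the most active phishing host surfaces first.

```python
"""Find phishing hosts in the legitimate site's own access logs.

Added example. ALLOWED_REFERER_HOSTS and SAMPLE_LOG are assumptions
constructed for illustration, not data from the presentation.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Hosts allowed to refer traffic to us (assumed, hypothetical list).
ALLOWED_REFERER_HOSTS = {"www.comerica.com", "comerica.com", "webbanking.comerica.com"}

# Constructed sample log lines in Apache "combined" format (not real data).
# 203.0.113.17 is from the TEST-NET-3 documentation range.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2005:10:01:02 -0500] "GET /images/logo.gif HTTP/1.1" 200 4521 "http://www.comerica.com/" "Mozilla/4.0"
10.0.0.6 - - [12/Mar/2005:10:01:09 -0500] "GET /images/logo.gif HTTP/1.1" 200 4521 "http://203.0.113.17/webbanking/login.html" "Mozilla/4.0"
10.0.0.7 - - [12/Mar/2005:10:02:11 -0500] "GET /webbanking/ HTTP/1.1" 200 9902 "http://comerica-banking.com/confirm.php" "Mozilla/4.0"
10.0.0.8 - - [12/Mar/2005:10:02:15 -0500] "GET /webbanking/ HTTP/1.1" 200 9902 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Mar/2005:10:03:40 -0500] "GET /css/site.css HTTP/1.1" 200 1200 "http://203.0.113.17/webbanking/login.html" "Mozilla/4.0"
10.0.0.10 - - [12/Mar/2005:10:04:01 -0500] "GET /webbanking/ HTTP/1.1" 200 9902 "https://webbanking.comerica.com/logout" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer: str) -> Optional[str]:
    """Lower-cased host from a Referer URL; None for '-' or an empty field."""
    if not referer or referer == "-":
        return None
    # Tolerate scheme-less referers so urlsplit puts the host in netloc.
    parts = urlsplit(referer if "://" in referer else "http://" + referer)
    return parts.hostname  # strips port and userinfo, lower-cases the host


def suspicious_referers(log_text: str, allowed=ALLOWED_REFERER_HOSTS) -> Dict[str, Counter]:
    """Map each non-allowlisted referring host to a Counter of the paths it
    pulled from us. A host fetching only static assets (logo, CSS) is as
    interesting as one redirecting victims into /webbanking/: both are
    external pages that embed or hand off to ours."""
    findings: Dict[str, Counter] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; skip rather than abort the whole scan
        host = referer_host(rec["referer"])
        if host is None or host in allowed:
            continue
        findings.setdefault(host, Counter())[rec["path"]] += 1
    return findings


def ranked(findings: Dict[str, Counter]) -> List[str]:
    """Referring hosts ordered by total hits, most active first."""
    return sorted(findings, key=lambda h: sum(findings[h].values()), reverse=True)


if __name__ == "__main__":
    found = suspicious_referers(SAMPLE_LOG)
    for host in ranked(found):
        print(host, dict(found[host]))
```

The hit count per host is a useful triage signal for the takedown queue: a live kit pulling the bank's logo once per victim page load will climb quickly, while a one-off hit from a security researcher's browser will not. Referers can be stripped or forged, so an absent referer is never treated as proof of anything here.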

Thoughts on Prevention, Detection, and Response
RESPONSE
We have a comprehensive set of response procedures to address security events, which includes phishing attacks.
• Engage anti-phishing response services to shut down the web site and monitor for site reactivation
• Communication/coordination with law enforcement, legal, and other financial institutions
• Communicate with bank management, customers, and the media
• Heightened awareness for primary customer contact points and business application support areas
• Update web pages to include pertinent warnings and alerts
• Monitoring of systems for fraudulent activity

Thoughts on Prevention, Detection, and Response
What's the impact to affected organizations?
• Direct loss from fraud
• Litigation and prosecution costs
• Tools and personnel to prevent, detect, and respond
• Education and awareness costs
• Brand damage
• Customer fear and lost business

Phishing Response – Key Elements
Technical Response
Corporate Information Security Services
– Leads/coordinates technical activities and the overall response.
– Analyzes phishing technology components and methodology.
– Increases monitoring of intrusion detection sensors and targeted systems.
– Engages external phishing response services and coordinates related activities:
  • Shut down the phisher website
  • Monitor for site reactivation
– Addresses e-mail and spam (black list) issues as required.

Fraud Investigation Activities
Fraud Prevention & Investigation Services
– Leads/coordinates the non-technical portion of the response.
– Communicates with law enforcement and other financial institutions.
– Coordinates required activities with Legal.
– Files the appropriate incident report.

Phishing Response – Key Elements
Communication
Corporate Communication leads/coordinates communication activities with:
– Executive management
– Comerica staff
– The media
– Comerica customers

Customer Services
A number of areas are involved in supporting our customers:
– Scripts for primary customer contact points: branches, PIC, Call Center, etc.
– Awareness for affected business applications: Card Services, Web Banking, etc.
– Modifications to Comerica web pages: warnings, alerts, etc.
– Tracking of customer impact by Quality.

Looking forward…
• Providers
  – Telcos and ISPs should focus on delivering clean bits
• Enhanced authentication
  – May be part of the solution, but the attack methods will change
• Secured e-mail
  – Trusted e-mail channels make it more difficult to send 'fake' e-mails. Build trust in e-mail. (Good news, bad news)
• Better cooperation between Financial Service Organizations and other companies
• Issues to consider
  – Phish response should be like worm/virus response
  – Don't focus on this one; it's the NEXT one we should be thinking about
  – Cyber-squatting used to be a legal problem, not anymore
  – Private registration
  – Whois server integrity
  – In many cases the US is harder in the short term, better once you get law enforcement (LE) involved

Questions? Contact us: [email protected] [email protected]

Scott Vowels and Ken Schaeffler - Anti-Phishing.pdf
