Phishing has a long history of being one of the underrated cyber attacks that can make our lives very difficult. Did you know that the first phishing lawsuit was filed in 2004 against a Californian teenager who created an imitation of the “America Online” website? Ever since, we have been constantly cautioned and warned against opening suspicious emails or messages. In this edition of Hakin9 we would like to focus on various phishing attacks and techniques, and on how to defend against them.
In the main article, Phishing Secrets: Attack & Protection by Verónica Berenguer, you will have a chance to see the attacker's perspective and learn how phishing attacks are carried out. This amazing guide is a must-have for any cybersecurity specialist. Another article takes a closer look at spoofed emails, in which the attacker impersonates someone the victim knows or trusts. Moving forward, in Generative Models for Spear Phishing Posts on Social Media you will see how phishing works through social media posts, along with many other aspects of this vicious attack.
We also highly recommend the article by Richard Azu, who recently became our instructor. In his article he shows how to create a defensive VoIP setup using VLANs. Ahmed Ounouh and Benjamin Cohen are back with a new article, this time focused on Windows 10 and the CHAOS Framework.
There are many other articles waiting for you in the May edition! Hope you will enjoy them all.
We would also like to thank you for all your support. We appreciate it a lot. If you like this publication, you can share it and tell your friends about it! Every comment means a lot to us.
Enjoy your reading,
TABLE OF CONTENTS
Towards the Adoption of Anti-spoofing Protocols
Hang Hu, Peng Peng, Gang Wang
Email spoofing is a critical step in phishing attacks, where the attacker impersonates someone that the victim knows or trusts. In this article, we conduct a qualitative study to explore why email spoofing is still possible after years of effort to design, develop, and promote anti-spoofing protocols (SPF, DKIM, DMARC). Previous research shows that the adoption rates of anti-spoofing protocols are still very low. To understand the reasons behind the slow adoption, we conduct a user study with nine email administrators from different institutions. The results show that email administrators are aware of the weaknesses of these protocols and believe that current protocol adoption lacks critical mass because of protocol defects, weak incentives, and practical deployment challenges. Based on these results, we discuss the key implications for protocol designers, email providers and users, and future research directions to mitigate email spoofing threats.
Attacking and Securing APIs
An API specifies how software components should interact with each other. A web API acts as middleware that serves client requests through HTTP methods such as GET, POST, PUT, PATCH and DELETE, and its responses are generally returned as JSON or XML data.
Generative Models for Spear Phishing Posts on Social Media
Phillip Tully, Ph.D., John Seymour
We aim to discover what capabilities an adversary might utilize in such a domain. We present a long short-term memory (LSTM) neural network that learns to socially engineer specific users into clicking on deceptive URLs. The model is trained with word vector representations of social media posts, and in order to make a click-through more likely, it is dynamically seeded with topics extracted from the target’s timeline. We augment the model with clustering to triage high value targets based on their level of social engagement, and measure success of the LSTM’s phishing expedition using click-rates of IP-tracked links. We achieve state of the art success rates, tripling those of historic email attack campaigns, and outperform humans manually performing the same task.
Can Blockchain Protect Internet-of-Things? A New Concept to Allow Blockchain to Protect Internet-of-Things
In the Internet-of-Things, the number of connected devices is expected to be extremely large, i.e., tens of billions. It is, however, well known that security for the Internet-of-Things is still an open problem. In particular, it is difficult to certify the identity of connected devices and to prevent spoofing. This is because conventional security technologies have been developed mainly to protect logical networks, not physical networks such as the Internet-of-Things. In order to protect the Internet-of-Things with advanced security technologies, we propose a new concept (a Physical-Logical Link layer), which is a well-designed combination of physical chip identification and blockchain. With the proposed physical chip identification, the physical addresses of connected devices are uniquely bound to the logical addresses, which are then protected by the blockchain.
Revisiting Email Spoofing Attacks
Hang Hu, Gang Wang
The email system is the central battleground against phishing and social engineering attacks, and yet email providers still face key challenges to authenticate incoming emails. As a result, attackers can apply spoofing techniques to impersonate a trusted entity to conduct highly deceptive phishing attacks. In this work, we study email spoofing to answer three key questions:
How do email providers detect and handle forged emails?
Under what conditions can forged emails penetrate the defense to reach a user’s inbox?
Once the forged email gets in, how do email providers warn users? Is the warning truly effective?
Phishing Secrets: Attack & Protection
Verónica Berenguer Garrido
First, we’re going to talk about how to carry out a phishing attack from the attacker's perspective. We will learn how to send mass emails through our own scripts, modifying the mail headers needed to bypass the protection techniques of the most sophisticated mail servers, such as Gmail or Outlook. Then, we’re going to adopt the role of a user who receives this fake email. For this, we will go through a series of checks to identify possible identity spoofing.
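The abstracts above (the anti-spoofing adoption study, Revisiting Email Spoofing Attacks, and Phishing Secrets) all turn on one question: does a message's visible From: domain line up with what SPF or DKIM actually authenticated? The following is an added example, not code from any of these articles, that walks one message through a minimal DMARC-style evaluation. The DNS records, domains (example.com, example.org, attacker.net) and authentication results are constructed for illustration, and the organisational-domain helper is a deliberate simplification (real receivers use the Public Suffix List).

```python
"""DMARC alignment evaluation for a single message (added illustration).

A spoofed message can carry a perfectly valid SPF pass for the attacker's
own envelope domain; DMARC fails it only because that domain does not
*align* with the domain the user sees in From:.  This example shows that
decision, including relaxed vs. strict alignment and the subdomain fallback.
"""
from dataclasses import dataclass

# Constructed TXT records keyed by name. A real receiver would query DNS.
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into tag -> value, applying RFC 7489 defaults
    for the alignment modes (relaxed unless stated otherwise)."""
    tags = {"p": None, "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags["p"] is None:
        raise ValueError("not a valid DMARC record: %r" % record)
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels.
    Assumption: no multi-label public suffixes such as co.uk."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment. Strict ('s') needs an exact match;
    relaxed ('r') accepts the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC 5322 From: header (what the user sees)
    spf_result: str    # "pass" / "fail" / "none" for the envelope MAIL FROM domain
    spf_domain: str    # domain SPF was evaluated against
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= of the verified signature, or "" if none


def evaluate_dmarc(res, dns=FAKE_DNS):
    """Return (disposition, detail).

    disposition is 'pass', 'none' (no record or p=none) or the
    published policy ('quarantine'/'reject') when neither identifier aligns.
    """
    from_domain = res.from_domain.lower()
    record = dns.get("_dmarc." + from_domain)
    used_fallback = False
    if record is None and org_domain(from_domain) != from_domain:
        # Subdomain with no record of its own: fall back to the org domain.
        record = dns.get("_dmarc." + org_domain(from_domain))
        used_fallback = True
    if record is None:
        return "none", "no DMARC record published for " + from_domain
    tags = parse_dmarc(record)
    policy = tags.get("sp", tags["p"]) if used_fallback else tags["p"]

    spf_ok = res.spf_result == "pass" and aligned(res.spf_domain, from_domain, tags["aspf"])
    dkim_ok = res.dkim_result == "pass" and aligned(res.dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "aligned via " + ("SPF" if spf_ok else "DKIM")
    return policy, "authenticated identifiers do not align with From: " + from_domain


if __name__ == "__main__":
    cases = {
        "spoof, SPF passes for attacker's own domain":
            AuthResults("example.com", "pass", "attacker.net", "none", ""),
        "legitimate, SPF on a subdomain (relaxed aspf)":
            AuthResults("example.com", "pass", "mail.example.com", "none", ""),
        "DKIM on a subdomain under strict adkim, SPF failed":
            AuthResults("example.com", "fail", "example.com", "pass", "mail.example.com"),
        "spoof of a p=none domain (monitor only)":
            AuthResults("example.org", "pass", "attacker.net", "none", ""),
    }
    for label, res in cases.items():
        print("%-55s -> %s (%s)" % (label, *evaluate_dmarc(res)))
```

The first case is the textbook forgery these articles describe: SPF is green, yet the message is rejected because attacker.net is not example.com. The third case shows the flip side that trips up legitimate senders, which is one reason administrators in the adoption study hesitate to publish p=reject: a strict adkim setting makes a signature from mail.example.com fail alignment. The fourth case is what "low adoption" looks like in practice; a p=none record lets the spoof through untouched.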
Defending Against Backdooring Attacks on Deep Neural Networks
Siddharth Garg, Brendan Dolan-Gavitt, Kang Liu
Deep neural networks (DNNs) provide excellent performance across a wide range of classification tasks, but their training requires high computational resources and is often outsourced to third parties. Recent work has shown that outsourced training introduces the risk that a malicious trainer will return a backdoored DNN that behaves normally on most inputs but causes targeted mis-classifications or degrades the accuracy of the network when a trigger known only to the attacker is present. In this article, we provide the first effective defenses against backdoor attacks on DNNs.
Undetectable payload signature on Windows 10 with the CHAOS Framework
Ahmed Ounouh, Benjamin Cohen
The initial goal was a total takeover of a machine in order to interact concretely with a potential target. After first testing different approaches based on pre-existing techniques, such as payloads created with tools well known in the hacking world like Veil-Evasion and Venom, we found that these techniques were no longer effective.
Creating a defensive VoIP setup using VLANs
This article will break down all the complexities in VoIP by explaining in simple terms the main protocols it uses including the codecs. It will go further to review a basic call flow in SIP, its vulnerabilities and how identified risks can be minimized.
Compromising Active Directory using the pivot attack
Safwan Hnaien, Yousra Ben Youssef Boussetta
Active Directory is a directory service that shares infrastructure information for locating, securing, managing, and organizing computer and network resources, including files, users, groups, peripherals and network devices. In this article, we will compromise a Domain Controller (DC), the machine running Active Directory Domain Services. Once that is done, we can access sensitive data such as user accounts, databases, applications, and all types of information.