Wire Me Through Machine Learning

Presented at Black Hat USA 2017, July 26, 2017, 10:30 a.m. (25 minutes).

In this world of technology, where communication through email plays an important role, vicious threats also follow. One of the most beautifully crafted email threats, commonly known as the Business email compromise (BEC) scam or CEO fraud, has shown its impact on more than 400 organizations, resulting in losses of over US $3 billion. The Business email compromise (BEC) scam, also known as whaling, is a targeted attack sent to higher-level management, specifically C-level executives, masquerading as an email communication from a CEO to a CFO. These emails are designed so that they have the power to influence the target to perform financial transactions such as wire transfers on short notice. These attacks are successfully carried out by first building the trust of the target.

This paper will throw light on one of the most important tactics used by attacker(s) to design and execute a BEC attack through machine learning. BEC attacks are highly targeted and involve a high level of research through skillful social engineering. Attackers have access to more than enough data through the social media accounts of high-level executives or financially responsible members of the target organization, official websites, news, current affairs, travel plans, data breaches and insider(s). All this vital information can be used to build and train machine learning algorithms.

In this talk, we shall provide a demo of how an attacker's machine learning model can train itself with the help of the information provided to it as a feed to execute a successful attack. After data collection, feature extraction and selection are performed. Tools to perform complex data analysis are readily available. By applying regression algorithms to predict values or by using clustering algorithms to expose structure in data sets, the attacker can systematically plan for the next phase. After implementing the algorithms, the attacker can train the model to predict the output and verify that the model works. Thus, in the final phase the attacker instructs the machine to launch an attack by skillfully crafting emails with spoofed header fields. These emails are able to bypass the anti-spam filter because they closely resemble legitimate emails. We expect these methods to be used like "Target Accession as a Service" in 2017. We will also talk about mitigation steps that can be achieved with the help of machine learning.
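The abstract names the two things a defender can act on: the spoofed header fields and the short, urgent, money-focused wording of the lure. The following example, which is added here and is not code from the talk or from Symantec, shows the defender-side feature extraction that the mitigation model mentioned above would be trained on: it parses a raw message with Python's standard `email` module, derives header features (an executive's display name arriving from an external domain, a look-alike sending domain, a Reply-To that diverges from From) and body features (urgency and payment vocabulary, unusually short text), and combines them with a hand-set weighted score as a stand-in for a trained classifier. The executive roster, the internal domain `example.com`, the keyword lists, the weights and both sample messages are constructed for illustration.

```python
"""Defender-side BEC (CEO fraud) feature extraction and scoring.

Added example, not from the talk. Everything below (roster, domain,
keyword lists, weights, sample messages) is constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                       # constructed
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}   # constructed roster

# Vocabulary typical of a wire-transfer lure (constructed, not exhaustive).
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|confidential)\b", re.I)
MONEY = re.compile(r"\b(wire|transfer|payment|invoice|bank|account)\b", re.I)

# Hand-set weights standing in for a trained model's coefficients.
WEIGHTS = {
    "exec_name_external": 4.0,   # known executive's name, but not our domain
    "lookalike_domain": 3.0,     # sender domain within 2 edits of ours
    "reply_to_mismatch": 3.0,    # replies are diverted to another domain
    "urgency_hits": 1.0,         # per urgency keyword in subject + body
    "money_hits": 1.0,           # per payment keyword in body
    "short_body": 0.5,           # terse message, typical of a first contact
}
THRESHOLD = 5.0


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def extract_features(raw):
    """Parse a raw RFC 822 message and return the feature vector as a dict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(addr), _domain(reply)
    body = _body_text(msg)
    return {
        "exec_name_external": name.strip().lower() in EXECUTIVES and from_dom != INTERNAL_DOMAIN,
        "lookalike_domain": from_dom != INTERNAL_DOMAIN
        and 0 < _edit_distance(from_dom, INTERNAL_DOMAIN) <= 2,
        "reply_to_mismatch": bool(reply) and reply_dom != from_dom,
        "urgency_hits": len(URGENCY.findall(body + " " + msg.get("Subject", ""))),
        "money_hits": len(MONEY.findall(body)),
        "short_body": len(body.split()) < 60,
    }


def score(raw):
    """Return (weighted score, flagged) for a raw message."""
    feats = extract_features(raw)
    total = sum(WEIGHTS[k] * float(v) for k, v in feats.items())
    return total, total >= THRESHOLD


# Constructed sample: executive name, look-alike domain, diverted replies.
SUSPECT = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.private@freemail.example
To: john.roe@example.com
Subject: Urgent request
Content-Type: text/plain; charset=utf-8

John, I am in a meeting and cannot take calls. I need you to process a wire
transfer to a new vendor immediately. Keep this confidential until I am back.
Jane
"""

# Constructed sample: ordinary internal mail from the same executive.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: john.roe@example.com
Subject: Board deck review
Content-Type: text/plain; charset=utf-8

John, attached is the draft of the Q3 board deck. Please review the revenue
section and send comments by Friday. Thanks, Jane
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, extract_features(raw), score(raw))
```

In a real deployment the weights would come from a model fitted on labelled mail, and the header features would be joined with SPF/DKIM/DMARC results; the point of the example is that the header mismatches the abstract refers to are cheap to compute and separate the two constructed messages on their own.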


Presenters:

  • Ankit Singh - Threat Analyst Engineer, Symantec
    Ankit Singh has been working with Symantec since 2013 as a Security Response Engineer on the IPS OPS Team. His research interests include exploit and malware analysis. In his work at Symantec he provides network-based coverage for server-side as well as client-side attacks at the network layer. He has spoken at numerous engineering colleges and provided training to various government officials.
  • Vijay Thaware - Security Response Lead, Symantec
    Vijay Thaware has been working on Symantec's STAR Anti-Spam Team for the last five years as Security Response Lead. He is involved in anti-spam, anti-fraud and anti-malware content development and automation. His day-to-day work involves investigation and research into the latest email threats in order to present effective solutions.
