How to Detect that Your Domains are Being Abused for Phishing by Using DNS

Presented at Black Hat USA 2019, Aug. 8, 2019, 5 p.m. (60 minutes)

As a high-profile public-sector organization, the Dutch Tax and Customs Administration deals with criminals claiming to be representatives of the organization and contacting the public with phishing e-mails every day. By using RFC's like, RFC7208 – Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, we have developed a technique to identify phishing attacks that are carried out under the disguise of the Dutch Tax and Customs Administration. This technique is universally applicable. A precondition is access to the DNS logging. By means of this technique, insight can be obtained where the phishing e-mails are sent from and to whom the phishing e-mails are sent. In this talk we will start by explaining which standards are available to increase e-mail security. We will briefly discuss protocols such as: STARTTLS, SPF, DKIM, DMARC, DANE and MTA-STS. We also discuss advanced SPF options. Finally, we will link all of those protocols to detect if our domains are being abused for phishing attacks. The framework we have developed gives you more insight in phishing attacks conducted under the disguise of your organization's name. We firmly believe that if these techniques are used everywhere, it would lead to a significant decrease of phishing e-mails.

Presenters:

• Karl Lovink - Lead Security Operations Center, Dutch Tax and Customs Administration
  Karl Lovink is the Technical Lead of the Security Operations Center (SOC) of the Dutch Tax and Customs Administration. He must ensure that the security analysts of the SOC can do their job well in the technical field. In addition, he is responsible, among other things, for strengthening the network of governments and companies, so that the right information is quickly available in the event of threats and incidents. Karl obtained the title Master of Security in Information Technology (MSIT) at Eindhoven University of Technology. He completed the post-graduate course Judicial Expert at Leiden University, holds several GIAC certificates and furthered his knowledge in the field of ICT and security through courses such as Splunk, Taranis and Information Technology Architecture. He loves technology and has five RFID / NFC chips implanted in his body.
• Arnold Hölzel - Senior Security Consultant, SMT
  Arnold Hölzel is a senior security consultant working with SMT, a data-driven solution provider in the Benelux, and is mostly operating within the governmental SOC's. He is been doing all sorts of security related work for about 15 years now, but sees it more as an out-of-control hobby. He loves to analyze and dig through multiple terabytes of data each day, to find that one outlier of hidden treasure. He always tries to broaden his knowledge, either through training or self-study. Plain text only.

Links:

• https://www.blackhat.com/us-19/briefings/schedule/#how-to-detect-that-your-domains-are-being-abused-for-phishing-by-using-dns-15159
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2019/How to Detect that Your Domains are Being Abused for Phishing by Using DNS.mp4
• https://www.youtube.com/watch?v=yo7eFdTzxNI

Similar Presentations:

• DerbyCon 3.0 All in the Family (2013) / Phishing Like The Pros
• DerbyCon 3.0 All in the Family (2013) / Phishing Frenzy: 7 seconds from hook to sinker
• THOTCON 0x5 (2014) / Phishing Frenzy: 7 seconds from hook to sinker