Professional Phishers and Their Habits

Presented at VB2016, Oct. 5, 2016, 3 p.m. (30 minutes).

Phishing is a widespread phenomenon that is steadily growing. Professional individuals use advanced tools like phishing kits and automated mailers to cause substantial financial losses. There are even *Facebook* groups where they share mail lists and compromised servers or *GitHub* repositories with toolkits. Phishers' methods may be growing in sophistication, but we can use some of their own tools - such as various tracking services that check the impact of their phishing campaigns - to find ways to identify them.

The first part of this paper aims to present the specifics of some of the most prolific phishers and fraudsters. We will analyse their preferences - what institutions, services or industries they choose to impersonate, whether they have servers hosted only in certain countries, whether they prefer certain TLDs. We will analyse their technical competencies - whether they prefer to hack websites or create new domains, whether the templates they use are simple or whether they use HTML obfuscation techniques (JavaScript encoding, images that replace words, frames), and whether they block the IPs of security companies. We will also learn if they are careful about their real identity or if we can find out who they are.

The second part of the paper is focused on offering a possible solution for protection against phishing at browser level. We will see how generating a blacklist of tracking IDs used in malicious websites fares in detecting new phishing campaigns and the limits of this approach. We will also perform an analysis of the identified phishers, which includes the average usage time of the same ID, variation of phishing templates, frequency of new phishing domains launched, IPs and TLDs analysis, and so on.

Presenters:

  • Cristian Dantus - Bitdefender
    Cristian Dantus joined the Bitdefender team in 2015 as an online threat analyst. His research focuses mainly on phishing attacks. He has vast experience in data analysis, studying fraudulent websites and phishing trends.
  • Marius Tibeica - Bitdefender
    Marius Tibeica was born in Iasi, Romania, in 1987. He joined Bitdefender in 2008, while still a student, and is now leading the Online Threats and Web Filtering team. He is a science enthusiast and likes to build tools that help gaming communities.