Basics of Phishing: The Phishing Killchain
How would you go about creating a strategy to protect against phishing attacks?
In this blog post, we’re going to look at a framework that we refer to as the Phishing Killchain. The basic premise is to use a multi-faceted approach to achieve defence in depth, rather than relying on a single security control to act as a silver bullet. The goal of this framework is to better understand existing defensive controls, identify weak spots in your current strategy, and perhaps identify new defensive techniques altogether.
It’s important to note that the Phishing Killchain focuses on broad-based attacks against users, rather than attacks targeting individuals, such as spear phishing or whaling attacks. Broad-based attacks commonly target users or clients of a system, while targeted attacks normally target the organizations that run the system. The Phishing Killchain is based on the eight steps that an attacker goes through when performing this class of phishing attack.
The reason for approaching the problem from this angle is to reframe your thinking to an offensive perspective, with each step being an opportunity to apply defensive controls. In the world of phishing, where punitive recourse is limited and anyone can be a target, it’s important to have a higher wall than your neighbour.
1. Target Selection
The first stage involves selecting the target of the attack. This is important from a defensive perspective, as it requires you to consider your risk profile. Are you holding monetary assets that can anonymously and instantaneously be transferred across borders? If you are, you’re probably more likely to be targeted by phishing attacks. If you’ve got landmark events coming up, attacks will be coordinated in line with your marketing campaigns to maximize their effectiveness. From our experience of token sales, attacks start to appear around a week before the sale launches and continue for up to three months after the sale has ended.
In the past, we've helped platforms whose users were required to authenticate to a portal via the Civic app. We noticed that phishers trying to clone the website struggled to mimic the authentication workflow of the website. Phishers had to modify the code extensively to get their clones operating correctly. With the low barrier to entry for conducting phishing attacks, it can help to throw a technical spanner in the works to act as a deterrent.
To improve the results of a phishing attack, phishers will often try to collect data on their target before launching it. For instance, a list of users in a Slack channel is vital information for an attacker, as it provides a way to communicate directly with potential victims. This extends to collecting information about specific events or timelines. Timing an attack well can dramatically increase its effectiveness, for example by claiming to give early access to some highly anticipated event, such as a pre-sale.
If you have high-value investors, it may be worth investigating whether their credentials have appeared in places where they shouldn’t be. Searching breach data (e.g. via haveibeenpwned.com) is a good place to start.
While it’s very difficult to prevent attackers from getting their hands on this type of information, it’s worth considering what information is exposed, so that you have insight into when and where to deploy controls.
The next stage entails setting up the infrastructure. During this stage, cloning tools such as HTTrack are used to duplicate the contents of a target website. Now it becomes possible to start detecting the attacks. Domain registrations and newly issued SSL certificates can be monitored to identify potential homograph or typosquatting attacks. The attacker could alternatively use a compromised or rogue third-party website to host the infrastructure, which can be harder to detect. Referrer monitoring can be used to detect this type of infrastructure by noting requests for your site’s resources that arrive from an unexpected referring host (a clone typically keeps loading images, scripts and stylesheets from the original server). Get in touch with us if you’d like to hear more about how to do this.
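The referrer check described above, as an added example that is not the author's tooling: it parses constructed access-log lines in the Apache/nginx combined format and reports foreign hosts whose pages caused browsers to fetch our static assets. The OWN_HOSTS set, the asset extensions and the sample log entries are assumptions.

```python
import re
from urllib.parse import urlsplit

# Hostnames that legitimately embed our assets (assumed; a real deployment lists its own).
OWN_HOSTS = {"example-sale.com", "www.example-sale.com"}
# Static resources a cloned site tends to keep loading from the original server.
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".svg", ".woff", ".woff2")

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def referer_host(referer: str) -> str:
    """Lowercased hostname from a Referer value, or '' when absent ('-') or unparseable."""
    if referer in ("", "-"):
        return ""
    return (urlsplit(referer).hostname or "").lower()

def find_hotlinking_referers(lines):
    """Map foreign Referer host -> asset paths it made browsers fetch from us."""
    # Requests with no Referer are ignored: browsers drop it in many legitimate
    # cases, so the signal is a foreign host, not a missing header.
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        path = m.group("path").split("?", 1)[0].lower()
        if not path.endswith(ASSET_EXT):
            continue
        host = referer_host(m.group("referer"))
        if host and host not in OWN_HOSTS:
            hits.setdefault(host, set()).add(path)
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2018:13:55:36 +0000] "GET /static/app.css HTTP/1.1" 200 5120 "https://www.example-sale.com/login" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2018:13:56:01 +0000] "GET /static/app.css HTTP/1.1" 200 5120 "https://examp1e-sale.com/login" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2018:13:56:02 +0000] "GET /static/logo.svg?v=3 HTTP/1.1" 200 900 "https://examp1e-sale.com/login" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2018:13:57:10 +0000] "GET /login HTTP/1.1" 200 3000 "https://examp1e-sale.com/" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Oct/2018:13:58:00 +0000] "GET /static/app.js HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, paths in find_hotlinking_referers(SAMPLE_LOG).items():
        print(f"possible clone at {host}: {sorted(paths)}")
```

A single foreign referrer is a lead, not proof: legitimate aggregators and cached copies also hotlink, so review the host before acting on it.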
Once the infrastructure is operational, the content needs to be delivered to the victims. Where email is the attack vector, spam filters and email firewalls generally need to be bypassed. However, on newer platforms, such as Slack or Telegram, these defences don’t currently exist. To protect users on these platforms it’s necessary to use innovative techniques, such as bots that detect ongoing attacks. These bots can monitor for suspicious links being posted on open channels, or honeypot accounts can be used to receive messages sent directly to users.
Beyond detecting when the attack is happening, detection of phishing infrastructure provides insight into the modus operandi of the attack. Are they phishing credentials for a website, giving users fraudulent deposit addresses, or trying to steal private keys? Are they registering similar domain names or are they using compromised websites? This information can help mold a strategy to protect against specific threats or campaigns.
The user has taken the call to action and clicked on the link. Not all hope is lost, even at this late stage. This is where user education comes into full effect. If the user hasn’t already realized that the link is suspicious, hopefully they will recognize faults in the way that the site is rendered or the workflow of the authentication, or perhaps the lack of an Extended Validation SSL certificate. If they do detect the risk, they may report the link, in which case it’s useful to have an effective response plan.
Unless the victim directly deposits funds into the attacker’s address, the attacker is tasked with authenticating as the user with the phished credentials. In the case of stolen private keys, this risk is largely mitigated by users keeping their keys in hardware wallets. Controls such as 2FA and fraud detection algorithms (e.g. flagging a login from a foreign country or a large transfer to a newly added beneficiary) can be used at the application level, and potentially in the future even at the on-chain level.
The final stage involves turning the phished data into a financial profit for the attacker. This is particularly simple in the event that cryptocurrencies are stolen. Tumbling services, or simply converting funds through a service such as shapeshift.io into privacy-based currencies (e.g. Monero), can be used to remove any trace of where the money came from or went. In the event of personal data being stolen, this information can be monetized by selling it on the dark web.
This stage is difficult to defend against, unless you’re the DAO, where the Ethereum protocol was forked to prevent funds from being stolen. It’s been suggested that blacklisting addresses on exchanges or other platforms can help; however, this approach can generally be bypassed by washing the funds through multiple addresses.
If you would like help with developing your phishing countermeasures, get in touch with us at [email protected]