Detecting and Characterizing Lateral Phishing at Scale

Author(s): Ho, G; Cidon, A; Gavish, L; Schweighauser, M; Paxson, V; Savage, S; Voelker, GM; Wagner, D

Abstract: © 2019 by The USENIX Association. All rights reserved. We present the first large-scale characterization of lateral phishing attacks, based on a dataset of 113 million employee-sent emails from 92 enterprise organizations. In a lateral phishing attack, adversaries leverage a compromised enterprise account to send phishing emails to other users, benefiting from both the implicit trust and the information in the hijacked user's account. We develop a classifier that finds hundreds of real-world lateral phishing emails, while generating under four false positives per every one million employee-sent emails. Drawing on the attacks we detect, as well as a corpus of user-reported incidents, we quantify the scale of lateral phishing, identify several thematic content and recipient-targeting strategies that attackers follow, illuminate two types of sophisticated behaviors that attackers exhibit, and estimate the success rate of these attacks. Collectively, these results expand our mental models of the 'enterprise attacker' and shed light on the current state of enterprise phishing attacks.
