Here we go. Yeah, yeah. Hello. Hello.
Sorry, I'm speaking as the second speaker. Unfortunately, Constantinos is on the plane. I don't know if he can get here in time. But it's no problem because I'm presenting also at work. So there is no issue. Okay. Then a quick introduction. So we have Anagyros. Okay. Chrysantho. I hope this somewhat resembles your name, from the University of Piraeus. So we are talking about Phishing Unmasked, Decoding Human Vulnerability in an AI-Driven Cybersecurity Landscape. Since you are a stand-in at the last minute, you need to introduce yourself. But I think you can do that much better than I do anyway.
So please welcome Anagyros. I have put something after that in the next slide or so. So before I introduce myself, this work that is presented was supported by the commission in the project Lazarus.
Of course, as an always-on disclaimer, it doesn't reflect any official opinion of the European Union. Any responsibility for anything you see lies with me and Kostas. So, who we both are. I'm an ex-ICT auditor. I was working for the Hellenic Data Protection Authority for 10 years. I was chasing spammers, data protection violators, and so on. Then I passed to the private sector again. I led for three and a half years the managed security service in a big Greek security company. And alongside, I was serving as an expert witness.
And after that, I started working with Kostas, with whom I am also friends, as a PhD candidate. And I founded my own company, which provides digital forensic services, threat hunting, and many other things, which are mentioned on our site or not. So this work is a part of my PhD, of my work with Kostas, and of my everyday work. So what it has to do with is that around two and a half years ago, I noticed that many strange phishing mails were reaching my inbox.
My inbox, not exactly my inbox. As you understand, it was inbox that I monitored. So these emails had strange similarities, as you can see from the pictures. And they were all targeting Meta.
Meta, of course, is Facebook. So these phishing guys wanted to attack mainly marketing departments and people that give value to advertisement. And actually, what they did was that they informed them that they violated the ad account rule policies or whatever of Facebook. So the point is to say to them that you have these accounts that are worth a lot of money, because that's how you earn money. So I will send you a very formal mail. You will believe it is from Facebook, although the signs are there. If you notice, there are email addresses above that are not Facebook, strange titles.
Meta will never inform you like this. But it was really well structured as a text and as a mail. So many people fall for this. So the question at the time was, why were these not filtered? Although we had a tight email filtering policy. So we started analyzing the emails. First of all, we saw the links. So the scam seemed straightforward. They wanted to get the victim's data.
Of course, the nice part or strange part, however you want to name it, is that it had a valid certificate. So we always say to the victims, be careful if the certificate is valid in the site. This is a sign of trustworthiness.
Well, in this case, not. Also, they used a white-listed domain. Do you notice this web.app on the right? This is the official TLD of Google Firebase. So they used Google Firebase and the legit technology to host their sites there. Nobody would block a Google TLD. Nobody would blacklist it. So they had a way to pass undetected.
And also, they used a lot of things. Another thing, they used Salesforce. So they paid a very big company, which, if your account did violate policies, will be very bad for you because we need your account. They used Salesforce for the mail. So Salesforce is a very big company. Nobody would actually block Salesforce IPs. And then they used Google for hosting their certificates. So using these combinations, they had an attractive target and also an infrastructure that would allow them to get to the user's mailbox. So the goal was to harvest user credentials and take over their accounts.
And how did they make money? They launched that campaign, starting with the victims. So I get to the Meta account, which belongs to the marketing department of company A. So a debit or credit card is connected to that account. So I start charging money or requesting money to give accounts back. So you want your account back. It's of value to you. Pay me money, and I will give it back to you.
So this, I'm going to go for the features in the end. But this is something that remains to be seen. Analyzing the pages, and I'm not sharing, of course, the whole thing, we saw many, many things. Like that you could identify emails. We could identify, we could find victims' data. And we started looking for more. And more we found. So as soon as we had a lot of data regarding victims of these campaigns, we did an analysis. The goal first was to analyze the origin of the victims. As you see, there are a lot in the States and a lot in Australia and Europe.
Russia is exactly not targeted, because right now I think that refers to possibly actual perpetrators. And other countries we believe are involved also do not appear on the map. So you see the classic pattern where they target big countries and the countries of origin are not there. The second part was to see how the victims increased. So until the moment the paper was written, or a little earlier, you had huge spikes in June and July and May of 2023. And then you had the victims' profile. As you see, there are a lot of OS X there.
That's because marketing tends to use Microsoft computers. So you had a lot of such systems, and of course Windows systems as expected, and many other stuff. And you can see also again, which probably belongs to researchers trying to find out what was happening, and so on. Then we analyzed the victims' passwords.
Well, their strength was not so bad. You had many passwords in the upper scale, and the upper scale is a score of four, based on the zxcvbn library.
But still, these emails can now be considered leaked. And here we see the password entropy. Then we checked the passwords with the RockYou 2021 dataset. Now there is RockYou 2023, I think, online, and the extended RockYou has more than 8 billion leaked passwords. And 58% of the passwords, and a little more, were recorded in RockYou 2021. So although passwords are getting leaked, and users are informed that passwords can be checked to see if they have been leaked, still 58% of the users were using leaked passwords, which is a huge percent. And then many people provided two-factor authentication.
70,000 people, victims, provided the first two-factor authentication code. So the phishing pages initially asked for three two-factor authentication codes to use to perform various things and actually gain full access to the account. Most people provided, most victims provided the first two-factor authentication code. When it got to the second two-factor authentication code, only 11,000 provided it.
And much, much fewer provided the third two-factor authentication code. That's because at that point I think most people were understanding that something was not going well, and this was not normal. And then most people seem to have been phished on Monday, which is considered normal, because on Monday you get back to your office, you find your email full of these campaigns, and imagine if I could see per monitored instance in Office 365 like 15 to 20 mails per day or more.
So after the weekend, 40 employees got back to their offices and found that they had received mails that said, you have violated Facebook policies. Maybe they had drunk their coffee, maybe not, maybe they were tired, maybe they opened it at the end of the day or at midday. I mention all these times because it's the time when usually you are prone to errors.
Still, they opened their mail and gave their credentials. And as you see, you had victims all day-wise, even on Saturday and Sunday, because this phishing didn't stop. Here you can see victims across the continents, with the largest set of victims in Europe and in Africa.
And then, do we have people that got phished more than once? Yes, of course. So there were 1,153 mails that responded to more than one complaint. What this means is that they got one phishing site like five days ago, then three days ago they went to a second one, and so on and so on. So there are more than 2,000 that interacted twice with the phishing site, with the same phishing site. 371 that interacted three days long, and 97 that interacted four days long. So they went back because they were not sure that the page was not working, and they kept giving their passwords.
And probably, I don't remember that exactly, not the same password, different passwords they have. So if these passwords were used in different accounts, they gave access also to possible other accounts that the attackers would find. And only a very small fraction of them were researchers. So the other thing we did was analysis on how the people work.
Most of the people believed so much that these violations were true that, instead of getting angry, which as you see was a very small percent, they were calm in what they were writing. Because there was a comment section where you wrote something to Facebook, supposedly, to ask for this violation not to apply, for this restriction of the account or disabling of the account not to apply, because that was what you were threatened with. So they were either calm or defensive or formal, and they were trying to get their account not closed. Many people were pessimistic.
Also, there are many people that were urgent because all these templates had the sense of urgency, and at the same time, the people that were opening the phishing sites and giving their passwords valued so much their accounts in Meta that they needed their account working ASAP, so this urgency appeared in their replies. So here you can see how many texts we found per emotion. More than 6,000 users showed gratitude. More than 5,000 were confused with what they received.
Sorry, there was a noise. And more than 4,000 approved what appeared to try to get their account.
Okay, some were curious, some were neutral, and a very, very small percent were the ones that were angry with what they received and said angry words in their reply. And this is how their emotions scored in terms of disapproval, gratitude, and so on. So what happens next? These campaigns are still ongoing. Their victims are growing linearly, and it's like you have a hydra. Every time we check, you have new sites appearing up, new accounts in the platforms they use for sending emails or collecting the victims' data.
So unless these people are taken down, and this can only be done by the police, this will continue going on because they are getting, they are making more and more money. They are getting, they are making money. And if you make money and nobody catches you, then it's okay. You can continue. Or if you don't have any ethical remorse, and as you guess in this case, they don't have any ethical remorse, you can continue on and on and on. So what can you do? You need to stay alert. If you see somebody saying you have violated Facebook policy, don't believe it.
If you are, for example, in the hotel industry, and somebody tells you, a customer left a packet in his room, please click on this link to see the photo. Please click on the, or a customer has a complaint, we are from Booking. Click this, and you will see the complaint. Don't click it. Make sure it is from the person it says it is from, and verify it with a contact detail you actually have. Check the URL. If it says it's from DHL in Germany, check it's actually from DHL in Germany. The URL is there. It's not taking you to any weird site.
Even if you click it, go and check the URL above in the browser. Is it the one I'm expecting to see? Or is it some weird country that it shouldn't be there? Find your email filters. Make sure you block as much as you can of malicious activity. These people, and not only these people like we saw before in the slides, many more like them that are targeting other brands, that are trying to infect with malware, will keep coming on because they're making money. Educate your end users. What you take from here, what you hear on the Internet, try to pass to your fellow colleagues.
Try to tell them to be careful. If need be, raise awareness with posters, make trainings, and so on. All the work seen before, and much more that I didn't say, is available in our paper, which is available at the URL in the presentation. If you want to reach us, we are available on LinkedIn and on the emails you see. That was really interesting. And thank you for the hard work, obviously. Thank you.
Thank you, too. So you're monitoring this continuously onwards, right?
Yeah, I'm monitoring like two and a half years now. And I will keep monitoring to the extent possible always, as you understand. Until hopefully somebody takes this down.
Yeah, hopefully. Thank you very much again. We're running late, but it was great that you stepped in and that you did the presentation. Thank you very much for the work. Thank you. Thank you very much.
Okay, so we gained a few minutes back, which is good. So getting closer to the coffee.