It seems today that threat actors can access almost any tool they need to wreak havoc on the unprotected, and now there’s Phishing-as-a-Service (PHaaS) available on the dark web for all the newbies who want to add phishing to their arsenal. You can purchase PHaaS as a kit, complete with website and hosting for a month! According to a ZDNet article, one particular PHaaS operation has over 67,000 users who have stolen data from over 750,000 accounts, an average of 1,700 per day – certainly no small operation.
What makes Phishing-as-a-Service even more of a threat, besides the ease of use and cost (as low as $50 for a download), is how evasive it is. According to a report by security provider Cyren, 87 percent of phishing kits include evasive techniques that make traditional security methods ineffective. Many kits are hosted on public cloud services, such as Microsoft Azure, which present legitimate domains and SSL certificates. Because these domains are whitelisted, they present a false sense of security that even security experts have difficulty detecting. Besides legitimate cloud hosting, Cyren identified five other popular evasion methods:
HTML Character Encoding – allows an email’s HTML code to display properly in web browsers but hides certain trigger words that most email security systems flag.
Content Encryption – the content of the email is encrypted along with the attachments, preventing them from being seen by security solutions until it’s too late.
Inspection Blocking – perhaps the most popular evasion technique included in phishing kits, it uses a block list to prevent connections from specific IP addresses and hosts that are associated with certain security providers.
Phishing URLs in Attachments – by hiding the phishing URLs in attachments instead of the email itself, detection becomes more difficult. We blogged a while back about weaponized documents, which would fall into this category. Weaponized documents have also become the phishing scheme of choice for nation states that target rival embassies, governmental offices, and agencies.
Content Injection – phishing threat actors include links to legitimate but vulnerable webpages or apps which redirect users to phishing sites.
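The HTML character encoding method in the list above works against filters that match trigger words in the raw HTML source. The following added example (not code from Cyren or SlashNext; the trigger words and the sample message are constructed for illustration) shows a defender-side check that matches against the text a browser would actually render.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Assumed trigger words for illustration; a real filter maintains its own list.
TRIGGER_WORDS = ("password", "verify your account")

# Zero-width characters and the soft hyphen: invisible when rendered.
INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff\u00ad"))


class _TextExtractor(HTMLParser):
    """Collects rendered text only, skipping <script> and <style> bodies."""

    def __init__(self):
        # convert_charrefs=True decodes entities such as &#111; or &#x200b;
        super().__init__(convert_charrefs=True)
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def rendered_text(html_body: str) -> str:
    """Return lower-cased text with entities decoded and invisibles removed."""
    parser = _TextExtractor()
    parser.feed(html_body)
    parser.close()
    # Join without separators so words split by inline tags are rejoined.
    text = unicodedata.normalize("NFKC", "".join(parser.parts))
    return re.sub(r"\s+", " ", text.translate(INVISIBLE)).strip().lower()


def find_triggers(text: str) -> list:
    """Return the trigger words present in already-lower-cased text."""
    return [w for w in TRIGGER_WORDS if w in text]


# Constructed sample: entity-encoded letters plus a zero-width space.
SAMPLE = "<p>Please veri&#102;y your ac&#99;ount: enter your pass&#x200b;w&#111;rd</p>"
```

Matching on `SAMPLE.lower()` finds nothing, while matching on `rendered_text(SAMPLE)` finds both trigger words.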
These evasion methods are designed to get around traditional anti-phishing security solutions, and they are working! SlashNext’s SEER™ threat detection technology (Session Emulation & Environment Reconnaissance) goes beyond traditional solutions and can stop all of the above evasive maneuvers. Here’s how…
SlashNext Targeted Phishing Defense monitors Internet traffic with a Real-Time Page Scanning (RPS) appliance that connects to a SPAN port. The appliance selects traffic for further analysis and sends anonymized session header and meta info to the SlashNext threat detection cloud for real-time SEER analysis.
Suspicious pages are rendered with virtual browsers in the SlashNext threat detection cloud. SlashNext SEER technology inspects the site using advanced computer vision, OCR, NLP, and active site behavior analysis.
SEER analysis features are fed into machine learning algorithms which deliver a single, accurate, definitive verdict: malicious or benign. There are no inconclusive threat risk scores and near-zero false positives.
Malicious URLs, domains, IPs, and IOC metadata are sent to the appliance and viewable in the local SlashNext console. They are also added to the global SlashNext Real-Time Phishing Threat Intelligence feed, which can be accessed via Web APIs for automated ingestion by security infrastructure.
Are you protected from these evasive phishing tactics? You can check this technology out yourself. Contact us to learn more.