The evolution of phishing attacks over the past couple of years has shown a growth in sophistication that is rendering traditional cybersecurity protocols insufficient. While traditional virus protection software still plays a role, it’s important to think holistically to defend against today’s threat actors. The Ponemon Institute shared research that showed 77 percent of phishing attacks are launched via file-less techniques that go undetected by standard endpoint security solutions. In other words, today’s phishing threat actors no longer solely rely on a simple email attachment to ensnare their victims.
We’ve shared several posts that examine these growing attack vectors and a recap is in order:
- Malicious browser extensions. Browser extensions by design have full access to most of the browser’s resources and to the information being entered and rendered within the browser. It was just a matter of time before cybercriminals realized that injecting malicious code into browsers, disguised as benign-looking browser extensions, would give them unlimited access to much of the data passing through the browser.
To add further complications, these plugins run inside browser memory, so SSL encryption is not a problem for them. And in order to bypass two-factor authentication (2FA), these plugins usually wait for the authentication phase to be completed before snooping on the authenticated session and stealing data to mount further attacks.
- Credential stealing. Perhaps the oldest form of phishing, credential stealing is designed to trick the user into giving up their login credentials via a spoof website or popup. The problem today is that many of these fake sites mirror legitimate trusted brands, tricking even the savviest professionals into falling victim.
- Technical support scams and scareware. Typically, scareware starts with a pop-up that displays a “scary” message, such as a warning about a computer virus, prompting the user to click a link that downloads malware and infects the device. At this point, credit card data can be captured, credentials stolen, or a device or computer compromised. In some instances, clicking the link to fix a fake virus may uninstall legitimate antivirus software, leaving a computer, mobile device, or network vulnerable to attack.
- Phishing callbacks and command-and-control (C2) attacks. These usually begin with a phishing attack that installs malicious code onto an unsuspecting employee’s device through a browser extension, weaponized document or rogue software. The attacks are often extremely targeted toward employees who control organizational personally identifiable information (PII) or financial data – typically in human resources or accounts payable departments. Once a machine is compromised, the hacker will ping the infected device for a callback to test the new connection and determine whether the transmission will go undetected by the organization’s security. We often see these callback attempts in the form of zero-byte FTP file transfers or IRC communications. The majority of the time these test transmissions go undetected.
- Weaponized documents. These are an example of attacks that can come from a web download, a shared drive or a file attached to a legitimate-looking email. PDFs, Excel, Word or other Microsoft Office documents can all be compromised to contain code, links, or even videos that covertly release malware, trojans, ransomware or even remote access software onto a system or network. Even when a weaponized document starts with an email, most traditional anti-phishing email products won’t identify the malicious phishing attack when it’s downloaded through the other vectors (shared drives or web downloads of PDFs, Excel, Word or other Microsoft Office documents).
- Multi-stage phishing attacks. It starts with a link sent in an email that is not itself malicious but leads to what appears to be a benign site. Once that website is opened, the user performs a task and a local HTML file is downloaded to their computer. When the user opens that file from their desktop, a local HTML page is launched with a link to continue, which sends them to the final domain where the phishing content is delivered. The bad guys are forcing a rational human through multiple steps that security equipment would normally have trouble following. They don’t allow a phishing site to appear unless they can confirm that a human is interacting with the site. This means that even if the final phishing domain is on a blacklist, traditional anti-phishing security cannot protect users from it until someone or some technology follows the entire user process and reaches the point where the phishing site finally reveals itself.
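The callback test described under phishing callbacks (zero-byte FTP transfers and IRC traffic from a freshly compromised host) is something a defender can look for in egress logs. The following is an added example, not code from the original post or from SlashNext; it assumes a constructed key=value firewall log format, RFC 1918 ranges as "inside", and 6667/6697 as the IRC indicator ports.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of key=value firewall log lines (made up for this example, not real traffic).
SAMPLE_LOG = """\
2024-03-01T10:15:02Z src=10.0.4.23 dst=203.0.113.7 proto=tcp dport=21 app=ftp bytes_out=0 bytes_in=0
2024-03-01T10:15:09Z src=10.0.4.23 dst=203.0.113.7 proto=tcp dport=6667 app=irc bytes_out=84 bytes_in=120
2024-03-01T10:16:44Z src=10.0.4.51 dst=10.0.9.2 proto=tcp dport=21 app=ftp bytes_out=0 bytes_in=0
2024-03-01T10:17:10Z src=10.0.4.23 dst=198.51.100.20 proto=tcp dport=443 app=https bytes_out=1520 bytes_in=48211
2024-03-01T10:18:03Z src=10.0.4.88 dst=198.51.100.9 proto=tcp dport=21 app=ftp bytes_out=2048 bytes_in=310
"""
# Assumptions: RFC 1918 ranges are "inside"; 6667/6697 are the IRC ports treated as an indicator.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IRC_PORTS = {6667, 6697}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_line(line: str) -> Dict[str, str]:
    """Parse one 'timestamp key=value ...' line into a dict; empty dict if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def detect_callbacks(log_text: str) -> List[Dict[str, str]]:
    """Flag inside->outside flows matching the two callback patterns the post names."""
    alerts = []
    for raw in log_text.splitlines():
        f = parse_line(raw)
        if "src" not in f or "dst" not in f:
            continue  # blank or malformed line
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # only traffic leaving the network matters here
        zero_bytes = f.get("bytes_out") == "0" and f.get("bytes_in") == "0"
        rule = None
        if f.get("app") == "ftp" and zero_bytes:
            rule = "zero-byte-ftp-to-external"  # empty transfer used as a connectivity probe
        elif int(f.get("dport", "0")) in IRC_PORTS:
            rule = "irc-to-external"  # workstations rarely have a reason to speak IRC
        if rule:
            alerts.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"], "rule": rule})
    return alerts
```

On the sample, the internal-to-internal zero-byte FTP line is ignored and both alerts point at the same workstation and destination, which is the pairing worth escalating.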
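The local HTML file in the multi-stage attack above has a tell: almost no visible content, and its only job is to send the user on to an external domain via a link or meta refresh. As an added example (not code from the original post or from SlashNext), here is a triage heuristic for downloaded HTML files; the two sample pages are constructed, and the 30-word threshold and `.invalid` hostnames are assumptions.

```python
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Constructed samples (made up for this example). The first imitates the tiny "click to continue"
# page the post describes; the second is an ordinary saved page with real content and no links.
STAGE_HTML = """<html><head><meta http-equiv="refresh" content="5;url=https://final-stage.invalid/login">
</head><body><p>Your document is ready.</p>
<a href="https://final-stage.invalid/login">Continue</a></body></html>"""
BENIGN_HTML = """<html><body><h1>Quarterly notes</h1>
<p>Revenue grew in the north region. Headcount was flat. Three suppliers were onboarded.</p>
</body></html>"""

class _Collector(HTMLParser):
    """Gather outbound links, meta-refresh targets and the visible word count from one page."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []
        self.words = 0
    def handle_starttag(self, tag, attrs) -> None:
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            if "url=" in content.lower():
                self.links.append(content.split("=", 1)[1].strip())  # "5;url=https://..." -> URL
    def handle_data(self, data: str) -> None:
        self.words += len(data.split())

def external_hosts(html: str) -> List[str]:
    """Distinct hosts the page sends the user to (anchors and meta refresh), in order seen."""
    c = _Collector()
    c.feed(html)
    hosts: List[str] = []
    for link in c.links:
        host = urlparse(link).hostname  # relative links have no host and are ignored
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def looks_like_stage_page(html: str, max_words: int = 30) -> bool:
    """Heuristic: almost no visible text, and the page exists only to send the user elsewhere."""
    c = _Collector()
    c.feed(html)
    return c.words <= max_words and bool(external_hosts(html))
```

The hosts returned by `external_hosts` are what you would hand to URL-rendering or reputation checks, which is exactly the step the post says a blacklist alone never reaches.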
These are just some of the many phishing attacks that do not rely on traditional email as the sole attack vector. When you factor in the speed and volume at which these phishing attacks unfold – tens of thousands of new phishing sites going live each day, most disappearing within 4 to 8 hours – you can see the problem that organizations face in preventing these attacks.
It’s not possible to remember the millions of blacklisted URLs or to take the time to cross-verify the origins of a site. Most employees are not tech-savvy users; they are not trained to detect these types of sophisticated phishing attacks, and they simply fall victim. Human vulnerability, human-vetted threat intelligence and traditional blacklists are no match for today’s fast-moving phishing threats.
Most of the industry is examining phishing URLs and domains. That data is often not accurate or fast enough to detect new and fast-moving phishing attacks. What’s needed is a new approach!
The optimal method for detecting phishing centers on the behavioral analysis of the content. If something looks suspicious, it’s loaded into a virtual browser session that renders the whole page, so that our Session Emulation and Environment Reconnaissance™ (SEER) threat detection technology can detect threats missed by URL inspection and domain reputation analysis.
Through multiple live sources, we proactively scan billions of global internet transactions and millions of suspicious URLs daily. Suspect URLs are rendered with millions of virtual browsers in our threat detection cloud. SEER technology inspects the site with advanced computer vision, OCR, NLP, and active site behavior analysis. SEER analysis features are fed into machine learning algorithms that deliver a single definitive verdict: malicious or benign. There are no inconclusive threat scores and near-zero false positives. Malicious URLs, domains, and IPs are continuously added to our Real-Time Phishing Threat Intelligence feed and are available in multiple machine-readable formats via Web APIs.
This approach is entirely different from other threat feed products, which offer only a probability that a site is malicious or suspicious. With a binary approach, we can offer our feed for automated blocking purposes through a firewall. It’s a continuously updated list of zero-hour phishing URLs, domains and IPs, with IOCs, that can stop an attack before it happens. Most threat feeds are not even suitable for blocking purposes and are usually used in research. We are marketing our threat feed for instant blocking because there are near-zero false positives, so there is little risk of blacklisting legitimate websites.
You can check this technology out yourself. Contact us to learn more or try SlashNext Real-Time Phishing Threat Intelligence free for 15 days.