Anyone who works in the cyber-security field knows that phishing attacks – especially those against large enterprises – are on the rise. The odds of success are in the attacker’s favor because these attacks rely on uniquely human factors that are notoriously exploitable.
Phishing attacks have evolved over the years. In the past they were simple: the attacker would send a message with a link to a bogus site to trick a user into running malicious code on their computer. Today, however, phishing attacks are highly complex, and the damage to the victim can be extremely severe and even irreversible.
The most effective phishing attack in today’s threat landscape, the one that can infiltrate every layer of defense, is spear phishing. The vast majority of headline-making data breaches in recent years started with spear phishing attacks.
Spear Phishing: The Art of Seduction
First, the attacker chooses a victim organization, let’s say www.contoso.com. The attacker then uses a dynamic DNS service and a virtual server to publish a similar site under a similar name, such as www.comtoso.com, on the assumption that users will not notice the minor change in the URL.
In the second phase, the attacker copies the www.contoso.com site using scraping or data-harvesting tools such as Automation Anywhere or Ion. Now the attacker has a lookalike site under the name www.comtoso.com. All that is left is to draw victim users to the fake site so that visitors enter their credentials there. The attacker’s next step is therefore to collect as many email addresses as possible using fingerprinting tools like Foca and Maltego.
Now the attacker only has to wait for a user to log in to the bogus site with valid Contoso credentials, and then collect them. At that point, as attackers often say, it’s game over.
Anti-phishing products and services have also been around for quite some time and they occupy a significant area of the cyber security industry. Antivirus programs now often include anti-phishing features and most browsers are automatically equipped with Google Safe Browsing; this combination provides a moderate level of anti-phishing protection, but is not enough to protect a company against a sophisticated attack.
Anti-phishing solutions can be integrated into web browsers or operate standalone, and they frequently use similar methods to detect phishing attacks.
All anti-phishing vendors collect intelligence in the form of URL blacklists. They build these with reputation analysis technology that scores domains and related data, such as black-listed top-level domains (TLDs). Some sites provide this information for free; http://www.borderware.com/ is one example. The information behind these services can also come from mail block lists and reported sites.
The downside of this method is that most attackers use ‘throw-away’ domains: they register domain names for their malicious URLs but use them only for brief periods of time. This lets them fly under the radar of URL blacklists and reputation analysis technology.
Phishing Alerts for Registrars and Hosting Providers
Registrars, hosting providers and ISPs can provide a footprint of their IP addresses, name servers and Whois servers. Anti-phishing software is continuously updated with this information and can alert users based on it.
Various toolbars can be installed on today’s most popular browsers. These toolbars constantly monitor the URLs being visited and report back to the software so they can be matched against a rule-based policy.
DNS Search Protection
With this method of protection, domains that are deceptively similar to legitimate websites are logged in repositories. The software monitors DNS registrations daily for specific alert patterns and also probes potential lookalike domains at common TLDs and registration points such as .com, .net and .free.fr.
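As an added illustration of this kind of lookalike-domain monitoring (example code written for this edit, not a Radware product or code from the original post), the following Python flags new registrations that resemble a protected domain, using the contoso/comtoso pair above. The confusable-character table, the registration feed and the edit-distance threshold are constructed assumptions.

```python
# Pairs a reader's eye confuses; labels are normalized before comparison so
# "rn" vs "m" or "0" vs "o" count as a match. Constructed, not exhaustive.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

def normalize(label: str) -> str:
    for lookalike, canonical in CONFUSABLES:
        label = label.replace(lookalike, canonical)
    return label

def second_level(domain: str) -> str:  # 'www.comtoso.com' -> 'comtoso'
    parts = domain.lower().strip(".").split(".")
    if parts[0] == "www":
        parts = parts[1:]
    return parts[-2] if len(parts) >= 2 else parts[0]

def edit_distance(a: str, b: str) -> int:  # Levenshtein, single-row DP
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate: str, protected: str) -> str:
    """Return 'exact', 'homoglyph', 'embedded', 'typo' or 'clean'."""
    c, p = second_level(candidate), second_level(protected)
    if c == p:
        return "exact"      # same label under another TLD, e.g. contoso.net
    if normalize(c) == normalize(p):
        return "homoglyph"  # c0ntoso, rn in place of m, and similar
    if p in c:
        return "embedded"   # contoso-login, contosobank, ...
    if edit_distance(c, p) <= 1:
        return "typo"       # comtoso, contso, contosso
    return "clean"

def scan(new_registrations: list[str], protected: list[str]) -> dict[str, list[str]]:
    """Map each suspicious registration to the verdicts it triggered."""
    hits = {}
    for d in new_registrations:
        for p in protected:
            verdict = classify(d, p)
            if verdict != "clean":
                hits.setdefault(d, []).append(f"{verdict}:{p}")
    return hits

# Constructed sample feed standing in for one day's new registrations.
NEW_REGISTRATIONS = ["www.comtoso.com", "c0ntoso.net", "contoso.io", "contoso-login.com", "example.org"]
PROTECTED = ["www.contoso.com"]
```

Running `scan(NEW_REGISTRATIONS, PROTECTED)` flags four of the five constructed domains and leaves example.org alone; a real deployment would feed it a daily zone-file or certificate-transparency diff instead of the inline list.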
SSL Site Search Protection
Phishing attacks that make use of SSL certificates are especially dangerous, as most users associate the presence of a valid SSL certificate with an increased level of assurance. Some products are able to search more than five million SSL certificates for forgeries.
The most important and effective way to safeguard against phishing attacks is educating employees and heightening their awareness of social engineering attacks. Many organizations offer security education programs, and these enable users to become more aware of the most current risks and threats.
The bottom line is that the problem lies somewhere between the chair and the keyboard. It is ultimately up to the end user to read all emails and alerts with a critical eye and decide whether the information and the links are safe or not. As long as the decision is in the hands of the user, the chances of success in phishing attacks will remain high and that’s exactly what keeps the anti-phishing industry growing. Organizations will keep searching for solutions, and anti-phishing technology must continue to develop in accordance with this demand.
Snir Karat is an information security expert for the Radware Emergency Response Team with vast experience in information technology, network analysis, and application security risks. He specializes in network and application security for Radware’s premium customers. Prior to working at Radware, Mr. Karat was an information security consultant at EY and a manager of CISO services for various industries where he handled penetration tests and incident response.