
Ways to Protect Against Modern Day Spear Phishing

January 13, 2016 — by Snir Karat

Anyone who works in the cyber-security field knows that phishing attacks – especially those against large enterprises – are on the rise. The odds of success are in the attacker’s favor because these attacks rely on uniquely human factors that are notoriously exploitable.

Phishing attacks have evolved over the years. In the past they were simple: attackers would send a message with a link to a bogus site to trick a user into running malicious code on their computer. Today, however, phishing attacks are highly complex, and the damage to the victim can be extremely severe and even irreversible.

The most effective phishing attack in today’s threat landscape, the one that can infiltrate all layers of defense, is spear phishing. The vast majority of headline-making data breaches in recent years started with spear phishing attacks.

Spear Phishing: The Art of Seduction

First, the attacker chooses a victim, let’s say www.contoso.com. The attacker then uses a dynamic DNS service and a virtual server so they can publish their own lookalike site under a similar name, such as www.comtoso.com, assuming that users will not notice the minor change in the URL.

In the second phase, the attacker copies the www.contoso.com site using scraping or data-harvesting tools such as Automation Anywhere or Ion. Now the attacker has a lookalike site under the name www.comtoso.com. All that is left for them to do is to draw victim users to the fake site so that visitors enter their credentials. The attacker’s next step is to collect as many email addresses as possible using fingerprinting tools like Foca and Maltego.

Now the attacker only has to wait for a user to log in to the bogus site with valid Contoso credentials and collect them. Then, as attackers often say, it’s game over.


Anti-Phishing Techniques

Anti-phishing products and services have also been around for quite some time, and they occupy a significant area of the cyber security industry. Antivirus programs now often include anti-phishing features, and most browsers come equipped with Google Safe Browsing; this combination provides a moderate level of anti-phishing protection, but it is not enough to protect a company against a sophisticated attack.

Anti-phishing solutions can be integrated into web browsers or operate standalone, and they frequently use similar methods to detect phishing attacks.

Domain reputation

All anti-phishing vendors collect intelligence in the form of URL blacklists. They build these using reputation analysis technology for domain reputation and related data, such as black-listed top-level domains (TLDs). Some sites provide this information for free – http://www.borderware.com/ is one example. The information from these services can also come from mail block lists and user-reported sites.

The downside to this method is that most attackers use ‘throw-away’ domains: they register domain names to host malicious URLs for only brief periods of time. This lets them fly under the radar of URL blacklists and reputation analysis technology, which need time to learn that a domain is malicious.

Phishing Alerts for Registrars and Hosting Providers

Registrars, hosting providers and ISPs are able to provide a footprint of their IP addresses, name servers and Whois servers. Anti-phishing software is continuously updated with this information and can raise alerts to users based on it.


Toolbars

There are various toolbars that can be installed on today’s most popular browsers. These toolbars constantly monitor the URLs the user visits and report them back to the software, which matches them against a rule-based policy.

DNS Search Protection

With this method of protection, domains that are deceptively similar to legitimate websites are logged in repositories. The software monitors new DNS registrations daily for specific alert patterns and also probes potential lookalike domains at common TLDs and registration points like .com, .net and .free.fr.

SSL Site Search Protection

Phishing attacks that make use of SSL certificates are especially dangerous, as most users associate the presence of a valid SSL certificate with an increased level of assurance. Some products have the ability to search over five million SSL certificates for forgeries, i.e. certificates issued for lookalike names.
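Both the DNS search protection and the SSL site search protection described above come down to the same check: take a stream of observed names (daily registrations, or the subject names on newly issued certificates) and flag the ones that impersonate a protected brand. The following Python is an added example written for this post, not a product or code from the original article; it uses the page’s www.contoso.com / www.comtoso.com pair, a constructed sample feed, and a small constructed homoglyph table. It goes slightly beyond the single transposition in the text by also catching digit-for-letter substitutions, padded names such as contoso-login, and the brand used as a subdomain of an unrelated domain.

```python
# Lookalike-domain detector for a brand-protection watch list (added example).
# Protected brands and the CONFUSABLES map are constructed illustrations.

PROTECTED = ["contoso.com"]  # the page's example brand

# Characters commonly swapped for one another in typosquatting registrations.
# Constructed subset, not an exhaustive homoglyph table.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def registrable_label(domain):
    """Label left of the public suffix: 'comtoso' for 'www.comtoso.com'.
    Assumes a single-label suffix (.com, .net); two-label suffixes such as .co.uk
    would need a public-suffix list, which this example deliberately omits."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Fold homoglyphs so that 'c0ntoso' and 'contoso' compare equal."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def damerau_levenshtein(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(domain, protected=PROTECTED, max_distance=1):
    """Return (verdict, brand): 'exact' for the brand or its own subdomains,
    'lookalike' for a near miss, padded name or brand-as-subdomain, else 'unrelated'."""
    host = domain.lower().strip(".")
    labels = host.split(".")
    for brand in protected:
        brand = brand.lower()
        brand_label = registrable_label(brand)
        if host == brand or host.endswith("." + brand):
            return ("exact", brand)
        folded = normalize(registrable_label(host))
        # One edit away after homoglyph folding: comtoso, c0ntoso, contsoo.
        if damerau_levenshtein(folded, brand_label) <= max_distance:
            return ("lookalike", brand)
        # Brand embedded with padding (contoso-login) or as a subdomain (contoso.com.evil.net).
        if brand_label in folded or brand_label in labels:
            return ("lookalike", brand)
    return ("unrelated", None)


# Constructed sample feed, standing in for a daily registration watch or the
# subject alternative names pulled from newly issued certificates.
OBSERVED = [
    "www.contoso.com",
    "www.comtoso.com",
    "c0ntoso.net",
    "contoso-login.com",
    "contoso.com.evil.net",
    "example.org",
]


def scan(observed=OBSERVED):
    """Return [(domain, brand)] for every observed name classified as a lookalike."""
    hits = []
    for name in observed:
        verdict, brand = classify(name)
        if verdict == "lookalike":
            hits.append((name, brand))
    return hits


if __name__ == "__main__":
    for name, brand in scan():
        print(f"ALERT: {name} looks like an impersonation of {brand}")
```

The substring rule is intentionally greedy, so a legitimately unrelated name that happens to contain the brand label will also be flagged; in practice the output of `scan` is a review queue for an analyst, not an automatic block list, and a public-suffix list should replace the single-label suffix assumption before this is run against real registration or certificate feeds.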

Awareness

The most important and effective way to safeguard against phishing attacks is through the education of employees and the heightening of their awareness of social engineering attacks. Many organizations offer education programs about security, and these enable users to become more aware of the most current risks and threats.

The bottom line is that the problem lies somewhere between the chair and the keyboard. It is ultimately up to the end user to read all emails and alerts with a critical eye and decide whether the information and the links are safe or not. As long as the decision is in the hands of the user, the chances of success for phishing attacks will remain high, and that’s exactly what keeps the anti-phishing industry growing. Organizations will keep searching for solutions, and anti-phishing technology must continue to develop in step with this demand.


Snir Karat

Snir Karat is an information security expert for the Radware Emergency Response Team with vast experience in information technology, network analysis, and application security risks. He specializes in network and application security for Radware’s premium customers. Prior to working at Radware, Mr. Karat was an information security consultant at EY and a manager of CISO services for various industries where he handled penetration tests and incident response.

2 comments

  • Mackenzie Fribance

    January 14, 2016 at 4:03 pm

    Another solution emerging is in the field of UEBA (User and Entity Behavioral Analytics) that overlays behavior as a second factor authentication. Devalue the hack by making a username and password combination insufficient to gain access to your valuable information. Only you type your password the way you do. With @Tickstream from Intensity Analytics, for example, even if a hacker has your password they cannot replicate your behavior and your information remains secure.


    • Snir Karat

      January 17, 2016 at 2:36 pm

      Hi Mackenzie Fribance,
      UEBA is indeed an emerging technology, but as far as I know this technology is not yet mature.
      When hackers attack with the spear-phishing method and collect employees’ credentials, they will try to use these against internet-facing assets such as a VPN connection or web application. Two-factor authentication on these assets will indeed dramatically reduce the odds of infiltrating the organization. However, there are many other ways to get in, and users often use the same set of credentials for their private email, social networks, etc.
      I do believe that in the future UEBA will develop in a way that can prevent users from entering their credentials into such emails.
