Gone Phishing
Phishing
As of 2024, phishing is one of the main IT security challenges. As the details of high-profile security incidents of recent years emerge, a common pattern appears: things tend to start with a well-crafted phishing e-mail.
An employee clicks on the link and fills in their login credentials, which in turn can be leveraged to log in to various, remotely accessible IT systems. The attackers log in, impersonate the employee, and plant a stager that will allow the machine to be accessed later.
Depending on the level of stealth, the connection attempt can take place days or even weeks later, but once it is made, a command-and-control (C2) framework allows the attackers to expand their initial foothold within the IT infrastructure. At the end of the day, the attackers exit the scene with loads of valuable data, leaving the victim’s IT staff with many months of serious incident response and forensic investigation work.
This is all too easy, and the frightening truth is that attackers know it: should today’s campaign yield no results, there is no need to worry. They will try again tomorrow or the day after. Eventually someone *will* fall for it.
From a protection perspective, phishing campaigns need to be stopped as soon as possible since, like it or not, the attackers’ main argument holds: eventually someone will fall for the scam and click on the link if the emails make it to the inboxes.
An anti-virus can only be the last line of defence. Even with the best security training in place, attackers need to win only once.
Protection Approaches
In the phishing attack taxonomy, there are many different subtypes. However, most boil down to a malicious website mimicking a legitimate login page and prompting the victim to fill in their credentials. Should the Endpoint Protection Platform (EPP) detect the malicious page harvesting user credentials, the attack is unsuccessful. Otherwise, it is a win for the attackers.
As with everything in IT, there are several known ways to implement such an attack, ranging widely in complexity and in the effort required to succeed. In order to provide dependable protection, AVs have several tricks up their sleeves.
URL Pattern Detection
URL pattern detection is probably the most widespread method, as any decent AV needs to reliably block known malicious phishing URLs. To thwart phishing campaigns, coordinated lists of phishing URLs are maintained among members of the AV community. Should an incoming e-mail point to a known URL on the list, the anti-virus will intervene.
In most cases, where attackers do not put too much effort into the campaign, this method of protection is suitably reliable. However, a major shortcoming of this approach is that it cannot detect zero-second URLs on neutral domains, i.e. brand-new links that are not yet on any list. As a result, should the attackers do their homework, URL pattern detection mechanisms are easy to circumvent.
To their credit, Google, Microsoft and other major players in the IT industry do their best to detect phishing sites as soon as they become active. For instance, when a new certificate is obtained through Let’s Encrypt / Certbot, the certificate generation and domain verification phases are immediately followed by a curious visit from a Google bot fetching the actual content of the site. Should the bot identify the newly created page as a phishing site, the domain is immediately included in the list of known malicious URLs, and this information is circulated within a couple of minutes. A very handy and efficient feature indeed, as every Red Team discovers during its first campaign.
Content Analysis
Content analysis is a method that analyses the context and the content of the web page to make its decisions. This approach is far more flexible and is able to detect new phishing sites that no one has ever encountered before. Such URLs are not on any block list, yet the submission of sensitive credentials can be prevented, provided the detection mechanisms are up to the task. When done correctly, content analysis can detect phishing sites and thereby protect high-profile users (e.g. CEOs, politicians) against targeted spear phishing attempts.
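As an added illustration (not code from this article or from any tested product), here are the two approaches above combined in one small classifier: a host block list as the first stage, and content heuristics on the page's login form and brand name as the second, so that a zero-second URL the list has never seen can still be caught. The block list, brand allow list, hostnames and HTML are all constructed for the demo.

```javascript
// Added example (not from the article or any product): a two-stage check that
// combines a URL block list with content analysis. All data here is constructed.
const BLOCKLIST = ['evil.example', 'login-verify.example']; // known-bad hosts
const BRAND_HOSTS = { // brand keyword -> hosts allowed to present its login page
  examplebank: ['examplebank.example', 'login.examplebank.example'],
};
// Constructed page: a password form plus a brand name, served from some host.
const SAMPLE_LOGIN_HTML =
  '<h1>ExampleBank</h1><form action="/login"><input type="text" name="u">' +
  '<input type="password" name="p"><button>Sign in</button></form>';
// Canonical host: lowercase, no trailing dot; new URL() already drops the port.
function canonicalHost(url) {
  return new URL(url).hostname.toLowerCase().replace(/\.$/, '');
}

// Stage 1, URL pattern detection: the host equals or is a subdomain of an entry.
function isBlocklisted(host, list = BLOCKLIST) {
  return list.some((bad) => host === bad || host.endsWith('.' + bad));
}

// Stage 2, content analysis: only credential-collecting pages are examined.
// Simple regexes over constructed HTML stand in for a real HTML parser.
function analyseContent(url, html) {
  const host = canonicalHost(url);
  const reasons = [];
  if (!/<input[^>]*type\s*=\s*["']?password/i.test(html)) return reasons;
  // Credentials would be posted to a different host than the page came from.
  const m = /<form[^>]*action\s*=\s*["']([^"']+)["']/i.exec(html);
  if (m) {
    const target = canonicalHost(new URL(m[1], url).href);
    if (target !== host) reasons.push(`form posts to ${target}`);
  }
  // A brand is named on a host that is not allowed to show that brand's login.
  for (const [brand, hosts] of Object.entries(BRAND_HOSTS)) {
    const mentioned = new RegExp(brand, 'i').test(html);
    const allowed = hosts.some((h) => host === h || host.endsWith('.' + h));
    if (mentioned && !allowed) reasons.push(`${brand} login shown on ${host}`);
  }
  return reasons;
}

// Verdict: a listed host is blocked outright; otherwise content decides, which is
// what catches a zero-second URL the list has never seen.
function classify(url, html) {
  const host = canonicalHost(url);
  if (isBlocklisted(host)) return { verdict: 'block', reasons: ['host on block list'] };
  const reasons = analyseContent(url, html);
  return { verdict: reasons.length ? 'block' : 'allow', reasons };
}
```

Run as `node` script; `classify('https://examplebank-secure.example/login', SAMPLE_LOGIN_HTML)` is blocked by the content stage although its host is on no list, while the same page on `login.examplebank.example` is allowed.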
Phishing Tests in the 360°
Since last year, we have been testing our 360° Assessment participants in both regards as part of the Phishing Test and Certification.
We use several test cases to check the participating products’ protection against recent phishing URLs, and we also build our own phishing sites using techniques of varying sophistication. The following techniques are used to create phishing sites throughout the test:
Hand-crafted login forms
We hand-craft an HTML page that resembles a login page closely enough to fool an unsuspecting victim into entering their credentials. The internal structure (HTML, JavaScript/CSS components, etc.) is usually created from scratch, and it is usually pretty easy to spot the differences from the real login site. The logo, the colours, the styles and other brand elements will be at least slightly off; however, with the proper pretext, such login forms are surprisingly effective.
Mirrored login sites
From an attacker’s perspective, this involves a specialised tool that creates a simplified HTML copy of the target login page, preserving the look and feel of the legitimate one while its internal structure and internal operations are vastly different. When done properly, the user experience is identical to that of the legitimate site.
Evilginx
This is one of the sneakiest methods, involving an invisible HTTP proxy running on the phishing infrastructure and seamlessly transferring data back and forth between the target site and the victim’s machine. Unless the target page is prepared for this attack, the phished site has identical internal operations. Note that setting up and evading Evilginx is a huge topic, as more and more pages are prepared to detect being rendered under a different domain than the one expected (the main Gmail login interface, for instance, has this feature).
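To show the defensive side of the last point, here is an added example (not this article's code, nor Gmail's or any other site's) of the kind of client-side guard a legitimate login page can carry: it refuses to submit when rendered under a hostname the site operator does not expect, which is what happens when a reverse proxy serves the page from another domain. The `EXPECTED_HOSTS` list and the `location`-like objects are constructed for the demo.

```javascript
// Added example, not the article's nor any site's own code: a client-side guard
// that notices when a legitimate login page is rendered under a hostname its
// operator does not expect (as happens when a reverse proxy serves it from
// another domain) and disables credential submission.
// EXPECTED_HOSTS and the location-like objects are constructed for the demo.
const EXPECTED_HOSTS = ['login.examplebank.example', 'examplebank.example'];

// True only when served over HTTPS from one of the operator's own hostnames.
function renderedUnderExpectedHost(loc, expected = EXPECTED_HOSTS) {
  const host = String(loc.hostname || '').toLowerCase().replace(/\.$/, '');
  return loc.protocol === 'https:' && expected.includes(host);
}

// Apply the decision to a login form. `form` is any object with a `disabled`
// property (in a browser: the submit button or a <fieldset> around the inputs);
// the returned record is what the page would send to its own telemetry endpoint
// so that the operator learns which unexpected hostnames are presenting its page.
function guardLoginForm(loc, form, expected = EXPECTED_HOSTS) {
  if (renderedUnderExpectedHost(loc, expected)) {
    form.disabled = false;
    return { action: 'enabled', host: loc.hostname };
  }
  form.disabled = true; // credentials never leave the browser from this page
  return { action: 'disabled', host: loc.hostname, reason: 'unexpected hostname' };
}

// In a browser this would be: guardLoginForm(window.location, document.forms[0].querySelector('fieldset'));
```

A proxy that rewrites response bodies can strip such a check, so it is a detection aid rather than a guarantee and is normally paired with server-side signals.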
To see how our participating enterprise EPP products handle the phishing challenge, check out our latest 360° report.