• Article
  • April 12, 2023

The Rise of Phishing

As of early 2023, phishing is one of the main corporate IT security challenges that organisations face. As we gain insight into the high-profile security incidents of 2022, a common trend is emerging: attacks often start with a well-crafted phishing e-mail.

With this in mind, we are updating the 360° Efficacy Assessment for 2023 to include a phishing test and certification, which we are currently beta testing.

How Phishing Works

An employee receives an e-mail, clicks on the link and fills in their login credentials, which are then used to log in to various remotely accessible IT systems. The attackers log in, impersonate the employee and expand their initial foothold within the IT infrastructure. Ultimately, the attackers leave the scene with lots of valuable data, leaving the victim’s IT staff with many months of serious incident response and forensic investigation work, not to mention the damage to the organisation’s reputation.

This is all too easy, and a frightening truth encourages the attackers: should today’s campaign yield no results, there is no need to worry. They will try again tomorrow or the day after, and eventually someone “will” fall for it.

From a protection perspective, phishing campaigns need to be detected and stopped as quickly as possible because, like it or not, the attackers’ main argument holds and eventually someone will fall for the scam and click on the link if the mail makes it to the inbox.

An Anti-malware product offers the last line of defense; it is therefore essential that it detects the moment a victim clicks on a phishing e-mail, as by this stage there is much at stake.

Protection Approaches

Phishing attack taxonomies define many different subtypes; however, most boil down to a malicious website mimicking a legitimate login page and asking the victim to fill in their credentials. Should the Anti-malware product detect that a malicious page is harvesting user credentials, the attack is unsuccessful. Otherwise, it is a win for the attackers.

As with everything in IT, there are multiple ways to implement an attack, varying wildly in complexity and in the effort required of the attacker. To provide dependable protection, Anti-malware products have several tricks up their sleeve.

URL Pattern Detection

URL Pattern Detection is probably the most widespread method, as any decent Anti-malware product needs to reliably block known malicious phishing URLs. To thwart widespread phishing campaigns, coordinated lists of phishing URLs are maintained within the Anti-malware community. Should an incoming e-mail point to a known URL on the list, the Anti-malware product needs to intervene. A major shortcoming of this approach is that it cannot detect 0-second URLs, i.e. brand-new phishing pages hosted on neutral domains that have no negative reputation yet.

To their credit, Google, Microsoft, and other major players in the IT industry do their best to detect phishing sites as soon as they become active. For instance, when a new certificate is obtained through Let’s Encrypt / Certbot, the certificate generation and domain verification phases are immediately followed by a curious visit from a Google bot to review the actual content of the site. Should the bot identify the newly created page as a phishing site, the domain is immediately included in the list of known malicious URLs, and this information is circulated in a couple of minutes.

Content Analysis

Content analysis is a method in which awareness of the context and content of the web page informs the software’s decisions. This approach is far more flexible and, provided the detection mechanisms are up to the task, allows the detection of phishing sites that no one has encountered before and whose URLs are therefore not yet on any block list.

When done correctly, content analysis can detect the phishing sites used in targeted spear-phishing attempts against high-profile users (e.g., CEOs and politicians).
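The two approaches above combined in a toy classifier: a blocklist lookup for URL Pattern Detection and a form-level heuristic for Content Analysis. This is an added example, not the assessment's own tooling; the blocklist entries, the brand table and the sample page are constructed for illustration.

```python
"""Toy phishing-page classifier combining the two approaches above: a URL
blocklist lookup and a content-analysis heuristic on login forms. Added example,
not the assessment's tooling; blocklist, brand table and page are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed blocklist of known phishing hosts (assumption: exact-host match).
BLOCKLIST = {"login-example-bank.test", "secure-mail-verify.test"}
# Constructed brand keyword -> hosts legitimately allowed to serve its login.
BRANDS = {"examplebank": {"examplebank.test", "www.examplebank.test"}}
# Constructed sample page: brand wording plus a password form posting elsewhere.
SAMPLE_HTML = """<html><body><h1>ExampleBank online banking</h1>
<form action="https://collector.test/post.php" method="post">
<input name="user"><input type="password" name="pass"></form></body></html>"""


class _FormScanner(HTMLParser):
    """Record each form's action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []  # entries are [action, has_password]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action") or "", False])
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "password":
            self.forms[-1][1] = True


def url_blocklisted(url):
    """URL Pattern Detection: is the host on the shared blocklist?"""
    return urlparse(url).hostname in BLOCKLIST


def analyse_page(url, html):
    """Content Analysis: list the reasons a page looks like credential harvesting."""
    host = urlparse(url).hostname or ""
    reasons = ["url on blocklist"] if url_blocklisted(url) else []
    scanner = _FormScanner()
    scanner.feed(html)
    pw_forms = [action for action, has_pw in scanner.forms if has_pw]
    for action in pw_forms:
        # A login form whose credentials leave the page's own origin is suspect.
        target = urlparse(urljoin(url, action)).hostname or host
        if target != host:
            reasons.append(f"password form posts off-site to {target}")
    if pw_forms:
        # Brand impersonation: brand wording served from a host the brand does not own.
        for brand, hosts in BRANDS.items():
            if brand in html.lower() and host not in hosts:
                reasons.append(f"{brand} login form served from {host}")
    return reasons
```

The off-site form-action check fires for hand-crafted and mirrored pages, whose forms post to the attacker's collector; a transparent proxy relays the legitimate page's own relative action, so only the brand-versus-host check remains to catch it.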

Phishing Tests in the 360° Assessment

Given the increased threat from phishing, we are introducing a phishing test and certification in our 360° Efficacy Assessment for 2023, and we will put our participants’ detection abilities to the test using both methods.

We will use several test cases to check protection against recent phishing URLs, and we will create phishing sites of varying levels of sophistication throughout the test using the following techniques.

Hand-crafted login forms – we hand-craft an HTML page that resembles a login page closely enough to fool an unsuspecting victim into entering their credentials.
Mirrored login sites – from an attacker’s perspective, this involves a specialised tool that creates a simplified HTML version of the target login page, maintaining the look and feel of the legitimate one, while its internal structure and operations are vastly different.
Evilginx – this is one of the sneakiest methods, involving an invisible HTTP proxy running on the phishing infrastructure and seamlessly relaying data back and forth between the target site and the victim’s machine. Unless the target page is prepared for this attack, the phished site has identical internal operations to the legitimate one.

It will be interesting to see how our participants handle the challenges.

Look out for the results in our future 360° Efficacy Test reports, and sign up here to receive advance copies of our quarterly reports as they are published.