Phishing is not a new phenomenon. In fact, it has been around since 1996. Today, most people are familiar with phishing and what it looks like, so a regular phishing attack isn't much of an issue to most email users.
So why is it that hackers are still trying it? Didn't they get the memo that phishing is not working?
Unfortunately, just as technology itself is evolving, so is phishing and in 2020, phishing was the number one type of cybercrime according to FBI's Internet Crime Report 2020, ahead of Remote Desktop Protocol (RDP) and software vulnerabilities.
New Types of Phishing Scams
Most email-based phishing attacks are pretty obvious and follow the same formula:
- The attacker sends malicious emails pretending to be from a legitimate organization (email providers like Gmail and Outlook, airline companies and banks are all popular choices)
- They claim that there is a problem with your account or that an award is waiting for you
- You then need to click on the link, which takes you to a page on the phishing site that looks very similar to the real one where you're supposed to enter your username and password
- Voila! You've given the attacker all that they need.
So yeah, it's a pretty straightforward formula and with some small changes in approach (the type of organization the phisher pretends to be from, are they trying to threaten or "reward" the user, etc), it's all pretty much the same.
Well, before you start celebrating the great victory over phishing scams, take a look at these much more subtle phishing attacks:
When we said that phishing is evolving, one of the best examples of this has been the emergence of Phishing-as-a-Service kits that enable less experienced and tech-savvy hackers to create their own phishing campaigns.
A phishing kit can be purchased on the dark web for about $50-$100 and it can come with different security evasion mechanisms like content injection, HTML character encoding, URLs in attachments, injection blocking content encryption and even legitimate cloud hosting.
Script spoofing, or typo-squatted domain names is a phishing technique in which the hacker registers fake domain names using similar character scripts that look almost the same as the real website.
This isn't anything new and typo squatted domain names have been around for a few years (the most prominent example being "Goggle"), but a better look was usually enough to spot the difference between the fake and the real site.
Now, however, hackers have learned to exploit different letters in the Unicode to make their phishing sites less obvious. One such example is the fake Adoḅe.com site. As you can see, the domain name looks almost identical, but if you squint you can see the little dot under the 'b'. This is because that's a different 'b'. One is U+1E05 and the other is U+0062.
Phishing Sites Adopted HTTPS
On 24th July, 2018, Google Chrome started to mark all HTTP sites as "not secure."
Since then, most website owners have added the little lock icon and users have learned to trust HTTP sites less.
However, hackers have picked up on this and are starting to use free certificate services to create their own HTTPS sites. This, of course, has the effect of making their sites look more "legitimate" and "trustworthy" and as a result, users are more likely to fall for their scheme.
Hosting Phishing Landing Pages on Public Cloud Infrastructure
Hackers have also started using the public cloud to expand their reach. In 2020, for instance, they have leveraged Oracle and Amazon public cloud services to leverage an Office 365 phishing campaign which targeted small and medium businesses.
In particular, the cybersecurity company Mitigate found that the hackers were sending phishing messages from compromised Office 365 accounts and used Oracle and AWS in the redirect chain.
According to Offer Rozmann, threat intelligence from Mitiga:
Once the link was clicked, the user is redirected through several proxies, including AWS load balancers, all the way to a legitimate but compromised website.
Inverted Landing Page Backgrounds
Another evolved phishing scam that involves landing pages is the use of landing page background images.
This is actually a clever way for a threat actor to evade detection by security tools.
According to the security firm WMC Global:
Because image recognition software is improving and becoming more accurate, this new technique aims to deceive scanning engines by inverting colors of the image, causing the image hash to differ from the original. This technique can hinder the software's ability to flag this image altogether.
Polymorphic Phishing Attack
A polymorphic phishing attack alters the email element that email security tools use to scan for phishing and spam, like the sender name, address, body, subject line, email signature, etc just enough so it can evade detection and avoid being blacklisted.
This type of phishing campaign usually hoes for a small group of employees in target organizations and once they leave their credentials on the fake login page, the hacker can use their stolen credentials to launch attacks against other users in the same network.
How to Protect Your Organization from Evolved Phishing Attacks?
The most obvious way to protect against phishing attacks is to pay close attention to any suspicious emails that you might receive and see if you can detect malicious activity in them.
However, since threat actors have evolved their phishing campaigns, that's often no longer enough often.
Instead, you need to do the following to protect your sensitive information:
- Make sure you have MFA enabled. Multifactor authentication will prevent account takeovers in those situations where the attacker has managed to get the login information via social engineering or some other method
- Check the domain name for typos and misspellings. Especially pay attention to different Unicode (see the Adobe example above)
- Use Domain-based Message Authentication, Reporting and Conformance (DMARC), DKIM (Domain Keys Identified Mail) and SPF (Sender Policy Framework) protocols to detect spam emails
- Keep anomaly detection active at the network level for inbound and outbound emails
- Raise security awareness with your employees and ensure that they know how to identify a malicious email. A good idea is to run a simulated phishing campaign to gauge their response
- Have clear policies and procedures for handling sensitive information in your organization, especially if you're have large amounts of customer data
- Make sure auto execution of code, macros, graphic rendering and link preloading at email clients is disabled
- Use a secure email service with strong anti-malware, anti-spam and other security measures, such as Liverado
Phishing attacks aren't going anywhere and as long as people use email, there will be phishing attempts and they will keep evolving.
The best defense is to make sure that you are alert and that you don't fall easy prey to them.