According to a new report, an average of 1.385 million unique new phishing sites are created every month, peaking at 2.3 million in May 2017. The majority of these are online and active for an average of just 4 to 8 hours. This combination of volume and brevity makes it effectively impossible to counter phishing — especially targeted spear-phishing and whaling — with block lists. By the time the site is included on a block list, the damage is done and the phishing site is no longer used.
Webroot’s latest Quarterly Threat Trends (PDF) report chronicles the increasing sophistication and danger in targeted spear-phishing. According to the Verizon 2017 Data Breaches Investigation Report (DBIR), phishing was found in 90% of security breaches and incidents. And according to the FBI, phishing scams have cost American businesses almost $500 million per year over the last three years.
Phishing emails are becoming more sophisticated. Mass phishing campaigns are being replaced by targeted and tailored campaigns. “Phishing emails see increased impact by using social media to tailor their attacks to the individual target — sometimes even senior executives — with messages that are likely to resonate with the individual.”
Phishing revolves around social engineering — which has always appealed to mankind’s basic emotions: greed (something for nothing); compassion (over recent natural disasters); fear (respond to this or something dire will happen); and anxiety/panic (instils the need to respond urgently). According to Webroot, the two emotions most frequently used in current phishing emails are fear and panic.
“Typical subjects may imply that there has been unusual activity on an account, a recent purchase must be verified, an account is in danger of being closed, or urgent invoices or tax bills are waiting,” warns Webroot. “Often, terms such as ‘error’, ‘warning’, ‘account closed’, ‘Microsoft-toll-free’, and ‘official alert’ are included in the subject line.”
While the quality of the emails has improved with fewer tell-tale typographical and grammatical errors, so too has the design and implementation of the phishing pages. Webroot provides two example mimicking Microsoft and PayPal. The Microsoft example includes a realistic Windows page combined with the message that the target should telephone support (rather than enter credentials online).
The PayPal example accurately mimics the PayPal login page. The login field tags, however, have been replaced by graphics. This makes it hard for traditional anti-phishing techniques to detect the fraud since web crawlers cannot ‘read’ the graphics.
Attackers try to fool their targets by using domains and URLs that appear to be related to legitimate and benign organizations. According to Webroot, the most used and abused names are Google, Chase, Dropbox, PayPal and Facebook.
The extent of this problem is verified by High-Tech Bridge’s free Trademark Abuse Radar service. This uses its own AI engine to help check how a legitimate domain can be, or is being, abused on the internet. Checking the domains highlighted by Webroot, we find from High-Tech Bridge that 1,426 Google-related websites currently seem to be used to conduct phishing attacks. Chase has 347 websites similarly used, while Dropbox has 3,579; PayPal has 1,162, and Facebook has 3,282.
The report notes that phishing is no longer used simply to steal credentials, but is also increasingly being used to deliver malicious payloads. “Locky ransomware infected more than 400,000 victims in 2016,
and the WanaCrypt0r attack used a combination of phishing, ransomware, and a fast-moving worm to spread rapidly across hundreds of thousands of computers around the globe,” says Webroot. “These extended capabilities have increasingly made phishing a vector for advanced threats: some 93% of all phishing emails now lead to ransomware.”
Webroot’s message is that phishing has become too sophisticated to be detected by traditional block list methods, but too dangerous to ignore. “Today’s phishing attacks are incredibly sophisticated, with hackers obfuscating malicious URLs, using psychology, and information gleaned from reconnaissance to get you to click on a link,” said Hal Lonas, CTO at Webroot. “Even savvy cybersecurity professionals can fall prey. Instead of blaming the victim, the industry needs to embrace a combination of user education and organizational protection with real-time intelligence to stay ahead of the ever-changing threat landscape.”
Webroot’s own solution is to employ machine-learning heuristics to provide a verdict on every visited web page within milliseconds of the user’s request. “When speed and accuracy are everything, machine learning delivers highly accurate, real-time protection against phishing attacks, as well as contextual threat insights that drive strategic intelligence,” says the report.