Phishing, an email-borne attack that tricks users into giving up sensitive credentials or that delivers malware, has been among the top cyber threats to individuals and businesses for years.
According to the latest Phishing Activity Trends Report (PDF) by APWG, the total number of new phishing sites identified in Q1 2020 exceeded 165,000. More than 60,000 such pages surfaced in March alone.
The FBI’s Internet Crime Complaint Center (IC3) has put losses from business email compromise (BEC) attacks at roughly $5 billion. For the record, BEC is merely one of the common types of phishing.
Phishing is plainly one of the pillars of the global cybercrime economy. It comes as no surprise that plenty of security companies specialize in anti-phishing services that keep rogue emails from reaching their customers’ inboxes.
Because running these campaigns gets harder for crooks over time, they keep devising more sophisticated attack vectors that slip past mainstream defenses.
Phishers are thinking out of the box
Malicious actors leverage quite a few effective evasion techniques to make sure their misleading messages arrive at their destination. Here are several common stratagems used to obfuscate evil intentions and circumvent automated protection tools.
Elusive emails impersonate major banks
This is the latest addition to phishing operators’ repertoire. The spoofed email pretends to come from a major financial institution such as Bank of America or Citigroup.
It asks the recipient to update their email address and provides a link leading to a credential phishing page camouflaged as the bank’s official site. To feign legitimacy, the scam includes an extra page where the victim is supposed to enter the answer to their security question.
Although the message is sent from a “@yahoo.com” address rather than the real domain of the mimicked bank, many anti-phishing tools do not flag it as malicious.
One reason is that the fraud targets only a handful of people in an organization rather than maximizing its reach. Filtering technologies mainly inspect large volumes of similar emails and may overlook messages arriving in small quantities.
Secondly, the email passes authentication checks with flying colors precisely because it is sent from a personal Yahoo account. Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) only verify that the message genuinely comes from the domain in its headers, yahoo.com, which it does. They say nothing about the bank named in the display name, so the brand impersonation goes unnoticed.
Thirdly, the linked-to replica of the bank’s page is not blacklisted because it was registered only recently; security databases simply do not know it as suspicious yet. Furthermore, the domain uses a valid TLS certificate issued by a trusted authority such as COMODO. Since any party that controls a domain name can obtain such a certificate, the padlock in the browser says nothing about who is behind the site.
This combination of techniques, plus the subtle urgency and pressure applied to the recipient through social engineering, makes this ostensibly simple phishing wave highly effective.
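The gap the bank impersonation exploits is that SPF, DKIM and DMARC vouch for the sending domain, not for the brand in the display name or the hosts the links point to. The following check, an added example rather than code from the article or any product it mentions, parses a constructed message modelled on the wave described above: authentication passes for yahoo.com, the display name claims Bank of America, and the link goes to an unrelated host. The brand-to-domain table and both sample messages are illustrative assumptions, not real data.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed lookup of brands and the domains they legitimately send from and link to.
# Illustrative only: a real filter would load this from a maintained brand list.
BRAND_DOMAINS = {
    "bank of america": {"bankofamerica.com"},
    "citi": {"citi.com", "citigroup.com"},
}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

# Constructed sample modelled on the bank-impersonation wave: every authentication
# check passes for yahoo.com, and the brand appears only in the display name.
SAMPLE_EMAIL = """\
From: "Bank of America Alerts" <bofa.secure.alerts@yahoo.com>
To: victim@example.com
Subject: Action required: update your email address
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=yahoo.com; dkim=pass header.d=yahoo.com; dmarc=pass header.from=yahoo.com
Content-Type: text/html; charset="utf-8"

<p>Please <a href="https://bankofamerica-secure-update.example/login">update your email address</a> within 24 hours.</p>
"""

# Constructed control message from the brand's own domain, for comparison.
LEGIT_EMAIL = """\
From: "Bank of America" <alerts@bankofamerica.com>
To: victim@example.com
Subject: Your monthly statement is ready
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bankofamerica.com; dkim=pass header.d=bankofamerica.com; dmarc=pass header.from=bankofamerica.com
Content-Type: text/html; charset="utf-8"

<p>Sign in at <a href="https://secure.bankofamerica.com/login">bankofamerica.com</a> to view it.</p>
"""


def domain_matches(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower() if "@" in addr else ""

    # SPF/DKIM/DMARC only vouch for the domain that actually sent the mail;
    # a clean pass says nothing about the brand named in the display name.
    auth = {k.lower(): v.lower()
            for k, v in AUTH_RE.findall(str(msg.get("Authentication-Results", "")))}
    auth_all_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

    # Which brand does the part the recipient actually reads claim to be?
    claimed = (display_name + " " + str(msg.get("Subject", ""))).lower()
    brand = next((b for b in BRAND_DOMAINS if b in claimed), None)
    sender_on_brand = brand is not None and domain_matches(sender_domain, BRAND_DOMAINS[brand])

    # Where do the links really go? Compare each host against the brand's domains.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    link_hosts = [urlsplit(u).hostname or "" for u in HREF_RE.findall(html)]
    off_brand = [h for h in link_hosts if brand and not domain_matches(h, BRAND_DOMAINS[brand])]

    suspicious = brand is not None and (not sender_on_brand or bool(off_brand))
    return {
        "sender_domain": sender_domain,
        "auth_all_pass": auth_all_pass,
        "claimed_brand": brand,
        "sender_on_brand_domain": sender_on_brand,
        "link_hosts": link_hosts,
        "off_brand_links": off_brand,
        "verdict": "suspicious" if suspicious else "no brand mismatch",
    }


if __name__ == "__main__":
    for label, raw in (("impersonation", SAMPLE_EMAIL), ("control", LEGIT_EMAIL)):
        print(label, analyze(raw))
```

The impersonation sample reports `auth_all_pass` as true and still comes back `suspicious`, because the sender domain and the link host both fail to match the brand the display name claims; the control message from the brand's own domain does not trip either check. The brand match here is a plain substring test and would need a proper lookalike comparison in production.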
A ZIP archive with a catch
One of the clever tricks in malefactors’ handbook is to hide a malicious attachment within a specially crafted ZIP archive. A normal ZIP file ends with a single End of Central Directory (EOCD) record, which points to the central directory listing every member of the archive; that record is where archivers start reading.
Attackers are increasingly using ZIP files that contain two EOCD records rather than one. In effect, two complete archives are concatenated into a single attachment, the second one hidden in plain sight behind the first.
The decompression engines built into some Secure Email Gateways (SEGs) locate only one of the two structures, identify and vet the harmless decoy, and never detect or inspect the malicious second archive. The archiver on the victim’s computer, however, extracts the hidden member, and a strain of info-stealing malware infects the machine.
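Which archive a given engine surfaces depends on whether it trusts the trailing EOCD record or walks local file headers from the front of the file, and the two views disagree for a concatenated attachment. The following example, added here and not taken from the article or from any gateway product, builds such a double-EOCD file from two constructed archives (the “payload” is a dummy text blob named like an executable, not malware) and shows both views side by side; a gateway that compares them, or simply counts EOCD records, catches the trick.

```python
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"     # local file header signature
EOCD_SIG = b"PK\x05\x06"    # end of central directory record signature
LFH_FMT = "<4sHHHHHIIIHH"   # 30-byte fixed part of a local file header


def build_zip(members):
    """Build an in-memory ZIP archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_double_eocd_sample():
    """Constructed sample: a harmless archive followed by a second, complete archive.
    The 'payload' is plain text named like an executable, not real malware."""
    decoy = build_zip({"readme.txt": b"Nothing to see here.\n"})
    payload = build_zip({"invoice.exe": b"MZ dummy payload, not executable\n"})
    return decoy + payload


def eocd_view(blob):
    """Members seen by a parser that trusts the trailing EOCD record. Python's
    zipfile, like most archivers, locates the central directory from the end."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def walk_local_headers(blob, stop_at_gap=False):
    """Members found by walking local file headers forward from offset 0.
    With stop_at_gap=True the walk ends at the first non-header bytes (the first
    archive's central directory), which is how a streaming front-to-back parser
    behaves; otherwise it skips that gap and continues into the next archive."""
    names, pos = [], 0
    while pos + 30 <= len(blob):
        if blob[pos:pos + 4] != LFH_SIG:
            if stop_at_gap:
                break
            pos = blob.find(LFH_SIG, pos + 1)
            if pos < 0:
                break
            continue
        (_sig, _ver, _flags, _method, _mtime, _mdate, _crc,
         csize, _usize, name_len, extra_len) = struct.unpack(LFH_FMT, blob[pos:pos + 30])
        names.append(blob[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        # sizes are in the header because the sample was written to a seekable buffer
        pos += 30 + name_len + extra_len + csize
    return names


def inspect_archive(blob):
    """Compare the trailing-EOCD view with a full forward walk and flag disagreement."""
    trailing = eocd_view(blob)
    front_only = walk_local_headers(blob, stop_at_gap=True)
    everything = walk_local_headers(blob)
    # a raw signature count can overcount if the bytes occur inside compressed
    # data, so the structural comparison below is the authoritative check
    eocd_count = blob.count(EOCD_SIG)
    return {
        "eocd_records": eocd_count,
        "trailing_eocd_view": trailing,
        "front_walk_view": front_only,
        "all_members": everything,
        "suspicious": eocd_count > 1 or set(everything) != set(trailing),
    }


if __name__ == "__main__":
    print(inspect_archive(build_double_eocd_sample()))
    print(inspect_archive(build_zip({"report.pdf": b"%PDF-1.4 dummy\n"})))
```

For the sample, the EOCD-based view lists only `invoice.exe`, the front-to-back walk stops after `readme.txt`, and only the full walk reports both; an engine that scans just one of the two views vets a different file than the one the victim's archiver extracts.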
The foreign language artifice
Many phishing scams use a foreign-language trick to stay under the radar of email filters. Whereas protection systems are typically tuned for manipulative content in English, or in another language matching the customer’s location, the cybercriminals write the lure in Russian instead.
A phrase in big, bold font saying “Use Google translator” tells the recipient how to read the message. Such emails may land in the intended victim’s inbox without raising any red flags.
Skewing an email’s HTML code
Yet another mechanism for getting around SEGs is to store the text of a message reversed in its source code and let the email client render it forwards. Security filters may let the message through because its raw HTML does not match any known phishing templates, while the would-be victim sees perfectly readable text.
A particularly tricky variant of this ruse involves Cascading Style Sheets (CSS), the stylesheet language used to control how HTML documents are displayed. Attackers abuse its text-direction properties and mix Latin and Arabic script in the email’s code. Because these scripts flow in opposite directions (left-to-right versus right-to-left), the browser’s bidirectional text handling reverses the stored text on display.
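A filter that matches phrases against the raw HTML sees only the reversed letters; to catch this it has to reconstruct what the recipient sees. The example below, added here and not code from the article, does that for the inline-CSS form of the trick (`direction: rtl` together with `unicode-bidi: bidi-override`, which makes a browser draw an element’s characters back to front) over a constructed lure, and compares keyword hits before and after normalisation. The phrase list and the sample message are assumptions for illustration; rules in `<style>` blocks or external sheets would need a real CSS engine.

```python
import re
from html.parser import HTMLParser

# Inline-style patterns that make a browser draw an element's stored text back to front.
RTL_RE = re.compile(r"direction\s*:\s*rtl", re.IGNORECASE)
LTR_RE = re.compile(r"direction\s*:\s*ltr", re.IGNORECASE)
OVERRIDE_RE = re.compile(r"unicode-bidi\s*:\s*(bidi-override|isolate-override)", re.IGNORECASE)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}

# Constructed phrase list standing in for a filter's phishing vocabulary.
PHISH_PHRASES = ("verify your password", "will be suspended")

# Constructed sample: the source stores the lure back to front; CSS flips it on display.
SAMPLE_HTML = (
    "<p>Dear customer,</p>"
    '<p><span style="unicode-bidi: bidi-override; direction: rtl">'
    "drowssap ruoy yfirev esaelp</span> within 24 hours or your "
    '<span style="direction:rtl;unicode-bidi:bidi-override">dednepsus eb lliw tnuocca</span>.</p>'
)


class RenderedText(HTMLParser):
    """Collect text the way the recipient sees it, undoing CSS bidi overrides."""

    def __init__(self):
        super().__init__()
        self.stack = []     # (direction, drawn_reversed) for each open element
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        direction, parent_reversed = self.stack[-1] if self.stack else ("ltr", False)
        # 'direction' is inherited, so only an explicit value changes it
        if RTL_RE.search(style):
            direction = "rtl"
        elif LTR_RE.search(style):
            direction = "ltr"
        # bidi-override draws characters strictly in the box's direction (back to
        # front for rtl); a child without its own override stays inside the parent's
        reversed_ = (direction == "rtl") if OVERRIDE_RE.search(style) else parent_reversed
        self.stack.append((direction, reversed_))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.stack and self.stack[-1][1]:
            data = data[::-1]
        self.chunks.append(data)

    def visible_text(self):
        return re.sub(r"\s+", " ", "".join(self.chunks)).strip()


def rendered_text(html):
    parser = RenderedText()
    parser.feed(html)
    parser.close()
    return parser.visible_text()


def phish_hits(text):
    low = text.lower()
    return [p for p in PHISH_PHRASES if p in low]


def scan(html):
    """What a raw-source match sees versus what the recipient sees."""
    raw_text = re.sub(r"<[^>]+>", " ", html)
    rendered = rendered_text(html)
    return {"raw_hits": phish_hits(raw_text),
            "rendered": rendered,
            "rendered_hits": phish_hits(rendered)}


if __name__ == "__main__":
    print(scan(SAMPLE_HTML))
```

On the sample, the raw-source match finds nothing while the rendered text yields both phrases. The same normalisation step belongs in front of any template or keyword matcher; a production version would also strip Unicode directional override characters (U+202D and U+202E), which achieve the same visual reversal without any CSS.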
Compromised SharePoint accounts
One more way for phishing scams to slide unnoticed into users’ inboxes is to piggyback on previously compromised SharePoint accounts. Email filters trust the domains used by this cloud-based collaboration service from Microsoft.
The messages ask recipients to click an embedded secondary URL that leads to a malicious OneNote document disguised as a OneDrive for Business sign-in page. Credentials entered into this fake login form go straight to the fraudsters.
Phishing prevention best practices
Modern advanced filtering mechanisms stop most phishing scams in their tracks, but not all of them. Relying on these technologies alone is therefore not enough to stay safe. The following additional precautions will boost your efforts to avoid falling victim to phishing attacks.
- Avoid clicking hyperlinks embedded in emails; reach the site through a bookmark or by typing its address instead.
- Never open attachments received from unknown senders.
- When entering credentials in a login form, make sure the page is served over HTTPS rather than HTTP, but remember that HTTPS only guarantees an encrypted connection to whoever controls that domain. Phishing sites routinely carry valid certificates too, so the padlock is no substitute for checking the domain itself.
- Check linked-to URLs for authenticity (hover over a link to see where it really leads, and watch for typos and look-alike domains).
- Scrutinize emails for grammar, spelling, and punctuation mistakes. Many phishers do not proofread their text.
- Be wary of messages that set a deadline for doing something or otherwise imply urgency.
- Know your business to identify messages that do not fit the mold of your normal email correspondence.
- If you receive a wire transfer request (ostensibly from your boss), confirm it in person. A phone call is usually enough to double-check its legitimacy.
- Do not overshare personal information on social networks.
- Use a reliable Internet security suite and a firewall.
- If you are a business owner, set up a phishing awareness training program if you have not already.
A growing trend, and arguably the next big thing in thwarting these attacks, is to use techniques based on machine learning and artificial intelligence (AI). Combining this approach with long-standing traditional methods detects phishing attempts much more effectively.
Author bio: David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures. LinkedIn.