Security Features of Modern Phishing Prevention Products

In the early days, phishing emails were pretty straightforward. A Nigerian prince would offer you a substantial sum of money for helping to move his money to the US if you didn’t mind covering a couple of fees. Or you had won some contest that you didn’t remember entering and needed to claim your prize. With a little user education, most of these attacks became ineffective and fell by the wayside. By Andrew B Goldberg of Inky.

The Phishing Threat

Modern phishing attacks are much more sophisticated. By personalizing emails to match their recipients, or precisely mimicking the look and feel of legitimate company emails, phishers induce their targets to do what they want. These emails have reached the point where it is unrealistic to expect users to detect them unaided. Modern anti-phishing software uses machine learning and other techniques to detect and protect against subtle phishing attacks. In this post, we describe some of the capabilities of modern anti-phishing software.

Machine Learning for Spear Phishing Protection

While large-scale mass phishing attacks are still a threat for email users, targeted spear phishing attacks are an even greater danger. By using specific knowledge of an individual and their habits, a phisher can craft a malicious email to have the greatest probability of success. Through the clever use of machine learning algorithms, modern anti-phishing products can provide users with a higher level of protection against these more sophisticated phishing attacks.

Social Graph Analysis

Impersonation is at the center of all phishing attacks. A phishing email coming from someone that the target doesn’t know has a much lower probability of success than one appearing to come from someone that the recipient knows and trusts. People are also more likely to follow instructions from those they see as being in a position of authority over them. Phishers know this, and take advantage of the fact by masquerading as authority figures like C-Level executives in Business Email Compromise (BEC) attacks.

One flaw with this approach is that the recipient may not commonly correspond with the authority figure that the phisher is impersonating. An anti-phishing product that monitors the social graph of an organization can flag unusual communications as potentially suspicious. Since phishing emails rely on catching the target off-guard, a warning message to the recipient that the message is suspicious, and should be verified, is a powerful tool in protecting against this type of phishing attack.

User Profiling

Everyone has their own “voice” that comes across in verbal and written communications. This voice is shaped by where the person has lived (common expressions, grammar, etc.) and the situation in which the user is communicating (professional vs. casual, technical vs. non-technical, etc.). Voice can also be part of a brand, with companies trademarking certain phrases and developing a certain voice, to build a sense of familiarity with their users.

Using machine learning and Natural Language Processing, phishing protection products can learn the different voices of the various users within a company. When an email claiming to be from a profiled user moves through the system, the voice of the email can be compared to the stored profile, and a warning provided to the user if the email sounds anomalous. While a user may sound different when in a hurry or under stress, an email with the wrong voice may also be a spear phishing email, and warning the user to be cautious doesn’t hurt.

Email Structural Analysis

Emails contain a lot of information about the email’s sender. Some of this information is visible to the recipient, including the sender’s display name and email address, and any information contained within the body of the email. However, this is only a fraction of the information that can be stored within the email. A variety of required and optional headers contain information about the email’s path of travel, mail client, etc.

These headers, while typically invisible to the email’s recipient, are a treasure trove of information for an anti-phishing program. By observing the common headers included in a sender’s emails and their values, the program can build a fingerprint for a given sender. For example, a user may typically send emails from within the Western United States using a Gmail client. Once this fingerprint is created, the phishing protection software can compare each email allegedly originating from this sender to the fingerprint, and alert the recipient if any anomalies are detected. This form of anomaly detection is a powerful defense against spear phishing attacks, which rely on a user’s trust in a specific person or organization to cause them to take the action requested within the email.
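The header-fingerprinting idea above, as an added example that is not Inky's code: a baseline is built from the header names and a few stable header values seen in a sender's past mail, and a new message is scored by how it deviates. The messages, header values and the `_msg` helper are constructed for the demo.

```python
from collections import Counter
from email import message_from_string

# Header values that are usually stable for one sender / mail client.
VALUE_FEATURES = ("x-mailer", "user-agent", "content-type")

def features(raw: str) -> dict:
    """Extract fingerprint features from one raw RFC 5322 message."""
    msg = message_from_string(raw)
    feats = {"header_set": frozenset(k.lower() for k in msg.keys()),
             "received_hops": len(msg.get_all("Received") or [])}
    for h in VALUE_FEATURES:
        v = msg.get(h)
        # Content-Type keeps only the media type, not charset/boundary.
        feats[h] = v.split(";")[0].strip().lower() if v else None
    return feats

def build_fingerprint(history: list) -> dict:
    """Most common value of each feature across the sender's past mail."""
    obs = [features(raw) for raw in history]
    return {k: Counter(o[k] for o in obs).most_common(1)[0][0] for k in obs[0]}

def anomalies(fp: dict, raw: str) -> list:
    """List every way a new message deviates from the sender fingerprint."""
    f, out = features(raw), []
    if missing := fp["header_set"] - f["header_set"]:
        out.append(f"missing headers: {sorted(missing)}")
    if extra := f["header_set"] - fp["header_set"]:
        out.append(f"unexpected headers: {sorted(extra)}")
    if f["received_hops"] != fp["received_hops"]:
        out.append(f"received hops {f['received_hops']} != {fp['received_hops']}")
    for h in VALUE_FEATURES:
        if f[h] != fp[h]:
            out.append(f"{h}: {f[h]!r} != {fp[h]!r}")
    return out

def _msg(mailer: str, hops: int, extra: str = "") -> str:
    """Constructed sample message for the demo (not a real capture)."""
    rcvd = "".join(f"Received: from hop{i}.example.net by mx.example.com\n"
                   for i in range(hops))
    return (rcvd + "From: Alice <alice@example.com>\nTo: bob@example.com\n"
            "Subject: Q3 numbers\nMessage-ID: <1@example.com>\n"
            f"X-Mailer: {mailer}\nContent-Type: text/plain; charset=utf-8\n"
            + extra + "\nHi Bob, numbers attached.\n")

# Alice's usual mail: same client, two relay hops, no Reply-To.
HISTORY = [_msg("ExampleMail 2.1", 2) for _ in range(3)]
# Message claiming to be Alice: other client, an extra hop, a Reply-To.
SUSPECT = _msg("BulkSender 9", 3, "Reply-To: alice.example@mail.test\n")

if __name__ == "__main__":
    fp = build_fingerprint(HISTORY)
    for line in anomalies(fp, SUSPECT):
        print("anomaly:", line)
```

A real deployment would also weight features (a new Reply-To is far more telling than a changed charset) and decay old observations so a legitimate client change does not alert forever.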

Advanced Brand Forgery Protection

Brand forgery attacks take advantage of the differences between how humans see things and how computers see things. Based upon the imagery and words included in an email, and how it appears in context, humans decide who the likely sender of a particular email is. This may not even involve checking the sender’s email address, and may be based solely on the fact that the email “looks and sounds right” for that brand.

Computers, on the other hand, examine the sending address, the text, email headers, and similar features of the email to make a decision about its authenticity. The difference between these two approaches creates the opportunity for phishers to craft brand forgery emails capable of slipping past the computer into the user’s inbox, where the user may click on a link or open an infected attachment.

Computer Vision Applications

Computer vision has the potential to bridge the gap between how humans and machines react to brand forgery emails. Marketing teams put a great deal of money and effort into training people to associate certain images and phrases with their brand. This pays off by creating a sense of familiarity and trust in reader’s minds when receiving an email from the company that contains text and imagery that is familiar to them. Phishers use this familiarity with brand imagery for brand forgery attacks by crafting emails to have the same “look and feel” as legitimate emails, helping to ease them past users’ defenses and increase the probability of success.

Using computer vision, anti-phishing products can identify brand imagery and text within phishing emails and identify the supposed brand of the email in the same way that a user would. By identifying the brand in this way, the phishing protection software can take extra steps to verify that the email does in fact originate from where it claims.

Brand Indicative Text Detection

A telltale sign of a brand forgery email is that the email claims to belong to a certain brand but doesn’t originate from an address associated with this brand. Phishers know this and try to craft their emails to make it difficult for anti-phishing software to detect the alleged brand of brand forgery emails.

The simplest way for an email to claim to be from a certain brand is to say so: sign the email with the brand name, or include trademarked words and phrases. To look authentic, phishers need to do this as well, but phishing protection software is aware of this and searches for common brand names within the text of emails. To defeat this, attackers take advantage of visually similar characters that look the same to the reader but different to the email protection software. Examples include substituting “rn” for “m” or a Greek alpha for “a”. To protect against this, email protection programs can use fuzzy string matching, or computer vision, to detect these visually similar but textually different pieces of brand-indicative text.

Brand Domain Verification

Once anti-phishing software has identified the supposed brand from which an email claims to originate, detection of brand forgery attacks is fairly straightforward. Most brands own a limited number of domains, and the domains belonging to a given company are typically public since they are a part of a company’s marketing and branding strategy. The stability and low changeability of official brand domains makes it easy for a phishing protection product to maintain a database of the official domains associated with commonly forged brands. When an email is identified as claiming to originate from a brand, a simple comparison of the sending address of the email to a list of the official domains of the brand allows brand forgery emails to be quickly detected and blocked.
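The two steps described in the Brand Indicative Text Detection and Brand Domain Verification sections, as one added example that is not Inky's code: confusable characters (including the rn/m and Greek alpha/a cases above) are folded before fuzzy-matching the text against known brand names, and a detected brand's sending domain is then checked against its official domain list. The confusables table, brand names, domains and sample emails are constructed for the demo.

```python
import difflib
import re
import unicodedata
from email.utils import parseaddr

# Look-alike substitutions, including rn->m and Greek alpha->a from the
# article (constructed table; real systems use Unicode confusables data).
CONFUSABLES = {"α": "a", "ο": "o", "е": "e", "rn": "m", "vv": "w"}

# Official sending domains per brand (constructed table for this example).
BRAND_DOMAINS = {"ExampleBank": {"examplebank.com", "mail.examplebank.com"},
                 "AcmePay": {"acmepay.com"}}

def normalize(text: str) -> str:
    """Lowercase, NFKC-fold and collapse confusables so look-alikes match."""
    text = unicodedata.normalize("NFKC", text).lower()
    for fake, real in CONFUSABLES.items():
        text = text.replace(fake, real)
    return text

def detect_brand(text: str, brands, threshold: float = 0.85):
    """Return the official brand name the text appears to claim, or None."""
    canon = {normalize(b): b for b in brands}          # folded -> official
    words = re.findall(r"[^\W_]+", normalize(text))
    # Adjacent-word pairs catch "Example Bank" written with a space.
    candidates = words + [a + b for a, b in zip(words, words[1:])]
    best_name, best_score = None, 0.0
    for cand in candidates:
        for folded, name in canon.items():
            score = difflib.SequenceMatcher(None, cand, folded).ratio()
            if score > best_score:
                best_name, best_score = name, score
    return best_name if best_score >= threshold else None

def sender_domain(from_header: str) -> str:
    """Domain of the RFC 5322 From address, lowercased."""
    return parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()

def is_official_domain(brand: str, domain: str) -> bool:
    """True if domain is, or is a subdomain of, an official brand domain."""
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])

def check_email(from_header: str, subject: str, body: str):
    """Return (verdict, brand) with verdict 'no-brand', 'ok' or 'brand-forgery'."""
    brand = detect_brand(subject + " " + body, BRAND_DOMAINS)
    if brand is None:
        return "no-brand", None
    official = is_official_domain(brand, sender_domain(from_header))
    return ("ok" if official else "brand-forgery"), brand

if __name__ == "__main__":
    # Constructed samples: a genuine notice, then a homoglyph forgery.
    print(check_email("ExampleBank <alerts@mail.examplebank.com>",
                      "Your statement", "Your ExampleBank statement is ready."))
    print(check_email("ExampleBank <security@examplebank-support.test>",
                      "Account locked", "Exαmplebank needs you to verify. Exarnplebank Security"))
```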

Automated Malware and Malicious Link Protection

The goal of all phishing emails is to convince the recipient to do something in the attacker’s interest. Some of the most common ways of accomplishing this are to craft an email that gets the user to click on a link, open an attachment, or run a script on their computer. Done properly, a phishing email can infect a user’s computer with malware, or steal sensitive information, without them even noticing. A primary goal of email protection programs is the detection and blocking of the malicious content contained within phishing emails.

Domain Whitelisting and Blacklisting

Links are common in phishing emails. They are the simplest way to get a user to an attacker-controlled website and don’t run the risk of an antivirus detecting malware attached to an email. Phishing protection software commonly maintains a list of known malicious domains. If an email links to a domain on this blacklist, it is blocked, quarantined, or marked as suspicious. While this is an effective method of detecting phishing emails, it is a continual battle between attackers, who register or infect new domains, and defenders, who try to keep their blacklists up-to-date in order to catch the latest threats.

URL Rewriting

Malicious links are a common feature in phishing emails. Embedding links in emails is common practice for companies that want to give users quick and easy access to the company website or the user’s account. Phishers have taken advantage of this trend by including links in their phishing emails to websites under the phisher’s control that infect the user’s machine with malware, or harvest user credentials. Using malicious links, phishers can craft a phishing email virtually identical to that of official company correspondence, with the only difference being the targets of the email’s links.

A common protection against malicious links is maintaining a domain blacklist of known active phishing websites. If a phishing email contains a link that is included on the list, an anti-phishing program knows to take action. This could include blocking the email or rewriting the URL. By rewriting the malicious URL to a benign version, the email phishing protection software can redirect the user either to the legitimate version of the site that the phisher is spoofing, or to a page educating the user about this type of threat.

Deep Link Inspection

URL blacklists are great if the phishing email comes from or links to a known malicious domain. But what about zero-day attacks using a brand-new domain? Registering a new domain takes very little time and effort, and then a new phishing site can be created by copying over a few files from an existing phishing domain. This ease of updating means that defenders are constantly trying to hit a moving target, as current domains are retired and new domains are created or resurrected after they are dropped from blacklists.

Deep link inspection is a way by which anti-phishing products can protect against zero-day phishing attacks. By simulating a click on each link in an email, the software can see the webpages that a user would be directed to by the phishing email. The software can then examine the resulting webpage for indications of phishing, and warn the user if the email appears to be suspicious.

HTML Sanitization

HTML-based emails provide users with a richer content experience by allowing emails to include images, animations, and other stylistic customizations not available in plaintext emails. However, this customization is mainly accomplished using scripts that allow senders to run code on the recipient’s computer.

Attackers take advantage of this functionality by embedding malicious code in emails to run when the recipient views the email. Anti-phishing products should be capable of analyzing scripts, preventing Cross-Site Scripting (XSS), JavaScript, and CSS attacks, and warning the user of suspicious scripts with unknown functionality.

Choosing a Modern Anti-Phishing Solution

Phishing attacks have evolved since the original “Nigerian Letter” scams, and simple phishing protection based only on URL blacklists just doesn’t cut it anymore. Modern phishing products take advantage of advances in machine learning and computer vision to detect and protect against more sophisticated phishing schemes.

With the average successful phishing attack costing businesses $1.6 million, choosing the right anti-phishing software is an important decision for businesses. Picking modern phishing protection can save a lot of money in the long run.

Andrew B. Goldberg is Chief Scientist at Inky Anti-Phishing Software, an enterprise communications security platform, working to protect corporate email from new breeds of sophisticated phishing attacks.
