Security Features of Modern Phishing Prevention Products

In the early days, phishing emails were pretty straightforward. A Nigerian prince would offer you a substantial sum of money for helping to move his money to the US if you didn't mind covering a couple of fees. Or, you would win some contest that you don't remember entering, and need to claim your prize. With a little bit of user education, most of these attacks became ineffective and fell by the wayside.

By Andrew B Goldberg of Inky.

The Phishing Threat

Modern phishing attacks are much more sophisticated. By personalizing emails to match their recipients, or precisely mimicking the look and feel of legitimate company emails, phishers induce their targets to do what they want. These emails have reached the point where it is unrealistic to expect users to detect them unaided. Modern anti-phishing software uses advanced machine learning and other techniques to detect and protect against subtle phishing attacks. In this post, we describe some of the capabilities of modern anti-phishing software.

Machine Learning for Spear Phishing Protection

While large-scale mass phishing attacks are still a threat for email users, targeted spear phishing attacks are an even greater danger. By using specific knowledge of an individual and their habits, a phisher can craft a malicious email to have the greatest probability of success. Through the clever use of machine learning algorithms, modern anti-phishing products can provide users with a higher level of protection against these more sophisticated phishing attacks.

Social Graph Analysis

Impersonation is at the center of all phishing attacks. A phishing email coming from someone that the target doesn’t know has a much lower probability of success than one appearing to come from someone that the recipient knows and trusts. People are also more likely to follow instructions from those they see as being in a position of authority over them. Phishers know this, and take advantage of the fact by masquerading as authority figures like C-Level executives in Business Email Compromise (BEC) attacks.

One flaw with this approach is that the recipient may not commonly correspond with the authority figure that the phisher is impersonating. An anti-phishing product that monitors the social graph of an organization can flag unusual communications as potentially suspicious. Since phishing emails rely on catching the target off-guard, a warning message to the recipient that the message is suspicious, and should be verified, is a powerful tool in protecting against this type of phishing attack.
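The following is an added example (not Inky's code or any product's implementation) of the social-graph check described above: it builds a sender-to-recipient graph from a constructed mail history and flags a message when the sender has never written to the recipient, or when a display name that belongs to a protected executive arrives from a different address. The addresses, names and the `PROTECTED_NAMES` directory are all made up for the example.

```python
from collections import defaultdict

# Constructed historical mail flow as (sender, recipient) pairs. In production
# this would be learned from the organisation's own mail logs over time.
HISTORY = [
    ("cfo@example.com", "controller@example.com"),
    ("cfo@example.com", "controller@example.com"),
    ("cfo@example.com", "ceo@example.com"),
    ("controller@example.com", "cfo@example.com"),
    ("it-helpdesk@example.com", "alice@example.com"),
]

# Constructed directory of display names worth protecting (executives are the
# usual impersonation targets in BEC). Maps display name -> legitimate address.
PROTECTED_NAMES = {
    "Pat Rivera": "cfo@example.com",
    "Sam Okoro": "ceo@example.com",
}


class SocialGraph:
    """Who-writes-to-whom graph with per-edge message counts."""

    def __init__(self, history):
        self.edges = defaultdict(int)    # (sender, recipient) -> count
        self.senders = defaultdict(int)  # sender -> total messages seen
        for src, dst in history:
            self.edges[(src.lower(), dst.lower())] += 1
            self.senders[src.lower()] += 1

    def assess(self, display_name, sender, recipient):
        """Return the reasons a message is unusual; an empty list means it fits the graph."""
        sender, recipient = sender.lower(), recipient.lower()
        reasons = []
        expected = PROTECTED_NAMES.get(display_name)
        if expected and expected != sender:
            reasons.append(
                f"display name '{display_name}' normally uses {expected}, not {sender}")
        if sender not in self.senders:
            reasons.append(f"{sender} has never sent mail into the organisation")
        elif (sender, recipient) not in self.edges:
            reasons.append(f"{sender} has never written to {recipient} before")
        return reasons


if __name__ == "__main__":
    graph = SocialGraph(HISTORY)
    # A message from an outside address using the CFO's display name, to someone
    # the real CFO has never emailed: two independent warning signs.
    for reason in graph.assess("Pat Rivera", "pat.rivera@mail.example", "alice@example.com"):
        print("WARN:", reason)
```

The two signals are deliberately separate: a first-contact warning alone is noisy in a growing company, but combined with a display-name mismatch it is exactly the pattern the text describes, and the warning shown to the recipient can name both reasons.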

User Profiling

Everyone has their own “voice” that comes across in verbal and written communications. This voice is shaped by where the person has lived (common expressions, grammar, etc.) and the situation in which the user is communicating (professional vs. casual, technical vs. non-technical, etc.). Voice can also be part of a brand, with companies trademarking certain phrases and developing a certain voice, to build a sense of familiarity with their users.

Using machine learning and Natural Language Processing, phishing protection products can learn the different voices of the various users within a company. When an email claiming to be from a profiled user moves through the system, the voice of the email can be compared to the stored profile, and a warning provided to the user if the email sounds anomalous. While a user may sound different when in a hurry or under stress, an email with the wrong voice may also be a spear phishing email, and warning the user to be cautious doesn’t hurt.
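As an added illustration of the "voice" comparison above (this is a toy stylometric baseline written for this page, not Inky's NLP model), the code below turns each message into a few surface features, learns a per-user mean and spread from constructed sample messages, and scores a new message by how many standard deviations it sits from the profile. The messages and the feature set are both constructed for the example; a real product would use far richer language features.

```python
import re
from statistics import mean, pstdev

WORD = re.compile(r"[A-Za-z']+")

# Constructed baseline: four messages in one user's usual written voice.
BASELINE = [
    "Hi Alice, please find the quarterly figures attached. Let me know if anything looks off before Thursday. Thanks, Pat",
    "Morning. I reviewed the vendor contract and added comments in the margin. Can we discuss it at the Tuesday meeting? Pat",
    "Alice, the auditors asked for the reconciliation spreadsheets from March. Could you send them over when you have a moment? Thanks, Pat",
    "Thanks for the update. I will be out on Friday, so please route anything urgent to Sam. Pat",
]


def features(text):
    """Four simple stylometric features of one message (illustrative choice)."""
    sentences = [s for s in re.split(r"[.!?]+", text) if WORD.search(s)]
    words = WORD.findall(text)
    if not sentences or not words:
        return [0.0, 0.0, 0.0, 0.0]
    long_words = [w for w in words if len(w) > 1]
    return [
        len(words) / len(sentences),                                    # words per sentence
        mean(len(w) for w in words),                                    # mean word length
        text.count("!") / len(sentences),                               # exclamation marks per sentence
        sum(w.isupper() for w in long_words) / max(1, len(long_words)), # share of SHOUTED words
    ]


def build_profile(messages):
    """Per-feature (mean, sigma) learned from a user's past messages."""
    vectors = [features(m) for m in messages]
    profile = []
    for column in zip(*vectors):
        mu = mean(column)
        # Floor sigma so that a feature the user never varies (e.g. zero
        # exclamation marks) still produces a strong signal when it changes.
        sigma = max(pstdev(column), 0.1 * abs(mu), 0.05)
        profile.append((mu, sigma))
    return profile


def voice_distance(profile, text):
    """Mean absolute z-score against the profile; higher means less like the user."""
    return mean(abs(x - mu) / sigma for x, (mu, sigma) in zip(features(text), profile))


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for msg in [
        "Hi Alice, the March invoices are in the shared folder. Let me know if you need anything else. Thanks, Pat",
        "URGENT!!! I need you to buy 5 gift cards NOW and send me the codes!!! Do not call me, I am in a meeting!!!",
    ]:
        print(f"{voice_distance(profile, msg):6.1f}  {msg[:50]}")
```

The score is only a prompt for a warning banner, as the text says; a hurried but genuine message will sit somewhat above the baseline, while the gift-card message lands far outside it on every feature at once.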

Email Structural Analysis

Emails contain a lot of information about the email’s sender. Some of this information is visible to the recipient, including the sender’s display name and email address, and any information contained within the body of the email. However, this is only a fraction of the information that can be stored within the email. A variety of required and optional headers contain information about the email’s path of travel, mail client, etc.

These headers, while typically invisible to the email’s recipient, are a treasure trove of information for an anti-phishing program. By observing the common headers included in a sender’s emails and their values, the program can build a fingerprint for a given sender. For example, a user may typically send emails from within the Western United States using a Gmail client. Once this fingerprint is created, the phishing protection software can compare each email allegedly originating from this sender to the fingerprint, and alert the recipient if any anomalies are detected. This form of anomaly detection is a powerful defense against spear phishing attacks, which rely on a user’s trust in a specific person or organization to cause them to take the action requested within the email.
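The header-fingerprint idea above, as an added example (not Inky's code): parse a sender's past messages with Python's standard `email` module, record which headers are always present and the values of a few stable ones (mail client, Message-ID domain, submitting host from the earliest `Received` hop), then report what differs in a new message that claims the same sender. All messages, hosts and addresses are constructed for the example.

```python
import email
import re


def build_raw(headers, body="Please see the attached figures."):
    """Assemble a raw message from a list of header lines (constructed data)."""
    return "\n".join(headers) + "\n\n" + body


# Constructed history of one sender's legitimate mail (placeholder hosts/IPs).
BASELINE = [
    build_raw([
        "Received: from smtp.example.net (smtp.example.net [192.0.2.10]) by mx.example.com",
        "Message-ID: <20240101.1@smtp.example.net>",
        "X-Mailer: DeskMail 4.2",
        "From: Pat Rivera <pat@example.net>",
        "To: alice@example.com",
        "Subject: January figures",
    ]),
    build_raw([
        "Received: from smtp.example.net (smtp.example.net [192.0.2.11]) by mx.example.com",
        "Message-ID: <20240201.7@smtp.example.net>",
        "X-Mailer: DeskMail 4.2",
        "From: Pat Rivera <pat@example.net>",
        "To: alice@example.com",
        "Subject: February figures",
    ]),
]

# Constructed suspect: same From line, but no X-Mailer and a different origin.
SUSPECT = build_raw([
    "Received: from mail.freemail.example (mail.freemail.example [198.51.100.5]) by mx.example.com",
    "Message-ID: <9f3c@mail.freemail.example>",
    "From: Pat Rivera <pat@example.net>",
    "To: alice@example.com",
    "Subject: Urgent wire transfer",
], "Please process the attached wire before noon.")


def fingerprint(raw_msg):
    """Structural features of one message that tend to be stable per sender."""
    msg = email.message_from_string(raw_msg)
    received = msg.get_all("Received") or []
    origin = ""
    if received:
        # Headers are prepended at each hop, so the last Received is the first hop.
        m = re.search(r"from\s+(\S+)", received[-1])
        origin = m.group(1).lower() if m else ""
    m = re.search(r"@([^>\s]+)", msg.get("Message-ID", ""))
    return {
        "headers": frozenset(k.lower() for k in msg.keys()),
        "mid_domain": m.group(1).lower() if m else "",
        "mailer": msg.get("X-Mailer", "").strip(),
        "origin": origin,
    }


def build_profile(raw_msgs):
    fps = [fingerprint(r) for r in raw_msgs]
    return {
        "always_headers": frozenset.intersection(*(fp["headers"] for fp in fps)),
        "mid_domains": {fp["mid_domain"] for fp in fps},
        "mailers": {fp["mailer"] for fp in fps},
        "origins": {fp["origin"] for fp in fps},
    }


def anomalies(profile, raw_msg):
    """List the ways a message departs from the sender's fingerprint."""
    fp = fingerprint(raw_msg)
    found = []
    for h in sorted(profile["always_headers"] - fp["headers"]):
        found.append(f"header '{h}' is always present for this sender but missing")
    if fp["mid_domain"] and fp["mid_domain"] not in profile["mid_domains"]:
        found.append(f"Message-ID domain {fp['mid_domain']} never seen before")
    if fp["mailer"] and fp["mailer"] not in profile["mailers"]:
        found.append(f"mail client '{fp['mailer']}' never seen before")
    if fp["origin"] and fp["origin"] not in profile["origins"]:
        found.append(f"submitting host {fp['origin']} never seen before")
    return found


if __name__ == "__main__":
    for line in anomalies(build_profile(BASELINE), SUSPECT):
        print("WARN:", line)
```

Only the earliest `Received` hop is trusted here because every later hop was added by the receiving side; the earliest one is still attacker-controlled in a forgery, which is precisely why a mismatch there is informative.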

Advanced Brand Forgery Protection

Brand forgery attacks take advantage of the differences between how humans see things, and how computers see things, to launch phishing attacks. Based upon the imagery and words included in an email, and how it appears in context, humans decide who is the likely sender of a particular email. This may not even involve checking the sender's email address, and may be solely based on the fact that the email "looks and sounds right" for that brand. Computers, on the other hand, examine the sending address, the text, email headers, and similar features of the email to make a decision about its authenticity. The difference in these two approaches creates the opportunity for phishers to craft brand forgery emails capable of slipping past the computer into the user's inbox, where the user clicks on a link or opens an infected attachment.

Computer Vision Applications

Computer vision has the potential to bridge the gap between how humans and machines react to brand forgery emails. Marketing teams put a great deal of money and effort into training people to associate certain images and phrases with their brand. This pays off by creating a sense of familiarity and trust in reader’s minds when receiving an email from the company that contains text and imagery that is familiar to them. Phishers use this familiarity with brand imagery for brand forgery attacks by crafting emails to have the same “look and feel” as legitimate emails, helping to ease them past users’ defenses and increase the probability of success.

Using computer vision, anti-phishing products can identify brand imagery and text within phishing emails and identify the supposed brand of the email in the same way that a user would. By identifying the brand in this way, the phishing protection software can take extra steps to verify that the email does in fact originate from where it claims.

Brand Indicative Text Detection

A telltale sign of a brand forgery email is that the email claims to belong to a certain brand but doesn't originate from an address associated with this brand. Phishers know this and try to craft their emails to make it difficult for anti-phishing software to detect the alleged brand of brand forgery emails.

The simplest way for an email to claim to be from a certain brand is to say so, by signing the email with the brand name or including trademarked words and phrases. To look authentic, phishers need to do this as well, but phishing protection software is aware of this and searches for common brand names within the text of emails. To defeat this, attackers take advantage of visually similar characters that will look the same to the reader but look different to the email protection software. Examples include substituting rn for m or a Greek alpha for a. To protect against this, email protection programs can use fuzzy string matching, or computer vision, to detect these visually similar but textually different pieces of brand indicative text.

Brand Domain Verification

Once anti-phishing software has identified the supposed brand from which an email claims to originate, detection of brand forgery attacks is fairly straightforward. Most brands own a limited number of domains, and the domains belonging to a given company are typically public since they are a part of a company’s marketing and branding strategy. The stability and low changeability of official brand domains makes it easy for a phishing protection product to maintain a database of the official domains associated with commonly forged brands. When an email is identified as claiming to originate from a brand, a simple comparison of the sending address of the email to a list of the official domains of the brand allows brand forgery emails to be quickly detected and blocked.
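The two steps just described (brand-indicative text detection with look-alike characters, then a check of the sending domain against the brand's official domains) as one added example, written for this page rather than taken from Inky or any product. The brand names, their "official" domains and the confusables table are constructed placeholders; the text-matching uses the standard library's `difflib` for the fuzzy comparison.

```python
import difflib
import re
import unicodedata

# Constructed table of official sending domains per brand. Stands in for the
# product's database; these are placeholder domains, not any real brand's.
OFFICIAL_DOMAINS = {
    "examplebank": {"examplebank.com", "notify.examplebank.com"},
    "examplepay": {"examplepay.com"},
}

# Characters that render like a Latin letter but are different code points
# (a small illustrative subset; real confusables tables are far larger).
CONFUSABLES = {
    "\u03b1": "a", "\u0430": "a", "@": "a",   # Greek alpha, Cyrillic a, at-sign
    "\u03bf": "o", "\u043e": "o", "0": "o",   # omicron, Cyrillic o, zero
    "\u0435": "e", "3": "e",                  # Cyrillic ie, three
    "\u0456": "i", "\u0131": "i", "1": "l", "|": "l",
    "\u0440": "p", "\u0455": "s", "5": "s", "$": "s",
}
# Two-character sequences that read as a single letter.
SEQUENCES = [("rn", "m"), ("vv", "w")]


def skeleton(text):
    """Reduce text to a plain ASCII form in which look-alike characters coincide."""
    text = unicodedata.normalize("NFKC", text).lower()   # e.g. fullwidth letters -> ASCII
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for seq, letter in SEQUENCES:
        text = text.replace(seq, letter)
    return text


def detect_brand(text, threshold=0.85):
    """Return (brand, matched_token) for the closest brand name in the text, or (None, None)."""
    tokens = re.findall(r"[a-z]+", skeleton(text))
    # Also join neighbouring tokens so 'Example Bank' matches 'examplebank'.
    candidates = tokens + [a + b for a, b in zip(tokens, tokens[1:])]
    best, best_score, best_tok = None, 0.0, None
    for brand in OFFICIAL_DOMAINS:
        for tok in candidates:
            score = difflib.SequenceMatcher(None, tok, brand).ratio()
            if score > best_score:
                best, best_score, best_tok = brand, score, tok
    return (best, best_tok) if best_score >= threshold else (None, None)


def verify_sender(sender_address, text):
    """Classify a message: 'no-brand', 'ok' (sender domain is official) or 'forged'."""
    brand, _token = detect_brand(text)
    if brand is None:
        return "no-brand", None
    domain = sender_address.rsplit("@", 1)[-1].lower()
    official = OFFICIAL_DOMAINS[brand]
    if domain in official or any(domain.endswith("." + d) for d in official):
        return "ok", brand
    return "forged", brand


if __name__ == "__main__":
    samples = [
        ("alerts@notify.examplebank.com", "Your Example Bank statement is ready"),
        ("security@accounts-update.example", "Your Ex\u03b1mpleb\u03b1nk account has been limited"),
        ("ops@notice.example", "Exarnplebank security notice"),
        ("bob@partner.example", "Lunch tomorrow at noon?"),
    ]
    for sender, subject in samples:
        print(verify_sender(sender, subject), "<-", sender, "|", subject)
```

The skeleton is applied to the message text only; the sender domain is compared literally, because a look-alike domain that is not in the official list is exactly what should be flagged.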

Automated Malware and Malicious Link Protection

The goal of all phishing emails is to convince the recipient to do something in the attacker's interest. Some of the most common ways of accomplishing this are to craft an email that gets the user to click on a link, open an attachment, or run a script on their computer. Done properly, a phishing email can infect a user's computer with malware, or steal sensitive information, without them even noticing. A primary goal of email protection programs is the detection and blocking of the malicious content contained within phishing emails.

Domain Whitelisting and Blacklisting

Links are common in phishing emails. They are the simplest way to get a user to an attacker-controlled website and don’t run the risk of an antivirus detecting malware attached to an email. Phishing protection software commonly maintains a list of known malicious domains. If an email links to a domain on this blacklist, it is blocked, quarantined, or marked as suspicious. While this is an effective method of detecting phishing emails, it is a continual battle between attackers, who register or infect new domains, and defenders, who try to keep their blacklists up-to-date in order to catch the latest threats.

URL Rewriting

Malicious links are a common feature in phishing emails. Embedding links in emails is common practice for companies that want to give users quick and easy access to the company website or the user’s account. Phishers have taken advantage of this trend by including links in their phishing emails to websites under the phisher’s control that infect the user’s machine with malware, or harvest user credentials. Using malicious links, phishers can craft a phishing email virtually identical to that of official company correspondence, with the only difference being the targets of the email’s links.

A common protection against malicious links is maintaining a domain blacklist for known active phishing websites. If a phishing email contains a link that is included on the list, an anti-phishing program knows to take action. This could include blocking the email or optionally performing URL rewriting. By rewriting the malicious URL to a benign version, the email phishing protection software can either redirect the user to the legitimate version of the site that the phisher is spoofing, or to a page educating the user about this type of threat.

Deep Link Inspection

URL blacklists are great if the phishing email comes from or links to a known malicious domain. But what about zero-day attacks using a brand-new domain? Registering a new domain takes very little time and effort, and then a new phishing site can be created by copying over a few files from an existing phishing domain. This ease of updating means that defenders are constantly trying to hit a moving target, as current domains are retired and new domains are created or resurrected after they are dropped from blacklists.

Deep link inspection is a way by which anti-phishing products can protect against zero-day phishing attacks. By simulating a click on each link in an email, the software can see the webpages that a user would be directed to by the phishing email. The software can then examine the resulting webpage for indications of phishing, and warn the user if the email appears to be suspicious.
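The three link defenses above (domain blacklist check, URL rewriting to an education page, and following where a click would actually land before judging it) combined in one added example. This is not Inky's code; the blocklist, the redirect table that stands in for live HTTP fetches, and the `WARNING_PAGE` address are all constructed for the example. A real deep-link inspector would fetch each hop in a sandbox and examine the final page; here the redirect chain is a lookup so the logic runs offline.

```python
import re
from urllib.parse import urlencode, urlparse

# Constructed blocklist of known phishing domains (placeholders, not real sites).
BLOCKLIST = {"login-verify.example", "secure-update.example"}

# Constructed stand-in for the HTTP redirects a real click would follow.
REDIRECTS = {
    "https://short.example/abc": "https://track.example/r?id=1",
    "https://track.example/r?id=1": "https://login-verify.example/account",
}

# Hypothetical landing page that explains the block to the user.
WARNING_PAGE = "https://mailguard.example/blocked"

HREF = re.compile(r'(href\s*=\s*["\'])([^"\']+)(["\'])', re.IGNORECASE)


def resolve(url, max_hops=5):
    """Follow the (simulated) redirect chain. Returns (final_url, chain)."""
    chain = [url]
    while url in REDIRECTS and len(chain) <= max_hops:
        url = REDIRECTS[url]
        chain.append(url)
    return url, chain


def is_blocked(url):
    """True if the URL's host is a blocklisted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)


def rewrite_links(html):
    """Rewrite every link whose final destination is blocklisted.

    Returns (rewritten_html, findings) with one finding per rewritten link,
    recording the visible URL, where it really lands and how many hops it took.
    """
    findings = []

    def replace(match):
        original = match.group(2)
        final, chain = resolve(original)
        if not is_blocked(final):
            return match.group(0)              # leave benign links untouched
        findings.append({"original": original, "final": final, "hops": len(chain) - 1})
        safe = WARNING_PAGE + "?" + urlencode({"url": original})
        return match.group(1) + safe + match.group(3)

    return HREF.sub(replace, html), findings


# Constructed HTML body: one shortened link that redirects onto a blocked host,
# one legitimate link.
SAMPLE_HTML = (
    '<p>Your account is locked. <a href="https://short.example/abc">Restore access</a>'
    ' or visit <a href="https://examplebank.com/help">help</a>.</p>'
)

if __name__ == "__main__":
    new_html, findings = rewrite_links(SAMPLE_HTML)
    for f in findings:
        print(f"{f['original']} -> {f['final']} after {f['hops']} hops: rewritten")
    print(new_html)
```

Checking the final destination rather than the visible URL is what defeats the shortener-plus-tracker pattern: the first hop is on a domain no blocklist would ever contain.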

HTML Sanitization

HTML-based emails provide users with a richer content experience by allowing emails to include images, animations, and other stylistic customizations not available in plaintext emails. However, this customization is mainly accomplished using scripts that allow senders to run code on the recipient’s computer.

Attackers take advantage of this functionality by embedding malicious code in emails to run when the recipient views the email. Anti-phishing products should be capable of analyzing scripts, preventing Cross-Site Scripting (XSS), JavaScript, and CSS attacks, and warning the user of suspicious scripts with unknown functionality.
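An added example of the HTML sanitization step (written for this page; not Inky's sanitizer): a small allow-by-default filter built on Python's `html.parser` that drops `<script>`, `<style>`, `<iframe>`, `<object>` and `<form>` content, removes `on*` event-handler attributes, strips `javascript:`/`vbscript:`/`data:` URLs and style attributes that load external content, and returns a list of what it removed so the user can be warned. The sample message is constructed; the element and attribute lists are an illustrative choice, not a complete policy.

```python
from html import escape
from html.parser import HTMLParser

DROP_CONTAINERS = {"script", "style", "iframe", "object", "form"}  # drop element and its content
DROP_VOID = {"embed", "meta", "link", "base"}                        # drop element, nothing to close
VOID = {"br", "img", "hr", "input", "area", "col"}                   # legitimate void elements
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:")


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # text arrives decoded; re-escaped on output
        self.out, self.removed, self.skip = [], [], 0

    def _keep_attr(self, name, value):
        if name.startswith("on"):
            self.removed.append(f"event handler {name}")
            return False
        v = "".join((value or "").split()).lower()   # whitespace is sometimes used to hide a scheme
        if name in URL_ATTRS and v.startswith(BAD_SCHEMES):
            self.removed.append(f"{name} with {v.split(':', 1)[0]}: scheme")
            return False
        if name == "style" and ("url(" in v or "expression(" in v):
            self.removed.append("style attribute loading external content")
            return False
        return True

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTAINERS:
            self.removed.append(f"<{tag}> element")
            self.skip += 1
            return
        if tag in DROP_VOID:
            self.removed.append(f"<{tag}> element")
            return
        if self.skip:
            return
        parts = [tag]
        for name, value in attrs:
            if self._keep_attr(name, value):
                parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_CONTAINERS:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag in DROP_VOID or tag in VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:                     # script/style bodies are swallowed here
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                                  # comments carry nothing the reader needs


def sanitize(html):
    """Return (clean_html, list of removed items)."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.removed


# Constructed sample with several kinds of active content and one benign link.
SAMPLE = (
    '<p onclick="steal()">Hi <b>Alice</b></p>'
    '<script>document.location="http://evil.example"</script>'
    '<a href="javascript:alert(1)">click</a>'
    '<img src="x.png" onerror="alert(1)">'
    '<style>body{background:url(http://x.example)}</style>'
    '<a href="https://examplebank.com/help">help</a>'
)

if __name__ == "__main__":
    clean, removed = sanitize(SAMPLE)
    print(clean)
    for item in removed:
        print("removed:", item)
```

Rebuilding every tag from the parsed attributes, rather than deleting matched substrings from the raw HTML, is the important design choice: it means malformed or obfuscated markup is normalised on the way through instead of slipping past a pattern.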

Choosing a Modern Anti-Phishing Solution

Phishing attacks have evolved since the original "Nigerian Letter" scams, and simple phishing protection based only on URL blacklists just doesn't cut it anymore. Modern phishing products take advantage of advances in machine learning and computer vision to detect and protect against more sophisticated phishing schemes.

With the average successful phishing attack costing businesses $1.6 million, choosing the right anti-phishing software is an important decision for businesses. Picking modern phishing protection can save a lot of money in the long run.

Andrew B. Goldberg is Chief Scientist at Inky Anti-Phishing Software, an enterprise communications security platform, working to protect corporate email from new breeds of sophisticated phishing attacks.

