Security Features of Modern Phishing Prevention Products
In the early days, phishing emails were pretty straightforward. A Nigerian prince would offer you a substantial sum of money for helping to move his money to the US if you didn’t mind covering a couple of fees. Or, you would win some contest that you don’t remember entering, and need to claim your prize. With a little bit of user education, most of these attacks became ineffective and fell by the wayside.
By Andrew B. Goldberg of Inky.
The Phishing Threat
Modern phishing attacks are much more sophisticated. By personalizing emails to match their recipients, or precisely mimicking the look and feel of legitimate company emails, phishers induce their targets to do what they want. These emails have reached the point where it is impossible to expect users to be able to detect them unaided. Modern anti-phishing software is designed to use advanced machine learning and other techniques to detect and protect against subtle phishing attacks. In this post, we describe some of the capabilities of modern anti-phishing software.
Machine Learning for Spear Phishing Protection
While large-scale mass phishing attacks are still a threat for email users, targeted spear phishing attacks are an even greater danger. By using specific knowledge of an individual and their habits, a phisher can craft a malicious email to have the greatest probability of success. Through the clever use of machine learning algorithms, modern anti-phishing products can provide users with a higher level of protection against these more sophisticated phishing attacks.
Social Graph Analysis
Impersonation is at the center of all phishing attacks. A phishing email coming from someone that the target doesn’t know has a much lower probability of success than one appearing to come from someone that the recipient knows and trusts. People are also more likely to follow instructions from those they see as being in a position of authority over them. Phishers know this, and take advantage of the fact by masquerading as authority figures like C-Level executives in Business Email Compromise (BEC) attacks.
One flaw with this approach is that the recipient may not commonly correspond with the authority figure that the phisher is impersonating. An anti-phishing product that monitors the social graph of an organization can flag unusual communications as potentially suspicious. Since phishing emails rely on catching the target off-guard, a warning message to the recipient that the message is suspicious, and should be verified, is a powerful tool in protecting against this type of phishing attack.
User Profiling
Everyone has their own “voice” that comes across in verbal and written communications. This voice is shaped by where the person has lived (common expressions, grammar, etc.) and the situation in which the user is communicating (professional vs. casual, technical vs. non-technical, etc.). Voice can also be part of a brand, with companies trademarking certain phrases and developing a certain voice, to build a sense of familiarity with their users.
Using machine learning and Natural Language Processing, phishing protection products can learn the different voices of the various users within a company. When an email claiming to be from a profiled user moves through the system, the voice of the email can be compared to the stored profile, and a warning provided to the user if the email sounds anomalous. While a user may sound different when in a hurry or under stress, an email with the wrong voice may also be a spear phishing email, and warning the user to be cautious doesn’t hurt.
Email Structural Analysis
Emails contain a lot of information about the email’s sender. Some of this information is visible to the recipient, including the sender’s display name and email address, and any information contained within the body of the email. However, this is only a fraction of the information that can be stored within the email. A variety of required and optional headers contain information about the email’s path of travel, mail client, etc.
These headers, while typically invisible to the email’s recipient, are a treasure trove of information for an anti-phishing program. By observing the common headers included in a sender’s emails and their values, the program can build a fingerprint for a given sender. For example, a user may typically send emails from within the Western United States using a Gmail client. Once this fingerprint is created, the phishing protection software can compare each email allegedly originating from this sender to the fingerprint, and alert the recipient if any anomalies are detected. This form of anomaly detection is a powerful defense against spear phishing attacks, which rely on a user’s trust in a specific person or organization to cause them to take the action requested within the email.
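One way to build and compare such a header fingerprint, as an added example that is not Inky's code: the set of headers chosen, the "earliest Received hop" heuristic and both sample messages are constructed assumptions.

```python
"""Per-sender header fingerprint check. Added example, not Inky's code;
the header set, the sample messages and the hop heuristic are assumptions."""
from email import message_from_string
from email.utils import parseaddr

# Optional headers whose presence and value a given mail client tends to keep stable.
FINGERPRINT_HEADERS = ("X-Mailer", "User-Agent", "MIME-Version", "Content-Type")

def fingerprint(raw: str) -> dict:
    """Distil one RFC 5322 message into the traits we compare between messages."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    traits = {"from_domain": addr.rpartition("@")[2].lower()}
    for name in FINGERPRINT_HEADERS:  # value before any ';' parameters, or a marker if absent
        traits[name] = msg.get(name, "<absent>").split(";")[0].strip()
    mid = msg.get("Message-ID", "").strip().strip("<>")  # domain part is set by the origin system
    traits["msgid_domain"] = mid.rpartition("@")[2].lower()
    hops = msg.get_all("Received") or []  # the last Received line is the earliest (submitting) hop
    first = hops[-1].split() if hops else []
    traits["first_hop"] = first[1].lower() if len(first) > 1 and first[0] == "from" else "<unknown>"
    return traits

def anomalies(baseline: dict, candidate: dict) -> list:
    """Names of fingerprint traits where the candidate deviates from the sender's baseline."""
    return [k for k, v in baseline.items() if candidate.get(k) != v]

# Constructed sample: a known-good message from the sender ...
KNOWN_GOOD = """\
From: Alice <alice@example.com>
Message-ID: <20240101.1@mail.example.com>
Received: from mx.example.com (mx.example.com [192.0.2.10]) by inbound.corp.test; Mon, 1 Jan 2024 10:00:00 +0000
Received: from mail.example.com (mail.example.com [192.0.2.5]) by mx.example.com; Mon, 1 Jan 2024 09:59:58 +0000
X-Mailer: Example Mailer 2.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Hi, the Q1 report is attached.
"""
# ... and a later message that carries the same From: but was submitted from elsewhere.
SUSPECT = """\
From: Alice <alice@example.com>
Message-ID: <b8c1@bulk-sender.invalid>
Received: from mx.example.com (mx.example.com [192.0.2.10]) by inbound.corp.test; Tue, 2 Jan 2024 08:00:00 +0000
Received: from bulk-sender.invalid (unknown [198.51.100.7]) by mx.example.com; Tue, 2 Jan 2024 07:59:57 +0000
User-Agent: BulkSend/1.1
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Please see the updated invoice.</p>
"""
```

Calling `anomalies(fingerprint(KNOWN_GOOD), fingerprint(SUSPECT))` lists the traits that changed; a product would weigh them rather than alert on any single one.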
Advanced Brand Forgery Protection
Brand forgery attacks take advantage of the differences between how humans see things, and how computers see things, to launch phishing attacks. Based upon the imagery and words included in an email, and how it appears in context, humans decide who is the likely sender of a particular email. This may not even involve checking the sender’s email address, and may be solely based on the fact that the email “looks and sounds right” for that brand.
Computers, on the other hand, examine the sending address, the text, email headers, and similar features of the email to make a decision about its authenticity. The difference in these two approaches creates the opportunity for phishers to craft brand forgery emails capable of slipping past the computer into the user’s inbox, where they click on a link or open an infected attachment.
Computer Vision Applications
Computer vision has the potential to bridge the gap between how humans and machines react to brand forgery emails. Marketing teams put a great deal of money and effort into training people to associate certain images and phrases with their brand. This pays off by creating a sense of familiarity and trust in readers’ minds when they receive an email from the company that contains text and imagery familiar to them. Phishers use this familiarity with brand imagery for brand forgery attacks by crafting emails to have the same “look and feel” as legitimate emails, helping to ease them past users’ defenses and increase the probability of success.
Using computer vision, anti-phishing products can identify brand imagery and text within phishing emails and identify the supposed brand of the email in the same way that a user would. By identifying the brand in this way, the phishing protection software can take extra steps to verify that the email does in fact originate from where it claims.
Brand Indicative Text Detection
A telltale sign of a brand forgery email is that the email claims to belong to a certain brand but doesn’t originate from an address associated with this brand. Phishers know this and try to craft their emails to make it difficult for anti-phishing software to detect the alleged brand of brand forgery emails.
The simplest way for an email to claim to be from a certain brand is to say so, by signing the email with the brand name or including trademarked words and phrases. To look authentic, phishers need to do this as well, but phishing protection software is aware of this and searches for common brand names within the text of emails. To defeat this, attackers take advantage of visually similar characters that look the same to the reader but different to the email protection software. Examples include substituting rn for m or a Greek alpha for a. To protect against this, email protection programs can use fuzzy string matching, or computer vision, to detect these visually similar but textually different pieces of brand indicative text.
Brand Domain Verification
Once anti-phishing software has identified the supposed brand from which an email claims to originate, detection of brand forgery attacks is fairly straightforward. Most brands own a limited number of domains, and the domains belonging to a given company are typically public since they are a part of a company’s marketing and branding strategy. The stability and low changeability of official brand domains makes it easy for a phishing protection product to maintain a database of the official domains associated with commonly forged brands. When an email is identified as claiming to originate from a brand, a simple comparison of the sending address of the email to a list of the official domains of the brand allows brand forgery emails to be quickly detected and blocked.
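The two steps just described, confusable-aware brand text detection followed by a check of the sender's domain against the brand's official domains, as one added example (not Inky's code). The brand table, the confusable map, the similarity threshold and the sample messages are constructed assumptions.

```python
"""Brand text detection with confusable folding, then sender-domain check.
Added example, not Inky's code; the brand table, the confusable map and
the sample messages are constructed assumptions."""
import re
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed: official domains per commonly forged brand (a product keeps a curated database).
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "microsoft": {"microsoft.com", "outlook.com"}}
# Constructed: look-alike sequences that read as the letter on the right but defeat plain matching.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "α": "a", "ο": "o", "ρ": "p", "ı": "i"}

def fold(token: str) -> str:
    """Lower-case, apply Unicode compatibility normalisation, then map confusables."""
    token = unicodedata.normalize("NFKC", token).lower()
    for look_alike, plain in CONFUSABLES.items():
        token = token.replace(look_alike, plain)
    return token

def detect_brand(body: str, threshold: float = 0.85):
    """Return the first brand whose name fuzzily matches a folded word of the body, else None."""
    for token in re.findall(r"\w+", body):
        folded = fold(token)
        for brand in BRAND_DOMAINS:
            if SequenceMatcher(None, folded, brand).ratio() >= threshold:
                return brand
    return None

def check_brand_forgery(from_header: str, body: str) -> dict:
    """Verdict: no brand claimed, brand matches an official domain, or forgery."""
    brand = detect_brand(body)
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if brand is None:
        return {"brand": None, "domain": domain, "verdict": "no-brand"}
    official = any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])
    return {"brand": brand, "domain": domain, "verdict": "ok" if official else "forgery"}

# Constructed samples: an official notice, two look-alike forgeries, and a message with no brand.
LEGIT = ("PayPal <service@paypal.com>", "Your PayPal receipt for order 4471 is attached.")
FORGED = ("PayPal <alerts@paypa1-secure.example>", "Please review your PαyPαl account statement.")
FORGED2 = ("Billing <billing@ms-renewals.example>", "Your Micr0soft 365 licence expires soon.")
NONE = ("Bob <bob@example.com>", "Lunch at noon?")
```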
Automated Malware and Malicious Link Protection
The goal of all phishing emails is to convince the recipient to do something in the attacker’s interest. Some of the most common ways of accomplishing this are to craft an email that gets the user to click on a link, open an attachment, or run a script on their computer. Done properly, a phishing email can infect a user’s computer with malware, or steal sensitive information, without them even noticing. A primary goal of email protection programs is the detection and blocking of the malicious content contained within phishing emails.
Domain Whitelisting and Blacklisting
Links are common in phishing emails. They are the simplest way to get a user to an attacker-controlled website and don’t run the risk of an antivirus detecting malware attached to an email. Phishing protection software commonly maintains a list of known malicious domains. If an email links to a domain on this blacklist, it is blocked, quarantined, or marked as suspicious. While this is an effective method of detecting phishing emails, it is a continual battle between attackers, who register or infect new domains, and defenders, who try to keep their blacklists up-to-date in order to catch the latest threats.
URL Rewriting
Malicious links are a common feature in phishing emails. Embedding links in emails is common practice for companies that want to give users quick and easy access to the company website or the user’s account. Phishers have taken advantage of this trend by including links in their phishing emails to websites under the phisher’s control that infect the user’s machine with malware, or harvest user credentials. Using malicious links, phishers can craft a phishing email virtually identical to that of official company correspondence, with the only difference being the targets of the email’s links.
A common protection against malicious links is maintaining a domain blacklist for known active phishing websites. If a phishing email contains a link that is included on the list, an anti-phishing program knows to take action. This could include blocking the email or optionally performing URL rewriting. By rewriting the malicious URL to a benign version, the email phishing protection software can either redirect the user to the legitimate version of the site that the phisher is spoofing, or to a page educating the user about this type of threat.
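The blacklist lookup and URL rewriting described above, as an added example that is not Inky's code. The blacklist, the education-page URL and the sample HTML body are constructed assumptions; the host check deliberately uses the parsed hostname so a decoy `user@` prefix in the link does not fool it.

```python
"""Rewrite links whose host is on a domain blacklist to an education page.
Added example, not Inky's code; the blacklist, the education page and the
sample HTML body are constructed assumptions."""
import re
from urllib.parse import urlsplit, urlencode

BLACKLIST = {"login-verify.example", "phish.example"}      # constructed known-bad domains
EDUCATION_PAGE = "https://security.corp.test/link-warning"  # constructed landing page
HREF = re.compile(r"""href\s*=\s*(["'])(.*?)\1""", re.IGNORECASE | re.DOTALL)

def link_host(url: str) -> str:
    """Host the browser would actually contact; urlsplit discards any 'user@' decoy before it."""
    return (urlsplit(url.strip()).hostname or "").rstrip(".").lower()

def is_blacklisted(url: str) -> bool:
    """Match the exact listed domain or any subdomain of it."""
    host = link_host(url)
    return any(host == bad or host.endswith("." + bad) for bad in BLACKLIST)

def rewrite_links(html: str):
    """Return (rewritten_html, list of original URLs that were rewritten)."""
    blocked = []
    def replace(match):
        url = match.group(2)
        if not is_blacklisted(url):
            return match.group(0)  # legitimate links are left untouched
        blocked.append(url)
        # Carry the original target as a query parameter so the landing page can explain it.
        return 'href="%s?%s"' % (EDUCATION_PAGE, urlencode({"blocked": url}))
    return HREF.sub(replace, html), blocked

# Constructed sample body: one blacklisted link behind a 'paypal.com@' userinfo decoy,
# one subdomain of a blacklisted domain, and one legitimate link.
SAMPLE_HTML = (
    '<p>Sign in at <a href="https://paypal.com@phish.example/login">PayPal</a>, '
    "or <a href='https://mail.login-verify.example/x?id=7'>verify</a>, "
    'or visit <a href="https://www.example.com/help">our help page</a>.</p>'
)
```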
Deep Link Inspection
URL blacklists are great if the phishing email comes from or links to a known malicious domain. But what about zero-day attacks using a brand-new domain? Registering a new domain takes very little time and effort, and then a new phishing site can be created by copying over a few files from an existing phishing domain. This ease of updating means that defenders are constantly trying to hit a moving target, as current domains are retired and new domains are created or resurrected after they are dropped from blacklists.
Deep link inspection is a way by which anti-phishing products can protect against zero-day phishing attacks. By simulating a click on each link in an email, the software can see the webpages that a user would be directed to by the phishing email. The software can then examine the resulting webpage for indications of phishing, and warn the user if the email appears to be suspicious.
HTML Sanitization
HTML-based emails provide users with a richer content experience by allowing emails to include images, animations, and other stylistic customizations not available in plaintext emails. However, this customization is mainly accomplished using scripts that allow senders to run code on the recipient’s computer.
Attackers take advantage of this functionality by embedding malicious code in emails to run when the recipient views the email. Anti-phishing products should be capable of analyzing scripts, preventing Cross-Site Scripting (XSS), JavaScript, and CSS attacks, and warning the user of suspicious scripts with unknown functionality.
Choosing a Modern Anti-Phishing Solution
Phishing attacks have evolved since the original “Nigerian Letter” scams, and simple phishing protection based only on URL blacklists just doesn’t cut it anymore. Modern phishing products take advantage of advances in machine learning and computer vision to detect and protect against more sophisticated phishing schemes.
With the average successful phishing attack costing businesses $1.6 million, choosing the right anti-phishing software is an important decision for businesses. Picking modern phishing protection can save a lot of money in the long run.
Andrew B. Goldberg is Chief Scientist at Inky Anti-Phishing Software, an enterprise communications security platform, working to protect corporate email from new breeds of sophisticated phishing attacks.