Security Features of Modern Phishing Prevention Products

In the early days, phishing emails were pretty straightforward. A Nigerian prince would offer you a substantial sum of money for helping to move his money to the US if you didn’t mind covering a couple of fees. Or, you would win some contest that you don’t remember entering, and need to claim your prize. With a little bit of user education, most of these attacks became ineffective and fell by the wayside. By Andrew B Goldberg of Inky.

The Phishing Threat

Modern phishing attacks are much more sophisticated. By personalizing emails to match their recipients, or precisely mimicking the look and feel of legitimate company emails, phishers induce their targets to do what they want. These emails have reached the point where it is unrealistic to expect users to detect them unaided. Modern anti-phishing software uses machine learning and other techniques to detect and protect against subtle phishing attacks. In this post, we describe some of the capabilities of modern anti-phishing software.

Machine Learning for Spear Phishing Protection

While large-scale mass phishing attacks are still a threat for email users, targeted spear phishing attacks are an even greater danger. By using specific knowledge of an individual and their habits, a phisher can craft a malicious email to have the greatest probability of success. Through the clever use of machine learning algorithms, modern anti-phishing products can provide users with a higher level of protection against these more sophisticated phishing attacks.

Social Graph Analysis

Impersonation is at the center of all phishing attacks. A phishing email coming from someone that the target doesn’t know has a much lower probability of success than one appearing to come from someone that the recipient knows and trusts. People are also more likely to follow instructions from those they see as being in a position of authority over them. Phishers know this, and take advantage of the fact by masquerading as authority figures like C-Level executives in Business Email Compromise (BEC) attacks.

One flaw with this approach is that the recipient may not commonly correspond with the authority figure that the phisher is impersonating. An anti-phishing product that monitors the social graph of an organization can flag unusual communications as potentially suspicious. Since phishing emails rely on catching the target off guard, a warning to the recipient that the message is suspicious and should be verified is a powerful tool in protecting against this type of phishing attack.
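The social-graph check described above, as an added example (not code from the article or from Inky's product): it builds the graph from constructed mail-flow history and flags a message when the sender has little or no prior correspondence with the recipient, or when the display name belongs to a known executive but the address is not theirs. All names, addresses and the authority directory are invented.

```python
from collections import defaultdict
from email.utils import parseaddr

# Constructed mail-flow history (sender, recipient) standing in for the organization's
# observed traffic.  Invented for this example, not data from the article.
HISTORY = [
    ("cfo@example.com", "controller@example.com"),
    ("cfo@example.com", "controller@example.com"),
    ("controller@example.com", "cfo@example.com"),
    ("it-help@example.com", "alice@example.com"),
    ("alice@example.com", "bob@example.com"),
]

# Constructed directory of authority figures: display name -> the address they really use.
AUTHORITY = {"Pat Chen": "cfo@example.com"}


def build_graph(history):
    """Count messages for each ordered (sender, recipient) pair; this is the social graph."""
    graph = defaultdict(int)
    for sender, recipient in history:
        graph[(sender.lower(), recipient.lower())] += 1
    return graph


def assess(graph, from_header, to_header, min_messages=2):
    """Return the reasons a message looks anomalous on the social graph.

    An empty list means the sender and recipient have an established correspondence
    and the display name is consistent with the address.  Anything else is a cue to
    warn the recipient to verify the message out of band.
    """
    name, addr = parseaddr(from_header)
    _, rcpt = parseaddr(to_header)
    addr, rcpt = addr.lower(), rcpt.lower()
    reasons = []
    # 1. An authority figure's display name on an address that is not theirs (BEC pattern).
    expected = AUTHORITY.get(name)
    if expected and expected.lower() != addr:
        reasons.append(f"display name '{name}' belongs to {expected}, not {addr}")
    # 2. Little or no prior traffic from this sender to this recipient.
    seen = graph.get((addr, rcpt), 0)
    if seen < min_messages:
        reasons.append(f"only {seen} prior message(s) from {addr} to {rcpt}")
    return reasons
```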

User Profiling

Everyone has their own “voice” that comes across in verbal and written communications. This voice is shaped by where the person has lived (common expressions, grammar, etc.) and the situation in which the user is communicating (professional vs. casual, technical vs. non-technical, etc.). Voice can also be part of a brand, with companies trademarking certain phrases and developing a certain voice, to build a sense of familiarity with their users.

Using machine learning and Natural Language Processing, phishing protection products can learn the different voices of the various users within a company. When an email claiming to be from a profiled user moves through the system, the voice of the email can be compared to the stored profile, and a warning provided to the user if the email sounds anomalous. While a user may sound different when in a hurry or under stress, an email with the wrong voice may also be a spear phishing email, and warning the user to be cautious doesn’t hurt.

Email Structural Analysis

Emails contain a lot of information about the email’s sender. Some of this information is visible to the recipient, including the sender’s display name and email address, and any information contained within the body of the email. However, this is only a fraction of the information that can be stored within the email. A variety of required and optional headers contain information about the email’s path of travel, mail client, etc.

These headers, while typically invisible to the email’s recipient, are a treasure trove of information for an anti-phishing program. By observing the common headers included in a sender’s emails and their values, the program can build a fingerprint for a given sender. For example, a user may typically send emails from within the Western United States using a Gmail client. Once this fingerprint is created, the phishing protection software can compare each email allegedly originating from this sender to the fingerprint, and alert the recipient if any anomalies are detected. This form of anomaly detection is a powerful defense against spear phishing attacks, which rely on a user’s trust in a specific person or organization to cause them to take the action requested within the email.
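An added example of the header fingerprinting described above (not code from the article or any product): each message is reduced to a few header traits (Message-ID domain, mailer, originating relay domain, content type, the set of header names present), the values seen in a sender's known-good mail are learned, and a new message is reported on any trait whose value was never seen before. The messages and all header values are constructed for illustration.

```python
import email
from email import policy

# Constructed messages standing in for one sender's history.  Invented for this
# example (not data from the article); header values are illustrative only.
HISTORY = [
    "From: Dana Lee <dana@example.com>\nTo: bob@example.com\n"
    "Message-ID: <CAB1x@mail.gmail.com>\nX-Mailer: Apple Mail (2.3654)\n"
    "Received: from mail-pf1-f171.google.com by mx.example.com\n"
    "MIME-Version: 1.0\nContent-Type: text/plain\n\nHi Bob\n",
    "From: Dana Lee <dana@example.com>\nTo: bob@example.com\n"
    "Message-ID: <CAB9z@mail.gmail.com>\nX-Mailer: Apple Mail (2.3654)\n"
    "Received: from mail-pf1-f172.google.com by mx.example.com\n"
    "MIME-Version: 1.0\nContent-Type: text/plain\n\nSee attached\n",
]
# Constructed spoof: the same From line, sent from an entirely different mail setup.
SUSPECT = (
    "From: Dana Lee <dana@example.com>\nTo: bob@example.com\n"
    "Message-ID: <a1b2@bulk-relay.test>\nX-Mailer: PHPMailer 6.1\nX-Priority: 1\n"
    "Received: from vps01.hosting-example.test by mx.example.com\n"
    "MIME-Version: 1.0\nContent-Type: text/html\n\n<b>Urgent</b>\n"
)


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def features(msg):
    """Reduce a message to the header traits that characterise a sender's mail setup."""
    recv = msg.get_all("Received") or []
    # The last Received header is the earliest hop, i.e. the one closest to the real origin.
    origin = recv[-1].split()[1] if recv else ""
    return {
        "msgid_domain": (msg.get("Message-ID") or "").rsplit("@", 1)[-1].rstrip(">").lower(),
        "mailer": str(msg.get("X-Mailer") or msg.get("User-Agent") or "").lower(),
        "origin_domain": ".".join(origin.lower().split(".")[-2:]),
        "content_type": msg.get_content_type(),
        "header_set": tuple(sorted(set(h.lower() for h in msg.keys()))),
    }


def fingerprint(raws):
    """Every value each trait has taken across the sender's known-good messages."""
    fp = {}
    for raw in raws:
        for trait, value in features(parse(raw)).items():
            fp.setdefault(trait, set()).add(value)
    return fp


def anomalies(fp, raw):
    """Traits of a new message whose value was never seen in the sender's fingerprint."""
    return {t: v for t, v in features(parse(raw)).items() if v not in fp.get(t, set())}
```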

Advanced Brand Forgery Protection

Brand forgery attacks take advantage of the differences between how humans see things, and how computers see things, to launch phishing attacks. Based upon the imagery and words included in an email, and how it appears in context, humans decide who is the likely sender of a particular email. This may not even involve checking the sender’s email address, and may be solely based on the fact that the email “looks and sounds right” for that brand.

Computers, on the other hand, examine the sending address, the text, email headers, and similar features of the email to make a decision about its authenticity. The difference in these two approaches creates the opportunity for phishers to craft brand forgery emails capable of slipping past the computer into the user’s inbox, where they click on a link or open an infected attachment.

Computer Vision Applications

Computer vision has the potential to bridge the gap between how humans and machines react to brand forgery emails. Marketing teams put a great deal of money and effort into training people to associate certain images and phrases with their brand. This pays off by creating a sense of familiarity and trust in readers’ minds when they receive an email from the company that contains text and imagery familiar to them. Phishers exploit this familiarity with brand imagery in brand forgery attacks by crafting emails with the same “look and feel” as legitimate emails, helping to ease them past users’ defenses and increase the probability of success.

Using computer vision, anti-phishing products can identify brand imagery and text within phishing emails and identify the supposed brand of the email in the same way that a user would. By identifying the brand in this way, the phishing protection software can take extra steps to verify that the email does in fact originate from where it claims.

Brand Indicative Text Detection

A telltale sign of a brand forgery email is that the email claims to belong to a certain brand but doesn’t originate from an address associated with this brand. Phishers know this and try to craft their emails to make it difficult for anti-phishing software to detect the alleged brand of brand forgery emails.

The simplest way for an email to claim to be from a certain brand is to say so: sign the email with the brand name, or include trademarked words and phrases. To look authentic, phishers need to do this as well, but phishing protection software is aware of this and searches for common brand names within the text of emails. To defeat this, attackers take advantage of visually similar characters that look the same to the reader but different to the email protection software. Examples include substituting “rn” for “m”, or a Greek alpha (α) for a Latin “a”. To protect against this, email protection programs can use fuzzy string matching, or computer vision, to detect these visually similar but textually different pieces of brand indicative text.

Brand Domain Verification

Once anti-phishing software has identified the supposed brand from which an email claims to originate, detection of brand forgery attacks is fairly straightforward. Most brands own a limited number of domains, and the domains belonging to a given company are typically public since they are a part of a company’s marketing and branding strategy. The stability and low changeability of official brand domains makes it easy for a phishing protection product to maintain a database of the official domains associated with commonly forged brands. When an email is identified as claiming to originate from a brand, a simple comparison of the sending address of the email to a list of the official domains of the brand allows brand forgery emails to be quickly detected and blocked.
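An added example covering both the look-alike character problem of the previous section and the domain check just described (not the article's or any product's code): the text is folded through a small confusables table and fuzzy-matched against brand names, and the sender's domain is then compared with that brand's official domains. The brand registry and confusables table are constructed and deliberately small.

```python
import difflib
import re
import unicodedata
from email.utils import parseaddr

# Constructed brand registry: official sending domains per brand.  Invented for this
# example; a real product maintains and updates such a database for commonly forged brands.
OFFICIAL_DOMAINS = {
    "acme bank": {"acmebank.example", "mail.acmebank.example"},
    "northwind pay": {"northwindpay.example"},
}

# Look-alike substitutions used to hide brand names from plain text matching:
# Greek/Cyrillic letters that render like Latin ones, digits, and letter pairs.
CONFUSABLES = {
    "\u03b1": "a",  # Greek small alpha
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "0": "o", "1": "l",
    "rn": "m", "vv": "w",
}


def normalize(text):
    """Fold case, compatibility forms and visual look-alikes down to plain ASCII words."""
    text = unicodedata.normalize("NFKC", text).casefold()
    text = re.sub(r"[^\w\s]", " ", text)
    for lookalike, plain in CONFUSABLES.items():
        text = text.replace(lookalike, plain)
    return re.sub(r"\s+", " ", text).strip()


def detect_brands(text, threshold=0.85):
    """Brands whose name appears (after normalization and fuzzy matching) in the text."""
    words = normalize(text).split()
    found = set()
    for brand in OFFICIAL_DOMAINS:
        n = len(brand.split())
        for i in range(len(words) - n + 1):
            window = " ".join(words[i:i + n])
            if difflib.SequenceMatcher(None, window, brand).ratio() >= threshold:
                found.add(brand)
                break
    return found


def classify(from_header, body):
    """Detect claimed brands in the body, then check the sender domain against each
    brand's official domains.  A claimed brand on a non-official domain is a forgery."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    brands = detect_brands(body)
    forged = [b for b in brands if domain not in OFFICIAL_DOMAINS[b]]
    return {"brands": sorted(brands), "forged": sorted(forged)}
```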

Automated Malware and Malicious Link Protection

The goal of all phishing emails is to convince the recipient to do something in the attacker’s interest. Some of the most common ways of accomplishing this are to craft an email that gets the user to click on a link, open an attachment, or run a script on their computer. Done properly, a phishing email can infect a user’s computer with malware, or steal sensitive information, without them even noticing. A primary goal of email protection programs is the detection and blocking of the malicious content contained within phishing emails.

Domain Whitelisting and Blacklisting

Links are common in phishing emails. They are the simplest way to get a user to an attacker-controlled website and don’t run the risk of an antivirus detecting malware attached to an email. Phishing protection software commonly maintains a list of known malicious domains. If an email links to a domain on this blacklist, it is blocked, quarantined, or marked as suspicious. While this is an effective method of detecting phishing emails, it is a continual battle between attackers, who register or infect new domains, and defenders, who try to keep their blacklists up-to-date in order to catch the latest threats.

URL Rewriting

Malicious links are a common feature in phishing emails. Embedding links in emails is common practice for companies that want to give users quick and easy access to the company website or the user’s account. Phishers have taken advantage of this trend by including links in their phishing emails to websites under the phisher’s control that infect the user’s machine with malware, or harvest user credentials. Using malicious links, phishers can craft a phishing email virtually identical to that of official company correspondence, with the only difference being the targets of the email’s links.

A common protection against malicious links is maintaining a domain blacklist for known active phishing websites. If a phishing email contains a link that is included on the list, an anti-phishing program knows to take action. This could include blocking the email or optionally performing URL rewriting. By rewriting the malicious URL to a benign version, the email phishing protection software can either redirect the user to the legitimate version of the site that the phisher is spoofing, or to a page educating the user about this type of threat.

Deep Link Inspection

URL blacklists are great if the phishing email comes from or links to a known malicious domain. But what about zero-day attacks using a brand-new domain? Registering a new domain takes very little time and effort, and then a new phishing site can be created by copying over a few files from an existing phishing domain. This ease of updating means that defenders are constantly trying to hit a moving target, as current domains are retired and new domains are created or resurrected after they are dropped from blacklists.

Deep link inspection is a way by which anti-phishing products can protect against zero-day phishing attacks. By simulating a click on each link in an email, the software can see the webpages that a user would be directed to by the phishing email. The software can then examine the resulting webpage for indications of phishing, and warn the user if the email appears to be suspicious.

HTML Sanitization

HTML-based emails provide users with a richer content experience by allowing emails to include images, animations, and other stylistic customizations not available in plaintext emails. However, this customization is mainly accomplished using scripts that allow senders to run code on the recipient’s computer.

Attackers take advantage of this functionality by embedding malicious code in emails to run when the recipient views the email. Anti-phishing products should be capable of analyzing scripts, preventing Cross-Site Scripting (XSS), JavaScript, and CSS attacks, and warning the user of suspicious scripts with unknown functionality.
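An added example combining the URL rewriting described earlier with the script filtering described here (not code from the article or from any product): a small HTML filter that drops script elements, inline event handlers and javascript: URLs, and rewrites links whose host is on a blocklist so the click lands on a gateway warning page. The blocklist, warning-page URL and sample email body are constructed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urlparse

# Constructed blocklist, warning page and sample email for this example (not from the article).
BLOCKLIST = {"acme-verify.test", "login-acmebank.test"}
WARNING_PAGE = "https://mailgw.example.com/blocked?u="
SAMPLE = ('<p onclick="track()">Dear customer,</p><script>var x = 1;</script>'
          '<a href="http://acme-verify.test/login">Verify now</a> <a href="javascript:void(0)">Help</a> '
          '<a href="https://acmebank.example/help">Help center</a>')

class EmailSanitizer(HTMLParser):
    """Drop <script> blocks, on* handlers and javascript: URLs; rewrite blocklisted links."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self._in_script = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # drop the element and everything inside it
            self._in_script += 1
            self.findings.append("removed <script>")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # inline event handlers such as onclick, onload
                self.findings.append(f"removed {name} handler on <{tag}>")
            elif name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"removed javascript: {name} on <{tag}>")
            else:
                if tag == "a" and name == "href":
                    host = (urlparse(value).hostname or "").lower()
                    if host in BLOCKLIST:  # URL rewriting: the click lands on a warning page
                        self.findings.append(f"rewrote link to {host}")
                        value = WARNING_PAGE + quote(value, safe="")
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = max(0, self._in_script - 1)
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_script:  # script bodies are dropped, all other text is re-escaped
            self.out.append(escape(data, quote=False))

def sanitize(html):
    p = EmailSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.findings  # (clean HTML, list of actions taken)
```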

Choosing a Modern Anti-Phishing Solution

Phishing attacks have evolved since the original “Nigerian Letter” scams, and simple phishing protection based only on URL blacklists just doesn’t cut it anymore. Modern anti-phishing products take advantage of advances in machine learning and computer vision to detect and protect against more sophisticated phishing schemes.

With the average successful phishing attack costing businesses $1.6 million, choosing the right anti-phishing software is an important decision for businesses. Picking modern phishing protection can save a lot of money in the long run.

Andrew B. Goldberg is Chief Scientist at Inky Anti-Phishing Software, an enterprise communications security platform, working to protect corporate email from new breeds of sophisticated phishing attacks.
