Phishing is the most commonly used attack vector in cybersecurity breaches, according to the 2019 Verizon Data Breach Report. No one is safe from its effects—not private businesses, government agencies, or everyday citizens. The ultimate goal of phishing is to lure unsuspecting victims to a spoof website that looks close enough to the real thing to convince people to enter their personal login credentials. Once those credentials are captured, adversaries can sell them for a high price, or use them to try to gain access to other accounts. Not only do phishing attacks disrupt the lives of the people who fall for them, but they destroy the trust between customers and the brands whose websites are spoofed.
Unfortunately, phishing is on the rise. A November 2019 report from the Anti-Phishing Working Group (APWG) notes that the number of phishing attacks rose in the third quarter of 2019 to the highest level since late 2016. Additionally, the report noted that a wider array of companies are being targeted by phishing attacks.
These statistics are alarming, but we can learn a few things from them. First, phishing is increasing in frequency and in scale because it works. It is a relatively cost-effective, low-risk attack vector that doesn’t require a great deal of technical skill on the part of the adversary. And second, we can deduce that the solutions available on the market today clearly aren’t getting the job done. These tools are creating a false sense of security in organizations, who mistakenly believe that if they have anti-phishing domain monitoring, then they have nothing to fear. But the evidence is mounting that they do, indeed, have plenty to be concerned about.
Where Domain Monitoring Falls Short
Domain monitoring services are designed to allow users to monitor the registration status of specific domains. Many services promise to alert you when monitored domains are nearing expiration or when they change status. But the major problem with domain monitoring is scale, especially for large brands like Microsoft and PayPal, whose websites are the target of multiple web spoofing attacks. Research from Dell Technologies reveals that there are an estimated 30,000 spoof URLs launched every day, to be used in orchestrated phishing campaigns. The sheer volume of malicious and fake websites makes it impossible for any domain monitoring solution to detect them all.
Additionally, we know that adversaries are getting smarter about how they launch their spoof websites. They are taking the time to register these domains, making it more difficult for domain monitoring to detect them. APWG’s report notes that credential theft caused by phishing attacks sent from an account linked to a domain registered by a scammer increased from 33 percent in Q2 to 40 percent in Q3 of last year.
Further, the APWG report shows that an increasing number of spoof sites are using Secure Sockets Layer (SSL) protection. These sites present an authentic SSL certificate, complete with a green padlock, in an effort to convince victims that the web address is the real deal. As the report notes, “More than two-thirds of all phishing sites (in Q3 2019) used SSL protection. This was the highest percentage since tracking began in early 2015, and is a clear indicator that users can’t rely on SSL alone to understand whether a site is safe or not.”
Adversaries are also exploiting popular link-sharing tools such as Bit.ly or ow.ly to aim their attacks at victims. According to the 2019 Webroot Threat Report, “Two of the most common ways to hide the true destination of a URL are through URL shorteners and cloud storage.” Domain monitoring won’t help when nefarious URLs are hidden by URL shorteners.
[Figure: URL shorteners most frequently used for phishing attacks in 2016. Source: Anti-Phishing Working Group]
IP addresses are not static, and they can quickly cycle from malicious to benign and back again multiple times. As the Webroot Report states, “Trusted sites may be compromised—even if only for a short period of time before being discovered—and threat actors know this is an effective method for evading detection.” We have seen this first-hand at Allure. One of our customers used our web spoofing detection technology to discover a spoof site that was hidden within the pages of a legitimate website–a coffee shop located in Vietnam. The customer had deployed a domain monitoring tool, but it failed to detect this spoof site.
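The gap described in this section, as an added illustration that is not from the original post and is not Allure's product: a hostname-only lookalike check run over constructed URLs, beside a triage that also flags shortener links and brand names in paths on unrelated hosts. The brand `examplebank`, every host and path, and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

BRAND = "examplebank"  # hypothetical monitored brand
LEGIT_HOSTS = {"examplebank.example", "www.examplebank.example"}
SHORTENERS = {"bit.ly", "ow.ly"}  # the two shorteners the article names

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_monitor_hit(url):
    """What hostname-only monitoring sees: brand-like labels in the host."""
    host = (urlsplit(url).hostname or "").lower()
    if host in LEGIT_HOSTS:
        return False
    labels = host.replace("-", ".").split(".")
    return any(BRAND in l or edit_distance(l, BRAND) <= 1 for l in labels)

def triage(url):
    """Classify a URL, adding the two cases hostname matching cannot see."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in LEGIT_HOSTS:
        return "legitimate"
    if domain_monitor_hit(url):
        return "lookalike-domain"
    if host in SHORTENERS:
        return "shortener-needs-expansion"  # destination unknown until resolved
    if BRAND in (parts.path + "?" + parts.query).lower():
        return "brand-in-path-on-unrelated-host"  # e.g. page on a compromised site
    return "no-signal"

# Constructed sample URLs (not real indicators).
SAMPLES = [
    "https://www.examplebank.example/signin",
    "https://examp1ebank-login.example/signin",
    "https://bit.ly/3xAmPlE",
    "https://coffee-shop.example/wp-content/examplebank/login.html",
    "https://news.example/article",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{domain_monitor_hit(u)!s:5}  {triage(u):32}  {u}")
```

Only the second sample trips the hostname check; the shortener link and the page hosted on an unrelated site surface only once the full URL is inspected, and the shortener still has to be expanded before its destination can be judged.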
A Better Way to Detect Spoof Websites
Phishing is big business for cybercriminals. At Allure, our approach involves changing the economics of the equation and forcing adversaries to question whether the credentials they’ve stolen through a spoof website are actually valuable to them. Our solution is the only one that addresses the problem of protecting customers from phishing. They are the biggest targets, and the most difficult for organizations to control. Using our patented beacons and decoy technology, Allure has the power to detect phishing sites or pages in real-time, before your customers are put at risk. We can often detect spoof URLs before any customers are targeted.
If your organization is ready for a new approach to shutting down phishing, get in touch with Allure today to learn more. We make it possible for you to know as soon as a spoof URL has been launched against your website, whether any of your customers have been impacted, and even where the attack originated.
Posted by Salvatore Stolfo