Ways to Protect Against Modern Day Spear Phishing


Anyone who works in the cyber-security field knows that phishing attacks – especially those against large enterprises – are on the rise. The odds of success are in the attacker’s favor because these attacks rely on uniquely human factors that are notoriously exploitable.

Phishing attacks have evolved over the years. In the past they were simple: an attacker would send a message with a link to a bogus site to trick a user into running malicious code on their computer. Today, however, phishing attacks are highly complex, and the damage to the victim can be severe and even irreversible.

The most effective phishing attack in the security world today, the one that can infiltrate all layers of defense, is spear phishing. The vast majority of headline-making data breaches in recent years started with spear phishing attacks.

Spear Phishing: The Art of Seduction

First, the attacker chooses a victim, let’s say www.contoso.com. The attacker then uses a dynamic DNS service and a virtual server to publish their own similar site under a similar name, such as www.comtoso.com, on the assumption that users will not notice the minor change in the URL.

In the second phase, the attacker copies the www.contoso.com site using scraping or data-harvesting tools such as Automation Anywhere or Ion. Now the attacker has a lookalike site under the name www.comtoso.com. All that is left for them to do is to draw victim users to the fake site so that visitors enter their credentials there. The attacker’s next step is to collect as many email addresses as possible by using fingerprinting tools like Foca and Maltego.

Now the attacker waits for a user to log in to the bogus site with valid Contoso credentials and collects them. Then, as attackers often say, it’s game over.


Anti-Phishing Techniques

Anti-phishing products and services have also been around for quite some time and they occupy a significant area of the cyber security industry. Antivirus programs now often include anti-phishing features and most browsers are automatically equipped with Google Safe Browsing; this combination provides a moderate level of anti-phishing protection, but is not enough to protect a company against a sophisticated attack.

Anti-phishing solutions can be integrated into web browsers or operate standalone, and they frequently use similar methods to detect phishing attacks.

Domain reputation

All anti-phishing vendors collect intelligence in the form of URL blacklists. They do this with reputation analysis technology that scores domains and related data, such as blacklisted top-level domains (TLDs). Some sites will provide you with this information for free – http://www.borderware.com/ is one example. The information from these services can also come from mail block lists and reported sites.

The downside to this method is that most attackers use ‘throw-away’ domains: they register domain names to host malicious URLs, but only for brief periods of time. This lets them fly under the radar of URL blacklists and reputation analysis technology.
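The blocklist and domain-age checks described above, as an added Python example that is not part of the original post and not a Radware or other vendor implementation. The blocklist, the TLD watch list, the WHOIS-style creation dates and the reference date are constructed stand-ins for what a reputation feed would supply. The age check is what catches the throw-away pattern: a domain that is on no blocklist yet but was registered only days ago, or that has no registration record at all in the feed.

```python
"""Screen a URL against a domain blocklist, a TLD watch list and the
registration age of its domain. Added example, not a vendor's product code;
every list and date below is a constructed stand-in for a reputation feed."""
from __future__ import annotations

from datetime import date
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"malicious.example", "phish-kit.test"}   # constructed feed
BLOCKED_TLDS = {"top", "xyz"}                                # constructed entries
# WHOIS-style creation dates a reputation feed would supply (constructed).
CREATED = {
    "contoso.com": date(1999, 5, 1),
    "comtoso.com": date(2024, 3, 2),   # the page's look-alike, freshly registered
    "malicious.example": date(2023, 11, 20),
}
NEW_DOMAIN_DAYS = 30              # younger than this is a possible throw-away
REFERENCE_DAY = date(2024, 3, 10)  # constructed "today" so results are stable


def host_of(url: str) -> str:
    """Hostname of a URL, lower-cased, without port or trailing dot; URLs
    pasted without a scheme are accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def domain_candidates(host: str) -> list[str]:
    """The host and each parent domain, so a blocklisted apex also catches
    its subdomains: 'a.b.c' -> ['a.b.c', 'b.c', 'c']."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def registration_age_days(host: str, today: date) -> int | None:
    """Age in days of the most specific domain we hold a creation date for."""
    for candidate in domain_candidates(host):
        if candidate in CREATED:
            return (today - CREATED[candidate]).days
    return None


def assess(url: str, today: date | None = None) -> list[str]:
    """Return the reasons a URL is suspicious (an empty list means no finding)."""
    today = today or date.today()
    host = host_of(url)
    reasons: list[str] = []
    if any(c in BLOCKED_DOMAINS for c in domain_candidates(host)):
        reasons.append("domain on blocklist")
    if host.rsplit(".", 1)[-1] in BLOCKED_TLDS:
        reasons.append("blocked TLD")
    age = registration_age_days(host, today)
    if age is None:
        reasons.append("no registration record (age unknown)")
    elif age < NEW_DOMAIN_DAYS:
        reasons.append(f"registered {age} days ago (possible throw-away domain)")
    return reasons


if __name__ == "__main__":
    for url in ("https://www.contoso.com/", "http://login.comtoso.com/reset",
                "MALICIOUS.example/login", "https://promo.xyz/"):
        print(url, "->", assess(url, REFERENCE_DAY) or ["clean"])
```

Walking the parent domains means a blocklist entry for an apex domain also covers every subdomain the attacker spins up under it; the "age unknown" outcome is deliberately reported rather than ignored, because a domain too new to have reached the feed is exactly the throw-away case the text warns about.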

Phishing Alerts for Registrars and Hosting Providers

Registrars, hosting providers and ISPs can provide a footprint of their IP addresses, name servers and Whois servers. Anti-phishing software is continuously updated with this information and can alert users based on it.


Toolbars

There are different toolbars that can be installed on today’s most popular browsers. These toolbars constantly monitor the URLs the user visits and report them back to the software, which checks them against its rule-based policy.

DNS Search Protection

Using this method of protection, domains that are deceptively similar to legitimate websites are logged in repositories. The software monitors DNS registrations daily for specific alert patterns and also probes potential domains at common TLDs and registration points like .com, .net and .free.fr.

SSL Site Search Protection

Phishing attacks that make use of SSL certificates are especially dangerous, as most users associate the presence of a valid SSL certificate with an increased level of assurance. Some products have the ability to search over five million SSL certificates for forgeries.

Awareness

The most important and effective way to safeguard against phishing attacks is to educate employees and heighten their awareness of social engineering attacks. Many organizations offer education programs about security, and these enable users to become more aware of the most current risks and threats.

The bottom line is that the problem lies somewhere between the chair and the keyboard. It is ultimately up to the end user to read all emails and alerts with a critical eye and decide whether the information and the links are safe or not. As long as the decision is in the hands of the user, the chances of success in phishing attacks will remain high, and that’s exactly what keeps the anti-phishing industry growing. Organizations will keep searching for solutions, and anti-phishing technology must continue to develop in accordance with this demand.


Snir Karat

Snir Karat is an information security expert for the Radware Emergency Response Team with vast experience in information technology, network analysis, and application security risks. He specializes in network and application security for Radware’s premium customers. Prior to working at Radware, Mr. Karat was an information security consultant at EY and a manager of CISO services for various industries where he handled penetration tests and incident response.
