Seeing Through ‘Normal’ with Computer Vision

It turns out the hardest thing in life to do is to pretend to be normal. Acting normal on the internet is even harder. Pretending to be something you’re not creates a trail of tiny patterns that can give you away. It’s a problem that no amount of sophistication or skill can solve.

Even the best hackers in the world, like organized criminals and nation states, are limited by a couple factors. First, they’re reliant on phishing, the root source of 95% of all breaches. Secondly, they need to appear authentic, which makes them predictable.

The worst attacks in hacker arsenal are what I will call the “pixel-perfect phish” — a near carbon copy of a real site. These sites are hackers trying to act normal, but they end up standing out like a guy wearing a trench coat and dark glasses in crowd if you know how to look for them.

Facebook Portal

I’m excited that our work in computer vision is breaking new ground and taking back control from attackers based on their behaviors not on the users actions. What we’ve recently figured out at Area 1 Security is that with computer vision, the harder you try to make a message look like it’s coming from someone else, the easier it is for a computer to spot. But to do it, you have to train a computer to “look” at emails and websites a little like a person does. The more a hacker acts normal, the more they stand out.

The pixel perfect phish plays on psychology. When you see a Wells Fargo login, unconsciously you might relax a little. After all, this is big, sophisticated bank and it’s earned a reputation for being secure. It’s no surprise that these attacks down some of the biggest targets. Hillary Clinton’s campaign manager fell for a password warning from GMail.

You may relax a little more if it’s an email addressed to your personal address, but personal accounts credentials are often the beachhead for corporate attacks.

These attacks are effective, easy and don’t require a lot research. But there’s a flipside to this. Every time a logo or a website appears to be something it’s not, that should be a simple red flag, right?

This is sort of what phishing education has been trying to do, but failing, for years. Telling people to mouse over domains and look for inconsistencies. But that advice is outdated. The web today is made of very complex urls, denoting servers, directories, and scripts. Add to that equation lookalike domains, and the proliferation of new domain extensions, and spotting “bad” urls has become an impossible task for people.

Cybersecurity professionals have been been asking more and more of their users at a time when most technology is asking less. It’s demanded everyone be part time a security professional. We’re about to give that job to a computer.

Enter computer vision. Thanks to some serious leaps in vector mapping, machine learning and natural language processing, we’re finally able to teach a computer to “see” like a person. Instead of sorting code and pixels as 1’s and 0’s, for the first time a computer can actually look for things.

By looking at a whole image, and finding lines and boundaries on objects like your brain does, computer scientists can make computers that can recognize faces, or figure out when a freeway lane merges. For the first time, pictures can be searched like data. Just like you might use a find function to look for a name in text, we can tell a computer to find images that are identical or close to other images.

Now our computer can look at websites and check that they are who they say they are. For instance, if our algorithm sees that a logo or a login on a page where the url doesn’t matchup, it can flag it, almost at the speed of light. If a page is setup to register credentials, but doesn’t send them to the right place, we can flag it. No matter how hard the bad guys pretend, they end up giving themselves away.

And the harder bad guys try to adapt, the easier it is for us to spot them.

Want to keep up to date with the latest phishing trends? 

Subscribe to our newsletter here!


How to replace your email gateway with Cloudflare Area 1

Leaders and practitioners responsible for email security are faced with a few truths every day. It’s likely true that their email is cloud-delivered and comes with some built-in protection that does an OK job of stopping spam and commodity malware.

Introducing email link isolation – Email gateway replacement playbook

This week was a big one for us at Cloudflare, one of our four innovation weeks which we hold annually, showcasing new developments, product news and reference architectures.

Superhero strategies for the Phish Fight

Today is National Superhero Day, and we would like to dedicate this day to you—the SOC teams and the security experts on the frontline of the phish fight.