Phishing Attack Vectors | How to Fortify Your Defenses

By: Area 1 Security

To prevent phishing attacks, Area 1 offers a cloud-native anti-phishing service that stops email, web, and network phishing attacks that other security technologies miss. Area 1 Security’s innovative technology crawls the web continuously and proactively, discovering phishing campaigns and infrastructure before attacks launch. On average, we detect malicious sites and payloads a full 24 days before industry benchmarks.

When we think of phishing attacks, the first thing that comes to mind is often phishing email.

However, if all of the email systems in the world shut down tomorrow, would phishing attacks stop?

Unfortunately, no.

The attack vectors hackers use to execute phishing campaigns aren’t limited to only email traffic. So defense strategies that focus on protecting just email will miss phishing activity on other attack vectors. For the best protection, your security strategy needs a unified approach to protect you from phishing activity across all common attack vectors, including email, web, social and network.

Phishing, the cause of 95 percent of cyber breaches, often lures victims to malicious websites. The victim clicks on a link in an email or a social media post that opens a browser and initiates web traffic to a phishing site.

These phishing websites are crafted by attackers to achieve their malicious objective and can take several forms. For example, credential harvesting attacks typically start with a social post or email that appears to be from a trusted organization, such as a financial institution or retailer.

In one example, the victim received an email that looked like it was sent by Microsoft. The recipient was asked to click on a link and log into their account to re-enable their subscription. When the link is clicked, the recipient’s browser opens and web traffic is initiated to a spoofed site set up by the attacker. The victim enters valid account credentials, and the attacker can then harvest those credentials and use them to log into the victim’s real account for malicious purposes.

Another popular web-based phishing attack involves malware downloads. For these attacks, the hacker establishes a malicious website, or in some cases, compromises a trusted website to host malware that’s downloaded to the victim’s device.

An example of this type of attack was executed against several banks. It was first detected by security teams at several Polish banks, who discovered malicious executables on employee workstations. They traced the source of the malware to the website of the banks’ national regulator, the Polish Financial Supervision Authority (KNF), which banking employees periodically access.

The attacker compromised the regulator’s website, reportedly for over a week, by modifying one of the site’s JavaScript files. Visitors to the regulator’s site unknowingly loaded the malicious JavaScript, which then called back to additional sites to download malicious payloads that further infected the victims’ workstations.

It’s estimated that over 20 commercial banks across Poland were victims, and similar attacks affected banks in other countries as well. The affected banks discovered encrypted executable files on several servers and also noticed unusual network traffic going to uncommon IP addresses located in foreign countries.

Industry reports indicate that the attacker’s motivation is unknown. Mysteriously, it appears there were no direct financial losses incurred by the banks or their customers as a result of this attack. Some of the attacked banks were able to identify large outgoing data transfers, but the data was encrypted, so they weren’t able to determine its contents.

In both of these examples — the Microsoft credential harvest and the Polish banking malicious download — once a victim’s credentials are harvested or their device is infected, the attacker can gain access to the victim’s accounts and, in some cases, networks and systems. From there, connections to external phishing sites can be established and the victim’s data exfiltrated, or more malware downloaded to further infect systems and achieve the attacker’s objectives.

The point here is that it’s critical to monitor not just email traffic, but also web and network traffic to prevent access to, and downloads from, malicious phishing websites and stop cyber attacks.

Traditional Secure Web Gateways and Firewalls Fail to Uncover New Threats

So let’s look at how traditional security technologies (such as those from Cisco, Symantec/Broadcom, FireEye and others) claim to protect from these web-based phishing attacks.

To defend from malicious phishing websites, organizations often rely on secure web gateways and firewalls. Secure web gateways monitor web traffic and block user requests to known malicious websites. Firewalls inspect network traffic, detecting and blocking malware command-and-control communication to known malicious sites. Both security technologies are updated frequently with the latest threat intelligence as new malicious sites are discovered so that they know what sites to block.

However, the threat intelligence updates these security technologies rely on are mostly derived from analyzing active attacks, so there’s a security gap between the time a phishing attack launches and the time threat intelligence updates are available and can be deployed to firewalls and secure web gateways to block traffic to malicious sites.

In the case of phishing attacks, this is further complicated by the dynamic nature of phishing websites, which launch and shut down in a matter of hours. Also, because the attacks are often targeted, they’re typically low volume, so there’s little active attack data from which to uncover new threats.

To better understand this security gap, let’s look more closely at how attackers operate:

  • Behind every phishing campaign, before an attack launches, attackers set up infrastructure to execute their attack.
  • They often compromise servers belonging to organizations without the organization’s knowledge, and use those compromised servers to launch their attacks.
  • The compromised servers are used to execute campaigns, including activity such as sending spoofed emails to target victims, receiving and sending command-and-control traffic, downloading malware, or harvesting credentials from unsuspecting victims.
  • Even before a targeted phishing campaign is launched, there’s a lot of attacker activity involved in establishing the phishing sites and infrastructure that attackers need in order to execute a campaign.

Traditional security technologies aren’t proactively scanning for attacker activity before campaigns launch. They wait until after the campaign launches, collecting threat samples only from active attacks, after victims have already been impacted. At that point it’s too late: the damage is done, and the best they can do is alert that a breach has occurred so that incident response teams can identify and try to remediate the damage.

To counter this, security technologies have evolved to try to close the gap by adding advanced threat protection features, including time-of-click URL analysis and dynamic analysis of file downloads. While these feature enhancements help detect some unknown phishing websites and payloads, hackers have found ways to evade detection. Also, dynamic analysis of URLs and files introduces delays in accessing safe websites and files that can negatively impact end-user satisfaction and business productivity.

How to Effectively Close the Phishing Security Gap

So if traditional defenses miss phish, how can the phishing security gap be closed without negatively affecting business productivity and end-user satisfaction?

The key to defending from these attacks is to not wait until after attacks launch, but to get ahead of the attacks.

  • To protect against phishing attacks, cybersecurity solutions, including email, web, and network defenses, need early insight into phishing sites before campaigns launch and attacks are active.
  • An effective prevention strategy needs to fortify security defenses with technology that hunts for malicious sites before attacks launch, during the weeks and months hackers are establishing or compromising websites in preparation for launching their attack.
  • This preemptive defense provides the early visibility and threat indicators necessary to protect an organization from impending attacks.

Arming email, web and network cyber-defenses with early visibility and insight into phishing sites and payloads enables more effective detection and blocking of phishing email, malicious web downloads, and command-and-control communication — preventing cyber breaches.

By proactively hunting for new phishing infrastructure as it’s set up, Area 1 gains early visibility into phishing sites, payloads, malware, and compromised servers before campaigns launch. The resulting insight and threat indicators power the Area 1 Horizon™ anti-phishing service to detect and block phishing threats that other security technologies miss.

The service is easy to deploy and integrates with existing email, web, and network security infrastructure to provide an added layer of anti-phishing protection that effectively stops attacks across all attack vectors.

The service can also be deployed in front of cloud email services such as Microsoft Office 365 and G Suite to protect from targeted phishing attacks that the cloud office security technologies frequently miss.

To protect from malicious downloads from phishing sites and fileless attacks such as credential harvesting, the service also includes a cloud-based DNS that integrates with your DNS server to block access to phishing URLs and domains.

And to protect from phish callbacks and access to phishing sites, the service also easily integrates with edge security devices. The service can automatically update rulesets on firewalls and web proxies with early visibility to phishing sites so that the edge devices can detect and block phish that they would otherwise miss.

At Area 1 Security, we believe in delivering cybersecurity that works. And if it doesn’t work, you shouldn’t have to pay for it. We offer a new model of cybersecurity — the first and only performance-based protection in the industry. We’re confident we can deliver the most effective protection you can buy — or you don’t pay anything. With Pay-per-Phish, you pay only if phish is detected; there’s no upfront cost or time commitment. We also offer annual subscriptions, and you have the option to choose the Pay-per-Phish model and then convert to an annual subscription at any time.

If you’re concerned about phishing attacks evading your existing security defenses, Area 1 Security can help close the gap by adding a layer of defense that provides early visibility into phishing sites before they go live and prevents phish from reaching end users. The Area 1 Horizon™ anti-phishing service deploys easily with legacy security technologies and cloud office suites and detects and protects you effectively from email, web and network phishing attacks that other defenses miss.

To assess any gaps in your current phishing defenses, request your complimentary Phishing Risk Assessment here.