The evolution of phishing attacks over the past couple of years has shown a growth in sophistication that is rendering traditional cybersecurity protocols insufficient. While traditional virus protection software still plays a role, it’s important to think holistically to defend against today’s threat actors. The Ponemon Institute shared research that showed 77 percent of phishing attacks are launched via file-less techniques that go undetected by standard endpoint security solutions. In other words, today’s phishing threat actors no longer solely rely on a simple email attachment to ensnare their victims.
We’ve shared several posts that examine these growing attack vectors and a recap is in order:
- Malicious browser extensions. Browser extensions by design have full access to most of the browser’s resources and to the information being entered and rendered within the browser. It was just a matter of time before cybercriminals realized that injecting malicious code into browsers, disguised as benign-looking browser extensions, would give them unlimited access to much of the data passing through the browser.
To add further complications, these plugins run inside browser memory, so SSL encryption is not a problem for them. And in order to bypass Two Factor Authentication (2FA), these plugins usually wait for the authentication phase to be completed before snooping on the authenticated session and stealing data to mount further attacks.
- Credential stealing. Perhaps the oldest form of phishing, credential stealing is designed to trick the user into giving up their login credentials via a spoof website or popup. The problem today is that many of these fake sites mirror legitimate trusted brands, tricking even the savviest professionals into falling victim.
- Technical support scams and scareware. Typically, scareware starts with a pop-up that displays a “scary” message prompting a user action that will ultimately infect their device. The threat of a computer virus prompts users to click links that download malware and infect the user’s device. At this point, credit card data can be captured, credentials stolen, or a device or computer compromised. In some instances, clicking the link to fix a fake virus may uninstall legitimate antivirus software, leaving a computer, mobile device, or network vulnerable to attack.
- Phishing callbacks, command-and-control (C2) attacks. They usually begin with a phishing attack that installs malicious code onto an unsuspecting employee’s device through a browser extension, weaponized document or rogue software. The attacks are often extremely targeted toward employees who control organizational personally identifiable information (PII) or financial data – typically in human resources or accounts payable departments. Once a machine is compromised, the hacker will ping the infected device for a callback to test the new connection and determine whether the transmission will go undetected by the organization’s security. We often see these callback attempts in the form of zero-byte FTP file transfers or IRC communications. The majority of the time these test transmissions go undetected.
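The two callback patterns named above (zero-byte FTP transfers and IRC communications from a workstation) are cheap to hunt for in outbound flow logs. The following is an added example, not SlashNext code; the log lines are constructed in a simplified flow format (timestamp, source, destination, destination port, protocol, bytes out, bytes in), and the IRC port list is an assumed default, so adapt `parse_flow` to your firewall or NetFlow exporter's fields.

```python
"""Flag zero-byte FTP flows and IRC connections in outbound connection logs.

Added illustration, not SlashNext code. Constructed log format:
    <timestamp> <src_ip> <dst_ip> <dst_port> <proto> <bytes_out> <bytes_in>
Real firewalls and NetFlow exporters use their own fields; adapt parse_flow.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

IRC_PORTS = {6667, 6697}   # plaintext and TLS IRC; assumed default ports
FTP_PORTS = {20, 21}       # FTP data and control


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int
    bytes_in: int


def parse_flow(line: str) -> Flow:
    ts, src, dst, dport, proto, b_out, b_in = line.split()
    return Flow(ts, src, dst, int(dport), proto.lower(), int(b_out), int(b_in))


def is_zero_byte_ftp(f: Flow) -> bool:
    # An FTP flow that moved no payload in either direction: the channel was
    # opened only to learn whether the connection is allowed and goes unnoticed.
    return (f.proto == "tcp" and f.dport in FTP_PORTS
            and f.bytes_out == 0 and f.bytes_in == 0)


def is_irc(f: Flow) -> bool:
    # Workstations rarely have a business reason to speak IRC to the internet.
    return f.proto == "tcp" and f.dport in IRC_PORTS


def find_callbacks(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, reason) for every flow that matches a callback pattern."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if is_zero_byte_ftp(f):
            alerts.append((f.src, f.dst, "zero-byte FTP transfer"))
        elif is_irc(f):
            alerts.append((f.src, f.dst, "IRC connection to external host"))
    return alerts


def suspicious_hosts(alerts: List[Tuple[str, str, str]]) -> List[str]:
    """Sources showing more than one callback pattern deserve triage first."""
    reasons_by_src: Dict[str, Set[str]] = {}
    for src, _dst, reason in alerts:
        reasons_by_src.setdefault(src, set()).add(reason)
    return sorted(src for src, reasons in reasons_by_src.items() if len(reasons) > 1)


# Constructed sample log (RFC 5737 documentation addresses play the external hosts).
SAMPLE_LOG = """\
# ts src dst dport proto bytes_out bytes_in
2024-01-01T09:00:01 10.0.0.12 203.0.113.5   443  tcp 1820 45233
2024-01-01T09:00:07 10.0.0.12 198.51.100.9  21   tcp 0    0
2024-01-01T09:01:13 10.0.0.12 198.51.100.9  6667 tcp 96   212
2024-01-01T09:02:00 10.0.0.40 203.0.113.77  21   tcp 4096 120
"""

if __name__ == "__main__":
    found = find_callbacks(SAMPLE_LOG.splitlines())
    for src, dst, reason in found:
        print(f"{src} -> {dst}: {reason}")
    print("triage first:", suspicious_hosts(found))
```

The second rule (IRC) will also fire on a legitimate IRC client, so the value is in the correlation: a host that exhibits both patterns within minutes, as 10.0.0.12 does in the sample, is the one to pull first.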
- Weaponized documents. These are an example of attacks that can come from a web download, a shared drive or a file attached to a legitimate-looking email. PDFs, Excel, Word or other Microsoft Office documents can all be compromised to contain code, links, or even videos that covertly release malware, trojans, ransomware or even remote access software onto a system or network. Even when a weaponized document starts with an email, most traditional anti-phishing email products won’t identify the malicious phishing attack when it’s downloaded through any of the other vectors (shared drives, PDFs, Excel, Word or other Microsoft Office documents).
- Multi-stage phishing attacks. It starts with a link sent in email that is not malicious but leads to what appears to be a benign site. Once that website is opened, the user performs a task and a local HTML file is downloaded to their computer. When the user clicks on that file from their desktop, a local HTML page is launched with a link to continue which sends them to the final domain where the phishing content is delivered. The bad guys are forcing a rational human through multiple steps that security equipment would normally have trouble detecting. They don’t allow a phishing site to appear unless they can confirm that a human is interacting with the site. This means that even if the final phishing domain is on a blacklist, traditional anti-phishing security cannot protect users from it until someone or some technology follows the entire user process and reaches a point where the phishing site is baited.
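The weak point of the multi-stage chain above is the middle stage: a local HTML file that carries no phishing content and exists only to forward the victim. That file can be inspected on the endpoint or at a gateway's file scanner. The following is an added example, not SlashNext code; the two sample pages and the host login-verify.example are constructed, and the 40-word "thin page" threshold is an assumed tuning value.

```python
"""Inspect a downloaded HTML file for the "staging page" pattern.

Added illustration, not SlashNext code. Sample pages and the host
login-verify.example are constructed. A staging page typically has almost
no visible text, an automatic redirect, and a single external destination.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect outbound targets (anchors, form actions, meta refresh) and visible text."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self.refresh = []
        self.words = 0
        self._in_script_or_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases attribute names
        if tag == "a" and a.get("href"):
            self.targets.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.targets.append(a["action"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.refresh.append(m.group(1))
        elif tag in ("script", "style"):
            self._in_script_or_style = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._in_script_or_style = False

    def handle_data(self, data):
        if not self._in_script_or_style:
            self.words += len(data.split())


def external_hosts(urls):
    """Hosts of absolute http(s) targets; relative links (e.g. '#top') are ignored."""
    hosts = set()
    for u in urls:
        p = urlparse(u)
        if p.scheme in ("http", "https") and p.hostname:
            hosts.add(p.hostname.lower())
    return sorted(hosts)


def analyze_local_html(html: str, thin_page_words: int = 40) -> dict:
    """Verdict on a local HTML file: does it only exist to push the user elsewhere?"""
    c = LinkCollector()
    c.feed(html)
    hosts = external_hosts(c.targets + c.refresh)
    reasons = []
    if external_hosts(c.refresh):
        reasons.append("automatic redirect (meta refresh) to an external host")
    if len(hosts) == 1 and c.words < thin_page_words:
        reasons.append(f"thin page whose only outbound target is {hosts[0]}")
    return {"external_hosts": hosts, "words": c.words,
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed samples: a staging page and an ordinary saved report.
STAGING_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=https://login-verify.example/continue">
</head><body><p>Your document is ready.</p>
<a href="https://login-verify.example/continue">Continue</a></body></html>"""

SAVED_REPORT = """<html><body><h1>Quarterly summary</h1>
<p>Figures for the quarter are listed in the table that follows.</p>
<a href="#top">Back to top</a></body></html>"""

if __name__ == "__main__":
    for name, page in (("staging", STAGING_PAGE), ("report", SAVED_REPORT)):
        print(name, analyze_local_html(page))
```

This does not replace rendering the final page (which is what the post argues for); it is a cheap pre-filter that surfaces the chain before anyone clicks "continue", and the external host it extracts is exactly the URL that deserves to be rendered in isolation.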
These are just some of the many phishing attacks that do not rely on traditional email as the sole attack vector. When you factor in the speed and volume at which these phishing attacks unfold – tens of thousands of new phishing sites going live each day, most disappearing in 4 to 8 hours – you can see the problem that organizations face in preventing these attacks.
It’s not possible to remember the millions of blacklisted URLs or take the time to cross-verify the origins of a site. Most employees are not tech-savvy users; they are not trained to detect these types of sophisticated phishing attacks, and they merely fall victim. Human vulnerability, human-vetted threat intelligence and traditional blacklists are no match for today’s fast-moving phishing threats.
Most of the industry is examining phishing URLs and domains. That data is often not accurate or fast enough to detect new and fast-moving phishing attacks. What’s needed is a new approach!
The optimal method for detecting phishing centers on the behavioral analysis of the content. If something looks suspicious, it’s loaded into a virtual browser session and renders the whole page, so our Session Emulation and Environment Reconnaissance™ (SEER) threat detection technology can detect threats missed by URL inspection and domain reputation analysis.
Through multiple live sources, we proactively scan billions of global internet transactions and millions of suspicious URLs daily. Suspect URLs are rendered with millions of virtual browsers in our threat detection cloud. SEER technology inspects the site with advanced computer vision, OCR, NLP, and active site behavior analysis. SEER analysis features are fed into machine learning algorithms which deliver a single definitive verdict: malicious or benign. There are no inconclusive threat scores and near zero false positives. Malicious URLs, Domains, and IPs are continuously added to our Real-Time Phishing Threat Intelligence feed and available in multiple machine-readable formats via Web APIs.
This approach is entirely different from other threat feed products that offer a probability of being malicious or suspicious. With a binary approach, we can offer our feed for automated blocking purposes through a firewall. It’s a continuously updated list of zero-hour phishing URLs, domains and IPs with IOCs that can stop an attack before it happens. Most threat feeds are not even suitable for blocking purposes and are usually used in research. We are marketing our threat feed for instant blocking because there are near-zero false positives, which leaves little fear of blacklisting legitimate websites.
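A feed that is meant for blocking rather than research needs precise matching semantics, because every over-broad match is a blocked legitimate site. The following is an added example, not SlashNext's API or feed format: it consumes a constructed tab-separated feed of the three indicator types the post names (URLs, domains, IPs with RFC 5737 addresses and .example hosts) and applies the rules a firewall or proxy would want: a listed URL blocks only that URL, a listed domain blocks it and its subdomains (never a substring or a bare TLD), and a listed IP blocks any URL whose host is that address.

```python
"""Apply a binary phishing feed (URLs, domains, IPs) to outbound requests.

Added illustration, not SlashNext's API or feed format. The feed, the
indicator values and the request URLs are all constructed.
"""
import ipaddress
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_url(url: str):
    """Canonical key so trivial variations (scheme case, default port) still match."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower().rstrip(".")
    port = p.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port, p.path or "/", p.query)


class PhishBlocklist:
    def __init__(self):
        self.urls, self.domains, self.ips = set(), set(), set()

    @classmethod
    def from_feed(cls, text: str) -> "PhishBlocklist":
        bl = cls()
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            kind, value = line.split("\t", 1)
            if kind == "url":
                bl.urls.add(normalize_url(value))
            elif kind == "domain":
                bl.domains.add(value.lower().rstrip("."))
            elif kind == "ip":
                bl.ips.add(ipaddress.ip_address(value))
            else:
                raise ValueError(f"unknown indicator type {kind!r}")
        return bl

    def verdict(self, url: str):
        """Return ('block', <indicator type that matched>) or ('allow', None)."""
        key = normalize_url(url)
        host = key[1]
        if key in self.urls:
            return ("block", "url")
        # exact domain or any parent domain of the host, but never the bare TLD
        # and never a substring match (notpaypa1-verify.example stays allowed)
        labels = host.split(".")
        for i in range(max(len(labels) - 1, 1)):
            if ".".join(labels[i:]) in self.domains:
                return ("block", "domain")
        try:
            if ipaddress.ip_address(host) in self.ips:
                return ("block", "ip")
        except ValueError:
            pass  # host is a name, not an address
        return ("allow", None)


# Constructed sample feed: type<TAB>value, one indicator per line.
SAMPLE_FEED = "\n".join([
    "# type\tvalue",
    "url\thttp://203.0.113.44/secure-login/index.php",
    "domain\tpaypa1-verify.example",
    "ip\t198.51.100.23",
])

if __name__ == "__main__":
    bl = PhishBlocklist.from_feed(SAMPLE_FEED)
    for u in ("http://203.0.113.44/secure-login/index.php",
              "http://203.0.113.44/other",
              "https://www.paypa1-verify.example/login",
              "http://notpaypa1-verify.example/",
              "http://198.51.100.23/anything",
              "https://www.example.com/"):
        print(u, bl.verdict(u))
```

The three indicator types deliberately carry different blast radii: a URL entry on a shared host (the 203.0.113.44 example) does not block the rest of that host, whereas an IP entry does. When loading a feed for automatic blocking, that distinction is what keeps a near-zero false-positive feed from turning into a false-positive firewall rule.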
You can check this technology out yourself. Contact us to learn more or try SlashNext Real-Time Phishing Threat Intelligence free for 15 days.