Web-Based Phishing Threats Pose New Risks to an Organization’s Security
By Atif Mushtaq – Chief Executive Officer at SlashNext
Thanks to international coverage of large-scale attacks against enterprises and political campaigns, phishing has become a common fear within organizations of all sizes. Phishing in general isn’t a new threat, but hackers are changing their tactics and wreaking havoc through a variety of browser-based attack vectors.
Phishing emails often contain blatantly suspicious attachments or links that the majority of modern email accounts filter into spam or trash folders. Unfortunately, most users are under the impression that phishing threats are limited to these often clumsily produced, poorly written scam emails.
This is not the case.
Cybercriminals are quite skilled and knowledgeable. They are harnessing whole other facets of the internet to create similar but stronger threats. While email phishing remains one method, other social engineering launch points include disguised websites, fake advertisements, rogue applications, pop-ups, chat apps and social media, as well as malicious browser extensions and plug-ins. Each of these vectors can be manipulated to appear to be exactly what it imitates, such as commonly used pages and applications like Gmail and Dropbox. It’s remarkable how deceptive threat actors can make these phishing schemes look. The average user, and at times even computer security professionals, can’t spot the difference with the naked eye.
One of the reasons these threats are so difficult to detect is how briefly they are active. Most quick-hit phishing sites are only online for four to eight hours, according to the 2018 Webroot Threat Report. The study reported that the longest-active site was up for just 44 hours. The shortest-lived site was online for just 15 minutes. These short lifetimes leave organizations only a brief window to detect and respond to threats. They can no longer trust outdated defense systems; they need real-time phishing site detection.
Early in 2018, cybercriminals virtually flexed their capabilities by launching a phishing scheme with an imitation sign-up page for the RSA Conference 2018, one of the top cybersecurity events in the world. The perpetrators were able to trick several security professionals into giving away identification and credit card information, as well as steal conference registration fees and sell backdoor access to the compromised devices via the Dark Web. This year, a new page is up hoping to target the new crop of RSA users in 2019 – you can see from the image above how sophisticated and official this webpage looks.
These phishing strategies represent a whole new generation of threats. Security systems are prepared to defend against the first three generations: first, network-based; second, signature-based; and third, malware. However, most defenses aren’t advanced enough to detect these web-based phishing attacks that are so intricately designed.
So, what should organizations do to protect users from these increasing and advancing threats? Cybersecurity training can only go so far, especially with the believable masquerades designed by malicious social engineers. Security sandboxes are another method, but they are an outdated strategy and they require too much support from IT teams to be a reasonable option for modern organizations. New and advanced threats need new and advanced security.
Businesses need device- and OS-agnostic real-time phishing site detection that works across all phishing attack vectors. This approach detects malicious phishing sites by examining page contents and server behavior, ensuring that phishing threats beyond email are detected quickly. It delivers definitive, binary threat verdicts that determine whether websites are malicious or benign with near-zero false positives. With 46,000 new phishing sites going online each day, it only takes one successful phishing attack to cause organizational mayhem.
About the Author:
Atif Mushtaq is founder and CEO of SlashNext, which is pioneering a new, more effective way of protecting companies from the growing problem of Web-based phishing. Atif is the visionary behind SlashNext’s innovative approach that employs cloud-based session emulation and phishing detection technology to uncover threats.