New Phishing Techniques: From Targeted Attacks to Evasive Phishing

The reality is that phishing is not going away. Research from government agencies and IT industry analysts demonstrates that phishing attacks are successful: last year the FBI Internet Crime Complaint Center reported a 100% rise in business email compromise attacks; Osterman Research reported 48% of organizations have suffered a phishing-related breach; and Verizon reported phishing was the top threat variety resulting in a breach. From massive-scale, botnet-driven outbreaks to highly focused attacks using business email compromise (BEC), spear phishing, and whaling phishing techniques--every company and employee is at risk of becoming a target.

Phishing techniques provide a robust ROI to the people behind it, as barriers to entry have fallen and the “phishing-as-a-service” economy has evolved to lower costs. We also can’t lose sight of the fact that phishing’s primary distribution channel—email—is the easiest and only reliable way to reach business users directly. In this whitepaper, you’ll discover some new and some classic phishing techniques, such as:

1. HTML character encoding: with this phishing technique, some or all of a phishing page’s HTML code is encoded and is displayed normally by web browsers, but security crawlers are not able to read specific aspects of the page.
2. Content encryption: a tactic similar to encoding, where the content in the code does not show as readable text.
3. Inspection blocking: the phishing technique most regularly incorporated into attacks, where phishers employ block lists for connections from specific IP addresses and hosts known to be used by security companies.
4. URLs in attachments: a growing phishing trend over the past year has been to not place links in the body of emails, but instead hide them in attachments, in order to make detection more difficult.
5. Content injection: this is a tried and tested phishing technique used to lull the user and complicate detection by changing a part of the content on the page of a legitimate website.
6. Legitimate cloud hosting: by hosting phishing websites on legitimate cloud services, like Microsoft Azure, phishers are able to present legitimate domains and SSL certificates, lulling even the most attentive user into thinking a given phishing page is trustworthy.

In this report, learn about new phishing techniques, how evasive phishing techniques are requiring new defensive strategies, and how you can protect your employees, operations, and reputation from a phishing attack.