Evasive Phishing Driven by Phishing-as-a-Service

by Tinna Thuridur Sigurdardottir and Magni Sigurdsson

The phishing-as-a-service industry is making easy-to-use phishing attack tools and even full campaigns available at cheap rates, with full-service subscription prices typically varying from $50 to $80 per month, depending on the level of service, and realistic phishing web kits available for download for as little as $50. Cyren’s research lab has turned up 5,334 new, unique phishing kits deployed to the web so far this year, an indication of the scope and scale of turn-key phishing offerings.

Fig. 1 – Different style scam pages targeting Office 365 credentials on offer from a Phishing-as-a-Service web site—and with a $10 discount!

Phishing-as-a-Service is embedding evasive phishing attacks

A straight line can be drawn between the availability of such kits and turn-key phishing platform services and the growth in evasive phishing, that is, phishing attacks that use tactics to confound detection by email security systems. Today's reality is that more evasive phishing campaigns are in the hands of more attackers, at less effort and lower cost than in the past, because technically sophisticated phishing developers have adopted a SaaS business model that lets even the most amateur would-be criminal spoof targeted web sites with a high degree of authenticity and built-in evasive tactics.

87% of phishing kits include evasive techniques

Cyren's security lab also found that 87 percent of phishing kits sold on the dark web include at least one type of basic evasive technique. Blocking or redirect functions are the most common tactic included, usually implemented with an .htaccess file or a small PHP script that denies requests from listed IP addresses and user agents. One expectation for the future is that phishing developers will begin to combine many techniques together, as we've seen with malware. I recall a single piece of malware that did 26 different checks to try and avoid detection—we expect phishing to continue to evolve in this direction, with layers of detection-evasion techniques being used.

Fig. 2- Fake Microsoft log-in page fools even discerning users with legitimate windows.net domain and legitimate SSL certificate

Methods for the madness

Much like the evolution of evasive malware tactics over the past 30 years, professional phishing developers are utilizing more methods to fool automated defenses, and are including those methods in pre-packaged campaigns and phishing services made widely available on the dark web. 

 

Most Common Evasive Phishing Techniques

1. HTML character encoding
2. Content encryption
3. Inspection blocking
4. URLs in attachments
5. Content injection
6. Legitimate cloud hosting

Among the growing number of techniques being used today to fool automated email security systems, most common are:

HTML character encoding—in this ruse, some or all of a phishing page's HTML is written as character entities. Browsers render it normally, but a security crawler that reads the raw source will not find phishing keywords such as "password" or "credit card" (the example Cyren found came from a spoofed PayPal page). A scanner that decodes entities before matching is not fooled, which is one reason kits stack further tricks on top.

Content encryption—a tactic similar to encoding, in that the content in the page source does not appear as readable text. But rather than changing the representation of each character, the entire page content is encrypted and a key is needed to decrypt it. The delivered file is usually very small: a blob of ciphertext plus a JavaScript routine that decrypts it in the browser and writes the real content into the page. Because the victim's browser has to decrypt it, the key (or the code that fetches it) is in that JavaScript, so an analyst who has the file can decrypt it as well; the technique only defeats scanners that never run or emulate the script.
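As an added illustration of the two techniques above (example code written for this article, not taken from any phishing kit or from Cyren's research), the following Python emulates both the kit side and the analyst side. The login form, the entity encoder, the XOR-plus-Base64 scheme and the regular expression that locates the key are all constructed assumptions; real kits differ in detail, but the pattern, and the fix of decoding every layer before matching keywords, are the same.

```python
"""Decode before you scan: HTML entity encoding and 'encrypted' page content.

Added example; not code from the article or from any real phishing kit.
The login form, the entity encoder and the XOR+Base64 scheme are
constructed here to stand in for the two techniques described above.
"""
import base64
import html
import re

# Keywords a simple phishing crawler might grep for in page source.
KEYWORDS = ("password", "credit card", "verify your account")

# Constructed stand-in for a spoofed login form (the content the kit hides).
REAL_PAGE = (
    "<form method=post action=login.php>"
    "<input name=u placeholder=Email>"
    "<input name=p type=password placeholder=Password>"
    "<button>Verify your account</button></form>"
)


def find_keywords(text: str) -> list:
    """Naive scan: case-insensitive substring match on whatever it is given."""
    low = text.lower()
    return [k for k in KEYWORDS if k in low]


def entity_encode(s: str) -> str:
    """Kit side, technique 1: write every character as a decimal or hex
    HTML entity. Browsers render it as before; a raw-source grep sees only
    '&#112;&#x61;...' and never the word 'password'."""
    return "".join(
        f"&#{ord(c)};" if i % 2 == 0 else f"&#x{ord(c):x};"
        for i, c in enumerate(s)
    )


def xor_encrypt(plaintext: str, key: str) -> str:
    """Kit side, technique 2: repeating-key XOR, then Base64. Constructed
    scheme; real kits vary, but the shape (small blob + in-browser
    decryptor) is what the article describes."""
    kb = key.encode()
    raw = bytes(b ^ kb[i % len(kb)] for i, b in enumerate(plaintext.encode()))
    return base64.b64encode(raw).decode()


def xor_decrypt(blob: str, key: str) -> str:
    kb = key.encode()
    raw = base64.b64decode(blob)
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(raw)).decode()


def build_encrypted_page(real_html: str, key: str) -> str:
    """What the kit actually serves: a tiny file holding the blob and a
    JavaScript routine that rebuilds the form in the victim's browser."""
    blob = xor_encrypt(real_html, key)
    return (
        "<html><body><script>\n"
        f'var k="{key}";var d="{blob}";\n'
        "var s=atob(d),o='';for(var i=0;i<s.length;i++)"
        "o+=String.fromCharCode(s.charCodeAt(i)^k.charCodeAt(i%k.length));"
        "document.write(o);\n"
        "</script></body></html>"
    )


# Matches the key/blob pair in the constructed decryptor above.
BLOB_RE = re.compile(r'var\s+k="([^"]+)";\s*var\s+d="([A-Za-z0-9+/=]+)"')


def normalize(source: str) -> str:
    """Analyst side: peel the layers back before keyword matching.
    Entities are decoded first; if the page carries the blob/decryptor
    pair, the blob is decrypted with the key that ships next to it and
    the result is decoded again in case the kit stacked both tricks."""
    text = html.unescape(source)
    m = BLOB_RE.search(text)
    if m:
        key, blob = m.group(1), m.group(2)
        text = html.unescape(xor_decrypt(blob, key))
    return text


def demo() -> dict:
    """Naive scan versus normalize-then-scan for both techniques."""
    encoded = entity_encode(REAL_PAGE)
    encrypted = build_encrypted_page(REAL_PAGE, key="s3cr3t")
    return {
        "encoded_naive": find_keywords(encoded),
        "encoded_normalized": find_keywords(normalize(encoded)),
        "encrypted_naive": find_keywords(encrypted),
        "encrypted_normalized": find_keywords(normalize(encrypted)),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:22s} {hits}")
```

Running it shows the naive scan finding nothing in either the entity-encoded or the encrypted page, while the normalized text yields "password" and "verify your account" both times. The practical lesson is in `normalize`: a detector has to apply every decoder it knows, in sequence, and re-scan after each, because the kits are free to nest them.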

Inspection blocking—the technique most regularly incorporated into phishing kits. Phishers employ block lists of IP addresses and hosts, and of user-agent strings, to keep security systems and security analysts from seeing the true nature of a phishing site, and to refuse security bots, crawlers and other user agents that hunt for phishing pages, such as Googlebot, Bingbot or Yahoo! Slurp. A visitor on the block list is usually shown a "404 page not found" message. The consequence for a defender is that the same URL can return a harmless 404 to a scanner and the phishing page to the victim, so a single automated fetch from a known security address proves very little.
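The gate itself is trivial, which is why it ships in so many kits. The Python below is added here as a constructed example, not code recovered from any kit: it parses the "deny from" lines of an .htaccess file, reproduces the kit's decision for a given client address and user agent, and runs the differential check an analyst can apply from outside. The .htaccess contents, the user-agent markers and the addresses (RFC 5737 documentation ranges) are all assumptions.

```python
"""Inspection blocking as kits ship it, and a differential check against it.

Added example; not from the article or any real kit. The .htaccess text,
the IP ranges (RFC 5737 documentation blocks) and the user-agent markers
are constructed stand-ins for the block lists found in kits.
"""
import ipaddress
import re

# Constructed sample of the .htaccess a kit drops next to its PHP files.
KIT_HTACCESS = """\
order allow,deny
deny from 203.0.113.0/24
deny from 198.51.100.5
deny from 192.0.2.
allow from all
ErrorDocument 403 /404.html
"""

# Constructed user-agent fragments a kit's PHP gate might refuse.
UA_MARKERS = ("googlebot", "bingbot", "slurp", "curl", "python-requests")

DENY_RE = re.compile(r"^\s*deny\s+from\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_deny_list(htaccess: str) -> list:
    """Turn 'deny from' entries from a recovered .htaccess into networks.
    Apache accepts CIDR, single hosts and trailing-dot prefixes such as
    '192.0.2.' (meaning 192.0.2.0/24); all three are normalised here."""
    nets = []
    for entry in DENY_RE.findall(htaccess):
        if entry.lower() == "all":
            continue
        if entry.endswith("."):
            octets = entry.rstrip(".").split(".")
            entry = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def kit_decision(client_ip: str, user_agent: str, nets, ua_markers=UA_MARKERS) -> int:
    """Kit-side gate: listed addresses and scanner-like user agents get a
    404 page; everyone else gets the real phishing page (200)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in nets):
        return 404
    ua = user_agent.lower()
    if any(marker in ua for marker in ua_markers):
        return 404
    return 200


def looks_cloaked(status_by_probe: dict) -> bool:
    """Analyst-side signal: one URL answering 200 to a browser-like probe
    and 404 to a bot-like or known-scanner-sourced probe is being gated."""
    codes = set(status_by_probe.values())
    return 200 in codes and 404 in codes


def demo() -> dict:
    """Probe the constructed gate from several vantage points."""
    nets = parse_deny_list(KIT_HTACCESS)
    browser = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
    probes = {
        "browser from 10.0.0.8": ("10.0.0.8", browser),
        "googlebot from 10.0.0.8": ("10.0.0.8", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
        "browser from 203.0.113.77": ("203.0.113.77", browser),
        "browser from 192.0.2.9": ("192.0.2.9", browser),
    }
    return {name: kit_decision(ip, ua, nets) for name, (ip, ua) in probes.items()}


if __name__ == "__main__":
    results = demo()
    for name, code in results.items():
        print(f"{code}  {name}")
    print("cloaking suspected:", looks_cloaked(results))
```

Two operational habits follow from this. First, a 404 from a sandbox or scanner egress is not a clean verdict; fetch again from an address and user agent the kit has no reason to list before closing the case. Second, when a kit is recovered, its .htaccess and PHP gate are worth parsing: the block list tells you exactly which vendors and ranges the author expects to be inspected by.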

URLs in attachments—a growing trend over the past year has been to place no links in the body of the email and instead hide them in an attachment, where body-only link analysis never looks. A typical example is a simple PDF built from images and made to look like a OneDrive document, with a single button that links to the phishing site.
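The defensive counterpart is to extract link targets from the attachment itself. The Python below is an added example, not from the article or any product: it builds a constructed one-page PDF of the kind described, with one link written as a PDF hex string and one tucked inside a FlateDecode stream so that no "http" appears in the raw bytes, and then pulls both out with the standard library. The stream layout is simplified and the regular expressions are assumptions; a production scanner would use a real PDF parser, but the point carries: URLs in attachments are only hidden from tools that stop at the email body.

```python
"""Extract link targets from a PDF attachment, compressed streams included.

Added example; not from the article. The PDF bytes are constructed
below: a one-page file in the 'OneDrive document with a single button'
shape the article describes, with one link hidden in a FlateDecode
stream and one written as a PDF hex string. Only the standard library
is used; the stream layout is simplified, not a spec-exact object stream.
"""
import re
import zlib

# A /URI value is either a literal string (...) or a hex string <...>.
URI_RE = re.compile(rb"/URI\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)")


def _pdf_string(tok: bytes) -> str:
    """Decode a PDF string token into text."""
    if tok.startswith(b"<"):
        return bytes.fromhex(tok[1:-1].decode().replace(" ", "")).decode(errors="replace")
    body = re.sub(rb"\\([()\\])", rb"\1", tok[1:-1])   # unescape \( \) \\
    return body.decode(errors="replace")


def iter_streams(data: bytes):
    """Yield (object dictionary bytes, raw stream body) for every stream.
    The body length comes from a direct-integer /Length when present,
    because compressed data may legitimately end in CR/LF bytes."""
    for m in re.finditer(rb"(?<!end)stream\r?\n", data):
        obj_start = data.rfind(b" obj", 0, m.start())
        dict_part = data[obj_start:m.start()]
        length = re.search(rb"/Length\s+(\d+)", dict_part)
        if length:
            body = data[m.end(): m.end() + int(length.group(1))]
        else:
            end = data.find(b"endstream", m.end())
            body = data[m.end():end].rstrip(b"\r\n")
        yield dict_part, body


def extract_pdf_urls(data: bytes) -> list:
    """Collect /URI targets from the raw file and from FlateDecode streams."""
    found = []

    def scan(buf: bytes) -> None:
        for tok in URI_RE.findall(buf):
            url = _pdf_string(tok)
            if url not in found:
                found.append(url)

    scan(data)
    for dict_part, body in iter_streams(data):
        if b"/FlateDecode" in dict_part:
            try:
                scan(zlib.decompress(body))
            except zlib.error:
                pass        # not zlib, or corrupt: leave to a full parser
    return found


def naive_url_grep(data: bytes) -> bool:
    """What a body-only or plain-text scanner effectively does."""
    return b"http" in data.lower()


def build_sample_pdf() -> bytes:
    """Constructed attachment. Object 4 (the button's link) is packed into
    a FlateDecode stream; object 6 carries its URI as a hex string. Neither
    leaves the bytes 'http' visible anywhere in the file."""
    hidden = (b"4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 650] "
              b"/A << /S /URI /URI (https://example.net/onedrive/open?doc=1) >> >> endobj")
    packed = zlib.compress(hidden)
    hex_uri = "https://example.org/login".encode().hex().encode()
    return b"".join([
        b"%PDF-1.5\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Annots [4 0 R 6 0 R] >> endobj\n",
        b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
        + str(len(packed)).encode() + b" >>\nstream\n", packed, b"\nendstream endobj\n",
        b"6 0 obj << /Type /Annot /Subtype /Link /Rect [100 500 300 550] "
        b"/A << /S /URI /URI <" + hex_uri + b"> >> >> endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print("plain grep finds a URL:", naive_url_grep(pdf))
    print("extracted:", extract_pdf_urls(pdf))
```

The extracted URLs can then be fed to the same reputation and crawl pipeline as links from the mail body. Note the two places a body-only check fails: the hex-string form never contains the ASCII letters of the URL, and the compressed form contains nothing recognisable until the stream is inflated.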

Content injection—not a new technique but a tried-and-true one, used to lull the user and complicate detection by changing part of the content on a page of a legitimate website. The unsuspecting user is then taken from that page to the phishing page, outside the legitimate website.

Legitimate cloud hosting—a tactic that has grown significantly of late. By hosting phishing pages on legitimate cloud services such as Microsoft Azure, phishers get to present a legitimate domain and a valid SSL certificate, lulling even the most attentive user into thinking a given phishing page is trustworthy. Worse, many security vendors whitelist such domains, so a page on one of them may never be inspected at all.
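The whitelisting point deserves a concrete form. The Python below is an added example, not from the article or any vendor's product, and places the weak setting (trust a provider apex by suffix, or worse, by substring anywhere in the URL) beside the corrected one (exact first-party hostnames, with multi-tenant hosts excluded). The allowlists are assumptions; the one fact relied on is that Azure Blob Storage and Azure App Service serve customer-controlled content from <account>.blob.core.windows.net and <app>.azurewebsites.net respectively.

```python
"""A provider-wide allowlist beside the corrected, host-specific one.

Added example; not from the article or any vendor's product. Hostnames
are constructed except for the real fact that Azure Blob Storage serves
tenant-controlled content from <account>.blob.core.windows.net and Azure
App Service from <app>.azurewebsites.net. Any rule that trusts the
provider's apex therefore trusts every tenant, an attacker's included.
"""
from urllib.parse import urlsplit

# Weak setting: trust the provider apex and everything beneath it.
WEAK_ALLOWLIST = ("windows.net", "microsoft.com")

# Corrected setting: exact, first-party hostnames only.
STRICT_ALLOWLIST = frozenset({"login.microsoftonline.com", "www.microsoft.com"})

# Hosts whose subdomains are handed out to arbitrary customers: never
# allowlist these by suffix, whatever certificate they present.
MULTI_TENANT_SUFFIXES = ("blob.core.windows.net", "azurewebsites.net")


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def sloppier_is_trusted(url: str) -> bool:
    """Worse still: substring match on the whole URL, which also trusts
    'https://evil.example/?next=windows.net'."""
    return any(d in url.lower() for d in WEAK_ALLOWLIST)


def weak_is_trusted(url: str) -> bool:
    """Suffix match on the host: correct parsing, wrong policy."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in WEAK_ALLOWLIST)


def strict_is_trusted(url: str) -> bool:
    """Exact-host allowlist with multi-tenant hosts explicitly excluded,
    so a storage-account or app-service URL always goes to inspection."""
    host = host_of(url)
    if any(host == s or host.endswith("." + s) for s in MULTI_TENANT_SUFFIXES):
        return False
    return host in STRICT_ALLOWLIST


def triage(urls) -> dict:
    """Compare the three policies over a set of URLs (sloppy, weak, strict)."""
    return {u: (sloppier_is_trusted(u), weak_is_trusted(u), strict_is_trusted(u)) for u in urls}


if __name__ == "__main__":
    samples = [
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://attacker-acct.blob.core.windows.net/$web/office365.html",  # constructed
        "https://evil.example/?next=windows.net",                            # constructed
    ]
    for url, verdict in triage(samples).items():
        print(verdict, url)
```

The certificate check changes nothing here: the storage-account URL is served over valid TLS by Microsoft's infrastructure, exactly as Fig. 2 shows, so "valid certificate on a known provider domain" cannot be the reason to skip inspection. The only safe allowlist entries are hostnames the provider itself controls end to end.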


Phishing is getting through

The impact on organizations everywhere is clear. According to survey data from Osterman Research, in 2018 44% of organizations reported they suffered at least one successful phishing attack, up from 30% in 2017, a figure that rises to 54% for organizations using Office 365. In the same survey, respondents estimated that phishing emails reaching their users were up 25% in volume last year, and that targeted spear-phishing emails were up 23%.

