Open your preferred email client. Now hit “page down” three times. Chances are one of the messages that just scrolled past you is a phishing email, a message that’s intended to fool you into sending money to a stranger, giving up your login credentials or installing malware on your computer.
Phishing emails have been around nearly as long as email itself: The Nigerian prince scam is one classic. Although spam filters have gotten better at spotting and removing them from inboxes, attackers continue to come up with new ways to fool their victims. A new report from cloud security provider Avanan Inc. dramatizes the extent to which phishing attacks have kept ahead of the technology to prevent them.
Avanan, which provides phishing prevention technology for use with popular cloud applications, analyzed more than 55 million emails and found that one out of every 99 was a phishing attempt. Worse, Avanan claimed, just over 30% of phishing emails sent to organizations using Microsoft Corp.’s Office 365 software evaded filters and made their way to users’ inboxes.
A Microsoft spokesperson disputed the report’s findings, saying in a statement, “Contrary to Avanan’s marketing claims, Office 365 uses a multi-layered filtering solution to detect and combat phishing attacks.” Microsoft posted an extensive description of how it measures the effectiveness of anti-malware and anti-phishing filters last fall in which it claimed it has “the lowest miss rate of phish emails reported among other security vendors for Office 365.”
Direct to victim
Phishing emails are messages that are intended to look legitimate but which have criminal intent. The most common type contains links that install malware when clicked upon. That’s followed closely by credential harvesting attempts, which send recipients to a fake login page in hopes of getting them to type in a username and password.
Much less common are extortion and “spearphishing” emails, the latter of which uses social engineering techniques to customize a message to the recipient. While relatively rare, “they’re deadlier than credential harvesting attacks,” said Yoav Nathaniel, an Avanan security researcher, because they appear to come from a trusted colleague and are often targeted at top executives.
Phishing attacks are on the rise. AO Kaspersky Lab reported that its filters netted more than 137 million phishing emails in the third quarter of 2018, up 132% from a year earlier. The reason is that phishing is startlingly effective. F5 Networks found phishing to be the root cause of 48% of the breach cases the company investigated.
Proofpoint Inc. reported that email is the culprit in more than 92% of malware infections, and nearly all ransomware attacks begin with phishing emails. Verizon Corp. estimates that 4% of people will click a link in any given phishing campaign, making phishing far more lucrative for attackers than spam. That rate can soar to 30% at organizations that haven’t trained their people what to look for.
The Avanan study documents a technique called URL obfuscation that has proven effective at evading even the best spam filters. The tactic takes advantage of the fact that nearly all email is now in HTML format, even simple text messages. This enables attackers to embed invisible characters that human readers can’t see but computers can.
Obfuscation uses the font and style attributes of HTML to conceal text. By defining a size of zero, the assailant can effectively render a character or space invisible to the human eye. For example, the hyperlink <a href="http://www.siliconangle&zwnj;fake&zwnj;.com">SiliconANGLE</a> appears to the viewer to point to www.siliconangle.com but actually links to www.siliconanglefake.com. The HTML tag "&zwnj;" specifies a font size of zero and would be ignored by a browser when launching a hyperlink.
“If you were to make it a practice to take any questionable email and paste it into Windows Notepad, you’d see all those characters,” said Michael Hiskey, Avanan’s chief marketing officer. But no one ever does that.
Obfuscation would seem like an easy problem to solve, but Nathaniel said it’s deceptively complex. “HTML can go to several levels of obfuscation and each obfuscation is different,” he said. For example, another obfuscation tactic modifies the base tag, which specifies the root URL for all relative links in a document, to a rogue destination. Since readers never see the base tag, the tactic is nearly impossible for humans to detect.
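The three tricks described above (invisible characters in a link, zero font size and a rewritten base tag) can be checked for once the HTML body is parsed instead of rendered. The following Python scanner is an added example, not code from Avanan or from this article; the sample body and the rogue.example.test host are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Code points that render with no width: ZWSP, ZWNJ, ZWJ, word joiner, BOM.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")
# Inline style that sets font-size to zero (0, 0px, 0pt, 0em, 0%).
ZERO_FONT = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I)


class ObfuscationScanner(HTMLParser):
    """Collects (kind, detail) findings while the HTML body is parsed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # Assumption: any <base href> in an email body is worth a review flag.
        if tag == "base" and attrs.get("href"):
            self.findings.append(("base-tag", attrs["href"]))
        # The parser decodes entities such as &zwnj; inside attribute values.
        if tag == "a" and ZERO_WIDTH.search(attrs.get("href", "")):
            clean = ZERO_WIDTH.sub("", attrs["href"])
            self.findings.append(("zero-width-in-href", clean))
        if ZERO_FONT.search(attrs.get("style", "")):
            self.findings.append(("zero-font-size", tag))

    def handle_data(self, data):
        if ZERO_WIDTH.search(data):
            visible = ZERO_WIDTH.sub("", data).strip()
            self.findings.append(("zero-width-in-text", visible))


def scan_html(body):
    scanner = ObfuscationScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed sample body, not a real message.
SAMPLE = (
    '<html><head><base href="http://rogue.example.test/"></head><body>'
    '<a href="http://www.siliconangle&zwnj;fake&zwnj;.com">SiliconANGLE</a>'
    '<p>Pass<span style="font-size:0px">xyz</span>word reset</p>'
    '<a href="login.php">Sign in</a></body></html>')

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE):
        print(f"{kind}: {detail}")
```

Each finding carries the URL with the invisible characters removed, so an analyst or a downstream reputation lookup sees the destination the link actually resolves to.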
Watch for WordPress
Avanan researchers identified a few common characteristics of the phishing emails they examined. More than a third contained a link to a site built on WordPress, the popular content management system. The presence of “wp-includes” in URLs or file names ending in .php is a giveaway there.
Messages containing shortened links are somewhat more likely to be phishing emails, and 9% of the emails sent to undisclosed recipients were fake. If you get a message containing a cryptocurrency wallet address, run screaming; 98% were phishing scams.
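The characteristics listed above can serve as triage signals in a mail pipeline, to be weighed together, not treated as verdicts. The following Python function is an added example, not Avanan's detection logic; the shortener host list, the Bitcoin-only wallet pattern and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Assumption: a short sample of well-known shortener hosts, not a full list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assumption: Bitcoin address shapes only (1.../3... and bc1...), no checksum.
WALLET_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")


def indicators(raw_message):
    """Return the sorted names of the report's indicators found in a message."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    hits = set()
    if "undisclosed" in str(msg.get("To", "")).lower():
        hits.add("undisclosed-recipients")
    for url in URL_RE.findall(body):
        try:
            parts = urlsplit(url)
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
        path = parts.path.lower()
        if "wp-includes" in path:
            hits.add("wordpress-path")
        if path.endswith(".php"):
            hits.add("php-file")
        if (parts.hostname or "").lower() in SHORTENERS:
            hits.add("shortened-link")
    if WALLET_RE.search(body):
        hits.add("wallet-address")
    return sorted(hits)


# Constructed sample message; hosts and the wallet-shaped string are placeholders.
SAMPLE = (
    "From: billing@example.test\n"
    "To: undisclosed-recipients:;\n"
    "Subject: Invoice overdue\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Pay at http://shop.example.test/wp-includes/js/login.php"
    " or http://bit.ly/abc123\n"
    "Or send funds to 1ExampLeAddressForTestingXXXXXXXX today.\n")

if __name__ == "__main__":
    print(indicators(SAMPLE))
```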
The report also finds that 4% of branded emails are phishing attempts. Microsoft and Amazon.com Inc. were the two most often spoofed, comprising 81% of malicious branded messages. They were followed by financial institutions and package delivery services. Branded phishing attempts typically impersonate trusted brands in an effort to attract clicks on a rogue link or send visitors to a spoofed landing page in an effort to capture login credentials.
Phishing’s effectiveness, combined with the difficulty of detecting it through automated means, means it will be with us for a long time. “It moves the weakness in your infrastructure from the smart guys in the IT engine room to Flo in accounting,” Hiskey said. “It’s much easier to get Flo to click on a link.”