Modern Challenges and Solutions

Part 1: Defenses Against Phishing Attacks

Phishing attacks, one of the oldest types of cyber threats, have become more sophisticated and diverse. This evolution is due, in part, to advancements in cyber-defense technologies and policies. Here, we dive into the challenges that modern-day phishers face, as well as how to circumvent them using new approaches and methodologies.

SMTP Relay Limitations

Cloud providers have increasingly clamped down on phishing by blocking the creation of Simple Mail Transfer Protocol (SMTP) relays that once allowed attackers to use Virtual Private Servers (VPS) and their domain to operate an SMTP server. The SMTP server, which is a crucial part of the email infrastructure, is now more challenging to misuse.

This change compels attackers to use more mainstream providers like Gmail, Office365, or SendGrid. These providers enforce stricter security protocols and employ advanced monitoring systems. They scrutinize not just the emails themselves, but also the context of their dispatch – the frequency, the recipient list size, and other aspects. This extra layer of inspection makes it harder for attackers to successfully launch phishing attacks via email, consequently safeguarding unsuspecting users.

Spam Filters and Email Content

Modern email clients have become highly sophisticated in their ability to filter spam and detect malicious content. These systems scrutinize not only the sender’s details but also the content of the email itself. Using words or phrases that are commonly associated with phishing, such as “urgent action required” or “you need to download,” is likely to raise red flags. The presence of such indicators could result in emails being classified as spam or even blocked entirely, making it harder for phishing emails to reach their intended recipients.

Moreover, artificial intelligence (AI) plays an increasingly crucial role in email security. AI-powered tools are used to scan and rate the content of emails, helping to determine if they represent phishing attempts or other forms of cyber threat. These AI models are trained on vast datasets of both legitimate and phishing emails, learning to distinguish between the two, based on various features such as the email’s structure, language and included links or attachments.

However, technology alone cannot provide a foolproof defense against phishing. User education is equally, if not more, important in the fight against these cyber threats. As users become more aware of phishing tactics and the signs of a phishing email, successful attacks become much less likely. Regular security awareness training and simulated phishing tests are vital tools for fostering this awareness. They equip users with the knowledge to identify and report suspicious emails, creating a human firewall that complements the technical defenses.

Automated Link & File Scanners

In our modern digital age, email security has been significantly fortified by the advent of automated services or software that visit embedded links within emails before they reach the user. These services diligently scan for any signs of suspicious activity, and if detected, they prevent the malicious links from reaching their intended target.

In addition to link scanning, there’s also the matter of attachments. Any file attached to an email is immediately scanned by most mail providers, making it increasingly difficult for attackers to deliver malware via attachments. The files are scrutinized using sophisticated antivirus and antimalware technologies, hunting for known signatures of malicious software.

Furthermore, files downloaded from the internet usually carry a ‘Mark of The Web’ (MOTW). This is metadata attached to the file by the browser during the download, marking it as originating from the Internet Zone. The existence of the MOTW triggers additional security checks by the operating system. If the file attempts to perform certain high-risk actions or operations, the user is prompted with a warning, and in some cases, the action is blocked outright.
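On Windows, the MOTW is stored in an NTFS alternate data stream named Zone.Identifier. The Python code below is an added example, not part of the original article: it parses that stream and reports whether a file is marked as coming from the Internet zone. The sample stream content and its URLs are constructed.

```python
# Zone numbers Windows uses for URL security zones.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

def parse_zone_identifier(text):
    """Return the key/value fields of the [ZoneTransfer] section."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")   # tolerate a leading BOM
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)   # URLs may contain '=' themselves
            fields[key.strip()] = value.strip()
    return fields

def classify(text):
    """Summarise a Zone.Identifier stream; text=None means no MOTW present."""
    fields = parse_zone_identifier(text) if text else {}
    try:
        zone = int(fields.get("ZoneId", ""))
    except ValueError:
        zone = None                           # missing or malformed ZoneId
    return {"zone": ZONES.get(zone, "none/unknown"),
            "from_internet": zone is not None and zone >= 3,
            "host_url": fields.get("HostUrl")}

def read_motw(path):
    """Windows/NTFS only: read the stream, or return None if it is absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8",
                  errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

# Constructed sample of what a browser writes next to a downloaded file.
SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
          "ReferrerUrl=https://files.example/share\r\n"
          "HostUrl=https://files.example/dl/invoice.zip\r\n")

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(classify(read_motw("report.docx")))  # hypothetical local file name
```

A file with no stream at all classifies as "none/unknown", so the absence of a MOTW says nothing about where the file came from and should not be read as "safe".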

All these protective measures contribute to a layered defense, dramatically reducing the effectiveness of straightforward phishing attacks and pushing would-be attackers to devise ever more sophisticated methods to deliver their payloads.

Common Tools’ Indicators of Compromise (IOCs)

The fight against phishing doesn’t end with well-informed users and sophisticated spam filters. Our defenses have also evolved to recognize and neutralize threats based on Indicators of Compromise (IOCs) tied to commonly used open-source phishing tools.

IOCs serve as tell-tale signs of a potential breach or intrusion. In the context of phishing, these could include specific patterns in the phishing emails, unique metadata, distinctive server-side characteristics, or even the use of particular phishing tools. Once identified, these IOCs enable swift action to either block or mitigate the potential threat.

Take, for instance, popular open-source tools like Gophish or Evilginx2. They have been used widely for phishing attacks and simulations. However, they also contain specific IOCs that are now known publicly, allowing for these tools to be recognized and their use effectively countered. As these tools are open-source and designed for educational or simulation purposes rather than malicious intent, their IOCs have been intentionally made identifiable. This openness helps cybersecurity professionals better understand these tools, while at the same time making it more challenging for cybercriminals to misuse them.

User Education

While evolving phishing techniques certainly pose a significant threat, the growing level of user education and awareness in digital security serves as a formidable barrier for cyber attackers. Users today are becoming increasingly familiar with the tell-tale signs of phishing attempts and are more equipped to discern potential threats.

The modern digital landscape isn’t merely about using sophisticated software or tools to fend off cyber threats; it’s equally about fostering an educated user base. Regular security awareness training and simulated phishing tests have instilled a sense of skepticism in users, arming them with the ability to identify suspicious elements in emails and web pages.

For example, modern spam filters incorporate AI-powered tools to scrutinize not just the sender’s details but also the content of the email. As users become savvier, phishing attempts using certain trigger words or phrases, such as “urgent action required” or “you need to download,” are becoming less effective.

Moreover, users are now increasingly aware of the significance of URLs, and how they can be used to ascertain a website’s legitimacy. Even sophisticated phishing attempts that simulate a browser window within a browser to spoof a legitimate domain can be thwarted if users are vigilant about the URL they interact with.

Part 2: Circumventing the Defenses

Despite these defenses, would-be phishers still find ways to circumvent these obstacles. Here, we explore some of these methods.

Circumventing SMTP Relay Limitations

Interestingly, if attackers manage to leverage providers like Gmail, Office365, or SendGrid for their phishing attempts, they could actually benefit from a better sender reputation. Emails coming from these well-known providers are more likely to land in the user’s inbox rather than the spam folder.

This is because these established providers typically have a good email sender reputation and have established trust with major email clients. Therefore, even though it’s more challenging to use these services for malicious purposes due to their heightened security measures, succeeding in doing so could ironically increase the effectiveness of phishing attacks. However, such attempts often lead to quick account suspension as these providers continuously monitor for suspicious activities.

However, another potential way around this obstacle is for attackers to stop using cloud-based VPS altogether. They could instead transform one of their physical devices into a server or even purchase a physical VPS. By doing this, attackers can regain control over the creation and management of SMTP relays.

Navigating Spam Filters and Email Content

Navigating spam filters and crafting non-suspicious emails has become an art in itself. Here are a few strategies attackers should employ to get around these obstacles:

AI Software: Leveraging AI tools like ChatGPT can be a smart move. These tools can evaluate the written content and predict if it appears to be phishing or spam. By doing this, attackers can make adjustments as necessary to avoid being flagged.

Email Testing Services: Services like Mailtrap or Mail-Tester can classify and score your email based on its likelihood of being considered spam. Using such services, attackers can fine-tune their emails to bypass spam filters effectively.

Human-like Emails: Crafting emails that appear human-written rather than looking like a service provider message can help evade spam filters. Often, legitimate service provider messages contain specific keywords that spam filters are trained to flag. By making the email seem like a personal, human-written message, it becomes less likely to be flagged as suspicious.

Building Conversations: Instead of delivering the luring message directly, starting a conversation can build trust and lower defenses. If a user replies to the phishing email, it significantly increases the trust and reputation for the sender and makes it harder for future emails to be flagged as spam. This approach requires patience and careful planning but can be very effective.

Overcoming Automated Link & File Scanners

Automated link scanners can be tricky to bypass, but there are several strategies that cyber attackers can use:

Hosting Malicious Content on Reputable Sites: A clever way attackers sidestep link scanners is by hosting their malicious content on reputable sites that are generally considered safe. Utilizing popular cloud storage providers or file-sharing sites, such as SharePoint, Google Drive, and OneDrive, attackers can camouflage their malicious intentions under the guise of trusted services. For instance, they might upload a seemingly innocuous file or document to one of these platforms. These files, often stored in an encrypted zip format, may contain the harmful payload. Encrypting the files serves a dual purpose. Firstly, it allows the content to bypass the rigorous security checks of the hosting platform, which might otherwise detect and block the malicious content. Secondly, it helps the attacker evade the ‘Mark of the Web’ that is typically attached to downloaded files and can trigger additional security checks by the user’s operating system. When the unsuspecting user clicks on the link, they are led to a trusted site and are prompted to download a file. Believing they’re interacting with a legitimate document on a reputable site, they may be less likely to suspect foul play.

Employing Redirects: A highly effective technique within this strategy leverages known ‘Open Redirect’ vulnerabilities in large, reputable services like Google or Microsoft. An ‘Open Redirect’ is a security flaw in an application that allows an attacker to redirect a user to a URL of their choice. Exploiting such a vulnerability can provide a means for an attacker to disguise a malicious link as a legitimate, trusted URL. For instance, Google, despite its rigorous security protocols, has been known to have several active Open Redirect vulnerabilities (it’s a feature not a bug). A good list can be found here. To the unsuspecting user, the initial link appears to be a legitimate Google or Microsoft URL. However, once clicked, it initiates a series of redirects, eventually leading the user to the attacker’s phishing page.

Link Cloaking: Link cloaking involves serving different content based on the visitor’s IP address, User Agent, or Referrer. In this way, benign content is served to link scanners, while malicious content is served to real users. Therefore, we need proper tooling that can provide us granular filtering on known suspicious indicators.

CAPTCHA Implementation: In an attempt to bypass automated link and malware scanners, some attackers have started implementing CAPTCHA tests on their phishing pages. These are the “prove you’re not a robot” tests that require a user to complete a simple task that would be difficult for a machine, such as identifying all the images that contain a specific object or transcribing distorted text. By making a Google CAPTCHA test a prerequisite to viewing the phishing page, attackers can effectively prevent automated scanners from accessing and analyzing the page.

Leveraging Link-Free Emails: At first glance, it might seem counterintuitive, but one innovative approach to bypassing automated scanners involves not using malicious attachments or links at all. Instead, a technique known as Device Code Phishing is employed. This method involves sending the target a persuasive email containing a numerical code, purportedly for use when they authenticate to a specific service provider. The email convinces the victim that they need to authorize a new device for their account – a fictive device created and controlled by the attacker. Upon entering the provided device code during their authentication process, the victim unwittingly grants the attacker access to their session. As a result, the attacker gains the ability to interact with the victim’s services on their behalf, effectively breaching their account without ever having to deal with suspicious links or attachments that could trigger automated security measures.
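From the defender's side, the redirect technique described under "Employing Redirects" leaves a visible trace: the link's own host is trusted, but a query parameter carries a URL on a different site. The Python code below is an added example, not part of the original article, showing a mail-gateway style check for that mismatch, including nested and double-encoded targets. All hostnames are constructed (reserved .example/.test names), and the two-label "same site" comparison is a stated simplification.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

URL_PREFIXES = ("http://", "https://", "//")

def decode_url_value(value, rounds=3):
    """Return value if it is a URL after up to `rounds` extra percent-decodings."""
    for _ in range(rounds + 1):
        if value.lower().startswith(URL_PREFIXES):
            return value
        value = unquote(value)
    return None

def same_site(a, b):
    # Assumption: comparing the last two labels approximates "same site".
    # Production code should use the Public Suffix List instead.
    return a.split(".")[-2:] == b.split(".")[-2:]

def redirect_mismatches(url):
    """List (parameter, host) pairs where a query parameter carries a URL on
    a different site than the link that contains it; follows nested chains."""
    outer = (urlsplit(url).hostname or "").lower()
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        target = decode_url_value(value)
        if target is None:
            continue
        inner = (urlsplit(target).hostname or "").lower()
        if inner and not same_site(outer, inner):
            findings.append((name, inner))
        # The embedded URL may itself carry another redirect target.
        findings.extend(redirect_mismatches(target))
    return findings

# Constructed sample links; none of these are real services.
SAMPLES = [
    "https://accounts.trusted.example/signin?continue=https%3A%2F%2Fmail.trusted.example%2Finbox",
    "https://www.trusted.example/url?q=https%3A%2F%2Flogin.untrusted.test%2Fportal&sa=D",
    "https://www.trusted.example/r?u=https%253A%252F%252Flogin.untrusted.test%252F",
    "https://www.trusted.example/url?q=https%3A%2F%2Fhop.middle.test%2Fgo%3Fnext%3D"
    "https%253A%252F%252Ffinal.untrusted.test%252F",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(redirect_mismatches(link) or "ok", "<-", link)
```

A finding is a reason to rewrite, detonate or hold the link for review rather than proof of malice, since legitimate services also pass cross-site return URLs in parameters.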

Exploiting User Trust in URLs

Phishing techniques are rapidly evolving, challenging traditional defenses and preying on the innate trust users place in certain aspects of their digital interactions. One of these aspects is the URL. In the realm of cybersecurity, URLs have been perceived as a strong indicator of legitimacy, prompting advice such as “check the URL” to be a first line of defense against phishing attacks.

However, a novel phishing technique has emerged that effectively undermines this URL-based trust. It leverages the concept of simulating a browser window within a browser to spoof a legitimate domain. This method is particularly insidious because it capitalizes on the user’s familiarity with pop-up login windows when authenticating a website via platforms like Google, Microsoft, Apple, etc.

To implement this technique, cyber criminals replicate the entire window design using basic HTML/CSS and embed an iframe that points to a malicious server hosting the phishing page. The result is a convincing replica that is almost indistinguishable from the original, thereby making the ‘check the URL’ advice less effective. This strategy exploits the fact that users, while typically aware of how a phishing email or webpage might look, often rely on graphic elements and visual similarities to legitimate sites when determining authenticity.

Dealing with Frameworks’ IOCs

Gophish

Gophish is a well-known open-source phishing simulation tool. For years, it has been instrumental in helping security teams test and improve their organization’s resistance to phishing attacks. While incredibly useful, it’s important to note that Gophish was designed to include several Indicators of Compromise (IOCs). These IOCs are publicly known and can be used to detect and thwart phishing attempts crafted using the tool.

There are numerous resources available that provide instructions for removing these IOCs from Gophish. For example, the sneaky_gophish project on GitHub is one such initiative that aims to enhance Gophish’s stealth capabilities.

For a deeper dive into what these IOCs are and how they can be removed, this blog post offers an excellent resource. It explains in detail the inherent risks of the out-of-the-box version of Gophish and the measures that can be taken to modify it for stealthier operations.

Evilginx2

Evilginx2 is a highly sophisticated phishing tool that is frequently used due to its powerful capabilities. It operates as a man-in-the-middle proxy, allowing it to intercept and replay a user’s actions on a target site (like gmail.com) and relay a legitimate response back to the user through a controlled domain. This not only enables the creation of convincing phishing templates that mimic the target website down to the last detail, but it also facilitates bypassing Multi-Factor Authentication (MFA) protocols.

However, despite its advanced features, Evilginx2 has identifiable Indicators of Compromise (IOCs). Notably, certain security researchers found that the tool uses a specific custom header that can be detected.

Recognizing this potential shortcoming, members of the cybersecurity community have taken steps to remove these indicators, thereby enhancing Evilginx2’s stealthiness. One such effort can be seen in this commit, where a user forked the original project and made modifications to remove the identifiable IOCs.
