Monstrous fox and the phish that get away

Every year, a growing number of phishing attacks target individuals. Google detect between 16,000 and 25,000 phishing pages every week. For organisations, phishing is a key component in most sophisticated attacks – Advanced Persistent Threats (APTs), espionage and state sponsored cyber attacks. Phishing is also a component in many of the high-profile Point of Sale attacks on retail organisations. Spear phishing (specifically tailored) is most often the start point for these attacks, to gain initial access to a system from which an attacker can navigate horizontally and vertically.

A recent Google study found evidence that the average phishing webpage used in manual attacks successfully steals information from 14% of visitors. The best crafted phishing pages are apparently successful against 45% of site visitors. Even though manual attacks are less common than automated attacks, this is an astoundingly high success rate, and points to the reason why phishing is so prevalent. In effect, phishing is the easiest, cheapest, most effective method for an attacker to obtain access to a system.

Most phishing attacks against individuals attempt to gain user’s email or bank account credentials. Google found that 20% of email accounts are accessed by attackers within 30 minutes of being compromised through manual phishing attacks. The phisher will sift through the compromised email account looking for ways to monetise the attack, by gaining information about other online accounts (such as ecommerce or gaming sites) which can then be compromised through account reset requests, or through scamming the account holder’s contact list by sending them fake requests for urgent money.

Monstrous fox (Operation Huyao) is a method of phishing recently described by Trend Micro. Using this technique, the phisher does not need to replicate the entire bank site. The phishing page acts as a proxy through which the user accesses the real bank site. However, when the user navigates to the logon page, the phisher presents the fake page he created rather than the real bank login. It is like a phishing/man-in-the-middle attack combo. Google data shows that more than 99% of visitors to phishing pages originate from email links, which indicates that this proxy method of Monstrous fox does not yet account for a significant portion of phishing attacks.

Conventional protection against phishing – user awareness sessions – are of limited effectiveness. Although making users aware of phishing and how to spot a phishing attack will help, it falls far short of effective protection, particularly in the case of clever spear phishing attacks.

Similarly, blacklisting is also ineffective due to the time delays involved in getting a site blacklisted through the manual checking by organisations such as Phishtank. Google have improved on the speed of blacklisting through their automated heutistic method, however it is still not quick enough to provide sufficient protection. Specifically-tailored spear phishing attacks are not protected from blacklisting or heuristics.

Two methods are successful against phishing and spear phishing attacks and require no time delay before providing protection. They are fingerprinting and dedicated applications which are destination-restricted.

Fingerprinting involves training aimed at recognising pages emulating a protected site such as a bank login page. In order to trick a user into believing that the phishing site is the real bank login page, it is designed to look as much like the real page as possible. Fingerprinting anti-phishing technology is extremely effective in identifying and blocking these sites without any time delays.

Dedicated applications (such as this one) designed to only navigate to a particular website, such as the bank or corporate site, are also completely effective against phishing attacks without any time delays. As fingerprinting and dedicated applications become more widely used, the success of phishing attacks will diminish.

Leave a Reply

%d bloggers like this: