Phishing remains one of the most significant security threats on the internet. In fact, over 90% of cyber attacks begin with a phishing attack. But the methods used to facilitate attacks and deliver malicious URLs are changing. Bad actors continue to adjust tactics and social engineering efforts to use the latest trends including popular apps and virtual gathering places in order to attack the weakest link in the cybersecurity chain, the human element.
Though a significant amount of effort has been put into phishing awareness in recent years, phishing is still seen as primarily an email security risk. That can be a dangerous misconception. Phishing, by definition, is a “scam” or form of internet fraud in which a bad actor attempts to deceive a user into revealing or compromising sensitive information (regardless of delivery method), and those attacks are carried out using a growing number of threat vectors, electronic mail being just one of them.
In this blog, we take a closer look at some of the most popular new threat vectors, tactics, and apps/platforms used for phishing attacks. We’ll also look at how companies can protect their brand, app/platform, and users from the dangers of phishing.
Phishing isn’t an email only security problem.
Phishing sites, webpages, and login forms sprout up all over the internet—creating a continuous game of “whack-a-mole” for the security world. We at zvelo know this, because we continuously monitor the ActiveWeb for malicious content and traffic, including phishing detections. We identify and track millions of new and dangerous URLs every day, with those detections and categorizations used to keep over half a billion end users safe from potential threats.
Though email continues to lead the pack in terms of most common delivery method for phishing attacks, bad actors are increasingly using SMS/chat and other apps with messaging features—especially on major social media platforms. Though the delivery methods are different, the basics of the scam have not changed.
Scammers exploit SMS, chat, and social media for social engineering and phishing attacks.
Relying on many of the same tactics as more traditional phishing attacks, scammers are focusing their efforts on popular messaging apps/services like Facebook Messenger, WhatsApp, Line, Skype, and even standard SMS messaging to share links. The messaging and chat features in social media platforms aren’t safe either. Scammers use these as back channels on platforms like Facebook, Instagram, Twitter, LinkedIn, and more to execute their phishing attacks.
Because scammers connect with users in “real-time” via social media and chat apps, on the platform of the user’s choice (where they go to connect with people), many users let their guard down and are more inclined to communicate with a stranger who demonstrates interest in them or a potential connection. Link sharing within these messaging tools is ideally suited to helping scammers perform attacks, much as they would in a traditional email attack.
Though the delivery format has changed, many of the key characteristics that make phishing attacks effective remain the same. For example, phishing attacks often have the following in common:
- Use redirects and URL shorteners
- Fabricate a limited time offer, expiration of service, or fee/charge to create a sense of urgency within their target
- Lead to login pages that are optimized for mobile traffic (often fail to load or redirect on desktops/laptops)
- Use “legitimate” free SSL certificates (depicted by a green lock/shield in the URL bar) to give a false sense of security
- Use an unofficial top-level domain with a highly reputable brand (URL is often hyphenated, misspelled, etc.)
- Incorporate likes, mentions, social posts, or other elements on the page as “social proof”
- Include sharing elements with a “chance to win” to further distribute the phishing attack
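As an added example (not part of the original post), here is a small Python triage routine that flags the URL-level traits from the list above: shortener domains, a protected brand name appearing in a hostname whose registrable domain is not the brand’s official one (hyphenated or as a subdomain), and one-character misspellings of the brand. The brand list, shortener list and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed for illustration: a real deployment would load these from a maintained feed.
PROTECTED_BRANDS = {"examplebank": "examplebank.com"}  # brand -> official registrable domain
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def registrable_domain(host):
    """Naive eTLD+1 (last two labels); ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # Skip one char from the longer string (insert/delete) or from both (substitution).
        i += len(a) >= len(b)
        j += len(b) >= len(a)
    return edits + (len(a) - i) + (len(b) - j) <= 1

def link_indicators(url):
    """Return the phishing traits a shared URL exhibits (empty list means none found)."""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    reasons = []
    if domain in URL_SHORTENERS:
        reasons.append("url-shortener")
    # Split the host into brand-sized pieces: labels first, then hyphenated sub-pieces.
    pieces = [p for p in re.split(r"[.-]", host) if p]
    for brand, official in PROTECTED_BRANDS.items():
        if domain == official:
            continue  # the genuine site: nothing to flag
        for piece in pieces:
            if piece == brand:
                reasons.append(f"brand-in-unofficial-domain:{brand}")
                break
            if within_one_edit(piece, brand):
                reasons.append(f"brand-lookalike:{piece}->{brand}")
                break
    return reasons
```

Run `link_indicators("https://examplebank-secure-login.com/verify")` to see the hyphenated-brand case flagged, while the genuine `https://examplebank.com/login` returns an empty list; shortened links are reported even when no brand is involved, since the shortener hides the final destination.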
How can social media platforms, app developers, and other services protect users from phishing?
If scammers are using your app or platform to prey upon your users—you don’t have to sit idly by. There are a number of approaches companies can take to limit phishing threats, as well as address other security and objectionable content concerns for their products or networks. Here are a few:
Manage fake news
This recommendation is for social media platforms and news aggregator sites specifically. Fake news articles are often intended to provoke a visceral response from readers and get them to click through to the story.
Block bots
Bots not only produce high levels of spam and irrelevant content that muddy the community, they are also an ideal way to spread links to malicious and objectionable content, even helping to share phishing lures.
Investigate questionable advertisements and regulate advertising accounts
Social media platforms provide tools that allow advertisers to segment and reach a highly targeted audience, whatever they are promoting. With a small advertising budget, marketers (or scammers) can now engage with an enormous number of people, whether that is to promote an accessory, spread fake news, or disseminate malicious/phishing links.
Implement a high quality web content filtering solution
The best way to understand the content being linked to on your platform or within your app is to have a highly accurate URL database or web content categorization engine capable of covering all of the visited content on the web. Whether you decide to flag the post, block the content, or delete accounts that have violated your End User License Agreement, categorization and identification at scale are critical first steps towards building a safer environment for your users.
Invest in malicious detection and phishing detection
Malicious and phishing sites in particular have “shelf-lives” that can vary tremendously. Every day new sites are launched, others are compromised and begin hosting malicious code, and others are cleaned or taken down for a variety of reasons. Effectively protecting against malicious content and phishing attacks requires the continuous monitoring of the internet, as well as specialization in artificial intelligence and machine learning to handle the challenge at scale. Entering into a partner relationship with a company like zvelo can provide decades’ worth of experience and enormous value in the fight against objectionable and malicious content, or phishing attacks plaguing your app/platform.
Final Thoughts
We know that social engineering attacks, phishing in particular, are not likely to go away any time soon. That’s why it’s imperative that we build and implement scalable and highly accurate tools to protect the messaging services, social media platforms, and many other digital tools that have become integral to our daily lives.
zvelo provides the industry’s leading web content categorization, as well as malicious and phishing detection services to some of the market’s most successful web filtering and security vendors. Contact us to learn more about how our URL database and phishing detection services can improve security on your product.