Estimated Reading Time: 8 minutes
91% of cyber crime starts with an email. Groups behind some of the most notorious ransomware attacks — Ryuk, Gandcrab, WannaCry, and many others — use phishing emails as a way to gain initial access into a network. As phishing attacks are often just the beginning of a more complex attack, it’s crucial for defenders to understand the anatomy of a phishing attack in order to build defense in depth strategies designed to mitigate vulnerabilities and reduce the risk of attack. The faster, and more accurately phishing URLs can be detected and blocked, the less chance an attacker has of gaining initial access to continue the attack. This post will take you through the anatomy of a phishing attack because the better defenders understand the tactics and timelines of attackers, the more effective they can be in thwarting phishing threats before they can execute.
Research & Targeting
Common Targets. According to Kaspersky, the top organizations used by phishers as bait in Q1 of 2021 are online stores (15.77%), followed by global internet portals (15.50%), and banks (10.04%).
Why Those Targets? The most simple answer is because the phishing campaigns targeting these industries are a fruitful endeavor for Malicious Cyber Attackers (MCAs). Phishing, like email marketing, is a numbers game. The odds of success against organizations with massive volumes of users, many of whom are likely to succumb to a lapse in decision-making, are stacked in favor of the MCA.
Timeline — Weeks to Years. While the MCA may have an easy time deciding on which industries to target, they may spend a year or more doing extensive recon on various brands to figure out which ones have vulnerabilities that will be the easiest and most profitable to exploit. If the MCA plans to launch a more comprehensive attack which leverages phishing emails as the initial attack vector, planning can take a long time to maximize their chances of success.
During this next phase of a phishing campaign, the MCA will acquire all the infrastructure needed to carry out the attack. This may include domain names, web hosting, form builders, email services, and so on.
One of the primary goals of a phishing campaign, like any cyber attack, is profit. As such, MCAs avoid spending money on the necessary infrastructure by leveraging Living Off The Land at Scale (LOTLS). You can read about that in greater detail in this blog post. In short, threat actors infiltrate the target environment and discover which tools they can use, and which ones are not well monitored so they can just hang out. LOTLS takes this concept and expands it by using cost effective, if not free, offerings to support their campaigns.
LOTLS takes advantage of the plethora of free form builder product offerings on the market today. This Tactic, Technique, and Procedure (TTP) is quite simple. The MCA registers for multiple forms from their preferred vendor(s). As long as they stay below the established usage/complexity threshold, the out of pocket cost is zero. MCAs then build enticing and potentially realistic looking pages to hook their victim. On the page, the victim clicks on the provided link and is redirected to a site that looks suspiciously like a legitimately branded login page. Due to the free nature of these sites and the limited verification by the providing vendors, threat actors can stand up and tear down LOTLS ‘infrastructure’ at will.
As an alternative to leveraging free tools for LOTLS, the MCAs often co-opt their target’s existing infrastructure (e.g. broken WordPress sites). This enables them to avoid paying to register domains. In addition to cutting out-of-pocket expenses, co-opting a target’s infrastructure gives the MCA an advantage in evading detection since many phishing detection solutions only block at the domain level, rather than the full-path. For example, we’ll use www[.]zvelo[.]com/wp-admin/owa[.]php. To effectively block this URL, a phishing detection solution would have to either block the entire domain — not feasible for most online stores, banks, and other primary targets — or have the capability to block at the full-path level.
During this stage of a phishing attack, the MCA will acquire multiple domains to leverage during the campaign. Phishing URLs can have a very short lifespan, usually about 4-6 hours before the URL gets reported and blacklisted. By loading up the phishing campaign with multiple URLs, the MCA is able to extend the length of their attack cycle by sending out a new round of emails that use a ‘fresh’ URL every few hours — before the previous URL has even been reported and blacklisted. So while an organization leveraging common phishing blacklists may believe they are protected, they are still highly vulnerable and under attack. The more domains and MCA has on hand, the longer they can keep their campaign active.
Timeline — Days to Years. Depending on the level of sophistication of a cyber attack, this phase of a phishing attack may last anywhere from days to years.
Phishing Campaign Cycle
Once the MCA has all of the pieces in place, they launch their campaign. This is the moment the threat becomes active, detectable, and most importantly, stoppable. The speed at which the threat is detected will vary greatly depending on which phishing detection solution, not all solutions are designed to break the kill chain at the same point in the cycle.
Phishing emails are sent out to users en masse and may circulate the ActiveWeb anywhere from several minutes up to an hour before someone engages with their campaign by clicking on the phishing link.
The victims who click the link get directed to a phishing page which is virtually indistinguishable from the legitimate brand to the untrained eye — especially on mobile devices. That landing page will have fields asking users to input account details, username & password, or other sensitive information. If, or when, a victim enters their information, the MCA wins and has what they need to gain initial access to an organization’s network. Not all victims who click will follow through and complete the form, giving up their details. But it’s a numbers game. The bigger the email list, the better the chances the MCA will have to successfully phish numerous victims.
While it’s difficult to know what the average Click Through Rates (CTR) are for actual phishing attacks, the numbers reported from phishing simulations range from 15%-30%. According to a recent study using phishing simulations, 67% of those who clicked actually submitted their credentials. North American users in particular, showed an overall CTR of 25.5% and an 18% submission rate.
About 4 hours or less from the time the threat has become active, the MCA will recycle the phishing email and swap the first URL with a fresh one. The MCA knows the lifespan of any single URL is extremely limited, so they come prepared with multiple URLs to keep the campaign active for as long as possible, before they are shut down. Even though the initial URL may no longer be active, the campaign will continue with a fresh URL.
Eventually, about 4-6 hours after the threat has become active, the initial URL gets reported to one or more phishing threat services like OpenPhish, APWG, PhishTank, etc. When a phishing URL is reported, the URL gets blacklisted which effectively prevents any additional users from becoming victims of that specific URL. A key point here is that by the time most phishing URLs get reported and blacklisted, the MCA has already moved on to using a fresh URL, and continues to claim more victims.
Timeline — Hours. This campaign cycle ends when the MCA has gone through all the URLs they acquired, which depending on the sophistication of the attacker, lasts less than 24 hrs. While this may be the shortest phase of a phishing attack, it is also the most dangerous since this is where the attacker is able to harvest the credentials they need to gain initial access and move on to the next phase of their attack.
Timing is Critical for Phishing Detection and Prevention
Whether a phishing attack is aimed at harvesting credentials, business email compromise (BEC), ransomware, or otherwise, it continues to top the list of attack vectors because it has a high payoff for the MCAs. In order to block phishing attacks and break the kill chain before an attacker is able to gain a foothold in the network, defenders must be able to detect phishing threats as soon as possible from the the point at which the threats become active. Realistically speaking, this is incredibly difficult to achieve as little can be done (effectively at least) until someone clicks on a phishing URL. Once that first click occurs, that link is considered active which means it can be detected and blocked — preventing any further users from becoming victims. Different solutions will detect the phishing threat at various points of the attack. The closer the detection capability is in relation to the first click, the higher your chances will be to avoid an attack.
Consider, again, the average statistics mentioned earlier in this post. If your organization is a target, 25% of your users are likely to click on a phishing email and 18% of all who receive the email — not just 18% of the 25% who click — will follow through and submit their credentials. How many people are part of your organization? What does 18% look like in terms of risk to your organization?
Lower Your Risk of Attack with zvelo Phishing Detection
Unlike other blacklist solutions which may not detect phishing URLs for hours on end, zvelo’s PhishBlockList has the capability to detect phishing URLs from the moment that URL becomes part of the ActiveWeb — the first click. The ability to detect, and then block, a phishing URL at the first click drastically reduces your risk.
zvelo’s proprietary AI-based threat detection and categorization technologies, combined with curated domains, threat and other data feeds, plus global clickstream traffic generated through a partner network of 600+ million users and endpoints to provide unmatched visibility, coverage, reach and accuracy in detecting active and emerging phishing threats. This AI-powered phishing threat intelligence feed exposes phishing threats within the ActiveWeb traffic and other sensor-based data streams for market-leading performance in detecting, predicting, and identifying thousands of new phishing threats on the ActiveWeb daily — including “zero-day” threats not found in ANY other phishing feed.
Learn more about how PhishBlockList can improve your phishing detection solutions and applications.