The Different Topologies of a Phishing Attack
Phishing continues to be a serious threat to both individuals and enterprises. Every year, millions of new phishing URLs are identified and distributed by various threat intelligence vendors with the intent of thwarting attack campaigns. However, thwarting the attacks can be quite challenging because phishing threats are not homogeneous in nature. Malicious actors use several different phishing attack topologies to execute their campaigns – each of which requires a different approach to detect and mitigate the threat.
Phishing attack topologies are primarily architected in the following three ways:
Domain-Based. The malicious actor sets up their own domain and website to launch their attack. In this case, the actor registers the domain, deploys a web server, and then hosts the web page or pages needed to carry out the phishing attack.
Compromise-Based. The malicious actor may compromise an existing legitimate website and insert a phishing page within the website without the site owner’s knowledge.
Unmonitored Sites-Based. Sites that allow user content to be hosted or uploaded can also serve as a place for phishing pages to be hosted. For example, cloud storage, blogging sites, web application hosting sites, etc., are often used to carry out phishing attacks.
Each one of these phishing attack topologies requires a different approach for mitigation. For example, phishing attacks hosted on infrastructure controlled by the malicious actor are relatively easy to block at the domain name level. DNS filtering or next-gen firewalls that ingest threat intelligence for filtering purposes are the best approach to mitigate this type of phishing attack.
However, when you apply this same tactic to phishing attacks delivered via a compromised legitimate site, the drawback is that you have to block the entire website rather than just the phishing page or pages. While that may not be seriously problematic for smaller, less popular sites, it can have serious repercussions for larger, more popular domains. Effectively blocking this type of phishing attack requires URL-level filtering. This can be a challenge if the phishing page is served over SSL/TLS, as the full URL the victim clicked on may not be visible unless the defender has deployed an SSL decryption proxy.
Similar to an attack which compromises a legitimate site, phishing threats hosted within user-driven, shared content sites are also difficult to block. In this case, URL filtering is also required, and that is subject to the same visibility restrictions regarding SSL encrypted web traffic as in the preceding scenario.
Given the visibility restrictions with URL filtering, what are the other options to defend against the second and third types of phishing attack topologies? The most effective form of defense is to filter the URLs in the delivery path – links in an email, links embedded in text messages, and/or links embedded in forums and blog posts. Filtering in the delivery path allows service providers to see the links, without having to intercept an encrypted HTTPS conversation between the user’s browser and the target website. In other words, this filters out the phishing links before they can be clicked on in the first place. The effectiveness of delivery path filtering is dependent upon the quality of the URL threat intelligence feed that the provider uses to filter the traffic.
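As an added illustration of the mitigation logic described above (not code from the original article or any vendor), the following Python sketch shows a delivery-path link filter that applies an indicator as broadly as its topology allows: attacker-owned domains are blocked along with all their subdomains, while indicators on compromised or shared-hosting sites block only the flagged page or directory so the rest of the legitimate site stays reachable. The feed entries, hostnames and sample message are all constructed for the example.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Constructed sample feed (not a real vendor feed). Each indicator carries the
# topology the analyst assigned to it, which decides how broadly it may match:
# "domain" = attacker-owned infrastructure, "compromise" = page on a hijacked
# legitimate site, "unmonitored" = page on a shared/user-content hosting site.
FEED = [
    {"url": "http://login-verify-example.test/", "topology": "domain"},
    {"url": "https://news-site.example/wp-content/uploads/secure/index.php",
     "topology": "compromise"},
    {"url": "https://storage.example/bucket-1234/", "topology": "unmonitored"},
]

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def normalize(url: str) -> tuple[str, str]:
    """Lowercase the host, drop port/query/fragment, default the path to '/'."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower(), parts.path or "/"


def verdict(url: str) -> tuple[str, str | None]:
    """Return ('block', matched_indicator) or ('allow', None).

    Domain-topology indicators block the host and every subdomain of it.
    Compromise/unmonitored indicators block only the exact page, or the
    directory subtree when the indicator ends in '/'.
    """
    host, path = normalize(url)
    for entry in FEED:
        fhost, fpath = normalize(entry["url"])
        if entry["topology"] == "domain":
            if host == fhost or host.endswith("." + fhost):
                return "block", entry["url"]
        elif host == fhost and (
            path == fpath or (fpath.endswith("/") and path.startswith(fpath))
        ):
            return "block", entry["url"]
    return "allow", None


def scan_message(text: str) -> list[tuple[str, str]]:
    """Delivery-path check: extract every link in a message and classify it."""
    return [(u, verdict(u)[0]) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    # Constructed sample e-mail body: one phishing link, one legitimate link.
    sample = ("Your mailbox is full, fix it at https://News-Site.example:443/"
              "wp-content/uploads/secure/index.php?u=bob or read the story at "
              "https://news-site.example/2024/story.html")
    for link, result in scan_message(sample):
        print(result, link)
```

Because the check runs on the link text in the message itself, it needs no interception of the later HTTPS session between the user and the site.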
Detection across these three different phishing attack topologies requires a threat intelligence vendor that tailors their detection capabilities for each scenario. The same techniques that can ferret out malicious domains owned by the attacker will not have the same level of effectiveness if the attacker is using legitimate websites to host their phishing pages. Essentially, there are different signals to consider for each type of attack. Understanding how your threat intelligence vendor detects threats, which types of threats they detect, and what visibility they have is an important consideration.