Phishing has long posed a threat to businesses because attackers convince users to open harmful email attachments and executable links. As a result, companies have strengthened malware-blocking protections and added secure email gateways, while training employees to be more alert to phishing emails. But the landscape is changing yet again.
In turn, hackers have increased their level of sophistication through attacks that no longer rely on suspicious emails or attachment files at all, but instead penetrate corporate networks via phony websites, fake ads, rogue apps, or realistic browser pop-ups, extensions and plug-ins.
Users who mistakenly click on these new delivery formats may be opening their companies up to costly data breaches or extortion attempts through backdoor ransomware payloads.
Recent findings from the Ponemon Institute show that 77% of current attacks which compromise organizations are launched via file-less techniques designed to evade detection and bypass standard endpoint solutions. Cyber-criminals are turning more and more to such methods, which exploit the human attack surface and take advantage of blind spots in current security solutions to evade existing safeguards.
This problem is also exacerbated by the increased use of personal cellphones, laptops and tablets which employees adopt for work-related tasks. When employees access the internet for personal reasons on such dual-use devices, they may expose their corporate networks to phishing attacks, which can lead to disastrous outcomes for their companies.
This new generation of threats doesn’t target the device, the software or the network; instead, the primary target is now the unsuspecting person using these systems, and the delivery method is no longer a malicious PDF, Word doc, or zip file.
For example, one alarming new trend involves injecting obfuscated malicious JavaScript code into compromised websites so that they redirect users to Tech Support Scams. The nefarious methods used to compromise these sites make the JavaScript injection hard for experts to identify because its tracks are buried within several layers of code.
In examining the source code of such compromised websites, researchers found a suspicious encoded script that uses numbers to hide its content inside an eval() call. Within that eval(), it uses the JavaScript String.fromCharCode() method to convert all the numbers back into characters, which are then embedded into the page. By decoding the numbers back into characters, the researchers were able to retrieve the hidden content beneath them, which contained a hidden link to another site. When that URL was opened, it redirected users to a scam page.
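A static decoder for this pattern, as an added example (not code from the original post or from the researchers it describes): it finds numeric String.fromCharCode() argument lists in page source, converts them back to text without ever running eval(), follows nested layers, and reports any URL that surfaces. The injected script and the scam.example.invalid URL are constructed placeholders, not real indicators.

```javascript
// Added example, not code from the original post: statically peel the
// eval(String.fromCharCode(...)) layers described above WITHOUT executing them.
// Everything below is constructed; the URL is a placeholder, not a real site.
// Find String.fromCharCode calls whose arguments are plain numeric literals.
const FROM_CHARCODE_RE = /String\s*\.\s*fromCharCode\s*\(\s*([0-9\s,]+)\)/g;
const URL_RE = /https?:\/\/[^\s"'<>]+/g;

// Decode every numeric fromCharCode call in `source`; report whether the call
// sits directly inside eval( and any URLs that surface in the decoded text.
function decodeFromCharCode(source) {
  const findings = [];
  for (const match of source.matchAll(FROM_CHARCODE_RE)) {
    const codes = match[1].split(',')
      .map(s => parseInt(s.trim(), 10))
      .filter(Number.isFinite);
    const decoded = String.fromCharCode(...codes);
    const evalPos = source.lastIndexOf('eval', match.index);
    const insideEval = evalPos !== -1 &&
      /^eval\s*\(\s*$/.test(source.slice(evalPos, match.index));
    findings.push({ decoded, insideEval, urls: decoded.match(URL_RE) || [] });
  }
  return findings;
}

// Keep decoding until no further fromCharCode layer appears (bounded depth).
function peelLayers(source, maxDepth = 5) {
  const layers = [];
  let current = source;
  for (let depth = 0; depth < maxDepth; depth++) {
    const findings = decodeFromCharCode(current);
    if (findings.length === 0) break;
    layers.push(findings);
    current = findings.map(f => f.decoded).join('\n');
  }
  return layers;
}

// Constructed sample: a two-layer injection of the kind the post describes.
function wrapInFromCharCode(text) {
  const codes = Array.from(text, ch => ch.charCodeAt(0)).join(',');
  return `eval(String.fromCharCode(${codes}));`;
}
function buildSample() {
  const payload = '<meta http-equiv="refresh" content="0;url=http://scam.example.invalid/alert">';
  const inner = wrapInFromCharCode(payload);   // layer 2: the hidden redirect
  const outer = wrapInFromCharCode(inner);     // layer 1: hides layer 2
  return `<html><body><p>Welcome</p><script>${outer}</script></body></html>`;
}
const SAMPLE_INJECTED = buildSample();
peelLayers(SAMPLE_INJECTED).forEach((layer, i) =>
  layer.forEach(f => console.log(`layer ${i + 1}: eval=${f.insideEval} urls=${f.urls}`)));
```

Only the decoded text is inspected; nothing from the page is evaluated, so the same routine can be run over crawled HTML to surface redirect targets for blocking.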
This scam page played a very loud text-to-speech audio warning claiming that the computer had been infected with a virus and urging the user to call Tech Support immediately to remove it. This scary notice was amplified by an additional message warning users not to turn off their computers, because doing so would cause sensitive financial data and credentials to be stolen.
This is an unfortunate example of how current security tools fail to recognize a new type of threat. Firewalls are only effective when there is a known malicious URL to block, but hackers have become skilled at quickly propping up new, unidentified web pages and then taking them back down within hours to avoid detection.
Because these risky sites are so short-lived, security indexing bots cannot track all of them. Since URL databases and threat feeds can’t keep pace either, standard firewalls are unable to block the risky sites.
Likewise, anti-virus and malware protections only help when there is a file to examine, so it has become more critical to detect and block phishing attacks before any malicious files can reach the user environment.
Security professionals have begun to recognize this risk, but their organizations lack defenses that effectively guard against phishing attacks beyond email, so they remain increasingly vulnerable to this new wave of socially engineered attacks.
There is only one solution to this growing problem – detecting and blocking phishing attacks before the user can reach the page behind the link and start the kill chain from which bad things happen.
Security professionals and IT practitioners need to start thinking differently about how the socially engineered threat landscape is changing and what they need to do to address this growing threat. The solution for more powerful, real-time phishing threat detection lies at the intersection of computer vision, optical character recognition, natural language processing, and state-of-the-art machine learning, combined to achieve truly adaptive detection capabilities that catch these sneaky new script- and HTML-based attacks.