In their recent report, the Anti-Phishing Working Group (APWG), a not-for-profit industry group that targets identity theft and fraud resulting from phishing, crimeware, and e-mail spoofing, focused largely on the rapid pace of phishing growth. The first quarter of 2022 was the worst ever, the first in which attacks crossed the one million threshold. Almost one-fourth of attacks targeted victims in the financial sector and credential phishing attacks on enterprise users increased by 7%.
As these figures demonstrate, the classic social engineering appeals using email and SMS messages (known as “smishing”) – and updated channels, like instant messengers and voice messages combined with email, SMS or IM (“vishing”) – remain highly effective. Perhaps not on a percentage basis but in terms of absolute numbers, thanks to the sheer volume of messages being sent.
Ambitious cybercriminals (and the best cybercriminals are nothing, if not innovative) are continuing to develop ways to increase the effectiveness of their messages and to bypass some of the defenses that have been put in their way. What follows is a number of the new-and-improved phishing techniques that researchers have recently uncovered.
Evading Detection with Reverse Tunnels
In one new phishing technique, threat actors have been combining reverse tunnel services with URL shorteners to effectively mask their identities and make detection exceptionally difficult, resulting in increased returns on phishing investment and reducing the likelihood of getting caught.
Reverse tunnels, which are provided as a service by companies such as Cloudflare, Ngrok and LocalhostRun, allow users to expose a server or computer to the internet without opening ports. A lightweight process, clientless tool or program that is downloaded (depending on the provider) is run on the reverse tunnel user’s device to create an outbound tunnel to the provider’s network.
Details of each service differ, but all enable a public HTTPS URL to be created for a website that is, in truth, running locally on an individual’s server or PC. Some do not even require users to create an account.
How the Scams Work
- On their local server or PC, the threat actor creates a website that spoofs that of a trusted financial institution or government office.
- They then run the reverse tunnel service to make a URL available to users. Because the URLs generated by the reverse tunnel providers tend to be long and frankly, a bit scary, they use well-known URL shorteners such as bit.ly, cut.ly or is.gd to shorten the URLs.
- Phishing messages, with the usual urgent messages, are distributed through all the usual channels – social media ads and fake social media pages, SMSes, instant messaging services like WhatsApp and Telegram, and of course, email.
- Victims who click on these links land on a spoofed page that is located on the criminal’s server, where they are instructed to enter credentials in order to resolve the “problem” cited in the original message.
What is Different and Better (for the Scammers)
Let’s go back to step #1 in the previous section. Traditionally, threat actors have hosted their spoofed sites on reputable web hosting platforms such as GoDaddy, NameCheap and Google, using domain names that closely resemble those of the organizations they’re spoofing. While this process (obviously) hasn’t stopped phishing activity, it does throw some stumbling blocks in the paths of threat actors.
When a phishing domain is detected and reported, the hosting providers take down the site and work with law enforcement to identify who registered it. The threat actors may also face legal action for trademark infringement from the legitimate organizations that they spoofed.
By using reverse tunnels in conjunction with URL shorteners, the criminals are protected in a number of ways. First, the very random domain names used with remote tunnel services are highly unlikely to be detected by domain name scanning services. URL shorteners add an additional layer of obfuscation. Perhaps more importantly, reverse tunnel service providers are not obligated to monitor or remove malicious URLs since they are not hosting the services. Together with the fact that the threat actors are not registering close-to-brand-name domain names, this lowers the likelihood of being discovered and legally charged.
More Phishing Dangers
In addition to the reverse tunnel technique, researchers recently publicized a method by which cybercriminals can leverage Microsoft WebView2 to steal authentication cookies and bypass MFA when logging into stolen accounts. The technique requires victims to run a malicious executable, meaning that the ability to bypass MFA must be initiated via a successful social engineering attack before threat actors can further benefit from fruits of subsequent phishing campaigns.
This technique is not known to have been used (yet) in real-world attacks, but in all likelihood, it is being put into practice right now.
Exploiting SMS Sender IDs
If you rely on conversation threads to determine which SMS is legit and which is likely to be smishing, think again.
It turns out that in many locations it is remarkably simple to “send” a phishing SMS from the number of the legitimate organization that is being spoofed. Worse yet, if the recipient has a thread of legit messages from that sender on their phone, the smishing message will appear in that thread.
The threat actor need only open the “sender ID” setting and enter a number or text string — no verification is needed. While some countries require sender ID’s to be pre-registered, surprisingly few do so. As a result, a smart threat actor can simply enter the number from which the legitimate bank, for instance, that they are spoofing sends messages to customers. And even skeptical users will trustingly click malicious links that the messages contain.
This risk is one that all regulators worldwide should address in one of two ways – either by requiring that the “sender ID” be registered as the phone number from which the SMS is actually being sent, or by adding a warning to messages that are sent from a different number. Meanwhile, in too many countries, it is buyer beware.
Protecting Users Who Don’t Always Protect Themselves
Being human means having moments of weakness. And being mature means working out ways to protect ourselves from danger when we hit one of those moments (no more ice cream calling to me from my freezer, alas.)
The cyber criminals who design phishing attacks are geniuses at targeting your users’ weak spots with sophisticated social engineering techniques. And no matter how aware your users are regarding the tricks and traps used in phishing campaigns, some are bound to click when hit at a weak moment.
A mature phishing defense needs to be able to protect users especially when they fail to protect themselves. ZTEdge Web Isolation solution protects against phishing attacks and credential theft by opening web sites in isolated cloud-based containers. Website code and browser-delivered executables, such as the one required for the MFA bypass, are executed in a short-lived, isolated cloud-based container where they can cause no harm, not on the user device. Safe rendering data streamed to users’ browsers provides a fully interactive website experience – unless a site has questionable reputational ratings. In that case, the site can be opened solely in read-only mode, so that users cannot be tricked into providing credentials.
Despite regulatory and law enforcement efforts, phishing is likely not only to continue, but to continue expanding to new channels and adopting new techniques. It is up to mature organizations to acknowledge the ongoing risk and do what they can to keep their users from falling prey.