Phishing is commonly regarded as the most common and effective way attackers can gain access into a network. This week we will be discussing common phishing practices, how they work, why they can be harmful to your organization, and how Stamus Security Platform (SSP) can help.
At Stamus Networks, we talk a lot about what we do to detect threats, but we don’t always emphasize what those threats are, why they are harmful, and how you can use SSP to help your organization detect them before it’s too late. This series -- Threats! What Threats? – seeks to change that.
Phishing’s history dates back to the 1990s when a group of hackers, known as the warez community, impersonated America Online (AOL) employees to collect personal information and login data from AOL users. Since then, phishing has been a common practice for attackers seeking to gain access into secure networks. In fact, the 2022 Verizon Data Breach Investigations Report (DBIR) found that malware is still delivered by email and office web documents more than any other method and 70% of social engineering breaches involved phishing in some capacity.
Phishing is actually a relatively simple process. A form of social engineering, it involves sending a fraudulent message - typically by email - where the attackers poses as a reputable source in order to trick the user into responding with personal information, clicking on harmful links, or opening images with hidden executable files. Sometimes, the links used by phishers lead to legitimate looking websites which might be nearly identical clones of the user’s bank, university, or social media. Information about the victim is often gathered ahead of time from public resources, such as social media, to make messages more personalized so that they appear reliable.
There are numerous types of phishing attacks. Most have been given fun names, but some are more common than others:
Basic Email Phishing: This is the most common type of phishing technique. Attackers will usually register fake domain names and send thousands of common requests to victims. They will often choose a reputable domain name, such as a bank or major tech company, and then add or replace characters, use subdomains, or use the trusted organization’s name as the email username.
Spear Fishing: This type of phishing is similar to basic email phishing, however it is targeted at one specific person or organization. By using detailed information that is especially relevant to the victim in the subject or body text, attackers can make the message appear more legitimate, ultimately making the phishing attempt more likely to be successful.
Whaling: Like spear phishing, whaling is targeted at specific individuals within an organization. Unlike spear phishing however, whaling focuses on targeting senior management or other highly privileged roles. These attempts do not always rely on more basic phishing techniques like malicious URLs or fake links, and more commonly use personal information available on the public domain to create scenarios that might bait users into responding and providing sensitive data.
Smishing and Vishing: These phishing attempts rely on phone communication rather than written email communication. Attackers will call (Vishing) or SMS text message (smishing) their potential victim acting as seemingly legitimate organizations in an attempt to get the individual to access a malicious link or provide sensitive financial or personal information. These scammers might find a victim’s phone number by public domain access points like social media, websites, and directories or through dark-web locations where personal data gathered from previous data breaches can be purchased with cryptocurrency.
Angler Phishing: This phishing technique is newer as social media becomes a more common communication medium. Attackers will mimic an organization’s existing social media account name and use the same profile picture in the hopes that a victim will not look closely enough to notice discernable differences. Then, they will respond to customer complaints or reach out offering “rewards” in exchange for personal information like full names, mailing addresses, or phone numbers.
Phishing attempts tend to be relatively easy to spot once users have been educated on common phishing practices. Since they usually contain a sense of threat or urgency that other email communications do not and linguistic errors like misspelling or grammar are common, most would-be victims can detect suspicious communications before they can cause any harm. Regardless, users should be wary of any communication that has a threatening undertone or urgency that is uncharacteristic.
While proper training of employees can certainly mitigate the risk posed by malicious phishing efforts, extra precautions should be taken in the event that a phishing attempt is successful in gaining access into your network.
Stamus Security Platform (SSP) is a broad spectrum and open network detection and response (NDR) system that delivers high-fidelity threat detection with explainable and transparent contextual evidence. As a network-based system, its primary function is to detect threats once they have gained access into an organization’s network. Phishing, by nature, is often a precursor to network-based attacks; however, SSP still enables security teams to detect potential phishing activity on their network in several ways:
SSP analyzes network traffic to detect potential phishing activity by searching for the presence of homoglyphs (also known as homographs) in a selected set of domains. A homoglyph attack is a method of deception often used by phishers to trick targets into clicking on malicious links by obfuscating the domain names. For example, an attacker might substitute “g” for “q” or an uppercase “i” for a lowercase “l”. In more sophisticated cases, the malicious link contains characters from different alphabets (represented by different unicodes) or character sets whose shape is nearly identical to the spoofed domain.
SSP gives users the choice to monitor their own custom domain list and/or the Alexa top 100 domain list. Detections that trigger based on user-generated domain lists are stored indefinitely until the configuration is changed.
When Stamus Security Platform registers a high-priority alert that poses significant, immediate threats to the user’s organization, it procures a Declaration of Compromise™ (DoC). These high-profile declarations notify the user of important threats with an included incident timeline and contextual evidence, enabling them to respond to threats sooner and more effectively.
A DoC is the association of one threat impacting one asset and stateful information such as when it was first seen, when it was last seen, the kill chain phase the threat is in, and so on. SSP DoC coverage includes several Phishing methods, including malware families like Maldoc that have been previously identified as phishing exploits.
When a DoC is triggered by a phishing attack, it will appear on the operational dashboard, and will generate an attack timeline enriched by all related metadata and files. And if configured to do so, it can automatically trigger an incident response, initiate a SOAR playbook, or send a block request to a firewall, XDR or EDR system.
Each day, the threat research team at Stamus Labs scans all newly registered international domains, and identifies those that appear to be imitating or representing the most popular domains on the Internet. This research forms the basis of the Stamus Phishing Domains list, to which SSP customers are automatically subscribed.
When SSP detects any engagement with these domains on the network, it triggers an alert. These alerts may be escalated to a Declaration of Compromise or triaged by security teams as part of a regular review.
While security teams can enjoy the benefits of automated threat detection provided by SSP, many organizations choose to be even more proactive in their defenses. In this case, the security analyst actively hunts for specific threats or scenarios that could be present on their network.
SSP’s guided threat hunting interface includes numerous predefined filters that allow the analyst to search for homoglyph activity, executable images, suspicious URLS, specific TTPs identified in the MITRE ATT&CK framework, and more.
Stamus Security Platform gives users the ability to detect phishing activities before they are able to install malware or ransomware onto a system. By using a network detection and response system with built-in phishing detection, security teams can more-proactively defend their organizations, mitigate risk, and respond to threats sooner.
If you would like to see a live demonstration of the Stamus Security platform and see for yourself how phishing threats can be detected sooner on your network, please click on the button below to request a demo.