In my previous blogs, I wrote about how phishing is no longer just an email problem, how the industrialization of phishing is being driven by the easy availability and low cost of phishing toolkits, and how current phishing defenses are being bypassed by attackers.
In this post, I'm going to discuss another challenging aspect of phishing attacks: the short-lived nature of phishing campaigns.
Based on Akamai's research, the more sophisticated and targeted a phishing attack, the shorter the duration of the attack.
Let's look at the normal approach to identifying and blocking access to a phishing page, which is to build a blacklist of observed phishing domains or URLs and then deploy that to a security solution to block access to the phishing pages.
Now to do this, security vendors normally must observe unusual traffic activity hitting a domain, analyze that domain, determine if it's a phishing domain, add it to a blacklist, and push that out as a security update.
That can take many hours.
If we look at the below diagram, we see that a domain or URL can be created at any time, but only receives traffic when the phishing campaign is launched. Once anomalous behavior is seen, then the security vendor's process begins. But crucially, the blacklist may only be getting updated when the campaign is over.
In other words, the window of risk is in the first hours of a campaign, when the domain or URL has not yet been identified as malicious and is not yet on the blacklist.
This means that there is a security gap.
Akamai's Enterprise Threat Research team conducted extensive analysis of phishing campaigns and phishing toolkits. They observed that, while the campaigns might be short-lived, many of the elements in the campaigns were repeatedly seen in the code of the phishing pages.
As a result of these findings, the team was able to create a new way to accurately identify phishing pages in real time, based on the content of the page. At the highest level, this is what Akamai is launching with the zero-day phishing detection engine in Enterprise Threat Protector -- the ability to analyze requested web pages and compare these against "fingerprints" of previously seen phishing pages.
This real-time protection happens at the point the page is requested -- and even when the phishing page has never been seen before.
So how do we do this? Akamai continuously receives numerous lists of newly identified phishing domains and URLs. The web page content for these newly identified domains and URLs is retrieved, then similar pages are clustered and analyzed to extract common code features, which produce the phishing "fingerprints" used by the detection engine.
An additional data source was recently added to this intelligence. The traffic on the Akamai platform is now examined for unusual requests to websites that are using the Akamai CDN network to deliver the content. An example of a request that would be flagged by this analysis: a real-time browser request to a brand or enterprise's site for a logo. This may be indicative of a victim accessing a phishing page; the spoofed page is calling to the legitimate website to retrieve the logo -- over the Akamai CDN network.
Akamai uses the referrer headers to retrieve the suspected phishing page's content, and it's added to the data set for analysis, to detect newly created phishing pages. This is a unique and highly relevant data source that only Akamai has access to.
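The CDN-side signal described above can be illustrated with a small log check. This is an added example, not Akamai's code: it scans constructed CDN access-log lines for requests to a brand's logo asset whose Referer points at a host the brand does not own, and reports those hosts as candidate phishing pages to fetch and analyze. The host names, asset paths and log lines are all hypothetical placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in combined-log format (client, request, status, size, referer, UA).
# All hosts and paths are hypothetical placeholders, not real indicators.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /assets/brand-logo.svg HTTP/1.1" 200 4123 "https://www.example-brand.com/login" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2024:10:00:02 +0000] "GET /assets/brand-logo.svg HTTP/1.1" 200 4123 "https://secure-login-verify.example/office/index.php" "Mozilla/5.0"
203.0.113.12 - - [01/Jan/2024:10:00:03 +0000] "GET /assets/brand-logo.svg HTTP/1.1" 200 4123 "https://secure-login-verify.example/office/index.php" "Mozilla/5.0"
203.0.113.13 - - [01/Jan/2024:10:00:04 +0000] "GET /css/site.css HTTP/1.1" 200 900 "https://secure-login-verify.example/office/index.php" "Mozilla/5.0"
203.0.113.14 - - [01/Jan/2024:10:00:05 +0000] "GET /assets/brand-logo.svg HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.15 - - [01/Jan/2024:10:00:06 +0000] "GET /assets/brand-logo.svg HTTP/1.1" 200 4123 "https://cdn.example-brand.com/widget" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$'
)

# Brand assets that a spoofed login page typically hotlinks (hypothetical path).
WATCHED_ASSETS = {"/assets/brand-logo.svg"}
# The brand's own apex domain; any subdomain of it is a legitimate embedder (hypothetical).
BRAND_DOMAIN = "example-brand.com"

def referer_host(referer):
    """Lower-cased hostname from a Referer value, or None when the header is absent ('-')."""
    if referer in ("", "-"):
        return None
    return (urlsplit(referer).hostname or "").lower() or None

def is_brand_owned(host):
    # Suffix match on a dot boundary so 'example-brand.com.evil.test' is NOT treated as ours.
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)

def suspicious_referers(log_text):
    """Return {referer_host: hit_count} for watched-asset requests embedded by non-brand origins.

    Referer is client-supplied and can be omitted or altered, so the output is a list of
    candidate pages to retrieve and fingerprint, not a verdict on its own.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        _client, method, path, status, referer = m.groups()
        if method != "GET" or path not in WATCHED_ASSETS or status != "200":
            continue
        host = referer_host(referer)
        if host is None or is_brand_owned(host):
            continue
        counts[host] += 1
    return dict(counts)
```

Each reported host is a page worth retrieving and comparing against the toolkit fingerprints; repeated hits from many distinct clients in a short window raise confidence.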
Let me give a practical example of how this works.
Imagine I go home tonight and register a new domain, then set up a phishing page that spoofs an Office 365 login page using one of the readily available toolkits. Then I launch my email campaign.
With the blacklist approach, in the first few hours of my campaign, victims click on the link in my email and graciously enter their usernames and passwords. That's because the blacklist has not yet been updated. I'm a happy attacker.
But with Enterprise Threat Protector's zero-day phishing detection, even the very first target who tries to access the fake login page is safe because the phishing toolkit's fingerprint is identified and therefore access is blocked in real time. That domain or URL is then automatically added to Enterprise Threat Protector's threat intelligence. I'm not such a happy attacker now.
This real-time protection against zero-day phishing attacks helps to reduce that security gap I talked about earlier. Remember, all the attacker needs is one set of credentials. Now you can lock the door before the horse has bolted.
To learn more about securing your users and devices against zero-day phishing and other targeted threats, visit akamai.com/etp.