Here at Cyxtera, we take pride in our machine learning technology that helps us find and take down the vast majority of phishing websites almost as soon as they go live. But for some stubborn attacks, nothing beats a human touch. That is why I oversee a team of Cyxtera Threat Advisory Center (CTAC) agents that tirelessly work 24/7/365 to monitor, analyze, and remove threats across social media, email, and online channels. As agents, we tend to work on the attacks that require a little more elbow grease to take down, meaning we have a front-row seat to observe the evolution of cybercriminal threats as they attempt to circumvent established protection measures. Here are a few of the most dangerous new attacks that we have seen so far in 2019, along with a few hard-earned recommendations on how to stop them.
Attack #1 – Homoglyphs: Attacks Evolving to Evade Detection
Target: Several large Latin American banks
Modus Operandi: A homoglyph is a character or sequence of characters that appears similar or identical to another. Historically, homoglyphs have been very useful in phishing attacks; a simple example is a phishing URL in which the letter O in a site’s official name is replaced with the number 0. Recent attacks have been using homoglyphs drawn from non-ASCII characters in other languages to get around automated threat detection for online advertising and social media. In both channels, attackers use homoglyph characters from other languages in ad headlines and social media profile names so that they do not trigger automated keyword detection. They combine this with links to domains that do not resemble the brand’s, so that the systems searching for look-alike domains miss them as well.
The image above shows a malicious ad for a Latin American financial institution. Note that the first “a” contains a character that is not a part of the Spanish language, and the URL is not a similar domain.
This is an example of a homoglyph attack on social media. Note the Russian characters in the account name, which does not contain any brand keywords that would trigger an alert.
How We Mitigated the Threat: While automated detection using technology like machine learning is essential for detecting and stopping brand-abusing phishing attacks, it takes human beings to tweak the algorithms to ensure that they are catching the most fraud. My team of CTAC agents regularly performs manual searches and analysis to find attacks that our algorithms may not have been trained to find yet, and then enhances those algorithms accordingly for future attack detection.
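The keyword-detection gap described above can be closed with two checks: fold each token to an ASCII "skeleton" before comparing it with brand keywords, and flag tokens that mix scripts. The following is an added example, not Cyxtera's code; the confusables map is a small constructed subset of the Unicode table, and "Bancomundo" is a fictitious brand.

```python
import re
import unicodedata

# Constructed subset of look-alike characters mapped to the ASCII letter they
# imitate. The full Unicode confusables table (UTS #39) is much larger.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic c x y i
    "\u03b1": "a", "\u03bf": "o", "\u0131": "i",                  # Greek alpha, omicron; dotless i
}

def skeleton(text):
    """Fold text to a lowercase ASCII skeleton: NFKC collapses full-width and
    ligature forms, the map folds digit and cross-script look-alikes, and
    accents are stripped, so look-alike spellings land on the same string."""
    out = []
    for ch in unicodedata.normalize("NFKC", text).lower():
        for base in unicodedata.normalize("NFKD", CONFUSABLES.get(ch, ch)):
            if not unicodedata.combining(base):
                out.append(base)
    return "".join(out)

def scripts_in(token):
    """Scripts used by a token's letters, taken from the first word of each
    character's Unicode name, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in token if c.isalpha()}

def find_brand_abuse(text, brands):
    """Return (token, reasons) for tokens that match a brand only after
    skeleton folding, or that mix scripts: the two signals that plain keyword
    matching on ad headlines and profile names misses."""
    findings = []
    for token in re.findall(r"\S+", text):
        raw, skel, reasons = token.lower(), skeleton(token), []
        for brand in brands:
            if brand.lower() in skel and brand.lower() not in raw:
                reasons.append(f"looks like '{brand}' after folding")
        scripts = scripts_in(token)
        if len(scripts) > 1:
            reasons.append("mixed scripts: " + "+".join(sorted(scripts)))
        if reasons:
            findings.append((token, reasons))
    return findings

if __name__ == "__main__":  # constructed headline with a Cyrillic 'a' in a fictitious brand
    print(find_brand_abuse("B\u0430ncomundo - pr\u00e9stamos r\u00e1pidos hoy", ["Bancomundo"]))
```

A genuine spelling of the brand produces no finding, so the check adds signal without flagging the institution's own ads.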
Attack #2 – The Domains Change, but the IP Addresses Stay the Same
Target: A major East Asian bank
Modus Operandi: CTAC agents observed that several phishing attacks can be launched from a variety of similar domains at the same time. However, upon deactivation of that group of domains, the attacks would be relaunched from a new group of similar domains using the same IP address or IP range as the previous attacks. These IPs seemed to be carefully selected, as they were usually coming from specific countries and internet service providers more likely to facilitate such systematic behavior.
How We Mitigated the Threat: In the short term, these kinds of attacks can be mitigated through domain and IP monitoring that culminates in a site takedown. Machine learning and other analytical technology enabled our agents to see patterns in how these attacks continued to be launched on new similar domains across various IP addresses after they had been removed the first time. It was necessary to leverage our relationships with some of the affected Internet Service Providers and even local governments in order to complete the takedown of certain large-scale attacks.
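The relaunch pattern above (new look-alike domains, same IP range) can be surfaced by clustering a takedown ledger by network and looking for networks that hold both removed and newly active look-alikes. This is an added example rather than Cyxtera's tooling; the records, IPs and the "eastbank" keyword are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed takedown ledger (not real data): domains we already had removed
# and domains seen active afterwards, with the IP each resolved to.
RECORDS = [
    {"domain": "eastbank-secure.com",  "ip": "203.0.113.10", "status": "removed"},
    {"domain": "eastbank-login.net",   "ip": "203.0.113.11", "status": "removed"},
    {"domain": "east-bank-verify.com", "ip": "203.0.113.12", "status": "removed"},
    {"domain": "eastbank-update.org",  "ip": "203.0.113.25", "status": "active"},
    {"domain": "eastbank-kyc.com",     "ip": "203.0.113.26", "status": "active"},
    {"domain": "unrelated-shop.com",   "ip": "198.51.100.7", "status": "active"},
]

def network_of(ip, prefix=24):
    """The /prefix network containing ip, so neighbouring hosts cluster together."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def looks_like_brand(domain, brand):
    """Crude similar-domain test: the brand keyword survives once hyphens and
    the TLD are stripped. Homoglyph folding would slot in here."""
    label = domain.rsplit(".", 1)[0].replace("-", "").lower()
    return brand.lower() in label

def find_relaunches(records, brand, prefix=24):
    """Cluster records by network and report brand look-alike domains that are
    active in a network where we already removed look-alikes: the 'new similar
    domains, same IP range' relaunch pattern. Keyed by network string."""
    by_net = defaultdict(list)
    for r in records:
        by_net[network_of(r["ip"], prefix)].append(r)
    relaunches = {}
    for net, rs in by_net.items():
        removed = [r["domain"] for r in rs if r["status"] == "removed"]
        active = [r["domain"] for r in rs
                  if r["status"] == "active" and looks_like_brand(r["domain"], brand)]
        if removed and active:
            relaunches[str(net)] = {"previously_removed": removed, "relaunched": active}
    return relaunches

if __name__ == "__main__":
    for net, info in find_relaunches(RECORDS, "eastbank").items():
        print(net, "relaunched:", info["relaunched"], "after removal of:", info["previously_removed"])
```

Tightening `prefix` to 32 clusters by exact IP only, which is the right setting when an attacker reuses single addresses rather than a range.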
Attack #3 – A Sugar Daddy That Is Not So Sweet
Target: A small US credit union
Modus Operandi: A Twitter account will self-identify as a “sugar daddy” or “sugar mommy”, offering to make online deposits to interested individuals on the condition that the receiving party has an account with a specific financial institution. After the victim’s attention is caught, the supposed sugar parents ask for online banking information such as usernames and passwords through direct messages. This eventually leads to money being removed from the victim’s account.
How We Mitigated the Threat: These attacks are an example of an external threat starting far from a financial institution’s perimeter that nevertheless leads to tangible losses. Our agents were monitoring thousands of different social networks for potential phishing attacks when we discovered these attacks and worked closely with the social media networks hosting the attacks to get the criminal accounts suspended. Turns out your daddy and mommy (the real ones, not the sugary kind) were right: if it sounds too good to be true, it probably is.
Attack #4 – Finding Secret Vishing Blogspots
Target: A major Middle Eastern bank
Modus Operandi: A smishing (SMS phishing) message is sent to a user’s WhatsApp account, urgently requesting that the user update their information to prevent their account and its associated cards from being blocked. The fraudulent message includes a contact number and a URL, which leads to a phishing site impersonating the bank, hosted on Blogspot. The Blogspot site is a decoy meant to make the whole experience seem more realistic, and no information is solicited there; the user’s sensitive information is obtained through a follow-up vishing (voice phishing) call after the message is received. Blogspot is an attractive option for hosting the decoy sites because:
- Blogspot sites are free and easy to create.
- Their owners are impossible to validate.
- Their unique subdomains are difficult for anti-phishing monitoring solutions to detect.
- The lack of data capture on the sites means they are not classified as phishing sites and therefore not blacklisted.
- Blogspot is slow to remove sites alleged to violate trademarks, which is the only legal way to get the sites taken down.
Above is an example of one of the fraudulent Blogspot sites. Note that there are no fields requesting a user to enter credentials, which complicates automatic classification as a phishing site.
How We Mitigated the Threat: Using brand keywords submitted to us by the financial institution, our agents were able to find the sites as part of our regular monitoring of online forums and blogging platforms. To deal with the delayed takedown these sites often present, we instantly blacklisted each site we found so that the institution’s customers would be warned when they tried to access it.
Attack #5 – When Similar Domains Play Dress-Up
Target: Several smaller Latin American banks
Modus Operandi: The end user receives a fraudulent WhatsApp message requesting personal documentation to apply for a loan. The sender is made to look like a legitimate company, and the message indicates that the required documents should be sent to an email address or a phone number different from the original sender’s number. No phishing link is included, but if the user goes to the website associated with the email address, they will see a similar domain that shares a name with a legitimate financial institution but has completely different branding. Victims are eventually asked to transfer money through WhatsApp to allegedly pay a fee to start the loan process; that money is stolen by the cybercriminals.
How We Mitigated the Threat: Many of these sites were not being classified as phishing sites because they did not capture any data, and in many cases did not even resemble the page of an official banking website. Using brand keywords that the financial institutions submitted to our agents, we were able to find the camouflaged similar domains and block end-user access to them while the longer trademark-claim process to have the sites removed ran its course.
As the above attacks show, cybercriminals are constantly on the prowl for new ways to evade detection mechanisms and continue to carry out phishing attacks. Financial institutions need a comprehensive digital threat protection strategy to keep up with fraudsters no matter how threats evolve, and block attacks no matter what form they morph into.
To find out more about how Cyxtera protects organizations against these and many other online threats, visit our Digital Threat Protection page.