Home / Blogs

The Continued Rise of Phishing and the Case of the Customizable Site

We’ve noted in previous CSC studies1, 2, 3 that phishing continues to be an extremely popular threat vector with bad actors and shows no signs of subsiding—in part, because of the COVID-19 pandemic and the rise in popularity of remote working. Indeed, the most recent figures from the Anti-Phishing Working Group (APWG)4, 5 show that the numbers of phishing attacks are higher than ever before, with the quarterly total of identified unique phishing attacks exceeding 1 million for the first time in Q1 2022, and over 600 distinct brands attacked each month.

Figure 1:Total monthly numbers of unique phishing attacks from Q1 2018 to Q2 2022, as reported by APWG6

An earlier report by APWG7 noted that over 80% of phishing sites were found to be employing secure socket layers (SSL) or transport layer security (TLS) certificates (allowing use of HTTPS)—an increase from around 5% at the end of 2016—and 90% of these certificates had been issued by free providers, such as cPanel and Let’s Encrypt.

Furthermore, Interisle’s 2022 Phishing Landscape study8, 9 reported the detection of over 1.1 million phishing attacks between April 2021 and April 2022, with over 2,000 brands targeted, but the majority targeting just 10 top brands. Overall, 69% of attacks made use of specifically registered domains, with the attacks disproportionately concentrated on new generic top-level domains (gTLDs). Additionally, a small number of registrars dominate the malicious registrations. Around 41% of domains reported for phishing were found to have been used within 14 days of their registration, and most of these were reported within 48 hours.

Modern phishing is driven by the desire for credential theft and business impersonation, but it’s also increasingly recognized as the gateway for launching malware and ransomware attacks, which often lead to serious compromises of corporate systems and other security issues, such as domain name system (DNS) attacks.

The customizable phishing site

Central to many phishing attacks is the use of a fraudulent look-alike site mimicking the appearance of the official site of the brand being targeted—often including a login form prompting the input of sensitive customer information which thereby falls into the hands of the fraudster. In a classic phishing attack, the site will impersonate a specific brand, and cybercriminals will send emails to a wide group of users driving them to the site. This strategy uses the assumption that a certain portion of the recipients will be genuine customers of the targeted brand and may be fooled.

However, over the last two years, CSC has noted the emergence of a much more egregious style of phishing site, the appearance of which is dynamically tailored to the specific recipient in each case and can successfully target a much broader portion of recipients from a single campaign.

An example was first identified in February 2020, using a URL of the form https://[fraudsite.com]/[directory]/?usr=[string], where “string” was a series of apparently random characters. The site appeared to target the user of a specific corporate email address relating to a brand owner, with the address pre-populated into the login form on the page. The background of the site displayed a framed version of the official company website, giving the appearance that the user was logging into their own corporate site. All of this content appeared to be hard coded into the HTML of the phishing site.

However, closer inspection revealed that the content actually appeared to be dynamically generated, with the string in the URL comprising a Base64-encoded version (a standard method of converting binary data, such as a string of standard ASCII characters, into an alternative text format) of the recipient email address.

To determine how the phishing site handled this information in practice, a modified URL was generated, replacing the previous Base64 string with an encoded version of a CSC employee email address. This produced the page shown in Figure 2, for which the HTML source code again appeared to be hard coded when viewed.

Figure 2: A version of the phishing site constructed by modifying the string in the original URL, showing how it would appear if targeted towards the user of a specific CSC corporate email address (obfuscated in the screenshot for privacy purposes).

The implication is that the site is presumably running a script to dynamically generate the HTML of the page, based on the content of the Base64 string within the URL. This provides the potential to generate a very convincing, customized phishing attack whereby, given a recipient email address, the fraudulent site is configured to display a framed version of the host domain of the email address, overlain by a login box pre-populated with that address. Consequently, the same phishing email could potentially be sent to large numbers of email addresses, with no further requirement to customize the email or the corresponding phishing site to the recipients in question—beyond ensuring that a Base64-encoded version of the recipient email address is appended to the link in the phishing email in each case (which could easily be automated via use of a script).

It was also established that the behavior of the site appears to be dependent on exactly how and where it’s viewed, with the site appearing inactive when viewed in a virtual machine environment. This type of configuration has previously been noted as a technique used by fraudsters to thwart forensic analysis of their sites by security professionals, who often work in virtual environments.

It’s also notable that this type of site would be very difficult to detect using traditional brand monitoring approaches. Aside from the fact that the site may have been set up as an unindexed island site, intended to be accessed only via links in spam emails, there’s potentially no reference to any brand in the site content itself, with brand-specific content being generated dynamically in the HTML only when a specific URL is accessed. In this type of case, detection would be dependent on the ability of CSC’s anti-fraud engine, working in conjunction with web referrer information provided by the brand owner, to identify when the phishing site draws information from the brand owner’s official site when the framing process is carried out.

A study in July 202210, 11 reported the identification of an extremely similar style of attack, in this case using a bit-for-bit mirror of the official site of the brand being targeted.

Conclusions

These findings highlight the importance of a comprehensive phishing detection and enforcement program, able to identify threats of a variety of types. Detection should incorporate domain monitoring (to identify phishing sites where the brand name—or a variant—is included in the domain name) and internet monitoring (to identify other fraudulent sites linked from content indexed by search engines) components. However, other data sources—such as spam traps and honeypots, and other data feeds like customer abuse mailbox data and webserver logs—should also be used to identify phishing sites that are unindexed or feature content that is more dynamically generated.

However, even this is only part of the solution. As noted above, phishing attacks often form the basis for subsequent malware attacks or other security incursions. Accordingly, a robust security posture should also include the deployment of a range of domain security measures—such as those offered by an enterprise-class registrar—to protect critical corporate domains. It’s also advisable for brand owners to avoid the use of service providers who allow unsavory practices such as typosquatting, domain name auctions, and name spinning (the sale of domains containing brand variations)—all of which can facilitate phishing attacks.

By David Barnett, Brand Monitoring Subject-Matter Expert at CSC

David Barnett has worked in the internet brand-protection industry as an analyst and consultant since 2004. David managed the Analysis & Consultancy services in Brand Monitoring from 2006 to 2019, and currently works as the Brand Monitoring subject-matter expert in CSC’s office in Cambridge, U.K., helping to serve a range of brand-protection customers in a variety of industries.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign