Phishing continues to be one of the most common threats faced by companies of all sizes, and one of the main initial-access vectors threat actors use to get into networks. As defenses evolve, so do the tactics threat actors use to circumvent them. In this article, the GoSecure Titan® Inbox Detection & Response (IDR) team shares examples of tactics threat actors have used to bypass anti-phishing defenses.
Evasive Phishing Techniques
While widely disliked by users, captchas have recently become one of the most effective tools in a threat actor’s toolbox, and threat actors have found a way to turn them against the good robots. Many email and web security systems fetch and scan a linked web page before allowing the user to load it. To circumvent this, some threat actors put a captcha in front of the phishing page that the visitor must pass before the page loads. Victims have been conditioned to complete captchas without a second thought, while automated scanners cannot prove they are human and never reach the phishing content. The result is that phishing pages stay online longer, because an automated scanner is far less likely to reach them and classify them as phishing.
Some threat actors create fake business websites when setting up phishing campaigns, often going to great lengths to make the site look legitimate. This improves the chances that a user will fall for the phish while also reducing the chances that an analyst or scanner will recognize the site as part of a phishing operation.
Some phishing kits include a unique key in each phishing link they send. The link takes the victim to an intermediate site called a “redirector”, which checks the key. If the key is valid, the redirector sets a cookie in the victim’s browser and redirects them to the phishing page. The phishing page then checks for the cookie, and only if it carries the expected value is the phishing form shown. If the browser does not have the cookie, or the cookie does not hold the value the kit expects, the visitor is instead redirected to a benign site such as google.com or wikipedia.com.
On the left is what the victim sees after clicking the phishing link in the email. On the right is what anyone else sees when they try to visit the link directly:
This means that automated scanners cannot crawl the phishing site and categorize it as phishing, and analysts cannot inspect or report the phishing page unless they have a copy of the original email containing the keyed link. To make things even more difficult, some phishing kits expire the victim’s unique key after its first use, so a link that has already been clicked cannot be replayed by an analyst either.
Many phishing kits use something called a “blocker”, which simply checks whether the visitor’s IP address or browser User-Agent appears in a list stored in the same location as the phishing page. These lists usually include known security scanners and crawlers, as well as IP ranges of known VPNs, Tor exit nodes, security vendors, and cloud service providers. If the visitor matches an entry on the block lists, they are redirected to a benign website or shown a fake 404 page. This makes it more difficult for security companies and analysts to detect and analyze phishing pages: an analyst who fetches the page from a vendor or datacenter address, or with a scanner’s User-Agent, will typically see only the decoy.
Password-protected archives and files
Some phishing attacks place the phishing link or attachment inside a password-protected archive or PDF and put the password in the email body (or in a follow-up email). This prevents scanners from detecting the phishing attempt, since they cannot see inside the protected document. It also has the added benefit, from the attacker’s point of view, of making the interaction feel more “secure”, which can increase the chances that the victim falls for the phishing attempt.
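The gateway-side check this calls for is to treat an encrypted archive as a signal on its own, and an encrypted archive whose password appears in the same message as a much stronger one. The following is an added example and not code from the GoSecure post: it reads the ZIP central directory to find password-protected members (general-purpose flag bit 0) without needing the password, and pulls “password is …” style strings out of the message body. The archive and message body are constructed fixtures; since Python’s zipfile module cannot write password-protected archives, the fixture is a plain ZIP with the encryption flag patched in, which is exactly the field the check reads.

```python
import io
import re
import zipfile

# Matches "password is X", "Password: X", "passcode = X" in a message body.
# Trailing punctuation is excluded so "The password is Inv0ice2024." yields
# "Inv0ice2024"; real passwords may end in such characters, in which case a
# scanner should try both variants. Pattern written for this example.
PASSWORD_RE = re.compile(
    r"\bpass(?:word|code|phrase)?\s*(?:is|:|=)\s*[\"']?([^\s\"'.,;]{4,})",
    re.IGNORECASE,
)


def candidate_passwords(body: str) -> list[str]:
    """Return the strings the message body presents as the password."""
    return PASSWORD_RE.findall(body)


def encrypted_members(zip_bytes: bytes) -> list[str]:
    """Names of archive members with general-purpose flag bit 0 set, i.e.
    password-protected members. Only the central directory is read, so this
    works without knowing the password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x1]


def assess_attachment(zip_bytes: bytes, body: str) -> dict:
    """Combine the two signals into a verdict for the attachment."""
    members = encrypted_members(zip_bytes)
    passwords = candidate_passwords(body)
    if members and passwords:
        verdict = "encrypted-archive-password-in-body"
    elif members:
        verdict = "encrypted-archive"
    else:
        verdict = "clear"
    return {"verdict": verdict, "encrypted_members": members, "passwords": passwords}


def build_fixture_zip(encrypted: bool) -> bytes:
    """Constructed test fixture, not a real attachment. A one-file ZIP is
    written normally and, when encrypted=True, the encryption flag (bit 0 of
    the general-purpose flags) is set in both the local file header and the
    central directory entry. The payload itself is left as-is; only the flag
    matters for the check above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.html", "<html><body>placeholder</body></html>")
    data = bytearray(buf.getvalue())
    if encrypted:
        local = data.find(b"PK\x03\x04")    # sig(4) version(2) flags(2)
        data[local + 6] |= 0x01
        central = data.find(b"PK\x01\x02")  # sig(4) made-by(2) needed(2) flags(2)
        data[central + 8] |= 0x01
    return bytes(data)


if __name__ == "__main__":
    # Constructed message body of the kind described above.
    body = "Please see the attached invoice. The password is Inv0ice2024."
    print(assess_attachment(build_fixture_zip(True), body))
```

A PDF carries its own encryption flag (an /Encrypt entry in the trailer) and needs a separate parser; the same two-signal logic applies.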
Some phishing campaigns send a benign email with the actual phishing email attached to it (as a message/rfc822 part, commonly an .eml file). This often gets the phishing message past scanners that do not apply the same rules and scans to attached messages as they do to the original email. Threat actors often pair this tactic with lures that push the victim to act quickly, like “Are you getting my emails?” or “Any updates on this?”
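The defensive fix is to scan every nested message with the same rules as the top-level one. The following is an added example, not code from the GoSecure post: it walks a MIME tree, descends into message/rfc822 attachments while counting how deep each part sits, and extracts URLs from every text part. The sample message is a constructed fixture with a benign cover note and the phishing lure one level down; the scanner that stops at depth 0 finds nothing, the recursive one finds the link.

```python
import re
from email import message_from_string, policy

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: a benign-looking cover note with the real phishing
# message attached as message/rfc822 (what an .eml attachment is on the wire).
SAMPLE_MESSAGE = "\n".join([
    "From: alice@example.com",
    "To: bob@example.net",
    "Subject: Any updates on this?",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="outer"',
    "",
    "--outer",
    'Content-Type: text/plain; charset="us-ascii"',
    "",
    "Hi Bob, are you getting my emails? Forwarding the last one again.",
    "",
    "--outer",
    "Content-Type: message/rfc822",
    'Content-Disposition: attachment; filename="fwd.eml"',
    "",
    "From: it-support@example.com",
    "To: bob@example.net",
    "Subject: Mailbox quota exceeded",
    'Content-Type: text/plain; charset="us-ascii"',
    "",
    "Your mailbox is full. Sign in at https://example.invalid/login to keep it.",
    "",
    "--outer--",
    "",
])


def iter_parts(msg, depth=0):
    """Yield (part, depth) for every MIME part, descending into attached
    messages. depth counts how many message/rfc822 boundaries were crossed;
    the parser stores an attached message as a one-element payload list."""
    yield msg, depth
    if msg.is_multipart():
        child_depth = depth + 1 if msg.get_content_type() == "message/rfc822" else depth
        for sub in msg.get_payload():
            yield from iter_parts(sub, child_depth)


def extract_urls(raw, max_depth=None):
    """Return [(depth, url), ...] from every text part of the message.
    max_depth=0 mimics a scanner that only looks at the top-level message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    for part, depth in iter_parts(msg):
        if max_depth is not None and depth > max_depth:
            continue
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            found.append((depth, url))
    return found


if __name__ == "__main__":
    print("top level only:", extract_urls(SAMPLE_MESSAGE, max_depth=0))
    print("recursive:     ", extract_urls(SAMPLE_MESSAGE))
```

Whatever URL analysis the gateway runs on the outer message (reputation, block lists, detonation) should be run on each (depth, url) pair, and a message whose only links live inside an attached email is itself worth flagging.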
Requiring a login
Some more advanced phishing campaigns require the victim to be signed in to a popular service like Google before redirecting them to the phishing page; visitors who are not signed in are sent to the Google sign-in page instead. This is effective because most victims are already signed in to Google and never see the sign-in page, while scanners, which are not signed in, see only the legitimate Google sign-in page and may consider the URL safe.
A similar tactic is to upload a phishing document to a cloud storage service like Google Drive, OneDrive, or Dropbox and share a link to it that is restricted to the victim’s email address. The victim must then log in to the legitimate service to view the phishing document, and analysts cannot view it because they cannot log in to the victim’s cloud storage account.
One technique threat actors use to get malicious URLs past scanners is to malform them so that they are technically invalid but still understood by browsers. For instance, a threat actor might send a link to “https:\\example.com/” or “https:/\/example.com/”. These URLs use the wrong slashes after the scheme (https: or http:), so if an admin added “https://example.com/” to a list of blocked URLs, an exact string match would not fire and the malformed URL would bypass the block list. When clicked, however, browsers following the WHATWG URL parsing rules treat backslashes after a special scheme such as http or https as forward slashes (and ignore extra slashes), so the browser quietly converts the URL to its valid form and sends the victim to the phishing page.
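The check a scanner needs is to canonicalize a URL the way a browser will before comparing it against a block list. The following is an added example, not code from the GoSecure post: it strips the whitespace browsers ignore, collapses any mix of forward and back slashes after a special scheme into “://”, converts remaining backslashes to slashes and lower-cases the scheme and host, then matches on the resulting hostname. For contrast, naive_host() shows what Python’s urlsplit makes of the malformed link without this step (no host at all). The block list used is a constructed example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Schemes for which browsers (WHATWG URL Standard) treat "\" as "/" and
# ignore any run of slashes after "scheme:".
SPECIAL_SCHEMES = {"http", "https", "ftp", "ws", "wss", "file"}
SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):([/\\]*)(.*)$", re.S)


def canonicalize(url: str) -> str:
    """Approximate what a browser does before connecting: strip stray
    whitespace, lower-case the scheme, collapse any mix of / and \\ after a
    special scheme into exactly "://", turn backslashes in the remainder into
    slashes, and lower-case the authority. Non-special schemes are returned
    with only whitespace and scheme case fixed."""
    url = url.strip(" \t\r\n")
    url = re.sub(r"[\t\r\n]", "", url)  # browsers drop tabs/newlines anywhere
    m = SCHEME_RE.match(url)
    if not m:
        return url
    scheme, slashes, rest = m.group(1).lower(), m.group(2), m.group(3)
    if scheme not in SPECIAL_SCHEMES:
        return f"{scheme}:{slashes}{rest}"
    rest = rest.replace("\\", "/")
    parts = urlsplit(f"{scheme}://{rest}")
    return urlunsplit((scheme, parts.netloc.lower(), parts.path, parts.query, parts.fragment))


def host_of(url: str) -> str:
    """Hostname the browser will actually connect to (trailing dot removed)."""
    return (urlsplit(canonicalize(url)).hostname or "").rstrip(".")


def naive_host(url: str) -> str:
    """What a scanner gets if it parses the raw string as-is."""
    return urlsplit(url).hostname or ""


def is_blocked(url: str, blocked_hosts: set[str]) -> bool:
    """Block-list check on the canonical host rather than the raw string."""
    return host_of(url) in blocked_hosts


if __name__ == "__main__":
    blocked = {"example.com"}  # constructed block list
    for link in (r"https:\\example.com/", r"https:/\/example.com/", "HTTPS:example.com/login"):
        print(f"{link!r:32} naive host={naive_host(link)!r:14} "
              f"canonical={canonicalize(link)!r:32} blocked={is_blocked(link, blocked)}")
```

The same canonical form should be used when the block list itself is built, and the raw string kept alongside it, since a link that needed this much repair is itself a signal.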
Two-factor authentication (2FA) is a feature of many services that requires the user to enter a one-time code in addition to their password when logging in. The code is usually sent by SMS or email, or generated by an authenticator app on the user’s phone. 2FA was intended to blunt credential theft: even if a victim hands over their username and password, the threat actor still needs the current 2FA code to log in. Unfortunately, threat actors found a way around this by placing a reverse proxy between the victim and the real service being phished. The proxy relays the login, including the 2FA code, to the real service in real time and captures the authenticated session cookie that comes back, so the code is consumed before it expires. Open-source frameworks such as Modlishka and Evilginx2 automate this process. Codes delivered by SMS, email or an authenticator app offer no protection against it; only factors bound to the site’s origin, such as FIDO2/WebAuthn security keys, resist this kind of relay.
An open redirect is a common vulnerability in websites and web apps: it lets a threat actor build a URL to the affected website that sends the visitor on to a destination of the attacker’s choosing. When an open redirect is found on a popular website, threat actors will weaponize it for use in their phishing campaigns.
Open redirects are effective for defense evasion because the URL appears to go to a benign or even trusted website. For instance, if a threat actor found an open redirect in Google’s systems, they could send a phishing link such as “https://www.google.com/s/this/is/an/example?next=https://example.com”. As far as users and URL scanners can tell, this URL goes to google.com, but when clicked it redirects the user to example.com.
As an aside, open redirect vulnerabilities are common, and Google has several well-known open redirects in its services. These are regularly abused by threat actors, and Google has not shown interest in addressing them, as the redirect behaviour is considered a feature. For this reason, it is important not to trust a URL or link simply because it points at a legitimate site. You should verify that the domain you end up on after clicking the link is still the domain you are expecting.
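Both sides of this are worth seeing in code. The following is an added example, not code from the GoSecure post: the vulnerable redirect handler simply trusts a next parameter, the hardened one accepts only a local absolute path (rejecting anything with a scheme or host, a protocol-relative “//host” prefix, or a backslash, which browsers turn into a slash), and embedded_redirect_targets() shows how a scanner can look through a trusted-looking link for the URL hidden in its query string and report the host the victim will actually land on. The parameter name next and the test URLs are the page’s own example plus constructed ones.

```python
from urllib.parse import parse_qs, unquote, urlsplit


def redirect_target_vulnerable(next_param: str) -> str:
    """The open redirect: the user ends up wherever ?next= says."""
    return next_param


def redirect_target_hardened(next_param: str, default: str = "/") -> str:
    """Only accept a local, absolute path. A scheme or host, a
    protocol-relative prefix (//host), a backslash (which browsers turn into
    a slash, so /\\host becomes //host) or control characters all fall back
    to the default."""
    if not next_param or "\\" in next_param or any(ord(c) < 0x20 for c in next_param):
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        return default
    if not next_param.startswith("/") or next_param.startswith("//"):
        return default
    return next_param


def embedded_redirect_targets(url: str) -> list[str]:
    """Absolute URLs hidden in a link's query string. parse_qs decodes one
    layer of percent-encoding; unquote handles a second, which redirect
    chains often add."""
    targets = []
    for values in parse_qs(urlsplit(url).query, keep_blank_values=True).values():
        for value in values:
            value = unquote(value)
            if value.lower().startswith(("http://", "https://", "//")):
                targets.append(value)
    return targets


def likely_final_host(url: str, max_hops: int = 5) -> str:
    """Host the victim will most likely land on, following embedded targets
    through at most max_hops redirect layers. Static only: a server-side
    redirect that is not visible in the URL still needs a real fetch."""
    for _ in range(max_hops):
        targets = embedded_redirect_targets(url)
        if not targets:
            break
        url = targets[0] if not targets[0].startswith("//") else "https:" + targets[0]
    return (urlsplit(url).hostname or "").lower()


if __name__ == "__main__":
    link = "https://www.google.com/s/this/is/an/example?next=https://example.com"
    print("visible host:", urlsplit(link).hostname)
    print("likely final host:", likely_final_host(link))
    for candidate in ("/account/settings", "https://example.com", "//example.com/x", "/\\example.com"):
        print(f"{candidate!r:24} vulnerable -> {redirect_target_vulnerable(candidate)!r:24} "
              f"hardened -> {redirect_target_hardened(candidate)!r}")
```

Comparing likely_final_host() against the visible host is the automated form of the advice above: if the two differ, the link is a redirect and the final host, not the trusted one, is what should be checked against reputation and block lists.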
Although threat actors are continually improving their tactics, this evolution requires skill, experience and dedication, resources most threat actors do not possess. Some enterprising threat actors saw an opportunity here and created Phishing-as-a-Service (PhaaS) outfits. These services are a threat actor’s one-stop shop and bring all the latest evasion techniques within reach of anyone willing to spend a little coin. They often manage every aspect of a phishing campaign, from setting up the phishing site to running the credential collection backend, and even sending the phishing emails to the buyer’s list of targets.
One such PhaaS operation is Bullet Proof Links, operated by the Anthrax Linkers group that claims to be based in Nairobi, Kenya. As seen in the screenshot below, this service will host an Office 365 phishing page and provide links to the page for one month for only $200. These “bulletproof” links use all the tricks in the book to evade detection and stay online, and if they are taken down, a new site and link will be generated and sent to the buyer.
Evasive phishing is not new, but threat actors are constantly evolving and their tactics are becoming more sophisticated as they work to evade detection and become faster, bolder, and increasingly targeted in their attacks. The existence of Phishing-as-a-Service operations shows how advanced and profitable phishing campaigns have become, and why their operators work so hard to keep them effective. Current security layers such as email security gateways and AV providers have a tough time catching and stopping evasive phishing, but GoSecure Titan Inbox Detection and Response (IDR) can help address the threat.
GoSecure Titan IDR delivers multi-layer protection with both automated review and human analysis of email messages submitted by users. This delivers industry-leading protection against advanced threats like the evasive phishing techniques outlined above as well as business email compromise. The GoSecure Titan IDR team can also remove dangerous messages from across the entire domain if needed. Our analysts work to maintain expertise in the detection of threats in the ever-changing landscape of evasive phishing tactics and to prevent those threats from becoming security issues.
If you would like to know more about these and other phishing techniques, be sure to check this blog regularly for research, threat intelligence and security updates from the team at GoSecure Titan Labs. You can also follow GoSecure on Twitter and LinkedIn.
This blog was authored by GoSecure Titan Labs researchers Paul Neuman and Jonathan Gregson.