Check Point: Dangerous phishing attacks in detail...

Fri 13 Dec 2013

Phishing attacks and their more recent variations such as spear-phishing and whaling are by now well-known parts of the threat landscape.

So much so that they can seem conventional, contained and not worth the attention of IT security decision-makers.

Since Check Point's Threat Emulation service went live in August, it has provided the company's Malware Research Group new insights into the extent to which this thinking is not only wrong, but dangerous.

Not Your Father’s Phishing Campaigns

Today’s phishing attacks employ sophisticated techniques for evading the traditional blacklists that are the heart of most older protections, and security leaders need to re-assess their current tools and techniques and ensure that they are up to defending against these attacks.

Two phishing campaigns in particular, detected days apart by the ThreatCloud Threat Emulation service and analyzed by the Check Point Malware Research Group, revealed important common traits:

• Low (<10%) detection rates by AV vendors, and exploitation of known vulnerabilities in common desktop applications, specifically Microsoft Word and Adobe Reader.

• Utilization of some form of dynamic URL scheme that evades detection by static blacklists. In the case of the phishing campaign around the Nuclear exploit kit, this scheme also resists analysis by malware researchers.

Analysis of Cryptolocker by our researchers pointed out another aspect of this trend: as a Domain Generation Algorithm (DGA)-based botnet, Cryptolocker employs dynamic, seemingly randomly-generated domain names to establish communication between bot and command and control (C&C) server.

The Cryptolocker bots generate 1,000 new domains every day; on the other end, Cryptolocker’s managers register the same 1,000 new domains and then discard them after 24 hours. As a result, the malicious domains have little chance of being detected and listed by the industry resources that build and maintain blacklists of known malicious URLs and domains.

Viewed as a whole, these recent malware campaigns highlight the important role that dynamic URLs and domain names play in these attacks, and specifically in evading the static blacklists that have traditionally been used to detect and block phishing and bots.

Specifically, dynamic URLs and DGA leverage the infrastructure of the Internet itself to generate obscure or single-use variants that confound a system of defenses based on looking for and blocking traffic from and to addresses that have been previously detected on a global network and classified as malicious.

What’s in a (Domain) Name?

These observations reflect a much larger trend in the malware ‘industry’. Attackers are exploiting weaknesses in the domain name system and traditional URL blacklisting methods to evade existing defenses and reach their targets.

In their research findings for the second quarter of 2013, the Anti-Phishing Working Group (APWG) found that while the .com top-level domain (TLD) was still the most commonly used in phishing campaigns (44% of total phishing, up from 42% in Q1), some country-code TLDs appear in phishing attacks more often than their share of registered domains would suggest.

What Can You Do?

In the face of this trend, there are those who argue that blacklisting at the gateway is no longer a viable defense against these dynamic URL schemes, DGAs and other ‘smart’ attacks.

In truth, industry leaders in enterprise security have evolved smart gateway defenses that employ a combination of techniques to detect and block these attacks.

To this end, you should make sure that your gateway security partners can provide:

• Smart mechanisms for both URL filtering and malware command and control (C&C) detection:

It will be impossible to keep up with individual URLs, so solutions must employ predictive mechanisms: computing the candidate domains in advance in the case of DGAs, and recognizing the structure of dynamic phishing URLs, including those that use double-byte character sets.

• Real-time unpacking of suspicious or unknown files in a virtual desktop environment, commonly known as sandboxing, detonation, or emulation:

This enables your gateway solution to determine whether an unknown and suspicious file is malicious before it can infect the end user system.

• Prevention is essential:

Detection just leaves you on the same merry-go-round that we seemed to jump on back in the early days of IDS – chasing your tail running after infected machines. The ability to provide a threat prevention ecosystem is the only way to effectively manage the volume and severity of today’s threats.

• Confidence:

You have to have confidence that the solution is accurate, and that it will neither miss anything nor generate a lot of false positives. A critical part of this confidence comes from having a cloud-based global community of data sources that can ensure your gateways are using the latest threat information.
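The two ideas above, a DGA botnet deriving its daily domains from the date (as described for Cryptolocker) and a gateway that pre-computes those same domains instead of waiting for a blacklist to catch up, can be shown in a short script. This is an added example, not Check Point code and not Cryptolocker's real algorithm: the generator is a hypothetical date-seeded one, the seed, TLD set, sample DNS queries and heuristic thresholds are all constructed for the illustration. It also goes slightly beyond the text by adding an entropy-based heuristic for flagging unseen DGA-like names that no blocklist has yet recorded.

```python
"""Pre-compute a toy DGA's daily domains for a gateway blocklist, then triage
DNS queries against that list plus a cheap DGA-like heuristic.

Constructed example: the generator below is a hypothetical date-seeded
algorithm, NOT Cryptolocker's real one. A defender who has reverse-engineered
a real DGA would plug that algorithm in here to obtain the day's blocklist.
"""
import hashlib
import math
from collections import Counter
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info")   # constructed TLD set for the toy generator
DEMO_DAY = date(2013, 12, 13)          # constructed reference date


def toy_dga_domains(day: date, count: int = 10, seed: bytes = b"demo-seed") -> list:
    """Return the `count` domains the toy DGA produces on `day`.

    Deterministic: bot and defender derive the same list from the date, which
    is exactly what lets a gateway compute tomorrow's domains in advance.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 12 + digest[0] % 8                       # label of 12..19 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[31] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def build_blocklist(day: date, horizon_days: int = 2, count: int = 10) -> set:
    """Union of the domains for `day` and the following `horizon_days` days."""
    block = set()
    for offset in range(horizon_days + 1):
        block.update(toy_dga_domains(day + timedelta(days=offset), count))
    return block


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty or uniform input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def second_level_label(domain: str) -> str:
    """'mail.example.org' -> 'example'; single labels are returned unchanged."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_algorithmic(domain: str, min_len: int = 10,
                      min_entropy: float = 3.0, max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic for names no blocklist has seen: long, high-entropy, vowel-poor
    labels are typical of machine-generated domains. Thresholds are constructed
    for this example and would be tuned against real traffic."""
    label = second_level_label(domain)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def triage(queries, blocklist) -> dict:
    """Label each query 'block' (pre-computed DGA domain), 'review'
    (DGA-like by heuristic) or 'allow'."""
    verdicts = {}
    for q in queries:
        name = q.lower().rstrip(".")
        if name in blocklist:
            verdicts[q] = "block"
        elif looks_algorithmic(name):
            verdicts[q] = "review"
        else:
            verdicts[q] = "allow"
    return verdicts


def demo_verdicts() -> dict:
    """Run the triage over a constructed sample of gateway DNS queries."""
    sample_queries = [
        "google.com",
        "mail.example.org",
        "xkqzjvwprtmb.com",             # constructed DGA-like name, not on the list
        toy_dga_domains(DEMO_DAY)[0],   # a domain the toy DGA produces on DEMO_DAY
    ]
    return triage(sample_queries, build_blocklist(DEMO_DAY))


if __name__ == "__main__":
    for domain, verdict in demo_verdicts().items():
        print(f"{verdict:7s} {domain}")
```

The pre-computed list is the high-confidence path: a hit means the name was produced by a known generator for today or the next two days, so it can be blocked outright. The heuristic only earns a "review" verdict, because short or dictionary-based DGAs evade it and some legitimate CDN hostnames trip it, which is the false-positive trade-off the "Confidence" point above is about.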

Because threat prevention must be multi-layer if it is to be truly effective, it is vital not to neglect the endpoint and server layers.

At the endpoint, for example, rapid deployment of OS and application patches, combined with a robust, policy-driven application control solution and approach, will reduce the risk from variants of attacks targeting known vulnerabilities.

Modern malware creators are leveraging all available resources to evade existing defenses and spread malware to their targets.

You need to ensure that your strategy and solutions have evolved to keep pace with these threats and will enable you to stay ahead of attackers now and in the future.

By Patrick Wheeler, Head of Threat Prevention Product Marketing, Check Point
