Check Point: Dangerous phishing attacks in detail...
Phishing attacks and their more recent variations such as spear-phishing and whaling are by now well-known parts of the threat landscape.
So much so that they can seem conventional, contained and not worth the attention of IT security decision-makers.
Since Check Point's Threat Emulation service went live in August, it has provided the company's Malware Research Group new insights into the extent to which this thinking is not only wrong, but dangerous.
Not Your Father’s Phishing Campaigns
Today’s phishing attacks use techniques designed to evade the static blacklists at the heart of most older protections. Security leaders need to re-assess their current tools and techniques and confirm that they can defend against these attacks.
Two phishing campaigns in particular, detected days apart by the ThreatCloud Threat Emulation service and analyzed by the Check Point Malware Research Group, revealed important common traits:
• Low (<10%) detection rate by AV vendors, combined with exploitation of known vulnerabilities in common desktop applications, specifically Microsoft Word and Adobe Reader.
• Use of some form of dynamic URL scheme that evades detection by static blacklists. In the campaign built around the Nuclear exploit kit, the same scheme also resists analysis by malware researchers.
Analysis of Cryptolocker by our researchers pointed out another aspect of this trend: as a Domain Generation Algorithm (DGA)-based botnet, Cryptolocker employs dynamic, seemingly randomly-generated domain names to establish communication between bot and command and control (C&C) server.
The Cryptolocker bots generate 1,000 new domains every day. On the other end, Cryptolocker’s operators register those same domains and discard them after 24 hours. As a result, the malicious domains have little chance of being detected and recorded by the industry resources that build and maintain blacklists of known malicious URLs and domains.
Viewed as a whole, these recent malware campaigns highlight the role that dynamic URLs and domain names play in these attacks, and specifically in evading the static blacklists that have traditionally been used to detect and block phishing and bots.
Both dynamic URLs and DGAs use the infrastructure of the Internet itself to generate obscure or single-use variants. They defeat a defense model built on blocking traffic to and from addresses that were previously observed somewhere on a global network and classified as malicious, because each new variant has never been observed before.
What’s in a (Domain) Name?
These observations reflect a much larger trend in the malware ‘industry’. Attackers are exploiting weaknesses in the domain name system and traditional URL blacklisting methods to evade existing defenses and reach their targets.
In its research findings for the second quarter of 2013, the Anti-Phishing Working Group (APWG) found that while the .com top-level domain (TLD) was still the most commonly used in phishing campaigns (44% of total phishing, up from 42% in Q1), some country-code TLDs appear in phishing attacks at a higher rate than their share of all registered domains would suggest.
What Can You Do?
In the face of this trend, there are those who argue that blacklisting at the gateway is no longer a viable defense against these dynamic URL schemes, DGAs and other ‘smart’ attacks.
In truth, industry leaders in enterprise security have evolved smart gateway defenses that employ a combination of techniques to detect and block these attacks.
To this end, you should make sure that your gateway security partners can provide:
• Smart mechanisms for both URL filtering and malware command and control (C&C) detection:
It is impossible to keep up with individual URLs, so solutions must employ predictive mechanisms: in the case of DGAs, computing the domains the algorithm will produce in advance; in the case of dynamic phishing URLs, recognizing the structure of the URL rather than matching its exact string; and handling URLs written in double-byte character sets.
• Real-time unpacking and execution of suspicious or unknown files in a virtual desktop environment, commonly known as sandboxing, detonation, or emulation:
This enables your gateway solution to determine whether an unknown and suspicious file is malicious before it can infect the end user system.
• Prevention is essential:
Detection alone leaves you on the same merry-go-round we jumped on back in the early days of IDS: chasing after machines that are already infected. A threat prevention ecosystem that blocks the attack before infection is the only way to effectively manage the volume and severity of today’s threats.
You have to have confidence that it is accurate, and that it will neither miss anything nor generate a lot of false positives. A critical part of this confidence comes from having a cloud-based global community of data sources that can ensure your gateways are using the latest threat information.
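The two points above about DGAs (bots and operators deriving the same 1,000 daily domains, and the gateway computing those domains in advance) are easy to see in working code. The following is an added example, not Check Point's code and not Cryptolocker's actual algorithm: it uses a hypothetical date-seeded DGA with an assumed seed and TLD list, precomputes a blocklist for the next few days as a defender who has recovered the seed would, and triages a constructed DNS query log against it. For names the blocklist did not predict, it falls back to a simple structural heuristic (long, high-entropy, vowel-poor labels) of the kind the "recognize the structure" bullet refers to.

```python
"""Hypothetical date-seeded DGA plus a predictive blocklist (added example)."""
import datetime
import hashlib
import math
from collections import Counter

# Assumptions for the illustration: a fixed TLD list and a seed baked into the bot.
TLDS = ("com", "net", "biz", "org", "info")
SEED = b"illustrative-dga-seed"


def dga_domains(day, count=1000, seed=SEED):
    """Bot side: derive `count` domains for `day` from SHA-256(seed || date || index).

    Anyone holding `seed` (e.g. after reverse-engineering a sample) can run the
    same function and know every domain the bot will try on a given day."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        length = 12 + digest[0] % 5                       # 12..16 letter label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def predicted_blocklist(start, days=3, **kwargs):
    """Defender side: precompute today's and the next `days - 1` days' domains."""
    block = set()
    for offset in range(days):
        block.update(dga_domains(start + datetime.timedelta(days=offset), **kwargs))
    return block


def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_generated(domain, min_len=12, min_entropy=3.0, max_vowel_ratio=0.35):
    """Structural heuristic for names the blocklist did not predict.
    Thresholds are illustrative; tune them and expect some false positives."""
    label = domain.lower().split(".")[0]
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) >= min_entropy and vowels / len(label) < max_vowel_ratio


def classify(qname, blocklist):
    """Exact match on the precomputed set first, heuristic second."""
    if qname in blocklist:
        return "block:predicted-dga"
    if looks_generated(qname):
        return "alert:dga-like"
    return "allow"


def triage_log(lines, blocklist):
    """Parse constructed 'timestamp client qname' lines and classify each query."""
    results = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue                                      # skip malformed lines
        _ts, client, qname = parts
        results.append((client, qname, classify(qname, blocklist)))
    return results


def build_sample_log(day):
    """Constructed sample DNS log for `day` (not real traffic)."""
    tomorrow = day + datetime.timedelta(days=1)
    return [
        f"{day}T09:12:01Z 10.0.0.12 www.example.com",
        f"{day}T09:12:03Z 10.0.0.12 {dga_domains(day)[0]}",         # today's C&C candidate
        f"{day}T09:12:05Z 10.0.0.12 {dga_domains(tomorrow)[7]}",    # registered a day ahead
        f"{day}T09:12:07Z 10.0.0.12 xkqzjvwbtpfhdlmn.info",        # unpredicted but DGA-like
        f"{day}T09:12:09Z 10.0.0.12 administration.example.net",   # long, but vowel-rich
    ]


if __name__ == "__main__":
    today = datetime.date(2013, 10, 14)
    blocklist = predicted_blocklist(today, days=3)
    for client, qname, verdict in triage_log(build_sample_log(today), blocklist):
        print(f"{client} {qname:40} {verdict}")
```

The precomputed set is what makes the difference: a static blacklist only ever contains yesterday's domains, whereas a gateway that knows the algorithm can block tomorrow's before the operators have even registered them. The heuristic is a safety net, not a substitute; the "administration" line shows why a length check alone would generate false positives.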
Because threat prevention must be multi-layer if it is to be truly effective, it is vital not to neglect the endpoint and server layers.
At the endpoint, for example, rapid deployment of OS and application patches, combined with a robust, policy-driven application control solution and approach, will reduce the risk from variants of attacks targeting known vulnerabilities.
Modern malware creators are leveraging all available resources to evade existing defenses and spread malware to their targets.
You need to ensure that your strategy and solutions have evolved to keep pace with these threats and will enable you to stay ahead of attackers now and in the future.
By Patrick Wheeler, Head of Threat Prevention Product Marketing, Check Point