What is Delayed Phishing and How to Deal With It | Total Security Software

Phishing is one of the main tools for attacking corporate networks. It is not surprising that filters against it and detectors of malicious addresses are everywhere: at email providers, on mail gateways, even in browsers. Cybercriminals therefore constantly devise and refine methods of circumventing them. One of these is delayed phishing.


What is Delayed Phishing?

Delayed phishing is an attempt to lure a victim to a malicious or fake site using the Post-Delivery Weaponized URL technique. As the name suggests, its essence boils down to replacing the content behind a link with malicious content after the email has been delivered to the victim. That is, the victim receives an e-mail with a link that leads either nowhere or to a legitimate resource (possibly one that has already been compromised) that does not yet contain malicious content. This way the message easily passes all filters: the algorithms find the URL in the text, scan the site, see no danger in it, and let the message through to the victim's mailbox.

Some time after delivery (guaranteed after the message has been delivered, but ideally before the victim reads it), the attackers bring up a pre-prepared phishing page or activate malicious content on a previously harmless site. Any trick could be waiting there, from a replica of a banking site's interface to a browser exploit that tries to download malware onto the victim's machine. But according to a study conducted by our expert Oleg Sikorsky, in 80% of cases it is a phishing site.

How Are Anti-phishing Algorithms Tricked?

To trick the algorithm, attackers use one of three methods.

Simple link. It leads to a site controlled by the attackers, either newly created or hacked and hijacked. Cybercriminals prefer hijacked sites because they tend to have a positive reputation, which is a clear plus in the eyes of protective algorithms. At the time of delivery, the link leads either to a meaningless stub or (more often) to an error page with a 404 code.

Short link. There are plenty of services on the Internet that turn a long URL into a short one. They are designed to make life easier for users: you can share a short, easy-to-remember link that expands into the full one when clicked, that is, a simple redirect is triggered. Some services allow the destination hidden behind the short link to be changed. This is what cybercriminals use: at the time of delivery, the URL leads to a legitimate site, and after a while it begins to redirect to a malicious one.

Randomized short link. An even rarer case. Some link-shortening services allow probabilistic redirection: when you click the link, you have a 50% chance of going to google.com and a 50% chance of landing on a phishing site. We assume that the attackers use such links to implement the scenario described above for a normal short link, but when the redirect to the malicious page is activated, they mix in a probability of landing on a legitimate site, apparently to confuse the crawler.

When Does a Link Become Malicious?

More often than not, attackers assume that their victim sleeps at night. Therefore, messages with delayed phishing are sent out after midnight and become malicious a few hours later, closer to dawn. If you look at the statistics of anti-phishing detections, you can see a peak around 7-10 am. These are users who woke up and began clicking links sent during the night, which by then had already become malicious.

However, spear phishing should not be forgotten. If attackers target a specific victim, they can study that person's daily routine, find out when they read mail, and activate the malicious link to fit their schedule.

How to Catch Delayed Phishing?

Since, ideally, we need to prevent the phishing link from reaching the user, it would be best to re-check messages that are already in mailboxes. And in some cases this is feasible, for example, if your organization uses a Microsoft Exchange mail server.

Delayed phishing can also be identified with the help of advanced security software (for example, Total Security Software).
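The re-check described above can be sketched in code. The following Python script is an added example, not code from the original post or from any product: it records how each link in a message resolved at delivery time and, some hours later, fetches the same links again and flags the three patterns discussed earlier (a 404 stub that now serves a page, a short link whose destination changed, and a short link that redirects to more than one destination). Network access is replaced by a constructed in-memory resolver (`OfflineResolver`) so that it runs offline; all URLs and outcomes in it are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Deliberately simple URL extractor; a mail gateway would use its own parser.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass(frozen=True)
class Observation:
    """What one fetch of a URL looked like: HTTP status and where redirects ended."""
    status: int
    final_url: str


class OfflineResolver:
    """Constructed stand-in for an HTTP client that follows redirects.

    Each URL maps to a list of outcomes; successive fetches cycle through the
    list, which models a shortener that redirects probabilistically while
    keeping the example deterministic. A real deployment would replace this
    with actual HTTP requests (hypothetical class, not a real library API).
    """

    def __init__(self, table: Dict[str, List[Observation]]):
        self.table = table
        self.calls: Dict[str, int] = {}

    def fetch(self, url: str) -> Observation:
        outcomes = self.table.get(url)
        if not outcomes:
            return Observation(404, url)  # nothing behind the link (yet)
        n = self.calls.get(url, 0)
        self.calls[url] = n + 1
        return outcomes[n % len(outcomes)]


def host(url: str) -> str:
    return urlparse(url).hostname or ""


def extract_urls(body: str) -> List[str]:
    return URL_RE.findall(body)


def snapshot(resolver: OfflineResolver, urls: List[str]) -> Dict[str, Observation]:
    """Delivery-time record: one fetch per URL, stored alongside the message."""
    return {u: resolver.fetch(u) for u in urls}


def recheck(resolver: OfflineResolver, delivered: Dict[str, Observation],
            probes: int = 3) -> List[Tuple[str, str]]:
    """Fetch every delivered link again and report what changed since delivery."""
    findings: List[Tuple[str, str]] = []
    for url, then in delivered.items():
        now = [resolver.fetch(url) for _ in range(probes)]
        hosts_now = {host(o.final_url) for o in now}
        # Pattern 1: the link was a 404 stub at delivery and now serves content.
        if then.status == 404 and any(o.status == 200 for o in now):
            findings.append((url, "activated"))
        # Pattern 3: repeated fetches end on different hosts (randomized redirect).
        if len(hosts_now) > 1:
            findings.append((url, "nondeterministic_redirect"))
        # Pattern 2: the redirect target moved to a host not seen at delivery.
        elif host(then.final_url) not in hosts_now:
            findings.append((url, "redirect_changed"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: one message with three links, re-checked hours later."""
    msg = ("Your invoice is ready: https://news.example.org/inv/1093\n"
           "Summary: https://short.example/a1b2 and https://short.example/z9y8")
    urls = extract_urls(msg)
    # World at delivery time: link 1 is not served at all (404), the two short
    # links redirect to harmless sites.
    at_delivery = OfflineResolver({
        "https://short.example/a1b2": [Observation(200, "https://legit.example.com/page")],
        "https://short.example/z9y8": [Observation(200, "https://www.google.com/")],
    })
    delivered = snapshot(at_delivery, urls)
    # World a few hours later: the stub now serves a page, the first short link
    # was repointed, the second alternates between two destinations.
    later = OfflineResolver({
        "https://news.example.org/inv/1093": [Observation(200, "https://news.example.org/inv/1093")],
        "https://short.example/a1b2": [Observation(200, "https://login-verify.example.net/")],
        "https://short.example/z9y8": [Observation(200, "https://www.google.com/"),
                                      Observation(200, "https://account-check.example.net/")],
    })
    return recheck(later, delivered)


if __name__ == "__main__":
    for url, reason in demo():
        print(f"{reason:26} {url}")
```

Two caveats matter in practice. A 404 that later turns into a 200 also happens when a legitimate page is simply published after the mail went out, so "activated" is a signal to pull the message for closer inspection or to rewrite the link through a click-time scanner, not proof of phishing on its own. And the delivery-time snapshot has to be stored with the message (the Exchange case mentioned above gives you a mailbox store to hang it on); without the earlier observation there is nothing to compare against.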
