Phishing emails masquerading as well-known brands like Microsoft or PayPal require visual content to be successful. From brand logos to colorful illustrations, images provide the recipient with a visual cue that the email is harmless and genuine.
Images not only lend a malicious email the appearance of authenticity; they also make life difficult for email filters. Image spam has long been a popular method of bypassing textual content analysis, because there is no relevant content to extract from the text parts of the email: the textual content is in the image. Below is an example of a SunTrust phishing email. The email contains no text content, only a single large embedded image that mimics legitimate HTML content.
While recognizing identical images is relatively easy, thanks to signatures based on cryptographic hash algorithms such as MD5, recognizing similar images requires complex and costly algorithms. To avoid detection, phishers manipulate the images slightly, adjusting the compression level, coloring, or geometry, so that each image is unique and signature-based technologies no longer match it. Below is an example of an Alibaba logo that has been altered but is still identifiable by the end user.
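An added example (not from the original post or from Vade Secure) of why a cryptographic digest misses lightly edited images while a perceptual hash still matches them: a constructed grayscale "logo" is brightened, recompressed and retouched, and its MD5 changes every time while a difference hash (dHash) barely moves. The image, the manipulations and the distance threshold are all assumptions for illustration.

```python
import hashlib

# Constructed 9x8 grayscale "logo" (pixel values 20..219); stands in for a brand image.
LOGO = [[(x * 7 + y * 13) % 200 + 20 for x in range(9)] for y in range(8)]

def md5_signature(img):
    """Exact-match signature: changing a single pixel produces a different digest."""
    return hashlib.md5(bytes(p for row in img for p in row)).hexdigest()

def dhash(img):
    """Difference hash: one bit per horizontally adjacent pixel pair (left > right).
    It encodes gradient structure, which survives brightness and compression changes."""
    bits = 0
    for row in img:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(left > right)
    return bits  # 8 rows x 8 comparisons = 64 bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def is_near_duplicate(img_a, img_b, max_distance=6):
    """Same logo if the dhashes differ in only a few bits (threshold is an assumption)."""
    return hamming(dhash(img_a), dhash(img_b)) <= max_distance

# Three manipulations of the kind described above, applied to defeat exact-match signatures.
def brighten(img, delta=30):
    return [[min(255, p + delta) for p in row] for row in img]

def recompress(img, levels=16):
    """Crude stand-in for lossy recompression: quantise to fewer grey levels."""
    step = 256 // levels
    return [[(p // step) * step for p in row] for row in img]

def retouch_pixel(img, x, y, value=255):
    out = [row[:] for row in img]
    out[y][x] = value
    return out

if __name__ == "__main__":
    variants = [("brighten", brighten(LOGO)), ("recompress", recompress(LOGO)),
                ("retouch", retouch_pixel(LOGO, 4, 3))]
    for name, variant in variants:
        same_md5 = md5_signature(variant) == md5_signature(LOGO)
        dist = hamming(dhash(LOGO), dhash(variant))
        print(f"{name:10s} md5 match={same_md5}  dhash distance={dist}")
```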
As this technique becomes increasingly popular with phishers, email security vendors have improved their skills in extracting and analyzing content from images. As a result, phishers have found a new way to fool them.
Remote images
Remote images have emerged as the latest filter-bypass technique used by attackers to exploit weaknesses in email security technology. Unlike embedded images, which email filters can analyze in real time, remote images are hosted on the web and must be fetched before they can be analyzed. The use of remote image-based threats soared in 2020. In November 2020 alone, Vade Secure analyzed 26.2 million remote images and blocked 262 million emails that contained malicious remote images.
To analyze a remote image, it must be accessed over a network. Cybercriminals take advantage of this weakness and use additional techniques to make the process more difficult for security scanners, such as:
- Multiple redirects
- Obfuscation techniques
- Abuse of domains with a good reputation
Using multiple redirects increases the time it takes to detect a phishing attack. The use of JavaScript is also widespread, making it necessary for security providers to use modern web crawlers, which are more expensive and difficult to scale.
Obfuscation techniques can also be used to ensure that the image is served only to the intended victim and not to a security provider. For example, a phishing campaign targeting customers of a Canadian bank delivers the malicious content only to connections originating in Canada.
Also, hosting remote images on high-reputation websites renders domain reputation-based detection ineffective. From Wikipedia to GitHub, websites with high domain and trust scores are repeatedly misused by cybercriminals.
As a result, many of these emails go undetected. For users, this often means that they receive and report a phishing email, but later find it again, sometimes several times, in their inbox.
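The triage a scanner has to do before it can even look at a remote image, as an added example that is not Vade Secure's code: pull image references out of the HTML part, separate inline (cid:/data:) images from remote ones, and follow the remote ones through a redirect chain with a hop cap. The email body, the `.example.invalid` hosts and the in-memory redirect table are constructed stand-ins for real fetching.

```python
import re
from urllib.parse import urlparse

# Constructed email body (not from a real campaign): an inline image, a remote image
# behind a redirector chain, a remote image on a trusted-looking host, and a data: URI.
SAMPLE_HTML = """<html><body>
<img src="cid:logo@example.invalid">
<img src="https://links.example.invalid/r/abc123">
<img src="https://upload.example.invalid/static/notice.png">
<img src="data:image/png;base64,iVBORw0KGgo=">
</body></html>"""

# Constructed stand-in for HTTP fetching: URL -> Location header it redirects to.
REDIRECTS = {
    "https://links.example.invalid/r/abc123": "https://t.example.invalid/go?id=7",
    "https://t.example.invalid/go?id=7": "https://cdn.example.invalid/img/notice.png",
}

# A production scanner should use a full HTML parser; a regex keeps the example short.
IMG_SRC = re.compile(r'<img\b[^>]*\bsrc="([^"]+)"', re.IGNORECASE)

def classify(src):
    """Inline (cid:/data:) images can be scanned at once; remote ones need a network fetch."""
    scheme = urlparse(src).scheme.lower()
    return {"cid": "inline", "data": "inline", "http": "remote", "https": "remote"}.get(scheme, "other")

def resolve(url, redirects=REDIRECTS, max_hops=3):
    """Follow redirects with a hop cap; an over-long chain is itself a signal worth flagging."""
    chain = [url]
    while chain[-1] in redirects:
        if len(chain) > max_hops:
            return chain, "too_many_redirects"
        chain.append(redirects[chain[-1]])
    return chain, "resolved"

def triage(html):
    """One record per image: where it lives, hops taken, and the host that finally serves it."""
    report = []
    for src in IMG_SRC.findall(html):
        kind = classify(src)
        chain, status = resolve(src) if kind == "remote" else ([src], "n/a")
        report.append({"src": src, "kind": kind, "hops": len(chain) - 1,
                       "final_host": urlparse(chain[-1]).hostname, "status": status})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE_HTML):
        print(row)
```

The final host, not the first hop, is what a reputation lookup should be applied to, and the hop count itself feeds the verdict.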
Block remote image-based threats
The process of blocking image-based threats requires computer vision, a field of science that studies how computers can gain a high level of understanding of visual content. Vade Secure implemented the first computer vision technology based on deep learning models (VGG-16, ResNet) in early 2020 to recognize brand logos in emails and websites.
The deep learning models were trained with a combination of collected images and artificially generated images. The use of artificially generated images is crucial to ensure that our technology is resistant to the various techniques used by cybercriminals, as well as to unexpected visual configurations (a different background, or a different size and position of the logo). Below is an example of such an image.
Since then we have been using OCR (Optical Character Recognition) in combination with NLP (Natural Language Processing) models to detect malicious text content in images. Below are some examples of malicious remote images blocked by Vade Secure.
It is important to know that we have trained several NLP models to detect threats in different languages, e.g. English, German or Italian. More and more cyber threats are localized, so different NLP models are needed to achieve maximum filtering accuracy.
Prepare for new phishing techniques
With the increasing importance of AI and Computer Vision in email security, cybercriminals are being forced to innovate, and they are doing just that. For every detection method that is developed, cybercriminals develop new phishing techniques to bypass detection.
Image manipulation and remote images will grow in importance as well as in complexity, since most solutions have only a limited ability to analyze images. Cybercriminals have been known to research their targets: a quick lookup of a company's MX record reveals which email security solution is protecting the company's email. With this information, they learn how to get past that protection.