Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Evasive Malware, Meet Evasive Phishing

In a previous column, I wrote about how evasive malware has become commoditized and described how the techniques being used in any given piece of malware had grown in number and sophistication—the layering of multiple techniques being its own form of sophistication.

In a previous column, I wrote about how evasive malware has become commoditized and described how the techniques being used in any given piece of malware had grown in number and sophistication—the layering of multiple techniques being its own form of sophistication. At the time, we had been digging around in our sandbox array and found that 98 percent of malware sent for analysis was using at least one evasive technique, and one-third of malwares were using a combination of six or more detection evasion techniques. Then there are malwares like Cerber ransomware, which is very sandbox aware and runs 28 evasive processes or, if you like, uses 28 techniques intended to confound security systems and thus evade detection.

Phishing following the malware curve

I have spent most of my career in the malware world, so I’ve got a well-developed sense of the detection cat-and-mouse game between security professionals and malware developers—recognizing that for some the preferred metaphor is an arms race. Given the extensive and rich history of the evolution of malware, “evasive malware” entered the lexicon long ago and is an often-used term of art. Malware’s roots pre-date the Web, with early experiments playing “gotcha” with fork bombs and trojans infecting mainframes. In the 1980s, with the advent of PCs, we saw the first worms, self-encrypting viruses, and even the first ransomware—distributed on floppy disks. We come to the present, in which I keep a catalogue of evasive malware tactics divided into 26 categories, and talk frequently about how malware has entered a “hyper-evasive” phase.

“Evasive phishing,” however, is not a term much heard. When I do a search on the phrase, I get eight times the results for evasive malware that I do for evasive phishing. But my expectation is that we all will—and need to—start talking a lot more about “evasive phishing” than in the past. To be clear, when I use the term evasive phishing, I’m not talking about clever phishing pitches, well-designed emails or sites, or any social engineering techniques to mislead the user. I’m talking on a more “product strategy” and technical level about techniques to hide phishing infrastructure—principally web sites—from security systems and phishing URL crawlers.

Phishing kits exemplify the trend

Without even getting into the (very important) topic of the growth of “phishing-as-a-service,” we can see evasive tactics in the more straightforward and very large phishing kit sub-market—these kits are pre-packaged spoofed web pages downloaded as a ZIP file for a fee usually in the $50 range. 

Tactics to evade or make detection more difficult can include things like encrypting the whole phishing site with AES encryption, or encoding the title of the website in an effort to fool phishing crawlers. Basic tactics in use fall into two general categories: 1) blocking security systems from evaluating and seeing the true nature of the phishing site, by looking up the IP or domain from which the user is connecting and blocking (or redirecting) accesses originating from certain IP addresses or ranges; and blocking access from security bots or crawlers or other user agents that are searching for phishing sites, like the Googlebot, Bingbot, or Yahoo! Slurp.

87% using evasive techniques

We just did a bit of focused work around phishing kits, where we monitored the use of files or code which makes a judgment about the user, as I was explaining above, then decides whether to actually show the phishing site. From a sample of 2,025 sites generated by various kits, it turns out that 87 percent of them use at least one type of basic evasive technique. The most common method for implementing this is use of a .htaccess file in the kit, which is a PHP script with these blocking or redirect functions. 

By the way, we also learned that many specialize in a single brand, like spoofing the Office 365 log-in page, or imitating Paypal or Dropbox pages. But many are multi-brand kits—for the money the cybercriminal gets the option of mounting phishing campaigns targeting any of many brands.

There’s a reason why surveys of IT and security admins this year keep pointing to phishing as the top source of breaches and, unsurprisingly, their top security concern. That will only change as security systems get up the curve on combating evasive phishing, which begins with a broader recognition of the changed nature of the game. Evasive malware, move over and make room for evasive phishing.

Written By

Click to comment

Expert Insights

Related Content

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Cyberwarfare

The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Phishing

The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.

Phishing

The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Cybersecurity Funding

UK-based email security and brand protection solutions provider Red Sift on Thursday announced raising $54 million in a Series B funding round that brings...