In the course of a research project funded by FFG (Forschungsförderungsgesellschaft Österreich), in cooperation with SBA (Secure Business Austria), we have developed a new procedure for detecting misuse of well-known brands. This procedure enables us to target phishing and scam detection within seconds after publication of the threatening content.
How does Phishing work?
A phishing attack aims to trick an unsuspecting user into revealing private information, such as username and password, credit card information or personal data or place of residence and date of birth. This information then allows an attacker to cause damage, such as making payments, placing orders, or making contract changes for their own benefit.
How does cyan identify Phishing attacks?
Until now the detection of phishing attacks has been carried out using generic methods. These include, for example, the detection of conspicuous domain names (typos, character strings), increased web traffic to new/unknown domains or the use of honeypots, which receive phishing emails and messages and automatically extract the domains contained therein. All these methods are in use at cyan and deliver good results.
How does the new method optimize the detection of Phishing attacks?
The new method allows us to actively search for phishing content that imitates known brands and identifies them within seconds of going live. We have named this method “Brand Impersonation”.
Phishing has some distinctive characteristics which we consider as a whole:
• The target of phishing is always private data – username/password, credit card, bank data, ID data, address.
• Well-known brands are imitated – logo, look & feel, color scheme.
• To create trust, most phishing sites today are encrypted via https – lock icon in browser
• The domain names used are unobtrusive and create trust – well-known brands and terms
In addition to our usual input data such as web crawling and research feedback loop from our existing customer base, we use the global Certificate Transparency Stream as a new source. This system makes all newly issued or renewed SSL certificates public for the sake of transparency. Browser vendors as well as companies specialized in transparency information use this stream to identify inconsistencies in the certification system, such as the (re)issuance of a certificate of a well-known domain like google.com. This enables a timely response in the security environment and protects customers from tampering with the encryption system. We use this stream to receive new and unknown domains in near real time and feed them to our analysis.
How dose the new method work?
As a first step we look at the domain and search for conspicuous terms like “login”, “verify”, “payment” in connection with the name of brands. This is a clear sign of a domain that needs to be looked at more closely. Particularly conspicuous domains are added to the signature database in this step as a precautionary measure and customers are immediately informed about these inconsistencies.
As a second step we connect to the web server and load the favicon, a small image which is used in the browser or messenger as a preview image for the website. In the sense of recognition and to build trust, this is usually the brand’s logo. Criminal actors use this to make their victims think they are on a safe page. Our systems are trained with the known logos and can detect this abuse.
As a third step, we check the content of the website, especially specific keywords in the text, copyright information or imprint. Phishing sites want to be as close to the original as possible and usually copy exactly these elements. Our analysis systems are equipped with the data of the known brands and can therefore detect the usage on foreign sites.
As a fourth step, similarities in structure, images and colour scheme to the original brand page are of interest. These features are fed to machine learning algorithms to detect similarities on potentially dangerous pages.
As a final step, we check whether a more in-depth analysis using our patented sandboxing method is necessary. Since this procedure is time and cost intensive, only pages that have certain characteristics in HTML or script code and could not be identified in advance via the brand impersonation algorithms, are analyzed in this procedure.
With the help of these methods, we have been able to check over 3 billion certificates so far, whereby we have saved 1 billion domains for closer examination or later (re)checking. Every day, we analyse more than 200,000 websites in detail, identify hundreds of threats in near real time, and protect our customers from these attacks in a timely manner.
You want to stay up-to-date with our latest publications: