Fast Moving Threats are Taking Days to Appear on VirusTotal and Other Leading Threat Feeds Leaving the Bad Actors an Eternity to Wreak Havoc on Remote Workers
SlashNext recently discovered and blocked an Instagram credential-stealing attack at hxxp://lnstagramcl[.]cf. In this attack, the bad actors used typosquatting to deceive victims, changing the “i” to an “l” to lure users into entering their Instagram credentials to “verify” their account (Example 1). Mobile users are more susceptible to these phishing threats because of small screens, mistakes when typing a URL, and hidden URL strings that conceal the address. With iPhone users 18x more likely to be phished than to download malware, the stakes are high for mobile and endpoint security vendors to detect and block these zero-hour attacks.
Example 1: Instagram credential stealing threat found by SlashNext
There is nothing particularly unusual about this credential-stealing incident, except that VirusTotal and 40 other detection engines did not flag it on July 19 (Example 2). On July 22, four days later, only five engines flagged the threat (Example 3). SlashNext had discovered and blocked the threat four days earlier, protecting its users; unfortunately, millions of other users relying on VirusTotal and other leading detection engines were not protected.
Example 2: Virus Total screen reporting clean on all detection engines on July 19, 2020
Example 3: Virus Total screen reporting clean on all detection engines on July 22, 2020
“I see it happening all the time, zero-hour detections not showing up on Virus Total for days,” said Atif Mushtaq, Founder of SlashNext.
SlashNext tested five other malicious URLs to see whether VirusTotal or the other threat feeds had discovered and blocked those attacks. Of the five URLs we found on July 19, 2020, VirusTotal and many of the other engines still reported them clean four days later, even though they were still active on July 22, 2020.
Compromised SharePoint Account
One of the examples we tested is a malicious URL for a Microsoft Excel form in SharePoint. In this case, it appears that a primary school’s SharePoint account had been hacked and was being used to phish the general public through the built-in form feature. This credential-stealing phishing attack at hxxp://springfieldprimaryschool-my[.]sharepoint[.]com is an example of a phishing attack hosted on legitimate SharePoint hosting infrastructure. [Example 4]
Example 4: Credential stealing phishing attack hosted on legitimate SharePoint hosting infrastructure
With the new normal of remote learning over the past four months, schools have been scrambling to host learning materials in the cloud. Still, most schools do not have the budget or resources for full-time security teams, so legitimate domains like these are favorite targets for bad actors. These attacks are on the rise and are becoming more prevalent because they are challenging to detect and can evade existing URL inspection and domain reputation analysis. Four days later, on July 22, 2020, only five detection engines flagged the threat. [Example 5]
Example 5: Virus Total screen reporting 5 engines are detecting the malicious URL on July 22, 2020
Since the URL led to legitimate (whitelisted) infrastructure, it was not flagged as dangerous, demonstrating how this threat could bypass most security stacks.
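As an added example (not SlashNext code), this Python sketch refangs the indicators quoted above, undoes the “i” to “l” lookalike swap used against Instagram, and contrasts a reputation-only allowlist, which passes the SharePoint-hosted page, with a policy that sends shared-hosting pages to content inspection instead. The brand list, allowlist and substitution table are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed brand list, allowlist and substitution table for this example
# (hypothetical; not SlashNext or VirusTotal data).
BRANDS = ("instagram", "sharepoint", "microsoft")
REPUTATION_ALLOWLIST = {"sharepoint.com", "instagram.com"}
# Parents hosting arbitrary tenant content: the parent's good reputation
# says nothing about one tenant's page.
USER_CONTENT_HOSTS = {"sharepoint.com"}
# Lookalike substitutions to undo; the page's example swaps "i" for "l".
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o"))

def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a parseable URL."""
    url = re.sub(r"^hxxp", "http", url.strip().lstrip("["), flags=re.I)
    return url.replace("[.]", ".").replace("(.)", ".")

def registrable(host: str) -> str:
    """Last two labels; enough for .com/.cf here (use the PSL in production)."""
    return ".".join(host.split(".")[-2:])

def typosquat_of(host: str):
    """Brand a label imitates once lookalikes are undone; None if it is the
    brand spelled correctly or unrelated to any brand."""
    for label in host.lower().split("."):
        norm = label
        for fake, real in CONFUSABLES:
            norm = norm.replace(fake, real)
        for brand in BRANDS:
            if brand in norm and brand not in label:
                return brand
    return None

def naive_verdict(url: str) -> str:
    """Domain reputation only: the check the SharePoint-hosted page passes."""
    host = urlparse(refang(url)).hostname or ""
    return "allow" if registrable(host) in REPUTATION_ALLOWLIST else "inspect"

def verdict(url: str) -> str:
    """Lookalike check first; shared user-content hosting is never allowlisted
    on reputation alone but sent on to content inspection."""
    host = urlparse(refang(url)).hostname or ""
    brand = typosquat_of(host)
    if brand:
        return f"block: lookalike of {brand}"
    if registrable(host) in USER_CONTENT_HOSTS:
        return "inspect: shared hosting, reputation inconclusive"
    return naive_verdict(url)
```

The "inspect" verdicts are where dynamic analysis of the rendered page, rather than the host name, has to decide.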
Protecting remote workers from today’s sophisticated attacks requires a phishing protection toolbox that takes a Zero-Trust approach covering several attack vectors and goes beyond URL inspection and domain reputation.
Harness the Power of Real-Time with SEER™ Technology
SlashNext’s patented behavioral phishing detection technology uses millions of virtual browsers to detect unknown threats with unmatched accuracy. SEER™ (Session Emulation and Environment Reconnaissance) is a scalable, cloud-based threat detection technology that uses computer vision, NLP, and OCR, to dynamically inspect page contents and server behavior. Sophisticated machine learning algorithms and virtual browsers perform rich analysis to accurately detect zero-hour phishing threats and numerous enrichment artifacts.
This unique combination of techniques sees through evasion tactics and accurately detects phishing pages, even those hosted on compromised websites and legitimate infrastructure. It also follows through on all URL re-directs and performs run-time analysis on the final page of multi-stage threats.
With growing enterprise mobility requirements and higher numbers of remote workers, properly securing mobile and remote users is causing IT security teams to rethink their endpoint security strategies. To see how you can protect your remote workforce from the growing number of sophisticated phishing threats, contact us and request a demo of our endpoint products today, or register for the July 28th webinar to see how our phishing detection improves automation in SOAR and SIEM platforms.