Multi-Stage Phishing Attacks Launch Local Files to Evade Existing Security

SEERTM (Session Emulation and Environment Reconnaissance) is SlashNext’s own proprietary and patented threat detection technology and the foundation of our anti-phishing solutions. One of its best features is preemptive threat hunting that allows organizations to stay ahead of the latest threats and operationalize enhanced phishing protection in real-time. Recently, SEER has helped us uncover a progression by bad actors toward more sophisticated multi-stage phishing attacks that are designed to evade existing anti-phishing security.

There was a time when phishing threats were simple and straight forward. Users would get an email with a message coaxing them to click on an enclosed malicious link that would put the phishing page right in front of them. The phishing domain was embedded in the link contained in the email itself. That made protection simple for anti-phishing email gateway products. All the SEG would do is have a domain blacklist, match it to the link in the email body; if there was a match the user would be blocked from accessing the phishing site. Pretty easy.

In the next generation of phishing attacks, the bad guys started to introduce the concept of redirectors. Redirectors would use a URL shortening services in a newsletter or some email communication where the link would be pointing further down the road to the phishing link. The bad actors would list a rewritten, shortened URL in the email body and when the user clicked on it a SEG would allow the user access since it wasn’t on its blacklist. The rewritten URL would then redirect the user to a phishing site.

What we are seeing now is a third evolution. In these multi-stage attacks, the link sent in an email is not malicious, but what appears to be a benign site. Once that website is opened, the user performs a task and a local HTML file is downloaded to their computer. When the user clicks on that file from their desktop, a local HTML page is launched with a link to continue which sends them to the final domain where the phishing content is delivered. In this scheme, the bad guys are forcing a rational human to engage in multiple steps that security equipment would normally have trouble detecting. They don’t allow a phishing site to appear unless they can confirm that a human is interacting with the site. This means that even if the final phishing domain is on a blacklist, traditional anti-phishing security cannot protect users from it until someone or some technology follows the entire user process and reaches a point where the phishing site is baited. That final page could be any one of the six major phishing types (credential stealing, scareware, rogue software, phishing exploits, social engineering scams, or phishing callback/C2s).

The new TTPs used in this scheme have two implications. First, it is going to make detection difficult for technologies that rely on URL inspection and domain reputation analysis. The chances that a local HTML file domain buried at the end of the user action ever gets revealed is low. Secondly, even if the final phishing domain was revealed and blacklisted, the chances that an organization will be able to do a blacklist match on a site launched locally is even lower. Most traditional anti-phishing solutions are using email analysis that don’t even check locally launched sites. These attacks are clearly a new attempt by hackers to get around the crawling and matching technologies used in email gateways.

The good news is that SlashNext SEER detection technology uses virtual browsers in a purpose-built cloud to dynamically inspect all sites with advanced computer vision, OCR, NLP, and active site behavioral analysis. SEER uses these capabilities to follow the user process offered by multi-stage phishing threats and detect the final phishing stage.

Contact us for a demo of any of our SEER powered anti-phishing solutions and see for yourself how multi-vector, multi-payload phishing protection can help secure your organization against multi-stage and other sophisticated phishing attacks.

It’s Time to Get Started with SlashNext

Experience the difference with broad phishing threat coverage and automated delivery.