Your users are getting phished. Now what?!

Gabor Matuz
May 28, 2022


Part 1

Working for a regional e-commerce platform with tens of millions of visits each month, phishing is our everyday reality. Looking into it in detail challenged some of my assumptions and gave me a better idea of what one can do about it.

I’m sharing some of my experience from the trenches: in Part 1, what the problem actually looks like and how effective some of the basic tools are. Hopefully this will help you orient yourself and set some expectations if you need to deal with it for the first time. In the next part I’ll talk about some of the proactive measures and more interesting techniques that I have found useful.

If you thought protecting your organisation from phishing was hard, wait till the users show up! All the usual technical and awareness measures are out the window when you are addressing millions of people.

Two years in, here is what we tried, what worked and some of the misconceptions we learned to leave behind.

Misconception: Phishing pages will use adjacent or similar domains

Well, some undoubtedly do, but as we noticed, especially in the last year, attackers will use completely unrelated domains, file hosting services and even hacked websites. These days this is actually the majority of the phishing that we see.

Since most phishing page detection services are based on certificate transparency logs, DNS and domain registries, they will unfortunately be blind to most of these phishing sites.

But will people actually give away their credentials on a different domain, you ask? Yes, they absolutely will. Based on data about the number of successful phishing attempts, the bad guys are right: it does not seem to make a lot of difference if the domain is different, if the page is served over HTTP instead of HTTPS, or even if the design is not 100% right; people will give away their credentials.

Once you start digging into this a bit, you will notice that a lot of links in legitimate emails are shortened or fronted by email sending services or other tracking solutions. This likely makes people less sensitive to weird-looking links, and once they hit the site a lot of them will fill in their credentials regardless.

Check it out for yourself: https://raw.githubusercontent.com/tg12/pihole-phishtank-list/master/list/phish_domains.txt

So what do phishing pages normally look like?

Once you have found a phishing site, the basic answer is to start taking it down, adding it to email blocklists, and getting a warning banner on it.

The takedown speed and success rate really depend on the type of site, so let’s dig into what you will come across:

1. Unique domain set up as a phishing page

  • Classic phishing: buy similar-sounding domains, set up a fake login page for the target with some generic hosting provider.
  • What you can expect: usually these are effectively taken down by the providers within a day or two. Adding a warning banner and getting the site onto phishing blacklists usually happens within an hour.

2. Subdomain of a hacked site

  • Attackers will hack a site (usually one running a generic CMS like WordPress or Drupal) and take control of the domain. Then they just create a subdomain (e.g. targetdomain.auth.com.hackeddomain.org) and do what they would have done had they registered the domain themselves.
  • What you can expect: taking the domain down is 50/50 in our experience, because it depends on the owner of the original domain too. In the better cases they are taken down by the providers within a day or two. Adding a browser warning banner and appending to phishing blacklists usually happens within an hour. That said, sometimes it can take months to completely take down the domain.

3. Subpath of a hacked site

  • Attackers will hack a site, or maybe just find a way to upload their phishing page. Then they just add extra pages and hope people never check the domain.
  • What you can expect: these cases usually take time because they are connected to a legitimate site, which in most cases is orphaned and not maintained by anybody. In a few cases they are taken down by the providers within a day or two. Adding a warning banner and appending to phishing blacklists usually happens within an hour. That said, sometimes it can take months to completely take down the site.

4. Cloud storage

  • Attackers set up a malicious file in some cloud storage that usually just serves to forward users to another domain hosting the fake login page. Cloud storage providers usually respond and take down these pages within a few hours. These days most of them do it proactively, so phishers move on to different providers.
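Because takedown expectations differ so much between these four types, it helps to triage reported URLs into them automatically. The classifier below is an added example, not code from the original post; the brand tokens, the cloud storage host list and the naive two-label registrable-domain guess are constructed assumptions (a real deployment would use the Public Suffix List for co.uk-style domains).

```python
from urllib.parse import urlsplit

# Constructed sample values: substitute your own brand tokens and the
# storage hosts you actually see in reports.
BRAND_TOKENS = ("exampleshop", "example-shop")
CLOUD_STORAGE_HOSTS = ("storage.googleapis.com", "s3.amazonaws.com",
                       "blob.core.windows.net", "dropbox.com")


def registrable_domain(host):
    """Naive registrable-domain guess: the last two labels of the hostname.
    Good enough for triage; a Public Suffix List lookup handles co.uk etc."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_phishing_url(url):
    """Map a reported URL to one of the four site types described above.
    The label sets takedown expectations; it is not proof of intent."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    apex = registrable_domain(host)
    # Everything left of the registrable domain is attacker-controlled labels.
    subdomain = host[:-len(apex)].rstrip(".") if host.endswith(apex) else ""

    # Check storage hosts first: the brand often appears in a bucket name.
    if any(host == h or host.endswith("." + h) for h in CLOUD_STORAGE_HOSTS):
        return "4-cloud-storage"
    if any(t in apex for t in BRAND_TOKENS):
        return "1-lookalike-domain"
    if any(t in subdomain for t in BRAND_TOKENS):
        return "2-subdomain-of-hacked-site"
    if any(t in path for t in BRAND_TOKENS):
        return "3-subpath-of-hacked-site"
    return "unclassified"


if __name__ == "__main__":
    # Constructed sample reports, one per category plus a miss.
    for reported in ("https://exampleshop-login.net/account",
                     "http://exampleshop.auth.com.hackeddomain.org/",
                     "http://oldblog.org/wp-content/uploads/exampleshop/index.php",
                     "https://exampleshop.s3.amazonaws.com/index.html",
                     "https://unrelated.example/"):
        print(classify_phishing_url(reported), reported)
```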

What can you do about them?

Contacting the hosting provider: (depending on the provider) they will take the site offline, making it effectively unavailable to anybody who might click on the link. This is what winning looks like.

Adding it to browser blacklists: whenever somebody navigates to the site they will be greeted with a warning banner stating that the page is malicious. This is great! That said, some people will still give away their passwords even with a warning banner, and some exotic browsers will not display the banner at all. This will happen within hours. For example, this is the reporting page for Chrome.

Adding it to email blacklists: most common mail clients will put emails with links to known phishing sites into spam and notify people about the danger if they decide to click the link anyway. It is as good as it sounds. Again, there are ways to wrap URLs, so it works better in some cases than others. This will happen within hours. The one that worked best for us is https://phishtank.org/

But there are a bunch more.

Notifying the email sender: sometimes phishing attackers will use compromised email infrastructure, but in other cases they will use email sending SaaS services like Mailgun or SendGrid. These services usually have abuse notification channels that will disable the account pretty effectively.

Malware?: the same channels exist as for normal phishing. In this case you can also try to learn more about the malware itself by submitting it to a behavioural sandbox: any.run, Cuckoo, Intezer, etc.

Hopefully this first part helped you understand the problem, set realistic expectations and saved you some time finding the basic tools you can use. In the next part I’ll talk more about how one can get proactive about fighting phishing.
