Phishing Attack Vectors | How to Fortify Your Defenses

Jane Wasson |@Area1Security| Area 1 Security

Phishing Attack Vectors

If all of the email systems in the world shut down tomorrow, would phishing attacks stop?

Well, we’d all happily see our inboxes go to zero, but unfortunately, no, phishing wouldn’t stop.

Why? The attack vectors hackers use to execute phishing campaigns aren’t limited to only email traffic. So defense strategies that focus on protecting just email will miss phishing activity on other attack vectors. For best protection, your security strategy needs a unified approach to protect you from phishing activity across all common attack vectors, including email, web, and network.

Web-based Phishing Activity

Phishing attacks, the cause of 95 percent of cyber breaches, often lure victims to malicious websites. The victim clicks on a link in an email or a social media post that opens a browser and initiates web traffic to a malicious phishing site. These sites are crafted by hackers to accomplish their malicious objective and can take several forms, for example:

Credential harvesting attacks typically start with an email or social post that appears to be from a trusted organization, such as a financial institution or retailer. The victim is requested to click on a link and log into their account or change their password. When the link is clicked, the victim’s browser opens, and web traffic is initiated to a spoofed or compromised site established by the attacker. The victim enters valid account credentials that the hacker can then harvest and use to log into the victim’s real account for malicious purposes.

Example Credential Harvest Phishing Attack

Malware download attacks are another form of web-based attacks that involve malicious websites, or in some cases, a compromised trusted website, that hosts a file with hidden malware. The victim visits the site, downloads the file, and the hidden malware infects the victim’s device. In some cases, the victim only needs to visit the website. Unbeknownst to the victim, malware will then download and infect the victim’s device.

Network Phishing Activity

Once the victim’s credentials are harvested or their device infected, the attacker is positioned to gain access to the victim’s network and move laterally through the network to infiltrate systems. From there, network connections to external phishing sites can be established to exfiltrate the victim’s data, or to download even more malware via network traffic, further infecting systems to achieve the attacker’s malicious objectives.

In all cases, it’s critical to monitor not just email traffic, but also web and network traffic to prevent access to, and downloads from, malicious phishing sites and stop cyber attacks.

How Secure Web Gateways and Firewalls Protect From Phishing Attacks

To defend themselves and their users from malicious phishing websites, organizations often rely on secure web gateways and firewalls. Secure web gateways monitor web traffic and block user requests to access known malicious websites. Firewalls inspect network traffic, detecting and blocking attacker lateral movement through the network, command-and-control communication and data exfiltration to known malicious sites. To prevent attacks, both security technologies rely on threat intelligence, and are frequently updated as new malicious sites are discovered.

However, the threat intelligence these security defenses rely on is mostly derived from analyzing active attacks. Because of this, there’s a security gap between the time an attack launches and the time it’s discovered and threat intelligence updates made available to firewalls and secure web gateways. In the case of phishing attacks, this is further complicated by the dynamic, short-lived nature of phishing websites and the low volume, targeted nature of attacks.

Although hackers typically take weeks or months to create and ‘stand up’ malicious sites, or to compromise trusted sites for a campaign, once an attack is executed, the phishing sites are often launched and shut down in a matter of hours.

Also, because the attacks are usually targeted at a handful of victims, the volume of malicious threat activity is small. As a result, legacy security defenses that rely on collecting large volumes of threat data from active, launched attacks to derive threat intelligence are less effective. By the time an attack is discovered and threat intelligence collected and deployed to firewalls and secure gateways, the damage is done.

To counter this, security technologies have evolved to add advanced threat protection features, including time-of-click URL analysis and dynamic analysis of file downloads. While these feature enhancements help detect some unknown malicious websites and payloads, hackers have found ways to evade detection. Also, dynamic analysis of URLs and files introduces delays in accessing safe websites and files, thus negatively impacting end-user satisfaction and business productivity.

So how can the phishing security gap be closed without negatively affecting business productivity and end-user satisfaction?

Early Visibility Into Phishing Sites and Campaigns

To protect against phishing attacks, cybersecurity solutions, including email, web, and network defenses, need early insight into phishing sites before campaigns launch and attacks are active. An effective solution must fortify security defenses with technology that hunts for malicious sites before attacks launch, during the weeks and months hackers are establishing or compromising websites in preparation for launching their attack. This preemptive defense provide the early visibility and threat indicators necessary to protect an organization from impending attacks. Arming email, web and network cyberdefenses with early visibility and insight into phishing sites and payloads enables more effective detection and blocking of phishing email, malicious web sites and downloads, attacker lateral movement through networks, command-and-control communication and data exfiltration — preventing cyber breaches.

Area 1 Horizon™ Anti-Phishing Service

Area 1 Security offers a cloud-based anti-phishing service that stops email, web, and network phishing attacks that other security technologies miss. Area 1 Security’s innovative technology crawls the web continuously and proactively, discovering phishing campaigns and infrastructure before attacks launch. On average, we detect malicious sites and payloads a full 24 days before industry benchmarks.

By proactively hunting for new phishing infrastructure as it’s set up, Area 1 Security gains early visibility into phishing sites, payloads, malware, and compromised servers before campaigns launch. The resulting insight and threat indicators powers the Area 1 Horizon™ anti-phishing service to detect and block phishing threats that other security technologies miss.

The service is easy to deploy and integrates with existing email, web, and network security infrastructure to provide an added layer of anti-phishing protection that effectively stops attacks. The service also easily integrates with security orchestration tools, providing phishing detection and ruleset updates to facilitate efficient incident response and visibility to phishing activity. Our Area 1 Horizon anti-phishing service is locked and loaded with threat insight that allows us to effectively detect and stop email, web, and network phishing attacks that slip past other security solutions, so that your business is protected.

Learn more about phishing attack vectors and how Area 1 Horizon anti-phishing service stops phish including:

o Attack vectors hackers exploit to execute phishing campaigns

o How phish bypass security infrastructure

o Strategies to fortify defenses and stop phishing attacks

Watch the webinar “Phishing Attack Vectors | How to fortify your defenses”