Wout Debaenst’s FIRST talk (video) described the preparatory steps an adversary must take before conducting a targeted phishing campaign, and the opportunities each of these presents for defenders to detect and prevent the attack before it happens. The talk was supposed to be accompanied by live demos, but these were sufficiently realistic that the hosting provider blocked them the night before the presentation!
- Create the domain name(s) to be used to create (misplaced) confidence in the phishing emails. I was familiar with the term ‘typosquatting’ for domains that transpose two letters, or use look-alike characters, but ‘combosquatting’ – adding something plausible like “shop” to a genuine domain name – and ‘doppelganger’ – where the malicious domain is created by removing punctuation from the real one – were new, useful descriptions. Tools exist, including the free DNStwister, to check for domains that may be suspiciously close to your own. Another technique is to register something that looks like a genuine platform service, then add the target company as a subdomain: here certificate transparency reports can be a useful source to check for your company name appearing in unexpected places, but wildcard certificates mean that individual subdomains will not be reported.
- Prepare the infrastructure that will be used to send emails, host webpages and so on. This involves considerable effort, so phishers will often reuse the same infrastructure across multiple attacks. This creates an opportunity for detection: if your company name appears in association with an IP address, WHOIS information or even website images and templates that have previously been reported in relation to phishing attacks, then it’s likely that bad things are being prepared for you. Tools such as VirusTotal and Brandefense map these known associations. Intruders can evade these by setting up new infrastructure for each attack, or by mingling their activities with genuine traffic by using a CDN, but this increases the cost of the attack, hopefully beyond its likely benefit.
- Send phishing emails. This provides an additional source of information whose reputation can be checked by the receiving organisation. Email content is often checked, but there are also opportunities to check the originating domain, IP address, mailserver and other information. These defender checks complement those at the previous stage: an attacker who evades reputation checks by setting up fresh infrastructure will find that freshly-created domains themselves look suspicious.
- Execute malicious code. Although phishing can be conducted using only plaintext, executable components are more common and can often be blocked by disabling unnecessary features, such as macros or filetypes, in endpoint clients and devices.
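As an added illustration of the first stage above (not code from the talk or from this post), the snippet below builds the look-alike candidates the bullet describes (transposition, look-alike characters, combosquatting, doppelganger) for an organisation's domain and flags matches, plus the company-name-as-subdomain case, in a list of hostnames of the kind a certificate transparency feed would return. The organisation name "example", the subdomain and suffix word lists, and every hostname in the feed are constructed assumptions, not real data.

```python
# Added example (not the post's or the talk's code): flag look-alike hostnames
# from a constructed feed. All domain names below are constructed samples.
HOMOGLYPHS = {"l": "1", "i": "l", "o": "0", "m": "rn"}   # a small sample set
COMBO_WORDS = ("shop", "login", "secure", "support")     # assumed plausible add-ons

def build_candidates(org_label, subdomains):
    """Return {kind: set of second-level labels} for each squatting style."""
    swaps = set()
    for i in range(len(org_label) - 1):           # transpose adjacent letters
        s = list(org_label)
        s[i], s[i + 1] = s[i + 1], s[i]
        swaps.add("".join(s))
    glyphs = {org_label[:i] + HOMOGLYPHS[c] + org_label[i + 1:]
              for i, c in enumerate(org_label) if c in HOMOGLYPHS}
    combos = set()
    for w in COMBO_WORDS:                          # combosquat: add a plausible word
        combos |= {org_label + w, org_label + "-" + w, w + "-" + org_label}
    # doppelganger: "mail.example.com" with the dot removed, "mailexample.com"
    doppel = {sub + org_label for sub in subdomains}
    return {"transposition": swaps, "homoglyph": glyphs,
            "combosquat": combos, "doppelganger": doppel}

def classify(hostname, org_label, candidates):
    """Name the squatting style a hostname matches, or None if it looks clean."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]                      # naive: assumes a one-label public suffix
    if sld == org_label:
        return None                       # the organisation's own domain
    for kind, names in candidates.items():
        if sld in names:
            return kind
    # the organisation's name used as a subdomain of someone else's domain;
    # a wildcard entry such as "*.cloud-portal.net" hides this, as the post notes
    if org_label in labels[:-2]:
        return "org-as-subdomain"
    return None

def scan(hostnames, org_label, subdomains):
    """Return (hostname, kind) for every suspicious entry in the feed."""
    cands = build_candidates(org_label, subdomains)
    hits = [(h, classify(h, org_label, cands)) for h in hostnames]
    return [(h, k) for h, k in hits if k]

SAMPLE_FEED = [                            # constructed, not real CT data
    "www.example.com", "login.exmaple.com", "examp1e.com",
    "example-shop.com", "mailexample.com",
    "example.cloud-portal.net", "*.cloud-portal.net", "unrelated.org",
]
```

Running `scan(SAMPLE_FEED, "example", ["mail", "vpn"])` flags five of the eight entries; the wildcard entry passes untouched, which is exactly the gap the bullet warns about.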
None of these techniques can prevent phishing by a sufficiently determined attacker, but they increase the cost of a successful attack, both in terms of required preparation and risk of discovery. For many organisations, that should put off sufficient threat actors to significantly reduce the risk.