There was a time not long ago when victims of phishing attacks were considered stupid. But now that the general population is becoming more aware of the phishing problem, the “pool of stupidity” is shrinking. Easy prey is becoming more difficult to find, so phishing is evolving to new levels of sophistication. Attacks using OAuth, Data URI, PDF credential phish, and PunyCode are now so difficult to detect that even security administrators themselves are falling victim.
OAuth is a way for third-party applications to access a person’s information on sites like Google, Facebook, Twitter etc., without the user providing his/her password. One of the more notorious phishing campaigns, the Google Docs Phishing Attack, leveraged OAuth, where the intended victims received an email link inviting them to view a Google Doc. The attack was extremely successful because it leveraged a reputable brand, never prompted users to enter credentials, mimicked a standard workflow, and the email was initiated from someone in the victim’s contact list, who had also been hacked.
Data URI is a uniform resource identifier (URI) scheme that provides a way to include data in-line in web pages as if they were external resources. Data URI attacks are not new, but they have gained increasing attention with the wildly successful Gmail phishing campaign. With this technique, a tiny URL within an email redirects unsuspecting users to a data URI which loads a phishing page, or an HTML attachment includes embedded data URIs that load a phishing page when the attachment is opened. This is an attractive option for attackers because it doesn’t make any HTTP requests, thus network-based detection will likely fail to recognize an attack. And, Data URI is supported by most web browsers.
Credential Phishing With PDF Attachments
PunyCode IDN Homograph Attack
With this technique, attackers are able to use a design characteristic of Mozilla Firefox and Opera web browsers to display fake domain names as the websites of legitimate brands, such as Apple, Google, Amazon, or PayPal to steal login or financial credentials and other sensitive information. The attack leverages non-ASCII characters found in non-English/Latin alphabets, many of which either strongly resemble or are identical to characters in the English or Latin alphabet. For instance, the word “Bank” can be closely replicated in Punycode using the Cyrillic letter “ve” (в) at the start of the word, which would look like “вank”.
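As an added illustration (not part of the original post), the following Python shows how a defender can surface homograph domains of the kind described above: it decodes punycode (xn--) labels with the standard library's idna codec and flags labels that mix scripts or that spell a Latin word with look-alike letters. The confusable table is a constructed subset; the full mapping is Unicode UTS #39 confusables.txt, and the script detection is an approximation based on Unicode character names.

```python
import unicodedata

# Constructed subset of Latin look-alikes (full list: Unicode UTS #39 confusables.txt).
# Cyrillic "ve" (U+0432) is the example used above: it resembles Latin "b"/"B".
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0432": "b", "\u0456": "i", "\u0458": "j",
    "\u03bf": "o", "\u03b1": "a",
}

def to_unicode(ascii_host: str) -> str:
    """Decode punycode (xn--) labels back to Unicode; rejects non-ASCII input."""
    return ascii_host.encode("ascii").decode("idna")

def label_scripts(label: str) -> set:
    """Approximate the scripts used by a label's letters from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in label if ch.isalpha()}

def analyze_hostname(ascii_host: str) -> dict:
    """Flag labels that mix scripts or that read as a Latin word once
    look-alike letters are replaced by their Latin counterparts."""
    unicode_host = to_unicode(ascii_host)
    reasons, skeleton_labels = [], []
    for label in unicode_host.split("."):
        scripts = label_scripts(label)
        skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in label)
        skeleton_labels.append(skeleton)
        if len(scripts) > 1:
            reasons.append(f"label {label!r} mixes scripts {sorted(scripts)}")
        if skeleton != label and skeleton.isascii():
            reasons.append(f"label {label!r} looks like {skeleton!r}")
    return {"unicode": unicode_host, "skeleton": ".".join(skeleton_labels),
            "suspicious": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    # Constructed samples: the "вank" example, a mixed-script "apple", and a benign host.
    for sample in ("\u0432ank.example", "\u0430\u0440\u0440le.example", "bank.example"):
        wire = sample.encode("idna").decode("ascii")  # the form seen in URLs and logs
        print(wire, "->", analyze_hostname(wire))
```

The "skeleton" field gives the Latin string a user would perceive, which is what to compare against a list of brands you care about.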
It’s Not About Stupidity
The continued success of phishing attacks essentially guarantees that the attacks will continue to grow more complex as legacy security tools catch up with today’s exploits. Relying on users to understand these increasingly complex attacks is a losing game. A recently published research study proves this. It’s time for a new approach that doesn’t rely on user expertise to thwart phishing attacks.
If you’d like to learn more about how Menlo Security can stop phishing, malware, and ransomware for you and your organization, please stop by the Menlo Security booth #1273 at Black Hat USA 2017 in Las Vegas, NV on July 26th and 27th. Complete this form to schedule a demo of the Menlo Security Isolation Platform and enter to win an Oculus Rift VR headset!