
Check Point: Dangerous phishing attacks in detail...

13 Dec 13

Phishing attacks and their more recent variations such as spear-phishing and whaling are by now well-known parts of the threat landscape.

So much so that they can seem conventional, contained and not worth the attention of IT security decision-makers.

Since Check Point's Threat Emulation service went live in August, it has given the company's Malware Research Group new insight into just how wrong, and how dangerous, this thinking is.

Not Your Father’s Phishing Campaigns

Today’s phishing attacks employ sophisticated techniques for evading the traditional blacklists that are the heart of most older protections, and security leaders need to re-assess their current tools and techniques and ensure that they are up to defending against these attacks.

Two phishing campaigns in particular, detected days apart by the ThreatCloud Threat Emulation service and analyzed by the Check Point Malware Research Group, revealed important common traits:

• Low (<10%) detection rates by AV vendors, and exploitation of known vulnerabilities in common desktop applications, specifically Microsoft Word and Adobe Reader.

• Utilization of some form of dynamic URL scheme that evades detection by static blacklists. In the case of the phishing campaign around the Nuclear exploit kit, this scheme also resists analysis by malware researchers.

Analysis of Cryptolocker by our researchers pointed out another aspect of this trend: as a Domain Generation Algorithm (DGA)-based botnet, Cryptolocker employs dynamic, seemingly randomly-generated domain names to establish communication between bot and command and control (C&C) server.

The Cryptolocker bots generate 1,000 new domains every day, while on the other end Cryptolocker’s managers register the same 1,000 new domains and then discard them after 24 hours. As a result, the malicious domains have little chance of being detected and listed by the industry resources that build and maintain blacklists of known malicious URLs and domains.

Viewed as a whole, these recent malware campaigns highlight the important role that dynamic URLs and domain names play in these attacks, specifically in evading the static blacklists that have traditionally been used to detect and block phishing and bots.

Specifically, dynamic URLs and DGAs leverage the infrastructure of the Internet itself to generate obscure or single-use variants that confound defenses based on looking for, and blocking, traffic to and from addresses that have previously been detected on a global network and classified as malicious.

What’s in a (Domain) Name?

These observations reflect a much larger trend in the malware ‘industry’. Attackers are exploiting weaknesses in the domain name system and traditional URL blacklisting methods to evade existing defenses and reach their targets.

In its research findings for the second quarter of 2013, the Anti-Phishing Working Group (APWG) found that while the .com top-level domain (TLD) was still the most commonly used in phishing campaigns (44% of total phishing, up from 42% in Q1), some country-code TLDs appear in phishing attacks far more often than their share of registered domains would suggest.

What Can You Do?

In the face of this trend, there are those who argue that blacklisting at the gateway is no longer a viable defense against these dynamic URL schemes, DGAs and other ‘smart’ attacks.

In truth, industry leaders in enterprise security have evolved smart gateway defenses that employ a combination of techniques to detect and block these attacks.

To this end, you should make sure that your gateway security partners can provide:

• Smart mechanisms for both URL filtering and malware command and control (C&C) detection:

It is impossible to keep up with individual URLs, so solutions must employ predictive mechanisms: computing in advance the domains a DGA will generate, and recognizing the structure of dynamic phishing URLs, including those that use double-byte character sets.

• Real-time unpacking of suspicious or unknown files in a virtual desktop environment, commonly known as sandboxing, detonation, or emulation:

This enables your gateway solution to determine whether an unknown, suspicious file is malicious before it can infect the end-user system.

• Prevention is essential:

Detection just leaves you on the same merry-go-round that we seemed to jump on back in the early days of IDS – chasing your tail running after infected machines. The ability to provide a threat prevention ecosystem is the only way to effectively manage the volume and severity of today’s threats.

• Confidence:

You have to have confidence that your gateway protection is accurate, and that it will neither miss anything nor generate a lot of false positives. A critical part of this confidence comes from having a cloud-based global community of data sources that can ensure your gateways are using the latest threat information.
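As an added illustration, not part of the original article or of Check Point's products, of two points made above, the daily-rotating domain lists described for Cryptolocker and the predictive domain computation called for in the first gateway bullet, the Python below uses a constructed toy DGA (not Cryptolocker's real algorithm), an assumed recovered seed and constructed DNS log lines:

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info")  # constructed list, not any real family's
DOMAINS_PER_DAY = 1000                # the daily figure quoted in the article


def toy_dga(seed: bytes, day: date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Constructed toy DGA (NOT Cryptolocker's real algorithm): bot and operator
    both derive the same `count` domains from a shared seed and the calendar
    date, so the list changes completely every 24 hours."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).hexdigest()
        tld = TLDS[int(digest[12:14], 16) % len(TLDS)]
        domains.append(f"{digest[:12]}.{tld}")   # 12 hex chars look random
    return domains


def predicted_blocklist(seed: bytes, today: date, skew_days: int = 1) -> set[str]:
    """Defender side: once the algorithm and seed have been recovered (assumed
    here), precompute the domains for today and +/- skew_days of clock drift."""
    days = (today + timedelta(d) for d in range(-skew_days, skew_days + 1))
    return {dom for d in days for dom in toy_dga(seed, d)}


def scan_dns_log(lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Match query names from constructed DNS log lines ("<ts> <client> <qname>")
    against the predicted set; return (client, qname) pairs that hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue                                # skip malformed lines
        _ts, client, qname = parts
        qname = qname.rstrip(".").lower()           # normalise trailing dot/case
        if qname in blocklist:
            hits.append((client, qname))
    return hits


SEED = b"constructed-seed-for-demo"      # assumption: recovered by analysis
TODAY = date(2013, 12, 13)
YESTERDAY = TODAY - timedelta(days=1)
# A static list built from yesterday's sightings shares nothing with today's set.
STATIC_OVERLAP = len(set(toy_dga(SEED, YESTERDAY)) & set(toy_dga(SEED, TODAY)))
SAMPLE_LOG = [                            # constructed DNS query log
    "2013-12-13T09:00:01 10.0.0.5 www.example.com.",
    f"2013-12-13T09:00:02 10.0.0.7 {toy_dga(SEED, TODAY)[17]}.",
    "2013-12-13T09:00:03 10.0.0.5 mail.example.org.",
]
```

`STATIC_OVERLAP` comes out as 0, which is the article's point about 24-hour domain rotation, while `scan_dns_log(SAMPLE_LOG, predicted_blocklist(SEED, TODAY))` flags the one bot lookup.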

Because threat prevention must be multi-layer if it is to be truly effective, it is vital not to neglect the endpoint and server layers.

At the endpoint, for example, rapid deployment of OS and application patches, combined with a robust, policy-driven application control solution and approach, will reduce the risk from variants of attacks targeting known vulnerabilities.

Modern malware creators are leveraging all available resources to evade existing defenses and spread malware to their targets.

You need to ensure that your strategy and solutions have evolved to keep pace with these threats and will enable you to stay ahead of attackers now and in the future.

By Patrick Wheeler, Head of Threat Prevention Product Marketing, Check Point
