Alert: New Phishing Evasion Technique

To reduce the chance of being detected, and to buy more time before their phishing page is exposed and blocked by response organizations, attackers use multiple evasion techniques. And they continue to be creative about it!

We track these techniques closely and see a wide variety of them. Here are a few that help phishing attacks bypass security solutions:

  1. Mobile only – The link leads to the malicious page only when the visitor's browser identifies itself as a mobile device. This leverages the fact that mobile devices typically have fewer security controls than desktops, that users see less of the URL on a small screen and may pay less attention, and that many URL scanners fetch the link with a desktop browser and so never see the phishing page.
  2. JavaScript redirect on page load – a server-side (HTTP) redirect is followed and flagged by most security solutions, so attackers instead have the page's own JavaScript perform the redirect to the malicious site once it loads in the browser. A scanner that fetches the HTML without executing its scripts stops at the harmless first page and never sees the destination.
  3. Timers before redirecting – the page waits a few seconds before redirecting to the malicious URL, to outlast security solutions that only render or sandbox a page for a limited time.
  4. Button automation – the redirect to the malicious page happens only after the user clicks a button, which acts as a crude check that a real person is present. Automated security solutions don't click it and therefore don't "get to see" the malicious page, so they can't flag the link as malicious.
  5. Captcha defender – just like simple button automation, the victim is redirected to the malicious URL only after solving a CAPTCHA (for example reCAPTCHA) and being identified as a real person. Here again, if the security tool can't reach the malicious page, it definitely can't detect it as malicious.

These techniques and others reduce security solutions' effectiveness, making phishing much harder to prevent with any tool that does not load the page the way a real user's browser would.


Evade with a click of a captcha  

In the past couple of weeks our researchers identified a drastic increase in the number of attacks using a captcha defender to get past security tools. And guess what: these phishing attacks indeed bypassed leading Secure Email Gateway (SEG) solutions and even Advanced Threat Protection products, including Office ATP and Proofpoint TAP.

The prevalence of this technique among BitDam's customers grew by several hundred percent in the past couple of weeks compared to the previous two. Scanning attacks from various other feeds, we observed the same trend there as well, which leads us to conclude that the technique has been added to popular phishing kits.

It starts with what seems like an innocent email. Here is one example of a subject line: "New Sharedfile Received for BRAND". When opened, the email appears to contain several attachments, and the user is asked to click a button to view them, with the text "BRAND uses Outlook Files to share documents securely". Clicking it leads to a captcha page that looks like this:

The next page would be the actual phishing URL. For example:

By now, you are probably wondering how common this technique is and who the target victims are. So…it is more common than you would imagine. We saw it targeting most of our customers, which range from small and medium businesses to enterprises with many thousands of users, across industries and locations. This evasion technique was used in phishing attempts in Europe, North America and the Middle East. The attacks were almost always delivered via email.

Perhaps the most interesting thing about the attacks that BitDam prevented across its customer base is that all of them led to fake Microsoft login pages. As the screenshots show, they varied in their graphics, but Microsoft remains the number one target, with attackers after Microsoft user credentials.
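The five gates listed earlier, and the captcha-to-Microsoft-login flow described in this section, share one property: the real destination is only reached by JavaScript that runs after some condition is met (device type, elapsed time, a click, a solved CAPTCHA). A scanner that never satisfies the condition can still often recover the destination statically, because the kit has to embed it somewhere in the page it serves. The Python below is an added example, not BitDam's scanner, any product's code, or a phishing kit's code: it reports which of the five patterns a fetched page uses and extracts the string-literal redirect targets so they can be scanned in turn. The regexes are first-pass heuristics (real kits obfuscate them), and the three sample pages, their `example.invalid` domains and the callback name `onCaptchaOk` are constructed for illustration.

```python
"""Static scan of a landing page for the evasion gates listed above.

Added example (not BitDam's scanner or any product's code). It looks for
the five patterns in raw HTML/JS and pulls out string-literal redirect
targets so they can be scanned directly, without clicking or waiting.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Redirect forms recognised: location = "..", location.href = "..",
# window.location = "..", location.replace(".."), location.assign("..").
_REDIRECT_RES = (
    re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I),
    re.compile(r"location\.(?:replace|assign)\s*\(\s*['\"]([^'\"]+)['\"]", re.I),
)
# A mobile keyword near navigator.userAgent, in either order (heuristic).
_MOBILE_UA_RE = re.compile(
    r"(?:Android|iPhone|iPad|Mobile)[^;]{0,120}?navigator\.userAgent"
    r"|navigator\.userAgent[^;]{0,120}?(?:Android|iPhone|iPad|Mobile)", re.I)
_TIMER_RE = re.compile(r"setTimeout\s*\(", re.I)
_CLICK_RE = re.compile(r"onclick\s*=\s*['\"]|addEventListener\s*\(\s*['\"]click['\"]", re.I)
_CAPTCHA_RE = re.compile(r"google\.com/recaptcha|hcaptcha\.com|g-recaptcha|h-captcha", re.I)
_CALLBACK_RE = re.compile(r"data-callback\s*=\s*['\"](\w+)['\"]", re.I)
_WINDOW = 400  # chars of JS after a gate in which its redirect must appear


@dataclass
class Report:
    indicators: List[str] = field(default_factory=list)  # gates detected
    targets: List[str] = field(default_factory=list)     # redirect URLs found
    delay_ms: Optional[int] = None                       # setTimeout delay, if any


def redirect_targets(src: str) -> List[str]:
    """Every string-literal redirect destination in a chunk of HTML/JS."""
    found: List[str] = []
    for rx in _REDIRECT_RES:
        found.extend(rx.findall(src))
    return found


def _gated_redirect(html: str, gate: re.Pattern) -> Optional[str]:
    """Return the JS following the first gate match that contains a redirect."""
    for m in gate.finditer(html):
        tail = html[m.end():m.end() + _WINDOW]
        if redirect_targets(tail):
            return tail
    return None


def scan(html: str) -> Report:
    r = Report(targets=list(dict.fromkeys(redirect_targets(html))))  # dedupe, keep order
    if _MOBILE_UA_RE.search(html):
        r.indicators.append("mobile-only")
    tail = _gated_redirect(html, _TIMER_RE)
    if tail is not None:
        r.indicators.append("timer")
        delay = re.search(r",\s*(\d+)\s*\)", tail)  # "}, 4000)" -> 4000
        if delay:
            r.delay_ms = int(delay.group(1))
    if _gated_redirect(html, _CLICK_RE) is not None:
        r.indicators.append("button")
    if _CAPTCHA_RE.search(html):
        cb = _CALLBACK_RE.search(html)
        body = None
        if cb:  # does the CAPTCHA success callback itself redirect?
            fn = re.search(r"function\s+%s\s*\([^)]*\)\s*\{(.*?)\}" % re.escape(cb.group(1)), html, re.S)
            body = fn.group(1) if fn else None
        if (body and redirect_targets(body)) or r.targets:  # fallback: any redirect on a captcha page
            r.indicators.append("captcha")
    if r.targets and not r.indicators:
        r.indicators.append("js-redirect")  # unconditional redirect on load
    return r


# Constructed samples (not captured pages). Domains use the reserved
# .invalid TLD; the callback name onCaptchaOk is made up.
BENIGN = """<html><body><h1>Quarterly report</h1>
<a href="https://intranet.example.invalid/report.pdf">Download</a>
<script>console.log("loaded");</script></body></html>"""

# The captcha gate described above: the redirect fires only from the
# reCAPTCHA success callback, and then only after a 4 s timer.
CAPTCHA_GATE = """<html><body>
<p>BRAND uses Outlook Files to share documents securely. Confirm you are human:</p>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<div class="g-recaptcha" data-sitekey="PLACEHOLDER" data-callback="onCaptchaOk"></div>
<script>
  function onCaptchaOk(token) {
    setTimeout(function () {
      window.location.href = "https://files-share.example.invalid/owa/login.php";
    }, 4000);
  }
</script></body></html>"""

# Mobile-only content plus a click gate.
MOBILE_BUTTON = """<html><body><script>
  if (!/Android|iPhone/i.test(navigator.userAgent)) { document.body.innerHTML = "Not found"; }
</script>
<button onclick="location.replace('https://m-login.example.invalid/')">View files</button>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("captcha", CAPTCHA_GATE), ("mobile", MOBILE_BUTTON)):
        print(name, scan(page))
```

Run as a script it prints one report per sample. A `timer` or `captcha` indicator next to a recovered target means the page the scanner rendered is not the page the victim ends up on; the target should be fetched with a mobile User-Agent and a wait at least as long as `delay_ms`, or scored directly, rather than trusting the first hop's verdict.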

What can we do about it? 

Assuming you don't want to be the next victim, I would start by checking whether your email security vendor detects such attacks. You can simply register for BitDam Lucky Meter, which will send you the most recent phishing (and malware) attacks as soon as they are released into the wild, and provide a simple dashboard so you can easily see what bypassed your current email security. By the way, it's totally free.

Of course, you should never enter your credentials into unknown websites, but that tip is pretty outdated. Everyone knows they shouldn't click suspicious links, but somehow there are more successful phishing scams every day. This means someone does click them, right?

However, if you do come across a URL that you aren’t sure about and would like to scan for phishing before going on, you can always use this online phishing scanner that will give you a verdict in no time, letting you know if the link is a phishing scam.

BitDam Launches Free Phishing Detection Tool

BitDam has just announced the launch of its advanced online URL scanner that detects phishing and malicious links. With phishing attacks constantly increasing in both sophistication and frequency – and with COVID-19 accelerating these attacks – this innovative tool could not come at a better time.

Is This A Phishing Link?

BitDam’s free phishing detection tool allows you to enter a link, scan the URL for phishing and find out if it’s malicious or not.

The tool demonstrates BitDam’s advanced phishing detection capabilities and provides the cybersecurity community with the ability to scan suspicious links even when they’re still very new – and when reputation and threat-intelligence solutions still cannot identify them.

The phishing detection tool is built for SOC and threat hunting professionals, security analysts, and MSSPs who want to be at the forefront of phishing detection technologies.

Why Phishing Protection Is So Important Now

Phishing is the No.1 cybersecurity threat facing organizations today. A combination of factors has made this problem more urgent than ever:

Phishing is now more sophisticated

Due to the increase in the severity and consequences of phishing attacks, employees are more aware of the dangers that phishing emails pose. Attackers, therefore, have become more sophisticated, employing machine learning and automation to rapidly create and distribute convincing phishing messages.

Attackers have developed new techniques

With attackers constantly developing new techniques – including using automation to bypass existing security tools – traditional security solutions, including reputation-based products, just can’t keep up.

Attacks are targeted – and missed by traditional solutions

More attackers are ditching the "spray-and-pray" type of phishing attack for more targeted phishing campaigns. These are aimed at individuals within an organization and can be hyper-personalized, so that they are not identified by reputation-based detection solutions, including many O365 phishing security and Gmail phishing security solutions.

Phishing attacks are on the increase

Phishing attacks have increased because they’re relatively cheap and simple to set up. With little effort or fear of consequence on the attacker’s side, they can easily access sensitive data like company login credentials. With COVID-19 increasing the number of people working remotely, as well as stress levels, attackers have been taking advantage of this situation.

Liron Barak, CEO of BitDam observes, “We are seeing a real increase in phishing campaigns in the past year. In fact, phishing has become the top cybersecurity threat, more than ransomware or any other malware. That’s because phishing attacks are much simpler to execute, and recently are more difficult to identify.”

The launch of BitDam’s phishing detection scanner could not come at a better time. Barak notes, “In addition to including our unique phishing detection capabilities in BitDam’s Advanced Threat Protection solution, we are now launching this online scanner for use by cybersecurity professionals.”

A Unique Phishing Detection Tool

Most other phishing protection solutions are based on reputation and threat intelligence. This approach is inadequate in the face of automated attacks and previously unseen first-time threats.

  • BitDam is independent of previous knowledge and data. It uses multiple sophisticated computer vision and AI algorithms to assess: is this a phishing link?
  • It can, therefore, detect phishing threats at first encounter, unlike reputation and threat intelligence-based products that have to wait to collect enough data before classifying something as phishing.

Get Advanced Phishing Protection

To get started with BitDam’s online phishing detection tool, just visit the website and scan a URL for phishing.

BitDam offers phishing detection and prevention as part of its comprehensive Advanced Threat Protection solution for business collaboration platforms which includes protection for email, cloud drives, and Instant Messaging – covering threats of any type hidden in files and links.

To see for yourself how simple and impactful BitDam is, schedule a demo.
