Detecting Phishing Attacks

By Saurabh Shakyawar, 3rd Eye Advisory®
Detecting Phishing Attacks

Phishing is a technique that grabs sensitive information like username, password etc through online. There are several anti-phishing softwares and techniques for detecting potential phishing related attempts in emails and detecting phishing contents on websites, but phisher salways come up with new and hybrid techniques to bypass the available software and techniques.

Phishing is a deception technique that applies a combination of social engineering and technology to collect sensitive and private information, such as passwords and bank details by impersonating as a trustworthy person or business entity in an electronic communication.

Phishing uses spoofed emails that look authentic and pretend to be coming from valid sources like Govt. institutions, Banks, ecommerce sites etc., to attract users to visit fraudulent websites through links which are attached in the phishing email. The fraudulent websites are designed in such a way to mimic the look of a real company website. The attacker's trick users by exploiting different social engineering techniques such as threat to suspend user accounts if they do not complete some update process, like attaching Aadhar Details to Bank Accounts or some other reasons to get the users to visit their spoofed web pages.

There are a number of different techniques that allow for the detection of phishing contents are as follows:

HTML Email Format:
Emails formatted like HTML webpage are mainly used for phishing attacks, because simple text emails don't contribute towards scale of tricks allowed with HTML-formatted emails.

URLs based on IP Address:
One way to hide a server's identity is achieved with the use of an IP address, which makes it challenging for users to know exactly where they are being directed to when they click the link. A legal website usually has a domain name for its identification. Attackers usually use some zombie systems to host phishing sites. When a link in an email contains a link whose host is an IP address (for example,

Age of Domain Name:
The domain names used by fraud websites are usually used for a limited time frame to avoid being caught by the users. We can detect via use of this feature to flag emails as phishing based on the fact that the domain is newly registered and set a criteria of being new if it is less than 30 days old. This can be achieved by performing a WHOIS query on the domain name in the link. A WHOIS query provides other information such as the name or person to which the domain is registered to, address, domain's creation and expiration dates etc.

Using the Number of Domains:
Using the domain names in the links that are being extracted and do a count of the number of domains. Two or more domain names are used in an URL address to forward address from one domain to the other.
http://www.google.com/url?sa=t&ct=res&cd=3&url=http%3A%2F%2Fwww.an tiphishing.org%2F&ei=-0qHRbWHK4z6oQLTmBM&usg=uIZX_3aJvESkMveh4uItI5DDUzM=&sig2=AVrQFpFvihFnLjpnGHVs xQ for instance has two domain names where google.com forwards the click to URL antihphishing.org domain name.

Number of Sub-domains:
Fraudsters make use of sub domains to make the links look legitimate. Having sub domains means having an inordinately large number of dots in the URL. We can use of this feature to detect flag emails as phishing emails. For instance,
https://login.personal.wamu.com/verification.asp?d=1 has 2 sub domains.

Presence of JavaScript:
JavaScript is usually employed in phishing emails, because it allows for deception on the client side using scripts to hide information or activate changes in the browser. Whenever an email contains the string "JavaScript".

Usage of Form Tag:
HTML forms are one of the techniques used to gather information from users. An example below shows the use of form tag in an email. An email supposedly from SBI may contain a form tag which has the action attribute actually sending the information to http://www.sbisite.co.in/profile.php and not to http://www.sbi.co.in

Use of Links in Text:
Most often phishing emails will exploit the use of links for redirection. They uses manynumber of links in text in the email is used as a feature. A link in an email is one that makes use of the "href" attribute of the anchor tag.

Use of URL Based Image Source:
To define the phishing emails look more authentic and original, logos, images and banner of real companies are used in the emails. They create replica the images of the real web pages of companies to forge. That is why if any of the emails make use of such URL based images we count it as a phishing email.

Domains Matching:
We can analyze the header of the email to extract the information and match it with the domains in the body of the email. Most phishing emails contains different domains in the header and the body part. We can thus detect emails that have mismatching domain information. For example: The 'From' information in the header part of the email will show the email originating from "someone@wannacrypt-site.com", while the body will have actual ("http://www.sbi.com") company's domain for an authentic look.

Usage of Keywords:
Phishing Attack emails contain number of frequently repeated keywords such as suspend, verify, username, etc. We basically count word frequency (Count of keyword divided by total number of words in an email) of a handful of most commonly used keywords by phishers.

Some common list of keywords that phishers have used as features are listed below: Client, Customer, Login, Logout, Signup, Update, Confirm , User,Suspend, Restrict, Hold , Verify, Account, Username, Password , Aadhar etc.

#ReadyBusinessPlan #ask3rdEyeAdvisory #LearnAt3rdEyeAdvisory #3rdEyeAdvisory

Article by: Saurabh Shakyawar, 3rd Eye Advisory®
More on IT Advisory