Evasive Malware, Meet Evasive Phishing
In a previous column, I wrote about how evasive malware has become commoditized and described how the techniques being used in any given piece of malware had grown in number and sophistication—the layering of multiple techniques being its own form of sophistication. At the time, we had been digging around in our sandbox array and found that 98 percent of malware sent for analysis was using at least one evasive technique, and one-third of malwares were using a combination of six or more detection evasion techniques. Then there are malwares like Cerber ransomware, which is very sandbox aware and runs 28 evasive processes or, if you like, uses 28 techniques intended to confound security systems and thus evade detection.
Phishing following the malware curve
I have spent most of my career in the malware world, so I’ve got a well-developed sense of the detection cat-and-mouse game between security professionals and malware developers—recognizing that for some the preferred metaphor is an arms race. Given the extensive and rich history of the evolution of malware, “evasive malware” entered the lexicon long ago and is an often-used term of art. Malware’s roots pre-date the Web, with early experiments playing “gotcha” with fork bombs and trojans infecting mainframes. In the 1980s, with the advent of PCs, we saw the first worms, self-encrypting viruses, and even the first ransomware—distributed on floppy disks. We come to the present, in which I keep a catalogue of evasive malware tactics divided into 26 categories, and talk frequently about how malware has entered a “hyper-evasive” phase.
“Evasive phishing,” however, is not a term much heard. When I do a search on the phrase, I get eight times the results for evasive malware that I do for evasive phishing. But my expectation is that we all will—and need to—start talking a lot more about “evasive phishing” than in the past. To be clear, when I use the term evasive phishing, I’m not talking about clever phishing pitches, well-designed emails or sites, or any social engineering techniques to mislead the user. I’m talking on a more “product strategy” and technical level about techniques to hide phishing infrastructure—principally web sites—from security systems and phishing URL crawlers.
Phishing kits exemplify the trend
Without even getting into the (very important) topic of the growth of “phishing-as-a-service,” we can see evasive tactics in the more straightforward and very large phishing kit sub-market—these kits are pre-packaged spoofed web pages downloaded as a ZIP file for a fee usually in the $50 range.
Tactics to evade or make detection more difficult can include things like encrypting the whole phishing site with AES encryption, or encoding the title of the website in an effort to fool phishing crawlers. Basic tactics in use fall into two general categories: 1) blocking security systems from evaluating and seeing the true nature of the phishing site, by looking up the IP or domain from which the user is connecting and blocking (or redirecting) accesses originating from certain IP addresses or ranges; and blocking access from security bots or crawlers or other user agents that are searching for phishing sites, like the Googlebot, Bingbot, or Yahoo! Slurp.
87% using evasive techniques
We just did a bit of focused work around phishing kits, where we monitored the use of files or code which makes a judgment about the user, as I was explaining above, then decides whether to actually show the phishing site. From a sample of 2,025 sites generated by various kits, it turns out that 87 percent of them use at least one type of basic evasive technique. The most common method for implementing this is use of a .htaccess file in the kit, which is a PHP script with these blocking or redirect functions.
By the way, we also learned that many specialize in a single brand, like spoofing the Office 365 log-in page, or imitating Paypal or Dropbox pages. But many are multi-brand kits—for the money the cybercriminal gets the option of mounting phishing campaigns targeting any of many brands.
There’s a reason why surveys of IT and security admins this year keep pointing to phishing as the top source of breaches and, unsurprisingly, their top security concern. That will only change as security systems get up the curve on combating evasive phishing, which begins with a broader recognition of the changed nature of the game. Evasive malware, move over and make room for evasive phishing.