Cybercriminals always take the path of least resistance when attacking. Vulnerabilities in technology, while undoubtedly presenting serious problems, usually aren’t those paths. When you have up-to-date anti-malware software installed on all your computers, and you have network firewalls running around the clock, it’s pretty challenging to break in. Add encryption, heuristic scanning and multifactor authentication (MFA) into the mix, and you’ve got a veritable fortress protecting your digital assets.
At least, you might think so.
The problem? Most cybercriminals don’t follow the hacker stereotype. Instead, they exploit the weakest link – humans. After all, why try to break encryption or hack a password when you can dupe an unsuspecting victim to give away this information freely? If the email address and domain look authentic, as though it belongs to an organization you do business with, you would probably click that link and think nothing of it. And often, there’s nothing your anti-malware can do about it.
That’s one of the underlying reasons why phishing scams are on the rise. They jumped 21 percent in the second quarter of 2019.
In my country, Brazil, which has the unfortunate distinction of being the most phished country in the world, 29 percent of people have been attacked. Kaspersky has been tracking this worrying trend for the past few years and decided it was time to take a radically new approach towards dealing with the threat. Our Global Research and Analysis Team blocked almost 37 million attacks in 2017 and just over 40 million in 2018 – and that’s just in Brazil.
So, what are the strategies for blocking phishing attempts from the very outset?
Understanding the phishing attack vectors
Although phishing attacks conducted via email get the lion’s share of the attention, social engineering attacks can take many forms. This includes SMS, telephone calls, malicious ads and fake profiles on social media. What most phishing scams have in common, however, is that they include compromised websites masquerading as those belonging to legitimate organizations. They use the same branding and wording. Sometimes they’re complete clones of the real thing. The issue: as soon as you enter confidential information, such as usernames and passwords, it ends up dropping straight into the hands of the attackers.
Banks and other financial institutions are among the most popular subjects to impersonate – not just in Brazil, but all over the world. But it’s important to remember that any organization or individual can be imitated. Phishing is a global epidemic that affects everyone.
Around 20 million new phishing websites launch every year. Granted, most of them get blocked and taken down pretty quickly, but that’s not the point. Scammers often still have more than enough time to launch their attacks before that happens. In Brazil, as well as many other jurisdictions, local legislation gives everyone the right to register a domain name. The only legal way to get a malicious domain taken down is when a company files a trademark infringement against the owner of the domain, in cases where an unauthorized party is using their brand name. That doesn’t exactly happen overnight.
Online fraud is everywhere in Brazil. Scammers exploit virtually every customer loyalty program. Government websites are impersonated to defraud critical public services like healthcare. Attackers have masqueraded as data brokers to manipulate credit scores. In one attack, the Government Environment and Nature Institute (IBAMA) was targeted by a phishing scam, resulting in 23 companies, which had been blacklisted for environmental crimes, being allowed to resume activities. In the 10 days that followed, these companies managed to extract $11 million from illegally harvested wood from the Amazon rainforest – enough to fill 1,400 trucks. Some bounty. Everything that’s online in Brazil is getting phished, fast.
It starts with domain registration
Most phishing attacks involve duping victims into visiting a malicious domain. That’s why Kaspersky’s research team wanted to get right to the root of the problem. This meant targeting the window of opportunity between when a suspicious domain is registered and when it’s used in an attack.
We started this project in 2014 by monitoring all new domain registrations, which included the names of financial institutions operating in Brazil and then checking their WHOIS data. The WHOIS lookup allowed us to find some basic information about who registered the domain, which company provided the service and when it was registered. But that wasn’t going to be enough by itself, especially with domain privacy services and GDPR masking a lot of the information. We needed to apply specialized methods to monitor domain reputation and proactively identify suspicious registrations.
Homing in on the phisher’s favorite exploits
Would-be victims of phishing attacks wouldn’t deliberately visit an unfamiliar website to log into their online bank account or any other platform, so attackers have to find different ways to reach them.
One of the most common tactics used is typosquatting. It’s a form of cybersquatting which involves registering domain names under someone else’s name or brand. A simple way to mimic a real company’s website, the attacker waits for someone to enter the domain name incorrectly and land on a compromised site. That’s why many organizations deliberately register commonly misspelled versions of their domain names. For example, entering gooogle.com instead of google.com will automatically redirect you to the correct address, but that’s only because Google registered it. However, because there are so many possible misspellings of popular brand names, it’s usually impractical to register all of them. To get around this, we used a method called Levenshtein distancing, a domain name matching algorithm that helps us automatically detect cases of typosquatting and block the offending domains.
A lesser-known but increasingly common exploit involves internationalized domain names (IDNs), which use characters that aren’t in the Latin alphabet. Traditionally, all web addresses were in ASCII text, but during the last decade, you can register web addresses in Unicode to support writing systems like Cyrillic, Greek and Chinese.
The problem here is that some languages use the same letters, but they’re different as far as computers are concerned. For example, the letter ‘B’ in English looks precisely the same as the Russian letter ‘B,’ even though the letters are different. A domain name like caixa.gov.br, one of the biggest banks in Brazil, would look the same in the Cyrillic alphabet if the letter ‘c’ is replaced with its Cyrillic lookalike. Only a computer can tell the difference because each variant uses a different encoding system.
Other exploits using the IDN system are a little less subtle. Some might add accents to characters or letters from one language which look similar to another in the hope that the victim wouldn’t notice. Compare the Russian К with the English K, for example. The slightly different shape of the former might go unnoticed by an unsuspecting user.
Protecting the most phished country in the world – what does the future hold?
We’ve come a long way since 2014. While GDPR presented a hurdle due to its masking domain name registration information, we’ve found other ways to determine domain authenticity. Still, there are cases where local human expertise still plays a central role, and some cases need human approval. For example, ‘caixa’ means ‘box’ in Portuguese, but it’s also the name of a big government bank operating in Brazil. Since we don’t want to blacklist an innocent packaging or logistics company just for using the word ‘box’ in their domain name, we need a more specialized approach. In a similar case, Santander isn’t only a major bank; it’s also the name of a Spanish city, a province in the Philippines and a state in Colombia.
In conclusion, our proactive approach has grown out of necessity. The traditional, reactive security methods are no longer sufficient enough to keep up with the race against cybercrime. We hope that our efforts will help the organizations and people of Brazil, and the rest of the world, keep one step ahead of cybercriminals.