It won’t come as news to you that computer vision and phishing protection software are a pairing with great potential. However, the partnership between these two technologies is relatively new, so a lot of questions naturally arise when the subject is brought up.
We often find the same questions come up time and time again, so we have taken it upon ourselves to take a closer look at these questions and answer them.
The most commonly exploited visual element in phishing campaigns is the logo. Bad actors use them in emails, documents and websites because people tend to see them as a mark of trust. It’s also fair to say that a lot of phishing protection systems simply don’t do a good job of detecting logos – no wonder it’s such a popular element used by cybercriminals. Ironscales highlighted the issue in 2020, stating that 50,000 login pages were created in the same year spoofing 200 of the world’s most well-known brands. Using Computer Vision allows phishing detection platforms to spot these commonly spoofed brands in an instant, even if the bad actors use variants or modified versions. This highlights the communications that may require more in-depth or prioritized analysis.
On top of this, bad actors are using other visual means of detection evasion which the majority of phishing detection systems are not equipped to flag. This could include disguising trigger words as images and rendering entire web pages as a graphic. Introducing computer vision into the phishing protection element of cybersecurity software enables the system to detect and flag such evasion techniques.
The goal of any phishing attack is to confuse an email recipient or web page visitor and trick them into believing that they can trust the content and calls to action, e.g. signing in with login credentials. This is done through brand spoofing; that is, attempting to mimic a trusted brand as closely as possible so as to fool the end user.
Typically, bad actors will utilize a variety of entities such as a URL, but it also extends to using trusted visual cues including company logos and other associated graphics. In extreme cases, we’ve seen bad actors using pixel-perfect copies of emails and web pages to mislead unsuspecting web users.
Brand spoofing can occur across many channels from email to social media and is typically associated with visual impersonation. As outlined in the answer to question one, computer vision equips phishing detection tools with the ability to flag such visual signals and put a stop to any potential threats.
Scammers make an effort to remain knowledgeable about the techniques cyber security companies use to detect phishing at all times. They know how cyber security software works and the types of programmatic scanning that are used to detect illicit communications. They are therefore able to identify various aspects that would be prone to detection and develop graphics to evade triggering an alert on the system. Some examples include:
Converting Keywords into graphics:
Bad actors will convert key trigger words in the content into a graphic in a way that is indistinguishable from the regular text to the user, and to phishing detection systems that are not equipped with the ability to “see” images.
Sections converted into images:
There are many cases in which bad actors will convert an entire form, email or web page into a graphic so as to avoid detection.
URLs converted to Graphics:
Genuine URLs are often converted into an image and a link is attached to the graphic that points to a fake site.
Adding Visual Noise:
If you’re a cybersecurity professional, you will know that the number of programmatic obfuscation techniques employed by bad actors is practically infinite. Unfortunately, the list continues to grow thanks to the use of AI by scammers. A few techniques include:
Bad actors who want to hide the word “login”, for example, will add random characters between each letter that get removed by a script at runtime. So the code will read ‘L8dgfhoSt5s3gsktfhilpq3dn’ (for this example we have colored the random letters in red), easily evading detection systems that are trained to flag communications or sites with the word “login”.
Scammers will use botnets to create thousands of variants of text and headers that are difficult to determine as fake.
Delivering a high volume of sophisticated and legitimate-looking emails can overwhelm a detection system, or more accurately, the humans who make the ultimate decisions. This gives the bad actors a higher opportunity for success.
Short-life / Single-Use URLs
Blacklists were once the standard approach for deciding the legitimacy of a web page/site. Bad actors, therefore, adapted technologies to allow the creation of short-life and even single-use URLs that exist for such a short time as to never make it onto any blacklists.
Frequency & IP-Based Substitution
Programmatic checks take time and resources, so typically an email or webpage will be checked once, or a limited number of times. Bad actors, therefore, use methods such as serving the correct page in an email the first time the URL is visited but substituting the spoofed page thereafter.
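The filler-character trick described above for hiding the word “login” can be caught without rendering the page. This is an added example, not code from VISUA or the original article; it assumes the filler count is the same between every letter (as in the article's string), and the keyword list and function names are hypothetical.

```python
import re

KEYWORDS = ("login", "password", "verify")  # assumed watch list, not from the page

def hidden_keywords(token, keywords=KEYWORDS, max_filler=8):
    """Find keywords whose letters sit at a constant stride inside token,
    i.e. with the same number of filler characters between each letter."""
    low = token.lower()
    hits = []
    for kw in keywords:
        for stride in range(2, max_filler + 2):   # stride 2 = one filler character
            span = (len(kw) - 1) * stride + 1      # length the padded word occupies
            for start in range(len(low) - span + 1):
                if low[start:start + span:stride] == kw:
                    hits.append((kw, start, stride))
    return hits

def scan(text):
    """Check every long alphanumeric run in page source or script text."""
    findings = []
    for token in re.findall(r"[A-Za-z0-9]{9,}", text):
        for kw, _start, stride in hidden_keywords(token):
            findings.append({"token": token, "keyword": kw,
                             "filler_per_gap": stride - 1})
    return findings

# Constructed sample: the padded string from the article inside a made-up script line.
SAMPLE = 'var t = "L8dgfhoSt5s3gsktfhilpq3dn"; label.textContent = clean(t);'

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit is a signal for the decision engine rather than a verdict, since long random tokens can contain a keyword at some stride by chance.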
Phishing detection software relies on signals and triggers derived from already-processed data using a combination of technologies. Once examined, a decision engine can make a determination of threat based on the volume, category, and combination of these signals.
However, the ability to make the right decisions as accurately as possible relies enormously on maximizing the number of signals available for analysis. Many detection systems available on the market lack the technology to analyze visual signals; that’s where Visual-AI or computer vision comes in. As a component of phishing detection workflows, computer vision enables the system to detect visual signals adding another layer of protection for users.
This additional layer can detect not only graphical attack vectors, but, when used in a specific way, can also detect some of the programmatic obfuscation techniques outlined above – adding these valuable and critical signals to the final threat scoring, and allowing for more accurate decisions to be made.
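The “URLs converted to graphics” case listed earlier shows how a visual signal feeds the scoring: compare the host an image displays with the host its link opens. This is an added example, not VISUA's API or code from the article; the OCR output is assumed to come from a separate vision engine, and all names, hosts and sample data are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkedImages(HTMLParser):
    """Collect (href, img src) for every image wrapped in a link."""
    def __init__(self):
        super().__init__()
        self.href, self.pairs = None, []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.href = attrs.get("href")
        elif tag == "img" and self.href:
            self.pairs.append((self.href, attrs.get("src", "")))
    def handle_endtag(self, tag):
        if tag == "a":
            self.href = None

def _norm(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def image_url_mismatches(html, ocr_text):
    """ocr_text maps img src -> text an OCR/vision engine read from it (assumed input)."""
    parser = LinkedImages()
    parser.feed(html)
    signals = []
    for href, src in parser.pairs:
        match = HOST_RE.search(ocr_text.get(src, ""))
        if not match:
            continue  # the image does not display a URL
        shown, target = _norm(match.group(1)), _norm(urlsplit(href).hostname)
        if target != shown and not target.endswith("." + shown):
            signals.append({"image": src, "shown_host": shown, "link_host": target})
    return signals

# Constructed sample email body and OCR results (reserved .test hosts).
SAMPLE_HTML = """<p>Your session expired.</p>
<a href="https://secure-login.unrelated-host.test/a1"><img src="cid:url.png"></a>
<a href="https://www.example-bank.test/help"><img src="cid:help.png"></a>"""
SAMPLE_OCR = {"cid:url.png": "https://www.example-bank.test/login",
              "cid:help.png": "www.example-bank.test/help"}

if __name__ == "__main__":
    print(image_url_mismatches(SAMPLE_HTML, SAMPLE_OCR))
```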
Computer Vision is not here to replace existing technologies or techniques. Put simply, its job is to work adjacent to existing methods, adding an extra layer of protection. The Visual-AI engine does not make the determination as to whether something is a threat; that task is still allocated to the overall anti-phishing software.
There are, of course, a number of options out there if you are considering introducing computer vision to your anti-phishing software. There are many deciding factors that you may consider, including ensuring that the API is purpose-built for the task of detecting graphical attack vectors. This isn’t the case for most providers but it is for VISUA’s API.
Another important factor in detecting brand spoofing is the ability to quickly and easily add new logos and marks to the library. Again, this is something VISUA can offer.
If you are looking for more comparisons among market-leading computer vision providers, we’ve compared the most commonly queried-for features in a series of comparison guides.
There are endless possible questions one might feel the need to ask when it comes to computer vision and phishing protection. While you will find plenty of the answers here on the VISUA blog, and in our podcast episode on the subject, we are always available to discuss it with you in order to help you make your decision. Fill in the form below and someone will be in touch.