Computer Vision and Phishing Protection: Most Commonly Asked Questions

Computer Vision and Phishing Protection – a match made in heaven

It won’t come as news to you that computer vision and phishing protection software are a pairing with great potential. However, the partnership between these two technologies is relatively new, so a lot of questions arise when the subject is brought up.

We often find the same questions come up time and time again, so we have taken it upon ourselves to take a closer look at these questions and answer them. 

1. Why is the addition of computer vision to phishing protection software so important?

The most commonly exploited visual element in phishing campaigns is the logo. Bad actors use logos in emails, documents and websites because people tend to see them as a mark of trust. It’s also fair to say that a lot of phishing protection systems simply don’t do a good job of detecting logos – no wonder it’s such a popular element used by cybercriminals. Ironscales highlighted the issue in 2020, stating that 50,000 login pages were created in the same year spoofing 200 of the world’s most well-known brands. Computer vision allows phishing detection platforms to spot these commonly spoofed brands in an instant, even if the bad actors use variants or modified versions, and so highlights the communications that may require more in-depth or prioritized analysis.

On top of this, bad actors are using other visual means of detection evasion which the majority of phishing detection systems are not equipped to flag. This could include disguising trigger words as images and rendering entire web pages as a graphic. Introducing computer vision into the phishing protection element of cybersecurity software enables the system to detect and flag such evasion techniques. 

Depiction of visual phishing risk scoring of a fake Google sign-in form

2. What is brand spoofing?

The goal of any phishing attack is to confuse an email recipient or web page visitor and trick them into believing that they can trust the content and calls to action, e.g. signing in with login credentials. This is done through brand spoofing; that is, attempting to mimic a trusted brand as closely as possible so as to fool the end user.

Typically, bad actors will utilize a variety of entities such as a URL, but it also extends to using trusted visual cues including company logos and other associated graphics. In extreme cases, we’ve seen bad actors using pixel-perfect copies of emails and web pages to mislead unsuspecting web users. 

Brand spoofing can occur across many channels from email to social media and is typically associated with visual impersonation. As outlined in the answer to question one, computer vision equips phishing detection tools with the ability to flag such visual signals and put a stop to any potential threats.

3. What are visual or graphical attack vectors?

An attack vector is the method or path used by a bad actor to initiate and enable illegal access to secure systems, accounts, servers and computers. Therefore a visual attack vector, or graphical attack vector, is any visual/graphical method used to propel an attack or evade detection. This could be anything from using a brand logo in the email or web page to converting key elements into graphics, using QR codes that have embedded links, or even fragmenting graphical elements that are then rebuilt using CSS or JavaScript. Scammers are using multiple techniques across multiple channels to both confuse victims and evade detection.

4. How are bad actors using visual attack vectors to evade detection?

Scammers make an effort to remain knowledgeable about the techniques cyber security companies use to detect phishing at all times. They know how cyber security software works and the types of programmatic scanning that are used to detect illicit communications. They are therefore able to identify various aspects that would be prone to detection and develop graphics to evade triggering an alert on the system. Some examples include:

Converting Keywords into graphics:  

Bad actors will convert key trigger words in the content into a graphic that is indistinguishable from regular text to the user, but unreadable to phishing detection systems that are not equipped with the ability to “see” images.

Sections converted into images: 

There are many cases in which bad actors will convert an entire form, email or web page into a graphic so as to avoid detection. 

URLs converted to Graphics: 

Genuine URLs are often converted into an image and a link is attached to the graphic that points to a fake site. 

Adding Visual Noise: 

Scammers are aware that some companies use basic computer vision, so rather than displaying a logo or other element in its entirety, they will break up the graphic into many small parts and use CSS or JavaScript to reassemble it all at render. This hides the image as a whole from any in-line computer vision analysis.
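A static pre-check for the "visual noise" case above, written for this edit and not taken from VISUA's product: it flags pages where many small, absolutely positioned `<img>` tiles cover one rectangle with no gaps or overlaps, so the page can be rendered and analysed as a whole. It only reads inline styles; the thresholds, function names and sample markup are assumptions.

```python
import re
from html.parser import HTMLParser

# Matches "left: 10px" but not "margin-left: 10px" or "max-width: 10px".
GEOM = re.compile(r"(?<![-\w])(left|top|width|height)\s*:\s*(\d+)px")

class TileCollector(HTMLParser):
    """Collects (left, top, width, height) of absolutely positioned <img> tags."""
    def __init__(self):
        super().__init__()
        self.boxes = []

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        if tag != "img" or "absolute" not in style:
            return
        g = {k: int(v) for k, v in GEOM.findall(style)}
        if len(g) == 4:
            self.boxes.append((g["left"], g["top"], g["width"], g["height"]))

def overlaps(a, b):
    return (a[0] < b[0] + b[2] and b[0] < a[0] + a[2]
            and a[1] < b[1] + b[3] and b[1] < a[1] + a[3])

def find_reassembled_image(html, min_tiles=4, max_tile_px=64):
    """Return the (left, top, width, height) region that small tiles cover
    exactly, or None. Thresholds are illustrative assumptions."""
    collector = TileCollector()
    collector.feed(html)
    tiles = [b for b in collector.boxes if max(b[2], b[3]) <= max_tile_px]
    if len(tiles) < min_tiles:
        return None
    if any(overlaps(a, b) for i, a in enumerate(tiles) for b in tiles[i + 1:]):
        return None
    left = min(t[0] for t in tiles)
    top = min(t[1] for t in tiles)
    right = max(t[0] + t[2] for t in tiles)
    bottom = max(t[1] + t[3] for t in tiles)
    covered = sum(t[2] * t[3] for t in tiles)
    # No overlaps plus equal area means the tiles form one seamless rectangle.
    if covered != (right - left) * (bottom - top):
        return None
    return (left, top, right - left, bottom - top)

# Constructed sample: a 120x40 graphic cut into six 40x20 tiles.
TILED_PAGE = "<div style='position:relative'>" + "".join(
    f"<img src='t{r}{c}.png' style='position:absolute; left:{100 + 40 * c}px; "
    f"top:{50 + 20 * r}px; width:40px; height:20px'>"
    for r in range(2) for c in range(3)) + "</div>"
PLAIN_PAGE = "<p>Welcome</p><img src='logo.png' style='width:120px; height:40px'>"
```

Tiles positioned through stylesheet classes, background sprites or script are outside what this static check sees; those need the rendered page.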

5. What programmatic obfuscation techniques are bad actors using to evade detection?

If you’re a cybersecurity professional, you will know that the number of programmatic obfuscation techniques employed by bad actors is practically infinite. Unfortunately, the list continues to grow thanks to the use of AI by scammers. A few techniques include: 

Keyword padding

Bad actors who want to hide the word “login”, for example, will add random characters between each letter, which are removed by a script at runtime. So the code will read ‘L8dgfhoSt5s3gsktfhilpq3dn’ (for this example we have colored the random letters in red), easily evading detection systems that are trained to flag communications or sites with the word “login”.

Botnets
Scammers will use botnets to create thousands of variants of text and headers that are difficult to determine as fake.

Saturation

Delivering a high volume of sophisticated and legitimate-looking emails can overwhelm a detection system, or more accurately, the humans who make the ultimate decisions. This gives the bad actors a higher opportunity for success.

Short-life / Single-Use URLs
Blacklists were once the standard approach for deciding the legitimacy of a web page/site. Bad actors, therefore, adapted technologies to allow the creation of short-life and even single-use URLs that exist for such a short time as to never make it onto any blacklists.

Frequency & IP-Based Substitution
Programmatic checks take time and resources, so typically an email or webpage will be checked once, or a limited number of times. Bad actors, therefore, use methods such as serving the correct page in an email the first time the URL is visited but substituting the spoofed page thereafter. 
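A detection sketch for the keyword padding technique described above, added for this edit and not part of the original post or any vendor's code. In the article's sample string the padding between letters is a constant five characters, so the scanner reads each long alphanumeric token at fixed strides and looks for watch-list words; the fixed stride, the keyword list and all names here are assumptions.

```python
import re

# Assumed watch-list; a real deployment would use its own trigger words.
KEYWORDS = ("login", "password", "verify")
# Only long alphanumeric runs can hide a padded word.
TOKEN = re.compile(r"[A-Za-z0-9]{8,}")

def find_padded_keywords(source, keywords=KEYWORDS, max_stride=8):
    """Return (token, keyword, stride, offset) for every alphanumeric token
    that spells a keyword when read at a fixed stride."""
    hits = []
    for token in TOKEN.findall(source):
        lowered = token.lower()
        for stride in range(2, max_stride + 1):  # stride 1 is the plain word
            for offset in range(stride):
                sampled = lowered[offset::stride]
                for kw in keywords:
                    if kw in sampled:
                        hits.append((token, kw, stride, offset))
    return hits

def strip_padding(token, stride, offset):
    """Recover the characters a runtime script would leave behind."""
    return token[offset::stride]

# Constructed script line wrapping the padded string quoted in the article.
SAMPLE = 'var label = "L8dgfhoSt5s3gsktfhilpq3dn";'
# Constructed benign line with long identifiers and no hidden keyword.
BENIGN = 'document.getElementById("container").className = "highlight";'

if __name__ == "__main__":
    for token, kw, stride, offset in find_padded_keywords(SAMPLE):
        print(kw, "hidden in", token, "->", strip_padding(token, stride, offset))
```

Padding of variable length defeats the fixed-stride assumption; inspecting the text after scripts have run, or the rendered page itself, covers that case.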

6. How does Computer Vision assist in phishing detection and threat intelligence?

Phishing detection software relies on signals and triggers derived from already-processed data using a combination of technologies. Once examined, a decision engine can make a determination of threat based on the volume, category, and combination of these signals. 

However, the ability to make the right decisions as accurately as possible relies enormously on maximizing the number of signals available for analysis. Many detection systems available on the market lack the technology to analyze visual signals; that’s where Visual-AI or computer vision comes in. As a component of phishing detection workflows, computer vision enables the system to detect visual signals, adding another layer of protection for users.

This additional layer can detect not only graphical attack vectors, but, when used in a specific way, can also detect some of the programmatic obfuscation techniques outlined above – adding these valuable and critical signals to the final threat scoring, and allowing for more accurate decisions to be made.

7. Does your visual phishing detection replace traditional detection techniques?

Computer Vision is not here to replace existing technologies or techniques. Put simply, its job is to work adjacent to existing methods, adding an extra layer of protection. The Visual-AI engine does not make the determination as to whether something is a threat; that task is still allocated to the overall anti-phishing software.

8. How does this computer vision technology compare to others?

There are, of course, a number of options out there if you are considering introducing computer vision to your anti-phishing software. There are many deciding factors that you may consider, including ensuring that the API is purpose-built for the task of detecting graphical attack vectors. This isn’t the case for most providers but it is for VISUA’s API. 

Another important factor in detecting brand spoofing is the ability to quickly and easily add new logos and marks to the library. Again, this is something VISUA can offer. 

If you are looking for more comparisons among market-leading computer vision providers, we’ve compared the most commonly queried-for features in a series of comparison guides. 

There are endless possible questions one might feel the need to ask when it comes to computer vision and phishing protection. While you will find plenty of the answers here on the VISUA blog, and in our podcast episode on the subject, we are always available to discuss it with you in order to help you make your decision. Fill in the form below and someone will be in touch.
