Visual Signals: Critical Enhancement to Slam the Door on Scammers
A Whitepaper introducing the role of Visual-AI to enhance phishing detection methods
Phishing Is A Growing Problem
60,000 phishing sites were reported in March 2020 alone - That's a 160% increase in 5 years.
Attackers spoofed the world’s top 200 brands and created 50,000 fake login pages.
This whitepaper provides:
- An analysis of phishing that relies on visual elements to gain the trust of the user
- A review of how bad actors use graphical techniques and elements to build trust, confuse users and evade detection
- Details on how Visual-AI could be applied to detect the "undetectable"
Discover how VISUA's powerful and flexible Visual-AI can help close the net on scammers!
Visual-AI + Standard AI is the Answer!
By supplementing the current AI systems with advanced and targeted Visual-AI, you achieve a perfect combination that delivers ‘human’ visual analysis (but at machine speed) with AI data analysis. This combination is far more difficult for bad actors to evade and can be effective at near real-time (one second or less), allowing all content and traffic requests to be processed in real-time to the client.
Introduction
This Whitepaper concerns itself with any form of phishing that relies on visual elements in the communication to gain the trust of the reader. Such as attacks that leverage brands and those techniques where the content of emails, websites and documents are converted to graphics to fool phishing detection systems (PDS).
The concept we propose is one that operates in near real-time and views content as a human would see it but at ‘machine-speed’. Able to handle massive volumes quickly and accurately. Delivering a valuable scoring system to a PDS, which can then be used in their own filtering and scoring system. This web page contains the key highlights from each section of the whitepaper. For the full document, hit the download button at any point.
Problem Statement
Phishing has fuelled massive growth in the cybersecurity sector. By 2023, Forrester predicts the global spending on cloud security tools alone will hit $12.6 billion, up from $5.6 billion in 2018, but that’s a pre-COVID 19 era prediction.
Up to Aug 2019, the number of victims of phishing had increased by 59%, while BEC (Business Email Compromise) attacks had grown by a staggering 160%, compared to 2015 figures, according to Security.org. But research by Positive Technologies indicated a recent acceleration in growth of 22.5% in Q1 2020 compared to what was seen in Q4 of 2019!
Phishing technologies and methods are drastically improving too. According to Ironscales, it has allowed attackers to spoof the world’s top 200 brands to create 50,000 fake login pages. Nearly 5% (2,500) of the 50,000 fake login pages were polymorphic, with one brand spinning out more than 300 permutations. PDS are tasked with identifying and blocking phishing attacks but are faced with numerous challenges:
It’s An Arms Race
Anti-phishing companies are in an arms race with bad actors. From their ever more ingenious obfuscation techniques to avoid detection, to their targeting of more channels (voice, social, malware, web ads and text messages), and more endpoints, the task is getting ever more challenging.
Readily Available, Weaponised Technologies
As ingenious as many of the phishing techniques are, being a successful bad actor needs little more than a good working knowledge of IT systems and access to the dark web, which is a haven for nefarious commerce. Hacking and phishing ‘kits’ can be purchased from as little as $2, and whole cybercrime solutions can be bought at what most would consider ‘very reasonable prices’.
The Odds Are Stacked Against You
For PDS providers, their customers need them to detect and stop every phishing attempt. The bad actors, however, have a much lower bar, where just one breach is a major success.
Brute Force Method
A sure-fire method of stopping phishing attacks is to simply block any communication from unknown sources that contain a file attachment or a link to an external site. As effective as this is, it also gets in the way of genuine business.
Challenges
The PDS industry faces numerous challenges in delivering a system that can be relied on by their clients:
Time & Speed
Any PDS must operate as close to real-time as possible, with absolute minimal delay, so as to be transparent to the user. Scammers are consummate opportunists and they know that it takes time for relevant data about domains, senders, URLs and other sources/flags to be gathered, scored, and added to relevant blacklists. For this reason, they switch and change often, with sites existing, in some cases, for only hours.
Complex Systems Take Time To Patch
IT professionals have a natural reluctance to patch, and especially to patch too often. Patches also introduce delays in closing gaps in the defence cordon, giving bad actors the time they need to get a win.
Massive Volumes
Phishing attacks are at their highest level in three years; with attacks rising to levels not seen since 2016. March alone saw over 60,000 phishing sites reported - and that’s simply the ones that were identified/identified in time. The massive excess growth, (above the backdrop of ‘standard’ growth), is very much attributable to COVID-related attacks and sites. The issue, therefore, that PDS providers have is quickly and efficiently sifting through all communications and links to validate genuine communications and sites while blocking bad ones.
Multiple Attack Vectors, Channels And Devices/End-Points
Phishing used to be limited only to email on PC. Today every device and every channel can now be a conduit for phishing. From mobile malware delivered through SMS (SMiShing), the gathering of data through voicecalls (Vishing) and even through malicious apps or ads served in apps, websites and social media. Social engineering is one of the latest techniques used. Employing gamification and the power of sharing, they operate through social media sites and chat apps to snare victims, who then share a fake link.
Bad Actors Employ Legitimate Technologies
As cloud services become more popular and new techniques are employed by users and made standard by social sites (like Twitter’s shortening of all URLs to t.co versions), bad actors are exploiting the trust that users have in these services, making it more likely that they’ll click on links to files hosted on Google Docs, Microsoft OneDrive or URLs that have been shortened.
For more on the challenges faced by PDS, Download the full whitepaper
The Visual-AI Solution
Visual-AI’s strength is its ability to see the world as humans see it, but at machine speed. Never tiring, never making mistakes and to a much higher accuracy than humans can achieve. Visual-AI, therefore, enables a new paradigm in combating phishing attacks where the attackers rely on:
- Building trust through the use of familiar and authoritative visual cues
- Evading detection by using graphical elements to replace machine-readable elements
- Evading detection by adding noise to, or eliminating/obfuscating, code
Examples of Key Visual Elements Exploited By Bad Actors That Visual-AI Can Detect:
Company Logo
Used in email, documents and websites, the logo of a bank, service or system can inspire confidence. It's important to note that brands can have multiple versions of their logo and Bad actors will also use older or outdated logos in their attacks. Identifying the highest risk/most phished brands in attacks quickly allows the PDS to take priority action on that message or site.
Marks
Similar to logos, Scammers may use recognised and authoritative marks to increase trust. Safety marks, security cert marks, and padlock icons specifically in website content, etc. can be combined to ratchet up trust factors in recipients. The presence of these marks, in conjunction with other elements, can be a key indicator of a phishing attempt.
Favicon
The mini logo-based icon used in the tab of a website is another often-used technique to try and confuse victims. It can be another effective ranking factor.
Examples of Evasion Techniques Involving Graphical Elements That Visual-AI Can Detect:
Text Converted To Graphics
They will convert key ‘trigger’ words in the content to a graphic. For instance, words like ‘Username’, ‘Password’, ‘Login’, and ‘Credit Card Number’ will be converted from readable text to a JPG or PNG, but in such a way to be indistinguishable from the normal text to the user.
Sections Converted To Images
Rather than converting just a word at a time, they may convert an entire form to a graphic, overlaying the input fields above the graphic. In some cases, as outlined in the image to the right they will convert the entire email or site into a single graphic.
URLs Converted To Graphics
Similar to key ‘trigger’ words, a genuine URL is converted to a graphic, however, a link is then attached to the graphic that points to the fake site. In this way a user may see www.paypal.com, but the link behind the image will point to www.paypa1.com.
6 Common Detection-Evasion Techniques That Visual-AI Can Detect:
- Keep The Lifespan Short
As outlined in a previous section, many systems rely on blacklists to identify threats. Bad actors will therefore run a site for a very short period before they change servers, IPs, domains etc., thereby avoiding being flagged. 2020 has also seen the rise of single-use URLs that therefore only last seconds!
- Add Noise
A great way to evade is to confuse. They achieve this by adding significant ‘noise’ to the code of an email or site. They will change key attributes of graphics, like filenames and HTML attributes and metadata. They can even break up graphics into multiple small parts, as shown below. Using HTML or JavaScript these separate parts can be displayed seamlessly to a visitor in their web browser. - Legitimise The Illegitimate
As well as being a fantastic method for tricking victims, bad actors will often use legitimate links in emails and websites, such as help, legal and even anti-fraud pages. They will also use a legitimate reply-to address, all of which helps to confuse the PDS. - Nothing To See Here
As shown in the Apple example previously, bad actors will take the most sensitive section/s of content that can trigger a detection, or even the entire email/website and convert them into graphics. This greatly reduces or eliminates machine-readable content/code, giving the PDS nothing to work on. - Dynamic Content
They will use (often obfuscated) JavaScript to dynamically generate the contents of a page. This stops HTML parsers from being able to extract elements, such as form fields, for analysis because the page is only displayed when rendered by a web browser. This issue has been made worse by the introduction of WebAssembly, which provides many advantages for developers, but has been massively adopted by bad actors who are delighted with the fact that they can compile code, which makes it even easier to obfuscate. - Open The Windows
Bad actors can drive victims to genuine sites, but trigger an additional window, or a popup, to open above the legitimate login form in order to substitute their bad form, as shown in the examples below.
For more detail, Download the full whitepaper
How Visual-AI Detects The ‘Undetectable’
Visual-AI sees all content with human eyes. It is something that the bad actors cannot avoid because their goal is to show humans an email, site or document that looks as natural and genuine as possible. By fully rendering the content (perhaps in a sandbox) and converting the output to an image, the PDS will have captured what a human will see. This can then be passed to VISUA’s Visual-AI engine for analysis.
1) Render & Capture
Render the web page/email and save it as a flat image for processing.
2) Process The Image
Identify high-risk brands (for priority processing) and any anomalous attributes within the page/email.
3) Visual Risk Scoring
Calculate a risk score and pass it, with the identified anomalies, back to the master phishing detection system for final actions.
For more detail, Download the full whitepaper
Conclusion
This whitepaper has highlighted the challenges faced by cyber-security companies and PDS providers in stopping phishing attacks. It shows the extreme and ingenious lengths bad actors go to in order to avoid detection and achieve their goals. And further outlined the role that Visual-AI has to play in enhancing detection and blocking of phishing attacks.
Humans To The Rescue?
We know that trained humans have the capabilities to detect phishing attacks to a very high degree of accuracy. The problem is the volumes they can process are very low. An army of humans would therefore be required to keep up with the volume of checks required. The work would also be tedious and tiring.
Artificial Intelligence To The Rescue?
AI addresses the issue of speed because it operates at ‘machine speed’; able to process millions of pieces of data in a fraction of the time it would take a human to do the same work. AI can also be trained to quickly and efficiently compare multiple strands of data and data-points to identify correlations that would otherwise be missed. The weakness of AI is that bad actors can relatively easily evade the employed data gathering techniques, which non-visual AI systems rely on, to produce their results.
Visual-AI + Standard AI Is The Answer!
By supplementing the current AI systems with advanced and targeted Visual-AI, you achieve a perfect combination that delivers ‘human’ visual analysis (but at machine speed) with AI data analysis.
Get The Whitepaper
Get the complete and detailed whitepaper document. Simply complete the form and you will be able to open the whitepaper in full. We'll also email you a link to the document, so you can open it as needed, or forward to a colleague.
Get the whitepaper
