This whitepaper provides:
Discover how VISUA’s powerful and flexible Visual-AI can help close the net on scammers!
By supplementing the current AI systems with advanced and targeted Visual-AI, you achieve a perfect combination that delivers ‘human’ visual analysis (but at machine speed) with AI data analysis. This combination is far more difficult for bad actors to evade and can be effective at near real-time (one second or less), allowing all content and traffic requests to be processed in real-time to the client.
This whitepaper concerns itself with any form of phishing that relies on visual elements in the communication to gain the trust of the reader, such as attacks that leverage brands and techniques where the content of emails, websites and documents is converted to graphics to fool phishing detection systems (PDS).
The concept we propose is one that operates in near real-time and views content as a human would see it, but at ‘machine speed’. It handles massive volumes quickly and accurately, and delivers a valuable scoring system to a PDS, which can then use it in its own filtering and scoring system. This web page contains the key highlights from each section of the whitepaper. For the full document, hit the download button at any point.
Phishing has fuelled massive growth in the cybersecurity sector. By 2023, Forrester predicts that global spending on cloud security tools alone will hit $12.6 billion, up from $5.6 billion in 2018, but that’s a pre-COVID-19 era prediction.
Up to Aug 2019, the number of victims of phishing had increased by 59%, while BEC (Business Email Compromise) attacks had grown by a staggering 160%, compared to 2015 figures, according to Security.org. But research by Positive Technologies indicated a recent acceleration in growth of 22.5% in Q1 2020 compared to what was seen in Q4 of 2019!
Phishing technologies and methods are drastically improving too. According to Ironscales, this has allowed attackers to spoof the world’s top 200 brands to create 50,000 fake login pages. Nearly 5% (2,500) of the 50,000 fake login pages were polymorphic, with one brand spinning out more than 300 permutations.
PDS are tasked with identifying and blocking phishing attacks but are faced with numerous challenges:
Anti-phishing companies are in an arms race with bad actors. From their ever more ingenious obfuscation techniques to avoid detection, to their targeting of more channels (voice, social, malware, web ads and text messages), and more endpoints, the task is getting ever more challenging.
As ingenious as many of the phishing techniques are, being a successful bad actor needs little more than a good working knowledge of IT systems and access to the dark web, which is a haven for nefarious commerce. Hacking and phishing ‘kits’ can be purchased from as little as $2, and whole cybercrime solutions can be bought at what most would consider ‘very reasonable prices’.
For PDS providers, their customers need them to detect and stop every phishing attempt. The bad actors, however, have a much lower bar, where just one breach is a major success.
A sure-fire method of stopping phishing attacks is to simply block any communication from unknown sources that contain a file attachment or a link to an external site. As effective as this is, it also gets in the way of genuine business.
Any PDS must operate as close to real-time as possible, with absolute minimal delay, so as to be transparent to the user. Scammers are consummate opportunists and they know that it takes time for relevant data about domains, senders, URLs and other sources/flags to be gathered, scored, and added to relevant blacklists. For this reason, they switch and change often, with sites existing, in some cases, for only hours.
IT professionals have a natural reluctance to patch, and especially to patch too often. Patches also introduce delays in closing gaps in the defence cordon, giving bad actors the time they need to get a win.
Phishing attacks are at their highest level in three years, with attacks rising to levels not seen since 2016. March alone saw over 60,000 phishing sites reported, and those are simply the ones that were identified, or identified in time. The massive excess growth (above the backdrop of ‘standard’ growth) is very much attributable to COVID-related attacks and sites. The issue that PDS providers have, therefore, is quickly and efficiently sifting through all communications and links to validate genuine communications and sites while blocking bad ones.
Phishing used to be limited to email on PC. Today every device and every channel can be a conduit for phishing, from mobile malware delivered through SMS (SMiShing) and the gathering of data through voice calls (Vishing) to malicious apps or ads served in apps, websites and social media. Social engineering is one of the latest techniques used. Employing gamification and the power of sharing, attackers operate through social media sites and chat apps to snare victims, who then share a fake link.
As cloud services become more popular and new techniques are employed by users and made standard by social sites (like Twitter’s shortening of all URLs to t.co versions), bad actors are exploiting the trust that users have in these services, making it more likely that they’ll click on links to files hosted on Google Docs, Microsoft OneDrive or URLs that have been shortened.
Visual-AI’s strength is its ability to see the world as humans see it, but at machine speed, never tiring, never making mistakes and working to a much higher accuracy than humans can achieve. Visual-AI, therefore, enables a new paradigm in combating phishing attacks where the attackers rely on:
Used in email, documents and websites, the logo of a bank, service or system can inspire confidence. It’s important to note that brands can have multiple versions of their logo and that bad actors will also use older or outdated logos in their attacks. Identifying the highest risk/most phished brands in attacks quickly allows the PDS to take priority action on that message or site.
Similar to logos, scammers may use recognised and authoritative marks to increase trust. Safety marks, security cert marks, padlock icons (specifically in website content) and the like can be combined to ratchet up trust factors in recipients. The presence of these marks, in conjunction with other elements, can be a key indicator of a phishing attempt.
The mini logo-based icon used in the tab of a website is another often-used technique to try and confuse victims. It can be another effective ranking factor.
Bad actors will convert key ‘trigger’ words in the content to a graphic. For instance, words like ‘Username’, ‘Password’, ‘Login’, and ‘Credit Card Number’ will be converted from readable text to a JPG or PNG, but in such a way as to be indistinguishable from the normal text to the user.
Rather than converting just a word at a time, they may convert an entire form to a graphic, overlaying the input fields above the graphic. In some cases, as outlined in the image to the right, they will convert the entire email or site into a single graphic.
Similar to key ‘trigger’ words, a genuine URL is converted to a graphic. A link is then attached to the graphic that points to the fake site. In this way a user may see www.paypal.com, but the link behind the image will point to www.paypa1.com.
As outlined in a previous section, many systems rely on blacklists to identify threats. Bad actors will therefore run a site for a very short period before they change servers, IPs, domains etc., thereby avoiding being flagged. 2020 has also seen the rise of single-use URLs that therefore only last seconds!
As well as being a fantastic method for tricking victims, bad actors will often use legitimate links in emails and websites, such as help, legal and even anti-fraud pages. They will also use a legitimate reply-to address, all of which helps to confuse the PDS.
As shown in the Apple example previously, bad actors will take the most sensitive section/s of content that can trigger a detection, or even the entire email/website and convert them into graphics. This greatly reduces or eliminates machine-readable content/code, giving the PDS nothing to work on.
Bad actors can drive victims to genuine sites, but trigger an additional window, or a popup, to open above the legitimate login form in order to substitute their bad form, as shown in the examples below.
Visual-AI sees all content with human eyes. It is something that the bad actors cannot avoid because their goal is to show humans an email, site or document that looks as natural and genuine as possible. By fully rendering the content (perhaps in a sandbox) and converting the output to an image, the PDS will have captured what a human will see. This can then be passed to VISUA’s Visual-AI engine for analysis.
Render the web page/email and save it as a flat image for processing.
Identify high-risk brands (for priority processing) and any anomalous attributes within the page/email.
Calculate a risk score and pass it, with the identified anomalies, back to the master phishing detection system for final actions.
This whitepaper has highlighted the challenges faced by cyber-security companies and PDS providers in stopping phishing attacks. It shows the extreme and ingenious lengths bad actors go to in order to avoid detection and achieve their goals, and it outlines the role that Visual-AI has to play in enhancing detection and blocking of phishing attacks.
We know that trained humans have the capabilities to detect phishing attacks to a very high degree of accuracy. The problem is the volumes they can process are very low. An army of humans would therefore be required to keep up with the volume of checks required. The work would also be tedious and tiring.
AI addresses the issue of speed because it operates at ‘machine speed’: it can process millions of pieces of data in a fraction of the time it would take a human to do the same work. AI can also be trained to quickly and efficiently compare multiple strands of data and data-points to identify correlations that would otherwise be missed. The weakness of AI is that bad actors can relatively easily evade the data gathering techniques that non-visual AI systems rely on to produce their results.
By supplementing the current AI systems with advanced and targeted Visual-AI, you achieve a perfect combination that delivers ‘human’ visual analysis (but at machine speed) with AI data analysis.
Seamlessly integrating our API is quick and easy, and if you have questions, there are real people here to help. So start today; complete the contact form and our team will get straight back to you.