How to Protect Your Employees When Threat Actors Leverage Legitimate Infrastructure

In a recent blog we discussed Why Organizations Need to Take Phishing Threats Against Their Employees Seriously. Here’s another reason why organizations should be concerned. Cybercriminals are increasingly using mainstream, legitimate commercial infrastructure sites to avoid detection and host the growing number of phishing attacks they launch.

The 2019 Webroot Threat Report revealed some pretty interesting statistics, including the fact that phishing attacks increased 36 percent and the number of phishing sites grew 220 percent over the course of 2018. While those stats certainly get one’s attention, the stat that really hits home is this one:

40 Percent of Malicious URLs Were Found on Good Domains

As more threat actors leverage legitimate infrastructure and manipulate trusted brands, it’s becoming harder and harder to stop these phishing attacks and cybersecurity threats. A recent CSO article drove this home, by outlining six ways that threat actors are manipulating legitimate infrastructure. One of ways they mention is stolen or legitimately purchased cloud services. Cybercriminals can employ phishing emails that contain links to legitimate cloud providers – including AWS, Azure, Alibaba, Google – that are hosting phishing sites. The initial URL is legitimate, and as such most URL filtering tools and block lists will not catch them. Once clicked, the URL is redirected to a phishing page that is hosted elsewhere.

Just recently, GoDaddy removed 15,000 subdomains that were used for online scams. In their investigation, they found that threat actors were sending phishing emails to people that promoted a product. When clicked, the user was landing on a subdomain that was hosted on a legitimate site, without the site owner’s knowledge. Adding to the deceit, these products were often backed by fake endorsements from celebrities and other trusted brands. The ZDNet article named Jennifer Lopez, Blake Shelton, Wolf Blitzer, the Shark Tank TV show, among others that were used as part of the scam.

An interesting article published last year at InfoSecurity Magazine stated that 42 percent of the top 100,000 websites, as ranked by Alexa, “either are using software that leaves them vulnerable to attack or have already been compromised in some way.” Many of these sites link to other websites (25 on average according to the article), which creates additional opportunities for threat actors to manipulate an otherwise legitimate domain.

So, you can train your employees on identifying phishing attacks, illegitimate websites, and other ploys, but how can you police legitimate websites that are being manipulated? URL filtering tools and blocklists don’t work because blocking legitimate websites and cloud service providers would be much to invasive to employee productivity, never mind the drain on IT resources and manpower to do it.

SlashNext’s threat detection technology uses a browser-based approach that follows URL re-directs and examines the contents of each subsequent page rather than focusing singularly on the URL analysis or domain reputation analysis of only the initial page. Our SEERTM technology (Session Emulation and Environment Reconnaissance) runs virtual browsers in a purpose-built cloud to dynamically inspect sites, and perhaps more importantly page contents and server behavior, with advanced computer vision, OCR, NLP, and active site behavioral analysis. Machine learning enables definitive verdicts—malicious or benign—with exceptional accuracy and near-zero false positives.

Our Real-Time Phishing Threat Intelligence and Targeted Phishing Defense solutions can see beyond the legitimate website to identify what might lie in wait. Start a free 15-day trial of Real-Time Phishing Threat Intelligence or contact us for a demo of our Targeted Phishing Defense to see how you can protect your organization.

*** This is a Security Bloggers Network syndicated blog from SlashNext authored by Lisa O'Reilly. Read the original post at: