More phishing websites are being created than ever before. The scale of the problem was emphasized in the Q3 Quarterly Threat Trends Report from Webroot. In December 2016, Webroot reported there were over 13,000 new phishing websites created on a daily basis – almost 390,000 new phishing webpages every month. By Q3, 2017, that figure had increased to more than 46,000 new phishing webpages a day – around 1,385,000 every month. The report showed that 63% of companies surveyed had suffered a phishing related security incident in the past two years.
Phishing webpages need to be developed on that scale as they are now detected much more rapidly and added to blacklists. Phishing websites now usually remain active for between 4-6 hours, although that short time frame is enough to allow each site to capture many users’ credentials. Many of those websites also carry an SSL certificate, so they appear to users to be safe websites. A website starting with HTTPS is no guarantee that it is not being part of a phishing attack
Report Looks into Phishing Tactics
While phishers normally use their own domains to phish for credentials, a recent report from Duo Security indicated legitimate websites are increasingly being compromised and loaded with phishing kits. The study listed more than 3,200 unique fishing kits spread across 66,000 URLs. These phishing kits are being traded on underground marketplaces and bought by accomplished phishers and wannabe cybercriminals. 16% of those URLs were on HTTPS websites.
Duo Security notes that persistence is put inplace by creating a .htaccess file that blocks the IP addresses of threat intelligence gathering firms to stop detection. The Webroot report also highlighted a rise in the use of benign domains for phishing.
The phishing kits are usually placed into the wp-content, wp-includes, and wp-admin paths of WordPress sites, and the signin, images, js, home, myaccount, and css folders on other sites. Organizations should review file changes in those directories to ensure their sites are not hijacked by phishers. Strong passwords should also be used along with non-standard usernames and rate limiting on login attempts to enhance resilience against brute force attacks.
Stopping Phishing Attacks
Sadly, there is no single solution that will allow organizations to stop phishing attacks, although it is possible to reduce risk to an acceptable level. In the healthcare sector, phishing defenses are a requirement of HIPAA and steps must be taken to minimize risk to a reasonable and acceptable level. The failure to address the risk from phishing can result in fines for noncompliance.
Defenses should put in place a combination of technological solutions to prevent the delivery of phishing emails and to cut out access to phishing URLs. Employees must also receive regular training to show them how to identify phishing emails.
As OCR remarked out in its July Cybersecurity newsletter, HIPAA (45 C.F.R. § 164.308(a)(5)(i)) requires groups to provide regular security awareness training to employees to help prevent phishing attacks. OCR said that “An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them.”
Due to the increased popularity of HTTPS, it is no longer enough for users to check that the site is secure to avoid phishing scams. While a URL beginning with HTTPS does give an indication that the site is secure, it is important that end users do not automatically trust those websites and let their guard down. Just because a website has an SSL certificate it does not mean it can be taken as being genuine. Users should also be told to pay close attention to the domain name to make sure that they are visiting their intended website, and always to exercise caution before deciding to share any login credentials.
Even with security awareness training, staff members cannot be expected to identify all phishing attempts. Phishers are developing increasingly complex phishing emails that are barely distinguishable from genuine emails. Websites are more difficult to identify as malicious, emails are well written and convincing, and corporate branding and logos are often used to trick end users. Technological solutions are therefore necessary to reduce the number of emails that reach inboxes, and to prevent users from visiting malicious links when they do.
Anti spam software is vital for reducing the amount of emails that are shared. Groups should also review using a web filtering solution that can block access to known phishing websites. The most effective real-time URL filtering solutions do not need blacklists and banned IP addresses to block attacks. Blacklists are still useful and can stop phishing attacks, but phishing websites are normally only active for a few hours – Before the sites are seen as malicious and added to blacklists. A variety of additional detection mechanisms are needed to block phishing websites. Due to the rise in phishing sites on secure websites, web filters should be able to decrypt, scan, and re-encrypt web traffic.
Healthcare groups should also sign up to threat intelligence services to receive warnings about sector related attacks.