We are big on Quick Wins at Securosis. Mostly because we know how hard it is to justify new technology (or processes or people), and that if you can’t show value quickly on a new project, every subsequent request gets harder and harder to get through. Until you have a breach, that is. Then your successor gets carte blanche for a honeymoon period to do the stuff you were trying to do the whole time.
Ultimately disrupting a phishing attack is an application of simple economics. If it costs more for attackers to phish your brand, their margins will go down and eventually they will look to other attacks (or other targets) that return more profit. So for Quick Wins, focus on making phishing campaigns more expensive. That means messing with their sites, more effectively helping customers protect themselves, and ultimately shortening the window attackers have to monetize your customers.
Your quiver is filled with the key intelligence sources we discussed in Analyzing the Phish Food Chain, so what comes next? How can you use information like phisher email addresses, IPs, and domains to disrupt and/or stop attacks on your brand?
Taking the Phish out of the Pool
The first and most common remediation remains the phishing site takedown. Obviously phishing attacks are frustrated if the evil site is not available to harvest account credentials and/or deliver malware. But this is not an immediate fix – it takes time to prepare the documentation required by ISPs, domain registrars, domain owners, browser vendors, telecom providers, and any other organization that can take the site offline. Remember, too, that many phishing sites are hosted on legitimate – albeit compromised – web sites, so site takedowns inflict collateral damage on legitimate sites as well. We are not in the excuses business, so it’s not like we would feel bad when a compromised site is taken down until it is fixed, but keep in mind that the cost isn’t only to the phisher.
One of the keys to dealing with advanced malware is determining whether it makes more sense to observe the attacker to gain intelligence about tactics, objectives, etc., than to remediate the device immediately. Phishing sites demand a similar decision. If you have identified the phisher as a frequent attacker, does it make more sense to observe traffic from those sites? Or to monitor the attack kits and analyze the malware downloaded to compromised devices? The answer varies, but this kind of analysis requires sophisticated incident response and malware analysis capabilities.
A few other tactics can be helpful in disrupting phishing attacks, including directly notifying browser vendors of malicious sites: all major browsers now include real-time checks for phishing and other malware sites, and warn users before they visit compromised sites. Similarly, communicating with the major security vendors and submitting IP addresses and domains to their security & threat research teams can give these sites and IPs negative reputations and get them blocked within web and email security gateways.
If you have been able to identify the email address the phisher uses to harvest account credentials, you can work with their service provider (typically a major consumer email provider such as Google, Yahoo!, or Microsoft) to limit access to the account. Or work with law enforcement to track the attacker’s identity as they access the account to collect their spoils. All these tactics make it harder for phishers to lure victims to their phishing sites, steal information, and then harvest it.
Speaking of law enforcement, much of the information you need to gather to facilitate phishing site takedowns, such as IP addresses, domains, email addresses, and phishing kit specifics, is directly useful for law enforcement’s ultimate efforts to prosecute the phishers. Prosecution is rarely job #1, especially because many attackers reside in places where prosecution remains difficult, but if you need to gather the data anyway, you might as well let law enforcement run with it.
Other Tactics for Disrupting Phishing
Taking down the phishing site isn’t your only means to disrupt attacks. You can also use active controls already in place in your environment to minimize the damage caused by the attack. Let’s start with the network: your intelligence efforts have yielded a number of data points, such as IP addresses and domains associated with an attack. You may be able to work with the network operations team to block devices connecting to your site from these IPs or domains. At least you should be able to tag these devices and monitor their transactions for suspicious activity. When dealing with fraud attacks against millions of customers, being able to focus your efforts on accounts more likely to be compromised really helps.
Another tactic is to adaptively require stronger authentication for accounts exhibiting suspicious activity. Phishers collect account numbers and passwords, rarely worrying about security questions or additional authentication factors. So if you see a login attempt from a suspicious IP address or domain, you can further challenge the user attempting to log in by requiring additional authentication details. Attackers generally go after the easiest targets, so this is a great way to make attacks against you more expensive, and is likely to drive phishers elsewhere.
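As an added illustration of the tag-and-challenge approach described in the two paragraphs above (example code, not from the Securosis post), here is a small routine that checks a login attempt against intelligence-derived indicators and returns allow, step-up, or block. The networks, domains, device signal, thresholds and login attempts are all constructed assumptions.

```python
# Added example (not from the Securosis post): score a login attempt against
# indicators gathered through phishing intelligence and decide whether to allow
# it, tag it and require step-up authentication, or block it. All networks,
# domains, thresholds and attempts below are constructed for illustration.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # tag the session and demand an extra authentication factor
    BLOCK = "block"

# Constructed intelligence: infrastructure observed in campaigns against the brand.
PHISH_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
PHISH_DOMAINS = {"login-examplebank-secure.example", "examp1ebank.example"}

@dataclass
class LoginAttempt:
    account: str
    src_ip: str
    referer_host: str   # host that sent the browser to the login page, "" if none
    new_device: bool    # device fingerprint never seen on this account before

def matched_indicators(attempt: LoginAttempt) -> list[str]:
    """Return the intelligence indicators this attempt matches, for fraud monitoring."""
    hits = []
    ip = ipaddress.ip_address(attempt.src_ip)
    hits += [f"ip:{net}" for net in PHISH_NETS if ip in net]
    if attempt.referer_host.lower() in PHISH_DOMAINS:
        hits.append(f"referer:{attempt.referer_host.lower()}")
    return hits

def decide(attempt: LoginAttempt) -> Decision:
    """Arrival from a known phishing page plus a campaign IP is strong evidence: block.
    A single indicator, or an unfamiliar device, only earns an extra challenge."""
    hits = matched_indicators(attempt)
    from_phish_page = any(h.startswith("referer:") for h in hits)
    from_phish_ip = any(h.startswith("ip:") for h in hits)
    if from_phish_page and from_phish_ip:
        return Decision.BLOCK
    if hits or attempt.new_device:
        return Decision.STEP_UP
    return Decision.ALLOW

if __name__ == "__main__":
    a = LoginAttempt("cust-1042", "203.0.113.45", "", new_device=False)
    print(decide(a), matched_indicators(a))   # Decision.STEP_UP ['ip:203.0.113.0/24']
```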
Finally, you can work harder to stop the original phishing emails from reaching your customers’ inboxes in the first place. Leverage new standards like DMARC, which lets service providers and other large-scale senders build on DKIM and/or SPF message authentication to provide more accurate sender authentication. Combined with traditional anti-spam analysis techniques, these technologies can minimize false positives and ensure phishing messages get tossed before customers get an opportunity to hurt themselves.
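An added example of the DMARC side of this (not from the original post): a parser for a DMARC TXT record that flags the settings which still let spoofed mail reach inboxes, run against one constructed weak record and one constructed enforcing record.

```python
# Added example (not from the Securosis post): parse a DMARC TXT record and list
# the settings that still let spoofed mail reach customers' inboxes. The two
# records below are constructed; a real one is published at _dmarc.<domain>.
from __future__ import annotations

def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def dmarc_findings(record: str) -> list[str]:
    """Return weaknesses found in the record; an empty list means the record asks
    receivers to reject all unauthenticated mail for the domain and its
    subdomains and to report who is sending it."""
    t = parse_dmarc(record)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record: v=DMARC1 missing"]
    findings = []
    policy = t.get("p")
    if policy is None:
        findings.append("required p= tag missing")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine flags spoofed mail as suspicious instead of rejecting it")
    # Subdomain policy defaults to the p= value when sp= is absent (RFC 7489).
    if t.get("sp", policy) == "none" and policy != "none":
        findings.append("sp=none leaves subdomains open to spoofing")
    pct = t.get("pct", "100")   # default: apply the policy to all mail
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in t:
        findings.append("no rua= address: aggregate reports on spoofing attempts are lost")
    return findings

WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for rec in (WEAK_RECORD, STRONG_RECORD):
        print(rec, "->", dmarc_findings(rec) or ["no weaknesses found"])
```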
Addressing the Root Cause
Ultimately, much of what you can do to disrupt phishing is reactive. But it may also make sense to try reducing the likelihood of compromise at the point of attack: your customer. You can start with security education, working to help customers identify phishing domains and recognize the security mechanisms most consumer brands apply to email they send to customers. We are painfully familiar with the frustration of security awareness training, but this is another case of economics. If training your customers can demonstrably reduce fraud and/or brand damage, then these programs are worth considering.
Likewise, many organizations, especially in the financial sector, take an even more active approach by offering endpoint protection technology to customers for free. Preventing customers from being compromised in the first place breaks the attack cycle. Of course you need to make sure the technology is effective at blocking the typical advanced malware seen today, but some organizations have done the math and determined that providing effective endpoint protection is a much better deal than constantly cleaning up the messes of customers who clicked phishing links and logged into fake sites.
Finally, if you have isolated a particular web site being used in several phishing attacks against your customers, it may make sense to approach the company or webmaster directly to help fix their site. This is a thankless job, but your alternative is to take down the site, then wait for it to come back up and be compromised again. If you have had to take action against a site more than once, the problem is unlikely to get better, so you should consider intervening.
The Quick Win is key to disrupting phishing attacks and showing value from your email-based threat intelligence program. But ultimately an ongoing commitment to tracking phishing sites, attackers, IP addresses, domains, and attack kits is the only real way to react faster. While a live phishing site captures your customers’ credentials, the clock is ticking until you can get the site taken down. Understanding your adversaries and their tactics, and gathering applicable data, enables you to pinpoint attacks and determine the most effective remediation approach faster. And every minute counts during a phishing attack.