Authored by Jim Black, Sr. Product Marketing Manager, Akamai's Enterprise Security Business Unit
Phishing is not a new security problem. In fact, it’s been around since the earliest days of email when most users received numerous emails from African kings or other high-ranking officials who promised them great riches if they simply provided their bank account details. Things have changed a lot since then.
Those poorly worded email scams have evolved to the point at which highly sophisticated phishing campaigns are being executed on an industrial scale. Attackers are continuously adapting their approaches and techniques to evade detection and fly under the security radar. Moreover, in the past few years, we have seen the attackers extend their phishing way beyond email to use social media, instant messaging, and other channels to reach potential victims and ensnare them in the scam.
Multiple layers of security
In response, most companies now use multiple approaches to try and protect themselves against the risk of an employee falling for a phishing email that asks them, for example, to reset their password. This will include multiple layers of security, often including a secure email gateway or a cloud-based email security service and the ongoing education of users to ensure they remain vigilant. Despite these measures, phishing attacks are still highly successful and can often be the starting point for a much more significant security breach.
Human vulnerabilities
However, if we look at the history of phishing from those early efforts right up to today’s sophisticated attacks, the common thread is that phishing targets human vulnerabilities. And, as we all know, when security requires a human to make the right decision it is likely to fail at some point.
Akamai’s security research team investigated the problem to determine if there might be new approaches that could help organizations improve their protections against phishing. The team found that attackers were often using low-cost, off-the-shelf phishing kits that allowed them to quickly build and execute very sophisticated, highly scaled phishing campaigns that were often using and abusing hosting services and content delivery networks to do so.
Short-lived attacks
On the back of that research and analysis, the team created a novel way to identify and block brand-new phishing pages in real time, even if these were being accessed for the very first time. What was most interesting was that these detected phishing pages were not yet listed in any of the phishing block lists that are frequently used to prevent access; in fact, there were delays of hours and even days before these phishing domains and URLs appeared in these lists. Another observation was that many attacks were short lived and their lifespan could be measured in hours and sometimes minutes, rather than days and weeks. The delay in adding new phishing domains and URLs with a short lifespan to these block lists was creating a potential security gap.
The zero-day phishing detection engine
The research led to the development of a zero-day phishing (ZDP) detection engine, which was incorporated into Akamai’s cloud secure web gateway, Enterprise Threat Protector. Very simply, the engine leverages Akamai’s unprecedented visibility into internet traffic to feed an offline machine learning system that checks to see if recently created phishing pages have been built using either an existing phishing toolkit that we already know about or a brand-new or modified kit.
Based on collecting and analyzing large volumes of phishing data, Akamai created an automatic
mechanism that continuously creates “fingerprints” that can be used to detect new kits or variants of existing kits. Those fingerprints are then pushed out to Akamai’s global proxy platform every few hours.
When web content is requested, the ZDP engine compares the page against its live database to determine if this is a phishing page without any prior context about the domain or URL being accessed. To further improve protections for all customers beyond patient zero, when a newly created phishing page is detected, the domain or the URL is then added to our threat intelligence list so that subsequent requests by any user are proactively blocked at the DNS level.
Real-time in-line detection
The ZDP engine has been deployed as a real-time in-line detection for more than a year now, so we thought it might be interesting to see how many unique, newly created phishing pages had been detected. In 2021, the ZDP engine identified and blocked more than 54,000 newly created unique phishing pages.
A look at the brands that are most frequently targeted by these scams revealed that Facebook and Microsoft are among the most popular. Looking into phishing toolkits being used as part of phishing scams, we were able to see that toolkits such as Question Quiz, Kr3pto, and 16Shop are still being used extensively to steal credentials and sensitive information, and abuse the reputation of brands.
