Chapter 6: Navigating the Phishing Maze: Tactics, Trends, Innovations, and Evasions

Download The Reports

The realm of phishing threats has evolved into a complex landscape, demanding a comprehensive exploration to understand and confront the dynamic tactics employed by cyber adversaries. In this chapter, we delve deep into various facets of phishing, from server-side attempt to detect sandboxes to the misuse of redirection services , reCAPTCHA and QR Codes.

 

VM Detection Challenges: Server-Side Tricks

A major challenge encountered was the server-side attempt to detect sandboxes. Phishing sites are likely trying to detect sandboxes through the association of IP addresses with known VPNs with the intent of redirecting the visitor to benign websites like Wikipedia, delivering 404 error messages, or aborting connections instead of revealing the phishing page.

The goal is to ensure that URLs function normally on personal devices but not within sandboxes.

 

Redirection Shenanigans: Exploiting Trustworthy Platforms

Another persistent issue involved the misuse of redirection services by phishing actors to lend a veneer of trust to their malicious links. Services like LinkedIn and Google were exploited to camouflage phishing URLs.

Additionally, official services provided by platforms such as Facebook and Google were manipulated for targeting victims. For instance, in one case, Google Forms was used for payment requests in phishing schemes, where the ‘from’ field being ‘noreply@google.com’ added an air of legitimacy to the scam.

 

Fake reCAPTCHA Pages: Enhancing Credibility or Avoiding Detection?

Phishing sites are also increasingly deploying fake reCAPTCHA pages instead of real ones. This tactic could be aimed at avoiding detection by CAPTCHA services or lending an additional layer of credibility to the phishing sites in the eyes of potential victims.

 

QR code and phishing

 

Quishing Trends: QR Codes’ Expanding Realm

In addition to evolving phishing tactics, the trend of “Quishing” (phishing involving QR codes) has become increasingly prevalent. Initially used in emails, QR codes are now incorporated into PDF and Word documents, HTML attachments, and websites.

 

Innovative Evasion Techniques: QR Code Complexity

Attackers are also employing innovative evasion techniques. One method involves using slightly blurry images in QR codes, easily decipherable by smartphones but posing challenges for automated software.

Another technique includes inverting the colors or randomly tilting QR code squares to the left or right, making it easier for smartphones to read them but potentially causing automated QR extraction libraries used in security solutions to fail. These strategies highlight the ongoing need for advanced methods in detecting and countering phishing attacks.

 

Trusted Domains Exploitation: The Open Redirect Menace

Phishing attacks have also increasingly exploited trusted domains by abusing so-called “open redirect” vulnerabilities. Attackers use reputable domains like LinkedIn, Google, or Microsoft to create phishing links, capitalizing on the trust users have in these well-known services.

This approach is particularly effective as the legitimate domains do not immediately raise suspicions, especially among non-technical users.

 

Evolution Beyond Open Redirection: Leveraging Trusted Domains

Attackers have evolved beyond merely exploiting open redirection vulnerabilities. Some now host malicious content on services associated with well-known domains, like Microsoft’s “blob.core.windows.net” for Azure blob/data storage, where attackers can even choose a subdomain, or Adobe’s “indd.adobe.com” for publishing InDesign documents online.

By leveraging these trusted domains, attackers can more effectively deceive users and circumvent traditional security measures.

 

Less Known TLDs in Phishing: A Suspicions Wake-Up Call

Additionally, we have observed a notable trend in phishing: many phishing pages used less known Top-Level Domains (TLDs) such as “.top” or “.xyz”. To understand this trend better, we analyzed URLs automatically submitted to our systems in the last 30 days (between December 2023 and January 2024), focusing on the association of certain domains with malicious activities.

The analysis, while inherently biased as most links in the dataset were malicious, still confirmed an observed pattern: certain TLDs are highly associated with malicious activities, to the extent that the mere presence of these TLDs should raise user suspicion. Conversely, the most trusted domains were those with stricter controls, like “.edu” or “.gov”, which are less likely to be associated with phishing due to the rigorous requirements for their registration.

 

Beyond Traditional Entry Points: Exploring New Frontiers

There has been a notable shift in phishing tactics, with attackers moving beyond traditional entry points like email. Users are increasingly wary of email-based threats, leading attackers to explore alternative platforms.

This quarter, innovative phishing attempts were observed through various services, including Microsoft Teams, where DarkGate malware was delivered. Google Ads were exploited to distribute different malware families, and text messages masquerading as communications from Amazon, delivery services, or even family members.

 

Exploiting Alternative Platforms: Unconventional Communication Channels

Furthermore, attackers have utilized Skype (see Figure 4) and GitHub Gists, which are public pages for sharing code snippets, similar to Pastebin. These Gists can be indexed by search engines, making them accessible via Google.

This method was exploited by at least one attacker to trick victims into installing a malicious Python package via pip.

 

Conclusion

In this quarter, we witnessed a distinct evolution in phishing techniques, including server-side VM detection, misusing redirection services from reputable domains, and deploying fake reCAPTCHA pages.

The emergence of “Quishing” using QR codes in various document formats and evasion techniques like blurry images or tilted QR dots demonstrate the adaptive methods used by attackers.

Phishing sites leveraging less known TLDs like “.top” or “.xyz” and hosting malicious content on services linked to well-known domains indicate a calculated approach to gain user trust.

Additionally, the shift from traditional phishing mediums to platforms like Microsoft Teams, Google Ads, text messages, Skype, and GitHub Gists reveals the attackers’ inclination towards exploiting varied and less conventional communication channels.

 

Days
Hours
Minutes
Seconds

Join us for the Halloween edition of our regular “Threat Detection Highlights” webinar series focusing on Latrodectus loader!