I heard that phishing attacks are now using proxy programs to simplify the attack process. How is it different from a traditional phishing attack? Are there any new defense measures?
Phishers, malware authors and cybercriminals have adapted functionality provided by legitimate security tools in many different ways. For example, Metasploit Pro has a phishing toolkit that automates much of a phishing campaign, and TrustedSec's Social-Engineer Toolkit (SET) can aid in the development of phishing attacks.
Phishers most likely have their own automated tools for cloning a target website, generating phishing emails, poisoning search engine results, collecting the targeted information and transferring the captured data to a site under their control.
A phishing technique discovered in November 2014 and dubbed Operation Huyao involves two steps that reduce the chance of a victim realizing they have been phished. In this attack, which targets online shopping sites, the phisher uses a proxy program to relay the legitimate website's content to the victim and inserts a custom checkout process. The custom checkout page is needed because some Web browsers pop up a warning when a form is submitted over an unencrypted connection; an SSL proxy could have captured the data as it was submitted to the legitimate e-commerce website, but setting up an SSL proxy is considerably more work for the phisher.
Detecting an Operation Huyao attack can be difficult for end users. A user could carefully examine the URL bar and notice that the page is being served through the phisher's proxy rather than from the legitimate domain, but URL bars aren't always displayed, and there are other ways to perform a man-in-the-middle attack. If SSL were used, the certificate could also be examined to confirm that it was not issued to the legitimate site.
Host-based and network-based security tools, such as an intrusion detection system or a network antimalware appliance, should detect and block known phishing websites until they are taken down. Website operators can detect this type of attack against their own sites by monitoring for a significant number of connections arriving from a single, previously unseen IP address; however, such a spike could just as easily be a new NAT gateway or a legitimate proxy, so individual incidents require additional investigation.
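The operator-side check described above (many connections from one new source IP, with the NAT/legitimate-proxy caveat) can be scripted against the site's access logs. The following is an added example written for this page, not code from Nick Lewis or from the Operation Huyao research. It assumes an Apache "combined" log format extended with the session cookie (`%{sid}C`), a hypothetical baseline set of previously seen source IPs, and thresholds chosen for illustration; the log lines it analyzes are constructed, not real traffic. Because a relay proxy that does not forward the victims' browser identity presents one User-Agent for every session while a NAT never does, the report records that distinction to help the analyst triage the hit rather than auto-blocking it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format with the session cookie appended: ... "%{User-Agent}i" "%{sid}C"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<sid>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_relay_candidates(lines, known_ips, window_minutes=10, min_requests=20, min_sessions=5):
    """Flag previously unseen source IPs that open many sessions within minutes of first appearing.

    known_ips: baseline of source addresses already seen in earlier logs (hypothetical input).
    Thresholds are illustrative; tune them to the site's normal per-IP traffic.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in per_ip.items():
        if ip in known_ips:
            continue  # only new sources are candidates
        recs.sort(key=lambda r: r["ts"])
        first = recs[0]["ts"]
        window = [r for r in recs if r["ts"] - first <= timedelta(minutes=window_minutes)]
        sessions = {r["sid"] for r in window if r["sid"] not in ("", "-")}
        agents = {r["ua"] for r in window}
        if len(window) >= min_requests and len(sessions) >= min_sessions:
            findings.append({
                "ip": ip,
                "first_seen": first.isoformat(),
                "requests_in_window": len(window),
                "distinct_sessions": len(sessions),
                "distinct_user_agents": len(agents),
                # One browser string across many sessions is what a relay that does not
                # forward the victims' User-Agent looks like; a NAT shows a mix of browsers.
                "single_user_agent": len(agents) == 1,
            })
    return findings


# --- constructed sample traffic (not real logs) ---------------------------------
UA_FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0"
NAT_AGENTS = [
    UA_FIREFOX,
    "Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 Chrome/38.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) Safari/600.1.25",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) Mobile/12B411",
]


def build_sample_log():
    base = datetime(2014, 11, 12, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, sid, ua, path="/product/42"):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 4096 "-" "{ua}" "{sid}"'

    lines = []
    # Previously known customer source: a few requests, one session.
    for i in range(3):
        lines.append(line("198.51.100.7", i * 30, "s-known", UA_FIREFOX))
    # New office NAT: many requests and sessions, but a mix of browsers.
    for i in range(25):
        lines.append(line("192.0.2.50", i * 10, f"s-nat-{i % 8}", NAT_AGENTS[i % len(NAT_AGENTS)]))
    # Hypothetical relay proxy: ten victims' sessions funnelled through one fetcher with one UA.
    for i in range(30):
        lines.append(line("203.0.113.10", i * 8, f"s-relay-{i % 10}",
                          "Mozilla/5.0 (compatible; relay-fetcher/1.0)"))
    return lines


if __name__ == "__main__":
    for f in find_relay_candidates(build_sample_log(), known_ips={"198.51.100.7"}):
        print(f)
```

Both new IPs are reported, which is the point of the caveat in the answer: the volume signal alone cannot tell the relay from the NAT, so the finding carries the session and User-Agent counts an analyst needs to follow up, and nothing is blocked automatically.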
Ask the Expert: answered by Nick Lewis.