I heard that phishing attacks are now using proxy programs to simplify the attack process. How is it different from a traditional phishing attack? Are there any new defense measures?
Phishers, malware authors and cybercriminals have adapted functionality provided by legitimate security tools in many different ways. For example, Metasploit Pro has a phishing toolkit that helps automate much of a phishing attack, and TrustedSec's Social Engineering Toolkit can aid in the development of phishing attacks.
Phishers probably have many automated tools for cloning a target website, generating phishing emails, malicious search engine optimization, collecting targeted information and transferring data to a more secure site.
A new phishing technique that was discovered in November 2014 dubbed Operation Huyao involves two new steps that could minimize the chances of a victim realizing they were phished. In this attack, which targets online shopping sites, the phisher adds a custom checkout process and uses proxy programs to access the target website. The custom checkout is necessary because some Web browsers have pop-ups that warn about submitting data over an unencrypted form; while an SSL proxy could have been used to capture the data as it was submitted to the legitimate e-commerce website, setting up SSL proxies is much more challenging for phishers.
Detecting an Operation Huyao phishing attack might be difficult for end users. While users could carefully examine the URL bar, notice that a proxy is being used and so avoid the phishing attack, URL bars aren't always displayed, and there are other ways to perform a man-in-the-middle attack. Additionally, if SSL was used, the SSL certificate could be examined to see that it was a fraudulent website.
Host-based and network-based security tools like an intrusion detection system or network antimalware tool should detect and block phishing websites until they are taken down. While website operators can detect this type of attack against sites by monitoring for a significant number of remote connections from one new IP, this occurrence could just be a new NAT or legitimate proxy. Individual incidents will require additional investigation.
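The website-operator check described above, as an added example that is not part of the original answer or of any tool mentioned in it: a small Python script that runs over web-server access logs and flags source IPs, not already known as corporate NATs or legitimate proxies, that suddenly originate many distinct shopping sessions with many different browsers. The log layout (combined format with a session-cookie value appended), the thresholds, the known-proxy list and the log lines themselves are all constructed assumptions for illustration.

```python
"""Flag source IPs that suddenly relay many distinct shopping sessions.

Heuristic from the answer above: a phishing proxy that forwards victims to the
real e-commerce site shows up as a burst of remote connections from one new IP.
Because a fresh corporate NAT or a legitimate proxy looks the same, hits are
triage candidates, not verdicts. Log layout, thresholds and sample data are
assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout: Apache "combined" format with the session cookie appended as sess=<id>.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" sess=(?P<sess>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one suspicious relay, one documented NAT, one ordinary shopper.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2014:10:00:01 +0000] "GET /product/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0" sess=a1
203.0.113.7 - - [12/Nov/2014:10:00:05 +0000] "POST /checkout HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Macintosh) Safari/8.0" sess=b2
203.0.113.7 - - [12/Nov/2014:10:00:09 +0000] "GET /cart HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.3) Chrome/38.0" sess=c3
203.0.113.7 - - [12/Nov/2014:10:00:12 +0000] "POST /checkout HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0" sess=d4
203.0.113.7 - - [12/Nov/2014:10:00:20 +0000] "GET /product/7 HTTP/1.1" 200 4990 "-" "Mozilla/5.0 (Linux; Android 4.4) Chrome/38.0" sess=e5
203.0.113.7 - - [12/Nov/2014:10:00:31 +0000] "POST /checkout HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Macintosh) Safari/8.0" sess=f6
198.51.100.9 - - [12/Nov/2014:10:01:00 +0000] "GET /product/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0" sess=g7
198.51.100.9 - - [12/Nov/2014:10:01:03 +0000] "GET /cart HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Safari/8.0" sess=h8
192.0.2.55 - - [12/Nov/2014:10:02:00 +0000] "GET /product/9 HTTP/1.1" 200 4400 "-" "Mozilla/5.0 (Windows NT 6.3) Chrome/38.0" sess=i9
192.0.2.55 - - [12/Nov/2014:10:02:40 +0000] "POST /checkout HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 6.3) Chrome/38.0" sess=i9
this line is not in the expected format
"""

# Assumed allowlist of IPs already known to be corporate NATs or legitimate proxies.
KNOWN_PROXIES = {"198.51.100.9"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_proxy_candidates(lines, known_ips, window=timedelta(minutes=10),
                          min_sessions=5, min_agents=3):
    """Return {ip: summary} for IPs outside known_ips that, within any sliding
    time window, carry at least min_sessions distinct sessions and min_agents
    distinct User-Agent strings. A single scanner usually has one User-Agent;
    a relay of many victims' browsers (or a NAT) shows many."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        if ip in known_ips:
            continue
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            sessions = {r["sess"] for r in chunk}
            agents = {r["ua"] for r in chunk}
            if len(sessions) >= min_sessions and len(agents) >= min_agents:
                # Summarise the first window that trips the thresholds and move on.
                flagged[ip] = {
                    "sessions": len(sessions),
                    "user_agents": len(agents),
                    "checkouts": sum(1 for r in chunk if r["path"].startswith("/checkout")),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in find_proxy_candidates(SAMPLE_LOG.splitlines(), KNOWN_PROXIES).items():
        print(f"investigate {ip}: {summary}")
```

The allowlist is what keeps the answer's caveat in view: an address that trips the thresholds may simply be a new NAT or a legitimate proxy, so a hit should open an investigation (for example, checking whether the sessions' referers and checkout flows match what a real storefront visit would produce) rather than trigger an automatic block.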
Ask the Expert:
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email. (All questions are anonymous.)