I heard that phishing attacks are now using proxy programs to simplify the attack process. How is it different from a traditional phishing attack? Are there any new defense measures?
Phishers, malware authors and other cybercriminals have adapted functionality from legitimate security tools in many ways. For example, Metasploit Pro includes a phishing campaign feature that automates much of a phishing attack, and TrustedSec's Social-Engineer Toolkit (SET) can aid in building phishing attacks.
Phishers most likely also have their own automated tooling for cloning a target website, generating phishing emails, poisoning search results (malicious search engine optimization), harvesting information from victims and moving the stolen data to a site the phisher considers safer from takedown.
A phishing technique discovered in November 2014 and dubbed Operation Huyao adds two steps that reduce the chance of a victim realizing they have been phished. In this attack, which targets online shopping sites, the phisher uses a proxy program to relay the legitimate site's pages to the victim, so the product pages the victim browses are the real ones, and then inserts a custom checkout process where payment details are captured. The custom checkout is necessary because some Web browsers pop up a warning before submitting data over an unencrypted form; an SSL proxy could have captured the data as it was submitted to the legitimate e-commerce site, but setting up SSL proxies is considerably more work for the phisher.
Detecting an Operation Huyao-style attack is difficult for end users. A careful user could examine the URL bar and notice that the address is not the retailer's own domain, revealing that a proxy site sits in the path, but URL bars aren't always displayed, and there are other ways to perform a man-in-the-middle attack. Additionally, if SSL was used, the SSL certificate could be examined to confirm that the site was fraudulent.
Host-based and network-based security tools, such as an intrusion detection system or a network antimalware gateway, should detect and block known phishing websites until they are taken down. Website operators can detect this type of attack against their own sites by monitoring for a significant number of remote connections from a single new IP address, but the same pattern could simply be a new NAT gateway or a legitimate proxy, so individual incidents require additional investigation.
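The operator-side check described above, as an added example that is not part of the original column: it parses web-server access logs in Combined Log Format, totals requests per source address, and flags addresses that are not in a baseline of known IPs and exceed a request threshold. The log lines, the IP addresses, the `KNOWN_IPS` baseline and the threshold are all constructed for the example; the per-IP user-agent and path counts are added triage context for the follow-up investigation the column says each hit needs.

```python
"""Flag unfamiliar source IPs that open an unusual number of connections.

Added example, not from the original column. Applies the check Nick Lewis
describes (many remote connections from one new IP) to access-log lines.
All log lines, addresses and the baseline below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed Combined Log Format lines. 203.0.113.7 is an unfamiliar address
# relaying several shoppers; 198.51.100.20 is a known corporate NAT gateway;
# 192.0.2.5 is a single ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/38.0"
203.0.113.7 - - [12/Nov/2014:10:01:05 +0000] "GET /item/4411 HTTP/1.1" 200 8830 "-" "Mozilla/5.0 (Macintosh) Safari/537"
203.0.113.7 - - [12/Nov/2014:10:01:09 +0000] "GET /item/9021 HTTP/1.1" 200 7712 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/38.0"
203.0.113.7 - - [12/Nov/2014:10:01:14 +0000] "POST /cart/add HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1) Safari/600"
203.0.113.7 - - [12/Nov/2014:10:01:20 +0000] "GET /cart HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (Macintosh) Safari/537"
203.0.113.7 - - [12/Nov/2014:10:01:31 +0000] "GET /item/1200 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows NT 6.3) Firefox/33.0"
198.51.100.20 - - [12/Nov/2014:10:02:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/38.0"
198.51.100.20 - - [12/Nov/2014:10:02:03 +0000] "GET /item/77 HTTP/1.1" 200 6001 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/38.0"
198.51.100.20 - - [12/Nov/2014:10:02:11 +0000] "GET /item/78 HTTP/1.1" 200 6010 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0"
198.51.100.20 - - [12/Nov/2014:10:02:40 +0000] "GET /cart HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/38.0"
192.0.2.5 - - [12/Nov/2014:10:03:12 +0000] "GET /item/4411 HTTP/1.1" 200 8830 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/33.0"
"""

# Constructed baseline: addresses the site already expects to see a lot of
# traffic from (partner NAT gateways, monitoring probes, a CDN, and so on).
KNOWN_IPS = {"198.51.100.20"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Parse Combined Log Format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        records.append(rec)
    return records


def summarize_by_ip(records):
    """Per-IP request count, distinct user agents, distinct paths and time span."""
    stats = defaultdict(lambda: {"requests": 0, "user_agents": set(),
                                 "paths": set(), "first": None, "last": None})
    for r in records:
        s = stats[r["ip"]]
        s["requests"] += 1
        s["user_agents"].add(r["ua"])
        s["paths"].add(r["path"])
        s["first"] = r["ts"] if s["first"] is None else min(s["first"], r["ts"])
        s["last"] = r["ts"] if s["last"] is None else max(s["last"], r["ts"])
    return stats


def flag_new_high_volume_ips(records, known_ips, threshold):
    """Return {ip: stats} for addresses outside the baseline with >= threshold requests.

    A hit is a lead, not a verdict: a new NAT gateway or a legitimate forward
    proxy produces the same pattern, so each flagged address needs follow-up.
    """
    return {
        ip: s for ip, s in summarize_by_ip(records).items()
        if ip not in known_ips and s["requests"] >= threshold
    }


if __name__ == "__main__":
    hits = flag_new_high_volume_ips(parse_log(SAMPLE_LOG), KNOWN_IPS, threshold=4)
    for ip, s in hits.items():
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{ip}: {s['requests']} requests in {span:.0f}s, "
              f"{len(s['user_agents'])} user agents, {len(s['paths'])} distinct paths")
```

On the constructed input only 203.0.113.7 is reported; the known NAT gateway is suppressed by the baseline and the single visitor falls under the threshold. In production the baseline would be maintained from historical traffic and the threshold tuned to the site's normal per-address volume, and a flagged address still needs a human or a follow-up query (for example, whether the same shopper session appears from several addresses) before anyone acts on it.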
Ask the Expert:
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email. (All questions are anonymous.)