How can phishing attacks that use proxy programs be stopped?

Phishing attacks are adopting new functionality to avoid detection, including the use of proxy programs to simplify the attack process. Learn how to defend against this type of risk.

I heard that phishing attacks are now using proxy programs to simplify the attack process. How is it different from a traditional phishing attack? Are there any new defense measures?

Phishers, malware authors and cybercriminals have adapted functionality provided by legitimate security tools in many different ways. For example, Metasploit Pro has a phishing toolkit that helps automate much of a phishing attack, and TrustedSec's Social-Engineer Toolkit can aid in the development of phishing attacks.

Phishers probably have many automated tools for cloning a target website, generating phishing emails, performing malicious search engine optimization, collecting targeted information and transferring data to a more secure site.

A new phishing technique discovered in November 2014, dubbed Operation Huyao, involves two new steps that could minimize the chances of a victim realizing they were phished. In this attack, which targets online shopping sites, the phisher adds a custom checkout process and uses proxy programs to access the target website. The custom checkout is necessary because some Web browsers have pop-ups that warn about submitting data over an unencrypted form. An SSL proxy could have been used to capture the data as it was submitted to the legitimate e-commerce website, but setting up SSL proxies is much more challenging for phishers.

Detecting an Operation Huyao phishing attack might be difficult for end users. While users could avoid being phished by carefully examining the URL bar and noticing that a proxy is being used, URL bars aren't always displayed, and there are other ways to perform a man-in-the-middle attack. Additionally, if SSL were used, the SSL certificate could be examined to determine that the website was fraudulent.

Host-based and network-based security tools like an intrusion detection system or network antimalware tool should detect and block phishing websites until they are taken down. While website operators can detect this type of attack against sites by monitoring for a significant number of remote connections from one new IP, this occurrence could just be a new NAT or legitimate proxy. Individual incidents will require additional investigation.
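One way a site operator could implement the monitoring described above, as an added example that is not part of the original article: it scans web access-log lines, flags any source IP that is absent from a baseline of previously seen addresses and exceeds a request threshold, and reports context for the follow-up investigation. The Combined Log Format, the threshold, the `/checkout` path and the triage idea that traffic relayed to a custom checkout never reaches the shop's real checkout are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Combined Log Format (assumed): ip - - [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
CHECKOUT_PREFIX = "/checkout"  # hypothetical path of the shop's real checkout

def flag_new_heavy_sources(lines, known_ips, min_requests=100):
    """Summarise source IPs absent from known_ips that made >= min_requests requests."""
    stats = defaultdict(lambda: {"requests": 0, "agents": set(), "checkout": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in known_ips:
            continue  # malformed line, or an address already in the baseline
        s = stats[m["ip"]]
        s["requests"] += 1
        s["agents"].add(m["ua"])
        s["checkout"] += m["path"].startswith(CHECKOUT_PREFIX)
    findings = [
        {"ip": ip, "requests": s["requests"],
         "distinct_user_agents": len(s["agents"]),
         "checkout_requests": s["checkout"]}
        for ip, s in stats.items() if s["requests"] >= min_requests
    ]
    return sorted(findings, key=lambda f: f["requests"], reverse=True)

def sample_log():
    """Constructed sample data using documentation-range addresses."""
    def row(ip, path, ua):
        return f'{ip} - - [10/Jun/2015:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = []
    # New address relaying many browsers, never reaching the real checkout.
    for i in range(150):
        lines.append(row("203.0.113.7", f"/product/{i}", f"Browser/{i % 12}"))
    # New address behaving like an office NAT: mixed browsing and checkouts.
    for i in range(120):
        path = "/checkout/pay" if i % 10 == 0 else f"/product/{i}"
        lines.append(row("198.51.100.20", path, f"Browser/{i % 5}"))
    # Baseline address and a low-volume new visitor; neither should be flagged.
    lines += [row("192.0.2.10", "/", "Browser/1")] * 300
    lines += [row("198.51.100.99", "/", "Browser/2")] * 3
    lines.append("corrupted line")
    return lines

if __name__ == "__main__":
    for f in flag_new_heavy_sources(sample_log(), known_ips={"192.0.2.10"}):
        print(f)
```

Both new addresses are reported, since volume alone cannot separate a relay from a new NAT or legitimate proxy; the extra columns only help prioritize which incident to investigate first.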

Ask the Expert:
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email. (All questions are anonymous.)

This was last published in June 2015
