The latest evolution of URL-less phishing attacks through rendezvous algorithms

Written by Enrico Frumento, CEFRIEL

The traditional concept of phishing that most people have, even among IT security workers, is an email with some deceptive text, or more generally a hook, which contains a URL to which the unsuspecting user is driven. Wherever the text is (in the email body or in an attachment), the threat model is the same: a component of the email (i.e., the body or the attachment) leads to a malicious URL.
Most anti-phishing defence instruments are built around this paradigm. The systems that inspect the body of emails, or the URL filtering instruments integrated into email clients, are deeply tied to this model of phishing. Nothing wrong with that, of course: most phishing emails still fit this model, but things are evolving and new trends are appearing in the wild; cybersecurity is a continuous arm-wrestling match. There are some interesting new evolutions that may change the current landscape of defence tools.

For a phisher, two solutions to avoid being caught exist: the first is to use convincing, well-crafted emails or attachments; the second is to avoid any URL in the phishing email that could be detected by some sort of tool. The first option has been exploited in the wild for some time: we have been seeing increasingly high-quality phishing emails for years. From the initial concept of spam, attackers evolved toward phishing, spear-phishing and lastly context-aware phishing (this last evolution is still little explored) [1].

The latter, which goes under the name of URL-less phishing, is less simple; its latest evolutions started to appear just a few months ago.
The road towards URL-less phishing emails passed through the earlier use of obfuscation techniques, to deceive URL monitoring systems or the user directly, and of web site trampolining.

  • The intention of obfuscation techniques is always to trick users or URL monitoring systems into thinking a website link is legitimate. Three primary techniques are the most used: URL shorteners, URL doppelgangers, and URL redirects [2]. Most up-to-date defence systems are able to detect most of these attempts.
  • The intention of trampolining is instead to decouple the delivered phishing message from the final landing URL through several intermediate redirectors (e.g., compromised sites).

The combination of obfuscation and trampolining makes the whole solution flexible and efficient.

Of course, URL-less phishing emails have always existed, for different reasons: one classic example, documented even on Wikipedia, is Bayesian poisoning [3][2], whose aim is to degrade the effectiveness of spam filters that rely on Bayesian filtering, through the text of the email, as a preparatory part of an attack. Their usage, though, was limited to specific attack plans.

Recently, Comodo reported the interesting example of IKARUS dilapidated (the name comes from a string found inside the ransomware), a Locky-based ransomware whose campaigns hit several enterprises in the wild [4][5][6].

Among the novelties of this attack, one is particularly interesting: the presence of a script, contained in the malicious attachment, whose aim is to generate phishing URL domain names in real time, to fool the A.I.-based detection tools and evade any blacklisting in the middle. Essentially, it behaves like a rendezvous script, conceptually like those used by botnets. Botnet rendezvous scripts perform a specific function: they generate the URL of the Command & Control Center (CCC) at the instant T, where the bots converge to get commands or send the captured data [7]. Similarly, the IKARUS script generates domain names (i.e., hooks) in real time, to which the phishing victims are redirected. The script, like the similar botnet scripts, has its own evasion tricks and generates URLs that are appealing to a human (e.g., not random and illegible) and hard to classify as malicious by an A.I.

This is an interesting evolution because the accumulated know-how of botnet herders can be spent on novel phishing attacks, and we expect further evolution of this type of technique.

More formally, in cognitive radio networks, rendezvous is an operation by which two cognitive users establish a communication link on a commonly available channel. For convenience, we use “cognitive users” to refer to the phishing victim and the landing (malicious) web site, and “channel” to refer to the generated landing URL.

Some existing rendezvous algorithms can guarantee that rendezvous is completed within finite time; they generate channel-hopping (CH) sequences based on the whole channel set. However, some channels may not be available (i.e., malicious URLs that have already been blocked or blacklisted), and these existing algorithms would replace the unavailable channels in the CH sequence [8]. Replacing the unavailable channels also involves the concept of trampolining: it consists in switching the unavailable channel (i.e., the URL) in one of the redirectors of the trampolining sequence, in time for the next rendezvous of the cognitive users (i.e., the phished employee and the landing site).

One type of rendezvous algorithm is the DGA (Domain Generation Algorithm), which attackers use to give malware the ability to compute where the command and control servers will be at any given time. Similarly, a DGA can be used to give the phishing system the ability to compute where the landing page will be at any given time: the local script contained in the hook (i.e., the email) generates channels (i.e., URLs) in sync with the hosting system.
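The two paragraphs above make a defender-relevant point: the generated landing domains are chosen to look human-friendly, so the lexical heuristics that catch classic random-looking DGA output (high character entropy, few vowels) do not fire on them. The following added example, which is not code from the article or from the reported campaign, triages constructed sample domains with those lexical checks and shows which kind of generated name slips through; the word list and thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed sample domains (illustrative, not real indicators)
SAMPLE_DOMAINS = [
    "xk3qz9rtwvbm.example",            # random-looking, classic DGA style
    "invoice-billing-update.example",  # word-based, "appealing to a human"
    "secure-account-portal.example",
    "news.example",                    # ordinary benign-looking name
]

# Tiny stand-in for a dictionary (assumption: a real deployment uses a word list)
WORDS = {"invoice", "billing", "update", "secure", "account", "portal", "news"}

def shannon_entropy(label):
    """Bits per character of the registrable label; random strings score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def vowel_ratio(label):
    """Share of vowels among letters; random labels are often vowel-poor."""
    letters = [c for c in label if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0

def dictionary_coverage(label):
    """Fraction of characters covered by dictionary words (tokens split on '-')."""
    tokens = [t for t in label.split("-") if t]
    total = sum(len(t) for t in tokens)
    covered = sum(len(t) for t in tokens if t in WORDS)
    return covered / total if total else 0.0

def classify(domain):
    """Lexical triage only: 'random-like', 'dictionary' or 'unclassified'."""
    label = domain.split(".")[0].lower()
    if dictionary_coverage(label) >= 0.8:
        # Word-based names pass lexical checks; benign and generated ones look
        # alike here, so they need non-lexical signals (domain age, registration
        # time, redirect chain) before any verdict.
        return "dictionary"
    if shannon_entropy(label) > 3.0 and vowel_ratio(label) < 0.2:
        return "random-like"
    return "unclassified"

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        label = d.split(".")[0]
        print(f"{d:34} H={shannon_entropy(label):.2f} "
              f"vowels={vowel_ratio(label):.2f} "
              f"dict={dictionary_coverage(label):.2f} -> {classify(d)}")
```

The random-style label is flagged on entropy and vowel ratio alone, while every word-based label, generated or benign, lands in the same "dictionary" bucket, which is why the article's blacklist-evading, human-readable domains need registration-time and redirect-chain signals rather than string statistics.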

What the phishing herder hence needs to do is register the channel (i.e., the landing URL) in time, an activity that, according to [9], is performed quite efficiently:

  • 46000 new phishing sites created every day, an average of 1.385 million new, unique phishing sites each month, with a high of 2.3 million sites created in May 2017;
  • very short-lived phishing sites, with the majority being online and active for only 4 to 8 hours;
  • phishers utilize social engineering to uncover relevant personal information for individualized attacks;
  • zero-day websites used for phishing may number in the millions each month, yet they tend to impersonate a small number of companies.


[1] “D2.1 The role of Social Engineering in the evolution of attacks”, DOGANA Project (GA. 653618), 2016. [Online]. Available: https://www.dogana-project.eu/images/PDF_Files/D2.1-The-role-of-SE-in-the-evolution-of-attacks.pdf

[2] “URL Obfuscation: Still a Phisher's Phriend”, Dark Reading, 2017. [Online]. Available: https://www.darkreading.com/partner-perspectives/f5/url-obfuscation-still-a-phishers-phriend/a/d-id/1330027?

[3] “Bayesian poisoning”, Wikipedia.org, 2017. [Online]. Available: https://en.wikipedia.org/wiki/Bayesian_poisoning

[4] “IKARUSdilapidated: Locky Ransomware Family Back with a New Email Phishing Campaign Attack”, Comodo, 2017. [Online]. Available: https://www.comodo.com/ctrlquarterlyreport/Comodo_LockyRansomwareReport_081717.pdf

[5] “IKARUS dilapidated Locky Part II: 2nd Wave of Ransomware Attacks Uses Your Scanner/Printer, Post Office Billing Inquiry”, Comodo Threat Intelligence Lab, 2017. [Online]. Available: https://www.comodo.com/ctrlquarterlyreport/Comodo_IKARUSdilapidated_Special_Report_Part_II.pdf

[6] “Ransomware phishing attacks Lure employees, beat machine learning tools: Part III of the Evolving IKARUSdilapidated and Locky Ransomware Series”, Comodo Threat Intelligence Lab, 2017. [Online]. Available: https://www.comodo.com/ctrlquarterlyreport/Comodo-20Sept-2017-special-report-konica-copier-attack.pdf

[7] D. Plohmann, E. Gerhards-Padilla and F. Leder, “Botnets: Detection, Measurement, Disinfection & Defence”, Enisa.europa.eu, 2011. [Online]. Available: https://www.enisa.europa.eu/publications/botnets-measurement-detection-disinfection-and-defence/at_download/fullReport

[8] L. Yu, H. Liu, Y. Leung, X. Chu and Z. Lin, “Efficient Channel-Hopping Rendezvous Algorithm Based on Available Channel Set”, arXiv:1506.01136v1 [cs.NI], 2015. [Online]. Available: https://arxiv.org/pdf/1506.01136.pdf [Accessed: 06-Oct-2017]

[9] “46,000 new phishing sites are created every day”, Help Net Security, 2017. [Online]. Available: https://www.helpnetsecurity.com/2017/09/22/46000-new-phishing-sites/ [Accessed: 06-Oct-2017]

This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618