Why DNS and Domain Monitoring Aren’t Reliable Ways to Detect Phishing
Phishing is a successful way for cyber criminals to attack systems and monetize their gains. According to APWG, 90% of breaches are due to phishing campaigns. The FBI recently announced losses due to cybercrime in 2019 surpassed $3.5B. Phishing attacks are automated by creating new domain registrations and site creation with tools (e.g., Httrack) that wholesale copy and spoof legitimate websites in minutes. The number of spoof sites has more than doubled over the past year, with 1.5 million appearing each month. And there is no end in sight.
Defenders have deployed a number of defensive strategies and products to combat phishing, yet this attack vector continues to proliferate. Among these, a number of brand protection and anti-phishing products employ domain monitoring and DNS directory information analysis to identify and take down likely spoof sites. The process is inherently an inferential procedure that cannot guarantee full coverage to identify all spoof sites. The process is also not instantaneous. By the time a malicious site is detected, it may have been in operation for quite a long time.
Searching domain registry lists requires targeting and searching for the wide variety of naming conventions phishers may conjure up. To be sure, other meta-data about the page is helpful in identifying suspects; for example, how the site may abuse the HSTS policy mechanism. Because of the need for context, domain registry searches and the monitoring process rely heavily on conclusions drawn by human beings, and are fraught with error and cost. Finding a suspicious domain registration that has not yet been deployed to an active server means continuous monitoring is required to detect when the phishing site goes live. At scale, this is not cheap. Even when a site is detected, take-down is not always easy to accomplish when unfriendly ISPs are involved in hosting the site.
Domain monitoring services typically focus on analyzing suspicious URLs or searching for domain registrations that mimic the familiar brand names found in URLs linking to legitimate, well-known sites. It all starts with the malicious URL crafted by the phisher to trick a user into clicking.
Detecting phishing sites focuses on analyzing URL content and information about a newly registered domain name. URL analysis examines syntactic features that are indicators of a phishing URL, such as its length, or whether it employs too many digits. Typosquatting, where names are slightly misspelled (for example, goggle.com) or rendered with visually confusable characters (for example, g00gle.com), is perhaps the most difficult to detect due to the degrees of freedom the phisher has in choosing the names they devise to trick the reader. Most products that aim to detect phishing sites depend on how well their detectors identify this common phishing strategy.
Beyond URL analysis, domain registration information is often used to estimate the likelihood that a URL links to a phishing site. The analyses typically include the length of time a domain has been registered (in theory, newer sites are more likely malicious), checking the host against blacklisted IP addresses available for a fee from threat intelligence providers, and analyzing WHOIS information to learn whether the registrant is making an effort to hide their identity. Like any other analysis, the outcome is not guaranteed to identify all phishing sites. Worse, the lag between the time a phishing site goes live and the time it is accurately detected provides ample opportunity for phishers to net victims. Domain name analysis and URL analysis are insufficient to detect phishing sites in real time when they go live.
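As an added example (not code from the article or from any product it mentions), here is a minimal implementation of the URL and registration heuristics described in the two paragraphs above: URL length, digit count, IP-literal hosts, domain age, typosquats, confusable characters and brand names in the hostname. The brand list, confusable map and thresholds are assumptions, and the `domain_age_days` argument stands in for a WHOIS or registry lookup that is not performed here. Run against a phishing page planted in a subdirectory of a legitimate, long-registered domain, it flags nothing, which is exactly the gap the article describes.

```python
import re
from urllib.parse import urlsplit

# Constructed watch-list and confusable-character map (assumptions for this
# example, not from the article). A real deployment would use a full brand
# list and a proper public-suffix list instead of the naive domain split.
BRANDS = ("google.com", "paypal.com")
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})
NEW_DOMAIN_DAYS = 30  # "newer domains are more likely malicious" heuristic


def edit_distance(a, b):
    """Levenshtein distance, used for the typosquat check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive 'last two labels' approximation of the registered domain."""
    return ".".join(host.lower().split(".")[-2:])


def url_indicators(url, domain_age_days=None):
    """Return the list of URL/registration indicators that fire for `url`.
    `domain_age_days` stands in for a WHOIS/registry lookup (not done here)."""
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    reasons = []
    if len(url) > 75:
        reasons.append("long_url")
    if sum(c.isdigit() for c in host) >= 3:
        reasons.append("many_digits_in_host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("ip_literal_host")
    if domain_age_days is not None and domain_age_days < NEW_DOMAIN_DAYS:
        reasons.append("newly_registered")
    for brand in BRANDS:
        if domain == brand:
            continue  # the genuine site, nothing to flag
        if domain.translate(CONFUSABLES) == brand:
            reasons.append(f"confusable:{brand}")
        elif edit_distance(domain, brand) <= 2:
            reasons.append(f"typosquat:{brand}")
        elif brand.split(".")[0] in host:
            reasons.append(f"brand_in_hostname:{brand}")
    return reasons
```

The last case in the test, a page under `/wp-content/uploads/` on a compromised site, shows the limit: the brand name sits in the path, the domain is old, and none of the indicators fire.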
Domain monitoring does provide a measure of accuracy in detecting spoof sites, but clever adversaries evade detection in various ways, such as embedding ripped webpages in subdirectories of compromised servers. As stated in the 2019 Webroot Threat Report, “Trusted sites may be compromised—even if only for a short period of time before being discovered—and threat actors know this is an effective method for evading detection.” No amount of domain monitoring intelligence will achieve the goal of real-time detection of phishing sites.
Learn more about a more modern approach to online brand impersonation attacks with our Busy Person’s Guide to Online Brand Protection.