In my podcast yesterday, I learned a lot about Artificial Intelligence and Machine Learning, and the prime differences between the two of them.  These two terms are used commonly with each other (and I have to admit, I am guilty of that as well) in the world of Cybersecurity, but the two are actually different from each other (HINT:  You have to listen to the podcast in order to find this out).

My guest and I also discussed the Cyberthreat Landscape, and what is out there.  A common denominator with this question when I ask it is that Phishing will still remain a threat out there.  Now, Phishing is probably one of the oldest Cyberattack vehicles out there, but many new variants of it have come about, as Cyberattackers have become that much more sophisticated.

Gone are the days when you could identify a Phishing email based upon its typos, weird-sounding names, and mismatches in the hyperlinks in it.  Nowadays, it is almost impossible to tell whether you are even at a legitimate website or not.

For instance, there are times when I wonder, “Is this the real thing?”  Cyberattackers now make use of what are known as “Phishing Kits” in order to make their scams look like the real thing and to avoid detection, which is examined in this blog:

*Verification of credit card information:

Cyberattackers are no longer content with simply grabbing whatever card numbers and other related information they can get their hands on.  Now, they want to make sure that whatever they hijack is real and authentic.  In this regard, the Cyberattacker now always checks the length of the credit card number that is entered (usually 16 digits long) and accepts only entries of that length.  Anything beyond that gets discarded.  There are even cases where, if the Cyberattacker is sophisticated enough, they will use tools that check the authenticity of the entire credit card number as a transaction is being placed.
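The same length-and-validity check works in the other direction: a DLP rule or log-scanning job can spot card numbers leaving the network through a harvesting page.  The following is an added Python example (not code from the original post or from any phishing kit) that finds 13- to 19-digit candidates in a constructed captured form post and keeps only those that pass the Luhn mod-10 checksum every card number carries, which weeds out order numbers and other digit runs.

```python
import re
from typing import List, Tuple

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of a captured form post; 4111111111111111 is the
# widely used Visa test number, 1234567890123456 is a 16-digit order id.
SAMPLE_POST_BODY = (
    "cc=4111-1111-1111-1111&exp=12%2F25&cvv=123"
    "&phone=555-123-4567&order=1234567890123456"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:           # 10..18 collapse to their digit sum
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[Tuple[str, bool]]:
    """Return (digits, luhn_ok) for every candidate found in the text."""
    results = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        results.append((digits, luhn_valid(digits)))
    return results


def likely_card_numbers(text: str) -> List[str]:
    """Only the candidates a DLP alert should fire on."""
    return [d for d, ok in find_card_numbers(text) if ok]


if __name__ == "__main__":
    for digits, ok in find_card_numbers(SAMPLE_POST_BODY):
        print(f"{digits}: {'card number' if ok else 'fails Luhn, ignore'}")
```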

*Language is now changed based upon the location of the victim:

Whenever a Cyberattacker launched a Phishing campaign, it was always done in massive volume (via email), with very little thought given as to where the victims actually resided.  But as I have described many times before, the Cyberattacker of 2019 is now taking their own sweet time in order to carefully research and profile their intended targets.  In this instance, the Phishing attacks that are launched today are tailored to the geographic location where the unsuspecting victim resides.  So, for example, if a Cyberattacker wanted to target a group of individuals or companies in Japan, the content of the Phishing email would now be composed in the Japanese language, with all of the nuances in spelling and pronunciation geared towards that, without any typos or other obvious grammatical mistakes.  Below is an example of this:

(SOURCE:  https://www.zscaler.de/blogs/research/evolution-phishing-kits)

*Visiting a Phishing page only once:

In the past, a Cyberattacker would try to lure as many potential victims as he or she could to the same phony website, over and over again.  The idea here was that the more victims entered their credit card information, the greater the chance of using it to launch something even more covert, such as an Identity Theft attack.  In other words, the thinking on the part of the Cyberattacker was that quantity is better than quality.  But now, that thinking has changed.  Rather than trying to target 200 victims, it is better to target perhaps just 10, but make sure that they can be repeat victims rather than just one-time victims.  Now, after a victim has visited a Phishing site once, if they attempt to visit the same site again, they will be redirected to another website.  This is just another tactic that the Cyberattacker is using to avoid detection.  In order to do this, the IP Address of the victim is automatically recorded upon the first visit.  Then, if the victim attempts to visit the same Phishing site again, the IP address gets checked against a directory of the IP addresses that have been recorded.  If there is a match, then access to the phishing page is denied, which results in a “Page Not Found” message being displayed, or the victim may be directed to another website.  This is illustrated below:

(SOURCE:  https://www.zscaler.de/blogs/research/evolution-phishing-kits)

*Blacklisting of IP addresses:

The Cyberattacker of 2019 knows that law enforcement agencies, forensics specialists, Cybersecurity companies and even Ethical Hackers are hot on their trail.  In an effort to avoid further detection by these agencies, organizations and individuals, the Cyberattacker has now created a so-called “blacklist” of the IP addresses that belong to all of them.  So, for example, if the Secret Service attempted to get to a known Phishing site, they would be denied access to it, because their IP address would be blocked based upon this “blacklist”.  This kind of scenario is, of course, highly dependent upon the sophistication level of the Cyberattacker.

*Assigning new directory structures:

Whenever you access a website, you first have to type in the URL.  Once the website appears and you dig deeper into it, you will notice that each page you visit has a different and longer directory structure in the address bar than when you first entered just the domain name.  This simply represents where the files are stored in order to serve that particular page to you.  Take the example of PayPal.  When you first access it, you will type in:

www.paypal.com

Then, once you are securely logged in and want to see how much money you have in your account, you will click on the “dashboard” tab, which will have a directory path similar to the following:

www.paypal.com/dashboard

Usually, these directory paths remain the same over time, unless changes are made to the website in question and HTML files get moved around.  But when a Cyberattacker creates a phony website, its directory path keeps changing in order to avoid detection.  So, for example, if you want to access PayPal and land on a phony page, after typing in what looks like the real domain name you will be taken to a much different directory structure than the usual www.paypal.com page in which you enter your username and password.  This is illustrated below:
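To turn the directory-structure tell-tale into something a defender can automate, here is an added Python example (not from the original post or the Zscaler research) that checks a link against the brand domain it claims to belong to, using paypal.com from the example above.  It flags hosts that merely contain the brand name, userinfo tricks that put a brand name before an `@`, plain-HTTP pages, and random-looking path segments; the entropy threshold and the sample URLs are constructed assumptions, not values from the page.

```python
import math
from typing import List
from urllib.parse import urlsplit


def shannon_entropy(s: str) -> float:
    """Bits per character; random directory names score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def host_matches(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain itself or a real subdomain of it.

    'www.paypal.com.account-verify.example' fails because the brand name is
    not at the end of the host; only the right-most labels decide ownership.
    """
    host = host.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def check_url(url: str, expected_domain: str) -> List[str]:
    """Return a list of findings; an empty list means no red flag was found."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:          # "brand.com@evil-host" trick
        findings.append("userinfo before host")
    host = parts.hostname or ""
    if not host_matches(host, expected_domain):
        findings.append(f"host {host!r} is not under {expected_domain}")
    for seg in parts.path.split("/"):
        # Heuristic (assumed threshold): long, digit-bearing, high-entropy
        # segments look like the rotating directories described above.
        if len(seg) >= 8 and any(c.isdigit() for c in seg) and shannon_entropy(seg) > 3.5:
            findings.append(f"random-looking path segment {seg!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample links; 198.51.100.7 is a documentation-range address.
    for u in ["https://www.paypal.com/dashboard",
              "https://www.paypal.com.account-verify.example/login",
              "http://www.paypal.com@198.51.100.7/x/",
              "https://secure-pay.example/a8f3k2Lq9zT4wX/signin"]:
        print(u, "->", check_url(u, "paypal.com") or "no findings")
```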

(SOURCE:  https://www.zscaler.de/blogs/research/evolution-phishing-kits)

My thoughts on all of this?

It’s going to take much more scrutiny now than ever before in order to determine whether an email you receive is legitimate or not.  You simply can’t just look for the obvious tell-tale signs anymore.  In fact, Phishing campaigns are not just launched by email anymore.  Rather, you can become a victim of one just by visiting a website that looks real and authentic but is really illegitimate.  Thus, as was illustrated, always check whether the directory paths in the URL change to something weird after you dig deeper into a website.

Keep in mind also that many businesses and corporations these days are masking their entire directory structures, so that only the domain name appears across all of the pages of that particular website.  This is not a spoofed website; rather, it is just an extra security precaution taken these days so that these directory structures do not end up serving a fictitious and illegitimate site.

In the end, probably the best line of defense in this instance is just to trust your gut.  If something doesn’t feel right, just don’t visit that website until you can confirm its legitimacy by contacting the organization that it belongs to.