Disturbing news came from Israel-based cybersecurity firm IRONSCALES this past week. As part of its research into developing a new automatic anti-phishing platform, the company discovered that 42% of the phishing attempts they examined were “polymorphic” in nature. Polymorphic phishing attacks are an advanced form that use randomization of email components (such as the subject line and sender name) to bombard anti-phishing security systems and determine what will make it through. Polymorphic attacks are highly effective and very difficult to defend against, but are relatively easy for cyber criminals to deploy thanks to the development of automated kits sold on the dark web.
Though it’s true that this study comes from a company attempting to sell an associated service, the IRONSCALES body of research contains a significant sample size that makes it worthy of note to cybersecurity professionals. The company identified 11,733 email phishing attacks that underwent at least two permutations, and these attacks successfully made their way into 209,807 inboxes around the world.
Understanding polymorphic phishing attacks
Polymorphic phishing attacks have been seen in the wild since at least 2016. The original form was to generate “polymorphic URLs”, thousands of different URLs leading to phishing or malware delivery pages that are automatically generated and have only very slight differences. This was done in an attempt to defeat anti-phishing defenses that automatically recognize and screen out suspected phishing links.
Polymorphic phishing is able to trick signature-based email software because phishing pages generally exist in isolation on the internet (not linked to or referenced by anything else) and are only deployed for a few hours. This makes it very difficult for automated scanning and blacklisting software to keep up with them.
Polymorphic phishing emails have become even more sophisticated. These don’t merely deliver a bunch of unique URLs, they change the characteristics of each individual phishing email in a further attempt to evade automatic anti-phishing measures. A blizzard of emails is sent out to targets, each with very small changes to often just one element of the email: the subject header, the sender’s name, the return address, and so on.
Of course, simply sending out thousands of emails to an external domain would trigger spam filters regardless of these small changes. Polymorphic attacks generally begin with a smaller and more targeted standard phishing attack on an organization. Once one employee falls for the attack, the hackers have access to a credentialed account that they can leverage to send a polymorphic attack to other users on the network. The small changes to each email are meant to prevent automated internal network security from screening the messages out. The IT team will eventually notice, but once a polymorphic phishing attack is underway they cannot blacklist the compromised accounts because they are within the organization. And the messages cannot easily be screened because they are not uniform in composition. As more network users are compromised, the attack becomes more difficult to contain.
Results of the research
The security firm’s research found that the 11,733 polymorphic email phishing attacks had at least two permutations and as many as 521. These attacks hinge on most automated cyber security software relying on signatures for screening. If the signature is constantly being altered, a signature-based system simply can’t keep up once polymorphic phishing attacks penetrate the network.
Given this, the IRONSCALES claim that nearly half of phishing attacks – 42% in their study – are now polymorphic is not hard to believe. It appears to be an extremely successful and effective attack method. Earlier research from the company found that 99.5% of secure email gateways failed to stop polymorphic phishing attacks.
These attacks have by far the highest level of success when they originate from a trusted email source, which is why attackers generally focus on compromising at least one employee account before launching polymorphic phishing attacks. These attacks are usually supported by a spoofed domain that is very similar to the one being attacked and that has had matching authentication records set in the DNS.
Stopping polymorphic phishing attacks
So how can these polymorphic email phishing threats be stopped? Naturally, IRONSCALES wants you to subscribe to their threat protection platform. However, the company did share some useful details about how polymorphic phishing attacks can best be negated.
Since these attacks are focused on evading signature-based systems, it stands to reason that a non-signature-based system would be more effective against them. That is a bit of a tall order however, as most of the market (including the biggest brand names that companies tend to rely on) is still rooted in a signature-based approach with little to nothing in the way of other options. The segment of the market to look at is tools that are designed with a behavior analysis approach instead.
Signature-based email security tools essentially wait for something to exhibit signs of being malicious and then blacklist that thing. A behavior analysis system attempts to pre-emptively recognize items as malicious before they have a chance to strike and reveal themselves. In the case of an email screening system, this would involve the system holding and scanning incoming emails to determine what their contents are attempting to do before passing them on to the recipient.
AI and machine learning are at the root of behavior analysis systems, using algorithms combined with human feedback to learn how to recognize malicious intent with sophistication that increases with time and exposure. The ideal behavior analysis system briefly holds an incoming email and scans any pages it links to for behavior that is consistent with a phishing or malware attempt. Under current signature-based systems, each version of the attack usually nabs at least one victim before it is identified and blacklisted.
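As an added illustration of the two approaches described above (constructed for this article, not code from IRONSCALES or any product), the snippet below replays a small wave of permuted internal messages through an exact-signature filter that learns only after a message has landed, and then through a content-similarity filter that groups messages by the URL they push and by near-identical bodies. The message contents, the .test domains and the 0.8 similarity threshold are assumptions.

```python
import hashlib
import re
from difflib import SequenceMatcher

# Constructed sample data (not from the IRONSCALES research): one internal wave of
# three permutations differing only in display name and subject, plus a benign mail.
PHISHING_WAVE = [
    {"from": "Payroll Team <hr@example-corp.test>", "subject": "Action required: payslip update",
     "body": "Please review your payslip at https://payroll-example-corp.test/login before Friday."},
    {"from": "HR Notifications <hr@example-corp.test>", "subject": "Payslip update needed today",
     "body": "Please review your payslip at https://payroll-example-corp.test/login before Friday."},
    {"from": "Finance <hr@example-corp.test>", "subject": "Reminder - payslip",
     "body": "Please review your pay slip at https://payroll-example-corp.test/login before Friday!"},
]
BENIGN_MESSAGE = {"from": "Alice <alice@example-corp.test>", "subject": "Lunch?",
                  "body": "Anyone up for lunch at noon? Meeting in the lobby."}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def exact_signature(msg):
    """Signature-style fingerprint: one changed character in subject or sender = new hash."""
    raw = "\n".join([msg["from"], msg["subject"], msg["body"]]).encode()
    return hashlib.sha256(raw).hexdigest()

def normalize_body(body):
    """Drop case and punctuation so cosmetic edits do not affect the comparison."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", body.lower()).split())

def same_campaign(a, b, threshold=0.8):
    """Content view: same pushed URL, or near-identical normalized bodies, ignoring
    whatever the subject line and display name were permuted to."""
    if set(URL_RE.findall(a["body"])) & set(URL_RE.findall(b["body"])):
        return True
    sim = SequenceMatcher(None, normalize_body(a["body"]), normalize_body(b["body"]))
    return sim.ratio() >= threshold

def simulate(wave, is_known):
    """Replay a wave through a filter that learns only from messages that already
    landed; returns how many reached an inbox before the filter caught up."""
    seen, delivered = [], 0
    for msg in wave:
        if any(is_known(msg, s) for s in seen):
            continue  # blocked: matches a message already identified
        delivered += 1
        seen.append(msg)  # identified only after it has landed
    return delivered

def signature_delivered(wave=PHISHING_WAVE):
    return simulate(wave, lambda m, s: exact_signature(m) == exact_signature(s))

def similarity_delivered(wave=PHISHING_WAVE):
    return simulate(wave, same_campaign)
```

With these inputs every permutation carries a fresh signature, so all three land under the signature filter, while the similarity filter delivers only the first and holds the rest without flagging the benign message.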
This sort of automated phishing detection and prevention is more important than ever as new attacks are generated, deployed and then scrubbed from the internet within the space of one day. As long as signature-based email security remains widely in use, it is reasonable to expect that the number of polymorphic phishing attacks will only increase.