Combating phishing

Article
08/30/2012

From time to time, customers call in and ask us what we are doing to combat phishing attacks. My guess is that they are really asking how we combat spoofing as most malware attacks delivered via email use spoofing (that is, they imitate someone they are not). We filter mail for businesses, so they are especially concerned with keep malware out of their environment and email is one way it gets in.

The term phishing has become synonymous with spoofing even though the goals are different: phishers are trying to steal financial information by impersonating a bank, whereas spoofers are trying to infect your computer by tricking you into either clicking a link or opening an attachment; they do this by impersonating a brand you recognize. Sometimes they just straight up ask you for your username and password. Phishers use spoofing as a tactic, but not all spoofers are phishers.

For our purposes, we’ll assume that phishing encompasses both financial phishing and spoofing for the purposes of malware infection.

Customers want to know how we combat phishing. Actually, how we combat phishing is similar to how most spam filters combat phishing. Wikipedia has an entire section dedicated to anti-phishing (and spam filtering, for that matter). Yet despite the fact that it is a tactic that has been around for years, even today in 2012 it is still a problem. The fact that there is an industry working group – the Antiphishing Working Group – testifies to this.

Spam filters have a number of ways to combat phishing. Here are four:

IP reputation

Most spam filters today make use of IP blocklists. These are lists of IPs that are known to send malicious spam at one time or another. While there are lists of varying quality, most industry professionals agree that the lists provided by Spamhaus are among the best ones. Other vendors populate their lists through the extensive use of honeypot networks, still others use statistical criteria based upon spam/nonspam ratios.

Spam filters will update their IP lists periodically (some do it every few minutes, others do it a little longer than that). Since most spam is sent from compromised IP addresses, it’s important to update IP lists at regular intervals.

IP blocklists catch the majority of spam, and they also catch the majority of phishing. But not every piece of spam, phishing or not, can be caught with IP blocklists.
URL reputation
Some spam is sent from IPs that cannot be listed on IP blocklists, such as spam sent from a compromised email account, or even spam from a free webmail account such as Hotmail. Much phishing spam contains a URL within the message – the user must click the link to reset their credentials, verify their shipping package, update their configuration, etc.

This is where URL reputation lists come in. Just like IP blocklists maintain lists of spamming IPs, URL reputation lists maintain lists of URLs that appear in spam campaigns. Spam filters download these lists and use them as a weight in their filter (recommended) or reject mail from messages that contain them (not recommended). A spam filter may not be able to block based upon the IP but it can look inside the message and determine that a message contains malicious content.

There are numerous URL reputation lists used in the industry. Example of more well known ones include URIBL, SURBL and Spamhaus’s DBL.
Sender authentication
Since most phishing messages use some sort of spoofing, techniques that catch spoofing are used to help mitigate some of it. The most commonly used sender authentication techniques are SPF checks, but DKIM checks and now DMARC checks are also used. I won’t go into SPF and SenderID because I have written about it previously on this blog.

Antispam professionals don’t claim that SPF checks catch the majority of phishing messages. They barely catch a sizeable minority. They do catch a small amount of spam, and certain classes of spam. The technique is not perfect. But it does help.

Sender authentication techniques are better for whitelisting than they are for catching spam. However, they do have their place in a modern spam filter.
Content filtering
The last piece of the puzzle in combating phishing is content filtering. Many spam filters perform Bayesian filtering which is a probabilistic engine that looks for features within a message and assign it weights to make a spam/nonspam verdict.

Still other filters make extensive use of regular expressions that look for words, phrases and patterns that occur in the message headers, message body and attachments. By creating rules that target commonalities that exist in phishing, spam filters are able to predict new phishing campaigns that don’t exist yet because phishers and spoofers make repeated use of certain words, patterns and phrases.

Modern filters combine traits of a message and act differently when they occur together. For example, if a message contains no SPF record, that’s not a very reliable spam indicator. If it is sent from ups.com, that, too, is not a reliable spam indicator. Neither of this is much to go on when considered independently.

But if a message is sent “from” ups.com and has no SPF record, that is a much more reliable spam indicator because UPS publishes an SPF record for ups.com. Filters that combine multiple pieces together can behave much more intelligently and predictively about future spam campaigns.

Techniques #3 and #4 are good at catching “zero-day” spam when a new spamming IP or URL hasn’t been added to any reputation lists.

This does not exhaust the full techniques available to modern filters. It is not even everything that we do. However, they are some of the most effective techniques used to stop spam in general, and phishing in particular.

While spam filters are one piece of the anti-phishing puzzle, this needs to be combined with best practices on the part of the organization, and the user. It’s not an either/or proposition, both need to work together.

Combating phishing

Additional resources