Phishing-as-a-service providers are increasingly relying on a safe haven to hide malicious links: popular cloud services.
Cyren, a SaaS security provider based in McLean, Va., published a report on Monday about the evasion techniques used by phishing-as-a-service offerings, which its research team said are available for as little as $50 a month. According to the report, which tracked 5,334 new phishing kits deployed to the web so far this year, the tactic of hosting phishing domains on public cloud services has “grown significantly” this year, though the report did not include specific figures on the increase.
“By hosting phishing websites on legitimate cloud services, like Microsoft Azure, phishers are able to present legitimate domains and SSL certificates, lulling even the most attentive user into thinking a given phishing page is trustworthy,” the report stated.
Magni Sigurdsson, senior threat researcher at Cyren and co-author of the report, said using cloud services carries additional benefits for the phishing-as-a-service industry.
“Companies like PayPal have bots and crawlers out there looking for these sites, but these guys are evading them by encrypting the domains or blocking the crawlers,” he said. “We’ve also seen an increase in using legitimate cloud platforms like Azure and OneDrive that often aren’t looked at by these crawlers, because they’re whitelisted.”
Sigurdsson said while much of the activity Cyren observed was on Microsoft cloud services, other cloud providers such as AWS, Google and Dropbox are also abused.
A Microsoft spokesperson said the company takes abuse of its services seriously. “As soon as we become aware of these types of sites, we take steps to remove them,” the spokesperson said.
The company also highlighted its page for reporting abuse to the Microsoft Security Response Center.
“Through systems such as Azure Security Center and Office 365 Advanced Threat Protection, Microsoft protects customers from unsafe links and other threats,” the page said. “Microsoft uses these systems, along with industry-wide cybersecurity threat programs, automation, and machine learning to detect, identify, and fight abuse, and to keep our customers safe.”
Other evasion techniques
In addition to hosting malicious links on popular cloud platforms, the Cyren report highlighted other evasion techniques used by phishing-as-a-service offerings. In fact, the report stated that a “straight line” can be drawn between phishing-as-a-service kits and the rise of evasive phishing attacks.
“Spoofed domains are still successful in phishing attacks, because they can use a lot of techniques to avoid detection of email security products,” Sigurdsson said.
According to the report, additional techniques include the following:
- Inspection blocking is the most common evasion tactic, Cyren said. Phishing-as-a-service offerings will block connections from specific IP addresses and hosts associated with security vendors or other legitimate companies in order to hide their malicious domains.
- HTML character encoding allows an email’s HTML code to be displayed properly by web browsers, but conceals certain trigger words, like password or credit card, which can alert email security systems.
- Encrypting content is similar to character encoding and obscures the email body or attached files from email security products.
- Hiding URLs in attachments has been a growing trend over the last year, Cyren said. Phishing kits, according to the report, will often place a malicious link inside “a simple PDF constructed of images and made to look like a OneDrive document.”
- Content injection is an old, but “tried and true method,” Cyren said, where phishers include links to legitimate but vulnerable webpages or applications, which then redirect users to the actual phishing domain.
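As an added example (not code from the Cyren report), the following defender-side normalization step decodes HTML character references before keyword scanning, so trigger words hidden the way the HTML character encoding bullet describes are still found. The sample markup, the trigger-word list and the function names are constructed for illustration.

```python
import html
import re

# Constructed sample: a phishing-style HTML fragment in which "password"
# and "credit card" are written as decimal and hex character references,
# so a naive substring scan of the raw markup matches nothing.
SAMPLE_HTML = (
    "<p>Please confirm your &#112;&#97;&#115;&#115;&#119;&#111;&#114;&#100; "
    "and &#x63;&#x72;&#x65;&#x64;&#x69;&#x74; &#x63;&#x61;&#x72;&#x64; "
    "details <a href='https://example.invalid/login'>here</a>.</p>"
)

# Illustrative trigger list; a real filter would use a tuned, larger set.
TRIGGER_WORDS = ("password", "credit card", "verify your account")


def normalize_html(raw: str, max_rounds: int = 3) -> str:
    """Return the text a browser would render, lower-cased.

    Character references are decoded repeatedly (bounded by max_rounds) so
    double-encoded text such as "&amp;#112;" is also resolved; this is
    deliberate for detection even though it is stricter than a browser.
    Tags are then stripped and whitespace collapsed.
    """
    text = raw
    for _ in range(max_rounds):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def find_trigger_words(raw: str) -> list[str]:
    """Trigger words visible in the rendered text but absent from the raw
    markup, i.e. words the sender concealed with character encoding."""
    raw_lower = raw.lower()
    rendered = normalize_html(raw)
    return [w for w in TRIGGER_WORDS if w in rendered and w not in raw_lower]


if __name__ == "__main__":
    print(find_trigger_words(SAMPLE_HTML))  # ['password', 'credit card']
```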
Cyren researchers found 87% of phishing-as-a-service kits available on the dark web include at least one of these evasion techniques. The vendor said such SaaS kits “let even the most amateur criminal wannabe spoof targeted websites with a high degree of authenticity and embedded evasive tactics.”