Another day, another phish.
Over the weekend, it was reported that a Stanford University website has been hosting multiple hacking tools that cyber threat actors likely leveraged to deploy phishing sites onto the compromised server.
According to Security Week, an actor recently uploaded two PHP scripts to the infected server, allowing attackers to send significant amounts of spam or phishing emails. Although most phishing pages come from compromised websites, this site was a particularly good opportunity for hackers because a domain with a reputation as good as those associated with Stanford (Alexa rank of 717) lends credibility to their phishing pages and makes their campaigns much more impactful.
At RiskIQ, we process tons of phishing-related web threat data to automate analysis and response to phishing attacks. From various sources, we receive URLs which might be indicative of phishing, which are then processed through our crawling infrastructure and machine-learning technology to classify each suspected phishing page appropriately.
Below is one example of a phishing domain we detected from the campaign leveraging glennlaboratories.stanford.edu, in this case emulating the LinkedIn brand. We blacklisted the page immediately to help our customers defend against the at-large threats from this infected server:
Don’t be Phish Food
With RiskIQ, Cyber Security, eCrime, and Incident Response teams combat phishing at scale and drastically mitigate its impact.
Know your Digital Footprint
For Stanford, failing to detect the problem and remove the hacking tools from its server was likely due to a lack of visibility. Without an understanding of their digital footprint and attack surface, they were probably unable to discover new web pages created outside their standard procedures or monitor official pages for compromise.
Interacting with web assets exactly how a real user would from different browsers, locations, and device types around the world, RiskIQ Digital Footprint would have alerted Stanford to new pages coming online hosted by their server, as well as unsanctioned changes to current pages. Their cyber security team would have been made aware of these events automatically, and presented with the new pages and changes as something to be addressed and remediated, or dismissed. Also, the Stanford team would have been alerted to any of their hosts serving phishing pages found on any of our blacklist feeds.
Automate Phish Detection
For web-based phishing threats, RiskIQ continuously scans web pages from a wide variety of sources for evidence of phishing while our proprietary machine-learning classification and virtual user technology rapidly find and confirm new phishing pages. With direct integration to Google Safe Browsing and Microsoft SmartScreen, RiskIQ confirms and automatically blocks phishing to 98% of web users at the browser level.
For phishing campaigns that use email as the attack vector, RiskIQ automatically crawls and scans URLs found in emails submitted through internal and external abuse boxes to validate phishing emails and pages. Once confirmed, these sites are blocked via Google and Microsoft, as well.
According to the APWG, the total number of phishing attacks in 2016 increased 65% over 2015. Safeguarding your organization against the potential of attack—and understanding motive and intent of that attack—requires full visibility into the state of all the assets, as well as rich intelligence data and machine-learning automation. With more than 30 million phishing pages already scanned, and tens of thousands of new pages scanned each day, RiskIQ understands how best to identify phishing campaigns and mitigate their impact.
To see how Digital Footprint works for yourself, interact with our free demos in RiskIQ Community Edition today.