External Threat Management

Phishing Attacks? Facepalm.

On the surface, phishing usually looks like a regular website or a message from a family member, friend, or coworker—it even fools internet savvy folks now and then. But when you look at phishing incidents under the hood, you can't help but see why many of them are truly Facepalm worthy.

What is phishing?

In infosec, you hear about phishing all the time; it fools grandparents out of their Social Security checks, lures business execs into divulging top secret information, and costs the banking industry over $1 Billion annually. It can take several different forms—email, SMS, website, a phone call, or chat program—but phishing's purpose is always the same: separate an unsuspecting victim from their money or sensitive or personally identifiable information.

How does a RiskIQ web crawl detect it?

The following observations made by the RiskIQ research team will show you why when it comes to phishing, a little vigilance goes a long way.

In this example, the phisher used a fake page pretending to be from a well-known Canadian bank asking customers to update their "Personal Security and Details." Questionable grammar aside, it's a decent attempt at fooling the bank's more careless customers into giving up their login credentials:

Top1

However, when you dig deeper, you see just how ridiculous this phishing attempt is. First of all, the domain name ends in '.NL', which is country code for the Netherlands—probably not where a Canadian bank's URL would resolve from:

2 top

However, the title of the page does tell us we’re banking at said Canadian bank, which, ostensibly, is in Canada:

3 top

Yet, continuing our world tour, the IP address for resolution is not even close to Canada; it's located in Germany: @ AS29671 (SERVAGE Service GmbH):

4 top

Facepalm indeed.

When we dig into the source code, you can see that a compromised WordPress account is part of this phisher's infrastructure because of the URL from which the logo is being downloaded. The source code also shows another connection to a different compromised WordPress account, which indicates the collection method “login module” is being used by the phisher. This code shows a bit of trickery, stating that the bank is not available and to call:

5 top

Since we got this far, I’ll humor the phisher a little by putting in fake info and clicking "OK" to "update my details successfully":

6 top

As a careless banking customer, this would result in a major headache. As a cybersecurity researcher, this quick run-through shows how much fun a crawl can be when looking under the hood into the source code.

Protect yourself

Safeguarding your organization against the potential of attack—and understanding motive and intent of that attack—often requires rich intelligence data. RiskIQ web crawls, like the one above, add to our proprietary dataset comprised of all phishing attacks we discover, known as our Phishing Feed. RiskIQ provides real-time access to this data, which can defuse current phishing attacks and develop policies to detect and mitigate future incidents.

You can learn more about RiskIQ web crawling technology here.

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor