How to Stop Phishing at Its Origin — Before a Single Customer Falls Victim
by Daniel Iliaev and Brooks Flanders
In spite of media warnings about phishing scams, millions of consumers continue to fall prey to deceptive emails or text messages luring them to a spoofed website that looks nearly identical to the legitimate site. Victims are most likely to click on messages that are urgent (a problem with their account) or enticing (coupons or perks) sent from a brand they trust. The instant they log in, attackers have stolen their username and password, and in some cases, they’ve installed malware.
We all know what happens next. The scammer simply logs in to take over the customer’s account, run fraudulent transactions and steal personal data to sell on the dark web. In many cases, they will later conduct credential stuffing attacks, testing the same credentials on other sites across the web.
According to Verizon’s Data Breach Incident Report, phishing was involved in 36% of all data breaches in 2022. Attackers are now sending an estimated 3.4 billion phishing emails every day. Phishing remains so popular because it’s easy to do and difficult to prevent. Breaches in 2022 caused by phishing took an average of 295 days to identify and contain, according to IBM. This gives fraudsters the luxury of time to do real damage.
The key to preventing damage is rapid detection — faster than your customers can click. At Transmit Security, we’ve developed several ways to stop phishing-related breaches before they can start. In this blog, we’ll explain how phishing websites are created and what Transmit Security does to protect customers when your company’s site is spoofed in a phishing campaign.
Phishing: new tricks of the trade
Phishing attacks might sound simple, but they are growing more sophisticated. A prime example making news headlines is EvilProxy, a subscription-based ($400 per month) phishing-as-a-service tool created to evade multi-factor authentication (MFA). When a user clicks on an EvilProxy phishing link, the tool reverse-proxies the real login page so the victim sees the UI and branding they expect. After the victim logs in, the tool relays the traffic through the proxy. In doing so, fraudsters intercept the session cookies containing authentication tokens, bypass MFA and log in, appearing to be the legitimate customer.
Other phishing toolkits make it easy for attackers to create spoofed sites quickly with pre-packaged sets of files containing code, templates and resources, including pre-made login forms and scripts. To deceive more savvy victims, hackers might even obtain SSL certificates to enable HTTPS encryption, which creates the illusion of a secure connection, even though the site is malicious.
How a typical phishing site is created
Now that we’ve covered a few advanced phishing tactics, let’s get back to the basics. Creating a spoofed phishing site good enough to deceive unwitting victims involves many steps:
Choosing a target: Malicious actors typically select well-known brands that are likely to have a very large user base. Popular websites, banks, social media platforms and email providers are common targets.
Spoofing the domain: Hackers register domains that appear similar to the legitimate domain, using variations like misspellings, hyphens or alternative top-level domains, like .net or .ai. At first glance, the URL appears like the real one.
Hosting the spoofed site: To host the phishing site, attackers might use a compromised website, a free hosting service or their own servers.
Copying the target website: Hackers replicate the visual design and branding elements to look almost identical to the legitimate site. Using a tactic known as “reverse engineering” or “cloning,” they’ll copy the scripts of the real website to recreate the UI and interactive functionality. Some of these scripts contain the Device Recognition System Software Development Kit (DRS SDK), which further enhances the appearance of legitimacy and security on a phishing site.
The DRS SDK helps websites identify and authenticate customers based on their known devices’ unique characteristics, such as browser settings, screen size, operating system and more. When incorporating these scripts, the attacker may try to bypass device recognition, using tactics like device spoofing, for example. This could backfire, however, and we’ll cover that below.
Setting up redirects: Hackers might send phishing emails or malicious links that redirect users from legitimate sites to their spoofed sites. This can involve URL shorteners or compromised websites used as intermediaries. They also use redirects, aka referrers (illustrated below), to send victims from the spoofed site back to the legitimate site so the victim can access their bank account balance, for example. They won’t notice anything is wrong.
Distributing the campaign: Attackers use various tactics to distribute phishing emails or text messages, which may involve bulk email campaigns, social media posts or compromised websites. Employing the fine art of social engineering, the messages use urgent or enticing language to lure users to the spoofed site.
Collecting data: The spoofed website differs from the real site in one important regard: it collects credentials and reroutes the data to the attackers instead of the legitimate website.
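A defender’s check for the domain-spoofing step above, as an added example that is not part of the original post or of Transmit Security’s product: it scores a hostname seen in a request against a constructed list of legitimate company domains and flags the misspelling, hyphen, TLD-swap and brand-in-subdomain variants described. The domain list, sample hostnames and the one-character edit threshold are constructed for the demo.

```javascript
// Added example (not Transmit Security's code): flag hostnames that imitate a
// company's legitimate domains. LEGIT_DOMAINS is a constructed sample list.
const LEGIT_DOMAINS = ["examplebank.com", "login.examplebank.com"];

// Registrable domain: last two labels (assumption: no multi-label public
// suffixes such as co.uk in the sample data).
function registrable(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// Levenshtein edit distance, used to catch one-character typos.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Verdict for a hostname seen in a request: "legitimate", "lookalike" (with
// the reason and the brand domain it imitates) or "unrelated".
function classifyHost(host, legitDomains = LEGIT_DOMAINS) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const legitSet = new Set(legitDomains.map(registrable));
  if (legitSet.has(registrable(h))) return { verdict: "legitimate" };
  const [hostSld, hostTld] = registrable(h).split(".");
  const labels = h.split(".");
  for (const legit of legitSet) {
    const [sld, tld] = legit.split(".");
    // Same brand label under another TLD: examplebank.net
    if (hostSld === sld && hostTld !== tld) return { verdict: "lookalike", reason: `tld-swap:${legit}` };
    // Hyphen inserted into the brand label: example-bank.com
    if (hostSld.replace(/-/g, "") === sld) return { verdict: "lookalike", reason: `hyphen:${legit}` };
    // One-character misspelling: examplebnk.com
    if (editDistance(hostSld, sld) <= 1) return { verdict: "lookalike", reason: `typo:${legit}` };
    // Brand name buried in a subdomain or label: examplebank.com.evil.example
    if (labels.includes(sld) || hostSld.includes(sld)) return { verdict: "lookalike", reason: `brand-embedded:${legit}` };
  }
  return { verdict: "unrelated" };
}
```

A real deployment would use a public-suffix list for the registrable domain and feed the verdict into a risk score rather than blocking on it alone.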
How to stop phishing at its origin
Each of these steps the attacker takes to create a phishing site leaves a digital trail. The domain, IP address, DRS SDK, redirects, distribution methods plus the devices and behaviors all provide clues. Transmit Security Detection and Response Service analyzes these clues in real time — to block phishing sites and URL redirects the very moment a customer clicks on the spoofed version of your website.
Detection and Response analyzes hundreds of signals at all times to prevent all types of account takeover (ATO) fraud. Continuous risk and trust assessments leverage machine learning and AI-driven anomaly detection, advanced behavioral biometrics, privacy-age device fingerprinting, reputation services and other detection methods that evolve as quickly as fraud MOs. The end result: accurate and immediate phishing prevention that protects your customers and your brand.
Transmit Security’s phishing prevention includes:
Anomaly detection: By analyzing the URL and looking for those subtle variations, like misspellings or hyphens, Detection and Response instantly knows if the domain is a spoof. Transmit Security automatically takes into account all of your company domains and subdomains, so your security team does not need to configure this manually.
Reputation services: When a user interacts with a website, a lot can be learned from each request sent, such as the referrer or redirect. With IP reputation services, Detection and Response checks to see if each IP address has a known history associated with fraudulent activity. If so, it’s likely fraud and weighed heavily in the risk score. Likewise, web reputation is checked for known phishing domains. A vast number of known phishing domains exist and can be used to flag and block incoming traffic.
Device fingerprinting: This is where the DRS SDK comes into play and gives us an advantage. Our service detects whether a user is accessing a site from an unknown device and can even tell if the attacker is using a device emulator or device spoofing, which means their efforts to evade detection won’t work with Transmit Security. We detect fingerprinting mismatches as well as devices that have previously been used by attackers for account fraud or phishing.
Behavioral biometrics: Transmit Security builds trusted customer profiles of each user’s typical behavior patterns and, by contrast, spots suspicious behavior. Detection and Response measures and analyzes the behavior of any user who logs in and interacts with your application or website. This means we can see if a fraudster uses the customer’s stolen credentials — even if they were stolen from another site. Behavior analysis includes:
Typing speed and consistency
Time spent on certain fields
Mouse movements and acceleration
Typing errors and delete operations that can indicate fraud
Copy and paste usage
Non-phishable credentials: Transmit Security Authentication Services supports and secures passkeys in addition to offering our best-in-class passwordless MFA. Customers who log in with fingerprint or facial biometrics achieve the strongest form of MFA — without ever using a password. The customer’s biometric (inherence factor) unlocks a private key (possession factor), which signs the authentication challenge. On the receiving end, the public key verifies a match. The customers’ biometrics and private keys are impossible to phish because they never leave a user’s device. Only the signed challenge, void of private data, is sent over the web.
Not all passwordless solutions eliminate passwords completely, since most require customers to use a password to register, recover an account or bind a new device. Transmit Security’s passwordless MFA is unique in offering multi-device support and true omnichannel experiences. With Transmit Security, customers register only once and then move across channels or devices with a single, unified identity.
Why Transmit Security anti-phishing is unique
There are several reasons Transmit Security is better than other anti-phishing solutions:
Accuracy: AI, ML and multi-method detection improve our detection accuracy:
Reduces false positives and false negatives by 90%
Improves device fingerprinting accuracy to 99.7% or better
Reduces friction, CAPTCHA and MFA challenges by 80%
Reduces complexity & costs with 1 unified solution for risk, trust, fraud, bots & behavior
Visibility and Control: Unlike most anti-fraud solutions built on proprietary, black box AI models, Transmit Security offers full transparency into the raw telemetry data. Our new conversational analytics tool leverages generative AI to perform natural language queries and deliver actionable insights based on the data that’s collected. Security teams can even influence the algorithms if desired.
Automation: Customers do not need to manually configure domain anomaly detection. Transmit Security keeps track of your domains and subdomains automatically and spots variations instantly.
Ease of use & ROI: Ease of management, visibility and automation contribute to low overhead costs, minimizing the total cost of ownership (TCO).
In 2004, the same year the U.S. launched the National Cyber Alert System, Brooks launched her career with one of the largest cybersecurity companies in the world. With a voracious curiosity and a determination to shed light on a shadowy underworld, she's been researching and writing about enterprise security ever since. Her interest in helping companies mitigate deceptive threats and solve complex security challenges still runs deep.