NEW TECH: SlashNext dynamically inspects web page contents to detect latest phishing attacks

By Byron V. Acohido

Humans are fallible. Cyber criminals get this.

Human fallibility is the reason social engineering has proven to be so effective – and why phishing persists. Consider these metrics from messaging security firm Proofpoint:

•Email-based corporate credential phishing attacks quadrupled in Q3 2018 vs. the previous quarter.

•Web-based social engineering attacks jumped 233% vs. the previous quarter.

•99% of the most highly targeted email addresses in the quarter didn’t rank as such in the previous report, suggesting that attackers are constantly shifting targets.

What’s more, a study by antivirus vendor Webroot informs that more than 46,000 new phishing sites go live each day, with most disappearing in a few hours. And a recent survey conducted by SlashNext, a Pleasanton, CA-based supplier of advanced antiphishing systems, revealed that 95% of IT professionals underestimate phishing attack risks. This holds true even though nearly half the respondents reported their organizations experience 50 or more phishing attacks per month, with 14% experiencing 500 phishing attacks per month.

It’s not as if companies and cybersecurity vendors have been sitting on their hands. Vast resources have been directed at filtering emails – the traditional delivery vehicle for phishing campaigns – and at identifying and blacklisting webpages that serve as landing pages and payload delivery venues.

So quite naturally, cyber criminals have shifted their attack strategies. They are pursuing fresh vectors and honing innovative payload delivery tactics. The bad guys are taking full advantage of the fact that many companies continue to rely on legacy defenses geared to stop tactics elite phishing rings are no longer using.

I recently had an eye-opening discussion about this with Jan Liband, SlashNext’s chief marketing officer. Here are the key takeaways from that interview:

Unguarded vectors

By now, most mid-sized and large enterprises have a secure email gateway that’s highly effective at filtering out 80%-95% of phishing emails. So phishers have moved on to comparatively unguarded vectors: social media channels, SMS (text), ads, pop-ups, chat apps, IM, malvertising and rogue browser extensions, Liband told me.

Platforms like Facebook, Twitter and Instagram are wide open for intelligence gathering. With knowledge of our friends, families and preferences, phishers are able to craft postings and messages targeting groups of victims, or specific individuals. The end game is to funnel victims to landing pages.

Malvertising is even more insidious. An entire cottage industry exists supporting the placement of malicious ads that come and go, circulating to even well-known, high-traffic websites. Click on the wrong  web page at the wrong time, and you could end up on a phisher’s landing page.

Phishers have insinuated themselves into the flow of legitimate online ads that get dynamically placed as part of an ecosystem designed to be wide open and flexible. It’s an ecosystem that has turned out to be perfectly suited to criminal activities.

Misaligned defenses

Then there are browser extensions. Rogue browser extensions have access to an incredible amount of info and can serve as Man-in-the-Browser middlemen to secretly record keystrokes and other sensitive browser transaction info for the bad guys. And since browser extensions may only exist in browser memory and are part of a “trusted application” (i.e. a browser) they largely evade detection by anti-virus protections.


This makes rogue browser extensions one of the most dangerous threats out there. They are most often promoted via phishing across multiple channels such as email, ads, pop-ups, and in some cases, they can simply be found on trusted app stores with 5-star listings, Liband told me. Sometime these pivot off of major sporting events or holidays.

During the March Madness college basketball tournament, for instance,  phishers circulated a free bracket-tracking browser extension.  The bracket-trackers actually worked as described – but they also silently infected the user’s browser, providing sensitive info to the attacker.

“The number of attack vectors has exploded in recent years,” Liband said. “As a criminal, I can phish you anywhere I can get you a link. Enterprises have a lot of guards at the email gate, but there are so many other ways to reach users inside the corporate castle.”

Another criminal tactic that has come into wide play lately is the deployment of landing pages that come and go in a matter of hours. This enables threat actors to stay a step ahead of the web crawlers set loose by Google and others to hunt down and blacklist the URLs of landing pages determined to be supporting malicious activities.

“Existing enterprise controls look to block URLs, derived from lots of trustworthy sources, that are on a known blacklist,” Liband observed. “The bad guys figured that out. So now they pop up URLs really fast, then take them down, or host phishing pages on a reputable and unblocked site, and nothing in anyone’s security arsenal knows to block it until after the attack has already shut down and moved on.”

Real-time analysis

SlashNext founder and CEO Atif Mushtaq was working as a senior scientist at intrusion detection vendor FireEye when he came to the realization that direct OS and system exploits were getting less common while exploiting the human attack surface was becoming more common via more sophisticated attacks and new vectors beyond traditional phishing emails. Mushtaq saw that little innovation was taking place to mitigate the advanced social engineering techniques that the leading phishing rings had moved on to.


One way to keep up, Mushtaq figured, would be to develop a better method for phishing site detection. So he founded SlashNext and pioneered the use of using virtual browsers in a purpose-built cloud to dynamically inspect page contents and server behavior to get far more clues about the site than outdated domain reputation based techniques.

A technique called SEER, which stands for Session Emulation and Environment Reconnaissance. Together with machine learning algorithms, SlashNext’ system can accurately detect phishing sites in real-time, regardless of initial phishing attack vector, even if they are hosted on reputable domains. This result is real-time phishing threat intelligence that can be used to close the gaps in existing security controls.

“The badness that is trying to tricks users is actually within the contents of the page, not the URL” Liband told me. “So we use natural language processing, along with lexical semantics and many other techniques to analyze the contents and intent of the page : how is it trying to manipulate the user, is it somehow exploiting human emotion, like fear or greed?

“We also use optical character recognition to extract and analyze text that has been embedded within graphics,” he continued. “And our system does active site behavioral analysis by filling out forms, clicking on links, following where any redirects lead to. In short, we use virtual browsers to look at the landing page the way a human security researcher would, but much faster and at cloud scale.”

This deep analysis could take a seasoned human analyst — which by the way are in short supply —  15 to 20 minutes to complete for a single suspect landing page. SlashNext’s automated platform can do it in a few seconds, at scale, and with very high accuracy.

“Our systems is looking at so many clues that it’s possible to make an accurate determination within a few seconds whether a landing page is a malicious phishing page or not,” Liband told me.

This is yet another example of machine learning and advanced data analytics directed at closing a gaping security hole. It’s a general approach that needs to be adopted much more widely, and each incremental advance is a step in the right direction. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)


Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone