Stop Phishing Cold with UltraThreat Feeds Data
Quick: Do you know the leading cause of data breaches?
The answer is phishing attacks – and right now, we’re seeing a 5-year high in attacks. Bad actors are working overtime to exploit the disruptions of the pandemic. More than 60,000 phishing sites were reported in March 2020 alone, and in mid-April Google reported it was blocking 18 million COVID-19 related phishing and malware emails every day.
One of the reasons phishing is such a problem, other than the sheer volume of attacks, is a tendency to underestimate the seriousness of the threat. The attack vector is just an email, after all.
But phishing attacks are actually far more structured and sophisticated than many people realize. A recent year-long study analyzing more than 22 million user clicks reaching more than 400,000 phishing sites revealed some of the most detailed insights yet into phishing attacks:
- They’re focused, intense campaigns: The average attack lasts 21 hours between the first and last victim visit, and often involves newly registered or newly active URLs.
- The big campaigns are highly effective: The largest attacks are sophisticated, capable and convincing; the top 10% by size accounted for almost 90% of victims.
- The emails are getting harder to detect: Many originate from hijacked business accounts, and the destination URLs are less obviously suspect than in the past.
- They create a lot of problems: More than 7% of victims entered credentials into the phishing forms.
Attacks are also becoming more narrowly targeted, as more cyber crooks employ spear-phishing, a technique used by almost two-thirds of known groups carrying out targeted cyber attacks. One attack in the 2020 tax season targeted ADP users, for example, telling them their W-2 form was ready. The clickable links lead to domains that posed as a legitimate ADP login page to collect the users’ credentials; they had been registered the day of the attack.
Defenses have gaps. Against this growing and increasingly effective onslaught, most organizations counter with some combination of three defensive tools.
The two most common are filters in the secure email gateway and user education to prevent staffers from clicking on unknown emails. They can be effective against amateurish and obvious phishing attempts, but not so much against the more sophisticated and dangerous campaigns.
The third tool – intelligence-based warnings of known phishing URLs – is more powerful. It enables security teams to block access to the phishing site, ending the risk by preventing users within the network from clicking through.
But there’s a critical gap in even this defense: the “golden hours.” As we’ve seen, phishing attacks today are relatively quick, focused campaigns, with target URLs activated specifically for the effort. Identifying these sites takes time. The study noted above described how that unavoidable delay creates a vulnerability gap that intelligence feeds can’t fill. Quoting the report:
“The detection of each attack by anti-phishing entities occurs on average nine hours after the first victim visit. Once detected, a further seven hours elapse prior to peak mitigation by browser-based warnings."
The researchers dubbed the 16 hours between the start of the campaign and the first appearance of warnings the “golden hours” of an attack -- and that’s exactly when most victims are snagged.
Threat intelligence can’t close that golden hours gap. In fact, unless you know a clairvoyant with an interest in cybersecurity, there’s no way to block users from accessing a new phishing URL until it’s been identified as malicious and disseminated.
How to close the “golden hours” gap. The answer lies in the fact that phishing attacks rely on newly registered or newly activated URLs. (Sometimes bad actors register a website and leave it inactive for weeks or months before putting it to work.) Neustar UltraThreat Feeds include data feeds that identify:
- Newly Published Domains
- Newly Observed Domains, including newly activated first level, second level and fully qualified domains
The data is provided in near real time and drawn from our globally distributed network of authoritative and recursive DNS service sites, which process well over 100 billion lookups every day.
It gives your team the data you need to prevent users from accessing phishing sites in the early stages of an attack – closing the golden hours gap. And it’s virtually effortless for your team:
- Route the data into your security ecosystem
- Block access to all newly registered and newly observed domains for a specific and limited period of time – 24 or 36 hours, for example
- Enable access after the golden hours have passed – and threat intelligence data enables you to continue blocking known phishing sites
In one stroke, your organization and your staff are protected against even the most sophisticated phishing emails, and the associated threat of data breaches.
The Newly Published and Newly Observed Domain feeds are just some of the valuable threat feeds Neustar offers IT security teams to help them protect their brand, defend their domain and mitigate fraud. If you’d like to learn more about how you can incorporate these timely, DNS-derived insights into your security framework, contact us or give us a call at 1-855-898-0036 in the US or +44 1784 448444 in the UK.