
TL;DR

  • Stealth Phishing Attacks – highly sophisticated attacks where attackers block any cloud-based service from seeing their phishing page, and show it only to targeted victims on their devices in real-time when they click on the phishing link
  • Stealth phishing attacks have been on the rise for the past few years and have left most cloud-based anti-phishing services flying blind
  • This post shows one such actual stealth phishing attack with screenshots from various anti-phishing services calling it “safe” and not being able to see the attack page from the cloud

UPDATE 25 Feb 2019 – This attack is still not blacklisted, 9 days later, by most well-known cloud-based cybersecurity services, as can be seen from the VirusTotal scan done today.

Today, I received an Apple phishing attack in my personal email account. While it looked like any regular phishing attempt, it was hardly that.

Office 365’s Real-time Safelinks Protection

With Pixm Anti-Phishing installed on my Mac, I clicked on the link. Since my personal email is on Outlook.com, Office 365 provides built-in real-time link protection at the point of click. As you can see in the screenshot below, this phishing link initially gets scanned by Office 365’s Safelinks Protection but doesn’t get flagged, and the user is instead allowed to proceed to the link.

Pixm Shuts Down Phishing Attack at Point of Click

After the page finished loading, as soon as it requested sensitive information such as a password, Pixm jumped into action: using deep learning computer vision, it detected the page as a phishing attack and shut it down immediately. Being on the endpoint gives Pixm the unique ability to analyze stealth webpages in real time at the point of click. It also lets Pixm protect the user not just in their work email but also across personal email and common social/messaging platforms.

How Pixm Anti-Phishing works

Pixm uses deep learning computer vision in real time to analyze the webpage visually (by taking a screenshot after the page finishes loading) and determine whether it looks like the login page of a well-known brand (or a brand that Pixm recognizes). If so, it compares the domain of the website the user is currently on against the list of domains that brand has authorized to show a login page. If the current domain isn’t in that list, the page is shut down immediately so that the user can no longer click or type on it.
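As an added example (not Pixm’s own code), here is the domain-authorization step described above, written from the endpoint’s point of view. The vision-based brand recognition is assumed to have already happened and is passed in as `brand`; the allowlist, the `decide` helper and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains a brand authorizes to show its login page.
# Pixm's real list is not public; these entries are assumptions.
AUTHORIZED_LOGIN_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "microsoft": {"microsoft.com", "live.com", "microsoftonline.com"},
}


def hostname_of(url):
    """Return the normalized host the browser actually connects to.

    urlsplit() drops userinfo, so "https://apple.com@evil.example/" yields
    "evil.example": a brand name placed before '@' never counts as the host.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower().rstrip(".")  # case-fold, drop trailing root dot


def is_authorized_host(host, authorized_domain):
    """True only if host is the domain or a subdomain of it, on a label boundary.

    A bare endswith() check would wrongly accept "notapple.com" for "apple.com".
    """
    return host == authorized_domain or host.endswith("." + authorized_domain)


def decide(brand, url):
    """Endpoint decision: the page looks like `brand`'s login (already
    detected visually); block unless the current domain is one the brand
    authorizes. Returns ("allow" | "block", normalized_host).

    Homograph hosts ("xn--pple-43d.com") and brand-as-subdomain lookalikes
    ("apple.com.verify-id.example") fall out naturally: the comparison is on
    the exact registrable host, never on substrings.
    """
    host = hostname_of(url)
    allowed = AUTHORIZED_LOGIN_DOMAINS.get(brand.lower(), set())
    verdict = "allow" if any(is_authorized_host(host, d) for d in allowed) else "block"
    return verdict, host


if __name__ == "__main__":
    # Constructed sample URLs, not the attack URL from the post.
    for url in ("https://appleid.apple.com/auth/authorize",
                "https://apple.com.verify-id.example/login",
                "https://apple.com@evil.example/signin",
                "https://notapple.com/"):
        print(decide("apple", url), url)
```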

Stealth Phishing Attack – Invisible to Cloud-based Anti-Phishing

Cloud-based services are blocked from seeing this attack at all. This stealth functionality has already been incorporated, or is in the process of being incorporated, into all phishing kits, rendering cloud-based anti-phishing services blind.

 

RedMarlin’s CheckPhish seeing “Forbidden”

Phish.AI seeing “Forbidden”

URLScan.io seeing “Forbidden”

WebOfTrust (WOT)

Avast Online Security

BitDefender TrafficLight

McAfee SECURE

Google SafeBrowsing

IBM X-Force

Trend Micro Site Safety

WebRoot BrightCloud Threat Intelligence

Cisco TALOS Intelligence

ZScaler URL Risk Analyzer

COMODO Web Inspector

Fortinet FortiGuard

Vade Secure IsItPhishing.Org

NORTON Safe Web

PhishTank

McAfee SiteAdvisor/WebControl Enterprise

McAfee Real-Time Database

Symantec WebPulse Site Review
