Not too long ago, phishing attacks were fairly easy to spot. Most emails were poorly spelled and had fairly obvious pretexts, like the famous Nigerian prince trying to move money to the US and in desperate need of your help (and a small expediting fee). User awareness training for these types of attacks was pretty straightforward: look out for obvious errors and look for the “green padlock” representing HTTPS.
In the modern day, phishers are more sophisticated. Organized crime has moved into the space and phishing has become professional, with well-designed emails and convincing phishing sites. The old guidance doesn’t work as well anymore when some phishing emails can fool cybersecurity experts and almost half of phishing sites use HTTPS (and have that green lock). Modern anti-phishing guidance tells users to check the URL and verify it is trusted before entering any sensitive information or clicking on things. However, even this can be defeated by phishers who have compromised a “trusted” site.
In this piece, we’ll describe how this works and how to protect your sites with tools like a strong web application firewall (WAF).
A Brief Introduction to URLs
URLs save us from having to memorize IP addresses by creating human-readable descriptions of the website that we’re visiting. A URL can be broken into two major chunks: one describing the website being visited and the other describing where on the site this particular page is stored. The first part of a URL replaces an IP address and points to a particular webserver. Like an IP address, this is composed of dot-separated values, like www.google.com. This part of the URL represents a hierarchical structure, where com is the top-level domain (TLD), google is the site being visited, and www refers to the default page on this site.
Many people don’t understand URLs and are taken in by phishing scams targeting this first part of the URL; however, our focus is on the second part. The assumption is that a user has reached the right site. The remainder of the URL is separated by forward slashes (/). It resembles the directory structure of a Linux machine for good reason: this describes where in the web directory a given page is located. People are used to ignoring this part of the field, and phishers take advantage of this to put malicious pages on “trusted” sites.
Hiding Phishing on “Trusted” Sites
The number of possible subdirectories for a website is essentially unlimited, and the complexity of most web server directories means that administrators rarely look at anything they don’t have to. As a result, it is entirely possible for directories and pages to exist on a webserver without the owner’s knowledge.
If a hacker manages to compromise a trusted webserver, they probably have the ability to create new directories and files on the server within the web directory. Due to how websites work, this means they are creating new pages on the trusted website.
These pages will also be able to use the same certificate as the legitimate pages, since certificates are issued at the “site” level (the hostname, i.e. the first half of the URL). As a result, attackers can create “trusted” HTTPS connections that appear to come from a trusted site for pages completely under their own control.
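One check a site owner can run to catch this: record a hash snapshot of the webroot at deploy time and diff later snapshots against it, so a page that was never deployed stands out. This is an added example, not code from the original article; the directory layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot_webroot(root):
    """Return {relative_path: sha256} for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def diff_against_baseline(baseline, current):
    """Compare a fresh snapshot with the one recorded at deploy time.

    'added' is the case this article is about: pages the owner never
    deployed but that the web server will serve under the trusted hostname.
    """
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }

def run_demo():
    """Constructed scenario: a small site, then content dropped in after deploy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Content the site owner actually deployed (constructed sample).
        (root / "index.html").write_text("<h1>Center home</h1>")
        (root / "about").mkdir()
        (root / "about" / "index.html").write_text("<p>About us</p>")
        baseline = snapshot_webroot(root)  # record at deploy time, store it off-box

        # Changes the owner did not make: a page buried in a deep directory the
        # site never had, plus an edit to an existing page (constructed sample).
        hidden = root / "assets" / ".cache" / "v2" / "secure-login"
        hidden.mkdir(parents=True)
        (hidden / "index.html").write_text("<form>Sign in to continue</form>")
        (root / "about" / "index.html").write_text("<p>About us (edited)</p>")

        return diff_against_baseline(baseline, snapshot_webroot(root))

if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, paths)
```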
This type of attack has occurred to major, trusted brands. In 2017, the website of the Paul F. Glenn Center for the Biology of Aging at Stanford University was compromised by hackers and used to host phishing sites and send spam mail for several months. Anyone who visited the site would see a legitimate certificate (belonging to a Stanford University center) and would be more likely to fall for the scam.
Protecting Your Online Reputation
These “trusted” phishing sites can significantly damage the reputation of the websites and brands that they are hosted on. Sites may receive consumer complaints or be blocked by web browsers that detect the malicious phishing pages included on their servers. Protecting your organization’s online reputation requires awareness of how your website is being used. This is where a web application firewall (WAF) with the ability to monitor for anomalous behavior can be invaluable.
For most websites, visits to webpages buried deep inside multiple obfuscating directories are uncommon. If such visits suddenly become common for a site (i.e. because a particular page is being used by an attacker to host phishing content), the site’s usual behavior patterns will change significantly. A WAF that monitors common access patterns and alerts upon detecting anomalies could be what saves your company’s online reputation.
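The access-pattern check described above, as an added example that is not part of the original article: it parses combined-format access logs, learns which paths were requested during a baseline window, and flags paths in a later window that are new, deep in the directory tree, and suddenly receiving many successful requests. The log lines, IP addresses and path names are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" format; only the request target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def request_paths(lines):
    """Yield (path, status) for each parsable line; the query string is dropped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield urlsplit(m.group("target")).path, int(m.group("status"))

def path_depth(path):
    """Number of levels in the path ('/' is 0, '/a/b.html' is 2)."""
    return len([seg for seg in path.split("/") if seg])

def find_suspicious_paths(baseline_lines, recent_lines, min_depth=3, min_hits=5):
    """Paths never requested during the baseline window that sit deep in the
    directory tree and are suddenly being served successfully (HTTP 200)."""
    known = {path for path, _ in request_paths(baseline_lines)}
    hits = Counter(path for path, status in request_paths(recent_lines) if status == 200)
    return sorted((path, n) for path, n in hits.items()
                  if path not in known and path_depth(path) >= min_depth and n >= min_hits)

# Constructed sample traffic (not real logs). Baseline: normal browsing of the site.
BASELINE_LOGS = [
    '203.0.113.5 - - [10/Mar/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Mar/2017:10:00:09 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2017:10:01:14 +0000] "GET /research/publications.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
# Recent window: a burst of visitors landing on a deep page the site never served before.
PHISH = "/assets/.cache/v2/secure-login/index.html"
RECENT_LOGS = [
    '198.51.100.%d - - [11/Mar/2017:09:%02d:00 +0000] "GET %s?e=user%d HTTP/1.1" 200 3100 "-" "Mozilla/5.0"'
    % (i, i, PHISH, i) for i in range(8)
] + [
    '203.0.113.8 - - [11/Mar/2017:09:10:00 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Mar/2017:09:11:00 +0000] "GET /research/new/deep/page.html HTTP/1.1" 404 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, n in find_suspicious_paths(BASELINE_LOGS, RECENT_LOGS):
        print(f"ALERT: {n} hits on new deep path {path}")
```

In production the baseline would come from weeks of logs and the thresholds would be tuned per site; the signature to look for is the same, a never-seen deep path that is suddenly popular.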
Stopping “Trusted” Phishing Sites
Phishing is one of the biggest threats to individual and organizational security. With the advances in network security, targeting the human behind the keyboard allows an attacker to evade many of these defenses. A cat and mouse game has been going on for years between network defenders developing new protections against phishing and attackers finding ways to get around them.
One way that attackers make phishing pages look more plausible is by hosting this malicious content on compromised, trusted sites. These phishing pages have legitimate-looking URLs and certificates, making them more plausible to the victim.
Protecting your websites against this type of attack is crucial to protecting your organization’s online reputation. Deploying a WAF with the ability to detect and alert on unusual behavior (such as visits to these phishing pages) can help you find and remove these pages before they hurt your brand.