The PhishLabs Blog

How Source Code Analysis Helps Defend Against Phishing

Posted by Lindsey Havens on May 3, '17

If you want to protect your organization from phishing attacks, threat intelligence is a vital tool. From phish kits and phishing sites to individual email lures, there’s a huge amount to learn from each section of the phishing kill chain.

Last month we kicked off our new webinar series, in which we’ll be taking a deep dive into specific phishing attacks to help members of the infosec community understand precisely how and why each attack vector works.

This time around we took a close look at consumer-focused phishing, including the full lifecycle of a phishing attack from lure to data collection, and how each stage can be analyzed for actionable threat intelligence.

This session was hosted by Crane Hassold, a Senior Security Threat Researcher on our R.A.I.D. (Research, Analysis, and Intelligence Division), and a former FBI Cyber Behavioral Analyst. Among other things, his work on threat actor profiling at PhishLabs is paving the way in proactive phishing detection, mitigation, and takedown.

This is the first in a series of posts breaking down the first webinar, and shedding some light on how phishing intelligence can help secure your organization.

Throughout the year, our R.A.I.D. team tirelessly collects and analyzes a multitude of phishing lures, sites, and kits. At the start of each year, we release our annual Phishing Trends & Intelligence report, which details precisely how the phishing landscape has changed over the previous 12 months. To find out precisely what's going on in the world of phishing, download your free report today.


Where Does Phishing Intelligence Come From?

At a fundamental level, having a strong understanding of how phishing attacks function will have a tremendous impact on your ability to mitigate and respond to incoming attacks. On the other hand, if you don’t truly understand the phishing kill chain, it’s going to be almost impossible to reliably defend your organization.

Typically, phishing actors need two things in order to conduct a successful attack:

  • A phishing site - The webpage used to harvest credentials, or deploy malware
  • A lure - The phishing email that convinces a user to visit the actor’s phishing site

Now, while it is possible for phishing actors to design and build their own phishing sites, they typically don’t have the skills or inclination to do so. As a result, most phishing actors rely on a third ingredient:

  • A phish kit - The ‘recipe’ used to create a phishing site. It typically includes all of the code, graphics, and content needed to quickly produce a convincing web page.

The great thing is, with a bit of digging, all three of these ingredients are available to threat researchers. Lure samples can be continuously collected and dissected. Most lures link to an associated phishing site, which is again a great source of phishing intelligence.

Even phish kits, which are implemented well before an attack actually materializes, are easily available, as they’re often advertised and distributed freely through social media channels and openly accessible dark web markets.

Once the individual components have been collected, there are three primary ways in which they can be interrogated:

  1. Source code analysis
  2. URL pattern analysis
  3. Malicious domain correlation

Today, we’ll take a look at how source code analysis of individual phishing sites can be used to gather actionable threat intelligence.

Lessons in Source Code: Phishing Sites

The most obvious targets for source code analysis are the phishing sites themselves. After all, without the phishing site, most campaigns would fail to achieve their desired result.

In case you aren't familiar with webpage source code, it tends to look something like this:

[Screenshot: the HTML source of a webpage]

Now, to the uninitiated, this may seem intimidating. To a threat analyst, however, this code is a rich source of threat intelligence.

By analyzing the source code of a single phishing site, experienced analysts are able to identify and extract unique strings that can dramatically improve their ability to detect future attacks.

Among others, here are some of the phishing site source components our analysts study:

HTML title tags - Quite simply, this is the code that tells your web browser the title of a target webpage. Somewhat surprisingly, experience has taught us that these common tags are a very reliable way to link phishing attacks (and consequently phishing actors) together.

Form posts - This is the code (usually a PHP script) used to collect the data being stolen. By analyzing this code, our analysts can learn a great deal about how and where the data is stored, which again can help them to track specific campaigns and actors.

Comments & signatures - If you don’t have programming experience, you may not realize that your favorite websites likely contain a whole range of information that you never get to see. Legitimate programmers insert comments in their code to help themselves and others understand precisely how individual aspects of a program or web page function. Hackers do this too, but they also commonly use the comment functionality to insert their “signatures”, thereby taking credit for their handiwork. This could be as simple as a text handle such as MafiaBoy or c0mrade, or it could be something much more distinctive:

[Screenshot: a phish kit author’s signature left in a source code comment]

Both explanatory comments and signatures are extremely valuable, as they provide an insight into the motives, tactics, and identity of phish kit authors, and can often be used to link both phishing sites and kits to specific actors.
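As an added illustration (not code from PhishLabs or from the webinar), the small Python script below pulls the three components just described, the title tag, the form post targets and the HTML comments, out of a collected phishing page and turns them into normalized strings that can be matched against future pages. The HTML sample is constructed for the example, and the handle-spotting heuristic is an assumption, not an established rule.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a credential-harvesting page's source (not a real kit).
SAMPLE_HTML = """<html><head><title>Secure Login - Verify Your Account</title></head>
<body><!-- coded by ph1sh_h4nd1e -->
<form action="post.php" method="post">
<input name="email"><input name="passwd" type="password">
</form>
<!-- results go to the drop mailbox, see cfg.php -->
</body></html>"""

class PhishSourceFeatures(HTMLParser):
    """Collect <title> text, form post targets and HTML comments from page source."""
    def __init__(self):
        super().__init__()
        self.titles, self.form_actions, self.comments = [], [], []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            a = dict(attrs)
            # Where stolen data is posted is often a script shipped with the kit.
            self.form_actions.append((a.get("action") or "", (a.get("method") or "get").lower()))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title and data.strip():
            self.titles.append(data.strip())

    def handle_comment(self, data):
        self.comments.append(data.strip())

def extract_features(html):
    p = PhishSourceFeatures()
    p.feed(html)
    p.close()
    return {"titles": p.titles, "form_actions": p.form_actions, "comments": p.comments}

def fingerprint(features):
    """Lower-cased strings to compare against the next page that comes in."""
    sigs = {t.lower() for t in features["titles"]}
    sigs.update(a.lower() for a, _ in features["form_actions"] if a)
    sigs.update(c.lower() for c in features["comments"])
    return sorted(sigs)

def likely_handles(features):
    """Assumed heuristic: comment tokens mixing letters with digits/underscores."""
    tokens = re.findall(r"\b\w{4,}\b", " ".join(features["comments"]))
    return sorted({t for t in tokens if re.search(r"[0-9_]", t) and re.search(r"[a-zA-Z]", t)})
```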

The Pay-Off

At this stage, you may well be thinking that all this analysis sounds like a lot of work, especially when you consider how frequently most organizations are targeted by phishing attacks.

And, in all honesty, you’d be right. It is a lot of work, and it does require highly skilled and experienced threat analysts. But, done properly, the benefits of high quality phishing intelligence are substantial.

For one, the intelligence you produce will help you identify future phishing attacks much more quickly. Even when phishing actors make use of anti-detection mechanisms such as .htaccess files or PHP blocklists, if you have access to powerful intelligence you’ll be able to quickly identify incoming attacks. That means fewer phishing lures reaching your users’ inboxes, and ultimately it means fewer security incidents.

And it goes further than that. On a daily basis, most security operations analysts spend a huge amount of time analyzing and discarding false positives, which are potential threats that turn out to be nothing. Using high quality phishing intelligence, not only will you be able to flag real threats more quickly, you’ll also be able to improve your security controls to the point where far fewer false positives are flagged for analyst attention.

There’s So Much More…

In this post, we’ve barely scratched the surface of how phishing intelligence can be produced and used to enhance your organization’s security profile.

For that matter, we’ve only covered one small part of Crane’s webinar, in which he went on to explain how URL pattern analysis and malicious domain correlation can provide even more valuable intelligence, and walked through a specific attack in detail.

To learn more, you can check out the webinar on-demand by clicking here (it’s free), or keep following the blog to read the rest of this series.

In the meantime, if you’re interested in finding out how your organization could benefit from phishing threat intelligence produced by our very own R.A.I.D. team, contact us today.

Topics: Phishing, Threat Intelligence
