January 28, 2019
Lookout Phishing AI continuously scans the Internet looking for malicious websites. Phishing AI detects the early signals of phishing, protects end users from visiting such sites as they come up, and alerts the targeted organizations.
Most cyber attacks targeting the enterprise begin with phishing. There are few ways into the enterprise faster than using stolen credentials to access sensitive data. To combat this, Lookout developed Phishing AI to identify early signals of attacks, build protections for our customers, and provide early warning to any targeted organizations -- regardless of whether they are Lookout customers or not. With the ability to identify phishing tools as they are being built across the Internet, Lookout Phishing AI often notifies targeted organizations before a phishing attack has started.
Timing is crucial for detecting phishing attacks, not only to stop them but also because malicious actors are constantly building, and then tearing down, phishing websites. There are over 1.5 million phishing sites created every month. While there are some persistent phishing sites, most sites are put up and taken down in a matter of hours.
Unlike traditional phishing detection tools that require a “sacrificial lamb” to click on a phishing link before it’s detected, Phishing AI actively searches the internet for precursors of phishing sites. Lookout Phishing AI incorporates a machine learning engine that continuously scans the Internet to identify infrastructure used by phishing sites. Phishing AI leverages the same approach in the analysis of URLs that Lookout Mobile Endpoint Security uses to analyze malware. Our dynamic analysis executes URLs in a browser and watches the behavior of the site. These agents extract features from servers to generate risk scores, creating powerful data sets based on the results of interacting with billions of sites.
Phishing AI detects and tracks over 10,000 active phishing sites each day. This global criminal phenomenon is happening at such speed and scale that humans can’t identify, react to, and remediate these threats quickly enough to be effective. Phishing works at an international scale, reaching across multiple jurisdictions. This makes it nearly impossible for any one governmental organization, let alone any human, to take effective action. Only an AI-based approach can effectively detect and combat criminals around the world who are constantly evolving their approach to tricking billions of Internet users into falling for phishing attacks.
Phishing URLs are becoming increasingly difficult for humans to detect. One example is the use of homoglyphs -- using numbers in the place of letters, like a 0 instead of O, in URLs like Facebook.com or Office.com. There is also typo-squatting, which tricks users into overlooking a misspelled URL such as Goggle.com. Moreover, long URLs are particularly effective for targeting mobile users who can’t see the complete website address on a smaller screen.
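The three URL tricks above can be checked mechanically. The following is an added example, not Lookout's code or part of the original post: it folds digit lookalikes, measures edit distance against a watchlist, and flags URLs too long for a small screen. The brand list, the digit map, and the 40-character mobile width are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed inputs for this example: a brand watchlist and a digit-to-letter map.
BRANDS = {"facebook.com", "office.com", "google.com"}
DIGIT_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
MOBILE_VISIBLE_CHARS = 40  # assumed address-bar width on a small screen


def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1,
                                       prev + (ca != cb))
    return row[-1]


def classify(url):
    """Return (verdict, matched_brand) for the hostname in url."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if host in BRANDS:
        return ("exact", host)
    # Homoglyph check: replace digits with the letters they imitate.
    folded = host.translate(DIGIT_LOOKALIKES)
    if folded in BRANDS:
        return ("homoglyph", folded)
    # Typo-squat check: one insertion, deletion or substitution away.
    for brand in sorted(BRANDS):
        if edit_distance(folded, brand) == 1:
            return ("typosquat", brand)
    return ("no-match", None)


def truncated_on_mobile(url, visible=MOBILE_VISIBLE_CHARS):
    """True when the full URL will not fit in the visible address bar."""
    return len(url) > visible


if __name__ == "__main__":
    # Constructed sample URLs, not observed phishing sites.
    for u in ("http://faceb00k.com/login", "https://goggle.com",
              "https://www.google.com/search", "https://example.org"):
        print(u, classify(u), truncated_on_mobile(u))
```

A digit map covers only the number-for-letter substitution described here; a production check would also need Unicode confusables and a much larger watchlist.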
Phishing sites are also becoming more sophisticated in their look and design, making it harder for humans to visually identify a malicious site. On top of this, it is much easier to obtain phishing kits, as many phishing sites can be purchased off-the-shelf as prepackaged kits to steal user credentials. The cost of these phishing kits continues to drop, making it even easier for anyone to launch a phishing site quickly.
One technique that Phishing AI uses is computer vision, which allows Lookout to identify the difference between valid sites and malicious copies of the sites that users enter their credentials into every day. Using computer vision, Phishing AI is able to analyze the use of logos and graphics to identify even the most sophisticated phishing sites. As phishing gains in prominence, attackers are creating impressive copies of sites, making it very difficult to spot a malicious site. Can you tell the difference between a phishing site and a real one?
Play the Phishing game here.
Stay tuned for more blog posts about how Phishing AI works, key findings as our AI engine continuously evolves, and new discoveries in the criminal world of phishing. Check out select findings on Twitter @PhishingAI.
Jeremy Richards, Principal Security Researcher