by Alexander Garcia-Tobar, VP of Corporate & Business Development
Agari often detects attacks in real time with very little “signal”, many hours or days before the spike in malicious activity. Early detection can alert enterprises or takedown vendors (companies that take confirmed malicious links/URLs offline) to suspicious email and dramatically shorten response and remediation times. The speed at which new phishing attacks are detected is a critical prerequisite to blocking them before they scale and cause widespread damage.
“Where the same URL was reported by more than one source, Agari reported it first, 90% of the time” – Major Financial Services Firm
The anatomy of a typical phishing attack
The pattern Agari sees in phishing attacks is very similar to that of a criminal testing out a stolen credit card: first a small charge (for example, filling up a car) is tested using the stolen card. If the charge goes through, the criminal will then progressively increase the charge amount until a certain level of confidence is achieved. At that point, the criminal will charge as much as possible to max out the credit card and collect as much “revenue” as he/she can.
Phishing attacks follow the same pattern as the stolen credit card example above. During the initial test phase, the criminal sends a small volume of phishing messages to confirm that they are reaching the intended targets and are not being blocked by ISP spam filters or other traditional filtering mechanisms. The criminal then ramps up the attack in stages until confident that it will avoid being blocked. At this point the test phase is over, and the criminal increases the number of messages dramatically, sending out tens or hundreds of millions of messages to unsuspecting consumers.
The above graphic is a real example showing when Agari warned a global financial institution of an impending phishing attack. The criminal’s test phase was detected by our analytics engine on 5/10/13 at 12:00 and triggered a real-time threat feed sent to the client and its takedown vendor. The feed contained the submission time, the spoofed domain, the subject line of the email, and any suspicious URLs embedded in the email. By detecting and blocking the phishing attack on 5/10/13 at 12:00, the client was able to prevent the majority of the targets from receiving the malicious messages. An important side benefit is the detection of the URLs embedded in the suspicious emails. At the client’s discretion, the URLs can be analyzed by its takedown/security vendor of choice to establish whether they are malware/APT. The client can then decide whether to “take down” the URLs and thwart any subsequent attacks on its employees, customers, or any other company. The criminal now needs to mount a completely different attack and is back to square one.
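The following added example (not Agari’s code) models the test-phase-then-spike pattern described above on a constructed series of message batches. It contrasts a detector that alerts on the first sighting of an off-brand URL sent under the protected domain, however small the batch, with a volume-based filter that only reacts once a batch is large, and computes how much of the total volume each approach can still block. The domain, URLs and batch sizes are assumptions.

```python
from datetime import datetime
from urllib.parse import urlparse

# Constructed message batches seen for one protected brand (not real data):
# (observed time, spoofed From domain, subject, embedded URL, message count).
# The small early batches model the test phase; the large ones the ramp-up.
BATCHES = [
    ("2013-05-10 12:00", "bank.example", "Verify your account", "http://secure-bank.example.net/login", 50),
    ("2013-05-10 16:00", "bank.example", "Verify your account", "http://secure-bank.example.net/login", 500),
    ("2013-05-10 22:00", "bank.example", "Verify your account", "http://secure-bank.example.net/login", 5_000),
    ("2013-05-11 08:00", "bank.example", "Verify your account", "http://secure-bank.example.net/login", 3_000_000),
    ("2013-05-11 14:00", "bank.example", "Verify your account", "http://secure-bank.example.net/login", 40_000_000),
]
PROTECTED_DOMAIN = "bank.example"
KNOWN_GOOD_URLS = {"https://www.bank.example/login"}  # hypothetical allow-list of the brand's own links


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def first_sighting_alert(batches, protected_domain, known_good):
    """Emit a feed record (time, spoofed domain, subject, URL) the first time a
    message claiming the protected domain carries a URL whose host lies outside
    that domain and is not on the allow-list, regardless of batch size."""
    seen = set(known_good)
    for ts, domain, subject, url, _count in batches:
        host = urlparse(url).hostname or ""
        off_brand = host != protected_domain and not host.endswith("." + protected_domain)
        if domain == protected_domain and off_brand and url not in seen:
            return {"time": ts, "spoofed_domain": domain, "subject": subject, "url": url}
        seen.add(url)
    return None


def volume_alert(batches, min_count):
    """Alert only once a single batch reaches min_count messages, modelling a
    filter that needs the spike itself as its signal."""
    for ts, domain, subject, url, count in batches:
        if count >= min_count:
            return {"time": ts, "spoofed_domain": domain, "subject": subject, "url": url}
    return None


def blocked_fraction(batches, alert):
    """Share of total volume that can still be blocked: the batch that triggers
    the alert has already been delivered, so only later batches are counted."""
    total = sum(count for *_rest, count in batches)
    if alert is None:
        return 0.0
    cutoff = _parse(alert["time"])
    blocked = sum(count for ts, *_rest, count in batches if _parse(ts) > cutoff)
    return blocked / total
```

With these figures the first-sighting alert fires at 12:00 on 5/10 and leaves only the 50 test messages delivered, while a filter needing 100,000 messages per batch fires on the 3,000,000-message batch and can only stop the final wave.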
As the above example demonstrates, early detection of email attacks is crucial to mitigating the majority of the damage to both your customers and your brand. We encourage all enterprises to use detection methods that function in real time and detect attacks as early as possible.