Vade has been awarded a new patent by the US Patent and Trademark Office for a new method of preventing phishing kits from initiating defensive actions when examined by URL scanning technology. This technique is built into Vade's web scanner IsItPhishing.AI, the company says.
Phishing kits contain all the components needed to launch a phishing campaign, in an easy-to-deploy format, and are readily available for sale on cybercriminal forums and marketplaces. Many of the kits also feature cloaking mechanisms to help evade detection by security tools and are designed to trigger the phishing pages only under certain conditions, such as users on devices running a specific operating system or users located in specific geographic locations. From the perspective of the seller, the defensive features add value to the phishing kits and may attract more buyers, says Rik Turner, a principal analyst at Omdia.
The patent specifically addresses how kits thwart URL scanning technology. There are other ways to detect phishing, and kits have other defenses against those methods.
Kits detect URL scanning by checking the IP address of an incoming HTTP connection and, if it appears to belong to a security vendor, returning an error page or redirecting to a legitimate site, Vade says. The phishing page is never loaded, so the URL scanner is tricked into thinking the message and the link inside the message are not malicious.
Vade's approach is to "impersonate the intended victim of the phishing website by scanning the decoded original URL using the decoded optimal scanning parameters, such that the scanned phishing website does not generate a defensive action responsive to the scan," according to the patent's description of the technology. Vade applies multiple methods, including Natural Language Processing, to the malicious website to determine the parameters of a user that would be most likely to trigger the phishing attack. With those parameters, Vade can create a connection request that would not appear to come from a security vendor and reduce the likelihood that "a defensive action will be taken to hide the existence of the malicious content pointed to by the URL," the company says.
"The Vade technology is liable to be a useful addition to anyone’s anti-phishing toolkit, and may well raise Vade’s profile in the market," Omdia's Turner says.
Vade’s latest patent is part of the company's ongoing research and development in new attack techniques, says Sébastien Goutal, Vade's chief science officer. In February, USPTO awarded Vade a different patent for its method of collecting and generating real threat samples in security awareness training. Vade's approach programmatically collects threat samples from user inboxes (already protected with Vade's security technology) and generates training materials customized to that user. For example, if the user has clicked on a real phishing email impersonating Microsoft, the program will send training emails impersonating Microsoft to that user. This technique is currently in Vade Threat Coach, its automated user awareness training program.