Phishers count on remotely hosted images to bypass email filters
Loading remotely hosted images instead of embeedding them directly into emails is one of the latest tricks employed by phishers to bypass email filters.
Phishers are always finding new ways trick defenses
Phishing emails – especially when impersonating popular brands – contain widely known brand logos and other images to give the illusion of having been sent by legitimate organizations.
Images have also been used for ages as a way to circumvent an email’s textual content analysis but, as security technologies became more adept at extracting and analyzing content from images, phishers began trying out several tricks to make the process more difficult and time-consuming for security scanners.
“Unlike embedded images, which can be analyzed in real time by email filters, remote images are hosted on the web and thus need to be fetched before being analyzed,” Vade Secure researchers explained.
To delay the fetching, phishers are employing multiple redirections, cloaking techniques, and are hosting the images on high-reputation domains.
“The use of JavaScript is also common so that it is necessary for security vendors to use state of the art web crawlers that are costlier and more difficult to scale. Cloaking techniques may also be used to ensure that it is the intended victim that is fetching the image and not a security vendor. For example, a phishing campaign targeting customers of a Canadian bank may only deliver the malicious content to web connections originating from Canada. Additionally, hosting remote images on high-reputation websites renders domain reputation-based detection ineffective,” they pointed out.
At the moment, this new approach to delivering images in phishing emails is quite popular and obviously rather successful, but as email security vendors find ways to counter these tricks, cyber criminals will have to change tack once more – and so the arms race continues.