Phishing
HID RMS protects the web application against phishing attacks.
What is a phishing attack?
A fake site, a so-called phishing site, pretends to be a legitimate web page, for example, an online banking login page, a mailbox login page, etc. The author of such a page usually tries to faithfully copy the original website’s appearance so that users fill in their login and other personal details. Instead of letting the user into the expected legitimate app, this phishing site just signs out while collecting the user’s data. The application then sends the harvested data to the fraudster’s drop zone, where the data can be handled in various ways (immediately misused, sold on the black market, etc.), which leads to account takeover.
HID RMS protects the end-users by detecting phishing victims while providing all necessary details about the phishing attack. This helps fraud analysts take quick action against the attacker while notifying the victim and securing the victim’s account in time (e.g., changing passwords).
Phishing detection methods
HID RMS detection methods:
- JavaScript probe
- HTTP referrer
- CSS artifacts
- Image
Phishing detection works by placing special elements in the website’s HTML source code. These elements are evaluated when they are loaded on a non-allowed domain. Examples of such elements are a JavaScript component, website CSS artifacts, or pixel images. Their location and form are changed at random intervals to increase success rates. When a website is copied together with an active HID RMS element, a phishing attack has started, and users become victims by entering their data into fields prepared by the attacker. HID RMS can record and list the specific users who entered their data, so banks can start informing users or restricting access to their accounts before unauthorized access (ATO, account takeover) occurs.
If an attacker disables the JavaScript, there are still multiple detection methods that we can use. These methods include:
- Checking for newly issued SSL certificates and running a full-text search for the client’s name within the URL
- Utilizing our set of compromised e-mail addresses (present in dark web databases available to purchase) and automatically scanning for our client’s logo (OCR) and brand name
- Checking various phishing feeds
- Others
HTTP referrer method – the suspicious site is identified thanks to a redirection of the user from page A (phishing site) to page B (bank site), where the JS probe gets the referrer.
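The domain check behind the JavaScript probe and the HTTP referrer method can be sketched as follows. This is an added example, not HID RMS code: the allow-list, the report URL and all function names are assumptions made for illustration.

```javascript
// Added illustration, not HID RMS code. Domains and the URL are placeholders.
const ALLOWED_DOMAINS = ['bank.example'];         // assumption: the legitimate site
const REPORT_URL = 'https://rms.example/report';  // assumption: reporting endpoint

// True when the host is an allowed domain or a subdomain of one. The suffix
// match is anchored on a dot, so "bank.example.evil.test" and
// "notbank.example" do not pass.
function isAllowedHost(host, allowed = ALLOWED_DOMAINS) {
  const h = String(host || '').toLowerCase().replace(/\.$/, '');
  return allowed.some((d) => h === d || h.endsWith('.' + d));
}

// Hostname of a referrer URL, or null when it is empty or unparsable.
function referrerHost(referrer) {
  if (!referrer) return null;
  try { return new URL(referrer).hostname.toLowerCase(); } catch { return null; }
}

// Evaluate one page load and return the findings to report.
function evaluateProbe({ hostname, referrer }, allowed = ALLOWED_DOMAINS) {
  const host = String(hostname || '').toLowerCase();
  if (!isAllowedHost(host, allowed)) {
    // The probe is executing inside a copy of the page on a non-allowed domain.
    return [{ type: 'cloned-page', domain: host }];
  }
  const ref = referrerHost(referrer);
  if (ref && !isAllowedHost(ref, allowed)) {
    // Genuine page (page B), but the visitor was sent from a foreign page A.
    // This is only a signal: search engines and mail links also produce it,
    // so the domain still needs validation before it is treated as phishing.
    return [{ type: 'foreign-referrer', domain: ref }];
  }
  return [];
}

// Browser wiring: runs only where a DOM exists.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const findings = evaluateProbe({
    hostname: window.location.hostname,
    referrer: document.referrer,
  });
  if (findings.length > 0) {
    navigator.sendBeacon(REPORT_URL, JSON.stringify(findings));
  }
}
```
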
All detected phishing domains are monitored by Cyber Fraud Fusion Center (CFFC). CFFC can take further steps to take the fraudulent domain down and mitigate the attack's impact on the bank and its clients.
If a phishing site is detected, we follow a standard procedure: we investigate the detection and evaluate its validity and severity using a combination of automatic checks and automatic evaluation.
In addition to the methods described above, the honeypot tool is used as well. The honeypot constantly searches for phishing campaigns sent by email. When we detect an ongoing phishing campaign or any malware threat spread by email, the bank is immediately notified.
Phishing in HID RMS Panel
Phishing has three subcategories:
- Domains
- Clients
- Visits
Name | Description |
---|---|
Domains | List of detected suspicious domains, including all necessary details. On the top of the page are various useful filters. Domains can be sorted by First and Last visit, Domain, and Visits count. The domains are checked by automated tools in combination with CFFC team analysts. |
Clients | List of clients who became phishing victims with necessary details. Users can be sorted by the First visit. |
Visits | - |