A new report suggests that 2020 saw an increase in phishing emails that relied on remotely-hosted images to help malicious emails slip past filtering technology. But other experts downplayed the alarm, suggesting that the technique is well-known, and squashed through multilayered defenses should be able to catch.
The blog post report from email security company Vade Secure, said that in November 2020 the team analyzed 26.2 million remote images while blocking 262 million emails containing malicious, remotely hosted images. The company said it was inspired to measure the volume of such attacks after observing what appears to be an uptick in this technique over the past year.
Blog post author Sébastien Goutal, chief scientist at Vade Secure, didn’t have past numbers with which to make a statistical comparison, but told SC Media that he’s seen a “big increase” in use of this tactic over 2019. He also said that now the “typologies of threats are broader,” citing examples of phishing schemes imitating known brands such as SunTrust, PayPal, Amazon and Bank of America.
Standard phishing emails featuring largely text-based content are often unable to sneak past email security solutions’ textual content analysis. But attackers can avoid such analysis and defeat certain older, legacy email defenses by delivering the same content in an image instead of text. But as email filters have upgraded their ability to analyze images for malicious signatures, adversaries have stepped up their game by hosting these images externally, instead of embedding them in the email itself.
“Analyzing a remote image requires fetching it over a network,” states the blog post. “Capitalizing on this weakness, cybercriminals use additional techniques to make the process more cumbersome for security scanners.”
For instance, attacker can require security scanners to go through multiple website redirections until finding the host website – and in some cases that host site is a compromised domain with a strong reputation, lending it an air of false legitimacy to users.
Additionally, “cloaking techniques may also be used to ensure that it is the intended victim that is fetching the image and not a security vendor,” the blog pot continues. “For example, a phishing campaign targeting customers of a Canadian bank may only deliver the malicious content to web connections originating from Canada.”
Still, other companies said that phishes leveraging remotely hosted images are an old hat concept at this point – something that multilayered email security solutions should be able to stop through a combination of modern detection strategies and tools
“I can't speak to the prevalence during 2020 as opposed to previously… but the technique of using images to evade security protections has been used for years by spammers to evade spam filtering solutions,” said Jonathan Tanner, senior security researcher at Barracuda Networks. “It certainly achieves its goal of evading a lot of security products, since extracting and analyzing text from images is more difficult and compute-intensive than text, plus the same text-based approaches would then need to be applied once the text is extracted. However, the images themselves can be blocked on a per-image basis depending on the solution. The image could be altered slightly to evade traditional hash-based blocking, but techniques such as fuzzy hashing exist to detect this.”
Tanner noted that a drawback for attackers who use text-based images in phishing emails – whether they’re embedded or remotely hosted – is that recipients of these messages aren’t necessarily expecting to receive images in their business emails.
“Using the technique of an image containing the textual content could potentially alert a victim of phishing that something is off about the email," he said. While the majority of users who would fall victim to phishing in the first place might still fall for the image-based technique, it's possible that for some it would look more suspicious than simply using text.”
For that reason, such tactics may work better for advertisement-based spam schemes that specifically target consumers, noted Kevin O’Brien, co-founder and CEO of GreatHorn. “What we have seen is that there are a variety of different techniques that attackers will use including using an image, but that is less prevalent in business email compromise and more prevalent in consumer focused-phishing.”
Additionally, “most business email clients block remotely hosted images by default unless it's from somebody with whom you have an existing relationship or is in your address book,” for the simple fact that it is odd and anomalous, O’Brien continued.
O’Brien said his company hasn’t noticed any particularly increase in remote-based images as a phishing tactic. But even if there were a surge in this tactic, “this is the shell game. Bad guys can change their language, change their URLs, change their images,” said O’Brien. “You could have an infinite number of different highly-tuned detection techniques, and the bad guys can always do the next one” to circumvent it.
O’Brien said he believes that modern security hygiene – including better user awareness, a stronger focus on monitoring prevalent attack vectors and blocking messages from lookalike domains – should quash the bulk of these threats.
“Very few people are focused on the risk-vector approach, so they just keep creating new detectors," he added. "It doesn't really solve the problem.”