Over the last decade, malicious software has become a pervasive problem for Internet users as many networked resources include vulnerabilities that are subject to attack. In particular, persons looking to infiltrate a network or steal sensitive data have utilized a method known as phishing. Typically, a phishing attack comprises the transmission of an electronic communication, such as an email, to a broad group of recipients that purports to be from a known institution, such as a bank or credit card company, and that seems to have a legitimate intention. For example, a malware writer may transmit an email to a large group of recipients purporting to be from a social media platform and asserting that a password change is required for continued use of the platform. The email may have the look and feel of a legitimate email sent by the social media platform and include a Uniform Resource Locator (URL) that directs the recipients to a website requesting the recipient to enter credential information in order to change the recipient's password. The URL will not be associated with the social media platform, although the website it leads to likely has the look and feel of the social media platform's website. The phishing attack is completed when the recipient of the email submits credential information to the website, which is then delivered to the malware writer. As used herein, the terms “link” and “URL” are used interchangeably.
As the efficacy of broad scale phishing attacks has decreased, malware writers have turned to a more personalized method known as spearphishing (or, where the goal is harvesting login credentials, credential spearphishing). Spearphishing is a more targeted version of phishing that combines tactics such as victim segmentation, email personalization, sender impersonation, and other techniques to bypass email filters and trick targeted recipients into clicking a URL within the email, or opening an attachment attached thereto.
Spearphishers, malware writers that generate and transmit electronic communications that include spearphishing attacks, may use social engineering methods to personalize an email for a targeted recipient or small group of targeted recipients. For example, a spearphisher may extract information from social media platforms or a corporate website to craft an email that includes personalized information and attempts to impersonate an institution relevant to the recipient, or small group of recipients, such as a bank, a credit card company or an employer. The spearphishing email may request that the recipient download an attachment or click on a URL. The attachment may contain malicious content, such as a malicious embedded object within a PDF document or Microsoft® Excel® file. The embedded object may comprise, for example, an exploit kit or other malicious payload that either installs malicious software or initiates malicious, anomalous or unwanted behavior (e.g., initiating a callback to a compromised server). The URL within a spearphishing email may direct the recipient of the email to a web page that imitates a legitimate institution and claims to need the recipient to provide credential information (e.g., login credentials) in order to change a password, verify their identity, read an important notice, etc. Submission of credential information through such a web page merely provides the credential information to the spearphisher, enabling the spearphisher to access sensitive information. An email that includes a URL directed to a web page that requests credential information may be referred to as a credential spearphishing attack.
These spearphishing attacks may be multi-vector, multi-stage attacks that current malware detection technology is unable to detect. For instance, the spearphishing attack may utilize email spoofing techniques to fool email filters. Additionally, spearphishing attacks may utilize zero-day (i.e., previously unknown) vulnerabilities in browsers or applications, or use multi-vector, multi-stage attacks or dynamic URLs to bypass current malware detection systems. Additionally, as spearphishing attacks are personalized, they often lack characteristics typical of spam and therefore usually go undetected by traditional spam filters.
Based on the problems presented by spearphishing attacks, and in particular the credential spearphishing attacks set forth above, current malware detection systems, including field-based sandbox detection systems, contain numerous shortcomings and therefore fail to proactively detect spearphishing attacks. Credential spearphishing attacks may not include exploitation techniques but may instead rely on human interaction to input sensitive data into an input form (e.g., a text box) and unknowingly submit that data to an unsecure server. The data may be passed to the unsecure server via an outbound POST request generated by the website on which a user is browsing. Therefore, credential spearphishing attacks present numerous detection challenges to current malware detection systems.
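The detection difficulty described above (no exploit, just a form that POSTs credentials to a server the imitated institution does not own) can be illustrated with a small heuristic. The following is an added example, not code from the original document: it parses a landing page, finds forms that collect credentials, and flags those whose submission target is outside the domains of the brand the page imitates. The brand list, the registrable-domain shortcut and the sample page are all constructed assumptions for illustration.

```python
"""
Added example (not part of the original text): flag the credential-spearphishing
pattern of a page that imitates a known institution but submits a login form to
an unrelated host. All brand data and page content below are constructed.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urljoin, urlsplit

# Constructed assumption: brands a defender expects to be imitated, mapped to
# the registrable domains they legitimately own.
KNOWN_BRANDS = {
    "examplebank": {"examplebank.com"},
    "socialapp": {"socialapp.com", "socialapp.net"},
}

CREDENTIAL_INPUT_TYPES = {"password"}
CREDENTIAL_INPUT_NAMES = {"password", "passwd", "pass", "pwd",
                          "username", "login", "email", "user"}


@dataclass
class Form:
    action: Optional[str]
    method: str
    collects_credentials: bool


class FormParser(HTMLParser):
    """Collect each <form>: its action, method, and whether it asks for credentials."""

    def __init__(self):
        super().__init__()
        self.forms: List[Form] = []
        self._current: Optional[Form] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = Form(action=a.get("action"),
                                 method=(a.get("method") or "get").lower(),
                                 collects_credentials=False)
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            itype = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            if itype in CREDENTIAL_INPUT_TYPES or name in CREDENTIAL_INPUT_NAMES:
                self._current.collects_credentials = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption for illustration; a real
    deployment would consult a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def impersonated_brand(text: str) -> Optional[str]:
    """Return the first known brand name mentioned in the URL or page text, if any."""
    low = text.lower()
    for brand in KNOWN_BRANDS:
        if brand in low:
            return brand
    return None


def analyze_landing_page(page_url: str, html: str) -> List[dict]:
    """Findings for credential forms whose submission target is not a domain
    owned by the brand the page imitates. Pages naming no known brand yield
    nothing: the heuristic cannot judge what it has no reference for."""
    parser = FormParser()
    parser.feed(html)
    brand = impersonated_brand(page_url + " " + html)
    if brand is None:
        return []
    legit = KNOWN_BRANDS[brand]
    page_domain = registrable_domain(urlsplit(page_url).hostname or "")
    findings = []
    for form in parser.forms:
        if not form.collects_credentials:
            continue
        target = urljoin(page_url, form.action or "")
        target_domain = registrable_domain(urlsplit(target).hostname or "")
        if target_domain not in legit:
            findings.append({
                "brand": brand,
                "method": form.method,          # the outbound POST the text describes
                "submits_to": target_domain,
                "page_domain": page_domain,
                "reason": "credential form submits to a domain not owned by the imitated brand",
            })
    return findings


# Constructed sample: a lookalike reset page for the fictional "ExampleBank".
SAMPLE_PAGE_URL = "http://examplebank-secure-login.example/reset"
SAMPLE_HTML = """
<html><body>
<h1>ExampleBank password reset</h1>
<form action="/collect" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Continue">
</form>
<form action="https://search.example/q" method="get"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_landing_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
```

The check fires only because the page names a brand the defender already tracks and the form's target falls outside that brand's domains; a page that copies an institution's look without mentioning its name, or a brand absent from the list, produces no finding. That gap is exactly the shortcoming the text attributes to current systems: with no exploit to observe, the only signal is a user-initiated POST that looks like any other form submission.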