Phishing attacks are a major cyber threat that continue to evolve and become more sophisticated, causing billions of dollars in losses each year according to the recent Internet Crime Report. However, traditional offline or inline phishing detection engines are limited in how they can detect evasive phishing pages. Due to the performance requirements of inline solutions, they can only target specific campaigns and, at best, act as a basic static analyzer. On the other hand, offline detection solutions heavily rely on crawlers to collect content and update a blocklist to enforce blocking phishing pages. They, too, are limited; offline tools cannot detect evasive phishing pages that present benign content to a crawler or short-lived campaigns that abandon the URL before it gets updated in the blocklist.
At Netskope, we have developed a deep learning-based Inline Phishing Detection Engine (DL-IPD) that can address all of these limitations. It allows us to inspect web content and block phishing web pages in real time, complementing our offline analyzers and blocklists. The model continuously learns the dynamic behavior patterns of phishing pages and can identify patient-zero and evasive phishing attacks. Similar to generative pre-training of large language models, such as BERT and ChatGPT/GPT-4, we use a large number of web pages to train the HTML encoder and then use it to build a phishing classifier. We have been awarded three U.S. patents for our innovative approach to phishing detection.
The Inline Phishing Detection Engine (DL-IPD) is available to all Intelligent SSE and Netskope Next Gen-SWG customers.. In this blog post, we will share some of the patient-zero and evasive phishing examples that our engine has detected.
Patient-zero threat
To detect phishing pages, traditional offline solutions typically crawl URLs flagged in traffic or collected from the security community. Once a page is identified as phishing, it is added to a blocklist database used for URL filtering to prevent future access. However, this approach can result in delays due to the time it takes to collect features and update the database, which can allow the first victim and phishing attempts to go undetected, potentially compromising the entire organization. Inline analysis offers an advantage by inspecting the actual content that users see, thereby preventing patient-zero attacks. In the following section, we present examples of patient-zero campaigns that have been detected.
Credential and credit card theft
Credential theft phishing pages are designed to look like legitimate websites, such as online services or e-commerce websites, and trick users into entering their login credentials and credit card information. The following is an example of a patient-zero credential theft phishing page that was detected by DL-IPD on April 11, 2023. The campaign mimics the login page of CTT Correios de Portugal, the national postal service of Portugal, and requests victims to enter their personal and credit card information.
Health scam
Since the deployment of Netskope Advanced Inline Phishing Detection, we were able to track various forms of health scams, including fake cures for serious illnesses, unproven health supplements and treatments, and bogus medical equipment and devices. The following is an example of a health scam that was detected by Netskope on April 10, before any other vendor (based on VirusTotal records). This scam involves tricking the victim into purchasing a health product package.