Phishers are combining remotely hosted images with cloaking tactics and redirections in order to bypass e-mail filters and security settings.
With phishing attacks on the rise globally, phishers are exploring innovative tactics to trick the defences. Loading remotely hosted images, rather than embedding them directly into e-mails, is one of the most recent tricks threat actors use to bypass email filters.
Because phishing emails impersonate popular brands, they contain widely recognized brand logos or other images. This gives the illusion that they were sent by legitimate organizations.
Attackers have been using pictures for ages as a way to circumvent textual content analysis of an email. However, with security technologies becoming more capable of extracting and analyzing content from images, phishers try various tricks.
The aim is primarily to make the whole process more difficult and time-consuming for security scanners. Unlike embedded images, which email filters can analyze in real time, remote images are hosted on the web.
As a result, they must be fetched before they can be analyzed. To delay that fetching, phishers employ cloaking techniques and multiple redirections, and host the images on high-reputation domains.
For instance, a phishing campaign targeting customers of a FinTech organization may deliver the malicious content only to web connections originating from that organization's country. Furthermore, hosting remote images on high-reputation websites renders domain reputation-based detection ineffective.
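As an added illustration (not code from the article), the Python sketch below shows how a mail filter could split an HTML e-mail's image references into embedded ones (`cid:`, `data:`), which can be analyzed immediately, and remote ones, which must be fetched first. The sample message and its `example` hosts are constructed placeholders, and `classify_images` and `first_hop_hosts` are hypothetical names.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not from the article); hosts are placeholders.
SAMPLE = """\
From: billing@brand.example
Subject: Account notice
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<img src="cid:logo@brand.example">
<img src="data:image/png;base64,iVBORw0KGgo=">
<img src="https://cdn.example.net/r?u=https%3A%2F%2Fimg.example.org%2Flogo.png">
<table background="//static.example.com/bg.gif"><tr><td>Verify now</td></tr></table>
</body></html>
"""

class ImageRefs(HTMLParser):
    """Collect attributes that can pull an image into the rendered mail."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and ((tag == "img" and name == "src") or name == "background"):
                self.refs.append(value.strip())

def classify_images(raw_message):
    """Return {'embedded': [...], 'remote': [...]} across all HTML parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    out = {"embedded": [], "remote": []}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = ImageRefs()
        parser.feed(part.get_content())
        for ref in parser.refs:
            scheme = urlsplit(ref).scheme.lower()
            if scheme in ("cid", "data"):
                out["embedded"].append(ref)   # bytes travel with the mail
            elif scheme in ("http", "https") or ref.startswith("//"):
                out["remote"].append(ref)     # must be fetched to be analyzed
    return out

def first_hop_hosts(refs):
    """Hosts a reputation check sees; redirects may lead somewhere else."""
    return sorted({urlsplit(r).hostname for r in refs if urlsplit(r).hostname})
```

The first-hop host is all that a domain-reputation lookup sees at delivery time, which is why a redirector on a well-regarded domain tells the filter little about where the image finally comes from.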
At present, this new approach of delivering images within phishing emails is a popular threat, and a successful one. However, as email security vendors find new ways to counter such tricks, the cybercriminals will need to change tack again. As we advance, this trend will continue.