If you Google “fake login pages” you’re immediately met with a myriad of how-to guides such as “Fake any website in seconds.” Privacy and ethical concerns aside, this is demonstrative of the ubiquity and proliferation of phishing websites, also known as spoofed websites, and their commonality as a vector for cyberattacks.

These pages almost mirror legitimate websites down to the T, with logos, formatting and overall templates all ranging from difficult to impossible to distinguish from the real thing. That also translates into them being highly effective in their end goal: credential theft.

The key here is how these pages get in front of someone in the first place. Most commonly, the operation entails targeting unsuspecting recipients with phishing emails spoofing a trusted brand and persuading them to insert their legitimate credentials, such as a username and password.  

Then, once the target enters his or her credentials, attackers have the information they need to log in to a real account and commence with illegal activity, such as credit card fraud, data extraction, wire transfers, identity theft and more.

To better understand the scope of this phenomenon, it’s important for security professionals and organizations to know just how widespread the problem is.

Fake Login Pages Prey on Gaps in Email Security

While fake login pages aren’t new, they are increasingly successful for two main reasons. First, messages containing fake logins can now regularly bypass technical controls, such as secure email gateways (SEGs) and SPAM filters, without much time, money or resources invested by the adversary. This occurs because both the message and the sender are able to pass various authentication protocols and gateway controls that look for malicious payloads or known signatures that are frequently absent from these types of messages.

The second reason can be explained by the psychological phenomenon known as inattentional blindness, which occurs when an individual fails to perceive an unexpected change in plain sight. Inattentional blindness became an internet sensation in 2012 when a video posted asking viewers how many white shirted players passed a ball. Intently focused on the task at hand, more than 50% of the viewers failed to recognize a woman in a gorilla suit in the middle of the picture. Even people with phishing awareness training are susceptible to inattentional blindness.

All of this is topped off by the proliferation and success of phishing in recent years. According to the 2020 Verizon Data Breach Investigations Report, about 65% of all breaches now result from hacking and/or email phishing attacks.

Fake Login Pages Spoof the World’s Biggest Brands

To further underscore the severity of today’s hacking and phishing challenges, researchers at IRONSCALES spent the first six months of 2020 identifying and analyzing fake login pages. Here’s a summary of what was found:

• More than 50,000 fake login pages were identified
• More than 200 of the world’s most prominent brands were spoofed with fake login pages
• Nearly 5% (2,500) of the 50,000 fake login pages were polymorphic, with one brand garnering more than 300 permutations
• The most common recipients of fake login page emails work in the financial services, healthcare and technology industries as well as at government agencies
• The top 5 brands with the most fake login pages closely mirrors the list of brands that frequently have the most active phishing websites

The top five brands include PayPal, Microsoft, Facebook, eBay and Amazon. And although PayPal sits atop the list, the greatest risk may derive from the 9,500 Microsoft spoofs, as malicious Office 365, SharePoint and One Drive login pages put not just people but entire businesses a risk.

Additionally, Adobe, Aetna, Alibaba, American Airlines, Apple, AT&T, Bank of America, British Telecom, Delta Air Lines, DocuSign, Coinbase, GoDaddy, Instagram, JP Morgan Chase, LinkedIn, Netflix, Stripe, Squarespace, Tesco, Visa and Wells Fargo were also ranked among the top brands with spoofed login pages in 2020.

Attackers Using Polymorphism in Fake Login Pages

Another common wrinkle in fake login pages is the sophistication in how they are created and deployed.

In 2019, 42% of all phishing attacks were reported as polymorphic. Polymorphism occurs when an attacker implements slight but significant and often random change to an emails’ artifacts, such as its content, copy, subject line, sender name or template in conjunction with or after an initial attack has deployed. This strategic approach enables attackers to quickly develop phishing attacks that trick signature-based email security tools that were not built to recognize such modifications to threats; ultimately allowing different versions of the same attack to land undetected in employee inboxes.

In total, IRONSCALES discovered that nearly 5% of what 50,000 fake login pages identified were polymorphic, with Microsoft and Facebook leading the list with 314 and 160 permutations respectively.

Why do certain brands see more permutations than others? For one, the security teams associated with these brands are actively looking to take down fake login pages, so attackers are forced to more frequently evolve the attack ever so slightly so to defeat human and technical controls. Additionally, these brands are a priority and or easy target for a certain hacking group(s), so there is more activity and therefore a need to constantly evolve in order to stay one step ahead of security teams.

How  Can You Stop Fake Login URLs from Reaching Your Employees’ Inboxes?

Traditional SEGs focus on what is in the email, whether a malicious link or attachment, and they generally do a decent job at preventing those types of emails from getting through to intended victims. Because these defenses are generally stalwart, hackers have had to adapt and change their tactics – after all, these folks aren’t the stereotypical “14-year-old kid sitting in the basement,” but rather organized groups that launch sophisticated, targeted attacks, and make a considerable profit while doing so.

To bypass SEGs, hackers have turned to social engineering attacks, which often contain no malicious content that these security systems are built to detect. Instead, these emails are designed to look like they come from someone or something (like a brand) that you know.

Other common variations of these attacks impersonate someone else the recipient knows – a colleague, boss, friend or family member. There are four common variations of these requests: employee availability checks, requests for an unspecific task, requests to purchase a gift card and financial requests, such as to change direct deposit location, bank details or request for payment.

This all comes at a time of a rise in COVID-related phishing attacks. To protect employees, a new technology is emerging to prevent these attacks – Natural Language Processing (NLP) which can diagnose an email just like a drive-through COVID-19 test. It works like this: an email is sent and gets through the first stage of security because it has no link and no malicious content. But NLP will analyze the actual language of the email to look for suspicious patterns like the aforementioned availability checks or financial requests. Companies that rely on traditional indications of compromise (IOC), such as malicious links or attachments, will not identify these attacks in real-time.

Computer vision and AI also play a role in detecting visual anomalies based on learned and trusted profiles (legitimate login pages/websites). While there are some indicators of compromise with fake login pages, such as blurred images, retro branding and a suspicious sense of urgency, many are unidentifiable using legacy anti-phishing technology or the naked eye. Further, NLP uses advanced machine learning and neural networks to identify the ‘what’ is being sent by analyzing fraudulent language.

Fake login pages spread by social engineering tactics have truly become a major risk for brands, as evident by both the frequency at which attackers are relying on them and the success that they are having coopting credentials. While new technology is beginning to help defenders mitigate threats, there is a long way to go before the most commonly deployed email security and anti-phishing tools make fake login page identification ubiquitous. In the meantime, the burden to minimize the risk that fake login pages present falls on brands’ ability to monitor spoofing attempts and organizations capacity to train users to identify suspicious messages that are absent of traditional markers.