Stopping the #1 Source of Exploitation:  Spear Phishing in Depth

Again, it’s nearly closing time at another INFOSEC show and as usual, I’m still trying to find the most innovative INFOSEC vendor who solves a big problem.  That’s when I stumbled upon Inky®.  At first, I was wondering why the company wasn’t called FireSHIELD or SteelBlue or some other also-ran InfoSec name.  So my first question – why the name Inky®?

Figure 1: Dave Baggett, CEO/Founder Inky®

Dave Baggett has a very cool answer…he said to me, ‘think about Octopus going fishing…they hit them with their ink to confuse the senses and then they easily capture the fish.  So as you can see from the cartoon, the Octopus uses it’s big brain to outsmart the fish – and that’s what Inky is doing to phishing attacks…outsmarting them.

Inky makes Phish Fence to capture the worst of the worst and nearly all phishing attacks.  Phish Fence acts like a phishing expert sitting next to each user, analyzing that person’s mail.  Users simply click the black Inky icon and a side panel displays the analysis.  This significantly reduces the chance that an employee will fall for a phishing scam.  By the way, Dave is not a first timer at this, he grew his last company to a $700M valued acquisition – sold to Google.  This last company that he founded leveraged Dave’s expertise in machine learning and huge data set analysis in real-time.  Taking that big data set analysis knowledge, artificial intelligence and machine learning into Inky, is a perfect transition.  Dave’s team is looking to go faster than the latest phishing exploit and he knows that machine learning is the way to go.  He’s bright, passionate and doesn’t need to be working at this – he could be on a beach somewhere in early retirement.  However, he is a serious entrepreneur who wants to create something of lasting value – to solve a huge problem that affects all of us.  This is his mission and he’s the real deal.  I’d say he’s a time-based security market leader – this is my favorite model because it works – be faster than the exploitation of the vulnerability and you win.  Humans just can’t do it anymore.  This is also a worthy use of AI, where machines don’t replace us, they augment us and provide real-time expertise when we need it.  Dave and his team at Inky are doing just that with their Phish Fence solution.

According to Worldbank, Cybercrime surpassed drug crime as the largest form of crime worldwide – reaching $600B in 2016.  It is expected to grow to over $6 Trillion by 2021, according to Cybersecurity Ventures.  Most of these breaches happen through email.  It all starts with a spear phishing attack whereby a trusting user, the victim, clicks a link or opens an attachment in an email that appears to come from someone they trust.  Spear phishing is becoming so sophisticated that even the best anti-phishing systems have not been able to detect the latest threats.  Enter Inky and Phish Fence – they discover the most challenging and well-structured spear phishing attacks that other vendors cannot touch.

So, Inky developed Phish Fence as a unique new solution that protects Outlook users against spear phishing and other email-based attacks.  It’s the first anti-phishing solution that works as an add-in right within Outlook. It gives your users detailed information about email-based threats, providing both protection and training.

Figure 2: Screenshot of Inky’s Phish Fence plugin running inside Outlook

Inky Phish Fence can be deployed either as an email plugin for Outlook or Gmail or through an inline gateway model with rules for mail delivery and warnings.  Thus, instead of a side pane plugin, warning users about a spear phishing attack, Inky Phish Fence can redirect emails away from users or add a warning to the body of the suspicious email so users know, from inside the email, that it’s suspicious and risky.

Inky Phish Fence analyzes the full HTML contents of each mail live when the user views the mail in Outlook. Machine learning algorithms spot misleading links, attempts to impersonate major brands, suspicious uses of typo and Unicode domain name variants, and sources of questionable content like gambling, malware/adware and trackers. Inky also flags external emails that claim to be from internal senders.

Everyone’s talking about how hot the future of Cybersecurity will be when vendors start adding ‘artificial intelligence’ and machine learning.  Inky has already done it.  They are light years ahead of competition.

For example, if you haven’t checked it out yet, there’s a standard for email you should be looking at called DomainKeys Identified Mail (DKIM), which allows senders to associate a domain name with an email message, thus vouching for its authenticity.  The mail server signs the email with a digital signature in a field that’s added to the message header.   What’s really cool is that when the signature is generated, the public key used to generate it is stored at the listed domain. After receiving the email, the recipient Mail Transfer Agent (MTA) can verify the DKIM signature by recovering the signer’s public key through the Domain Name Service (DNS). It then uses that key to decrypt the hash value in the email’s header and simultaneously recalculate the hash value for the mail message it received. If both match, then the email has not been altered. This gives users some security knowing that the email did originate from the listed domain and that it has not been modified.  Signatures are set to expire to avoid the attack vector of reusing a signed email, so signatures are set to expire.

Figure 3: Screenshot of Inky’s Phish Fence Warning Message

Unfortunately, the current widely implemented standard, DomainKeys Identifed Mail (DKIM), can only verify the server, not the individual, from which an email arrived. DKIM specifies one key per server. That’s fine if the server is, say, bankofamerica.com, but what if a spoofer sent from bankofarnerica.com? The combination of “r+n” looks closely like an “m”, especially in some san serif fonts such as Arial.  Inky Phish Fence is smart enough to catch this among many other newer forms of intelligent phishing attacks.

Those ‘last generation’ anti-phishing solutions protect  against malware attachments and spam, which is important. They sometimes claim to deal with phishing, but they only recognize phishing attacks via URLs that people have previously reported. Cisco Umbrella, for example, relies on the PhishTank database of reported phishing URLs.  Unfortunately, this approach doesn’t work on the large and growing array of phishing attacks that have never been reported, have URLs uniquely targeting recipients, or lack URLs entirely (such as spear phishing wire fraud emails).

I’ve been a strong proponent of user training and awareness and have recommended PhishMe on numerous occasions. However, we find that after training, many users are easily co-opted, yet again.  What I like even more is how Inky Phish Fence is not simulation – it’s real-time security.  It gives end-users and IT staff specific feedback on real email they’ve received.  Lately, the most recent phishing attacks look no different to the human eye than legitimate messages.  So, it’s time someone solved this problem.

This next wave of phishing attacks includes forgeries that are visually indistinguishable from the brands they are attempting to impersonate. Attackers are using domain names, URLs, and logo imagery that humans cannot differentiate from the real thing. An example is the recent attack using the domain bankofarnerica.com (note the letter M has been replaced by the visually similar RN sequence). This kind of differences so subtle that even trained cyber security experts have a hard time spotting it.  The bottom line is: no amount of training can make users see something that isn’t there.

Uniquely, Inky Phish Fence anti-phishing engine performs content checks to identify these attacks. Phish Fence incorporates over two dozen content checks based on heuristics and AI, and represents the next generation phishing protection, built to address this new wave of attacks.  Inky Phish Fence uses machine learning models to look at each email – the text and imagery – as a human would, to identify brand impersonation. No other solution does this, and without this protection you remain exposed to email-based phishing attacks.  Finally, Inky Phish Fence both protects and educates users. Gateway solutions simply quarantine mail that fails their checks, leaving users confused about what happened.  Inky Phish Fence gives users feedback they can understand about exactly what seems suspicious.

We’re pleased to announce that Inky makes our Top 50 Cyber Security Innovators for 2017 because they have uniquely solved a huge problem way beyond the normal capabilities of any anti-phishing solution we’ve seen.  Like most really cool startups, Inky® chose to spend a lot of time in stealth mode building out the technology.  They setup shop at Rockville Maryland’s Innovation Hub at 155 Gibbs Street, Rockville, MD 20850.  You can reach Dave and his team Toll Free at 1-833-727-INKY (4659) or via email at sales@inky.com and at https://inky.com.

 

About the Author

Gary Miliefsky , the Publisher of Cyber Defense Magazine is a globally recognized cybersecurity expert, inventor and founder of numerous cybersecurity companies including Netwave, QuickBuy, NetClarity and SnoopWall. He is a frequent invited guest on national and international media commenting on mobile privacy, cyber security, cyber crime and cyber terrorism, also covered in both Forbes and Fortune Magazines. He has been extremely active in the infosec arena, he is an active member of Phi Beta Cyber Society (http://cybersecurityventures.com/phi-beta-cyber/), an organization dedicated to helping high school students become cyber security professionals and ethical hackers. He founded Cyber Defense Magazine in 2012 and we’ve been going strong ever since. Miliefsky is a Founding Member of the US Department of Homeland Security (http://www.DHS.gov), the National Information Security Group (http://www.NAISG.org) and the OVAL advisory board of MITRE responsible for the CVE Program (http://CVE.mitre.org). He also assisted the National Infrastructure Advisory Council (NIAC), which operates within the U.S. Department of Homeland Security, in their development of The National Strategy to Secure Cyberspace as well as the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University. Previously, Gary has been founder and/or inventor for technologies and corporations sold and licensed to Hexis Cyber, Intel/McAfee, IBM, Computer Associates and BlackBox Corporation. Gary is a member of ISC2.org and is a CISSP®. Learn more about him at https://www.cybersecuritymediagroup.com/about-our-founder/