
AI is changing what phishing pages can do

Build smarter defenses that stop one click from becoming a breach

Arthur Gaplanyan

Next Gen Phishing

Most phishing websites are still built the conventional way: the attacker sets up a fake login page and directs the victim to it via a link. The victim believes the site is legitimate, enters their credentials, and those credentials are promptly stolen.

A new approach is emerging. As described in a security study, the attacker hosts a web page that looks harmless on its face: the content contains no phishing code at all. With no malicious code present, there is nothing for a scanner to detect.
The page then requests JavaScript from an AI provider, written on the fly, and injects the malicious code that way.

This changes how the attack has to be detected. The code can be dynamic, producing a different variant of the malicious payload on every visit or for different visitors. The payload is also delivered through the LLM provider's infrastructure rather than from a malicious domain of the attacker's own.

The fake page no longer has to exist before the click. It is generated dynamically in the victim's browser, with its structure determined by what the browser reveals, such as language preferences, device type, or geographic location.

Because the fake page is unique to each user, detection tools that rely on recognizing a payload they have already seen repeatedly have a much harder time catching it.

This does not mean that every phishing email is now AI-driven, or that standard protections have stopped working. So far this is a proof of concept, but it should be planned for now as one of tomorrow's threats.

Security actions you can take in your business today:

  • Keep MFA in place on email accounts, Microsoft 365, line-of-business applications, and any remote access products you use. A stolen password is of limited value when a second factor controls its use.
  • Limit unsanctioned use of LLM services at work, as far as your situation allows. This is a practical preventive step, although it does not cover the threat completely.
  • Watch what happens inside the web browser rather than relying only on anti-phishing filters and domain blocklists. Behavioural analysis of what a page does at runtime in the browser is the best protection against this kind of attack.
  • Assume that your employees will encounter a legitimate-looking phishing page. Training matters, but it must be complemented by technical controls that limit what a click on such a page can do.
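The on-the-fly injection described above and the browser runtime monitoring recommended in the third bullet, as an added example that is not from the original post or the study it cites: JavaScript heuristics, in the shape a browser extension content script might use, that flag scripts loaded from an LLM API host and password fields that appear only after the page has loaded. The hostnames, grace period and finding names are assumptions.

```javascript
// Added example, not from the post: heuristics a browser extension content script
// could apply to flag the on-demand injection the post describes. Placeholder
// hosts (assumption): replace with the LLM API endpoints seen in your proxy logs.
const LLM_API_HOSTS = ['llm-api.example', 'api.llm-provider.example'];
const GRACE_MS = 2000; // assumed grace window for legitimate lazy-loaded scripts

// Classify one node added to the DOM. `node` may be a real DOM node or any object
// exposing tagName/src/textContent/type/querySelectorAll, so the heuristics can be
// tested without a browser. Returns a list of finding records (for a log or SIEM).
function assessAddedNode(node, pageOrigin, loadedAt, now = Date.now()) {
  const findings = [];
  const afterLoad = now - loadedAt > GRACE_MS;
  const tag = (node.tagName || '').toUpperCase();
  const pageHost = new URL(pageOrigin).hostname;
  if (tag === 'SCRIPT') {
    let host = null;
    try { host = node.src ? new URL(node.src, pageOrigin).hostname : null; } catch (e) { /* keep null */ }
    if (host && LLM_API_HOSTS.includes(host)) {
      findings.push({ kind: 'script-from-llm-api', host }); // code fetched from an AI provider at runtime
    } else if (afterLoad && !node.src && (node.textContent || '').length > 0) {
      findings.push({ kind: 'late-inline-script', bytes: node.textContent.length }); // generated, not authored
    } else if (afterLoad && host && host !== pageHost) {
      findings.push({ kind: 'late-third-party-script', host });
    }
  }
  // A fake login page built on demand has no password field in the initial HTML;
  // one appears only once the injected code has run.
  const nested = typeof node.querySelectorAll === 'function'
    ? node.querySelectorAll('input[type="password"]').length : 0;
  const own = tag === 'INPUT' && String(node.type || '').toLowerCase() === 'password' ? 1 : 0;
  if (afterLoad && nested + own > 0) findings.push({ kind: 'late-password-field', count: nested + own });
  // Limitation: code run through eval()/Function on a fetched string creates no
  // script element and is caught only by the password-field check.
  return findings;
}

// Attach the heuristics to the live document when running in a browser.
function watchDocument(report = f => console.warn('phish-heuristic', f)) {
  const loadedAt = Date.now();
  const observer = new MutationObserver(records => {
    for (const r of records) for (const n of r.addedNodes) {
      assessAddedNode(n, location.origin, loadedAt).forEach(report);
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
if (typeof document !== 'undefined') watchDocument();
```

Findings are records rather than alerts so the same logic can feed a browser-side warning, an extension's telemetry, or a SIEM; tune GRACE_MS against the lazy-loading behaviour of the sites your users actually visit.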

The broader lesson is that phishing is evolving towards on-demand attacks. The initial email lure can be quite simple; the landing page is created right then and there, using services most organizations trust. The problem is shifting away from identifying a suspicious URL and towards controlling what a user can do from within the browser window.