Working for a regional ecom platform with tens of millions of visits each month phishing is our everyday reality. Looking into it in detail challenged some of my assumptions and helped me get a better idea of what one can do about it.

I’m sharing some of my experience from the trenches about methods and tools we tried and the ways we were successful dampen phishing.

If you thought protecting your organisation from phishing was hard wait till the users show up! All the usual technical and awareness measures are out the window when you are addressing millions of people.

How can you detect them?

Phishing reporting mailbox: The simplest and most effective step is to provide some generic information to your users about phishing on your website and give them an email address they can forward the phishing emails to. For us, it turned out to be useful to also provide some detail on how to forward emails, because these days people often view emails on their phones and will just send you a screenshot.

An added benefit of having a phishing submission mailbox is that you will learn a lot about your regular communications to users. Whenever it is not on point, some will probably mistake it for phishing and report it back to you.

The downside of this method is, that most likely by the time phishing emails are forwarded to you, some users will have given their credentials away. Additionally, since these days companies have few public email addresses, you will also receive quite a lot of unrelated questions. If you decide to handle these, depending on your customer service culture, answering/routing them will take considerable effort.

When setting up the mailbox we looked at some of the more established companies dealing with similar issues. Most of them will specifically have auto-reply stating, that one will not receive specific feedback on submissions. In the beginning, we did answer them in detail, in hopes to raise awareness and boost submissions. Eventually, we stopped doing that without any noticeable side effects. What helped was rather, that some of the users who had gotten phished at one point did become avid forwarders of phishing emails later on.

Awareness: The basic thing is, in case there is an active campaign against you, you could add an extra notification on your site, something that they see either straight after login or directly on your landing page. This is a great option because users fatigued by phishing spam will not trust or read your emails anymore.

Eventually, we also sent some examples of actual phishing emails in a newsletter. Initially, I was very sceptical because we were literally sending phishing to our users, which I assumed would only add confusion, but it turned out great. We had a big uptick in submissions and password changes. Granted it is one data point but I’ll probably keep this in mind for the future.

Honey accounts: You can create some fake user accounts on your site and start dropping them in phishing pages to add them to the target list of attackers. After that, you can open a beer, kick back and see if anything comes up. Usually, these lists are shared/bought/sold and targeted by different phishing campaigns. Similarly, it can provide really valuable information about the behaviour and goals of the attackers if you have a baseline of a compromised account without any actual user interaction.

Referrer header: Attackers often set up phishing pages to load resources from your actual page. There, you will be able to find them by checking the referrer header for these resource loads because it will point to the phishing domain. Requires some work, but it is awesome because at the latest you will know about a new phishing site when one of your users is visiting it the first time. That said if the phishing attackers have proper opsec this will not work. You are giving them extra work though and if they are setting the phishing page up on a hacked site they might not be able to/want to change these settings.

Looking for domains: You can look for recent DNS entries, domain registrations, or certificate transparency logs for recently acquired certificates. Most times if attackers set up a domain, which in our case is a fraction of all cases, they will try to set up something similar to yours. So look in a few character distance around your sender domains and brand names.

There are a few more non-obvious tricks. I’m glad to share it if you reach out. I do not want to give away things that we have been effectively using to not harm our own operations.

How Can I Make It More Painful For Them?

Outright hacking the phishing sites is probably not legal or even advised but you could make it a bit more painful for them in ways that is legal in most jurisdictions. Obviously, this is not legal advice you should check it for yourself to make sure you don’t get into trouble.

Looking for the phish kit: Sometimes it is worth looking around on the phishing site because there might be either the phishing kit available, that allows you access to the source code, or directory listing not disabled that will give you some pointers.

Usually you will find the kit by taking the landing URL path and making it to zip: http://fake.domain/fake/login.php → http://fake.domain/fake.zip you can find collections of kits out there if you want to learn more about them: https://github.com/cybercdh/phishfinder. If you get lucky you may find something to identify and prosecute the criminals conducting the phishing campaign. You can find out more for example with StalkPhish.

Sending fake credentials: You can blast them with fake credentials for non existing users, hopefully poisoning their user lists and making it easier to notice their logins. More advanced option is to even have your login page give 200 for these users so you trick them when they do the validation. Most of the phishing kits we looked at will monitor source IP and user agent so keep this in mind when you are trying to give them trash.

What about technical measures

DMARC: it was supposed to solve phishing but it doesn’t really and it has its own problems. What you may gain is that attackers cannot send emails where the from email shows up as yours. That said people usually only check the alias of the from email -or more just the subject- and not the email sender itself. Even if they did attackers can still set up on adjacent domains.

Setting up DMARC is also not without its complications. Tldr: there are 2 parts to DMARC, which itself is just the reporting and enforcement mechanism. DKIM says nobody tempered with the email, SPF says the email was sent by one of the whitelisted senders.

So you need to make sure all sending mechanisms you use can set these and be listed in SPF. Even when that is a given you will have some trouble for example when your users are forwarding emails (e.g. Gmail set up to forward all emails to Outlook will have a broken SPF since the sender is Google).

This is not to say DMARC is useless, but it will not be straightforward and will not solve phishing. However, DMARC reports are even useful to tell you about delivery problems for example and you can set up DMARC in report only mode as well.We are using it, it just have not had any noticeable impact on phishing.

MFA/Step-up authentication: making the credentials not be the only thing that users need to use to log in (or in case of step-up authentication used to do sensitive operations) is a great way to ratchet up the cost of attackers. The downside is that it will mean costs for you too: some friction for users, costs of SMS messages if you use them, and more complicated account resets upping customer service requirements. Add to that, that people that are willing to give away their credentials on random sites will probably have little overlap with the group that opts in for MFA and even if it is mandatory (which in most cases is a big step) might still give away their MFA codes as well.

If you think I missed something or you want to collaborate on making the life of phishers harder, don’t hesitate to reach out!