Phishers now using redirectors to foil investigators

Anti-fraud investigators are constantly forcing phishing websites offline, but now the scammers are using a new tactic to send unsuspecting victims to other fraudulent websites.

Cyota, a security company that specializes in preventing phishing attacks, is warning that phishers are now resorting to "smart redirectors" that detect and reroute victim traffic to other fake sites that have not yet been taken down by investigators or ISPs. According to Amir Orad, Vice President of Marketing at Cyota, investigators cannot be complacent and assume a single website takedown has actually stopped a phishing attack - simply because there could be dozens or even hundreds of fake websites still remaining.

Phishing attacks commonly start as a fake email that asks for account information and convincingly looks like an official email from a real bank, brokerage company or other financial institution. Victims are then directed to a fraudulent website to type in their information. Cyota operates its own "Anti Fraud Command Center" (AFCC) that actively tracks and takes down phishing websites. By scanning billions of emails, the center can find attack patterns and identify problem computers that are either hosting the sites or sending out phishing emails.

Orad told TG Daily that while the center has helped shut down more than 10,000 phishing websites in the last three years, scammers appear to be getting smarter. "The bad guys evolve all the time," says Orad, referring to the new "smart redirection" tactic. Instead of just setting up one fake website, scammers will now set up dozens, perhaps hundreds of fake sites and put a redirector into the email.

If some of the sites get taken down, there is little impact as the redirector sends the victim to the ones that are still up. "Now investigators can't have the false assumption that when they take down one site that the attack is done," says Orad.

This new threat can be stopped with layered security and online security software using "risk-based authentication". This software, which Cyota sells to major financial institutions to secure their websites, uses authentication that takes into account a computer's device fingerprint or unique identifier, the location of the computer and a profile of what the user usually does. It raises a red flag if there is any deviation: if a certain threshold of risk has been reached, the software will start asking further questions to better identify the user.

Simply logging onto a brokerage website from another computer isn't enough to trigger extra questions, but logging in from a different computer that is located in Russia and transferring money to an account that has never been used before would cause the website to inquire just a bit more.
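The threshold logic described above can be sketched as follows. This is an added example, not Cyota's code: the signal names, weights, threshold and field names are all assumptions chosen so that a new device alone stays below the threshold while the combined deviations cross it.

```python
from dataclasses import dataclass, field
from typing import Optional

# Illustrative weights and threshold (assumed values, not from any product).
WEIGHTS = {"new_device": 30, "unusual_country": 35, "new_payee": 25}
STEP_UP_THRESHOLD = 60

@dataclass
class Profile:
    """What the user usually does: devices, locations and payees seen before."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    known_payees: set = field(default_factory=set)

@dataclass
class Event:
    device_id: str               # device fingerprint or unique identifier
    country: str                 # location derived from the connection
    action: str                  # "login" or "transfer"
    payee: Optional[str] = None  # destination account for transfers

def risk_signals(profile: Profile, event: Event) -> list:
    """Return the deviations from the user's profile seen in this event."""
    signals = []
    if event.device_id not in profile.known_devices:
        signals.append("new_device")
    if event.country not in profile.usual_countries:
        signals.append("unusual_country")
    if event.action == "transfer" and event.payee not in profile.known_payees:
        signals.append("new_payee")
    return signals

def decide(profile: Profile, event: Event) -> tuple:
    """Sum the weights of all deviations; ask further questions at the threshold."""
    signals = risk_signals(profile, event)
    score = sum(WEIGHTS[s] for s in signals)
    decision = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return decision, score, signals

# Constructed sample profile and events.
PROFILE = Profile({"dev-home"}, {"US"}, {"acct-111"})
OTHER_COMPUTER = Event("dev-library", "US", "login")
RISKY_TRANSFER = Event("dev-unknown", "RU", "transfer", payee="acct-999")

if __name__ == "__main__":
    for ev in (OTHER_COMPUTER, RISKY_TRANSFER):
        print(ev.action, ev.country, decide(PROFILE, ev))
```
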

Phishing attacks steal billions of dollars per year, but the loss of trust is an even bigger problem than direct monetary losses. "Phishing has a huge financial impact. But the biggest challenge is that people will lose trust in their institution, which also has a financial impact down the line," says Orad.