Malware has employed anti-researcher and detection-evading tactics almost since the beginning of malicious code. And while phishing and spam have used detection-evading techniques for ages, anti-researcher tactics seem to be a new tool in their arsenal. Both phishing and spam have tended toward the shotgun approach, favoring quantity over quality when it came to finding victims.
According to an article in SC Magazine, this is beginning to change. The change employs a simple tactic commonly used in emails that companies send to existing customers: the message includes a link that can only be accessed by the intended recipient. Anyone else following the link is given an error message. By using this technique, phishers make it difficult for anyone who isn’t the targeted user to view the phishing email, and that can make adding the phish to anti-phishing detection more difficult.
But if the history of anti-malware has taught us anything, “more difficult” does not by any stretch of the imagination mean “impossible.” Sometimes the evasion itself gives detection methods a solid hint that something is up to no good. In the case of polymorphic viruses, AV software can often use the code that generates the virus’s changes to identify it; legitimate software seldom does such squirrelly things as changing its own code. Because companies commonly send dynamic mass emails, it might be difficult to exclude this behavior generically. But phishing emails that lead to a unique site and push the sort of code that would be useful for a zero-day exploit would be very clearly problematic.
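To make the “the evasion is itself a signal” idea concrete, here is an added example (not code from the article or from any vendor it mentions) of a mail-corpus heuristic: it groups observed links by sender domain and URL shape, notices when every recipient in a group received a distinct tokenized link, and flags the group when the link host is unrelated to the claimed sender domain. The sample messages, the token pattern and the “host must belong to the sender domain” rule are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of (recipient, claimed sender domain, link URL) triples,
# as a mail gateway might extract them. Not data from the article.
SAMPLE_MESSAGES = [
    # Legitimate bulk mailer: per-recipient tracking links, but on the sender's own domain.
    ("alice@example.org", "shop.example", "https://links.shop.example/track/a1b2c3d4e5f6"),
    ("bob@example.org", "shop.example", "https://links.shop.example/track/f6e5d4c3b2a1"),
    # Suspicious campaign: per-recipient links on a host unrelated to the claimed sender.
    ("alice@example.org", "bank.example", "https://secure-login.example.net/v/3fa9c0d1e2b7"),
    ("bob@example.org", "bank.example", "https://secure-login.example.net/v/9b1d7e4a2c05"),
    ("carol@example.org", "bank.example", "https://secure-login.example.net/v/0c4e8a2f6d13"),
    # Static newsletter link, identical for everyone: not per-recipient at all.
    ("alice@example.org", "news.example", "https://news.example/weekly"),
    ("bob@example.org", "news.example", "https://news.example/weekly"),
]

# Assumed token shape: a path segment of 8+ URL-safe characters containing a digit.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{8,}$")


def url_template(url):
    """Return (host, path template) with token-like path segments replaced by {token}."""
    parsed = urlparse(url)
    parts = []
    for seg in parsed.path.split("/"):
        if not seg:
            continue
        looks_like_token = bool(TOKEN_RE.match(seg)) and any(c.isdigit() for c in seg)
        parts.append("{token}" if looks_like_token else seg)
    return parsed.hostname, "/" + "/".join(parts)


def host_matches_sender(host, sender_domain):
    """Assumed rule: the link host is the sender domain or a subdomain of it."""
    return host == sender_domain or host.endswith("." + sender_domain)


def find_per_recipient_campaigns(messages):
    """Group links by (sender, host, template); report groups where each recipient got a unique link."""
    groups = defaultdict(lambda: {"recipients": set(), "urls": set()})
    for recipient, sender_domain, url in messages:
        host, template = url_template(url)
        key = (sender_domain, host, template)
        groups[key]["recipients"].add(recipient)
        groups[key]["urls"].add(url)

    findings = []
    for (sender_domain, host, template), g in groups.items():
        per_recipient = (
            "{token}" in template
            and len(g["recipients"]) > 1
            and len(g["urls"]) == len(g["recipients"])
        )
        if not per_recipient:
            continue
        findings.append({
            "sender_domain": sender_domain,
            "host": host,
            "template": template,
            "recipients": len(g["recipients"]),
            # Per-recipient links alone are normal; the mismatch with the sender is the hint.
            "suspicious": not host_matches_sender(host, sender_domain),
        })
    return findings


def suspicious_hosts(messages):
    """Hosts that served per-recipient links on behalf of an unrelated sender domain."""
    return sorted(f["host"] for f in find_per_recipient_campaigns(messages) if f["suspicious"])


if __name__ == "__main__":
    for finding in find_per_recipient_campaigns(SAMPLE_MESSAGES):
        print(finding)
    print("flagged hosts:", suspicious_hosts(SAMPLE_MESSAGES))
```

The legitimate shop mailer is reported as per-recipient but not suspicious, while the bank lookalike is flagged. In real traffic the host-versus-sender rule needs an allowlist for third-party mailing providers, since many companies legitimately send tracking links from a vendor’s domain; the value of the heuristic is in combining the per-recipient pattern with other signals (unfamiliar domain, recently registered host, script-heavy landing page) rather than acting on it alone.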
Have you seen any of this new phishing behavior? Or are all of the questionable emails you receive caught in spam filters or by security software?