Skip to main content

New eBook: Security Service Edge (SSE) for dummies. Click here to download the eBook now.

Our own Rob Mukherjee discusses how, as a result of in-attentional blindness, internet users are falling prey to phishing websites that use visual similarity to lure victims.

Phishing websites, also known as spoofed websites, are a common deception tactic that cyber attackers use to obtain a person’s login credentials to a legitimate website. The operation, commonly known as credential theft is simple: send unsuspecting recipients an email spoofing a trusted brand and persuade them to click through to a login page where they will be asked to enter their username and password. Once completed, attackers have the information they need to login to a real account and start illegal activity, such as credit card fraud, data extraction and bank transfers.

While such fraudulent websites aren’t new, we’re seeing an exponential rise in their prevalence and sophistication.

As gateway-level email security tools have become smarter at detecting emails with traditional malicious content – such as automated malware downloads and malicious attachments, attackers have turned to phishing websites, most commonly as a means to impersonate the world’s most popular brands. These are especially problematic because the aforementioned security tools typically lack the “visual anomaly detection” capability to distinguish a fake login page from a legitimate login page in real-time.

Analysts from IRONSCALES recently reviewed 25,000 emails with verified malicious links and attachments. Since IRONSCALES sits in the mailbox and not at the gateway, the 25,000 emails studied had either bypassed a secure email gateway or cloud email security tool, such as Office 365 Advanced Threat Protection (ATP).

They found that 23% (5,750) of the 25,000 malicious emails included links to active phishing websites. By far, the top two most spoofed websites discovered were Microsoft (37%) and PayPal (25%).


Remember that internet sensation where a video asked viewers how many white-shirted players passed a ball and over half the viewers, intently focused on the task in hand, failed to recognise a dancing gorilla in the middle of the picture.

The success of phishing websites can be explained by that very same psychological phenomenon – in-attentional blindness – in other words, failing to spot an unexpected change in plain sight.

Recognising the perils of in-attentional blindness, hackers have latched onto the importance of creating attacks that deceive the human brain as well as defeating technological controls.

Successful phishing websites have a visual or verbal anomaly that isn’t recognised by technology, such as blurred or resized images or an undue sense of urgency (e.g. a login timer). This is because the closer the page looks to the real one, the easier advanced anti-phishing technology can detect that it’s a fake. So attackers are constantly trying to make phishing websites different enough to defeat technical email controls but similar enough that a human would think it is real.

Phishing Test

I did my own test with an Office 365 client last week and found they’d been targeted by seven different phishing website attacks in just one day. Fortunately, we’d put visual similarity email security scanning in place to stop these attacks before the links could be activated by any users. One particularly creative and cunning attack involved multiple steps and a CAPTCHA in order to be more convincing:


Phishing Examples


Here comes the science bit…

Traditional signature-based email gateway security solutions were designed to scan the source code that lays behind the HTML page in order to match the signatures of previously known attacks. Savvy criminal groups are defeating these tools by creating spoofed landing pages that look similar enough to legitimate pages to fool their intended victims but not identical enough to be caught by anti-phishing technologies.

Furthermore, these phishing websites only stay active for a few hours. By taking a polymorphic approach (an advanced form of phishing that automatically randomises components of the attack), attackers can automate and refine the process of deploying pages that stay beneath predefined detection thresholds.

So what is the answer?

It’s clearly unreasonable to expect human vision to cure itself of in-attentional blindness. However in these days of artificial intelligence, it is reasonable to expect computer vision to automate tasks that the human visual system can perform, without the flaws of in-attentional blindness. By comparing the actual visual similarity of legitimate landing pages to spoofed ones, rather than relying on simple pattern matching of source code, computer vision enabled solutions can provide a critical additional layer of defence to protect businesses from phishing websites.