Definition
Longlining attacks are mass-customized phishing messages engineered to arrive at any one organization in small quantities, mimicking targeted attacks. Attackers borrow the techniques of mass-marketing campaigns to generate millions of dissimilar messages, using mail-generating code and infrastructure that rotate email content, subject lines, sender IP addresses, sender email accounts, and URLs. As a result, no more than 10-50 of the emails arriving at any one organization look alike, which lets the malicious emails fly under the radar of all spam and content-scanning systems. Typically no attachment is included, minimizing the chance of detection by antivirus or other signature-based solutions. Additionally, the multiple IP addresses, sender email accounts, and URLs used in the campaign are typically legitimate but compromised.
This inherently gives the emails ‘good’ reputation characteristics, helping them evade any reputation-based detection approach. To prolong the attack's time-to-detection, attackers ensure that the compromised site delivers ‘polymorphic’ malware to user machines: every user gets a unique version of the malware, essentially defeating the value of new signatures created as the attack starts to be detected.
How can I protect against it?
Given the sophistication of the content and the compromised infrastructure typically seen in Longlining attacks, combating these threats with a Big Data-driven security solution will likely be more effective. Such a solution should not rely only on signatures and reputation controls. The goal of the email security solution should be to look for patterns based on historical traffic, analyze new traffic in real time, and predict what needs to be analyzed in a cloud-based advanced malware detection service.
Protect Against Longline Phishing Attacks
Look for an email security solution that can identify mass-customized campaigns targeting multiple companies at the same time, pick out the characteristics shared across them to form a pattern, and proactively sandbox these threats to declare the pattern malicious, which improves longlining detection. Additionally, the security solution should have an approach to managing the messages that do get through. With Longlining attacks typically capable of more than 800,000 messages per minute, many may reach users. The security solution should be capable of rewriting the various URLs in those messages, as well as predictively sandboxing suspicious URLs, so that recipients can be blocked from reaching the malicious destination once advanced malware detection has confirmed the destination websites to be bad. This typically minimizes the effort required for clean-up and remediation.
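As an added example (not code from this page or from any vendor's product), the following Python sketches the two controls the definition and the protection section describe: forming a pattern across organizations from messages that each look like low-volume targeted mail, and rewriting URLs so that a click can still be checked after delivery. It assumes a mail gateway with visibility across several tenant organizations; the messages, organization names, sender addresses, IPs, URLs and the click-check gateway address are all constructed placeholders, and the shingling and greedy clustering are one simple way to form the pattern, not a description of any particular product.

```python
"""Cross-organization clustering of mass-customized phishing, plus click-time
URL rewriting. Added example; it assumes a gateway that sees mail for several
tenant organizations. Every message, domain, address and IP below is
constructed sample data."""
import re
from collections import defaultdict
from urllib.parse import quote

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
NUM_RE = re.compile(r"\d+")

# Constructed sample: five copies of one template with rotated sender, source
# IP, invoice number, URL and the odd word, spread over four organizations
# (at most two per organization), plus two unrelated internal messages.
SAMPLE_MESSAGES = [
    {"org": "acme", "sender": "mary@shop-one.test", "ip": "198.51.100.7",
     "subject": "Invoice 48213 is overdue",
     "body": "Hello, your invoice 48213 is now overdue. Please review the statement "
             "at http://compromised-a.test/inv/48213 before Friday. Regards, Accounts Team"},
    {"org": "globex", "sender": "john@shop-two.test", "ip": "203.0.113.19",
     "subject": "Invoice 77105 is overdue",
     "body": "Hi, your invoice 77105 is now overdue. Please review the statement "
             "at http://compromised-b.test/doc/77105 before Friday. Regards, Accounts Team"},
    {"org": "initech", "sender": "amy@shop-three.test", "ip": "192.0.2.44",
     "subject": "Invoice 10934 is overdue",
     "body": "Hello, your invoice 10934 is now overdue. Kindly review the statement "
             "at http://compromised-c.test/view/10934 before Friday. Regards, Accounts Team"},
    {"org": "umbrella", "sender": "bob@shop-four.test", "ip": "198.51.100.88",
     "subject": "Invoice 55021 is overdue",
     "body": "Hello, your invoice 55021 is now overdue. Please review the statement "
             "at http://compromised-d.test/s/55021 before Friday. Thanks, Accounts Team"},
    {"org": "acme", "sender": "sue@shop-five.test", "ip": "203.0.113.5",
     "subject": "Invoice 31877 is overdue",
     "body": "Hi, your invoice 31877 is now overdue. Please review the statement "
             "at http://compromised-e.test/p/31877 before Friday. Thanks, Accounts Team"},
    {"org": "acme", "sender": "it@acme.test", "ip": "10.0.0.5",
     "subject": "Patch window Saturday",
     "body": "Reminder: servers reboot Saturday at 02:00. Save your work. IT"},
    {"org": "globex", "sender": "hr@globex.test", "ip": "10.1.0.9",
     "subject": "Benefits enrollment opens Monday",
     "body": "Open enrollment starts Monday. Visit https://hr.globex.test/enroll to choose a plan."},
]


def normalize(text):
    """Collapse the parts a campaign rotates (URLs, addresses, numbers, case)
    so that messages generated from one template map to the same tokens.
    Sender address and source IP are deliberately not part of the fingerprint:
    the campaign rotates them, so they would only split the cluster."""
    text = URL_RE.sub(" <url> ", text.lower())
    text = EMAIL_RE.sub(" <email> ", text)
    text = NUM_RE.sub(" <num> ", text)
    return re.findall(r"[a-z<>]+", text)


def shingles(tokens, k=3):
    """Set of k-word windows; small wording changes only disturb a few of them."""
    return {" ".join(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster(messages, threshold=0.5):
    """Greedy single pass: a message joins the first cluster whose representative
    shingle set is similar enough, otherwise it starts a new cluster."""
    clusters = []  # list of (representative shingle set, member indexes)
    for idx, msg in enumerate(messages):
        sh = shingles(normalize(msg["subject"] + " " + msg["body"]))
        for rep, members in clusters:
            if jaccard(sh, rep) >= threshold:
                members.append(idx)
                break
        else:
            clusters.append((sh, [idx]))
    return [members for _, members in clusters]


def find_campaigns(messages, min_orgs=3, max_per_org=50, threshold=0.5):
    """Flag clusters that span several organizations while staying below the
    per-organization volume at which a single tenant's filter would notice.
    The URLs collected here are the candidates to sandbox and to rewrite."""
    findings = []
    for members in cluster(messages, threshold):
        per_org = defaultdict(int)
        for i in members:
            per_org[messages[i]["org"]] += 1
        if len(per_org) >= min_orgs and max(per_org.values()) <= max_per_org:
            findings.append({
                "members": members,
                "per_org": dict(per_org),
                "senders": sorted({messages[i]["sender"] for i in members}),
                "urls": sorted({u for i in members for u in URL_RE.findall(messages[i]["body"])}),
            })
    return findings


def rewrite_urls(body, gateway="https://click-check.example/redirect?u="):
    """Wrap every URL so the destination is checked when the user clicks, which
    is what lets a gateway block a site confirmed bad only after delivery.
    The gateway address is a placeholder."""
    return URL_RE.sub(lambda m: gateway + quote(m.group(0), safe=""), body)


if __name__ == "__main__":
    for finding in find_campaigns(SAMPLE_MESSAGES):
        print("campaign across", finding["per_org"], "->", finding["urls"])
    print(rewrite_urls(SAMPLE_MESSAGES[0]["body"]))
```

Run as is, the five invoice messages fall into one cluster spread over four organizations with no more than two copies each, so the cluster is reported as a campaign together with its five rotated URLs, while the two internal messages stay in single-organization clusters. A legitimate bulletin sent identically to many organizations would cluster the same way, which is why the page treats the pattern as something to sandbox rather than block outright. The URL regex is intentionally crude (it swallows trailing punctuation); a production rewriter would use a proper URL tokenizer.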