Longlining email attacks are mass customised phishing messages that are typically engineered to look like they are only arriving in small quantities, mimicking targeted attacks. Attackers leverage approaches used by mass marketing campaigners to generate millions of dissimilar messages. They do this with mail-generating code and infrastructure that can rotate email content, subject lines, sender IP addresses, sender email accounts, and URLs. This means that for every organisation no more than 10-50 emails will look alike, enabling the malicious emails to fly under the radar of all spam and content scanning systems. Typically no attachment is included, thus minimising the chance of detection by antivirus or other signature-based solutions. Additionally, the multiple IP addresses, sender email accounts, and URLs used in the campaign are typically legitimate but compromised.
Phishing Using Mass Customisation
Longline phishing got its name from the commercial fishing practice called “longlining”. In the fishing industry, longlining uses long fishing lines with thousands of baited hooks attached at intervals along the line. Similarly, cyber attackers use the technique to catch more unsuspecting users through mass targeting. The email messages are the hooks, luring the recipient into clicking on malicious content, and because the attackers can customise large numbers of emails, each one appears to be tailored to its recipient.
Longline emails are a type of spear phishing attack: deceptive emails that attempt to trick the recipient into providing confidential information. Longline emails are more specific because they use personalised messages to trick the user into clicking a link, after which the user unknowingly downloads malware onto their device. These emails can be more dangerous than regular phishing emails because they are personalised for each user and appear to be legitimate. Attackers spoof legitimate company emails, and even actual email addresses, so a person may think the email is coming from a company with which they already do business.
Longline phishing emails often use fear tactics, such as telling the recipient their account has been locked due to suspicious activity. Out of fear, the person clicks a link not realising they are downloading malicious content to their computer or mobile device. Then the attackers have control over their device and all their information stored on it.
What Organisations Need to Know About Longlining
To avoid detection, longline attackers use thousands of different IP addresses and sender aliases, and compromise multiple legitimate company websites at the same time. This inherently lends ‘good’ reputation characteristics to the emails, helping them evade any reputation-based detection approach. And since they send a variety of emails with so many different settings and apparent sources, it can be difficult for organisations to weed out these longline phishing scams.
To prolong the attack's time to detection, attackers ensure that the compromised site delivers ‘polymorphic’ malware to user machines. Every user gets a unique version of the malware, essentially defeating the value of any new signatures created once the attack starts to be detected.
How can you protect against longlining? Given the sophistication of the content and compromised infrastructure typically seen in longlining attacks, a Big Data-driven security solution will likely be more effective at combating these threats. Such a solution should not rely only on signatures and reputation controls. The goal of the email security solution should be to look for patterns based on historical traffic, analyse new traffic in real time, and predict what needs to be analysed further in a cloud-based advanced malware detection service.
Protect Against Longline Phishing Attacks
Look for an email security solution that can identify mass-customised campaigns targeting multiple companies at the same time, pick out the characteristics shared across them to form a pattern, and proactively sandbox these threats to declare the pattern malicious, which helps increase longlining detection. Additionally, the security solution should have an approach to managing the messages that do get through, by distinguishing targeted attacks from legitimate emails. With longlining attacks typically capable of more than 800,000 messages per minute, many may reach users. The security solution should be capable of rewriting the various URLs in those messages, as well as predictively sandboxing suspicious URLs, so that recipients can be blocked from reaching the malicious destination once advanced malware detection has confirmed the destination websites to be bad. This typically helps minimise the effort required for clean-up and remediation.
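The cross-organisation pattern matching described above, as an added example that is not code from the original article or from any vendor product. It assumes a detection service that sees mail for several tenants, and uses constructed sample messages: the rotated parts (recipient name, URL, digits, sender IP) are collapsed into placeholders so that a campaign that stays below a per-organisation threshold still surfaces once counts are aggregated across tenants.

```python
import re
from collections import Counter, defaultdict

# Constructed sample traffic from three tenant organisations (values made up).
# Each message rotates the recipient name, sender IP and URL around one template.
MESSAGES = [
    {"org": "acme",    "to_name": "Alice", "sender_ip": "203.0.113.10", "subject": "Alert for Alice",
     "body": "Alice, your account was locked. Verify at http://a.example/x1"},
    {"org": "acme",    "to_name": "Bob",   "sender_ip": "203.0.113.11", "subject": "Alert for Bob",
     "body": "Bob, your account was locked. Verify at http://b.example/x2"},
    {"org": "globex",  "to_name": "Carol", "sender_ip": "198.51.100.7", "subject": "Alert for Carol",
     "body": "Carol, your account was locked. Verify at http://c.example/x3"},
    {"org": "globex",  "to_name": "Dan",   "sender_ip": "198.51.100.8", "subject": "Alert for Dan",
     "body": "Dan, your account was locked. Verify at http://d.example/x4"},
    {"org": "initech", "to_name": "Eve",   "sender_ip": "192.0.2.5",    "subject": "Alert for Eve",
     "body": "Eve, your account was locked. Verify at http://e.example/x5"},
    {"org": "acme",    "to_name": "Alice", "sender_ip": "203.0.113.12", "subject": "Lunch menu",
     "body": "Alice, the canteen menu is attached below."},
]

URL_RE = re.compile(r"https?://\S+")
NUM_RE = re.compile(r"\d+")

def template_fingerprint(subject: str, body: str, recipient_name: str) -> str:
    """Replace the parts an attacker rotates per recipient with placeholders,
    so every mass-customised copy of one template yields the same fingerprint."""
    text = f"{subject}\n{body}"
    text = URL_RE.sub("<URL>", text)                       # rotated landing URLs
    text = NUM_RE.sub("<NUM>", text)                       # ticket/reference numbers
    text = re.sub(re.escape(recipient_name), "<NAME>", text, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", text).strip().lower()

def find_longline_campaigns(messages, min_orgs=2, min_total=3):
    """Aggregate fingerprints across tenants and flag templates that span
    several organisations, reporting how much infrastructure was rotated."""
    orgs_by_fp = defaultdict(Counter)    # fingerprint -> org -> message count
    ips_by_fp, urls_by_fp = defaultdict(set), defaultdict(set)
    for m in messages:
        fp = template_fingerprint(m["subject"], m["body"], m["to_name"])
        orgs_by_fp[fp][m["org"]] += 1
        ips_by_fp[fp].add(m["sender_ip"])
        urls_by_fp[fp].update(URL_RE.findall(m["body"]))
    campaigns = {}
    for fp, orgs in orgs_by_fp.items():
        total = sum(orgs.values())
        if len(orgs) >= min_orgs and total >= min_total:
            campaigns[fp] = {"orgs": dict(orgs), "total": total, "max_per_org": max(orgs.values()),
                             "sender_ips": len(ips_by_fp[fp]), "urls": len(urls_by_fp[fp])}
    return campaigns
```

In the sample, no single tenant sees more than two copies of the template, yet the aggregated view shows one template behind five messages from five sender IPs and five URLs, which is the signal a single-organisation filter cannot see.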