Longlining

What is Longlining?

Longlining attacks are mass-customised phishing messages engineered to arrive at each organisation in small quantities, so that they resemble targeted attacks. Attackers borrow the techniques of mass-marketing campaigns to generate millions of dissimilar messages, using mail-generating code and infrastructure that rotates email content, subject lines, sender IP addresses, sender email accounts and URLs. As a result, no more than 10-50 emails arriving at any one organisation look alike, which lets the malicious emails fly under the radar of spam and content-scanning systems. Longlining phishing typically includes no attachment, minimising the chance of detection by antivirus or other signature-based solutions. Additionally, the multiple IP addresses, sender email accounts and URLs used in a campaign are typically legitimate but compromised.

Because Longlining attacks use legitimate sender information, the emails inherit ‘good’ reputation characteristics, helping them evade reputation-based detection. To prolong the attack's time-to-detection, Longlining attackers ensure that the compromised site delivers ‘polymorphic’ malware to user machines: every user gets a unique version of the malware, which largely defeats the value of new signatures created as the attack begins to be detected.

Protecting Against Longlining Attacks

Given the sophisticated content and compromised infrastructure typically seen in Longlining attacks, combating them with a Big Data-driven security solution is likely to be more effective. Such a solution should not rely only on signatures and reputation controls. Its goal should be to look for patterns in historical traffic, analyse new traffic in real time, and predict which messages need to be analysed in a cloud-based advanced malware detection service.

Look for a security solution that can identify mass Longlining campaigns targeting multiple companies at the same time, pick out the distinctive characteristics shared across them to form a pattern, and proactively sandbox these threats so the pattern can be declared malicious, which helps increase detection. The solution should also have an approach for managing the messages that do get through: with Longlining attacks typically capable of more than 800,000 messages per minute, many may reach users. It should be capable of rewriting the URLs in those messages and predictively sandboxing suspicious URLs, so that recipients can be blocked from reaching the malicious destination once advanced malware detection has confirmed the destination websites to be bad. This typically helps minimise the effort required for clean-up and remediation.
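As an added example (not the page's or any vendor's code), the cross-company pattern matching described above can be sketched in Python: the fields a mail generator rotates are normalised away, and a template is flagged when it appears at several organisations while staying at low volume at each one. The sample messages, field names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample messages: (recipient_org, sender, subject, body). Four are
# variants of one lure with rotated names, numbers, senders and URL hosts.
MESSAGES = [
    ("acme.example", "alice@shop-a.example", "Invoice 48213 ready",
     "Hi Tom, your invoice 48213 is ready: http://host1.example/inv/48213"),
    ("acme.example", "bob@blog-b.example", "Invoice 77102 ready",
     "Hi Sue, your invoice 77102 is ready: http://host2.example/inv/77102"),
    ("globex.example", "carol@news-c.example", "Invoice 10334 ready",
     "Hi Ann, your invoice 10334 is ready: http://host3.example/inv/10334"),
    ("initech.example", "dave@forum-d.example", "Invoice 90001 ready",
     "Hi Raj, your invoice 90001 is ready: http://host4.example/inv/90001"),
    ("acme.example", "hr@acme.example", "Team lunch Friday",
     "Hi all, lunch is at noon on Friday in room 4."),
]

URL_RE = re.compile(r"https?://\S+")
GREET_RE = re.compile(r"^(hi|hello|dear)\s+\w+", re.IGNORECASE | re.MULTILINE)
NUM_RE = re.compile(r"\d+")


def template(subject, body):
    """Collapse rotated fields (greeting name, numbers, URL host) so that
    mass-customised variants reduce to one key; the URL path shape is kept."""
    def url_shape(m):
        parts = m.group().split("/", 3)
        return "<url:" + (parts[3] if len(parts) > 3 else "") + ">"
    text = URL_RE.sub(url_shape, f"{subject}\n{body}")
    text = GREET_RE.sub("<greeting>", text)
    text = NUM_RE.sub("#", text)
    return " ".join(text.lower().split())


def find_campaigns(messages, min_orgs=3, max_per_org=50):
    """Flag templates seen at >= min_orgs organisations with at most
    max_per_org copies each: low per-org volume but wide spread."""
    per_tpl = defaultdict(lambda: {"orgs": defaultdict(int), "senders": set()})
    for org, sender, subject, body in messages:
        entry = per_tpl[template(subject, body)]
        entry["orgs"][org] += 1
        entry["senders"].add(sender)
    campaigns = []
    for tpl, entry in per_tpl.items():
        orgs = entry["orgs"]
        if len(orgs) >= min_orgs and max(orgs.values()) <= max_per_org:
            campaigns.append({"template": tpl, "orgs": sorted(orgs),
                              "messages": sum(orgs.values()),
                              "senders": len(entry["senders"])})
    return campaigns
```

In a real deployment the grouping would run over traffic from many customers, and a flagged template's URLs would be the candidates for predictive sandboxing.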