Phishing has always been one of the most common email threats, but it has now become a fairly difficult threat to detect and block. As we noted earlier in the year, the content of phishing emails has become essentially identical to that of legitimate messages.
From the point of view of blocking and detecting email based on content, this is a serious problem. Because phishing messages are so similar to legitimate ones, any pattern likely to catch them is also likely to match many legitimate messages, raising the number of false positives to unacceptable levels.
Detecting phishing emails by analyzing URLs also presents a challenge, because phishing sites go down very quickly after they go online. According to the Global Phishing Survey report for the first half of 2012 released by the Anti-Phishing Working Group, the average uptime of a phishing site is now below 24 hours, with the median uptime just below six hours. This leaves relatively little time to analyze and blocklist a malicious site before it disappears, which reduces the effectiveness of URL reputation for detecting phishing messages.
Trend Micro has developed new technology that harnesses the capabilities of the Smart Protection Network, together with big data analytics, to detect phishing messages. This proactive solution takes various characteristics of messages and their senders and builds a network map of groups and communities. Email templates, IP addresses, and other attributes are among the characteristics used to map relationships and behaviors within the network.
The behavior of each message is compared to the intelligence developed by this solution, which determines whether the message could be a phishing email based on its behaviors and attributes. For example, if two senders send similar messages, and one is known to send messages of that particular legitimate template (such as an email notification from a large company that actually originates from that company) while the other is not, then the message from the latter could be a phishing attack.
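The sender/template relationship described above can be illustrated with a small script. This is an added example and not Trend Micro's own code; the Smart Protection Network implementation is not public, so the template matching here (placeholder normalization plus word-shingle Jaccard similarity), the `TemplateGraph` class, the verdict names, and the sample messages, domains (`paybank.example`, `paybank-secure.example`) and addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are all assumptions constructed for the example. It learns which sending IPs and From-domains are known to send a given legitimate notification template, then flags a message that reuses the template from an unknown sender, even though the phishing URL inside it is never looked up.

```python
import re

# Illustrative sender/template relationship map. Added example; not Trend Micro's
# Smart Protection Network code. Template matching and sample data are assumptions.


def to_template(body: str) -> str:
    """Replace variable fields (URLs, addresses, numbers) with placeholders so
    messages generated from the same template normalise to the same text."""
    t = body.lower()
    t = re.sub(r"https?://\S+", "<url>", t)
    t = re.sub(r"\S+@\S+", "<email>", t)
    t = re.sub(r"\d+", "<num>", t)
    return re.sub(r"\s+", " ", t).strip()


def shingles(text: str, k: int = 3) -> set:
    """Word k-grams; tolerant of small wording changes between template variants."""
    words = text.split()
    if len(words) < k:
        return {tuple(words)}
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: set, b: set) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


class TemplateGraph:
    """Maps each observed template to the sending IPs and From-domains known to use it."""

    def __init__(self, threshold: float = 0.8):
        self.threshold = threshold
        self.templates = []  # each: {"shingles": set, "ips": set, "domains": set}

    def _nearest(self, body: str):
        s = shingles(to_template(body))
        best, best_sim = None, 0.0
        for t in self.templates:
            sim = jaccard(s, t["shingles"])
            if sim > best_sim:
                best, best_sim = t, sim
        if best is not None and best_sim >= self.threshold:
            return best, best_sim
        return None, best_sim

    def learn(self, domain: str, ip: str, body: str) -> None:
        """Record that (domain, ip) legitimately sends this template."""
        t, _ = self._nearest(body)
        if t is None:
            t = {"shingles": shingles(to_template(body)), "ips": set(), "domains": set()}
            self.templates.append(t)
        t["ips"].add(ip)
        t["domains"].add(domain)

    def assess(self, domain: str, ip: str, body: str) -> str:
        """Verdict for a new message. The connecting IP anchors the relationship,
        because the header From-domain is trivially spoofable."""
        t, _ = self._nearest(body)
        if t is None:
            return "no_known_template"
        if ip in t["ips"]:
            return "known_sender"
        if domain in t["domains"]:
            return "suspect_spoofed_sender"  # known brand, unknown infrastructure
        return "suspect_phishing"           # known template, unknown sender


# Constructed sample data (not real messages).
LEGIT_NOTICE = ("Dear customer, your PayBank account 4821 needs verification. Visit "
                "https://paybank.example/verify within 24 hours or the account will be locked.")
PHISH_NOTICE = ("Dear customer, your PayBank account 9077 needs verification. Visit "
                "http://paybank-secure.example/login within 12 hours or the account will be locked.")
LEGIT_VARIANT = ("Dear customer, your PayBank account 5566 needs verification. Visit "
                 "https://paybank.example/verify within 48 hours or the account will be locked.")
UNRELATED = "Hi team, the weekly sync moves to Thursday at 3pm. Agenda attached."


def run_samples() -> list:
    """Train on the known-good sender, then assess four messages."""
    graph = TemplateGraph()
    graph.learn("paybank.example", "203.0.113.10", LEGIT_NOTICE)
    samples = [
        ("paybank.example", "203.0.113.10", LEGIT_VARIANT),         # same sender, new number
        ("paybank-secure.example", "198.51.100.7", PHISH_NOTICE),   # lookalike domain, new IP
        ("paybank.example", "198.51.100.7", PHISH_NOTICE),          # spoofed From, unknown IP
        ("paybank.example", "203.0.113.10", UNRELATED),             # no template on record
    ]
    return [graph.assess(d, ip, body) for d, ip, body in samples]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

The trade-off a practitioner should notice: anchoring on the sending IP means a legitimate sender that brings up a new outbound IP is briefly reported as `suspect_spoofed_sender` until the map learns the new relationship, which is exactly the false-positive cost the post weighs against pure content matching. In a real deployment the "known sender" identity would come from SPF- or DKIM-authenticated domains rather than the raw From header, and the template map would be refreshed continuously from observed traffic.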
In essence, this technology allows Trend Micro to identify these attacks even if the website hosting the phishing page is down or has changed. This improves the ability to detect phishing attacks in the shortest time possible.
Look here for further details about this technology and its effectiveness in the near future.