Curb Your Enthusiasm: A.I. Will Not Save Us From Phishing

Posted June 26, 2018

Phishing is by far the biggest security threat to any organization. It’s the most common source of attacks and has been at the root of spectacular cyber incidents like the Sony hack and the Petya ransomware attack. Due to the grave danger that phishing poses, remedies are highly sought after. Lately, companies have turned to machine learning and artificial intelligence, the supposed solutions to all societal problems, to combat phishing.

It’s a seductive proposition: AI-based products promise flawless security (“it’s a machine, it doesn’t make mistakes!”) alongside convenience, since they automate the process. One implementation of this is Microsoft’s Office 365 “Advanced Threat Protection” security, which checks emails for words and phrases that could hint at malicious activity, such as impersonation of legitimate companies (e.g. Apple or Microsoft) and sentences asking for payments or password resets.
However, researchers at Avanan revealed on June 19th how hackers can bypass Microsoft’s tool by adding random words to the email body at font size zero (‘ZeroFont’), which the scanner reads as unstructured, non-malicious gibberish. The recipient never sees the ZeroFont text, so the scanner and the human are effectively reading two entirely different emails.
You read that right! A technique used by students to pad their assignment papers is enough to fool a cutting-edge algorithm.
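The defensive counterpart to the trick described above is to normalise the message to what the recipient actually sees before any content scanner runs. The following Python script is an added example and is not code from the original post, from Avanan or from Microsoft: it parses an HTML body with the standard library, separates text rendered at font-size zero from visible text, and flags the message when a meaningful share of its words is hidden. The sample email, the 20 % ratio and the chunk-count threshold are constructed assumptions for this example; only inline `font-size: 0` styling (the ZeroFont case on this page) is handled.

```python
"""Detect ZeroFont-style hidden text in an HTML email body.

Splits the body into the text a recipient sees and the text hidden at
font-size zero, then reports how much of the scanner's input is invisible
to the human. The sample messages below are constructed for this example.
"""
import re
from html.parser import HTMLParser

# Matches an inline font-size of zero: "0", "0px", "0pt", "0em", "0.0%" ...
# but not "0.5em" or "10px" (the digit run must be all zeros and must be
# followed by an optional unit and then ";" or end of string).
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I
)

# Assumed thresholds for this example: flag when at least a fifth of the raw
# text is hidden, or when hidden fragments are sprinkled in many places.
HIDDEN_RATIO_THRESHOLD = 0.2
HIDDEN_CHUNK_THRESHOLD = 5


def is_zero_font(attrs):
    """True if the tag's inline style sets font-size to zero."""
    style = dict(attrs).get("style") or ""
    return bool(ZERO_FONT_RE.search(style))


class ZeroFontSplitter(HTMLParser):
    """Collects text chunks tagged with whether they render at size zero."""

    VOID = {"br", "img", "hr", "input", "meta", "link"}   # never closed
    IGNORED = {"script", "style", "title"}                 # not body text

    def __init__(self):
        super().__init__()
        self.stack = []    # one bool per open element: hidden or not
        self.ignore = 0    # depth inside script/style/title
        self.chunks = []   # (hidden, text) in document order

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        if tag in self.IGNORED:
            self.ignore += 1
        # A child of a zero-font element is hidden too.
        parent_hidden = self.stack[-1] if self.stack else False
        self.stack.append(parent_hidden or is_zero_font(attrs))

    def handle_endtag(self, tag):
        if tag in self.VOID:
            return
        if tag in self.IGNORED and self.ignore:
            self.ignore -= 1
        if self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.ignore:
            return
        hidden = self.stack[-1] if self.stack else False
        self.chunks.append((hidden, data))


def normalise(text):
    """Collapse all runs of whitespace to single spaces."""
    return " ".join(text.split())


def split_text(html):
    """Return (visible, hidden, raw) normalised text for an HTML body."""
    parser = ZeroFontSplitter()
    parser.feed(html)
    parser.close()
    visible = normalise(" ".join(t for h, t in parser.chunks if not h))
    hidden = normalise(" ".join(t for h, t in parser.chunks if h))
    raw = normalise(" ".join(t for _, t in parser.chunks))
    hidden_chunks = sum(1 for h, t in parser.chunks if h and t.strip())
    return visible, hidden, raw, hidden_chunks


def assess(html):
    """Score a body and return what a downstream scanner should really see."""
    visible, hidden, raw, hidden_chunks = split_text(html)
    ratio = len(hidden) / len(raw) if raw else 0.0
    suspicious = bool(hidden) and (
        ratio >= HIDDEN_RATIO_THRESHOLD or hidden_chunks >= HIDDEN_CHUNK_THRESHOLD
    )
    return {
        "visible": visible,        # feed THIS to the content scanner
        "hidden": hidden,
        "hidden_chunks": hidden_chunks,
        "hidden_ratio": round(ratio, 3),
        "suspicious": suspicious,
    }


# Constructed sample: padding words hidden between the real sentence's words.
SAMPLE_EMAIL = (
    "<html><body><p>Your <span style='font-size:0px'>lorem ipsum</span>"
    "Microsoft <span style='FONT-SIZE: 0'>dolor sit</span>account password "
    "<span style=\"font-size:0pt\">amet consectetur</span>expires today. "
    "Please reset it now.</p></body></html>"
)
CLEAN_EMAIL = "<p>Your Microsoft account password expires today.</p>"

if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, assess(body))
```

The point of the `visible` field is that the scanner's keyword checks should run on the human's view of the message, not on the raw token stream; the `hidden_ratio` and `hidden_chunks` fields are what a detection rule would alert on. Legitimate marketing mail occasionally uses zero-size preheader text, which is why the example uses thresholds rather than flagging any hidden text at all.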

This is not the first time scammers have duped algorithms using simplistic methods: a few weeks earlier, Avanan also discovered that something similar was possible with URL links.
It is likely that hackers will continue to study how these bots function and find new ways to fool them. These criminals are creative, adaptable and unpredictable, whilst the machine defender is uncreative, inflexible and predictable. As such, these tools could lead to more breaches, as they teach consumers to switch off their scepticism whilst the AI serves up scams as “trusted messages”.
Luckily, there are simple behaviours and habits that humans can learn in order to spot phishing attempts. For example, it is not possible to change the font in the sender address field. Therefore, one look at the sender lets you identify a phishing mail, even if it slipped through the filter.
To truly protect yourself against phishing, learning to spot a phishing mail yourself rather than relying on a machine will prove more sustainable. It takes humans to outsmart other humans.
Co-founder, social engineering specialist and amateur philosopher.
