Quantum Titan’s AI Deep Learning Engines Detect and Block Zero-Day Phishing Attacks in Real Time

Since its launch in December 2022, Check Point’s patented inline ‘Zero Phishing’ technology has prevented dozens of zero-day phishing campaigns. In this blog post we aim to share three highlighted cases our engines prevented over the past month.

New Zero-Phishing AI Engines – X4 more phishing pages detected, 40% higher detection rate

In our latest Titan release R81.20, we have introduced an industry first inline security technology named ‘Zero Phishing’. This patented technology is based on dedicated AI engines in
ThreatCloud AI and is already in production in the ‘Harmony Browse’ and ‘Harmony Mobile’ products. Now, with the Titan release, it has been added inline on any of Quantum gateways and is part of the Gen V SandBlast security package.
ThreatCloud AI, Check Point’s Threat Intelligence cloud, uses over 40+ AI and Machine Learning technologies that identify and block emerging threats that haven’t been seen before .
When tested, the ‘Zero Phishing’ was able to detect x4 more zero-day phishing pages than traditional anti-phishing solutions, and 40% more detections compared to AI-based security vendors.
The key advantage of the inline ‘Zero Phishing’ AI technology is that it doesn’t require any installation on an endpoint or mobile devices. The user needs to simply browse through a Check Point gateway to be protected from such zero-day phishing pages as shown in Figure 1.

Figure 1: Blocking never-seen-before phishing attacks

Here are three recent phishing websites that the ‘Zero Phishing’ technology has prevented in real-time: 

Case in point #1 – Instagram: 

Figure 2: Phishing website “Instagram” 

The above website impersonates an Instagram website tricking users to type in their login credentials while stealing them for further steps of the attack.   

Figure 3: Prevention Timeline

This website was first seen on Feb 15 by the ‘Zero Phishing’ AI engine in ThreatCloud. A first submission to Virus Total was done a day later. 

Only after 7 days, on Feb 21, it was flagged as malicious by Virus Total after 30+ engines found it malicious. 

‘Zero Phishing’ Top compromised indicators: 

The ‘Zero Phishing’ engine scans the website, collects indicators, and sends them to Check Point’s ThreatCloud as shown in Figure 4.  

Figure 4: ‘Zero Phishing’ indicators

ThreatCloud AI engines receive the indicators and flag the website as malicious.

• Site title matched to a famous brand
• Favicon is missing
• URL with bad reputation

ThreatCloud AI returns with an answer that the website is a phishing one and therefore the page is blocked without the possibility to fill the private information. The overall process takes less than 2 seconds to keep the highest user productivity.

User experience following the block of the webpage: 

Figure 5: ‘Zero Phishing’ blocking steps

Case in point #2 – MetaMask:

Figure 6: Phishing website “MetaMask“

The above website consists of two pages, which aims at first to collect the user password to the “MetaMask” crypto wallet. In the next step, the victim is forwarded to a Reset Wallet page which requires the victim to input Secret Recovery Phrases.
The first submission to Virus Total was added 30 hours after Check Point’s detection.

‘Zero Phishing’ Top compromised indicators:

Figure 7: ‘Zero Phishing’ indicators

Top indicators detected by ThreatCloud AI:

• Newly registered domain
• Anonymous register
• Internal URLs that request resources from a suspicious variety of sources Iframes
• IP bad reputation

Case in point #3 – Louis Vuitton:

Figure 8: Phishing website “Louis Vuitton“

The above impersonates a Louis Vuitton official website. It is highly sophisticated website with several inner webpages, including a whole menu of products that look similar to the actual Louis Vuitton products.

Figure 9: Products in the phishing website “Louis Vuitton“ 

After the user fills his cart, he is asked to select a payment method and to fill in the user’s password to complete the process. 

‘Zero Phishing’ Top compromised indicators:

Figure 10: ‘Zero Phishing’ indicators

Top indicators detected by ThreatCloud AI:

• URL with bad reputation
• Newly registered domain
• Anonymous register

 A link is not always what it seems

Phishing is a type of cybersecurity attack during which malicious actors send messages pretending to be a trusted person or entity. Phishing is the most common type of social engineering, which is a general term describing attempts to manipulate or trick users.
Social engineering is an increasingly common threat vector used in almost all security incidents.

A link is not always what it seems. Hackers have gone to great lengths to create convincing websites that look just like the real deal. Oftentimes, this is spoofing a major company. By convincingly spoofing legitimate websites, bad actors are hoping to encourage end-users to enter their credentials. When done properly, URL phishing can lead to usernames, passwords, credit cards, and other personal information being stolen.

In our latest 2023 cyber security report, Check Point’s IR teams reported that in 2022
21% of initial entry vectors discovered in their cases were due to Phishing incidents.

How To Identify URL Phishing

URL phishing attacks use trickery to convince the target that they are legitimate. Some of the ways to detect a URL phishing attack is to:

• Ignore Display Names: Phishing emails can be configured to show anything in the display name. Instead of looking at the display name, check the sender’s email address to verify that it comes from a trusted source.
• Verify the Domain: Phishers will commonly use domains with minor misspellings or that seem plausible. For example, company.com may be replaced with cormpany.com or an email may be from company-service.com. Look for these misspellings, they are a good indicators.
• Check the Links: URL phishing attacks are designed to trick recipients into clicking on a malicious link. Hover over the links within an email and see if they actually go where they claim. Enter suspicious links into a phishing verification tool like phishtank.com, which will tell you if they are known phishing links. If possible, don’t click on a link at all; visit the company’s site directly and navigate to the indicated page.

The speed and sophistication of evasive zero-day phishing attacks requires AI Deep Learning to predict and block malicious behavior without human intervention.
Check Point’s Quantum Titan revolutionizes threat prevention and security management with AI Deep Learning, advanced cloud services, integrated IoT security, and firewall auto scaling performance for mission critical applications.