Hornetsecurity and Phishing

Hornetsecurity's Spam and Malware Protection utilizes a sophisticated stack of scan engines that detect fraudulent and phishing emails on top of state-of-the-art spam and malware detection.

Brand impersonation attacks
Phishers often attempt to impersonate well-known brands, e.g., PayPal or Amazon, to lure their victims into handing over their credentials.

To do so, phishers tend to use well-known brand names in email display names or as part of URLs pointing at phishing sites.

Hornetsecurity monitors the domains of Fortune 5000 companies to identify whether a display name or URL genuinely belongs to a specific brand or company or is merely impersonating it in an attempted attack.

Fraudulent email detection
Hornetsecurity analyzes email content to identify malicious calls to action, such as sending money to a fraudster's bank account.

Through natural language processing, email text is analyzed to identify its content and context.

The contextual interpretation is then enriched with email features like email sender addresses, email subjects, and SMTP servers.

Through this, Hornetsecurity detects attackers that send emails from external domains and servers.

Typo squatting and domain name permutation
Phishers register domains that are very similar to the victim's domains or to well-known brands (example: "pavpal.com"). Hornetsecurity utilizes comparison engines to detect attempts to trick victims into visiting these pages.

Domains in links that are identified with well-known brands or with the domains of Hornetsecurity's customers are analyzed in context with the email content. Finally, attackers are stopped, and emails are quarantined if found malicious.
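The kind of comparison described above can be sketched as follows. This is an added example, not Hornetsecurity's implementation; the watchlist, the distance threshold and all function names are assumptions chosen for illustration.

```python
# Added illustration: flag link domains that closely resemble, but do not
# match, a watched brand domain. BRANDS and MAX_DISTANCE are assumed values.
BRANDS = {"paypal.com", "amazon.com"}  # constructed watchlist
MAX_DISTANCE = 1                       # edits tolerated before "unrelated"


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    transpose adjacent characters, each costing 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive last-two-labels reduction; production code should use the
    Public Suffix List instead (assumption made to stay dependency-free)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str):
    """Return ('legit' | 'lookalike' | 'unrelated', matched brand or None)."""
    domain = registrable(host)
    if domain in BRANDS:
        return "legit", domain
    for brand in sorted(BRANDS):
        if osa_distance(domain, brand) <= MAX_DISTANCE:
            return "lookalike", brand
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample hosts, including the page's "pavpal.com" example.
    for h in ["www.paypal.com", "pavpal.com", "login.amazno.com", "example.org"]:
        print(h, classify(h))
```

A brand name placed in a subdomain or URL path of an unrelated domain is not caught by edit distance on the registrable domain and needs a separate check.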

Phishing domain detection with certificate authorities
Modern web browsers warn users when they fill out website forms on non-HTTPS websites. Phishers know this and set up HTTPS for their phishing sites by ordering certificates from free certificate authorities, e.g., Let's Encrypt.

Certificate authorities are required to log issued certificates with domain names in so-called certificate transparency logs. Hornetsecurity reads domains from those logs in real time and detects malicious domains through domain classification and additional threat models.

Consequently, phishing domains are detected as malicious before the phishers can even set up their phishing sites. Protection occurs before the attack.