Phishing continues to grow, with social media an increasingly popular attack vector. Attackers are also focusing their attention on key targets such as Office 365 and cryptocurrency. Of most concern is that single sign-on (SSO) is becoming more popular with bad actors as they look to maximise the returns from an attack.
The details are contained in PhishLabs Quarterly Threat Trends and Intelligence Report (registration required). The Q2/21 report also shows that year-on-year, phishing continues to be popular with attackers. Phishing attacks in H1/21 were up more than 22% on H1/20. Interestingly, while May 21 hit a new high for phishing attacks, June 21 showed the largest ever fall in attacks. It also mirrors the pattern for 2020, where attacks dropped in June and July only to pick up again later in the year.
Which industries are the phishing attacks targeting?
The top six targeted industries (Q1/21 positions in brackets) are:
- Financial (2)
- Social Media (1)
- Telecommunications (5)
- Webmail & Cloud Service (3)
- eCommerce (4)
- Dating (7)
PhishLabs commented: “The high volume of attacks targeting Social Media, Webmail & Cloud Services, and Ecommerce is related to those accounts often being used as SSO Single Sign-On (SSO) for secondary accounts. 45% of phishing attacks targeted accounts that are commonly used for SSO, up from 40% in Q1.”
The largest number of attacks from a single source was compromised sites (27.2%). Those attacks rely on the authority of the compromised domain to fool the user into thinking the attack is a genuine email. It often leads to a BEC attack which accounted for 25.4% of attacks, up 5.7% from Q1.
Many of the attacks took advantage of free services and tools and show a shift in the use of tools. Tunnelling services accounted for 24% (+13.1%) of attacks. They displaced attacks from free hosting services (-3.4%) and free domain registrations (-11.3%). However, both are still effective tools in the armoury of attackers and accounted for 16.6% and 11.8% of attacks.
PhishLabs commented: “Five ccTLDs (.ml, .tk, .ga, .cf, and .gq) highly abused by threat actors dropped from the Top 10. This suggests rapid detection and mitigation measures implemented by PhishLabs and others have made abusing free domain registrations significantly less profitable for threat actors.”
What have users been reporting?
Improvements to email security have reduced the volume of malware reaching user inboxes. PhishLabs reports that 96% of email threats do not involve malware. It means that IT security is winning part of the security battle. However, it also shows that many malicious emails and phishing attempts are not being detected. It puts the emphasis on the user to detect and report those emails.
PhishLabs comments: “Credential theft and social engineering attacks are highly likely to reach user inboxes undetected and therefore remain top of mind for security teams.”
Of those emails that were reported or detected, 63.5% were credential theft attempts. The majority of these (78%) contained a phishing link, with the remainder having a suspicious attachment. Common among those phishing links are those that claim to come from IT support and require you to log in to unlock held emails. It gives the attacker access to Office 365 credentials that can be used to access other resources.
The rise of cryptocurrency threats
There has been a significant rise in phishing attacks against cryptocurrency. Given the price that some command, that should come as no surprise. What is surprising is where these attacks are coming from.
More than half of those attacks come from impersonation attacks (brand – 47.5%, executive 4.9% and employee 2.3%). The second biggest single source of attacks is source code (39.2%). PhishLabs says: “This activity identifies threat actor attempts at impersonating cryptocurrency businesses to confuse customers and cash in on the sector’s skyrocketing growth.”
To stage their phishing sites, 95.6% are using free hosting services. From there, they create lookalike sites, often scraping the data from the impersonated site. They also take advantage of techniques such as typosquatting and homoglyphs.
In the former attack, the letters r and n are placed together to appear as an m. In the latter, the attackers use other character sets to fool the eye. For example, Citibank[.]com is not the same as citibɑnk[.]com. (Hint: check the letter a). The latter may redirect you to an impersonated site which will then harvest credentials.
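The two tricks described above can be caught mechanically by reducing each domain to the string a human eye would read and comparing it with the brands you protect. The following is an added example written for this article, not code from PhishLabs; the protected domain list, the Cyrillic entries in the look-alike table and the "vv" pair are assumptions, while the ɑ (U+0251) and "rn" cases come from the text.

```python
import unicodedata

# Constructed list of brand domains the organisation protects (example values only).
PROTECTED = {"citibank.com", "mybank.example"}

# Look-alike characters mapped to the Latin letter they imitate. The article's
# own example uses U+0251 (ɑ); the Cyrillic entries are assumed additions.
CONFUSABLES = {
    "\u0251": "a",  # ɑ LATIN SMALL LETTER ALPHA (the citibɑnk example)
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0456": "i",  # Cyrillic і
}

def skeleton(domain: str) -> str:
    """Reduce a domain to the string a reader would visually take it for."""
    d = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    d = "".join(CONFUSABLES.get(ch, ch) for ch in d)
    # Typosquatting pair from the article: 'rn' reads as 'm'; 'vv' as 'w' is assumed.
    return d.replace("rn", "m").replace("vv", "w")

def classify(domain: str, protected=PROTECTED):
    """Return (verdict, matched_brand) for one observed domain."""
    if domain.lower() in protected:
        return ("legitimate", domain.lower())
    sk = skeleton(domain)
    for brand in protected:
        if sk == skeleton(brand):
            if any(ord(ch) > 127 for ch in domain):
                return ("homoglyph", brand)   # non-ASCII look-alike letters
            return ("typosquat", brand)       # ASCII-only visual trick
    return ("no-match", None)

def scan(domains):
    """Classify a batch (e.g. newly observed domains) and keep only suspicious ones."""
    return [(d, *classify(d)) for d in domains
            if classify(d)[0] in ("homoglyph", "typosquat")]

if __name__ == "__main__":
    # Constructed sample: a genuine domain, the article's homoglyph, an rn/m typosquat.
    sample = ["citibank.com", "citib\u0251nk.com", "rnybank.example", "example.org"]
    for row in scan(sample):
        print(row)
```

Feeding newly registered or newly seen domains from certificate transparency or DNS logs through `scan` is one way security teams can spot lookalike sites before users click them.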
Enterprise Times: What does this mean?
This report shows that phishing continues to be lucrative and a major concern for enterprises. It has risen by 22% quarter on quarter. These attacks primarily target user credentials, which are then used to compromise organisations. Those compromised credentials are often sold to other cybercriminals who specialise in other attacks such as data theft and ransomware.
Organisations will also be concerned about the rise in phishing attacks across social media. With many employees working from home and using their own computers, compromise through social media can put the business at risk. To prevent that, employees need to be more aware than ever of phishing attacks. Fortunately, the number of attacks being detected and reported has improved. The question is, is that detection and reporting greater than the increase in attacks? PhishLabs does not offer an opinion.
There is a need to change how IT security detects attacks across multiple channels. That means tracking email, social media, SMS, and other sources where employees could be at risk.
PhishLabs says: “Strategically, security teams need more proactive intelligence spanning web (surface and dark), social media, email, and other digital channels so that these threats can be detected early in their lifecycle. Teams that operationalise this intelligence with threat takedown and mitigation capabilities will be able to minimise impact of these threats on their brands, customers, and employees.”