This week APWG released its findings for Q2 of this year, which compile insights from their member companies and provide an analysis of how phishing is changing. This quarter's report shows that phishing attacks continue to increase, both SaaS and email service providers are prime targets, BEC attacks are focused on obtaining gift cards, and more than half of phishing sites continue to abuse HTTPS.
No End in Sight for Phishing
Although malware continues to see a decline or stagnation, phishing attacks continue to increase each quarter. According to the report:
The total number of phishing sites detected by APWG in 2Q was 182,465, up slightly from the 180,768 seen in 1Q 2019, and up notably from the 138,328 seen in 4Q 2018 and the 151,014 seen in 3Q 2018.
Between Q1 and Q2 of this year, there was a small increase in phishing attacks reported to APWG, but compared to the same period last year, the increase was nearly 28%. APWG also tracks incoming reports from consumers but did not see significant increases there.
SaaS, Email, and Payment Industries Most Targeted
According to this year’s Phishing Trends and Intelligence report, 83.9% of attacks targeted credentials for financial, email, cloud, payment, and SaaS services. In Q2, the SaaS and email services industries combined made up 31% of phishing attacks, with financial at 29% and payment services at 11%. These findings mirror those of APWG’s latest report.
This quarter’s report shows that SaaS/Webmail was the target of 36% of attacks, the payment industry 22%, the financial industry 18%, and between 3% and 9% for each of the other reported industries. SaaS and email providers are frequently targeted because of their widespread adoption by both enterprise users and consumers, which makes it easier for threat actors to impersonate them than to attack these companies directly. Today, social engineering that impersonates brands is one of the most common tactics in phishing, and it usually aims at credential theft or BEC attacks.
HTTPS Continues to be Abused
Back in June, we reported with APWG that threat actors had finally surpassed a 50% usage rate of HTTPS (SSL certificates) on their phishing sites. More specifically, it topped 58% in Q1 of this year. In Q2 of this year, we observed the figure still above 50%, but with a slight decline.
“More than half – 55% – of phishing attacks detected in the second quarter of 2019 were using SSL. It is clear that users can’t use SSL to know if a site is safe or not,” said John LaCour, Founder and CTO of PhishLabs.
The reasons behind the slight decline can range from specific threat actors who abuse HTTPS reducing their efforts to a shift in tactics. Threat actors commonly favor the tactics that yield the best ROI, which is a primary driver of changes in tactics and methods.
BEC Attacks Love Gift Cards
No, threat actors don’t want to defraud companies of hundreds if not thousands of dollars just to listen to the latest Tool album. In many cases, threat actors seek out gift cards because they are significantly harder to trace than other payment methods, and there are numerous ways to exchange them for cash.
APWG stated that of the BEC attacks tracked, 65% resulted in requests for gift cards, 20% requested payroll diversions, and 15% requested direct bank transfers. In 2018, threat actors walked away with more than $1.8 billion as a result of BEC attacks, which continue to be the most costly form of phishing.