This week, APWG released its Q3 findings, which compile insights from its member companies and analyze how phishing is changing. The key findings of the latest report show that phishing attacks continued to rise throughout the year, that 40% of BEC attacks involve domains registered by the threat actor, and that more than two-thirds of all phishing sites now use SSL certificates or HTTPS.
HTTPS Continues to be Abused
More than two-thirds of all phishing sites used SSL protection. This was the highest percentage since tracking began in early 2015, and is a clear indicator that users can’t rely on SSL alone to understand whether a site is safe or not.
This year has been a clear turning point for threat actors adopting SSL certificates and abusing HTTPS as part of their phishing efforts. In June we observed for the first time that more than half of all phishing sites were using HTTPS. After a slight decline in Q2, the Q3 figure has spiked to 68%, more than two-thirds of all phishing sites.
“In Q3 2019, more than two-thirds of all phishing sites - 68% - were using SSL. This was up from 54% the prior quarter,” said John LaCour, PhishLabs Founder and CTO. “This is the highest number of phishing sites using SSL since we began tracking it in early 2015, and a clear indicator that users can’t rely on SSL alone to indicate whether or not a site is safe.”
The share of phishing sites using HTTPS now exceeds the share of all websites using HTTPS, which is around 56.1%.
No End in Sight for Phishing
The number of phishing attacks rose in the third quarter of 2019, to a high level not seen since late 2016. Phishing that targeted webmail and Software-as-a-Service (SaaS) users continued to be the biggest category of phishing.
The total number of phishing sites detected by APWG in the third quarter of 2019 was 266,387. This was up 46% from the 182,465 seen in Q2, and almost double the 138,328 seen in Q4 2018.
In Q3 of this year, APWG member organizations detected a total of 266,387 phishing sites, up 46% from Q2, making Q3 the worst period for phishing attacks in the past three years. Alongside these sites, a reported 122,359 unique phishing lures were sent to the general public, excluding duplicates and those reported by APWG's member organizations.
BEC Attacks and Domain Impersonation
The effectiveness of a BEC attack relies on how well the threat actor can socially engineer a conversation. This typically means creating a plausible context and adding a sense of urgency, so that the victim is fooled into wiring funds or sending gift cards to the threat actor.
According to APWG, in Q3 threat actors made greater use of impersonation domains in BEC attacks. More specifically, the share of BEC attacks that used a domain created by the threat actor with the intent to maliciously target someone rose from 33% in Q2 to 40% in Q3.