Over the last decade phishing has exploded. Volume has increased every year, with threat actors reliably focusing the majority of their efforts on the same five or six industries.
It was a serious threat, of course, but it had become somewhat… predictable.
But in 2016, some major changes occurred. In just 12 months, the entire phishing landscape shifted.
Last month, we released our annual Phishing Trends & Intelligence report, which takes a close look at the latest phishing trends, tools, and techniques, as well as providing context and perspective. We believe that, in addition to the facts, security conscious organizations need to understand how and why threat actors behave the way they do.
Following release of the report, we held a webinar to go over the results of the report, and give the security community an opportunity to ask questions. The webinar was hosted by Crane Hassold, our Senior Security Threat Researcher and a former FBI Cyber Behavioral Analyst.
Need the whole story? The latest Phishing Trends & Intelligence report is the only way to find out precisely how the phishing landscape changed in 2016. Download yours today for free.
Method to the Madness
The first thing Crane covered was the sheer scale of the project required to produce the 2017 PTI report.
We analyzed almost 1,000,000 confirmed phishing sites hosted on over 170,000 unique domains and more than 66,000 unique IP addresses. In this process, we discounted millions more potential phishing sites, because we wanted to ensure we were working with pristine data.
The second thing Crane explained was what we mean when we talk about a phishing “attack”. We’re not talking about a single phishing email, or even a single phishing campaign.
For our purposes, a phishing attack is a single domain hosting phishing content. We believe this is the most accurate way to define phishing volume. An argument could be made for counting individual phishing sites instead, but the proliferation of directory generators, which can quickly create dozens or even hundreds of phishing sites on a single domain, would badly skew those results.
Finally, it’s important to understand what we mean when we talk about volume and share of attacks. Phishing volume is the total number of attacks analyzed during the year. When we talk about the share of attacks targeted at a specific industry, figures will be given as a percentage of total phishing volume.
For example, if we analyzed 100 attacks spread equally across four industries, each would have a 25% share of the total volume. This distinction is important, because it is entirely possible for an industry’s phishing volume to increase substantially even as its share of total phishing volume falls.
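To make the two definitions above concrete, here is an added example (not code from the report or the webinar) that counts attacks as unique domains rather than URLs and then compares each industry's volume with its share across two years; the years, industries and URLs are constructed sample values.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (year, industry, URL of a confirmed phishing site).
# drive-share.example in 2015 carries three pages, mimicking a directory
# generator, so it must count as one attack, not three.
SAMPLE_SITES = [
    (2015, "financial", "http://bank-login.example/secure/"),
    (2015, "financial", "http://acct-verify.example/login.php"),
    (2015, "financial", "http://card-update.example/"),
    (2015, "cloud", "http://drive-share.example/doc1/"),
    (2015, "cloud", "http://drive-share.example/doc2/"),
    (2015, "cloud", "http://drive-share.example/doc3/"),
    (2016, "financial", "http://bank-login.example/secure/"),
    (2016, "financial", "http://acct-verify.example/login.php"),
    (2016, "financial", "http://acct-verify.example/verify.php"),
    (2016, "financial", "http://card-update.example/"),
    (2016, "financial", "http://wire-confirm.example/"),
    (2016, "cloud", "http://drive-share.example/"),
    (2016, "cloud", "http://files-view.example/"),
    (2016, "cloud", "http://doc-preview.example/"),
    (2016, "cloud", "http://cloud-sign-in.example/"),
]

def attack_domain(url):
    # One attack = one domain hosting phishing content. The hostname stands in
    # for the registrable domain; a public-suffix lookup would be more exact.
    return urlsplit(url).hostname.lower()

def attacks_by_industry(sites, year):
    # Phishing volume per industry: the number of unique domains, not URLs.
    domains = defaultdict(set)
    for y, industry, url in sites:
        if y == year:
            domains[industry].add(attack_domain(url))
    return {ind: len(d) for ind, d in domains.items()}

def share_by_industry(volume):
    # Each industry's share as a percentage of that year's total volume.
    total = sum(volume.values())
    return {ind: round(100.0 * n / total, 1) for ind, n in volume.items()}

def year_over_year(sites, prev, cur):
    # (previous, current) volume and share per industry, side by side.
    v0, v1 = attacks_by_industry(sites, prev), attacks_by_industry(sites, cur)
    s0, s1 = share_by_industry(v0), share_by_industry(v1)
    return {ind: {"volume": (v0.get(ind, 0), v1.get(ind, 0)),
                  "share": (s0.get(ind, 0.0), s1.get(ind, 0.0))}
            for ind in set(v0) | set(v1)}
```

On this sample the financial industry's volume rises from 3 to 4 attacks while its share falls from 75% to 50%, which is exactly the distinction the paragraph above draws.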
2016 Phishing at a Glance
The analysis we completed last year identified phishing attacks against 976 brands, belonging to 568 parent institutions. Of those, 91 percent of attacks targeted just five industries:
Financial Services - 23 percent
Cloud Storage - 22.6 percent
Webmail/Online Services - 20.6 percent
Payment Services - 13.9 percent
E-Commerce Sites - 11 percent
Across these five industries, attack volume grew by an average of 33 percent.
Keep in mind that phishing volume has risen consistently every year for the past decade. Some industry commentators had already branded the previous year the ‘Year of Phishing’, so a further 33 percent increase in volume across the top five industries is truly massive.
But there’s something else hidden in these figures that’s even more interesting. As Crane pointed out on the webinar, while financial services is still the most targeted industry, its top spot is far less secure than it was just a year before.
Back in 2013, financial services were the holy grail of phishing targets, and as a result almost 40 percent of all phishing attacks targeted the industry. Since then, however, the industry’s share of phishing attacks has fallen consistently, reaching just 23 percent in 2016.
At the same time, another industry has seen a massive rise in phishing volume and share of total attacks. In 2013, just 10 percent of phishing attacks targeted cloud storage companies, but by 2016 the industry had shot up to second place with a whopping 22.6 percent share of phishing attacks. If this trend continues, in 2017 we’ll see cloud storage finally surpass financial services as the most attacked industry.
And one more interesting thing to note. Of all those attacks against cloud storage companies, 90 percent were aimed at just two targets: Google Drive and Dropbox.
A Tactical Change
At its heart, phishing is a business model, and it's important not to lose sight of this fact. No matter which company is being attacked, and which techniques are used, the motive remains the same: profit.
But while threat actors are inevitably seeking to make money, the way in which they achieve that varies. Historically, there have been three primary phishing tactics used by threat actors to extract their filthy lucre:
1) Immediate Account Takeover
This is the most obvious and direct approach to making money from phishing, and has historically been the most commonly used. Primarily targeting banks and payment services, phishers simply gain control of an account, and either directly extract (steal) money, or sell the account credentials to a third party actor.
Either way the pay-off is immediate, making this an attractive proposition for any threat actor.
But over the past three years we’ve seen a consistent decline in this type of attack. Back in 2013, 64 percent of attacks targeted financial and payment services organizations, but by last year that share had fallen to just 37 percent.
2) Mass Harvesting Credentials to Attack Secondary Targets
One of the most significant trends in online services over the past decade is a wholesale move away from requiring users to create a unique username. Instead, most online services now allow users to log in using their email address and password.
Now that might not seem like a big deal, but consider this: 39 percent of users reuse passwords across online services.
Clearly, this is a huge asset for threat actors. Now, if they can compromise a single set of user credentials, there's a strong chance they can be used to gain access to dozens of other accounts.
Successfully stealing a user’s Dropbox credentials, for instance, might enable an attacker to access that individual’s accounts at Facebook, Dropbox, Amazon… the list goes on.
And of course, this style of attack still offers threat actors multiple ways to make money. They can use this expanded access to steal money, send further lures to the victim's social connections, and so on, or they can sell the credentials via dark web marketplaces.
Naturally, this discovery has sparked a massive increase in attacks on web services that allow the use of an email address in place of a unique username.
Back in 2013, these types of industries were targeted by just 21 percent of phishing attacks. But in 2016, that figure had shot up to 46 percent… almost half of all attacks.
3) Gather Comprehensive Information about a Victim
This is perhaps the most sinister phishing tactic used by threat actors to make a profit. Instead of directly stealing money or selling credentials, some actors prefer to use their skills to collect a comprehensive set of information on a number of victims.
They might, for instance, collect a victim’s full name and address, date of birth, tax codes, employer details, and so on. Why? Because this information can be used for lower frequency, higher impact crimes like identity theft and tax fraud.
Again, this tactic, which typically targets e-commerce and government services, has seen a significant increase in popularity over the past few years, rising from 5.9 percent in 2013 to 12.7 percent last year.
In particular, we’ve observed a 300 percent increase in attacks on tax agencies in the past three years. Even more amazingly, the IRS was targeted by more phishing attacks in January 2016 than in the entire previous year.
And there’s a secondary benefit on offer for threat actors using this tactic: All the information they collect on individuals can be used to inform future phishing activity. Compromised phone numbers, for instance, can be reused for SMS lure campaigns, as well as to gain access to services which make use of 2-factor authentication.
Why the Shift?
Once again, it’s vital to remember that profit is the ultimate objective of almost every threat actor. If and when we observe changes in their tactics, it’s reasonable to assume they are simply “going where the money is”.
Specifically, though, by shifting targets and techniques, threat actors are seeking to make the process of making money easier and more effective by:
- Making credential harvesting more efficient
- Expanding their avenues of profit
- Taking advantage of ease-of-use features built into many websites
- Collecting information that can be used to commit other crimes
- Moving to more indirect, but likely more profitable, monetization strategies
- Adapting to enhanced security controls employed by financial and payment service companies
And in all of these cases, the proliferation of websites accepting email addresses in place of unique usernames has been a tremendous asset to threat actors. As Crane put it, this single ease-of-use feature has created a “single point of failure for online identity”.
And this is where we get right down to it. Cloud storage and SaaS companies may have seen a massive increase in attacks, but they aren’t the real target. Instead, threat actors target these organizations in order to steal credentials that can be used to make profit elsewhere.
At this point, because of the explosion in this phishing tactic, any online service that allows users to log in with an email address should assume its customers’ credentials have already been compromised elsewhere. And if that doesn’t scare you, either as a business or as an individual, we don’t know what will.
When and Where Attacks Happened
Historically, we’ve observed pretty much the same spread of phishing attacks throughout each year. Phishing volume increases throughout each year, ending with a substantial spike during the Christmas holiday period.
2016 was different.
Instead of gradually increasing as the year went on, phishing attacks in 2016 peaked mid year. This was the result of phishers taking advantage of global events (e.g. Brexit), along with a massive spike in shared virtual server attacks during May and June. This is where a threat actor manages to compromise a web server, and uses automated tools to quickly upload malicious phishing content to every domain hosted on it. This process enables the threat actor to easily launch mass phishing campaigns, and makes the task of blocking malicious domains much harder.
Once again, this demonstrates threat actors’ willingness to break from their previous behavior patterns any time the opportunity for further profit arises.
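The shared virtual server pattern described above (one compromised host, phishing content suddenly appearing on many unrelated domains) is visible from the defender's side as a burst of distinct phishing domains that all resolve to the same IP. The following is an added example, not code from the report or the webinar, that flags such bursts in a feed of confirmed phishing domains; the dates, domains and IP addresses are constructed sample values.

```python
from collections import defaultdict
from datetime import date

# Constructed sample feed: (first-seen date, phishing domain, hosting IP).
# 198.51.100.7 starts serving phishing on five unrelated domains within
# three days in June, the signature of a compromised shared virtual server.
SAMPLE_FEED = [
    (date(2016, 6, 3), "shop-one.example", "198.51.100.7"),
    (date(2016, 6, 3), "clinic-two.example", "198.51.100.7"),
    (date(2016, 6, 4), "blog-three.example", "198.51.100.7"),
    (date(2016, 6, 4), "club-four.example", "198.51.100.7"),
    (date(2016, 6, 5), "school-five.example", "198.51.100.7"),
    (date(2016, 3, 1), "old-one.example", "203.0.113.9"),  # lone domain
    (date(2016, 6, 9), "old-two.example", "203.0.113.9"),  # same IP, months apart
    (date(2016, 6, 5), "login-x.example", "192.0.2.44"),
]

def shared_server_clusters(feed, min_domains=4, window_days=7):
    # Group confirmed phishing domains by hosting IP, then flag any IP on
    # which at least min_domains distinct domains first appeared within
    # window_days of each other. Returns {ip: [domains in the burst]}.
    by_ip = defaultdict(dict)
    for seen, domain, ip in feed:
        by_ip[ip][domain] = min(seen, by_ip[ip].get(domain, seen))
    clusters = {}
    for ip, domains in by_ip.items():
        ordered = sorted(domains.items(), key=lambda kv: kv[1])
        for i in range(len(ordered) - min_domains + 1):
            start = ordered[i][1]
            burst = [d for d, seen in ordered
                     if 0 <= (seen - start).days <= window_days]
            if len(burst) >= min_domains:
                clusters[ip] = burst
                break
    return clusters
```

Flagging the host rather than each domain lets a defender notify the hosting provider once and treat later domains on that IP as suspect, instead of chasing blocks one domain at a time.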
Somewhat unsurprisingly, 81 percent of phishing attacks still target US organizations. But there were other significant trends observed in 2016.
Canada, for instance, saw a 237 percent increase in phishing activity. And interestingly, this wasn’t a ‘spike’ of activity, as is usually the case, but a sustained increase in threat actors targeting Canadian organizations. Canadian financial institutions became a particularly popular target in 2016, going against the overall trend, suggesting that perhaps threat actors view them as an easier target than those in the US.
2016 also saw increases in phishing volume for France, Italy, and Germany, while China, Great Britain, and Australia all saw decreases.
Phishing Sites Under the Microscope
Since phishing campaigns are heavily dependent on the creation of malicious phishing sites, a large portion of our PTI report and the subsequent webinar focuses on exactly how and where they are constructed.
For instance, last year more than 50 percent of phishing sites were hosted in the US. Not surprising at all, of course, but there were some interesting trends in other parts of the world.
Eastern European countries, for instance, hosted far more phishing sites than they had in the previous year. At the same time, we observed a substantial decline in phishing sites hosted in East Asian countries, which had historically been big players in the phishing world.
Of course, it’s not just about where a phishing site is hosted. Another significant trend in 2016 came in the area of top level domains (TLDs), the last part of a domain name, for those who didn't know, for example .COM, .NET, or .ORG.
Once again, the most common TLD for phishing sites was, unsurprisingly, .COM.
But in 2016, the new generic TLDs became much more popular. Where only 66 new gTLDs were observed in the previous year, a whopping 220 new gTLDs were observed hosting malicious phishing content in 2016. For example, some of the URLs we observed hosting phishing content included:
Clearly, under the right circumstances, each of these domains could seem very plausible to potential victims. On top of this, many of the new gTLDs are extremely inexpensive to register, making them an ideal proposition for threat actors.
Finally, a huge proportion of our research was devoted to identifying and analyzing phish kits. These are essentially the ‘recipe’ for creating phishing sites, and the vast majority of sites analyzed in recent years were created using these kits. And this is precisely why we spend so much time and energy analyzing them: The more we study phish kits, the more we learn about the tools and techniques used to carry out phishing attacks.
In 2016, we collected and analyzed over 29,000 phish kits designed to attack more than 300 companies. From all that, we identified the following trends:
- More than a third of phish kits utilized techniques to evade detection
- 29 percent attempted to evade browser-based blocking
- 22 percent used techniques to restrict access
Overall, these trends demonstrate threat actors’ desire to preserve their phish sites once set up. They can, of course, continue to create new sites using either maliciously registered domains or compromised legitimate domains, but both of those tactics require time and resources. Instead, if a threat actor can incorporate techniques designed to maximize the impact of their phishing sites while minimizing the chances of detection, their business model becomes much more robust.
For more information about how phish kits evolved in 2016, check out this post.
The Ransomware Boom
The final trend discussed during the webinar was the continued rise of ransomware. And unless you’ve been living under a rock for the past decade, this won’t come as a huge surprise: 2016 saw a massive surge in ransomware.
As always, phishing was easily the most commonly used delivery mechanism for ransomware. The process is just so easy, even the most technically challenged threat actors can pull it off. And, as you might expect, this simplicity led to a lot of copycats.
In 2016 alone, we observed more than 300 ransomware families. As you might expect, the majority of these died off reasonably quickly, but not before a substantial number of victims were infected. Ransomware has a high infection rate, compared to other types of malware, but quite a low payment rate, as most victims opt to either restore from backups or live without the affected files.
Once again, though, threat actors demonstrated their willingness to make changes in order to maximize profits. As individuals became less and less willing to pay their ransoms, threat actors in 2016 began to target businesses instead. Not any businesses, of course, but the businesses they deemed most likely to pay up.
In particular, threat actors focused their ransomware campaigns on organizations that have a pressing need for constant access to their data. Hospitals, schools, government organizations, and small businesses were overwhelmingly targeted by ransomware in 2016, and many were forced to pay ransoms in order to maintain business continuity.
If you made it this far, it might feel like we’ve thrown a lot of information at you. But really, this post just scratches the surface of the phishing landscape. For a more in-depth look at how phishing evolved in 2016, you have two options.
First, you can (and should, in our opinion) check out last month’s webinar. Crane did a great job of summarizing the findings of the PTI report, and answered a number of pressing questions posed by members of the InfoSec community.
But if you really want the whole picture, the recently released Phishing Trends & Intelligence report is what you need. You can download it for FREE here, and if you’d like to know more about how you can fight back against phishing in 2017, please do get in touch.