If you’ve been following our coverage of this year’s Phishing Trends and Intelligence Report, you are aware of the largest key finding: the shift from consumers to enterprise targets.
While important, there are several other key findings that we’ve observed in the past year, and it’s important to address how the industry is or should be handling them. In addition to the shift to enterprise, mobile is once again posing new risks to businesses and consumers, social engineering is becoming a primary weapon of choice, there is a new primary phishing target in town overtaking finance, and, due to the success of SaaS, attacks targeting it are on the rise as well.
To provide some added context on where these key findings are derived from:
- We analyzed more than 1.3 million confirmed malicious phishing sites in 2017 that resided on nearly 300,000 unique domains
- We investigated and mitigated more than 12,000 phishing attacks every month, identifying the underlying infrastructure used in these attacks and shutting them down
The Shift to Enterprise
Key Finding: Industry shift shows signs of threat actors switching from primarily targeting individuals to targeting organizations.
We have extensively covered this primary key finding; however, it’s still necessary to call out exactly how some organizations are addressing the connected risks. For starters, people still remain the primary component in these attacks, so training is one of the strongest defensive measures you can put in play.
Combine this with the necessary network security, and the potential for credential theft is greatly reduced. Depending on the industry in question, there may also be a high volume of attacks landing in employee inboxes. When this occurs, threat monitoring needs to become a larger priority, and that means expanding outside of the typical office hours.
Email and Online Services Top Target
Key Finding: Email and online services (26% of all attacks) overtook financial institutions (21%) as the top phishing target.
Email and online services have overtaken the financial industry as the largest phishing targets. In 2013, just 12 percent of phishing attacks targeted email/online services. However, in 2017 the industry’s share has grown to more than a quarter of the year’s total volume. The widening gap between email/online services and all other industries became very pronounced during the second half of 2017, when the industry’s share accounted for a third of all phish. Specifically, the increase in email/online service phishing attacks in 2017 was driven almost exclusively by a concentrated rise in attacks impersonating Microsoft Office 365 login pages.
Organizations are combating this just as they are with the shift to enterprise targets. As employees and users are switching to Office 365, training becomes a key component in reducing the possibility of downloading or accessing malware sent through a phishing attack. Microsoft itself is continuing to bolster its own defenses as well, and it has recently launched its own version of a phishing email simulator.
Use of HTTPS on the Rise for Phishing Sites
Key Finding: Nearly one-third of all phishing sites observed by the end of 2017 were located on HTTPS domains, up from only five percent at the end of 2016.
As more websites adopt HTTPS and SSL certificates, threat actors are doing the very same. Through a combination of social engineering and necessity, phishing sites now employ the HTTPS moniker because it increases their success rate. Nowadays, HTTPS is often misconstrued as meaning a site is safe or secure, which is not fully accurate.
Unfortunately, combating phishing sites with HTTPS status is a bit more complicated than your standard threat monitoring program or training, which is why PhishLabs crawls thousands of potential threats using SSL certificates each day. In doing so, we are able to identify whether a site has malicious content on it for a brand, and if it’s a parked domain it can then be further monitored for any potential changes later on. This way the attack is nipped in the bud as a proactive measure.
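As an added illustration (not PhishLabs' crawler or code), here is one way a defender could triage hostnames seen in newly issued certificates for brand impersonation before deciding which sites to crawl or keep watching. The brand `examplebank`, its legitimate domain, the sample hostnames and the folding heuristic are all assumptions made for this example.

```python
import re
import unicodedata

BRAND = "examplebank"                 # assumption: the brand being protected
LEGIT_DOMAINS = {"examplebank.com"}   # assumption: domains the brand really owns
DIGIT_LOOKALIKES = str.maketrans("0135", "oles")  # digits commonly used as letters

# Constructed sample of hostnames as they might appear in newly issued certificates.
SAMPLE_HOSTS = [
    "login.examplebank.com",
    "*.examplebank.com",
    "examplebank.com.secure-login.net",
    "examp1ebank-verify.info",
    "examplebänk-login.net".encode("idna").decode("ascii"),  # stored in xn-- form
    "weather-today.org",
]

def skeleton(host):
    """Reduce a hostname to the letters a reader would perceive."""
    try:
        host = host.encode("ascii").decode("idna")   # undo punycode (xn--) labels
    except UnicodeError:
        pass                                         # keep the raw form if undecodable
    text = unicodedata.normalize("NFKD", host.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))  # drop accents
    return re.sub(r"[^a-z.]", "", text.translate(DIGIT_LOOKALIKES))

def is_legitimate(host):
    """True only when the name sits under a domain the brand owns."""
    host = host.lower()
    if host.startswith("*."):                        # wildcard certificate entry
        host = host[2:]
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def classify(host):
    if is_legitimate(host):
        return "legitimate"
    return "suspect" if BRAND in skeleton(host) else "unrelated"

def triage(hosts):
    return {h: classify(h) for h in hosts}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{verdict:10} {host}")
```

A "suspect" verdict only queues the hostname for content inspection or for the parked-domain monitoring described above; it is not proof of phishing on its own.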
SaaS Success Leads to Larger Target
Key Finding: Attacks targeting SaaS exploded with more than 237 percent growth.
With success and user adoption comes a greater threat. In 2017 the software as a service, or SaaS, industry saw an increase of 237 percent in phishing attacks. Like the growth in social media-branded attacks and use of HTTPS, threat actors are abusing the brands that people trust the most. Because of this, broad, sweeping attacks will now attempt to steal both consumer and employee credentials alike.
So how can an organization combat these attacks? It’s no different than any other necessary training program; however, if your organization has ever received a SaaS-branded phishing lure, include one of these in your phishing simulations. By putting your users through real-world scenarios, they will be better prepared if an attack comes through.
Trust in Social Media Increases User Vulnerabilities
Key Finding: Attacks targeting social media platforms have nearly tripled since last year due to the inherent trust between users and the platform or brand.
Like SaaS, social media-branded phishing lures are on the rise, and that is because of the rapid adoption of these platforms. Unfortunately, the most successful attack campaigns use a combination of social engineering and brand trust, and specific social media platforms are considered more trustworthy than others. Like SaaS-based phish, thwarting social media-branded phish is as simple as including examples in your training and simulations. Organizations that have employees who use social media, which is most, can also make use of brand monitoring that includes a social media aspect.
The Maturing of Ransomware
Key Finding: The ransomware landscape is maturing and is no longer experiencing exponential growth of new threat families.
In 2017 ransomware was hitting headlines on a regular basis, and new families of ransomware were constantly being pushed into the world. However, in 2017 there were very few new threat families added or making their way around, but that is not necessarily a positive metric in itself. The market for ransomware has instead matured, which means that the more successful attacks are still pervasive, and that leaves less room for threat actors to add their own into the mix. Threat monitoring plays a pivotal role in reducing the potential for ransomware infecting your systems. A backup never hurt, either.
Old Desktop Threats Now Plaguing Mobile
Key Finding: Mobile malware continues to rise, and new techniques take advantage of the increased use and security shortcomings of mobile devices.
In response to increased attacks targeting users, many companies now offer SMS-based two-factor authentication (2FA) to limit or prevent fraudulent access. As a result of these defensive measures, attackers have created SMS interceptors that are used in some threat campaigns. Using these tools, attackers can obtain a user’s credentials via a phishing campaign and then intercept the user’s 2FA mobile message. As a result, the attacker would then have all the necessary information needed to pass authentication tests and gain access to a user’s account.
The use of 2FA bypass has also become an increasingly common feature in mobile malware, especially mobile banking trojans. Often used for credential and SMS theft, mobile banking trojans possess the ability to intercept or steal SMS messages, system information, contacts, call history, and other user data. Some of the most prolific mobile banking trojans in 2017 included BankBot, Marcher, RedAlert2, Mazar, and LokiBot.