The PhishLabs Blog

The Sinister New Trend in Phishing (and Why You Should Care)

Posted by Lindsey Havens on Feb 14, '17

Unless you’ve been living under a rock for the past decade, you’ve already heard of phishing.

You probably have an idea of how it works. Perhaps you’ve even spotted a few suspicious emails in your inbox.

Security-conscious organizations have been concerned about phishing for a long time. Many have been actively teaching employees to recognize and report phishing emails on sight. And in the past, it’s been organizations that needed to worry about phishing. Aside from low-level spam, regular people like you and me didn’t have much to fear.

But that’s all changed. Threat actors have found a way to profit from individuals, and if you aren’t careful you could find out the hard way exactly what that means.


The 2017 Phishing Trends and Intelligence Report revealed a profound shift in the threat landscape. In our February webinar you'll find out what's changed, and how it could affect your organization.



Out With The Old

Historically, financial institutions have been the target of choice for phishing campaigns. But while that’s a tremendous frustration for those organizations, they don’t pass their losses on to their customers, so it doesn’t really affect individuals.

In 2013, attacks targeting financial institutions accounted for 38 percent of all phishing attacks… but that share is starting to dwindle.

Every year, our Research, Analysis, and Intelligence Division (R.A.I.D.) at PhishLabs produces the Phishing Trends and Intelligence (PTI) report. The information contained in this report is gathered throughout the year, and is sourced from the operations and technology systems we use to fight back against phishing.

According to the latest report, released last week, attacks on financial institutions in 2016 accounted for just 23 percent of all phishing attacks.

But here’s the thing. The total number of attacks on financial institutions actually increased… along with the total number of attacks on other prominent industries such as payment services and e-commerce sites.

So what happened? Since 2013, there’s been a meteoric rise in the number of phishing attacks targeting another, less obvious industry.

Beware the Cloud

In 2013 a mere 9 percent of phishing attacks targeted cloud hosting services. In 2016, that figure reached a massive 22.6 percent, almost dethroning financial services as the most targeted industry. If our predictions are correct (and they usually are), in 2017 cloud hosting services will surpass financial institutions as the most targeted industry.

OK, so cloud security isn’t a new concern. Security-conscious organizations have been working to secure their cloud services and applications for several years now.

But it isn’t just organizations that should be worried.

Why? Because the vast majority of phishing attacks targeting cloud service providers aren’t going after business services… they’re going after consumer cloud services. Overwhelmingly, that means Google Docs/Drive and Dropbox.

You read that correctly. If things carry on the way they’re going, in 2017 consumer cloud services will be targeted by phishing emails more than any other industry.

But, you might be thinking, that doesn’t make sense. After all, it’s pretty easy to understand how threat actors make money targeting financial institutions, or payment services, or even hospitals… but where’s the value in targeting Dropbox?

To answer this, we need to get inside the mind of a threat actor.

How To Make Money Phishing

Historically, threat actors have made their money in a fairly direct manner. Man-in-the-middle malware, ransomware, and BEC scams, for example, have all been extremely productive in recent years.

In targeting consumer cloud services, though, threat actors are starting to take a more indirect approach.

Consider the way most online services, including cloud services, allow you to log in. Instead of requiring a unique username, the vast majority allow you to use your email address in conjunction with a unique password.

But are those passwords really unique? Of course not. Most people simply reuse the same password for each online service.

If a threat actor can harvest credentials en masse from a cloud service provider, then, they have a lot more on their hands than access to your photo collection. In all probability, they have access to all your online accounts.

How do you like the idea of a threat actor gaining access to your Facebook account? How about your Instagram, LinkedIn, Google, PayPal, Amazon, Evernote, Skype, eBay, Microsoft, or Apple accounts?

Needless to say, this approach to credential harvesting is far more efficient than targeting each account individually. The underlying weakness is known as password reuse, and it poses a huge threat to online service providers, who should expect that a substantial proportion of their users are relying on credentials that have already been compromised elsewhere.
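One provider-side mitigation for the password-reuse problem described above is to check a submitted password against a corpus of already-leaked passwords at registration or login, and force a reset on a hit. The block below is an added example (not PhishLabs' code) of the k-anonymity range-query pattern: the checking side sends only the first 5 hex characters of the SHA-1 hash and matches the suffix locally, so the corpus service never sees the full hash. The leaked-password list and the `check_login` wrapper are constructed for illustration.

```python
"""Breached-password check using the k-anonymity range-query pattern.

Added example, not from the original post. The breach corpus below is a
constructed sample; a real deployment would query a breach-corpus service
instead of an in-memory dict.
"""
import hashlib
from collections import defaultdict

# Constructed corpus of previously leaked passwords (hypothetical sample).
_LEAKED = ["password", "123456", "letmein", "qwerty", "hunter2"]


def _sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the range-query scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(leaked):
    """Corpus side: bucket each leaked hash by its first 5 hex characters."""
    index = defaultdict(set)
    for pw in leaked:
        h = _sha1_hex(pw)
        index[h[:5]].add(h[5:])  # store only the 35-char suffix per bucket
    return index


BREACH_INDEX = build_breach_index(_LEAKED)


def range_query(prefix: str, index=BREACH_INDEX):
    """Corpus side: return every suffix in the bucket for `prefix`.
    Only the 5-char prefix ever leaves the checking side."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return set(index.get(prefix.upper(), ()))


def is_compromised(password: str, query=range_query) -> bool:
    """Checking side: send the prefix, match the full suffix locally."""
    h = _sha1_hex(password)
    return h[5:] in query(h[:5])


def check_login(email: str, password: str) -> dict:
    """Hypothetical hook in an auth flow: flag leaked passwords for a reset."""
    return {"email": email, "force_reset": is_compromised(password)}
```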

But let’s take a step back. We still need to understand precisely how threat actors can profit from harvesting these credentials. In simple terms, there are three ways for a threat actor to monetize stolen account credentials:

  1. Immediate account takeover - Stealing money from an account (e.g. PayPal) or selling account access via an underground market.
  2. Credential proliferation - Using generic credentials to gain access to further accounts.
  3. Data diversification - Collecting detailed information about an individual that can be used to commit other crimes, including identity theft or tax fraud.

The practice of allowing email addresses in place of unique usernames, in conjunction with the lack of security awareness among the general populace, constitutes a huge vulnerability in the phishing ecosystem.

And for the time being, it seems likely this new trend will continue unabated.

Phishing Trends and Intelligence Report

As you’ve no doubt already surmised, this switch in threat actor tactics constitutes a fundamental change in the dynamics of the phishing landscape. Not only are more people at risk from phishing than ever before, many will never even be aware their credentials have been compromised.

But as huge as this change is, it’s not the only new trend in phishing. For the past twelve months, our R.A.I.D. team has been working 24/7 to identify and categorize the latest phishing threats and trends. Now, you can benefit from all that research and first-hand experience by downloading the 2017 Phishing Trends and Intelligence Report for FREE.

To find out how the phishing landscape evolved in 2016, and what it could mean for your organization, click here.

Topics: Phishing, PTI Report
