The latest Phishing Activity Trends Report from the Anti-Phishing Working Group (APWG), which compiles insights from member companies, announced that the year-end number of reported phishing websites for 2019 reached a record high. Most menacing, however, are the trends: phishing gangs targeting users of web-hosted email and social media, and business email compromise (BEC) attacks that show increasing sophistication.
By most measures, the APWG states, "2019 was one of the most dangerous years on record for online users."
Use of SSL Certificates on Phishing Sites Reaches All-Time High
PhishLabs, an APWG member and contributor to the report, documents the increasing use of SSL certificates (HTTPS) on phishing websites that are designed to make attacks appear more legitimate and avoid browser warnings. Almost three-quarters of all phishing sites now use SSL protection, compared to just under half this time last year. This percentage is the highest since tracking began in 2015, and is a clear indicator that users can’t rely on SSL alone to determine whether a site is safe.
“By the end of 2019, 74% of all phishing sites were using TLS/SSL,” observed John LaCour, Founder and CTO of PhishLabs. This percentage increased from 68% in Q3 and 54% in Q2 of 2019. “Attackers are using free certificates on phishing sites that they create, and are abusing the encryption already installed on hacked web sites.”
At PhishLabs, we track the number of phishing sites that are protected by the HTTPS encryption protocol, which secures communications by encrypting the data exchanged between a person’s browser and the web site they are visiting.
2019: A Roller-Coaster Ride for Phishing
Among the data that APWG member companies track are the number of unique phishing websites detected throughout the year. This is a primary measure of phishing across the globe.
In total, the number of phishing sites detected in Q4 was 162,155. This is down from the 266,387 sites observed in Q3 and the 182,465 sites observed in Q2, but an increase from the 138,328 sites in Q4 2018.
The number of reported phishing attacks stabilized at the end of the year in Q4. The period between July and October of 2019, however, was notably worse than any other tracked period for phishing attacks in the past three years.
The number of unique domain names used for phishing also jumped from 13,597 in October to 15,261 in November, but then decreased to 12,260 in December. The number of phishing reports submitted to APWG by the general public in Q4 was 132,553, up from 122,359 in Q3 and 112,163 in Q2. In part, this is likely due to different threat actor(s) being more or less active in their respective quarters.
Gift Card Requests Targeting Stores That Carry Physical Goods
In 2019, webmail and Software-as-a-Service (SaaS) users continued to be the biggest category of phishing. Scammers continue to harvest credentials, using them for business email compromise (BEC) schemes and to penetrate corporate SaaS accounts.
One notable change observed in Q4 was the types of gift cards requested by criminals executing BEC attacks. Requests decreased for the popular Google Play gift card, and schemes soliciting eBay, Target, Best Buy, and Sephora gift cards increased. Since these companies sell physical goods and the attacks took place during the holiday season, this increase could indicate that scammers are looking to launder money by using the cards to buy physical products that they can sell.
Download the full report: Phishing Activity Trends Report, 4th Quarter 2019