Vade Secure recently published the second edition of its “Phishers’ Favorites” report. This quarterly ranking lists the 25 brands most impersonated by cybercriminals in phishing attacks during the 3rd quarter of 2018.
To arrive at this ranking, we analyzed the number of new phishing URLs detected each day by our email filter engine and by our real-time phishing detection solution for SOCs. A total of 86 companies were analyzed, which together account for 95% of the URLs we detected in Q3. Examples of these phishing URLs and the corresponding pages can be found at www.IsItPhishing.ai.
More phishing URLs, and more targeted attacks
Overall, it is clear that phishing attacks are on the rise, with hackers shifting from exploiting software vulnerabilities to exploiting human ones. The number of phishing URLs associated with the 86 brands evaluated increased by 20.4% in the 3rd quarter.
The most worrying trend for security professionals is the increasingly targeted nature of these attacks. By comparing the number of phishing emails blocked with the number of phishing URLs, we found that the number of emails associated with each URL dropped by 64% in the 3rd quarter. This change indicates that hackers are using each URL in a smaller number of emails in order to bypass reputation-based security systems. We have even detected sophisticated attacks in which each email contained a unique URL, guaranteeing that it slips through the nets of traditional security tools.
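The emails-per-URL ratio above is a useful thing to track on your own mail gateway, and the one-URL-per-email pattern can be caught by grouping links by a URL template instead of by the exact string. The following Python is an added example, not Vade Secure's code: it runs over a constructed set of (message id, URL) log records, computes the emails-per-URL ratio, masks long hex path segments as per-victim tokens (an assumption about what the random part looks like), and reports campaigns in which every email carried a distinct URL.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample of (message_id, url) pairs from a hypothetical gateway log.
# Campaign A reuses one URL in five emails; campaign B puts a unique token in
# every URL so that no two emails share an exact link.
SAMPLE = [
    ("m1", "http://login-example.test/verify/"),
    ("m2", "http://login-example.test/verify/"),
    ("m3", "http://login-example.test/verify/"),
    ("m4", "http://login-example.test/verify/"),
    ("m5", "http://login-example.test/verify/"),
    ("m6", "http://share-example.test/doc/a1b2c3d4e5f60718/index.php?u=8f3e2a"),
    ("m7", "http://share-example.test/doc/0f9e8d7c6b5a4132/index.php?u=1c9d0b"),
    ("m8", "http://share-example.test/doc/deadbeef00112233/index.php?u=77aa11"),
    ("m9", "http://share-example.test/doc/1234567890abcdef/index.php?u=3e3e3e"),
]

# Assumption: a path segment of 12+ hex characters is a per-recipient token.
HEX_TOKEN = re.compile(r"^[0-9a-f]{12,}$")


def emails_per_url(records):
    """Average number of emails carrying each distinct exact URL (the ratio the report tracks)."""
    distinct = Counter(url for _, url in records)
    return len(records) / len(distinct)


def url_template(url):
    """Collapse a URL to host + path, masking token-like segments and dropping the query string."""
    parts = urlsplit(url)
    segs = ["{token}" if HEX_TOKEN.match(s) else s for s in parts.path.split("/")]
    return parts.hostname + "/".join(segs)


def campaigns(records):
    """Group emails by URL template -> (email count, number of distinct exact URLs)."""
    emails = Counter()
    exact = defaultdict(set)
    for _, url in records:
        t = url_template(url)
        emails[t] += 1
        exact[t].add(url)
    return {t: (emails[t], len(exact[t])) for t in emails}


def unique_url_campaigns(records, min_emails=3):
    """Templates where every email had its own URL: exact-URL reputation never fires on these."""
    return sorted(t for t, (n, d) in campaigns(records).items() if n >= min_emails and d == n)


if __name__ == "__main__":
    print("emails per exact URL:", emails_per_url(SAMPLE))
    for template, (n, d) in campaigns(SAMPLE).items():
        print(f"{template}: {n} emails, {d} distinct URLs")
    print("unique-URL campaigns:", unique_url_campaigns(SAMPLE))
```

The template rule here is deliberately narrow; a campaign that rotates hostnames as well as path tokens will not collapse under it, which is why template clustering complements, rather than replaces, content-based detection.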
Microsoft remains far and away the preferred victim of hackers
If we look at the brands targeted by these attacks, one company clearly stands out from the pack: Microsoft.
The Redmond company holds first place in the Phishers’ Favorites ranking for the second straight quarter. In percentage terms, the increase in the number of phishing URLs targeting Microsoft may seem moderate (23.7%). However, Microsoft experienced the strongest growth in absolute numbers: the average number of URLs rose from 124.2 in the 1st quarter to 192.4 in the 2nd, and now to 235.4 in the 3rd.
The main goal of Microsoft phishing attacks is to harvest Office 365 credentials. A single user ID/password combination can give hackers access to a phenomenal amount of confidential files, data, and contacts stored in Office 365 applications such as SharePoint, OneDrive, Skype, Excel, CRM, etc. What’s more, hackers can use these compromised Office 365 accounts to launch further attacks, such as spear phishing or malware-based attacks.
There are still two very common phishing strategies targeting Microsoft. The first is to imitate the Office 365 login page in a way that is practically indistinguishable. Emails pointing to this type of page often explain that the recipient’s Office 365 account has been suspended or disabled. These are written in such a way as to create a sense of urgency leading the user to immediately enter their password to unblock or access their account.
The second, and increasingly common, strategy is to send the user a message saying that they have been sent a link to a file hosted on OneDrive or SharePoint. To access the file, the user must first log in, which does not arouse suspicion, since users are routinely asked to log in again to various services and applications.
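Both lures share one detectable property: the message talks about Office 365, OneDrive or SharePoint, but the link the user is asked to click does not lead to a Microsoft-operated domain. The following Python is an added example, not code from Vade Secure: it parses the HTML body of three constructed emails (an account-suspended lure, a file-share lure, and a legitimate notice), extracts each anchor's href, and flags links whose host is outside a small allowlist of Microsoft domains. That allowlist is an illustrative assumption and is far from complete; a production check would use a vetted list and a public-suffix-aware domain parser.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a short, illustrative set of Microsoft-operated registrable domains.
MICROSOFT_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "sharepoint.com", "live.com"}
# Terms whose presence marks the email as a Microsoft-branded message.
LURE_TERMS = ("office 365", "onedrive", "sharepoint", "microsoft")

# Constructed sample emails (hostnames use the reserved .example TLD).
SUSPENDED_LURE = """<html><body><p>Your Office 365 account has been suspended.</p>
<p><a href="http://office365-verify.example/login">Sign in to reactivate your account</a></p></body></html>"""
SHARE_LURE = """<html><body><p>Alice shared "Q3 report.xlsx" with you on OneDrive.</p>
<a href="http://onedrive-share.example/open?id=7f3a">Open</a></body></html>"""
LEGIT = """<html><body><p>Reset your Microsoft account password.</p>
<a href="https://login.microsoftonline.com/">Sign in</a></body></html>"""


class LinkExtractor(HTMLParser):
    """Collects (href, anchor text) pairs and all visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registrable_domain(host):
    """Naive last-two-labels rule; enough for the sample, wrong for suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_microsoft_host(host):
    return host is not None and registrable_domain(host) in MICROSOFT_DOMAINS


def suspicious_links(html):
    """Return (anchor text, href) for links in a Microsoft-themed email that leave Microsoft domains."""
    parser = LinkExtractor()
    parser.feed(html)
    body = " ".join(parser.text).lower()
    if not any(term in body for term in LURE_TERMS):
        return []  # not Microsoft-themed, so the brand/host mismatch rule does not apply
    return [(anchor, href) for href, anchor in parser.links
            if not is_microsoft_host(urlsplit(href).hostname)]


if __name__ == "__main__":
    for name, mail in (("suspended", SUSPENDED_LURE), ("share", SHARE_LURE), ("legit", LEGIT)):
        print(name, "->", suspicious_links(mail))
```

Note that this rule only covers the host of the link; a lure hosted on a compromised SharePoint tenant would pass it, so it belongs alongside, not instead of, page-content analysis of the landing page.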
Cloud and financial services continue to dominate the ranking
Our analysis also made it possible to detect trends by grouping the brands by category. In terms of volume, the Cloud and financial services sectors alone accounted for nearly 75% of all phishing URLs. Both sectors experienced double-digit quarterly growth (22.5% and 36.7%, respectively), but it was the Internet/telecommunications sector that saw the greatest percentage increase (46.3%). Social media is the only category to have seen a drop in phishing URLs, thanks to Facebook, one of the few top-10 brands to have experienced negative quarterly growth in the number of phishing URLs (-35.6%).
Check out the full Phishers’ Favorites article for more insights, including analysis of the most common days of the week for phishing attacks, both overall and for specific brands.