Security awareness and anti-phishing vendor PhishLabs has released its 2018 Phishing Trends & Intelligence Report. The report shows there has been a marked change in attacks, with enterprises now being targeted rather than individuals.
This comes as no surprise as the potential rewards for a successful attack on an enterprise are considerably higher than attacks on individuals. Enterprises are more likely to pay ransom demands and much larger demands can be issued when multiple devices are infected. Enterprises also store far more data, which means bigger payouts selling the information on the black market. If proprietary information can be stolen, there are plenty of opportunities to sell the information to competitors and businesses in foreign countries.
While financial institutions are still being targeted, there has been an increase in attacks on email and online services, which now account for 26% of all phishing attacks. There has also been a rise in attacks on SaaS and social networking sites, although they only account for 7% and 4.5% of attacks respectively. It is interesting to note that prior to 2015, virtually no phishing attacks were conducted on SaaS companies.
The aim is not to gain access to SaaS credentials, instead the attacks use SaaS companies as the lure to gain access to other credentials, most often email credentials. Email credentials give attackers access to email accounts which can be used for further phishing attacks. Email accounts can also store vast quantities of sensitive information.
Unsurprisingly, phishing attacks against U.S.-based targets are the most common, accounting for 86% of all attacks. In 2017, there were notable increases in phishing attacks in India, Colombia, and the UAE, with a decline in attacks in Canada, the UK, France, and Italy.
As more companies move to HTTPS for their corporate sites, phishers have followed suit. Toward the end of 2016, only 5% of phishing sites were hosted on HTTPS infrastructure. A year later, a third of phishing sites were HTTPS.
Phishing webpages are commonly hosted on compromised websites, although a large percentage of HTTPS phishing sites were hosted on domains registered by the phishers. Many end users still believe HTTPS means safety, which phishers rely on. Previous research conducted by PhishLabs showed that 80% of users thought a green padlock and the site starting with HTTPS were signs that the website was genuine.
The report suggests ransomware has reached maturity, with only a few new ransomware families appearing in 2017. With so many different ransomware families already in existence, and new variants constantly being developed, there is little need to go to the trouble of creating totally new families. Many of the main threats in 2017 (Locky, Globeimposter, Cerber, Jaff, and WannaCry) are still being used.
While email remains the most common attack vector, PhishLabs has highlighted a growing trend in the use of mobile messaging services and text messages for delivering hyperlinks to phishing websites. With Android devices now the most common way of accessing the Internet, this comes as no surprise. Mobile devices are typically less secure than desktops, and they contain a wealth of information that can be extremely valuable to cybercriminals.
Phishing attacks are also taking advantage of the small screen size of mobile devices. Many campaigns use URL padding, inserting a long run of dashes after a trusted name so that the true URL is pushed out of view. For example, https://paypal.com———————-account. It is easy to see how this could fool someone into believing the site was genuine when all that is displayed is https://paypal.com———————-. These pages then take users to login pages that exactly match the spoofed brand.
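One way to surface the padded-URL trick described above in a URL feed or proxy log, as an added example that is not code from PhishLabs or the report. It assumes a constructed brand watch-list, a naive two-label registrable-domain split, and ASCII hyphen padding, since DNS labels allow only letters, digits and hyphens; the dash glyphs printed above are the page's rendering of such a run.

```python
"""Flag URLs whose hostname hides a brand name behind padding (added example)."""
import re
from urllib.parse import urlsplit

# Constructed watch-list; a real deployment would load the organisation's own brand names.
WATCHED_BRANDS = {"paypal", "facebook", "microsoft", "apple"}
# DNS labels may contain only letters, digits and hyphens, so padding shows up as hyphen runs.
PAD_RUN = re.compile(r"-{5,}")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels.
    Assumption: no public-suffix list is available offline, so 'example.co.uk'
    would be mis-split; swap in a PSL lookup for production use."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_url_padding(url: str) -> dict:
    """Return a verdict describing whether, and why, the URL looks like a padded lookalike."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    # Everything left of the registrable domain is subdomain text the registrant controls.
    prefix = host[: -len(reg) - 1] if host != reg and host.endswith("." + reg) else ""
    longest_run = max((len(m.group()) for m in PAD_RUN.finditer(host)), default=0)
    # A watched brand appearing only in the subdomain part is the classic lookalike pattern.
    brand = next((b for b in sorted(WATCHED_BRANDS) if b in prefix and b not in reg), None)
    return {
        "host": host,
        "registrable_domain": reg,
        "padding_run": longest_run,
        "brand_in_subdomain": brand,
        "suspicious": longest_run >= 5 or brand is not None,
    }


if __name__ == "__main__":
    # Constructed sample URLs; the first mimics the report's padded 'paypal.com---...account' shape.
    samples = [
        "https://paypal.com" + "-" * 12 + "account.example.net/login",
        "https://www.paypal.com/signin",
    ]
    for s in samples:
        print(check_url_padding(s))
```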