Microsoft’s latest Security Intelligence Report provides information on 2018 phishing trends, the changing tactics of cybercriminals, and ransomware, cryptojacking and malware attack statistics.
2018 Ransomware Trends
2017 saw ransomware attacks dominated the threat landscape; however, as the year progressed ransomware started to fall out of favor with cybercriminals and that trend continued throughout 2018.
While ransomware attacks can still be profitable for cybercriminals, the returns are falling due to a combination of increased awareness, more robust backup strategies, and improved detection of attacks in progress. Many of the threat actors that embraced ransomware in 2017 switched their attention to distributing cryptocurrency mining malware as it produced better returns.
Microsoft has tracked ransomware attacks throughout 2018. The report shows ransomware attacks fell by 60% between March 2017 and December 2018. Ransomware attacks are now most common in developing countries. Ethiopia, Mongolia, Cameroon, Myanmar, and Venezuela saw the highest number of ransomware attacks. Encounter rates were lowest in Ireland, Japan, and the United States.
Cryptocurrency mining attacks are still highly prevalent. Cybercriminals that hijack thousands of machines and use them to mine cryptocurrencies can generate sizable returns. The campaigns are also relatively easy to conduct using off-the-shelf mining tools, which can be delivered via malicious websites and spam email. Ethiopia, Tanzania and Pakistan topped the list for highest encounter rates. As with ransomware attacks, Ireland, Japan, and the United States had the lowest encounter rates.
2018 Phishing Trends
The fall in ransomware attacks is certainly good news, but not so for phishing attacks which increased by 250% in 2018. Phishing is used to obtain sensitive information such as login credentials, spread malware, and conduct zero-day attacks. Phishing is still the most common method of attacking businesses and that is unlikely to change in 2019.
According to Microsoft’s tracking figures, phishing emails accounted for 0.55% of all inbound emails in November 2018, up from 0.13% in January 2018. One phishing trend in 2018 identified by Microsoft is the increasing use of polymorphic attacks – Attacks that involve the use of multiple URLs, domains, and IP addresses in a single campaign. Phishing campaigns now tend to involve varied infrastructure and multiple points of attack.
Attacks also tend to be short-lived. Many attacks last for a matter of minutes before URLS and domains are changed, or small volumes of emails are sent on several successive days. These methods are used to prevent IP addresses, domains, and URLs from being added to blacklists and being blocked by email security solutions.
Phishers are also now using public cloud infrastructure to hide among legitimate sites and assets. Document sharing sites and collaboration platforms are frequently used in campaigns to distribute malware and host fake login forms to steal credentials. Microsoft has also detected an increase in the use of compromised accounts to send phishing emails.
A wide range of payloads were used 2018 phishing attacks and highly varied lures were used to fool users into revealing their credentials or installing malicious software. Some of the most common phishing methods in 2018 were:
- Domain spoofing – Making the email message domain the same as the original domain name
- Domain impersonation – Use of lookalike domains for email message domains
- Text lures – Impersonation of banks, government agencies, and well-known brands to steal user credentials
- User impersonation – Impersonation of trusted contacts
- Credential phishing links – Sending of hyperlinks to fake login pages for legitimate sites
- Phishing email attachments – Sending of malicious email attachments that trigger malware downloads.
- Links to fake cloud storage locations – Seemingly legitimate messages containing links to cloud storage services for stealing credentials.