In 2020, threat actors took advantage of the COVID-19 pandemic and adopted COVID-19 and coronavirus themed lures for their phishing campaigns. The volume of phishing emails did not increase in 2020, but many threat groups found they had much greater success with pandemic-related themes than their regular lures.
Phishing is the most common method used by threat actors to conduct cyberattacks on businesses. The attacks target employees, who are a weak link in the security chain. All an attacker has to do is create a convincing lure for an email and make sure the emails arrive in inboxes. Once there, the end user performs the actions that give the attacker access to their network. Businesses implement secure email gateways (SEGs) to detect and block these emails, but no email security gateway will block all phishing emails, and according to the phishing detection and response platform provider Cofense, an alarming number bypass SEG solutions.
In its Annual State of Phishing report, Cofense highlighted the tactics, techniques, and procedures (TTPs) that have been leveraged by phishing threat actors over the course of the past year and how they have changed from previous years.
Cofense reports that more than 50% of phishing emails are sent for credential phishing and these messages commonly bypass email security defenses and are delivered to inboxes. The URLs used in these campaigns are continually added to the blacklists used by email security gateways, but the average lifespan of a phishing URL is only 24 hours. By the time it is added to a blacklist and is blocked, it has often already been abandoned. Phishing pages are inexpensive to host, it is easy to change the infrastructure to stay one step ahead of security solutions, and the messages fool a high percentage of end users.
In 2020, one tactic that was increasingly used to evade detection by security solutions was layering: the use of safe domains in a multi-stage phishing attack. The phishing email links to a legitimate web or cloud service such as OneDrive, OneNote, SharePoint, or Google Drive, which provides access to the PDF file or document referenced in the email. These pages are not malicious, but the document the user must click to view is. When the user clicks to open the document, they are redirected to a page that asks for their Office 365 credentials to access it. A legitimate-looking login prompt is displayed, although it is not on a Microsoft domain. The user is then granted access to the file and will not be aware that their credentials have been stolen.
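The layering pattern described above can be triaged in two stages: flag email links that point at legitimate file-sharing services (the first hop), and inspect the page the shared document leads to for a credential form that carries Microsoft branding but posts somewhere other than a Microsoft login host. The following Python script is an added example written for this page; it is not code from Cofense or from the article. The lists of sharing hosts and Microsoft login hosts are assumptions for the example, and the email body and the two HTML pages are constructed samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed host lists for this example (not from the report). A production
# deployment would maintain these from its own telemetry and vendor data.
SHARING_HOSTS = {
    "1drv.ms", "onedrive.live.com", "sharepoint.com", "onenote.com",
    "drive.google.com", "docs.google.com",
}
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com", "login.live.com", "login.microsoft.com",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage_email(body):
    """Stage 1: return (url, reason) for each link to a legitimate sharing service."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host_matches(host, SHARING_HOSTS):
            findings.append((url, "link to legitimate sharing service; inspect the linked document"))
    return findings


class FormScanner(HTMLParser):
    """Collect each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("type", "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_stage2(page_url, html):
    """Stage 2: judge the page a shared document redirected to.

    A page that shows Microsoft/Office 365 branding and collects a password
    through a form not posting to a Microsoft login host is flagged.
    """
    scanner = FormScanner()
    scanner.feed(html)
    page_host = urlparse(page_url).hostname or ""
    branded = any(k in html.lower() for k in ("office 365", "microsoft", "outlook"))
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        action = form["action"]
        # A relative or empty action posts back to the page's own host.
        action_host = urlparse(action).hostname if action.startswith("http") else page_host
        if branded and not host_matches(action_host, MICROSOFT_LOGIN_HOSTS):
            return "suspect: Microsoft-branded credential form posting to " + (action_host or "")
    return "benign-looking"


# Constructed sample inputs for the example.
SAMPLE_EMAIL = (
    "Please review the attached invoice: "
    "https://contoso-my.sharepoint.com/:b:/g/personal/shared/invoice.pdf "
    "Our site: https://www.example.com/about"
)
PHISH_PAGE_URL = "https://docs-share-verify.example/view"
PHISH_PAGE_HTML = """<html><body><h1>Office 365</h1><p>Sign in to view the document</p>
<form method="post" action="https://docs-share-verify.example/login">
<input type="email" name="u"><input type="password" name="p"></form></body></html>"""
LEGIT_PAGE_URL = "https://login.microsoftonline.com/common/oauth2/authorize"
LEGIT_PAGE_HTML = """<html><body><h1>Microsoft</h1>
<form method="post" action=""><input type="password" name="passwd"></form></body></html>"""

if __name__ == "__main__":
    for url, reason in triage_email(SAMPLE_EMAIL):
        print("stage 1:", url, "->", reason)
    print("stage 2 (phish):", classify_stage2(PHISH_PAGE_URL, PHISH_PAGE_HTML))
    print("stage 2 (legit):", classify_stage2(LEGIT_PAGE_URL, LEGIT_PAGE_HTML))
```

The stage-1 check deliberately does not block: the sharing host is legitimate, so the useful action is to fetch and inspect what the shared document points at, which is what stage 2 does. Because the page's own host is treated as the form target when the action is relative, a lookalike site that posts to itself is caught as well as one that posts to a third host.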
Only 12% of phishing emails in 2020 were used to deliver malware. In 2020, malware was most commonly delivered using malicious macros and exploitation of the CVE-2017-11882 Equation Editor vulnerability, although 2020 saw a new tactic of malware delivery increase in popularity. GuLoader first appeared in Q1, 2020 and rapidly increased in prevalence. GuLoader is an executable file that is used to deliver RATs, keyloggers, and other types of malware, and is usually deployed using weaponized malicious documents. The malware is heavily obfuscated to hide its malicious actions, can analyze the environment it is in to detect virtual and sandbox environments, and the malicious payloads the malware delivers are hosted on legitimate platforms such as OneDrive and Google Drive. That makes this threat particularly hard to block.
The Emotet botnet has now been severely disrupted, but it was one of the biggest threats in 2020. Emotet malware is delivered by phishing emails. Once the malware is installed, it hijacks the email account, harvests email addresses, and sends copies of itself from the email account to victims’ contacts, inserting itself into legitimate message threads. The initial emails use a combination of attachments and malicious URLs to deliver the malware payload. Access to devices compromised by Emotet malware is sold to other threat groups for downloading their malware and ransomware payloads.
The TrickBot botnet was another key source of malware infections in 2020. Access to TrickBot-infected devices was sold to threat groups such as Ryuk to deliver ransomware. The Ryuk gang has also used the BazarBackdoor since September 2020 to deliver its ransomware payload. TrickBot and the BazarBackdoor are primarily delivered via phishing emails. The phishing emails target businesses and often link to Google Docs pages, which use the layering tactic to bypass security solutions, with the malware hosted on cloud platforms such as Amazon AWS. The use of these legitimate cloud platforms makes it hard for security solutions to identify and block the attacks.
Phishing emails often arrive in inboxes, so it is essential to improve human phishing defenses, train end users to recognize phishing emails, and condition them to report threats to their security team. Data from phishing email simulations conducted through the Cofense PhishMe platform highlights just how often employees open phishing emails. Almost 11 out of every 100 users will click on a phishing email, which could potentially lead to a malware download or the theft of their credentials. However, through continued training and phishing email simulations, susceptibility to phishing attacks can be greatly reduced.