A new report from the Anti-Phishing Working Group (APWG) shows phishing attacks are occurring at levels not seen since 2016.
The quarterly phishing reports from APWG are compiled from data supplied by APWG members such as Agari, MarkMonitor, RIskIQ, and PhishLabs. The reports provide insights into the methods used by phishers and the extent to which businesses and consumers are being attacked.
In Q3, 2019, more than 86,000 unique phishing sites were identified each month, up 46% from Q2. Hundreds and often thousands of unique URLs are used on each of those phishing sites.
APWG received an average of 39,420 unique phishing email reports each month in Q3, 2019, up 9.09% from Q2. Phishers impersonated an average of 427 brands each month in Q3, up from an average of 313 impersonated brands a month in Q2, 2019.
The biggest phishing targets in Q3 were Software-as-a-Service and webmail sites such as Office 365, which collectively accounted for 33% of attacks. Credentials obtained from attacks on those sites are used in Business Email Compromise (BEC) attacks. The payment industry was the second most targeted (21%), followed by financial institutions (19%). There has been little change in the most targeted industries from previous quarterly reports.
Data from Agari shows that BEC scammers most commonly request gift cards. 56% of all BEC attacks request money in the form of gift cards. 25% of BEC attacks attempt to divert payroll, and 19% of attacks request the direct transfer of funds to accounts controlled by the scammers.
While it is possible to obtain more money from payroll and direct deposit attacks, they are less anonymous, transfers of money are often reversed, and they require the use of money mules. Gift card scams are far easier to cash out, although a typical successful scam is far less profitable. On average, the attackers receive $1,500 per victim in gift card scams compared to $52,325 via wire transfer requests. The largest wire transfer request in Q3 was $850,790. The largest gift card request was $8,000. The gift cards most commonly requested were Google Play (27%), Steam Wallet (14%), Amazon (12%), and Walmart (11%).
Agari has been tracking the activities of a BEC gang known as Silent Starling. The group consists of three main threat actors who compromise email accounts and set up mail forwarding rules to obtain all emails sent and received from those accounts. The accounts are monitored for weeks or months.
Most attacks are performed on suppliers and vendors. These vendor email compromise scams are becoming much more common than business email compromise scams, as vendor email accounts can be used to conduct phishing campaigns on all companies served by the vendors. That makes the attacks far more profitable than BEC attacks.
Data from PhishLabs shows that the number of phishing attacks using HTTPS sites have been steadily rising since 2016. 68% of phishing URLs now have valid SSL certificates, which shows how important it is for web filtering solutions to decrypt, inspect, and re-encrypt web traffic. It also shows that a alid SSL certificate is no guarantee that a site is genuine.