2016: The year of the Phish (an analysis of phishing threat trends)
According to the ‘Phishing Activity Trends Report‘ newly published by the Anti-Phishing Working Group (APWG), 2016 was a piss-poor year as far as stopping phishing was concerned.
The report suggests that, in fact, 2016 was the worst year for phishing attacks ever. With the total number of attacks totalling 1,220,523 this represents a 65% increase over the 2015 numbers.
The growth in phishing is put into even sharper perspective if you jump all the way back to 2004, when the APWG saw just 1,609 attacks per month across the fourth quarter of the year. Compare that to the fourth quarter of 2016 and the monthly average was 92,564. In percentage terms that’s an increase of 5,753% over 12 years. That’s the single biggest percentage figure our analysts have ever had to type here at IT Security Thing, and some of us have been at this game for more than 25 years!
So, are we surprised? Not a bit, truth be told. There are two consistent attack entry point methodologies being put to use by threat actors, pretty much regardless of the threat payload: DDoS and phishing. Although DDoS gets a lot of press for taking down large organisations, it’s more commonly used to disrupt much smaller businesses. Typically, we see DDoS attacks used as smoke screens to divert resources (security team eyes, essentially) from the real payload that is often data exfiltration elsewhere on the network.
Phishing, on the other hand, drives a myriad of threats. Ransomware would not be such a massive problem if phishing were not so successful a social engineering tactic. How successful? Well, according to the ‘2016 Enterprise Phishing Susceptibility and Resiliency Report‘ from PhishMe, some 91% of all cyberattacks commence with a phish of some sort. It also reveals that spear phishing campaigns are up 55% on 2015 numbers, and business email compromise losses as a result are up by another huge number: 1,300%.
“Phishing is an attack that relies primarily on fooling people,” says Greg Aaron, a senior research fellow with APWG, “for that reason, phishing remains both popular and effective. Truly, phishing is more pervasive and harmful than at any point in the past.”
So how does phishing fool people to this extent? That’s a question that really needs to be answered if the threat tide is ever to be turned back. APWG member RiskIQ reckons that “a relatively low percentage of phishing websites targeting a brand attempt to spoof that brand in the domain name” and that’s at secondary-level or the fully-qualified domain name according to Jonathan Matkowsky, VP for intellectual property and brand security at RiskIQ. “This is evidence that phishers do not need to use deceptive domains names to fool Internet users into visiting their sites.”
‘The Rising Tide – Why credential phishing and abuse is more dangerous than ever‘ is another recently published report, this time from the researchers at MWR InfoSecurity who reviewed 100 recent simulated attack campaigns that targeted almost a million individual users. Unsurprisingly, social media remains the most effective lure to entice users to click a link in an email, even when those emails were sent to a work account.
Initiated with a request to connect via a social media platform, almost a quarter of users clicked the link to be taken to a fake login screen, with 54% going on to provide user credentials and 80% to download a malicious file executable.
The least successful methodology was sending an invoice or some other financial lure, for want of a better term, which achieved only limited success when user credentials were requested. Human resources (HR) requests, on the other hand, were the most effective with a hit rate of 73% clicking the link and providing credentials.
“The results of these simulated phishing attacks brings to the fore many security professionals’ worst fears,” says James Moore, managing director of phishd by MWR InfoSecurity who continues, “if these attacks had been real, around 990,000 users could have been compromised.”
Moore admits that this core behaviour is difficult to modify, revealing that “more than 10% of targeted users fell victim to the first two stages of our simulated attack and disclosed their user credentials, but more concerning is that out of those targeted with a social media request or a promotional offer, more than 10% downloaded a potentially malicious file via their corporate email accounts.”
The MWR research also revealed that only 3% of employees targeted by the simulation reported the attack, while 25% clicked on the link in the phishing email.
“Despite continued warnings,” Moore concludes, “many organisations need to stop assuming that only email could be accessed in an attack.” Indeed, the phishing reality is that emails are often just the starting point for a continued attack on the organisation. “Robust, and sometimes basic security controls, such as two-factor authentication or disabling fie and SharePoint remote access,” Moore advises, “could be highly effective in fighting the risk of long-term credential abuse.”
Kaspersky Lab has also released some new threat research, and the ‘Financial cyberthreats in 2016‘ report makes for pretty grim, if not actually surprising, reading as well. The Kaspersky researchers found that almost half of all phishing attacks registered in 2016 by Kaspersky Lab’s heuristic detection technologies were aimed at stealing their victim’s money.
Robert Capps, VP of business development at NuData Security, admits it’s no surprise that phishing is still a valid concern for cyber security professionals. “The Internet is awash with stolen consumer data ripe for malicious use,” Capps says, “providing fertile soil in which fraudsters can grow innovative attacks using purloined black-market data.”
Victims of stolen data are a natural target for phishing, since most major data breaches target login credentials, email addresses and passwords. “This dataset is perfect to concoct nearly flawless phishing attacks,” warns Capps, who continues, “often by impersonating major organisations or financial institutions with which they normally interact online.”
Capps reckons that we need to “take a step back” and start respecting that the average consumer can’t be expected to avoid clicking something designed specifically to lure them into clicking it. Indeed, the culture of victim blaming really needs to stop as it helps nobody except for the cyber-criminals who continue to exploit security teams and experts that need to do a better job.
“Instead of blaming the victims that are unlikely to become more adept at online security,” Capps insists “we should find ways we can do our jobs better.”
In other words, we need to rely less on grandma upping her security game and more on our collective ability to innovate and invent solutions that don’t use the goodies the fraudsters are suckering folks into giving up.
Spear phishing, which was not included in those shocking APWG numbers, continues to be a real and growing concern within the security industry. One recent campaign, uncovered by Menlo Security, demonstrates why this is. The ‘well-known enterprise’ that was attacked failed to see it coming. According to Menlo the attackers performed various checks on the password entered by the victim and their IP address to determine whether it was a true compromise versus somebody who had figured out the attack before continuing.
The attackers also supported various email providers. This was determined by the fact that they served custom pages based on the email domain. For example, a victim whose email address was email@example.com would be served a page that looked like a Gmail login page.
The attackers then exfiltrated the victim’s personally identifiable information (PII) to an attacker controlled account. Relying heavily on several key scripts to execute the phishing campaign, the attacker was able to obtain the victim’s IP address in addition to the victim’s country and city.
The spear phishing vulnerabilities stem from legacy email security solutions, including sandbox-based anti-phishing products, being largely based on reputation; that is, whether an email link is known to be “good” or “bad.” A link’s reputation is determined via third-party data feeds, or internally by way of large-scale email traffic and data analysis.
In the case of spear phishing attacks, which target specific individuals within an organization, the email link is usually unique, as is the target user, hence there is no third-party reputation data available, nor is there enough data to analyze internally to make an accurate determination. If the determination is incorrect, users are sent directly to a website where credentials can be stolen or malware can be downloaded to the user’s device.
Researchers from Proofpoint have also released a report in the form of their Quarterly Threat Summary from Q4 2016 that analyses threats trends across email, mobile and social media. The key findings included the fact that social media phishing attacks have increased by 500% from the beginning to end of 2016.
Proofpoint also recognises that organizations are becoming more aggressive in the way that they address business email compromise (BEC), but BEC actors are adapting their attack techniques as well. By the end of the last quarter, Proofpoint says that BEC actors had realized that spoofing emails to the CFO from the CEO was less effective than spoofing emails from the CEO to other staff. Indeed, CEO to CFO spoofing dropped 28% by December – from a high of 39% in August.
Q4 exploit kit activity remained steady, albeit with a strong decline of 93% from the start of the year. The RIG and Neutrino exploit kits were around to pick up the activity left by the disappearance of Angler at the beginning of Q3. The end result being that exploit kit market as a whole has been left to serve mid-level malvertising operators and pretty much nobody else.
The report finds that, for emails containing malicious URLs, destinations shifted almost exclusively to dedicated phishing pages. Exploit kit pages were only the destination for 1% of links in malicious emails in December.
We will finish this analysis piece with news of two phishing campaigns; one targeting Gmail users and the other those with PayPal accounts.
Google has responded to threat actors who were sending email messages from the compromised Gmail accounts of known contacts of the target. These included embedded images that looked, for all intents and purposes, like PDF attachments but when clicked served only to execute the opening of a fake Gmail login page.
This was a clever attack technique, exploiting the data URI that posed as a URL to the unobservant or less well clued up user; most everyone in other words. The data URI in question served up the fake Gmail pages but didn’t flag them as potentially dangerous as they were using that data URI. Google has now updated the Chrome client so that it shops a ‘not secure’ flag when an address starts with data: and about time as well we say. Ditto to the fact that Google is working on preventing redirections from such data URI addresses in future versions of the browser.
As for the PayPal phishing scam, this one really shouldn’t catch anyone out. Although the phishing mail looks authentic enough in terms of logos and design, the grammar gives the game away. Take a look here and tell us this would have fooled you?
It will have fooled plenty though, as it only takes a moment where your concentration isn’t what it should be to slip up and click the link through to something like this. If you did, then you would have been greeted to a genuine looking PayPal credentials page complete with a SSL certificate for added authenticity. The scammers actually did a much better job of the landing page than they did the phishing email we reckon.
This employs the usual scare tactics employed by credential scammers, encouraging the target to enter ever more revealing and valuable information if they want to ‘secure’ their account and get access to it returned.
Quite apart from the observational lapses, and once again the URL should have given the game away that this wasn’t PayPal you had landed at, the use of two factor authentication or two factor verification would have protected the victim by blocking the attackers from being able to access the account anyway.