Phishing remains a popular method of stealing credentials, committing fraud, and distributing malware. But what appears on the surface to be a juvenile form of cybercrime can be, in practice, a well-orchestrated, multi-faceted, and sustained attack campaign by organized crime groups. From finding victims and creating phishing sites to harvesting and fraudulently using victims’ credentials, it can be difficult to build a complete picture of the end-to-end process. We focus our report on how fraudsters are building, staging, and hiding their phishing sites and the tactics they use to remain hidden. Using insight from Shape Security, we also show how quickly cybercriminals are making use of their stolen goods.
This year’s Phishing and Fraud report examines five years’ worth of phishing incidents from the F5 Security Operations Center (SOC), and deep dives into active and confirmed phishing sites supplied by OpenText’s Webroot® BrightCloud® Intelligence Services, and analyzes dark web market data from Vigilante. Together, these build a complete and consistent picture of the world of phishing.
In our 2019 Phishing and Fraud Report, we noted a significant abuse of free and automated services, such as blogging platforms and free digital certificate services. Fraudsters made heavy use of automation with very little, if any, financial outlay. We saw emerging use of encryption with just over half of all sites leveraging HTTPS, and attackers were creating lengthy and deceptive web addresses (URLs) in order to appear genuine and confuse their victims.
The past twelve months has been not a revolution in the attackers’ methods but an evolution, and 2020 is on target to see a 15% increase in phishing incidents compared with last year. This year we found that phishing incidents rose by a staggering 220% compared to the yearly average during the height of global pandemic fears. Fraudsters were quick to seize upon the confusion and we saw large spikes in phishing activities that closely coincide with various lockdown rules and the increase in homeworking. Using certificate transparency logs, we found that at its peak, there were almost 15,000 active certificates using “covid” or “coronavirus” in their names. On the topic of encryption, the use of HTTPS also rose sharply across all phishing sites with an impressive 72% making use of digital certificates and TLS encryption. The dramatic increase in phishing activity at the beginning of lockdown could well be a factor in the sharp rise of stolen payment cards discovered in May and June of this year. The number of cards of seven major global banks found on darknet markets was almost double a similar peak period in 2019.
Fraudsters are becoming more creative with the names and addresses of their phishing sites. Attempting to create ever more realistic website addresses, we found that 55% of phishing sites made use of target brand names and identities in their URLs. We tracked theft of credentials through to their use in active attacks and found that criminals were attempting to use them within 4 hours. In some cases, the attacks occurred in real time.
Vulnerable websites continue to present an opportunity for fraudsters to host their phishing pages on a reputable URL, for free. We found that WordPress sites alone accounted for 20% of generic phishing URLs.
This year we also found that Office 365 continues to present a rich and compelling target for attackers with fraudsters employing new tactics such as “consent phishing”. And an increasing number of phishing sites are using evasion techniques to avoid detection and inspection by targeted businesses and security researchers.
Despite the continued growth of phishing attacks, security controls and user training are failing to adequately combat it. Fraudsters know that the way to make a quick buck isn’t to spend months attempting to breach an organizations security, it’s simply to ask nicely for the username and password so they can walk right in through the front door.
Phishing, the email focused form of social engineering, shows no sign of abating. It remains just as popular with organized cybercrime as it is with nation states for one simple reason: it works. The number of phishing incidents in 2020 is projected to increase by 15% compared with last year, according to data from the F5 Security Operations Center (SOC) (see Figure 1). F5 Labs’ 2020 Application Protection Report found that 52% of all breaches in the US were due to failures at the access control layer. These include credential theft, brute force login attempts, and phishing. Across the pond, data released by the UK’s Information Commissioner’s Office (ICO), showed that phishing was the number one cause of cyber related data breach for their reporting period covering April 2019 to March 2020, accounting for 28% of all cases.1 The trend continues all over the world. Numbers from the Office of the Australian Information Commissioner (OAIC) show that phishing holds the top spot in malicious cyber incidents, accounting for 36% of all cases reported to them.2 Theft of credentials, one of the most common initial attack vectors for cybercriminals, is a close second and is responsible for 29% of all incidents (July 2019 to June 2020).
Phishing is now such a problem that the 2020 Verizon Data Breach Investigations Report (DBIR) noted the use of malware and trojans had dropped significantly and that “attackers become increasingly efficient and lean more toward attacks such as phishing and credential theft.”1 Europol’s latest Internet Organised Crime Threat Assessment (IOCTA) report stated, “Social engineering and phishing remain a key threat,” and that “both demonstrate a significant increase in volume and sophistication.”2 Yet, while the organized cybercriminal element are indeed becoming far more skilled in their use of social engineering, using multi-vector attacks and intercepting SMS tokens, phishing has dramatically increased due to the ease with which it can be conducted. Phishing kits and Phishing-as-a-Service, not to mention the ease with which personal data can be obtained, all mean that virtually anyone can start a phishing campaign with very little prior knowledge. Since likelihood is a factor in calculating risk, we must assume that our risk of being phished is now greater than ever.
Non-cash payment fraud, such as credit card theft, skimming, or phishing, is commonly used to enable the majority of other cyber-dependent crime, such as extortion, theft of data, and deployment of malware. Advanced persistent threat (APT) groups have long been known to conduct active cyber espionage campaigns. Social engineering of APTs' victims via email and social media phishing campaigns is commonly the first step in the attack chain. In September 2020, a new campaign by the Iranian-linked Charming Kitten APT combined targeted spear-phishing via WhatsApp with bogus LinkedIn profiles in order to create believable back stories. Their aim was to trick the victim into downloading malware or harvest the victim’s credentials.1
Business email compromise (BEC)—spear-phishing that targets staff members who have access and the authority to transfer money—is on the rise as attackers show an increased understanding of internal business relationships and processes. The second-quarter 2020 report from the Anti-Phishing Working Group (APWG) showed that the average wire transfer attempt was more than $80,000, with one specific threat actor targeting companies for an average of $1.27 million.2
Despite many advanced tools, techniques, and procedures (TTPs), many phishing attacks are simple in nature and succeed because of poor security controls and lack of awareness by users.
How Cybercriminals Capitalized on COVID-19 in 2020
Always keen to hook onto emotive topics, cybercriminals were quick to capitalize on the global outbreak of SARS-CoV-2, colloquially known as Coronavirus or COVID-19. While millions of people struggled to learn the real facts about the pandemic from world leaders, the morally absent cybercriminal community saw their opportunity. Phishing emails began hitting inboxes around mid-March with subject lines such as “Covid-19 in your area?” and “Message from the World Health Organization.”
- Covid-19 in your area? Please confirm your address
- Click here for COVID-19 vaccinations
- Get your COVID-19 CARES Act relief check here
- Counterfeit Respirators, sanitizers, PPE
- Fake cures for COVID-19
- Message from the World Health Organization
- Message from the Centers for Disease Control and Prevention
- Click here for Coronavirus-related information
- Donate to these charitable organizations.
- Message from Local hospital - Need patient data for COVID-19 testing
- COVID 19 Preparation Guidance
- 2019-nCoV: Coronavirus outbreak in your city (Emergency)
- HIGH-RISK: New confirmed cases in your city
- Coronavirus (2019-nCoV) Safety Measures
The APWG reported that targets were predominantly “workers, healthcare facilities and the recently unemployed.”1 Figures 2 and 3 show just two samples of many pandemic-related phishing emails F5 Labs has seen.
Three primary objectives for COVID-19 related phishing emails became apparent. Fraudsters focused their efforts on:
- Asking for donations to fake charities
- Credential harvesting
- Malware delivery
While criminals seized on the opportunity to spoof login and download pages for increasingly popular web conferencing apps, such as Zoom, Skype, and WebEx, it’s remarkable how unremarkable many of these attacks really were. Europol’s IOCTA 2020 report summarizes this well stating, “COVID-19 demonstrated how cybercrime—at its core—remains largely the same but criminals change the narrative.”1 This echoes the previous discovery by F5 Labs of a Mirai botnet lazily cloned to include references to COVID-19.
The number of phishing incidents reported to the UK ICO for each quarter of 2019 and 2020 averaged 289, while new figures, released for the months covering April to June 2020, show a sharp decline with only 185 confirmed cases. The F5 Security Operations Center (SOC) saw a similar trend, with initial phishing statistics broadly following patterns of previous years but with a large spike around the start of 2020, a slump between March and April, and another significant rise over the spring and early summer months (see Figure 4).
Across the SOC datasets for the months of July to September, we found 320 unique malicious domains making use of the specific terms “covid” or “corona” in their URLs. Many other malicious sites used deliberate misspellings or simply used unrelated domain names for their attacks.
Using certificate transparency logs, we can also search for specific words or values within HTTPS certificates. It is no surprise that when the pandemic was headlining every news outlet in March, the number of certificates created that month with the words “covid” or “corona” peaked at 14,940 (see Figure 5).
Security practitioners are generally well aware of how phishers bait and hook their victims by using provocative topics, but if these trends tell us anything, it’s that end users—our staff and our customers—need to know this. Phishing awareness training must drive home the message that attackers are quick to jump onto new trends. Users need to be extra vigilant watching for email, voicemails, and text messages that appear to be related to widely discussed topics in the media or popular culture.
The Business of Phishing
There are many ways to phish, and the tools and tactics required are often determined by what the attacker is aiming to catch. As we covered in F5 Labs’ 2019 Phishing and Fraud Report, the three broad methods of phishing are:
- General, indiscriminate, in which the attacker targets many unrelated victims knowing that they are likely to get a few bites
- Semi-targeted, in which attacks are focused against a specific organization or group
- Spear phishing, in which a specific individual (often C-level or IT administrator) is directly targeted.
While the catch (the pay-out) might be different between phishing campaigns (some attackers are looking to harvest credentials while others want to distribute malware), the commonality is that fraudsters use one or more social engineering tactics to circumvent a victim’s critical thinking. In a 2013 paper, A Study of Social Engineering in Online Frauds, the authors found the five most common methods of persuasion used were authority, urgency, fear/threat, politeness, and formality.1 In 100% of the phishing emails they examined, the cybercriminal used authority, and 71% of phishing emails added a sense of urgency. Whether it be a missed package delivery, a deadline for a competition, or threat of imminent “legal action,” fraudsters know that persuading us to rush increases the likelihood that we will not logically evaluate the request. This year we’ve very much seen this to hold true with the huge jump in phishing traffic around the periods of national pandemic lockdowns and many examples of emails claiming to have information about the virus.
Social engineering, and primarily phishing, is often used as an enabler of both newer cyber-dependent crime (for example, ransomware and website compromise) as well as cyber-enabled crime (such as fraud and theft). Here, we focus on two of the most common objectives for fraudsters: credential harvesting and financial fraud.
Usernames, email addresses, and passwords can often be the actual target of the fraudster, with stolen credentials commonly selling in bulk on darknet markets. These data sets of stolen credentials are purchased by other organized crime groups to enable others to carry out activities such as credential stuffing attacks.
More often, however, credentials are used to accomplish further objectives such as the theft of intellectual property or committing financial fraud. Attackers rarely have a problem obtaining usable credentials. Shape Security’s 2018 Credential Spill Report found that 2.3 billion credentials were breached in 2017.2 And 2017 was, according to Wikipedia, a quiet year for data breaches.3 Figure 6 shows the number of data breach incidents per year compared with the cumulative number of records breached. Despite a fluctuating number of incidents from year to year, the total number of records lost or stolen appears to be growing exponentially.
Office 365 Provides a Rich Target
Microsoft’s incredibly popular email, productivity, and collaboration platform, Office 365, is a prime target for attackers. Once credentials have been captured, attackers have a multitude of options open to them. They might choose to send more fraudulent emails, now with the benefit of having them appear to come from a genuine corporate account. This same Office 365 account is likely to have access to SharePoint and OneDrive, which could provide direct access to intellectual property and sensitive data. The worst-case scenario might involve the compromised account being a member of a privileged access group, which then grants the attacker the ability to modify access privileges for the Office 365 platform itself.
A common tactic to phish for Office 365 credentials is to send a victim an email claiming that a Word or Excel document has been shared with them. To retrieve it, the victim must authenticate to the (spoofed) Office 365 website.
Now that businesses are starting to better secure their credentials (by federating user accounts, performing device posture checks, and applying MFA), fraudsters are beginning to shift their targets. With credentials becoming harder to steal, fraudsters are asking the victim for direct access to their account in an attack called consent phishing.
There are hundreds of mobile and desktops apps that promise to tidy your inbox, organize your contacts, or provide some incredibly useful new productivity feature. To use one of these apps, all you have to do is download it to your phone or laptop and authorize it to connect to your Gmail or Office 365 account.
The process for authorizing apps to your email or productivity platform is as follows:
- Tell your new app of choice what platform you use, for example, Office 365
- Your app then directs you to a login page for your Microsoft account
- You authenticate to Microsoft by entering your credentials
- Finally, you see a page, such as the one shown in Figure 7, in which you accept the permissions being requested by the app