Key Findings
- Using data continuously captured by OpenPhish, we analyzed data from May, September, and November 2021 to see how trends in attacker activity changed as the holiday season approached.
- After generic (not industry specific) phishing, the top attacked sector, month after month, was finance. Individual financial institutions were attacked less than organizations, such as Facebook, in other sectors, but the sheer quantity of banks targeted made finance the most common sector for phishing attacks.
- Although finance, collectively, was the most attacked sector, the two highest targeted brands were Facebook and Microsoft Office 365/Outlook, which each received, on average, 10% of the phishing attacks analyzed.
- November saw increases in phishing activity, with attackers likely taking advantage of the increase in online shopping for the holiday season:
- The number of unique fraudulent domains jumped 157% in November, compared to the average for the rest of the year.
- Attacks targeting e-commerce experienced a 200% spike.
- Amazon was the top target in November, with Facebook the second most targeted.
- November also saw a large-scale phishing campaign against cryptocurrency exchanges and wallet services:
- Cryptocurrency platforms experienced an almost 1800% increase in attacks, possibly linked to the rise in the value of Bitcoin at this time.
- A single campaign was responsible for 90% of the cryptocurrency-related sites.
Phishing Continues to Grow as an Attack Vector
Phishing, which tricks victims into visiting fraudulent websites or into opening malicious email attachments, continues to grow unabated. For the ins and outs of phishing, read What Is Phishing. The 2021 Application Protection Report noted that phishing was the second most common initial attack technique leading to a successful data breach. This trend is seen across the security industry. In November, the Anti-Phishing Working Group (APWG) reported that phishing had doubled since early 2020, with July 2021 seeing the largest number of attacks in their reporting history.1 Europol’s 2021 Internet Organised Crime Threat Assessment (IOCTA) notes that due to the growth in online shopping (caused, in part, by the increase in working from home), delivery services are a frequent target for luring victims to fraudulent sites. The report finds that phishing remains the primary driver behind payment fraud “increasing in both volume and sophistication.”
The illegal use of stolen credentials can be applied at multiple stages of an attack chain. Some attacks culminate with the theft of a password database, other attacks use stolen credentials to gain access to an application or network, while other attacks use the credentials to send internal spear phishing emails from valid corporate accounts. The 2021 Credential Stuffing Report found that an average of 2.3 billion credentials are stolen each year, with the IOCTA report stating that the market for passwords and personal information is growing, since it improves the success rate of all social engineering attacks.
Top Phishing Targets
F5 Labs found this year that while a considerable proportion of phishing attacks are generic and indiscriminate in nature (on average 20%-30%), attackers increasingly use spear phishing to move laterally inside the network—once a low-level employee is compromised, it’s easier to phish other, more senior staff members. The IOCTA report corroborates this finding, remarking that social engineering as a whole is becoming more targeted, with attackers focusing on upper-level management.2
The Most Targeted Phishing Sector: Finance
Last year, F5 Labs found that the finance sector was hit particularly hard by targeted spear phishing. A third of all breaches against banking, insurance, and financial services were a result of business email compromise (BEC) in which attackers targeted specific roles (typically finance business units) pretending to be the chief executive or another high-level manager.
In 2021, this same industry was also the top target for phishing campaigns, accounting for 20%-23% of all fraudulent sites, as shown in Figure 1. Though no single financial institution was targeted significantly more than the rest, banks such as Wells Fargo and Crédit Agricole S.A. dealt with 2%-4% of all phishing sites abusing their name.
E-Commerce Under Attack During the Holiday Season
The month of November saw increases in phishing activity across the board. The number of unique domains used for fraudulent purposes increased by 157% compared to the average for May and September. Additionally, Figure 1 shows something interesting for November—a shift in attacker focus. Two sectors received considerably more phishing campaigns during this time: e-commerce and cryptocurrency exchanges. The huge spike in attacks against cryptocurrency exchanges, an increase of almost 1800% compared to previous months, deserves some deeper analysis (below).
The rise in phishing campaigns targeting e-commerce is perhaps easier to explain. The months of November and December typically see large increases in online shopping for the holiday season, so spikes in fraudulent sites pretending to be online retail stores or delivery companies are expected.
Most Attacked Companies
While the finance sector as a whole is clearly a top target for attackers, Figure 1 does not paint the entire picture. Generic phishing campaigns (that target no specific individual, organization, or sector) typically account for 20%-30% of all fraudulent sites in any given month. The most attacked individual sites were typically Facebook and Office 365/Outlook, which trade the lead during any given month (see Figure 2).
Amazon saw a 208% rise in the number of phishing campaigns in November 2021, with attackers clearly jumping on the increase in online shopping during the festive period.
Just as with top attacked sectors, the top attacked “brand” in November was Crypto/Wallet, accounting for almost 20% of all malicious websites. Let’s take a look at what went on.
Cryptocurrency Exchanges Attacked
Phishing attacks that target cryptocurrency-related sites and services tend to sit low in the list of priorities for attackers. Most months see only 1% of all phishing attempts targeting the cryptocurrency sector. Something changed in November, however, when fraudulent cryptocurrency-related sites suddenly accounted for just over 20% of all targets, an increase of over 1800%.
Delving into the raw data, it became apparent that one malicious domain stood out above the rest: krakentxy.com. Registered on November 3, 2021, it quickly became the most prolific site targeting cryptocurrency. The threat actor responsible for this campaign created 9,117 unique subdomains, all of which closely resembled those shown in Figure 3. Each krakentxy.com subdomain was hosted in Azure with a Let’s Encrypt certificate.
This particular domain made up 90% of all fraudulent cryptocurrency sites in November 2021. Although this domain is currently blocked by browsers and its DNS records no longer exist, using the Open Web Application Security Project (OWASP) Amass Project tool reveals another 194 domains currently hosted in Amazon Web Services (AWS). Although these additional domains do not currently resolve, it serves to show the cat-and-mouse game that attackers and defenders constantly play.
Even when excluding the krakentxy.com domain, cryptocurrency-related phishing sites still rose by 356% in November. The sudden interest by attackers could be attributed to the increased value of many cryptocurrencies in November. Bitcoin (BTC) rose to an all-time high of $64,400 for one BTC on November 12 (see Figure 4).