Phishing Attacks Soar 220% During COVID-19 Peak as Cybercriminal Opportunism Intensifies

F5 Ecosystem | December 08, 2020

David Warburton, author of the F5 Labs 2020 Phishing and Fraud Report, describes how fraudsters are adapting to the pandemic and maps out the trends ahead in this video, with summary comments below.

COVID-19 continues to significantly embolden cybercriminals’ phishing and fraud efforts, according to new research from F5 Labs.

In the fourth edition of the Phishing and Fraud Report, it was discovered that phishing incidents rose 220% during the height of the global pandemic compared to the yearly average.

Based on data from F5’s Security Operations Center (SOC), the number of phishing incidents in 2020 is now set to increase 15% year-on-year, though this could soon change as additional waves of the pandemic spread.

The three primary objectives for COVID-related phishing emails were identified as fraudulent donations to fake charities, credential harvesting, and malware delivery.

A Phisher’s Domain

As per previous years’ research, F5 Labs noted that fraudsters are becoming ever more creative with the names and addresses of their phishing sites.

In 2020 to date, 52% of phishing sites have used target brand names and identities in their website addresses. Using phishing site data from Webroot, F5 Labs discovered that Amazon was the most targeted brand in the second half of 2020. Paypal, Apple, WhatsApp, Microsoft Office, Netflix, and Instagram were also among the top ten most impersonated brands.
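For defenders, the brand-in-address pattern described above can be checked mechanically in mail-gateway or proxy logs. The following is an added example, not code from F5 Labs or the report: the brand-to-domain allowlist, the function names and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of domains the brands named above legitimately use.
# It is illustrative only; build the real one from your own inventory.
BRAND_DOMAINS = {
    "amazon": {"amazon.com"},
    "paypal": {"paypal.com"},
    "apple": {"apple.com"},
    "whatsapp": {"whatsapp.com"},
    "microsoft": {"microsoft.com", "office.com"},
    "netflix": {"netflix.com"},
    "instagram": {"instagram.com"},
}
ALL_DOMAINS = set().union(*BRAND_DOMAINS.values())


def on_domain(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def impersonated_brand(url):
    """Return the brand whose name appears in the address of a site that is
    not hosted on an allowlisted brand domain, or None."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host or on_domain(host, ALL_DOMAINS):
        return None
    # Split host and path into tokens so "pineapple" does not match "apple".
    tokens = re.split(r"[^a-z0-9]+", (host + parts.path).lower())
    for brand in BRAND_DOMAINS:
        if any(token.startswith(brand) for token in tokens):
            return brand
    return None


# Constructed sample URLs (reserved example domains), not observed data.
SAMPLE_URLS = [
    "https://www.amazon.com/gp/css",
    "https://amazon-account-verify.example.net/login",
    "amazon.com.example.net/login",
    "https://example.org/paypal.com/signin",
    "https://pineapple-farm.example/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{impersonated_brand(u) or '-':10} {u}")
```

Token-prefix matching misses misspelled brands (for example digit substitutions), so treat a hit as a signal to score rather than a complete lookalike detector.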

By tracking the theft of credentials through to use in active attacks, F5 Labs observed that criminals were attempting to use stolen passwords within four hours of phishing a victim. Some attacks even occurred in real time to enable the capture of multi-factor authentication (MFA) security codes.

Hiding in Plain Sight

2020 also saw phishers intensify efforts to make fraudulent sites appear as genuine as possible. F5 SOC statistics found that most phishing sites leveraged encryption, with a full 72% using valid HTTPS certificates to trick victims. This year, 100% of drop zones—the destinations of stolen data sent by malware—used TLS encryption (up from 89% in 2019).

Combining incidents from 2019 and 2020, F5 Labs additionally reported that 55.3% of drop zones used a non-standard SSL/TLS port. Port 446 was used in all instances bar one. An analysis of phishing sites found that 98.2% used standard ports: 80 for cleartext HTTP traffic and 443 for encrypted SSL/TLS traffic.
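Because these drop zones speak TLS on ports other than 443, port-based egress rules miss them; identifying TLS by its first bytes does not. The sketch below is an added example, not from the report: the flow tuple layout, function names and sample payloads are constructed assumptions.

```python
# Ports on which outbound TLS is expected. 443 is the standard port cited
# above; add others your environment legitimately uses (assumption).
STANDARD_TLS_PORTS = {443}


def is_tls_client_hello(payload: bytes) -> bool:
    """Recognise a TLS ClientHello from the first bytes a client sends."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    return (
        content_type == 0x16          # record type: handshake
        and major == 0x03             # SSL 3.0 / TLS 1.x record version
        and minor <= 0x04
        and 0 < record_len <= 16384   # maximum plaintext record size
        and payload[5] == 0x01        # handshake type: ClientHello
    )


def tls_on_nonstandard_port(flows):
    """Return (src, dst, port) for flows that start a TLS handshake on a
    port outside STANDARD_TLS_PORTS."""
    return [
        (src, dst, port)
        for src, dst, port, first_bytes in flows
        if port not in STANDARD_TLS_PORTS and is_tls_client_hello(first_bytes)
    ]


# Constructed sample flows: (source, destination, destination port,
# first client bytes). Addresses are documentation ranges.
CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303")
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, CLIENT_HELLO),
    ("10.0.0.7", "198.51.100.23", 446, CLIENT_HELLO),
    ("10.0.0.7", "198.51.100.40", 80, b"GET / HTTP/1.1\r\n"),
    ("10.0.0.9", "192.0.2.77", 8080, b"GET /health HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for hit in tls_on_nonstandard_port(SAMPLE_FLOWS):
        print("TLS on non-standard port:", hit)
```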

Future Threats

According to recent research from Shape Security, which was integrated with the Phishing and Fraud Report for the first time, there are two major phishing trends on the horizon.

As a result of improved bot traffic (botnet) security controls and solutions, attackers are starting to embrace click farms. This entails dozens of remote “workers” systematically attempting to log onto a target website using recently harvested credentials. The connection comes from a human using a standard web browser, which makes fraudulent activity harder to detect.

Even a relatively low volume of attacks has an impact. As an example, Shape Security analysed 14 million monthly logins at a financial services organisation and recorded a manual fraud rate of 0.4%. That is the equivalent of 56,000 fraudulent logon attempts, and the numbers associated with this type of activity are only set to rise.

Shape Security researchers also recorded an increase in the volume of real-time phishing proxies (RTPP) that can capture and use multi-factor authentication (MFA) codes. The RTPP acts as a person-in-the-middle and intercepts a victim’s transactions with a real website. Since the attack occurs in real time, the malicious website can automate the process of capturing and replaying time-based authentication such as MFA codes. It can even steal and reuse session cookies.

Recent real-time phishing proxies in active use include Modlishka and Evilginx2. F5 Labs and Shape Security are set to monitor the growing use of RTPPs in the coming months.

Download the F5 Labs 2020 Phishing and Fraud Report to learn more.

About the Report

This year’s F5 Labs Phishing and Fraud Report examines five years’ worth of phishing incidents from the F5 Security Operations Center (SOC) and deep dives into active and confirmed phishing sites supplied by OpenText’s Webroot® BrightCloud® Intelligence Services. It also includes analysis of dark web market data from Vigilante and research by Shape Security. Together, these build a complete and consistent picture of the world of phishing.


About the Author

David Warburton
Director, F5 Labs

David Warburton is director of F5 Labs. He has worked in the IT industry for over 20 years, starting life as a full stack developer before wrangling with the perils of cloud architecture and then moving to the serene and peaceful life of cyber security. His research covers a wide range of topics from the deeply technical, such as cryptography, to the more real-world sociotechnical side of security. Warburton has given talks around the world for Infosec (UK), GovWare (Singapore), Crikeycon (Australia), ITBN (Hungary), Digital Transformation EXPO (UK) and for the UK military. Warburton has made dozens of international media appearances on TV, print and industry podcasts, including BBC World News, Sky News, SABC, The Guardian and Risky Business. He is the author of F5 Labs publications including the annual ‘Phishing and Fraud’ and ‘TLS Telemetry’ reports, and recently he co-authored the SSL/TLS/HTTPS scanning devops tool ‘Cryptonice’ which helps organisations improve their application security posture. Warburton was awarded a Masters in Information Security from Royal Holloway University of London where his thesis was on the use of security and cryptography in internet-of-things (IoT).
