Inside the Modern Phishing Campaigns of 2019

The world of cybersecurity is dominated by headlines of malware, ransomware, data breaches, app vulnerabilities, IoT threats and botnet attacks. But phishing has been a serious threat since the early 2000s and is widely regarded as the most common attack vector for cybercriminals.

Today, phishing is not about volume. These email threats are now tuned to successfully trick a high-value target into taking a desired action: clicking on a malicious link, opening a malware-laden file, providing a password or authorizing financial transactions.

In the current cyber arms race, threat actors are constantly trying to get around security systems. In the context of email as a threat vector, phishing has evolved into spear-phishing, impersonation and Business Email Compromise (BEC) types of attacks. These messages are highly targeted with extensive social engineering efforts to carefully select and study the victim.

Global phishing volume down, attacks more targeted

As published in the 2019 SonicWall Cyber Threat Report, our Capture Labs threat researchers recorded 26 million phishing attacks worldwide in 2018, a 4.1 percent drop from 2017. Over the same period, the average SonicWall customer faced 5,488 phishing attacks.

2018 Global Phishing Volume

As businesses get better at blocking email attacks and ensuring employees can spot and delete suspicious emails, attackers are shifting tactics. New data suggests they are reducing overall attack volume and launching more highly targeted phishing attacks (e.g., campaigns timed to Black Friday and Cyber Monday).

Explore the five common tactics phishers are using to steal credentials, deploy malware, infiltrate networks and damage brands.

  1. Malicious URLs and fake or spoofed websites
    With improvements in secure email solutions that mitigate phishing, cybercriminals are resorting to innovative methods to execute targeted attacks, such as using weaponized URLs in email to deliver malicious payloads, or creating phishing websites with fake login pages to harvest user login credentials. In late 2017, it was reported that nearly 1.5 million phishing sites are created each month. Detecting phishing sites has also become harder because phishers obfuscate phishing URLs with multiple redirections and URL shorteners.

    In addition, about half of these phishing sites use HTTPS with valid TLS (SSL) certificates, which makes it easier for cybercriminals to deceive their victims: the browser padlock only attests that the connection is encrypted, not that the site belongs to the brand it imitates.

    Source: “PhishPoint: New SharePoint Phishing Attack Affects an Estimated 10% of Office 365 Users,” Avanan, August 2018.

    According to Microsoft’s security intelligence report, “attackers increasingly use popular document sharing and collaboration sites and services to distribute malicious payloads and fake login forms that are used to steal user credentials.”

  2. Phishing targeting Office 365 applications, users
    SaaS and webmail services are increasingly targeted by phishing campaigns. According to the Anti-Phishing Working Group (APWG), phishing that targeted SaaS and webmail services doubled in the fourth quarter of 2018. As Office 365 has become the most popular cloud email platform across organizations of all sizes and verticals, it comes as no surprise that Microsoft is the most impersonated brand.

    “As Microsoft’s SEG market share increases, smart attackers will specifically target Microsoft’s defenses,” reports Gartner.

    This is not inconceivable: an Office 365 subscription is available to anyone with a credit card, which makes its security features readily accessible to cybercriminals. In theory, a criminal group can buy a tenant and refine a phishing campaign against Microsoft's native defenses until it gets through. In fact, in another report, researchers found that 25% of phishing emails bypass Office 365 security.

  3. Compromised credentials
    In January 2019, security researcher Troy Hunt disclosed "Collection #1," a trove of 773 million unique email addresses and 21 million unique passwords that had been made available through a popular hacking forum. Compromised user ID and password combinations like these are used to carry out attacks from inside the organization. A common attack is account takeover: threat actors obtain employee corporate credentials either by launching a credential phishing campaign against the organization or by buying credentials on the dark web that leaked from third-party breaches, since many users reuse passwords across services. The threat actor then uses the stolen credentials to gain additional access or escalate privileges. Compromised credentials may remain undiscovered for months or years.
  4. Impersonation, CEO fraud and Business Email Compromise (BEC)
    According to the FBI, Business Email Compromise, or BEC, is a scam targeting businesses that work with foreign suppliers and/or regularly perform wire transfer payments. These sophisticated scams are carried out by fraudsters who compromise email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. These attacks are hard to stop because they contain no malicious links or attachments, only a message that appears to come from a trusted sender and requests a transfer of funds.

    The FBI Internet Crime Complaint Center (IC3) reported in July 2018 that from October 2013 to May 2018, total worldwide losses for known BEC scams reached $12.5 billion.

  5. Malicious PDF files and Office doc attachments
    Email attachments are a popular delivery mechanism for malicious payloads, such as ransomware and never-before-seen malware. SonicWall Capture Labs threat researchers recently found a substantial increase in malicious or fraudulent PDF files. These fraud campaigns take advantage of recipients' trust in PDF as a "safe" file format that is widely used and relied upon for business operations. I recommend reading "New PDF Fraud Campaign Spotlights Shifting Cybercriminal Phishing Tactics," written by Dmitriy Ayrapetov, Executive Director of Product Management, to learn more about these types of phishing campaigns and how you can stop them.
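Tactic 1 above describes phishing links hidden behind URL shorteners and chains of redirects. The following is an added Python example, not SonicWall's code, of how an analyst or gateway can triage such links statically: it unwraps open-redirect parameters by parsing only (nothing is fetched, so the landing page is never executed and the phisher is never signalled), flags shortener hosts and punycode labels, and catches look-alike hostnames that embed a protected brand name. The shortener list, protected-brand list, allowlist, homoglyph table and sample links are all assumptions standing in for real threat-intel and organisation data.

```python
"""Static triage of links pulled from a suspect email (added example).

Nothing here is fetched: redirect parameters are unwrapped by parsing only,
so analysis never executes the landing page or beacons to the attacker.
"""
from urllib.parse import urlsplit, parse_qsl

# Assumed lists; a real deployment feeds these from threat intel and org config.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
REDIRECT_PARAMS = {"url", "u", "redirect", "redir", "next", "target", "dest", "continue", "return"}
PROTECTED_DOMAINS = {"microsoft.com", "office.com", "sharepoint.com", "onedrive.com"}
# Legitimate sibling domains that embed a protected brand name (assumed allowlist).
ALLOWED_DOMAINS = {"microsoftonline.com", "office365.com", "live.com"}
# Character substitutions commonly used in look-alike hostnames.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b", "rn": "m", "vv": "w"}


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Simplification: no public-suffix list, so a
    host under 'example.co.uk' would reduce to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def unwrap_redirects(url: str, max_hops: int = 5) -> list:
    """Follow open-redirect style parameters (?url=https://...) by parsing only."""
    chain = [url]
    for _ in range(max_hops):
        query = urlsplit(chain[-1]).query
        nested = None
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.lower() in REDIRECT_PARAMS and value.lower().startswith(("http://", "https://")):
                nested = value  # parse_qsl has already percent-decoded the value
                break
        if nested is None or nested in chain:  # no further hop, or a loop
            break
        chain.append(nested)
    return chain


def normalize_host(host: str) -> str:
    """Undo digit/letter substitutions so 'micr0soft' compares as 'microsoft'."""
    h = host.lower().replace("-", "")
    for fake, real in HOMOGLYPHS.items():
        h = h.replace(fake, real)
    return h


def lookalike_brands(host: str) -> list:
    """Protected brands whose name appears in the host while the registrable
    domain is neither the brand's own nor an allowlisted sibling, e.g.
    login.microsoft.com.evil.net or micr0soft-login.com."""
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS or reg in ALLOWED_DOMAINS:
        return []
    norm = normalize_host(host)
    return sorted(b for b in PROTECTED_DOMAINS if b.split(".")[0] in norm)


def assess_url(url: str) -> dict:
    """Return the unwrapped redirect chain plus the reasons to distrust it."""
    chain = unwrap_redirects(url)
    flags = []
    for hop in chain:
        host = urlsplit(hop).hostname or ""
        if host in SHORTENER_HOSTS:
            flags.append(f"shortener:{host}")
        if any(label.startswith("xn--") for label in host.split(".")):
            flags.append(f"punycode:{host}")  # IDN label; inspect the decoded form
        for brand in lookalike_brands(host):
            flags.append(f"lookalike:{brand}:{host}")
    if len(chain) > 1:
        flags.append(f"redirect-chain:{len(chain)}")
    return {"chain": chain, "final": chain[-1], "flags": flags}


if __name__ == "__main__":
    # Constructed sample links, not taken from a real campaign.
    for sample in (
        "https://t.co/AbC?url=https%3A%2F%2Flogin.micr0soft.com.example-cdn.net%2Fowa%2F",
        "https://login.microsoftonline.com/common/oauth2",
        "https://xn--example-abc.com/login",
    ):
        print(assess_url(sample))
```

Two caveats matter in practice. Brand-name matching alone flags legitimate sibling domains such as login.microsoftonline.com, which is why the allowlist exists; and a shortener that resolves server-side (bit.ly, t.co) cannot be unwrapped without a request, so those hops should be expanded in a sandbox that follows redirects with a HEAD request rather than from the analyst's workstation.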

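Tactic 4 above notes that BEC messages carry no link or attachment to detonate, so what remains to examine is the headers and the ask itself. The following is an added Python example, not SonicWall's code, of that triage: it flags an executive's display name on a foreign address, a Reply-To routed away from the shown sender, a look-alike sender domain within two edits of the company's own, and an urgent financial request in the subject or body. The organisation domain, executive directory, keyword lists and the three messages are all constructed assumptions.

```python
"""Header and content heuristics for impersonation / BEC triage (added example).

The directory, domain, word lists and messages are assumptions standing in
for the defended organisation's own data.
"""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"  # assumed defended domain
EXECUTIVES = {                   # assumed directory: display name -> real address
    "jane doe": "jane.doe@example-corp.com",
    "john roe": "john.roe@example-corp.com",
}
MONEY_WORDS = ("wire", "transfer", "invoice", "bank details", "payment", "gift card")
URGENCY_WORDS = ("urgent", "asap", "immediately", "confidential", "in a meeting")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike sender domains (examp1e-corp.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_bec(raw: str) -> dict:
    """Parse one RFC 5322 message and return the impersonation signals found."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = reply_to.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body is not None else "").lower()
    haystack = str(msg.get("Subject", "")).lower() + "\n" + text

    flags = []
    key = " ".join(name.lower().split())
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        flags.append("display-name-spoof")      # exec's name on a foreign address
    if reply_to and reply_domain != from_domain:
        flags.append("reply-to-mismatch")       # replies go somewhere other than the shown sender
    if from_domain != ORG_DOMAIN and levenshtein(from_domain, ORG_DOMAIN) <= 2:
        flags.append("lookalike-sender-domain")  # one or two characters off the real domain
    if any(w in haystack for w in MONEY_WORDS) and any(w in haystack for w in URGENCY_WORDS):
        flags.append("urgent-financial-request")
    return {"from": addr, "reply_to": reply_to, "flags": flags, "score": len(flags)}


# Constructed messages, not real captures.
SAMPLE_SPOOFED = """\
From: "Jane Doe" <jane.doe.ceo@gmail.com>
Reply-To: jane.doe.ceo@outlook.com
To: accounts-payable@example-corp.com
Subject: Urgent wire transfer
Date: Mon, 4 Mar 2019 09:12:00 +0000

Hi, I'm in a meeting and need you to process a wire transfer to a new supplier
immediately. Keep this confidential. I'll send the bank details shortly.
"""

SAMPLE_LOOKALIKE = """\
From: "Jane Doe" <jane.doe@examp1e-corp.com>
To: accounts-payable@example-corp.com
Subject: Invoice payment

Please pay the attached invoice today, it is urgent.
"""

SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: staff@example-corp.com
Subject: Q1 roadmap

Please review the attached Q1 roadmap before Thursday.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SPOOFED, SAMPLE_LOOKALIKE, SAMPLE_LEGIT):
        print(analyze_bec(sample))
```

These heuristics supplement, rather than replace, SPF, DKIM and DMARC enforcement on the organisation's own domain. Note also that a genuinely compromised executive mailbox (the "computer intrusion" case in the FBI's definition above) passes every header check here, which is why a callback on a known number before any payment or bank-detail change remains the control that actually stops the wire.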

SonicWall Staff