Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/7/2019
06:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Phishing Attacks Evolve as Detection & Response Capabilities Improve

Social engineering scam continued to be preferred attack vector last year, but attackers were forced to adapt and change.

The growing sophistication of tools and techniques for protecting people against phishing scams is forcing attackers to adapt and evolve their methods.

A Microsoft analysis of data collected from users of its products and services between January 2018 and the end of December showed phishing was the top attack vector for yet another year. The proportion of inbound emails containing phishing messages surged 250% between the beginning and end of 2018. Phishing emails were used to distribute a wide variety of malware, including zero-day payloads.

However, the growing use of anti-phishing controls and advances in enterprise detection, investigation, and response capabilities is forcing attackers to change their strategies as well. Microsoft said.

For one thing, phishing attacks are becoming increasingly polymorphic. Rather than using a single URL, IP address, or domain to send phishing emails, attackers last year began using varied infrastructure to launch attacks, making them harder to filter out and stop.

Microsoft said its analysis shows attackers are trying to avoid detection by using public and hosted cloud infrastructures to hide among legitimate sites and assets. "For example, attackers increasingly use popular document sharing and collaboration sites and services to distribute malicious payloads and fake login forms that are used to steal user credentials," Microsoft said. "There has also been an increase in the use of compromised accounts to further distribute malicious emails both inside and outside an organization."

The nature of phishing attacks is changing as well, Microsoft said. Many phishing campaigns last year combined attacks that were active for just a few minutes with much longer-lasting, high-volume attacks. Others were "serial variants attacks," where attackers sent small volumes of mail on successive days, the software vendor said.

Like they used any malware, criminals last year used phishing in broad-based attacks and in narrowly focused, targeted ones. As one example of a highly targeted campaign, Microsoft pointed to Ursnif, a phishing campaign that used highly localized and customized content to try and trick a relatively small set of recipients into clicking on malicious links. The campaign involved phishing emails with content that appeared to come from a legitimate business in the same city or general geographic area as the intended victim. "Such attacks are quite different from broad-based campaigns and appear to be more legitimate and trustworthy," Microsoft said.

The continued innovation around phishing is worrisome, says Usman Rahim, digital trust analyst at The Media Trust. On the one hand, phishing-attack costs are increasing for hackers. "Attackers have to put in a lot of effort in terms of creating new techniques using the latest technology," he says. But even as defenders are getting better at spotting and stopping phishing attacks, threat actors are finding new ways to escape detection, to persist on infected systems, and to find new infection tactics, he says. "New techniques or tools are certainly making it harder for attackers to compromise the network."

However, once an attacker successfully breaks into a company, network, or service, the reward is also big, he says. Attackers also have a broader range of devices to target in phishing attacks, Rahim says. "Mobile and other IoT devices are getting targeted specifically as they do not have the same defense as other protected devices."

On another front, Microsoft's analysis of 2018 threat data showed a significant drop-off in ransomware attacks. The WannaCry and NotPetya outbreaks of 2017 had many believing ransomware attacks would increase last year. However, they declined as much as 60% between March and December 2018 as end users and enterprises became more aware of the threat and how to deal with it. Businesses also exercised greater caution in backing up important files so data could be quickly restored if encrypted in a ransomware attack, Microsoft said.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
John_in_SF
50%
50%
John_in_SF,
User Rank: Apprentice
3/15/2019 | 7:55:07 PM
quite a sentence
Had to read it three times to figure out what it was attempting to say: "Like they used any malware, criminals last year used phishing in broad-based attacks and in narrowly focused, targeted ones."
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15864
PUBLISHED: 2021-01-17
An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field, that executes a payload when the user visits the /Account/Login page.
CVE-2021-3113
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...