Attacks/Breaches

3/7/2019
06:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Phishing Attacks Evolve as Detection & Response Capabilities Improve

Social engineering scam continued to be preferred attack vector last year, but attackers were forced to adapt and change.

The growing sophistication of tools and techniques for protecting people against phishing scams is forcing attackers to adapt and evolve their methods.

A Microsoft analysis of data collected from users of its products and services between January 2018 and the end of December showed phishing was the top attack vector for yet another year. The proportion of inbound emails containing phishing messages surged 250% between the beginning and end of 2018. Phishing emails were used to distribute a wide variety of malware, including zero-day payloads.

However, the growing use of anti-phishing controls and advances in enterprise detection, investigation, and response capabilities is forcing attackers to change their strategies as well. Microsoft said.

For one thing, phishing attacks are becoming increasingly polymorphic. Rather than using a single URL, IP address, or domain to send phishing emails, attackers last year began using varied infrastructure to launch attacks, making them harder to filter out and stop.

Microsoft said its analysis shows attackers are trying to avoid detection by using public and hosted cloud infrastructures to hide among legitimate sites and assets. "For example, attackers increasingly use popular document sharing and collaboration sites and services to distribute malicious payloads and fake login forms that are used to steal user credentials," Microsoft said. "There has also been an increase in the use of compromised accounts to further distribute malicious emails both inside and outside an organization."

The nature of phishing attacks is changing as well, Microsoft said. Many phishing campaigns last year combined attacks that were active for just a few minutes with much longer-lasting, high-volume attacks. Others were "serial variants attacks," where attackers sent small volumes of mail on successive days, the software vendor said.

Like they used any malware, criminals last year used phishing in broad-based attacks and in narrowly focused, targeted ones. As one example of a highly targeted campaign, Microsoft pointed to Ursnif, a phishing campaign that used highly localized and customized content to try and trick a relatively small set of recipients into clicking on malicious links. The campaign involved phishing emails with content that appeared to come from a legitimate business in the same city or general geographic area as the intended victim. "Such attacks are quite different from broad-based campaigns and appear to be more legitimate and trustworthy," Microsoft said.

The continued innovation around phishing is worrisome, says Usman Rahim, digital trust analyst at The Media Trust. On the one hand, phishing-attack costs are increasing for hackers. "Attackers have to put in a lot of effort in terms of creating new techniques using the latest technology," he says. But even as defenders are getting better at spotting and stopping phishing attacks, threat actors are finding new ways to escape detection, to persist on infected systems, and to find new infection tactics, he says. "New techniques or tools are certainly making it harder for attackers to compromise the network."

However, once an attacker successfully breaks into a company, network, or service, the reward is also big, he says. Attackers also have a broader range of devices to target in phishing attacks, Rahim says. "Mobile and other IoT devices are getting targeted specifically as they do not have the same defense as other protected devices."

On another front, Microsoft's analysis of 2018 threat data showed a significant drop-off in ransomware attacks. The WannaCry and NotPetya outbreaks of 2017 had many believing ransomware attacks would increase last year. However, they declined as much as 60% between March and December 2018 as end users and enterprises became more aware of the threat and how to deal with it. Businesses also exercised greater caution in backing up important files so data could be quickly restored if encrypted in a ransomware attack, Microsoft said.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
John_in_SF
50%
50%
John_in_SF,
User Rank: Apprentice
3/15/2019 | 7:55:07 PM
quite a sentence
Had to read it three times to figure out what it was attempting to say: "Like they used any malware, criminals last year used phishing in broad-based attacks and in narrowly focused, targeted ones."
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18643
PUBLISHED: 2019-04-25
GitLab CE & EE 11.2 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 have Persistent XSS.
CVE-2018-19359
PUBLISHED: 2019-04-25
GitLab Community and Enterprise Edition 8.9 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 has Incorrect Access Control.
CVE-2019-11488
PUBLISHED: 2019-04-25
Incorrect Access Control in the Account Access / Password Reset Link in SimplyBook.me Enterprise before 2019-04-23 allows Unauthorized Attackers to READ/WRITE Customer or Administrator data via a persistent HTTP GET Request Hash Link Replay, as demonstrated by a login-link from the browser history.
CVE-2019-11489
PUBLISHED: 2019-04-25
Incorrect Access Control in the Administrative Management Interface in SimplyBook.me Enterprise before 2019-04-23 allows Authenticated Low-Priv Users to Elevate Privileges to Full Admin Rights via a crafted HTTP PUT Request, as demonstrated by modified JSON data to a /v2/rest/ URI.
CVE-2019-3720
PUBLISHED: 2019-04-25
Dell EMC Open Manage System Administrator (OMSA) versions prior to 9.3.0 contain a Directory Traversal Vulnerability. A remote authenticated malicious user with admin privileges could potentially exploit this vulnerability to gain unauthorized access to the file system by exploiting insufficient san...