Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/7/2019
06:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Phishing Attacks Evolve as Detection & Response Capabilities Improve

Social engineering scam continued to be preferred attack vector last year, but attackers were forced to adapt and change.

The growing sophistication of tools and techniques for protecting people against phishing scams is forcing attackers to adapt and evolve their methods.

A Microsoft analysis of data collected from users of its products and services between January 2018 and the end of December showed phishing was the top attack vector for yet another year. The proportion of inbound emails containing phishing messages surged 250% between the beginning and end of 2018. Phishing emails were used to distribute a wide variety of malware, including zero-day payloads.

However, the growing use of anti-phishing controls and advances in enterprise detection, investigation, and response capabilities is forcing attackers to change their strategies as well. Microsoft said.

For one thing, phishing attacks are becoming increasingly polymorphic. Rather than using a single URL, IP address, or domain to send phishing emails, attackers last year began using varied infrastructure to launch attacks, making them harder to filter out and stop.

Microsoft said its analysis shows attackers are trying to avoid detection by using public and hosted cloud infrastructures to hide among legitimate sites and assets. "For example, attackers increasingly use popular document sharing and collaboration sites and services to distribute malicious payloads and fake login forms that are used to steal user credentials," Microsoft said. "There has also been an increase in the use of compromised accounts to further distribute malicious emails both inside and outside an organization."

The nature of phishing attacks is changing as well, Microsoft said. Many phishing campaigns last year combined attacks that were active for just a few minutes with much longer-lasting, high-volume attacks. Others were "serial variants attacks," where attackers sent small volumes of mail on successive days, the software vendor said.

Like they used any malware, criminals last year used phishing in broad-based attacks and in narrowly focused, targeted ones. As one example of a highly targeted campaign, Microsoft pointed to Ursnif, a phishing campaign that used highly localized and customized content to try and trick a relatively small set of recipients into clicking on malicious links. The campaign involved phishing emails with content that appeared to come from a legitimate business in the same city or general geographic area as the intended victim. "Such attacks are quite different from broad-based campaigns and appear to be more legitimate and trustworthy," Microsoft said.

The continued innovation around phishing is worrisome, says Usman Rahim, digital trust analyst at The Media Trust. On the one hand, phishing-attack costs are increasing for hackers. "Attackers have to put in a lot of effort in terms of creating new techniques using the latest technology," he says. But even as defenders are getting better at spotting and stopping phishing attacks, threat actors are finding new ways to escape detection, to persist on infected systems, and to find new infection tactics, he says. "New techniques or tools are certainly making it harder for attackers to compromise the network."

However, once an attacker successfully breaks into a company, network, or service, the reward is also big, he says. Attackers also have a broader range of devices to target in phishing attacks, Rahim says. "Mobile and other IoT devices are getting targeted specifically as they do not have the same defense as other protected devices."

On another front, Microsoft's analysis of 2018 threat data showed a significant drop-off in ransomware attacks. The WannaCry and NotPetya outbreaks of 2017 had many believing ransomware attacks would increase last year. However, they declined as much as 60% between March and December 2018 as end users and enterprises became more aware of the threat and how to deal with it. Businesses also exercised greater caution in backing up important files so data could be quickly restored if encrypted in a ransomware attack, Microsoft said.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
John_in_SF
50%
50%
John_in_SF,
User Rank: Apprentice
3/15/2019 | 7:55:07 PM
quite a sentence
Had to read it three times to figure out what it was attempting to say: "Like they used any malware, criminals last year used phishing in broad-based attacks and in narrowly focused, targeted ones."
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.