Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/22/2019
04:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft Tops Phishers' Favorite Brands as Facebook Spikes

Microsoft remains the favorite brand to spoof in phishing campaigns, but more attackers are impersonating Facebook.

Cybercriminals often exploit victims' familiarity with popular brands to manipulate them into falling for phishing campaigns. Microsoft is the most common brand to spoof, researchers report, with PayPal in second place and Facebook rapidly catching up in a close third.

The "Phisher's Favorites" report, released today by Vade Secure, ranks the 25 most impersonated brands in phishing attacks based on unique phishing URLs detected within each quarter. Microsoft has held the top spot every time, a trend it continued in the second quarter of 2019, when 20,217 unique Microsoft phishing URLs were detected — more than 222 per day. This marks a 6.8% decline from the first quarter but a 15.5% increase from Vade Secure's first report. (The report is now in its fifth edition.)

Microsoft remains phishers' favorite due to its size and the high value of Office 365 credentials, explains Adrien Gendre, chief solutions architect at Vade Secure. Its latest quarterly earnings reported more than 180 million active monthly enterprise users on Office 365; IDC estimates the platform makes up 47.6% of enterprise cloud email implementations. Office credentials offer a single point of entry to files, data, and contacts in SharePoint, OneDrive, and Skype.

"While hacked Office 365 credentials can certainly be used to access sensitive company information and files, the real driver is east-west movement via insider attacks," says Gendre of attackers' motivation. "Detecting display name spoofing or close cousin domains is relatively easy; detecting attacks coming from legitimate email accounts is much harder."

It's easy to manipulate employees with fake Microsoft emails because the Office 365 platform "is the lifeblood of businesses," he continues. Most can't do their jobs without access to email, chat, and other productivity and file management tools, which is why they're compelled to take action when an email appears notifying them their Office 365 account has been suspended. Other phishing attacks may contain links to OneDrive or SharePoint documents, Vade analysts found.

Microsoft beat PayPal by more than 4,300 phishing URLs in the second quarter, but emails impersonating the payment service were up nearly 112% year-over-year. A global user base makes it a popular target, and stealing PayPal credentials leads to quick payback for attackers. Most PayPal phishing emails claim a recipient's account has been blocked or suspended, prompting them to go to a fraudulent page to confirm or restore their account.

Phishers Get Social
Facebook isn't far behind: After a consistent decline in the second half of 2018, URLs spoofing the social media giant spiked 155% in the first quarter of 2019 and 175.8% in the second quarter. "The fact that Facebook phishing has increased significantly for two straight quarters is indication to me that these attacks are working," Gendre says. Headlines about Facebook's privacy issues, and communications from the company about updates to its terms of use and privacy policies, also give attackers opportunity to strike.

The increase may also be attributed to Facebook Login, or the social sign-on using Facebook accounts. With Facebook credentials, attackers can see which other apps a user has authorized with Facebook Login and compromise those accounts. With access to Facebook Messenger, they may also target a victim's contacts with additional phishing scams, Gendre points out.

Still, he doesn't think the growth will last. "The reason is that the potential payback isn't as direct as it is for Microsoft and PayPal," he says. "There also isn't a strong corporate angle, which is where most hackers are increasingly setting their sights."

Social media also saw the most quarter-over-quarter growth of all industries; phishing in this sector accelerated from 74.7% in the first quarter of 2019 to 130.7% in the second, entirely driven by Facebook phishing URLs. Still, social media phishing campaigns only made up 16% compared with other industries, putting the industry in third. Cloud is still in the top spot (37%), followed by financial services (33%).

Amazon Rises Up the Ranks
One of the findings that surprised Gendre most was the growth in Amazon phishing, which increased 182.6% throughout the first quarter and 411.5% year-over-year. But the spike wasn't what stood out to him — it's the fact Amazon wasn't a popular target sooner.

"Amazon is one of those brands that straddles the consumer and corporate worlds and could thus be an effective lure for both audiences," he explains. "No one wants to have an order canceled because of a declined payment, or they want to know immediately about a delay with their shipment."

There was a spike in Amazon phishing URLs on May 5, around the time reports surfaced of a new Amazon phishing kit. Another spike occurred on June 19 after Prime Day was announced. Analysts noticed a wide variety of Amazon phishing emails, which manipulate victims with messages about Amazon rewards, loyalty vouchers, "exclusive product," or "special surprise."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "You Gotta Reach 'Em to Teach 'Em."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
8/26/2019 | 10:45:29 AM
Resources should go into Email Phishing, Web and Cloud attacks

Based on the statistics provided, it seems that companies should put more money in defending against phishing, web and cloud attacks (especially S3 configuration). In addition, we should look into utilzing WAF design where the application looks at the number of counts someone tries to access a webserver (anything over 10-20 times) and they get the 401-404 error codes, this needs to be an automated action.



In addition, if we are not dealing with major countries or nation-states, then why not block entire countries; especially those that pose the greatest risk/threat.

Finally, we need to integrate into the mix a global phishing campaign where the attackers put in a email filtering list that updates it from the global providers like Google, Amazon, Microsoft, Cisco, Yahoo, IBM, Verizon and others to help thwart these attacks (utilize machine learning to comb through all of the data to come up with a score or ranking based on the type of attack (quantify the attack vector and threat, anything between 50-60% is put into an pending pool, 60-80% a warning or notification is sent and 80-100% it is automatically blocked by the software - tiered approach)



 Todd
HezalA443
50%
50%
HezalA443,
User Rank: Apprentice
8/23/2019 | 3:48:56 AM
Good Post
It was good to read your post.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4590
PUBLISHED: 2020-09-21
IBM WebSphere Application Server Liberty 17.0.0.3 through 20.0.0.9 running oauth-2.0 or openidConnectServer-1.0 server features is vulnerable to a denial of service attack conducted by an authenticated client. IBM X-Force ID: 184650.
CVE-2020-4731
PUBLISHED: 2020-09-21
IBM Aspera Web Application 1.9.14 PL1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188055.
CVE-2020-4315
PUBLISHED: 2020-09-21
IBM Business Automation Content Analyzer on Cloud 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the i...
CVE-2020-4579
PUBLISHED: 2020-09-21
IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a specially crafted HTTP/2 request with invalid characters. IBM X-Force ID: 184438.
CVE-2020-4580
PUBLISHED: 2020-09-21
IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a specially crafted a JSON request with invalid characters. IBM X-Force ID: 184439.