Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/22/2019
04:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft Tops Phishers' Favorite Brands as Facebook Spikes

Microsoft remains the favorite brand to spoof in phishing campaigns, but more attackers are impersonating Facebook.

Cybercriminals often exploit victims' familiarity with popular brands to manipulate them into falling for phishing campaigns. Microsoft is the most common brand to spoof, researchers report, with PayPal in second place and Facebook rapidly catching up in a close third.

The "Phisher's Favorites" report, released today by Vade Secure, ranks the 25 most impersonated brands in phishing attacks based on unique phishing URLs detected within each quarter. Microsoft has held the top spot every time, a trend it continued in the second quarter of 2019, when 20,217 unique Microsoft phishing URLs were detected — more than 222 per day. This marks a 6.8% decline from the first quarter but a 15.5% increase from Vade Secure's first report. (The report is now in its fifth edition.)

Microsoft remains phishers' favorite due to its size and the high value of Office 365 credentials, explains Adrien Gendre, chief solutions architect at Vade Secure. Its latest quarterly earnings reported more than 180 million active monthly enterprise users on Office 365; IDC estimates the platform makes up 47.6% of enterprise cloud email implementations. Office credentials offer a single point of entry to files, data, and contacts in SharePoint, OneDrive, and Skype.

"While hacked Office 365 credentials can certainly be used to access sensitive company information and files, the real driver is east-west movement via insider attacks," says Gendre of attackers' motivation. "Detecting display name spoofing or close cousin domains is relatively easy; detecting attacks coming from legitimate email accounts is much harder."

It's easy to manipulate employees with fake Microsoft emails because the Office 365 platform "is the lifeblood of businesses," he continues. Most can't do their jobs without access to email, chat, and other productivity and file management tools, which is why they're compelled to take action when an email appears notifying them their Office 365 account has been suspended. Other phishing attacks may contain links to OneDrive or SharePoint documents, Vade analysts found.

Microsoft beat PayPal by more than 4,300 phishing URLs in the second quarter, but emails impersonating the payment service were up nearly 112% year-over-year. A global user base makes it a popular target, and stealing PayPal credentials leads to quick payback for attackers. Most PayPal phishing emails claim a recipient's account has been blocked or suspended, prompting them to go to a fraudulent page to confirm or restore their account.

Phishers Get Social
Facebook isn't far behind: After a consistent decline in the second half of 2018, URLs spoofing the social media giant spiked 155% in the first quarter of 2019 and 175.8% in the second quarter. "The fact that Facebook phishing has increased significantly for two straight quarters is indication to me that these attacks are working," Gendre says. Headlines about Facebook's privacy issues, and communications from the company about updates to its terms of use and privacy policies, also give attackers opportunity to strike.

The increase may also be attributed to Facebook Login, or the social sign-on using Facebook accounts. With Facebook credentials, attackers can see which other apps a user has authorized with Facebook Login and compromise those accounts. With access to Facebook Messenger, they may also target a victim's contacts with additional phishing scams, Gendre points out.

Still, he doesn't think the growth will last. "The reason is that the potential payback isn't as direct as it is for Microsoft and PayPal," he says. "There also isn't a strong corporate angle, which is where most hackers are increasingly setting their sights."

Social media also saw the most quarter-over-quarter growth of all industries; phishing in this sector accelerated from 74.7% in the first quarter of 2019 to 130.7% in the second, entirely driven by Facebook phishing URLs. Still, social media phishing campaigns only made up 16% compared with other industries, putting the industry in third. Cloud is still in the top spot (37%), followed by financial services (33%).

Amazon Rises Up the Ranks
One of the findings that surprised Gendre most was the growth in Amazon phishing, which increased 182.6% throughout the first quarter and 411.5% year-over-year. But the spike wasn't what stood out to him — it's the fact Amazon wasn't a popular target sooner.

"Amazon is one of those brands that straddles the consumer and corporate worlds and could thus be an effective lure for both audiences," he explains. "No one wants to have an order canceled because of a declined payment, or they want to know immediately about a delay with their shipment."

There was a spike in Amazon phishing URLs on May 5, around the time reports surfaced of a new Amazon phishing kit. Another spike occurred on June 19 after Prime Day was announced. Analysts noticed a wide variety of Amazon phishing emails, which manipulate victims with messages about Amazon rewards, loyalty vouchers, "exclusive product," or "special surprise."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "You Gotta Reach 'Em to Teach 'Em."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
8/26/2019 | 10:45:29 AM
Resources should go into Email Phishing, Web and Cloud attacks

Based on the statistics provided, it seems that companies should put more money in defending against phishing, web and cloud attacks (especially S3 configuration). In addition, we should look into utilzing WAF design where the application looks at the number of counts someone tries to access a webserver (anything over 10-20 times) and they get the 401-404 error codes, this needs to be an automated action.



In addition, if we are not dealing with major countries or nation-states, then why not block entire countries; especially those that pose the greatest risk/threat.

Finally, we need to integrate into the mix a global phishing campaign where the attackers put in a email filtering list that updates it from the global providers like Google, Amazon, Microsoft, Cisco, Yahoo, IBM, Verizon and others to help thwart these attacks (utilize machine learning to comb through all of the data to come up with a score or ranking based on the type of attack (quantify the attack vector and threat, anything between 50-60% is put into an pending pool, 60-80% a warning or notification is sent and 80-100% it is automatically blocked by the software - tiered approach)



 Todd
HezalA443
50%
50%
HezalA443,
User Rank: Apprentice
8/23/2019 | 3:48:56 AM
Good Post
It was good to read your post.
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1817
PUBLISHED: 2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information.
CVE-2013-2091
PUBLISHED: 2019-11-20
SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.
CVE-2012-1257
PUBLISHED: 2019-11-20
Pidgin 2.10.0 uses DBUS for certain cleartext communication, which allows local users to obtain sensitive information via a dbus session monitor.
CVE-2013-1816
PUBLISHED: 2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attackers to cause a denial of service (application crash) by sending a specially crafted request.
CVE-2011-4455
PUBLISHED: 2019-11-20
Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php.