Vade Secure, the global leader in predictive email defense, today published the results of its Phishers' Favorites report for Q1 2019, which reveals that social media phishing, primarily Facebook and Instagram, saw the highest quarter-over-quarter growth of any industry with a 74.7 percent increase. While Facebook has been in the top 10 since the report's inception, Instagram cracked the top 25 for the first time, taking the #24 spot on the Phishers' Favorites list.
With the headlines about Facebook storing hundreds of millions of user passwords in plain text, and requiring some new users' email passwords in order to sign up, Vade Secure believes that hackers could have been taking advantage of the confusion and concerns of Facebook users to lure them into clicking on phishing pages. The company also detected the same phishing attack that was publicized in early March around Instagram phishing emails claiming to offer a verified Instagram badge to trick recipients into providing their credentials.
Microsoft remains the most phished brand, as hacker techniques continue to evolve
Overall, Microsoft remained the most impersonated brand in phishing attacks for the fourth straight quarter. Microsoft's sustained popularity with hackers stems from the lucrativeness of Office 365 credentials, which provide a single entry point to the entire Office 365 suite while enabling attackers to conduct multi-phased attacks using the compromised accounts.
Moreover, analysis of phishing emails and pages reveals that attackers are getting increasingly sophisticated with attacks targeting corporate email users. A few techniques include:
- Mirroring real brand assets. With Office 365 phishing attacks, cybercriminals will often mirror the actual Office 365 login page, pulling JavaScript and CSS directly from the legitimate website and inserting their own script to harvest credentials - making sure that the phishing page is virtually indistinguishable from the real thing.
- Redirecting to legitimate content. Vade research found that many Microsoft phishing pages actually redirected users to legitimate Microsoft pages once they'd submitted their credentials, in an attempt to convince them that nothing was amiss. In addition, the "reply-to" address in some phishing emails was a legitimate Microsoft email: support@microsoft.com.
- Mixing safe and malicious URLs. In the case of Netflix phishing (the #3 most impersonated brand), the emails sent to targets contained as many as six or seven legitimate Netflix links along with one malicious link. This technique is aimed at fooling both reputation-based email filters and users, who check one or two links and then assume that the entire email is legitimate.
- Preying upon mobile email readers. Many Netflix users do not sign up for accounts using their corporate email address; yet Vade found that corporate users are often the targets of Netflix phishing. Because of the way email is viewed on mobile devices - often multiple accounts from one app - cybercriminals are likely hoping that users won't notice, assuming that the email was sent to their correct address.
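Two of the patterns above (a handful of genuine brand links padding out one odd link, and a legitimate-looking Reply-To that does not match the sender) can be turned into simple mail-filter checks. The script below is an added example written for this page, not Vade Secure's code; the brand-domain list and the sample message are constructed assumptions, and the registrable-domain logic is deliberately crude.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the impersonated brand legitimately uses (assumed list for this example).
BRAND_DOMAINS = {"microsoft.com", "office.com", "live.com"}

# Constructed sample message: four genuine brand links padding out one odd link,
# plus a legitimate-looking Reply-To that does not match the sending domain.
SAMPLE_EMAIL = """From: Microsoft Account Team <no-reply@secure-login.example>
Reply-To: support@microsoft.com
Subject: Unusual sign-in activity
Content-Type: text/html; charset=utf-8

<p>Review activity at <a href="https://account.microsoft.com/security">Security</a>,
<a href="https://support.microsoft.com/">Support</a>,
<a href="https://www.office.com/">Office</a>,
<a href="https://privacy.microsoft.com/">Privacy</a>.</p>
<p><a href="https://office365-verify.example/login">Verify your account now</a></p>
"""

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)

def registered_domain(host_or_url):
    """Crude registrable domain: the last two labels of the host (no public-suffix list)."""
    host = urlparse(host_or_url).hostname if "://" in host_or_url else host_or_url
    labels = (host or "").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else (host or "")

def odd_links_out(raw_email, brand_domains=BRAND_DOMAINS):
    """Return links that are not on a brand domain, but only when brand links are
    the majority: the 'mixing safe and malicious URLs' pattern, not a generic newsletter."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    links = HREF_RE.findall(body)
    brand = [u for u in links if registered_domain(u) in brand_domains]
    odd = [u for u in links if registered_domain(u) not in brand_domains]
    return odd if brand and len(odd) < len(brand) else []

def reply_to_mismatch(raw_email):
    """True when Reply-To sits on a different registered domain than From."""
    msg = message_from_string(raw_email)
    from_domain = registered_domain(parseaddr(msg["From"])[1].split("@")[-1])
    reply_domain = registered_domain(parseaddr(msg.get("Reply-To", ""))[1].split("@")[-1])
    return bool(reply_domain) and reply_domain != from_domain
```

Both checks are heuristics meant to raise a score, not to block on their own: legitimate marketing mail also mixes domains, so the odd links are best fed to URL reputation or sandbox analysis.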
"It seems like every quarter cybercriminals are upping their game and getting increasingly sophisticated, and Q1 2019 was no exception," said Adrien Gendre, Chief Solution Architect, Vade Secure. "These hackers are now intimately familiar with how both consumer and corporate email users interact with the internet and are constantly evolving their techniques to trick users into clicking malicious links and providing their credentials. Multi-phased attacks are still on the rise as well, so all email users must be sure to keep a critical eye out for phishing and spear phishing emails, and organizations must take a comprehensive approach combining technology and training to protect their employees."
As with the previous editions, the Phishers' Favorites report was compiled by tallying the number of unique phishing URLs detected by Vade Secure and made publicly available on www.IsItPhishing.AI. Leveraging data from more than 600 million protected mailboxes worldwide, Vade's machine learning algorithms identify the brand being impersonated as part of their real-time analysis of the URL and page content.