Phishing is an online threat that doesn’t seem to go away, in particular, because it has been very effective. Our H1 2020 Attack Landscape report has indicated that email still remains the preferred method for malicious threat actors for delivering spam, phishing and other malicious content.
The current pandemic that is going on in the real world has not changed or slowed down the pace of malicious threat activities in the cyber world. Phishing emails remain rampant, and with most organization infrastructures shifting to cloud and with the proliferation of remote work and studies, the phishing themes have also shifted to target credentials of those tools and platforms.
In this post, we review the statistics of the phishing emails we have seen since October 2020.
Web and application hosting services a popular choice
The top 3 domains seen hosting phishing pages come from web or application hosting services while the rest are mostly compromised domains.
Figure 1: Breakdown of the top 20 domains seen hosting phishing pages
These hosting services have recently become a popular choice for the attackers because the cost involved in setting up a webpage is relatively low or sometimes even free for basic use. As phishing pages are oftentimes taken down quite quickly after being reported, the use of hosting services enables threat actors to generate and switch their pages rapidly without substantial downtime.
By placing phishing pages to hosting services, threat actors also try to add a layer of legitimacy for the users as those services provide SSL certificates (reflected in the “https” prefix in the URLs). We expect this to remain as a popular choice for threat actors because it saves their resources and efforts of identifying domains or web servers that they could compromise before hosting their phishing pages.
Microsoft O365 credentials increased in popularity
As indicated in our H1 2020 Attack Landscape report, Facebook remains the most frequently spoofed brand in phishing emails. Webmail and cloud application providers have been inching up the popularity list in the recent months. That said, spoofed financial institution emails still make a bulk of what we have seen, as reflected in the sector breakdown table below.
Facebook, Inc. 23% Outlook 11% Office365 9% Russian Post 9% Halifax Bank of Scotland Plc 8% Lloyds TSB Group 4% Amazon.com Inc. 4% PayPal Inc. 4% WhatsApp 4% Chase Personal Banking 4% Webmail Providers 3% RuneScape 3% Bank of America 2% LinkedIn Corporation 2% Orange 2% Netflix Inc. 2% DHL Airways, Inc. 2% eBay Inc. 2% Microsoft OneDrive 2% Apple Inc. 2%
Table 1: Top 20 brands spoofed in phishing email
Financial 29% Social Networking 20% Online/Cloud Service 15% Email Provider 9% Logistics & Couriers 8% Telecommunications 6% e-Commerce 5% Payment Service 4% Gaming 2% Government 2%
Table 2: Breakdown of the sectors used as phishing email themes
Microsoft O365 credentials are a popular target as organization are intensifying their migration to cloud applications to better support remote workers.
Figure 2: Example of Microsoft O365 phishing email
Figure 3: Fake Microsoft O365 password expiry email
Figure 4: Fake Microsoft O365 VoIP system email
Financial themed phishing emails continue to be used
While cloud application credentials may be useful for threat actors to gain initial access to an organization, financial institution credentials remain a lucrative target for monetaryContinue reading