Intelligent CIO Africa Issue 47 | Page 20

PHISHING ATTACKS WILL CONTINUE TO BE SUCCESSFUL AS LONG AS THERE IS A HUMAN THAT CAN BE PSYCHOLOGICALLY MANIPULATED IN SOME WAY.
TRENDING
ever more creative with the names and addresses of their phishing sites.
In 2020 to date, 52% of phishing sites have used target brand names and identities in their website addresses. Using phishing site data from Webroot, F5 Labs discovered that Amazon was the most targeted brand in the second half of 2020. PayPal, Apple, WhatsApp, Microsoft Office, Netflix and Instagram were also among the top 10 most impersonated brands. By tracking the theft of credentials through to their use in active attacks, F5 Labs observed that criminals were attempting to use stolen passwords within four hours of phishing a victim. Some attacks even occurred in real time to enable the capture of multi-factor authentication (MFA) security codes.
Meanwhile, cybercriminals also became more ruthless in their bids to hijack reputable, albeit vulnerable, URLs, often for free. WordPress sites alone accounted for 20% of generic phishing URLs in 2020, up from as little as 4.7% in 2017.
Furthermore, cybercriminals are increasingly cutting costs by using free registrars such as Freenom for certain country code top-level domains (ccTLDs), including .tk, .ml, .ga, .cf and .gq. As a case in point, .tk is now the fifth most popular registered domain in the world.
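As an added example (not from the F5 Labs report or this magazine), the following Python scores URLs against the three address-level indicators this section describes: a target brand name inside a hostname the brand does not own, a Freenom ccTLD, and a path under a compromised WordPress install. The brand-to-domain table, the sample URLs and the additive scoring are constructed assumptions, and the apex-domain extraction is deliberately naive.

```python
"""Score URLs for the address-level phishing indicators described above.

Added illustration; the brand/domain table, sample URLs and scoring are
assumptions, not data from the F5 Labs report.
"""
from urllib.parse import urlparse

# Assumed allow-list of apex domains each brand legitimately uses (illustrative, not exhaustive).
BRAND_DOMAINS = {
    "amazon": {"amazon.com"},
    "paypal": {"paypal.com"},
    "apple": {"apple.com", "icloud.com"},
    "whatsapp": {"whatsapp.com"},
    "office": {"office.com", "microsoft.com"},
    "netflix": {"netflix.com"},
    "instagram": {"instagram.com"},
}
# Freenom ccTLDs the article names as free to register.
FREE_CCTLDS = {"tk", "ml", "ga", "cf", "gq"}
# Path fragments that betray a phish dropped into a compromised WordPress install.
WORDPRESS_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/")


def registered_domain(host: str) -> str:
    """Naive apex extraction: the last two labels of the hostname.

    Wrong for multi-label suffixes such as co.uk; a real deployment should
    use the Public Suffix List (for example via the tldextract package).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def score_url(url: str) -> dict:
    """Return the indicators that fire for one URL plus an additive score."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    apex = registered_domain(host)
    tld = apex.rsplit(".", 1)[-1]
    indicators = []

    # 1. A brand string anywhere in the hostname (subdomain, hyphenated label,
    #    "paypal.com.<attacker-apex>") while the apex is not one the brand owns.
    #    Substring matching catches brand-as-subdomain tricks but will also
    #    fire on words such as "pineapple"; tune the table before production use.
    for brand, owned in BRAND_DOMAINS.items():
        if brand in host and apex not in owned:
            indicators.append(f"brand_in_hostname:{brand}")

    # 2. Registered on a free Freenom ccTLD.
    if tld in FREE_CCTLDS:
        indicators.append(f"free_cctld:.{tld}")

    # 3. Hosted under a WordPress path on some unrelated site.
    if any(marker in parsed.path for marker in WORDPRESS_MARKERS):
        indicators.append("wordpress_path")

    return {"url": url, "apex": apex, "indicators": indicators, "score": len(indicators)}


def triage(urls):
    """Score a batch and return it most suspicious first."""
    return sorted((score_url(u) for u in urls), key=lambda r: r["score"], reverse=True)


# Constructed sample set (not real phishing URLs).
SAMPLE_URLS = [
    "https://www.amazon.com/gp/signin",
    "http://amazon-account-verify.tk/login",
    "https://paypal.com.secure-update.ml/wp-content/uploads/signin.php",
    "https://blog.example.org/wp-includes/netflix/billing.html",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_URLS):
        print(row["score"], row["apex"], row["indicators"], row["url"])
```

Brand matching is restricted to the hostname on purpose: the report counts brand names anywhere in the address, but legitimate sites routinely mention brands in paths, so path matches are better left to a separate, lower-weight rule.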
Hiding in plain sight
2020 also saw phishers intensify efforts to make fraudulent sites appear as genuine as possible. F5 SOC statistics found that most phishing sites leveraged encryption, with a full 72% using valid HTTPS certificates to trick victims. This year, 100% of drop zones (the destinations for stolen data sent by malware) used TLS encryption, up from 89% in 2019.
Combining incidents from 2019 and 2020, F5 Labs additionally reported that 55.3% of drop zones used a non-standard SSL/TLS port; port 446 was used in all instances bar one. An analysis of phishing sites, by contrast, found that 98.2% used standard ports: 80 for cleartext HTTP traffic and 443 for encrypted SSL/TLS traffic.
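The port statistic above suggests a cheap hunt: TLS sessions to a port other than the ones where TLS is expected. As an added example (not from the report), the following Python runs that check over a constructed, simplified Zeek-style conn log and aggregates the hits per destination; the column layout, the sample flows and the set of expected TLS ports are assumptions.

```python
"""Flag TLS sessions to non-standard ports in a Zeek-style conn log.

Added illustration. The log is a constructed, simplified tab-separated sample
(real Zeek conn.log files carry '#fields'/'#types' header lines and more
columns); the expected-port set is a deployment-specific assumption.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict

# Constructed sample: two internal hosts pushing data over TLS to the same
# external host on port 446, alongside ordinary web traffic.
SAMPLE_CONN_LOG = """\
ts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes
1605000001.1\tC1\t10.0.0.12\t51000\t93.184.216.34\t443\ttcp\tssl\t1200
1605000002.4\tC2\t10.0.0.12\t51002\t198.51.100.7\t446\ttcp\tssl\t51200
1605000003.9\tC3\t10.0.0.15\t51010\t203.0.113.9\t80\ttcp\thttp\t800
1605000004.2\tC4\t10.0.0.15\t51011\t203.0.113.9\t443\ttcp\tssl\t900
1605000005.0\tC5\t10.0.0.20\t51020\t198.51.100.7\t446\ttcp\tssl\t73000
"""

# Ports where TLS is expected in this (assumed) environment. Zeek labels a
# TLS session it recognises with service == "ssl" whatever port it runs on,
# which is what makes the port check cheap.
EXPECTED_TLS_PORTS = {443, 8443}


def nonstandard_tls_flows(log_text: str) -> list[dict]:
    """Return every flow Zeek identified as TLS that is not on an expected port."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        port = int(row["id.resp_p"])
        if row["service"] == "ssl" and port not in EXPECTED_TLS_PORTS:
            hits.append({
                "uid": row["uid"],
                "src": row["id.orig_h"],
                "dst": row["id.resp_h"],
                "port": port,
                "bytes_out": int(row["orig_bytes"]),
            })
    return hits


def summarise_by_destination(hits: list[dict]) -> dict[tuple[str, int], dict]:
    """Aggregate hits per (destination, port).

    A drop zone is a destination that many internal hosts upload to, so both
    the number of distinct sources and the outbound byte count matter.
    """
    summary = defaultdict(lambda: {"flows": 0, "sources": set(), "bytes_out": 0})
    for h in hits:
        entry = summary[(h["dst"], h["port"])]
        entry["flows"] += 1
        entry["sources"].add(h["src"])
        entry["bytes_out"] += h["bytes_out"]
    return dict(summary)


if __name__ == "__main__":
    report = summarise_by_destination(nonstandard_tls_flows(SAMPLE_CONN_LOG))
    for (dst, port), entry in report.items():
        print(f"{dst}:{port} flows={entry['flows']} "
              f"sources={len(entry['sources'])} bytes_out={entry['bytes_out']}")
```

Port 446 alone is not a signature worth alerting on; the durable signal is the combination of TLS on an unexpected port, several internal sources and a heavy outbound byte count to one destination.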
Future threats
According to recent research from Shape Security, integrated into the Phishing and Fraud Report for the first time, there are two major phishing trends on the horizon. As bot traffic (botnet) security controls and solutions improve, attackers are starting to embrace click farms: dozens of remote 'workers' systematically attempting to log on to a target website using recently harvested credentials. Because each connection comes from a human using a standard web browser, the fraudulent activity is harder for bot-oriented controls to detect.
Even a relatively low volume of attacks has an impact. As an example, Shape Security analysed 14 million monthly logins at a financial services organisation and recorded a manual fraud rate of 0.4%, the equivalent of 56,000 fraudulent logon attempts a month, and the numbers associated with this type of activity are only set to rise.
Shape Security researchers also recorded an increase in the volume of real-time phishing proxies (RTPP) that can capture and use multi-factor authentication (MFA) codes. The RTPP acts as a person-in-the-middle and intercepts a victim's transactions with a real website. Since the attack occurs in real time, the malicious website can automate the process of capturing and replaying time-based authentication such as MFA codes. It can even steal and reuse session cookies.
Recent real-time phishing proxies in active use include Modlishka and Evilginx2. F5 Labs and Shape Security are set to monitor the growing use of RTPPs in the coming months.
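The relay described in the preceding paragraphs, as an added Python simulation that is not code from the report or from the tools it names. It shows why a time-based code offers no protection when the proxy forwards it within the validity window, why the captured session cookie is enough on its own, and, as the caveat a practitioner would want, that a second factor which signs the origin the browser actually sees cannot be relayed the same way. Hostnames, the user record, the TOTP secret and the use of HMAC as a stand-in for an authenticator's public-key signature are all assumptions.

```python
"""Simulate a real-time phishing proxy relaying a TOTP code and a session cookie.

Added illustration, not code from Modlishka, Evilginx2 or the F5/Shape research.
Hostnames, the user record, the TOTP secret and the HMAC stand-in for a
public-key signature are assumptions.
"""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing `now`."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class RealSite:
    """The genuine login service the victim believes they are talking to."""
    ORIGIN = "https://login.bank.example"  # assumed hostname

    def __init__(self):
        self.users = {"alice": {"password": "correct horse",
                                "totp_secret": b"12345678901234567890",   # RFC 6238 test secret
                                "authenticator_key": b"assumed-authenticator-key"}}
        self.sessions = {}
        self.challenges = {}

    def login(self, user, password, code, now):
        """Password + TOTP; returns a session cookie on success, else None."""
        u = self.users.get(user)
        if u is None or password != u["password"]:
            return None
        # Accept the current window and the previous one, as most servers do.
        if code not in {totp(u["totp_secret"], now), totp(u["totp_secret"], now - 30)}:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)

    def issue_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def verify_origin_bound(self, user, challenge, signature):
        """Accept only a signature over (challenge, *our* origin)."""
        if self.challenges.get(user) != challenge:
            return False
        expected = hmac.new(self.users[user]["authenticator_key"],
                            f"{challenge}|{self.ORIGIN}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)


class Authenticator:
    """Stand-in for a FIDO-style authenticator: signs the challenge together with
    the origin the browser is actually connected to (HMAC replaces the real signature)."""
    def __init__(self, key):
        self.key = key

    def sign(self, challenge, browser_origin):
        return hmac.new(self.key, f"{challenge}|{browser_origin}".encode(), hashlib.sha256).hexdigest()


class RealTimePhishingProxy:
    """Lookalike site that forwards whatever the victim submits to the real site
    immediately and keeps a copy of everything that passes through."""
    ORIGIN = "https://login.bank-secure.tk"  # assumed lookalike on a free ccTLD

    def __init__(self, site):
        self.site = site
        self.captured = []

    def relay_login(self, user, password, code, now):
        # Forwarded within seconds, so the 30-second TOTP window is still open.
        cookie = self.site.login(user, password, code, now + 2)
        self.captured.append({"user": user, "password": password, "code": code, "cookie": cookie})
        return cookie  # the victim gets a working session and notices nothing


def demo_totp_relay(now=1_600_000_000.0):
    """Victim logs in through the proxy with a fresh code; returns the identity
    the real site attaches to the cookie the attacker captured."""
    site = RealSite()
    proxy = RealTimePhishingProxy(site)
    victim_code = totp(site.users["alice"]["totp_secret"], now)  # read from the victim's app
    proxy.relay_login("alice", "correct horse", victim_code, now)
    return site.whoami(proxy.captured[-1]["cookie"])  # 'alice': live session for the attacker


def demo_origin_bound(browser_origin):
    """Same relay against an origin-bound factor: challenge and signature are
    forwarded verbatim, but the site recomputes over its own origin."""
    site = RealSite()
    auth = Authenticator(site.users["alice"]["authenticator_key"])
    challenge = site.issue_challenge("alice")          # relayed to the victim unchanged
    signature = auth.sign(challenge, browser_origin)   # signed over the origin the browser sees
    return site.verify_origin_bound("alice", challenge, signature)


if __name__ == "__main__":
    print("relayed TOTP session belongs to:", demo_totp_relay())
    print("origin-bound factor, via proxy:", demo_origin_bound(RealTimePhishingProxy.ORIGIN))
    print("origin-bound factor, direct:", demo_origin_bound(RealSite.ORIGIN))
```

The TOTP routine reproduces the RFC 6238 reference vector (secret `12345678901234567890`, time 59, six digits gives `287082`), so the relay is exercised against a correct verifier rather than a toy one. Note that nothing in the relayed login is wrong from the real site's point of view: the password, the code and the timing are all valid, which is why server-side detection has to look at other signals.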
“Phishing attacks will continue to be successful as long as there is a human that can be psychologically manipulated in some way. Security controls and web browsers alike must become more proficient at highlighting fraudulent sites to users,” Warburton concluded.
“Individuals and organisations also need to be continuously trained on the latest techniques used by fraudsters. Crucially, there needs to be a big emphasis on the way attackers are hijacking emerging trends such as COVID-19.”