2017 Phishing Trends & Intelligence Report: Hacking the Human

Transcript of 2017 Phishing Trends & Intelligence Report: Hacking the Human

Page 1: 2017 Phishing Trends & Intelligence Report: Hacking the Human
Page 2: 2017 Phishing Trends & Intelligence Report: Hacking the Human

2017 R.A.I.D. Webinar Series

• What’s it about?

  • Insights from our Research, Analysis, Intelligence Division and other PhishLabs’ experts

  • Hosted every month, exact dates TBD

  • Focus on current threat campaigns – dissect attacks, scams, campaigns, and discuss threat actors

  • Goal: equip you to better secure your network, your employees, your company and your customers

• Who should attend?

  • Open invitation – feel free to share!

  • Security leaders and professionals responsible for managing cyber threats

Page 3: 2017 Phishing Trends & Intelligence Report: Hacking the Human
Page 4: 2017 Phishing Trends & Intelligence Report: Hacking the Human

February agenda

2017 Phishing Trends & Intelligence Report: Hacking the Human

Proprietary and Confidential. Copyright 2017 PhishLabs

Crane Hassold, Senior Security Threat Researcher

Page 5: 2017 Phishing Trends & Intelligence Report: Hacking the Human
Page 6: 2017 Phishing Trends & Intelligence Report: Hacking the Human
Page 7: 2017 Phishing Trends & Intelligence Report: Hacking the Human

Phishing Trends & Intelligence Report Purpose

• Provide insight on significant trends, tools, and techniques used by threat actors to carry out phishing attacks

• Provide context and perspective into HOW and WHY these trends are occurring

• By understanding the threat, we can better defend against it

Page 8: 2017 Phishing Trends & Intelligence Report: Hacking the Human

Methodology

• Analysis of nearly 1 million confirmed malicious phishing sites hosted on more than 170,000 unique domains and more than 66,000 unique IP addresses

• “Attack” = domain hosting phishing content

• Volume vs. Share

  • Volume relates to the raw, cumulative number of attacks

  • Share references the percentage of attacks relative to the entire attack population

Page 9: 2017 Phishing Trends & Intelligence Report: Hacking the Human

Industry Trends: Who is Being Targeted?

• 976 brands from 568 parent institutions targeted by phishing attacks in 2016

• 91% of all attacks targeted five industries

  • Financial institutions

  • Cloud storage services

  • Webmail/online services

  • Payment services

  • E-commerce sites

• Attack volume targeting the top 5 industries grew by an average of 33%

• Financial institutions still the most targeted industry…barely

Page 10: 2017 Phishing Trends & Intelligence Report: Hacking the Human

The Rise of Cloud Storage Phish

• Attacks targeting cloud storage services expected to surpass those targeting financial institutions in 2017

  • Percentage of attacks targeting FIs has been steadily declining

• Cloud storage phish made up less than 10% in 2013; now account for nearly a quarter

• 90% of cloud storage phish target only two companies (Google, Dropbox)

Page 11: 2017 Phishing Trends & Intelligence Report: Hacking the Human

Evolving Motivations

• Three primary motivations for fraud-based phishing:

  1. Immediate Account Takeover

  2. Credential Proliferation

  3. Data Diversification

Page 12: 2017 Phishing Trends & Intelligence Report: Hacking the Human

Motivation #1: Immediate Account Takeover

• Historically, the primary motivator for phishing attacks

• Targets are usually banks and payment service companies

• Immediate, direct profit

• Industries impacted by these attacks have seen a decline in volume

2013: 64%

2016: 37%

Page 13: 2017 Phishing Trends & Intelligence Report: Hacking the Human

Motivation #2: Credential Proliferation

• Attackers mass harvest credentials for the purpose of attacking secondary targets

• Focused on web services that use email addresses as a primary credential

• Indirect profit

• Significant increase in targeting

2013: 21%

2016: 46%

Page 14: 2017 Phishing Trends & Intelligence Report: Hacking the Human

A Systemic Vulnerability

• The shift in targeted industries is driven by a major vulnerability – the use of an email address as a primary credential

• Target one = target all

• Facilitates password reuse attacks

• 39% of users reuse passwords across services (Pew Research, 2017)

Page 15: 2017 Phishing Trends & Intelligence Report: Hacking the Human

A Systemic Vulnerability

Page 16: 2017 Phishing Trends & Intelligence Report: Hacking the Human

Motivation #3: Data Diversification

• Purpose is to collect more comprehensive information about a victim

• Impacted industries include e-commerce sites and government services

  • Phishing attacks targeting tax agencies have increased 300% since 2014

• IRS phish in January 2016 exceeded volume of attacks seen in all of 2015

• Less frequent, higher impact

• Used to commit other types of crimes (e.g., identity theft, tax fraud)

• Also used to facilitate future phishing activity (e.g., phone numbers)

Page 17: 2017 Phishing Trends & Intelligence Report: Hacking the Human

Why are We Seeing This Shift?

• Phishing threat actors are evolving their tactics to:

  1. Make their jobs easier

  2. Expand the avenues of profit

  3. Take advantage of ease-of-use features built into many websites

• By shifting their targets and techniques, phishers have:

  1. Made credential collection more efficient

  2. Focused on collecting a wider breadth of information to facilitate other crimes

  3. Moved to a more indirect, but likely more lucrative, profit motive

  4. Adapted to security controls used by FIs and payment service companies

Page 18: 2017 Phishing Trends & Intelligence Report: Hacking the Human

What are the Implications?

• Password reuse attacks are a serious threat to secondary targets

  • Cloud storage and SaaS accounts are not the primary targets

  • Expect that customers have already been compromised elsewhere

• “It’s not my problem” paradox

• Brand reputation issues

Page 19: 2017 Phishing Trends & Intelligence Report: Hacking the Human
Page 20: 2017 Phishing Trends & Intelligence Report: Hacking the Human

Country Trends: Where are the Attacks Happening?

• 81% of phishing attacks target US-based entities

• Significant increase in attacks targeting Canadian targets (+237%)

  • Focused on financial institutions

  • Sustained increase, not a quick spike

• Switzerland, France, Italy, Germany also saw increases

• China, Australia, Great Britain saw significant declines in attacks

Page 21: 2017 Phishing Trends & Intelligence Report: Hacking the Human

Hosting Locations: Where are Phish Hosted?

• More than half of all phishing sites hosted in the United States

• Sharp increase in the number of phish hosted in Eastern Europe

• Decline in phish hosted in East Asia

Page 22: 2017 Phishing Trends & Intelligence Report: Hacking the Human

Top-Level Domains: How are Phish Hosted?

• 51% of phishing sites hosted on .COM TLD

• New gTLDs still associated with a small fraction of phishing sites, but they’re growing

  • 220 new gTLDs observed in 2016 vs. 66 in 2015

  • Inexpensive option for phishers looking to have control over their infrastructure

  • Allow phishers to create legitimate-looking domains

Page 23: 2017 Phishing Trends & Intelligence Report: Hacking the Human

Phish Kits: How are Phish Made?

• Kits are the “recipe” for creating most phishing sites

• Collecting & analyzing kits gives us a more in-depth understanding of techniques used to carry out phishing scams

  • Anti-detection techniques

  • Access controls

  • Code obfuscation

  • Data exfiltration

• Collected more than 29,000 kits in 2016 targeting 300+ different companies

  • More than a third used techniques to evade detection

  • 29% used methods to evade browser-based blocking

  • 22% utilized mechanisms to restrict access to the phishing site

Page 24: 2017 Phishing Trends & Intelligence Report: Hacking the Human

Ransomware: Yeah, That Happened…

• Ransomware has been around for decades, but saw a massive surge in 2016

• Phishing was, by far, the most common method of delivery

• Simplicity led to copycats

• Ransomware-as-a-service

• High rate of infection, low rate of payment

• Threat actors evolved their targeting tactics, shifting from individuals to strategically chosen businesses

Page 25: 2017 Phishing Trends & Intelligence Report: Hacking the Human
Page 26: 2017 Phishing Trends & Intelligence Report: Hacking the Human