2017 R.A.I.D. Webinar Series
• What’s it about?
  • Insights from our Research, Analysis, Intelligence Division and other PhishLabs experts
• Hosted every month, exact dates TBD
• Focus on current threat campaigns – dissect attacks, scams, campaigns, and discuss threat actors
• Goal: equip you to better secure your network, your employees, your company and your customers
• Who should attend?
  • Security leaders and professionals responsible for managing cyber threats
• Open invitation – feel free to share!
February agenda
2017 Phishing Trends & Intelligence Report: Hacking the Human
Proprietary and Confidential. Copyright 2017 PhishLabs
Crane Hassold, Senior Security Threat Researcher
Phishing Trends & Intelligence Report Purpose
• Provide insight on significant trends, tools, and techniques used by threat actors to carry out phishing attacks
• Provide context and perspective into HOW and WHY these trends are occurring
• By understanding the threat, we can better defend against it
Methodology
• Analysis of nearly 1 million confirmed malicious phishing sites hosted on more than 170,000 unique domains and more than 66,000 unique IP addresses
• “Attack” = domain hosting phishing content
• Volume vs. Share
  • Volume relates to the raw, cumulative number of attacks
  • Share references the percentage of attacks relative to the entire attack population
Industry Trends: Who is Being Targeted?
• 976 brands from 568 parent institutions targeted by phishing attacks in 2016
• 91% of all attacks targeted five industries
  • Financial institutions
  • Cloud storage services
  • Webmail/online services
  • Payment services
  • E-commerce sites
• Attack volume targeting the top 5 industries grew by an average of 33%
• Financial institutions still the most targeted industry…barely
The Rise of Cloud Storage Phish
• Attacks targeting cloud storage services expected to surpass those targeting financial institutions in 2017
  • Percentage of attacks targeting FIs has been steadily declining
  • Cloud storage phish made up less than 10% in 2013; now account for nearly a quarter
• 90% of cloud storage phish target only two companies (Google, Dropbox)
Evolving Motivations
• Three primary motivations for fraud-based phishing:
  1. Immediate Account Takeover
  2. Credential Proliferation
  3. Data Diversification
Motivation #1: Immediate Account Takeover
• Historically, the primary motivator for phishing attacks
• Targets are usually banks and payment service companies
• Immediate, direct profit
• Industries impacted by these attacks have seen a decline in volume
(Chart: share of all phishing attacks – 2013: 64%; 2016: 37%)
Motivation #2: Credential Proliferation
• Attackers mass harvest credentials for the purpose of attacking secondary targets
• Focused on web services that use email addresses as a primary credential
• Indirect profit
• Significant increase in targeting
(Chart: share of all phishing attacks – 2013: 21%; 2016: 46%)
A Systemic Vulnerability
• The shift in targeted industries is driven by a major vulnerability: the use of email address as a primary credential
• Target one = target all
• Facilitates password reuse attacks
• 39% of users reuse passwords across services (Pew Research, 2017)
Motivation #3: Data Diversification
• Purpose is to collect more comprehensive information about a victim
• Impacted industries include e-commerce sites and government services
  • Phishing attacks targeting tax agencies have increased 300% since 2014
  • IRS phish in January 2016 exceeded volume of attacks seen in all of 2015
• Less frequent, higher impact
• Used to commit other types of crimes (e.g., identity theft, tax fraud)
• Also used to facilitate future phishing activity (e.g., phone numbers)
Why are We Seeing This Shift?
• Phishing threat actors are evolving their tactics to:
  1. Make their jobs easier
  2. Expand the avenues of profit
  3. Take advantage of ease-of-use features built into many websites
• By shifting their targets and techniques, phishers have:
  1. Made credential collection more efficient
  2. Focused on collecting a wider breadth of information to facilitate other crimes
  3. Moved to a more indirect, but likely more lucrative, profit motive
  4. Adapted to security controls used by FIs and payment service companies
What are the Implications?
• Password reuse attacks are a serious threat to secondary targets
  • Cloud storage and SaaS accounts are not the primary targets
  • Expect that customers have already been compromised elsewhere
• “It’s not my problem” paradox
• Brand reputation issues
Country Trends: Where are the Attacks Happening?
• 81% of phishing attacks target US-based entities
• Significant increase in attacks on Canadian targets (+237%)
  • Focused on financial institutions
  • Sustained increase, not a quick spike
• Switzerland, France, Italy, Germany also saw increases
• China, Australia, Great Britain saw significant declines in attacks
Hosting Locations: Where are Phish Hosted?
• More than half of all phishing sites hosted in the United States
• Sharp increase in the number of phish hosted in Eastern Europe
• Decline in phish hosted in East Asia
Top-Level Domains: How are Phish Hosted?
• 51% of phishing sites hosted on .COM TLD
• New gTLDs still associated with a small fraction of phishing sites, but they’re growing
  • 220 new gTLDs observed in 2016 vs. 66 in 2015
  • Inexpensive option for phishers looking to have control over their infrastructure
  • Allow phishers to create legitimate-looking domains
Phish Kits: How are Phish Made?
• Kits are the “recipe” for creating most phishing sites
• Collecting &amp; analyzing kits gives us a more in-depth understanding of the techniques used to carry out phishing scams
  • Anti-detection techniques
  • Access controls
  • Code obfuscation
  • Data exfiltration
• Collected more than 29,000 kits in 2016 targeting 300+ different companies
  • More than a third used techniques to evade detection
  • 29% used methods to evade browser-based blocking
  • 22% utilized mechanisms to restrict access to the phishing site
Ransomware: Yeah, That Happened…
• Ransomware has been around for decades, but saw a massive surge in 2016
• Phishing was, by far, the most common method of delivery
• Simplicity led to copycats
• Ransomware-as-a-service
• High rate of infection, low rate of payment
• Threat actors evolved their targeting tactics, shifting from individuals to strategically chosen businesses