Phishing actors are always innovating and creating new methods to lure victims and gain access to their financial information, PII, and user accounts. Any angle they can play to get their victims to enter their information, they'll use.
In this roundup, we'll detail the trends in phishing activity as observed by RiskIQ over Q3 of 2017. The data contained within this report comes from internally blacklisted resources aggregated by the RiskIQ team. Understanding the latest phishing techniques and threat actor tendencies helps us position our customers to stay one step ahead of phishing threats targeting their organizations.
The report will focus on:
- The number of phishing threats
- The most targeted brands
- The WHOIS characteristics of these phishing threats
Less Phishing, Fewer Targets
In Q3, RiskIQ observed 931,665 unique blacklisted phishing URLs. Of these, 27,868 were unique domains, which is down from the 39,320 unique domains we detected in Q2. In fact, overall detections are down slightly in Q3, which is reflected in our brand detection data. RiskIQ observed a total of 279 brands targeted by phishing campaigns over the Q3 period, down slightly from the 316 brands in Q2.
It should be noted, however, that the nature of phishing campaigns is cyclical and that fewer detections are not due to missed detections. While the method and frequency of these phishing campaigns vary as seen through our data, the threat remains constant.
One constant, however, is the top 10 brands observed, all but three of which are the same between Q2 and Q3. Financial services and digital transaction brands continue to be favorite targets, which is not surprising as threat actors involved in phishing campaigns attempt to trick users into providing sensitive data, which these companies collect in spades. Of the three new top-10 brands, two are large financial institutions, and the third is a social media platform. The breakdown of the Q3 top-10 brands is as follows:
- 40% financial institutions
- 20% large tech companies
- 20% digital transaction providers
- 10% cloud storage providers
- 10% social media platforms
GoDaddy and PublicDomainRegistry are the Go-to Tools for Phishers
Despite the differences in detection amounts between Q2 and Q3, GoDaddy and PublicDomainRegistry continue to be the most affected of the top-five registrars.
There are two types of phishing sites: those that use compromised websites and those that use malicious registrations. Regarding the latter, one noteworthy trend from Q2 that continued in Q3 was the rise of privacy-protected registrations among malicious registrations, which we observed throughout our data. We also noticed several syntax patterns in our registrant email data, such as threat actors registering phishing domains with throwaway emails that follow similar syntax patterns (first initial and last name, for example). However, RiskIQ also noticed less obvious, high-entropy patterns that are more difficult to spot, such as randomly generated alphanumeric strings that all use the same number of characters.
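The fixed-length random-string pattern described above can be surfaced by clustering registrant email local parts by length after an entropy filter. The following is an added example, not RiskIQ's detection code; the sample addresses are constructed, and the entropy threshold and minimum cluster size are assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed registrant emails for illustration; not data from the report.
SAMPLE_REGISTRANTS = [
    "jsmith@mail.example",        # first initial + last name style
    "mbrown@mail.example",
    "k3x9q2vb7m@mail.example",    # random-looking, 10 characters
    "p8w4z1rt6c@mail.example",
    "h5n2y7dk3f@post.example",
    "aaaa1111bb@post.example",    # 10 characters but low entropy
    "mike1984@mail.example",      # mixed letters/digits, no same-length peers
]

def shannon_entropy(text):
    """Shannon entropy in bits per character of one string."""
    counts = Counter(text)
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in counts.values())

def looks_random(local, min_entropy=3.0):
    """True for alphanumeric local parts mixing letters and digits with
    entropy at or above min_entropy (threshold is an assumption)."""
    return (
        local.isalnum()
        and any(c.isdigit() for c in local)
        and any(c.isalpha() for c in local)
        and shannon_entropy(local) >= min_entropy
    )

def fixed_length_random_clusters(emails, min_cluster=3):
    """Group random-looking local parts by length and keep only lengths
    shared by at least min_cluster addresses."""
    by_length = defaultdict(list)
    for email in emails:
        local = email.rsplit("@", 1)[0].lower()
        if looks_random(local):
            by_length[len(local)].append(email)
    return {n: group for n, group in by_length.items() if len(group) >= min_cluster}

if __name__ == "__main__":
    for length, group in fixed_length_random_clusters(SAMPLE_REGISTRANTS).items():
        print(f"{len(group)} registrant emails with {length}-character random local parts:")
        for email in group:
            print("  ", email)
```

A single high-entropy address such as the constructed mike1984 entry is not reported on its own; the signal is several registrations sharing the same local-part length.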
Where the Phish are Hosted
As in Q2, the hosting provider with the highest number of affected URLs was an outlier in our data. This time around, hosting provider Ecotel supplanted Zenedge LLC as the leader. As with the rest of the Q3 data, the hosting provider data is indicative of overall detections being down.
Knowing your Risk
RiskIQ provides access to our unique phishing detection capabilities with our External Threats product line. Knowing your phishing risk is only half the battle; External Threats offers real-time monitoring and web enforcement capabilities to help you protect your organization's assets with RiskIQ’s industry-leading security intelligence.
Also, be sure to check out RiskIQ’s Q3 Mobile Threat Landscape.