External Threat Management

RiskIQ’s Q4 2017 Phishing Roundup and 2017 Recap: Unique Domains Fall, Social Media Targets Rise

Phishing actors are always innovating and creating new methods to lure victims into gaining access to their financial information, PII, and user accounts. Understanding the latest phishing techniques and cyber threat actor tendencies helps us position our customers to stay one step ahead of phishing threats targeting their organizations.

In the Q4 2017 Phishing Roundup, we’ll detail the trends in phishing activity as observed by RiskIQ over Q4 of 2017, drawing upon data used in the Q3 Report for comparisons and recapping trends we've seen over the entirety of 2017. The data in this report, which is comprised of internally blacklisted resources—unique phishing URLs in this case—will focus on:

  • Threat volume
  • The most targeted brands
  • The WHOIS characteristics of these phishing threats

The Arrival of Social Media to the Top Target List

Overall, RiskIQ observed 27,285 uniquely blacklisted phishing—domains, down 2% from Q3, targeting a total of 259 unique brands, down 7%. However, the most significant trend to surface in Q4 was a stark increase in phishing campaigns leveraging social media platforms, a trend that accounted for 20% of the top-ten most phished brands including the overall most-phished brand.

This new focus on social media by cyber threat actors is significant because it represents a pivot in tactics between Q3 and Q4 toward social media platforms and away from cloud service providers, which represented 10% of targets in our previous report. Financial institutions are almost always the target of the highest volume of cyber attacks, but social media is an interesting new addition to the top-target list.

There are several potential reasons why social media is drawing more attention from cyber threat actors. For one, the growth in popularity of financial integrations within social media platforms that, for example, give users the ability to send and receive money, can make for an easy payday. There's also the possibility of using sensitive information from posts, messages, and profiles that can be used as lures in social engineering attacks.

The full breakdown of the most phished brands is as follows:

  • 40% financial institutions
  • 20% social media platforms
  • 20% large tech companies
  • 20% digital transaction providers

Detections by Registrar Q4 and Q3

Detections by Hosting Provider Q4 and Q3

Our Q4 registrar data, except for one outlier, showed the same top-five players (although in a different order), which have clearly become tried and true tools for phishers. The hosting provider data from Q3 to Q4, however, showed a significant discrepancy, making it impossible to speculate on any potential trends.

2017 Detections: Domains Decrease, but Number of Brands Holds Steady

Overall detections dropped off slightly in a few key areas during 2017, a decline that isn't unusual as phishing tends to be very cyclical—the number of observed domains and targeted brands remained relatively close each quarter, but the number of unique URLs varied widely.

Financial institution targets showed a general decline while social media targets showed a general increase, especially over the last quarter. Q4 was also the first quarter observed where the top targeted brand was a social media platform. While this is not a new phenomenon by any means, our data has never displayed its presence as prominently as Q4 of 2017.

Know Your Risk

RiskIQ provides access to our unique phishing detection capabilities with our External Threats product line. Knowing your phishing risk is only half the battle; External Threats offers real-time monitoring and web enforcement capabilities to help you protect your organization’s assets with RiskIQ’s industry-leading security intelligence.

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor