A Look Back on Phishing Attacks in 2016

Phishing attacks were on the rise in 2016. Whether you’re a national political organization, a Fortune 500 company, or a small business, if you have a digital presence, your brand, customers, and employees are targets for phishing.

At RiskIQ we process tons of web-related threat data. One of the types of data we look at is phishing incidents. From various sources, we receive URLs which might be indicative of phishing. The URLs are processed through our crawling infrastructure and fed through our machine-learning technology to classify each detected phishing page appropriately.

Within this group of phishing pages, there are those used for highly targeted phishing attacks, also known as ‘spear phishing,’ as well as phishing pages used for widespread ‘generic’ phishing. Regarding infrastructure, there are two distinctions: self-maintained custom infrastructure and abused or compromised infrastructure belonging to someone else. We’ll explore both of these throughout this post, as well as the evolving tactics of phishing campaigns. 

Statistics

To give an idea of the amount of data we processed for phishing alone, here’s an overview of what 2016 looked like in our system for phishing incidents only. The graph below totals to approximately 58 million incidents throughout 2016, or 158,904 a day:

Fig-1 RiskIQ detection data indicates steady dose of phishing in 2016

Affected Hosting Organizations

Most phishing pages come from compromised websites. The web hosters involved with most of these websites haven’t changed over the past few years—typically, the largest web hosts most often associate with phishing.

Topping these rankings, we have HostGator. In 2nd place, we have GoDaddy, another massive and popular hosting company. We don’t have clear insights into why these companies are implicated in so many phishing attacks (other than being two of the largest hosting organizations, of course), but there are two questions to which we would need the answers to find out:

1. Are all affected websites maintained by the customers or the hosting organization?
2. Are the websites we have observed directly hosted by these two companies or by resellers on their platform?

Without correlating the above questions, it’s hard to point any fingers at specific hosts or their resellers and customers for lacking a proper upgrade/update process.

TLD & gTLD Insights

One fascinating thing to look at is the top-level domain (TLD) distribution in the observed phishing websites. The top five is not very special in and of itself, but distribution wise, it is interesting to note the dominance of “.com”  as well as the closest runner-up being the Brazilian “com.br”.

Fig-2 Interestingly, the Brazilian “.br” TLD was implicated in the second-most phishing attacks in 2016

Taking an even closer look, a new angle develops: threat actors disproportionately target specialized government TLDs, such as “.gov” domains. Based on the data, we can say that the following countries have some improvements to make on the IT side of their government:

Fig-3 These countries have some work to do improving their security posture

An interesting note: something that has been widely abused in the field of exploit kits and malware command and control servers is generic TLDs (gTLDs). Some gTLDs are very cheap to register, which makes them extremely useful for criminals. However, on the phishing side, we have seen a very limited amount of use for this; the numbers are negligible.

Phishing Examples

In RiskIQ’s phishing data, we mostly get phishing pages focused on impersonating financial institutions. When digging through the lower-count phishing campaigns and incidents, however, there are some rather intriguing cases.

Targeted phishing towards healthcare

We saw a small section of what appears to be a campaign targeting healthcare companies. Because the campaigns were so targeted, we had a limited view, but we submitted the data to our systems for processing (the bad guys won’t do it for us, sadly). Most of the examples belong to campaigns targeting the company’s’ Outlook Web Access portal, where employees read their email. Below is an example targeting a large healthcare network:

Fig-4 The page looks enough like the health care network’s email service that some employees might not notice

Below, another health organization was targeted by this same actor:

Fig-5 A more generic version of the technique used in Fig-4

This phishing page looks generic, but the phish URL shows that this organization was deliberately targeted: http://wrn.fridayflowers.com.au/outl/[brand obfuscated]/logon-aspx.

The phishers here are going for breaching these healthcare providers, possibly with a financial gain in mind. Eventually, they can profit by selling access, PII, and other sensitive data.

eGovernment accounts

A popular theme of phishing for various governmental service accounts arises around the time citizens have to enter their tax forms. In the United States, the phishing pages for the IRS are extremely common, but UK citizens are targeted as well. The fake pages below claim to be from the UK’s Revenue & Customs organization and ask for a very extensive list of information that would allow the attacker to take complete control of the victim’s sensitive data:

Fig-6 There are three guarantees: death, taxes, and phishing campaigns related to taxes

The same scheme also occurs in France around tax time. These pages mimic the ‘Impots’ website of the French government:

Fig-7 Tax-related phishing schemes transcend borders and language

WhatsApp ‘phishing’

Another campaign that our system encounters are phishing pages aimed at WhatsApp users. This technique doesn’t phish for any credentials; it goes for direct profit. These pages are more ‘scam’ websites than phishing pages, but the tactics employed are the same as phishing. The users are lured into paying fake subscription costs for the continued use of their WhatsApp.

Fig-8 WhatsApp phishing page geared toward harvesting fake subscription charges

The actors mostly try to convince users by domain shadowing legitimate domains, as seen in a small section of our hits:

http://whatsapp-messenger.whatsapp.com-contact.playatsapp.com/

http://whatsapp-messenger.whatsapp.com.whatsapp.playatsapp.com/

http://whatsapp-tecnico.supporto-ufficiale1.wetips.net/

Security vendor name abuse

Another ongoing trend is the use of known internet security vendor names on phishing pages. While the  “Your machine is infected, pay now to clean up” pages do go for your money, there are some pages out there that phish for email credentials. One example is the use of Symantec as a lure in the phishing page below:

Fig-9 Classic phishing: leveraging a trusted brand for nefarious purposes

Unwanted ride sharing

Occasionally, phishing pages for Uber appear in our data. The pages themselves are just classic phishing pages with reconstructed Uber portal pages:

Fig-10 Any name brand can and will be leveraged in a phishing campaign

Conclusion

We just looked at just a few of the curious phishing examples we see going around every day. As you can see, criminals are always innovating and creating new methods to lure in more victims and gain access to their financial information, PII, and user accounts. Criminals will use any angle to get their victims to bite. 

By tracking against a wide range of sources—social media, digital ads, known phish events within the RiskIQ index, Domain-based Message Authentication, Reporting and Conformance (DMARC), abuse box and referrer log integrations for known phishing signatures, and 15 reputational list sources—RiskIQ provides accurate, comprehensive coverage against rapidly growing phishing threats. With more than 30 million phishing pages already scanned, and tens of thousands of new pages scanned each day, we understand how best to identify phishing campaigns and mitigate their impact. 

As RiskIQ collects more data, our Threat Research Team will be sure to update you with more articles like this one.