Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Phishing attacks were on the rise in 2016. Whether you’re a national political organization, a Fortune 500 company, or a small business, if you have a digital presence, your brand, customers, and employees are targets for phishing.
At RiskIQ we process tons of web-related threat data. One of the types of data we look at is phishing incidents. From various sources, we receive URLs which might be indicative of phishing. The URLs are processed through our crawling infrastructure and fed through our machine-learning technology to classify each detected phishing page appropriately.
Within this group of phishing pages, there are those used for highly targeted phishing attacks, also known as ‘spear phishing,’ as well as phishing pages used for widespread ‘generic’ phishing. Regarding infrastructure, there are two distinctions: self-maintained custom infrastructure and abused or compromised infrastructure belonging to someone else. We’ll explore both of these throughout this post, as well as the evolving tactics of phishing campaigns.
To give an idea of the amount of data we processed for phishing alone, here’s an overview of what 2016 looked like in our system for phishing incidents only. The graph below totals to approximately 58 million incidents throughout 2016, or 158,904 a day:
Fig-1 RiskIQ detection data indicates steady dose of phishing in 2016
Most phishing pages come from compromised websites. The web hosters involved with most of these websites haven’t changed over the past few years—typically, the largest web hosts most often associate with phishing.
Topping these rankings, we have HostGator. In 2nd place, we have GoDaddy, another massive and popular hosting company. We don’t have clear insights into why these companies are implicated in so many phishing attacks (other than being two of the largest hosting organizations, of course), but there are two questions to which we would need the answers to find out:
Without correlating the above questions, it’s hard to point any fingers at specific hosts or their resellers and customers for lacking a proper upgrade/update process.
TLD & gTLD Insights
One fascinating thing to look at is the top-level domain (TLD) distribution in the observed phishing websites. The top five is not very special in and of itself, but distribution wise, it is interesting to note the dominance of “.com” as well as the closest runner-up being the Brazilian “com.br”.
Fig-2 Interestingly, the Brazilian “.br” TLD was implicated in the second-most phishing attacks in 2016
Taking an even closer look, a new angle develops: cyber threat actors disproportionately target specialized government TLDs, such as “.gov” domains. Based on the data, we can say that the following countries have some improvements to make on the IT side of their government:
Fig-3 These countries have some work to do improving their cyber security posture
An interesting note: something that has been widely abused in the field of exploit kits and malware command and control servers is generic TLDs (gTLDs). Some gTLDs are very cheap to register, which makes them extremely useful for criminals. However, on the phishing side, we have seen a very limited amount of use for this; the numbers are negligible.
In RiskIQ’s phishing data, we mostly get phishing pages focused on impersonating financial institutions. When digging through the lower-count phishing campaigns and incidents, however, there are some rather intriguing cases.
We saw a small section of what appears to be a campaign targeting healthcare companies. Because the campaigns were so targeted, we had a limited view, but we submitted the data to our systems for processing (the bad guys won’t do it for us, sadly). Most of the examples belong to campaigns targeting the company’s’ Outlook Web Access portal, where employees read their email. Below is an example targeting a large healthcare network:
Fig-4 The page looks enough like the health care network’s email service that some employees might not notice
Below, another health organization was targeted by this same actor:
Fig-5 A more generic version of the technique used in Fig-4
This phishing page looks generic, but the phish URL shows that this organization was deliberately targeted: http://wrn.fridayflowers.com.au/outl/[brand obfuscated]/logon-aspx.
The phishers here are going for breaching these healthcare providers, possibly with a financial gain in mind. Eventually, they can profit by selling access, PII, and other sensitive data.
A popular theme of phishing for various governmental service accounts arises around the time citizens have to enter their tax forms. In the United States, the phishing pages for the IRS are extremely common, but UK citizens are targeted as well. The fake pages below claim to be from the UK’s Revenue & Customs organization and ask for a very extensive list of information that would allow the cyber attacker to take complete control of the victim’s sensitive data:
Fig-6 There are three guarantees: death, taxes, and phishing campaigns related to taxes
The same scheme also occurs in France around tax time. These pages mimic the ‘Impots’ website of the French government:
Fig-7 Tax-related phishing schemes transcend borders and language
Another campaign that our system encounters are phishing pages aimed at WhatsApp users. This technique doesn’t phish for any credentials; it goes for direct profit. These pages are more ‘scam’ websites than phishing pages, but the tactics employed are the same as phishing. The users are lured into paying fake subscription costs for the continued use of their WhatsApp.
Fig-8 WhatsApp phishing page geared toward harvesting fake subscription charges
The actors mostly try to convince users by domain shadowing legitimate domains, as seen in a small section of our hits:
Another ongoing trend is the use of known internet security vendor names on phishing pages. While the “Your machine is infected, pay now to clean up” pages do go for your money, there are some pages out there that phish for email credentials. One example is the use of Symantec as a lure in the phishing page below:
Fig-9 Classic phishing: leveraging a trusted brand for nefarious purposes
Occasionally, phishing pages for Uber appear in our data. The pages themselves are just classic phishing pages with reconstructed Uber portal pages:
Fig-10 Any name brand can and will be leveraged in a phishing campaign
We just looked at just a few of the curious phishing examples we see going around every day. As you can see, criminals are always innovating and creating new methods to lure in more victims and gain access to their financial information, PII, and user accounts. Criminals will use any angle to get their victims to bite.
By tracking against a wide range of sources—social media, digital ads, known phish events within the RiskIQ index, Domain-based Message Authentication, Reporting and Conformance (DMARC), abuse box and referrer log integrations for known phishing signatures, and 15 reputational list sources—RiskIQ provides accurate, comprehensive coverage against rapidly growing phishing threats. With more than 30 million phishing pages already scanned, and tens of thousands of new pages scanned each day, we understand how best to identify phishing campaigns and mitigate their impact.
As RiskIQ collects more data, our Cyber Threat Research Team will be sure to update you with more articles like this one.
What are the keys to a Modern Vulnerability Risk Management Program? On Tuesday, @joshuamayfield and @josh_zelonis will examine why defending your organization's digital attack surface starts with being able to discover unknowns and investigate threats: https://t.co/kCxgPW0Ckb
IGNITE is just 10 days away! RSVP now to kick off #RSAC and party with Flashpoint, @elastic, @ThreatQuotient, @Siemplify, and @RiskIQ: https://t.co/hnlh0UhHEo
The largest UK #GDPR fine was £183m in 2018 as B.A. booking website was hit by Magecart ccard skimming code. @RiskIQ worked with https://t.co/E3JRdvCMWA and Shadowserver to take down the malicious domains. https://t.co/iiH69vbKFK
The theme of this year's @cctxcanada 4th annual collaboration event is "Give and Take: Why helping others drives our success." RiskIQ's Geoff Roote explains the modern Internet Attack Surface and why defending the web is a collaborative community effort.