It’s only May, and is it just me, or has this already been the longest decade ever?

Cyber-threat actors are as sneaky as ever, and they have been evolving and adapting their methods to cash in on your organization’s dime. Email phishing continues to be one of, if not the most popular attack vector that adversaries use to gain initial access to systems, eventually compromising your data, your infrastructure, and your reputation. As written in their yearly Internet Crimes Complaint Center (IC3) report from 2019, the FBI received over 110,000 complaints of phishing alone.

Based on data from 2019 and what we’ve observed in 2020, Digital Shadows (now ReliaQuest) has gathered three phishing trends that cybercriminals and advanced persistent threat (APT) groups are using to target your business:

  1. Malicious domains continue to be a significant hurdle for organizations. Attackers are continuing to improve their methods to make domains appear more legitimate to their targets. Strategies that were once used to avoid phishing emails are now mostly obsolete.
  2. Business email compromise (BEC) offers a significant return on investment for attackers, and while not the most common type of attack, cybercriminals are getting more creative in their tactics to advance their campaigns. Social engineering tactics, specifically phishing, are prime methods that attackers use to initiate BEC.
  3. The evolution of phishing-as-a-service (PHaaS) and phishing kits continue to enable attackers to target organizations for what amounts to pocket change. With this reasonably new business, even the most amateur cybercriminals can deploy sophisticated and devastating attacks.

Criminals are upping their game to seem legitimate.

Throughout the years, internet users and security researchers have been heavily involved in the frustrating cat-and-mouse game of phishing: Attackers have tested what works while we make an effort to foil their attempts. To increase the likelihood of a successful phishing campaign, criminals have turned to more “legitimate” solutions such as adding security certificates, embedding redirects inside of recognized links, and creating lookalike domain names that are near-indistinguishable to most users.

While many of these strategies are not new, they have become much more prevalent; attackers have improved their craft by (almost seamlessly) blending into our legitimate messages, making their thoughtfully designed techniques more difficult to detect.

SSL certificates

Spoof domains have proven to be a significant obstacle when it comes to organizations’ security posture. As we have adopted various strategies to identify potential phishing sites, I’m sure many of us have had similar exchanges with a colleague or friend:

Bob: Hey, I’m not sure if this site is legitimate.

Alice: Does it have the padlock by the address bar?

Bob: Yeah, it does!

Alice: Awesome – you should be good then.

Bob: Cool, thanks!

What I’m referring to in this scenario is the presence of a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificate. From a user standpoint, SSL/TLS certificates serve an array of imperative purposes, mainly that they encrypt internet traffic sent between the client (your device) and the webserver. 

Unfortunately, looking for a padlock to identify secure websites is no longer (if it ever really was) a reliable strategy to circumvent malicious websites. As internet users are taught to lend trust to SSL/TLS protected sites, adversaries have responded by registering certificates of their own to improve the impact of their attacks, leading to data loss, unauthorized access, credential theft, and malware propagation. To add to this problem, attackers can also easily purchase websites with SSL included in criminal marketplaces.

Figure 1: website listing with SSL included advertised on Apollon

To combat this, we have observed numerous attempts to dodge attackers’ ploys, including registrars cracking down on malicious website owners and the improvement and timeliness of browser alerts on malicious or suspicious websites. Contrarily, bulletproof hosting companies, which are more lenient in terms of what can be hosted on or distributed from their servers, inadvertently and figuratively throw a wrench into any intended refinements to website hosting.

While some recent improvements are a move in the right direction, they are not an end-all-be-all to malicious websites or successful phishing attacks.

  • In March 2020, backdoor and trojan malware variants, Mokes and Buerak, were observed being deployed to target systems after site visitors were misled by false certificate update messages. The websites that hosted the messages maintained legitimate certificates, and since the website appeared to be valid, unsuspecting victims were easily fooled into downloading the malware.
  • A campaign that impersonated entertainment companies’ websites was identified in March 2019. The domains displayed login pages and maintained recycled SSL certificates, which were used to harvest credentials from site visitors.

As SSL and TLS certificates continue to be an essential piece of attackers’ methods to steal information, it is highly likely that users will continue to be targeted in future phishing attacks that masquerade as legitimate websites with “trusted” certificates.

Open redirect abuse

Many of us have stumbled upon a fake login page that impersonates a legitimate service. It can be tough to spot these fakes, and attackers continue to exploit our comfort with familiarity. As adversaries tend to take the path of least resistance, such sites have become more common because they work (and will continue to work as long as cybercriminals can turn a profit).

While attackers may create these cloned sites from scratch, many website templates are available for sale, from email providers to financial institutions, on dark web marketplaces (we’ll discuss this later). Open redirects are used in a variety of attacks, with malware and credential harvesting being the most common.

  • In March 2020, attackers launched a phishing campaign that aimed to steal credential data from unsuspecting users by redirecting them to a malicious phishing page. The link embedded in the phishing email pointed to a YouTube page, which contained a redirect that resolved to the attackers’ page. Based on the quality of the phishing page, it is easy to see how users could be tricked and fall victim to the campaign.
  • Throughout 2019 and into 2020, cybercriminals have used Google and Adobe open redirects to bypass spam filters and redirect users to malicious websites. The malicious sites typically host fake login pages for credential harvesting.

Many large companies do not consider open redirects to be a security vulnerability, so not much can be done to avoid redirect campaigns in the future; however, some would argue that redirects propagate phishing campaigns. In recent months, phishing campaigns have commonly leveraged open redirects from well-known companies to improve the perceived legitimacy of their attack methods. If the links appear to belong to a legitimate company, users are more likely to trust them and click on them. For example, try to enter this into your URL address bar:

https://www.google.com/url?q=https://www.digitalshadows.com

Depending on the browser that you use, you probably observed a Redirect Notice. Did you continue? Either way, many phishing victims have continued with the belief that they were being redirected to a legitimate platform, only to have their credentials stolen or their system compromised.

As open redirects continue to be used for legitimate purposes, it is highly likely that cybercriminals will continue to abuse this feature for nefarious reasons.

Punycode

If you saw this link, would you think that it’s legitimate?

https://www.ԁіɡіtаlѕһаdοwѕ.com

I don’t see much of a difference, but in reality, this domain translates to a completely different URL:

https://www.xn--tldw-z7b71sswab64aebb13k11a.com

Kinda spooky, huh?

This method, called a homograph attack (aka punycode, script spoofing), abuses the nuances of internationalized domain names (IDNs) by using non-Latin characters to masquerade as legitimate sites and has been around since the early 2000s. As it’s nearly impossible to distinguish the tiny differences when they’re embedded in a phishing email or website, cybercriminals have found that it’s reasonably simple to fool users. While most browser manufacturers and infrastructure-as-a-service (IaaS) providers have introduced defenses to thwart these attacks, it is possible that this method has been used in highly-targeted social engineering campaigns.

  • In March 2020, cybercriminals were able to register lookalike domains with generic top-level domains (gTLDs) and subdomains to impersonate legitimate sites by using the Unicode Latin IPA Extension characters.
  • Over a 12-month period in 2017 and 2018, security researchers identified 8,000 homograph domains that spoofed the IDN of large-brand names, where 91% offered content of some kind.

As a confession, while it wasn’t punycode, I registered a domain homograph a few years ago by replacing an “l” with an “i,” to play a trick on a few colleagues. My intent was not malicious; I just wanted to set up a clever Rickroll, and it worked wonderfully!

Unfortunately, attackers commonly set up fake domains with criminal intentions, and they may continue using this method in their future attacks. Defenses to homograph attacks depend on policies implemented by the Internet Corporation for Assigned Names and Numbers (ICANN); however, a solution to completely mitigate homograph attacks has not yet been deployed.

Quality (over quantity) prevails.

In recent years, spam campaigns have started to phase out, while targeted campaigns have increased significantly. Rather than throwing tens of thousands of phishing emails to the wind, adversaries have started to investigate their targets before deploying campaigns methodically. Business email compromise, spearphishing, and targeted ransomware attacks have gained a structure of personalization over time to lure victims into trusting malicious messages. While some phishing emails are easy to spot, others may seem undeniably believable while displaying various social engineering principles: Authority, intimidation, scarcity, urgency, familiarity, and trust.

Business email compromise

For the fifth year running, BEC attacks, a specialized form of phishing, comprise the highest amount of reported financial loss, a whopping $1.8 billion in 2019. There are several different variants of BEC, but in one common method, the attacker can either impersonate an executive’s email address or use a compromised business email account to target an employee, customer, or supplier to move funds or confidential information to the phisher. While they are not nearly as widespread as other, more common phishing attack types, the profitability offered by a successful BEC attack (think millions of dollars) continues to attract cybercriminals.

  • Throughout the COVID-19 (aka coronavirus) pandemic, cybercriminals have adjusted their messaging to virtually pickpocket unsuspecting organizations. According to an alert released by the FBI, phishers are requesting the adjustment or rescheduling of payments due to coronavirus audits, quarantine processes, and precautions.
  • From June 2016 and July 2019, the FBI received over 166,349 reports of BEC and more than USD 26 billion in losses.

Trends from 2019 revealed a significant increase in BEC attacks that explicitly targeted the diversion of payroll funds. It is highly likely that threat actors will continue to use this method for monetary gain in future attacks. Successful BEC attacks can result in hefty financial losses; organizations should ensure that staff members are trained on how to identify and report popular social engineering attempts that can result in BEC.

Spearphishing

Spearphishing is a form of phishing that targets a specific individual or organization. Frequently, the emails are tailored to the recipient to make it more believable. Rather than throwing thousands of emails over the wall, criminals are becoming more selective to increase the likelihood of a successful attack.

Two common types of spearphishing include business email compromise, which we have already mentioned, and whale phishing (or whaling). Whaling is another form of BEC; however, high-level executives are the primary target. Attackers can use executive-related information found on public websites, including names, phone numbers, email addresses, or personal addresses when selecting their targets and designing social engineering campaigns. C-level data can be highly valuable to cybercriminals, especially for BEC campaigns, and we have often seen executive email lists sold and traded on criminal forums.

Figure 2: website listing for a job opening to market the sale of an executive email database

An attacker will often spend considerable time investigating their target, so they can tailor the email to them and make it as compelling as possible.

  • In late April 2020, high-ranking executives at more than 150 companies received emails containing a PDF attachment, which ultimately redirected them to a Microsoft Outlook login page. Once the executives were fooled into entering their credentials, threat actors collected the data and were granted access to the victims’ accounts.
  • In January 2019, a spearphishing email targeting Ukrainian government entities was identified. The campaign used a malicious LNK file with a PowerShell script, which was used to download a payload from the attackers’ command and control (C2) server.

As phishing campaigns become more targeted, personalized, and sophisticated, it is highly likely that spearphishing will continue to be used as a vessel for credential theft and malware spread in the coming months to years.

Targeted ransomware

Ransomware attacks have evolved over the years to be impressively sophisticated and targeted. As ransomware was once primarily a threat to consumers (coined the “spray and pray” method), threat actors have switched gears to methodically target businesses, likely due to the sheer profitability and monetary value of employee data and organizations’ proprietary information.

While 2019 was a big year for ransomware, which included the fall of GandCrab, the rise of Sodinokibi, and persistent attacks against a variety of sectors with variants like Ryuk, 2020 has proven to be even more of a volatile epoch for organizations facing ransomware threats.

An emerging trend of the “pay or get breached” model of ransomware attacks, popularized by threat groups such as Maze, aims to steal organizations’ data before encryption and publicize the names or the data of targeted companies that refuse to meet ransom demands. Alternatively, more sophisticated variants of ransomware, such as SamSam, do not rely on spearphishing; instead, they use vulnerability exploitation or brute-force tactics against weak Remote Desktop Protocol (RDP) passwords to gain access and infect systems.

  • In mid-April 2020, Cognizant confirmed that it was hit by a ransomware attack. While Maze operators denied allegations of attribution for the attack, Cognizant corroborated that they identified indicators of compromise relating to the Maze ransomware variant and were obliged to treat the attack as a breach.
  • In December 2019, Travelex was hit with a ransomware attack that leveraged a critical Citrix vulnerability (CVE-2019-19781). Following the attack, Sodinokibi (aka REvil) was observed targeting other vulnerable systems to spread ransomware.

As criminals shift to target businesses and deploy enterprise-crippling ransomware, it is highly likely that organizations will have to strategically consider the reality of potentially falling victim to future ransomware attacks. With the introduction and continuous trend of the pay-or-get-breached model of ransomware, organizations will also have to begin processing ransomware attacks as data breaches. In the coming months and years, it is highly probable that ransomware operators will continue to use multiple attack vectors, including vulnerability exploitation, spearphishing, and brute-force techniques as a method of compromise for monetary gain and sensitive data collection.

(how we think you may feel after reading this)

Phishing templates and phishing-as-a-service (PHaaS)

You don’t need to be a skilled threat actor or have a detailed understanding of your target to conduct an effective phishing attack as long as you have the means to buy a template. Commonly, templates offered on criminal forums and marketplaces contain how-to guides and are intended to masquerade as legitimate company emails. The most persuasive of these templates are aimed at being indistinguishable from a legitimate email.

average cost of phishing templates
Figure 3: Breakdown of average costs of different phishing templates

Phishing-as-a-service (PHaaS) and phishing kits are an alternative to phishing templates, which can allow an attacker to rent the infrastructure required for conducting phishing attacks. Procuring and setting up backend infrastructure, especially without the necessary technical skills, can be time-consuming, costly, and complicated. Phishing capabilities are available to those who would not otherwise have them, simply by outsourcing the work. PHaaS offerings are monetized in familiar ways, offering various monthly subscription rates, each with various feature tiers, and gradually mirroring as-a-service offerings like that of those in real life.

As the business for phishing templates and PHaaS flourishes, it is highly likely that phishing will become even more prevalent. Additionally, as PHaaS products offer more complex features, it is possible that campaign attribution will become even more challenging in the coming months. If you’re interested in learning more about phishing services on criminal forums and marketplaces, check out our in-depth overview of the phishing ecosystem: The Ecosystem of Phishing.

The Ecosystem of Phishing: From Minnows to Marlins

Risk reduction solutions

All of the methods that we have outlined in this blog commonly begin with the first phishing email. The alternative pathways are abundant, whether it’s a misspelled, poorly written message or a well-designed and thoroughly customized impersonation email. For this reason, phishing remains one of the most common techniques of attack.

As we continue to brave what 2020 has to offer (good and bad), planning for social engineering attacks and their perceived threats is an ideal solution. As described in this blog, the phishing methods employed by the most advanced opponents are virtually identical to those explored in criminal forums by enthusiastic learners. With templates, instructions, cloning sites services, and phishing tools scattered throughout the cybercriminal landscape, a continued wave of sophisticated attacks are on the horizon.

While solutions for avoiding or deterring phishing campaigns seem to disappear day by day, companies are still able to employ a wide variety of approaches that can help them remain generally safe from phishing attacks. These include a few phishing mitigation strategies that can benefit your company:

  1. Limit the information your organization and employees share online, including on social media sites. The most successful phishers perform detailed reconnaissance so they can craft the most effective emails and social engineering lures.
  2. Monitor for registrations of typo-squatted domains that attackers can use to impersonate your brand, send spoofed emails, and host phishing pages.
  3. Implement additional security measures, such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM). These can make the spoofing of your domain more difficult. Check out our detailed practitioner’s guide to combating email spoofing risks.
  4. Protect your accounts in case phishers do manage to steal user credentials. Two-factor authentication measures should be mandated across the organization and implemented whenever possible.
  5. Train your employees how to spot phishing emails and, more importantly, give them a clear and recognized reporting method to alert security teams of suspected phishing attempts. Eventually, a phishing email will fall through the net. Employees need to know how to react to these quickly and should not fear any repercussions of being the victim of a social engineering attack.

If you want to learn more about how Digital Shadows (now ReliaQuest) can help your organization, check out our Phishing Protection page or request a demo below.

Thanks for sticking around, Readers. Until next time!