Criminals adopting new methods to bypass improved defenses, says Zscaler
PhaaS, SMiShing, and remote work drive increase in phishing attacks
The number of phishing attacks worldwide jumped 29 percent last year as threat actors countered stronger enterprise defenses with newer methods, according to researchers with Zscaler's ThreatLabz research team.
Cybercriminals have adapted to multi-factor authentication (MFA), employee security awareness training, and security controls by broadening who and where they will attack.
While the United States remained the country with the most phishing attempts, others are seeing faster growth in the number of incidents, with criminals exploiting new vectors such as SMS and lowering the barrier to entry for launching attacks through pre-built tools sold on the market.
"Phishing attacks continue to remain one of the most prevalent attack vectors, often serving as a starting point for more advanced next stage attacks that may result in a large-scale breach," Deepen Desai, CISO and vice president of security research and operations at Zscaler, told The Register.
"As organizations continue to improve their defenses to combat phishing attacks, threat actors also evolve their tools, tactics, and procedures in order to evade these controls and make phishing attacks more successful."
ThreatLabz's report released Wednesday comes from a year's worth of phishing data culled from the Zscaler cloud. ThreatLabz analysed data from more than 200 billion transactions a day and 150 million daily blocked attacks.
Microsoft, Telegram, Amazon, OneDrive, and PayPal were the top brands used in phishing scams, and the retail and wholesale sectors saw the most year-over-year growth, with a jump of 436 percent.
At the heart of this is the ongoing cat-and-mouse game of act and react between hackers and those tasked with protecting organizations and individuals. Phishing-as-a-service (PhaaS) – like ransomware-as-a-service and similar outsourced malware – not only can accelerate the number of phishing attempts but also makes it easier for less technically skilled hackers to run sophisticated campaigns.
The top PhaaS methods are phishing kits – essentially packages of everything a threat actor needs – and open-source phishing frameworks, which can be found on code-sharing forums and offer a range of features to execute specific attack functions or automate the entire process. They're also free.
"Phishing kits package up and commoditize everything required to very quickly launch hundreds or thousands of convincing and effective phishing pages with very little technical skill required," Desai said.
"Even attackers with advanced skills are making the switch from development to leveraging phishing kits to launch campaigns at scale. Now attackers can simply copy templates from the kit to a compromised web server or a hosting service to spawn a phishing page for a targeted brand."
Phishing kits make it easier to launch attacks and more difficult for security teams to detect them, he said. Using open-source templates eliminates many of the typos, bad grammar, and unsigned certificates that security pros typically rely on to identify phishing scams.
"With higher sunk costs, cybercriminals have also developed a more focused approach to selecting their ideal targets," Desai said. "The result of these shifts is a sharp increase in financial losses across organizations being hit by phishing scams over the past several years."
Hackers are also evolving the delivery vectors and techniques, including SMiShing, which uses SMS text messages on mobile devices rather than email as the entry point for engaging targets. SMiShing has been around since 2006, but its use is skyrocketing: the ThreatLabz researchers cite a report showing a 300 percent increase in the last quarter of 2020 and a further 700 percent increase in the first six months of 2021.
In such messages, criminals masquerade as company executives, high-profile brands, bank or cell phone providers, and contest organizers to lure victims into clicking on the phishing links.
"These attacks can be very effective as many victims are more trusting of texts from unrecognized numbers than they are of emails from unrecognized senders," the researchers wrote. "Many are also accustomed to SMS marketing, which increases trust in that medium. It is relatively easy for threat actors to create a local phone number and message those in the same area code, which increases trust."
Other attacks are also growing, Desai said, like vishing – voice phishing, where hackers pretend to be from a reputable company – and browser-in-the-browser, where a fake pop-up browser window, built from ordinary HTML and CSS, is rendered inside a legitimate browser window, with attackers replicating the pop-up login windows that appear to come from such companies as Google, Microsoft, and Apple. One tell for the latter: the fake window cannot be dragged past the edge of the real browser window, and the real address bar still shows the attacker's page rather than the login provider's domain.
Bad actors using phishing methods are also using public cloud storage service providers like Amazon Web Services, Microsoft Azure, and Google Cloud to host the phishing pages, he said.
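As an added example, not code from The Register's article or from Zscaler's report, the following Python script shows the kind of link triage a defender can run over inbound SMS text. It extracts links (including scheme-less ones, as SMS lures often are), flags hosts that mention one of the report's top-abused brands without being that brand's registered domain (undoing digit-for-letter lookalikes such as paypa1), and flags brand lures parked on public cloud object storage, where only the bucket or account label and the path are attacker-controlled. The brand-to-domain map, the storage suffixes and the sample messages are constructed assumptions, and the registered-domain logic is a last-two-labels approximation rather than a public-suffix lookup.

```python
"""Heuristic link triage for SMS lures: brand lookalike hosts and brand lures
hosted on public cloud storage. Added example; not Zscaler/ThreatLabz code."""
import re
from urllib.parse import urlparse

# Assumption: top-abused brands from the report, mapped to the registered
# domains a defender would treat as genuine. Extend from your own inventory.
BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
    "onedrive": {"onedrive.com", "live.com"},
    "telegram": {"telegram.org", "t.me"},
    "amazon": {"amazon.com"},
    "paypal": {"paypal.com"},
}

# Public object-storage hosts where static phishing pages are often parked.
CLOUD_STORAGE_SUFFIXES = ("s3.amazonaws.com", "blob.core.windows.net", "storage.googleapis.com")

# SMS links frequently omit the scheme, so match bare hostnames too.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/\S*)?", re.I)

# Digit-for-letter substitutions seen in lookalike hostnames (paypa1, micr0soft).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample messages, not real captures.
SAMPLE_SMS = [
    "Your PayPal account is limited. Restore access: https://paypa1-secure.example/login",
    "Microsoft: unusual sign-in. Review at https://contoso-docs.blob.core.windows.net/microsoft/signin.html",
    "Your Amazon order has shipped: https://www.amazon.com/gp/your-account/order-history",
    "Congrats! You won a prize from Telegram, claim at t.me-prize.example/claim now",
]


def extract_urls(text):
    """Pull links out of free text, adding a scheme to bare hostnames."""
    urls = []
    for match in URL_RE.finditer(text):
        raw = match.group(0).rstrip(".,;:!?)\"'")
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw
        urls.append(raw)
    return urls


def registered_domain(host):
    """eTLD+1 approximation (last two labels); assumption: no public-suffix
    list offline, so multi-part suffixes such as co.uk are not handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def cloud_storage_suffix(host):
    """Return the matching storage suffix if host is public object storage."""
    for suffix in CLOUD_STORAGE_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def mentions_brand(brand, domains, text):
    """True if the brand name or one of its domains appears in text after
    undoing digit homoglyphs; domains must sit on a label boundary so that
    live.com does not match olive.com."""
    text = text.lower().translate(HOMOGLYPHS)
    if brand in text:
        return True
    return any(re.search(r"(?<![a-z0-9])" + re.escape(d) + r"(?![a-z0-9])", text)
               for d in domains)


def classify_url(url):
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registered_domain(host)
    suffix = cloud_storage_suffix(host)
    # On cloud storage only the bucket/account label and the path are
    # attacker-controlled; the provider suffix itself proves nothing.
    tenant = host[: -len(suffix)].rstrip(".") if suffix else ""
    reasons = []
    for brand, domains in BRANDS.items():
        if reg in domains:
            continue  # genuine brand domain, nothing to flag
        if suffix:
            if mentions_brand(brand, domains, tenant + parsed.path):
                reasons.append(f"{brand} lure on public cloud storage ({suffix})")
        elif mentions_brand(brand, domains, host):
            reasons.append(f"{brand} lookalike host (registered domain {reg})")
    return {"url": url, "host": host, "reasons": reasons,
            "verdict": "suspicious" if reasons else "clean"}


def triage_sms(message):
    """Classify every link found in one SMS message."""
    return [classify_url(u) for u in extract_urls(message)]


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        for result in triage_sms(sms):
            print(result["verdict"], result["host"], result["reasons"])
```

Run as-is, the script marks the first, second and fourth sample messages suspicious and the genuine amazon.com link clean. The two rules are deliberately separate: a brand name inside a cloud-storage hostname is not by itself a signal (every S3 path-style URL contains "amazon"), so for those hosts only the tenant label and path are inspected.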
Current events – such as the COVID-19 pandemic and the rising popularity of cryptocurrency – continue to work as lures to convince victims to click on malicious links. The shift to more remote work has also added to the threat level of phishing. Employees no longer have the same security at home that they may have had in the office. VPNs and collaboration applications were used as themes in phishing campaigns, Desai said.
"We are now transitioning into a hybrid world which provides cybercriminals yet another opportunity of infecting a remote employee's machine after a successful phishing attack and then using it as a beachhead to move laterally when the same employee is in [the] office," he said. ®