PhishLabs' Phishing Trends and Intelligence annual report provides insight on significant trends, tools, and techniques used by threat actors to carry out phishing attacks. It provides context and perspective into HOW and WHY these trends are occurring.
By understanding the threat, we can better defend against it. The report data is sourced from more than one million confirmed phishing sites residing across more than 170,000 unique domains. We investigated more than 7,800 phishing attacks every month, identifying the underlying infrastructure used in the attacks and shutting them down. The report uses this data to illuminate significant trends, tools, and techniques being used by the threat actors.
To download the on-demand full webinar, click here: https://info.phishlabs.com/phishing-trends-and-intelligence-pti-report-webinar
To download the PTI Report, click here: https://info.phishlabs.com/2017-phishing-trends-and-intelligence-report-pti
2017 Phishing Trends & Intelligence Report: Hacking the Human
2. 2017 R.A.I.D. Webinar Series
• What’s it about?
• Insights from our Research, Analysis, Intelligence Division and other PhishLabs’ experts
• Hosted every month, exact dates TBD
• Focus on current threat campaigns – dissect attacks, scams, campaigns, and discuss threat actors
• Goal: equip you to better secure your network, your employees, your company and your customers
• Who should attend?
• Open invitation – feel free to share!
• Security leaders and professionals responsible for managing cyber threats
4. February agenda
2017 Phishing Trends & Intelligence Report: Hacking the Human
Proprietary and Confidential
Copyright 2017 PhishLabs
4
Crane Hassold
Senior Security Threat Researcher
7. Phishing Trends & Intelligence Report Purpose
• Provide insight on significant trends, tools, and techniques used by threat actors to carry out phishing attacks
• Provide context and perspective into HOW and WHY these trends are occurring
• By understanding the threat, we can better defend against it
8. Methodology
• Analysis of nearly 1 million confirmed malicious phishing sites hosted on more than 170,000 unique domains and more than 66,000 unique IP addresses
• “Attack” = domain hosting phishing content
• Volume vs. Share
• Volume relates to the raw, cumulative number of attacks
• Share references the percentage of attacks relative to the entire attack population
9. Industry Trends: Who is Being Targeted?
• 976 brands from 568 parent institutions targeted by phishing attacks in 2016
• 91% of all attacks targeted five industries
• Financial institutions
• Cloud storage services
• Webmail/online services
• Payment services
• E-commerce sites
• Attack volume targeting the top 5 industries grew by an average of 33%
• Financial institutions still the most targeted industry…barely
10. The Rise of Cloud Storage Phish
• Attacks targeting cloud storage services expected to surpass those targeting financial institutions in 2017
• Percentage of attacks targeting FIs has been steadily declining
• Cloud storage phish made up less than 10% in 2013; now account for nearly a quarter
• 90% of cloud storage phish target only two companies (Google, Dropbox)
11. Evolving Motivations
• Three primary motivations for fraud-based phishing:
1. Immediate Account Takeover
2. Credential Proliferation
3. Data Diversification
12. Motivation #1: Immediate Account Takeover
• Historically, the primary motivator for phishing attacks
• Targets are usually banks and payment service companies
• Immediate, direct profit
• Industries impacted by these attacks have seen a decline in volume
Chart data: 2013: 64%; 2016: 37%
13. Motivation #2: Credential Proliferation
• Attackers mass harvest credentials for the purpose of attacking secondary targets
• Focused on web services that use email addresses as a primary credential
• Indirect profit
• Significant increase in targeting
Chart data: 2013: 21%; 2016: 46%
14. A Systemic Vulnerability
• The shift in targeted industries is driven by a major vulnerability: the use of an email address as a primary credential
• Target one = target all
• Facilitates password reuse attacks
• 39% of users reuse passwords across services (Pew Research, 2017)
16. Motivation #3: Data Diversification
• Purpose is to collect more comprehensive information about a victim
• Impacted industries include e-commerce sites and government services
• Phishing attacks targeting tax agencies have increased 300% since 2014
• IRS phish in January 2016 exceeded volume of attacks seen in all of 2015
• Less frequent, higher impact
• Used to commit other types of crimes (e.g., identity theft, tax fraud)
• Also used to facilitate future phishing activity (e.g., phone numbers)
17. Why are We Seeing This Shift?
• Phishing threat actors are evolving their tactics to:
1. Make their jobs easier
2. Expand the avenues of profit
3. Take advantage of ease-of-use features built into many websites
• By shifting their targets and techniques, phishers have:
1. Made credential collection more efficient
2. Focused on collecting a wider breadth of information to facilitate other crimes
3. Moved to a more indirect, but likely more lucrative, profit motive
4. Adapted to security controls used by FIs and payment service companies
18. What are the Implications?
• Password reuse attacks are a serious threat to secondary targets
• Cloud storage and SaaS accounts are not the primary targets
• Expect that customers have already been compromised elsewhere
• “It’s not my problem” paradox
• Brand reputation issues
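A defender-side illustration of the password-reuse threat described in the Systemic Vulnerability and Implications slides, added here and not taken from the PhishLabs report or webinar: it parses a constructed authentication log and flags a source that walks through many distinct email-address usernames in a short window, listing the accounts where a reused password worked. The log format, thresholds and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the report). One source tries many
# distinct email-address usernames in seconds, which is what a password-reuse
# run against a secondary target looks like; the other is a user retrying.
SAMPLE_LOG = """\
2017-02-01T10:00:01 login FAIL user=alice@example.com src=203.0.113.7
2017-02-01T10:00:02 login FAIL user=bob@example.com src=203.0.113.7
2017-02-01T10:00:02 login OK   user=carol@example.com src=203.0.113.7
2017-02-01T10:00:03 login FAIL user=dave@example.com src=203.0.113.7
2017-02-01T10:00:04 login FAIL user=erin@example.com src=203.0.113.7
2017-02-01T10:00:05 login OK   user=frank@example.com src=203.0.113.7
2017-02-01T10:05:00 login FAIL user=alice@example.com src=198.51.100.9
2017-02-01T10:05:30 login FAIL user=alice@example.com src=198.51.100.9
2017-02-01T10:06:00 login OK   user=alice@example.com src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_log(text):
    """Return (timestamp, result, user, src) tuples for lines that match the assumed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=4):
    """Flag a source IP that tries at least `min_users` distinct usernames within `window`.
    A user mistyping a password hits one account repeatedly; a reuse attack walks a
    harvested list, one attempt per account, and some succeed because of reuse."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, user, result))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i in range(len(attempts)):
            start = attempts[i][0]
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {a[1] for a in in_window}
            if len(users) >= min_users:
                # Successful logins inside the burst are the accounts to force-reset.
                hits = sorted({a[1] for a in in_window if a[2] == "OK"})
                flagged[src] = {"distinct_users": len(users), "compromised": hits}
                break
    return flagged
```

The `compromised` list is the practical output: those accounts authenticated with a password that was evidently exposed elsewhere, so they need a reset and notification regardless of whether this service was the phishing target.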
20. Country Trends: Where are the Attacks Happening?
• 81% of phishing attacks target US-based entities
• Significant increase in attacks targeting Canadian targets (+237%)
• Focused on financial institutions
• Sustained increase, not a quick spike
• Switzerland, France, Italy, Germany also saw increases
• China, Australia, Great Britain saw significant declines in attacks
21. Hosting Locations: Where are Phish Hosted?
• More than half of all phishing sites hosted in the United States
• Sharp increase in the number of phish hosted in Eastern Europe
• Decline in phish hosted in East Asia
22. Top-Level Domains: How are Phish Hosted?
• 51% of phishing sites hosted on .COM TLD
• New gTLDs still associated with a small fraction of phishing sites, but they’re growing
• 220 new gTLDs observed in 2016 vs. 66 in 2015
• Inexpensive option for phishers looking to have control over their infrastructure
• Allow phishers to create legitimate-looking domains
23. Phish Kits: How are Phish Made?
• Kits are the “recipe” for creating most phishing sites
• Collecting & analyzing kits gives us a more in-depth understanding of the techniques used to carry out phishing scams
• Anti-detection techniques
• Access controls
• Code obfuscation
• Data exfiltration
• Collected more than 29,000 kits in 2016 targeting 300+ different companies
• More than a third used techniques to evade detection
• 29% used methods to evade browser-based blocking
• 22% utilized mechanisms to restrict access to phishing site
24. Ransomware: Yeah, That Happened…
• Ransomware has been around for decades, but saw a massive surge in 2016
• Phishing was, by far, the most common method of delivery
• Simplicity led to copycats
• Ransomware-as-a-service
• High rate of infection, low rate of payment
• Threat actors evolved targeting tactics to change from individuals to strategic businesses