Phishing by Numbers

The manipulation of human behaviour for criminal intent is nothing new. Age-old scams that tricked people into handing over their hard-earned cash have been around since humans came down from the trees. The modern equivalent of these old scams is phishing. Phishing is now considered the single most successful technique used by cybercriminals. Variants on the theme of social engineering and trickery have created a phishing toolset that cybercriminals use to steal login credentials, exfiltrate personal data and install ransomware. Phishing comes in many forms, from emails containing malicious attachments or links to spoof websites, to malicious text messages and spoof phone calls. Such a successful method is likely to remain the cybercriminal's weapon of choice unless we put measures in place to prevent it.

Types of Phishing

There are a variety of phishing types. Each has the ultimate goal of either getting malware installed on the recipient's device, or getting them to click on a link that takes them to a spoof website where they download malware or enter sensitive data such as login credentials. The following are the most common types of phishing to date.

Phishing

In March 2016, 93% of phishing emails were being used to infect victims with ransomware (1).
85% of organizations reported a phishing attack in 2015, up from 72% in 2014 (2).
Phishing emails carrying JavaScript applications and Microsoft Office macros as attachments were the most common methods of infecting users (1).
In a new twist on the old hijacking of email contact lists, a Facebook-based phishing scam emerged this year. Users were sent fake Facebook messages informing them that a friend had mentioned them in a comment. The message delivered a Trojan which installed a Chrome browser extension; the extension carried out a Facebook account takeover, allowing manipulation of privacy settings and data theft (3).
The IRS saw a 400% increase in phishing aimed at taxpayers during the 2016 tax season (4).

Sources:

(1) PhishMe, Q1 2016 Malware Review: http://phishme.com/project/phishme-q1-2016-malware-review/
(2) Wombat Security, State of the Phish 2016: https://www.wombatsecurity.com/press-releases/new-report-state-of-phishing-attacks
(3) Telegraph, Facebook fake friend phishing attack, July 2016: http://www.telegraph.co.uk/technology/2016/07/06/facebook-fake-friend-phishing-attack-uncovered—heres-how-to-sp/
(4) IRS, Consumers warned of new surge in IRS email schemes during 2016 tax season: https://www.irs.gov/uac/newsroom/consumers-warned-of-new-surge-in-irs-email-schemes-during-2016-tax-season-tax-industry-also-targeted

Spear Phishing

Spear phishing is a type of phishing email that is specifically targeted at a known person. Usually it will include their name in the email body and enough specific personal information to look very convincing. Spear phishing has been used very successfully in a number of high-profile attacks, including the 2013 Target Corp breach. Often this type of phishing is used to steal login credentials for protected resources such as servers.

67% of organizations reported a spear phishing attack (1).
Size of organization does not guarantee immunity from spear phishing: organizations of all sizes are being attacked. However, smaller businesses (under 250 employees) have seen a larger increase in spear phishing attempts over the last three years, whereas larger businesses (more than 2,500 employees) have seen roughly the same number of attacks over the same period.

Spear phishing by company size (2): [chart]

Sources:

(1) Wombat Security, State of the Phish 2016
(2) Symantec, Attackers Target Both Large and Small Businesses: https://www.symantec.com/content/dam/symantec/docs/infographics/istr-attackers-strike-large-business-en.pdf
(3) Kaspersky Lab, Threatpost, Amazon users targets of massive Locky spear phishing campaign: https://threatpost.com/amazon-users-targets-of-massive-locky-spear-phishing-campaign/118323/

Whaling or Business Email Compromise (BEC)

This is a variant of spear phishing targeted at employees of a corporation, tricking them into thinking the email originates from their CEO or a similar C-level executive. This type of phishing requires much more upfront research by the phisher, and the resulting email is very convincing.

BEC (Whaling) statistics

In Q4 2015, 55% of businesses saw an increase in this type of scam (1).

January 2015 to June 2016 (2):
Losses: $3,086,250,090 (over $3 billion)
Number of countries involved: 100
Number of U.S. states involved: 50
Number of countries the stolen money is sent to: 79, concentrated in Southeast Asia

37% of companies surveyed had been the victim of a targeted phishing scam in which the email purported to be from their CEO (3).
This year, Snapchat was the victim of a payroll-targeted BEC, resulting in the personal details and payroll information of an undisclosed number of employees being disclosed. The email looked as if it came from the Snapchat CEO, Evan Spiegel (4).
In similar faked-CEO phishing attacks, 55 companies fell for a scam seeking their employees' 2015 W-2 U.S. tax records. In this scam, the company's details were found using sites such as LinkedIn. Emails that looked as though they originated from the CEO tricked accounts staff into releasing W-2 tax-record data on employees, which was then used to file false tax claims (5).

Sources:

(1) Mimecast, Changes in Whaling and Fraud Email Tactics: https://www.mimecast.com/security-center/
(2) FBI, Business E-Mail Compromise: The 3.1 Billion Dollar Scam: https://www.ic3.gov/media/2016/160614.aspx
(3) AlienVault, Clicking With The Enemy: https://www.alienvault.com/blogs/security-essentials/clicking-with-the-enemy
(4) CNET, Snapchat employee falls for email phishing scam: http://www.cnet.com/uk/news/snapchat-hit-by-email-phishing-scam/
(5) Cloudmark Security Blog, 55 companies and counting: W-2 spear phishing attacks continue to increase: https://blog.cloudmark.com/2016/03/31/55-companies-and-counting-w-2-spear-phishing-attacks-continue-to-increase/
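The whaling and W-2 cases above share a small set of header-level tells: the From display name is an executive's name, but the real sending address is a free-mail or lookalike domain, a Reply-To quietly diverts the conversation elsewhere, and the wording is about payroll, W-2s or wire transfers. The following is an added example, not code from the original article or from any of the vendors cited, of a triage check that fires on those indicators. The executive list, the domain example.com and the three sample messages are constructed for the illustration; a real deployment would load the executive list from a directory and use a proper confusable-character table instead of the one-character edit-distance test used here.

```python
# Added example, not code from the original article: a minimal header triage
# for BEC / whaling mail. It flags messages whose From display name matches a
# protected executive while the real sending address, sending domain or
# Reply-To points somewhere else, or whose text is about money or payroll.
# COMPANY_DOMAIN, EXECUTIVES and the sample messages are all assumptions.
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                         # assumed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}      # assumed name -> real address
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "aol.com"}
MONEY_WORDS = ("wire transfer", "w-2", "payroll", "invoice")


def normalise(name):
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())


def domain_of(addr):
    """Return the domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance; used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw):
    """Return the list of BEC indicators found in one RFC 5322 message.
    An empty list means nothing fired."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    sender_domain = domain_of(from_addr)
    findings = []

    exec_name = normalise(from_name)
    if exec_name in EXECUTIVES:
        if from_addr != EXECUTIVES[exec_name]:
            findings.append(f"display name '{from_name}' is an executive but sender is {from_addr}")
        if sender_domain in FREEMAIL:
            findings.append(f"executive name sent from free-mail domain {sender_domain}")
        body = msg.get_payload() if not msg.is_multipart() else ""
        text = (msg.get("Subject", "") + " " + body).lower()
        hits = [w for w in MONEY_WORDS if w in text]
        if hits:
            findings.append(f"executive name combined with money/payroll wording: {hits}")

    # A Reply-To on a different domain than From diverts the victim's answer
    # to a mailbox the attacker controls.
    if reply_addr and domain_of(reply_addr) != sender_domain:
        findings.append(f"Reply-To {reply_addr} diverts replies away from {sender_domain}")

    # One-character variants of the company domain (examp1e.com, exarnple.com).
    if sender_domain and sender_domain != COMPANY_DOMAIN and edit_distance(sender_domain, COMPANY_DOMAIN) <= 1:
        findings.append(f"sender domain {sender_domain} is a lookalike of {COMPANY_DOMAIN}")
    return findings


# Constructed sample messages (not real mail).
SPOOFED = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <ceo-office@mail-relay.net>
To: payroll@example.com
Subject: Urgent: W-2s for all employees

Can you send me the W-2 forms for every employee as a PDF today? Jane
"""

LOOKALIKE = """From: Jane Doe <jane.doe@examp1e.com>
To: finance@example.com
Subject: Wire transfer approval

Please process the attached wire transfer before close of business.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Board deck

Slides for Thursday attached.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, triage(sample) or "no indicators")
```

Run stand-alone, the spoofed message trips four indicators (wrong sender address, free-mail domain, W-2 wording and a diverted Reply-To), the lookalike message trips three, and the genuine message trips none. Display-name matching is deliberately the trigger rather than the sending address, because that is the field the recipient actually sees in most mail clients.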

SMiShing

SMiShing is a variant of phishing that uses mobile text messages instead of emails to trick users into giving up details such as login credentials. An example was a recent WhatsApp-based SMiShing scam. Users received an ordinary SMS on their phone alerting them to a need to pay a fee to keep using WhatsApp. The text tricked users into clicking a link that took them to a spoof WhatsApp site, where they were asked for credit card details.

55% of organizations reported a SMiShing attack (1).

Source:

(1) Wombat Security, State of the Phish 2016

Vishing

Vishing uses a phone call to extract personal data from a user, which is then used to commit fraud. There are many vishing scams involving banks and other financial institutions. One of the largest to date is the IRS vishing scam (1). In March 2016 there was a 10X increase in the number of vishing attempts, with around 450,000 victims (2).

Sources:

(1) IRS, IRS warns taxpayers of summer surge in automated phone scam calls: https://www.irs.gov/uac/irs-warns-taxpayers-of-summer-surge-in-automated-phone-scam-calls-and-requests-for-fake-tax-payments-using-itunes-gift-cards
(2) Pindrop Blog, IRS phone scam live call analysis: https://www.pindropsecurity.com/irs-phone-scam-live-call_analysis/

Number of phishing attacks across the global market (1): [chart]

Source:

(1) RSA, Fraud Action Quarterly, Q2 2016 Threat Report: https://community.rsa.com/docs/DOC-58632

Alternative Numbers from the Anti-Phishing Working Group (APWG)

Unique phishing websites for the six months to April 2016: [chart]
Number of unique reported email campaigns: [chart]

Source for both charts: APWG, Phishing Activity Trends Reports for Q4 2015 and Q1 2016: http://docs.apwg.org/reports/apwg_trends_report_q4_2015.pdf and http://docs.apwg.org/reports/apwg_trends_report_q1_2016.pdf

Click rate

2014: 23% opened a phishing email; 11% clicked the malicious link or opened the attachment (i.e. completed the phish) (1)
2015: 30% opened a phishing email; 13% clicked the malicious link or opened the attachment (i.e. completed the phish) (1)
Only 3% alerted management to the possibility of a phishing email (1)

Click rate per industry, top five (2):
Telecommunications: 24%
Professional Services: 23%
Government: 17%
Insurance: 16%
Retail: 14%

Sources:

(1) Verizon, 2016 Data Breach Investigations Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
(2) Wombat Security, State of the Phish 2016: https://www.wombatsecurity.com/press-releases/new-report-state-of-phishing-attacks

Top Ten Country Sources of Phishing Emails, Q1 2016

USA: 12.43%
Vietnam: 10.30%
India: 6.19%
Brazil: 5.48%
China: 5.09%
France: 4.90%
Russia: 4.89%
Mexico: 4.57%
Germany: 2.91%
Argentina: 2.60%

Top Ten Countries by Share of Users Attacked

Brazil: 21.5%
China: 16.7%
Great Britain: 14.6%
Japan: 13.8%
India: 13.1%
Australia: 12.9%
Bangladesh: 12.4%
Canada: 12.4%
Ecuador: 12.2%
Ireland: 12.0%