According to researchers from Zscaler’s ThreatLabz research team, the number of phishing attacks worldwide jumped 29% in the last year as threat actors countered stronger corporate defenses with new methods.
Cybercriminals have adapted to multi-factor authentication (MFA), employee security awareness training, and security controls expanding who and where they will attack.
While the United States remained the country with the most phishing attempts, others are seeing faster growth in the number of incidents – leveraging new vectors like SMS and lowering the barrier of entry to launch attacks thanks to pre-built tools made available on the market.
“Phishing attacks remain one of the most prevalent attack vectors, often serving as a starting point for more advanced attacks that can result in a large-scale breach,” Deepen Desai, CISO and VP of Research and security operations at Zscaler, says The register.
“As organizations continue to improve their defenses to combat phishing attacks, threat actors are also evolving their tools, tactics, and procedures to evade these controls and make phishing attacks more effective. “
The ThreatLabz report released on Wednesday comes from a year of phishing data extracted from the Zscaler cloud. ThreatLabz analyzed data from over 200 billion transactions per day and 150 million attacks blocked daily.
Microsoft, Telegram, Amazon, OneDrive and PayPal were the top brands used in phishing scams, and the retail and wholesale sectors saw the strongest year-over-year growth, with a jump of 436%.
At the heart of it all is the ongoing cat-and-mouse game of do-and-do between hackers and those tasked with protecting organizations and individuals. Phishing-as-a-service (PhaaS) – like ransomware-as-a-service and similar outsourced malware – can not only accelerate the number of phishing attempts, but also allow less skilled hackers to conduct more easily sophisticated campaigns.
The main PhaaS methods are phishing kits – essentially packages containing everything a malicious actor needs – and open source phishing frameworks, which can be found on codesharing forums and offer a range of features to run specific attack functions or automate the whole process. They are also free.
“Phishing kits bundle and commoditize everything needed to launch hundreds or thousands of compelling and effective phishing pages very quickly with very little technical skill required,” Desai said.
“Even attackers with advanced skills are moving from developing to using phishing kits to launch large-scale campaigns. Now attackers can simply copy templates from the kit to a compromised web server or hosting service to generate a phishing page for a targeted brand.”
Phishing kits make attacks easier to launch and harder for security teams to detect, he said. Using open source templates eliminates many of the typos, grammatical errors, and unsigned certificates that security professionals typically rely on to identify phishing scams.
“With higher sunk costs, cybercriminals have also developed a more targeted approach to selecting their ideal targets,” Desai said. “The result of these changes is a sharp increase in financial losses in organizations affected by phishing scams over the past few years.”
Hackers are also evolving delivery vectors and techniques, including SMiShing, which uses SMS on mobile devices rather than email as an entry point to engage targets. It’s been around since 2006, but usage is skyrocketing, with one report showing a 300% increase in the last quarter of 2020 and another 700% increase in the first six months of 2021, according to ThreatLabz researchers.
In such messages, the criminals impersonate corporate executives, prominent brands, banking or mobile phone providers, and contest organizers to trick victims into clicking on the phishing links.
“These attacks can be very effective because many victims trust text messages from unrecognized numbers more than emails from unrecognized senders,” the researchers wrote. “Many are also used to SMS marketing, which increases trust in this medium. It is relatively easy for hackers to create a local phone number and message those using the same area code, which builds confidence.”
Other attacks are also on the rise, Desai said, such as vishing — voice phishing, where hackers pretend to be from a reputable company — and browser-in-browser — where a malicious browser window is deployed inside a browser window. , with attackers replicating pop-up login windows that appear to come from companies such as Google, Microsoft, and Apple.
Bad actors using phishing methods also use public cloud storage service providers like Amazon Web Services, Microsoft Azure and Google Cloud to host phishing pages, he said.
Current events – such as the COVID-19 pandemic and the growing popularity of cryptocurrency – continue to work as decoys to convince victims to click on malicious links. The shift to more remote working has also increased the threat level of phishing. Employees no longer have the same security at home as in the office. VPNs and collaboration apps have been used as themes in phishing campaigns, Desai said.
“We are now moving to a hybrid world that offers cybercriminals a new opportunity to infect a remote employee’s machine after a successful phishing attack, then use it as a beachhead to move laterally when the same employee is in [the] office,” he said. ®