Phisher's Favorites

Phishers’ Favorites: Microsoft Remains the #1 Brand in Attacks

Adrien Gendre

May 02, 2019

27 min

Today, we published our Phishers’ Favorites report for Q1 2019. Now in its fourth edition, the list highlights the 25 most impersonated brands in phishing attacks. The ranking is based on the number of unique phishing URLs Vade detects for each brand within the quarter.

For the past three quarters, we published separate Phishers’ Favorites editions for North America and Europe. However, since we’re seeing minimal difference in the top 25 brands for each region, we decided to publish a single global list.

Without further ado, here is the full list, with additional analysis below.

Microsoft remains #1 as hackers lure targets into a false sense of security

Perhaps a surprise to no one at this point, Microsoft topped our Phishers’ Favorites list for the fourth straight quarter. After a big dip in activity over the holidays, when hackers shifted their sights to consumer targets, Microsoft phishing slowly recovered in January before resuming its torrid pace in February and March. In fact, the week of March 4th was the biggest single week for Microsoft phishing since we started our analysis. Because of the sluggish start to the year, though, the number of Microsoft phishing URLs actually declined in Q1 for the first time, finishing down a modest 4.5% from Q4 2018.

Microsoft’s sustained popularity with hackers stems from the lucrativeness of Office 365 credentials, which provide a single entry point to the entire Office 365 platform while enabling them to conduct multi-phased attacks using compromised accounts. In fact, Microsoft’s own research estimates that Office 365 phishing increased 250% from Jan – Dec 2018.

Phishers Favorites Q1 2019: Microsoft remains the most phished brand

We continue to see a variety of Office 365 phishing attacks, from suspended account claims to links to phony OneDrive or SharePoint documents. Overall, the sophistication of these attacks is growing, with many Office 365 phishing pages being virtually indistinguishable from the real thing. To accomplish this, hackers mirror the actual Office 365 login page, pulling JavaScript and CSS directly from the legitimate website and inserting their own script to harvest credentials.

Microsoft Office 365 Phishing Page
Microsoft phishing page with identical branding to legitimate website

In addition, we’re seeing pages that redirect users to legitimate Microsoft pages once they’ve submitted their credentials in an attempt to convince them that nothing is amiss. For instance, one recent attack targeting multiple customers would redirect users to after they “logged in”. What’s also noteworthy about this phishing email is that the reply-to was a legitimate Microsoft email: Again, this is intended to create a false sense of security with the user.

PayPal phishing surges, propelling the company to the #2 spot

Perennial phishers’ favorite PayPal regained the #2 spot, driven by a significant 88% increase in phishing URLs in Q1 2019. PayPal held the #2 spot in Q2 and Q3 2018, before falling to #3 in Q4 2018 with a 5.1% decline in phishing URLs.

PayPal has historically been one of the most targeted brands by phishers, and for obvious reasons: it is the most widely used online payment service worldwide, with more than 250 million active users as of Q3 2018. It’s also accepted by many online vendors worldwide, making PayPal credentials highly lucrative.

Netflix phishing attacks target both consumer and corporate users

Netflix fell one spot to #3 in the Q1 edition of Phishers' Favorites. The growth in Netflix phishing URLs appear to be leveling off, from highs of 49.7% in Q2 2018 and 61.9% in Q3 2018, to 25.7% in Q4 2018 and 11.9% in Q1 2019.

Netflix Phishing Trend, Phishers Favorites, Q1 2019

In terms of content, most Netflix phishing emails claim that the user’s account has been suspended and/or their payment declined. What’s interesting is that more and more Netflix phishing emails are targeted at corporate email users. Since most users most likely use their personal email addresses for their Netflix accounts, one can only assume that hackers are hoping users won’t notice that the email was sent to their corporate email address. This is certainly possible, particularly when users read email on their mobile devices.

Another interesting trend is that many Netflix phishing emails contain as many as six or seven legitimate Netflix links (in addition to one malicious link). This technique is aimed at fooling both reputation-based email filters and users, who check one or two links and then assume that the email is legitimate.

Rounding out the top 10 of Phishers' Favorites

Facebook moved up three spots to #4, Bank of America dropped one spot to #5, and Credit Agricole shot up 15 spots to #6. Rounding out the top 10 were DHL at #7; Apple which increased eight spots to #8; Dropbox, which rose two spots to #9; and the Canadian Imperial Bank of Commerce (CIBC) which shot up nine spots to #10.

Like Netflix, Apple phishing is an interesting example that targets both consumer and corporate users. Moreover, thanks to the variety of Apple products and services, we continue to see a range of phishing subjects, including important security updates, disabled Apple ID, and Apple store receipts. We’re also seeing a combination of attack vectors, including phishing emails that also contain malicious attachments purporting to be an invoice.

Cloud continues to represent the most phishing URLs but social media saw the largest growth

After remaining consistent in Q4 2018, the industry makeup of the Phishers’ Favorites list changed in Q1 2019. Two financial services companies dropped out of the top 25, leaving seven brands in the category. Meanwhile, social media and government each added one company, bringing their respective totals to three and one. Cloud (6), Internet/Telco (5), and E-Commerce/Logistics (3) remained unchanged.

Industry Phishing Trend, Phishers' Favorites, Q1 2019

In terms of percentage, cloud accounted for the most phishing URLs for the fourth straight quarter. 42% of all phishing URLs impersonate cloud providers, down from 49.6% in Q4. This decline was driven by the fact that four of six cloud brands in the top 25—Microsoft (-4.5%), Docusign (-24.2%), Adobe (-1.6%), and Google (-34.1%)— saw a quarter-over-quarter (QoQ) decline.

On the other hand, social media phishing saw the highest QoQ growth of any sector. Phishing URLs impersonating social media brands increased 74.7% in Q1, reversing the trend of three straight quarters of decline. This growth comes from attacks impersonating two brands: Facebook and Instagram.

Facebook and Instagram phishing surge

Facebook phishing increased 155.5% in Q1, propelling the social media giant into the #4 spot. Facebook was actually the #1 impersonated brand in Q1 2018, but then saw three straight quarters of decline, dropping to the #7 spot in Q4 2018.

Facebook phishing trend, Phishers' Favorites Q1 2019

It’s hard to know precisely why phishers are suddenly interested in Facebook credentials again. One plausible explanation could be the rise of social sign-on using Facebook accounts. With a set of Facebook credentials, hackers can see what other apps the user has authorized via social sign-on—and then compromise those accounts!

Another theory could be Facebook’s own questionable business practices, with recent headlines revealing that Facebook stored hundreds of millions of user passwords in plain text, and required some new users’ email passwords in order to sign up. Hackers could be taking advantage of the confusion and concerns of Facebook users to lure them into clicking on phishing pages. 

Instagram Phishing Trend, Phishers' Favorites, Q1 2019

Instagram is another interesting example. For three quarters, Instagram phishing was virtually nonexistent. Then suddenly, in Q1, the number of URLs exploded 1,868.8%! What drove such massive growth? At the beginning of March, a number of news outlets reported on a wave of phishing emails claiming to offer a verified Instagram badge to trick recipients into providing their credentials. This same phishing attack was detected by Vade technology.

Instagram Phishing Page: Verified Badge Scam
Instagram phishing page: verified badge scam

Mondays and Tuesdays are the top days for phishing

The most popular days for phishing attacks shifted from Tuesday and Wednesday in Q4 2018 to Monday and Tuesday in Q1 2019. The middle three days were Wednesday, Thursday, and Friday. And the bottom two days for phishing were Saturday and Sunday.

Day of Week Phishing Trend, Phishers' Favorites, Q1 2019

Looking at individual brands, Microsoft phishing attacks follow the overall trend, spiking on Monday and Tuesday; remaining strong Wednesday, Thursday, and Friday; and then dropping significantly over the weekend. Given the focus on Office 365 – versus Microsoft’s consumer products and services – hackers are clearly trying to take advantage of professionals being in the office and active on email during the week to increase their odds of success.

Microsoft phishing dominates weekdays, PayPal phishing weekends

To further illustrate the prevalence of Microsoft phishing on weekdays, we looked at which brand had the most new phishing URLs on each single day in Q1. Then we tallied up the results for all 90 days in the quarter. Microsoft was the #1 phished brand on 72% of weekdays, followed by PayPal (23%) and Facebook (3%).

Single Day Highs, Phishers' Favorites, Q1 2019

Looking at single day totals for the weekend days in Q1, the results shifted to PayPal (73%), followed by Facebook (11%) and Netflix (8%).

What’s clear across the board is that while there are many consistencies from quarter to quarter (e.g. Microsoft being the #1 target), hackers show no limit to their creativity. The way they construct their attacks—from the message content to the techniques they use to trick recipients—continues to evolve very rapidly.  To learn how to mitigate threats to Office 365, read the IDC Analyst Connection: Email Security: Maintaining a High Bar When Moving to Office 365.