Phishers’ Favorites: File phishing spreads; banks targeted
Adrien Gendre
May 07, 2020
29 min


Microsoft reclaims the #1 spot from PayPal, with 2x the phishing URLs
Microsoft, the most impersonated brand for our first five Phishers’ Favorites reports, reclaimed the top spot from PayPal, which held the distinction for the last two quarters. In total, Vade detected twice as many Microsoft phishing URLs than the next closest brand in Q1.

It’s no surprise that Microsoft remains the #1 target of corporate phishing. In October, the company reported 200 million Microsoft 365 business users; and the tidal shift to cloud email and productivity platforms is only accelerating due to the COVID-19 pandemic. Microsoft 365 credentials offer numerous potential payouts for hackers, including access to sensitive corporate information and the ability to conduct spear phishing and ransomware attacks from inside the organization.
When it comes to Microsoft 365 phishing attacks, we continue to see a lot of OneDrive and SharePoint file-sharing phishing. In the example below, the phishing page impersonates OneDrive and requests that the user log in with Microsoft 365, Outlook, or another email service to view a shared file.

Similarly, this example appears to be a secure link to a SharePoint file entitled, “Invoice & Remittance Advice.” Once again, the user is asked to log in to Microsoft 365 to access the file.

In addition, we recently discovered a Microsoft 365 phishing campaign that used COVID-19 as a hook. The email appeared to come from the Department of Health (who-publichealth-covid19 (at) getyourguide (dot) com), and contained the subject, “COVID-19: New cases around your city.” Upon clicking on the phishing URL, which was hosted on multiple legitimate hacked websites in Germany, Belarus, Spain, and Czech Republic, the user landed on the Outlook Web Access login page below.

This specific attack was sent to 48 Vade for Office 365 clients, but only one user per client. Seeing that the lifespan of the campaign was just five hours, it was a very dynamic, short-wave attack. In addition to standard phishing attempting to angle in COVID-19, we’ve also seen a variety of Coronavirus phishing and other scams as we detailed in a recent blog.
Facebook remains #2 as social media phishing aims to compromise other accounts
Social networking giant Facebook came in at #2 on our list for the second straight quarter. With nearly 2.5 billion monthly active users, Facebook offers a massive pool of targets for phishers.
Historically, one of the primary aims of social media phishing has been to harvest user credentials and then attempt to reuse the passwords to hack into other online services. After all, a 2019 Google survey found that that two in three people recycle the same password across multiple accounts.
In the example below, the alleged Facebook Security System Page claims the target’s Facebook page has been reported for abuse and may be disabled. The user is instructed to verify their account to prove that it’s their page. What’s particularly interesting about this phishing page is that the Facebook logo and ‘f’ icon have been stretched out and distorted. Image manipulation is an increasingly common tactic employed by hackers to bypass email filters that are only capable of identifying exact image matches.

Facebook makes this gateway approach even easier thanks to its universal login API, which allows users to log in to tens of thousands of apps directly from Facebook. With a single set of Facebook credentials, phishers can access—and compromise—any third-party apps the user has authorized via social sign-on.
PayPal drops two spots to #3 as phishing shifts to SMB targets
After two quarters, PayPal relinquished the title of Phishers’ Favorite, dropping two spots to #3 on our list.
PayPal has traditionally been a popular target for phishing consumers. The reasons are two-fold: a large user base, with more than 305 million active accounts as of Q4, and an immediate financial payback. Once you harvest PayPal credentials, you simply withdraw the balance of the wallet and move on.
More recently, PayPal phishing has begun targeting corporate email users, specifically SMBs. In June 2019, PayPal announced the PayPal Commerce Platform, a digital commerce solution connecting PayPal’s users with 22 global merchants. PayPal Commerce Platform provides not only a payments solution for SMBs but also simplified compliance, anti-fraud protection, and end-to-end payments offerings. This expansion—and the media coverage that came with it—resulted in an immediate spike in PayPal phishing attacks.
The remaining brands in the top 10 all rose in the ranking; eBay debuts at #9
The remaining seven brands in our top 10 all rose in the rankings in Q4. Banking giants Chase (#4), Bank of America (#5), and Crédit Agricole (#6) rose seven, one, and 19 spots respectively. Amazon was up three places to #7, and Adobe (#8), eBay (#9), and Wells Fargo (#10) all rose double digits in Q1.
Notably, eBay appeared in our Phishers’ Favorites report for the first time, debuting at #9. eBay phishing has grown significantly over the past four quarters, propelling the e-commerce giant into the top 25. Frankly, given the nature of its business, it’s shocking eBay hasn’t shown up sooner.

Logically, one common eBay phishing lure is a fake purchase notification such as the example below. What’s also interesting about this example is the phishing URL. Notice how it uses ebay.com early in the URL in an attempt to convince the user that it is the legitimate eBay domain.
<code>https://www.ebay.com-itm.pl/1962-Airstream-Bambi-16ft-Camper-Travel-Trailer/133273902820fhash-item1f07be5ee4_g_fR0AAOSwEJZdNjGP/WQAAOSwePtdK4Gwk11/Ha9IlLaBzZzfoyJSv52t/1962</code>

File phishing expands beyond Microsoft to Adobe and Dropbox
While Microsoft has been the main target of file-sharing phishing for several quarters, we’ve observed this attack type evolving to impersonate other brands.
Dropbox is an obvious example. The file hosting service rose four spots to #11 in Q1.
The phishing page below impersonates Dropbox Business, Dropbox’s more advanced offering claiming more than 300,000 corporate customers. The page prompts the user to log in to view a file attachment.

Another brand being victimized by the file-sharing phishing trend is Adobe, which rose 12 spots to #8. Perhaps best known for its ubiquitous Photoshop and Illustrator apps, Adobe also offers Document Cloud, which includes solutions for managing PDFs and e-signatures. Phishers are capitalizing on this offering to strike.
In a recent example, the recipient receives a file that is allegedly protected by AdobeDoc® Security. They are prompted to enter their email and password to access the PDF.

Threat researchers at Vade have previously seen phishing pages that are nearly identical to the example above, leading them to believe that this campaign is highly automated. Hackers dynamically insert a login form for a specific brand on top of the background image of a blurred Excel file. This way, they can efficiently reuse the same attack across multiple brands, reaching more targets and potentially earning a bigger payout.
Financial services phishing continues to dominate, but goal shifts to email passwords
For the third straight quarter, financial services companies accounted for the most brands and the most URLs in our Phishers’ Favorites report.
The number of financial brands actually dropped two to eight, but that was still enough to edge out cloud, which had six brands in the rankings. E-Commerce/Logistics had four, followed by Internet/telco (3), Social media (2), and government (2).
Regarding the share of overall phishing URLs, financial services once again led the way with 37%. Cloud gained ground, though, growing from 24.5% in Q4 to 29.1% in the most recent quarter. Social media came in third with 11.6% of URLs, followed by E-Commerce/Logistics (11.1%), Internet/Telco (8.6%), and Government (2.8%).

Last quarter, we reported on the growth of phishing impersonating smaller, regional banks. This appears to have been short-lived. The chart below highlights phishing URLs for Desjardins and ATB Financial over the last five quarters. As you can see, after substantial growth over the past two quarters, phishing activity dropped significantly in Q1.

Instead, the prevailing trend in financial services phishing seems to be impersonating major banks not with the goal of accessing financial accounts but rather to harvest email passwords. Vade has detected several variations of this scam in recent weeks, including phishing pages impersonating Bank of America and Wells Fargo. The two examples below both explicitly ask the user to enter their email address and email password.


Monday is the top day for phishing, Thursday remains popular
Looking at days of the week, Thursday remained one of the top two days for phishing, while Monday overtook Friday, the top overall day in Q4. Tuesday, Wednesday, and Friday were the middle three days, and once again Saturday and Sunday saw the fewest phishing emails.

While we had observed the overall percentage of phishing emails sent on weekends grow slightly for four consecutive quarters, that trend reversed in Q1. The percentage sent on weekends dropped from 21.2% in Q4 to 17.6% in Q1. That’s likely why Saturday and Sunday are the bottom two days for most of the brands in the top 10. The exceptions are Facebook, which sees the second most phishing on Saturday, and Amazon, which counts both weekend days among its middle three.
MSPs: Use Phishers’ Favorites to educate your clients
As always, Phishers’ Favorites presents a wealth of data for MSPs to educate their clients on the evolving threat landscape, particularly in the context of the COVID-19 pandemic. As your clients adopt more cloud-based apps in light of remote working, they will inevitably receive more phishing emails impersonating these services. Moreover, the added distraction of working from home during this period creates added risk, which could facilitate an opportunity to position advanced threat protection.