Phishers’ Favorites: Note phishing increases; banks targeted

Today, we published our Phishers’ Favorites report for Q4 2019. Now in its seventh edition, Phishers’ Favorites ranks the 25 most impersonated brands in phishing attacks, based on the number of unique phishing URLs detected by Vade within the quarter. As we protect 600 million mailboxes in 76 countries, we have a unique view on global email traffic and the phishing campaigns targeting both consumer and corporate email accounts.

PayPal is the #1 overall target for the second straight quarter

For the second straight quarter, PayPal was the most impersonated brand in phishing attacks. While PayPal phishing was down 31% compared to Q3, the volume was up 23% year over year. With a daily average of 124 unique URLs, PayPal phishing is a prevalent threat targeting both consumers and SMB employees.

PayPal’s sustained popularity stems from the immediate financial payback from hacking PayPal accounts. Moreover, with active user accounts climbing to more than 295 million in Q3, PayPal offers a massive pool of potential targets for phishing campaigns.

We continue to see PayPal phishing attacks leveraging legitimate content in an attempt to fool both users and email filters. Past campaigns have employed techniques such as mixing legitimate URLs with one phishing URL, leveraging legitimate reply-to addresses, and redirecting users to the actual PayPal website once they’ve submitted their credentials on the phishing page.

A recent PayPal phishing email reports a “new login from unknown device,” offering technical sign-in details such as the operating system, web browser, and version. The message claims that access to the target’s PayPal account will remain limited until they log in and confirm their identity.

Microsoft remains the main corporate target, as file and note phishing picks up

Microsoft remained the primary corporate target in Q4, coming in at #3 on our list. This is no surprise given the consistent growth of the Office 365 platform. In October, Microsoft reported that there are now 200 million active monthly Office 365 business users. Seeing how many SMBs still rely on Microsoft EOP alone, cybercriminals just need to tune their phishing campaigns to evade Office 365’s native defenses. With compromised O365 accounts, they can access sensitive information stored in SharePoint, OneDrive, Skype, etc., along with launching spear phishing attacks targeting other employees or partners.

We continue to see a variety of Office 365 phishing attacks, including the trend we reported on last quarter of file-sharing phishing impersonating OneDrive and SharePoint. These campaigns range from fake OneDrive/SharePoint notifications leading directly to a phishing page, to legitimate notifications leading to files containing phishing URLs.

As we recently shared in our Email Security Predictions 2020, we’re seeing an evolution from file-sharing phishing to note phishing impersonating OneNote and Evernote. The campaigns work the same: you receive either a fake notification leading directly to a phishing page or a real sharing notification to a note containing a phishing URL. The difference is that OneNote or EverNote notes are not files, but rather HTML pages. The same technology that is used by email security vendors to scan the contents of files doesn’t work with HTML pages, which means these emails have a higher likelihood of reaching users’ inboxes.

After 6 quarters of growth, Netflix phishing finally falls

One of the biggest surprises in our Q4 report is that Netflix phishing actually declined! Up until now, Netflix phishing had been a model of consistency, growing for six consecutive quarters. But that trend reversed abruptly in Q4, with a 50.2% drop in unique phishing URLs. In fact, the 6,758 Netflix phishing URLs detected by Vade in Q4 was the lowest total since Q2 2018.

Financial services phishing continues to dominate, targeting smaller, second tier banks

For the second quarter, financial services companies accounted for the most brands and most URLs in our Phishers’ Favorites report. The number of financial brands was consistent at 10, with the addition of Square, ATB Financial, and M&T Bank balancing out the departure of Wells Fargo, SunTrust Bank, and Societe Generale. The number of cloud, e-commerce/logistics, and government organizations remained consistent, at six, three, and one respectively. Social media added two companies (WhatsApp and Instagram) while internet/telco dropped two (Yahoo! and AT&T).

Regarding the share of overall phishing URLs, financial services led the way with 37%, followed by cloud (27%), social media (24%), e-commerce/logistics (7%), internet/telco (4%), and government (1%). What’s interesting is how different types of financial institutions fared on a relative basis. Phishing targeting the largest banks largely declined, with Bank of America (-21.5%), Chase (-14.6%), Credit Agricole (-30%), and Wells Fargo (-54.4%) all seeing fewer phishing URLs. The outlier in this category was BNP Paribas, France’s second largest bank by assets, which was up 23.1%. Meanwhile, phishing targeting smaller, second tier banks was up, led by M&T Bank (469.8%), Desjardins (54.4%), and ATB Financial (0.7%).

This shift towards phishing customers of smaller banks could reflect the same overall trend we’re seeing towards more email attacks targeting small businesses. For example, the ransomware wave of 2016 targeted large enterprises, who in response to major business disruptions invested in stronger cybersecurity controls. Smaller companies typically don’t have the same level of protections in place, which is why ransomware attacks have shifted towards SMBs and local government. Similarly, large banks have invested in building out SOCs, incident response and takedown procedures to limit phishing campaigns impersonating their brand. Smaller banks may not have the same level of controls in place.

Social media phishing continues to surge, led by WhatsApp and Instagram

Despite having only three brands in the top 25, social media increased its share of phishing URLs from 13.1% in Q3 to 24.1% in Q4 2019. This growth was driven by WhatsApp, which shot up 63 spots to #5, and Instagram, which rose 16 spots to #13. The remaining social brand, Facebook, rose two spots to #2, despite an 18.7% dip in phishing URLs. On a year-over-year basis, though, Facebook was up 358.8%.

Digging into WhatsApp, the staggering growth in phishing URLs stems primarily from a campaign inviting recipients to the so-called Berbagi WhatsApp group, which advertises pornographic content. Moreover, it appears web hosting provider 000webhost was hacked and used to host the phishing pages. Note the consistent structure of this sample of URLs:

Regarding Facebook, one plausible explanation for its consistent popularity could be the rise of social sign-on using Facebook Login. With a set of Facebook credentials, phishers can see what other apps the user has authorized via social sign-on—and then compromise those accounts.

Moreover, rather than seek a financial payback from social media phishing, cybercriminals may be harvesting credentials and then attempting to reuse the passwords to hack into other online services. After all, a 2019 Google survey found that that two in three people recycle the same password across multiple accounts.

Lastly, it’s worth noting that Facebook launched a new payments system in November called Facebook Pay. Available across Facebook, Messenger, Instagram, and WhatsApp, Facebook Pay enables users to send money to friends, shop for goods, or even donate to fundraisers. It will be interesting to see whether Facebook Pay drives further growth in phishing across Facebook’s brands, particularly if the size of the service’s user base reaches and exceeds PayPal’s.

Friday was the top day for phishing

For the first time since we began our analysis, Friday was the top day overall for phishing emails, followed closely by Thursday. Tuesday, Wednesday and Monday took the middle three spots. As usual, Saturday and Sunday were at the bottom.

As you can see from the heat map, Friday was one of the top two days for seven of the top brands, such as PayPal, Facebook, Netflix, WhatsApp, and Bank of America. Seeing that these are mainly consumer-oriented brands, phishers are likely trying to hit these targets when they’re actively using such services, making them more willing to comply with the action demanded. Imagine going a whole weekend without access to your Netflix account!

On the other hand, Microsoft phishing continued its trend of peaking mid-week, with Wednesday and Thursday being the top two days in Q4. This is logical as phishers want to reach corporate targets when they’re in the office and active on their work email accounts.

Lastly, while I noted above that Saturday and Sunday were the least common days for phishing, we’ve noted a trend of cybercriminals gradually sending more campaigns on the weekends. Over the last four quarters, the share of phishing URLs sent on weekends has increased from 19.8% to 21.2%. While this is hardly earth shattering, it’s worth keeping an eye on, as users are more likely to let their guard down over the weekend.

MSPs: use Phishers’ Favorites to educate your clients

For MSPs, Phishers’ Favorites presents a wealth of data to educate your clients on the dynamic threat landscape and how it’s continuously evolving. Ultimately, this could facilitate an opportunity to reassess the client’s existing email security and position a solution like Vade for Office 365.


Phishers' Favorites 2019 Year in Review
Discover the 20 most spoofed brands of 2019 and key phishing trends and techniques used to target and exploit victims.

Get the EBook