Vade observed a steep rise in phishing attacks in Q1 2023, with volumes increasing by 102% quarter-over-quarter (QoQ), accounting for the highest Q1 total since 2018. Let’s examine the findings of the latest report.
Phishing and malware trends: Q1 phishing volumes exceed Q4 totals
In Q1 2023, Vade detected 562.4 million phishing emails, surpassing the previous quarter’s total by 284.8 million. January accounted for the highest volume of phishing emails in Q1 with 488.5 million, more than five times the combined total of February (26.6 million) and January (47.3 million). This month-to-month pattern differs from the same period in 2022, when March accounted for the most phishing emails.
Phishing volumes, Q4 2022 – Q1 2023
Phishing and malware trends: malware volumes decline moderately
Malware volumes declined QoQ, falling 7% and accounting for 52.3 million emails, a 13% decrease from the same period last year. Despite the dip, the figure exceeds Q1 volumes in 2021, 2020, and 2019. Malware emails steadily increased throughout Q1 2023, peaking in March (20.3 million), then declining to 16.2 million in February and 15.7 million in March.
Malware volumes, Q4 2022 – Q1 2023
Phishing and malware trends: phishing attacks target productivity suites with new techniques
Behind the numbers in this quarter’s report, we see several important trends. Among the most notable is the sustained supply of phishing attacks spoofing the brands and productivity suites of Microsoft and Google. While we’ve written extensively about this trend, Vade researchers continue to discover new techniques exploiting these popular organizations.
That includes a phishing attack detected by Vade in March 2023. A phishing campaign spoofed Microsoft 365, using legitimate YouTube attribution links and a Cloudflare CAPTCHA to evade detection. The use of YouTube attribution links is a new tactic that could bypass email filters that scan for suspicious redirects.
Microsoft 365 phishing email detected by Vade
In the attack, victims receive a spoofed email alerting them that their Microsoft 365 password has expired and must be updated to “avoid service disruption.” They’re given the option to keep their existing password by clicking “Keep Same Password,” which is hyperlinked to a YouTube URL that contains the phrase, “attribution_link.”
While attribution links are used to give someone credit for using their content, they are used in this case to redirect users to the phishing webpage. If users click the button in the phishing email, it quickly redirects them to YouTube followed by a page with Cloudflare CAPTCHA, which is likely hosted on Cloudflare and uses URL crawling and bot protections. Hackers leverage YouTube and Cloudflare to add perceived legitimacy to the campaign and bypass email gateways whitelisting the platforms.
Cloudflare intermediary page detected by Vade
Once users click the CAPTCHA, it directs them to a Microsoft 365 phishing page. Here, the page personalizes the experience by auto populating the user’s email address and leaving an empty field for their password.
Microsoft 365 destination phishing page detected by Vade
If users attempt to sign into the phishing page, hackers can harvest their credentials.
While previously documented phishing attacks have also used YouTube links to redirect users to malicious webpages, the links included the label “redirect.” This gave a visual indication that the YouTube links didn’t match the URL of the destination page.
In this case, no security vendors regarded the YouTube attribution link as malicious on VirusTotal.
Phishing and malware trends: Phishing attacks combine multiple sophisticated techniques
In March 2023, Vade detected a new phishing campaign that combines several sophisticated techniques to compromise victims’ cryptocurrency wallets. This includes exploiting Google Translate to bypass detection from email security tools, using JavaScript and CSS to obfuscate phishing pages, and leveraging Interplanetary File System (IPFS) Decentralized Network to host a phishing kit.
Phishing email impersonating Wallet Connect
The attack begins when victims receive an email impersonating the Wallet Connect, an application for connecting mobile cryptocurrency wallets to decentralized applications. The email informs that they must verify their wallet to avoid an account suspension.
Behind the scenes of the attack, hackers use IPFS Decentralized Network to host a phishing kit. Part of WEB 3.0 technologies, IPFS is a decentralized storage and delivery network based on peer-to-peer (P2P) networking. IPFS enables users around the world to exchange files, making it an attractive target for cybercriminals. Victims can open the file with or without running an IPFS client on their devices, thanks to gateways used as proxies. IPFS also eliminates the cost of phishing kit storage for cybercriminals. And once hackers upload a file, only they can delete it.
To bypass detection from security systems that may identify IPFS format in emails, hackers translate the IPFS URL using Google Translate. This changes the URL pattern from “http://<cid>.ipfs.<gateway host>/<path>” to “http://<cid>[-]ipfs[-]<gateway host>/<path>”, replacing [.] with [-]. This process also adds, “translate[.]goog/” to the URL. The addition leverages the reputation and a legitimate domain of Google, increasing the chances the malicious email reaches users’ inboxes.
After the victim clicks the malicious link, they get directed to a page claiming to verify they’re not a robot. At the top of the page, the Google Translate top bar indicates that the on-page text has been translated into the victim’s language and makes the page look legitimate.
Fake verification webpage
Inspecting the HTML of the page, we see that it’s organized into three nodes, or data structures. The first node displays the fake verification screen for five seconds using CSS properties.
JavaScript and CSS properties used on phishing page
To hide the first node and display the second, the attacker uses a combination of JavaScript and CSS properties.
Connect Wallet phishing page
Once the first note is hidden, the second node displays the phishing page to the victim. If the user clicks “Connect Wallet,” the third node displays, with a new page that lists 21 spoofed cryptocurrency wallets the victim can connect to.
Fake window listing spoofed cryptocurrency wallets
Once the victim selects a cryptocurrency wallet to connect, the phishing page displays a window that simulates a connection with the wallet’s service.
Fake window simulating a connection with a crypto wallet
Then, the page refreshes to display another window that instructs the victim to enter their wallet’s verification information (Recovery Phrase, Keystore JSON, and Private Key). Vade researchers confirmed that this attack’s phishing kit appeared in previously reported 2022 campaign.
Phishing page to harvest verification information
When viewed on a mobile device, the phishing campaign is more difficult to detect. The second node, which displays the phishing page, hides the Google Translate top bar content thanks to CSS properties. This technique makes the phishing page more convincing for victims who are suspicious of seeing the Google Translate top bar.
Phishing campaign viewed on mobile device
The campaign follows a recent surge in phishing activity spoofing Google services and companies.
Email is the top distribution method for phishing and malware
Email provides hackers with more opportunity to exploit businesses, as organizations increasingly adopt productivity suites like Microsoft 365 and Google Workspace. Email also gives hackers the ability to leverage a wide range of legitimate services and techniques to increase the scale, perceived legitimacy, and overall effectiveness of their attacks.
To stay protected, organizations must step up their cybersecurity. That includes boosting cyber hygiene with phishing awareness training. It also entails supplementing native email security with layered protection from an integrated, third-party solution like Vade for M365, which combines machine and human intelligence to create a dynamic security model.
