Phishers’ Favorites: Microsoft Retains #1 Spot as Attacks Grow

Today, we’re excited to publish the second edition of Phishers’ Favorites. The quarterly list highlights the 25 most commonly spoofed brands in North America, including their current position and how many spots they moved up/down since Q2.

As with the previous edition, the list was compiled by tallying the number of new phishing URLs detected each day by Vade and made publicly available on www.IsItPhishing.AI. A total of 86 brands are currently tracked and analyzed for purposes of Phishers’ Favorites. These 86 brands account for 95 percent of all phishing URLs detected by our technology.

Without further ado, here is the latest Phishers’ Favorites Top 25 list, with more detailed analysis and commentary below.

Phishers' Favorites Top 25 List

View full top 25 list

Phishing URL volume is up, with attacks becoming increasingly targeted

It’s clear that phishing attacks are on the rise, as hackers shift from exploiting software vulnerabilities to exploiting human vulnerabilities. Overall, the total number of new phishing URLs across the 86 brands tracked rose 20.4% in Q3.

Phishers' Favorites: Targeted Phishing

What should be more concerning to security professionals is that phishing attacks are becoming more targeted. When we correlated the number of phishing URLs against the number of phishing emails blocked by our filter engine, we found that the number of emails sent per URL dropped more than 64% in Q3. This suggests that hackers are using each URL in fewer emails in order to avoid by reputation-based security defenses. In fact, we’ve seen sophisticated phishing attacks where each email contains a unique URL, essentially guaranteeing that they will bypass traditional email security tools.

Microsoft remains the #1 spoofed brand, dwarfing all others

Drilling into the individual brands that are spoofed by phishers, there is one company that dwarfs all others: Microsoft.

Phishers' Favorites: Microsoft #1 Target

For the second quarter, Microsoft topped our Phishers’ Favorites list. Percentage wise, the 23.7% quarter-over-quarter growth in Microsoft phishing URLs might seems modest. However, in absolute numbers, Microsoft saw the largest overall growth, with the average number of phishing URLs surging from 124.2 per day in Q1, to 192.4 in Q2, to 235.4 per day in Q3.

The primary goal of Microsoft phishing attacks is to harvest Office 365 credentials. With a single set of credentials, hackers can gain access to a treasure trove of confidential files, data, and contacts stored in Office 365 apps, such as SharePoint, OneDrive, Skype, Excel, CRM, etc. Moreover, hackers can use these compromised Office 365 accounts to launch additional attacks, including spear phishing, malware, and, increasingly, insider attacks targeting other users within the same organization.

We continue to see two common Microsoft phishing pages. The first replicates the Office 365 sign-in page, with most of these examples being virtually indistinguishable from the real thing. The emails pointing these pages often contain messages about Office 365 access being suspended or disabled; the aim is to create a sense of urgency that compels the recipient to immediately enter their password in order to unlock or access their account.

Microsoft Phishing Page: Office 365 Login

The second, and increasingly common example, pretends that the recipient has received a link to a file on OneDrive or SharePoint. In order to access the file, the user must first sign in with their credentials, which isn’t necessarily suspicious giving how frequently we’re asked to reauthenticate various services and apps.

Microsoft Phishing Page: Sharepoint File

Rounding out the Phishers' Favorites Top 10

PayPal held steady at #2 with a 29.9% increase in phishing URLs. PayPal is a perennial phishers’ favorite, given its large user base (244 million active accounts, as of Q2 2018) and the immediate financial payback from hacking these accounts.

Netflix moved up one slot to #3, driven by a substantial 61.9% increase in phishing URLs. The streaming video service is a popular target because hackers frequently attempt to access credit card numbers by pretending that accounts have been suspended due to billing issues. Login credentials to Netflix (and other services) are also sold on the dark web for low prices.

Rounding out the top 5 were Bank of America and Wells Fargo, which saw a 57.4% and 21.5% growth in phishing URLs respectively. Fellow financial services company Chase saw a massive 352.2% increase in phishing URLs to crack the top 10 for the first time.

Interestingly, Facebook was the only brand in the top 10 with negative quarter-over-quarter growth in phishing URLs (-35.6%). This comes on the heels of an even bigger -54.3% drop in Q2.  The steady decline in 2018 suggests that hackers are losing interest in Facebook as a target, perhaps due to greater public scrutiny and focus on security in the wake of Cambridge Analytica, the recent breach impacting 50 million accounts, and other incidents.

Cloud and financial services continue to dominate industries 

Once again, we categorized Phishers' Favorites brands based on industry to see what additional trends we could uncover. The makeup of the top 25 remained fairly stable, led by financial services with nine companies and cloud with six. Internet/telco added one company to bring the total to five, thanks to a 359.4% surge in Comcast phishing pages. Meanwhile, e-commerce/logistics dropped one company to three, with Amazon falling out of the top 25.

Phishers' Favorites: Industry Analysis

In terms of volume, cloud and financial services combined represent nearly three-quarters of all phishing URLs. While both industries saw solid double-digit quarter-over-quarter growth (22.5% and 36.7% respectively), internet/telco saw the largest percentage growth of 46.3%, again thanks to the growth in Comcast phishing pages. Social media was the only industry to see a decline, reflecting the steep drop in Facebook phishing, as notes above.

Tuesdays and Thursdays are the top days for phishing attacks

This quarter, we added something new to Phishers’ Favorites, analyzing the day of week for each phishing URL. We found that Tuesday and Thursday are the two most common days for phishing attacks, followed by Wednesday, Monday, and Friday. From there, activity trails off significantly on Saturday and Sunday. Yes, it appears that even hackers are working for the weekend.

Phishers' Favorites: Day of Week Analysis

What’s interesting is that this data reflects general marketing best practices for the best days to send emails. Here’s one study which shows that Tuesday, Thursday, and Wednesday are the top three days for sending marketing emails. It’s unclear whether hackers are looking to marketing best practices to inform their attacks, or whether they’re backing into it through their own testing and optimization. But clearly they’re attempting to maximize the number of opens and clicks.

Looking at day of week data for individual brands, there were a few noteworthy observations:

  • Microsoft phishing is predominantly M-F – Mirroring email marketing patterns, Microsoft phishing attacks spike on Tuesday and Thursday; remain relatively strong Monday, Wednesday, and Friday; and then drop significantly over the weekend. Seeing that most Office 365 attacks are focused on corporate targets, hackers are clearly trying to take advantage of professionals being in the office and active on email during the week to increase their odds of success.
  • Bank of America phishers cash in on weekends – Contrary to Microsoft, the two most popular days for Bank of America phishing attacks are Saturday and Sunday. As Krebs on Security noted in a recent article, “virtually all ATM cashout operations are launched on weekends, often just after financial institutions begin closing for business on Saturday.” The same would seem to hold true for bank phishing. By sending Bank of America phishing on the weekend, when branches and customer service lines are closed, hackers make it harder for recipients to verify that email and pages are malicious.
  • Hackers ‘Netflix & shill’ on Sundays – Netflix is another interesting exception, with the most popular day for phishing attacks being Sunday. One study shows that Netflix streaming peaks on Saturday, as many new seasons of shows are released all at once, often on Fridays. Hackers are likely looking to advantage of this surge in activity, compelling recipients to act quickly to unlock their account.

Learn more? Download the white paper Fighting Phishing