Phishers’ Favorites: Microsoft #1 Driven by Multi-Phased Attacks
January 23, 2019
Today, we published our Phishers’ Favorites list for Q4 2018. Now in its third edition (check out the Q2 2018 and Q3 2018 lists), the list highlights the 25 most commonly impersonated brands in phishing attacks. It’s compiled by analyzing the new phishing URLs detected each day by Vade technology and made publicly available on www.IsItPhishing.AI.
Microsoft remains #1, as Office 365 phishing opens the door to multi-phased attacks
For the third straight quarter, Microsoft topped our Phishers’ Favorites list. In absolute numbers, Microsoft continues to dwarf all other brands, with 2.3 times more phishing URLs than #2 Netflix in Q4.
The overwhelming popularity of Microsoft with phishers stems from the lucrativeness of Office 365 credentials. A login provides hackers with a single entry point to all of the apps under the Office 365 platform—as well as the files, data, contacts, etc. stored in them.
Increasingly, we’re seeing Office 365 phishing used in orchestrated multi-phased attacks. Here, hackers harvest Office 365 credentials and then use those legitimate accounts to send spear phishing emails targeting those users’ colleagues or business partners. Thus, the goal is not the credentials themselves but rather a financial payout in the form of wire transfers, ransoms, or gift cards. And because they leverage legitimate accounts, these attacks are virtually impossible for traditional email security products to detect.
Despite the rise of multi-phased attacks, the growth rate of Microsoft phishing URLs slowed to 4.9% in Q4, down from 23.7% in Q3. Seasonality was perhaps the biggest factor, as the number of new URLs plummeted in the second half of December. Seeing that so many workers take vacation and don’t actively check their work email over the holidays, hackers simply focused on other targets. But you can be sure that the level of activity will resume in the New Year!
Netflix overtakes PayPal for the #2 spot with holiday surge
So which brand was phishers’ favorite over the holidays? The answer is our #2 most impersonated brand on our Phishers' Favorites list: Netflix. Netflix phishing URLs surged 25.7% in Q4, propelling the company ahead of PayPal. Specifically, there was a big spike in Netflix phishing attacks in late December. In fact, Christmas day was the single biggest day for Netflix phishing URLs in all of 2018!
Our data validates several media reports that surfaced just after Christmas about a string of Netflix phishing scams. Even the FTC issued a warning, sharing a phishing email that claims the user’s account is on hold because Netflix is “having some trouble with your current billing information” and invites the user to click on a link to update their payment method. This is a classic example of Netflix phishing, so there are really no new techniques here. Instead, hackers were likely trying to take advantage of people being home and consuming Netflix content over the holidays to give an allegedly suspended account an added sense of urgency.
Rounding out the Top 10
PayPal dropped one spot to #3 with a 5.1% decline in phishing URLs. PayPal is a perennial phishers’ favorite, given the immediate financial payback from hacking these accounts. However, it seems that PayPal might be losing favor with hackers, at least temporarily, as they seek more lucrative payouts.
Bank of America held on to the #4 spot despite a 33.2% drop in phishing URLs, and Chase moved up two spots to #5 with a 0.8% increase in phishing URLs. Rounding out the rest of the top 10 were DHL, which saw a healthy 24.5% increase; Facebook, which saw the biggest drop (-39.1%) in the top 10; DocuSign, which saw phishing URLs grow 11.5%; LinkedIn, which experienced a 15.8% increase; and Dropbox, which declined 25.4%.
Cloud services are now the target of half of phishing URLs
Categorizing the brands by industry, the makeup of the Phishers’ Favorites list didn’t change in Q4. Financial services led with 9 companies, followed by cloud (6), internet/telco (5), commerce/logistics (3), and social media (2).
What’s more interesting is the share of phishing URLs. For the third straight quarter, cloud represented the most URLs. Moreover, its share has grown from 38.5% in Q2, to 39.2% in Q3, to 49.6% in Q4. That’s right: cloud services are now the target of nearly half of all phishing URLs! This strong overall growth was of course driven by Microsoft (+4.9%) and Netflix (+25.7%), but also DocuSign (+11.5%) and Google (+8.6%). Only Dropbox and Adobe saw declines in phishing URLs among cloud vendors, of 25.4% and 10% respectively.
While financial services represent the second largest industry at 32%, its share declined from 35.1% in Q3. This was due primarily to decreases in phishing targeting PayPal (-5.1%), Bank of America (-33.2%) and Wells Fargo (-72.7%). The remaining six financial services companies on the list saw increases in phishing attempts.
UBS phishing explodes likely due to new phishing kit
The most notable example in that group is UBS, which saw a staggering 3078.0% increase in phishing URLs, propelling the company 35 spots up to #16. After seeing minimal activity for the first nine months of the year, UBS phishing surged in October, peaked in November, and started to wane in December.
Analysis of the UBS phishing URLs reveals a consistent pattern (see examples below) in the way that they’re structured. This suggests that these URLs all originated from the same phishing kit. The kit may have been released in early Q4, leading to the spike and subsequent wane as email security products started to catch on to it.
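To illustrate how a shared URL structure can point to a single kit, the added example below (not Vade's method and not code from this report) reduces each URL to a host-independent template and flags templates that recur across several distinct hosts. The normalization rules, function names and the sample URLs on reserved `.example` domains are assumptions constructed for the illustration; they are not the report's UBS samples.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

def url_template(url):
    """Reduce a URL to a structural fingerprint that ignores host and variable tokens."""
    parts = urlsplit(url)
    segs = []
    for seg in parts.path.split("/"):
        if not seg:
            continue
        if re.fullmatch(r"[0-9a-fA-F]{16,}", seg):
            segs.append("<hex>")      # per-victim or per-deployment random token
        elif re.fullmatch(r"\d+", seg):
            segs.append("<num>")
        else:
            segs.append(seg.lower())
    # Keep only the parameter names; values and ordering vary per message.
    keys = sorted({k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return "/" + "/".join(segs) + ("?" + "&".join(keys) if keys else "")

def cluster_by_template(urls, min_hosts=3):
    """Group URLs by template and keep templates seen on at least min_hosts hosts."""
    hosts = defaultdict(set)
    for u in urls:
        hosts[url_template(u)].add(urlsplit(u).hostname)
    return {t: sorted(h) for t, h in hosts.items() if len(h) >= min_hosts}

# Constructed feed of newly detected URLs (hypothetical, reserved .example domains).
SAMPLE_URLS = [
    "http://shop-a.example/wp-content/secure/9f2c4e7a1b3d5f60718293a4/login.php?sid=1&lang=en",
    "http://blog-b.example/wp-content/secure/0a1b2c3d4e5f60718293a4b5/login.php?lang=de&sid=77",
    "http://site-c.example/wp-content/secure/ffeeddccbbaa99887766/login.php?sid=3&lang=fr",
    "http://news-d.example/account/update?id=5",
    "http://shop-a.example/wp-content/secure/1111222233334444aaaa/login.php?sid=9&lang=en",
]

if __name__ == "__main__":
    for template, host_list in cluster_by_template(SAMPLE_URLS).items():
        print(template, "->", host_list)
```

A template that appears on many unrelated hosts within a short window is a candidate kit fingerprint worth reviewing and turning into a detection rule; a template seen on one host is not evidence of a kit.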
Sample UBS phishing URLs:
Tuesdays and Wednesdays are the top days for phishing attacks
Analyzing the day of week as part of our Phishers' Favorites report, we found that the most popular days for phishing attacks shifted from Tuesday and Thursday in Q3 to Tuesday and Wednesday in Q4. The remaining weekdays filled out the middle three and once again, the weekend accounted for the bottom two.
Looking at day of week data for individual brands, there were a couple of noteworthy observations:
- Microsoft phishing is predominantly M-F – Microsoft phishing attacks mirror the overall data, spiking on Tuesday and Wednesday; remaining strong Monday, Thursday, and Friday; and then dropping significantly over the weekend. Hackers are clearly trying to take advantage of professionals being in the office and active on email during the week to increase their odds of success.
- Bank of America phishers cash in on weekends – The most popular day for Bank of America phishing attacks is Sunday. Notably, because bank branches and customer service lines are closed, it’s harder for recipients to verify that emails and pages impersonating Bank of America are malicious.
Introducing Phishers’ Favorites Lake!
While we’ll continue to do our own analysis on this blog, we wanted to make it easier for press, analysts, and bloggers to do their own analysis and find their own stories within the data. With that said, we are excited to announce the launch of Phishers’ Favorites Lake, an interactive tool to slice and dice the data however you’d like.