The most interesting trend to surface in Q4 of RiskIQ’s phishing report was a 100 percent increase in phishing campaigns leveraging social media platforms, accounting for 20 percent of the top 10 most phished brands.
Phishing actors are always innovating and creating new methods to lure victims into handing over their financial information, PII and account credentials. Understanding the latest phishing techniques and threat actor tendencies can help organizations stay one step ahead of the phishing threats targeting them.
For the uninitiated, phishing is a form of fraud in which a malicious actor impersonates a reputable organization, or compromises one of its accounts, to con unsuspecting users into parting with their login credentials, personal information and, in some cases, financial assets. Users can also unwittingly divulge information about their employer that the attacker can then use to gain access to corporate networks.
RiskIQ processes huge volumes of web-related threat data, including data on phishing incidents. From these sources it receives URLs that may indicate phishing. The URLs are processed through crawling infrastructure and fed through machine-learning technology to classify each detected phishing page appropriately. Within this group of phishing pages there are those used for highly targeted attacks, also known as ‘spear phishing,’ as well as pages used for widespread ‘generic’ phishing.
Regarding infrastructure, the report distinguishes two categories: self-maintained custom infrastructure, and abused or compromised infrastructure belonging to someone else.
RiskIQ summarizes this information every quarter to create a quarterly phishing roundup, tracking the evolving tactics of phishing campaigns. Looking at activity that took place in Q4 2017, while drawing upon the data used in the Q3 report, we can make comparisons and recap the trends seen over the whole of 2017.
Overall, 27,285 uniquely blacklisted phishing domains were observed, down two percent from Q3, targeting a total of 259 unique brands, down seven percent from Q3. A slight decline quarter over quarter isn’t unusual, as phishing tends to be very cyclical. Looking at the most phished brands by vertical industry, 40 percent of phish leveraged the brands of financial institutions, 20 percent impersonated large tech companies and 20 percent impersonated digital transaction providers. All three of those figures are in line with the Q3 findings. However, the most interesting trend to surface in Q4 was a 100 percent increase in phishing campaigns leveraging social media platforms, a trend that accounted for 20 percent of the top 10 most phished brands, including the overall most-phished brand.
This new focus on social media by threat actors is significant because it represents a pivot in tactics between Q3 and Q4 towards social media platforms and away from cloud service providers, which represented 10 percent of targets in the previous report. Financial institutions are almost always the target of the highest volume of attacks, but social media is an interesting new addition to the top-target list.
Fake social media profiles have been a problem for some time. Back in November, Facebook admitted that up to 270 million accounts on the social network are illegitimate and in January Twitter disclosed to investors that up to 60 million accounts are not what they seem. But why the rise in fake accounts associated with phishing activity?
There are several potential reasons why social media is drawing more attention from threat actors. For one, the growth in popularity of financial integrations within social media platforms that, for example, give users the ability to send and receive money, can make for an easy payday. There’s also the possibility of using sensitive information from posts, messages, and profiles that can be used as lures in social engineering attacks.
For organizations that leverage social media to engage with customers and prospects, these figures should act as a wake-up call: advanced social threat detection is now a critical capability and no longer a nice-to-have. The low barrier to entry and high visibility of social media make it a fast and powerful tool for threat actors to commit fraud by impersonating your brand. Users who are taken in are likely to place some of the blame on the impersonated organization for not better protecting its brand, and those same social media platforms can be used to amplify their sentiment, further tarnishing the brand.
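The report describes the classification step of its pipeline and the two infrastructure categories only in prose, and the paragraph above calls for brand-impersonation detection on social media without showing what that looks like. The following is an added example, written for this page and not RiskIQ's own code: a heuristic first-pass triage that flags URLs and social handles imitating a watched brand, then sorts hits into the report's two buckets (attacker-registered 'custom' infrastructure versus an 'abused or compromised' host that belongs to someone else). The brand watch list, the allowlist of brand-owned domains, the confusable-character table, the two-label public suffixes and all sample inputs are assumptions constructed for the example; a real deployment would draw on the Public Suffix List and a full brand inventory.

```python
"""Heuristic triage of candidate phishing URLs and social-media handles.

Added example, not RiskIQ's pipeline. Brand list, allowlist, suffix set and
confusable table are assumptions; a production system would use the Public
Suffix List and a complete brand inventory.
"""
from urllib.parse import urlsplit

# Assumed watch list of brands and the domains they really own.
BRANDS = ["paypal", "facebook", "dropbox", "microsoft"]
BRAND_DOMAINS = {"paypal.com", "facebook.com", "dropbox.com", "microsoft.com"}

# Public suffixes made of two labels (assumed subset of the Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.uk", "com.br", "com.au", "co.jp"}

# Look-alike substitutions common in phishing domains; digraphs first so
# 'rn' becomes 'm' before single characters are rewritten.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("@", "a"), ("$", "s"), ("|", "l")]


def normalize(label: str) -> str:
    """Lowercase a label and undo common confusable substitutions."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as 'dropbx'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_match(token: str):
    """Return the brand that a hostname label, path segment or handle imitates, else None."""
    token = normalize(token)
    for brand in BRANDS:
        if brand in token or levenshtein(token, brand) <= 1:
            return brand
    return None


def registered_domain(host: str) -> str:
    """Registrable domain: last two labels, or three under a two-label public suffix."""
    labels = host.lower().split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def triage(url: str) -> dict:
    """Say which brand a URL imitates, where the lure lives, and which infrastructure bucket it fits."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registered_domain(host)
    result = {"url": url, "brand": None, "signal": None, "infrastructure": None}
    if reg in BRAND_DOMAINS:  # allowlisted brand-owned domain
        return {**result, "brand": reg.split(".")[0], "signal": "brand-owned domain",
                "infrastructure": "legitimate"}
    # Lure in the registrable label: whoever registered the domain chose the
    # look-alike, so this is attacker-registered ('custom') infrastructure.
    brand = brand_match(reg.split(".")[0])
    if brand:
        return {**result, "brand": brand, "signal": "lookalike registered domain",
                "infrastructure": "custom"}
    # Lure in a subdomain: the zone owner picked the label, so treat it as custom too.
    sub = host[:-len(reg)].rstrip(".") if host.endswith(reg) else ""
    for label in filter(None, sub.split(".")):
        brand = brand_match(label)
        if brand:
            return {**result, "brand": brand, "signal": "brand in subdomain",
                    "infrastructure": "custom"}
    # Lure only in the path of an unrelated domain: the pattern of a phishing
    # kit dropped onto a compromised site, i.e. abused infrastructure.
    for seg in filter(None, parts.path.split("/")):
        brand = brand_match(seg)
        if brand:
            return {**result, "brand": brand, "signal": "brand in path",
                    "infrastructure": "compromised or abused"}
    return result


def triage_handle(handle: str):
    """Flag a social-media handle that imitates a watched brand, e.g. @PayPal_Supp0rt."""
    return brand_match(handle.lstrip("@"))


if __name__ == "__main__":
    # Constructed sample inputs, not data from the report.
    for u in ["https://www.paypal.com/signin",
              "http://paypa1-secure-login.tk/verify",
              "http://secure.facebook.com.account-verify.xyz/login",
              "http://blog.example.org/wp-content/uploads/dropbox/index.php",
              "https://micros0ft-support.co.uk/",
              "http://dropbx.net/",
              "https://news.example.com/article"]:
        r = triage(u)
        print(f"{str(r['infrastructure']):22} {str(r['signal']):28} {str(r['brand']):10} {u}")
    for h in ["@PayPal_Supp0rt", "@jane_doe"]:
        print(f"{h:18} -> {triage_handle(h)}")
```

The order of checks matters: an allowlisted domain short-circuits before any look-alike logic runs, and the registrable label is tested before subdomains and paths so that a look-alike domain is never misfiled as an abused host. The substring and edit-distance tests are deliberately loose; they are a triage signal for the crawler-and-classifier stage the report describes, not a final verdict.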
Knowing your phishing risk is only half the battle; real-time monitoring and web enforcement should be deployed to help you protect your organization’s assets.