The Latest in Phishing: May 2017

We bring you the latest in phishing statistics and attacks from the wild.

Phishing Statistics and News:

• NTT Security’s 2017 Global Threat Intelligence Report (GTIR), which analyzes global threat trends, has revealed that EMEA is the top source of phishing attacks worldwide, coming in at an alarming 53%. It found that phishing attacks were the primary vehicle for the delivery of global malware, with 73% of infections attributed to phishing.
• The FBI has issued an advisory warning professionals that Business Email Compromise (BEC) attacks continue to rise in 2017, with 40,203 reported losses over the last three years totaling more than $5.3 billion. In an interview with the International Business Times, Proofpoint researchers stated that they have found “more than 70 percent of BEC subject lines use the terms ‘urgent,’ ‘payment,’ or ‘request.’”
• Verizon’s annual Data Breach Investigation Report (DBIR) was released for 2017 and shows that phishing is still a big factor in data breaches. Read highlights from the report on our blog.
• Chinese security researcher Xudong Zheng discovered a variation of a homograph attack that affects Chrome, Firefox, and Opera browsers and enables phishers to use Punycode to register fake domains that can pass for sites like Apple, Google, and eBay. Google and Opera have deployed a fix, and instructions to remedy the issue in Firefox can be found in Bleeping Computer’s of the scam.

Increase your security response team's efficiency with PhishAlarm Analyzer

Phishing Attacks:

• More than 200 Gmail users were targeted by Russian government hackers known as "Fancy Bear" who designed a sophisticated phishing campaign utilizing Google AMP to poach passwords. Affected parties included journalists and activits who disfavor the Russian government, Ukranian military personnel, and high-ranking officials in energy. Their use of URL shortners made it possible for security researchers to identify the victims. Coverage from Motherboard points out the emails were sent "just a few days before Google warned some Russian journalists and activists that "government-backed attackers" were trying to hack them using malicious Tiny.cc links."
• Scammers attempting to capitalize on the massive global WannaCry ransomware attack have devised a phishing message that poses as UK-based telecom BT. The email points recipients to a fake security upgrade that was supposedly released to combat the ransomware attack. Action Fraud has BT customers to log into their accounts directly from the BT website to avoid falling for this trickery.
• British Members of Parliament have found their personal email accounts to be the target of a phishing scam that attempts to obtain their passwords and other personal details. The National Cyber Security Centre has asked staff to enable two-factor authentication, forward suspicious emails, and not to share their passwords or other private information with unverified sources.
• The National University of Singapore has been hit by multiple spear phishing attempts. One employee who fell for the attack had their account used to send additional phishing attempts to other employees. Although the motives for the attack are unknown, they are being attributed to an attempt to obtain government information.
• Digital signature service DocuSign has confirmed the breach of a customer database, resulting in stolen emails being used in a phishing attack. The phishing emails — which request a wire transfer — appear to come from DocuSign; malware is installed on an end user’s computer if the Word attachment is opened. Since discovering the data breach, DocuSign has put additional security measures in place and contacted authorities.
• French consumers are being targeted in a phishing campaign posing as the Bank of France. Victims have been sent fake financial communications such as bills, loan confirmations, and warnings of frozen accounts in an attempt to obtain their account numbers and other private information. Bank of France has cautioned customers not to reveal sensitive data via phone or online.
• A major phishing attack targeting Google Docs users in the government, academic, and private sectors was a global topic of conversation due to its ability to spoof such a large brand. The phishing emails were highly successful because they appeared to come from a legitimate source, usually one the end user was familiar with. Google halted the attacks within an hour, but it reportedly still managed to affect at least one million accounts.
• Employees of Facebook and Google fell victim to a phishing scam that collectively cost their employers more than $100 million. The perpetrator, a Lithuanian man who has since been arrested, sent phishing emails to workers over a two-year period, conning them into wiring millions of dollars at a time to a fake bank account.
• An airline phishing attack with an astounding 90% success rate has been discovered by Barracuda Networks. In addition to phishing, the technique included a combination of several practices such as impersonation and malware installation. These attack vectors were used in tandem to pose as an organization and mimic their emails to fool employees into opening malware-ridden attachments that granted hackers access to their data, leaving them vulnerable to additional attacks like ransomware. An article from The Stack claims, “These impersonations are successful enough that counterfeited emails are opened more than 90% of the time.” To combat this threat, Barracuda recommends a combination of sandboxing, anti-phishing software, and security awareness training for employees.
• World of Warcraft (WoW) players are being targeted with two variations of a phishing attack promising free game perks as bait. The attacks were discovered by Malwarebytes researcher Chris Boyd, who told SC Magazine that “offers related to free pets, armor, or weapons are always attractive to younger gamers who want to stand out from the crowd.” Boyd recommends that gamers verify offers by visiting the company’s security advice pages, using an authenticator and SMS alert system, and looking for the green padlock that displays “Blizzard Entertainment, Inc.” to know whether a request is legitimate.