The Latest in Phishing: September 2017

We bring you the latest in phishing statistics and attacks from the wild.

Phishing Statistics and News:

• Analysis of 100,000 corporate devices by mobile security firm Wandera has revealed that gaming apps are the ‘main source’ of phishing attacks on those devices. The research further reveals email apps as the second most likely culprits. iPhones were identified as the most widely targeted at 63%, while Android devices came in at 37%.
• The latest Black Hat Attendee Survey revealed that phishing and social engineering are top concerns for infosec professionals. In addition, survey respondents said these types of attacks are the most time-consuming for them on a day-to-day basis. You can read more analysis of survey results on our blog.
• The Anti-Phishing Working Group’s 2016 Global Phishing Survey identified a new trend when it comes to phishing attacks. Hackers are engaging in the practice of buying internet addresses to mimic legitimate websites. The largely decentralized nature of domain name registration is to blame, with almost half of all phishing sites registered to hackers.
• Dimension Data’s latest NTT Global Threat Intelligence Report has found that “phishing attacks were responsible for as much as 73% of malware being delivered to organizations,” reports CIO New Zealand. As end users become increasingly targeted, four industries accounted for 77% of all ransomware detected from October 2015 through September 2016: business and professional services, government, healthcare, and retail.

Increase your security response team's efficiency with PhishAlarm Analyzer

Phishing Attacks:

• An urgent warning from the IRS has been issued to taxpayers regarding a ransomware email scam that uses the emblem of the IRS and FBI to encourage recipients to download a questionnaire. Phishing attempts that impersonate government agencies are tried and true. According to Forbes, IRS Commissioner John Koskinen called this "a new twist on an old scheme."
• As if the damage from Hurricane Harvey weren’t devastating enough, scammers are capitalizing on the goodwill of donors to relief efforts. The opportunistic phishing attacks often masquerade as relief funds and donation requests. US- CERT has issued a warning, stating to “[R]emain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey. Emails requesting donations from duplicitous charitable organizations commonly appear after major natural disasters.” With Hurricane Irma currently wreaking havoc, users should be on the lookout for similar scams.
• Game of Thrones fans were recently targeted by timely phishing schemes from ATP17, an operation out of China that was using the recent episode leaks to entice recipients to fall for the scam. The emails contained files with Trojan malware that granted the attackers access to the infected machines. The attacks were discovered by security company Proofpoint, who believes that technology companies were being targeted.
• A spokesman from Singapore Airlines has revealed to The Straits Times that the airline was being used in a phishing attack touting free tickets in celebration of its 70^th Attackers incorporated vishing into their strategy, masking actual phone numbers with legitimate ones and telling victims they were selected for a drawing or had won tickets, with the ultimate goal being to obtain personal data. The airline has advised customers to check the Singapore Airlines website for official details regarding the company’s anniversary.
• A series of business email compromise (BEC) attacks out of West Africa made its rounds across various industries, targeting retailers, engineering firms, real estate companies, universities, technology companies, and churches. The attacks spanned from late March through mid-August, and attempted to steal credentials from end users when they opened an infected PDF. The information was then used to send spear phishing emails to the victims’ contacts.
• A phishing scam targeting consumers who participated in Amazon’s third annual Prime Day in July has been making the rounds. The online retail giant was being spoofed in an attempt to ask its customers to leave a review for a chance to win a $50 gift card. If clicked, the recipient is redirected to a phishing site that steals login credentials.
• A two-part phishing scam designed to steal the passwords of University of Illinois students was identified by the university’s Technology Services department. The first email, which authorized a large payment, contained a malware-ridden attachment, with the second email containing an attachment with a Trojan. Students were urged to delete the emails, change their passwords, and run anti-malware software just to be safe.
• Windows 10 users were alerted to a new phishing scam involving the operating system’s tech support. The attack involves malicious ads that redirect victims to a fake tech support site presenting itself as a security alert or the “Blue Screen of Death” (a site familiar to some Windows users). Unfortunately, these scare tactics are becoming fairly common. In an article from Tech Republic, Microsoft indicated that “at least three million users of various platforms and software encounter tech support scams” every month.
• Dallas-based property company U.S. Residential suffered a phishing attack in which one of its employee’s email accounts was hacked. The scammer then used the account to send emails, and may have had access to other sensitive files containing personal employee data, such as Social Security numbers. U.S. Residential alerted employees of the breach and claim they are unaware of any fraudulent activity utilizing the sensitive information, and have since contacted the FBI.
• Irish-based property website MyHome.ie has been alerting its users of a potential phishing scam in which the recipient is asked to update their user account information by activating their email address. The phishing site mimics that of MyHome.ie, but is an imposter site. The company has asked customers to ignore the emails, and informed users that MyHome.ie would not request their information in that manner.
• The notorious cybercriminal group dubbed “DarkHotel” has been targeting politicians and executives via calculated, highly sophisticated whaling and malware-based spear phishing attacks. These emails contain perfectly legitimate documents, which eliminates any suspicion on the recipients’ part, but their computers become infected once the attachment is opened. An article from The Inquirer claims this is “a major departure from [DarkHotel’s] approach, in which the attacker would have to share the same WiFi as its victim.” It is believed the group is adopting this social engineering strategy to remain competitive as end users become savvier to less sophisticated scams.
• Researchers from Kaspersky Lab have identified a series of Nigerian-based BEC attacks that hit more than 500 companies in 50 countries. The emails contained .RTF files with embedded malware. This article from Kaspersky Lab details the strategy. It remains unclear who was actually behind the attacks. You can read more about the rise of these scams (and find advice for your end users) on our blog.
• A report from Proofpoint has identified cryptocurrency users as the target of phishing attacks attempting to steal credentials that enable the scammers to withdraw funds from victims’ accounts. The phishing emails mimic Bitcoin wallet company Blockchain.com and request users’ login credentials. Coverage of the scam from SC Magazine cites Proofpoint as stating, “We have observed regular updates to phishing templates keeping them in step with design changes to the legitimate blockchain.com website.”