Several new phishing trends were evident in 2022 as cybercriminals changed their tactics for stealing credentials and distributing malware. The same tried and tested techniques were used in many phishing campaigns, including delivery failure notifications, fictitious charges to accounts, security alerts about suspicious account activity, and requests for collaboration on documents, but there have been several phishing trends in 2022 that have been gaining momentum and are likely to continue in 2023.
Phishing Attacks Soared in 2022
Data from the Anti-Phishing Working Group (APWG) shows a massive rise in phishing attacks in 2022. Q2, 2022 saw more than 1 million phishing attacks reported, more than in any other quarter to date and more than four times as many attacks that were experienced in Q1, 2020. That record was then broken again in Q3 when 1,270,883 phishing attacks were reported. One survey of 1,400 organizations found 79% had experienced an increase in phishing attacks in the past 12 months, with 92% saying at least one business account had been compromised in a phishing attack. Phishing has also become much more diverse with a wide range of lures, tactics, and techniques used in attacks.
Increase in Social Media Phishing
There has been a notable increase in the use of social media networks in phishing attacks, with LinkedIn one of the most spooked platforms. LinkedIn phishing attacks increased by more than 200% in 2022. LinkedIn phishing attacks seek credentials to the platform, which can be used for a variety of nefarious purposes. Emails are sent that use HTML templates virtually identical to the emails that LinkedIn sends, including spoofed versions of connection requests, notifications about the number of searches an individual has appeared in, and headhunting notifications.
These emails use display name spoofing to make the recipient believe the emails have been sent from LinkedIn when they have actually been sent from webmail addresses. These emails direct users to a spoofed LinkedIn site and prompt users to disclose their credentials. The increase in attacks is not surprising due to the Great Resignation, with so many individuals relying on LinkedIn for finding new employment opportunities. According to Bulletproof, LinkedIn-related phishing emails were the most commonly clicked in 2022.
Recently, a campaign was detected that used Facebook posts with phishing links, with the link to the post included in phishing emails. This method was used to bypass email security solutions, which consider Facebook.com URLs to be benign. The links in the Facebook posts direct users through a series of redirects to a phishing page where credentials are stolen. Social media posts are also used to phish for personal information that can then be used to craft convincing spear phishing emails.
Callback and Hybrid Phishing Attacks Increase
One phishing trend observed in 2022 was an increase in hybrid phishing, where more than one vector is used in the attack. This is typified by callback phishing, where a benign email is sent that contains a phone number to call to resolve an urgent issue. This method of phishing allows cyber actors to bypass email security solutions. In these attacks the phishing takes place over the telephone, with the initial contact made via email. Agari reports a 625% increase in hybrid phishing attacks, with one in four phishing attempts in the summer of 2022 involving hybrid phishing. One of the most common hybrid phishing scams notifies users about a pending charge to an account that requires a call to cancel.
Phishing Used for Delivering Ransomware
Phishing is used to gain initial access to business networks, often installing a malware dropper that is used to deliver the ransomware payload. Botnets such as Emotet are extensively used by ransomware gangs, who pay for the access that the botnets provide, with the QakBot operators similarly working with ransomware gangs. Both of these malware droppers are delivered via phishing emails. It is difficult to obtain accurate statistics on the extent to which ransomware attacks are enabled by phishing, with estimates suggesting at least half of ransomware attacks start with a phishing email, and some suggesting as many as 90% of attacks have their roots in phishing.
Phishing Attacks That Bypass Multifactor Authentication
One worrying phishing trend in 2022 was the increase in phishing attacks that bypass multifactor authentication. Phishing often has the aim of stealing credentials, but if multifactor authentication is enabled, those credentials will not grant access to accounts. With more businesses adopting MFA it has become harder for phishing attacks to succeed.
Several phishing kits are now being used that allow multi-factor authentication to be bypassed by intercepting MFA codes or stealing session cookies, in what is referred to as an attacker-in-the-middle attack. The solution is to implement phishing-resistant MFA and this is likely to be increasingly important in 2023 as more phishing campaigns are conducted that bypass weaker forms of MFA.
Work From Home Employees Increasingly Targeted
The pandemic forced many employees to work from home but as restrictions eased, many businesses continued to allow employees to work from home for at least some of the working week. During the pandemic, phishing attacks on at-home workers increased and they continue to be conducted in high numbers. One of the reasons why these attacks are conducted is because they have a higher success rate, as many businesses still lack the security infrastructure to effectively block these threats compared to when employees were office based. Further, there can be more distractions in the home, which means employees are more likely to make mistakes.
Speak with TitanHQ about Improving your Phishing Defenses
TitanHQ understands that in order to combat increasingly sophisticated phishing attacks, businesses need to implement layered defenses. TitanHQ has developed several cybersecurity solutions that tackle the threat of phishing from different angles and combined allow businesses to mount a highly effective defense against attacks. To find out more about how these solutions can work for your business, give the TitanHQ team a call today.
Phishing is one of the main ways that malicious actors distribute and install malware. Phishing emails are sent to users with attachments containing malicious code or hyperlinks are included in the emails that direct users to a website where malware is downloaded. Businesses should ensure they implement layered defenses to combat phishing, which should include an advanced spam filter such as SpamTitan, multifactor authentication for email accounts, security awareness training for employees to teach them how to recognize and avoid phishing emails, and a web filter for blocking access to the malicious websites where the malware is hosted.
A web filter also provides protection against another common attack vector – The use of search engine advertisements for driving traffic to malicious websites. This attack vector is commonly referred to as malvertising, and it is currently being used by threat actors to distribute ransomware and for stealing login credentials for cryptocurrency exchanges and financial accounts. The Federal Bureau of Investigation (FBI) has recently issued a warning about the use of malicious search engine advertisements due to the increase in the use of this attack vector this year.
One of the main problems for threat actors looking to drive traffic to their websites through search engines is getting their websites to rank sufficiently high in the search engine listings to attract enough visitors. Using search engine advertisements gets around this problem. Threat actors pay for search engine advertisements that appear at the top of the search results for specific search terms. The adverts they use mimic legitimate businesses and offer services related to a specific search term, with the adverts containing a link to the threat actor’s website. These adverts are difficult to distinguish from the actual search results.
The web pages linked in the adverts impersonate businesses and often host phishing kits for harvesting credentials. Financial institutions are impersonated to obtain credentials to access online accounts; however, most commonly, these phishing scams impersonate cryptocurrency exchange platforms. Malicious adverts are also used to direct traffic to websites hosting malware. The adverts used to deliver malware usually offer downloads of business software. The advertised software looks legitimate, and in some cases, a legitimate program will be installed, but malware is also bundled with the installer that gives the attacker access to the user’s device. Since the user gets the software they are looking for, they are unaware that their device has been compromised. One recently identified campaign impersonated the GIMP image editor and was used to deliver the Vidar information stealer. Other campaigns have been used to distribute ransomware, often via another malware variant with dropper capabilities.
A web filter – such as WebTitan – helps businesses to protect against these malicious adverts by providing time-of-click protection. When a user clicks a link in a search engine advert, the URL is checked against a constantly updated blacklist of malicious URLs. If the URL is known to be malicious, the attempt to connect to the URL will be blocked and the user will instead be directed to a local block page. If the URL is not in the blacklist and has not previously been assessed, it will be assessed in real-time. Businesses can also use a web filter to block access to certain categories of websites, such as those offering software, and the web filter can be configured to block downloads of certain file types such as executable files. This also helps businesses to block shadow IT – Software downloaded by employees that has not been authorized by the IT department.
Malicious adverts should be covered in security awareness training. Users should be told about the dangers of clicking adverts and instructed to carefully check URLs for any typos or transposed letters before clicking. It is important to stress that the URL listed in the advert may appear to be a legitimate URL, with the threat actor using redirects to send a user to their malicious URL. Employees should therefore be encouraged never to click adverts in search engines, and to instead either type the website of the company they are looking for in the address bar of their browser or find the legitimate website of that company in the organic search engine listings. Businesses should also consider using an ad-blocker to prevent advertisements from being displayed.
A new malware variant dubbed RisePro has been detected which is being distributed via websites offering fake software cracks. Software cracks, product activators, and keygens are used for activating software without paying the software developer for the license. Software can be expensive, so these tools have proven popular, and many of these tools are available free of charge; however, these executable files have long been used to install malware and adware.
RisePro malware is a previously unseen malware variant that was first detected in December 2022. RisePro is an information stealer that will steal passwords, credit card details, and cryptocurrency wallets from infected devices and the malware has already been installed on many devices, with the data stolen by the malware already being sold on Russian dark web sites, according to Flashpoint.
RisePro malware is being distributed via the PrivateLoader pay-per-install malware distribution service, which has been in operation since early 2021. The operators of PrivateLoader have a network of websites that offer cracked software, with PrivateLoader offering its clients the ability to install malware on devices in specific countries, environments, or those with certain software installed. PrivateLoader is delivered through software cracks and will deliver the malware of choice on a pay-per-install basis. An analysis of RisePro malware revealed considerable code similarities with PrivateLoader, which suggests the two may be operated by the same threat actor or a developer of PrivateLoader has broken away and has set up a rival malware loader service.
When RisePro malware is installed on an infected device it fingerprints the infected system and sends stolen data via a ZIP archive to the attacker’s command and control server. The malware will steal data from all popular web browsers, common browser extensions, and software such as Discord and Authy Desktop. The malware will also steal cryptocurrency assets from a wide range of wallets. RisePro malware can also scan filesystem folders and will exfiltrate data of interest, such as receipts that include credit card numbers.
Cracks and product activators commonly include malware or adware, and clean product activators are now very difficult to find, so any individual attempting to download and activate pirated software is taking a big risk. If pirated software is installed on a work device, that risk is greater still. A malware infection on one device can easily spread across the network and cause considerable damage. Malware infections from unlicensed/pirated software have been estimated to cost businesses close to $359 billion a year, according to the BSA Global Software Survey. Businesses should therefore take steps to reduce the risk by implementing safeguards to stop employees from accessing the sites that offer pirated software, blocking downloads, and preventing software installers from being run.
One of the easiest ways to protect against malware infections and lawsuits stemming from the use of illegal software is to block the sites used to distribute fake/pirated software with a web filter. WebTitan Cloud is a 100% cloud-delivered DNS-based web filtering service that is easy for businesses to set up and use to control access to the Internet. Users can block access to peer-to-peer file-sharing networks where pirated software is commonly downloaded and the warez sites that distribute software cracks. It is also possible to block downloads of certain file types from the internet, such as executable files. As an additional control, businesses should consider locking down all workstations to prevent non-admin users from running executable files.
For more information on web filtering and the WebTitan Cloud solution, give the TitanHQ team a call. WebTitan Cloud is available on a free trial to allow businesses to discover for themselves how effective the solution is at controlling access to the internet and how easy it is to use. WebTitan Cloud for Wi-Fi is also available for operators of Wi-Fi hotspots for controlling what users can do while connected.