Phishing and social engineering schemes are still top concerns for cybersecurity professionals as threat actors continue to deploy them in an attempt to fool email recipients. Brand impersonation — an old but notorious social engineering tactic — is continually being used, with the Trend Micro™ Cloud App Security™ solution detecting and blocking 3.5 million attacks of this type in 2018. The sustained prevalence of brand impersonation in phishing attacks is further demonstrated in a new report by Vade Secure which listed the most impersonated brands in phishing attacks in the first quarter of 2019.
Microsoft claimed the top spot despite the 4.5% decrease in the number of Microsoft phishing URLs from the last quarter of 2018. Vade Secure attributes this to the profitability of Office 365 credentials, which give attackers a single entry point to the entire Office 365 platform as well as allow them to conduct attacks via the compromised accounts.
Over the years, threat actors have developed a variety of methods in their bid to successfully phish Office 365 credentials. Brand impersonation is one of these methods, and Cloud App Security detected countless email attacks that use it last year. In a detected sample shown below, a phishing email poses as an account termination notice from Office 365. The fake email notification informs the recipient that if the termination was an error, it can be cancelled via a linked login page. The linked page spoofs an Office 365 login screen and, if the user attempts to log in, his/her Office 365 credentials will be stolen.
Figure 1. Phishing email that impersonates Microsoft Office 365
PayPal and Netflix also top the list
Apart from Microsoft, PayPal and Netflix round out the top three most impersonated brands in phishing attacks.
PayPal took the second spot with an 88% increase in phishing URLs in the first quarter of 2019. Being the most widely used online payment service with more than 250 million active users, it’s no surprise that PayPal remains as one of the most impersonated brands.
Meanwhile, Netflix came in third, with an 11.9% increase in phishing URLs. Most phishing emails that spoof Netflix are fake notifications of user account suspension and/or declined payment. Interestingly, many Netflix-posing emails contain six or seven legitimate Netflix links, apart from one malicious URL. This technique is an attempt to confuse users and reputation-based email filters.
The use of sophisticated social engineering tactics to trick victims into giving out personal information, for example, their email account credentials, has long been employed by cybercriminals in their schemes. While it’s an old trick, users and enterprises must continue to be mindful of such schemes so they can have insights on how to stay protected from phishing attacks.
Enterprises can take advantage of Cloud App Security, a supplementary security solution that enhances existing email gateways by using advanced technologies. Cloud App Security uses artificial intelligence (AI) and computer vision technology to help detect and block phishing attacks that use brand impersonation by checking if a legitimate login page’s branded elements, login form, and other website components are being spoofed. The solution also makes use of Writing Style DNA, a technology that helps detect email impersonation tactics used in business email compromise (BEC) and similar scams by using machine learning (ML) to recognize the DNA of a user’s writing style based on past emails.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).