I wrote recently on the biggest hole in security – us. While sophisticated hacks on hardware and software make for good technology reading, fooling users into opening the front door remains one of the easiest and lowest cost ways for evil-doers to break into our systems. And one of the more popular ways to fool us is phishing in all its various guises – dangling a tempting email or link encouraging us to click through to the next level.
An outfit called PhishLabs has published quite detailed surveys for the past few years. The most recent covers both consumer-targeted phishing and business/organization-targeted spear-phishing; I’ll just look at some of the consumer-related highlights (lowlights?) here.
One style of phishing is email-based, often asserting that you need to update account information to keep an account current or avoid a penalty. These have historically been fairly unsophisticated, often looking a little too clumsy and threatening to be taken seriously, but some more recent attempts are much more difficult to spot. A recent phish posing as a mail from American Express is so well crafted that all the contents look reasonable, checking the real mail address doesn’t help and the only indication that this is a phish is a single-letter spelling change in one link.
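The single-letter link change described above is something a mail filter can check for mechanically. The following is an added example (not the post's own code and not a PhishLabs product): it pulls the links out of an HTML message body, reduces each link host to its registered domain, and flags any domain that is one edit away from a brand domain on an assumed trusted list, or whose visible link text names a trusted host while the href points somewhere else. The trusted list and the sample message are constructed for illustration.

```python
"""Flag links whose host is a near-miss of a trusted brand domain.

Added example for this post; not PhishLabs code. The trusted-domain list
and SAMPLE_EMAIL below are constructed for illustration.
"""

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of brand domains the recipient legitimately uses.
TRUSTED_DOMAINS = {"americanexpress.com", "example-bank.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Crude 'last two labels' approximation. A real deployment would use the
    Public Suffix List so that names under e.g. co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_host(host: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a link host."""
    dom = registered_domain(host)
    if dom in trusted:
        return "trusted"
    # One edit away from a trusted brand: the single-letter change case.
    if any(levenshtein(dom, t) == 1 for t in trusted):
        return "lookalike"
    return "unknown"


def find_suspicious_links(html: str, trusted=TRUSTED_DOMAINS):
    """Return [(href, verdict)] for every link not on a trusted domain."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        verdict = classify_host(host, trusted)
        # Visible text that shows a trusted URL while the href goes elsewhere.
        shown = re.search(r"https?://([^/\s]+)", text)
        if verdict != "trusted" and shown and classify_host(shown.group(1), trusted) == "trusted":
            verdict = "text-href-mismatch"
        if verdict != "trusted":
            findings.append((href, verdict))
    return findings


# Constructed sample message: one genuine link, one single-letter lookalike,
# one link whose text and href disagree, and one unrelated host.
SAMPLE_EMAIL = """<p>Your statement is ready.</p>
<a href="https://www.americanexpress.com/statements">View statement</a>
<a href="https://www.amerlcanexpress.com/login">Confirm your account</a>
<a href="https://americanexpres.com/verify">https://www.americanexpress.com/verify</a>
<a href="https://cdn.example.org/logo.png">logo</a>"""

if __name__ == "__main__":
    for href, verdict in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{verdict:20s} {href}")
```

An edit distance of one catches the case the post describes (a dropped, added or swapped letter) but not every homoglyph trick; "rn" standing in for "m" is two edits away, so a production filter would add a confusable-character table on top of this check.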
Industries targeted for consumer-based phishing shouldn’t be a surprise. The most common are:
- Financial services at 33%, in which I would expect credit card targets dominate
- Cloud storage and file hosting comes in at 20%. Attacks here grew over 150% in 2015 and are apparently targeted primarily to collect usernames and passwords
- Webmail and online services at 18%
- Ecommerce at 12%. Indications are that activity through Alibaba contributes significantly to this rate
- Payment services at 10%. This originally attracted over a quarter of attacks but has dropped significantly as a target, for unexplored reasons.
The most rapidly growing among these targets are cloud storage and file hosting and webmail and online services.
A depressing result from the survey is that 77% of attacks worldwide are directed at US consumers, which maybe says something about our wealth, or our gullibility, or possibly both. China is the next closest target at a paltry 5%, again attributed at least in part (per the survey) to growth in Alibaba transactions. Attack rates in both the US and China are growing, though the US so dominates the percentage that this must be nearing saturation. Curiously the UK and Germany have seen a decrease in this area.
Lest you think that blocking everything but .com sites will save you, the majority of phishing sites are hosted on legitimate but compromised domains. However, outside these common domains one observation they make is that while known problem top-level domains had been handled by browser blacklists and whitelists, this approach may become difficult to maintain as ICANN has opened up more free-form naming for top-level domains. At least for the present this point may be moot as bad actors seem to prefer working with the (relative) trust we already have in .com, .org and .net domains.
PhishLabs also describe some of the ecosystem for phishing malware. As in other types of malware, the majority of users of phishing kits are not sophisticated enough to build these themselves so acquire them in Dark Web marketplaces. Kits are pretty cheap but, as in legitimate markets, users prefer freeware. Now there is a growing trend for kit developers to distribute their kits free, but with unadvertised backdoors. This way the developer can collect whatever the malware user collects, for direct use or for sale.
Phishing is in one sense the last frontier in security. Not in the sense that we are anywhere close to conquering hacks – we’ll never get there. I mean more in the sense of the weakness that is exploited – us, the consumers. To me that makes it a very interesting area, because zero-day defenses depend on an understanding of psychology and culture (what works in the US might not work in China, or vice-versa) as much as they do on technology. PhishLabs themselves have products and services to detect and shut down phishing sites. I have also seen work on discovery in this area based on Deep Learning techniques. This should be an area ripe for innovation.
You can read the full PhishLabs survey HERE.