Phishing Attack Trends Captured by Cyble Honeypots

A phishing attack is a type of social engineering attack that uses disguised emails as the attack vector. Phishing attacks are the most prevalent types of cyberattacks and are often used to establish the initial infection vector on target victims. Cybercrime attacks associated with APT groups and ransomware usually start with phishing attacks. The attackers masquerade as trusted entities and use legitimate-looking emails to dupe victims into opening them. Upon clicking the malicious link, it can further connect with a C&C server to deliver malicious payloads on the victim’s system. Phishing attacks are also used to gain persistence into an organization’s internal network by targeting its employees and obtaining privileged access to the secured data. 

Figure 1: Infection Cycle of a Phishing Attack 

In many cases, APT Groups use malicious email attachments like word documents and PDF files that are crafted to look legitimate in order to dupe victims into opening them. The documents are embedded with malicious scripts and exploits to further infect or deliver the payload on the victim system. Some APT Groups such as Fancy Bear (APT 28), Machete, Mythic Leopard (APT36) & Emotet use spear phishing campaigns as their weapon of choice.  

Cybercriminals use phishing attacks to steal user data such as login credentials, Credit Card details, and other sensitive data by impersonating trustworthy entities like bank employees and government employees. Additionally, the infected accounts are used for carrying out other cybercrime attacks, identity theft, and infecting other systems in the same organization. 

The Cyble Research team closely monitors phishing attacks captured through its Honeypots. In the last three months, we have seen thousands of phishing attempts originating from several geographical locations, including Sweden, Russia, China, Ukraine, Nigeria, and South Korea, among others. We have also observed scammers impersonating as FBI officials, philanthropists, UN officials, and other legitimate-looking profiles crafted to serve malicious ends.  

The screenshot below showcases the daily count of phishing attacks during the last three months, as captured by one of our Honeypots.  

Figure 2: Phishing Attack Counts per day 

Figure 3: Map of attacker sources 

The following chart depicts the country-wise distribution of the attackers from two of our honeypots. Cyble observed that most attacks are from countries like Sweden, China, the Netherlands, and Russia. 

The following is a list of the top 10 ASN (network operators) from where phishing attacks are originating, along with their respective attack counts: 

The following is a list of the top 10 source IP addresses for phishing attacks, along with their respective attack counts: 

Some of the common types of phishing attacks captured by honeypot sensors have been listed below.  

Case 1: Covid-19 Scams comprise a type of phishing scam in which fraudsters take advantage of COVID-19 and send fraudulent emails masquerading themselves as UN or WHO officials offering funds or donations to fight the virus. In order to receive funds, the scammer asks the victim to send his/her personal information or click on a link/attachment that can be used to steal the user’s credentials or to carry out cyberattacks. 

Case 2: Education–related scams– We have seen numerous instances of phishing attacks targeting universities and schools. In this case, scammers use typosquatting domains representing themselves as university administration. Education-related phishing scams are directed at luring students into sending money or sharing personal information. In one such instance, we found scammers targeting the Central Washington University, as shown in the image below. 

The image below showcases the warnings issued on the Central Washington University website related to phishing attacks. 

Case 3: Banking Scam is a type of fraud in which scammers impersonate as bank officials and mislead victims into believing that they have won a lottery from that bank. This is followed by tricking victims into sending sensitive personal details to an email address. Scammers send mails from typosquatting domains related to the banking sector, as showcased in the images below. 

Case 4: Binary Options Scam is a type of fraud in which scammers use high-pressure sales tactics to convince individuals to invest in a trading account, making claims that the system is simple and high profits are guaranteed. Unsuspecting individuals are then directed to a website with a login, account details, and the trading platform. They encourage the victim to put some money into the account, after which the fraudsters demonstrate a number of successful trades to convince and encourage the victim to invest more.  

Once victims fall prey and invest in the scheme, they are seen to report their money disappearing quickly. When they try to withdraw from the scheme, they find it impossible to get their money out of the account. Scammers try to keep the victim invested in the program, but inevitably they stop taking the victim’s calls and, after a short period, it is common for these firms to disappear. We came across one such case where scammers sent an email from “Dr. King Moore <info@binaryforex.org>”  

     Case 5: FBI Scam is a type of phishing fraud in which scammers impersonate as FBI official and inform victims that an offshore account has been opened in their name and credited with a large amount of money. In order to receive the amount, the scammer encourages the victim to send personal information, including passwords and work documents, to an email address.  In one such instance, the scammers are seen to have sent the email impersonatin as the “FEDERAL BUREAU OF INVESTIGATION” with the email address of <info@fbi.gov.org>.   

 Case 6: 419 Scam – Advance Fee / Fake Lottery Scam is a type of fraud mostly dominated by criminals from Nigeria and other African countries. Scam victims are promised a large amount of money through a lottery prize inheritance or some other digital money transfer form. However, victims never receive the non-existent fortune and are instead tricked into sending their money to criminals. We have observed such a fraud which masquerades as an email from “Mr. David Murray” <test@comstar.ru>. The image below highlights the encoded email data and its actual contents captured in real-time.   

Case 7: SAFCO International Trading Co. Scam where a scammer contacts a manufacturing company and asks for their catalogue/price list. The scammers impersonate as a business dealer and try to build a relationship with companies which can be later used to steal data or money from business owners. We found attacks originating from London. In this case, scammers have sent an email from “Denver Khalid” <safcollc@outlook.com>. 

Several other instances were observed by the Cyble Research team, wherein we discovered that attackers are using different tactics to dupe their victims. Proper network security technologies should be implemented along with web and email security in order to defend against phishing attacks. In addition, organizational-level trainings should be conducted on identifying phishing attacks. 

Following are some of the essential cybersecurity best practices that help create the first line of control against attackers. We recommend our readers to follow the best practices suggested below:  

• Be cautious about all email communications you receive and never click on email links from unknown sources. 

• Never open untrusted links and email attachments without verifying their authenticity. 
• Never share your personal information, including financial information, over the phone, email, or SMSes.    
• Periodically update antivirus signatures, engines, and operating system patches.  
• Use strong passwords or Active Directory authentication while using File and Printer sharing services.  
• Allow admin permissions to only those users who need to install and run required software applications. 
• Implement a strong password policy that requires frequent password changes.  
• Make it a habit to keep a watch on your financial transactions, and if you notice any suspicious activity, contact your bank immediately.     
• Configure a personal firewall on the enterprise network to deny unwanted connection requests and deactivate services that are not required.  
• Restrict access to unfavorable websites.  
• Use removable media such as USB thumb drives, external drives, and CDs with caution.  
• Always download and scan software from the Internet before executing.  
• Stay aware of the latest threats and implement appropriate Access Control Lists (ACLs).  
• People concerned about their exposure on the Dark web can register at  AmIBreached.com to ascertain their exposure.    

About Cyble: 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.