Phishing Attack Trends Captured by Cyble Honeypots

A phishing attack is a social engineering attack that uses disguised emails as its delivery vector. Phishing is the most prevalent form of cyberattack and is commonly used to establish initial access on a target; intrusions attributed to APT groups and ransomware operators usually begin with a phishing email. The attackers masquerade as trusted entities and use legitimate-looking emails to lure victims into opening them. Once the victim clicks the malicious link or opens the attachment, the resulting code can connect to a command-and-control (C&C) server and deliver further payloads to the victim's system. Phishing is also used to gain a foothold in an organization's internal network by targeting its employees and, from there, obtaining privileged access to protected data.

Figure 1: Infection Cycle of a Phishing Attack 

In many cases, APT groups use malicious email attachments such as Word documents and PDF files crafted to look legitimate so that victims open them. The documents embed malicious scripts and exploits that infect the system or deliver the payload. Threat actors such as Fancy Bear (APT28), Machete, and Mythic Leopard (APT36), as well as the Emotet malware operation, use spear-phishing campaigns as their weapon of choice.

Cybercriminals also use phishing to steal user data such as login credentials, credit card details, and other sensitive information by impersonating trustworthy parties such as bank or government employees. The compromised accounts are then used for further cybercrime, identity theft, and attacks on other systems in the same organization.

The Cyble Research team closely monitors phishing attacks captured through its Honeypots. In the last three months, we have seen thousands of phishing attempts originating from several geographical locations, including Sweden, Russia, China, Ukraine, Nigeria, and South Korea, among others. We have also observed scammers impersonating FBI officials, philanthropists, UN officials, and other legitimate-looking profiles crafted to serve malicious ends.

The screenshot below shows the daily count of phishing attacks over the last three months, as captured by one of our Honeypots.

Figure 2: Phishing Attack Counts per day 

Figure 3: Map of attacker sources 

The following chart depicts the country-wise distribution of attackers across two of our honeypots. Cyble observed that most attacks originate from countries such as Sweden, China, the Netherlands, and Russia.

The following is a list of the top 10 ASN (network operators) from where phishing attacks are originating, along with their respective attack counts: 

The following is a list of the top 10 source IP addresses for phishing attacks, along with their respective attack counts: 
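The per-day counts and the top-10 ASN and source-IP tables above are aggregations over the honeypot's sighting log. The following Python is an added example of how such a report is produced; it is not Cyble's pipeline. The pipe-delimited record format and the records themselves are constructed for illustration (IPs from the RFC 5737 documentation ranges, ASNs from the private 64512-65534 range), and it goes one step beyond the page's tables by also listing senders that recur across days.

```python
"""Turn raw honeypot sightings into per-day counts, top-N source tables and a
persistent-sender list.  Added example, not Cyble's pipeline; the record
format and the records below are constructed for illustration."""
from __future__ import annotations

from collections import Counter, defaultdict

# Constructed honeypot records, one per captured phishing email:
# timestamp | source IP | source ASN | source country | subject
SAMPLE_LOG = """\
2021-03-01T08:12:44Z|203.0.113.7|AS64512|SE|UN COVID-19 relief grant
2021-03-01T09:40:02Z|198.51.100.23|AS64513|RU|Your offshore account
2021-03-01T11:05:19Z|203.0.113.7|AS64512|SE|Re: price list request
2021-03-02T02:33:51Z|192.0.2.88|AS64514|CN|University fee refund
2021-03-02T04:17:08Z|203.0.113.7|AS64512|SE|Lottery winner notification
2021-03-02T13:59:30Z|198.51.100.23|AS64513|RU|Binary options: guaranteed profit
2021-03-03T07:21:15Z|203.0.113.42|AS64512|SE|Account verification
this line is malformed and must be skipped rather than crash the report
2021-03-03T16:48:40Z|192.0.2.88|AS64514|CN|Catalogue request
"""


def parse_log(text: str) -> list[dict]:
    """Parse pipe-delimited records; malformed lines are dropped, not fatal."""
    records = []
    for line in text.splitlines():
        fields = line.split("|", 4)
        if len(fields) != 5 or len(fields[0]) < 10:
            # Honeypot logs are attacker-influenced input: never trust a line blindly.
            continue
        ts, ip, asn, cc, subject = fields
        records.append({"day": ts[:10], "ip": ip, "asn": asn, "cc": cc, "subject": subject})
    return records


def daily_counts(records: list[dict]) -> dict[str, int]:
    """Attacks per calendar day, in date order (the data behind a per-day chart)."""
    return dict(sorted(Counter(r["day"] for r in records).items()))


def top_sources(records: list[dict], field: str, n: int = 10) -> list[tuple[str, int]]:
    """Top-N values of a field (ip, asn or cc) with their attack counts."""
    return Counter(r[field] for r in records).most_common(n)


def persistent_sources(records: list[dict], min_days: int = 2) -> list[str]:
    """Source IPs seen on at least min_days distinct days: recurring senders,
    which are the ones worth feeding to a blocklist, as opposed to one-off hits."""
    days_by_ip: dict[str, set[str]] = defaultdict(set)
    for r in records:
        days_by_ip[r["ip"]].add(r["day"])
    return sorted(ip for ip, days in days_by_ip.items() if len(days) >= min_days)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per day:   ", daily_counts(recs))
    print("top ASN:   ", top_sources(recs, "asn", 3))
    print("top IP:    ", top_sources(recs, "ip", 3))
    print("persistent:", persistent_sources(recs))
```

The parser deliberately skips malformed lines instead of raising, because a honeypot's input is shaped by the attacker and a single odd record should not take down the reporting job; `persistent_sources()` is the subset of the top-IP table that justifies a firewall or blocklist entry rather than a one-day spike.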

Some of the common types of phishing attacks captured by honeypot sensors have been listed below.  

Case 1: COVID-19 scams are phishing scams in which fraudsters exploit the pandemic and send fraudulent emails masquerading as UN or WHO officials offering funds or donations to fight the virus. To "receive" the funds, the victim is asked to send personal information or to click a link or attachment that is then used to steal credentials or deliver malware.

Case 2: Education-related scams. We have seen numerous phishing attacks targeting universities and schools. Scammers register typosquatting domains and present themselves as university administration. These scams aim to lure students into sending money or sharing personal information. In one such instance, we found scammers targeting Central Washington University, as shown in the image below.

The image below shows the phishing warnings issued on the Central Washington University website.

Case 3: Banking scams are a type of fraud in which scammers impersonate bank officials and mislead victims into believing they have won a lottery run by that bank, then trick them into sending sensitive personal details to an email address. The mails are sent from typosquatting domains resembling banking-sector names, as shown in the images below.

Case 4: Binary options scams use high-pressure sales tactics to convince individuals to invest in a trading account, claiming that the system is simple and that high profits are guaranteed. Unsuspecting individuals are directed to a website with a login, account details, and a trading platform. The victim is encouraged to deposit some money, after which the fraudsters show a series of "successful" trades to persuade the victim to invest more.

Once victims invest in the scheme, their money quickly disappears. When they try to withdraw, they find it impossible to get funds out of the account. The scammers try to keep the victim invested, but inevitably stop taking the victim's calls, and after a short period the firm commonly disappears. We came across one such case where scammers sent an email from "Dr. King Moore" <info@binaryforex.org>.

Case 5: FBI scams are phishing fraud in which scammers impersonate FBI officials and inform victims that an offshore account has been opened in their name and credited with a large sum of money. To receive the amount, the victim is asked to send personal information, including passwords and work documents, to an email address. In one such instance, the scammers sent the email impersonating the "FEDERAL BUREAU OF INVESTIGATION" from the address <info@fbi.gov.org>. Note that the registered domain here is gov.org, not the genuine fbi.gov: the real name is kept as a prefix so that a hurried reader sees what they expect.

Case 6: 419 scams (advance fee / fake lottery scams) are a type of fraud largely run by criminals in Nigeria and other African countries. Victims are promised a large sum of money through a lottery prize, an inheritance, or some other money transfer. The non-existent fortune never arrives; instead the victims are tricked into sending their own money to the criminals. We have observed such a fraud masquerading as an email from "Mr. David Murray" <test@comstar.ru>. The image below highlights the encoded email data and its actual decoded contents, captured in real time.

Case 7: SAFCO International Trading Co. scam, in which a scammer contacts a manufacturing company and asks for its catalogue or price list. The scammers pose as a business dealer and try to build a relationship with the company that can later be used to steal data or money from the business owners. We found these attacks originating from London; in this case the scammers sent the email from "Denver Khalid" <safcollc@outlook.com>.
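Cases 2, 3, 5 and 6 share two mechanics: the sender domain imitates a legitimate one (a typosquat, or a real name kept as a prefix of a different registered domain, as in fbi.gov.org), and the body is often transfer-encoded, so the honeypot record has to be decoded before the lure is readable. The Python below is an added example, not Cyble's code: it decodes a constructed capture modelled on the FBI scam with the standard library's email module and classifies the sender domain against an assumed list of genuine domains. The raw message, the trusted-domain list and the edit-distance threshold are all assumptions for illustration.

```python
"""Decode a captured phishing email and flag sender-domain impersonation.

Added example, not Cyble's code.  The raw message, the trusted-domain list
and the edit-distance threshold are constructed for illustration."""
import base64
import email
from email import policy
from email.utils import parseaddr

# Constructed capture modelled on the FBI scam: base64-encoded body (the
# "encoded email data" a honeypot records) sent from a lookalike of fbi.gov.
_BODY_B64 = base64.b64encode(
    b"An offshore account has been opened in your name and credited with "
    b"USD 4,500,000. Reply with your passwords and work documents to claim it."
).decode("ascii")
RAW_EMAIL = (
    "From: FEDERAL BUREAU OF INVESTIGATION <info@fbi.gov.org>\r\n"
    "To: victim@example.com\r\n"
    "Subject: Your offshore account\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n" + _BODY_B64 + "\r\n"
).encode("ascii")

# Domains the impersonated organisations really use (assumed list for the example).
TRUSTED_DOMAINS = ("fbi.gov", "who.int", "un.org", "cwu.edu")


def decode_body(raw: bytes) -> str:
    """Return the decoded text/plain body, undoing base64/quoted-printable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def sender_domain(raw: bytes) -> str:
    """Domain of the From: address.  The display name is ignored: it is free
    text under the attacker's control."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(msg["From"])
    return addr.rpartition("@")[2].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as cvvu.edu for cwu.edu."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Label a sender domain as trusted, a lookalike of a trusted domain, or unknown."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    for t in sorted(trusted):
        # fbi.gov.org: the genuine name kept as a prefix under another registered domain
        if domain.startswith(t + "."):
            return f"lookalike-prefix of {t}"
        # fbi-gov.org, fbigov.com: the genuine name with its dots removed or replaced
        if t.replace(".", "") in domain.replace(".", "").replace("-", ""):
            return f"lookalike-embed of {t}"
        # cvvu.edu: within a few edits of the genuine name
        if levenshtein(domain, t) <= max_edits:
            return f"typosquat of {t}"
    return "unknown"


if __name__ == "__main__":
    print("sender domain:", sender_domain(RAW_EMAIL))
    print("verdict:      ", classify_domain(sender_domain(RAW_EMAIL)))
    print("decoded body: ", decode_body(RAW_EMAIL))
```

The display name is deliberately never consulted, which is exactly why "FEDERAL BUREAU OF INVESTIGATION" can appear there unchallenged. The edit-distance check is a heuristic: with very short trusted names such as un.org, a threshold of 2 will also match unrelated domains, so tune `max_edits` per trusted name or pair the check with an allowlist before using it to block mail.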

The Cyble Research team observed several other instances in which attackers used different tactics to dupe their victims. Defending against phishing requires network security controls together with web and email security, and organization-wide training on recognizing phishing attempts.

The following essential cybersecurity best practices form the first line of control against attackers. We recommend that readers follow them:

  • Be cautious about all email communications you receive and never click on email links from unknown sources.
  • Never open untrusted links or email attachments without verifying their authenticity.
  • Never share personal information, including financial information, over the phone, email, or SMS.
  • Periodically update antivirus signatures, engines, and operating system patches.
  • Use strong passwords or Active Directory authentication for File and Printer Sharing services.
  • Grant admin permissions only to users who need to install and run required software applications.
  • Implement a strong password policy that requires unique passwords and a prompt change of any password that may have been exposed.
  • Keep a watch on your financial transactions, and if you notice any suspicious activity, contact your bank immediately.
  • Configure host firewalls on enterprise endpoints to deny unwanted connection requests, and disable services that are not required.
  • Restrict access to known-malicious or unapproved websites.
  • Use removable media such as USB thumb drives, external drives, and CDs with caution.
  • Scan software downloaded from the Internet before executing it.
  • Stay aware of the latest threats and implement appropriate Access Control Lists (ACLs).
  • People concerned about their exposure on the Dark web can register at AmIBreached.com to ascertain their exposure.

About Cyble:

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble's prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
