A phishing attack is a type of social engineering attack that uses disguised emails as the attack vector. Phishing is among the most prevalent forms of cyberattack and is frequently used to establish the initial access vector against target victims; intrusions attributed to APT groups and ransomware operators commonly start with a phishing email. The attackers masquerade as trusted entities and use legitimate-looking emails to dupe victims into opening them. When the victim clicks the malicious link or opens the attachment, the delivered component can connect to a command-and-control (C&C) server to fetch and run further payloads on the victim's system. Phishing is also used to gain a foothold in an organization's internal network by targeting its employees and then obtaining privileged access to protected data.

Figure 1: Infection Cycle of a Phishing Attack
In many cases, APT groups use malicious email attachments such as Word documents and PDF files crafted to look legitimate in order to dupe victims into opening them. The documents embed malicious scripts (such as macros) and exploits that infect the system or deliver the payload. Threat actors such as Fancy Bear (APT28), Machete and Mythic Leopard (APT36), as well as the operators of the Emotet botnet, use spear-phishing campaigns as their weapon of choice.
Cybercriminals use phishing attacks to steal user data such as login credentials, credit card details and other sensitive data by impersonating trustworthy entities such as bank employees and government officials. The compromised accounts are then used to carry out further attacks, identity theft and the infection of other systems in the same organization.
The Cyble Research team closely monitors phishing attacks captured through its honeypots. In the last three months we have seen thousands of phishing attempts originating from several geographical locations, including Sweden, Russia, China, Ukraine, Nigeria and South Korea, among others. We have also observed scammers impersonating FBI officials, philanthropists, UN officials and other legitimate-looking profiles crafted to serve malicious ends.
The screenshot below shows the daily count of phishing attacks during the last three months, as captured by one of our honeypots.

Figure 2: Phishing Attack Counts per day

Figure 3: Map of attacker sources
The following chart depicts the country-wise distribution of attackers from two of our honeypots. Cyble observed that most attacks originate from countries such as Sweden, China, the Netherlands and Russia. These counts reflect the location of the sending infrastructure, which is frequently rented or compromised, and not necessarily the location of the operators themselves.


The following is a list of the top 10 ASNs (network operators) from which phishing attacks originated, along with their respective attack counts:

The following is a list of the top 10 source IP addresses for phishing attacks, along with their respective attack counts:

Some of the common types of phishing attacks captured by honeypot sensors have been listed below.
Case 1: COVID-19 scams are phishing scams in which fraudsters take advantage of the COVID-19 pandemic and send fraudulent emails masquerading as UN or WHO officials offering funds or donations to fight the virus. To receive the funds, the scammer asks the victim to send personal information or to click on a link or attachment that can be used to steal the user's credentials or to carry out further attacks.

Case 2: Education-related scams: We have seen numerous instances of phishing attacks targeting universities and schools. In these cases, scammers use typosquatted domains to pose as the university administration. Education-related phishing scams aim to lure students into sending money or sharing personal information. In one such instance, we found scammers targeting Central Washington University, as shown in the image below.

The image below shows the warnings about phishing attacks issued on the Central Washington University website.

Case 3: Banking scams are a type of fraud in which scammers impersonate bank officials and mislead victims into believing that they have won a lottery run by that bank. Victims are then tricked into sending sensitive personal details to an email address. Scammers send these mails from typosquatted domains resembling those of the banking sector, as shown in the images below.



Case 4: Binary options scams are a type of fraud in which scammers use high-pressure sales tactics to convince individuals to invest in a trading account, claiming that the system is simple and that high profits are guaranteed. Unsuspecting individuals are directed to a website with a login, account details and a trading platform. They are encouraged to deposit some money, after which the fraudsters show a number of successful trades to persuade the victim to invest more.
Once victims invest in the scheme, they report their money disappearing quickly. When they try to withdraw, they find it impossible to get their money out of the account. The scammers try to keep the victim invested in the program, but inevitably they stop taking the victim's calls and, after a short period, it is common for these firms to disappear. We came across one such case in which the scammers sent an email from "Dr. King Moore" <info@binaryforex.org>.

Case 5: FBI scams are phishing frauds in which scammers impersonate FBI officials and inform victims that an offshore account has been opened in their name and credited with a large amount of money. To receive the amount, the scammer urges the victim to send personal information, including passwords and work documents, to an email address. In one such instance, the scammers sent the email impersonating the "FEDERAL BUREAU OF INVESTIGATION" from the address <info@fbi.gov.org>. Note that fbi.gov.org is a subdomain of gov.org, not of the FBI's real domain fbi.gov: the scammer relies on the reader seeing "fbi.gov" inside a longer, unrelated domain.


Case 6: 419 scams (advance-fee or fake-lottery scams) are a type of fraud mostly run by criminals from Nigeria and other African countries. Victims are promised a large sum of money through a lottery prize, an inheritance or some other form of money transfer. The victims never receive the non-existent fortune and are instead tricked into sending their own money to the criminals. We have observed such a fraud masquerading as an email from "Mr. David Murray" <test@comstar.ru>. The image below shows the encoded email data and its decoded contents as captured in real time.


Case 7: SAFCO International Trading Co. scam: a scammer contacts a manufacturing company and asks for its catalogue or price list. The scammers pose as business dealers and try to build a relationship with companies, which can later be used to steal data or money from the business owners. We found these attacks originating from London. In this case, the scammers sent an email from "Denver Khalid" <safcollc@outlook.com>.
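A mechanical check for the sender-address tricks seen in Cases 3, 5 and 6 above, as an added Python example (not code from the original post or from Cyble): it decodes RFC 2047 encoded headers such as the one shown in Case 6, and flags display names that claim an organization whose real domain the sender does not use, lookalike domains that embed a real one (fbi.gov.org versus fbi.gov), and Reply-To or Return-Path domains that differ from the From domain. The brand allow-list, the example.com/example.net addresses and the three sample messages are constructed for illustration and are not captured mails.

```python
"""Triage of suspected phishing e-mails, modelled on the cases above.

Decodes RFC 2047 encoded headers and flags two tell-tale signs the captured
samples share: a display name claiming an organization whose real domain does
not match the sender domain (e.g. "FEDERAL BUREAU OF INVESTIGATION"
<info@fbi.gov.org>), and Reply-To / Return-Path domains that differ from From.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed allow-list for this example: keywords that appear in display names,
# mapped to the domains the real organization actually mails from.
BRANDS = {
    "FBI": {"keywords": ("fbi", "federal bureau of investigation"), "domains": {"fbi.gov"}},
    "WHO": {"keywords": ("world health organization",), "domains": {"who.int"}},
    "UN": {"keywords": ("united nations",), "domains": {"un.org"}},
}


def domain_of(addr):
    """Lower-cased domain part of an addr-spec, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def triage(raw):
    """Return the decoded subject, the sender address and a list of findings."""
    # policy.default decodes RFC 2047 encoded words (=?UTF-8?B?...?=) transparently.
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    findings = []

    for brand, spec in BRANDS.items():
        claims_brand = any(
            re.search(rf"\b{re.escape(k)}\b", display_name, re.IGNORECASE)
            for k in spec["keywords"]
        )
        legit = from_dom in spec["domains"]
        if claims_brand and not legit:
            findings.append(f"display name claims {brand} but sender domain is {from_dom}")
        # fbi.gov.org is a subdomain of gov.org, not of fbi.gov: the real domain
        # is embedded inside a longer, unrelated one.
        if not legit and any(d in from_dom for d in spec["domains"]):
            findings.append(f"sender domain {from_dom} embeds the legitimate {brand} domain")

    # 419 and advance-fee mails are often sent via one domain but steer replies elsewhere.
    for field in ("Reply-To", "Return-Path"):
        _, other = parseaddr(str(msg.get(field, "")))
        other_dom = domain_of(other)
        if other_dom and other_dom != from_dom:
            findings.append(f"{field} domain {other_dom} differs from From domain {from_dom}")

    return {"subject": subject, "from": from_addr, "findings": findings}


# Constructed samples shaped like the cases above; not real captured messages.
SAMPLE_FBI = """\
From: "FEDERAL BUREAU OF INVESTIGATION" <info@fbi.gov.org>
Reply-To: compensation-unit@example.net
To: victim@example.com
Subject: Offshore account opened in your name

Send your passport scan and passwords to receive the funds.
"""

SAMPLE_419 = """\
Return-Path: <bounce@example.net>
From: "Mr. David Murray" <test@comstar.ru>
To: victim@example.com
Subject: =?UTF-8?B?WW91IGhhdmUgd29uIHRoZSBsb3R0ZXJ5?=

Pay the processing fee to release your prize.
"""

SAMPLE_CLEAN = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: staff@example.com
Subject: Scheduled maintenance on Saturday

No action is required.
"""

if __name__ == "__main__":
    for label, raw in (("FBI", SAMPLE_FBI), ("419", SAMPLE_419), ("clean", SAMPLE_CLEAN)):
        result = triage(raw)
        print(f"[{label}] from={result['from']!r} subject={result['subject']!r}")
        for finding in result["findings"]:
            print("   -", finding)
```

The two-string domain comparison is deliberately simple: a production version would map each domain to its registrable suffix with the Public Suffix List, check SPF/DKIM authentication results from the receiving MTA, and extend the allow-list well beyond three organizations. The point of the example is that a claimed identity in the display name, a lookalike domain and a mismatched reply path are each cheap to test on every inbound message.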


Several other instances were observed by the Cyble Research team, in which attackers used different tactics to dupe their victims. Proper network security controls should be implemented alongside web and email security in order to defend against phishing attacks. In addition, organization-wide training on identifying phishing attacks should be conducted.
Following are some essential cybersecurity best practices that form a first line of defence against attackers. We recommend that our readers follow them:
- Be cautious about all email communications you receive and never click on links in emails from unknown sources.
- Never open untrusted links or email attachments without verifying their authenticity.
- Never share personal information, including financial information, over the phone, email or SMS.
- Periodically update antivirus signatures, engines and operating system patches.
- Use strong passwords or Active Directory authentication when using file and printer sharing services.
- Grant admin permissions only to those users who need to install and run required software applications.
- Implement a strong password policy. Note that current guidance (NIST SP 800-63B) favours long, unique passwords and multi-factor authentication over forced frequent password changes, which should be reserved for cases of suspected compromise.
- Make it a habit to monitor your financial transactions, and if you notice any suspicious activity, contact your bank immediately.
- Configure host-based firewalls on systems in the enterprise network to deny unwanted connection requests, and disable services that are not required.
- Restrict access to untrusted or inappropriate websites.
- Use removable media such as USB thumb drives, external drives and CDs with caution.
- Always scan software downloaded from the Internet before executing it.
- Stay aware of the latest threats and implement appropriate Access Control Lists (ACLs).
- People concerned about their exposure on the dark web can register at AmIBreached.com to check their exposure.
About Cyble:
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrime and exposure on the dark web. Cyble's prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.