The volume of phishing attacks targeting the financial industry nearly doubled in the second quarter of this year and is the largest quarterly volume Charleston, S.C. firm PhishLabs has ever observed
In its Q2 2017 Phishing Trends and Intelligence Report PhishLabs observed a threat landscape that is thriving and volatile as cybercriminals pivot and exploit different targets.
The report recorded a 41% increase in overall phishing volume with more than 210,100 confirmed malicious phishing sites hosted on more than 61,000 unique domains. These attacks targeted 701 brands from 398 parent institutions, a slight increase from the first quarter of 2017, where phishing attacks targeted 664 brands from 388 institutions.
Nearly 88% of attacks in the second quarter targeted five industries: financial institutions, webmail/online services, payment services, cloud storage/file hosting services, and e-commerce companies.
For the second quarter in a row, phishing attacks targeting the financial industry grew to the largest quarterly volume previously observed. Compared to the second quarter of 2016, which had also seen historically high phishing volume, the frequency of phishing attacks targeting financial services was 46% higher.
“The boom in financial phishing attacks this quarter can be primarily attributed to a significant surge in attacks targeting two global financial institutions, which comprised 52% of all volume within the financial industry,” the report revealed.
The anomalous number of attacks targeting these two financial institutions were the result of multiple shared virtual server attacks, which target vulnerable compromised web servers. By compromising a web server, a phisher has access to all hosts on that server. Using automated tools, hackers infiltrating every domain residing on each host phishing can add content. This allows phishers to increase their attack vector from one domain to potentially hundreds.
PhishLabs observed this tactic targeting financial institutions many times in Q2. Several examples: 700 attacks resulted from a single compromised Virgin Islands hosting provider’s web server; nearly 500 attacks took place from a hacked Texas-based hosting provider’s webserver; and more than 600 attacks started with an intrusion into an Illinois-based hosting provider’s web server.
Just 14 compromised web servers triggered more than 4,600 attacks in the second quarter. In Q2, PhishLabs observed at least 57 compromised web servers targeting the financial services industry.
Following trends observed in Q1 2017, phishing attacks also targeting social networking sites and software-as-a-service companies continued to rise.
“Phishing threats continue to evolve tactically as cybercriminals adopt new techniques that make their scams more convincing,” the report said. Attacks targeting SaaS and social networking sites continue to grow at rates well above average while attacks targeting cloud storage providers have steadily declined from their peak a year ago.
The percentage of phishing attacks hosted using SSL certificates, which said PhishLabs help create a false sense of legitimacy, continues to rise as does a technique called URL padding, used to obscure phishing domains when viewed in mobile browsers. Additionally, cybercriminals are increasingly registering domains using new country code top-level domains, such as .VE (Venezuela), which increased 467% quarter over quarter. Meanwhile the once popular RU (Russia) country code top-level domain (or ccTLD) declined, likely due to the raised suspicion.
Other findings:
- The volume of attacks targeting SaaS platforms increased 104% quarter-over-quarter, doubling the total volume of SaaS platform attacks observed in all of 2016.
- The volume of attacks targeting social networking sites increased 70% quarter-over-quarter, exceeding the total volume of social networking attacks observed in all of 2016.
- Phishing attacks targeting cloud storage providers continued to decline in Q2, signaling a clear shift in targets by phishers.
- The usage of “Secure” phishing sites hosted using SSL certificates is becoming more and more common, growing from just 1% to 13% of overall phishing volume in the last year.
- Padding URLs with hyphens to obscure phishing domains in mobile browsers is an emerging tactic that is growing quickly in popularity.
