F5 Labs has launched its third annual Phishing and Fraud Report1, providing the latest industry snapshot on cybercriminals’ most common data breach tactics.
The research draws on data from F5’s threat intelligence partner Webroot, as well as its own global Security Operation Centers.
Based on analysis from the past year, F5 Labs believes phishing is now the most prominent attack method used to breach data2. The finance, health, education, non-profit, and accounting sectors are more likely to be compromised.
“There is so much phishing going on because it is easy and it works,” said David Warburton, Principal Threat Evangelist, F5 Networks, and report co-author.
“Attackers don’t have to worry about hacking through a firewall, finding a zero-day exploit, deciphering encryption, or rappelling down an elevator shaft with a set of lockpicks in their teeth. The hardest part is coming up with a good trick email pitch to get people to click on, and a fake site to land on.”
With threat volumes set to continuously rise, F5 Labs suggests phishing is no longer as seasonally specific or predictable as before.
Last year, the F5 SOC reported a 50% increase in phishing attacks during the ecommerce-heavy holiday period between October and January. This is no longer the case.
“2019 hasn’t shown the same pattern to the two previous years,” said Warburton.
“The rise of social media makes personal data freely available any time. A wide range of events, be that public holidays, sporting competitions or political situations, provide threat actors with the branding and emotive story they need to craft a convincing phishing campaign.”
According to F5 Labs, target addresses for phishing emails come from a variety of sources, such as spam lists and open source intelligence gathering. Depending on the approach and intensity used to target victims, phishing emails can be sent out to thousands of potential victims or a specific individual3.
Anatomy of a 2019 phishing attack
Combining detailed Webroot data from July 2019 with its own research over the past year, F5 Labs concluded that phishing emails are three times more likely to have a malicious link than an attachment. The most impersonated brands and services are Facebook, Microsoft Office Exchange, and Apple.
One of this year’s main recurring trends is that phishers continue to relentlessly push for credibility, with as many as 71% of phishing sites using HTTPS to appear more legitimate.
F5 Labs also found that 85% of analysed phishing sites that make use of digital certificates have them signed by a trusted Certificate Authority (CA).
Furthermore, 21% of certificates on phishing sites include either 20% Organization Validation (OV) or 1% Extended Validation (EV) types, both of which are specifically intended to establish higher levels of trust.
“The whole point of validated certificates is to provide assurance of an organization’s domain ownership,” said Warburton. “It seems that this is not working. In fact, Chrome and Firefox have announced plans to take the display of EV off the main screen. Apple’s Safari has already deprioritised them.”
Fake phishing sites were located across a wide range of Internet hosts, with the most dominant being 4cn.org (2.7%), airproxyunblocked.org (2.4%), 16u0.com (1.0%), and prizeforyouhere.com (1.0%).
Top domains featuring unique phishing sites include blogspot.com, which was responsible for 4% of all analysed instances of phishing and 43% of malware. The popular blogging platform enables users to easily host malicious content on a well-recognised domain that handily provides free, OV-rated TLS certificates for all its sites.
Other frequently compromised domains include 000webhostapp.com, ebaraersc.net, and .info. The most frequently appearing patterns in examined phishing URLs were .htm (19.4%), .php (7.4%), login (3.0%), and admin (1.2%).
F5 Labs also observed that over 7% of malware sites were making use of encrypted connections over non-standard HTTPS ports (i.e. 8443).
“Leveraging HTTPS encryption to hide malware from traditional intrusion detection systems (IDSs) is a common threat actor tactic, and one we are seeing increase in line with overall observed attack trends. The majority of malware cannot be detected without SSL/TLS inspection,” Warburton added.
The rise of automation
Another significant trend in the 2019 Phishing and Fraud Report is the growing number of phishers embracing automation to optimise attacks.
The data shows that many phishing sites obtain certificates via services such as cPanel (integrated with the Comodo CA) and LetsEncrypt. 36% of phishing sites had certificates that lasted only 90 days, which strongly suggests that phishers are using certificate automation.
“95% of domains we analysed were accessed fewer than ten times, and 47% of sites were accessed only once. This means that attackers need to fully automate the process of standing up a phishing site to maximise return on investment. Automation allows a phisher to programmatically orchestrate the process of purchasing and deploying certificates across all their domains,” said Warburton.
“Free certificates, as we’ve predicted, make it much easier for attackers to host phishing sites. However, this isn’t all down to services like LetsEncrypt. There are many other ways to easily create free TLS certificates. Phishers are being frugal and reusing certificates across phishing and malware sites. Many certificates we found had Subject Alternative Names, allowing for multiple re-use of the same certificates across many domains.”
F5 Labs recommends that any phishing prevention strategy should include robust awareness training commitments, as well as the following technical security controls:
- Use Multifactor authentication (MFA). It is a phishing “gap insurance,” preventing stolen credentials from being used from an unexpected location or unknown device.
- Clearly label all email from external sources to prevent spoofing.
- Make antivirus (AV) software a critical tool for every relevant system. In most cases, AV software will stop a malware installation attempt if the software is up to date. Set AV policies to update daily at a minimum.
- Implement web filtering solutions to prevent users from inadvertently visiting phishing sites. When a user clicks on a link, the solution can block outbound traffic.
- Inspect encrypted traffic for malware. Traffic from malware communicating with command and control (C&C) servers over encrypted tunnels is undetectable in transit without some form of decryption gateway. It is vital to decrypt internal traffic before sending it to incident detection tools for infection review.
- Improve reporting mechanisms. Incident responses should include a streamlined and guiltless method for users to flag suspected phishing.
- Gain better visibility via endpoint monitoring, understand what malware is becoming active on the network, and ascertain which credentials may be compromised.