As cybersecurity solutions become better at detecting email-based threats using machine learning (ML) and other advanced tools, cybercriminals continue to tweak their arsenal and employ leveled-up versions of tried-and-tested social engineering tactics, such as phishing, to increase the likelihood of users falling for fraud, identity theft, or spoofing, which could lead to enterprises losing substantial amounts of money. The FBI reports that between October 2013 and May 2018, businesses in and outside of the U.S. lost over US$12.5 billion to business email compromise (BEC) scams.
Our annual Cloud App Security report reveals that in 2018 alone, our Trend Micro™ Smart Protection Network™ security infrastructure blocked over 41 billion email threats. With heightened awareness that it takes just one successful phishing email for a business to incur massive financial losses, companies have learned to employ better email security solutions and practices. Cybercriminals responded to this by changing gears and improving their phishing strategies.
More Sophisticated Phishing Techniques
Today, it’s not just the malware that is evolving and becoming more targeted; the techniques used to deliver it to victims have taken on these characteristics as well.
Phishing has been morphing. According to the recently released Microsoft Security Intelligence Report, cybercriminals are making it harder even for advanced cybersecurity tools to detect phishing emails. They now send phishing emails via varied infrastructure, avoiding the use of a single URL, IP address, or domain for sending out the emails. Aside from this, there has been a noted growth in attackers' use of popular document sharing and collaboration sites to siphon off sensitive user information such as email addresses, usernames, and passwords via fraudulent login forms. Out of the 8.9 million high-risk email threats that our Trend Micro™ Cloud App Security™ solution detected and blocked in 2018, we found that 40 percent were credential phishing attacks.
The Microsoft report also notes that attackers have increasingly used compromised email accounts to spread malicious emails in and out of an organization. The report also reveals that phishing campaigns made use of a combination of email-based attacks: a short one that is operative for several minutes; one that is active for an extended period of time and at a great volume; and a “serial variant” that is active for a period of consecutive days and at a small volume.
In addition, last year we observed a unique phishing campaign at work, one that uses compromised email accounts to reply to ongoing email threads. The legitimate-looking email responses contain malicious documents that house the banking trojan and spyware URSNIF, which victims unwittingly downloaded to their systems. We also saw an Apple ID phishing scam that scares users into clicking links to a credential phishing site, telling them that their service will be suspended if they do not reveal their personal information. We also detected a peculiar combination of phishing and malware techniques used in a campaign that spread the CamuBot banking trojan to business-class bank users in Brazil.