Phishing attacks becoming more targeted, phishers love Microsoft the most


Microsoft remains ensconced at the top of the list of brands impersonated by phishers in North America, Vade Secure has revealed.


Phishers’ favorite targets

The company compiles a list of the top 25 “phishers’ favorites” each quarter by tallying the number of new phishing URLs they detect.

In Q3 2018, Microsoft and PayPal retained the top two places, and Netflix, Bank of America and Wells Fargo occupy the next three.

It’s pretty obvious why Microsoft and PayPal are loved by phishers: the primary goal of Microsoft phishing attacks is to harvest Office 365 credentials.

“With a single set of credentials, hackers can gain access to a treasure trove of confidential files, data, and contacts stored in Office 365 apps. Moreover, hackers can use these compromised Office 365 accounts to launch additional attacks, including spear phishing, malware, and, increasingly, insider attacks targeting other users within the same organization,” the company explains.

They also warn about a marked increase in phishing emails claiming that the recipient has received a link to a file on OneDrive or SharePoint and has to sign in to access the file.

PayPal credentials give phishers immediate financial payback. Netflix accounts are valuable for the payment card info contained in them, and as goods to be sold on the dark web (although, sometimes, phishers are after much more than that).

Facebook has dropped from the top 5 (to the 6th place), while Chase has hopped over 11 entries and is now in 7th.

The company pointed out that, in terms of volume, cloud and financial services combined represent nearly three-quarters of all phishing URLs.

“While both industries saw solid double-digit quarter-over-quarter growth (22.5% and 36.7% respectively), internet/telco saw the largest percentage growth of 46.3%, again thanks to the growth in Comcast phishing pages. Social media was the only industry to see a decline, reflecting the steep drop in Facebook phishing.”

New entries on the list are Comcast, NBC, AmEx and CIBC, while ING, RBC, BT and Amazon have dropped from the top 25.

“Amazon’s disappearance from the list likely has little to do with Amazon itself,” Adrien Gendre, CEO of Vade Secure North America, told Help Net Security.

“Most phishing attacks are coordinated by a small number of cybercriminal organizations who pick their target based on the profitability. When one target rises in popularity, another decreases. It doesn’t mean that Amazon is not interesting anymore to hackers; it’s just that other brands are currently more profitable to phish.”

Other interesting insights

The analysis of these latest phishing URLs also shows that:

  • Microsoft phishing emails are predominantly delivered during the working week (Tuesdays and Thursdays are preferred).
  • Bank of America phishers cash in on weekends, when bank branches and customer service lines are closed.
  • Netflix phishers prefer Sundays, likely because new seasons of shows are often released on Fridays, and users are looking forward to watching them during the weekend. An email warning about a supposedly blocked account, arriving when users just want to watch something and relax, is likely to improve the success of the phishing attack.


Also: phishing is on the rise. The total number of new phishing URLs across the 86 brands Vade Secure tracked rose 20.4% in Q3. Worryingly, phishing attacks are also becoming more targeted.

“When we correlated the number of phishing URLs against the number of phishing emails blocked by our filter engine, we found that the number of emails sent per URL dropped more than 64% in Q3. This suggests that hackers are using each URL in fewer emails in order to avoid reputation-based security defenses,” the company noted.

“In fact, we’ve seen sophisticated phishing attacks where each email contains a unique URL, essentially guaranteeing that they will bypass traditional email security tools.”