PayPal becomes phisher’s favorite brand, Office 365 phishing techniques evolve
PayPal has overtaken Microsoft to claim the number one ranking for phisher’s favorites for the first time. Netflix was not far behind as the streaming giant moved up to the third spot with a 14.1 percent QoQ and 73.7 percent YoY growth in unique phishing URLs, according to Vade Secure.
Leveraging data from more than 600 million protected mailboxes worldwide, Vade’s machine learning algorithms identify the brand being impersonated as part of its real-time analysis of the URL and page content.
PayPal takes the top spot for the first time
After five quarters, PayPal has become the first brand other than Microsoft to claim the number one spot in the rankings. In Q3 2019, Vade’s AI engine detected 16,547 unique PayPal phishing URLs for an average of nearly 180 per day. This represents a 69.6 percent YoY increase.
Impersonating PayPal, which had more than 286 million active user accounts in Q2, is clearly a highly profitable practice for cybercriminals, with no letup in sight.
Office 365 phishing techniques shift towards email randomization
Unique Microsoft phishing URLs detected in Q3 2019 were down by 31.5 percent compared to last quarter. Although, with more than 150 unique URLs per day, Office 365 phishing attacks are still very common.
Moreover, cybercriminals have begun to shift their focus to the construction of the email, leveraging various randomization techniques to break through traditional defense layers. This minimizes the need for unique URLs for each message because the phisher is able to reuse the same webpage across a large number of emails.
One randomization technique is to leverage a modified brand logo (e.g. Microsoft logo on a blue background) in order to bypass template matching and feature matching algorithms that can only identify exact matches of the image.
Netflix phishing surges, with its six consecutive quarter of growth
Netflix phishing has seen steady growth in each of the last six quarters, rising one spot to number three in Q3 (up 14.1 percent QoQ and 73.7 percent YoY).
The platform’s popularity is surely a key driver for the corresponding growth in phishing campaigns, as it had over 158 million paying subscribers worldwide in the third quarter, along with 5.5 million free trial customers.
In addition, Stranger Things season 3, Netflix’s biggest show of the year with 64 million viewers, was released in July. It’s logical for cybercriminals to capitalize on this excitement to catch unsuspecting people off guard.
Additional key findings
- Facebook (#4), Bank of America (#5), Apple (#6), Chase (#7), CIBC (#8), Amazon (#9) and DHL (#10) rounded out the top 10 most impersonated brands.
- Facebook saw a 20 percent decline in unique phishing URLs in Q3, indicating that the massive growth it experienced last quarter has leveled off.
- There were 10 financial services brands in the top 25 in Q3. It became the most impersonated industry for the first time, accounting for 37.9 percent of all URLs.
- A large majority of phishing (79.1 percent) took place on weekdays, while Mondays and Wednesdays were the most popular days for cybercriminals to go on the offensive.
“Cybercriminals are always evolving their phishing tactics, and each quarter we see them becoming smarter and more innovative in order to keep up with the defenses being deployed by email users and businesses,” said Adrien Gendre, Chief Solution Architect at Vade Secure.
“Despite the drop in related Microsoft phishing URLs, it’s important for organizations to remain on high alert as our researchers have uncovered a number of new and sophisticated methods of attacking Office 365 users.
“For consumers, the rise of PayPal phishing, combined with the prevalence of financial institutions in our top 25, means that cybercriminals are making a concerted effort to target your wallet. My advice is to stay vigilant and follow best practices to ensure that you and your bank account are not victimized.”