Some cybercriminals are motivated by political ideals, others by malice or mischief, but most are only interested in cold, hard cash. To ensure their criminal endeavors are profitable, they need to balance the potential payday against the time, resources and risk required.
It’s no wonder then that so many use phishing as their default attack method. Malicious emails can be used to reach many targets with relative ease, and criminals can purchase ready-made phishing kits that bundle together everything they need for a lucrative campaign.
After analyzing three months of phishing email traffic, we found that most attacks follow the money to either big tech or leading financial firms. Facebook, Apple and Amazon were the most popular tech brands being spoofed in phishing URLs. On the financial side, Charles Schwab was by far the most popular target, and was the most used brand URL overall, accounting for 13.5 percent of all cases. Chase Bank – an American subsidiary of JP Morgan Chase & Co – RBC Royal Bank and Wells Fargo were also widely used in phishing URLs.
Our investigation found that Chase has received a growing level of attention from cyber criminals over the last year, so we took a deeper dive into the tactics being used to target the bank’s customers.
The shift to mobile
One of the most prominent trends apparent in our investigation was the growing focus on mobile devices as part of phishing attacks. SMS text messages, WhatsApp and other mobile messaging services are increasingly used to launch attacks.
Attackers are adopting these methods in response to stronger email security solutions. The average mobile device is less likely to be well secured against phishing compared to a desktop endpoint. Even if the mobile device has a business email application on it, channels such as SMS and WhatsApp will bypass any anti-phishing protection it might have.
Threat actors may also mix email and mobile messaging in a single attack, for example sending a phishing email which includes a QR code that must be scanned by a smartphone, thereby jumping the attack over to the mobile endpoint. We have seen an uptick in QR-based attacks as the relatively overlooked technology became more popular during the pandemic. These attacks are again effective at evading traditional email security tools, as the QR code itself is not a malicious asset and its link destination cannot be read by detection technologies optimized for text URLs and virus signatures.
Mobile-based phishing attacks are also harder to identify due to mobile devices’ smaller screen and simplified layout, compounding the lack of security solutions on mobile.
How phishing kits mean anyone can phish like a pro
Not only are phishing approaches continually evolving to counter email security solutions, but even non-technical criminals can also easily take advantage of new techniques thanks to phishing kits. Mirroring out-of-the-box software bundles used by legitimate businesses, these kits provide a collection of tools that enable would-be criminals to quickly create and launch their own phishing campaigns.
Widely available on the dark web, such kits typically include email templates, graphics and scripts, along with a simple interface to manage the attack. Criminals can also easily purchase databases of potential target email addresses, likely sourced from previous data breaches.
Our analysis found that these kits are often highly sophisticated, configured to launch campaigns that will harvest credit card details, social security numbers, and other personal information, as well as the standard target of login credentials. The criminal community has also evolved its techniques to counter multi-factor authentication, with some kits providing the ability to capture one-time use authentication codes.
One of the most prominent kits we examined was the Chase XBALTI, which has been available for some time but has seen increased usage in targeting Chase and Amazon customers. The kit allows criminals to create their own phishing page mimicking the bank, after which they contact customers and prompt them to update their details.
Victims are asked to enter their login credentials and then confirm their personal and financial information. This ensures the perpetrators can not only access the victim’s account, but also furnishes them with other information that can be used for fraud or sold on the dark web. As a finishing touch, the XBALTI kit redirects the target to the genuine Chase landing page at the end, reinforcing the veneer of legitimacy.
XBALTI and other phishing kits we analyzed in recent months also employed evasive tactics, for example using dynamic domain services like Duck DNS to frequently change the destination of the URL. This enables them to continually use the URL even if the web server is taken down or blacklisted.
How can businesses defend against phishing attacks?
Most attacks still rely on the same handful of tactics because they keep on working.
First and foremost, always assume that if something seems fishy, it probably is phishy. Phishing emails have largely moved on from the garbled, error-ridden messages of the past, but there will still be things that give them away. Inconsistencies in language and design should be red flags, and users should always check that the sender's display name matches the actual email address. URLs should also be checked before they are opened, and company contact information can be quickly confirmed via official sites and mobile apps, or simply via search engines.
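The two checks above (display name versus sender address, and the link destination) and the Duck DNS rotation described earlier can be turned into simple triage logic. The following Python is an added example, not code from the original report; the brand list, the dynamic DNS list and both sample emails are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands most often spoofed in phishing URLs per the report (assumed legit domains).
SPOOFED_BRANDS = {"chase": "chase.com", "schwab": "schwab.com", "amazon": "amazon.com"}
# Dynamic DNS providers seen rotating phishing destinations (assumed list).
DYNAMIC_DNS_DOMAINS = {"duckdns.org"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable(host):
    """Crude registrable-domain guess: last two labels (assumes no multi-part TLDs)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def triage(raw_email):
    """Return a list of red flags found in one RFC 822 message string."""
    msg = message_from_string(raw_email)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Check 1: display name claims a brand, but the sender domain is not that brand's.
    for brand, legit in SPOOFED_BRANDS.items():
        if brand in display.lower() and registrable(from_domain) != legit:
            flags.append(f"display name claims {brand} but sender domain is {from_domain}")
    # Check 2: inspect every link in the body before anyone clicks it.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        reg = registrable(host)
        if reg in DYNAMIC_DNS_DOMAINS:
            flags.append(f"link uses dynamic DNS host {host}")
        for brand, legit in SPOOFED_BRANDS.items():
            if brand in url.lower() and reg != legit:
                flags.append(f"link mentions {brand} but resolves to {reg}")
    return flags

# Constructed sample messages (not real phishing samples).
SAMPLE_PHISH = """From: Chase Bank <alerts@update-account-team.example>
To: customer@example.com
Subject: Please confirm your details
Content-Type: text/plain; charset=utf-8

Your account needs verification. Sign in at
https://chase-secure-login.duckdns.org/verify to update your details.
"""
SAMPLE_LEGIT = """From: Chase <no-reply@alerts.chase.com>
To: customer@example.com
Subject: Statement ready
Content-Type: text/plain; charset=utf-8

Your statement is available at https://secure.chase.com/statements
"""
```

Running `triage(SAMPLE_PHISH)` yields three flags (sender mismatch, dynamic DNS host, brand-in-URL mismatch), while the legitimate sample yields none.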
Businesses should also be supporting their workers and customers by providing an accessible channel for reporting phishing. Customers should be able to easily report suspicions to the brand, and employees should have a direct line to their IT security team, ideally through a specialized anti-phishing and remediation solution.
As criminals continue to pursue phishing as the most accessible and lucrative path to cybercrime, individuals and businesses alike need to keep up with the latest trends, as well as keeping their eyes open for the same old tricks.