We’re closing in on late 2019 now, and so far it has been a breakout year for innovation. Businesses now more than ever turn to the digital world to handle everything from payroll to smart contracts. It’s no surprise, then, that phishing scams are alive and well.
Still, phishing is a vague term for the digital fraud that has happened this year. How can we break phishing down for 2019? We need to look at specific facts, stats, and jargon to understand what we’re up against for the rest of the year, and compare the patterns that carried over from recent years into 2019. That will help us forecast 2020’s phishing incidents.
Defining a phishing attack
A basic phishing attack happens through email messages and advertisements. Typically, these emails include a link or a file that will compromise the recipient’s computer system. Often, these attacks also redirect to a login page that looks just like the legitimate login of an app the intended victim already uses. This login page will imitate a common email system like Gmail or a familiar social media site like Facebook.
Keep in mind that while this basic definition helps us understand phishing as a concept, it’s not enough. Phishing grows more sophisticated every day.
Facts at a glance
Between 2018 and 2019 there have been recurring phishing patterns. We can observe them at a glance to get a feel for what we’re up against. The following comes from a PhishLabs report that compares 2018 with 2019:
- Under normal circumstances, a phisher must pose as a single financial institution, which blunts the attack: many of the targeted victims won’t be customers of the bank named in the lure. Modeling the alerts sent for interbank e-Transfers is appealing to cybercriminals because it lets them target customers of several banks at once.
- Phishing attacks seem to correspond with an increase in free hosting site usage. Between 2015 and 2018, phishing operations’ use of free hosting grew from 3.0% to 13.8%.
- Phishing hosting climbed through the first business quarter of 2018 and then stayed roughly level in volume, except for an additional spike between August and September. That spike invites comparison with September-October of 2019.
- Phishing sites are easily prepped with a phish kit, and free hosting makes this easier still. One threat actor can produce a large number of sites in a short period, so a small number of phishers can account for a large volume of phishing.
- 000webhostapp was the most popular free host for phishing activity in 2019, accounting for 69% of freely hosted phish.
- SMS phishing was an observable risk in 2018. Many people don’t expect phishing on their phones and open texts instinctively, and SMS messages are much harder to trace. The phish kits for mobile phishing set up mock logins for mobile apps that look highly authentic.
- It is important to remember that phishing attacks still have a high rate of success. Phishing scams are the province of novice cybercriminals, who use them to harvest credentials and to distribute ransomware.
- Organized crime uses phishing to steal up into the millions. Nation-states use phishing to pinpoint strategies and gain inside information about a target environment.
- Phishing attacks are creeping into all corners of the digital world. Email is not the only channel. Tech teams need to start watching for phishing on social media, SMS, mobile apps, streaming, etc. Anything that can be digitized will be phished at some point.
Breaking it down
Even with some common patterns, no two phishing scams are alike. They are often similar, but there is always that one bug in the system that makes them hard to detect. We have to narrow the common behavior down to stay protected. It’s not just about looking at the statistical rates of the crimes; it’s about getting inside the phishers’ heads. Think like a phisher to avoid getting phished.
Symantec put together a research piece for the Internet Security Threat Report in February 2019. Here’s what they found out about phishing:
Business Email Compromise (BEC) phishing incidents of 2017-2019 shared common keywords. The report graphs them ranked by frequency and by the rise in their use percentage, grouped into words with below 4.0 growth and words with below 3.0 growth in use percentage.
[Chart: BEC keywords ranked by frequency and rise in use percentage. The word list itself did not survive extraction.]
We can see from these stats that phishing scams are getting more sophisticated. They ask for “urgent” “attention” at a much higher rate than they ask for a flat-out payment transfer. This implies that phishers are familiar with the changing fraud prevention methods and are looking for the loophole in anti-phishing strategies.
Developing a strong phishing victimology
So, we can see what kind of con lingo the phishers are using from the chart above. Who are they using this language against? Who would they target that would be most likely to open an email with this type of language in the subject line or body?
To understand that, we’re going to have to develop a keen understanding of who the victims were in the 2017-2019 phishing attacks.
Small to mid-sized businesses on the slate to be phished
Symantec’s research found that the rate of email phishing by business size was highest in the mid-sized range. The businesses with the highest numbers of phishing hits had around 1,001-1,500 employees. Within that size range, 56 of the 1,001-1,500 employees were the targets, which is 3.73-5.59% of the employees for businesses of this size.
Symantec also found that 48% of all malicious emails are work files, usually attached. The email will be disguised as a business software notification or transaction information such as an invoice or a receipt. The attached office files contain malicious script; opening the attachment runs the script, which completes the malware transfer to the office systems.
So, we can see from the above that only a small percentage of the people in these companies are being targeted. If it were much larger, suspicion would spread faster and the whole office team would have a higher chance of foiling the attack. This small percentage of targeted employees then has to have a sound reason to open the infected emails.
The small percentage of targeted employees work in finance and HR
Switch back to the PhishLabs findings for 2018-2019. 98% of the attacks in users’ inboxes included no malware. The vast majority of 2018’s inbox phishing scams were credential theft and email scams. For 2018, the most effective lures used financial/HR and e-commerce scamming techniques, and these lures worked on corporate targets. 83.9% of these attacks targeted five key industries, going after credentials for financial, email, cloud, payment, and SaaS services.
From this, we can see that the small percentage of targeted employees are those in corporate communications roles: HR people and financial managers, exactly the profile that would be quick to open an “urgent” labeled email.
This group of people is highly trained in financial scams, right? So, if they are taking the bait, then these attacks have a high level of sophistication. They will also look unremarkable: the HR or financial employee will not be able to detect anything suspicious about the email at a glance. Why is that?
For the scope of the Symantec study, the highest number of malicious email attachment contents was scripts at 47.5%. This was followed by executables and other attachments.
What are phishing scripts?
So, what is a script? How does this compromise your IT system even without using malware?
A script is a bit of code the phisher writes that runs in the background when the HR team opens the email or its attachment. It doesn’t have to contain a virus to be harmful; it just needs a way to spy on your system. Hackers often use this to steal financial information from inside the system.
Hackers use complex scripts in their phishing work; the more sophisticated the phishing technique, the more different scripts are in play. Observed favorites among hackers have been written in Python and Ruby.
Real-world case studies
Now that we understand the target range and victimology of phishing attacks, we need to look at some of 2019’s most infamous cases so far. It’s worth breaking down what went wrong for someone else to avoid the same mistakes. That way these attacks can mean something more than a hit and run on a business that may have cost it the whole entity.
Some of these hits have been recent and a little too close for comfort. One such infamous case came to us through a Healthcare Drive report that went up in August 2019.
Presbyterian hospital phishing attack that compromised 183K patients’ data
The phishing attacks at the Presbyterian hospital chain exposed both patients and health plan members. This happened in the New Mexico-based integrated network. The breach was discovered on June 6 at the nine-hospital system. The exposed email accounts included patient information: names, health plan membership details, Social Security numbers, birth dates, and confidential clinical and plan information.
The team at Presbyterian could not find any malicious use of the data that was harvested. They could also not determine if the phishers had gained access to Presbyterian’s EHR or billing systems.
That doesn’t mean the attack had no consequences, though. In fact, this kind of attack is arguably worse: victims can change their financial info and credentials with some patience, but data like this can be recirculated for fraud and even sold.
The phishing attack itself launched on May 9th. That means it was in the system for almost 2 months before it was detected.
A similar attack at Massachusetts General
Healthcare Drive also reported an attack on Massachusetts General Hospital in August. The attack involved two computer programs that researchers in the neurology department were using. Personal health information for more than 10,000 patients was exposed. This breach was discovered sooner than the one at the hospital in New Mexico: the attack was launched around June 10-16 (the exact date is not pinpointed), and the hospital discovered it on June 24.
The takeaway from these cases
In 2019, we’re seeing a pattern with healthcare establishments. Because data usage is getting so much more sophisticated in 2019, the value of data is increasing. So, stealing data itself is often more valuable than in past years, when phishers were just interested in making away with cash.
Developing a criminal profile for phishers
Understanding the victimology behind phishing is important. Still, it’s only half the work. To stop a phisher, you have to think like a phisher. Who are they? What is the motive for their phishing crimes?
Turns out that phishing is the evolution of phreaking, the name given to telecom hackers. Phishers are just the cyberpunk reprise of classic identity thieves. If we focus on that, we can form a criminal profile that helps us better understand phishers’ motivations.
The US Department of Justice has spent decades exploring and developing criminal profiles for identity thieves in general.
Likewise, the Center for Identity Management and Information Protection has profiled federal case data from 2008-2013 on identity theft. It was published in 2015. You can read it here.
Comparing the CIMI 2015 study on identity thieves to 2019 phishers
In the CIMI research, the highest offender cases for identity theft and associated crimes like bank and tax fraud came from Florida. This was followed by California as the second highest percentage rate of offenders.
The 5 states with the highest number of identity theft offenses are as follows:
- New Jersey
One interesting fact to note is that all of these states have beach towns. All of them are also tourist and business attractions. If we compare this fact to phisher trends, we notice that the industries that phishers target, like hospitality and finance, could often be local to them. Phishers and identity thieves are likely to be familiar with the victims they target in those cases.
For offender age groups, the study found an increase in the past two decades of middle-aged offenders. Still, 36.7% of identity theft offenders for 2007 were between the ages of 25-34.
86.7% of the offenders observed in this study were native-born legal residents of the United States.
Only 6.1% of the identity theft criminals at that time were illegal aliens.
One-third of the identity thieves were female, meaning that in 2007 males predominated in identity theft statistics. This did not change for the 2015 update of the study, but the share of female identity thieves increased.
In 2007, more identity thieves operated as part of a network of scammers than alone. As far back as 2007, there was a huge spike in internet use for identity theft. This shows us that criminals likely to be regular identity thieves are also likely to be phishers.
Group benefits of credential scams: the payoff of phishing
Often, the identity fraudsters were a husband/wife team. Also, groups that engaged in phishing-styled identity attacks in this study ran shopper fraud rings. They stole credit card information from online victims, then converted the stolen information into false credit cards. They would use the credit cards to purchase vast amounts of retail items, then return or transport these items to convert them into cash. They would exploit drug addicts and the homeless by exchanging the cash harvested through the fraudulent shopping for these vulnerable people’s Social Security numbers and other credentials.
They would use the credentials of these people who had fallen through the system to obtain fake driver’s licenses and other false credentials. They would use these new credentials to assume an identity in the state where the exploited individual would be recorded as a resident. From there, they would use these credentials to open false bank accounts and then forge checks from those accounts.
The identity thieves in the older study showed patterns of using stolen identity information to commit other fraud-related crimes.
In this study, often the identity theft victims were strangers to the thief. The 2015-era update to this study showed that often the relationship between perpetrator and victim was customer and client.
We know from this report that these people often act as some insider cell group. They benefit from side-stepping the government and from exploiting easy targets. Over the years, the victim profile itself has not been set in stone. Phishing scams, with their increased internet reach, do however produce a higher rate of individual targets: they look for one person inside a business whose compromise would sweep the whole entity into the scam.
Lessons in phishing from the hackers themselves
So, now we have a pretty sound victimology for these attacks. We know exactly which people we need to train hardest for these incidents. We also know which groups need to be watched and screened most closely against insider threat.
Now, it might help to create a criminal methodology for the attacks themselves. What is the exact breakdown of a phishing scam? We studied the methods taught by Pentest Geek, an ethical hacking group that uses scenarios and mock hacking to act like a fire drill for business teams. They have a complete guide to the phishing attack process, published on September 18, 2019.
The step-by-step process for a common phishing attack looks like this:
- Enumerate the email addresses
The first thing your phisher is going to do is enumerate the email list. They have to determine exactly who they want to send these emails to. To do this, they will use a service like Jigsaw.com. Jigsaw will enumerate the emails automatically for the would-be phisher. Using Jigsaw, the phisher has the support of a database and can export this knowledge to CSV files. The system at Jigsaw will try to block this script, so the hackers will then operate in the newest available version, from a free jigsaw.com account, passing their credentials as arguments on the CLI.
An alternative option is theHarvester. theHarvester is a Python script that is part of BackTrack 5 and is located at /pentest/enumeration/theharvester. This script can rapidly search across a span of different search engines and, as the name implies, harvest the enumerated email addresses it finds.
- Evade antivirus systems
The phisher is then going to study your antivirus system. They will need to know what system they are dealing with so they can find a weak spot. Evading your antivirus is the loophole these script runners have in infecting your confidential information database. One way is to spy on your DNS cache. They can see the type of antivirus their victim uses from the DNS cache.
Once they’ve determined what type of antivirus the business is using, the hacker will download the same or similar system. They will study it on their own to form the best plan to crack into it.
- Use of egress filtering
The phisher is then going to need to choose a payload. Some of the favorites are reverse_https or reverse_tcp_all_ports. This second one is not as familiar to some lower-to-intermediate hackers. In essence, reverse_tcp_all_ports implements a reverse TCP handler and works with “allports” stagers. It’s kind of like a wiretap. It listens on a single TCP port. Then, the operating system redirects all of the incoming connections on all the ports to the “listening” port.
The hackers will often use Linux-based systems. This operating system is essential to the more heavily technical part of this process. The filter is catching essential information from the victim system for the hacker. At the same time, they can use the Linux-based hacking operation to log in remotely. They also use these reverse-https systems to hide their traffic in your system. Intrusion prevention systems have a difficult time detecting the malicious presence because it looks like regular HTTPS traffic. The only way the hackers would get caught in the act in this case is if the corporation is running deep packet inspection with SSL stripping.
- Pick an email phishing scenario
Then comes the easiest bit. The hacker will find a template and a scenario that will work as the perfect email lure. Remember, in recent stats, the hacker is often targeting about 3-5% of small to medium-sized businesses’ staffers. They are going to go after the credential-managing roles like HR or finance. They will send emails that look like they came from the business’s bank. These emails will be labeled as “urgent” reports that need the victim’s immediate attention.
- Sidestep web proxy servers
The hackers will then identify what web proxy servers their target victim is using. The web proxy server is going to block the business network from visiting certain sites. Some of these systems are even equipped with antivirus protection. This means that the web proxy server can block the victim from downloading the executable the phisher has sent. The phisher will have to find a way to sidestep this to get what they want. They will then invest in their scam by purchasing a valid SSL certificate for the malicious site. This means that when the victim user visits the SSL certified site, an encrypted tunnel is funneling back to the phishing scam.
- Send out the phishing messages
The hackers have some options here. They can spoof an email or they can purchase a real domain to make the ruse even more convincing.
If they choose to send from a valid domain, then they’re often going to cash in on a cheap domain marketplace. GoDaddy is the most popular cheap domain purchase option at the moment. Some sales deals for fresh domains have them listed as low as $1.17, tax and fees included.
A lot of the sites purchased through GoDaddy have an email feature built in. The hacker will use the domain’s “create an email” feature to make an email account for their site.
The hacker will then go into the GoDaddy account settings and change all of the WHOIS identifying information. They will use the site to run a convincing impostor of the legitimate site for their phishing scam, running a match check against the website they want to impersonate to make sure everything looks legitimate. This has to look as real as possible.
At this point, they might choose an email provider to blast the phishing emails. Yet, the more sophisticated operations will run them as the scripts mentioned above.
The hackers in the Pentest Geek report ran a script written in Ruby, a simple script called sendmail.rb. It took a list of email addresses along with the email message they sent out. They can use this script to track the users of a phishing site. With this simple script, tracking activity through the phishing site was easy, but tracking individual clicks was harder.
Among these hackers, Metasploit was the favorite setup for multi-handler tools. They liked this tool because it let them set up custom options. Phishers are all about customizing their crime; it makes it harder to track.
The hackers at Pentest Geek would first create a resource script in case their multi-handler died. This script sets things up for the hackers following the model they formed during testing.
The hackers will set up this multi-handler to protect their web sessions. They will modify things like scraper.rb if using Ruby code. This code is used to enumerate information integral to the phishing scam at this stage: email addresses, system information, hashes, and miscellaneous useful information.
The hacker uses this to multitask so that they don’t have to wait for each stager and session to arrive. Allowing the system to manage some of the tasks helps the hacker distribute the work and run a wider-reaching campaign.
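As an added, defender-side example (not code from the article, Symantec, or Pentest Geek), the following Python triage script checks an inbound message for the lure traits this page describes: the “urgent”/“attention” wording from the Symantec keyword chart, a sender posing as the business’s bank from a domain that isn’t the bank’s, a reply-to or login link on another domain, and a script or executable attachment. The sample message, trusted-domain set, and extension lists are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Words the page reports rising in BEC subject lines (Symantec); extend as needed.
URGENCY_WORDS = {"urgent", "attention"}
# Attachment types the page flags (scripts, executables, office files carrying
# script). The concrete extension lists are an assumption, not from the page.
SCRIPT_EXTENSIONS = {".js", ".vbs", ".wsf", ".hta", ".ps1", ".docm", ".xlsm"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for this illustration."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw: bytes, trusted_domains: set) -> dict:
    """Return the lure traits found in a raw RFC 5322 message and a 0-5 risk score."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable(addr.split("@")[-1]) if "@" in addr else ""
    # 1. Display name claims to be a bank, but the address domain is not a trusted one.
    if "bank" in display.lower() and from_domain not in trusted_domains:
        findings.append(f"sender claims '{display}' but sends from {from_domain}")
    # 2. Reply-To steers replies to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registrable(reply.split("@")[-1]) != from_domain:
        findings.append("reply-to domain differs from sender domain")
    # 3. Urgency wording in the subject or body.
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    text = (msg.get("Subject", "") + " " + body_text).lower()
    hits = sorted(w for w in URGENCY_WORDS if re.search(rf"\b{w}\b", text))
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    # 4. Links that lead somewhere other than a trusted domain (look-alike login pages).
    for url in re.findall(r"https?://[^\s\"'<>]+", body_text):
        host = urlparse(url).hostname or ""
        if registrable(host) not in trusted_domains:
            findings.append(f"link to untrusted domain {host}")
    # 5. Script or executable attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in SCRIPT_EXTENSIONS:
            findings.append(f"script attachment {name}")
        elif ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment {name}")
    return {"findings": findings, "risk": min(len(findings), 5)}


def build_sample() -> bytes:
    """Constructed sample lure in the shape the page describes (not a real message)."""
    m = EmailMessage()
    m["From"] = '"Example Bank Fraud Dept" <alerts@examplebank-secure.net>'
    m["Reply-To"] = "desk@mail-relay.example.org"
    m["To"] = "payroll@victim.example"
    m["Subject"] = "URGENT: attention required on flagged e-Transfer"
    m.set_content("Review the flagged transfer at https://examplebank-secure.net/login now.")
    m.add_attachment(b"WScript.Echo 1", maintype="application",
                     subtype="octet-stream", filename="invoice.vbs")
    return m.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample(), {"examplebank.com"})["findings"]:
        print("-", line)
```

The constructed sample trips all five checks; a plain statement from the trusted bank domain with no urgency wording, links, or attachments scores zero.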
Proactive anti-phishing steps
Now you know who these people are. You know what they want. You also know what they’ll do to get it. A clear idea of the criminal motives and the ideal victims takes the mystery out of the act of phishing.
That still isn’t enough to prevent all phishing. You will have to build some steps into your online business communications that take all of this information.
Invest in advanced anti-phishing protections
It should be clear by now that antivirus isn’t enough to stop these scams. Spam boxes with strong filters aren’t enough either. You need to invest in deep packet inspection with SSL stripping. This is the countermeasure the hackers themselves identified as able to stop their method in one of its earlier planning stages.
It’s also good to invest in a web proxy that has built-in anti-phishing measures. TechTarget recommends that you use an intrusion detection system or antimalware system too. Even then, that’s not where you should stop shielding against phishing. TechTarget also suggests your website operators should detect these types of attacks by monitoring for a specific number of connections from one new IP. Even then, you will have to keep an eye out: new connections can come from a new NAT or a legitimate proxy. A suspicious number of connections from one site user will require ramped-up investigation.
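One way to implement the connection-count check TechTarget suggests, as an added example that is not from the article or TechTarget: a sliding-window counter over constructed log lines that alerts when a previously unseen source IP exceeds a threshold, and exempts known NAT or proxy egress ranges so a shared address does not generate noise. The log format, threshold, window, and address ranges are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Tuning values are assumptions for the example, not from the article.
THRESHOLD = 20                 # connections inside one window before alerting
WINDOW = timedelta(minutes=1)
# Egress addresses of a known NAT or corporate proxy (documentation range, constructed).
KNOWN_NAT_OR_PROXY = [ip_network("203.0.113.0/24")]


def parse_line(line: str):
    """Parse a constructed '<ISO timestamp> <src ip> <http status>' log line."""
    ts, ip, status = line.split()
    return datetime.fromisoformat(ts), ip_address(ip), int(status)


def connection_burst_alerts(lines, threshold=THRESHOLD, window=WINDOW,
                            exempt=KNOWN_NAT_OR_PROXY, known_ips=frozenset()):
    """Return {ip: first time it crossed `threshold` connections within `window`}.

    IPs in `known_ips` (already seen in baseline traffic) are not "new", and IPs
    inside an exempt NAT/proxy range are skipped, because a shared egress
    address legitimately produces many connections.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    alerted = {}
    for ts, ip, _status in events:
        if str(ip) in known_ips or any(ip in net for net in exempt):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.pop(0)
        if len(q) >= threshold and ip not in alerted:
            alerted[ip] = ts
    return {str(ip): ts.isoformat() for ip, ts in alerted.items()}


def sample_log():
    """Constructed log: a burst from an unknown IP, the same burst from a NAT egress, normal browsing."""
    base = datetime(2019, 9, 30, 10, 0, 0)
    lines = []
    for i in range(25):   # 25 hits in 25 seconds from an unknown IP: should alert
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 198.51.100.7 200")
    for i in range(25):   # identical burst from the known NAT range: exempt
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.5 200")
    for i in range(5):    # five hits spread over ten minutes: below threshold
        lines.append(f"{(base + timedelta(minutes=2 * i)).isoformat()} 192.0.2.9 200")
    return lines


if __name__ == "__main__":
    for ip, when in connection_burst_alerts(sample_log()).items():
        print(f"ALERT {ip} crossed {THRESHOLD} connections within {WINDOW} at {when}")
```

Feeding a baseline of already-seen addresses through `known_ips` is what keeps the alert focused on the “new IP” the article describes rather than on every busy client.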
If you receive a suspicious email from your bank, contact the fraud department
We’ve seen above that phishing hackers often use legitimate financial institutions as the template for the point of compromise. If your HR department or financial department receives an email from the company bank or another bank, that in itself is questionable. Banks don’t typically contact their clients directly; rather, they let the client reach them if they have a question regarding a transaction or something that was flagged.
Florida has developed an Identity Theft victim kit because of the statistical spike of this kind of crime in the state. They list the three major credit bureaus as the places to alert if you suspect a system breach. You can have them place a “fraud alert” on your accounts. Then, you can also ask for your credit reports to watch for fraudulent behavior. You can do this immediately if an employee in your company has opened a direct-from-creditor or bank email that was sent outside of regular correspondence with the bank’s service department.
They recommend that you contact the fraud departments also of all your creditors and all your banks and financial institutions. You should have all of them place your accounts on a fraud watch list while you sort out the breach.
Phishing is not going anywhere anytime soon. That’s because information fraud is not going anywhere. It’s a bit unfortunate but nevertheless a well-trained team has little to fear.
If you need a VPN for a short while when traveling for example, you can get our top ranked VPN free of charge. ExpressVPN includes a 30-day money-back guarantee. You will need to pay for the subscription, that’s a fact, but it allows full access for 30 days and then you cancel for a full refund. Their no-questions-asked cancellation policy lives up to its name.