A pair of cyber product firms anticipate phishing attacks will ramp up during the winter.
David Warburton, Senior EMEA Threat Research Evangelist, at F5 Networks said: “We’re in the middle of a cyber-crimewave where phishers and fraudsters take advantage of people at their most distracted. It is prime season for individuals giving up credentials or inadvertently installing malware. Businesses are wrapping up end-of-year activities, key staff are on vacation, and record numbers of online holiday shoppers are searching for the best deals, looking for last-minute credit or feeling generous when charities come calling.”
F5 Labs, with Webroot, has launched its second annual Phishing and Fraud report. According to the report, the F5 Security Operations Center (SOC) for F5 WebSafe, which tracks and shuts down phishing and fraudulent websites for customers, found that fraud incidents in October, November, and December tend to jump over 50pc compared to the annual average. The report authors say that 75.6pc of all websites taken offline by the F5 SOC between January 2014 and the end of 2017 were related to phishing attacks. This is followed by malicious scripts (11.3pc) and URL redirects (5.2pc), which are also used in conjunction with phishing operations. Mobile phishing (2pc) was also identified as a growing issue.
Tech and finance
Although phishing targets vary based on the nature of the scam, 71pc of attackers’ efforts from September 1 to 31 October 2018 focused on impersonating just ten organisations. Technology companies were most mimicked (70pc of incidents), with more than half, 58pc of phishers’ time spent posing as the likes of Microsoft, Google, Facebook, Apple, Adobe, Dropbox, and DocuSign during the monitored period. The finance sector was also under fire. 13 of the top 20 fastest growing targets were financial organisations. Banks accounted for 55pc of these, five of which were major European entities. Some of the most successful malware started as banking malware. For example, Trickbot, Zeus, Dyre, Neverquest, Gozi, GozNym, Dridex, and Gootkit are all banking trojans known to have spread initially through phishing campaigns.
The report stresses that the best first line of defence is consistent education and creating a culture of curiosity. Tests by Webroot show that security awareness training can have a particularly ameliorative effect. Companies that ran 11 or more training campaigns reduced employee phishing click-through rates to 13pc. Six to ten sessions saw a 28pc click-through rate, rising to 33pc with one to five employee engagements. F5 Labs stresses the importance of organisations implementing access control protections, including multi-factor authentication and credential stuffing controls, to prevent phished credentials becoming a breach. The firm recommends use of challenge-response technologies like CAPTCHA to distinguish humans from bots. As users can find them annoying, use in cases where it’s highly likely a script is coming from a bot.
Phishing sites are often newly registered domains. When F5 reviewed the list of active malware and phishing domains collected by Webroot in September, only 62pc were still active a week later.
Warburton added: “As organisations get better at web application security, it will be easier for fraudsters to phish people than to find web exploits. Ultimately, there is no one-stop-shop security control for phishing and fraud. A comprehensive control framework that includes people, process, and technology is a critical requirement to reduce the risk of an attack becoming a major incident.”
