Cybercriminals targeting social media: Facebook and Instagram are becoming phishers’ favorites
Social media phishing, primarily Facebook and Instagram, saw the highest quarter-over-quarter growth of any industry with a 74.7 percent increase, according to the Vade Secure Phishers’ Favorites report for Q1 2019.
While Facebook has been in the top 10 since the report’s inception, Instagram cracked the top 25 for the first time, taking the #24 spot on the Phishers’ Favorites list.
With the headlines about Facebook storing hundreds of millions of user passwords in plain text, and requiring some new users’ email passwords in order to sign up, Vade Secure believes that hackers could have been taking advantage of the confusion and concerns of Facebook users to lure them into clicking on phishing pages.
The company also detected the same phishing attack that was publicized in early March around Instagram phishing emails claiming to offer a verified Instagram badge to trick recipients into providing their credentials.
Microsoft remains the most phished brand, as hacker techniques continue to evolve
Overall, Microsoft remained the most impersonated brand in phishing attacks for the fourth straight quarter. Microsoft’s sustained popularity with hackers stems from the lucrativeness of Office 365 credentials, which provide a single entry point to the entire Office 365 suite while enabling attackers to conduct multi-phased attacks using the compromised accounts.
Moreover, analysis of phishing emails and pages reveals that attackers are getting increasingly sophisticated with attacks targeting corporate email users.
A few techniques include:
- Mirroring real brand assets. With Office 365 phishing attacks, cybercriminals will often mirror the actual Office 365 login page, pulling JavaScript and CSS directly from the legitimate website and inserting their own script to harvest credentials – making sure that the phishing page is virtually indistinguishable from the real thing.
- Redirecting to legitimate content. Vade research found that many Microsoft phishing pages actually redirected users to legitimate Microsoft pages once they’d submitted their credentials in an attempt to convince them that nothing was amiss. In addition, the “reply-to” address in some phishing emails was a legitimate Microsoft email: support@microsoft.com.
- Mixing safe and malicious URLs. In the case of Netflix phishing (the #3 most impersonated brand), the emails sent to targets contained as many as six or seven legitimate Netflix links along with one malicious link. This technique is aimed at fooling both reputation-based email filters and users, who check one or two links and then assume that the entire email is legitimate.
- Preying upon mobile email readers. Many Netflix users do not sign up for accounts using their corporate email address; yet Vade found that corporate users are often the targets of Netflix phishing. Because of the way email is viewed on mobile devices – often multiple accounts from one app – cybercriminals are likely hoping that users won’t notice, assuming that the email was sent to their correct address.
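The “mixing safe and malicious URLs” technique above defeats filters that judge an email by the reputation of most of its links. The added example below (written for this page, not code from Vade Secure or the report) takes the opposite view: it extracts every link from a message body, checks how many point at the expected brand’s registrable domain, and, when the message is mostly genuine brand links, flags the remaining off-brand links as the ones worth inspecting. The email text and domain names are constructed, and the registrable-domain check is a simplification (last two labels, no public-suffix list).

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: several genuine brand links surround one off-brand link,
# the pattern described in the report. Domains below are made up.
SAMPLE_EMAIL = """\
Hi,
Review your plan: https://www.netflix.com/account
Browse new titles: https://www.netflix.com/browse
Help center: https://help.netflix.com/
Update your payment details: http://netflix-billing-update.example/login
Terms: https://www.netflix.com/terms
Privacy: https://www.netflix.com/privacy
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(url):
    """Approximate the registrable domain as the last two host labels.
    Assumption: no public-suffix list, so multi-part TLDs (e.g. co.uk)
    are not handled correctly; a real filter should use one."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_outlier_links(body, brand_domains, min_brand_links=3):
    """Return links whose registrable domain is not one of brand_domains,
    but only when the body also carries several genuine brand links.
    A message with few or no brand links is left to other rules."""
    urls = URL_RE.findall(body)
    counts = Counter(registered_domain(u) for u in urls)
    brand_hits = sum(counts[d] for d in brand_domains)
    if brand_hits < min_brand_links:
        return []
    return [u for u in urls if registered_domain(u) not in brand_domains]


def link_summary(body, brand_domains):
    """Per-domain link counts plus the flagged outliers, for triage output."""
    urls = URL_RE.findall(body)
    return {
        "domains": dict(Counter(registered_domain(u) for u in urls)),
        "outliers": find_outlier_links(body, brand_domains),
    }


if __name__ == "__main__":
    print(link_summary(SAMPLE_EMAIL, {"netflix.com"}))
```

The outlier list is a triage signal, not a verdict: the flagged link still has to be checked against the sending domain, the display text and the message’s authentication results.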
“It seems like every quarter cybercriminals are upping their game and getting increasingly sophisticated, and Q1 2019 was no exception,” said Adrien Gendre, Chief Solution Architect, Vade Secure.
“These hackers are now intimately familiar with how both consumer and corporate email users interact with the internet and are constantly evolving their techniques to trick users into clicking malicious links and providing their credentials. Multi-phased attacks are still on the rise as well, so all email users must be sure to keep a critical eye out for phishing and spear phishing emails, and organizations must take a comprehensive approach combining technology and training to protect their employees.”