F5 Labs' Phishing and Fraud Report shows: COVID-19-related scams and increasingly sophisticated attacks are exacerbating global threats. Phishing attacks increase by 19 percent due to COVID-220.
The COVID-19 pandemic continues to lead to significantly increased phishing and fraud attempts, as a current analysis by F5 Labs shows. According to the fourth edition of the Phishing and Fraud Report published today, phishing incidents rose 220 percent year-on-year at the height of the global pandemic. Based on data from F5's Security Operations Center (SOC), the number of phishing incidents will increase by 2020 percent in 15 compared to the previous year. But that number could increase with the second wave of the pandemic.
Terms “covid” and “corona” at the top
The three main targets for COVID-19-related phishing emails are therefore fraudulent calls for donations for alleged charities, the collection of access data and the delivery of malware. In addition, the number of certificates with the terms “covid” and “corona” reached a high of 14.940 in March - an increase of 1102 percent compared to the previous month.
"The risk of falling victim to phishing attacks is higher than ever - as fraudsters are increasingly using digital certificates to make their websites appear real," says Roman Borovits, Senior Systems Engineer at F5. “The attackers are also quick to jump on emotional trends, so that COVID-19 is further aggravating the already dangerous situation. Unfortunately, our research shows that security controls, user training and general awareness around the world still leave something to be desired. "
New methods of phishing
As in previous years, F5 Labs found again that scammers are getting more creative with the names and addresses of their phishing sites. In 2020 so far, 52 percent of phishing sites had names and identities of well-known brands in their addresses. Amazon was most frequently used for attacks in the second half of 2020. Paypal, Apple, WhatsApp, Microsoft Office, Netflix and Instagram were also among the top ten most imitated brands. While tracking the theft of credentials through to their use in active attacks, F5 Labs found that criminals attempted to use stolen passwords within four hours of phishing a victim. Some attacks were even carried out in real time to enable the capture of security codes with multi-factor authentication (MFA).
Cyber criminals are also becoming less unscrupulous when it comes to hijacking legitimate but vulnerable URLs. WordPress alone accounted for 20 percent of generic phishing URLs in 2020, up from 4,7 percent three years earlier. In addition, cyber criminals are increasingly saving costs by using free registries such as Freenom for certain country-specific top-level domains (ccTLDs) such as .tk, .ml, .ga, .cf and .gq. Today .tk is the fifth most frequently registered domain in the world.
Deceptively real phishing sites
In 2020, phishers also stepped up their efforts to make fraudulent sites appear as real as possible. F5 SOC statistics showed that most phishing websites use encryption. 72 percent use valid HTTPS certificates to deceive the victims. Even all drop zones - the targets of stolen data sent by malware - use TLS encryption, up from 89 percent last year.
Future threats
According to recent research by Shape Security, which was included in the report for the first time, two major phishing trends are emerging. As a result of improved security controls and solutions for bot traffic (botnet), attackers are using more and more click farms. Dozens of "remote workers" systematically attempt to log into a target website with recently obtained access data. The connection is started by a person using a standard web browser, which makes it more difficult to detect the fraud.
Even a relatively small percentage of attacks can have dire consequences here. For example, Shape Security analyzed 14 million monthly registrations with a financial service provider and recorded a fraud rate of 0,4 percent. However, that equates to 56.000 fraudulent login attempts - and the numbers will continue to rise.
Trend real-time phishing proxies
As a second trend, Shape Security researchers saw an increase in real-time phishing proxies (RTPP) that can capture and use multi-factor authentication codes (MFA). The RTPP acts as a person-in-the-middle and intercepts a victim's transactions with a real website. Because the attack occurs in real time, the malicious website can automate the process of capturing and rendering time-limited authentications such as MFA codes. It can even steal and reuse session cookies. Recently actively used RTTPs include Modlishka and Evilginx2.
"Phishing attacks will be successful as long as people allow themselves to be psychologically manipulated in any way," continues Borovits. “Security controls and web browsers need to be better able to alert users to fraudulent websites. But users and companies must also be continuously trained in the latest techniques used by fraudsters. Current trends such as COVID-19 must be the focus. "
Study with 5 years of data as a background
This year's Phishing and Fraud Report examines phishing incidents based on the experience of the F5 Security Operations Center (SOC) over the past five years. It details active and confirmed phishing websites served by OpenText Webroot BrightCloud Intelligence Services. He also analyzes Vigilante dark web market data. Together, this information provides a complete and consistent picture of the world of phishing.
Directly to the report at F5.com
Via F5 Networks F5 (NASDAQ: FFIV) gives the world's largest companies, service providers, government agencies and consumer brands the freedom to deliver any app securely, anywhere, with confidence. F5 offers cloud and security solutions that enable companies to use the infrastructure they choose without compromising speed and control. Please visit f5.com for more information. You can also visit us on LinkedIn and Facebook for more information about F5, its partners and technologies.