ThreatList: Credential-Sniffing Phishing Attacks Erupted in 2018

Credential compromise emerged as the main target for phishing campaigns in 2018 – rather than infecting victims’ devices with malware.

Phishing attacks have continued to grow over the past year – but now, it appears that more bad actors are launching these tricky attacks in hopes of scooping up credentials, rather than pursuing the previously popular goal of infecting victims’ devices with malware.

The new trend was outlined by Proofpoint researchers in a new Thursday report, “State of the Phish,” which compiled and analyzed data from tens of millions of simulated phishing emails sent globally between Oct. 2017 and Sept. 2018.

Overall, the report found that 83 percent of respondents experienced phishing attacks in 2018 – up 5 percent from 2017. That may not come as a surprise, as in the last year phishing has led to several massive hacks – whether it’s hijacking Spotify users’ accounts or large data breaches like the December San Diego Unified School District breach of 500,000.

“Across the board, infosec professionals identified a more active social engineering landscape in 2018,” researchers said in the report. “The vast majority — 96 percent — said the rate of phishing attacks either increased or stayed consistent throughout the year, and more respondents said they experienced attacks during 2018 than in 2017.”

Other methods of phishing have increased as well. Up to 49 percent of respondents said they have experienced “voice phishing” (when bad actors use social engineering over the phone to gain access to personal data) or “SMS/text phishing” tactics (when social engineering is used via texts to collect personal data) in 2018. That’s up from the 45 percent of those who experienced these methods in 2017.

Surprisingly, bad actors appear to be using phishing as a means to scoop up credentials – as opposed to previously, when they were looking to infect users with malware. Credential compromise as a phishing end goal increased more than 70 percent, according to the report, leapfrogging malware infections to become the most common impact in 2018.

“According to Proofpoint research, instances of credential phishing quadrupled between Q2 and Q3 2018 — a dangerous trend given the serious ramifications of a successful credential compromise attack,” researchers said. “This is of particular concern given that multiple services often sit behind a single password.”

Researchers saw an array of credential-stealing phishing attacks in 2018, including campaigns targeting shipping firms to scoop up credentials and a campaign hiding the source code of its landing page in order to steal credentials from customers of a major U.S.-based bank.

In looking at simulated phishing attacks as part of the report, researchers found that the most common simulated attacks use links to lure users onto a page where they are then urged to enter personal data. The report found that 69 percent of phishing attacks use a link, while 17 percent use a direct data entry format and 14 percent use an attachment.

Based on these simulated attacks, the most successful phishing campaigns – those that the most users failed in a phishing test – include toll violation notifications, updated building evacuation plans, a note requiring an invoice payment, and notifications requesting an email password change.

While phishing attacks are on the rise, the good news is that these threats are on the radar screen for enterprises, and more infosec teams are developing and employing an array of tactics to defend against them.

IT teams have good reason to be concerned – firms experience an array of negative impacts due to phishing, including financial losses (fraudulent wire transfers, legal fees, and fines), compliance issues, reputation damage and frustration from customers.

Researchers found that up to 95 percent of respondents say that they now train end users to identify and avoid phishing attacks, via computer-based online training and simulated phishing attacks.

“Naturally, infosec teams employ a wide range of technical tools — including email/spam filters, URL rewriting, advanced malware analysis, and threat monitoring platforms — in their defense-in-depth architectures,” the report said. “But they are also shifting to a more people-centric model by proactively identifying phishing susceptibility, measuring end-user risk, and delivering regular security awareness training.”

Interestingly, IT teams are switching up the consequences for employees who continue to click on phishing emails in simulated tests. Instead of applying a monetary penalty for repeat-offenders in phishing tests, companies are turning to focus more on supplementing employees’ knowledge with counseling from managers, additional training, and in some cases removal of access to systems.

Despite these moves, phishing tactics continue to evolve and become more tricky to spot over the years. In 2018, researchers saw everything from campaigns hiding malicious URLs in SharePoint files to a new tactic employing credential-harvesting forms hosted on Azure Blob storage.

“To best take advantage of increasing phishing awareness, organizations should make it easy for end users to report suspicious messages and make it easy for response teams to take action,” researchers said.
