While the number of so-called brand-phishing attacks remained stable from the first quarter of 2020 to the second, there was a major shift in position for the companies that threat actors think people are most likely to trust — or whose pages they will most likely click on, according to Check Point Research’s Brand Phishing Report for Q2.
Brand phishing is a type of attack in which a threat actor imitates the official website of a known brand, using a lookalike domain or URL and, in some cases, a copycat web page that matches the real site's look and feel.
Attackers also began using email more as a vector in these attacks in Q2, likely inspired by the number of people relying on virtual communication while working at home during the COVID-19 pandemic, noted Check Point manager of threat intelligence Lotem Finkelsteen, in an email to Threatpost.
“As we are all forced to work from home, the inbox is a prime attack method for hackers,” he said. “I’d think not twice, but three times before opening up a document in email, especially if it’s allegedly from Google or Amazon.”
Attackers send malicious and deceptive links via email or text messaging, and then guide a potential victim via web redirects or a fraudulent mobile app to a spoofed page, where they try to steal credentials, personal information or intercept payments.
Technology companies were the No. 1 industry for attackers to leverage in such attacks, followed by banking and social networks. In the first quarter of 2020, Apple was the most popular brand among attackers in the tech sector for luring phishing victims.
However, in the second quarter, Google took the top spot alongside Amazon — with each brand used in 13 percent of attacks in Check Point’s telemetry — followed by WhatsApp and Facebook (9 percent), Microsoft (7 percent) and Outlook (3 percent), according to the report.
Apple plummeted to the No. 7 spot behind them, sharing the honors with Netflix, Huawei and PayPal, all of which were represented in 2 percent of brand-phishing attacks.
The beginning of the second quarter coincided with the early days of the COVID-19 crisis, with many countries around the world enforcing stay-at-home orders, which may explain the change in attackers' preferences. With people confined at home and seeking information about the coronavirus, Google, as the top search engine, would become even more popular than usual.
Using Amazon to purchase goods for delivery, as many stores were closed or had limited opening hours at the beginning of Q2, has also surged since the pandemic started, driving more attacker interest in that brand as well. Indeed, researchers saw a pair of recent phishing campaigns aimed at lifting credentials and other personal information under the guise of Amazon package-delivery notices.
As mentioned previously, Q2 also saw a shift in the specific vectors being used for attacks. As is typical, the web was the main conduit for brand phishing attacks, with 61 percent of them originating there. However, email, which was third in Q1, moved to the second spot in the following quarter with 24 percent of attacks, and mobile dropped to third with 15 percent of attacks, researchers said.
In addition to so many people relying on email while working from home during the pandemic, businesses began to reopen toward the end of Q2 as some restrictions eased, which further boosted email as an attack vector, according to Check Point. One phishing campaign seen in June took advantage of this, and of the realities of the post-COVID-19 work environment, by purporting to send coronavirus training resources to employees returning to the workplace. Instead, the emails carried malicious links.
Google and Amazon, the overall leaders, were also the top two brands used in web-based attacks, followed by WhatsApp; Microsoft and Outlook, unsurprisingly, were No. 1 and 2 in email-based attacks, followed by Unicredit. Facebook, WhatsApp and PayPal were the leaders in mobile-based brand phishing attacks in Q2, according to the report. Almost 15 percent of phishing attacks trace to mobile, the firm said.
The brand-phishing efforts show no sign of letting up. In late June, Check Point researchers observed a fraudulent website imitating the login page of Apple's cloud service, iCloud. Its purpose was to steal iCloud login credentials; the phishing URL was hosted under the domain account-icloud[.]com, which first became active in late June.
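The lookalike-domain technique described above (a brand name embedded in a domain the brand does not own, as in account-icloud[.]com) is easy to flag mechanically. The following is an added example written for this page, not code from Check Point or Threatpost: it refangs the bracket notation used in reports, extracts the host from a URL, and reports which brand a host is impersonating when the brand keyword appears but the registrable domain is not one of the brand's own. The brand inventory and the tiny multi-label suffix list are assumptions for illustration; a production check would use the Public Suffix List and a maintained brand inventory.

```python
"""Flag brand-lookalike domains of the kind the report describes.

Added example, not Check Point's or Threatpost's code. BRANDS and
MULTI_LABEL_SUFFIXES are constructed, deliberately short tables; real
tooling would use the Public Suffix List and a maintained brand list.
"""
import re
from typing import Optional

# Assumed brand inventory: brand keyword -> registrable domains it legitimately uses.
BRANDS = {
    "icloud": {"icloud.com", "apple.com"},
    "google": {"google.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
    "outlook": {"outlook.com", "live.com", "microsoft.com"},
}

# Assumed, deliberately short list of two-label public suffixes.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br"}


def refang(text: str) -> str:
    """Undo the defanging conventions used in reports (account-icloud[.]com, hxxp)."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxp", "http").strip().lower())


def host_from(url_or_host: str) -> str:
    """Reduce a URL or bare host (possibly defanged) to its hostname."""
    s = refang(url_or_host)
    s = re.sub(r"^[a-z]+://", "", s)   # drop scheme
    s = s.split("/")[0].split("?")[0]  # drop path and query
    s = s.split("@")[-1]               # drop userinfo (user@host tricks)
    return s.split(":")[0]             # drop port


def registrable_domain(host: str) -> str:
    """Return the registrable domain: last two labels, or three for a known
    two-label public suffix such as co.uk."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_brand(url_or_host: str) -> Optional[str]:
    """Return the impersonated brand when a brand keyword appears anywhere in
    the host but the host is not registered under that brand's own domain;
    None when the host is either legitimate or mentions no known brand."""
    host = host_from(url_or_host)
    reg = registrable_domain(host)
    for brand, legit_domains in BRANDS.items():
        if brand in host and reg not in legit_domains:
            return brand
    return None


if __name__ == "__main__":
    # Constructed sample: the domain from the article plus a few variants.
    samples = [
        "account-icloud[.]com",
        "https://www.icloud.com/login",
        "paypal.com.secure-login.example",
        "hxxps://amazon[.]co[.]uk/orders",
        "http://user@outlook.com:80/",
    ]
    for s in samples:
        print(f"{s:40} -> {lookalike_brand(s)}")
```

Note that the check deliberately looks at the whole hostname, not just the registrable part, so subdomain tricks such as paypal.com.secure-login.example are caught, while the userinfo and port handling in host_from keeps user@host and host:port forms from masking the real host.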