Cybercriminals often exploit victims’ familiarity with popular brands to manipulate them into falling for phishing campaigns. Microsoft is the most common brand to spoof, researchers report, with PayPal in second place and Facebook rapidly catching up in a close third.
The “Phisher’s Favorites” report, released today by Vade Secure, ranks the 25 most impersonated brands in phishing attacks based on unique phishing URLs detected within each quarter. Microsoft has held the top spot every time, a trend it continued in the second quarter of 2019, when 20,217 unique Microsoft phishing URLs were detected — more than 222 per day. This marks a 6.8% decline from the first quarter but a 15.5% increase from Vade Secure’s first report. (The report is now in its fifth edition.)
Microsoft remains phishers’ favorite due to its size and the high value of Office 365 credentials, explains Adrien Gendre, chief solutions architect at Vade Secure. Its latest quarterly earnings reported more than 180 million active monthly enterprise users on Office 365; IDC estimates the platform makes up 47.6% of enterprise cloud email implementations. Office credentials offer a single point of entry to files, data, and contacts in SharePoint, OneDrive, and Skype.
“While hacked Office 365 credentials can certainly be used to access sensitive company information and files, the real driver is east-west movement via insider attacks,” says Gendre of attackers’ motivation. “Detecting display name spoofing or close cousin domains is relatively easy; detecting attacks coming from legitimate email accounts is much harder.”
It’s easy to manipulate employees with fake Microsoft emails because the Office 365 platform “is the lifeblood of businesses,” he continues. Most can’t do their jobs without access to email, chat, and other productivity and file management tools, which is why they’re compelled to take action when an email appears notifying them their Office 365 account has been suspended. Other phishing attacks may contain links to OneDrive or SharePoint documents, Vade analysts found.
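The distinction Gendre draws above, that display-name spoofing and close-cousin domains are the easy cases to detect, can be illustrated with a small header checker. The Python below is an added example, not code from Vade Secure or from this article: the brand-to-domain allow-list and the sample From: headers are constructed for illustration, and the registered-domain and edit-distance heuristics are assumptions, not a description of any product's detection logic.

```python
"""Flag display-name spoofing and look-alike ("close cousin") sender domains
for a handful of heavily impersonated brands.

Added example: BRAND_DOMAINS and SAMPLE_FROM_HEADERS are constructed for
illustration; the allow-list is an assumption and is not exhaustive.
"""
from email.utils import parseaddr

# Assumed legitimate sending domains per brand (illustrative only).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com"},
    "paypal": {"paypal.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
    "amazon": {"amazon.com"},
}

# Constructed From: headers covering each case the checker knows about.
SAMPLE_FROM_HEADERS = [
    '"Microsoft Office 365 Team" <no-reply@secure-account-check.net>',  # name spoof
    '"PayPal Service" <service@paypa1.com>',                  # name spoof + cousin
    '"Account Security" <alerts@rnicrosoft.com>',             # cousin domain only
    '"Facebook" <security@facebookmail.com>',                 # genuine sender
    '"Amazon Orders" <orders@amazon.com.order-status.info>',  # brand as subdomain
    '"Jane Doe" <jane.doe@example.org>',                      # unrelated sender
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores public-suffix
    rules such as co.uk; adequate for this illustration."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_legit(host: str, legit: set) -> bool:
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in legit)


def classify_sender(from_header: str) -> list:
    """Return (finding, brand, detail) tuples for a single From: header."""
    name, addr = parseaddr(from_header)
    host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reg = registered_domain(host)
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if is_legit(host, legit):
            continue  # genuine brand sender: nothing to flag for this brand
        # 1. Display name claims the brand, but the address is not from a brand domain.
        if brand in name.lower():
            findings.append(("display_name_spoof", brand, addr))
        # 2. The brand name is embedded in someone else's hostname
        #    (amazon.com.order-status.info, paypal-secure.net).
        if brand in host:
            findings.append(("brand_in_host", brand, host))
        # 3. The registered domain is a near-miss of the real one
        #    (paypa1.com, rnicrosoft.com). Threshold 2 is an assumption.
        elif any(levenshtein(reg, d) <= 2 for d in legit):
            findings.append(("cousin_domain", brand, reg))
    return findings


def scan(headers: list) -> list:
    """Return (header, findings) pairs for every header that raised a finding."""
    results = []
    for h in headers:
        findings = classify_sender(h)
        if findings:
            results.append((h, findings))
    return results


if __name__ == "__main__":
    for header, findings in scan(SAMPLE_FROM_HEADERS):
        print(header)
        for finding in findings:
            print("   ", finding)
```

Two caveats for anyone adapting this: a distance threshold of 2 will also flag unrelated legitimate domains that happen to sit near an allow-listed one, so the threshold and allow-list need tuning per brand; and the third case in Gendre's quote, mail sent from a genuinely compromised account, passes every one of these checks because the From: header is real, which is why that case needs account-behaviour signals (unusual logins, new forwarding rules) rather than header inspection.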
Microsoft beat PayPal by more than 4,300 phishing URLs in the second quarter, but emails impersonating the payment service were up nearly 112% year-over-year. A global user base makes it a popular target, and stolen PayPal credentials give attackers a quick payback. Most PayPal phishing emails claim the recipient’s account has been blocked or suspended, prompting the recipient to visit a fraudulent page to confirm or restore the account.
Phishers Get Social
The increase in Facebook phishing may also be attributed to Facebook Login, the social sign-on that lets users authenticate to other apps with their Facebook accounts. With Facebook credentials, attackers can see which other apps a user has authorized with Facebook Login and compromise those accounts. With access to Facebook Messenger, they may also target a victim’s contacts with additional phishing scams, Gendre points out.
Still, he doesn’t think the growth will last. “The reason is that the potential payback isn’t as direct as it is for Microsoft and PayPal,” he says. “There also isn’t a strong corporate angle, which is where most hackers are increasingly setting their sights.”
Social media also saw the most quarter-over-quarter growth of any industry: growth in this sector accelerated from 74.7% in the first quarter of 2019 to 130.7% in the second, driven entirely by Facebook phishing URLs. Still, social media accounted for only 16% of phishing URLs across industries, putting the sector in third place. Cloud remains in the top spot (37%), followed by financial services (33%).
Amazon Rises Up the Ranks
One of the findings that surprised Gendre most was the growth in Amazon phishing, which increased 182.6% throughout the first quarter and 411.5% year-over-year. But the spike itself wasn’t what stood out to him; what surprised him was that Amazon hadn’t been a popular target sooner.
“Amazon is one of those brands that straddles the consumer and corporate worlds and could thus be an effective lure for both audiences,” he explains. “No one wants to have an order canceled because of a declined payment, or they want to know immediately about a delay with their shipment.”
There was a spike in Amazon phishing URLs on May 5, around the time reports surfaced of a new Amazon phishing kit. Another spike occurred on June 19 after Prime Day was announced. Analysts noticed a wide variety of Amazon phishing emails, which manipulate victims with messages about Amazon rewards, loyalty vouchers, “exclusive product,” or “special surprise.”
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …