PiChris - Fotolia
Phishing attacks are highly targeted, sophisticated, hard to detect and difficult for users to avoid, with 1.39 million new phishing sites created each month, say security researchers.
In May 2017, the number of new phishing sites reached a new high of 2.3 million in that month alone, according to the September 2017 Webroot Quarterly Threat Trends Report.
Data collected by Webroot shows that the latest phishing sites use realistic web pages that are almost impossible to find using web crawlers to trick victims into providing personal and business information.
Once this data is harvested, attackers are able to steal digital identities to access business IT systems to steal data and compromise business email accounts to carry out CEO fraud attacks.
The Webroot data also shows phishing attacks have grown at an unprecedented rate in 2017, with it continuing to be one of the most common, widespread security threats faced by both businesses and consumers.
According to the report, phishing is the top cause of cyber breaches in the world, with an average of more than 46,000 new phishing sites created each day.
The sheer volume of new sites makes phishing attacks difficult to defend against for businesses, the report said.
Read more about phishing
- Phishing is no longer just a consumer problem, say experts. The scams are hurting companies’ reputations and bottom lines.
- Email is the number one entry point for data breaches, which includes targeted email attacks such as business email compromise and spear phishing.
- Targeted malware attacks and social engineering schemes such as phishing and whaling pose a growing security threat because cyber criminals are getting help from unwitting users.
The first half of 2017 highlights the continuing trend of very short-lived phishing sites, with the majority being online and active for only 4 to 8 hours. These sites are designed to evade detection by traditional anti-phishing strategies, such as block lists.
Even if the block lists are updated hourly, they are generally 3–5 days out of date by the time they are made available, the report said, by which time the sites in question may have already victimised users and disappeared.
Attacks are increasingly sophisticated and more adept at fooling the victim, the researchers found. The note that while in the past, phishing attacks randomly targeted as many people as possible, today’s phishing is more sophisticated.
Cyber attackers now typically research their targets and use social engineering to uncover relevant personal information for individualised attacks. Phishing sites also hide behind benign domains and obfuscate true uniform resource locators (URLs), fooling users with realistic impersonated websites.
The researchers found that zero-day websites used for phishing may number in the millions each month, yet they tend to impersonate a small number of companies. Webroot categorised URLs by the type of website being impersonated and found that financial institutions and technology companies are the most phished categories.
Top companies being impersonated
Webroot also identified the top companies being impersonated throughout the first six months of 2017 included Google (35%), Dropbox (13%), PayPal (10%), Facebook (7%) and Apple (6%).
According to an FBI public service announcement issued on 4 May 2017, phishing scams cost US business $500m a year, while Verizon found phishing to be involved in 90% of breaches and security incidents and a report by ESG showed that 63% of surveyed security and network influencers and decision makers have suffered from phishing attacks in the past two years.
In the ESG report, 46% of respondents said malware attacks have become more targeted over the past two years, and 45% said there is a greater volume of malware than in the past two years.
“Today’s phishing attacks are incredibly sophisticated, with hackers obfuscating malicious URLs, using psychology and information gleaned from reconnaissance to get you to click on a link,” said Hal Lonas, chief technology officer at Webroot.
“Even savvy cyber security professionals can fall prey. Instead of blaming the victim, the industry needs to embrace a combination of user education and organisational protection with real-time intelligence to stay ahead of the ever-changing threat landscape,” he said.