Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/7/2019
06:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Phishing Attacks Evolve as Detection & Response Capabilities Improve

Social engineering scam continued to be preferred attack vector last year, but attackers were forced to adapt and change.

The growing sophistication of tools and techniques for protecting people against phishing scams is forcing attackers to adapt and evolve their methods.

A Microsoft analysis of data collected from users of its products and services between January 2018 and the end of December showed phishing was the top attack vector for yet another year. The proportion of inbound emails containing phishing messages surged 250% between the beginning and end of 2018. Phishing emails were used to distribute a wide variety of malware, including zero-day payloads.

However, the growing use of anti-phishing controls and advances in enterprise detection, investigation, and response capabilities is forcing attackers to change their strategies as well. Microsoft said.

For one thing, phishing attacks are becoming increasingly polymorphic. Rather than using a single URL, IP address, or domain to send phishing emails, attackers last year began using varied infrastructure to launch attacks, making them harder to filter out and stop.

Microsoft said its analysis shows attackers are trying to avoid detection by using public and hosted cloud infrastructures to hide among legitimate sites and assets. "For example, attackers increasingly use popular document sharing and collaboration sites and services to distribute malicious payloads and fake login forms that are used to steal user credentials," Microsoft said. "There has also been an increase in the use of compromised accounts to further distribute malicious emails both inside and outside an organization."

The nature of phishing attacks is changing as well, Microsoft said. Many phishing campaigns last year combined attacks that were active for just a few minutes with much longer-lasting, high-volume attacks. Others were "serial variants attacks," where attackers sent small volumes of mail on successive days, the software vendor said.

Like they used any malware, criminals last year used phishing in broad-based attacks and in narrowly focused, targeted ones. As one example of a highly targeted campaign, Microsoft pointed to Ursnif, a phishing campaign that used highly localized and customized content to try and trick a relatively small set of recipients into clicking on malicious links. The campaign involved phishing emails with content that appeared to come from a legitimate business in the same city or general geographic area as the intended victim. "Such attacks are quite different from broad-based campaigns and appear to be more legitimate and trustworthy," Microsoft said.

The continued innovation around phishing is worrisome, says Usman Rahim, digital trust analyst at The Media Trust. On the one hand, phishing-attack costs are increasing for hackers. "Attackers have to put in a lot of effort in terms of creating new techniques using the latest technology," he says. But even as defenders are getting better at spotting and stopping phishing attacks, threat actors are finding new ways to escape detection, to persist on infected systems, and to find new infection tactics, he says. "New techniques or tools are certainly making it harder for attackers to compromise the network."

However, once an attacker successfully breaks into a company, network, or service, the reward is also big, he says. Attackers also have a broader range of devices to target in phishing attacks, Rahim says. "Mobile and other IoT devices are getting targeted specifically as they do not have the same defense as other protected devices."

On another front, Microsoft's analysis of 2018 threat data showed a significant drop-off in ransomware attacks. The WannaCry and NotPetya outbreaks of 2017 had many believing ransomware attacks would increase last year. However, they declined as much as 60% between March and December 2018 as end users and enterprises became more aware of the threat and how to deal with it. Businesses also exercised greater caution in backing up important files so data could be quickly restored if encrypted in a ransomware attack, Microsoft said.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
John_in_SF
50%
50%
John_in_SF,
User Rank: Apprentice
3/15/2019 | 7:55:07 PM
quite a sentence
Had to read it three times to figure out what it was attempting to say: "Like they used any malware, criminals last year used phishing in broad-based attacks and in narrowly focused, targeted ones."
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now this is the worst micromanagment I've seen.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.