10 Dangerous Phishing Attack Trends To Know About In 2021

From brand impersonation and business email compromise to initial access brokers and the misuse of automated email alert templates, here are the most alarming phishing attack trends seen by the industry.

One Phish, Two Phish

Phishing is a type of social engineering where an attacker sends a fraudulent message designed to trick a human victim into revealing sensitive information. Phishing was by far the most common attack performed by cybercriminals last year, with the FBI’s Internet Crime Complaint Center recording more than double the number of phishing incidents as compared with other types of computer crime.

Most phishing messages are delivered by email and historically weren’t personalized or targeted to a specific individual or company. In contrast, spear phishing attackers often gather and use personal information about their target to increase the probability of success and typically target executives or employees who have access to the organization’s sensitive financial data and services.

As part of Cybersecurity Week 2021, CRN spoke with 10 vendors about the most dangerous phishing attack trends to emerge since the start of the COVID-19 pandemic. From brand impersonation and business email compromise to initial access brokers and the misuse of automated email alert templates, here are the most alarming phishing attack trends to rear their head in recent years.

Increased Use Of Initial Access Brokers

Many cybercriminal groups have opted to focus resources on deploying ransomware and extracting extortion payments from victims and outsource the actual sending of phishing emails to an initial access broker, according to Matt Radolec, head of Varonis’ Incident Response team. These brokers are laser-focused on getting a foothold in the victim organization and tend to be lower-level criminals, he said.

Lots of spammers have moved into being initial access brokers for ransomware operators since there’s more money to be made, Radolec said, while cybercriminal syndicates can greatly expand the scope of potential victims by outsourcing the initial intrusion work. Once the brokers gain access to a victim, the more sophisticated actors take over and deploy ransomware to monetize the intrusion, Radolec said.

Adversaries have also taken advantage of conditional access being misconfigured to get authenticated and gain credentials using legacy protocols that predate the advent of multifactor authentication, he said. Organizations should ensure that access attempts from systems that are unable to adhere to modern best practices are blocked by default rather than allowed by default, according to Radolec.

More Monetization Of Business Email Compromise

It has become easier for adversaries to capture corporate credentials as organizations move to cloud-based email products like Office 365, which in turn opens up businesses to massive amounts of financial risk, according to Nick Biasini, head of outreach for Cisco Talos. Business email compromise has a very low barrier to entry, Biasini said, requiring only a free email account and Google search capabilities.

At the same time, Biasini said business email compromise (BEC) attacks can be extremely lucrative, generating more than quadruple the proceeds earned from ransomware attacks in recent years. Entry-level BEC attacks often try to monetize gift cards through social engineering, with the hackers posing as a company executive directing employees to buy gift cards for a local hospice as a charitable endeavor.

In reality, Biasini said the hackers resell the gift cards the employees purchased on the black market as well as legitimate marketplaces for a sizable amount of money. More sophisticated BEC actors use the actual inbox associated with the credential they’ve compromised to conduct voice-based social engineering or pretend to be associated with a support contract that needs to be paid out, Biasini said.

Brand Impersonation And Misuse

The best way to attack an organization if it has cemented its perimeter is by mimicking a brand it has a trusted connection with up or down the supply chain, according to Josh Douglas, Mimecast’s senior vice president of product management. Pretending to be a customer or supplier of business is a lot easier that many people think it would be, Douglas said.

Brand impersonation takes the form of everything from setting up a fake website to utilizing form sites inside Office 365 so that the correspondence looks like it’s coming from the infrastructure itself, he said. An adversary will use the lowest common denominator to trick their intended victim, and oftentimes, Douglas said a simple image is enough to fool an employee or executive into clicking on a phishing site.

Fortune 100 companies and other organizations are often subject to impersonated marketing campaigns where the hacker mimics the brand’s marketing materials to get victims to click on a phishing email, he said. Brand impersonation campaigns like to capitalize on emotion, with hackers for instance pretending to be the IRS directing email recipients to click on a link to learn about the status of their tax return.

Leaked Automated Email Alert Template

Leaked templates for automated internal email alerts are a valuable asset for adversaries looking to run phishing attacks against an organization since email alerts are treated with an implicit sense of trust by the recipient, said Greg Pollock, UpGuard’s vice president of product. This trust is amplified by the fact that oftentimes, a privileged admin is the only one in the organization who knows about this email.

Alerts should be part of a business process rather than something users run on their own since the latter becomes a liability, according to Pollack. Guessing how an email alert template looks without any inside information would be nearly impossible, Pollack said, but it isn’t difficult to find commonly used email alert templates in repositories like GitHub.

Threat actors sometimes attempt to compromise victims by sharing spoofed Google Docs since the intended victim or victims know what the template is supposed to look like and the attackers don’t need any additional information to style that email. Businesses should have a register of what emails are being sent internally and ensure that IT is alerted before any users set up an email alert of their own.

Targeted Campaigns Against Smaller Companies

Adversaries are increasingly hitting smaller companies used to only receiving generic spam with highly targeted ransomware phishing emails, said Jonathan Couch, ThreatQuotient’s senior vice president of strategy and corporate development. Threat actors will research the employees at smaller businesses and the functions they serve and craft an email that gets them to click on a link or open an attachment.

Enterprise companies often have architecture and backups in place that allow them to resist ransom demands since adversaries are unable to hop from one network to the other and offline backups are maintained, according to Couch. Conversely, smaller organizations typically don’t have the backups and architecture in place to resist demands for ransomware gangs, Couch said.

Ransomware groups have found that they can slowly but surely bleed smaller businesses such as law firms out of millions of dollars if the only alternative is going out of business, he said. Threat actors have also moved to spear phishing small businesses since generic phishing emails have a 1 percent response rate while emails designed to look like they’re from a third-party vendor can get a 75 percent response rate.

Disgruntled Employees Stealing Credentials

Hackers are increasingly going after disgruntled employees and asking them to share their credentials in exchange for a share of the proceeds from the attack, said Petko Stoyanov, Forcepoint’s global chief technology officer. Employees are typically offered unfettered access inside the company’s IT systems on their first day of work, meaning that outsiders can take advantage of that access.

Businesses should understand what the legal and cyberinsurance ramifications would be if a disgruntled employee shared their two-factor authentication with a threat actor, Stoyanov said. Companies can limit their exposure to malicious insiders by granting employees credentials with just-in-time access to only the applications that are critical to their day-to-day job responsibilities.

Disgruntled employees leaking credentials is most likely to happen in emerging countries where employees are treated more like contractors and there aren’t any copyright protections in place, according to Stoyanov. Businesses could find themselves in a particularly precarious position if an admin decided to share with a threat group the credentials for all the company’s employees, he said.

‘Sextortion’ Via Social Engineering

Adversaries are increasingly approaching users and claiming to have malware or a trojan installed on the victim’s personal computer or mobile device that recorded them watching pornography, according to Maya Horowitz, Check Point Software Technologies’ vice president of research. Even though the hackers never actually had a trojan on the victim’s computer, they’ll threaten to release incriminating videos unless they’re paid.

To sound more convincing, Horowitz said the threat actors will often reference something that’s recently been in the news such as the Pegasus spyware and purport to have a password that allowed them to take over the video camera on the victim’s device. But the stolen password isn’t tied to the camera whatsoever and is actually from a different intrusion entirely such as the LinkedIn hack, she said.

Adversaries will typically demand victims pay $50 or $100 in Bitcoin to avoid having a video of them watching pornography publicly released, and many people are willing to part with the relatively small sum of money to avoid any potential embarrassment, according to Horowitz. A set of hackers tried this a few months ago and were very successful, prompting others to turn to the same method, Horowitz said.

Spoofing Text Messages

Threat actors have gotten increasingly adept at spoofing text messages by setting up a gateway, which is only slightly more complicated than setting up an email server, said BitSight Chief Technology Officer Stephen Boyer. Adversaries know victim names and phone numbers from previous breaches and are able to match those data sets to take advantage of an unexpected attack vector, according to Boyer.

People are used to the idea of not clicking on suspicious emails but still aren’t that well-trained on the idea that they can also be phished via text message, according to Boyer. Like texts, emails can be spoofed very easily, with users almost always unaware if a message came from a mail server in the U.S. or a mail server in China, Boyer said.

“Typosquatting” also continues to be an effective phishing attack vector, with adversaries taking advantage of a lack of user awareness and technological protection to replace “O” with “0”, Boyer said. Adversaries have gotten far more sophisticated in their tradecraft, with misspellings occurring much less frequently today than in the past, according to Boyer.

Increased Use Of Insider Info As Bait

Adversaries are incredibly adept at weaving insider information into phishing emails, baiting employees by pretending to be the CEO in text messages and asking to connect, according to Michael Maggio, Reciprocity’s executive vice president of product. Users need to refrain from responding right away to texts and emails that don’t sound right, especially when they’re working from home, Maggio said.

Businesses have increasingly embraced social media to get their brand in front of a broader set of prospects, but Maggio said all this digital marketing makes tons of insider information available to the outside world, including employee email addresses. As companies become more connected with the outside world, they also become increasingly susceptible to having their data used in the wrong way.

Given how much more information about individuals and organizations is available publicly, Maggio said it’s become much easier to quickly trick employees. People continue to be the biggest security threat most organizations must deal with, especially as the phishers get more intelligent, according to Maggio.

Enter Through Side Door With Malicious Texts

Consumers aren’t as familiar with how to identify a phishing attempt in a text message, and scammers have taken advantage of that blind spot to target consumers with “smishing,” according to Darren Shou, NortonLifeLock’s chief technology officer. Banking, telecom and packages tend to be common categories for smishing, with FluBot hackers urging potential targets to click on a link to track a shipment, he said.

The link takes unsuspecting victims to a landing page where FluBot presents itself as a local delivery company, Shou said. Roughly 10,000 messages are sent each and every week to spread FluBot, and victims who fall for the social engineering trick end up getting malware downloaded onto their devices, according to Shou.

Threat actors can catch consumers off guard by coming at them from a different angle, with people more likely to fall for a text message purportedly from their bank that’s requesting a refund since SMS messages aren’t seen as an attack vector, Shou said. Not every mobile device or security product protects against side door smishing attacks, but adversaries are always looking for the path of least resistance.