6 Most Dangerous Types Of Phishing Emails And Scams In 2019
CRN asks threat researchers at Imperva, Malwarebytes and Webroot which types of phishing emails and scams they believe are creating the most chaos for businesses this year.
Organizations are increasingly finding themselves targeted by phishing emails or scams so that hackers can gain access to confidential information or sensitive data. Employees now more than ever are encountering credible-looking messages, links or websites that attempt to impersonate someone or something legitimate in hopes of gaining access to financial data or trade secrets.
A rise in BYOD adoption and internet penetration has only increased the attack surface for phishing attempts, meaning users need to remain vigilant and on guard regardless of the type of device being used.
Technology advances in everything from artificial intelligence to automation to deepfakes are making it possible for adversaries to scale their phishing efforts and incorporate additional factors without losing their ability to target. And as threat actors increasingly get their hands on benign domains and SSL certificates, illegitimate links and URLs have become much more difficult to spot.
As part of CRN's Cybersecurity Week 2019, here's a look at six new or emerging types of phishing emails or scams that are wreaking havoc on users, devices and systems this year.
AI-Based Phishing Apps
Many phishing messages that come through today aren't written well enough to fool most people, but that will change as artificial intelligence makes it possible to tailor the messages more effectively, according to Terry Ray, senior vice president and fellow at Redwood Shores, Calif.-based Imperva.
Adversaries today looking to craft individual spearphishing messages have to engage in a laborious manual effort, but Ray said AI will allow for phishing to be done far faster in an automated fashion. Building phishing attempts into automated systems will make it easier to pinpoint targets that can be monetized and quickly create messages that are highly relevant to the person being targeted, he said.
Ray expects nation-state actors and foreign organized crime syndicates to build phishing tools that leverage open-source technology and AI for tasks like supervised learning and clustering. By turning to automation and AI, Ray said phishers will be able to increase their success rate by systematically making their messages far more targeted.
Using Benign Domains
Adversaries attempting to impersonate entities like Chase Bank or PayPal requesting user confirmation on a transaction or account changes will often create a phony login page that looks real, according to Tyler Moffitt, senior threat research analyst at Broomfield, Colo.-based Webroot.
However, the URL would typically be completely different, and once users noticed the URL didn't match the website they were purportedly on, Moffitt said many would refrain from entering in their username or password. But hackers have started hijacking benign web domains to host phishing URLs, meaning that users appear to be presented with chase.com or paypal.com after clicking on the malicious link.
Today, Moffitt said more than 40 percent of phishing URLs are being hosted on benign domains, meaning the malicious activity can take place even on legitimate-looking URLs. Since these phishing websites are often only active for a few hours before going dark, Moffitt said real-time active phishing protection is needed to detect constant changes in the threat landscape.
Threat actors have turned to making phone calls using voice deepfakes that sound like the organization's CEO or CFO to get employees to comply with unorthodox requests such as money transfers, according to Adam Kujawa, director of Malwarebytes Labs at Santa Clara, Calif.-based Malwarebytes.
A company's top executives often appear on YouTube in everything from corporate marketing materials to product tutorials to TEDx talks, and Kujawa said adversaries can feed those video clips into an AI algorithm and pull off a vocal impersonation of the executive. And most people don’t have access to technology that could confirm whether video or audio of a person is legitimate or a deepfake, he said.
Kujawa expects adversaries to begin creating custom audio files using deepfake technology that can be delivered via a phone call if the subordinate doesn't comply with the initial impersonation email that's supposedly from an executive. Technology will likely be released on the internet that makes it easier for hackers to incorporate deepfakes into their phishing efforts, Kujawa said.
Cybercriminals have turned to grabbing a whole bunch of username, password and email address data on the dark web from previous breaches—particularly of pornography websites—and using that to create targeted emails, Kujawa said.
The attacker will then send an email out stating they have the user's password and claiming to have installed malware on the pornography site that took advantage of the user's webcam to record both what the user was watching as well as the user themselves, Kujawa said. The hacker will then threaten to publicly release the webcam footage unless they are paid via cryptocurrency, Kujawa said.
Kujawa started seeing so-called sextortion attacks in 2018, and said they've been very effective for adversaries since so many victims are willing to comply with the blackmail threat out of sheer embarrassment. However, Kujawa anticipates the effectiveness of sextortion will eventually decrease as users become aware the webcam recording claims made by hackers are "complete baloney."
Hackers will attempt to instill a sense of urgency in employees of an organization by pretending to be their boss (or their boss' boss) and asking them to quickly click on a link or complete a task, Moffitt said. For instance, the threat actor might impersonate the CMO and ask the company event coordinator to purchase several $100 Amazon gift cards for an upcoming event.
Nearly two-thirds of employees say they're most likely to open an email from their supervisor before any other, Moffitt said, and adversaries have capitalized on that sense of urgency to get employees to forgo suspicion, throw caution to the wind and do whatever's asked. Hackers tend to do data scraping and collect publicly available information to better go after a specific target, Moffitt said.
Spoofing attacks have increased by 274 percent over the past three years, Moffitt said, with hackers making $53 million just this year alone by impersonating C-level executives or vice presidents and saying they want something immediately.
Obtained SSL Certificates
For the longest time, Moffitt said a lot of phishing websites were unable to obtain an SSL certificate and were therefore on an http:// connection rather than the more secure https:// connection. As a result, Moffitt said many users ended up learning that websites without the lock icon associated with an https:// connection would likely result in them being phished.
But today, Moffitt said that more than half of phishing websites have obtained an SSL certificate, meaning they're able to host the phishing page using an https:// connection. As a result, Moffitt said phishing sites have become much harder to detect even though users have become much more educated on the matter.