Despite an environment conducive to phishing scams, malicious actors achieved only a marginal increase in success in 2020, according to a report from cybersecurity company Proofpoint.
Catastrophic events, like a pandemic, coupled with hasty technological change such as many people forced to work from home immediately, have been a rich environment in the past for phishers, who use deception to infect machines with malware, steal credentials, and invade corporate networks.
But in a survey performed in connection with Proofpoint’s annual “State of the Phish” report, 57 percent of organizations in seven countries revealed they were targets of a successful phishing attack in 2020, which is only a two percent increase over 2019.
However, phishers were a lot more successful in the United States, where 74 percent of organizations told researchers they’d experienced a successful phishing attack in 2020, a 14 percent increase over 2019.
While the increase in successful attacks was slight, their impact wasn’t. Compared to 2019, the report noted that the number of respondents who told researchers that phishing attacks resulting in data loss increased 13 percent and those leading to credential compromise jumped 11 percent.
The impact of successful attacks varied by region, noted the report, which is based on data from two surveys — one of 3,500 working adults in seven countries — Australia, France, Germany, Japan, Spain, the United Kingdom, and the United States — as well as one of 600 IT security professionals in those countries and an analysis of some 75 million phishing emails.
Japan, for example, experienced a large volume of phishing emails aimed at compromising credentials for Amazon accounts. Those attacks may have contributed to why so many of the country’s organizations — 64 percent, the highest of any region in the surveys — had to deal with credential compromises.
On the other hand, Japan’s organizations were the least likely to deal with direct financial loss from phishing attacks, at 11 percent. That contrasts with the United States, where 35 percent of organizations suffered immediate financial loss, nearly twice the global average.
Data loss and ransomware infections also had significant regional differences. In Spain, for instance, 69 percent of organizations experienced data loss. That compares to 47 percent of Australian organizations.
Meanwhile, more than two-thirds of Australian organizations (67 percent) were affected by phishing-based ransomware. That compares to 25 percent in France.
Pandemic Fueled Phishing
Historically, malicious actors have been quick to launch campaigns based on current events. That was the case with COVID-19. “Attackers were on it early, and they were prolific,” said Proofpoint’s Senior Security Awareness Strategist Gretel Egan.
“There was a lot of uncertainty, fear and doubt early in the pandemic, and it continues now,” she told TechNewsWorld.
“Attackers were taking advantage of that,” she continued. “We saw subject lines around ‘Your co-worker has tested positive’ or ‘Your neighbor has tested positive’ aimed at driving people to open that email and fall into a trap.”
Evgeny Gnedin, head of information security analytics at Positive Technologies,
a global cybersecurity company, noted that, according to research by his company, in Q1 2020, 13 percent of all phishing attacks were related to COVID-19. Of those, nearly half (44 percent) targeted individuals.
“The percentage of malware attacks and social engineering attacks against government agencies increased significantly as well, and this may be due to the pandemic,” he told TechNewsWorld.
“Many attackers sent emails to government agencies of various countries with malicious attachments related to the coronavirus crisis,” he said.
Gnedin added that the pandemic situation was used both for mass malware campaigns and APT attacks.
“With so much attention on the virus,” he continued, “it’s very possible that more hacks are being aimed at companies in every sector, as IT teams globally are busier than usual maintaining operations for the large increase in remote workers.”
Growth in Malicious Domains
Another sign that phishers were hot to exploit the pandemic was the increase in suspicious domain name registrations last year. “In 2020, we saw 12,490 new domains being registered containing the word ‘vaccine’, ‘COVID’, or both,” observed Shashi Prakash, CTO and co-founder of Bolster, an AI-powered fraud prevention company in San Jose, Calif.
“Of these, 6,104 sites showed signs of being weaponized for some sort of phishing or scam attack,” he told TechNewsWorld.
Companies had to quickly transition to a new remote work environment, in many cases that included rapidly spinning up new technology, explained Steven Bay, cyber fusion center and security operations practice lead at Kudelski Security, a provider of tailored cybersecurity solutions based in Cheseaux-sur-Lausanne, Vaud, Switzerland.
“This increased the risk to businesses and likely made them more vulnerable and open to attacks,” he told TechNewsWorld.
“Phishing is already the most successful way to breach an organization,” he continued. “Layer on top of that the fact that people were more likely to click on a phishing email related to COVID-19, and it’s easy to see that hackers viewed it as a prime opportunity to launch attacks and breach organizations.”
Double Dipping Extortionists
The Proofpoint report also noted that malware infections from phishing attacks dropped by 17 percent from 2019 and that organizations saying they experienced direct financial losses due to phishing dropped 47 percent year-over-year. It reasoned those results could indicate that organizations have implemented stronger preventive measures against these types of attacks.
Although the report found the number of organizations affected by ransomware attacks remained unchanged, Egan said that there was a change in how ransoms were paid.
“More than 50 percent of organizations that were infected opted to pay to regain access to their data,” she continued. “That was a slight increase over 2019, but we saw fewer people getting access to data after a single payment.”
“A lot more organizations were delivered follow-up demands for more money and a lot more organizations were willing to pay those follow-up demands,” she observed.
She added that 32 percent paid the extra ransom in 2020 compared to two percent in 2019.”
“In 2020, ransomware amounts skyrocketed,” said Fleming Shi, CTO of Barracuda Networks, a security and storage solutions provider based in Campbell, Calif.
“Some criminal groups aren’t using fixed amounts anymore,” he told TechNewsWorld. “They’re fixing the ransom amount based on a percentage of a company’s revenue.”
Why do phishing emails continue to work despite education programs to expose them and technologies to block them?
“Because we are all human,” observed Saryu Nayyar, CEO of Gurucul, a threat intelligence company in El Segundo, Calif.
“While most anti-spam and anti-phishing filters do a great job at catching the most common hooks, the ones that do make it through tend to be topical and clever, which makes them more likely to catch their intended victim,” she told TechNewsWorld.
In addition, phishers continue to evolve their craft. “Organizations sending phishing emails are more structured,” explained Adrien Gendre, chief solutions architect at Vade Secure, a provider of an email filtering service based in Hem, Picardie, France.
“These are global organizations providing tools, platforms and services that can be leveraged and licensed to local organizations,” he told TechNewsWorld. “This has increased the quality of the phishing emails significantly.”
“They’re much more sophisticated in the way they spread phishing emails,” he continued. “Before, you might see 100,000 emails and they were all the same. Now we’re seeing 100,000 emails and every one is different in some way. They are using tricks to make the content highly dynamic and make the emails unique when compared to each other.”
The quality of the Web pages linked to the phishing emails have also improved. “I have a presentation where I show two Microsoft log-in pages,” Gendre said. “I ask my audience to vote by a show of hands which page is real and which is malicious.”
“Most of the people choose the malicious page,” he continued. “The reason they choose the malicious one is because it has a better user experience than the real one.”