Trend Four

Phishing attacks have never been more effective

Phishing attacks have evolved far beyond poorly worded emails offering ‘unclaimed lottery winnings.’ In 2020, phishing is not only pervasive but also the most damaging high-profile cybersecurity threat facing organizations today.

Smarter distribution

Our research shows that a new phishing site is launched every 20 seconds. Making matters worse, scammers are now focused on device-centric social engineering to target users in places where they wouldn’t expect to find these types of attacks, such as gaming, messaging and social media apps.

Not only are phishing attacks reaching users in more places, but they are more personalized. Business email compromise (BEC) attacks are moving to other forms of communication such as social media messengers, and spear phishing is made easier on mobile simply by knowing someone’s phone number. Malicious actors are taking the time to research their targets’ behavior patterns and work environments to exploit any weaknesses.

Using encryption

Phishing is also becoming impossible to detect visually. Double-checking the address bar for a suspicious URL used to be an easy way to catch a spoofed domain, but attackers now use free services such as Let’s Encrypt to obtain valid SSL/TLS certificates for their phishing sites. This is effective because users believe the padlock symbol next to a URL is a reliable indicator that a website is safe, when it only indicates that the connection is encrypted, not who operates the site.

Disguised with Punycode

Attackers are increasingly using Unicode to make their phishing domains harder to detect. Punycode encodes domain names that contain Unicode characters (from scripts such as Cyrillic, Greek and Hebrew) into ASCII so that the DNS, which only carries ASCII names, can handle them. Because many Unicode characters are visually identical to Latin letters, such domain names can look familiar to the naked eye yet resolve to a different server or lead to an unfamiliar domain.

It’s easy for an attacker to register a domain name that replaces some ASCII characters with similar-looking Unicode characters. Different alphabets are not the only source of such characters, either: the ever-growing library of emojis can also be encoded with Punycode.
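As an added defender-side example (not code from the report or its authors), the following Python script decodes Punycode (`xn--`) labels and flags the two patterns described above: labels that mix scripts, and labels whose non-Latin letters all have Latin look-alikes. The confusables table is a hand-built partial sample, and deriving a character's script from its Unicode name is an approximation.

```python
import unicodedata

ACE_PREFIX = "xn--"

# Hand-built, partial table of Cyrillic and Greek letters that render like Latin.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l", "\u0501": "d", "\u04bb": "h", "\u051d": "w",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v", "\u03c1": "p",
}

def to_ace(host: str) -> str:
    """Encode a Unicode hostname label by label with the RFC 3492 codec."""
    return ".".join(l if l.isascii() else ACE_PREFIX + l.encode("punycode").decode("ascii")
                    for l in host.lower().split("."))

def decode_label(label: str) -> str:
    """Decode one ACE label (xn--...); plain ASCII labels pass through."""
    if label.startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label

def script_of(ch: str) -> str:
    """Approximate script from the Unicode name's first word (CYRILLIC, GREEK, ...)."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    if unicodedata.category(ch).startswith("S"):  # emoji and other symbols
        return "SYMBOL"
    return unicodedata.name(ch, "UNKNOWN UNKNOWN").split()[0]

def analyze_hostname(host: str) -> dict:
    """Decode every label and report script mixing and Latin look-alikes."""
    labels = [decode_label(l) for l in host.lower().rstrip(".").split(".")]
    decoded = ".".join(labels)
    # Fold confusables to a Latin skeleton: if it is pure ASCII yet differs from
    # the decoded name, the name imitates an ASCII domain.
    skeleton = "".join(CONFUSABLES.get(c, c) for c in decoded)
    lookalike = skeleton != decoded and skeleton.isascii()
    per_label = [{script_of(c) for c in l} - {"COMMON"} for l in labels]
    mixed = [l for l, s in zip(labels, per_label) if len(s) > 1]
    return {
        "decoded": decoded,
        "scripts": sorted(set().union(*per_label)),
        "mixed_script_labels": mixed,
        "looks_like": skeleton if lookalike else None,
        "suspicious": bool(mixed) or lookalike,
    }
```

A genuine all-Cyrillic domain such as пример.рф is not flagged, because its skeleton still contains non-Latin letters and no label mixes scripts.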

Using big brands

To increase the success rate of an attack, malicious actors need to be selective when deciding which companies to impersonate. It’s simple — more users means “more phish in the sea.”

Malicious actors are increasingly targeting applications used for work, such as Office 365 and Google’s G Suite apps. As businesses strive to move their corporate assets to the cloud, this is a major concern. One slipup by an employee who receives a clever phishing attack (e.g., asking them to confirm their Google Drive login credentials) can give a hacker access to corporate assets stored on these types of popular cloud applications.

Recommendations on how to mount an effective defense against mobile phishing attacks

Many phishing sites are published online for only a few hours before hackers move to an entirely new hosting server. This allows them to evade detection and maintain ongoing campaigns without being blocked. The risk to users is highest in those first critical hours before static, list-based threat intelligence is updated. In this short window of time, mobile devices are most vulnerable to newly published attacks, and the stakes are higher when they target corporate cloud applications. That’s why a zero-day phishing solution — specifically one that operates across all communication apps and not just email — is critical in stopping both the common attacks and the more sophisticated ones that are launched against your business.