SaaS and webmail platforms have become the prime targets for phishing attacks, and the HTTPS protocol is being widely abused.
The Anti-Phishing Working Group (APWG) has just published its latest report for the first quarter of 2019, which highlights a new trend in phishing techniques.
For the first time, the largest share (36%) of attacks of this type targeted Software as a Service (SaaS) platforms and webmail, ahead of the payment services category, which accounted for 27% of attacks recorded during the period.
More sophisticated phishing techniques
Phishing techniques are becoming more and more complicated. Zscaler recently identified five new advanced methods called “evasion” and “anti-analysis” techniques.
- Creating a random filename on each visit: Some phishing kits create a file with a new random name on each visit, making it challenging to identify the site as a phishing site.
- HTML attributes with random values on each visit: The values of the page's HTML attributes are generated randomly on each visit to make a phishing page challenging to analyze and detect.
- Creating a new directory with a random name on each visit: Some phishing campaigns systematically create a new, randomly named directory, and the phishing page is hosted in that directory.
- Unique access to the phishing page: Each time a client visits one of these phishing pages, its IP address is checked against the list of IP addresses of clients that have previously visited. Depending on the result of this check, access to the phishing page is granted, a “Page not found” message is displayed, or the client is redirected to other sites.
- Proxy verification using online services: Recently, many phishing kits have included an encrypted list of blacklisted IP addresses, user agents and hostnames that security researchers and security companies use. If the client attempts to connect with an IP address or user agent on this blacklist, the phishing content is not served. In some cases, in addition to the encoded list of IP addresses, the client’s IP address is verified using certain online services to determine whether or not it is a proxy.
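The first three techniques defeat matching on exact URLs and raw page hashes. The following added example (not from the APWG or Zscaler material) shows a defender-side fingerprint that ignores what those techniques randomise; the sample URLs, pages and the `STABLE_ATTRS` choice are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: these attribute values are functional, so kits leave them alone.
STABLE_ATTRS = {"type", "method"}

class _Skeleton(HTMLParser):
    """Records tag names and attribute names; drops randomisable values."""
    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        parts = []
        for name, value in sorted(attrs, key=lambda a: a[0]):
            keep = name in STABLE_ATTRS
            parts.append(f"{name}={(value or '').lower()}" if keep else name)
        self.tokens.append(f"<{tag} {' '.join(parts)}>")

    def handle_endtag(self, tag):
        self.tokens.append(f"</{tag}>")

def structural_fingerprint(html):
    """SHA-256 over the page skeleton, stable across per-visit random values."""
    parser = _Skeleton()
    parser.feed(html)
    parser.close()
    return hashlib.sha256("\n".join(parser.tokens).encode()).hexdigest()

def url_shape(url):
    """Host, path depth and extension: unchanged when dir/file names are random."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    ext = segs[-1].rsplit(".", 1)[-1].lower() if segs and "." in segs[-1] else ""
    return (parts.hostname, len(segs), ext)

# Constructed samples: two visits to one kit, plus an unrelated page.
VISIT_A = ("http://phish.example/x9f2ka/login_81723.php",
           '<form id="a8Kq" class="zz91" method="POST">'
           '<input name="q7" type="password"></form>')
VISIT_B = ("http://phish.example/m3wq0p/login_55012.php",
           '<form id="Lp02" class="b7yy" method="post">'
           '<input name="r1" type="password"></form>')
OTHER = ("http://phish.example/about/index.html",
         '<div id="a8Kq"><p class="zz91">hello</p></div>')

if __name__ == "__main__":
    for url, html in (VISIT_A, VISIT_B, OTHER):
        print(url_shape(url), structural_fingerprint(html)[:16])
```

The two visits differ in every byte a URL blocklist or raw-content hash would key on, yet share one structural fingerprint and one URL shape.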
HTTPS used as a decoy
In total, the number of phishing sites detected in the first quarter was 180,768, a sizeable increase from the fourth quarter of 2018 (138,328 websites identified). The other lesson of the APWG report is the increasing sophistication of phishing attacks.
Cybercriminals are now making extensive use of HTTPS-based booby-trapped sites to more effectively mislead their victims into believing that they are visiting a trustworthy site.
According to PhishLabs statistics cited in the report, 58%, or nearly 60%, of the phishing sites listed in the first quarter used HTTPS.