“) phishing kits the alternative — and arguably an even easier method than cloning a site — is to acquire a phishing kit. these are turnkey phishing solutions that come packaged with all the html, images, and code needed to create a fraudulent site (see figure 10). figure 10. le…”
T1566.002 Spearphishing Link
99%
“found that wordpress sites alone accounted for 20% of generic phishing urls. this year we also found that office 365 continues to present a rich and compelling target for attackers with fraudsters employing new tactics such as “consent phishing”. and an increasing number of ph…”
T1566.002 Spearphishing Link
98%
“…page can be a simple three-step process: - visit the genuine website - right-click and select save page as… - take the html, css, and images just saved and host them on a rented server while these steps are somewhat over-simplified, the principle is entirely valid. the …”
T1566.002 Spearphishing Link
97%
“phishing campaign. the average time between a victim entering payment card details into a phishing site and a cybercriminal fraudulently using those credentials was just four hours. in many cases, a repeated login was attempted another seven hours later. 4 hours the average time …”
T1583.001 Domains
97%
“for free abusing free top-level domains registering a domain such as myphishingdomain.com (or something slightly less obvious, such as secure-site-login.com) brings with it a cost charged by the registrar. this can range from a few dollars a year to many thousands of do…”
T1566.002 Spearphishing Link
95%
“ones require an active license from the author and employ numerous tricks to avoid detection by researchers and casual observers. one such recent example is the officev4 kit, which, not surprisingly, targets users of office 365. officev4 fraudsters must have an active license in …”
T1566.002 Spearphishing Link
93%
“to disguising text as images, there are too many ways for fraudsters to mask the real destination of a hyperlink within an email. many businesses now recognize this and do not include links in emails (although many still do). consumers must become develop the habit of entering …”
T1583.001 Domains
92%
“sites using .com at over 50% (see figure 21). phishers are also getting creative and having fun with their domain names. punycode, the ascii translation of domain names using non-english character sets, has long been popular with phishers looking to trick their victims. one …”
T1583.001 Domains
90%
“source: f5 soc) spoofing brands by using similar urls attackers use a combination of tactics to make their phishing urls appear genuine. from making use of target brands in the domain to the implementing genuine https certificates, their goal is to minimize the risk of victims …”
T1566.002 Spearphishing Link
90%
“the total number of human logons per month to detected manual fraud attempts for a large financial services customer the emergence of real-time phishing proxies phishing is typically an asynchronous attack in which the attacker does not need to be active at the same time a vict…”
T1657 Financial Theft
89%
“…nal. having access to a victim’s name, physical address, and email address allows the criminal to create fraudulent accounts in the victim’s name. additionally, physical addresses allow them to pay for goods using the correct billing address while sending goods to a differe…”
T1583.001 Domains
87%
“is now a common practice, attempt to highlight the true domain, but there is much inconsistency among them. google’s chrome browser, for example, shades the path of the website in gray and highlights both the domain name and also any subdomain (figure 14). firefox, however, r…”
T1566.002 Spearphishing Link
85%
“. the code sharing website pastebin has many sample .htaccess files with preconfigured ip ranges and domains that other phishers can use to get started. many phishing kits examine the user-agent header of the client browser. researchers often use scripts or tools to view malici…”
T1566.002 Spearphishing Link
84%
“services in an effort to massively scale their attacks and bypass security controls. in the past few years, we saw huge formjacking (web card skimming) campaigns that stole personal information and payment card data. many of these attacks, such as those by the magecart threat g…”
T1657 Financial Theft
83%
“to claim a prize or to donate money to a charity. often these scams trick visitors into making a one-time donation to a non-existent charity or getting them to sign up for regular direct debits. semi-targeted phishing attacks, however, will go after customers of a specific …”
T1566.002 Spearphishing Link
82%
“frameworks, such as att&ck, 17 (https://www.f5.com/labs/articles/threat-intelligence/2020-phishing-and-fraud-report#_ftnautoincr17) to help identify likely avenues of phishing messages (for example, email, sms, whatsapp, facebook, etc.). - conside…”
T1566.002 Spearphishing Link
79%
“example, office 365 - your app then directs you to a login page for your microsoft account - you authenticate to microsoft by entering your credentials - finally, you see a page, such as the one shown in figure 7, in which you accept the permissions being requested by the app fig…”
T1528 Steal Application Access Token
78%
“example, office 365 - your app then directs you to a login page for your microsoft account - you authenticate to microsoft by entering your credentials - finally, you see a page, such as the one shown in figure 7, in which you accept the permissions being requested by the app fig…”
T1583.001 Domains
77%
“emojis to give some indication of what might wait for the visitor if they follow the link (see figure 23). once the domain name is registered, the phishing site needs to be placed onto a website. this year, like last, we saw extensive use of free and cheap cloud hosting service…”
T1566.002 Spearphishing Link
77%
“show just two samples of many pandemic-related phishing emails f5 labs has seen. figure 2. a phishing email that used fear of the pandemic to hook its victims figure 3. another covid-19 related phishing email with malicious presentation attached three primary objectives for c…”
T1566.002 Spearphishing Link
76%
“highlighting fraudulent sites to users. from deceptive urls to abuse of https certificates, both staff and customers must be continuously trained on the latest techniques that fraudsters are using. robot download the report now!”
T1566.002 Spearphishing Link
75%
“” or “password is incorrect,” a proxy can determine the risk a site poses. knowing this, phishers avoid being detected by using images to display text whenever possible. figure 27 shows images used by the officev4 phishing kit. it uses png images to display text such as “enter…”
T1566.002 Spearphishing Link
74%
“as genuine as possible. in today’s online world, using tls certificates so that websites appear secure is a virtual necessity. despite domain names that have nothing to do with brand the site is impersonating, unwitting victims often see the padlock and phrases such as “connec…”
T1583.001 Domains
71%
“”. the same domain was registered for each of the free tlds, as shown in figure 22. figure 20. distribution of all top-level domains in october 2020 figure 21. distribution of tlds used by phishing sites in september 2020; .com remains the most popular these nearly 1,000 doma…”
T1566.002 Spearphishing Link
67%
“name. across all our datasets, we found an average of almost 10% of all phishing incidents involved victims being sent to malicious pages built using wordpress. examining data from the f5 soc, we see that figure rise as high as 20% when we focus on phishing sites that do not ma…”
T1566.002 Spearphishing Link
66%
“f5's security operations center. phishing is now such a problem that the 2020 verizon data breach investigations report (dbir) noted the use of malware and trojans had dropped significantly and that “attackers become increasingly efficient and lean more toward attacks such a…”
T1583.001 Domains
60%
“of the address bar. despite graying the subdomain, all the victim can see is the start of the address, which includes some authentic looking words such as ssl, encryption, and security. figure 17. phishing site url making use of deception techniques to hide the true address in an…”
T1566.002 Spearphishing Link
57%
“the uk ico for each quarter of 2019 and 2020 averaged 289, while new figures, released for the months covering april to june 2020, show a sharp decline with only 185 confirmed cases. the f5 security operations center (soc) saw a similar trend, with initial phishing statistics b…”
T1589.001 Credentials
56%
“seen this to hold true with the huge jump in phishing traffic around the periods of national pandemic lockdowns and many examples of emails claiming to have information about the virus. phishing objectives social engineering, and primarily phishing, is often used as an enabler of…”
T1078.004 Cloud Accounts
56%
“3 billion credentials were breached in 2017. 10 and 2017 was, according to wikipedia, a quiet year for data breaches. 11 12 figure 6 shows the number of data breach incidents per year compared with the cumulative number of records breached. despite a fluctuating number of incident…”
T1566.002 Spearphishing Link
55%
“peaked at 14,940 (see figure 5). figure 5. rate of new certificates containing "covid" or "corona." security practitioners are generally well aware of how phishers bait and hook their victims by using provocative topics, but if these trends tell us anything, it’s that en…”
T1566.002 Spearphishing Link
55%
“against a specific organization or group - spear phishing, in which a specific individual (often c-level or it administrator) is directly targeted. steps in a phishing attack while the catch (the pay-out) might be different between phishing campaigns (some attackers are …”
T1566.002 Spearphishing Link
54%
“being phished is now greater than ever. non-cash payment fraud, such as credit card theft, skimming, or phishing, is commonly used to enable the majority of other cyber-dependent crime, such as extortion, theft of data, and deployment of malware. advanced persistent threat (…”
T1566.002 Spearphishing Link
53%
“malware communicating with command and control and drop zone servers. - inspect ssl/tls connections to ensure that malicious and potential phishing web traffic is being blocked. respond to phishing campaigns - have a plan and know who to work with to take down phishing sites as…”
T1566.002 Spearphishing Link
52%
“2020 phishing and fraud report executive summary phishing remains a popular method of stealing credentials, committing fraud, and distributing malware. but what appears on the surface to be a juvenile form of cybercrime can be, in practice, a well-orchestrated, multi-faceted,…”
T1584.001 Domains
52%
“source: f5 soc) spoofing brands by using similar urls attackers use a combination of tactics to make their phishing urls appear genuine. from making use of target brands in the domain to the implementing genuine https certificates, their goal is to minimize the risk of victims …”
T1583.001 Domains
43%
“ones require an active license from the author and employ numerous tricks to avoid detection by researchers and casual observers. one such recent example is the officev4 kit, which, not surprisingly, targets users of office 365. officev4 fraudsters must have an active license in …”
T1598.003 Spearphishing Link
43%
“sites using .com at over 50% (see figure 21). phishers are also getting creative and having fun with their domain names. punycode, the ascii translation of domain names using non-english character sets, has long been popular with phishers looking to trick their victims. one …”
T1598.003 Spearphishing Link
40%
“) phishing kits the alternative — and arguably an even easier method than cloning a site — is to acquire a phishing kit. these are turnkey phishing solutions that come packaged with all the html, images, and code needed to create a fraudulent site (see figure 10). figure 10. le…”
T1566.002 Spearphishing Link
38%
“f5 soc investigated during 2020. combining incidents from 2019 and 2020, we found that 55.3% of drop zones use a non-standard ssl/tls port. in all but one of these cases, port 446 was used. almost all phishing sites, 98.2%, used standard ports: 80 for cleartext http traf…”
T1584.001 Domains
34%
“of the address bar. despite graying the subdomain, all the victim can see is the start of the address, which includes some authentic looking words such as ssl, encryption, and security. figure 17. phishing site url making use of deception techniques to hide the true address in an…”
T1566.002 Spearphishing Link
34%
“sites using .com at over 50% (see figure 21). phishers are also getting creative and having fun with their domain names. punycode, the ascii translation of domain names using non-english character sets, has long been popular with phishers looking to trick their victims. one …”
T1598.003 Spearphishing Link
34%
“the total number of human logons per month to detected manual fraud attempts for a large financial services customer the emergence of real-time phishing proxies phishing is typically an asynchronous attack in which the attacker does not need to be active at the same time a vict…”
T1598 Phishing for Information
33%
“2020 phishing and fraud report executive summary phishing remains a popular method of stealing credentials, committing fraud, and distributing malware. but what appears on the surface to be a juvenile form of cybercrime can be, in practice, a well-orchestrated, multi-faceted,…”
T1566 Phishing
33%
“against a specific organization or group - spear phishing, in which a specific individual (often c-level or it administrator) is directly targeted. steps in a phishing attack while the catch (the pay-out) might be different between phishing campaigns (some attackers are …”
T1584.001 Domains
32%
“emojis to give some indication of what might wait for the visitor if they follow the link (see figure 23). once the domain name is registered, the phishing site needs to be placed onto a website. this year, like last, we saw extensive use of free and cheap cloud hosting service…”
T1598 Phishing for Information
31%
“being phished is now greater than ever. non-cash payment fraud, such as credit card theft, skimming, or phishing, is commonly used to enable the majority of other cyber-dependent crime, such as extortion, theft of data, and deployment of malware. advanced persistent threat (…”
Summary
In our 2020 edition of the Phishing and Fraud Report, we focus on how cybercriminals build and host phishing sites, the tactics they use to avoid detection, and how they’ve capitalized this year on the COVID-19 pandemic.