Ironscales, an automated phishing prevention, detection, and response provider, stated that credential theft attacks via fake or spoofed login pages and social engineering attacks have increased during the first half of 2020. In its research report, Ironscales revealed that it identified more than 50,000 fake login pages, impersonating around 200 popular global brands.
How Credential Theft Attack Works?
In a credential theft attack, hackers target users with an email imitating a popular brand and tricks them via social engineering techniques into entering their credentials on a spoofed login page. Once the victim enters the credentials, the information is automatically transferred to the attackers. Hackers could use this information to log in to users’ accounts to perform banking frauds, data extraction, wire transfers, identity theft, and other malicious activities.
“These nefarious yet often highly realistic looking pages are now a common tactic deployed by attackers seeking to obtain a person’s login credentials to a legitimate website, such as a bank, email client, or social media site, among many other popular services,” Ironscales’ researchers said in a statement.
Ironscales also observed that health care is the most targeted sector in credential theft attacks followed by financial services, government agencies, and IT sectors. The top five brands with the most fake login pages include:Description
| Brand Total Fake Login Pages % of all Fake Login Pages | ||
| PayPal | 11,000 | 22% |
| Microsoft | 9,500 | 19% |
| 7,500 | 15% | |
| eBay | 3,000 | 6% |
| Amazon | 1,500 | 3% |
Data Source: Ironscales
“Although PayPal sits atop the list, the greatest risk may derive from the 9,500 Microsoft spoofs, as malicious Office 365, SharePoint and One Drive login pages put not just people but entire businesses a risk,” researchers added.
Polymorphic Phishing Attacks
The research further stated that 5% (2,500) of the 50,000 fake login pages were polymorphic, with one brand garnering more than 300 variations. Microsoft and Facebook topped the list with 314 and 160 permutations, respectively.Description
| Brand No. of Permutations % of all Permutations | ||
| Microsft | 314 | 24% |
| 160 | 13% | |
| Chase Bank | 81 | 6% |
| Netflix | 38 | 3% |
| eBay | 34 | 3% |
| Alibaba | 30 | 2% |
| AT&T | 26 | 2% |
| Wells Fargo | 26 | 2% |
| PayPal | 24 | 2% |
| DHL | 21 | 2% |
Data Source: Ironscales
In Polymorphic phishing attacks (also known as Polymorphism), an attacker makes slight and random changes to a phishing email like its content, subject line, sender name, or template. This enables the phishing actors to easily escape from email security tools, which fail to recognize such modifications and obtain access to users’ inboxes.
While the research did not explain why these enterprises have more permutations than others, it stated that this could have occurred for two reasons:
- The security teams associated with these brands are actively looking to take down fake login pages, so attackers are forced to more frequently evolve the attack ever so slightly so to defeat human and technical controls.
- These brands are a priority and or easy target for a certain hacking group(s), so there is more activity and therefore a need to constantly evolve to stay one step ahead of security teams.
Eyal Benishti, founder and CEO, Ironscales, said, “Polymorphic email phishing threats represent an incredibly difficult challenge for SOC and IT security teams to overcome. Just as security personnel think that they may have a phishing threat under control, attackers can augment the artifacts to give the message an entirely new signature, thereby enabling what is for all intents and purposes the same malicious message to bypass the same human and technical controls that might have stopped a previous version of the attack.”
