50% Phishing Emails Seek Credential Theft, as Malware Delivery Declines

Cofense’s annual phishing report shows more than half of phishing emails are designed to steal user credentials, while just 12 percent contained a malware payload.

By Jessica Davis

The number of phishing campaigns delivering malware has drastically decreased in recent years, with just 12 percent of phishing emails deploying malware. On the other hand, 57 percent of all phishing attacks were designed for credential theft in 2020, according to Cofense.

The 2020 Annual State of Phishing Report details evolving tactics used by threat actors, as well as the impact of COVID-19 on the scope of phishing campaigns.

The report is compiled from the analysis of millions of emails related to phishing attacks. Of the 255,000 malicious emails analyzed, researchers found almost 100 unique malware families.

For healthcare, 59 percent of attacks took aim at credential theft, while 15 percent were designed for business email compromise and just 5 percent contained malware payloads.

Further, across all sectors, about 45 percent of credential phish attacks targeted Microsoft Office users.

“The vast majority of phishing campaigns are credential theft or conversational,” Cofense CTO and Co-Founder Aaron Higbee explained in the report. “While malicious attachments still play a role in phishing, the frequency of this has dramatically declined over the years.”

“In fact, most phish attachments these days are not even malware, but instead, conduits to open a browser to further credential theft,” he added. “While on the decline, we have our finger on the pulse of phishing related malware.”

The report notes that these emails have been found in enterprise environments employing diverse types of phishing defense tools, including secure email gateways and content filters.

Their success can be attributed to the nature of credential phishes, which are better at evading defense technologies. Credential phishing pages are inexpensive to host, enabling hackers to maintain these pages with minimal fees.

Attackers are also able to easily change the infrastructure used to support these malicious landing pages. These campaigns also leave few consistent and reliable indicators of compromise (IOCs), which makes them difficult to assess in post-mortem investigations.

Some of the largest, most successful campaigns in 2020 preyed on COVID-19 fears; others were attacks driven by the notorious Ryuk and Emotet variants.

Emotet is primarily delivered through massive email campaigns, with its hackers continuously evolving the threat to improve its success. The report shows these attack methods were similar to those employed by Ryuk. Healthcare is among the most targeted sectors for both of these threat groups.

The abuse of trusted platforms to deliver malware and credential harvesting pages is also on the rise. This includes hosting credential phishing pages and malicious payloads on legitimate websites or cloud services.

Hackers abuse trusted collaboration sites and cloud providers, including Microsoft, Google, Adobe, and Dropbox, to deliver credential phishing attacks and malware. In these attacks, targeted users receive links that appear legitimate and direct victims to trusted sites commonly used for daily business operations.

Researchers also observed attacks where the user was given an option to select from the most commonly used email platforms. These phishing campaigns often contain URLs hosted on legitimate domains that have a broad customer base, which means these attacks may not be blocked by content rules and filters.

These types of attacks were previously reported throughout the year, including two campaigns that leveraged free Google services and social engineering to bypass security measures to ensure the phishing attacks landed in the inbox.

Notably, a phishing URL has an average lifespan of just 24 hours, which means blacklisting is irrelevant for these types of attacks. Thus, defenses are often left to human detection.

“Remember, credentials are high value. They provide the keys to the castle for adversaries, sometimes allowing for long-term access to sensitive accounts and information,” researchers noted.

“While threat actors constantly develop sophisticated techniques to evade SEGs and steal credentials, many still use tried-and-true methods with significant success,” they added. “Data breaches and theft originating from stolen credentials are extremely common, giving threat actors access to sensitive data, web servers, end user accounts, and leave the organizational infrastructure vulnerable to other attack types.”

Cofense predicts 2021 will continue to see credential-focused attacks, with hackers already experimenting with CAPTCHA-protected phishing sites. As such, healthcare entities should review recommendations for securing the enterprise against phishing attacks.

Microsoft and Europol previously provided strong guidance on spear-phishing attacks and needed technologies, while joint guidance from the Healthcare and Public Health Sector Coordinating Council and the Health Information Sharing and Analysis Center sheds light on healthcare’s needed tactical security crisis response amid COVID-19.