Phishing: The Oldest and Wisest Attack Vector
What is phishing?
Phishing is an evergreen security problem that’s been around since the earliest days of our connected world. Back then, people were unaware of the concept of phishing and, despite the terrible spelling and grammar in the emails, people still responded to fictitious African kings who promised them great riches.
However, the nature of phishing has changed dramatically over the years and is now delivered on an industrial scale. Today’s phishing techniques have made it significantly harder for users to determine if that email from their favorite brand is genuine or fake.
Despite the changes we have seen in phishing attacks over the years, the key motivation for the cybercriminals remains the same: to trick people into disclosing confidential information, such as login credentials for their online accounts. Once the criminals have that information, they either resell the account logins on the dark web, or use the credentials themselves to access the accounts.
How have phishing attacks changed?
The most significant change in phishing attacks is that the criminals now leverage off-the-shelf phishing toolkits that allow them to quickly build and deliver very sophisticated phishing campaigns at scale. The phishing kits can be bought for as little as a few hundred dollars, and they allow the attackers to create a full phishing campaign, including emails and customer login pages that look identical to the targeted brand’s login page.
Phishing kits: As-a-service tools and products
In addition, the suppliers of the kit will often offer a full phishing-as-a-service product, which means the criminals don’t even have to worry about sending out the emails.
The availability of low-cost phishing kits and phishing-as-a-service tools allows criminals to release new campaigns very quickly. According to Akamai data on phishing campaigns that used more than 300 different phishing toolkits, 2% of the tracked kits were reused on at least 54 distinct days during the 90-day period of Q4 2022. Furthermore, 55% of the kits were reused for at least four days, and among all the tracked kits, 100% were reused for no fewer than two distinct days over the same period.
The frequency and volume of these phishing attacks make it exceptionally difficult for brands’ security teams to deal with this problem. No sooner has one phishing attack targeting a brand’s customers been thwarted than another is already underway. The same Q4 2022 data revealed that some brands had seen more than 300 domains created with the same phishing kits that mimicked their brand.
Phishing is no longer just email
Another big change is that phishing no longer includes just email. Attackers now use multiple channels — email, SMS, messaging, and social media — to deliver and amplify phishing campaigns. Akamai frequently observes attacks that promise rewards for completing a simple quiz; for example, a free backpack for answering three simple questions.
In late 2022, Akamai security researchers uncovered a new phishing kit that was being used to mimic several large retail brands ahead of the holiday season. The kit used a combination of social engineering, multiple evasion techniques, and access control to bypass security measures.
One of the evasion techniques — utilizing URI fragmentation — is novel. The email through which the scam is delivered contains a token that is later used to reconstruct the URI to which the victim is redirected. Any request that arrives without that token is denied access to the phishing landing page, so a scanner or analyst who follows the bare link never sees it.
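As an added defender-side illustration (not code from the Akamai post or from the kit it describes), the Python below triages emailed links whose URL fragment looks like an access token and shows what a server-side scanner actually requests. It assumes, as the technique’s name suggests, that the token rides in the fragment (the part after `#`), which browsers never send to the server; the sample links, hostnames and thresholds are constructed assumptions.

```python
import math
from urllib.parse import urlsplit

# Constructed sample links modelled on the page's description: the first carries a
# token-like fragment that client-side script would use to rebuild the real landing
# URI; the others carry an ordinary in-page anchor or no fragment at all.
# Hostnames use the reserved .test TLD and are placeholders, not real indicators.
SAMPLE_LINKS = [
    "https://example-rewards.test/claim#k7Qz9pLm2Xv4Rt8Wn3Hy6Bd1Fc5Gj0",
    "https://example-shop.test/help/faq#shipping-policy",
    "https://example-shop.test/account?utm_source=newsletter",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def server_visible_url(link: str) -> str:
    """The URL a scanner that fetches the link server-side actually requests.
    The fragment never leaves the browser, so the gating token is simply absent."""
    return urlsplit(link)._replace(fragment="").geturl()


def fragment_looks_like_token(link: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """Heuristic: a long, high-entropy fragment is more likely an access token than a
    human-readable anchor such as '#shipping-policy'. Thresholds are assumptions;
    tune them against your own mail telemetry."""
    frag = urlsplit(link).fragment
    return len(frag) >= min_len and shannon_entropy(frag) >= min_entropy


def triage(links):
    """Links worth routing to a fragment-preserving (real browser) analysis rather
    than a plain server-side fetch, which would only see the decoy page."""
    return [link for link in links if fragment_looks_like_token(link)]


if __name__ == "__main__":
    for link in triage(SAMPLE_LINKS):
        print("token-gated link; server-side fetch would request only:", server_visible_url(link))
```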
These campaigns are usually accompanied by numerous fake testimonials from previous “winners” that are used to gain the victims’ trust and to inject a sense of urgency. A new approach to this technique is the creation of fake user forums in which previous winners discuss their prize.
The attackers target highly popular brands because that increases the odds of their campaigns reaching the most customers. It’s simply a numbers game: If the attackers send out, say, 500,000 emails, then it’s highly likely that a decent percentage of the recipients are existing customers of the brand. Once the attackers have garnered the targeted brand’s customers’ details, they can then use that list to launch more targeted campaigns.
Attackers are primarily targeting consumers
One final insight from the Q4 2022 data is that 93% of phishing attacks are targeted at consumers, which shows that the attackers perceive the barriers to success as significantly lower than when targeting businesses.
The combination of the industrial scale of the sophisticated phishing attacks against consumers and the high frequency of these campaigns presents a significant problem for brands that are being targeted. A customer who falls for one of these attacks, and has their account compromised, is very likely to develop a negative perception of the brand and may take their business elsewhere.
Akamai’s efforts to protect your customers
So, what else can brands do to further proactively protect their customers against these attacks?
In our next blog post, we’ll share more of our security research findings on phishing attacks and give best practice guidance on how to protect your organization’s customers against these types of attacks.
Learn more
If you are headed to the RSA Conference 2023, stop by the Akamai booth to see demos and hear technical talks about our latest security tools. If you won’t be there in person, follow us on LinkedIn for announcements and video clips.