Log-in Details at Risk

Research from Cofense has found that user credentials are being targeted by hackers and scammers at a scale never seen before.  Indicators of compromise (IoCs), the digital evidence an attack leaves behind, for credential phishing increased by close to 45% in Q3 over Q2, the company's report found.

Compared to Q3 2022, credential-phishing IoCs are up 85%, with PDF the most common malicious file extension attached to a phishing email.

This significant increase in phishing could be attributed to several factors.  Scammers have adapted their tactics to slip past email spam filters by wrapping phishing links in Google AMP viewer URLs: the link begins with the recognized ‘www.google.com’ domain, so it appears trustworthy, while the real destination is encoded further along the path.[1]
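The AMP wrapper described above can be undone mechanically before a link is judged by its visible domain. The following script is an added example, not code from Cofense or Red Sky Alliance: it unwraps the `www.google.com/amp/...` viewer form (`/amp/s/<host>/<path>` for https targets, `/amp/<host>/<path>` for http targets) and flags links whose visible host is trusted but whose real host is not. The sample links and the trusted-host list are constructed for illustration and are not from the report.

```python
"""Unwrap Google AMP viewer links to expose the real destination host.

Added example; not from the Cofense report or Red Sky Alliance.
Handles only the www.google.com/amp/... viewer form discussed in the
article. Sample links and TRUSTED_HOSTS below are constructed.
"""
from __future__ import annotations

from urllib.parse import unquote, urlsplit, urlunsplit

# Hosts whose /amp/ path encodes a foreign destination.
AMP_VIEWER_HOSTS = {"www.google.com", "google.com"}


def unwrap_amp(url: str) -> str:
    """Return the destination hidden behind a Google AMP viewer link.

    The viewer encodes the target as a path:
      https://www.google.com/amp/s/<host>/<path>  -> https://<host>/<path>
      https://www.google.com/amp/<host>/<path>    -> http://<host>/<path>
    Any URL that is not an AMP viewer link is returned unchanged.
    """
    parts = urlsplit(url)
    if parts.netloc.lower() not in AMP_VIEWER_HOSTS:
        return url
    path = unquote(parts.path)          # %2F-encoded slashes also hide hosts
    if not path.startswith("/amp/"):
        return url
    rest = path[len("/amp/"):]
    scheme = "http"
    if rest.startswith("s/"):           # "s/" marks an https target
        scheme = "https"
        rest = rest[len("s/"):]
    if not rest:
        return url                      # "/amp/" with no target: nothing to unwrap
    host, _, tail = rest.partition("/")
    return urlunsplit((scheme, host, "/" + tail, parts.query, parts.fragment))


def hidden_destination(url: str) -> tuple[str, str]:
    """Return (visible_host, real_host); both equal when nothing is wrapped."""
    visible = urlsplit(url).netloc.lower()
    real = urlsplit(unwrap_amp(url)).netloc.lower()
    return visible, real


def flag_wrapped_links(urls, trusted_hosts) -> list[tuple[str, str]]:
    """Return (url, real_host) for links that borrow a trusted host's reputation.

    A link is flagged when the host a user sees is on the trusted list but the
    host the link actually resolves to, after unwrapping, is not.
    """
    flagged = []
    for url in urls:
        visible, real = hidden_destination(url)
        if visible in trusted_hosts and real and real != visible and real not in trusted_hosts:
            flagged.append((url, real))
    return flagged


# Constructed sample input: two AMP-wrapped lures, two benign links.
SAMPLE_LINKS = [
    "https://www.google.com/amp/s/login-portal.example/verify/?acct=12",
    "https://www.google.com/search?q=cofense",
    "https://www.google.com/amp/login-portal.example/verify",
    "https://docs.example.com/guide",
]
TRUSTED_HOSTS = {"www.google.com", "docs.example.com"}   # constructed allow-list


if __name__ == "__main__":
    for url, real_host in flag_wrapped_links(SAMPLE_LINKS, TRUSTED_HOSTS):
        print(f"WRAPPED: {url}\n    real destination host: {real_host}")
```

Run it on the URLs extracted from a suspect message; any hit means the trusted-looking domain is only a redirector and the real host should be the one checked against reputation data.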

Another factor contributing to the rise of phishing in Q3 is the use of QR codes.  A QR code cannot be read by eye, so there is no way to tell where it leads before scanning it, and scammers exploit this to send victims to a legitimate-looking website that then asks them to enter their credentials to log in.

The most prevalent malware delivered by phishing in Q3 was the Agent Tesla keylogger, closely followed by the FormBook information stealer.  The most common delivery methods for these families were exploitation of CVE-2017-11882, a memory-corruption vulnerability in Microsoft Office's Equation Editor that allows arbitrary code to run when a crafted document is opened, and PDF droppers, specially built PDFs that, when opened, drop or retrieve a document or executable that installs the malware on the system.

Among the top-level domains used in phishing attempts, .com remained the most prevalent, but .ru (Russia's country-code domain) saw a significant rise over the previous quarter, most likely due to the increasing use and success of the Phishing-as-a-Service (PhaaS) tool Caffeine.

While it is difficult to determine where threat actors launch campaigns and attacks, because they route through VPNs, Cofense tracked malicious activity through the Command and Control (C2) servers that deliver phishing campaigns on threat actors' behalf.  The US remained the main location for C2 nodes, with 71% of phishing campaigns using a C2 source with a US-based IP address.

The report states that, “This is likely to continue as many cloud hosting services abused by threat actors [that] are hosted in the United States.”

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

[1] https://www.msn.com/en-us/news/technology/beware-your-login-details-are-being-targeted-more-than-ever-here-s-what-to-look-out-for/ar-AA1jhnDM/
