Phishing Attacks Using Malicious URLs Rose 600 Percent in Q3, 2017

As recent healthcare breach notices have shown, phishing poses a major threat to the confidentiality of protected health information (PHI). The past few weeks have seen several healthcare organizations announce email accounts containing the PHI of thousands of patients have been accessed by unauthorized individuals as a result of healthcare employees responding to phishing emails.

Report Shows Massive Rise in Phishing Attacks Using Malicious URLs

This week has seen the publication of a new report that confirms there has been a major increase in malicious email volume over the past few months.

Proofpoint’s Quarterly Threat Report, published on October 26, shows malicious email volume soared in quarter 3, 2017. Compared to the volume of malicious emails recorded in quarter 2, there was an 85% rise in malicious emails in Q3.

While attachments have long been used to deliver malware downloaders and other malicious code, Q3 saw a massive rise in phishing attacks using malicious URLs. Clicking those links directs end users to websites where malware is downloaded or login credentials are harvested.

Proofpoint’s analysis shows there was a staggering 600% increase in phishing attacks using malicious URLs in Q3. Compared to 2016, the use of malicious URLs has increased by a staggering 2,200%. The volume of malicious emails has not been that high since 2014.

Locky is Back With a Vengeance

Proofpoint analyzes more than one billion emails, hundreds of millions of social media posts, and more than 150 million malware samples every day. The report combines the analyses performed over the quarter.

Out of all of the email threats analyzed, 64% were used to deliver ransomware. At the start of the year, Cerber ransomware was the biggest ransomware threat, having taken over from Locky, but in Q3, Locky came back with a vengeance. Locky ransomware accounted for 55% of all malicious payloads and 86% of all ransomware payloads. There were also notable increases in other ransomware variants, including Philadelphia and Globelmposter.

The second biggest threat was banking Trojans, which accounted for 24% of all malicious payloads. Proofpoint’s report shows the Dridex Trojan has fallen out of favor somewhat, with The Trick now the biggest threat in this category. Downloaders accounted for 6% of malicious emails and information stealers 5%.

In the first half of 2016, exploit kits were being extensively used to deliver malware and ransomware, although exploit kit activity dwindled throughout the year and all but stopped by 2017. However, exploit kit activity is climbing once again, with the Rig the most commonly used exploit kit. Proofpoint notes that rather than just using exploits, the actors behind these EKs are now incorporating social engineering techniques into their campaigns to fool users into downloading malware.

Social media attacks also rose, in particular so called “angler attacks” via Twitter. These attacks involve the registration of bogus support accounts. Twitter is monitored for customers who are experiencing difficulty with software, and when a complaint is made, the user is sent a tweet from the bogus account containing malicious links.

Proofpoint also noted a 12% rise in email fraud in Q3, up 32% from last year, and a notable rise in typosquatting and domain spoofing. The registration of suspicious domains now outnumbers defensive domain registrations by 20 to 1.

The advice to all organizations is to implement robust spam filtering software to block malicious emails, use solutions to block malicious URLS such as web filters, use email authentication to stop domain spoofing, and to take steps to protect brands on social media. The risk from look-alike domains can be greatly reduced with defense domain purchases – registering all similar domains before the typosquatters do.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.