- Upgrade to Microsoft Office Pro and Windows 11 Pro with this bundle for 87% off
- Get 3 months of Xbox Game Pass Ultimate for 28% off
- Buy a Microsoft Project Pro or Microsoft Visio Pro license for just $18 with this deal
- How I optimized the cheapest 98-inch TV available to look and sound incredible (and it's $1,000 off)
- The best blood pressure watches of 2024
Phishing Trends and Tactics: Q1 of 2023
In the world of cybersecurity, there are a few constants, one of the big ones being the fact that news, innovation, and threats move fast and are constantly evolving. It is important for security professionals to stay in the loop about major developments in cybercriminal activity and the cybersecurity industry. Fortra’s PhishLabs offer resources to learn about a variety of cybersecurity-related topics, including a blog that regularly features cybersecurity news. In order to stay up to date on pertinent events, we have summarized the main takeaways from the first quarter of 2023.
Shift in Phishing Tactics
In Q1, free domain registrations saw a significant decline in popularity, likely as a result of free domains from Freenom being halted. This decrease, while it has not led to a significant change in the popularity of no-cost methods on the whole, may be reflective of a trend toward “other means of building malicious infrastructures.” Phishing sites mimicking financial institutions also dropped 13%, the largest decrease in activity since 2020, but financial institutions remained the most impersonated industry (42.1%). The second most targeted industry was social media, which saw an increase of 8.1% to a total of 26.1%, followed by webmail and online services (11.4%), telecommunications (8.3%), and cloud storage and file hosting (5%).
Almost three-quarters of credential thefts were staged using no-cost methods like compromising existing sites or using free services. The most abused Top-Level Domain (TLD) was .com (51.3%), distantly followed by .org (4.7%), .us (2.4%), and .co (2.3%). Legacy generic TLDs made up 60.2% of Top-Level Domain abuse, followed by Country-Code TLDs (ccTLDs) (26.9%) and new generic TLDs (12.9%). The top ten most abused TLDs were all Legacy gTLDs and ccTLDs.
All-Time High of Malicious Emails
In the time that PhishLabs has been documenting emails classified as malicious or do not engage, the volume of those emails in Q1 is the highest it has ever been—nearly a quarter of all emails. Separately, malicious emails made up 7.7% of reported emails, while those classified as do not engage represented 15.9%. Of the malicious emails recorded in Q1, there was a sizable increase in the proportion of credential thefts, up 14.4% to reach a total of 58.2%.
In contrast, response-based malicious emails saw a decrease of 13.1% to make up 40.5% of malicious emails. Of the response-based attacks reported, nearly half (45.1%) were hybrid vishing attacks. In second place, 419 attacks made up 36.4% of response-based attacks, followed by BEC (14.3%), job scams (4.1), and tech support (0.1%).
The majority of credential theft emails (62.4%) were phishing links, while the remaining 37.6% contained malicious attachments. This reflects a minor shift in proportions—an increase of 0.6% for malicious phishing links and a decrease by the same amount for malicious attachments.
Ransomware Payload Trends
The ransomware family QBot made up a staggering 87.8% of payload volume, distributed mainly through malicious attachments in phishing emails. QBot has recently been delivered via OneNote and Adobe documents, as well as HTML smuggling campaigns. The most popular malware family two quarters in a row, QBot features capabilities such as self-spreading, C2 communication, and sandbox detection.
Trailing behind QBot was Emotet, representing 6% of Q1 ransomware payload volume. Emotet continued operations in March following a hiatus of several months. Emotet was one of the biggest botnets in the world until it was temporarily disabled by authorities in 2021; nonetheless, it is “a highly sophisticated and evasive malware” that is constantly being updated and enhanced to increase payload.
The third most reported malware family this quarter was IcedID, comprising 3% of ransomware payload volume. IcedID was first introduced as a banking trojan, but banking functionalities have recently been removed. Modifying the functionality of a malware family is a common technique as cybercriminals adjust their priorities according to shifting needs. Updating code enables bad actors to launch a wider range of attacks, thereby increasing its popularity in the Ransomware-as-a-Service (RaaS) industry.
Social Media Attacks
Attacks targeting businesses via social media saw an increase of 12.2% in Q1; the average business is targeted by around 84 attacks each month. Social media is a conducive environment for cybercriminal activity because it is easy to create and disseminate malicious material and difficult to monitor. The top threat types on social media in Q1 were cyber threats (33.1%), impersonation (26.3%), counterfeit (22.1%), and fraud (16.9%).
The industry most targeted by social media threats was banking, representing 33.5% of reported social media attacks. This was followed by retail (24.4%), cryptocurrency (14.7%), and financial services (9.3%). Of these, retail saw the most significant change from the previous quarter—an increase of nearly 7%.
Conclusion
For cybersecurity professionals, it is vital to stay on top of the most recent news about tech, security, and cyberthreats. Being informed is the first step in protecting an enterprise against bad actors. Armed with the right information, security teams can evaluate various security products and solutions to determine what best meets their company’s needs.