Over 200 of the world’s most prominent brands are affected by over 50,000 fake login pages used for executing various phishing attacks, a new report by IRONSCALES has found. The researchers discovered that phishing attacks from the spoofed pages mostly targeted the healthcare industry, financial services, government agencies, and technology firms. Although PayPal emerged as the brand most targeted by phishing attackers, the researchers said that the real threat was from over 9,500 fake login pages impersonating Microsoft services.
Key findings of the report
IRONSCALES researchers discovered that about 5% of the fake login pages applied polymorphic behaviors, with one brand having more than 300 permutations. Polymorphic phishing pages modified the subject or content of the emails to avoid detection by automated and human reviewers.
PayPal was the top target for phishing scams with over 11,000 fake login pages mimicking the brand. Others included Microsoft (9,500), Facebook (7,500), eBay (3,000), and Amazon (1,500). Brands like Adobe, Aetna, Apple, Alibaba, JP Morgan Chase, Tesco, Wells Fargo, and others also had spoofed pages trying to harvest users’ login details.
The study found that “the top 5 brands with the highest number of fake login pages closely mirrors the list of brands that frequently have the most active phishing websites.” Although PayPal had the highest number of fake login pages, Microsoft spoofs impersonating Office 365, OneDrive, and SharePoint posed the greatest risk because they compromised both individuals’ and organizations’ accounts.
Reasons for the success of phishing attacks utilizing fake login pages
The research found that the phishing attacks were successful for two reasons. Firstly, malicious phishing emails delivering the fake login pages could easily bypass secure email gateways and spam filters.
Secondly, “inattentional blindness” prevents the victims from seeing the glaring evidence of unexpected changes hiding in plain sight.
The attackers changed the phishing emails by making “slight but significant modifications” to elements such as the subject line or the email content. Polymorphism lets attackers deliver different versions of the same phishing email to victims without triggering spam controls. This is because a signature-based email security platform fails to detect suspicious behavior once the spam emails are slightly modified. Researchers indicated that 5% of all the 50,000 attacks applied polymorphic behavior.
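Why an exact-match signature misses these permutations, shown as an added illustration that is not code or data from the IRONSCALES report. The sample messages, function names and the 0.3 threshold are constructed for this example, and word-shingle Jaccard similarity is a simple stand-in for looking past exact matches, not the detection method the report describes.

```python
import hashlib
import re

# Constructed sample messages (not from the report): three permutations of one
# lure plus one unrelated message.
EMAILS = {
    "v1": "Subject: Action required: verify your account\n"
          "We noticed unusual sign-in activity. Please verify your account within 24 hours to avoid suspension.",
    "v2": "Subject: Action needed: verify your account today\n"
          "We noticed unusual sign-in activity. Please verify your account within 48 hours to avoid suspension.",
    "v3": "Subject: Reminder - verify your account\n"
          "We detected unusual sign-in activity. Please verify your account within 24 hours to avoid suspension.",
    "other": "Subject: Team lunch on Friday\n"
             "Reminder that the quarterly team lunch is this Friday at noon in the main cafeteria.",
}

def exact_signature(text):
    """Signature-style control: SHA-256 over the whole message."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def shingles(text, k=3):
    """Set of k-word shingles over lowercased alphanumeric tokens."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    """Jaccard similarity of two messages' shingle sets (0.0 to 1.0)."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def signature_hits(known, emails):
    """Messages whose hash equals the hash of the already-reported one."""
    sig = exact_signature(emails[known])
    return sorted(n for n, t in emails.items()
                  if n != known and exact_signature(t) == sig)

def similarity_hits(known, emails, threshold=0.3):
    """Messages near-identical to the reported one (threshold is an assumption)."""
    return sorted(n for n, t in emails.items()
                  if n != known and jaccard(emails[known], t) >= threshold)

if __name__ == "__main__":
    print("exact-hash matches for v1:", signature_hits("v1", EMAILS))
    print("similarity matches for v1:", similarity_hits("v1", EMAILS))
```

Once v1 has been reported, the hash signature matches none of the other messages, while the similarity check groups v2 and v3 with it and leaves the unrelated message alone.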
Close to 24% of attacks spoofing Microsoft were polymorphic with 314 permutations, while Facebook had 13% of polymorphic phishing attacks with 160 permutations.
The researchers explained that attackers applied polymorphic behavior because security teams were consistently trying to take down fake login pages, forcing the attackers to evolve their tactics to defeat manual and automated technical controls.
For example, Microsoft shared insights into spear-phishing tactics with its users, hence forcing the attackers to change their tactics to disorient the already alerted victims.
Detecting fake login pages
The firm says automated detection of fake login pages is possible through the application of AI, computer vision, and deep learning algorithms. Additionally, natural language processing (NLP) using both machine learning and neural networks could help identify the contents of the emails sent by the attackers. This would allow email systems to identify the fraudulent language and mitigate phishing threats.