The APWG’s new Phishing Activity Trends Report reveals that the number of phishing attacks observed by APWG members grew through 2020, fully doubling over the course of the year. Attacks peaked in October 2020, with a high of 225,304 new phishing sites appearing in that month alone, breaking all previous monthly records.
In Brazil, security firm Axur saw slower growth in the number of phishing attacks that targeted Brazilian companies and consumers. But overall, Axur observed almost twice as many such phishing sites in 2020 as it did in 2019, a concerning year-over-year increase.
APWG contributor OpSec Security found that phishing that targeted financial institutions was the largest category of phishing in the fourth quarter, at 22.5 percent of all attacks. This category nosed out webmail and Software-as-a-Service (SaaS), which experienced 22.2 percent of all attacks. Phishing against the social media sector declined slightly to 11.8 percent, even as social media usage was high during the U.S. presidential election. In Brazil, Axur found that phishing against e-commerce sites constituted 45 percent of phishing attacks, perhaps taking advantage of consumers who are staying at home and using online shopping during the COVID-19 pandemic.
APWG contributor Agari continued to track “business email compromise” (BEC) attacks, one of the most damaging types of Internet crimes. BEC attacks that requested wire transfers from victim companies sought an average of $75,000, a 56 percent increase from $48,000 in the third quarter of 2020. This increase is primarily due to a resurgence in BEC campaigns from “Cosmic Lynx,” a sophisticated Russia-based crime group. Agari observed one BEC attack in progress in which the wire transfer request was for a whopping $999,600.
RiskIQ analyzed the use of domain names for phishing. “It appears that most of the domain names used for phishing are not compromised infrastructure, but are malicious domain name registrations created by the threat actors themselves,” said Jonathan Matkowsky of RiskIQ’s Incident Investigation and Intelligence (i3) team. Both RiskIQ and Agari saw that these kinds of criminal domain name registrations were concentrated at a few registrars and in a few top-level domains.
Phishers are also deploying encryption to fool users into thinking that phishing sites are legitimate and safe. APWG contributor PhishLabs found that in the fourth quarter of 2020, 84 percent of phishing sites had SSL encryption enabled. Encryption is deployed on phishing sites more often than on regular web sites: SSL is currently found on only 66.8 percent of all web sites across the Internet.