Credential Phishing: The Shift to Enterprise

Last week we published the 2018 Phishing Trends and Intelligence report and presented on the topic during a webinar. The primary key finding explains why enterprise organizations, rather than consumers, are now the primary target. The following is a high-level look at what our Director of Threat Intelligence, Crane Hassold, discussed during the webinar.


While the shift is our primary key finding for this year, several important components led to it. For starters, email and online services took the number one spot for phishing attacks; the adoption of SaaS-based technology led to a rapid increase in attacks; email accounts are used for two-factor protection and password resets; and at the heart of it all is the continued effectiveness of social engineering. Combined, these show a clear shift from consumers to organizations as the target.

So how did we identify such a momentous shift in targets? In the past year we analyzed more than 1.3 million confirmed suspicious phishing sites across more than 300,000 domains, with more than 12,000 attacks analyzed and mitigated each month. From that data, our research team identified several new trends, the largest being the shift to enterprise and why it is occurring.

The Shift

Just as ransomware exploded in 2016, the components leading to the shift to enterprise followed a similar pattern. SaaS (software as a service) branded phishing attacks more than tripled, with DocuSign and Adobe being the primary focus. In these attacks, a user is tricked into thinking they are receiving a notice from another brand. Ultimately the goal is not the credentials for those SaaS accounts, but the victim's email credentials. In addition to SaaS, attacks on email service providers, especially Office 365 and OWA, also increased, which made email and online services the most-targeted industry in 2017.

Evolving Tactics

In 2016 the biggest shift was in how a victim was targeted, and since then tactics have only continued to evolve. In 2017 we have seen an increase in all-in-one phishing sites designed for mass credential harvesting. This is driven by the continued use of an email account as the primary account (with its password often reused elsewhere), and it enables password reuse and password reset attacks.

The solution? Use different passwords and usernames for each account, activate two-factor authentication, and use a password manager. On top of that, follow the training program your company has in place; it is designed to keep you from falling victim in the first place.

How Credentials Are Being Used

On the surface, enterprise attacks may appear to be going after SaaS product credentials, but there is more to it. In most cases a threat actor is either going after access to email accounts so that they can carry out business email compromise (BEC) attacks, or using the stolen credentials for password reuse/reset attacks on secondary targets. A BEC attack is particularly nasty because the attacker is attempting to steal intellectual property, hold sensitive information for ransom, or trick an employee into wiring money to them.

Credential Theft Trends

Although the shift to enterprise has resulted in an increase in attacks targeting both email and SaaS, the financial and cloud industries (-40%) have seen decreases. Though on the decline, the financial industry is still a high-risk target, and attack volume remains higher than in 2013 and 2014. Overall, phishing attacks increased steadily from the start of 2017 through the end of Q3, then leveled off in Q4.





*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Elliot Volkman. Read the original post at: