Phishing: An Ever-Evolving Threat

Whether it was scammers duping World Cup fans with enticing emails touting a free trip to Moscow or the test against the DNC, phishing attacks were clearly the headline-grabbing darlings of bad actors in 2018. One headline even states that online phishing attacks increased more than 200 percent from the previous year.

In fact, more than half of Lookout Safe Browsing users have encountered a malicious link in the last year, which we predict will rise in 2019 as bad actors become increasingly organized, advanced and stealthier. Data gathered through the Lookout Phishing AI platform points to some pronounced trends that are poised to take off in the coming year. Here are the top three predictions for 2019:

Phishing-as-a-Service (PhaaS) Will Gain Ground

Development of commercial phishing kits will continue to accelerate. Sold through underground markets and iterated through multiple versions, these kits are beginning to resemble modern marketing platforms. In some cases they may even be hosted, just like software-as-a-service, and could include campaign management tools to monitor click-through rates. Moreover, these kits are using one-time URLs to evade detection and blacklisting. As we move into 2019, this increased automation and commercialization of kits will enable attackers to operate more efficiently and effectively.

The Move to Mobile Continues

Lookout Phishing AI is detecting new sites made specifically for mobile on a weekly basis. When one of these sites is opened on a desktop, it clearly looks like a poorly made phishing domain, but on a mobile device it looks legitimate. This disregard for the desktop browser demonstrates a mobile-first approach. The trend will continue to grow as mobile device usage increases in the enterprise. In fact, Gartner predicts that “80 percent of worker tasks will take place on a mobile device by 2020.” Phishing attacks have emerged as an effective attack vector in the era of post-perimeter security—and attacks that target mobile will be even more effective. We mix business and leisure on our mobile devices, combining corporate email and enterprise services with personal messaging apps and social media, creating an environment where employees can be phished and corporate credentials stolen through personal activities.

The ‘Consumerization’ of Targeted Attacks: Personalized Phishing

For the most part, targeted attacks, or spear-phishing, are considered an advanced attack technique, largely used by nation-state actors or higher-level criminal operations. However, with the continued rash of data breaches, there is a sea of personal information available on the black market.

After the recent Marriott breach, Brian Krebs noted:

“One aspect of these types of breaches that often gets overlooked is their utility for future phishing attacks. That’s a ton of information to have and to draw upon when you’re conducting spear-phishing attacks going forward.”

I couldn’t agree more with Krebs—while working on phishing AI, I’ve discovered that a lot of breach data is used in targeted attacks. Each new breach exposes a new set of email addresses to target in these attacks, and by combining this information with other breach data, such as passwords and other personal information, the attack increases its legitimacy. In this regard, targeted attacks are becoming consumerized as the reach of these attacks grows.

As we enter 2019, expect phishing to remain a major enterprise security priority. As attackers continue to invest in greater automation and focus on mobile devices, it is imperative for businesses to stay ahead of these trends by also making greater investments in automation and post-perimeter security protection.

Jeremy Richards

Jeremy Richards is a Principal Security Intelligence Engineer at Lookout, where he leads the research and development of Lookout Phishing AI, a machine learning engine that continuously scans the Internet to identify infrastructure used by phishing sites. Richards works closely with business and government to help identify emerging threats and new trends related to phishing. He is a frequent presenter of mobile security research at such conferences as BSides, AtlSecCon, SecTor, UNCC Cyber Security Symposium, and THOTCON.