As we prepare to close the book on 2014, researchers at PhishMe, a company which helps organizations train their employees and customers about the risks of spear phishing, have analysed phishing emails received in the last 12 months to identify some of the most interesting trends observed.
The top three phishing scams of 2014, according to researchers Ronnie Tokazowski and Shyaam Sundhar, are:
In third place: Compromised .edu domain serving ZeuS
Near the end of October, the researchers noticed a pretty ordinary phishing email with a .zip attachment, supposedly containing information about a payment, circulating around the web. The attachment contained a variant of Zeus.
Free eBook: Modern Retail Security Risk – Get your copy now.
Why does it make the list? The attackers sent the email from a compromised .edu domain. The trusted nature of an educational institution’s domain, and the generous amount of bandwidth those domains usually have provide, attackers with an appealing platform for delivering malware.
In second place: Dropbox Phishing
The rise of 3rd-party cloud services like Dropbox has provided attackers with an interesting new method to deliver nasty stuff through your network. In a round of emails last June that served as the precursor to Dyre, we received phishing emails that linked to a supposed invoice on Dropbox. The Dropbox link itself was legitimate, only it led to a .zip file containing a .scr and not an invoice.
Dropbox was quick to shut down this type of abuse, but it’s proven to still be a great method for attackers to get past spam filters. Dropbox use is so pervasive that most organizations won’t block its links.
A few weeks later, we saw Dropbox links abused again in targeted attacks against the Taiwanese government.
Top of the List: Dyre malware email
The most notorious phishing email of 2014 seemed innocent enough upon first glance. We actually received two emails containing the then unknown malware, with both of them pointing to links from a third-party file sharing service Cubby. The content of the emails itself was bland. One simply directed the recipient to a link to an invoice, while the other was a bit more extensive, directing the recipient to a link where they could learn more about a failed tax payment. Both of these led to the now notorious Dyre malware, a remote access Trojan (RAT) that has targeted banking information and customer data.
Dyre’s impact has been widespread enough to catch the attention of the US CERT.
Speaking about these phishing trends, Ronnie Tokazowsi said, “If we learn only one thing from phishing attacks in 2014, it should be that phishing attackers repeat themselves. This can prove useful to help us defend against phishing in the future. While the security industry has traditionally focused on bad IP addresses and malware when it comes to phishing, we ought to be focused on tactics, techniques, and protocol. Focusing on email content, headers, and URLs to recognize patterns and take preventive action will add another layer of phishing defence.
For a list of other top phishing scams, please read the full article posted on PhishMe’s blog here.
By Ronnie Tokazowski and Shyaam Sundhar, Senior Researchers, PhishMe
PhishMe launched publicly in 2008, and incorporated as an independent entity in 2011. PhishMe Incorporated is based in Northern Virginia, just outside of Washington, DC, with staff across the country. Our support, operations and sales teams are headquartered in our Virginia office, with additional offices in New York and London.
Our team developed the PhishMe concept based on dozens of years of experience in penetration testing, social engineering, abuse management, incident response and forensics. As our founding team looked at the results of the annual assessment model we implemented for clients, we realized that to effectively combat phishing attacks, our customers needed to combine compelling exercises with dynamic, immersive training.