PayPal emerged as the most-impersonated brand name by phishers in the third quarter of this year followed by Microsoft, Netflix, Facebook, Bank of America, and Apple.
Research carried out by email security solutions provider Vade Secure has revealed that malicious actors who rely on phishing attacks to steal credentials, payment card details, or personal information of targeted organisations and individuals, impersonated PayPal more than any other global brand in the third quarter of this year.
In its Phishers’ Favorites report for Q3 2019, the security firm noted that it observed 16,547 fake or malicious URLs that impersonated PayPal, compared to 13,849 URLs that impersonated Microsoft, 13,562 URLs that impersonated Netflix, and 12,041 URLs that impersonated Apple.
Phishers also impersonated other global brands such as Bank of America, Apple, Google, Chase, Amazon, DHL, Desjardins, Docusign, BNP Paribas, Dropbox, Yahoo, Adobe, AT&T, and Comcast, all of which appeared on the firm's list of the 25 most-impersonated global brands in the quarter.
More phishing URLs impersonating PayPal than those impersonating Microsoft
Significantly, this is the first time that PayPal has become the most-impersonated global brand, unseating Microsoft that held the top spot for five quarters in a row. The number of phishing URLs that impersonated PayPal rose by 167.8% and 111.9% YoY in Q1 and Q2 2019 respectively but the surge declined slightly to 69.6% in Q3.
One particular phishing campaign impersonating PayPal that caught the security firm's attention targeted more than 700,000 people across Europe. The phishers behind this campaign sent emails to victims with subject lines such as "Last reminder before judicial action" and asked them to pay €45 to avoid prosecution. The emails contained URLs that victims were asked to visit to complete their payments. These URLs impersonated PayPal's domain and required visitors to fill in their PayPal usernames and passwords.
The researchers believe that PayPal's attractiveness as a brand worth impersonating can be attributed to two initiatives taken by the company in the recent past.
"First, PayPal announced in July that it would play a big role in Facebook’s new cryptocurrency Libra (though it later pulled out). PayPal also announced it would expand Xoom, the international money transfer platform it acquired in 2015, to 32 countries, including Austria, France, Germany, Italy, Spain, and Portugal," they said.
Phishers trying new techniques to target Microsoft & Office 365 users
Even though Microsoft is no longer the most-impersonated gobal brand, the researchers believe that instead of using a large number of phishing URLs, cyber criminals are now using new techniques to get past security barriers and to fool alert users.
For example, instead of creating new URLs for new campaigns, cyber criminals are now focussing on the construction of the email and leveraging various randomisation techniques to break through traditional defense layers. This way, phishers are able to reuse the same webpage across many emails.
Cyber criminals have also increased both the volume and variety of OneDrive/SharePoint phishing that involves them sending real OneDrive notifications with a URL to a real file where the phishing URL is housed, instead of sending fake notifications that contain phishing URLs.
Last week, security researchers at McAfee Labs also uncovered a phishing campaign that involved the use of fake voicemail messages and three phishing kits by phishers to lure Office 365 users at targeted organisations to fill in their credentials on fake login pages.
The campaign involved hackers sending emails to Office 365 users, stating that they had missed a call from a certain number on a certain date and in order to access their voicemail, they needed to click on a link provided in the email.
The researchers found that the phishing emails contained HTML files as attachments that redirected users to a phishing website. These websites contained pre-populated email address fields, Microsoft logos, password fields and "Sign in" tabs. Once victims entered their Office 365 passwords, they were redirected to the office.com login page.
The firm noticed that using this technique, hackers were able to harvest email addresses, passwords, IP addresses, and location of Office 365 users using three different phishing kits, all of which appear quite similar but can be differentiated on the basis of HTML codes and the parameters which were accepted by the PHP script.
FInancial services organisations more impersonated than cloud providers
Vade Secure also observed an alarming year-on-year increase in the number of phishing URLs that impersonate Netflix. The number of such URLs rose by 73.7% compared to Q3 2018 and also rose by 14.1% compared to Q2 this year. The researchers believe that Netflix' larger user base of 158 million subscribers as well as the release of blockbusters such as Stranger Things has made phishers capitalise on the excitement and try and catch people off guard.
In terms of industries targeted by impersonation campaigns, Vade Secure found that financial services organisations were the most targeted with 10 of the 25 most-phished organisations belonging to the sector. Six cloud companies and four social media giants also made it to the firm's list.
"Financial services took the top spot for the first time, accounting for 37.9% of all URLs, thanks to big growth from Chase (70.2%), Sun Trust Bank (750.8%), Desjardins (194.7%), Société Générale (83.9%), and BNP Paribas (358.2%). Financial services was followed by cloud (32.6%), social media (13.3%), e-commerce/logistics (9.8%), and internet/telco (5.1%), and government (1.2%)," it noted.