Microsoft says its threat analysts saw a 250 percent rise in the share of inbound Office 365 email that was phishing over the course of 2018, suggesting phishing will remain popular in the near future.
The company saw two major spikes in 2018: the first rose from 0.25 percent of all inbound email in February to 0.45 percent in March, and the second ran from October, when phishing made up 0.39 percent of all inbound email, to November, when it reached 0.55 percent.
Given that jump, and the reason phishing works, Microsoft says phishing -- a key reason why Hillary Clinton's 2016 presidential campaign emails were leaked -- will remain a challenge for the foreseeable future.
The problem lies in the fact that it “involves human decisions and judgement in the face of persistent efforts by cybercriminals to make victims fall for their lures,” according to Microsoft.
The company offered the snapshot in its 2018 Security Intelligence Report, in which it says it analyzes and scans over 470 billion email messages in Office 365 each month for phishing and malware threats. The number says nothing of how many emails Microsoft processes in total but it suggests phishing email volumes are huge.
The company has also watched phishing attackers mature over the year in response to increased efforts by Microsoft, Google and others to combat the sophisticated phishing attacks used as the initial compromise in intrusions.
Microsoft has found that phishing attackers now use multiple URLs, domains and IP addresses to send phishing email, while modern phishing campaigns can be both short-run attacks that last minutes or the more traditional high-volume campaigns that are sustained over months. Other attackers send bursts of email on a few successive days, it notes.
Attackers, like legitimate developers, have started using hosted servers and public cloud services, but for attackers these services offer camouflage: their infrastructure hides among many legitimate sites. That includes abusing document sharing and collaboration sites -- think Dropbox, Microsoft OneDrive, and Google Docs -- to spread malware and host fake login forms for stealing user credentials.
Attackers are also increasingly using already compromised accounts to spread malicious emails within and outside of affected organizations.
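The infrastructure patterns described above (many sending IPs and domains, several URL hosts per lure, and bursts that last minutes) are the kind of thing a mail-gateway log can surface. The example below is added here and is not Microsoft's code; it runs over a constructed log excerpt and groups messages by lure subject as a simplification of campaign clustering, flagging any group that rotates sending IPs or delivers most of its messages inside a five-minute window.

```python
"""Flag lure campaigns that rotate sending infrastructure or arrive in short bursts.

Added example with a constructed gateway log; the field layout and the
thresholds are assumptions for illustration, not from the report.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed log lines: "timestamp sender_ip sender_domain subject url"
# (subjects use hyphens instead of spaces so each line splits cleanly).
SAMPLE_LOG = """\
2018-11-05T09:00:03Z 203.0.113.10 mail-a.example Invoice-overdue https://docs-share.example/view?id=1
2018-11-05T09:00:09Z 203.0.113.22 mail-b.example Invoice-overdue https://docs-share.example/view?id=2
2018-11-05T09:00:41Z 198.51.100.7 mail-c.example Invoice-overdue https://files-share.example/view?id=3
2018-11-05T09:01:15Z 198.51.100.8 mail-d.example Invoice-overdue https://files-share.example/view?id=4
2018-11-05T09:02:30Z 203.0.113.10 mail-a.example Invoice-overdue https://docs-share.example/view?id=5
2018-11-05T10:15:00Z 192.0.2.5 newsletter.example Weekly-digest https://news.example/issue/42
2018-11-06T10:15:00Z 192.0.2.5 newsletter.example Weekly-digest https://news.example/issue/43
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, domain, subject, url = line.split(maxsplit=4)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "domain": domain,
            "subject": subject,
            "url_host": urlsplit(url).hostname,
        })
    return events


def summarise_campaigns(events, burst_window_s=300, burst_min=4, rotation_min=3):
    """Group messages by lure subject and score each group for rotation and burstiness.

    rotating_infrastructure: at least rotation_min distinct sending IPs.
    burst: at least burst_min messages inside any burst_window_s-second window.
    """
    by_subject = defaultdict(list)
    for e in events:
        by_subject[e["subject"]].append(e)

    report = {}
    for subject, evs in by_subject.items():
        evs.sort(key=lambda e: e["time"])
        times = [e["time"] for e in evs]

        # Sliding window: largest number of messages within burst_window_s seconds.
        peak, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > burst_window_s:
                start += 1
            peak = max(peak, end - start + 1)

        ips = {e["ip"] for e in evs}
        hosts = {e["url_host"] for e in evs}
        report[subject] = {
            "messages": len(evs),
            "distinct_ips": len(ips),
            "distinct_sender_domains": len({e["domain"] for e in evs}),
            "distinct_url_hosts": len(hosts),
            "span_minutes": (times[-1] - times[0]).total_seconds() / 60,
            "peak_in_window": peak,
            "rotating_infrastructure": len(ips) >= rotation_min,
            "burst": peak >= burst_min,
        }
    return report


if __name__ == "__main__":
    for subject, stats in summarise_campaigns(parse_log(SAMPLE_LOG)).items():
        print(subject, stats)
```

On the constructed data the "Invoice-overdue" lure is delivered from four IPs and two URL hosts within about two and a half minutes, so both flags fire, while the daily newsletter trips neither. Real clustering would key on more than the subject (URL path templates, attachment hashes, sender display names), but the rotation and burst measures stay the same.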
Microsoft singles out the Ursnif phishing campaign as a “sophisticated, targeted campaign” while labelling phishing campaigns related to the business email compromise (BEC) scams as non-targeted or “broad-based”.
The Ursnif phishing attacks used malicious macros in emailed Office documents with file names that spoofed a legitimate business. There were only 21 unique document file names used in the campaign it analyzed in mid-2018 and the attackers customized emails for businesses in a specific city or region.
BEC campaigns often relied on "domain impersonation" to trick recipients, registering and sending from a domain that merely looks like the target's domain, as opposed to "domain spoofing", where the message claims to come from the legitimate domain itself.
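The two cases need different checks. Exact-domain spoofing is a question of whether the message really passed the legitimate domain's mail authentication (SPF, DKIM, DMARC), which a string comparison cannot answer; a lookalike domain, by contrast, is visible in the From header itself. The function below, an added example and not part of the report, classifies a sender domain against a constructed allow-list of trusted domains: it folds a small, assumed table of confusable characters (digits for letters, a few Cyrillic homoglyphs), then catches single-character typos and brand names embedded in a longer domain.

```python
"""Classify a sender domain as exact, lookalike, or unrelated to a trusted domain.

Added example. TRUSTED_DOMAINS and CONFUSABLES are constructed for illustration;
an "exact" result only means the check must defer to SPF/DKIM/DMARC results.
"""
import re
import unicodedata
from email.utils import parseaddr

# Constructed allow-list of domains the organisation expects mail from.
TRUSTED_DOMAINS = ("contoso.com", "fabrikam.com")

# Assumed confusable table: Cyrillic homoglyphs, digits and letter pairs that
# read like a different Latin letter. Not exhaustive.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "rn": "m", "vv": "w", "cl": "d",
}


def normalise(domain):
    """Lower-case, decode punycode, strip accents and fold confusables."""
    d = domain.strip().rstrip(".").lower()
    try:
        d = d.encode("ascii").decode("idna")  # xn-- labels back to Unicode
    except UnicodeError:
        pass  # already Unicode, or not a valid IDN label; fold as-is
    d = "".join(ch for ch in unicodedata.normalize("NFKD", d)
                if not unicodedata.combining(ch))
    for confusable, plain in CONFUSABLES.items():
        d = d.replace(confusable, plain)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender_domain, trusted_domains=TRUSTED_DOMAINS):
    """Return ("exact" | "lookalike" | "unrelated", matched_trusted_domain_or_None)."""
    sender = sender_domain.strip().rstrip(".").lower()
    folded = normalise(sender)
    for trusted in trusted_domains:
        trusted_folded = normalise(trusted)
        if sender == trusted.lower():
            # Spoofing candidate: only authentication results can tell it apart.
            return ("exact", trusted)
        if folded == trusted_folded or edit_distance(folded, trusted_folded) <= 1:
            return ("lookalike", trusted)  # homoglyph or one-character typo
        brand = trusted_folded.split(".")[0]
        if brand in re.split(r"[.-]", folded):
            return ("lookalike", trusted)  # brand embedded, e.g. contoso-secure.com
    return ("unrelated", None)


def sender_domain_from_header(from_header):
    """Pull the domain out of a From header, ignoring the display name."""
    _, address = parseaddr(from_header)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


if __name__ == "__main__":
    for header in ("Contoso Billing <billing@contoso.com>",
                   "Contoso Billing <billing@cont0so.com>",
                   "IT Support <help@contoso-secure.com>",
                   "News <news@example.org>"):
        print(header, "->", classify_sender_domain(sender_domain_from_header(header)))
```

The display name is deliberately ignored: "Contoso Billing" in front of an unrelated address is its own, separate impersonation signal, and the folding table should be treated as a starting point rather than a complete homoglyph map.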
Microsoft tells the tale of an engagement in which it helped a customer fend off a targeted phishing campaign. The first phase used a URL embedded in an email sent to a small group within the organization, claiming that an important document was waiting to be viewed once the recipient authenticated with their domain credentials. The second phase used the newly compromised credentials to phish higher-value officers within the same organization.
Ransomware is becoming less common, according to Microsoft, which notes there was a 60 percent decline in ransomware encounters between March 2017 and December 2018, signaling both better detection of ransomware threats and a shift in tactics among cybercriminals, who want quick and easy money.
Instead of dealing with the friction of victims who can’t figure out how to pay, or decide not to pay because they have backed up their data, attackers increasingly opted to free-ride off victims’ hardware to mine cryptocurrency.
End users around the world are now much more likely to encounter a cryptocurrency miner than ransomware. The average worldwide encounter rate for coin mining malware was 0.12 percent, just over twice the 0.05 percent encounter rate for ransomware.
But the highest encounter rates for cryptocurrency mining malware are in poorer nations, where victims are less likely to have access to powerful hardware.
The highest rate was in Ethiopia, where the encounter rate was 5.58 percent, followed by Pakistan at 1.47 percent. The countries with the lowest coin mining encounter rates, averaging around 0.02 percent, were Ireland, Japan, the US, and China.