Phish Labs Phishing News

Executive protection can no longer be siloed. High-profile executives face increasing risks not just from cyberattacks and doxxing, but also from real-world harm linked to online exposure. From targeted harassment campaigns to threats fueled by leaked personal data, the line between virtual and physical safety is fading. As a result, having proper digital executive protection is just as critical as traditional physical security — and often, it’s the first layer of defense.

Every quarter, Fortra analyzes thousands of social media incidents to identify the top threats and trends plaguing organizations, their brands, and employees. Social media is a highly attractive environment to cyber attackers due to the large user base, constant flow of information, and the shift of younger generations relying more on social platforms for information instead of web searches. This blog will offer insights into the most targeted social media platforms by threat actors, and an overview of the threat landscape in each of those platforms.

Fortra has observed a rising trend in legitimate service abuse, with a significant volume of attacks targeting Cloudflare Pages. Workers.dev is a domain used by Cloudflare Workers’ deployment services, while Pages.dev is used by Cloudflare’s Pages platform that facilitates the development of web pages and sites. Fortra’s Suspicious Email Analysis (SEA) team has identified different threats being hosted on this platform, including attacks such as phishing redirects, phishing pages and targeted email lists.

Fortra has identified active phishing campaigns capable of evading email security gateways and filters. This analysis outlines key tactics, real-world examples, and related threat indicators. Sample Email Lure Sample 1: Vishing Example Sample 2: Office365 Phishing Example Sender Verification

In the world of domain ownership, the need for disputes and enforcement can occur. But how should they be handled? What’s the difference between Uniform Domain-Name Dispute-Resolution Policy (UDRP) domain takeovers and a domain takedowns? Let’s take a closer look at the processes.

Fortra has identified active phishing campaigns capable of evading email security gateways and filters. This analysis outlines key tactics, real-world examples, and related threat indicators.Sample Email Lure Sender Verification

Active Phishing Campaigns are coordinated attacks that Fortra has observed bypassing email security gateways and filtering tools. The following analysis includes examples, high-level details, and associated threat indicators. To protect the privacy of Fortra’s clients, the brand targeted in this attack has been anonymized and is generically referred to as “Brand” whenever their name appears in the context of this attack campaign.Sample Email Lure Sender Verification

According to Cybersecurity Ventures, cybercrime would be the world’s third-largest economy (after the U.S. and China) if measured as a country as its damages may total $9.5 trillion globally in 2024. While this may be a surprising stat, it should reiterate the importance of your cybersecurity plan and solutions. External threats play a large part in digital threat landscape, and like the name suggests, external threats are those that come from outside of your organization.

Every day, the digital threat landscape morphs as threat actors come up with new ways to infiltrate and succeed against your organization. To take proactive measures against cyber threats, organizations need threat detection strategies.Of the three forms of threat intelligence (strategic, operational, and tactical), tactical threat intelligence is the most directly actionable. This form of threat intelligence is meant for direct consumption by security practitioners or automated systems, and usually consists of threat data such as indicators or heuristics. It has two primary purposes.

Fortra’s PhishLabs announces a new, native integration for stronger brand protection with digital banking platform, Jack Henry Banno. This significant update will help PhishLabs and Banno customers identify phishing quicker and more accurately. “This integration is a win for all involved. It simplifies the process for our customers, ensures the secure handling of low-sensitivity data, and enables us to detect attacks much sooner – in some cases before they reach the targeted customer,” explains Eric George, director, Fortra solutions engineering.

Understanding how cyberattacks unfold is key to stopping them. In this blog, Fortra’s threat researchers break down the anatomy of a recent smishing campaign, revealing the tactics, techniques, and infrastructure behind the attack.

Active Phishing Campaigns are coordinated attacks that Fortra has observed bypassing email security gateways and filtering tools. The following analysis includes examples, high-level details, and associated threat indicators. Sample Email Lure Sender Verification

Active phishing campaigns observed by Fortra are coordinated attacks that successfully bypass email security gateways and filters. This analysis presents examples, key insights, and relevant threat indicators.Sample Email Lure

One of the most used phishing-as-a-service platforms, LabHost, has been taken down by an international group of law enforcement authorities coordinated by Europol. Fortra has closely monitored LabHost and has mitigated tens of thousands of phishing attacks carried out by cybercriminals using the platform in recent years. LabHost is estimated to have obtained 480,000 card numbers, 64,000 PIN numbers, and no less than one million account passwords. Earlier this year, we published a detailed profile on LabHost.

Browser fingerprinting has become a powerful tool in the cybercriminal’s arsenal, enabling phishing site operators to bypass security checks and extend the life of malicious campaigns. Originally developed for legitimate purposes—such as uniquely identifying web browsers—it has now been co-opted by threat actors. Today, it’s a widespread tactic in phishing attacks, with research revealing that one in four phishing sites leverages some form of browser fingerprinting.

Credit unions were the top targeted industry on the Dark Web in Q4 2023, continuing its lead over the historically targeted banking industry for the third consecutive quarter. Financials as a whole continue to be a primary focus of criminal groups on underground channels, with more than 91% of malicious activity directed at either credit unions, banks, financial services, or payment services.

In Q4, impersonation threats made up more than 45% of total attacks on social media, with the vast majority targeting banking and financial services. Impersonation on social media continues to grow, with threats specifically targeting corporate executives responsible for driving the majority of volume for three consecutive quarters.

In Q4, three malware families represented more than 93% of all payload volume targeting end users, with Malware-as-a-Service (MaaS) DarkLoader leading all other reports. Fortra first received reports of DarkLoader in user inboxes in Q3, with attack volume picking up significantly beginning in October. The shift to criminal activity associated with DarkLoader comes after coordinated efforts by officials in Q3 to disrupt former malicious powerhouse QBot.

Compare Phishing Performance With Global Results The results are in! Fortra’s Terranova has recently made the 2023 Gone Phishing Tournament results available for review. More than 250 organizations participated globally in the free annual phishing simulation training. Hosted in October 2023, the event helps organizations and security leaders better understand high-risk areas, compare phishing performance, and establish data-driven goals with accurate benchmarking data.

The majority of malicious emails reported in user inboxes contained a link to a phishing site, making credential theft emails the attack method of choice for cybercriminals in Q4. Credential theft made up nearly 60% of all reported incidents, with more than half of the volume attributed to O365 attacks. Despite the threat actor preference toward this threat type, credential theft attacks declined as a whole in Q4, with increased reports of response-based and malware attacks reaching inboxes.

Fortra is monitoring malicious activity targeting Canadian banks conducted by Phishing-as-a-Service group LabHost. Throughout 2022 and 2023, Fortra has observed phishing attacks connected with Phishing-as-a-Service (PhaaS) groups grow as threat actors use the tools provided through membership services to launch a variety of campaigns. The providers of these platforms boast features such as access to an array of stolen industry branding, monitoring tools, security bypass abilities, and more.

Phishing sites impersonated the social media industry more than any other in Q2, Q3, and Q4 of 2023. In Q4 alone, social media phish leapt nearly 20%, reaching the highest volume of abuse (over 67%) since Fortra has reported on this data point.Every quarter, Fortra’s PhishLabs examines hundreds of thousands of phishing attacks targeting enterprises and their brands. In this post, we break down the latest phishing activity, staging methods, and top-level domain abuse.

Historically, the average brand is targeted by 40 look-alike domains per month. Look-alikes are a strategic component of malicious lures and websites and used in a variety of spaces including social platforms, text messages, the open web, and email. An attack that incorporates a look-alike domain can mean the difference between a convincing campaign and a suspicious one, with a versatility that allows them to mislead victims and their security tools.

Most organizations have security controls in place to inspect URLs in emails to prevent the risk of credential phishing and business email compromise (BEC) attacks. However, threat adversaries have pivoted their tactics to bypass security stacks. And clicking these types of attacks often leads to account takeover. In fact, data from Fortra in Q2 2023 reported more than three-quarters of credential theft attacks stemming from a link pointing victims to malicious websites.

Executive impersonation on social media is at an all-time high as threat actors take advantage of AI to improve and scale their attacks. In Q3, accounts pretending to belong to high-ranking executives on social media climbed to more than 54% of total impersonation volume, surpassing brand attacks for the first time since Fortra began tracking this data. The volume and composition of these attacks strongly indicates they are crafted using generative AI.

In this Tripwire guest blog, we break down how to best communicate the significance of a cybersecurity investment.

How will the digital risk and email security landscape evolve in 2024? In this VM Blog article, Eric George discusses the industry’s future and shares his seven predictions for 2024. Originally published in VM Blog. Excerpt:

It’s not news that most enterprises operate in the cloud. Migration to the cloud leads to better collaboration, data storage, and lower costs compared to on-premises resources. Odds are your organization is currently enjoying the conveniences of the cloud. The cloud has reshaped the way organizations operate, but with the migration comes new obstacles in email security, and the cloud has its own vulnerabilities. Relying on Microsoft’s add-on security features is simply not enough at stopping advanced threats.

As we approach the end of the year, LastPass Labs has reviewed the last 12 months to take account of the threat environment and how it has changed, as well as our accomplishments. Throughout 2023, the Threat Intelligence, Mitigation, and Escalations (TIME) team focused on rapidly expanding our capabilities to protect our customers from phishing sites and/or infostealers.

There is little doubt that AI-fueled impersonation campaigns and novel attacks via non-traditional channels have emerged as a primary concern for security teams. Brand impersonation is on the rise, with nearly 40 look-alike domains targeting brands each month. On social media, impersonation attacks account for almost half of all threatening content. And online counterfeit campaigns are increasingly abusing trademarked materials in paid search ads and direct messages to convince victims of their legitimacy.