TTPwire Vol. 1 · MITRE ATT&CK·Tagged

← All stories

F5 Labs

2018 Phishing and Fraud Report: Attacks Peak During the Holidays

2018-11-08 · Read original ↗

ATT&CK techniques detected

36 predictions
T1566.002Spearphishing Link
98%
"victim ’ s bank saying “ click here to login and get your bank statement. ” figure 13 : fake link in an email message presents this legitimate - looking bank login screen other common phishing lures include : - donation requests. email requests from well - known charities solicit…"
T1566.002Spearphishing Link
98%
". instead, they should try reaching the site directly in a separate browser session. figure 26 : fake paypal website created by a scammer and reached via a malicious link in an email message technological defenses user awareness training is a great start and absolutely essential,…"
T1566.002Spearphishing Link
98%
"personal information, or click on a link or open an attachment. users should try to verify the alert using some other means such as connecting directly to the sender ’ s website or calling the help line. - unexpected email from a friend, acquaintance, colleague, or business assoc…"
T1566.002Spearphishing Link
98%
"figure 24. figure 24 : f5 phishing email with malicious link in the attached pdf requesting users log in with their f5 credentials figure 25 : example of a fake adobe login screen requiring the user to supply credentials before opening the pdf file - shortened urls from services …"
T1566.002Spearphishing Link
97%
"##ated some of the most popular internet services in the world. by spoofing these most commonly used services in combination with one of the familiar lures ( described in the previous section ), phishers increase the chances that an unsuspecting victim will trigger their maliciou…"
T1555.003Credentials from Web Browsers
97%
"have also expanded their targets well beyond banks to include popular retailers like best buy, victoria ’ s secret, macy ’ s and others, as was the case with ramnit. in 2018, panda malware, a spinoff of the zeus banking trojan, expanded its targets to include cryptocurrency excha…"
T1566.002Spearphishing Link
97%
"appear to come from a home buyer ’ s real estate agent on or near their scheduled closing date of a property. the email contains an attachment giving the buyer new ( different ) money wiring instructions that point to the scammer ’ s bank account. figure 11 : real estate scam wir…"
T1566.002Spearphishing Link
96%
"top impersonated companies in phishing attacks by name and industry, the growth rate in phishing attacks, and the fastest growing targets. we looked at how phishing works, the most common and successful phishing lures, what happens when a phishing attack is successful, and what t…"
T1566.002Spearphishing Link
96%
"https ). traffic from malware sites communicating with command and control ( c & c ) servers over encrypted tunnels is completely undetectable in transit without some kind of decryption gateway. this is significant to enterprise environments that rely on malware infection notific…"
T1566.002Spearphishing Link
96%
"names sound like real companies — or sound exactly the same but are spelled differently. phishers even go out of their way to install encryption certificates on these sites to appear more legitimate. ninety - three percent of the phishing domains webroot collected in september an…"
T1566.002Spearphishing Link
94%
"feature, instruct all users to call the helpdesk or security team if they see a suspicious email. if the email turns out to be a phishing attempt, the security team can quickly delete it from mailboxes ( so no one else is taken in by it ) and warn all employees. phishing attempts…"
T1566.002Spearphishing Link
93%
"that happen through an application vulnerability, which are likely fixed during the normal incident response process. phishing is a social engineering attack. you can ’ t apply a patch to someone ’ s brain ( at least, not yet ) or firewall off their ability to click on links or a…"
T1566.002Spearphishing Link
89%
"need to track that information so you can report on it later. - capture images of the phish for security awareness training later. nothing brings training home for users like when you show them real attacks against real folks in their organization. it ’ s hard to say “ it can ’ t…"
T1566.002Spearphishing Link
84%
". - web filtering. plan for your users to get phished and have a web filtering solution in place to block access to phishing sites. when a user clicks on a link to a phishing site, their outbound traffic to that site will get blocked. not only will this prevent a breach to your o…"
T1566.002Spearphishing Link
83%
"the globe. five of the banks service customers primarily in europe, and three ( including one payment processor ), service customers primarily in latin america. figure 17 : industry breakdown of the top 20 growing targets from september 2018 to october 2018 ( source : webroot ) f…"
T1598Phishing for Information
81%
"malware, exfiltration of data, theft of funds from bank accounts, ransomware extortion, and propagation of worm viruses to create botnets. in the indictment, fbi special agent nathan p. shields states, “ … such spear - phishing emails that are the product of reconnaissance are of…"
T1566.002Spearphishing Link
79%
"victims are likely to open that are often embedded with malware or offer an avenue for the victim to submit their financial information ( see figure 16 ). when organizations are conducting security awareness training, employees should be warned to stay vigilant and wary when it c…"
T1566.002Spearphishing Link
77%
"2018 phishing and fraud report : attacks peak during the holidays executive summary in november 2017, f5 labs published an introductory report entitled phishing : the secret of its success and what you can do to stop it. a year later, it should come as no surprise to security pro…"
T1566.002Spearphishing Link
75%
"in the case of spear - phishing, this lure is customized to the targeted victim. at the end of the year, phishers will take advantage of fiscal year - end and holiday events as part of their masquerade. technical engineering. devising the method to hack the victim, which can incl…"
T1566.001Spearphishing Attachment
75%
"those that ran 6 to 10 campaigns dropped the click - through rate to 28 % ; and those that ran 11 or more training campaigns reduced the rate to 13 %. additionally, phishing simulations and campaigns were found to be most effective when the content is current and relevant. this m…"
T1657Financial Theft
73%
"ll pivot and go after other targets. in other cases, say, with stolen credit card data, the thieves try to sell that data on the darknet. in turn, the buyer might do any of the following : - create fake credit cards by loading card numbers onto card blanks ( cashout services ) an…"
T1598.002Spearphishing Attachment
68%
"or executives. this phishing email with the “ urgent ” subject line was supposedly sent by f5 ’ s ceo to an employee. ( note the “ external email ” warning label, discussed later in the technological defenses section. this should be an internal email and would never be marked as …"
T1566.002Spearphishing Link
64%
"from january 2014 to the end of 2017. the overwhelming majority are phishing sites ( 75. 6 % ), followed by malicious scripts ( 11. 3 % ) and url redirects ( 5. 2 % ), which are also used in conjunction with phishing operations. mobile phishing ( 2 % ) makes an appearance as a tr…"
T1598Phishing for Information
63%
"in the case of spear - phishing, this lure is customized to the targeted victim. at the end of the year, phishers will take advantage of fiscal year - end and holiday events as part of their masquerade. technical engineering. devising the method to hack the victim, which can incl…"
T1056.003Web Portal Capture
63%
"screen shots, clipboard pastes, and keylogging are techniques all used by malware to capture login credentials and other sensitive information typed in by the user on their computer or mobile device. they ’ re typically downloaded to a user ’ s system, just like any other type of…"
T1566.002Spearphishing Link
60%
"legitimate and appear to come from real companies and organizations. one way they ’ re accomplishing this is by cloning real emails. quoting again from the federal indictment against park jin hyok : “ … the subjects of this investigation copied legitimate emails nearly in their e…"
T1566.002Spearphishing Link
55%
"##ware sites active in september and october leverage encryption certificates - reducing the amount of phishing emails that creep into employee mailboxes is key, but you also need to accept the fact that employees will fall victim to a phishing attack by preparing your organizati…"
T1598.003Spearphishing Link
50%
"in the case of spear - phishing, this lure is customized to the targeted victim. at the end of the year, phishers will take advantage of fiscal year - end and holiday events as part of their masquerade. technical engineering. devising the method to hack the victim, which can incl…"
T1566.001Spearphishing Attachment
48%
"that other users got the same phishing email and opened it, clicked on a link, or opened an attachment. - scan your email system for the phishing email and remove it from all mailboxes. there is a decent chance it ’ s still in the mailboxes of employees who haven ’ t seen it yet,…"
T1566.001Spearphishing Attachment
48%
"or executives. this phishing email with the “ urgent ” subject line was supposedly sent by f5 ’ s ceo to an employee. ( note the “ external email ” warning label, discussed later in the technological defenses section. this should be an internal email and would never be marked as …"
T1598Phishing for Information
42%
"ll steal any information that will give them access to accounts. in f5 labs ’ report lessons learned from a decade of data breaches, phishing was found to be the root cause in 48 % of breach cases we investigated. not only is phishing the number one attack vector, it ’ s consider…"
T1598.003Spearphishing Link
42%
"names sound like real companies — or sound exactly the same but are spelled differently. phishers even go out of their way to install encryption certificates on these sites to appear more legitimate. ninety - three percent of the phishing domains webroot collected in september an…"
T1566.002Spearphishing Link
42%
"through rate on malicious emails, links, and attachments from 33 % to 13 %. - common phishing lures are known and should therefore be a key focus of your security awareness training. - seventy - one percent of phishing attacks seen from september 1 through october 31, 2018 focuse…"
T1566Phishing
41%
"malware, exfiltration of data, theft of funds from bank accounts, ransomware extortion, and propagation of worm viruses to create botnets. in the indictment, fbi special agent nathan p. shields states, “ … such spear - phishing emails that are the product of reconnaissance are of…"
T1598.003Spearphishing Link
41%
"malware, exfiltration of data, theft of funds from bank accounts, ransomware extortion, and propagation of worm viruses to create botnets. in the indictment, fbi special agent nathan p. shields states, “ … such spear - phishing emails that are the product of reconnaissance are of…"
T1598.002Spearphishing Attachment
31%
"malware, exfiltration of data, theft of funds from bank accounts, ransomware extortion, and propagation of worm viruses to create botnets. in the indictment, fbi special agent nathan p. shields states, “ … such spear - phishing emails that are the product of reconnaissance are of…"

Summary

Phishing attack? Absolutely. Success? Likely. Risk of incident? High. Breach costs? About $6.5 million.