As we prepare to close the book on 2014, researchers at PhishMe, which provides organizations with the ability to train their employees and customers about the risks of spear phishing, have analysed the phishing emails received in the last 12 months to identify the most interesting trends observed.
The top three phishing scams of 2014, according to PhishMe researchers Ronnie Tokazowski and Shyaam Sundhar, are:
In third place: Compromised .edu domain serving ZeuS
Near the end of October, a pretty ordinary phishing email circulated with a .zip attachment supposedly containing information about a payment. The attachment contained a form of Zeus. Why does it make the list? The attackers sent the email from a compromised .edu domain. The trusted nature of an educational institution’s domain, and the generous amount of bandwidth those domains usually have, provide attackers with an appealing platform for delivering malware.
In second place: Dropbox Phishing
The rise of 3rd-party cloud services like Dropbox has provided attackers with an interesting new method to deliver nasty stuff through your network. In a round of emails last June that served as the precursor to Dyre, we received phishing emails that linked to a supposed invoice on Dropbox. The Dropbox link itself was legitimate, only it led to a .zip file containing a .scr, not an invoice. Dropbox has been quick to shut down this type of abuse, but it’s proven to be a great method for attackers to get past spam filters. Dropbox use is so pervasive that most organizations won’t block its links. A few weeks later we would see Dropbox links abused in targeted attacks against the Taiwanese government.
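Because the link or sending domain in these cases was legitimate, the archive's contents are the part a defender can still inspect. The following Python check is an added example, not PhishMe's own tooling: it lists members of a .zip that a mail or web gateway would want to quarantine, including a .scr hidden behind a document-style name or inside a nested archive. The extension lists, depth limit, function names and sample archive are assumptions made for the illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists for this example; tune them to local policy.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
MAX_DEPTH = 3  # stop recursing into nested archives


def risky_members(zip_bytes, depth=0, prefix=""):
    """Return [(member_path, reason)] for members that warrant quarantine."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [(prefix or "<archive>", "unreadable archive")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Windows ignores trailing dots and spaces, so strip them first.
            name = PurePosixPath(info.filename.rstrip(" ."))
            suffixes = [s.lower() for s in name.suffixes]
            last = suffixes[-1] if suffixes else ""
            if last in EXECUTABLE_EXTS:
                decoy = len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS
                findings.append((path, "double extension" if decoy else "executable"))
            elif info.flag_bits & 0x1:
                # Encrypted members cannot be inspected, so flag them.
                findings.append((path, "encrypted member"))
            elif last == ".zip" and depth >= MAX_DEPTH:
                findings.append((path, "nesting too deep"))
            elif last == ".zip":
                findings += risky_members(archive.read(info), depth + 1, path + "!")
    return findings


def build_sample():
    """Constructed sample: a harmless PDF, a decoy-named .scr and a nested zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("payment.scr", b"constructed placeholder, not a real binary")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.pdf", b"constructed placeholder")
        z.writestr("Invoice.pdf.scr", b"constructed placeholder")
        z.writestr("more/docs.zip", inner.getvalue())
    return outer.getvalue()
```

Calling `risky_members(build_sample())` reports the decoy-named file as a double extension and the nested `payment.scr` as an executable, while the plain PDF passes.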
Top of the List: Dyre malware email
The most notorious phishing email of 2014 seemed innocent enough at first glance. We actually received two emails containing the then-unknown malware, both of them pointing to links from a third-party file sharing service, Cubby. The content of the emails itself was bland: one simply directed the recipient to a link to an invoice, while the other was a bit more extensive, directing the recipient to a link to learn more about a failed tax payment. Both of these led to the now notorious Dyre malware, a remote access Trojan (RAT) that has targeted banking information and customer data. Dyre’s impact has been widespread enough to catch the attention of the US CERT.
Speaking about these phishing trends, Ronnie Tokazowski said, “If we learned only one thing about phishing in 2014, it should be that phishing attackers repeat themselves. This can prove useful to help us defend against phishing in the future. While the security industry has traditionally focused on bad IP addresses and malware when it comes to phishing, we ought to be focused on tactics, techniques, and protocol. Focusing on email content, headers, and URLs to recognize patterns and take preventive action will add another layer of phishing defence.”