APWG Report: Phishing Attacks Rise in the Third Quarter of 2020

Most of the BEC Attacks Mounted With Deceptive Domain Names Registered by Just Five Registrars

The APWG’s new Phishing Activity Trends Report reveals a rise in reported phishing since March of 2020. In August and September of 2020, the APWG logged 200,000 phishing sites per month with more than 500 separate brands attacked by phishers each month in the quarter.

APWG contributor OpSec Security found that phishing that targeted webmail and Software-as-a-Service (SaaS) users continued to be the biggest category of phishing, with 31.4 percent of all attacks. Banks and other financial institutions were the targets of 19.2 percent of attacks, and payment processing systems such as PayPal and Square were targets for 13.4 percent of attacks. Phishing against the social media sector was 12.6 percent of attacks, primarily driven by attacks against Facebook and WhatsApp. APWG member Axur also noted that phishing in Brazil continues to trend upward, primarily attacking e-commerce and webmail services.

APWG contributor Agari continued to track “business email compromise” (BEC) attacks that focus on key personnel within targeted enterprises, one of the most damaging types of Internet crimes. BEC attacks that sought wire transfers from victim companies sought an average of $48,000. Agari also found that scammers requested funds in the form of gift cards in 71 percent of BEC attacks, which are easier to cash out. During the third quarter of 2020, the average amount of gift cards requested by BEC attackers was $1,205.

Agari’s research in the quarter revealed that about 16.3 percent of BEC attacks involved domain names registered by the scammers, domains that they used to send email to their intended victims. Most of these were registered at just five registrars: Namecheap, Public Domain Registry, Google, Tucows and NameSilo.

Phishers are also deploying encryption to fool users into thinking that phishing sites are legitimate and safe. APWG contributor PhishLabs found that in the third quarter of 2020, 80 percent of phishing sites had SSL encryption enabled. Encryption is deployed on phishing sites more often than on regular web sites: SSL is currently found on only 66.8 percent of all web sites across the Internet.

“Now, 80 percent of phishing sites have SSL encryption enabled – which surprisingly is even higher than web sites in general,” said John LaCour, CTO of PhishLabs. (According to a Q-Source survey, as of October 2020, only 66.8 percent of web sites used SSL by default.)  

“Not surprisingly, most SSL certificates used by phishers were Domain-Validated (‘DV’), which is the weakest form of certificate validation,” said LaCour. PhishLabs looked at 53,189 certificates used on phishing sites, and found that 91.3 percent were DV, while 8.6 percent were OV (Organization Validation) certs, and just 0.1% were Extended Validation (EV).

Finally, separate studies developed by by RiskIQ and Interisle Consulting Group analyzed the use of domain names for phishing. They reveal that phishers continue to obtain domain names predominantly from certain registrars and in certain top-level domains, and the latter study found that phishers themselves registered about 60 percent of the domain names on which phishing occurs. 

The full text of the report is available here: http://docs.apwg.org/reports/apwg_trends_report_q3_2020.pdf

About the APWG

Founded in 2003, the Anti-Phishing Working Group, (APWG) is the global industry, law enforcement, and government coalition focused on unifying the global response to electronic crime. Membership is open to qualified financial institutions, online retailers, ISPs and Telcos, the law enforcement community, solutions providers, multilateral treaty organizations, research centers, trade associations and government agencies. There are more than 2,000 companies, government agencies and NGOs participating in the APWG worldwide. The APWG’s www.apwg.org and education.apwg.org websites offer the public, industry and government agencies practical information about phishing and electronically mediated fraud as well as pointers to pragmatic technical solutions that provide immediate protection. The APWG is co-founder and co-manager of the STOP. THINK. CONNECT. Messaging Convention, the global online safety public awareness collaborative https://education.apwg.org/safety-messaging-convention and founder/curator of the eCrime Researchers Summit, the world’s only peer-reviewed conference dedicated specifically to electronic crime studies www.ecrimeresearch.org. APWG advises hemispheric and global trade groups and multilateral treaty organizations such as the European Commission, the G8 High Technology Crime Subgroup, Council of Europe’s Convention on Cybercrime, United Nations Office of Drugs and Crime, Organization for Security and Cooperation in Europe, Europol EC3 and the Organization of American States. APWG is a member of the steering group of the Commonwealth Cybercrime Initiative at the Commonwealth of Nations. Among APWG’s corporate sponsors are: AhnLab, Area 1, AT&T (T), ACRONIS, Afilias, ALSI GROUP NetSTAR, Allure Security, Amazon Web Services (AMZN), AnchorFree, Avast!, AVG Technologies, AWAYR AI, Axur, Baidu Antivirus, BANDURA Systems, Bangkok Bank, Banelco CSIRT, Claro Security Team, Barracuda Networks, BillMeLater, Bkav, Bolster, BrandMail, BrandProtect, Bsecure Technologies, ByteDance, CSC Digital Brand Services, Check Point Software Technologies, CipherTrace, Claro, Cloudmark, COINBASE, Cofense, Comcast, CrowdStrike, CSIS, CSIRTBANELCO, Cyxtera, Cyber Defender, CYREN, Cyveillance, DNS Belgium, DigiCert, Domain Tools, Donuts, Duo Security, Easy Solutions, PayPal, eCert, EC Cert, Entrust Datacard, ESET, EST Soft, Facebook (FB), FeelSafe Digital, FEBRABAN, Fortinet, FraudWatch International, F-Secure, GMS, GetResponse, GlobalSign, GoDaddy, Google (GOOGL), Group-IB, Hauri, Hitachi Systems, Ltd., Huawei, Hyas, .ID, ICANN, Identity Guard, Illumintel, Infoblox (BLOX), IronPort (Cisco), Ingressum, Intel (INTC), Interac, IT Matrix, iThreat Cyber Group, iZOOlogic, Kaspersky Lab, KnowBe4, CaixaBank, Lenos Software, LINE, LookingGlass, MX Tools, MailChannels, MailJet, MailChimp, MailShell, MailUp, Microsoft (MSFT), MicroWorld, Mimecast, Mirapoint, NHN, MyPW, nProtect Online Security, Netcraft, Network Solutions, Neustar (NSR), Noblis, Nominet, Nominum, NZRS Limited, OpSec Security, Palo Alto Networks, Public Interest Registry, Phishlabs, PhishMe, Planty.net, Prevalent, Prevx, Proofpoint, PSafe, RSA Security (EMC), Rakuten, RedMarlin, Return Path, RiskIQ, RuleSpace, SalesForce, SecureBrain, Secutec, SecureITLab, SegaSec, SendGrid, S21sec, SIDN, SilverPop, SLASHNEXT, SiteLock, SnoopWall, SoftForum, SoftLayer, SoftSecurity, SOPHOS, SunTrust, SurfControl, Symantec (SYMC), TDS Telecom, Telefonica (TEF), ThreatSTOP, Thomsen Trampedach, TransCreditBank, Trend Micro (TMIC), Trustwave, Twilio, UITSEC, Vasco (VDSI), VADE-RETRO, Verisign (VRSN), VIETTEL Cyber Security, VILSOL, Webroot, Workday, Wombat Security Technologies, ZEROFOX, ZIX, and zvelo.

Contacts

APWG Secretary General Peter Cassidy (pcassidy@apwg.org, +1.617.669.1123); 
OpSec: Stefanie Ellis at OpSec Security (Stefanie.ellis@markmonitor.com); 
Agari: Jean Creech of Agari (jcreech@agari.com, +1.650.627.7667); 
Axur: Eduardo Schultze of Axur (eduardo.schultze@axur.com, +55 51 3012-2987); 
PhishLabs: Stacy Shelley of PhishLabs (stacy@phishlabs.com, +1.843.329.7824); 
RiskIQ: Kari Walker of RiskIQ (Kari@KariWalkerPR.com, +1.703.928.9996).

Source: APWG