Phishing attacks are surging in both sophistication and frequency – trending up at a rate of over 700% in 2024 – leaving businesses vulnerable to identity-based threats and costly data breaches. For defenders, understanding phishing trends and tactics in order to proactively defend against the potential consequences is critical.
At SpyCloud, we specialize in recapturing stolen data from phishing campaigns, malware infections, and breaches, to empower organizations with much-needed defense levers. Here, we’ll review how phishing works, the types of data cybercriminals target in phishing campaigns, and strategies to protect your business.
What is phishing and why does it matter for businesses?
Phishing is a social engineering tactic where attackers trick individuals into providing sensitive information – like login credentials or financial details – through fraudulent emails, fake websites, or SMS messages. For businesses, falling victim to phishing can lead to account takeover, online fraud, ransomware attacks, and business email compromise (BEC).
Cybercriminals are increasingly targeting businesses due to the lucrative nature of stolen corporate credentials and other valuable identity data, like PII. Credential leaks from phishing attacks often serve as gateways to larger, more damaging cybercrimes. A single compromised account can provide attackers access to critical systems, enabling them to deploy ransomware or exfiltrate private data to sell on underground markets.
In fact, in our most recent ransomware research, we asked security professionals who had been affected by ransomware to share the entry points attackers used to gain initial access. The top entry point on the list? Phishing.
The threat posed by phishing emphasizes the need for defense strategies that are proactive in nature, which is why we focus on recapturing the data stolen in phishing attacks to help defenders prevent follow-on attacks like ransomware.
How phishing works and what bad actors are after
Phishing campaigns are more than just random emails – they are often meticulously designed criminal operations. Unfortunately, the phishing problem is now being fueled by AI, increased personalization tactics, and the opportunity presented to bad actors by the proliferation of user devices (including mobile devices). Together, these factors give criminals a leg up when it comes to tricking even the most discerning victims.
But let’s pause a second and revisit some basics.
Anatomy of a phishing attack
- The lure: This is the enticing message that captures the victim's attention. It may claim urgent action is needed, such as verifying a payment or confirming account details.
- The hook: The message often contains a link to a fake website that mimics a legitimate site. This is the vector that leads users to compromise their credentials.
- The payload: After the victim inputs their information, it is sent directly to the cybercriminal, often without any indication of wrongdoing. In some cases, the victim may even be redirected to a legitimate site, making it appear as if they successfully completed what the lure enticed them to do – and further allaying any suspicions.
Successful phishing attacks rely on social engineering. In phishing campaigns, criminals try to exploit human emotions like fear, urgency, or curiosity, to prompt a person to act quickly without thinking critically. For instance, a phishing email may threaten account suspension if immediate action is not taken, leveraging the victim’s anxiety to bypass their usual caution.
Breaking down the phishing attack lifecycle
- Creation: Attackers use phishing kits, which are pre-packaged tools containing email templates, fake website designs, and scripts, to craft convincing lures.
- Delivery: Messages are sent via email, SMS, or even messaging apps. Attackers often impersonate trusted brands or colleagues to exploit trust.
- Execution: Victims are directed to spoofed websites that capture sensitive data once it is entered, prompted to download malware, or prompted to call a phone number that connects them with a live criminal.
- Evading detection: Techniques like URL shorteners, CAPTCHA challenges, and geofencing help bypass security measures.
The types of data cybercriminals target in phishing attacks
- Credentials: Stolen login information allows attackers to breach systems and execute account takeovers.
- Personally identifiable information (PII): Social Security numbers, addresses, and other details are used for identity theft or synthetic identity fraud.
- Financial details: Credit card numbers and bank information are frequently monetized on underground markets.
What happens to data stolen in phishing attacks?
- Stolen credentials are used to infiltrate systems and encrypt data, demanding a ransom.
- Access to corporate accounts can lead to unauthorized access to sensitive systems.
- Stolen customer data can be used to create new accounts or to fraudulently log in to user accounts to conduct financial theft, including cashing out or liquidating victim accounts.
- Attackers impersonate executives or employees to defraud companies and customers.
Imagine a scenario where stolen employee credentials grant attackers access to a cloud environment, enabling them to exfiltrate sensitive data, deploy malware, or escalate attacks across the supply chain.
Real or ph-ake: Recent phishing campaign examples
SpyCloud has investigated cases where phishing campaigns impersonate social media, telecommunications, and information technology providers. Here are a few examples of recent phishing campaigns.
Social Media
This phishing campaign targets users of Meta applications such as Facebook, Instagram, and Threads. The page, which was hosted at repportproblemscopyright[.]cloud, contains a fake warning apparently from Meta that tells the user that their fanpage has violated Meta’s “Terms of Service and Community guidelines.” It prompts the user to input their Meta account information to “request a review” of the TOS violation.
This phishing campaign impersonates a trusted brand – Meta – and attempts to create a sense of frustration and urgency by telling users that their Meta account has been restricted. This sense of urgency is meant to distract users from noticing inconsistencies, such as the fact that the page is not hosted on any of Meta’s well-known domains like meta.com or facebook.com.
Software
This phishing page, which was hosted at lagencecom[.]github[.]io, uses Microsoft branding and has a simple user interface that prompts a user to input an email address to access a “secure Organization Office.” Then, this initial landing page validates the user-provided email address against a standard regular expression to make sure it is in a valid email format. The source code for the page also appears to have an option to check it against a targeting list of email addresses, so that only victims that the phishing page operators care about get through to the next page and are prompted to input more sensitive information and PII. However, in this deployment of the page, this useVerifiedEmailList option appears to be toggled off.
Like the Meta campaign, this page impersonates a trusted, well-known brand—Microsoft. While it does not explicitly prey on users’ sense of urgency, it does pique their curiosity by using phrases like “sensitive information” to entice victims, implying that the files are confidential and therefore might contain interesting material.
Telecom Provider
This phishing page, which was hosted at chartreuse-midnight-mambo[.]glitch[.]me, impersonates the Deutsche Telekom brand. Specifically, this page appears to impersonate their Telekom Mail consumer webmail service. Deutsche Telekom is a large German telecommunications company that operates subsidiaries around the world including T-Mobile.
In Germany, Deutsche Telekom also operates as an ISP and mobile phone carrier. Therefore, if a victim whose credentials are stolen by this page uses the same username and password for all of their Deutsche Telekom accounts, an attacker could gain access to the victim’s mobile phone service, internet service, and email accounts all at once.
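All three campaigns above share one tell: the page is not hosted under any domain the impersonated brand actually owns, and two of them sit on free hosting platforms. The following is an added example (not SpyCloud's code or tooling) of a triage helper that refangs an indicator, extracts its hostname, and checks it against a constructed allow-list of brand domains (only meta.com and facebook.com come from the text; the remaining domains and lure keywords are assumptions for this example).

```python
from urllib.parse import urlsplit

# Constructed allow-list of registrable domains the impersonated brands really use.
# meta.com and facebook.com are named in the text; the others are assumptions.
BRAND_DOMAINS = {
    "Meta": {"meta.com", "facebook.com", "instagram.com", "threads.net"},
    "Microsoft": {"microsoft.com", "office.com", "live.com"},
    "Deutsche Telekom": {"telekom.de", "t-online.de"},
}
# Lure words a lookalike hostname tends to carry (constructed list).
LURE_WORDS = ("meta", "facebook", "copyright", "microsoft", "office",
              "telekom", "login", "verify", "secure")
# Free hosting platforms where the second and third campaigns were found.
FREE_HOSTING = ("github.io", "glitch.me")


def refang(url):
    """Turn a defanged indicator like 'example[.]com' back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def hostname_of(url):
    """Extract the lowercase hostname; bare hostnames are accepted too."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def under(host, domain):
    """True only if host IS domain or a subdomain of it (not 'meta.com.evil.cloud')."""
    return host == domain or host.endswith("." + domain)


def assess(url, brand):
    """Return (verdict, reasons) for a URL whose page claims to belong to `brand`."""
    host = hostname_of(url)
    if any(under(host, d) for d in BRAND_DOMAINS[brand]):
        return "legitimate", []
    reasons = []
    if any(under(host, f) for f in FREE_HOSTING):
        reasons.append("hosted on a free platform")
    if any(w in host.replace("-", "") for w in LURE_WORDS):
        reasons.append("lure keyword in hostname")
    reasons.append(f"not under {brand}'s domains")
    return "suspicious", reasons


if __name__ == "__main__":
    for ioc, brand in [("repportproblemscopyright[.]cloud", "Meta"),
                       ("lagencecom[.]github[.]io", "Microsoft"),
                       ("chartreuse-midnight-mambo[.]glitch[.]me", "Deutsche Telekom")]:
        print(ioc, "->", assess(ioc, brand))
```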
How SpyCloud helps neutralize phished data
SpyCloud’s solutions are designed to disrupt the lifecycle of follow-on attacks that leverage phished data through:
- Continuous identity exposure monitoring and detection: We detect compromised credentials, financial info, and other data stolen via phishing, alerting you to potential risks.
- Exposure remediation: SpyCloud enables businesses to understand what data criminals have in their hands and take action – like resetting stolen credentials, requiring enhanced authentication, or blocking account access – before criminals carry out attacks.
- Regularly monitoring for identity exposures to detect risks early, and automatically resetting stolen credentials.
- Aiding investigations of financial crime, insider risk, ransomware attacks, identity theft, supply chain exposures, and malware-infected hosts.
How to beat threats from phished data
Phishing remains one of the most pervasive cyber threats to businesses, because the data collected in a phishing attack is so useful for more damaging follow-on attacks. Understanding its mechanics and impact can help organizations stay ahead. By recognizing the types of data targeted, mitigating stolen credential risks, and adopting SpyCloud’s proactive defenses, you can reduce your exposure to identity-based attacks that use phished data.
SpyCloud is at the forefront of phishing mitigation – helping businesses neutralize threats and protect employee and customer identities.