Last week we discussed some trends that we observed in phishing over the past three months. We highlighted a campaign against Canadian banks hosted on compromised WordPress sites and techniques to disguise URLs.
Today in part two of our phishing roundup, we’re going to look at trending brands from the past three months.
Since June, 2019, we’ve been manually analyzing compromised domains reported by a specific intelligence feed, that many security vendors and researchers might consider benign at first glance. The small set of data we’re looking at is an average of 30 malicious URLs per day – enough to get an idea of what’s going on in some areas.
While compromised sites and custom domain names are still extremely common, phishing URL’s are commonly found on cloud providers such as onedrive.live[.]com, webcore.windows[.]net, and blob.core.windows[.]net.
These services make setting things up easier for an attacker, and they appear more legitimate to the victim.
Regardless of where the phish is stored, a significant amount of what we see are targeting just a few services and businesses.
Compromised vs Non-Compromised:
Compromised sites may end up targeting specific users of a service, but it’s the domains that were set up just for one kind of phish that will typically have more of a target demographic in mind.
Looking at three months of data, we observed 278 compromised domains and 504 non-compromised domains. This means we’re seeing a lot more domains set up just to get victim credentials or to deliver some kind of malware.
The majority of most common brands observed in our analysis over the three month time frame are not too surprising:
Microsoft Office 365 phishes are the most popular, and these are typically residing at URLs like:
The second most common phish from one of our intelligence sources that we’ve been seeing is an unexpected one: Banorte Bank. Banorte[.]com was created in 1998, so they’ve been around a while. It’s popularity on our resolvers is fairly high when viewing the number of DNS queries through Umbrella.
The phishes generally just mirror the Banorte home page in an attempt to steal credentials, and they are most-commonly found at URLs which have been set up using a name that is similar to ‘banorte’, rather than compromised:
After the Microsoft-themed phishes, we see a fairly even mix of many other brands. Banking (other than Banorte) is probably the largest industry being targeted. Social media and technology companies are the next largest after that.
If interested in finding lexically similar domains to your brand or company, we have a script available called ‘Brand Watch’.
Download Brand Watch here.
If you want more information on how Brand Watch works, check out this blog post.