- by David Goldstein -
The number of brands targeted by phishing campaigns grew rapidly in the third quarter of 2020, according to the Anti-Phishing Working Group’s (APWG) latest report. The figure was 374 in January and hovered in the 300s for the first six months of the year, then averaged over 500 each month in the third quarter: July (478), August (575) and September (505).
Likewise, according to APWG’s report, the number of unique phishing websites detected has trebled, even quadrupled. For the first six months of 2020, the number ranged from just under 49,000 to just over 60,000 websites. But in the third quarter, this number jumped to 171,040 (July), 201,591 (August) and 199,133 (September).
In the third quarter of 2020, the report found SaaS and webmail sites remained the most frequent targets of phishing, with 31.4 percent of all attacks, down from 35 percent in the second quarter and 34 percent in the first quarter. Phishing against social media companies crept up from 8.3 to 10.8 to 12.6 percent in each quarter as the year went on.
Phishing, the APWG explains, is a crime employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials. The social engineering tricks unwary victims by fooling them into believing they are dealing with a trusted, legitimate party, such as by using deceptive email addresses and email messages. Technical subterfuge schemes plant malware onto computers to steal credentials directly, often using systems that intercept consumers’ account usernames and passwords or misdirect consumers to counterfeit websites.
Several measures can be deployed to improve website security and fight phishing, but cybercriminals are managing to thwart them. One such measure is SSL, the Secure Sockets Layer protocol. According to the APWG report, 80 percent of phishing sites have SSL encryption enabled to fool victims, a higher rate than general SSL deployment, which stands at just 66.8 percent of websites. And in the third quarter, 40 percent of all SSL certificates used by phishers were issued by Let’s Encrypt, a certificate authority that offers free certificates.
And which top-level domains are the most used for phishing? According to an analysis for the APWG report, there were 2,019 confirmed phishing URLs reported to the APWG’s eCrime Exchange in the third quarter, hosted on 1,274 unique second-level domains (and 15 were hosted on unique IP addresses, without domains). The eight TLDs with the most unique second-level domains used for phishing were: