- David Goldstein -
The UK cybersecurity centre, the National Cyber Security Centre – a part of the Government Communications Headquarters, commonly known as GCHQ, the UK’s intelligence and security organisation – disclosed it had taken down more scams in the last year than in the previous three years combined, according to its fourth annual Active Cyber Defence (ACD) report, as the UK’s share of global phishing dropped to a 4-year low.
The NCSC's work has increased in part since the COVID-19 pandemic, with more people working from home, and the organisation has sought to further protect the UK public and critical services such as the NHS during the pandemic.
In total, the NCSC took down 700,595 campaigns (1,448,214 URLs) in 2020: a massive fifteen-fold increase in campaign takedowns on 2019 (45,603 campaigns and 192,256 URLs). This increase was possible because the intelligence and security organisation invested in a wider set of takedown measures during the year, allowing them to address different categories of campaigns.
These different categories have large numbers of URLs associated with them, such as the fake celebrity endorsement scams (286,213 campaigns, 731,080 URLs) and fake webshops (139,522 campaigns, 222,353 URLs), and this is the principal reason for the overall increase in takedowns. There was also a decrease in the percentage of attacks taken down within 24 hours, from 64.6% in 2019 to 55.5% in 2020 (excluding new attack types).
The NCSC provides UK government departments and services with brand protection, and in 2020 they oversaw the removal of 27,611 campaigns that used UK government branding in some way, not all of which were phishing sites. The number of UK government-themed phishing campaigns (11,286) and URLs (59,435) more than doubled compared with 2019's figures (4,471 campaigns and 25,741 URLs). The median availability also increased from 15 to 21 hours, although this trend was not mirrored in other attack categories, such as web shells where the median fell from 50 to 23 hours.
The most-targeted UK government brand was Her Majesty's Revenue and Customs (HMRC), responsible for the collection of taxes. HMRC was the target of 22,148 attacks (URLs) and 4,249 attack groups (campaigns). The next category was generic gov.uk sites, followed by TV Licensing, responsible for the collection of television license fees, with 16,948 and 13,658 attacks (URLs) and 3,322 and 3,035 attack groups (campaigns) respectively. These were the only three categories with five-figure attacks (URLs) and four-figure attack groups (campaigns).
Perhaps surprisingly, the level of Brexit-themed UK government phishing was low during 2020, possibly, the report notes, because it was eclipsed by the coronavirus pandemic. However, on 14 December the Takedown service discovered such an attack that cloned large parts of the official gov.uk website.
Despite the increase in scams in 2020, the UK’s global share of phishing has continued its decline since the first ACD report in 2016. The UK share of global phishing has declined from over 5% in January 2016, when the Takedown service began, to 1.27% in August 2020, the lowest seen since the service began, although it jumped to over 2% for the rest of the year.
In 2020, the NCSC took down 17,947 phishing campaigns hosted on UK IP addresses, a total of 122,109 URLs. The median availability of these attacks was 14.5 hours, with 58% taken down within 24 hours of discovery. Comparatively, in 2019 the NCSC took down 18,202 phishing campaigns hosted on UK IP addresses, a total of 155,319 URLs, with a median availability of 12.0 hours, and 63% were down within 24 hours.
The cybercrimes most targeted by the NCSC in 2020 were: COVID-19 themed cybercrime (phishing, malware, fake webshops, advance fee fraud, vaccine fraud); fake online shops, with websites offering heavily discounted goods which either were hosted in the UK or offered transactions in UK sterling (hosted anywhere); fake celebrity endorsement scams using bogus content and fake endorsements from well-known figures, hosted on sites that claim to be UK newspapers or similar publications; and remote access trojans (RATs) and banking trojans.
Over the year the types of attacks that used COVID-19 themes varied; however, the NCSC observed they were particularly attractive to 419 scammers, with advance fee fraud, where the scammer purports to be dying and wanting to give away their fortune, being the most popular attack in this category. Despite the challenges of removing false positives and authenticating these attacks, the NCSC took down 29,959 COVID-19 themed attack groups (comprising 33,313 URLs) between March 2020 and the end of the calendar year.
Fake online or web shops were another target of the NCSC. Between April 2020 and the end of the calendar year, the NCSC identified and took down 139,522 fake shops (222,353 URLs). Hosters were slow to remove these attacks and the report notes a high median attack availability of 341 hours. The median availability of fake webshops also varied widely by hoster, ranging among the 10 worst hosters from 1,571 hours to 2.
Fake celebrity endorsement scams became a target of the NCSC in April 2020. The articles themselves feature fake endorsements for cryptocurrency investment schemes, which are linked within the article. Though the theme of these attacks is cryptocurrency, the template could be used to promote any type of fake investment opportunity and the NCSC expects this theme to change over time. Links to these fake articles were heavily promoted in mass mail campaigns and also via SMS and online adverts on many websites. Between April 2020 and the end of the calendar year, the NCSC took down 286,322 campaigns (731,080 URLs) of this type, with a median attack availability of 32 hours.
The NCSC delivered more takedowns in 2020 than all the previous years combined, with the goal of reducing the potential harms that malware, phishing and other scams could inflict on UK citizens. The organisation has also sought to lower the value proposition for internet-enabled fraud in the UK (or that targets UK citizens) through its efforts. Going forward the organisation will continue to engage directly with hosting companies and other responsible organisations who can assist in taking the malicious sites down quickly and efficiently.