October 18, 2024
Phishing-related attacks remain a highly effective method used by actors to gain initial access to victims’ environments. Despite increased efforts in cybersecurity education, phishing attacks continue to rise, posing a threat to individuals and organizations alike. According to IBM’s 2024 Threat Intelligence Index Report, initial access due to phishing increased from 30% in 2022 to 41% in 2023. DarkOwl regularly collects discussions on the dark web where bad actors share TTPs (tactics, techniques, and procedures) to perform more sophisticated phishing-related campaigns, some of which we will highlight below.
In the early days of phishing attacks, bad actors simply used emails with malicious links to lure their victims into exposing their credentials. Although this is still very prevalent, these techniques are quickly evolving as threat actors adopt adjacent styles of phishing, like voice phishing (vishing), SMS phishing (smishing), QR code phishing (Quishing), deepfake phishing (AI phishing), and more. It’s important to understand how these attacks are evolving and how threat actors are adjusting their approach to increase the likelihood of success.
Emerging Phishing Techniques
Voice Phishing (Vishing)
Vishing is one of the most common forms of social engineering used by threat actors. This method can be highly effective because, unlike traditional email phishing, communicating over the phone (or voicemail) adds a psychological trust element, boosting immediate credibility. A charismatic, personable, professional, or sincere caller can more easily trick a victim into providing sensitive details over the phone.
This tactic becomes even more difficult to prevent or identify due to how easily accessible VoIP (Voice over IP) software is, which enables anyone to spoof any phone number. This allows attackers to mimic the phone number of the entity they are impersonating, making their scam appear even more legitimate. Instead of targeting a specific individual, actors also use automated robocalls to reach thousands of potential victims around the clock. Like phishing emails, this method relies on the “it only takes one” strategy to make the fraud successful.
In 2020, a U.S. federal court indicted an India-based VoIP company on charges related to robocalls originating from their servers that impacted American victims. These robocalls were estimated to be in the tens of millions and resulted in losses of 20 million dollars.
SMS Phishing (Smishing)
Very similar to Vishing, is Smishing which also focuses on mobile devices to lure potential victims into gaining trust and exposing sensitive data. This attack vector also has much in common with traditional Phishing because malicious links are the primary source of exposure. Whether it’s a claim for a digital coupon, a USPS tracking code, or an Amazon shipment update, the actor wants to direct you to another page that entices you to provide your credentials or other sensitive data.
With the 2024 presidential election rapidly approaching, the United States has seen a surge in smishing messages involving fake voter registration pages. According to a recent CBS News report, these text messages claim to provide forms to register to vote online. This dangerous trend highlights the significant impact mass smishing campaigns can have on the public if malicious actors are able to tamper with, misuse, or impersonate citizens’ voter registration data.
Shameless Plug: If you haven’t registered for our webinar on Dark Web Influence on the 2024 U.S. Presidential Election, make sure to register!
QR Code Phishing (Quishing)
Although not as common as other phishing methods, quishing has been observed in the wild to trick victims into navigating to malicious links or downloading malware. A QR code can embed any text or data, with capacities of up to 4,296 alphanumeric characters or 2,953 bytes for binary data, encoded into a digital square. This means bad actors can devise creative and novel ways to lure someone into believing the content is genuine, such as placing malicious QR codes over legitimate ones in public places or online. For this reason, it’s vitally important to use a QR code scanner that provides you with a visual of the URL or data before you interact with it.
The following excerpt, discovered on DarkOwl’s Vision platform, showcases a dark web conversation in which the author explains how QR code exploitation occurs in the wild.
Figure 1: Two criminals putting fake QR codes over the ones on carparks, pub tables and EV charger points that redirect to a lookalike site and steal your credentials; Source: DarkOwl Vision
Deepfake Phishing (AI Phishing)
A more theoretical type of phishing tactic, not yet widespread, involves the use of artificial videos, photos, and audio—also known as deepfakes or AI phishing. Security researchers have explored potential ways actors could utilize these new forms of technology to perform malicious actions, but thus far, the impact has not materialized at a large scale. However, as this technology becomes cheaper, harder to detect, and more accessible, it is likely to become a popular mode of exploitation.
The implications of this attack are not difficult to imagine. In a Financial Times article, UK banks were cited as already grappling with how to best handle Know Your Customer (KYC) regulations, voice impersonation attacks, and other types of AI impersonation tactics that could impact global finance, as well as individual customers.
Summary
As phishing attacks continue to evolve beyond traditional email scams, it’s important for individuals and organizations to stay informed of the tactics cybercriminals employ. From vishing and smishing to quishing and deepfake phishing, threat actors are constantly adapting their methods to exploit new technologies and vulnerabilities.
Keep up with the latest from DarkOwl. Follow Us on LinkedIn.
The post The Rising Tide of Phishing: Exploring Emerging Threats Beyond Email appeared first on DarkOwl, LLC.