Beware, your login details are being targeted more than ever - here's what to look out for

Man holding a mobile phone with warning notification and spam message icon
(Image credit: Getty Images)

Research from Cofense has found that user credentials are being targeted by hackers and scammers on a scale never seen before.

Indicators of compromise (IOCs), the digital traces an attack leaves behind, tied to credential phishing rose by close to 45% in Q3 compared with Q2, the company's report found.


Don’t take the bait from phishy emails

Several factors could explain this significant increase. Scammers have adapted their tactics to slip past email spam filters by routing phishing links through Google AMP: the link starts with the recognized ‘www.google.com’ domain, which both filters and users trust, and only then loads the attacker's page, so a malicious link looks legitimate at a glance.
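The AMP trick works because a link such as https://www.google.com/amp/s/<host>/<path> shows the trusted host first and the real destination only afterwards. The following Python is an added example, not code from the article or from Cofense, that peels off the google.com/amp/ wrapper so a mail filter or analyst can judge the link by the host a victim would actually land on. The hosts ending in .example are constructed for the demonstration, and the allow-list passed to is_lookalike_login is illustrative.

```python
from typing import Optional, Set
from urllib.parse import urlsplit, unquote

# Hosts that serve Google's AMP viewer. A link of the form
# https://www.google.com/amp/s/<host>/<path> starts with a domain every filter
# and user trusts, then loads the page from <host>.
AMP_VIEWER_HOSTS = {"www.google.com", "google.com"}


def unwrap_amp(url: str) -> Optional[str]:
    """Return the destination behind a google.com/amp/ viewer link, or None if the URL is not one."""
    parts = urlsplit(url.strip())
    if (parts.hostname or "").lower() not in AMP_VIEWER_HOSTS:
        return None
    path = unquote(parts.path)  # phishers sometimes percent-encode the real host
    if not path.startswith("/amp/"):
        return None
    rest = path[len("/amp/"):]
    # "/amp/s/" marks an https origin, a bare "/amp/" an http origin
    if rest.startswith("s/"):
        scheme, rest = "https", rest[2:]
    else:
        scheme = "http"
    if not rest:
        return None
    target = f"{scheme}://{rest}"
    if parts.query:
        target += "?" + parts.query
    return target


def final_host(url: str) -> Optional[str]:
    """Hostname a user would actually land on, seeing through the AMP wrapper."""
    return urlsplit(unwrap_amp(url) or url).hostname


def is_lookalike_login(url: str, legitimate_hosts: Set[str]) -> bool:
    """True when a link presented as a login page lands anywhere other than the allow-listed hosts."""
    host = (final_host(url) or "").lower()
    return not any(host == h or host.endswith("." + h) for h in legitimate_hosts)


if __name__ == "__main__":
    # Constructed sample: a "verify your account" link wrapped in the AMP viewer.
    wrapped = "https://www.google.com/amp/s/accounts-verify.example/login?u=1"
    print(unwrap_amp(wrapped))
    print(is_lookalike_login(wrapped, {"login.microsoftonline.com"}))
```

The check deliberately ignores the visible google.com host and compares only the unwrapped destination against the brand the email claims to be from; a link that needs no unwrapping is compared as-is, and a bare host without a scheme is left alone rather than guessed at.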

Another factor contributing to the rise of phishing in Q3 is the use of QR codes. A QR code gives the human eye no clue about where it leads, so a scammer can point it at a legitimate-looking website that then asks you to log in with your credentials.

The most prevalent malware associated with phishing in Q3 was the Agent Tesla keylogger, closely followed by the FormBook information stealer. The most popular ways of delivering these families were exploits for CVE-2017-11882, a memory corruption flaw in the Microsoft Office Equation Editor that lets a crafted document run arbitrary code, and PDF droppers, PDFs built to embed or retrieve a second-stage file that installs the malware when the document is opened.
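Because CVE-2017-11882 lives in the Equation Editor component, a document that arrives by email and embeds an Equation Editor object deserves a second look before anyone opens it. The Python below is an added triage example, not code from the article or from Cofense: it scans a file for the Equation.3 ProgID, the Equation.Native stream name and the Equation Editor class identifier, including inside the hex-encoded object data of an RTF and inside the members of an OOXML zip. The RTF and docx samples it builds are constructed for the demonstration. A hit is an indicator that warrants sandbox detonation, not proof of exploitation, since legitimate documents can embed equations too.

```python
import io
import re
import zipfile
from typing import Dict, List

# Indicators of a Microsoft Equation Editor 3.0 embedding, the component
# targeted by CVE-2017-11882. None of these prove exploitation on their own.
INDICATORS = {
    "Equation.3 ProgID": b"Equation.3",
    # Compound-file directory entries store stream names as UTF-16LE
    "Equation.Native stream": "Equation.Native".encode("utf-16-le"),
    # {0002CE02-0000-0000-C000-000000000046} in on-disk (little-endian) byte order
    "Equation Editor CLSID": bytes.fromhex("02CE020000000000C000000000000046"),
}

# RTF stores embedded objects as hex text under \objdata; find runs of at least 32 bytes
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){32,}")


def _scan_bytes(data: bytes) -> List[str]:
    found = [name for name, needle in INDICATORS.items() if needle in data]
    for m in HEX_RUN.finditer(data):
        try:
            decoded = bytes.fromhex(re.sub(rb"\s+", b"", m.group(0)).decode("ascii"))
        except ValueError:
            continue
        found += [name for name, needle in INDICATORS.items()
                  if needle in decoded and name not in found]
    return found


def equation_editor_indicators(data: bytes) -> List[str]:
    """Scan raw OLE/RTF bytes or an OOXML zip for Equation Editor indicators."""
    found = _scan_bytes(data)
    if data[:2] == b"PK":  # OOXML (docx/xlsx) is a zip; look inside every member
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for member in z.namelist():
                    for name in _scan_bytes(z.read(member)):
                        if name not in found:
                            found.append(name)
        except zipfile.BadZipFile:
            pass  # truncated or fake zip: keep whatever the raw scan found
    return found


def _build_zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed RTF sample: only the hex-encoded OLE1 header names Equation.3,
# so the detection has to decode the \objdata run to see it.
RTF_SAMPLE = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata "
    b"01050000" + b"02000000" + b"0b000000" + b"4571756174696f6e2e3300" + b"00" * 14
    + b"}}}"
)

# Constructed docx-like sample with an embedded OLE object carrying the CLSID
# and the Equation.Native stream name.
DOCX_SAMPLE = _build_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/embeddings/oleObject1.bin": (
        b"\xd0\xcf\x11\xe0" + b"\x00" * 60
        + INDICATORS["Equation.Native stream"]
        + INDICATORS["Equation Editor CLSID"]
    ),
})

# Constructed benign docx-like sample.
CLEAN_SAMPLE = _build_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document><w:body><w:p><w:t>Quarterly invoice</w:t></w:p></w:body></w:document>",
})


if __name__ == "__main__":
    for label, sample in (("rtf", RTF_SAMPLE), ("docx", DOCX_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, equation_editor_indicators(sample))
```

Run it over an attachment with `equation_editor_indicators(open(path, "rb").read())`; an empty list means no Equation Editor reference was found, while any hit on a file that arrived unexpectedly is a reason to detonate it in a sandbox rather than open it on a workstation.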

In terms of the top-level domains most used in phishing attempts, .com remained the most prevalent; however, .ru saw a significant rise over the previous quarter, most likely due to the growing use and success of the Phishing-as-a-Service (PhaaS) tool Caffeine.

While VPNs make it difficult to pin down where threat actors launch their campaigns, Cofense instead tracked the Command and Control (C2) servers that deliver phishing campaigns on the actors' behalf. The US remained the main location for C2 nodes, with 71% of phishing campaigns using a C2 source with a US-based IP address.

The report states that “This is likely to continue as many cloud hosting services abused by threat actors are hosted in the United States.”


Benedict Collins
Senior Writer, Security

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.

Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.