Research from Cofense has found that user credentials are being targeted by hackers and scammers on a scale never seen before.
Indicators of compromise (IOCs), the digital evidence an attack leaves behind, for credential phishing rose by close to 45% in Q3 compared with Q2, the company's report found.
Compared with Q3 2022, credential phishing IOCs are up 85%, with PDF the most common malicious file type attached to phishing emails.
Don’t take the bait from phishy emails
This significant increase in phishing could be attributed to several factors. Scammers have adapted their tactics to slip past email spam filters by abusing Google AMP: the AMP cache serves pages from under the recognized ‘www.google.com’ domain, so a phishing link wrapped in an AMP URL begins with a trusted host name and looks more legitimate to both filters and recipients than the attacker's own domain would.
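The AMP trick works because the attacker's real host sits inside the path of a google.com URL, so any check that only looks at the link's host name passes it. The following is an added example, not code from Cofense or from this article: it unwraps an AMP cache link to recover the origin host and flags wrapped links whose destination is not on an allowlist. It assumes the cache path forms /amp/s/<host>/<path> and /amp/<host>/<path> on www.google.com, and /c/s/<host>/<path> on *.cdn.ampproject.org; the phishing host in the sample links is hypothetical.

```python
from urllib.parse import urlsplit, unquote

# Assumption for this example: Google's AMP cache serves a copy of a page
# from its own host using the path form /amp/s/<origin-host>/<path> for
# https origins or /amp/<origin-host>/<path> for http origins; the separate
# *.cdn.ampproject.org cache uses /c/s/<origin-host>/<path> and /c/<origin-host>/<path>.
AMP_PATH_PREFIXES = {
    "www.google.com": "/amp/",
    "google.com": "/amp/",
}
AMPPROJECT_SUFFIX = ".cdn.ampproject.org"


def _cache_prefix(host: str):
    """Return the AMP cache path prefix for a cache host, or None if the host is not a cache."""
    if host in AMP_PATH_PREFIXES:
        return AMP_PATH_PREFIXES[host]
    if host.endswith(AMPPROJECT_SUFFIX):
        return "/c/"
    return None


def unwrap_amp_url(url: str):
    """Return the origin URL hidden inside an AMP cache link, or None if the
    link is not an AMP cache link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    prefix = _cache_prefix(host)
    if prefix is None:
        return None
    # Percent-decode first so an encoded slash cannot hide the origin host.
    path = unquote(parts.path)
    if not path.startswith(prefix):
        return None
    rest = path[len(prefix):]
    scheme = "http"
    if rest.startswith("s/"):
        scheme = "https"
        rest = rest[2:]
    if not rest or rest.startswith("/"):
        return None  # no origin host present
    inner = f"{scheme}://{rest}"
    if parts.query:
        inner += "?" + parts.query
    return inner


def triage_link(url: str, trusted_hosts: set) -> dict:
    """Classify a link by the host the user actually lands on, not the host
    the link starts with."""
    inner = unwrap_amp_url(url)
    target = inner if inner is not None else url
    dest = (urlsplit(target).hostname or "").lower()
    return {
        "amp_wrapped": inner is not None,
        "destination": dest,
        # Only wrapped links are judged here; direct links still need the
        # usual reputation checks on their own host.
        "suspicious": inner is not None and dest not in trusted_hosts,
    }


if __name__ == "__main__":
    # Constructed sample links; login-m1crosoft.example is a hypothetical phishing host.
    trusted = {"www.example.com"}
    for link in [
        "https://www.google.com/amp/s/login-m1crosoft.example/auth",
        "https://www.google.com/amp/login-m1crosoft.example%2Fauth",
        "https://www-example-com.cdn.ampproject.org/c/s/www.example.com/page",
        "https://www.google.com/search?q=amp",
    ]:
        print(link, "->", triage_link(link, trusted))
```

Run it on the links extracted from a message body; the point of the design is that the allowlist decision is made on the unwrapped destination, so a link that merely starts with www.google.com earns no trust on its own.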
Another factor behind the rise of phishing in Q3 is the use of QR codes. A person cannot read a QR code by eye, so there is no way to tell where it leads before scanning it. Scammers exploit this by pointing the code at a legitimate-looking website that then asks the victim to log in with their credentials.
The most prevalent malware associated with phishing in Q3 was the Agent Tesla keylogger, closely followed by the FormBook information stealer. The most popular methods of delivering them are exploitation of CVE-2017-11882, a memory corruption vulnerability in the Microsoft Office Equation Editor that lets a crafted document run arbitrary code when it is opened, and PDF droppers, PDFs built to drop and open an embedded document or file when the user clicks, which in turn installs the malware.
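A PDF dropper needs the document to do something when opened or clicked, and the PDF features that allow that (an open action, a launch action, embedded JavaScript, an embedded file stream) are visible as name tokens in the file. The following is an added example, not code from Cofense or from this article: a byte-level triage scan that first resolves the #xx hex escapes PDF allows in names (a common way to hide /JavaScript or /Launch from naive string matching) and then scores the risky names it finds. The two sample PDFs are constructed for the example, and the weights and threshold are this example's own choice, not a published scheme. It covers the PDF dropper case only, not CVE-2017-11882 documents.

```python
import re

# Constructed example. PDF name tokens start with "/" and may encode any
# byte as #xx, so "/Ja#76aScript" is the same name as "/JavaScript".
NAME_RE = re.compile(rb'/[^\s/\[\]<>(){}%]+')
HEX_ESCAPE_RE = re.compile(rb'#([0-9A-Fa-f]{2})')

# Names that give a document the ability to run or drop something.
# Weights are this example's own choice.
RISKY_NAMES = {
    b"/OpenAction": 1,    # action fired automatically when the file opens
    b"/AA": 1,            # additional, event-triggered actions
    b"/JavaScript": 2,
    b"/JS": 2,
    b"/Launch": 3,        # launch an external program or file
    b"/EmbeddedFile": 2,  # an attached payload stream
    b"/GoToR": 1,         # jump into another file
    b"/SubmitForm": 1,
    b"/URI": 1,
    b"/RichMedia": 2,
}


def decode_name(token: bytes) -> bytes:
    """Resolve #xx hex escapes inside one PDF name token."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def normalize_names(data: bytes) -> bytes:
    """Rewrite every name token in the file with its escapes resolved."""
    return NAME_RE.sub(lambda m: decode_name(m.group(0)), data)


def scan_pdf(data: bytes) -> dict:
    """Count risky names in a PDF and return a triage verdict."""
    norm = normalize_names(data)
    hits = {}
    for name in RISKY_NAMES:
        # \b stops /EmbeddedFile from matching /EmbeddedFiles and /JS from /JSomething.
        count = len(re.findall(re.escape(name) + rb'\b', norm))
        if count:
            hits[name.decode()] = count
    score = sum(RISKY_NAMES[k.encode()] * n for k, n in hits.items())
    obfuscated = norm != data
    if obfuscated:
        score += 2  # hiding names is itself a signal
    return {
        "hits": hits,
        "obfuscated_names": obfuscated,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "clean",
    }


# Constructed sample: opens with a Launch action on an embedded file and a
# JavaScript action whose name is hex-escaped.
SAMPLE_DROPPER = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Names << /EmbeddedFiles << /Names [(payload.docm) 6 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /F (payload.docm) /Next 5 0 R >> endobj
5 0 obj << /Type /Action /S /Ja#76aScript /JS (app.alert(1)) >> endobj
6 0 obj << /Type /Filespec /F (payload.docm) /EF << /F 7 0 R >> >> endobj
7 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a one-page document with no actions at all.
SAMPLE_CLEAN = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print("dropper:", scan_pdf(SAMPLE_DROPPER))
    print("clean:  ", scan_pdf(SAMPLE_CLEAN))
```

This is a triage heuristic, not a parser: names inside compressed object streams are invisible to a raw byte scan, so a file that scores clean here still deserves a pass through a real PDF parser that inflates streams, and legitimate documents with attachments will trigger the /EmbeddedFile weight and need a human look.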
In terms of the top-level domains used in phishing attempts, .com remains the most prevalent; however, .ru has seen a significant rise over the previous quarter, most likely due to the increasing use and success of the Phishing-as-a-Service (PhaaS) tool Caffeine.
While it is difficult to identify where threat actors launch campaigns from, because they route through VPNs, Cofense instead tracked the command and control (C2) servers used to run phishing campaigns on behalf of threat actors. The US remained the main location for C2 nodes, with 71% of phishing campaigns using a C2 source with a US-based IP address.
The report states that “This is likely to continue as many cloud hosting services abused by threat actors are hosted in the United States.”
Benedict Collins is a Staff Writer at TechRadar Pro covering privacy and security. Before settling into journalism Ben worked as a Livestream Production Manager, covering games in the National Ice Hockey League for 5 years and contributing heavily to the advancement of livestreaming within the league.
He has a MA in Security, Intelligence and Diplomacy, alongside a BA in Politics with Journalism, both from the University of Buckingham. Outside of work Ben follows many sports; most notably ice hockey and rugby. When not running or climbing, Ben can most often be found deep in the shrubbery of a pub garden.