Phishing is an extremely common attack vector that has been used for many years, and the potential impact and risks involved are well known to most Internet users. Despite this, phishing is still a highly relevant attack method being used in the wild, affecting many people. The question is, how can a security threat continue to have a significant impact, even though many Internet users know about the risks and potential impact? Akamai's Enterprise Threat Research team decided to dive deeper into several recent phishing scams to provide insights into the modern phishing scam landscape and what makes these campaigns an effective and an ongoing security threat.
Our research shows that despite broad awareness of phishing attack risks, they are still a relevant threat. More importantly, we found the attack techniques and elements being used in recent phishing campaigns to be highly effective, highly distributed, and long-living.
We believe the threat actors have evolved and elevated their attacks to counter the improved Internet user awareness of phishing exploits. The techniques used in recent campaigns seek to remove user caution about phishing and gain higher levels of trust, while avoiding antagonism. Attacks are made more effective through positive interaction with the users and encourage them to unknowingly spread the attack payload within their own social media circles. We refer to such attacks as "positive" phishing campaigns.
Unlike "negative campaigns", which are a more well-known style of attacks (e.g., a screen that says "your computer is infected") which triggers feelings such as fear, and doubt, "positive" campaigns highlight feelings of excitement and hope and are gaining momentum in the wild. "Positive" campaigns interact with victims and are frequently combined with elements of social networks to reinforce trust, making these campaigns much more effective.
As part of our research, we were able to see growing momentum in the threat landscape, with attacks that are include elements of gaming, social networks, and prize-winning. All of these elements serve the threat actor's main goal: to gain the user's trust and lead victims to divulge personal information. This trust is also used to spread the phishing campaign by integrating steps that require sharing the content via the target's social network, thereby increasing the campaign's impact and distribution.
Read more about this research.