Akamai just released the 2019 State of the Internet (SOTI) security report, Phishing - Baiting the Hook, featuring findings from the enterprise and carrier research teams. They've been collaborating for two years to develop better methods for evaluating massive volumes of anonymized, live-streamed DNS query data to uncover more phishing, bots and other threats.
This new SOTI report has great background on phishing, and the research focuses on phishing kits used to enable landing pages where usernames and passwords or other valuable information are gathered and subsequently monetized to fund phishers' exploits. Akamai's enterprise team developed a zero-day phishing detection engine to identify different phishing kits, and tracked their life cycles to understand how attacks change to avoid detection. They also analyzed brands being targeted and segmented them by industry. The top industries targeted were high tech (companies like Microsoft, Dropbox, and LinkedIn), followed by media and then financial companies.
These findings are supplemented with research from the carrier team, which shows longevity statistics for domain names used for phishing (and other exploits) ranked by top-level domain (TLD). The work showed short lifetimes for malicious domains: 89% had a lifespan of less than 24 hours, and 94% had a lifespan of less than three days.
Because it relies on human factors instead of software flaws, the basic approach to phishing has endured for decades. But that doesn't mean phishers haven't innovated. A section covering phishing in the European Union Agency for Cybersecurity (ENISA) Threat Landscape Report 2018 states: "From the available evidence, it is clear that the scale and sophistication of attacks are increasing, with evermore avenues being exploited to reach users (including email, instant messaging, and social networking sites)." This suggests organizations cannot necessarily depend on phishing protections built into email to cover all of their exposure, because phishing URLs are being presented in other places.
A paper presented at USENIX Security 2019 adds another dimension. In addition to copying logos and web pages and mimicking legitimate email addresses, sophisticated phishers have become masters of persuasion. The authors presented examples of phishing messages, segmented by the different ways human emotions can be manipulated to obtain a desired result. It's a little unnerving to read these messages, because it becomes clear that even trained or experienced viewers could be susceptible if they don't pause for a moment.
Attackers are innovating in other ways. Some attackers cleverly substitute lookalike characters in domain names so a destination appears familiar to users but is actually completely different from what is perceived. It's a big enough problem that most of the major browser vendors have taken steps to make the substitutions more obvious to (attentive) users by displaying the actual domain names, which appear as somewhat cryptic character strings (called punycode) in the address bar. The carrier research team has also started seeing domain names that render as emojis - imagine the ambiguities that introduces for hackers to take advantage of! The team has added protections for them, and we'll offer more details about these tactics in upcoming blog posts.
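As an added illustration of the lookalike-character problem (this is example code, not the report's or the research teams' own tooling), the following Python checks each label of a hostname for mixed scripts or emoji and shows the punycode form a browser would display. The script classification by Unicode character-name prefix is a simplification of the Unicode Script property that browsers actually consult, and the hostnames are constructed samples.

```python
import unicodedata
from typing import Optional

# Coarse script tags, taken from the Unicode character-name prefix. This is a
# deliberately simple stand-in for the Unicode Script property used by browsers.
SCRIPT_PREFIXES = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC")


def script_of(ch: str) -> Optional[str]:
    """Return the script of one character, 'SYMBOL' for emoji, or None if neutral."""
    if ch.isascii() and (ch.isdigit() or ch == "-"):
        return None                      # digits and hyphen belong to no script
    name = unicodedata.name(ch, "")
    for prefix in SCRIPT_PREFIXES:
        if name.startswith(prefix):
            return prefix
    if unicodedata.category(ch) == "So":
        return "SYMBOL"                  # emoji and other pictographs
    return "OTHER"


def to_punycode(label: str) -> str:
    """The xn-- form a browser falls back to for a suspicious IDN label (RFC 3492)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def analyse_label(label: str) -> dict:
    """Flag a hostname label that mixes letter scripts or contains emoji."""
    scripts = {s for s in map(script_of, label) if s is not None}
    return {
        "label": label,
        "displayed": to_punycode(label),
        "scripts": sorted(scripts),
        # Mixed letter scripts (e.g. Cyrillic + Latin) are the classic homograph.
        "mixed_script": len(scripts - {"SYMBOL"}) > 1,
        "has_emoji": "SYMBOL" in scripts,
    }


def analyse_hostname(host: str) -> list:
    """Run the label check over every label of a hostname."""
    return [analyse_label(lbl) for lbl in host.lower().split(".")]


if __name__ == "__main__":
    # Constructed samples: Cyrillic 'а' (U+0430) in place of Latin 'a', and an emoji label.
    for host in ("paypal.example", "\u0430pple.example", "\U0001F600.example"):
        for result in analyse_hostname(host):
            print(result)
```

A whole-script homograph (every letter Cyrillic) passes the mixed-script test, which is why browsers also consult a confusables table; this example covers only the mixed-script and emoji cases.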
Phishing impacts everyone who uses the internet, although some are more targeted than others. Findings presented at Black Hat 2019 by researchers from the University of Florida and Google showed that business users are 4.8 times more likely to receive phishing emails than consumers. Nonprofits are 3.8 times more likely to be targeted than consumers, followed by government (2.8x) and education (2.1x). Today's hackers want to maximize their return on investment and, accordingly, bias their efforts toward organizations with more monetizable assets.
In the same Black Hat presentation, the researchers presented survey results showing that 45% of users don't understand what phishing is. This contrasts with generally high awareness of internet security exposure, and may indicate that many people simply don't have the time or desire to educate themselves about the details of internet exploits.
Phishing isn't going away anytime soon because the barriers to entry are low. Technical skills aren't necessarily required anymore, since phishing kits are readily available from many sources on the dark web and there are services available to distribute malicious links. Even amateur phishers can refine their messaging by observing what works, and the professionals can invest in more advanced forms of social engineering. As the survey results above reveal, gaps in awareness suggest internet users could use help.
ISPs are well-positioned to protect their consumer and small/midsize business subscribers. They already have a trusted contractual relationship, scale and reach, and security and operational expertise. There's an opportunity to move beyond speed and reliability and differentiate internet access services based on security. Akamai Security and Personalization Services play to provider strengths, while meeting subscriber requirements for ease of use, broad coverage of devices, and price points compatible with modest budgets.
Bruce Van Nice is a Senior Product Marketing Manager at Akamai.