Earlier this year, Akamai discovered a publicly available plug-in that is being used to collect analytics and various stats on a number of phishing campaigns. Using our own data, we were able to correlate the analytics and view the IP addresses of the victims, since the phishing campaigns were directing victims to one of our customers.
The logged analytics included the victim's geography, browser details, operating system, and all related statistics, such as User Agent, version numbers, and referral information.
The phishing kits used in the scams covered by the discovered analytics have been reported before by Akamai. They are of the Three Questions Quiz variety. Late last year, Akamai reported on these campaigns, which covered 689 instances that abused more than 100 different commercial brands, including those in the airline, retail, food and beverage, and entertainment sectors.
Based on these analytics, a few choice metrics stand out. First, while the campaigns only last for a few weeks, they were able to spread quickly due to social media. Second, the rapid spread of the attack and its mobile footprint cement the fact that phishing and socially-based attacks are not just an email problem. Relying on email filtering alone isn't enough.
Social Media and Mobile Metrics
The analytics directly track victims the moment the scam starts, and according to the recorded stats, nearly 100% of the traffic to the scam pages comes directly from Facebook. Part of the scam's conclusion required that the victim share a message about their "winnings" on Facebook, so this could be one of the leading contributing factors to the social spread. However, references to the scam have also been spotted on Twitter, which could be promotions by the criminals (via bots), another social promotion requirement, or excited victims who truly believe they've won something. Either way, this brings attention to the scam, and along with that, new victims.
The analytics show that nearly 96% of the victims were on mobile devices. The majority were using iOS (54%), followed by Android (41.9%). This is significant because mobile devices are often used for work, but rarely defended outside of the office network - if they're defended at all. Instead, most organizations treat phishing as an email-only attack type, overlooking the fact that socially-based attacks can come from anywhere.
The scam analytics show that the reach is global. Clearly, as is the case with most quiz scams, the goal is to collect data from as many people as possible for as long as possible. While Akamai was only able to track data for a few weeks, the scam itself spread to hundreds of domains and reached thousands of people.
More Than Just Email
As phishing attacks become more targeted and take advantage of local brands, criminals have evolved their planning to include analytical metrics and adjust their campaigns accordingly.
This is why many crime kits, from phishing to malware, include dashboards to track and monitor campaigns. Over the years, security companies have gotten better at protecting against email-based attacks, which forced criminals to adapt and adjust their tactics. Everything is connected these days, so the natural evolution was for criminals to move outside of email and target victims via other attack surfaces, such as social media and mobile devices.
Based on our data, phishing is more than an attack driven by email. Instead, it's an attack that's focused on the human element and our natural need to interact and share. By offering something of value in exchange for something that isn't viewed as important, victims are trading personal information for a thing that does not exist and opening themselves up to additional exploitation, which could leverage the very information they've traded away.
The fix, if there is to be one, is to keep pressing awareness training and to remind users and staff that there is no such thing as a free lunch. More pointedly, random contests discovered on social media often cost them more than they'll gain.