As phishing websites become more advanced, by using rich functionality and customized workflows, evidence indicates that web analytics plugins are being commonly used in phishing kits. This enables threat actors to have stronger visibility into victim profiles and their behavior once they have landed on the scam website. This, in turn, can lead to future optimizations of the phishing kit and scam's distribution.
The most important metric that drives threat actors once an attack campaign is launched is the overall effectiveness. For phishing attacks, effectiveness is measured by engagement, with a focus on the number of unique victims and the amount of sensitive information that can be collected per victim.
A critical element of any phishing website is a seemingly trustworthy interface making the phishing scam appear as real as possible. This leads victims to a feeling of false confidence while engaging with the website. The more confident the victim feels, the more they're likely to engage.
The most common method of gaining a victim's trust and minimizing suspicion, is for attackers to create phishing websites that look almost identical to the website being abused, or to interact with victims through a quiz or survey that offers attractive prizes. Some of these websites will even use a live and dynamic interface, which holds the victim's attention. Akamai has also observed several examples were the threat actor has incorporated fake social network plugins in order to further sell the scam.
Another element that helps determine the effectiveness of a given phishing campaign is its timing and the victim's state of mind. A good example of this is an attack campaign that targets holiday season shoppers. Usually these campaigns start just before the holiday season and run until the end; in the United States, it is common to see retail phishing campaigns start just before Thanksgiving and end shortly after Christmas. Likewise, scams targeting tax preparation services often start just before tax time and end towards the end of the first quarter. But holidays are not the only aspect of timing used by threat actors, the seasons themselves, and associated activities are also prime targets.
The Akamai Enterprise Research Team recently spotted a phishing attack campaign targeting victims looking to go on a summer vacation. The criminals behind these attacks were doing so by abusing the reputation and name of a variety of amusements parks all over the world.
The attack used a phishing tool kit previously reported by Akamai, named "Three Question Quiz". The campaign included at least 17 brands and more than 30 phishing websites, targeting amusements parks located in the US, Europe, Asia, and Australia. While we won't name the brands targeted, all of them are household names and well known to summer vacationers.
The majority of the amusement park phishing campaigns were launched between April and July of 2019 and, according to our evidence, many of those campaigns were quite successful.
Based on evidence collected from one of the UK brands impacted by the phishing attacks, we were able to see that the campaign was mainly targeting victims in the first two weeks of June. This timeframe is considered rush hour for planning summer vacations, and for attracting more victims.
Over the duration of the attack, we were able to see a peak average of 25 victims per hour, representing over 500 victims daily and over 5,000 in total.
Image 1: Monthly view of number of victims landing on phishing website, presenting avg. victims hourly per day
A different view into a Polish brand reveals even more disturbing evidence, showing that in the initial 24 hours of the attack campaign, over 15,000 victims visited that phishing website.
Image 2: hourly view of number of victims landing on phishing website over the initial 24 hours of the campaign
An interesting insight from this wave of summer phishing campaigns is related to the brands being abused. Some of them aren't normally targeted; therefore, the organizations are probably unaware of the recent campaigns and are delayed in their efforts to fight back and eliminate the risks associated with such attacks to their brand and their customers.
Moreover, many of the abused brands are local to the victim, according to visibility we were able to gain into some of analytics maintained by the phishing websites themselves and left open to the public. The tracking shows that the brand's and victims' geographical location are correlated, as seen in the images below.
Image 3: brand's and victims' geographical location correlated - UK brand example <--same
Our research shows the usage of the same phishing tool kit in a variety of different campaigns. This represents an alarming, yet not surprising, trend of commoditization in the phishing landscape. We can see that attacks are better organized, scaled, and being launched in a timely manner using phishing toolkits that can be easily customized and deployed at scale, resulting in an increase to the overall victim count.
The data collected while researching this blog indicates that phishing isn't going away any time soon and that threat actors are willing and able to leverage a number of factors, from seasonal and targeted campaigns, to modular and easily customizable toolkits, in order to get as many victims possible for little to no effort. The fact that many campaigns are using metrics and scaled measurements to chart progress is another example of the phishing evolution Akamai has been discussing this year.
We see clear trends and patterns when we examine the attacks targeting amusement parks and vacation destinations. These patterns and trends follow other established attack motives, such as those that target holiday shoppers and tax preparation services. Moreover, through the use of social elements and dynamic, easy to navigate, websites, including those that are almost perfect mirrors of the original, threat actors are playing a social engineering game in order to lure victims into a false sense of security.
The success of the kits and scams examined this year lead to a single and almost certain conclusion: criminals are going to start ramping up their efforts and model themselves off the established marketing economy in order to establish a tighter Return on Investment (ROI). Not only does this mean more campaigns that are granular in nature and tightly-focused to a specific demographic, but phishing kit development will continue to improve and get more advanced.