APWG Phishing Statistics

Latest APWG Phishing Statistics Show Evolving Attack Techniques


Recently released phishing statistics suggest that cybercriminals are turning to new techniques to launch and conceal their attacks, including web page redirects and using HTTPS to make phishing sites appear more trustworthy. Published in December by the Anti-Phishing Working Group (APWG), the Phishing Activity Trends Report, 3rd Quarter 2018 compiles and analyzes data related to reported attacks and unique phishing websites. Following are some key takeaways from the report:

Phishing Reports Remained Steady

The APWG received 270,557 reports of unique phishing campaigns in Q3 2018 — numbers consistent with Q1 (262,704) and Q2 (264,483). In the APWG’s reporting methodology, a “campaign” is a unique email sent to multiple users, with the same subject line. Multiple unique email campaigns may direct potential victims to a single phishing website.

Unique Phishing URLs Dropped, Following Spring Peak

The number of unique phishing websites identified in Q3 2018 was 151,014 — significantly lower than in Q1 (263,538) and Q2 (233,040), following what the APWG describes as “an unusual rash of phishing in the spring of 2018.” But this apparent reduction may in part reflect a change in cybercriminals’ tactics: the increased use of redirectors. This technique is used by attackers to disguise the ultimate URL and help hide it from some phishing detection tools.
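The effect of redirectors on URL counts, shown as an added example that is not from the APWG report or this post: it follows recorded redirect chains and groups reported links by the page they finally land on. All hosts, response records and function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10

# Constructed sample: URL -> (HTTP status, Location header) as a URL scanner
# might have recorded them. Every host is a placeholder.
RESPONSES = {
    "http://short.example/a1": (302, "http://hop.example/r?id=7"),
    "http://hop.example/r?id=7": (301, "https://landing.example/login/"),
    "http://short.example/b2": (302, "https://landing.example/login/"),
    "https://landing.example/login/": (200, None),
    "http://other.example/x": (302, "/y"),  # relative Location header
    "http://other.example/y": (200, None),
    "http://loop.example/1": (302, "http://loop.example/2"),
    "http://loop.example/2": (302, "http://loop.example/1"),
}
REPORTED = ["http://short.example/a1", "http://short.example/b2",
            "http://other.example/x", "http://loop.example/1",
            "http://gone.example/z"]

def resolve(url, responses=RESPONSES, max_hops=MAX_HOPS):
    """Follow recorded redirects; return (final_url_or_None, chain, verdict)."""
    chain = [url]
    while len(chain) <= max_hops:
        status, location = responses.get(chain[-1], (None, None))
        if status is None:
            return None, chain, "no-data"       # nothing recorded for this hop
        if status not in REDIRECT_CODES or not location:
            return chain[-1], chain, "resolved"  # reached a landing page
        nxt = urljoin(chain[-1], location)       # resolves relative targets
        if nxt in chain:
            return None, chain + [nxt], "loop"
        chain.append(nxt)
    return None, chain, "too-many-hops"

def group_by_landing(reported, responses=RESPONSES):
    """Map each landing page to the reported URLs that lead to it."""
    landing, unresolved = defaultdict(list), {}
    for url in reported:
        final, _chain, verdict = resolve(url, responses)
        if verdict == "resolved":
            landing[final].append(url)
        else:
            unresolved[url] = verdict  # keep for manual review
    return dict(landing), unresolved

if __name__ == "__main__":
    sites, pending = group_by_landing(REPORTED)
    print(len(REPORTED), "reported URLs ->", len(sites), "landing pages;", pending)
```
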

Malicious Use of HTTPS Increased Dramatically

One particularly concerning trend is the surge in phishing sites using HTTPS encryption, which can make them appear more legitimate to unsuspecting end users. According to the report, as of Q3 2018, nearly 50% of phishing sites used encryption. This represents a 40% increase over the previous quarter alone, and a nearly 900% increase since the end of 2016.

The problem this trend poses is that many people wrongly assume that a site with HTTPS encryption is safe to use. HTTPS does indicate that the connection to a site is secure, in that any data exchanged with it is encrypted, but that doesn’t mean the site itself is safe. Attackers are taking advantage of this confusion and using it to fool victims.

As the APWG warned in its Q2 2018 report, “The general public’s misunderstanding of the meaning of the HTTPS designation and the confusing labeling of HTTPS websites within browsers are the primary drivers of why they have quickly become a popular preference of phishers to host phishing sites.” As an example of this confusion, some web browsers display a small padlock icon next to an encrypted URL, which users can easily misinterpret as an indication of safety.

The report also suggests that this HTTPS phishing trend is driven in part by legitimate websites, which are increasingly migrating to HTTPS infrastructure and thus creating more opportunities for attackers to compromise encrypted sites.

Effective security awareness training can help users better understand the role of HTTPS and how to practice safer web browsing, and dispel myths and confusion around cybersecurity.

Arming End Users Against Evolving Attacks

Since the phishing threat is constantly evolving, users need to be alerted to current attacks, in addition to being firmly grounded in cybersecurity best practices. To meet this need, we launched our Attack Spotlight series in mid-2018; it provides free, timely, actionable content you can use to arm your end users against emerging threats.

Each installment in the series includes a two-minute awareness mini-module and a downloadable PDF that feature an example of an actual phishing email seen in the wild, explaining the current threat in non-technical terms. Attack Spotlight is more timely and relevant than other services that list lures or traps, since the phishing email examples are drawn from Proofpoint’s world-class threat intelligence, which analyzes billions of emails each day to classify malicious content and identify lures being distributed at critical mass.

Visit the APWG website to obtain a copy of the Q3 2018 Phishing Activity Trends Report, as well as archived issues going back to 2004. 
