There was a 569 percent increase in phishing emails in 2022 and a 478 percent increase in phishing attacks targeting credentials, email security firm Cofense said in a report published on Wednesday.

Cofense’s 2023 State of Email Security Report focuses on the emerging tactics and techniques used by cybercriminals and the various drivers of the email-based threat landscape.

Cofense said that its threat analysis, which leverages a global, crowdsourced network of over 35 million people together with artificial intelligence and machine learning, was 99.996 percent accurate over the last year, and that it observed many malicious emails that were “missed by Secure Email Gateways (SEGs).”

“Combined with crowdsourced intelligence, advanced AI and machine learning help organizations thwart BEC, as well as credential theft and costly ransomware attacks,” Cofense told VPNOverview.

The key trends in Cofense’s annual report include a significant year-to-year increase in credential phishing emails and the use of Telegram bots to exfiltrate data. The report also highlighted a 44 percent increase in malware, with Emotet, QakBot, and Agent Tesla among the top malware variants.

“In 2022, cybersecurity threats increased exponentially and it’s no surprise the vast majority involved phishing. As threats increase in frequency, intensity, and sophistication, the need for rapid and actionable intelligence has never been greater,” Cofense said.

‘Credential Phishing Was the Cyber Threat of Choice in 2022’

According to Cofense Intelligence, credential phishing was the top threat in 2022. The report also linked credential phishing to BEC and ransomware attacks.

Firms in the energy sector and other critical sectors remained on high alert in 2022 following a high volume of phishing attacks in 2021. However, there were comparatively fewer breaches last year, the report said. Other sectors targeted with phishing campaigns include healthcare, financial services, utilities, professional sectors, real estate, and government organizations.

“Ransomware is a primary downstream impact from email-based threats. In one common scenario, other malware families are delivered initially to gain a foothold, then followed by installation of ransomware anywhere from hours to weeks later,” the report said.

Cofense noted that BEC remains a top cybercrime for the eighth year running.

“Wait, BEC? How does that connect? When a user falls susceptible to a credential push, while the password may have been reset, the threat actor remains persistent in the inbox by adding auto-forwarding rules for keywords related to financial transactions (i.e., invoice, purchase, order, quote). These emails are then, in turn, used to target downstream organizations with BEC/Vendor Email Compromise threats,” the report said.

This report comes days after the FBI warned that cybercriminals are using BEC tactics to swindle U.S. vendors and acquire various commodities without payment.

44 Percent Increase in Malware

Cofense said Emotet and QakBot were the top malware families leveraged in phishing emails in 2022. Although Emotet was shut down last year, variants have re-emerged.

“In the beginning of Q3 [2022], we saw large volumes of Emotet emails,” Cofense said. Between October and November 2022, Cofense observed a “sudden increase in Emotet C2 [criminal control server] traffic” after months of hibernation. Some financially-themed Emotet phishing emails used IRS forms to trick U.S. victims and deliver Emotet.dll payloads on their devices.

QakBot malware contributed to a 300 percent increase in “malicious HTML attachments,” Cofense said, and 54 percent of the targeted domains were .com domains. In descending order, the top five types of malicious attachments reaching inboxes were: .pdf, .HTML, .htm, .docx, and .zip files.

Phishing-as-a-Service Observed Throughout 2022

One of the key findings in the Cofense report was the prevalence of Phishing as a Service (PaaS). The firm analyzed Ofux, a platform that serves several phishing groups, offering “everything a phishing threat actor might need: email sending capability, access to websites for hosting malicious content, and access to hacked individual email accounts,” the report said.

PaaS services “are more likely to reach targeted users, highlighting the need for robust email defenses and even stronger employee/user education,” Cofense noted.

Cybercrime “shops” are not uncommon. There are several similar ransomware-as-a-service outfits on the dark web.

Cofense said ransomware and phishing go hand in hand. Phishing was central to the business model of the infamous Conti ransomware gang, whose internal data was exposed and leaked in 2022. “At the time of the leaks, they were continuing to invest massive resources into it [phishing] as a pillar of their lucrative ransomware operations,” Cofense said.

Leveraging the Web3 Space, Use of Telegram Bots

In 2022, there was a 341 percent increase in threat actors leveraging Web3 technologies for link crafting in phishing campaigns. Web3 websites and apps are decentralized and hosted on the blockchain, which eliminates the need for cybercriminals to host their malicious tools on known servers.

“By leveraging Web3, they don’t have to burn their multi-stage infrastructure if they are detected,” Cofense said.

Nonetheless, in 2022 cybercriminals still abused trusted brands such as Adobe, Dropbox, and DocuSign, and cloud services such as Amazon AWS, Google, and SharePoint, among others, to lure users.

“It’s important for threat actors to carefully craft links or carefully select hosts for links in order to bypass SEGs [email security],” the report said.

Throughout 2022, Cofense observed an influx of cryptocurrency-themed phishing campaigns aiming to steal digital wallet tokens.

The report also noted an 800 percent increase in automated bots on the anonymous messaging app Telegram between 2021 and 2022. Cybercriminals primarily use Telegram for data exfiltration and collaboration. The migration to highly anonymous messaging apps like Telegram is mainly due to law enforcement crackdowns on the dark web.

“Threat actors appreciate the ease of setting up bots in a private or group chat, the bots’ compatibility with a wide range of programming languages, and ease of integrations into malicious mediums such as malware or credential phishing kits,” Cofense said.
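Because the report singles out Telegram bots as an exfiltration channel, a defender's first question is how to spot them in egress telemetry. The following is an added example, not code from Cofense or the report: it scans web-proxy log lines for calls to Telegram's Bot API, whose URLs have the documented shape `https://api.telegram.org/bot<id>:<secret>/<method>`, groups hits by source host and bot id, masks the bot secret so the alert can be shared safely, and marks alerts whose methods actually carry data out (sendMessage, sendDocument, sendPhoto). The log format, IP addresses and tokens below are constructed sample data; the allow-list parameter is an assumption for sites that run legitimate Telegram automation.

```python
"""Flag Telegram Bot API usage in proxy logs (added example, not from the report).

Log format (constructed for this example): <timestamp> <src_ip> <http_method> <url> <status>
"""
import re

# Documented Bot API URL shape: https://api.telegram.org/bot<bot_id>:<secret>/<method>
BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# Bot API methods that move data out of the network (text, files, images).
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

# Constructed sample log. Two hosts talk to the Bot API; the others are benign noise.
SAMPLE_PROXY_LOG = """\
2023-03-09T10:14:02Z 10.0.4.17 POST https://api.telegram.org/bot123456789:AAExampleSecretConstructed/sendMessage 200
2023-03-09T10:14:03Z 10.0.4.17 POST https://api.telegram.org/bot123456789:AAExampleSecretConstructed/sendDocument 200
2023-03-09T10:15:40Z 10.0.4.22 GET https://web.telegram.org/k/ 200
2023-03-09T10:16:01Z 10.0.4.31 GET https://www.example.com/index.html 200
2023-03-09T10:20:11Z 10.0.9.5 GET https://api.telegram.org/bot987654321:BBOtherSecretConstructed/getUpdates 200
"""


def parse_line(line):
    """Split one constructed-format log line into its fields; None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, src, http_method, url, status = parts[:5]
    return {"ts": ts, "src": src, "http_method": http_method, "url": url, "status": status}


def detect_telegram_bot_exfil(log_text, allowed_hosts=frozenset()):
    """Return one alert per (source host, bot id) observed calling the Bot API.

    allowed_hosts (assumed parameter): internal hosts known to run sanctioned
    Telegram automation, which are skipped to reduce noise.
    Each alert carries the source, the bot id, a masked token, the set of
    methods seen, a hit count, and an `exfil` flag set when any method moves data out.
    """
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] in allowed_hosts:
            continue
        match = BOT_API.search(rec["url"])
        if match is None:
            continue
        key = (rec["src"], match["bot_id"])
        alert = seen.setdefault(key, {
            "src": rec["src"],
            "bot_id": match["bot_id"],
            # Keep the bot id (useful when reporting the bot) but never the full secret.
            "token_masked": f"{match['bot_id']}:{match['secret'][:4]}...",
            "methods": set(),
            "first_seen": rec["ts"],
            "count": 0,
        })
        alert["methods"].add(match["method"])
        alert["count"] += 1

    alerts = list(seen.values())
    for alert in alerts:
        alert["exfil"] = bool(alert["methods"] & EXFIL_METHODS)
    return alerts


if __name__ == "__main__":
    for a in detect_telegram_bot_exfil(SAMPLE_PROXY_LOG):
        level = "EXFIL" if a["exfil"] else "RECON"
        print(f"[{level}] {a['src']} -> bot {a['token_masked']} methods={sorted(a['methods'])} hits={a['count']}")
```

On a normal workstation fleet, any Bot API traffic is worth a ticket; the `exfil` flag just orders the queue. Because the Bot API is plain HTTPS to a well-known host, this check only works where TLS inspection or proxy URL logging is in place; with SNI-only visibility, alerting on `api.telegram.org` itself from non-allow-listed hosts is the fallback.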

Tips to Strengthen Your Organization’s Email Security

Cofense said organizations with end-to-end email security solutions and those who ran phishing simulation scenarios were twice as resilient to phishing threats.

To protect your organization from phishing threats, Cofense recommends holding “all-hands meetings” to discuss the threat landscape, sending work newsletters with real examples, ensuring that vendor master changes and banking information are scrutinized, and adjusting email security gateways to block executive spoofing and communication with free email account domains.

Cofense also recommends removing “auto-forwarding rules” across your organization and enabling additional layers of authentication with Microsoft’s enhancements on the Azure platform, blocking potentially malicious file types (such as HTML, htm, and PDF), and removing local admin rights for certain users.
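The inbox-rule persistence the report describes (auto-forwarding keyed on invoice, purchase, order, quote) and the recommendation to remove auto-forwarding rules both come down to auditing mailbox rules. The following is an added example, not code from Cofense or the report: it takes rule records with the fields Exchange Online's Get-InboxRule exposes (ForwardTo, RedirectTo, SubjectContainsWords, BodyContainsWords, DeleteMessage) and flags rules that forward outside the organization, trigger on the financial keywords the report names, or delete the message after forwarding so the owner never sees it. The mailbox addresses, domain list and rule records are constructed sample data.

```python
"""Audit mailbox inbox rules for BEC-style forwarding persistence (added example, not from the report).

Rule records mirror the fields of Exchange Online's Get-InboxRule; in practice you would
export those and feed them in. Everything below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Financial keywords the report names as typical rule triggers.
FINANCIAL_TERMS = {"invoice", "purchase", "order", "quote"}

# Constructed: domains owned by the organization being audited.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}


@dataclass
class InboxRule:
    mailbox: str                                        # rule owner
    name: str                                           # Name
    enabled: bool                                       # Enabled
    forward_to: List[str] = field(default_factory=list) # ForwardTo / ForwardAsAttachmentTo / RedirectTo, merged
    subject_words: List[str] = field(default_factory=list)  # SubjectContainsWords
    body_words: List[str] = field(default_factory=list)     # BodyContainsWords
    delete_message: bool = False                        # DeleteMessage


def is_external(address: str, internal_domains: Set[str]) -> bool:
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def audit_rule(rule: InboxRule, internal_domains: Set[str]) -> List[str]:
    """Return human-readable findings for one rule; empty list means nothing suspicious."""
    findings: List[str] = []
    # Disabled rules and rules that do not forward anywhere cannot leak mail.
    if not rule.enabled or not rule.forward_to:
        return findings
    external = [a for a in rule.forward_to if is_external(a, internal_domains)]
    if external:
        findings.append(f"forwards to external address(es): {', '.join(external)}")
    triggers = {w.lower() for w in rule.subject_words + rule.body_words}
    hits = sorted(triggers & FINANCIAL_TERMS)
    if hits:
        findings.append(f"triggered by financial keywords: {', '.join(hits)}")
    if rule.delete_message:
        findings.append("deletes the message after forwarding (hides activity from the owner)")
    return findings


def audit_mailboxes(rules: List[InboxRule], internal_domains: Set[str]) -> Dict[Tuple[str, str], List[str]]:
    """Map (mailbox, rule name) -> findings for every rule with at least one finding."""
    report: Dict[Tuple[str, str], List[str]] = {}
    for rule in rules:
        findings = audit_rule(rule, internal_domains)
        if findings:
            report[(rule.mailbox, rule.name)] = findings
    return report


# Constructed sample rules: one benign, one textbook BEC persistence rule,
# one internal delegation on a financial keyword, one disabled leftover.
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Vacation", True, [], ["OOO"]),
    InboxRule("alice@example.com", "Invoices", True,
              ["billing.mailbox@freemail.example"], ["invoice", "quote"], [], True),
    InboxRule("bob@example.com", "To assistant", True, ["carol@example.com"], ["order"]),
    InboxRule("dave@example.com", "Old", False, ["someone@elsewhere.example"], ["invoice"]),
]


if __name__ == "__main__":
    for (mailbox, name), findings in audit_mailboxes(SAMPLE_RULES, INTERNAL_DOMAINS).items():
        print(f"{mailbox} / rule '{name}':")
        for f in findings:
            print(f"  - {f}")
```

A rule that combines all three findings is the pattern the report quotes; an internal forward on a financial keyword alone is usually legitimate delegation and should be triaged, not removed. Pair the audit with a transport-level block on external auto-forwarding so a rule that slips past review still cannot leak mail.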

Organizations should report all losses to law enforcement within 24 hours, Cofense said, adding that BEC-related losses can be reported to the U.S. Global Incident Operations Center (GIOC).

Phishing has been around for decades, and, as Cofense puts it, criminals will closely follow technological advances in 2023 to fine-tune their phishing tactics and explore new attack surfaces. It is important to be aware of the latest email-borne threats. You can brush up your knowledge with our in-depth guide to phishing.
