A new report highlights the brands that were most often imitated by criminals in their attempts to steal personal information or payment credentials in July, August and September.
Check Point Research (CPR), the Threat Intelligence arm of Check Point® Software Technologies Ltd., one of the world’s leading providers of cybersecurity solutions, has released the Brand Phishing Report for the third quarter of 2022.
While LinkedIn was the most imitated brand in Q1 and Q2 2022, shipping company DHL took the top spot in Q3, accounting for twenty-two percent of all phishing attempts globally.
Microsoft is in second place (16%) and LinkedIn has fallen to third place, accounting for just 11% of scams, down from 52% in Q1 and 45% in Q2.
DHL’s rise could be partly due to a major global scam and phishing attack that the logistics giant itself warned about days before the start of the quarter. Instagram also appeared in the top ten list for the first time this quarter, following a “blue badge” phishing campaign that was reported in September.
Shipping is one of the top industry sectors for brand phishing, second only to technology. As we head into the busiest retail time of the year, CPR will continue to monitor shipping scams, as threat actors will likely increase their efforts to take advantage of online shoppers.
“Phishing is the most common type of social engineering, which is a general term describing attempts to manipulate or deceive users. It is an increasingly common threat vector used in most security incidents,” commented Omer Dembinsky, Head of Data Research Group at Check Point. “In the third quarter, we saw a dramatic reduction in the number of LinkedIn-related phishing attempts, which reminds us that cybercriminals often change tactics to increase their chances of success. However, it is still the third most commonly impersonated brand, so we urge all users to remain alert to any emails or communications claiming to be from LinkedIn. Now that DHL is the brand most likely to be copied, it is crucial that anyone expecting a delivery goes directly to the official website to check progress and/or notifications. Do not trust any emails, especially those that request information to be shared.”
In a brand phishing attack, criminals attempt to impersonate the official website of a well-known brand by using a domain name or URL and web page design similar to the genuine site. The link to the fake website can be sent to targeted people via email or SMS, a user can be redirected while browsing the web, or it can be triggered from a fraudulent mobile app.
The fake website often contains a form intended to steal user credentials, payment details or other personal information.
Top phishing brands in Q3 2022
Below are the top brands ranked by their overall appearance in phishing attempts:
- DHL (linked to 22% of all phishing attacks worldwide)
- Microsoft (16%)
- LinkedIn (11%)
- Google (6%)
- Netflix (5%)
- WeTransfer (5%)
- Walmart (5%)
- WhatsApp (4%)
- HSBC (4%)
- Instagram (3%)
DHL Phishing Email – Account Theft Example
In campaigns using the DHL brand that emerged during Q3 2022, we observed a malicious phishing email sent from the webmail address “[email protected][.]com” and spoofed to appear as if it came from “DHL Express”.
The email carried the subject “DHL not delivered (parcel/shipping)”, and its content (see Figure 1) tries to persuade the victim to click on a malicious link by claiming that there is a delivery intended for them that can be sent as soon as the delivery address is updated.
This link leads to a malicious website, https://bafybeig4warxkemgy6mdzooxeeuglstk6idtz5dinm7yayeazximd3azai[.]ipfs[.]w3s[.]link/dshby[.]html/ (see Figure 2), which asks the victim to enter their username and password.
OneDrive Phishing Email – Account Theft Example
In this phishing email, we see an attempt to steal a user’s Microsoft account information.
The email (see Figure 1) was sent from the webmail address we*****@jo*****.hk under the fake sender name “One Drive” and carried the subject “A document titled ‘Proposal’ has been shared with you on Onedrive”.
The attacker attempts to trick the victim into clicking the malicious link by claiming that an important document titled “Proposal” has been shared with them on their OneDrive.
This malicious link – “https://mail-supp-365[.]herokuapp[.]com/” redirects the user to a fraudulent Microsoft web application login page (see Figure 2), where the user must enter their account password.
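Both emails above pair a brand in the sender name with a webmail sender address and a link hosted somewhere unrelated to the brand. The following added example (not part of Check Point's report) flags that mismatch; the allow-list, the function names and the sample messages on reserved .example domains are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: illustrative allow-list; replace with the domains each brand really uses.
BRAND_DOMAINS = {
    "dhl": {"dhl.com"},
    "onedrive": {"microsoft.com", "live.com", "sharepoint.com"},
}

def under(host, domains):
    """True only if host equals a listed domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def brand_mismatches(raw_email):
    """List (brand, kind, host) where the display name claims a brand the host is not under."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    claimed = re.sub(r"[^a-z0-9]", "", name.lower())  # "One Drive" -> "onedrive"
    hosts = [("sender", addr.rpartition("@")[2].lower())]
    hosts += [("link", urlsplit(u).hostname or "")
              for u in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload())]
    return [(brand, kind, host)
            for brand, domains in BRAND_DOMAINS.items() if brand in claimed
            for kind, host in hosts if not under(host, domains)]

# Constructed samples on reserved .example domains, modelled on the two emails above.
DHL_LURE = """From: "DHL Express" <parcels@webmail.example>
Subject: DHL not delivered (parcel/shipping)

Update your delivery address: https://dhl.com.parcel-update.example/dshby.html
"""
ONEDRIVE_LURE = """From: One Drive <docs@webmail.example>
Subject: A document titled 'Proposal' has been shared with you on Onedrive

Open it: https://shared-docs.hosting.example/
"""
GENUINE = """From: "DHL Express" <noreply@dhl.com>
Subject: Your shipment is on its way

Track it: https://www.dhl.com/track
"""

if __name__ == "__main__":
    for sample in (DHL_LURE, ONEDRIVE_LURE, GENUINE):
        print(brand_mismatches(sample))
```

The suffix comparison in `under` is what keeps a host such as `dhl.com.parcel-update.example` from passing as DHL, which a plain substring check would allow.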
Check Point researchers urge users to be cautious when disclosing personal data and identifying information to business applications or websites, and to think twice before opening attachments or links, especially in emails that claim to be from companies such as DHL, Microsoft or LinkedIn, as they are most likely to be spoofed.