Throughout 2023, the WMC Global Threat Intelligence Team remained steadfast in safeguarding users and clients against the relentless tide of credential phishing threats. As we bid farewell to the year, we reflect on significant events, emerging trends, and observed shifts in threat actor behavior and predict threat landscape highlights for the year ahead.
16 min read
19 min read
2022 Year In Review
By WMC Global Threat Intelligence Team on 1/31/23 1:51 PM
The WMC Global Threat Intelligence Team observed a noticeable escalation in targeted and sophisticated phishing campaigns throughout 2022, with a surge in SMS phishing and a decrease in campaigns featuring large corporations. Threat actors began to shift their focus to developing smish-to-vish campaigns — campaigns where threat actors use phone numbers in SMS messages as opposed to link-based phishing. In 2022, we also finally saw a move away from Covid-19 phishing lures as pandemic-related government funds and support stopped. Several new threat actors made an appearance in 2022 with prolific and novel campaigns explored below targeting banks and big name brands.
The latest US trend has seen threat actors moving from generic, wide-reaching phishing attacks using major banks as lures to targeted attacks featuring small credit unions. Although customers of financial institutions are the most common mark, there was a jump in threat actors specifically targeting credit union customers throughout the US, whereas in the UK a prevalent phishing campaign took advantage of the government-backed energy rebate scheme as energy prices peaked at an all-time high. As expected, big brands like Microsoft, Apple, Netflix, and PayPal were still targeted regularly throughout the year.
Topics: SMS Attack Phishing Phishing Kit Microsoft Office 365 Banking Hermes Courier Scam Food Delivery Service Phishing SMS Phishing Just Eat Uber Eats Credential Phishing Food Delivery App Phishing package delivery scam
6 min read
UK Private School Applicants Targeted With Phishing Attack
By WMC Global Threat Intelligence Team on 11/21/22 12:54 PM
Topics: Phishing Phishing Kit Threat Intel Data Exfiltration
1 min read
Emerging Trends in SMS Phishing
By WMC Global Threat Intelligence Team on 11/8/22 10:15 AM
WMC Global's Ben Coon, VP of Threat Intelligence, and Bobby Preston, Threat Analyst and Sr. Business Development Manager, presented at SaintCon this October.
Topics: SMS Attack Kit Analysis Phishing Phishing Kit Threat Intel finance 2FA Two-Factor Authentication Voice Passwords SMS Phishing Credential Phishing smishing Vishing financial institutions
8 min read
Introducing MRWEEBEE
By WMC Global Threat Intelligence Team on 11/2/22 3:20 PM
Since July 2021, WMC Global analysts have been tracking an emerging threat actor known as MRWEEBEE who is creating and selling phishing kits targeting customers of banks and credit unions in the United States. WMC Global threat analysts have been monitoring MRWEEBEE closely by investigating the threat actor’s tactics, techniques, and procedures (TTPs) found in their phishing kits. WMC Analysts paid close attention to how MRWEEBEE's kits collect personally identifiable information (PII), email credentials, banking details, and payment information, and how they evade detection with extensive bot blocking.
Topics: Phishing Phishing Kit Threat Intel Data Exfiltration Victim File Credential Phishing
6 min read
Threat Actor "Robin Banks" Phishing Kit Revisions
By WMC Global Threat Intelligence Team on 8/31/22 10:22 AM
In July, a report was released spotlighting a threat actor known as Robin Banks. WMC Global was also tracking this threat actor and noticed the scammer's attack infrastructure quickly went offline at the time of the article’s publication. It is possible this was done by the intel vendor or the threat actor trying to hide but may also have been an unknown party. Only a matter of weeks later, WMC Global analysts discovered Robin Banks was still operating and had rebuilt their backend phishing operation to be more resilient to takedowns, highlighting their awareness of the original article.
Topics: SMS Attack Phishing Phishing Kit Threat Intel SMS Phishing Credential Phishing
7 min read
Evri - UK Package Delivery Scam
By WMC Global Threat Intelligence Team on 5/19/22 10:21 AM
Threat actors have found continuous success using package delivery services as SMS phishing lures since the start of the COVID-19 pandemic, and package delivery phishing attacks are the number one harvester of credit cards that WMC Global is currently seeing. Scammers now gravitate towards any new courier as a lure because of the sheer effectiveness of the campaigns. These lures are often used to perform call back scams, but consumers get wise to the same attack content, resulting in threat actors needing to diversify and increase their portfolio of campaigns. Introducing Evri, the latest UK courier company to be heavily targeted and brand abused for credential phishing attacks.
Topics: Covid SMS Attack Phishing Kit Threat Intel Banking Courier Scam SMS Phishing Credential Phishing package delivery scam
7 min read
Just Eat - UK Food Delivery Service Customers Targeted by SMS Phishing
By WMC Global Threat Intelligence Team on 4/12/22 9:53 AM
Over the last two years, threat actors have found many lucrative ways to exploit pandemic-induced lifestyle changes and financial strain by creating scams using package delivery services as well as unemployment payments, grants, and vaccine passports as lures. As the world begins to adjust to life beyond Covid-19, threat actors are creating new lures, while still focusing on consumer behavior driven by the pandemic.
Topics: Covid SMS Attack Phishing Covid-19 Food Delivery Service Phishing SMS Phishing Just Eat Deliveroo Uber Eats Credential Phishing Food Delivery App Phishing
12 min read
Microsoft Office 365 Voicemail Phishing Attack
By WMC Global Threat Intelligence Team on 12/9/21 10:00 AM
On December 1st, WMC Global encountered a large-scale email phishing campaign targeting Microsoft Office 365’s voicemail functionality. The email subject, “Voiceᴍᴀɪʟ,” uses several Latin characters in an attempt to bypass email filtering systems. The attack was live until December 4th.
Topics: Phishing Phishing Kit Threat Intel Microsoft Office 365 Voicemail Voice Victim File Passwords
6 min read
Phishing Lures Imitate Government Bodies Offering COVID-19 Relief
By WMC Global Threat Intelligence Team on 8/11/21 8:31 AM
This blog is released in partnership with Mobile Ecosystem Forum (MEF), of which WMC Global is a proud member.
Topics: Covid Phishing Covid-19 Phishing Kit Threat Intel Government US Government UK Government NHS
2 min read
Phishing for Finance - Akamai x WMC Global SOTI Report
By WMC Global Threat Intelligence Team on 5/19/21 3:00 PM
Cloud and enterprise security leader Akamai has partnered with WMC Global researchers to release their State of the Internet report focusing on phishing in the financial services industry. We have included key excerpts below; you can access the full report HERE.
HIGHLIGHTS
- In 2020, there were 193 billion credential stuffing attacks globally, with 3.4 billion of them in the financial services space, representing a 45% growth over 2019.
- The number of web attacks targeting the financial services industry grew by 62%. Akamai observed 736,071,428 web attacks recorded against financial services in 2020. What was the number one web attack type targeting financial services? Local File Inclusion (52%), followed by SQL Injection (33%) and Cross-Site Scripting (9%).
- The Kr3pto phishing kit, which targets financial institutions and their customers via SMS, has been observed spoofing 11 brands across more than 8,000 domains since May 2020. Akamai and WMC Global have tracked Kr3pto campaigns across more than 80 different hosts (ASNs), including one host that housed more than 6,000 Kr3pto domains.
- An API used by the Ex-Robotos phishing kit, which targets corporate credentials, logged more than 220,000 hits over 43 days, with peaks in the first week of February 2021 reaching tens of thousands per day.
FINANCIAL PHISHING
Over the past several years, phishing has remained a constant variable in many of the data breaches and security incidents that have dominated the headlines. Criminals have dedicated a good deal of energy and resources toward advancing the phishing economy on a regular basis. Gone are the days of basic cloned websites. Today, phishing is a turnkey business, even offered as a hosted solution for criminals who wish to leverage phishing-as-a-service developments.
As phishing attacks and kit development started to advance, defenders realized that usernames and passwords alone were not enough. To combat the phishing onslaught and other password-based attacks, defenders turned toward multi-factor authentication (MFA) and two-factor authentication (2FA) to help augment basic passwords. While 2FA is a subset of MFA, both provide the means of a second type of authentication, such as a PIN or one-time password (OTP). Often, 2FA is associated with SMS-based OTPs, whereas MFA is associated with authenticators, like Google Authenticator.
Fast-forward to today — the criminals have evolved. This change includes elements that target 2FA and MFA protections, where victims are tricked into filling out their OTP or revealing it to the threat actor during a conversation.
In this report, WMC Global and Akamai present research related to threat actors and the phishing kits being used to target the financial services industry, or people within it. One relatively new threat actor poses a serious threat to the financial services industry in the UK, with the development of dynamic phishing kits that effectively bypass secondary methods of authentication.
Topics: Phishing finance Banking
4 min read
Hermes SMS Courier Scam
By WMC Global Threat Intelligence Team on 4/27/21 1:05 PM
Threat Summary
New phishing campaigns are targeting mobile devices to deliver fraudulent courier delivery notifications to potential victims. While many organizations secure email and Microsoft Office applications directly within mobile phones, SMS threats are typically out of scope for many security teams, letting attackers exploit the lapse in coverage to leverage both consumer and business credentials. WMC Global's Threat Intelligence Team is currently tracking an increase in SMS-based courier scams in the United Kingdom. By the end of March over 5000 phishing URLs had been collected targeting Hermes alone. Targeted couriers are Hermes, DPD, and Royal Mail, with Hermes seeing a notable increase in distribution.
Topics: SMS Attack Phishing Hermes Courier Scam
16 min read
The Compact Campaign
By WMC Global Threat Intelligence Team on 3/4/21 12:27 PM
Summary
Phishing campaigns continue to utilize the disruption of the pandemic to target victims, and a new campaign takes advantage of Zoom's rising popularity. Since December, the "Compact" Campaign has been targeting thousands of users by impersonating a Zoom invite and is estimated to have collected over 400,000 Outlook Web Access and Office 365 credentials. This campaign is unique in its use of trusted domains to ensure delivery of phishing emails and prevent phishing pages from being blocked. This is especially worrisome for organizations, which will struggle to defend against this attack.
Topics: Phishing Phishing Kit Data Exfiltration Microsoft Office 365 Zoom
24 min read
Year-End Phishing Report - 2020 WMC GLOBAL
By WMC Global Threat Intelligence Team on 2/19/21 10:15 AM
Summary
WMC Global's Threat Intel Team analyzed thousands of phishing kits in 2020. While "16Shop" continues to be the most popular, kits capable of capturing multi-factor authentication data, like "Puppeteer," are emerging. There was a large increase in SMS phishing compared to emails over 2020, indicating SMS will continue to be a substantial threat in 2021. WMC Global observed that consumer brands continued to be the primary target for phishing, with Netflix and Facebook being the most impersonated brands; however, WMC Global also observed new threat vectors for phishing in the form of COVID-themed phishing. The United States was the number one location for hosting phishing sites, with NameCheap being the provider hosting the most phishing sites over 2020. WMC Global predicts that in 2021 multi-factor authentication will become a focus for threat actors, phishing link delivery methods will continue to evolve, and phishing kit intelligence will be more prevalent in tracking threat actors.
Topics: SMS Attack Phishing Kit finance Netflix Puppeteer Kit
11 min read
Evolution of a Phish: Popular UPS Email Scam Now Targets Mobile Users
By WMC Global Threat Intelligence Team on 2/17/21 9:03 AM
Phishers are well known for identifying and exploiting security weaknesses. Many email and security teams are becoming more effective at blocking attacks, but phishers are targeting new gaps in remote workforce and SMS phishing detection. Specifically, threat actors are increasing the delivery of phishing campaigns via text message to avoid email vendor protections and deliver phishing directly to victims.
Topics: SMS Attack Phishing Phishing Kit Courier Scam UPS
2 min read
Threat Actor Update: Kr3pto
By WMC Global Threat Intelligence Team on 2/3/21 2:12 PM
The current biggest threat to the UK banking industry has just added a new target.
Topics: Phishing Phishing Kit Bank of Scotland Kr3pto
6 min read
Kr3pto Puppeteer Kits: Dynamic Phishing Kit Targeting UK Banking Customers
By WMC Global Threat Intelligence Team on 12/16/20 10:00 AM
At WMC Global, we are tracking a threat actor who goes by the alias "Kr3pto," a phishing kit developer who builds and sells unique kits targeting UK financial institutions amongst other brands.
Topics: Phishing Kit finance Kr3pto Banking Puppeteer Kit Multi-Factor Authentication
6 min read
Phishing Exfiltration Method: Email
By WMC Global Threat Intelligence Team on 11/13/20 10:06 AM
Phishing attacks have been on the rise in recent years, and 2020 in particular has seen a stark increase in phishing incidents since the start of the pandemic in January[i]. Tech companies and banks are the most commonly impersonated companies in phishing scams, which steal their victims' credentials and other sensitive data and send them to the scammer[ii].
Topics: Kit Analysis Phishing Phishing Kit Data Exfiltration Cryptocurrency Blockchain Credentials Shadow Z118 Paypal
2 min read
Office 365 Phishing Uses Image Inversion to Bypass Detection
By WMC Global Threat Intelligence Team on 11/4/20 9:00 AM
Many detection engines crawl websites and follow links to determine whether a website is malicious or masquerading as another. The difficulty threat actors face combatting these advanced technologies is that their phishing websites must bypass the detection engine, while simultaneously gaining a victim’s trust by displaying images and themes that mimic the targeted website.
Topics: Phishing Microsoft Office 365 Image Inversion
4 min read
Bank of Guam Phishing Campaign Analysis
By WMC Global Threat Intelligence Team on 10/30/20 1:00 PM
Topics: Phishing Phishing Kit Banking 2FA Bank of Guam Two-Factor Authentication
9 min read
Netflix-Branded Mobile Phishing Campaigns in August
By WMC Global Threat Intelligence Team on 9/23/20 9:30 AM
Threat actors target a range of services, often either due to credential resale value or to target higher value accounts in credential stuffing campaigns. Last month, WMC Global tracked three unique Netflix-branded phishing campaigns that resulted in over 390,000 unique URLs (Figure 1). These campaigns were solely distributed via text messages (SMS) to US mobile numbers. WMC Global’s analysis of the campaigns provides unparalleled visibility into Netflix-branded phishing attacks.
Topics: SMS Attack Phishing Phishing Kit Netflix
6 min read
Phishing Kit Exfiltration Methods
By WMC Global Threat Intelligence Team on 8/19/20 9:05 AM
At WMC Global, we analyze hundreds of phishing kits every week, which use a range of lures to steal credentials from victims, and we examine the exfiltration mechanisms used by threat actors to harvest stolen credentials from victims. The majority of phishing kits use a simple email exfiltration method to send victims’ data—compromised credentials—to a mailbox owned by the threat actor; the second most common method of exfiltration was writing the stolen data to a file stored on the website host. Though there are many exfiltration methods available to threat actors, our analysis found email and file write exfiltration to be amongst the most common.
Topics: Phishing Phishing Kit Data Exfiltration
4 min read
Cazanova Phisher Steals From Himself
By WMC Global Threat Intelligence Team on 8/14/20 10:30 AM
Using a variety of tools and techniques, WMC Global actively tracks threat actors engaged in credential phishing attacks—from canary detection to phishing site launch to the selling of compromised credentials, WMC Global monitors phishing activities the world over.
Topics: Phishing Phishing Kit Cazanova Phoenix Coder Threat Intel
3 min read
COVID Update
By WMC Global Threat Intelligence Team on 8/12/20 10:00 AM
Throughout the early months of the COVID-19 pandemic, when companies and consumers were forced to adapt to remote working arrangements and adopt digital interactions with family and friends to stay connected, PhishFeed witnessed a stark rise in phishing attacks, particularly in attacks configured to show only on mobile devices. Since January 2020, PhishFeed has collected tens of thousands of phishing URLs and kits, many of which were branded with COVID-themed domains, URLs, or attack content by the responsible threat actors, as seen in Figure 1.
Topics: Covid SMS Attack Phishing Covid-19
25 min read
Deep Dive Into Cazanova Morphine Phishing Kit
By WMC Global Threat Intelligence Team on 8/10/20 9:00 AM
WMC Global proactively tracks phishing sites and analyzes the backend code to understand tactics, techniques, and procedures (TTPs) used by threat actors to steal consumers' credentials and other personally identifiable information (PII) for financial gain.