Financial institutions have experienced a 15.3% increase in their share of phishing attacks, according to PhishLabs’ Quarterly Threat Trends & Intelligence Report. This increase establishes financial services as the top targeted industry and shows that threat actors continue to place high value on compromised banking credentials. In this post, we take a look at the tools and infrastructure used by threat actors to target financial services.
Attack Staging Methods
Overwhelmingly, threat actors targeting financial institutions are abusing free tools and services to stage phishing sites. Free hosting contributes to the largest share of abuse, representing 80.6% of phishing sites targeting financial services. This is significantly higher than other industries, suggesting the actors and tools used to target financial services rely more on abusing free hosting services than other free staging methods such as tunneling services and free domain registrations.
It is worth noting that phishing sites set up on free hosting services typically have shorter lifespans and domains that look suspicious, reducing their effectiveness. Threat actors that abuse free hosting services heavily rely on volume and speed to harvest account credentials. Financial institutions should prioritize intelligence sources that can detect phishing sites staged on free hosting services early in the attack process and be prepared to mitigate these threats quickly.
An emerging trend across all industries is the use of tunneling services and developer tools to provide connectivity to phishing sites. While these staging methods represent more than a quarter of the volume for non-financials, attacks using these methods targeting the financial industry are nominal. This can change as there is no barrier to abusing these free services.
Threat actors compromise existing sites to target financial institutions only 15.3% of the time, which is lower than the share of compromised sites targeting non-financials (27.2%).
TLD Breakdown
In the financial sector, most phishing sites were on Legacy generic Top-level Domains (gTLDs). Legacy gTLDs were abused 70% of the time, with .com contributing to 56% of the share. Abuse of ccTLDs contributed to only 13% of TLDs targeting financials.
Reports of TLD abuse across all industries were less lopsided, with abuse divided similarly between Legacy gTLDs (49%) and ccTLDs (43%). The large portion of financial phishing sites on Legacy gTLDs is consistent with attack staging methods observed for financial services, as the most heavily abused free hosting services use Legacy gTLDs.
Of the New TLDs used in phishing attacks targeting financials, .monster and .xyz were the only two represented in the top ten. New gTLDs used to target financial institutions contributed to 17% of all phish, compared to only 8% targeting all industries.
Threat actors are using multiple attack vectors to target financial institutions and their customers. Phishing continues to increase quarter over quarter as varying tactics, tools, and channels aid in the success of campaigns. To learn more about phishing threats targeting enterprises, check out the PhishLabs Quarterly Threat Trends & Intelligence Report.