Many detection engines crawl websites and follow links to determine whether a website is malicious or masquerading as another. The difficulty threat actors face in combating these advanced technologies is that their phishing websites must bypass the detection engine while simultaneously gaining a victim’s trust by displaying images and themes that mimic the targeted website.
WMC Global Threat Intelligence Team
Recent posts by WMC Global Threat Intelligence Team
2 min read
Office 365 Phishing Uses Image Inversion to Bypass Detection
By WMC Global Threat Intelligence Team on 11/4/20 9:00 AM
Topics: Phishing Microsoft Office 365 Image Inversion
4 min read
Bank of Guam Phishing Campaign Analysis
By WMC Global Threat Intelligence Team on 10/30/20 1:00 PM
Topics: Phishing Phishing Kit Banking 2FA Bank of Guam Two-Factor Authentication
9 min read
Netflix-Branded Mobile Phishing Campaigns in August
By WMC Global Threat Intelligence Team on 9/23/20 9:30 AM
Threat actors target a range of services, often either because of credential resale value or to target higher-value accounts in credential stuffing campaigns. Last month, WMC Global tracked three unique Netflix-branded phishing campaigns that resulted in over 390,000 unique URLs (Figure 1). These campaigns were distributed solely via text messages (SMS) to US mobile numbers. WMC Global’s analysis of the campaigns provides unparalleled visibility into Netflix-branded phishing attacks.
Topics: SMS Attack Phishing Phishing Kit Netflix
6 min read
Phishing Kit Exfiltration Methods
By WMC Global Threat Intelligence Team on 8/19/20 9:05 AM
At WMC Global, we analyze hundreds of phishing kits every week, which use a range of lures to steal credentials from victims, and we examine the exfiltration mechanisms used by threat actors to harvest stolen credentials from victims. The majority of phishing kits use a simple email exfiltration method to send victims’ data—compromised credentials—to a mailbox owned by the threat actor; the second most common method of exfiltration was writing the stolen data to a file stored on the website host. Though there are many exfiltration methods available to threat actors, our analysis found email and file write exfiltration to be amongst the most common.
Topics: Phishing Phishing Kit Data Exfiltration
4 min read
Cazanova Phisher Steals From Himself
By WMC Global Threat Intelligence Team on 8/14/20 10:30 AM
Using a variety of tools and techniques, WMC Global actively tracks threat actors engaged in credential phishing attacks—from canary detection to phishing site launch to the selling of compromised credentials, WMC Global monitors phishing activities the world over.
Topics: Phishing Phishing Kit Cazanova Phoenix Coder Threat Intel
3 min read
COVID Update
By WMC Global Threat Intelligence Team on 8/12/20 10:00 AM
Throughout the early months of the COVID-19 pandemic, when companies and consumers were forced to adapt to remote working arrangements and adopt digital interactions with family and friends to stay connected, PhishFeed witnessed a stark rise in phishing attacks, particularly in attacks configured to show only on mobile devices. Since January 2020, PhishFeed has collected tens of thousands of phishing URLs and kits, many of which were branded with COVID-themed domains, URLs, or attack content by the responsible threat actors, as seen in Figure 1.
Topics: Covid SMS Attack Phishing Covid-19
25 min read
Deep Dive Into Cazanova Morphine Phishing Kit
By WMC Global Threat Intelligence Team on 8/10/20 9:00 AM
WMC Global proactively tracks phishing sites and analyzes the backend code to understand tactics, techniques, and procedures (TTPs) used by threat actors to steal consumers' credentials and other personally identifiable information (PII) for financial gain.