Over 50,000 fake login pages were detected in the first half of 2020, with some able to be polymorphic and represent different brands.
According to research from Ironscales, fake login pages are commonly used to support hacks and spear-phishing campaigns, and its researchers found more than 200 of the world’s most prominent brands were spoofed with fake login pages.
It also found nearly 5% (2500) of the 50,000+ fake login pages were polymorphic, with one fake login able to represent more than 300 different login pages.
Ironscales’ Brendan Roddas explained polymorphism occurs when an attacker implements “slight but significant and often random change to an emails’ artifacts, such as its content, copy, subject line, sender name or template in conjunction with or after an initial attack has deployed.”
This allows attackers to quickly develop phishing attacks that trick signature-based email security tools that were not built to recognize such modifications to threats, ultimately allowing different versions of the same attack to land undetected in employee inboxes. In this research, Microsoft and Facebook led the list with 314 and 160 permutations, respectively.
The research also determined the brand with the largest number of fake login pages to be PayPal with 11,000, followed by Microsoft with 9500 and Facebook with 7000.
Ironscales said the most common recipients of fake login page emails work in the financial services, healthcare and technology industries as well as at government agencies.
Commenting, Chris Hauk, consumer privacy champion at Pixel Privacy, said: “We see fake login pages being used for one very good reason: they work. As long as users fall for this trick, the bad actors of the world will continue to use them.
“Perhaps the best way to fight these fake login pages is to better educate users as to the hazards of such pages and how to best identify when a fake login page is being visited. I also suggest using utilities that can identify such pages, such as Ironscales URL and link scanner.”
Niamh Muldoon, senior director of trust and security at OneLogin, highlighted the main reasons why fake logins work: firstly there is still a huge lack of cybersecurity education, training and awareness amongst the internet end user community globally. “This gap in end user knowledge has grown significantly over the last six months with the pandemic,” she said. “While we have asked the public to upend their lives and transfer it online to help them maintain social distancing and keep them physically safe, many do not have the knowledge to keep themselves cyber-safe.”
Secondly, there is a lack of governance associated with website creation, domain registration and associated management. She said: “This includes verifying the integrity of sites and/or domains in a proactive fashion. While there are clear procedures and processes to have websites and domains taken down where they contain malware and/or are not legitimate, these processes are extremely time consuming, resulting in end users being exposed in the time between the fake pages appearing and the domains and IPs being blacklisted or taken down.”
However, she said “trust and security platform leaders in this field are making the threat landscape harder to traverse for malicious attackers, through clever security consciousness messaging on legitimate login pages.” She recommended partnering with a trusted identity partner that provides multi-factor authentication to reduce the risk of account compromise via these fake login pages/sites. “Ultimately, a global task force and international collaboration is needed to implement regulations associated with domain and website registration and management, to stop these sites appearing in the first place,” she added.
Hugo van der Toorn, manager offensive security at Outpost24, said this is not about attacks targeted against your company, but the names, trademarks and overall recognition of the brands which are used to achieve certain goals. “As organizations, we need to facilitate the swift reporting and follow-up on phishing attempts that infringe our brands and threaten our customers and ultimately our reputations. After receiving a positively identified phishing attempt, we need to be able to issue a notice and takedown and, within hours, shut down this one phishing campaign,” he said.
“It’s not about stopping all phishing and training employees until no one clicks. It is all about responding swiftly and adequality on behalf of the people that do recognize and report these phishing attempts.”