Workplace social network LinkedIn has emerged as the brand most imitated by cyber criminals in their phishing attacks for the second quarter in a row, accounting for 45% of all phishing attacks in the three-month period to the end of June 2022, according to a Check Point Research report.
In its Brand phishing report for Q2 2022, Check Point’s threat research arm highlights how social networks in general are the most imitated brand category, followed by technology companies and then shipping.
The past three months saw a “striking rise” in big name technology companies being exploited, with Microsoft now making up 13% of all brand phishing attempts to place second, edging out DHL, which accounted for 12% of brand phishing emails.
Altogether, the top 10 imitated brands in the second quarter (Q2) – per data gleaned from Check Point’s own ThreatCloud – were: LinkedIn (45%), Microsoft (13%), DHL (12%), Amazon (9%), Apple (3%), Adidas (2%), Google (1%), Netflix (1%), Adobe (1%), and HSBC (1%).
Check Point data research group manager Omer Dembinsky said there was a good reason why phishing emails are such a prominent tool in the threat actor arsenal.
“They are fast to deploy and can target millions of users at relatively low cost. They give cyber criminals the opportunity to leverage the reputation of trusted brands to give users a false sense of security that can be exploited to steal personal or commercial information for financial gain,” he said.
“The criminals will use any brand with sufficient reach and consumer trust. Hence, we see hackers expanding their activities with the first appearance of Adidas, Adobe and HSBC in the top 10, The hackers trade on our trust in these brands and that very human instinct for ‘the deal.’ There’s a reason the hackers continue to use brand-based phishing. It works.
“So, consumers need to act with caution and look out for tell-tale signs of the fake email, like poor grammar, spelling mistakes or strange domain names. If in doubt, head for the brand’s own website rather than clicking any links.”
ESET global cyber security advisor Jake Moore added: “Using well-known, big names in phishing emails can help grab the attention of unsuspecting victims who act quickly without spending the time assessing the email for clues of its authenticity. LinkedIn is clearly a brand that works, so people need to remain aware of these tactics and steer clear of emails with links requesting a login.
“However, the best way to beat such attempts is to implement two-factor authentication on their accounts and make sure all of their online accounts are using unique passwords.”
Anatomy of a brand phishing attack
Typically, a brand phishing attack will take advantage of people’s implicit trust in familiar names, leveraging its imagery and URLs that at first glance will appear similar to the legitimate one.
In many cases, such attacks will also play on human emotions to create a sense of urgency, such as missing out on a potential discount, which can lead to people clicking in haste without being alert to the possibility they are being misled.
In the case of the three most imitated brands on Check Point’s list, all of these tactics can be clearly seen. For example, LinkedIn-based phishing campaigns observed tend to imitate LinkedIn’s corporate ‘style’, with subject lines that will seem familiar to any regular user of the platform, such ‘You appeared in x searches this week’ or ‘You have x new message(s)’.
LinkedIn-themed phishes can also prove particularly effective because the platform is frequently used by jobseekers, so approaches that appear, for example, to be good news from a recruiter will have instant emotional appeal. A recent campaign by North Korea’s Lazarus group demonstrated this effectively.
The increase in Microsoft-themed lures in some ways presents a greater threat than the LinkedIn ones because threat actors are easily able to compromise multiple applications – such as Teams or SharePoint – with a single account login.
Additionally, Microsoft’s ubiquity in the modern workplace means people will tend to trust its messages implicitly, particularly when they relate to services beneficial to people who are still working remotely or on a hybrid basis at this stage of the Covid-19 pandemic, such as Outlook Web App (OWA).
The pandemic is also clearly behind the continued prevalence of phishing lures themed around shipping companies such as DHL – other courier and delivery firms are also frequently spoofed.
This is due to the relentless growth of online shopping, and such attempts will generally purport to be information on a shipment, or, to play on the emotive angle, a missed delivery notification. Similar logic likely lies behind the appearance of brands such as Amazon in the figures.