Office 365 Top Brand Targeted by Phishing Kits in 2018

by Magni Sigurdsson, Sarah Neubauer PhishingSecurity Research & Analysis

As 2018 comes to a close, Cyren security researchers wanted to contribute to the customary year-end wrap-ups by sharing:

  • The 20 Most Targeted Brands
  • The 5 Most Used Phishing Kits by Attackers
  • Three Phishing Trends to Look for in 2019

Criminals are nothing if not financial opportunists, and the boom in phishing has been like a cybercrime gold rush: While some are panning for gold, others are selling the tools and equipment. In 2018, the underground phishing economy has come of age, with the evolution of phishing kits offering spoofed web pages – basic ‘equipment’ for any phishing attack – a prime example. “Phishing-as-a-Service” as a broader phenomenon has ushered in a new era of sophistication and access for the low-level cybercriminal – democratizing phishing attacks. What used to take a team of skilled designers, developers, and hackers to architect, build and deploy can now be purchased on the internet for as little as fifty bucks, or rented as a turn-key service for roughly the same amount a month.

Top 20 Brands Most Targeted in 2018 by Professional Phishing Kits

Cyren analyzed 2,025 phishing kits during Q3 and Q4 2018, and our study showed which brands are most targeted by phishing kit developers, and also revealed which specific phishing kits are the most used—effectively, which kits have the highest “market share.” As we dug deeper, we found three notable trends that have upped the ante in 2018 – and are critically important to understand as we look ahead to 2019.

From our analysis of 2,025 phishing kits, below is a list of the brands most frequently targeted by phishing kits:

1 Microsoft Office 25.4%
2 Yahoo 17.2%
3 Paypal 17.1%
4 Dropbox 9.8%
5 Apple 5.0%
6 Gmail 3.9%
7 AOL 3.8%
8 Bank of America 3.7%
9 Excel 2.8%
10 Chase 2.7%
11 Facebook 1.6%
12 Instagram 1.4%
13 DHL 1.0%
14 Wells Fargo 1.0%
15 Netflix 0.8%
16 Onedrive 0.6%
17 Twitter 0.3%
18 Skype 0.3%
19 Google Drive 0.1%
20 USAA 0.1%

5 Top Phishing Kits of 2018

In 2018, the number of phishing attacks has risen along with the sophistication of attackers. The top five phishing kits highlighted below are notable because they are high in volume, highly targeted and highly sophisticated – a trifecta that is emboldening low-level criminals to take on some of the biggest brands…and enterprises.

#1 - Multi-brand Microsoft Office 365 Phishing Kit

The most-used phishing kit targets Microsoft Office 365 and Outlook credentials. While consumer brands still get the most overall phishing activity, it’s clear that the phishing-as-a-service market is meeting demand to penetrate enterprises, with the goal of finding deeper pockets. This kit was found in use most frequently with spoofed Office 365 login pages, but it is a “multi-brand” kit—it also provides spoofed pages for AOL, Bank of America, Chase, Daum, DHL, Dropbox, Facebook, Gmail, Skype, USAA, Webmail, Wells Fargo, and Yahoo.

Top Phishing kits of 2018

#2 – Microsoft Office 365 Phishing Kit

This kit is specific to Office 365 phishing, and includes built-in techniques to evade detection, including blocking IPs and security bots and user agents to hide from standard phishing defenses.

Top Phishing kits of 2018

#3 -- PayPal Phishing Kit

Unlike cheap and phony PayPal emails from yesteryear, this phishing kit employs new levels of sophistication, with several evasive techniques. Buyer (and spender) beware.

Top Phishing kits of 2018

#4 – Multi-brand Kit

If the Fortune 100 and a Swiss Army Knife had a Phishing Kit Baby, this would be it. For the cybercriminal who loves to steal all sorts of stuff, there’s this ever-popular multi-brand kit. Want to hack into lifestyle brands? Apple and Netflix are included. Looking for data? You can target Dropbox and Excel. Email credentials? Gmail and Yahoo are here. How about banking? Chase, PayPal and Bank of America. This one-stop shop for many of the most-targeted brands also includes significant sophistication to avoid detection – it analyzes and blocks specific IPs, hosts, user agents, and offline browsers in order to make it harder to detect.

Top Phishing kits of 2018

#5 – Dropbox Phishing Kit

When it comes to enterprise phishing attacks, context and credentials are power. In this attack, cybercriminals are looking to capture credentials – both to access any enterprise files that might be stored there, and to see if those same credentials might unlock access to other enterprise accounts. It’s example of how more phishing attacks are moving upstream and targeting enterprises.

Top Phishing kits of 2018

Key Phishing Trends to Watch

While phishing has targeted large brands for some time, our analysis points to three significant trends brought on by a new generation of highly professional phishing kits:

  1. Phishing-made-easy means more targeted attacks. With the new phishing kits, even technically unsophisticated would-be criminals have the tools, services and support they need to pursue specific, even local targets and evade detection.
  2. The professional phishing industry is prioritizing enabling enterprise attacks. While consumers (and consumer brands) still bear the brunt of most phishing activity, the most in-demand phishing attacks are exhibiting higher demand to penetrate enterprise accounts.
  3. “Evasive phishing” is a thing. The five top phishing kits are notable because they are high in volume, highly targeted and highly sophisticated – a trifecta that is emboldening low-level criminals to take on some of the biggest brands.

To learn more, click here to download our special report on phishing, "Phishing: From Targeted Attacks to High-Velocity Phishing".

Go back