Netskope threat research: next generation of phishing attacks uses unexpected delivery methods to steal data

Netskope, a leader in Secure Access Service Edge (SASE), has unveiled research that shows how the prevalence of cloud applications is changing the way threat actors are using phishing attack delivery methods to steal data.

The Netskope Cloud and Threat Report: Phishing details trends in phishing delivery methods, such as fake login pages and fake third-party cloud applications designed to mimic legitimate apps, as well as the targets of phishing attacks, where the fraudulent content is hosted and more.

Although email is still a primary mechanism for delivering phishing links to fake login pages to capture usernames, passwords, MFA codes and more, the report reveals that users are more frequently clicking phishing links arriving through other channels, including personal websites and blogs, social media and search engine results. The report also details the rise in fake third-party cloud apps designed to trick users into authorising access to their cloud data and resources.

Phishing comes from all directions

Webmail services such as Gmail, Microsoft Live and Yahoo, traditionally considered the top phishing threat, referred 11% of the phishing alerts. Personal websites and blogs, particularly those hosted on free hosting services, were the most common referrers to phishing content, claiming the top spot at 26%. The report identified two primary phishing referral methods: malicious links spread through spam on legitimate websites and blogs, and websites and blogs created specifically to promote phishing content.

Search engine referrals to phishing pages have also become common, as attackers are weaponising data voids by creating pages centred around uncommon search terms where they can readily establish themselves as one of the top results for those terms. Examples identified by Netskope Threat Labs include how to use specific features in popular software, quiz answers for online courses, user manuals for a variety of business and personal products and more.

“Business employees have been trained to spot phishing messages in email and text messages, so threat actors have adjusted their methods and are luring users into clicking on phishing links in other, less expected places,” said Ray Canzanese, Threat Research Director, Netskope Threat Labs. “While we might not be thinking about the possibility of a phishing attack while surfing the Internet or favourite search engine, we all must use the same level of vigilance and scepticism as we do with inbound email and never enter credentials or sensitive information into any page after clicking a link. Always browse directly to login pages.”

The rise of fake third-party cloud apps

Netskope’s report discloses another key phishing method: tricking users into granting access to their cloud data and resources through fake third-party cloud applications. This early trend is particularly concerning because access to third-party applications is ubiquitous and poses a large attack surface.

On average, end-users in organisations granted more than 440 third-party applications access to their Google data and applications, with one organisation having as many as 12,300 different plugins accessing data – an average of 16 plugins per user.
