Microsoft, American Express most spoofed brands in financial services phishing emails

Technology giant Microsoft and multinational banking firm American Express are the most spoofed companies in phishing emails targeting financial services. That’s according to the 2023 Financial Services Sector Threat Landscape report by Trustwave SpiderLabs, which examines a multitude of threats faced by the financial services industry. The report cited phishing and email-borne malware as the most exploited methods for gaining an initial foothold into organizations, with Trustwave SpiderLabs observing “interesting developments” in the delivery methods, techniques, themes, and targeted brands of attacks on financial services in the last year. Such developments have contributed to the continuing relevance and effectiveness of these types of attacks, according to the report.

Financial services are increasingly coming into the crosshairs of cybercriminals. Recent research from Akamai discovered a surge in web application and application programming interface (API) attacks targeting the global financial services industry. These attacks grew by 65% in Q2 2023 compared to Q2 2022, accounting for 9 billion attacks in 18 months with banks bearing the brunt, according to the vendor’s High Stakes of Innovation: Attack Trends in Financial Services report. The research also found that the financial services sector is now the top vertical for DDoS attacks, with the EMEA region accounting for 63.5% of global DDoS events.

HTML files most common malicious attachments

Data from Trustwave SpiderLabs’ financial services client base indicated that HTML files are the most common malicious attachments in emails, making up 78% of all malicious attachments assessed, according to the report. These are mainly used for credential phishing, redirectors, and HTML smuggling, with 33% of HTML files employing obfuscation as a means of defense evasion, it added.

Aside from HTML, Trustwave SpiderLabs observed executables as the next most prevalent type of malicious attachment, accounting for 14%. Information stealing malware such as Gootloader, XLoader, Lokibot, Formbook, and Snake Keylogger were among the most spotted attachments, while Agent Tesla (RAT) was also detected in the dataset. Attackers’ use of PDFs (3%), Excel (2%), and Word documents (1%) was sparse in comparison, according to the report.

Voicemail notifications, payment receipts, purchase orders, remittances, bank deposits, and quotation requests were the most common themes in malicious attachment emails, with American Express (24%), DHL (21%), and Microsoft (15%) the brands most spoofed.

The most prevalent, non-malicious attachment phishing themes cited in the report include “Urgent Action” messages, mailbox elated alerts, document sharing, e-signing, account-related alerts, missed communications, meeting-related notifications, and payment/invoice-related alerts. The brands most spoofed in these types of attacks are Microsoft (52%), DocuSign (10%), and American Express (8%). As for business email compromise (BEC), “Payroll Diversion” is the most used theme at 48% with “Request for Contact” and “Task” at 23% and 13%, respectively.

Phishing tactics evolve as attackers adopt AI, LLMs

During the past year, Trustwave SpiderLabs has discovered and analyzed new phishing techniques that attackers have actively used to target the financial services sector. These include IPFS-based phishing, Cloudflare Pages.dev and Workers.dev Phishing, and RPMSG campaigns, the report read.

Trustwave SpiderLabs has also been monitoring the impact of AI and large language models (LLMs) like ChatGPT on phishing attacks. The quick maturity and expanded use of LLM technology makes crafting believable emails that appear genuine easier, more compelling, highly personalized, and harder to detect, it said.

“Lately, we have noted the emergence of LLMs like WormGPT and FraudGPT on underground forums, highlighting the potential cybersecurity risks posed by their criminal use,” the report read. WormGPT’s and FraudGPT’s capabilities include not only crafting convincing phishing emails, but also assisting in creating undetectable malware, writing malicious code, and finding vulnerabilities.

Phishing mitigation should include tests, anti-spoofing measures, layered email scanning

The Trustwave SpiderLabs report included a list of recommendations for mitigating email phishing risks. It said that organizations should:

• Consistently conduct mock phishing tests to assess the effectiveness of anti-phishing training and retrain repeat offenders.
• Implement robust anti-spoofing measures, including deploying technologies on email gateways.
• Deploy layered email scanning with a solution to provide better detection and protection.
• Use techniques to detect domain misspellings to enable the identification of phishing and BEC attacks.