The Top 3 Trends in Phishing Right Now (Part 2)

What are the 2018 cybercrime trends?

Well, there are a lot, from cryptocurrency – a new, emerging threat that I feel like we’ll be talking more about as the year goes on – to rising concerns over the Internet of Things attacks. Plus there are the tried-and-true attacks: classic phish, smishing and vishing that are still very effective.

For the purpose of this two-part series, I will focus on three prevalent trends that are most egregiously targeting our branded customers.

Most commonly detected trends in the first quarter of 2018:

Part 1:
• SSL certs used in phishing
• BEC scams and targeted spearphishing

Part 2:
• One-time use URLs

Additionally, I’ll cover the value of enforcing on the collection point email addresses found in phish kits. Shutting down the collection point email address (where phishing credentials are collected) can disrupt a phisher’s business and make your brand a harder target.

Part 2: One-time use URLs

One-time use URLs are a clever way for phishers to circumvent detection and blocking: the phishing site spawns multiple unique URLs, each intended for one recipient.

Looking at the examples below, there are three legitimate domains that have been hacked to host phishing content. The unique identification of the individual URLs is signified in red; this part of the URL is automatically generated random text spawning a new, unique version of the same phishing site:


Harvesting phish kits can provide a lot of usable information about the phishing site. Capturing the phish kit (the software kit powering the phishing site) isn’t always possible without hacking, but when a kit can be harvested it can provide a lot of valuable intelligence about the kit, the site, and the phisher. Within the PHP code of the phish kit, it’s easy for the trained analyst to discover how the source file for each phishing site is being spawned in milliseconds for each unique visitor, giving each one their own custom, one-time use phishing site.

My first concern was how this trend would affect compliance; however, this hasn’t been as much of a challenge since the root phishing site generates a new URL. This provides the proof a hosting ISP needs to mitigate the site. At MarkMonitor, we enforce at the source folder, and that knocks out all the unique URLs. Clustering like this can reduce the time and effort spent on shutdowns; however, each unique URL is logged for Fraudcasting for consumer blocking.
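One way to express the source-folder clustering described above, as an added example rather than MarkMonitor's own code: it assumes the auto-generated part of each URL is a long, high-entropy alphanumeric path segment and treats everything before it as the source folder. The URLs, function names and thresholds are constructed for illustration.

```python
import math
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample detections (reserved example domains, made-up tokens).
SAMPLE_URLS = [
    "http://shop.example.com/wp-content/secure/3f9a1c7be2d04586a1b2c3d4e5f60718/login.php",
    "http://shop.example.com/wp-content/secure/a81d0c4f77e94b12b6c0de9f3a5512cd/login.php",
    "http://shop.example.com/wp-content/secure/0b6e2f9d4c1a4873955fe1d2c3b4a697/login.php",
    "http://blog.example.org/images/update/9c2e7a10f4b84d6e8a3b5c7d1e0f2a46/index.php",
    "http://blog.example.org/images/update/5d8f3b2a1c9e47f0b6a4d2e8c7f1039b/index.php",
    "http://www.example.net/about.html",
]

def shannon_entropy(s):
    """Entropy of s in bits per character."""
    freqs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in freqs)

def looks_generated(segment):
    """Assumed heuristic: a long, purely alphanumeric, high-entropy path segment."""
    return (len(segment) >= 16 and segment.isalnum()
            and shannon_entropy(segment) >= 3.0)

def source_folder(url):
    """Return (host, path up to the first generated segment) for one URL."""
    parts = urlsplit(url)
    kept = []
    for seg in parts.path.split("/"):
        if looks_generated(seg):
            break
        kept.append(seg)
    else:
        kept = kept[:-1]  # no token found: drop the file name, keep its folder
    return parts.hostname, "/".join(kept).rstrip("/") + "/"

def cluster(urls):
    """Group unique URLs under the source folder that spawned them."""
    clusters = defaultdict(set)
    for url in urls:
        clusters[source_folder(url)].add(url)
    return dict(clusters)

def summarize(urls):
    """Count unique URLs against the domains and folders behind them."""
    clusters = cluster(urls)
    return {"unique_urls": len(set(urls)),
            "unique_domains": len({host for host, _ in clusters}),
            "source_folders": len(clusters)}
```

Each cluster key is one shutdown request to the hosting provider, while the member URLs in each cluster remain available individually for a blocking feed.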

This chart of MarkMonitor data shows that the number of unique URL detections (the blue line) has jumped significantly over the past year, while the number of unique domain names (the red line) has basically stayed flat:


Collection Point Email Addresses

I’ve summarized three of the most common phishing trends right now, but I also want to provide a proactive action that can be taken to go beyond whack-a-mole shutdowns. This is the value of data obtained from phishing kits, and the action of shutting down identified collection point email addresses.

As discussed earlier, phishing kits can yield a lot of usable data. By fingerprinting the kit, MarkMonitor can cluster it with other, related kits – thus creating phish kit families. Measuring phish kit families can be an indication of how heavily a brand is being targeted at any given time.

Identification of collection point email addresses – these are the addresses where the stolen credentials submitted into the phishing site are being sent externally – can yield additional mitigation steps that have the added benefit of disrupting a phisher’s business processes. Shutting down these email addresses can reduce risk of consumer exposure, even if your customer had submitted credentials. Many phishers use the same email address multiple times, as indicated in the screenshot of the MarkMonitor portal below, where the same email address is used multiple times in kits targeting this example customer and other kits detected in the customer’s industry. The effect of this action is not limited to just one phishing incident:


Key Takeaways:

SSL certs can be misused. Losses may increase. One-time use URLs are extremely prevalent right now, causing inflated volumes, but enforcement is largely the same.
Be proactive! Push back on phishers and impact their bottom line.

Mike Tyson once said, “Everybody has a plan until they get punched in the mouth.” This can apply to myriad situations. Have a plan and a backup plan, and you may still get punched in the mouth, but the only thing that counts is how you rally.
