Check Point Research (CPR), the Threat Intelligence division of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a global provider of cybersecurity solutions, has released its Brand Phishing Report for the third quarter of 2022.
The report highlights the brands that were most frequently imitated by criminals in their attempts to steal personal information or payment credentials from individuals during the months of July, August, and September.
While LinkedIn was the most imitated brand in both Q1 and Q2 of 2022, shipping company DHL took the top spot in Q3, accounting for 22% of all phishing attempts globally. Microsoft is second (16%), and LinkedIn is third, accounting for only 11% of scams, down from 52% in Q1 and 45% in Q2. DHL’s growth could be attributed in part to a major global scam and phishing attack that the logistics company warned about just days before the quarter began. Instagram has also entered the top ten list for the first time this quarter, following a phishing campaign involving a ‘blue badge’ that was reported in September.
Shipping is the second most common industry for brand phishing, after technology. CPR will continue to monitor shipping-related scams as we approach the busiest retail season of the year, as threat actors will likely increase their efforts to take advantage of online shoppers.
“Phishing is the most common type of social engineering, which is a general term describing attempts to manipulate or trick users. It is an increasingly common threat vector used in most security incidents,” commented Omer Dembinsky, Data Research Group Manager at Check Point.
“In Q3, we saw a dramatic reduction in the number of phishing attempts related to LinkedIn, which reminds us that cybercriminals will often switch their tactics to increase their chances of success. It is still the third most commonly impersonated brand though, so we’d urge all users to stay mindful of any emails or communications purporting to be from LinkedIn. Now that DHL is the brand most likely to be imitated, it’s crucial that anyone expecting a delivery goes straight to the official website to check progress and/or notifications. Do not trust any emails, particularly those asking for information to be shared.”
In a brand phishing attack, criminals attempt to imitate the official website of a well-known brand by using a domain name or URL and web-page design that is similar to the genuine site. The link to the fake website can be sent to specific individuals via email or text message, a user can be redirected while browsing the web, or it can be triggered by a fraudulent mobile app. A form on the fake website is frequently used to steal users’ credentials, payment information, or other personal information.
Below are the top brands ranked by their overall appearance in brand phishing attempts:
As part of campaigns using DHL’s branding that appeared during Q3 2022, we observed a malicious phishing email that was sent from a webmail address “info@lincssourcing[.]com” and spoofed to appear as if it was sent from “DHL Express”. The email contained the subject- “Undelivered DHL(Parcel/Shipment)”, and the content (see Figure 1) tries to persuade the victim to click on a malicious link claiming that there is a delivery intended for them that can be sent just after updating the delivery address. This link leads to a malicious website- “https://bafybeig4warxkemgy6mdzooxeeuglstk6idtz5dinm7yayeazximd3azai[.]ipfs[.]w3s[.]link/dshby[.]html/” (see Figure 2) that requires the victim’s username and password to be entered.
In this phishing email, we see an attempt to steal a user’s Microsoft account information. The email (see Figure 1) which was sent from the webmail address “email@example.com” under the fake sender name – “OneDrive”, contained the subject “ A document titled ‘Proposal’ has been shared with you on Onedrive”. The attacker tries to lure the victim to click on the malicious link claiming that an important document titled “Proposal” shared with them on their OneDrive. This malicious link – “ https://mail-supp-365[.]herokuapp[.]com/” redirects the user to a fraudulent Microsoft web app login page (see Figure 2), there the user needs to enter their account password.
As always, we advise users to exercise caution when providing personal information and credentials to business applications or websites, and to think twice before opening email attachments or links, particularly those claiming to be from companies such as DHL, Microsoft, or LinkedIn, which are the most likely to be impersonated.