Netskope threat research identifies next gen phishing tactics

SANTA CLARA, Calif. – Netskope, the SASE computer security platform provider has released their new threat research which reveals the top sources of phishing attacks and cloud vulnerabilities.

Threats this go around are led by fake login page referrals, fake third-party cloud apps and more as detailed in the Netskope Cloud and Threat Report: Phishing. These threats mimic legitimate apps in order gain access to unsuspecting users’ information.

“Although email is still a primary mechanism for delivering phishing links to fake login pages to capture usernames, passwords, MFA codes and more, the report reveals that users are more frequently clicking phishing links arriving through other channels, including personal websites and blogs, social media, and search engine results,” Netskope wrote. “The report also details the rise in fake third-party cloud apps designed to trick users into authorizing access to their cloud data and resources.”

Email has been the traditional delivery method for phishing attempts however Netskope’s report notes that webmail made up 11% of attempts recorded as opposed to personal sites and blogs which were responsible for 26% of referrals to phishing content. That’s extrapolated from roughly 8 out of every 1000 enterprise users who clicked on phishing links or accessed phishing content during Q3 2022.

Search engines have also seen a rise of referrals to phishing pages due to attackers creating pages based on uncommon or obscure search terms, which sees them becoming the top link for search results. “Business employees have been trained to spot phishing messages in email and text messages, so threat actors have adjusted their methods and are luring users into clicking on phishing links in other, less expected places,” said Ray Canzanese, Threat Research Director, Netskope Threat Labs. “While we might not be thinking about the possibility of a phishing attack while surfing the internet or favorite search engine, we all must use the same level of vigilance and skepticism as we do with inbound email, and never enter credentials or sensitive information into any page after clicking a link. Always browse directly to login pages.”

Another phishing method on the rise has been to trick users into granting access to cloud data and resources via third-party cloud applications. Netskope describes this nascent trend as being a great concern because access to third part apps has become such an omnipresent problem that presents what Netskope called a “large attack surface”. Netskope said that organizations were seen granting as many as 440 or more third party apps access to their Google data and applications, 44% of those apps having access to either sensitive data, or all data on a user’s Google Drive.

“The next generation of phishing attacks is upon us. With the prevalence of cloud applications and the changing nature of how they are used, from Chrome extensions or app add-ons, users are being asked to authorize access in what has become an overlooked attack vector,” added Canzanese. “This new trend of fake third-party apps is something we’re closely monitoring and tracking for our customers. We expect these types of attacks to increase over time, so organizations need to ensure that new attack paths such as OAuth authorizations are restricted or locked down. Employees should also be aware of these attacks and scrutinize authorization requests the same way they scrutinize emails and text messages.”

Additional key findings from the report include:

•Employees continue to click, fall victim to malicious links. It is widely understood that it takes just one click to severely compromise an organization. While enterprise phishing awareness and training continues to be more prevalent, the report reveals that an average of eight out of every 1,000 end-users in the enterprise clicked on a phishing link or otherwise attempted to access phishing content.

•Users are being lured by fake websites designed to mimic legitimate login pages. Attackers primarily host these websites on content servers (22%) followed by newly registered domains (17%). Once users put personal information into a fake site, or grant it access to their data, attackers are able to capture usernames, passwords, and multi-factor authentication (MFA) codes.

•Geographic location plays a role in the access rate of phishing. Africa and the Middle East were the two regions with the highest percentages of users accessing phishing content. In Africa, the percentage of users accessing phishing content is more than 33% above average, and in the Middle East, it is more than twice the average. Attackers frequently use fear, uncertainty, and doubt (FUD) to design phishing lures and also try to capitalize on major news items. Especially in the Middle East, attackers appear to be having success designing lures that capitalize on political, social, and economic issues affecting the region.

Readers can access the full Netskope report by clicking here or visit www.netskope.com to learn more about their services.