The 2nd Annual March Hackness Phishing Bracket

The Top 64 Brands Hackers Pretend To Be

Area 1 Security
The Azimuth
5 min read · Mar 17, 2017


Shalabh Mohan | Area 1 Security | @area1security

It’s March, which means it’s time for heroes and heartbreaks, last-second threes, and Cinderellas. It’s time for college basketball. Mr. Trump didn’t fill out a bracket this year, but our ex-POTUS and one-on-none basketball champion, Barack Obama, picked North Carolina. Statistics website 538.com says the best money is on Villanova, and Vegas likes Duke.

For us here at Area 1 Security, while we pretend to watch the Michigan game on one of our monitors, March marks the time for another type of bracket — a cybersecurity bracket. Area 1 investigates millions of cyber attacks from the past year and predicts the 64 worst threats that will show up in your inbox as phishing attacks in the coming year (in the spirit of the 64 best teams in the NCAA tournament). You can find last year’s bracket here.

Area 1 Security’s 2017 Perfect Phishing Bracket

I think we can all agree that 2016 was an upset year in cybersecurity. Top seeds — Yahoo, LinkedIn, and the U.S. Government, to name a few — all with world-class cyber defense, were defeated by teams you’d never even heard of. There were countless incidents of massive data loss, CFOs across the globe were tricked into wiring money to “Joe, from accounting” (really Vlad, from Russia), and of course we saw the latest and greatest hacking use case: a brand new way to manipulate politics.

While perpetrators, targets, and the paths between the two may have evolved and proliferated, some things have remained exactly the same, like the technique that attackers use.

Phishing is still the #1 preferred method of hackers across the globe. Over 95% of breaches begin with phishing attacks.

The Area 1 Security March Hackness Phishing Bracket illustrates the brands used most prominently as bait in phishing attacks. To reiterate from last year, the “bait companies” mentioned are the top 64 most-referenced brands used in phishing scams. “These are not the companies that were victimized, but those the attacker referenced to fool a victim into opening an email or clicking on an attachment,” as SC Magazine described the bracket last year.

And as was the case last year, the big, consumer brands were used most prominently as phishing bait to attract bites from targets.

Does the name John Podesta ring a bell? Well, if it doesn’t, does this screen look familiar?

Of course it does. It’s a Gmail “reset password” screen. Even if you have never personally received this, you likely have a pretty good idea of what it is. This was the actual phishing email sent to John Podesta (former chairman of the 2016 Hillary Clinton presidential campaign), which subsequently led to the leaking of thousands of confidential emails.

Podesta got plenty of bad press on this, so let me be the first to give the guy a break. Looks real, right? Looks like something I might click. There’s no point in treating these clever, sophisticated attacks like user errors.

Attack Breakdown in Phishing Terms

Attacker: Unknown (cough, Russia)*

Target: The Democratic National Convention

Bait: Google (Gmail password reset)

Phish Caught (Point of Breach): John Podesta

*I would like to take this opportunity to point out that attribution in cybersecurity is virtually useless. Knowing who to blame — after the fact — does not eliminate or even decrease the damage caused.

It is clear why recognized brands (in this case, Google) are used to trick victims into clicking. We trust them, so we usually don’t think twice about their legitimacy. It is the oldest and truest social-engineering trick in the book.
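The mismatch this kind of lure relies on (a trusted brand in the display name, subject and body, but a sender and links that belong to nobody the brand controls) is something mail filtering can check mechanically. The following is an added, illustrative example and not Area 1 Security’s code; the brand-to-domain map, the helper names and the two sample messages are constructed for the demonstration, and the registrable-domain helper is a crude last-two-labels approximation rather than a public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed, illustrative map: brand keywords -> domains a genuine message would use.
BRAND_DOMAINS = {
    "google": {"google.com"},
    "paypal": {"paypal.com"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def registrable(host):
    """Crude eTLD+1: last two labels. Enough for this demo, not for production."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def brand_lure_findings(raw_message):
    """Return findings where a referenced brand does not match sender or link domains."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    sender_dom = registrable(addr.rpartition("@")[2]) if "@" in addr else ""
    text = f"{display_name} {subject} {body}".lower()
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if brand not in text:
            continue  # brand not referenced, nothing to compare against
        legit_regs = {registrable(d) for d in legit}
        if sender_dom and sender_dom not in legit_regs:
            findings.append(f"{brand}: sender domain {sender_dom} is not a {brand} domain")
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if registrable(host) not in legit_regs:
                findings.append(f"{brand}: link to {host} is not a {brand} domain")
    return findings


# Constructed sample in the style of a password-reset lure (not the real Podesta email).
SAMPLE_LURE = """From: "Google" <no-reply@accounts-google-security.example>
To: victim@example.org
Subject: Someone has your password
Content-Type: text/plain

Someone just used your password to try to sign in to your Google Account.
You should change your password immediately: https://accounts-google-security.example/reset
"""

# Constructed sample of a message whose sender and link actually belong to the brand.
SAMPLE_LEGIT = """From: "Google" <no-reply@accounts.google.com>
To: victim@example.org
Subject: Security alert
Content-Type: text/plain

Review recent activity at https://accounts.google.com/ in your Google Account.
"""
```

Running `brand_lure_findings` on the two samples flags the lure twice (sender and link) and the legitimate message not at all; a real deployment would use a public-suffix list and the brand's published domains.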

The 2017 Perfect Phishing Bracket explores the 64 brands used most often as phishing bait. And below, we can see who made it all the way to the Sweet Sixteen and the Phinal Phour. Google, the bait used for the DNC hack, didn’t quite make it to the Phinal Phour in our bracket this year, but came in close at number five.

Yes, a simple spoofed Google login was the fifth most used trick by hackers. If this well-known, widely used trick was good enough to fool a major organization like the DNC, what does that mean for the rest of us? We are making it aggravatingly easy for hackers to leak our data, steal our money, and alter our views.

Our analysis of millions of attack records from April 2016 to today reveals that the top 64 brands were referenced in 79.65% of all phishing attacks seen during this analysis period. That is up from 70% in 2016. Hackers have a method that works, is cheap, and is totally repeatable.

Predictably, while the US remains the #1 most targeted country via phishing attacks, it’s also home to the overwhelming majority of brands used as phishing bait. 48.5% of the top 64 brands are American, up more than 10% from 2016. And check out the Sweet 16. A remarkable 14/16 (that’s 87.5%) are U.S. companies. We are perpetually under attack — whether it is for money, data, or intellectual property, political gain or disruption, or perhaps just a bone to pick — so we need to get ahead of these attacks and preempt damaging breaches.

Hackers will exploit human trust as long as human trust exists. Fortunately for humanity, but unfortunately for the security of your network, human trust will always exist — regardless of how well trained we are or how calloused we become. It only takes one click from one unsuspecting victim to bring an entire network to its knees.

The only way to defeat a well-executed and extremely targeted socially-engineered attack is to make sure that it never appears in front of its target in the first place.

While our goal for the Phishing Bracket is to make people think and to illustrate the repetitive and predictable nature of socially-engineered attacks, I am hopeful that in the future this exercise will become obsolete. It’s time to force hackers to look elsewhere for techniques and eliminate phishing altogether.

Learn more about how Area 1 discovers and eliminates phishing attacks at their origins, before they can get inside organizations and cause damage.
