More than 50.000 fake login pages were identified in the first half of 2020, many of which are diverse and represent different companies. According to a survey conducted by Ironscales, fake login pages are commonly used for support hacking campaigns such as spear-phishing, while its researchers found that fake login pages had been falsified by more than 200 well-known companies of world renown. The researchers also found that about 2.500 of the more than 50.000 fake login pages were polymorphic, with one fake link representing more than 300 different login pages.
According to Ironscales Brendan Roddas, diversity is due to the fact that an intruder applies small but significant and often random changes to a e-mail, such as content, copy, subject line, and sender name.
This allows attackers to quickly execute phishing attacks, with which they cheat tools signature email security not designed to recognize such modifications to the threats, allowing different variants of the same attack to reach employees' incoming messages without being detectable.
Ironscales reports that the most common recipients of fake login emails are in the financial services, healthcare services, technology companies as well as government agencies.
According to Chris Hauk, who deals with consumer privacy at Pixel Privacy, as long as fake login pages are still effective and deceive unsuspecting targets, the malicious agents behind them will continue to use them. Hauk added that the best way to tackle and eliminate these fake login pages is to properly and substantially educate users about the risks posed by these threats, but also about how they can be effectively dealt with. Hauk also suggested the use of utilities, which can identify such pages as the Ironscales URL and the link scanner.
Niamh Muldoon, senior security director at OneLogin, explained the main reasons why fake logins work. Initially, he pointed out that the key to the success of fake link pages is the huge lack of education, training and awareness of users about the threats that appear in the field of cyberspace - a gap that has grown significantly in recent months after the outbreak of the pandemic of COVID-19.
Muldoon then reported that the lack of control associated with creating websites, subscribing domain and related management, is another factor that contributes to the intensification of this phenomenon. This includes verifying the integrity of websites and / or domains in a preventive manner. Although there are procedures for removing sites and domains they contain malware or are not legal, these processes are extremely time consuming, resulting in end users being exposed in time between the fake pages that appear and the domains and IPs that are blacklisted or removed. In addition, Muldoon concluded that a global working group and international cooperation are needed to enforce domain and site registration and site management regulations to stop these pages from appearing.
Hugo van der Toorn, security officer at Outpost24, said the attacks were not aimed at a company, but at the names, trademarks and overall identities of the trademarks used to achieve certain goals. Therefore, rapid reporting and monitoring of attempts should be facilitated Phishing who infringe on branded companies and threaten their customers and, consequently, their reputation. Toorn added that once a phishing attempt is detected, companies should be able to issue a notice and, within hours, stop the phishing campaign. Finally, Toorn stressed that the main goal is the rapid and effective response of people who recognize and report these phishing attempts.