A specialist in secure access service edge (SASE), Netskope, has unveiled new research showing how cloud applications’ prevalence is changing the way threat actors use phishing attack delivery methods to steal data.
As per the Netskope Cloud and Threat Report, phishing details trends in phishing delivery methods like fake login pages and fake third-party cloud applications designed to mimic legitimate apps, the targets of phishing attacks, and where the fraudulent content is hosted.
Although email is still a primary mechanism for delivering phishing links to fake login pages to capture usernames, passwords, MFA codes, and more, the report shows that users are more often clicking phishing links arriving through other channels, including personal websites, blogs, social media, and search engine results.
The report also details the increase in fake third-party cloud apps that trick users into authorizing access to their cloud data and resources.
Phishing Comes From All Directions
11% of the phishing attacks alerts were referred from webmail services, like Gmail, Microsoft Live, and Yahoo. Personal websites and blogs, especially those hosted on free hosting services, were the most regular referrers to phishing content, claiming the top spot at 26%.
The report found two primary phishing referral methods.
- The use of malicious links through spam on legalized websites and blogs.
- The use of websites and blogs explicitly created to promote phishing content.
Search engine referrals to phishing pages have also become common since attackers are weaponizing data voids by creating pages centered around uncommon search terms where they can readily establish themselves.
Examples identified by Netskope Threat Labs are: how to use specific features in popular software, quiz answers for online courses, user manuals for various business and personal products, and more.
Ray Canzanese, threat research director at Netskope Threat Labs, said that business employees had been trained to spot phishing messages in email and text messages, so that threat actors have adjusted their methods and are luring users into clicking on phishing attack links in other, less expected places.