Phishing Attacks in the Finance Industry

December 5, 2019 | 3 min read

BlueVoyant

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Cybercriminals typically look for the path of least resistance, which is frequently the end user. BlueVoyant’s October research of attacks within the financial industry confirms this. Phishing attacks occur as often as every other attack vector in the financial sector combined - surpassing the second top attack vector by 292%.

Phishing has continued rapid growth through 2019, with a 400% increase in phishing URLs discovered from January to July 2019. According to a recent report from Webroot, the top industries impersonated by phishing are listed in the chart below.

Phishing kits are one of the top methods of launching phishing campaigns. These kits are widely available, inexpensive, and easy to use.

According to a recent report from Akamai, the top impersonated brands used by phishing kits include:

  • Microsoft - 62 phishing kit variants, 3,897 domains
  • PayPal - 14 phishing kit variants, 1,669 domains
  • DHS - 7 phishing kit variants, 1,565 domains
  • Dropbox - 11 phishing kit variants, 461 domains

As reported in previous BlueVoyant blogs, phishing is no longer just an email-based problem. This social engineering tactic has expanded to social media, mobile devices, and more, creating far-reaching issues for all industries.

Phishing has morphed into multiple subcategories such as Business Email Compromise (BEC), Pharming, SMiShing, Spear Phishing, Vishing, and Whaling. BEC has been the top subcategory in recent months outside of general deceptive phishing. The style of phishing attacks is not one size fits all; therefore, organizations will need to perform due diligence to stay ahead of business-minded criminals looking to abuse their trust.

It Isn’t Always Easy to Spot!

One easy way to check whether a suspicious email is legitimate is to hover over any link and confirm that the destination is what it should be. However, a major campaign impersonating the Stripe brand is currently underway that defeats this easy trick.

Stripe is a top online payment processor, providing payment logistics to internet businesses who accept payments from e-commerce customers. The company handles billions of dollars annually, making it a perfect target.

The emails claim to be from Stripe Support, providing notification that the details associated with the victim’s account are invalid. The email goes on to claim that the account will be placed on hold if the victim fails to update the account details. The emails include a button to click to “update” the account details. This is where it gets a bit tricky.

The attackers have added a custom title attribute to the link behind the button, so when the victim hovers over it, all they see is “Review your details.” Victims who take the bait will be sent to a cloned Stripe account page designed to steal user credentials, bank account information, and phone numbers.
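The hover trick described above can be checked mechanically on the raw HTML of a message. The following is an added example, not code from BlueVoyant or Stripe: it flags links whose destination is outside stripe.com and notes when a title attribute would mask the hover text. The function names and the sample body (with example.net standing in for the attacker's host) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("stripe.com",)  # subdomains such as e.stripe.com are accepted too

def host_is_trusted(url, trusted=TRUSTED):
    """True only if the URL's real host is a trusted domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

class LinkAudit(HTMLParser):
    """Collect every <a> with its href, title attribute and visible text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._open = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._open = {"href": a.get("href") or "", "title": a.get("title"), "text": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data  # also captures text nested in <b>, <span>, ...

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None

def audit_email_html(html):
    """Return (reason, host, title, text) for each web link that leaves the trusted domain."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        href = link["href"].strip()
        if not href.lower().startswith(("http://", "https://")) or host_is_trusted(href):
            continue  # non-web schemes are out of scope; trusted hosts pass
        # A title attribute makes the hover tooltip show chosen text, not the URL.
        reason = "untrusted-host+hover-title" if link["title"] else "untrusted-host"
        findings.append((reason, urlsplit(href).hostname, link["title"], link["text"].strip()))
    return findings

# Constructed sample body modelled on the lure described above.
SAMPLE = """<p>The details associated with your account are invalid.</p>
<a href="https://stripe.example.net/login" title="Review your details"><b>Update</b></a>
<a href="https://e.stripe.com/help">Help</a>
<a href="https://notstripe.com/x">Support</a>"""
```

Matching on the parsed hostname rather than on the raw string is what keeps look-alike hosts such as "notstripe.com" and userinfo tricks such as "stripe.com@other-host" from passing the check.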

Stripe acknowledges on the company's support site that they will send email notifications to their customers once in a while, and they also provide the following tips that should help users avoid getting phished:

  • Check the web address (URL) before you click on a link. On a web browser, hover over the link and look at the URL that shows up on the bottom of your browser. Is it pointing to a page at stripe.com?
  • Stripe emails will come from the “stripe.com” or "e.stripe.com" domains, and you can always reply directly to the message to get in touch with us.
  • Only type your password into a website after confirming that it is the website you want, not one that was created to look like Stripe:
    • Check the domain name for typos (such as “stirpe.com”).
    • Check for our Extended Validation Certificate; this usually looks like a green lock next to the URL, and it lets you know that you are on the genuine Stripe website.

BlueVoyant recommends always going to the site directly when receiving such emails instead of clicking on provided links, especially if the email is unexpected.