Third-Party Phishing: How Phishers Leverage Intermediary Sites to Expand Their Attack Radius
Phishing is already near or at the top of every organization’s security concerns. It’s the foothold attackers use to exploit businesses and users alike by stealing credentials or personally identifiable information (PII) for account takeover attacks and fraud campaigns, distributing malware, attacking high-value corporate VIPs and executives, and more.
But as security teams and threat hunters chase down threat activity as it emerges across the open, deep, and dark web, attackers have to get creative to evade detection. In the first half of 2023, BlueVoyant’s expert cyber threat analysts began investigating one such tactic that they first identified in 2020 but has now dramatically increased in volume: third-party phishing.
BlueVoyant recently published a comprehensive research report, Phishing Off a Peer: How Threat Actors Use Third Parties to Execute Advanced Phishing Campaigns, which provides a deep dive into the techniques and scope of this trend.
Traditionally, phishing websites exclusively target users of one organization, whether they are employees or customers. These websites tend to follow a similar cadence: attackers deploy a phishing kit to create a near-identical (or convincing enough) spoofed website of a corporate brand, using a lookalike domain to further a sense of legitimacy.
Third-party phishing is a phenomenon targeting hundreds of global financial institutions using intermediary sites impersonating a brand or entity users trust, before redirecting them to a phishing page. By impersonating an ostensibly unrelated brand, threat actors can better evade detection, while collecting credentials and PII from customers of a wider array of companies.
This tactic now extends across a number of sectors: e-commerce, logistics and shipping, mobile carriers, government institutions, payment transaction platforms, and more.
While phishing scammers use different distribution methods to lure in unsuspecting victims – phishing emails with links to their sites, links posted on social media platforms, etc. – the end goal of tricking a user into entering their login credentials, payment card information, or other personally identifiable information (PII) is always the same. Later, the threat actor collects these credentials and sells them or uses them to defraud the victim.
Third-party phishing sites, on the other hand, keep some characteristics of the original flow but add a step: the initial impersonation that establishes credibility with the end user is of a service that is not connected to the targeted organization. Furthermore, the third-party phishing page itself won't ask the victim to submit their personal credentials. The fraud occurs on the final phishing page to which the victim has been redirected, impersonating the chosen financial institution.
Here’s a look at the typical workflow of a third-party phishing attack:
Third-party phishing websites are growing in use across all geographies. Over the past year, BlueVoyant has witnessed a major increase in the number of phishing sites originating in third-party phishing campaigns. One major European client saw an increase from just 2% of all detected phishing attacks in 2022 to 21% in 2023.
In Europe and the UK, BlueVoyant has detected third-party phishing sites targeting dozens of financial institutions via intermediary websites impersonating postal services, e-commerce platforms, tax payment platforms, mobile carriers, and government services.
In North America, BlueVoyant has identified third-party phishing sites targeting financial institutions, shipping and logistics companies, and e-commerce retailers. One specific campaign targeted Interac, a Canadian interbank network offering online payments. The campaign often used Amazon to initiate the phishing chain, leading victims to a spoofed Interac intermediary site, and finally to the destination phishing page impersonating the victim’s selected financial institution.
The screenshot below depicts the intermediary site offering a dozen different options for users to click – all of which lead to corresponding phishing sites portraying the respective brands.
In the Asia-Pacific region, BlueVoyant has detected third-party phishing campaigns targeting various shipping and logistics companies as well as government services. The example below displays a third-party phishing site masquerading as an Australian government tax payment site, which then redirects users to a phishing page impersonating the financial institutions of their choice – designed to collect the victim’s PII and credentials.
Third-party phishing adds a new wrinkle to the oldest trick in the book. Intermediary sites directing victims to various phishing sites provide two benefits to attackers: they allow them to cast a wider net and catch more fish (so to speak), and they put another degree of separation between them and threat hunters who may be on their trail. We’ve previously published research highlighting how attackers use redirects as an evasion mechanism – third-party phishing builds on that concept, while also giving the threat actor a greater chance of ensnaring their targets.
Organizations now need to monitor not only cyber threat activity targeting their own domains, but also third-party phishing attempts that use an intermediary to direct traffic to a different phishing page that may be harder to detect on its own. The increased risk associated with one website acting as a gateway to dozens of financial institutions is substantial, and security teams will need to increase their efforts to find third-party phishing sites that could be targeting them and many of their peers.
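As an added defender-side example (not code from BlueVoyant or the report above), the following Python heuristic flags a captured page whose links fan out to lookalike domains of several watched financial brands, the defining trait of the intermediary sites described in this post. The brand list, legitimate domains and sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand list (constructed): keyword -> legitimate registrable domains.
WATCHED_BRANDS = {
    "examplebank": {"examplebank.example"},
    "acmecu": {"acmecu.example"},
    "northwind": {"northwind.example"},
}

# Constructed sample of an intermediary page posing as a parcel-fee notice.
SAMPLE_PAGE = """<html><body><h1>Parcel fee of 2.99 is due</h1>
<p>Select your bank to pay:</p>
<a href="https://examplebank-secure-pay.example.net/login">Example Bank</a>
<a href="https://acmecu-verify.example.org/auth">Acme CU</a>
<a href="https://northwind.example/online">Northwind Financial</a></body></html>"""

class _LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def lookalike_targets(html):
    """Brand keyword -> off-brand registrable domains its links on this page lead to."""
    parser = _LinkCollector()
    parser.feed(html)
    hits = {}
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        domain = ".".join(host.split(".")[-2:])  # crude; use a public-suffix list in production
        haystack = host + " " + text.lower().replace(" ", "")
        for brand, legit in WATCHED_BRANDS.items():
            if brand in haystack and domain not in legit:
                hits.setdefault(brand, set()).add(domain)
    return hits

def is_third_party_phishing_hub(html, min_brands=2):
    """True when one page steers visitors to lookalikes of >= min_brands watched brands."""
    return len(lookalike_targets(html)) >= min_brands
```

A single lookalike link is ordinary brand phishing; the fan-out to two or more institutions from one unrelated page is what distinguishes the intermediary pattern, so that is what the threshold keys on.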