Check Point Research (CPR), its Threat Intelligence division Check Point Software Technologies Ltd. global cybersecurity solutions provider, has released its Brand Phishing Report for the third quarter of 2022.
The report shows the brands most often imitated by criminals in their attempts to steal people's personal information or payment credentials during July, August and September.
While LinkedIn was the most imitated brand in both the first and second quarters of 2022, shipping company DHL took the top spot in the third quarter, accounting for 22% of all phishing attempts worldwide. Microsoft is in second place (16%) and LinkedIn has dropped to third, accounting for just 11% of fraud, compared to 52% in Q1 and 45% in Q2.
DHL's rise could be partly due to a major global fraud and phishing attack about which the company itself warned a few days before the start of the quarter. Instagram also appeared in the top ten list for the first time this quarter, after a phishing campaign related to the "blue badge" was reported in September.
The transportation industry is one of the top industries for brand phishing, second only to technology. As we head into the most dynamic period for retail sales of the year, CPR will continue to monitor transport-related fraud as actions will likely increase their efforts to exploit online shoppers.
“Phishing is the most common type of social engineering, which is a general term that describes attempts to manipulate or deceive users. It is an increasingly common threat vector used in most security incidents,” commented Omer Dembinsky, Data Research Group Manager at Check Point. “In the third quarter, we saw a dramatic decrease in the number of LinkedIn-related phishing attempts, which reminds us that cybercriminals often change their tactics to increase their chances of success.
But it's still the third most copied company, so we'd urge all users to be wary of any emails or communications purporting to come from LinkedIn. Now that DHL is the brand most likely to be imitated, it is vital that anyone expecting a delivery goes straight to the official website to check progress and/or alerts. Do not trust any email, especially those that ask for information to be shared.”
In a phishing attack, criminals try to impersonate the official website of a well-known company, using a similar domain name or URL and web page design to the authentic website.
The link to the fake website can be sent to targeted individuals via email or text message, the user can be redirected while browsing the web, or it can be activated by a fraudulent mobile phone app. The fake site often contains a form designed to steal users' credentials, payment information, or other personal information.
Table of Contents
Top phishing brands in the 3rd quarter of 2022
The following are the top brands that rank based on their overall appearance in brand phishing attempts:
- DHL (related to 22% of all phishing attacks worldwide)
- Microsoft (16%)
- LinkedIn (11%)
- Google (6%)
- Netflix (5%)
- WeTransfer (5%)
- Walmart (5%)
- WhatsApp (4%)
- HSBC (4%)
- Instagram (3%)
DHL Phishing Email – Example of account theft
As part of campaigns using DHL branding that appeared during Q3 2022, we observed a malicious phishing email sent from a webmail address “info@lincssourcing[.]com” and spoofed to appear to be sent from by "DHL Express". The email contained the subject- “Undelivered DHL(Parcel/Shipment)”, and the content (see Figure 1) tries to convince the victim to click on a malicious link, claiming that there is a delivery intended for them and can be shipped immediately after updating the delivery address.
This link leads to a malicious website- “https://bafybeig4warxkemgy6mdzooxeeuglstk6idtz5dinm7yayeazximd3azai[.]ipfs[.]w3s[.]link/dshby[.]html/” (see Figure 2) which requires you to enter your username and password. victim's password.
OneDrive Phishing Email – Example of Account Theft
In this phishing email, we see an attempt to steal a user's Microsoft account information.
The email (see Figure 1), which was sent from the webmail address “[email protected]” with fake sender name – “OneDrive”, contained the subject “A document titled 'Proposal' has been shared with you on OneDrive”. The attacker tries to trick the victim into clicking on the malicious link by claiming that an important document titled “Proposal” has been shared with them on OneDrive.
This malicious link – ” https://mail-supp-365[.]herokuapp[.]com/” redirects the user to a fake Microsoft web app login page (see Figure 2) where the user has to enter his account password.
As always, we encourage users to exercise caution when disclosing personal data and credentials on business applications or websites and to think twice before opening email attachments or links, especially emails claiming to be from companies such as DHL, Microsoft or LinkedIn, as it is more likely to be an impersonation.