Check Point Research (CPR) releases its Q4 2022 Brand Phishing Report, highlighting the brands that were most frequently imitated by criminals during October, November and December 2022. Yahoo became the top brand impersonated in phishing attacks last quarter, climbing 23 spots in the ranking from the previous quarter. Cybercriminals are sending emails with subject lines that suggest a recipient has won awards and prize money. CPR warns people to think twice when receiving emails that sound ‘too good to be true’.
- 20% of all brand phishing attempts last quarter were related to Yahoo
- DHL (16%), Microsoft (11%), Google (5.8%) and LinkedIn (5.7%) followed
- CPR provides visual examples of brand phishing attempts recently caught, including Instagram, Microsoft and Adobe
Top 10 Most Imitated Brands
- Yahoo (20%)
- DHL (16%)
- Microsoft (11%)
- Google (5.8%)
- LinkedIn (5.7%)
- WeTransfer (5.3%)
- Netflix (4.4%)
- FedEx (2.5%)
- HSBC (2.3%)
- WhatsApp (2.2%)
What are Brand Phishing Attacks?
In a brand phishing attack, criminals try to imitate the official website of a well-known brand by using a domain name or URL and a web-page design similar to those of the genuine site. The link to the fake website can be sent to targeted individuals by email or text message, a user can be redirected to it during web browsing, or it may be triggered from a fraudulent mobile application. The fake website often contains a form intended to steal users’ credentials, payment details or other personal information.
Spotlight on Yahoo
In Q4 of 2022, 20% of all brand phishing attempts were related to Yahoo. CPR found campaigns of malicious phishing emails that used Yahoo’s branding and carried the subject “YAHOO AWARD”, sent by senders with user names such as “Award Promotion”, “Award Center”, “info winning” or “Award Winning”.
The emails distributed in the campaign informed victims that they had ‘won’ prize money worth hundreds of thousands of dollars in contests organized by Yahoo. The email then asks recipients to send their personal and bank details, claiming this information is necessary to transfer the prize money to their account. In addition, the email contains a warning that the victim must not tell people about winning the prize, because of legal issues.
Omer Dembinsky, Data Group Manager at Check Point Software, said, “Last quarter, 20% of all brand phishing attempts were related to Yahoo, placing it at the very top of the list for most imitated brands. We’re seeing hackers trying to bait people through awards and prize money to be won. If it’s too good to be true, it almost always is. In general, the technology sector was the most likely industry to be imitated by brand phishing this past quarter, followed by Shipping and Social Networks. DHL reached second position in Q4 with 16% of all brand phishing attempts, ahead of Microsoft in third place with 11%. DHL’s second position could possibly be due to the usual online buying season of Black Friday, Cyber Monday and the lure of online Christmas presents, with hackers using their name for ‘fake’ delivery notifications.
You can protect yourself from a brand phishing attack by not clicking on suspicious links or attachments and by always checking the URL of the page you’re directed to. Look for misspellings and don’t volunteer unnecessary information.”
Examples: Instagram, Microsoft, and Adobe
CPR observed a malicious phishing email that was sent from “badge@mail-ig<.>com”. The email was sent with the subject “blue badge form”, and its content tries to persuade the victim to click on a malicious link by claiming that the victim’s Instagram account has been reviewed by the Facebook team (the owner of the Instagram brand) and has been deemed eligible for the Blue Badge.
The next example is an attempt to steal a user’s Microsoft account information. The email, which was sent from the address “teamsalert_Y3NkIGpoY2pjc3dzandpM3l1ODMzM3Nuc2tlY25taXc@gmx<.>com<.>my” under the fake sender name “Teams”, contained the subject “you have been added to a new team”.
The attacker tries to lure the victim into clicking the malicious link by claiming that they have been added to a new team in the app. Choosing to Confirm the collaboration leads to the malicious website “https://u31315517<.>ct<.>sendgrid<.>net/ls/click”, which is no longer active.
The following phishing email, using Adobe’s branding, was sent from the address “grupovesica@adobe-partner<.>com”, and its subject, originally in Spanish, reads “Activate your license! Take advantage of its benefits” (originally: “¡Activa tu licencia! Aprovecha sus beneficios”). In the email the victim is encouraged to contact experts to help utilize the application license.
Clicking the link in the email (“https://adobeconciergeservices<.>com/_elink/bfgkw374wekci/bcplw9h143poj/bdpip0zrm95o3”) opens a new draft message in Outlook addressed to a foreign email address (not associated with Adobe), in which the user is expected to enter credit details and information for the “activation” of the license.
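The three emails above, and the Yahoo lure, share one checkable trait: the brand they invoke does not own the sender's domain. The following is an added example, not CPR's code, of a mail-triage check for that mismatch; the allowlist and keyword map are illustrative assumptions, and the Yahoo sender address, the Instagram body snippet and the benign control message are constructed.

```python
import re

# Assumption: illustrative allowlist of each brand's real sending domains.
BRAND_DOMAINS = {"yahoo": {"yahoo.com"}, "instagram": {"instagram.com"},
                 "microsoft": {"microsoft.com"}, "adobe": {"adobe.com"}}
# Assumption: words that imply a brand in display name, subject or body.
KEYWORDS = {"yahoo": "yahoo", "instagram": "instagram", "adobe": "adobe",
            "microsoft": "microsoft", "teams": "microsoft"}

def sender_domain(address):
    """Lower-cased sender domain, undoing the report's '<.>' defanging."""
    return address.replace("<.>", ".").rsplit("@", 1)[-1].lower()

def is_brand_domain(domain, brand):
    """True if domain is one of the brand's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d)
               for d in BRAND_DOMAINS[brand])

def brand_mismatches(msg):
    """Brands a message invokes although its sender domain is not theirs."""
    domain = sender_domain(msg["from"])
    text = " ".join((msg["name"], msg["subject"], msg["body"])).lower()
    words = set(re.findall(r"[a-z]+", text))
    # Signal 1: brand named in the text the recipient sees.
    claimed = {brand for word, brand in KEYWORDS.items() if word in words}
    # Signal 2: brand name embedded in the sender domain (look-alike).
    claimed |= {brand for brand in BRAND_DOMAINS if brand in domain}
    return sorted(b for b in claimed if not is_brand_domain(domain, b))

# Senders and subjects as quoted in the report; constructed parts are marked.
SAMPLES = [
    {"from": "badge@mail-ig<.>com", "name": "", "subject": "blue badge form",
     "body": "Your Instagram account has been reviewed"},  # body constructed
    {"from": "teamsalert_Y3NkIGpoY2pjc3dzandpM3l1ODMzM3Nuc2tlY25taXc@gmx<.>com<.>my",
     "name": "Teams", "subject": "you have been added to a new team", "body": ""},
    {"from": "grupovesica@adobe-partner<.>com", "name": "",
     "subject": "¡Activa tu licencia! Aprovecha sus beneficios", "body": ""},
    {"from": "sender@example<.>net", "name": "Award Promotion",  # address constructed
     "subject": "YAHOO AWARD", "body": ""},
    {"from": "no-reply@microsoft.com", "name": "Teams",  # constructed benign control
     "subject": "you have been added to a new team", "body": ""},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", brand_mismatches(m) or "no mismatch")
```

Keywords such as “teams” are ordinary words, so a hit is a reason to look closer at a message, not a verdict on it.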