Research Reveals Higher Credential Theft Using Spoofed Login Pages

IRONSCALES conducted a study that revealed a big increase in credential theft using spoofed webpages. In the first half of 2020, the researchers identified and analyzed fraudulent login pages that copied big brands. They identified over 50,000 bogus login pages with around 200 spoofed brands.

The login pages are built into compromised sites and various attacker-operated domains and closely imitate the real login pages the brands used. In certain instances, the attacker embeds the fake login within the email message.

The email messages used to lead naive recipients to the phony login pages employ social engineering techniques to persuade recipients to divulge their usernames and passwords. After capturing that information, the attacker uses it to sign in to the real accounts for different nefarious uses, for instance, bogus wire transfers, credit card scams, data theft, identity theft, etc.

IRONSCALES researchers discovered that the brands with the most fake login pages closely matched the brands with the most active phishing webpages. PayPal had the largest number of fake login pages (11,000). Microsoft came next with 9,500, followed by Facebook with 7,500, eBay with 3,000, and Amazon with 1,500.

Though PayPal tops the list of spoofed brands, bogus Microsoft login pages present the biggest threat to companies. If attackers steal Office 365 credentials, they can use them to gain access to corporate Office 365 email accounts that may hold a variety of highly sensitive information, and even a considerable amount of protected health information (PHI) if the accounts belong to healthcare companies.

The following brands were also frequently impersonated: Adobe, Alibaba, Aetna, AT&T, Apple, Bank of America, DocuSign, Delta Air Lines, JP Morgan Chase, Netflix, LinkedIn, Squarespace, Wells Fargo and Visa.

The most typical email recipients in these fraud campaigns are people working in the financial services, healthcare, and technology sectors, as well as government institutions.

About 5% of the fraudulent login pages were polymorphic, meaning that a single brand name had many page variants, in some cases over 300. Microsoft login pages showed the greatest degree of polymorphism, with 314 permutations. The reason behind the large number of permutations isn’t completely clear. IRONSCALES suggests it is because Microsoft and other brands actively hunt for fake login pages mimicking their brand; using many varied permutations makes it harder for both human reviewers and technical controls to identify and shut down the pages.

The emails employed in these campaigns frequently circumvent security controls and reach inboxes. Messages that contain bogus logins now routinely get past technical controls such as spam filters and secure email gateways, without the attacker spending much time, money, or resources. This happens because both the sender and the message can pass the various authentication standards, while gateway controls hunt for malicious payloads or known signatures, which are usually absent from these kinds of messages.

Though the bogus login pages differ somewhat from the genuine pages they spoof, they are still convincing and frequently successful once a user reaches the page. IRONSCALES attributes this to “inattentional blindness”, where people fail to notice an unexpected change that is in plain view.