Getty Images/iStockphoto

Credential Theft Via Spoofed Login Pages Increase, Healthcare Top Target

Hackers are drastically increasing credential theft attempts through social engineering and spoofed login pages, and healthcare recipients are the biggest target, IRONSCALES finds.

A new IRONSCALES report found a drastic increase in successful credential theft attempts sent through spoofed login pages and social engineering attacks during the first half of 2020. And the most common recipients targeted with these attacks were those in the healthcare sector. 

Researchers identified and analyzed fake login pages sent during the first half of the year, which are commonly used in support of spear-phishing campaigns and other hacks. In total, they identified more than 50,000 fake login pages, which spoofed login pages from over 200 prominent global brands. 

Outside of healthcare, other leading recipients were those in financial services, government agencies, and technology industries. 

"The “growing cyber threat of fake login pages... [are] nefarious, yet often highly realistic looking pages [and] now a common tactic deployed by attackers seeking to obtain a person’s login credentials to a legitimate website, such as a bank, email client, or social media site, among many other popular services,” researchers explained. 

“The operation, commonly known as credential theft, is simple: target unsuspecting recipients with an email spoofing a trusted brand and persuade them via social engineering to insert their legitimate credentials, such as a username and password, into a fake login page either embedded within the body of an email or built into a phishing website,” they added. 

Once the victim has inputted their credentials, the hacker harvests the data to log into real accounts and commence further illegal activities. 

Just this week, the FBI and the Department of Homeland Security warned hackers were using voice phishing, or vishing, campaigns to build trust with victims, later duping them into logging into malicious websites made to appear as their employer’s webpages. 

Previous campaigns have spoofed ZoomGoogle, and Microsoft Office 365 executive accounts, among others. 

The IRONSCALES report found the top five brands with the most fake login pages are nearly identical to those that frequently have the most active phishing websites. 

PayPal was the leading brand with 11,000 fake login pages, or 22 percent, closely followed by Microsoft with 9,500, or 19 percent and Facebook with 7,500, or 15 percent. eBay was listed in fourth with 3,000 pages, or 6 percent, with Amazon in last, with 1,500 pages, or 3 percent. 

Other top brands with spoofed login pages included Aetna, Wells Fargo, Adobe, Apple, Tesco, and JP Morgan Chase, along with a host of others. 

“Although PayPal sits atop the list, the greatest risk may derive from the 9,500 Microsoft spoofs, as malicious Office 365, SharePoint and One Drive login pages put not just people but entire businesses a risk,” researchers warned. 

The researchers said it’s believed fake login pages are successful for two reasons. To start, malicious phishing emails containing spoofed logins often bypass technical controls like secure email gateways and SPAM filters, without requiring much investment in time, funds, or resources by the hacker. 

Secondly, the attack's success may be due to what is known as inattentional blindness – or when an individual does not perceive the unexpected change hiding in plain sight. 

“Inattentional blindness became an internet sensation in 2012 when a video posted asking viewers how many white shirted players passed a ball. Intently focused on the task at hand, more than 50 percent of the viewers failed to recognize a woman in a gorilla suit in the middle of the picture,” researchers wrote. “Even people with phishing awareness training are susceptible to inattentional blindness.” 

Notably, about 5 percent of these attacks leveraging fake login pages were polymorphic in nature, where a hacker implements “light but significant and often random change to an emails’ artifacts, such as its content, copy, subject line, sender name or template in conjunction with or after an initial attack has deployed.” 

An earlier IRONSCALES report showed 42 percent of phishing attacks are polymorphic. The technique allows for the quick development of phishing attacks able to dupe signature-based email security tools that aren’t designed to recognize the modifications. As a result, a targeted victim could receive different versions of the same attack in their email account without being detected.  

About 24 percent of the attacks spoofing Microsoft were polymorphic, with 314 permutations, followed by Facebook with 13 percent of permutation attacks or 160 permutations in total. 

“While we cannot say for certain why these brands’ have more permutations than others, we can make an educated guess that this occurred for one of two reasons: The security teams associated with these brands are actively looking to take down fake login pages, so attackers are forced to more frequently evolve the attack ever so slightly so to defeat human and technical controls,” researchers mused. 

“These brands are a priority and or easy target for a certain hacking group(s), so there is more activity and therefore a need to constantly evolve in order to stay one step ahead of security teams,” they added.

Microsoft has previously shared spear-phishing insights, which may help healthcare organizations better understand how these attacks work and mitigation techniques to harden enterprise defenses.

Next Steps

Dig Deeper on Cybersecurity strategies