Akamai: Cybercriminals Use Enterprise-Based Strategies for Phishing


Cybercriminals are developing custom tools to target tech brands and victimize their users, using enterprise-based deployment strategies, including phishing as a service (PaaS), according to a new report from Akamai.

More than 42% of domains observed targeted just four companies: Microsoft, PayPal, DHL, and Dropbox, according to Akamai’s “2019 State of the Internet / Security Phishing: Baiting the Hook” report, which detailed that phishing has become more than just an email-based threat, expanding to include social media and mobile devices.

“Phishing is a long-term problem that we expect will have adversaries continuously going after consumers and businesses alike until personalized awareness training programs and layered defense techniques are put in place,” said Martin McKeay, editorial director of the report.

Cybercriminals are targeting top brands and their users via highly-organized and sophisticated phishing kit operations, with the report finding 6,035 domains and 120 kit variations used against tech companies during the reporting period. E-commerce (1,979 domains, 19 kit variants) and media (650 domains, 19 kit variants) also saw heavy attacks.

The report says that phishing defenses have been forcing cybercriminals to change their operations, in order to remain undetected for as long as possible, with 60% of phishing kits observed active for 20 days or less. “This short lifespan is likely why criminals continue to develop new evasion methods to keep their kits undetected,” Akamai said in a statement.

Akamai’s report also detailed a research project by a phishing-kit developer who offered three types of kits with advanced evasion techniques, design and geo-targeting options. Low prices and top-tier brand targets in the kits create attractive, low-barrier entries into the phishing market.

“As the phishing landscape continues to evolve, more techniques such as BEC attacks will develop, threatening a variety of industries across the globe,” McKeay said. “The style of phishing attacks is not one size fits all; therefore, companies will need to do due diligence to stay ahead of business-minded criminals looking to abuse their trust.”