In early August 2023, the UK Electoral Commission disclosed a massive data breach exposing personal information collected over the course of eight years, with anyone who registered to vote in the UK between 2014 and 2022 affected, says Yuval Pe’er, chief cyber threat intel analyst (Israel), BlueVoyant.
The Electoral Commission says the exposed voter information included personal data contained in their email system such as full name, email and home addresses, telephone numbers, and more. Such exposed information, particularly phone numbers and email addresses, can be incredibly valuable for threat actors to use in targeted phishing attacks. Subsequently, the Commission has warned all UK voters to look out for targeted phishing emails attempting to gather further sensitive information, such as passwords, account numbers, or financial information.
The oldest trick in the security playbook
Today, phishing is one of the oldest as well as one of the most common types of cyberattack, with an estimated 135 million phishing emails sent every day worldwide. Traditionally, phishing websites exclusively target users of one organisation, whether they be employees or customers. These websites tend to follow a similar pattern: attackers deploy a phishing kit to create a near-identical, or convincing enough, spoofed website of a corporate brand, using a lookalike domain to further a sense of legitimacy.
While phishing scammers use different distribution methods to lure in unsuspecting victims, such as phishing emails with links to their sites or links posted on social media platforms, the end goal is always the same: tricking a user into entering their login credentials, payment card information, or other personally identifiable information (PII). Later on, the threat actor collects these credentials and either sells them or uses them to defraud the victim, for example by convincing the recipient to transfer money, share further sensitive personal information, enter login or credit card details on a fake site, or download malware by clicking on a link or an attachment.
Ever-more deceptive methods are being used
Over the years, threat actors have started to deploy ever-more deceptive methods, finding new ways to carry out increasingly sophisticated attacks that circumvent the various cyber defence protocols security teams have in place. To this point, in the first half of 2023, our expert cyber threat analysts started investigating one such tactic that they first identified in 2020, but that has now dramatically increased in volume: third-party phishing.
The scale, complexity, and successful deployment of advanced evasion mechanisms make this phishing technique far more efficient and effective than traditional standalone phishing sites. Third-party phishing targets hundreds of global financial institutions using intermediary sites that redirect victims to a phishing site impersonating a brand they trust. By impersonating an ostensibly unrelated brand, threat actors can better evade detection, while collecting credentials and PII from customers of a wider array of companies.
Over the past year, BlueVoyant has witnessed a major increase in the number of phishing sites originating in third-party phishing campaigns. One major European client saw an increase from just 2% of all detected phishing attacks in 2022 to 21% in 2023.
Casting the net wider to catch more fish
Third-party phishing adds a new wrinkle to the oldest trick in the book. Having intermediary sites directing victims to various different phishing sites provides two benefits to attackers: it allows them to cast a wider net and catch more fish, and it provides another degree of separation between them and threat hunters who may be on their trail.
This means that organisations now need to monitor not only for cyber threat activity targeting their own domains, but also for third-party phishing attempts that use an intermediary to direct traffic to a different phishing page. That page is sometimes hosted on the same domain as the intermediary site and may be harder to detect on its own. The increased risk associated with one website acting as a gateway to dozens of financial institutions is substantial, and security teams will need to increase their efforts to find third-party phishing sites that could be targeting them and many of their peers.
We regularly track large scale third-party phishing campaigns from different geographies around the world, and we alert both the intermediary brands and the destination brands on these and remediate active threats on their behalf.
Taking action: four key steps
Below are four key steps your organisation can take to help mitigate the risk of third-party phishing:
- Monitor for lookalike domains and illicit use of corporate brand assets across the web to identify potential phishing sites.
- Educate clients and employees on third-party phishing and encourage them to closely inspect any URL they click on for pages that require credentials or PII to be entered.
- Remediate malicious domains using third-party phishing quickly to mitigate risk and potentially thwart large-scale attacks.
- Work with an end-to-end Digital Risk Protection vendor to proactively detect third-party phishing campaigns, receive validated alerts, and take down the threats rapidly.
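The intermediary-to-destination redirect described above, and the lookalike-domain monitoring in step one, can be combined into a simple triage check. The following is an added example, not code from the original article or from BlueVoyant; the brand watch-list, the homoglyph table and the redirect chains are all constructed for illustration.

```python
# Added example (not part of the original article or BlueVoyant's tooling):
# classify observed redirect chains to spot third-party phishing.
import re
from urllib.parse import urlparse

# Constructed watch-list: brand token -> the brand's legitimate registrable domain.
MONITORED_BRANDS = {"examplebank": "examplebank.example",
                    "trustcard": "trustcard.example"}

# Common digit-for-letter swaps seen in lookalike domains; undo them before matching.
_HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "4": "a", "7": "t"})

def registrable_domain(url):
    """Return the last two host labels, e.g. 'examp1ebank-secure.example'."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def impersonated_brand(url):
    """Return the monitored brand this URL impersonates, or None.
    Checks both the host (lookalike domain) and the path (brand page hosted
    on an unrelated domain, as on a same-domain intermediary)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    haystack = (host + "/" + parsed.path.lower()).translate(_HOMOGLYPHS)
    haystack = re.sub(r"[-_]", "", haystack)
    owner = registrable_domain(url)
    for brand, legit in MONITORED_BRANDS.items():
        if owner == legit:
            continue  # the brand's own site is not an impersonation
        if brand in haystack:
            return brand
    return None

def classify_chain(chain):
    """chain: URLs from the first (intermediary) page to the final page.
    Returns (verdict, impersonated brand or None)."""
    first, last = chain[0], chain[-1]
    brand = impersonated_brand(last)
    if brand is None:
        return ("benign", None)
    if impersonated_brand(first) == brand:
        return ("direct-phishing", brand)  # lookalike from the very first hop
    if registrable_domain(first) == registrable_domain(last):
        return ("third-party-same-domain", brand)  # gateway and phish share a domain
    return ("third-party-redirect", brand)  # unrelated intermediary forwards to the phish

# Constructed sample chains (no real sites).
CONSTRUCTED_CHAINS = [
    ["https://cheap-deals-offer.example/win", "https://examp1ebank-secure.example/verify"],
    ["https://promo-site.example/", "https://promo-site.example/secure/examplebank/"],
    ["https://examplebank.example/", "https://examplebank.example/login"],
    ["https://trustcard-login.example/", "https://trustcard-login.example/account"],
]
```

Running `classify_chain` over each entry of `CONSTRUCTED_CHAINS` labels the first two as third-party phishing (redirect and same-domain variants), the third as benign and the fourth as direct phishing; in practice the chains would come from a redirect-following crawler fed with domains found by lookalike monitoring.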
Picking up on step two, for individuals and employees keen to ensure that they spot a phishing email, our advice includes:
- If an offer looks too good to be true it probably is
- Watch out for unusual or lookalike email addresses
- If a recognised contact asks you to do something unusual, like pay an invoice or transfer money, be sure to verify with them through a different channel, e.g. by phone
- Be vigilant for bad spelling and/or formatting, which is becoming harder to spot as threat actors use AI tools like ChatGPT to write phishing emails
- If you are unexpectedly asked to supply sensitive or financial information, be suspicious
- If a hyperlink redirects you to an unexpected site, close the site immediately
- If the email contains urgent language, especially if the reason is vague, be suspicious
Phishing attacks will continue to become more sophisticated as threat actors look for ways to avoid threat hunters. Being vigilant and alert to the schemes attackers have cooked up to carry out third-party phishing campaigns, as well as adopting best practices for defending against this type of attack, which users may not recognise even if they are security-savvy, is paramount to avoid becoming the latest victim of a data breach.
Anyone interested in learning more about third-party phishing attacks, please download our latest report here.
The author is Yuval Pe’er, chief cyber threat intel analyst (Israel), BlueVoyant.