Phishing websites, also known as spoofed websites, are a very common deception tactic that attackers now rely on to obtain a person’s login credentials to a legitimate website. The operation includes: send unsuspecting recipients an email spoofing a trusted brand and persuade them to click on a link that subsequently takes them to a login page where they will be asked to enter their username and password. Once completed, attackers have the information they need to login to a real account and commence with illegal activity, such as credit card fraud, data extraction, wire transfers and more.

While such fraudulent URLs aren’t new, the prevalence and sophistication have increased exponentially. In fact, a recent report by Webroot Security identified nearly a 400% increase in new phishing websites, equating to ~1.5 million coming online per month. This is an incredible number when considering phishing websites only stay active for 4-8 hours on average.

Attackers have turned to phishing websites, most commonly as a means to impersonate the world’s most popular brands, as gateway-level email security and anti-phishing tools have gotten smarter and more efficient at detecting emails with traditional malicious payloads, such as links that deliver automated malware downloads, and malicious attachments. Phishing websites are especially problematic for companies that rely on rules-based email security such as secure email gateways (SEGs), multi AV scanners and sandboxing solutions, as such tools and solutions lack visual anomaly detection capabilities required to assess a fake login page from a legit login page in real-time.

Analyzing 25,000 emails for links to phishing websites

To learn more about the prevalence of phishing websites, IRONSCALES analysts reviewed 25,000 emails in Q3 with verified malicious links and attachments. The 25,000 emails studied had either bypassed a secure email gateway or cloud email security tool, such as Office 365 Advanced Threat Protection (ATP).

In total, they found that 23% (5,750) of the 25,000 malicious emails included links to active phishing websites. This represents a 5% increase when compared to the previous 90-day period. Of that, the top five most spoofed websites they discovered were:

  • Microsoft (37%)
  • PayPal (25%)
  • HSBC Holdings (8%)
  • Adobe (5%)
  • Wells Fargo (3%)
  • Other (22%)

Why people struggle to identify visual similarities in phishing websites

Of the 5,750 phishing websites identified, each had a visual or verbal anomaly or flaw that wasn’t recognized by technology, such as blurred or resized images or an undue sense of urgency. This is because the closer the page looks to the real one, the easier advanced anti-phishing technology can detect that it’s a fake. Thus, attackers are constantly trying and make phishing websites different enough to defeat technical email controls but similar enough that a human would think it’s legit.

  • Specifically, they identified five categories to which each phishing website fell into. This included:
  • Blurred (45%) – When an image appears blurry and out of focus.
  • Resized – (25%) – When an image is appears stretched or elongated.
  • Creative – (15%)- When an attacker tries to make a connection through design.
  • Retro – (10%) When an image or copy uses outdated branding and messaging .
  • Sense of Urgency (5%) – When copy contains uncommon immediacy in copy and calls to action.

Thanks to inattentional blindness, most people do not immediately see these visual similarity clues, wrongly assuming the spoofed login page as legitimate and entering their credentials which unbeknown to them are about to be used in a cyberattack.

Can you spot the difference? Examples of fake Office 365 login pages captured by IRONSCALES’ visual similarity detection.

Resize: Users are expecting the login box and they are focused on it, not noticing the background – this is exactly what the attacker is relying on since they can change it slightly to evade visual similarity detection.

You’ve made it this far. Join thousands of your peers! Subscribe to our blog. Subscribe I consent to have IRONSCALES store my submitted information and sending me future communications on phishing threats and solutions

Blur: Blurring the background (user is focused on login) Blurring the background helps evade visual similarity detection.

Creative: Attacker leverages creativity to bypass visual similarity detection and the user. User thinks Office 365 has a design update, bypassing both user and visual similarity detection.

Retro: Attackers assume we don’t keep outdated profiles. These try to catch the user off guard as they may not pay attention to the retro landing page. Site created with Wix.

Sense of urgency: Trying to pressure the user into a timely action. Deviating from the original enough to evade detection.

The real Office 365 login page:

For more information on getting started with IRONSCALES’ email phishing, contact MessageOps at 877-788-1617 or email [email protected]

Was this article helpful?