Social engineering news review

1. Cybercrime statistics continue to rise at an alarming rate
ThreatLabZ's 2023 Phishing Report confirms that organisations need to be more vigilant than ever when it comes to protecting themselves and their customers from phishing scams, as cybercriminals become increasingly active.

In 2022, the number of phishing attacks increased by almost 50 per cent compared to 2021. And in the past year, the number of phishing attacks has increased by a staggering 472%!

The report also shows that the US, UK, Netherlands, Canada and Russia are among the top five most targeted countries, with Microsoft, Binance, Netflix, Facebook and Adobe being the biggest targets.

Cybercriminals are effectively using the latest technologies, artificial intelligence tools such as ChatGPT and phishing kits to lower technical barriers, save time and resources and increase the scale of attacks.

As cybercriminals continue to use a variety of tactics to lure victims, it is critical for organisations to adopt a layered approach to security.

Today's defences are automated and we rely on them, but they cannot provide complete protection. 74% of information security incidents are due to human error (Verizon report).

The conclusion is clear: regularly check employee awareness, educate and train!

2. New QakBot Phishing Campaign Discovered After Botnet Takedown
Months after an international law enforcement operation dismantled the notorious QakBot botnet, a new phishing campaign distributing the same malicious payload has been discovered.

QakBot (also known as “QBot,” “QuackBot” and “Pinkslipbot”) was one of the most deployed malware loaders in 2023 until an FBI-led takedown in August took the operation offline and untethered 700,000 compromised machines from the botnet.

In a Dec. 15 post on X (previously Twitter), Microsoft’s Threat Intelligence team said they had identified a new QakBot phishing campaign.

“The campaign began on December 11, was low in volume, and targeted the hospitality industry,” the researchers said.

Targets of the new campaign received an email purporting to be from a U.S. Internal Revenue Service (IRS) employee. The email included a PDF attachment containing a URL that downloaded a digitally signed Windows Installer (.MSI) file.

If victims executed the MSI file, it launched QakBot malware. The payload was configured with a previously unseen version of the malware, 0x500, the Microsoft researchers said.
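A defender-side correlation for the delivery chain described above (PDF attachment, link, downloaded MSI, msiexec), written as an added example rather than anything from the article or from Microsoft; the process names, paths and timestamps are constructed telemetry, and the PDF-reader and browser name sets are assumptions to adjust per fleet:

```python
# Added example, not from the article: flag msiexec running an .msi that a
# browser downloaded shortly after a PDF reader opened an attachment.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str    # "download" (file written by a browser) or "exec" (process start)
    image: str   # process that produced the event
    detail: str  # downloaded path, or command line for "exec"

# Assumed process names; extend to match the readers and browsers in use.
PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def msi_chain_alerts(events, window=timedelta(minutes=15)):
    """Return (command line, lured) tuples: msiexec ran an .msi a browser had
    downloaded within `window`; `lured` is True when a PDF reader started in
    the window before the download. A valid Authenticode signature does not
    clear the installer: the campaign's MSI was digitally signed."""
    secs = window.total_seconds()
    downloads = [e for e in events if e.kind == "download"
                 and e.image.lower() in BROWSERS
                 and e.detail.lower().endswith(".msi")]
    pdf_opens = [e for e in events if e.kind == "exec"
                 and e.image.lower() in PDF_READERS]
    alerts = []
    for ex in events:
        if ex.kind != "exec" or ex.image.lower() != "msiexec.exe":
            continue
        for dl in downloads:
            if dl.detail.lower() in ex.detail.lower() \
                    and 0 <= (ex.ts - dl.ts).total_seconds() <= secs:
                lured = any(0 <= (dl.ts - p.ts).total_seconds() <= secs
                            for p in pdf_opens)
                alerts.append((ex.detail, lured))
    return alerts

# Constructed sample telemetry (made-up paths and times, not real indicators).
T = datetime(2023, 12, 11, 9, 0, 0)
SAMPLE = [
    Event(T, "exec", "AcroRd32.exe", r"AcroRd32.exe C:\Users\alice\Temp\IRS_notice.pdf"),
    Event(T + timedelta(seconds=40), "download", "chrome.exe", r"C:\Users\alice\Downloads\irs_form.msi"),
    Event(T + timedelta(seconds=75), "exec", "msiexec.exe", r"msiexec.exe /i C:\Users\alice\Downloads\irs_form.msi"),
    Event(T + timedelta(hours=3), "download", "chrome.exe", r"C:\Users\alice\Downloads\tool.msi"),
    Event(T + timedelta(hours=3, minutes=2), "exec", "msiexec.exe", r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi"),
]

if __name__ == "__main__":
    for cmd, lured in msi_chain_alerts(SAMPLE):
        print(("LURED  " if lured else "REVIEW ") + cmd)
```

The second pair in the sample is reported without the lure flag, which is the case a triage queue would usually downrank rather than page on.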

While the unique versioning suggested updates may have been introduced over the past few months, another researcher said on X: “All in all, this new Qbot version feels basically the same as the old stuff just with some minor tweaks.”

As well as dismantling the botnet in August – in what was dubbed “Operation Duck Hunt” – authorities also seized infrastructure and $8.6 million in cryptocurrency belonging to the gang responsible for QakBot.

While taking out such a major botnet that had taken years to build was considered a significant victory, researchers warned at the time that because arrests were not made, there was a possibility the threat actors responsible for QakBot could regroup.

In October, Cisco Talos said it believed the same gang had been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails in the weeks prior to the QakBot takedown. Talos researchers said while the August raid took down the group’s command-and-control servers, it had not impacted their spam delivery infrastructure.

QakBot was first observed in 2008 and has been regularly updated over the years. Once it has compromised a victim’s computer, the malware can deliver additional malicious payloads, including ransomware, to the infected system.
It has been used as an initial means of infection by several ransomware groups including Conti and Black Basta.

QakBot was leveraged in the 2021 attack against meat processor JBS, which disrupted its production facilities and forced an $11 million ransom payment. To untether the 700,000 compromised computers from the botnet in August, the FBI redirected QakBot traffic to and through servers controlled by the agency. The infected machines – located in the U.S. and around the world – were then instructed to download a file created by law enforcement that uninstalled the malware.

3. Protect your Business from Email Phishing Attacks
Business email phishing (BEC) attacks continue to evolve with more sophisticated targeting and social engineering. These attacks are wreaking havoc on businesses around the world, costing more than $50 billion in the last 10 years alone.

Email is the most widely used business application. Its use provides attackers with an entry point and access to large amounts of business information, personal data, financial data and other sensitive material that is valuable to attackers.

By gaining access to a single email account, an attacker can impact a wide range of internal systems. Phishing attacks are relevant in both the public and private sectors, and in addition to the financial impact, they can also damage a company's reputation.

Cloudflare recently released its report on phishing threats in 2023. There are three key findings from this report:

1. Attackers are increasingly using links as a primary phishing tactic, and are using increasingly sophisticated methods to get you to click on these links.
2. Scammers are adept at impersonating different people and can easily bypass standard email authentication methods.
3. Attackers can impersonate hundreds of different organisations, but most often they pretend to be organisations we trust.

So friends, we encourage you to raise awareness within your organisation. Try our courses - they are simple and easy for any employee to understand.