The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of phishing kits from around the world and recently discovered a few notable trends, including what data these kits targeted the most, and what brands were the most exploited.

Phishing kit durations, victims and data targeted

Phishing kit deployment durations—how long the attack was active before getting taken down by hosting services or the attacker that deployed the kit—are down slightly, while the median number of victims impacted has risen significantly in the past three years.

Half of the deployments lasted less than 3.2 days in 2023, which is a small drop from 3.7 days in 2022. A lower deployment duration might indicate a faster detection rate of these phishing attacks at different levels such as emails blocked by an email service provider, a server shutdown by a hosting service or a URL blocked by a browser. However, the duration of a phishing kit deployment should not be confused with the lifespan of a phishing campaign, which can last for weeks or months. Why? Because a “phishing kit” can be redeployed over and over again on different servers. While every deployment may last only a few days, attackers typically launch many deployments over the lifespan of a single phishing campaign.

In 2023, half of all reported phishing kit deployments impacted fewer than 160 potential victims, showing an increase from the previous year (93 potential victims in 2022) and the year before that (75 in 2021). The significance here is that more potential victims could equate to more successful compromises. We anticipate this number to continue to rise, especially as attackers potentially employ AI to sift through stolen data to identify additional potential victims.

In terms of categories of data targeted in each kit, only credit card data was sought in a higher percentage of kits in 2023 relative to the previous year. The top three categories of data sought by phishing kits analyzed were the same as in 2022—names (85% of kits), emails (66%) and addresses (62%). Landing in fourth place, passwords were sought in half the kits. With the use of valid credentials observed in a third of cases that X-Force responded to last year, it is no surprise to see emails and passwords high on the list of data that was targeted by phishing kits.

Figure 1: Demand of categories of data sought in 2022 vs 2023.


Top spoofed brands: Information technology industry dominates top 10, financial services second-most targeted overall

X-Force has looked at phishing kit telemetry for the top spoofed brands for the past three years. Cyber criminals often leverage phishing kits to create fraudulent web pages of well-known brands to lure victims into giving up their sensitive information. Last year saw a mild shake-up in the top spoofed brands, with new companies that were not among the top 10 in either 2022 or 2021. Not only are Telegram and Visa new to the top 10 in 2023, but they also out-ranked some of the top brands from previous years, including Microsoft and Apple. Mastercard is also new to the top 10 in 2023. Google was the most spoofed brand in 2023 after Microsoft took the top spot in the two years prior.

Top 10 spoofed brands: 2021-2023

| Rank | 2023       | 2022      | 2021            |
|------|------------|-----------|-----------------|
| 1    | Google     | Microsoft | Microsoft       |
| 2    | Telegram   | Google    | Apple           |
| 3    | Microsoft  | Yahoo     | Google          |
| 4    | Visa       | Facebook  | BMO Harris Bank |
| 5    | Apple      | Outlook   | Chase           |
| 6    | Facebook   | Apple     | Amazon          |
| 7    | Yahoo      | Adobe     | Dropbox         |
| 8    | Outlook    | AOL       | DHL             |
| 9    | PayPal     | PayPal    | CNN             |
| 10   | Mastercard | Office365 | Hotmail         |

In more than half of all kits, information technology was the most spoofed industry in 2023. Most of the top brands observed being spoofed include some of the biggest names in the information industry or the brands of the software or technology they provide. But the finance and insurance industry was the second most spoofed, in just over 20% of phishing kits. Notably, many spoofed domains targeted credit card issuers or banks, while a few spoofed cryptocurrency exchange platforms. Phishing kits also frequently targeted brands like DHL, FedEx and the U.S. Postal Service in the transportation, warehousing and delivery industry.

Figure 2: Spoofed brands targeted by phishing kits listed by industry and percentage of demand.

Phishing is down, but not gone

Although phishing was down 44% from 2022 to 2023, according to analysis found in the most recent X-Force Threat Intelligence Index, phishing remains one of the top methods attackers are using to compromise environments, tied for first with abuse of valid accounts at 30% of incidents. Therefore, it’s important for organizations to continue to assess their phishing detection methods and user awareness training – especially with the prevalence of AI and the expectancy that attackers will leverage this technology to generate more deceptive phishes. Below are our recommendations for mitigating phishing:

  • Ensure existing security awareness training covers how to identify current phishing campaigns, including the use of Adversary-in-the-Middle (AitM) phishing pages and the use of QR codes.
  • Develop best practices for employees to report any suspicious emails and text messages.
  • Require employees to verify any request for personal or sensitive information by contacting the sender or visiting the sender’s legitimate site directly, rather than clicking links in the email.
  • Employ solutions that analyze network behavior and network flows to determine whether there are any phishing attempts.
  • Use web filters that prevent users from visiting known malicious websites (blocklist sites) and display alerts whenever users visit suspected malicious or fake websites.
