The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of phishing kits from around the world and recently discovered a few notable trends, including what data these kits targeted the most, and what brands were the most exploited.

Phishing kit durations, victims and data targeted

Phishing kit deployment durations—how long the attack was active before getting taken down by hosting services or the attacker that deployed the kit—are down slightly, while the median number of victims impacted has risen significantly in the past three years.

Half of the deployments lasted less than 3.2 days in 2023, which is a small drop from 3.7 days in 2022. A lower deployment duration might indicate a faster detection rate of these phishing attacks at different levels such as emails blocked by an email service provider, a server shutdown by a hosting service or a URL blocked by a browser. However, the duration of a phishing kit deployment should not be confused with the lifespan of a phishing campaign, which can last for weeks or months. Why?  Because a “phishing kit” can be redeployed over and over again on different servers. While every deployment may last only a few days, attackers typically launch many deployments over the lifespan of a single phishing campaign.

In 2023, half of all reported phishing kit deployments impacted fewer than 160 potential victims, showing an increase from the previous year (93 potential victims in 2022) and the year before that (75 in 2021). The significance here is that more potential victims could equate to more successful compromises. We anticipate this number to continue to rise, especially as attackers potentially employ AI to sift through stolen data to identify additional potential victims.

In terms of categories of data targeted in each kit, only credit card data was sought in a higher percentage of kits in 2023 relative to the previous year. The top three categories of data sought by phishing kits analyzed were the same as in 2022—names (85% of kits), emails (66%) and addresses (62%). Landing in fourth place, passwords were sought in half the kits. With the use of valid credentials observed in a third of cases that X-Force responded to last year, it is no surprise to see emails and passwords high on the list of data that was targeted by phishing kits.

Figure 1: Demand of categories of data sought in 2022 vs 2023.

Top spoofed brands: Information technology industry dominates top 10, financial services second-most targeted overall

X-Force has looked at phishing kit telemetry for the top spoofed brands for the past three years. Cyber criminals often leverage phishing kits to create fraudulent web pages of well-known brands to lure victims into giving up their sensitive information. Last year saw a mild shake-up in the top spoofed brands, with new companies that were not among the top 10 in either 2022 or 2021. Not only are Telegram and Visa new to the top 10 in 2023, but they also out-ranked some of the top brands from previous years, including Microsoft and Apple. Mastercard is also new to the top 10 in 2023. Google was the most spoofed brand in 2023 after Microsoft took the top spot in the two years prior.

Top 10 spoofed brands: 2021-2023

In more than half of all kits, information technology was the most spoofed industry in 2023. Most of the top brands observed being spoofed include some of the biggest names in the information industry or the brands of the software or technology they provide. But the finance and insurance industry was the second most spoofed, in just over 20% of phishing kits. Notably, many spoofed domains targeted credit card issuers or banks, while a few spoofed cryptocurrency exchange platforms. Phishing kits also frequently targeted brands like DHL, FedEx and the U.S. Postal Service in the transportation, warehousing and delivery industry.

Figure 2: Spoofed brands targeted by phishing kits listed by industry and percentage of demand.

Phishing is down, but not gone

Although phishing was down 44% from 2022 to 2023, according to analysis found in the most recent X-Force Threat Intelligence Index, phishing remains one of the top methods attackers are using to compromise environments, tied for first with abuse of valid accounts at 30% of incidents. Therefore, it’s important for organizations to continue to assess their phishing detection methods and user awareness training – especially with the prevalence of AI and the expectancy that attackers will leverage this technology to generate more deceptive phishes. Below are our recommendations for mitigating phishing:

• Ensure existing security awareness training covers how to identify current phishing campaigns, including the use of Adversary-in-the-Middle (AitM) phishing pages and the use of QR codes.
• Develop best practices for employees to report any suspicious emails and text messages.
• Require employees to verify any request for personal or sensitive information by contacting the sender or visiting the sender’s legitimate site directly, rather than clicking links in the email.
• Employ solutions that analyze network behavior and network flows to determine whether there are any phishing attempts.
• Use web filters that prevent users from visiting known malicious websites (blocklist sites) and display alerts whenever users visit suspected malicious or fake websites.