Cofense Report Reveals Surge in Credential Phishing and Malware Threats During Q3 2023

In Q3 of 2023, cybersecurity researchers at Cofense noted a surge in phishing campaigns, with both credential phishing and malware attacks on the rise. Credential phishing indicators of compromise (IOCs) increased by almost 45% in Q3 compared to the previous quarter and surged by 85% from the same period in 2022. This significant increase may be attributed to the growing use of Google AMP in phishing campaigns and the rising popularity of QR codes embedded in images and PDFs within phishing emails.

PDFs remained the most favored phishing email attachment, accounting for nearly half of all malicious file extensions seen in email campaigns during the quarter. Notably, the infamous malware families QakBot and Emotet remained dormant throughout Q3, possibly due to law enforcement actions. The absence of these threats may pave the way for new botnets to emerge.

Additionally, Q3 saw an uptick in reconnaissance and utility tool malware, such as Browser Password Dump Utility and Email Password Dump Utility, making them the fifth most prevalent malware type of the quarter. Agent Tesla, a keylogger, retained its position as the most widespread malware family in Q3, contributing to keyloggers becoming the top malware type. Other prevalent malware families included FormBook, Loki Bot, Remcos RAT, and Banload, a banker targeting Brazilian users.

In terms of delivery mechanisms, PDF droppers and the CVE-2017-11882 exploit saw consistent usage in Q3, while the CVE-2017-0199 exploit, often coupled with CVE-2017-11882, also gained traction. Microsoft HTML Application emerged as a notable delivery mechanism, likely connected to the Banload campaign.

Analysis of domain names and top-level domains (TLDs) used in credential phishing revealed that several trusted cloud platforms, including Google, LinkedIn, and Dropbox, were frequently abused by threat actors. Bing.com experienced a substantial increase in use as a redirection domain for credential phishing.

Overall, Q3 2023 witnessed a surge in phishing campaigns, highlighting the evolving tactics of cyber threat actors and the need for enhanced cybersecurity measures to combat these threats effectively.

