Phishing Campaigns Became a Lot More Sinister in 2024

The growing variety of threats targeting people and companies.

\ Phishing is one of the most prevalent and damaging threats, accounting for almost a third of all cyberattacks last year. In the second half of 2024, phishing attacks surged by 202% with users receiving at least one advanced phishing message capable of evading security defenses per week. Below are some noteworthy 2024 examples that illustrate how phishing threats have grown and evolved in complexity. Organizations should closely examine these examples to prepare their defenses for 2025.

\

1. Accelerated Mobile Page Obfuscation Leveraged For Phishing

\ Google originally developed AMP URLs to boost user experience and performance of content-heavy website pages. Threat actors are now exploiting this functionality to mask malicious URLs and evade email security defenses. By employing legitimate domains and adding multiple layers of redirections in these URLs, attackers can conceal the true destination of the URLs and slip past URL scanners undetected because these security tools are only designed to verify the reputation of visible domains. Attackers know that users tend to hover on URL links before clicking them and therefore this obfuscation method helps them deceive the user into thinking that they are clicking on a URL from a trusted domain.

\

2. YouTubers Targeted With Phishing Attacks

\ Most cyberattacks are financially motivated. It’s therefore not surprising to see cyber criminals targeting affluent YouTube influencers. According to a report by CloudSEK, threat actors are contacting YouTubers on the pretext of brand promotion requests or collaboration deals. They impersonate trusted brands and deliver malware-spiked files that are disguised as contracts or promotional material, hosting them on cloud platforms like OneDrive. When such malicious attachments are downloaded and opened on the victim’s machine, the malware installs itself and steals sensitive data such as financial information, intellectual property and login credentials.

\

3. Phishers Ramp Up BEC Attacks Against Retailers

\ Some sources claim 3.4 billion phishing emails are sent out daily. Business email compromise (BEC) attacks cost businesses almost $5 million per incident. In one such incident, the Pepco group’s Hungarian business unit was targeted by a BEC campaign where attackers impersonated a senior executive by forging their email address. The email contained convincing language that prompted the recipient to transfer €15.5 million without verifying the sender’s authority. Although BEC attacks can affect any business regardless of its size, revenue or industry, studies show that higher-revenue organizations are at a greater risk of BEC attacks than lower-revenue businesses. The prevalence of BEC attacks is the highestin the retail trade. \n

4. AI Obituary Scams On The Rise

\ Researchers at Secureworks stumbled upon a social engineering scam that targets individuals searching for information about recently deceased people. The scam involves publishing fake obituary notices on fraudulent websites and using SEO poisoning techniques to drive traffic to these sites. Attackers use AI technology to fabricate a lengthy tribute from facts extracted from a shorter tribute. The objective being to redirect users to malicious sites where they are exposed to adware, infostealers, and other malicious programs.

\

5. Hijacked Attachments In Invoice Email Threads

\ Researchers at IBM detected a new kind of phishing attack impacting financial, technology, manufacturing, media, and e-commerce organizations across Europe. The attack begins with bad actors sending real invoice notifications that have been stolen or hijacked using compromised email credentials. What is different about these emails from the original email is that they contain a switched ZIP attachment that is password protected to avoid email filtering and sandbox inspection. The file names are even tailored to the target organization to make them appear more authentic. When a recipient unzips the file, an infostealer malware (like StrelaStealer) infects the victim’s machine and steals email credentials stored in MS Outlook or Mozilla Thunderbird.

\ Key Takeaways

\ No single tool in the world can provide foolproof protection against phishing. To mitigate phishing, organizations must focus on security basics:

\

1. Build a security-conscious workforce: Through regular training, awareness exercises, and phishing simulation tests, build a workforce that is responsible and vigilant about cybersecurity.

\

2. Update software regularly: Ensure that systems, hardware, applications, and software are up to date to prevent attackers from exploiting any new or existing vulnerabilities.

\

3. Adopt a zero-trust mindset: Implement zero-trust (never trust, always verify) tools and processes that focus on verifying user identity prior to granting access to company resources or data. \n
4. Empower staff: Provide security tools like password managers to employees so they don’t fall victim to threats like password reuse. Make it easy for staff to contact the security team and report phishing messages. Establish and communicate clear and transparent security policies, dos and don’ts, etc.

\

5. Deploy robust email security: Employ advanced email filters (preferably AI-based) that can detect suspicious patterns such as unusual sender addresses, malicious URLs and domains.

\ The phishing techniques described above highlight the growing sophistication and variety of threats targeting individuals and organizations. These novel methods demonstrate the need for heightened vigilance and proactive security measures. Building a security-conscious workforce, empowering them with tools, adopting zero trust, updating software regularly, and deploying robust email security can provide critical defenses against future waves of phishing attacks.