Apple is Most Imitated Brand for Phishing in Q1 2020, Shows Check Point Research

We all like to think we would never fall for a phishing attempt.  Unfortunately, none of us are immune because we all make mistakes.  Verizon’s 2019 Data Breach Investigations Report showed that nearly one-third (32%) of data breaches involved phishing activity.  What’s more, phishing was present in 78% of cyber-espionage incidents and the installation and use of backdoors to networks.  It’s no surprise that phishing continues to be a key weapon in cyber-criminals’ arsenals, to try and trick users into giving up sensitive information by impersonating familiar brands.

Brand phishing involves the attacker imitating an official website of a known brand by using a similar domain or URL, and usually a web page similar to the original website. The link to the deceptive website can be sent via email or text message, a user can be redirected during web browsing, or it may be triggered from a fraudulent mobile application. In many cases the website contains a form intended to steal credentials, personal information or payments.

Check Point Research’s latest Brand Phishing Report for Q1 2020 shows that Apple was the most imitated brand, rising from 7th place in Q4 of 2019 to the top spot. This was due in part to the anticipated launch of the new Apple Watch, with criminals exploiting the online buzz to launch several credential theft attempts. The total number of Brand Phishing detections remains stable compared to Q4 of 2019.

Furthermore, in Q1 Mobile Phishing was the second most common attack vector compared to Q4 of 2019 where it ranked in third place. This may be due to the Coronavirus pandemic which has caused people to rely more on their mobile phones for information and work. There are also similarities in the brands being used in web and mobile phishing vectors, such as Netflix and PayPal, which have risen in popularity due to an increase in the number of people working from home as a result of the Coronavirus

The examples below show a series of phishing campaigns which aim to generate direct profit by impersonating Chase, Netflix and other brands.

Top Phishing Brands

Below are the top 10 brands ranked by their overall appearance in brand phishing events during Q1 2020:

Top Phishing brands per platform

During Q1 2020, similar brands were used in mobile and web phishing vectors, which included banking and streaming services such as Chase and Netflix. Web phishing was the most prominent vector at 59%, followed by mobile phishing as the second most common attack vector compared to Q4 of 2019, where it ranked third. This is due to people spending more time on their mobile phones during the Coronavirus pandemic, which cybercriminals are taking advantage of.

Email (18% of attacks)

  1. Yahoo
  2. Microsoft
  3. Outlook
  4. Amazon

Web (59% of attacks)

  1. Apple
  2. Netflix
  3. PayPal
  4. eBay

Mobile (23% of attacks)

  1. Netflix
  2. Apple
  3. WhatsApp
  4. Chase

Top brands industries

  1. Technology
  2. Banking
  3. Media

Netflix – fraudulent domain example

In February, an attacker was trying to imitate Netflix services using fraudulent domain (netflix-pagos\.com)

Chase login page – Credentials theft example

During this quarter we noticed dozens of detections of fraudulent websites trying to imitate login pages of banks. Such websites, as the one below, is trying to steal Chase Bank login credentials and listed under the address chasecovid19s\.com/home/myaccount/access\.php which was first active in March 2020 and registered under the IP – 23.229.221.103, located in United States.

According to research, the attacker used several similar fraudulent domains such as:

chasecovid19v\.com, chasecovid19t\.com

Airbnb – Corona update scam

During March, we noticed a fraudulent website which was trying to imitate the Airbnb login page and supposedly intended to give updates regarding Airbnb Service during this period. The website is listed under the address hxxps://airbnb.id-covid19\.com/update/login\.php. The domain is registered under Russian IP – 91.210.107.54

Unicredit login page – Credentials theft example

In mid-February, we noticed that this URL mastriapaypal\­.com (Registered On:2020-02-03 and hosted in this IP – 216.239.38.21) is redirecting users to Unicredit bank login page in Bulgarian language under the URL below:

ghlinkup­\.­com/wp-content/plugins/wp-component/wp-com/img/js/pp/ – the domain is hosted in this is IP address  – 198.54.120.52

Yahoo Japan domain scam

Towards the end of March, we noticed that the domain yahoo-mask\.com offered face masks to Japanese people via what appeared to be Yahoo Japan.

The domain is hosted in this IP address – 45.34.181.228 and was registered by this email address [email protected]

WhatsApp log in page – Credentials theft example

In February, we noticed this URL mail\.whatsapp\.vvipx9\.com/login.php is presenting a fraudulent WhatsApp web login page in Indonesian language requesting Facebook credentials in order to connect. The domain is hosted in this IP address 5.189.170.134

To avoid falling victim to these scam attempts, we recommend the following actions:

  1. Verify you are using or ordering from an authentic website. One way to do this is NOT to click on promotional links in emails, and instead Google your desired retailer and click the link from the Google results page.
  2. Beware of “special” offers. An 80% discount on the new iPhone is usually not a reliable or trustworthy purchase opportunity.
  3. Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.