Microsoft Dominates as the Most Impersonated Brand for Phishing Scams in Q2 2023

Check Point Research (CPR), the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP) and a leading provider of cyber security solutions globally, has published its Brand Phishing Report for Q2 2023. The report highlights the brands that were most frequently imitated by cybercriminals in their attempts to steal individuals’ personal information or payment credentials during April, May and June 2023.
 

Last quarter global technology company Microsoft climbed up the rankings, moving from third place in Q1 2023 to top spot in Q2. The tech giant accounted for 29% of all brand phishing attempts. This may be partially explained by a phishing campaign that saw hackers targeting account holders with fraudulent messaging regarding unusual activity on their account. The report ranked Google in second place, accounting for 19% of all attempts and Apple in third, featuring in 5% of all phishing events during the last quarter. In terms of industry, the technology sector was the most impersonated, followed by banking and social media networks.
 

At the beginning of this year, CPR warned of an upward trend that saw phishing campaigns leveraging the finance industry, and this has continued over the last three months. For example, American banking organization Wells Fargo took fourth place this quarter due to a series of malicious emails requesting account information. Similar tactics were noted in other scams that imitated brands such as Walmart and LinkedIn, which also featured in this report’s top ten list taking sixth and eighth place.
 

“While the most impersonated brands move around quarter to quarter, the tactics that cybercriminals use scarcely do. This is because the method of flooding our inboxes and luring us into a false sense of security by using reputable logos has proven successful time and time again” said Omer Dembinsky, Data Group Manager at Check Point Software.
 

“This is why we all must commit to stop and review, taking a moment before clicking on any link we don’t recognize. Does something feel off? Is there bad grammar or any language that is prompting an instant response? If so, this may be an indicator of a phishing email. For organizations worried about their own data and reputation, it is key that they take advantage of the right technologies that can effectively block these emails before they have chance to dupe a victim.”
 

In its latest Titan release R81.20, Check Point has also announced an inline security technology called ‘Zero Phishing’ was enhanced now with a new engine called Brand Spoofing Prevention, designed to stop brand impersonation and scaled to detect and block also local brands that are used as lures, in any language, any country, and it’s also prevents pre-emptively – as the engine recognized the fake domains on registration stage and blocks access to them. The solution uses an innovative AI-Powered engine, advanced Natural Language Processes and improved URL scanning capabilities to auto-inspect possible malicious attempts and block access to impersonated local and global brands across multiple languages and countries, resulting in a 40% higher catch rate than traditional technologies.
 

In a brand phishing attack, criminals try to imitate the official website of a well-known brand by using a similar domain name or URL and a web-page design that resembles the genuine site. The link to the fake website can be sent to targeted individuals by email or text message, a user can be redirected during web browsing, or it may be triggered from a fraudulent mobile application. The fake website often contains a form intended to steal users’ credentials, payment details or other personal information.
 

Top phishing brands in Q2 2023

Below are the top brands ranked by their overall appearance in brand phishing attempts:

1. Microsoft (29%)
2. Google (19.5%)
3. Apple (5.2%)
4. Wells Fargo (4.2%)
5. Amazon (4%)
6. Walmart (3.9%)
7. Roblox (3.8%)
8. LinkedIn (3%)
9. Home Depot (2.5%)
10. Facebook (2.1%)

Microsoft Phishing Email – Unusual Activity Example

In the second quarter of 2023, a phishing campaign targeted Microsoft account holders by sending fraudulent messages regarding unusual sign-in activity. The campaign involved deceptive emails which were sent allegedly from inside the company with sender names such as “Microsoft on ”. The subject line of these phishing emails was “RE: Microsoft account unusual sign-in activity” and they claimed to have detected unusual sign-in activity on the recipient’s Microsoft account. The emails provided details of the alleged sign-in, such as the country/region, IP address, date, platform and browser.
 

To address this supposed security concern, the phishing emails urged recipients to review their recent activity by clicking on a provided link which leads to malicious websites unrelated to Microsoft. The URLs used in the campaign, such as hxxps://online.canpiagn[.]best/configurators.html and hxxps://bafybeigbh2hhq6giieo6pnozs6oi3n7x57wn5arfvgtl2hf2zuf65y6z7y[.]ipfs[.]dweb[.] The link is currently inaccessible, but the assumption is that they were designed to steal user credentials or personal information, or to download malicious content onto the user’s device.
 

 

LinkedIn Phishing Email – Account Theft Example

During Q2 of 2023 a phishing email imitating LinkedIn, a professional networking platform, was identified (figure 1). The email falsely claimed to be from “LinkedIn” and had the subject line “Revise PO June – Order Sheet.” It aimed to deceive recipients into clicking on a malicious link by disguising it as a report. The phishing link (which is no longer active) in the email led to a suspicious website located at hxxps://amazonlbb[.]ajimport[.]com[.]br/china/newcodingLinkedin/index.html (figure 2). Clicking on this link posed a risk of account theft and other malicious activities.
 

Figure 1: The malicious email “Revise PO June – Order Sheet.”

Figure 2: The malicious website
hxxps://amazonlbb[.]ajimport[.]com[.]br/china/newcodingLinkedin/index.html

Wells Fargo Phishing Email – Account Verification Scam

During Q2 of 2023 a phishing email campaign impersonating Wells Fargo, a prominent financial institution, was observed. The email was sent from the address “29@9bysix[.]co[.]za” and appeared to be from “Wellsfargo Online”. It had the subject line “Verification Required” and aimed to trick recipients into providing their account information by claiming that certain details were missing or incorrect.
The phishing email included malicious link (no longer active): hxxps://vmi1280477[.]contaboserver[.]net/pyfdwqertfdswwrty/wells/main[.]html. The link led to a malicious website where users were prompted to enter their account credentials, potentially resulting in unauthorized access or account compromise.
 

 

Walmart Phishing Email – False Gift Card Offer

In Q2 of 2023 a phishing email campaign impersonating Walmart, a retail company, was detected. The email was sent from the address “info@chatpood[.]info” and had the subject line “Walmart eGift Card Waiting.” The purpose of this fraudulent email was to deceive recipients by offering them a $500 Walmart Gift Card as a token of appreciation for their loyalty. The phishing email contained malicious link: hxxps://cloud[.]appsmtpmailers[.]com. Clicking on these links would redirect users to a fraudulent webpage where they would be asked to provide personal information such as their name and email address, to verify eligibility. Currently this site is inactive.
 

 

Follow Check Point Research via:
Blog: https://research.checkpoint.com/
Twitter: https://twitter.com/_cpresearch_
 

About Check Point Research

Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.
 

Follow Check Point Software via:
Twitter: https://www.twitter.com/checkpointsw
Facebook: https://www.facebook.com/checkpointsoftware
Blog: https://blog.checkpoint.com
YouTube: https://www.youtube.com/user/CPGlobal
LinkedIn: https://www.linkedin.com/company/check-point-software-technologies

About Check Point Software Technologies Ltd.
Check Point Software Technologies Ltd. (www.checkpoint.com) is a leading provider of cyber security solutions to corporate enterprises and governments globally. Check Point Infinity’s portfolio of solutions protects enterprises and public organizations from 5th generation cyber-attacks with an industry leading catch rate of malware, ransomware, and other threats. Infinity comprises four core pillars delivering uncompromised security and generation V threat prevention across enterprise environments: Check Point Harmony, for remote users; Check Point CloudGuard, to automatically secure clouds; and Check Point Quantum, to protect network perimeters and datacenters, all controlled by the industry’s most comprehensive, intuitive unified security management; Check Point Horizon, a prevention-first security operations suite. Check Point protects over 100,000 organizations of all sizes.