Check Point Press Releases

Social Media Network LinkedIn Ranks First in List of Brands Most Likely to be Imitated in Phishing Attempts in Q1 2022

Check Point Research issues its Q1 Brand Phishing Report, highlighting the brands that hackers most often imitate to lure people into giving up their personal data


San Carlos, CA  —  Tue, 19 Apr 2022

Check Point Research (CPR), the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP) and a leading provider of cyber security solutions globally, has published its Brand Phishing Report for Q1 2022. The report highlights the brands which were most frequently imitated by cybercriminals in their attempts to steal individuals’ personal information or payment credentials during January, February and March.

Social media network LinkedIn dominated the rankings for the first time ever, accounting for more than half (52%) of all phishing attempts during the quarter. This represents a dramatic 44% uplift from the previous quarter, when the professional networking site was in fifth position, accounting for only 8% of phishing attempts. LinkedIn overtook DHL as the most targeted brand; DHL is now in second position and accounted for 14% of all phishing attempts during the quarter.

The latest report highlights an emerging trend toward threat actors leveraging social networks, now the number one targeted category ahead of shipping companies and technology giants such as Google, Microsoft and Apple. As well as LinkedIn being the most targeted brand by a considerable margin, WhatsApp maintained its position in the top ten, accounting for almost 1 in 20 phishing-related attacks worldwide. The report highlights a particular example where LinkedIn users are contacted via an official-looking email in an attempt to lure them into clicking on a malicious link. Once there, users would again be prompted to log in via a fake portal where their credentials would be harvested.

Shipping is now the second most targeted category, with threat actors continuing to take advantage of the general rise in e-commerce by targeting consumers and shipping companies directly. DHL is second to LinkedIn, accounting for 14% of phishing attempts; FedEx has moved from seventh position to fifth, now accounting for 6% of all phishing attempts; and Maersk and AliExpress have entered the top ten list for the first time. The report highlights one particular phishing strategy that used Maersk-branded emails to encourage the download of spoof transport documents, infecting workstations with malware.

“These phishing attempts are attacks of opportunity, plain and simple. Criminal groups orchestrate these phishing attempts on a grand scale, with a view to getting as many people to part with their personal data as possible,” said Omer Dembinsky, Data Research Group Manager at Check Point Software. “Some attacks will attempt to gain leverage over individuals or steal their information, such as those we’re seeing with LinkedIn. Others will be attempts to deploy malware on company networks, such as the fake emails containing spoof carrier documents that we’re seeing with the likes of Maersk.”

He continued: “If there was ever any doubt that social media would become one of the most heavily targeted sectors by criminal groups, Q1 has laid those doubts to rest. While Facebook has dropped out of the top ten rankings, LinkedIn has soared to number one and has accounted for more than half of all phishing attempts so far this year. The best defense against phishing threats, as ever, is knowledge. Employees in particular should be trained to spot suspicious anomalies such as misspelled domains, typos, incorrect dates and other details that can expose a malicious email or text message. LinkedIn users in particular should be extra vigilant over the course of the next few months.”

In a brand phishing attack, criminals try to imitate the official website of a well-known brand by using a similar domain name or URL and web-page design to the genuine site. The link to the fake website can be sent to targeted individuals by email or text message, a user can be redirected during web browsing, or it may be triggered from a fraudulent mobile application. The fake website often contains a form intended to steal users’ credentials, payment details or other personal information.

Top phishing brands in Q1 2022

Below are the top brands ranked by their overall appearance in brand phishing attempts:

  1. LinkedIn (relating to 52% of all phishing attacks globally)
  2. DHL (14%)
  3. Google (7%)
  4. Microsoft (6%)
  5. FedEx (6%)
  6. WhatsApp (4%)
  7. Amazon (2%)
  8. Maersk (1%)
  9. AliExpress (0.8%)
  10. Apple (0.8%)

 

Maersk Phishing Email – Malware Example

During the first quarter of 2022, we observed a malicious phishing email that used Maersk’s branding and was trying to download the Agent Tesla RAT (Remote Access Trojan) to the user’s machine. The email (see Figure 1), which was sent from a webmail address and spoofed to appear as if it was sent from “Maersk Notification (service@maersk[.]com)”, carried the subject “Maersk : Verify Copy for Bill of Lading XXXXXXXXX ready for verification.” The content asked the recipient to download an Excel file, “Transport-Document”, that would cause the system to be infected with Agent Tesla.


Figure 1: The malicious email which was sent with the subject
“Maersk : Verify Copy for Bill of Lading XXXXXXXXX ready for verification.”

 
 

LinkedIn Phishing Email – Account Theft Example

In this phishing email, we see an attempt to steal a user’s LinkedIn account information. The email (see Figure 1), which was sent from the email address “LinkedIn (smtpfox-6qhrg@tavic[.]com[.]mx)”, carried the subject “M&R Trading Co.,Ltd 合作采购订单#XXXXXXXX”. The attacker was trying to lure the victim into clicking on a malicious link, which redirects the user to a fraudulent LinkedIn login page (see Figure 2). On the page behind the malicious link (https://carriermasr.com/public/linkedIn[.]com/linkedIn[.]com/login[.]php), the user was asked to enter their username and password.

As always, we encourage users to be cautious when divulging personal data and credentials to business applications or websites, and to think twice before opening email attachments or links, especially emails that claim to be from companies such as LinkedIn or DHL, as they are currently the most likely to be impersonated.


Figure 1: The malicious email which was sent with the subject
“M&R Trading Co.,Ltd 合作采购订单#XXXXXXXX”

 
 


Figure 2: fraudulent login page
https://carriermasr.com/public/linkedIn[.]com/linkedIn[.]com/login[.]php
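The two examples above fail different checks, which the following added sketch (not Check Point's code) makes concrete: the LinkedIn email puts the brand in the display name and URL path on unrelated domains, while the Maersk email spoofs the From address itself and only shows up when From is compared with the envelope sender. The BRANDS allow-list, the function names and the Return-Path value are assumptions made for this example.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed allow-list for this example: brand keyword -> domains it really uses.
BRANDS = {"linkedin": {"linkedin.com"}, "maersk": {"maersk.com"}}

def refang(text):
    """Undo the [.] defanging used when indicators are published."""
    return text.replace("[.]", ".")

def belongs_to(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def addr_domain(header_value):
    return parseaddr(refang(header_value))[1].rpartition("@")[2].lower()

def sender_findings(from_header, return_path=""):
    """Flag a brand display name on a foreign address, and From/Return-Path mismatch."""
    findings = []
    display = parseaddr(refang(from_header))[0].lower()
    from_dom = addr_domain(from_header)
    for brand, domains in BRANDS.items():
        if brand in display and not belongs_to(from_dom, domains):
            findings.append(f"display name '{brand}' but address is @{from_dom}")
    rp_dom = addr_domain(return_path) if return_path else ""
    if rp_dom and not belongs_to(rp_dom, {from_dom}):  # simplified alignment check
        findings.append(f"From @{from_dom} not aligned with Return-Path @{rp_dom}")
    return findings

def url_findings(url):
    """Flag a brand keyword in the host or path of a URL the brand does not own."""
    parts = urlsplit(refang(url))
    host, path = (parts.hostname or ""), parts.path.lower()
    findings = []
    for brand, domains in BRANDS.items():
        if belongs_to(host, domains):
            continue
        if brand in host:
            findings.append(f"'{brand}' in hostname {host}")
        elif brand in path:
            findings.append(f"'{brand}' in path on unrelated host {host}")
    return findings

if __name__ == "__main__":
    # From values and URL are those quoted on this page; the Return-Path is constructed.
    print(sender_findings("LinkedIn <smtpfox-6qhrg@tavic[.]com[.]mx>"))
    print(sender_findings("Maersk Notification <service@maersk[.]com>", "<x@webmail.example>"))
    print(url_findings("https://carriermasr.com/public/linkedIn[.]com/linkedIn[.]com/login[.]php"))
```

A spoofed From with no Return-Path supplied returns no findings, which is why header-only heuristics need to be backed by SPF, DKIM and DMARC evaluation at the mail gateway.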

 
 

Follow Check Point Research via:
Blog: https://research.checkpoint.com/
Twitter: https://twitter.com/_cpresearch_

 

About Check Point Research 

Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.

About Check Point Software Technologies Ltd.

Check Point Software Technologies Ltd. (www.checkpoint.com) is a leading provider of cyber security solutions to governments and corporate enterprises globally. Its solutions protect customers from 5th generation cyber-attacks with an industry leading catch rate of malware, ransomware and other types of attacks. Check Point offers multilevel security architecture, “Infinity” Total Protection with Gen V advanced threat prevention, which defends enterprises’ cloud, network and mobile device held information. Check Point provides the most comprehensive and intuitive one point of control security management system. Check Point protects over 100,000 organizations of all sizes.

 
