Check Point Research, the research division of Check Point® Software Technologies Ltd (NASDAQ: CHKP), a global leader in cyber security solutions, has released the Brand Phishing Report for Q3 2022. The report highlights the brands most frequently imitated by criminals in July, August and September to steal personal data or payment information.
While LinkedIn was the most frequently imitated brand in both the first and second quarters of 2022, the shipping company DHL tops the list in the third quarter, accounting for 22 per cent of all phishing attempts globally. Microsoft is in second place (16 per cent) and LinkedIn has dropped to third place with 11 per cent – a steep fall from 52 per cent in Q1 and 45 per cent in Q2. The rise in DHL impersonation may be partly due to a major global fraud and phishing attack that the logistics giant itself warned about just days before the quarter began. Instagram also appears on the list for the first time this quarter, following reports of a phishing campaign involving blue badges in September. These badges are usually used for verification and identify users as trustworthy.
After the technology sector, transport is one of the most lucrative industries for brand phishing. As most countries move towards the busiest time of the year for retail, due to upcoming festivals, CPR will continue to monitor scams related to mail order, as hackers are likely to increase their efforts in this area to defraud (online) shoppers.
“Phishing is the most common form of social engineering. This in turn is a general term for attempts to manipulate or deceive users and this avenue of attack is increasing in frequency overall. It is used in the majority of incidents. In Q3 2022, we did see a dramatic decrease in phishing attempts related to LinkedIn. However, this simply reminds us that cyber criminals often change their tactics to increase their chances of success. However, LinkedIn remains the third most frequently impersonated brand, which is why we urge all users to remain vigilant of emails or messages purporting to be from LinkedIn. As DHL is the company most often imitated, it is important that anyone expecting a delivery goes directly to the carrier’s official website to check the supposed progress and authenticity of the notification. No one should blindly trust emails, especially those that ask for information to be revealed. Especially before Halloween, it becomes important to check the shipping email after purchasing costumes and Halloween decorations. This email could be a phishing attack trying to get your personal information,” comments Omer Dembinsky, Data Research Group Manager at Check Point.
In a brand phishing attack, criminals try to imitate the official website of a well-known brand by using a similar domain name or URL and a design that resembles the real website. The link to the fake site can be sent to the target via email or text message. A user can also be redirected while browsing the web, or the link can be opened by a fraudulent smartphone application. The fake website often contains a form intended to capture, and thus steal, the user’s login data, payment data or other personal information.
Top phishing brands in Q3 2022
The following are the top brands, ranked by their frequency in brand phishing attempts:
- DHL (abused for 22 per cent of all global brand phishing attempts).
- Microsoft (16 per cent)
- LinkedIn (11 per cent)
- Google (6 per cent)
- Netflix (5 per cent)
- WeTransfer (5 per cent)
- Walmart (5 per cent)
- WhatsApp (4 per cent)
- Bank HSBC (4 per cent)
- Instagram (3 per cent)
DHL phishing email – example of account theft
As part of campaigns using DHL’s brand in Q3 2022, security researchers observed a phishing email sent from the address info@lincssourcing[.]com and spoofed to appear to come from DHL Express. The email carried the subject line “Undeliverable DHL(Parcel/Shipment)”, and its content (see Figure 1) attempts to get the victim to click on a malicious link by claiming that a delivery can only be sent after the delivery address has been updated. The link leads to a fraudulent website, https://bafybeig4warxkemgy6mdzooxeeuglstk6idtz5dinm7yayeazximd3azai[.]ipfs[.]w3s[.]link/dshby[.]html/ (see Figure 2), which requires the victim to enter their username and password.
Figure 1: The fraudulent email with the subject line Undeliverable DHL(package/shipment).
Figure 2: Fraudulent login page at the address https://bafybeig4warxkemgy6mdzooxeeuglstk6idtz5dinm7yayeazximd3azai[.]ipfs[.]w3s[.]link/dshby[.]html/.
OneDrive phishing email – example of account theft
This phishing email attempts to steal a user’s Microsoft account details. The email (see Figure 3), sent from the address websent@jointak.com.hk under the fake sender name OneDrive, carried the subject line “A document titled ‘Proposal’ has been shared with you on Onedrive”. The attacker attempts to trick the victim into clicking on the malicious link by claiming that an important document titled Proposal has been shared to the victim’s OneDrive folder. This malicious link – https://mail-supp-365[.]herokuapp[.]com/ – redirects the user to a fraudulent Microsoft web app login page (see Figure 4) where the user must enter their password.
Figure 3: The malicious email with the subject line A document titled ‘Proposal’ has been shared with you on Onedrive.
Figure 4: Fraudulent login page https://mail-supp-365[.]herokuapp[.]com/
As always, Check Point security researchers advise all users to be cautious when entering important data and credentials for business applications or websites. They advise users to think twice before opening email attachments or links, especially in emails claiming to be from well-known companies such as DHL, Microsoft or LinkedIn, as these brands are the most likely to be abused for brand phishing.
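Both samples above share the same tell: the brand named in the sender name or subject does not match the sender's domain or the host behind the link. The following check is an added example, not Check Point's code; the brand allowlist, the helper names and the third (benign) sample are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed, deliberately incomplete allowlist of domains each brand really uses.
BRAND_DOMAINS = {"dhl": {"dhl.com"},
                 "onedrive": {"microsoft.com", "live.com", "sharepoint.com"}}
# Hosting suffixes where anyone can publish (the two seen in the report).
SHARED_HOSTS = ("ipfs.w3s.link", "herokuapp.com")
# (sender name, subject, sender, link): rows 1-2 use the report's defanged
# values, row 3 is a constructed benign message.
SAMPLES = [
    ("DHL Express", "Undeliverable DHL(Parcel/Shipment)", "info@lincssourcing[.]com",
     "https://bafybeig4warxkemgy6mdzooxeeuglstk6idtz5dinm7yayeazximd3azai"
     "[.]ipfs[.]w3s[.]link/dshby[.]html/"),
    ("OneDrive", "A document titled ‘Proposal’ has been shared with you on Onedrive",
     "websent@jointak.com.hk", "https://mail-supp-365[.]herokuapp[.]com/"),
    ("DHL Express", "Your shipment is on its way", "noreply@dhl.com",
     "https://www.dhl.com/tracking"),
]


def refang(value: str) -> str:
    """Undo the [.] defanging used in the report so the value can be parsed."""
    return value.replace("[.]", ".")


def under(host: str, domain: str) -> bool:
    """True if host is domain or a subdomain of it; 'notdhl.com' does not match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def assess(display_name: str, subject: str, sender: str, link: str) -> list[str]:
    """Return the reasons a message looks like brand phishing (empty = none)."""
    claimed = f"{display_name} {subject}".lower()
    sender_domain = refang(sender).rsplit("@", 1)[-1]
    link_host = urlsplit(refang(link)).hostname or ""
    reasons = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in claimed:  # plain substring match, kept simple here
            continue
        if not any(under(sender_domain, d) for d in domains):
            reasons.append(f"{brand}: sender domain {sender_domain} is not the brand's")
        if not any(under(link_host, d) for d in domains):
            reasons.append(f"{brand}: link host is not the brand's")
    if any(under(link_host, s) for s in SHARED_HOSTS):
        reasons.append("link points at shared hosting or an IPFS gateway")
    return reasons
```

Calling assess(*SAMPLES[0]) returns the list of reasons for the DHL sample. The link host is deliberately left out of the reason text so the output never prints a live, refanged address.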