Top Ten Phish of the Year

While we’re all still reeling from 2021’s $3.4 billion pricetag on the Colonial Pipeline phishing attack, we still need to remember that sometimes the longest journey begins with a single tiny hook. Colonial’s actual ransom cost them a fractional 3.75 mil, but the cost of shutting down America’s major oil conduit was in the billions.

2022 only saw the criminals getting bolder and the industry consolidating into a manufacturing line starting with small-time phishers and ending in global crime syndicates and rogue states. It was the year that saw Elon Musk coming to a head with his former enabler, Twitter, war pitching cyberthugs on both sides of the Ukraine-Russia border sweeping up the world in a cataclysm of cyber attacks, and crypto firms left and right succumbing to an avalanche not much worse than the banking collapse of 2008.

Here is a list of the top breaches of 2022—most of them the result of a mere email sent to the wrong person at the wrong moment, opened, and clicked.

1. Crypto.com loses $30m

The year began auspiciously when hackers managed to bypass multi-factor authentication and steal the equivalent of $30m in Bitcoin and Ether from customers of e-wallet provider crypto.com. If anyone thought that MFA is the buy-all-to-end-all solution against identity theft or account breaching—think again. It’s a game of catch-up in which 2-factor became 3-factor became 3- and now 4FA techniques—each constantly upgraded to deal with their predecessor’s vulnerabilities.

2. FTX… ex

The year also seems to be ending in the crypto realm. For, so long as cryptocurrencies remain comparatively unregulated, users and suppliers remain in that unenviable position of having no legal recourse to attacks, placing them squarely within the target range of the phishing hook. All eyes blockchain are presently averted towards the FT X saga, which began when the now-bankrupt exchange platform spread its contagion to other related exchanges, such as FTT and Binance—not unlike their bricks-&-mortars competitors during their respective financial crises. Meanwhile, phishing schemes are quick to capitalize, as with free wallets, free coins, questionable offerings, and that famous Twitter video showing FTX founder Bankman-Fried (yes, that’s his real name) offering refunds before being apprehended.

3. Monkeying around

In March, email marketing champ, Mailchimp disclosed that attackers had convinced company employees to provide their credentials, enabling the attackers to breach several hundred user accounts. After phishing Mailchimp workers, the cyberthugs then proceeded to phish those clients’ mailing lists. Crypto ewallet company Trezor, for example, soon discovered that its clients were providing their data to phishing emails deemed safe, since the mails were coming from (wouldn’t you know it) Mailchimp—a perfect example of ‘downstream’ phishing.

4. Phishing healthcare

By now it’s no secret that healthcare is a prime target for cybercriminals—especially for ransom. Cynicism apparently knows no boundaries when a criminal hits out at the very people his own life may depend upon in a day’s time. In June, an Allegheny H ealth Network employee clicked on a malicious phishing link that resulted in the exposure of some 8,000 patient records. A month earlier, 4000 NuLife Med patient records were exposed, and in December, ATC Healthcare also fell victim, the number of compromised records yet to be disclosed.

5. Phish networking

Another popular target for phishers is social networks. So many small companies nowadays depend on LinkedIn for HR purposes, Instagram for influencer marketing, Twilio for mass phone and SMS marketing, and so on—what could be easier and more profitable than diving down into the communications networks themselves?

Twilio is a prime example of ‘phish me once, phish me again’. A company employee was successfully phished in June this year into handing over his creds. Although only a handful of customers lost their data in that attack, it alerted the scammers to Twilio’s apparently weak authentication methods. Thus, two months later, the crooks initiated a larger-scale attack. As with Mailchimp, the problem here is that, once accessed, Twilio, which is a messaging service, provides a gateway to downstream phishing of its clients—many of whom are major corporations. Content delivery service Cloudflare was hit at the same time by the same actors… but luckily had sturdier authentication protocols in place.

6. War of the Phish

In a globally interconnected world, war is no longer confined to a single geographically limited battlefield. This became immediately apparent days before Russia’s incursion into Ukraine, when Russian cyberthugs took the battle into the cybersphere, attacking anyone who dared express support for ‘the enemy’. In retaliation, pro-Ukrainian hackers attacked Belarusian railways in a bid to hamper arms delivery; pro-Russian hackers then attacked Ukrainian refugees; and so on.

And by phishing your opponent’s human networks, the fog of war sows distrust: ‘who has been compromised’ becomes a major headache, which undermines the very act of communications. So be careful of what you say on Facebook—you could be monitored, phished, and swept up into a battle raging continents away.

7. Phish making ‘tweet’ sounds

The Musk-Twitter saga could have been written by a major Hollywood soap-opera Shakespeare wanabee. What began years ago with the corporate bad boy tweeting to manipulate Tesla company shares, now has Elon in the driver’s seat of what is one of the world’s most powerful communications networks. Having last year obtained an option to buy the company at a discount, he was forced to then execute his buy at a premium against his will. Now he seems intent on destroying Twitter from within, claiming that he was not made aware of the scope of bot accounts and scam tweeting going on.

His latest escapade is an ill-thought-out attempt to designate accounts as safe, real, or not by the use of a blue badge (or is it a blue tick, or rather, a white tick on a blue badge…). Actually, this designation was free before for celeb accounts but would now cost 20 bucks for anyone who wanted it… Ostensibly a worthy initiative that could go wrong in so many ways, the immediate number of spoofers offering fake blue badges in return for personal data was astonishing—forcing Musk to take a well-needed nap on his laurels.

8. Eight million (8m) customers lose data to Cash App breach

A former employee of the mobile Cash App payment service decided to help himself to the data of over 8 million customer records when his work term ended, according to a CNN report in April. Though not a phishing story—this certainly is a whopper, and there’s no way we’re ignoring it!

9. Seven Million (7m) Beetle Eyes Swatted

As more and more companies leverage up with cloud services, we need to take notice of the exposure this may involve. 6,000 files, 1 GB of data, and all that thanks to a misconfigured AWS bucket (let’s call it Amazon Web Service’s version of folder, for now, ok). This specific batch of leaked records belonged to Beetle Eye customers—an email campaign automation platform. In another Amazon-related incident, 3.7m users were impacted when scheduling service FlexBooker’s databases were breached. Again—not phishing but we fear for Amazon (which for me has so far been really understanding with refunds and returned items) and—let’s face it—the headline is cool…

10. Microsoft – the king of all things computer

Luckily, not all is upstream in the phishing world. At least one positive story should make the list, and that is Microsoft’s blocking of billions of phishing emails in 2021: 35.7 billion, to be specific—this according to a company spokesman extolling the virtues of Defender for Office365. Still, it pays to remember that emails are only one way to stop a phishing attack, and that links can be transported upon SMSs, push notifications, social tweets and posts, WhatsApp and Telegram messages, etc. etc. ad nauseum.

And because sending 5 emails or messages or 5 million of them only costs an additional spurt of electricity and a mere nano–span of extra bandwidth, it’s a numbers game that cannot be quashed at the relay center. Besides, you’re probably reading most of your emails from your mobile phone using an Android or Apple mail app, not necessarily your networking, well-protected Windows 11 office computer.

In fact, Trueslist estimates that a billion phishing emails are sent each day (!), making the yearly number well over a trillion. Consequently, Win10-11 Defender—present on about half a billion computers worldwide—only blocks 3% of all phishing emails, or 2 mails per computer per year.

The phishing page, on the other hand, still requires work on the part of the scammer. It needs to be designed, written and hosted somewhere—even if automation can produce a new one every 2 seconds.

So, don’t give up on Defender yet, but definitely install novoShield—it’ll prevent the phishing page from opening even if you’re human, and you once in a while do get inadvertently suckered into clicking on a link.

And we’ll CERTAINLY block more than 2 phishing pages each year.