PTI 2018: The Rising Risk for SaaS

For years the financial industry and email providers have been the top targeted industries, making up more than 50 percent of the total pie. In 2017, this was certainly still the case, but there is a new rapidly rising threat to the software as a service (SaaS) space as well. 


With a 237 percent growth rate, SaaS-based branded attacks tripled in the past year and is only increasing in a dramatic way year-over-year. By comparison, the second industry with extensive growth goes to social media at 190 percent growth and in third telecommunications with a 67 percent growth rate. Because of this, one of the new key findings in this year’s PTI report highlights the rising risk to the SaaS industry:

Key Finding: Attacks targeting SaaS exploded with more than 237 percent growth.

“The volume more than tripled compared to what we saw in 2016,” said Crane Hassold, PhishLabs Director of Threat Intelligence. “While it only makes up seven percent of the total amount of phishing attacks targeting various industries, that number is dramatically increasing year over year.”

So why is this happening? It’s due to effectiveness and trust.

Increase in Enterprise-Level Brand Abuse Lures

With success comes a larger target, and that is exactly what happened for SaaS-based brands. After becoming the norm in 2015, the number of attacks targeting some of the most used systems more than doubled two years in a row. However, accessing the SaaS account in question isn’t the actual motive, but more so using the trust and familiarity users have with the platform to trick them into handing over their credentials. Through Lo-Fi lures, threat actors will steal the brands’ logos, messaging, and even mirror real emails in an attempt to socially engineer an interaction that would result in credential theft.

While the largest primary targets go to DocuSign and Adobe, there are some other entertainment platforms that run similar to SaaS, such as Netflix, that are also the target of these brand abuse lures. Like email/online service phish, SaaS phish often target companies frequently used by enterprises.

“It mirrors the overall threat landscape evolution that we’ve seen where phishing threat actors are moving away from targeting individual users and towards business and enterprise users,” said Hassold. “So when you look at the companies who are primarily affected from a SaaS space, they are Docusign and Adobe, those are the two primary companies that are being targeted and seen a big increase for. And when you look at why they are being targeted and some of the lures being used you can tell they are being primarily used to target business users for their credentials.”

Because enterprise employees are familiar with these brands, they are specifically the focus of these attacks. As a result the rise in SaaS-based phishing attacks mirrors our largest key finding from this year’s PTI report, which is the shift from consumer attacks to businesses.

The Impact

One of the largest concerns associated with credential theft is that the threat actors can then abuse and further propagate attacks like a spider web. One account leads to five, and five leads to more than a dozen. This is due to password reuse attacks.

A password reuse attack is a technique used by cyber threat actors that uses previously compromised user credentials to access accounts on other websites, generally using an automated tool. This attack vector became a major focus in 2016 due to a torrent of massive, high profile breaches. One of the biggest problems with password reuse attacks is that the websites affected are secondary casualties stemming from an initial infection. They fall victim to countless account compromises through no fault of their own.

“Phishers are able to use these credentials for a variety of different purposes. They can use them for business email compromise (BEC) attacks, use them to access data in a business’ cloud, they can also use it for intellectual property theft,” said Hassold.


Article Link: