In this Insights piece, cybersecurity firm Check Point Software shares its predictions on what companies and organizations can expect from an evolving threat landscape in the country.
Key highlights:
Malware dominance: Malware attacks, particularly InfoStealers, surged as remote work expanded. Employee devices, often unsecured, have become prime targets for data breaches.
Social engineering innovation: Sophisticated phishing and smishing campaigns now exploit device and geo-filtering techniques to avoid detection.
Decline in ransomware: The Philippines saw a decline in ransomware incidents stemming from local threat actors’ limited resources, shifts in ransomware group operations, and a preference for targeting larger international entities over smaller, less lucrative Philippine businesses.
Data exposure alarming: A sharp rise in data leaks has been observed, with exposed source codes, credentials, and confidential files providing avenues for exploitation.
Emerging underground marketplaces: A 100% increase in malicious activities on platforms like Telegram highlights the evolving capabilities of local threat actors.
Cyber threats continue to rise globally in 2024, with Philippine organizations in government, education, finance, and telecommunications facing significant risks.
A new report from Cyberint, a Check Point Software company, highlights the prevalence of social engineering, malware, social media impersonations, and distributed denial-of-service (DDoS) attacks, revealing an evolving cyber security landscape driven by unique socio-political and technological environments in the Philippines.
On a positive note, the Philippines does seem to be seeing a decline in ransomware incidents in 2024 compared to 2023. Analyzing data from December 1, 2021, to December 1, 2024, the report provides key insights into cybercriminal tactics and offers forecasts for emerging threats in 2025.
A deeper look into the Philippine threat landscape in 2024
Let’s dive into the most prominent threats to the Philippines over the past few years with a focus on trending threats:
Malware: Malware is the most prevalent cyber threat in the Philippines. As with many other countries globally, the majority of these malware infections came from the personal devices of clients’ employees, which were utilized for work-related activities. InfoStealers are a particularly concerning type of malware that has become a gateway for unauthorized access to vulnerable portals, leading to data breaches. The widespread adoption of work-from-home setups due to the COVID-19 pandemic has further amplified the risk of Infostealer infections, especially when employees utilize personal devices for work purposes.
Ransomware: While ransomware remains a significant global threat, the report indicates a decrease in ransomware attacks targeting the Philippines in 2024 compared to 2023. The Philippines is less targeted by ransomware compared to other countries, mainly due to:
Limited resources for local threat actors – most of the local threat actors and groups conduct malicious attacks using only open-source tools, and many of them are referred to as “Script Kiddies” (a term for a technically unskilled individual who uses tools developed by others).
The shift in the ransomware landscape – many of the well-known ransomware groups are currently shifting their operations (i.e., enhancing their operation, shifting their tactics, etc.), while some of them have been disbanded in the past months, thus giving way to newly discovered ransomware groups. Newer groups often choose to target international entities to immediately gain recognition in the ransomware landscape.
Larger payouts versus local challenges – major ransomware groups typically focus on larger countries and organizations, where higher payouts justify their efforts. Small to medium businesses in the Philippines might not be valuable enough for major ransomware groups and carry a higher likelihood of non-payment, reducing their appeal as targets.

Social Engineering: Social engineering remains a highly effective tactic in the Philippines. Phishing campaigns are a common method, with some threat actors employing innovative techniques to lure victims.
Phishing and Smishing: Smishing, a form of phishing via SMS, gained significant traction in the Philippines during 2024. In general, email is increasingly well protected against phishing, so threat actors prefer to fall back on older methods to bypass that protection. These campaigns often impersonate government and logistics organizations to trick users into revealing sensitive information.
The report acknowledges the efforts of the National Bureau of Investigation (NBI) Philippines in apprehending individuals involved in such scams, which helps to stem such attacks. However, the use of new tactics, like device and geo-filtering, by threat actors necessitates continuous vigilance.
Device and Geo-Filtering: Recent phishing campaigns leverage device and geo-filtering techniques to ensure that phishing domains are only accessible when visited from Philippine IP addresses using mobile devices. This approach helps cybercriminals evade detection by traditional security measures.
Smishing via IMSI-Catcher Devices: The report sheds light on the concerning use of IMSI-Catcher devices by smishing operators. IMSI-Catcher devices, also known as cell-site simulators or ‘stingrays’, are used to intercept mobile phone traffic. The report highlights a smishing campaign that targeted Filipinos during the All Saints’ and Souls’ Day holidays, exploiting the increased mobile network traffic during this period.

Social Media Impersonation: There has been a recent rise in social media impersonation attempts. Here, cybercriminals create fake social media profiles to lure victims with fraudulent promotions and services.
This radical increase in numbers can be attributed to evolving tactics of cybercriminals (who no longer solely rely on phishing and more traditional methods) and heightened global awareness and detection capabilities. Scam operators and threat actors are shifting to these new social media impersonation tactics as they are a relatively easy way to run successful scam operations.
These threat actors are continuously exploring the latest technologies for social media impersonation campaigns, such as AI (e.g., deepfakes, chatbots, large language models) and social media advertisements. With fake social media profiles, gullible citizens can easily be tricked into believing the posts coming from these profiles, making it easier even for non-technical scam operators to conduct their fraudulent activities.
Supply Chain Attacks: Cyberint’s Supply Chain Intelligence identified eight third-party vendor breaches impacting Philippine clients in 2024, highlighting the growing risk of supply chain attacks. These supply chain alerts were observed in several of our Philippine clients, mainly in the Finance and Energy sectors. These supply chain incidents occurred as these organisations were being targeted by local and international threat actors, resulting in data leaks that took place because of unsecured systems, vulnerabilities, and credential exposures due to malware.
A concerning rise in data exposure
Data breaches and leaks are a growing concern in the Philippines. These incidents can involve various sectors, including government, finance, retail, healthcare, education, and media. There has been a concerning rise in exposure of company source code, internal email correspondence, exposed cloud storage and confidential files, which can be exploited by threat actors.
The increase in company source code exposure can be attributed to the increase in APIs (i.e., UAT, tokens, secrets, and requests) and internal projects, among others, which offers threat actors increased chances to abuse this source code for fraudulent activities.
When a company’s source code is exposed, it can lead to attackers analyzing it to identify and exploit vulnerabilities, intellectual property theft, reputational damage, legal and compliance issues and code manipulation.
The financial sector remains the most targeted, accounting for 66% of critical alerts from 2021-2024. Other impacted industries include media (11%), technology (8%), and real estate (6%). Attackers continue to exploit the interconnectivity of critical infrastructure and digital services to wreak havoc in the Philippines.
Underground marketplaces
Cyberint actively monitors underground marketplaces where various malicious tools and services are traded. The report noted a 100% increase in underground marketplace activity on Telegram related to the Philippines in 2024, compared to 2023. This surge was primarily observed through our sources monitoring marketplace activities, such as the offering of illicit wares, malware, DDoS services, and other malicious activities targeting the Philippines.
The growing number of underground marketplaces offering illicit goods and attackware targeting Philippine entities makes it increasingly easy for threat actors and non-technical scam operators to carry out fraudulent campaigns.
These marketplaces offer a range of illicit items, including:
“FULLZ”: This slang term refers to “Full Information” obtained through various means like phishing, carding, and malware. This data is then traded and used to support further malicious campaigns.
Exploit Tools and Attackware: These include tools like webshells, RDP, and SSH tools, enabling attackers to exploit vulnerabilities.
Malware/Malware-as-a-Service: Malware such as Infostealers and backdoors are readily available, often offered as a service, lowering the barrier to entry for aspiring cybercriminals.
Email and SMS Tools and Services: These include bulk SMS services, email blasting tools, and access to cPanels, along with resources like phone numbers, OTPs, and e-SIMs.
Fake Documents: These are used for social engineering attacks, such as bypassing KYC processes or enhancing phishing campaigns. Examples include fake bank statements, invoices, and IDs.
Money Laundering Services: These services facilitate the laundering of illicit funds through fraudulent cashouts and money transfers using mule accounts, remittance accounts, or digital wallets.
Mule Accounts: These accounts, used for money laundering, are often obtained through carding, phishing, malware logs, or Quid Pro Quo (offering something in exchange for the account).
Emerging threats and strategic priorities in 2025 for the Philippines
The cyber threat landscape is expected to become even more complex in 2025 due to rapid technological advancements, changes in work environments, and geopolitical tensions. Key emerging threats include:
Sophisticated Social Engineering and Phishing through AI and IMSI-Catchers: AI will be used to create highly personalised phishing attacks, making them harder to detect. The continued use of IMSI-Catchers was seen when IMSI-Catcher devices were utilised during the November 1 and 2 holidays, All Saints’ and Souls’ Day (a.k.a. Undas).
Enhanced Brand Impersonation Techniques: Threat actors will continue to leverage fake social media pages and may increasingly use AI-powered deepfakes for impersonation attacks.
Supply Chain Vulnerabilities: Attacks targeting vulnerabilities in third-party vendors and software suppliers are expected to increase.
Geopolitical Cyber Campaigns: Geopolitical tensions, such as those in the South China Sea, could lead to increased cyber warfare activities. The report mentions a campaign known as #OpChina initiated by Philippine threat actors and attempts by Chinese APT groups to recruit local threat groups.
Continuous monitoring, vulnerability management to mitigate supply chain vulnerabilities, incident response planning and a comprehensive public awareness campaign to address evolving social engineering tactics are essential to mitigating the evolving risks in the digital realm.