Publications – Securelist (https://securelist.com)

How cybercrime is impacting SMBs in 2023
https://securelist.com/smb-threat-report-2023/110097/
Tue, 27 Jun 2023 06:00:36 +0000

According to the United Nations, small and medium-sized businesses (SMBs) constitute 90 percent of all companies and contribute 60 to 70 percent of all jobs in the world. They generate 50 percent of global gross domestic product and form the backbone of most countries’ economies. Hit hardest by the COVID pandemic, geo-political and climate change, they play a critical role in a country’s recovery, requiring greater support from governments to stay afloat.

In the past, the perception was that large corporations were more attractive to cybercriminals. Yet in reality, cybercriminals can target anyone, especially those who are less protected, while small businesses typically have smaller budgets and are not as securely protected as larger companies.

According to a report by the Barracuda cybersecurity company, in 2021, businesses with fewer than 100 employees experienced far more social engineering attacks than larger ones. That same year saw one of the worst ransomware incidents in history, the Kaseya VSA supply-chain attack. By exploiting a vulnerability in the software, the cybergang REvil infiltrated between 1,500 and 2,000 businesses around the world, many of which were SMBs. For example, the attack hit a small managed service provider Progressive Computing, and, by virtue of the domino effect, the company’s 80 clients, which were mainly small businesses. Although the attack was stopped fairly quickly, the SME sector was understandably shaken, alerting businesses to the fact that everyone was vulnerable.

According to the Kaspersky cyber-resilience report, in 2022, four in ten employers admitted that a cybersecurity incident would be a major crisis for their business, superseded only by a slump in sales or a natural disaster. A cybersecurity crisis would also be the second most difficult type of crisis to deal with after a dramatic drop in sales if judged by the results of the survey.

In this report, we have analyzed the key threats to small and medium-sized companies in 2022 and 2023, and provided advice on how to stay safe.

Methodology

The statistics used in this report were collected from January through May 2023 by Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users.

To assess the threat landscape for the SMB sector, Kaspersky experts collected the names of the most popular software products used by its clients who own small or medium-sized businesses around the world. The final list of software includes MS Office, MS Teams, Skype and other applications used by the SMB sector. We then ran these software names against KSN telemetry to find out how much malware and unwanted software was distributed under the guise of these applications.

Malware attacks

Between January 1 and May 18, 2023, 2,392 SMB employees encountered malware or unwanted software disguised as business applications, with 2,478 unique files distributed this way. The total number of detections of these files was 764,015.

Below is a brief description of the most popular types of threats that SMB employees encountered in January–May 2023:

Exploits

The biggest threat to SMBs in the first five months of 2023 were exploits, which accounted for 483,980 detections. Malicious and/or unwanted software often infiltrates the victim’s computer through exploits, malicious programs designed to take advantage of vulnerabilities in software. They can run other malware on the system, elevate the attackers’ privileges, cause the target application to crash and so on. They are often able to penetrate the victim’s computer without any action by the user.

Trojans

The second-biggest threat was Trojans. Named after the mythical horse that helped the Greeks infiltrate and defeat Troy, this type of threat is the best-known of them all. It enters the system in disguise and then starts its malicious activity. Depending on its purpose, a Trojan can perform various actions, such as deleting, blocking, modifying or copying data, disrupting the performance of a computer or computer network, and so on.

Backdoors

The third most common threat is backdoors. These are among the most dangerous types of malware as, once they penetrate the victim’s device, they give the cybercriminals remote control. They can install, launch and run programs without the consent or knowledge of the user. Once installed, backdoors can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity, and more.

Not-a-virus

Potentially unwanted applications (PUAs) that can be inadvertently installed on your device are labeled “not-a-virus” by our solutions. Although they are listed among the most widespread threats and can be used by cybercriminals to cause harm, they are not malicious per se. Nonetheless, their behavior is annoying, sometimes even dangerous, and the antivirus alerts users because, despite being legal, they often sneak onto the device without the user realizing.

Chart: TOP 10 threats for SMBs, January–May 2022

Chart: TOP 10 threats for SMBs, January–May 2023

Cybercriminals attempt to deliver this and other malware and unwanted software to employees’ devices by using any means necessary, such as vulnerability exploitation, phishing e-mails and fake text messages. Even something totally unrelated to business, such as a YouTube link, may be used to target SMBs, as their employees often use the same devices for work and personal matters.

One of the methods often used to compromise employees’ smartphones is so-called “smishing” (a combination of SMS and phishing). The victim receives a link via SMS, WhatsApp, Facebook Messenger, WeChat or some other messaging app. If the user clicks the link, malicious code is loaded onto the device.

Examples of scam threats and phishing

Phishing and scam can pose a significant threat to SMBs, as scammers try to mimic payment, loan and other services, as well as cloud service providers like Microsoft, in order to obtain confidential information or company funds. Often, the phishing pages where the employees land if they click a link in a scam e-mail are tailored to look like login pages to the target systems with the corresponding logo on the page. Below, we provide several examples of phishing pages that imitate various services in an attempt to get hold of the target company’s data and money.

  • An insurance company

    Scammers trying to hack the work account of an insurance company employee

    In the screenshot above, the scammers are trying to break into the insurance company account of a client’s employee.

  • A “personal” banking service

    These scammers disguise themselves as a financial institution. On the phishing page that claims to offer personal banking services, they ask users to log in with their corporate banking account credentials. If an employee enters their credentials, the scammers get access to their account.

  • A fake website pretending to be a legitimate delivery service

    Here, the cybercriminals imitate the website of a well-known delivery provider in order to fool businesses into giving away their corporate DHL accounts.

Scammers often reach employees by e-mail. Attackers use social engineering techniques to try to trick employees into following a phishing link, revealing the company’s confidential data or transferring money.

For example, in late 2022, scammers posing as top-level executives of a company sent out e-mails to their employees, instructing them to move money from a business account into another account urgently. Fake e-mails were thoroughly crafted, so that the employees would not question their authenticity.

Some spammers pretend to be representatives of financial organizations offering attractive deals to startup businesses. However, by applying for funding thus offered, an employee may give out sensitive data or even lose company money.

SMB employees and especially managers are often the target of spam campaigns touting collaborations and B2B services, such as SEO, advertising, recruitment assistance and lending. Small and little-known firms with questionable service quality typically promote themselves that way. Often they send their offer repeatedly, even if they never receive an answer.

Qbot Trojan using a conversation hijacking technique

Recently, Kaspersky researchers discovered a new campaign employing the “conversation hijacking” technique. The attackers gained access to the victim’s e-mail and replied to their conversations. Posing as one of the respondents in the e-mail chain, the fraudsters sent a message with a PDF attachment asking the victim to download it. The PDF contained a fake notification from Microsoft Office 365 or Microsoft Azure which unleashed the Qbot Trojan when downloaded. The attackers also sent messages containing a URL that was supposed to lead to an “important business document”.

Qbot (aka QakBot, QuackBot, and Pinkslipbot) has been around since 2007. This malware is classified as a banking Trojan as it enables hackers to mine their victims’ banking credentials. The malware can also collect cookies from victims’ browsers, access their correspondence, spy on their banking activities and record keystrokes. Finally, the Trojan can install other malware, such as ransomware.

Conclusion

As cybercriminals target SMBs with all types of threats — from malware disguised as business software to elaborate phishing and e-mail scams — businesses need to stay on high alert. This is critical, because a single cyberattack can lead to catastrophic financial and reputational losses for a company. To keep your business protected from cyberthreats, we recommend you do as follows:

  • Provide your staff with basic cybersecurity hygiene training. Conduct a simulated phishing attack to ensure that they know how to recognize phishing e-mails.
  • Use a security solution for endpoints, such as Kaspersky Endpoint Security for Business or Cloud-Based Endpoint Security, to minimize the chances of infection.
  • If you are a Microsoft 365 user, remember to protect that too. Kaspersky Security for Microsoft Office 365 includes dedicated apps that target spam and phishing, and protect SharePoint, Teams and OneDrive for secure business communications.
  • Set up a policy to control access to corporate assets, such as e-mail boxes, shared folders and online documents. Keep it up to date and remove access if the employee has left the company or no longer needs the data. Use cloud access security broker software that can help manage and monitor employees’ cloud activity and enforce security policies.
  • Make regular backups of essential data to ensure that corporate information stays safe in an emergency.
  • Provide clear guidelines on the use of external services and resources. Employees should know which tools they should or should not use and why. Any new work software should go through a clearly outlined approval process by IT and other responsible roles.
  • Encourage employees to create strong passwords for all digital services they use and to protect accounts with multi-factor authentication wherever applicable.
  • Use professional services to help you get the most out of your cybersecurity resources. The new Kaspersky Professional Services Packages for SMB provides access to Kaspersky’s expertise on assessment, deployment and configuration: all you need to do is add the package to the contract, and our experts will do the rest.
New ransomware trends in 2023
https://securelist.com/new-ransomware-trends-in-2023/109660/
Thu, 11 May 2023 08:00:13 +0000

Ransomware keeps making headlines. In a quest for profits, attackers target all types of organizations, from healthcare and educational institutions to service providers and industrial enterprises, affecting almost every aspect of our lives. In 2022, Kaspersky solutions detected over 74.2M attempted ransomware attacks which was 20% more than in 2021 (61.7M). Although early 2023 saw a slight decline in the number of ransomware attacks, they were more sophisticated and better targeted.

On the eve of the global Anti-Ransomware Day, Kaspersky looks back on the events that shaped the ransomware landscape in 2022, reviews the trends that were predicted last year, discusses emerging trends, and makes a forecast for the immediate future.

Looking back on last year’s report

Last year, we discussed three trends in detail:

  • Threat actors trying to develop cross-platform ransomware to be as adaptive as possible
  • The ransomware ecosystem evolving and becoming even more “industrialized”
  • Ransomware gangs taking sides in the geopolitical conflict

These trends have persisted. A few months after last year’s blog post came out, we stumbled across a new multi-platform ransomware family, which targeted both Linux and Windows. We named it RedAlert/N13V. The ransomware, which focused on non-Windows platforms, supported the halting of VMs in an ESXi environment, clearly indicating what the attackers were after.

Another ransomware family, LockBit, has apparently gone even further. Security researchers discovered an archive that contained test builds of the malware for a number of less common platforms, including macOS and FreeBSD, as well as for various non-standard processor architectures, such as MIPS and SPARC.

As for the second trend, we saw that BlackCat adjusted their TTPs midway through the year. They registered domains under names that looked like those of breached organizations, setting up Have I Been Pwned-like websites. Employees of the victim organizations could use these sites to check if their names had popped up in stolen data, thus increasing the pressure on the affected organization to pay the ransom.

Although the third trend we spotted last year was one of ransomware gangs taking sides in the geopolitical conflict, it does not apply to them exclusively. There was one peculiar sample: a stealer called Eternity. We created a private report about this after an article claimed that the malware was used in the geopolitical conflict. Our research showed that there was a whole malware ecosystem around Eternity, including a ransomware variant. After the article appeared, the author made sure that the malware did not affect users in Ukraine and included a pro-Ukrainian message inside the malware.

Screenshot: The developer warns against using their malware in Ukraine

Screenshot: Pro-Ukrainian message inside the malware code

What else shaped the ransomware landscape in 2022

Ransomware groups come and go, and it is little wonder that some of them ceased operations last year as others emerged.

For example, we reported on the emergence of RedAlert/N13V, Luna, Sugar, Monster, and others. However, the most active family that emerged in 2022 was BlackBasta. When we published our initial report on BlackBasta in April 2022, we were only aware of one victim, but the number has since sharply increased. Meanwhile, the malware itself evolved, adding an LDAP-based self-spreading mechanism. Later, we encountered a version of BlackBasta that targeted ESXi environments, and the most recent version that we found supported the x64 architecture.

As mentioned above, while all those new groups entered the game, some others, such as REvil and Conti, went dark. Conti was the most notorious of these and enjoyed the most attention since their archives were leaked online and analyzed by many security researchers.

Finally, other groups like Clop ramped up their activities over the course of last year, reaching their peak in early 2023 as they claimed to have hacked 130 organizations using a single zero-day vulnerability.

Interestingly, the top five most impactful and prolific ransomware groups (according to the number of victims listed on their data leak sites) have drastically changed over the last year. The now-defunct REvil and Conti, which were second and third, respectively, in terms of attacks in H1 2022, gave way to Vice Society and BlackCat in Q1 2023. The remaining ransomware groups that formed the top five in Q1 2023, were Clop and Royal.

Top five ransomware groups by the number of published victims

Rank  H1 2022               H2 2022               Q1 2023
1     LockBit         384   LockBit         368   LockBit         272
2     REvil           253   BlackBasta      176   Vice Society    164
3     Conti           173   BlackCat        113   BlackCat         85
4     BlackCat        100   Royal            74   Clop             84
5     Vice Society     54   BianLian         72   Royal            65
      Other           384   Other           539   Other           212

Ransomware from an incident response perspective

Kaspersky’s Global Emergency Response Team (GERT) worked on many ransomware incidents last year. In fact, this was the number-one challenge they faced, although the share of ransomware in 2022 decreased slightly from 2021, going from 51.9% to 39.8%.

In terms of initial access, nearly half of the cases GERT investigated (42.9%) involved exploitation of vulnerabilities in public-facing devices and apps, such as unpatched routers, vulnerable versions of the Log4j logging utility, and so on. The second-largest category of cases consisted of compromised accounts and malicious emails.

The most popular tools employed by ransomware groups remain unchanged from year to year. Attackers have used PowerShell to collect data, Mimikatz to escalate privileges, PsExec to execute commands remotely, or frameworks like Cobalt Strike for all attack stages.

As we looked back on the events of 2022 and early 2023, and analyzed the various ransomware families, we tried to figure out what the next big thing in this field might be. These observations produced three potential trends that we believe will shape the threat landscape for the rest of 2023.

Trend 1: More embedded functionality

We saw several ransomware groups extend the functionality of their malware during 2022. Self-spreading, real or fake, was the most noteworthy new addition. As mentioned above, BlackBasta started spreading itself by using the LDAP library to get a list of available machines on the network.

LockBit added a so-called “self-spreading” feature in 2022, saving its operators the effort needed to run tools like PsExec manually. At least, that is what “self-spreading” would normally suggest. In practice, this turned out to be nothing more than a credential-dumping feature, removed in later versions.

The Play ransomware, for one, does have a self-spreading mechanism. It collects different IPs that have SMB enabled, establishes a connection to these, mounts the SMB resources, then copies itself and runs on the target machines.

Self-propagation has been adopted by many notorious ransomware groups lately, which suggests that the trend will continue.
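The self-spreading mechanisms described in this section (BlackBasta enumerating hosts via LDAP, Play copying itself over SMB and executing on each target) leave a recognizable footprint: one source host writing an executable to the administrative shares of many peers within a short time. The following is an added detection example, not code from the original report or from Kaspersky; the log format is a simplified, constructed share-access record, and the thresholds (five-minute window, three distinct targets) are assumptions that a SOC would tune to its own environment.

```python
"""Heuristic detection of SMB-based ransomware self-propagation.

Added example (constructed log format, not any vendor's output): flag a source
host that writes executables to the admin shares of several distinct hosts
within a short window, which is the pattern of a worm-like lateral copy.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"C$", "ADMIN$"}              # shares used for lateral file drops
EXEC_SUFFIXES = (".exe", ".dll", ".bat", ".ps1")
WINDOW = timedelta(minutes=5)                # assumed detection window
MIN_TARGETS = 3                              # assumed alert threshold

# Constructed sample log, one record per line:
# "<ISO timestamp> <source ip> <target host> <share> <path> <action>"
SAMPLE_LOG = r"""
2023-05-02T10:00:01 10.0.0.5 FS01 ADMIN$ \svc_upd.exe WRITE
2023-05-02T10:00:07 10.0.0.5 FS02 ADMIN$ \svc_upd.exe WRITE
2023-05-02T10:00:12 10.0.0.5 HR-PC3 C$ \Windows\svc_upd.exe WRITE
2023-05-02T10:00:20 10.0.0.5 DB01 C$ \Windows\svc_upd.exe WRITE
2023-05-02T10:03:00 10.0.0.9 FS01 Finance \Q2\budget.xlsx READ
2023-05-02T10:30:00 10.0.0.9 FS01 ADMIN$ \tools\agent.exe WRITE
2023-05-02T11:15:00 10.0.0.9 FS02 ADMIN$ \tools\agent.exe WRITE
"""


def parse_line(line):
    """Split one constructed record into a dict; timestamps become datetimes."""
    ts, src, target, share, path, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "target": target,
            "share": share, "path": path, "action": action}


def is_exec_drop(rec):
    """True when an executable-looking file is written to an admin share."""
    return (rec["action"] == "WRITE"
            and rec["share"] in ADMIN_SHARES
            and rec["path"].lower().endswith(EXEC_SUFFIXES))


def find_spreaders(log_text, window=WINDOW, min_targets=MIN_TARGETS):
    """Return {source_ip: sorted distinct targets} for every source that dropped
    executables onto admin shares of at least `min_targets` distinct hosts
    within any `window`-long span of time."""
    drops = defaultdict(list)  # source ip -> [(timestamp, target host)]
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if is_exec_drop(rec):
                drops[rec["src"]].append((rec["ts"], rec["target"]))

    alerts = {}
    for src, events in drops.items():
        events.sort()
        flagged = set()
        left = 0
        # Sliding window over the time-ordered drop events of this source.
        for right in range(len(events)):
            while events[right][0] - events[left][0] > window:
                left += 1
            targets = {t for _, t in events[left:right + 1]}
            if len(targets) >= min_targets:
                flagged |= targets
        if flagged:
            alerts[src] = sorted(flagged)
    return alerts


if __name__ == "__main__":
    for src, targets in find_spreaders(SAMPLE_LOG).items():
        print(f"ALERT: {src} wrote executables to admin shares on {len(targets)} hosts: {targets}")
```

On the constructed sample, 10.0.0.5 is flagged because it drops the same binary on four hosts within twenty seconds, while 10.0.0.9 is not: its two admin-share writes are 45 minutes apart and touch only two hosts, which is consistent with an administrator pushing a tool by hand. Real deployments would feed this from Windows share-access auditing or a file server’s SMB logs and would whitelist known deployment servers.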

Trend 2: Driver abuse

Abusing a vulnerable driver for malicious purposes may be an old trick in the book, but it still works well, especially on antivirus (AV) drivers. The Avast Anti Rootkit kernel driver contained certain vulnerabilities that were previously exploited by AvosLocker. In May 2022, SentinelLabs described in detail two new vulnerabilities (CVE-2022-26522 and CVE-2022-26523) in the driver. These were later exploited by the AvosLocker and Cuba ransomware families.

AV drivers are not the only ones to be abused by malicious actors. Our colleagues at TrendMicro reported on a ransomware actor abusing the Genshin Impact anti-cheat driver by using it to kill endpoint protection on the target machine.

The trend of driver abuse continues to evolve. The latest case reported by Kaspersky is rather odd as it does not fit either of the previous two categories. Legitimate code-signing certificates, such as Nvidia’s leaked certificate and Kuwait Telecommunication Company’s certificate were used to sign a malicious driver which was then used in wiper attacks against Albanian organizations. The wiper used the rawdisk driver to get direct access to the hard drive.

We continue to follow ransomware gangs to see what new ways of abusing drivers they come up with, and we will be sharing our findings both publicly and on our TIP page.

Trend 3: Code adoption from other families to attract even more affiliates

Major ransomware gangs are borrowing capabilities from either leaked code or code purchased from other cybercriminals, which may improve the functionality of their own malware.

We recently saw the LockBit group adopt at least 25% of the leaked Conti code and issue a new version based entirely on that. Initiatives like these enable affiliates to work with familiar code, while the malware operators get an opportunity to boost their offensive capabilities.

Collaboration among ransomware gangs has also resulted in more advanced attacks. Groups are working together to develop cutting-edge strategies for circumventing security measures and improving their attacks.

The trend has given rise to ransomware businesses that build high-quality hack tools and sell them to other ransomware businesses on the black market.

Conclusion

Ransomware has been around for many years, evolving into a cybercriminal industry of sorts. Threat actors have experimented with new attack tactics and procedures, and their most effective approaches live on, while failed experiments have been forgotten. Ransomware can now be considered a mature industry, and we expect no groundbreaking discoveries or game-changers any time soon.

Ransomware groups will continue maximizing the attack surface by supporting more platforms. While attacks on ESXi and Linux servers are now commonplace, top ransomware groups are striving to target more platforms that might contain mission-critical data. A good illustration of this trend is the recent discovery of an archive with test builds of LockBit ransomware for macOS, FreeBSD, and unconventional CPU architectures, such as MIPS, SPARC, and so on.

In addition to that, TTPs that attackers use in their operations will continue to evolve — the driver abuse technique, which we discussed above, is a good example of this. To effectively counter ransomware actors’ ever-changing tactics, we recommend that organizations and security specialists:

  • Update their software in a timely manner to prevent infection through vulnerability exploitation, one of the initial infection vectors most frequently used by ransomware actors.
  • Use security solutions that are tailored to protecting their infrastructure from various threats, including anti-ransomware tools, targeted attack protection, EDR, and so on.
  • Keep their SOC or information security teams’ knowledge about ransomware tactics and techniques up to date by using the Threat Intelligence service, a comprehensive source of crucial information about new tricks that cybercriminals come up with.
The state of stalkerware in 2022
https://securelist.com/the-state-of-stalkerware-in-2022/108985/
Wed, 08 Mar 2023 10:00:44 +0000

 The state of stalkerware in 2022 (PDF)

Main findings of 2022

The State of Stalkerware is an annual report by Kaspersky which contributes to a better understanding of how many people in the world are affected by digital stalking. Stalkerware is commercially available software that can be discreetly installed on smartphone devices, enabling perpetrators to monitor an individual’s private life without their knowledge.

Stalkerware can be downloaded and easily installed by anyone with an Internet connection and physical access to a smartphone. A perpetrator violates the victim’s privacy as they can then use the software to monitor huge volumes of personal data. Depending on the type of software, it is usually possible to check device location, text messages, social media chats, photos, browser history and more. Stalkerware works in the background, meaning that most victims will be unaware that their every step and action is being monitored.

In most countries around the world, the use of stalkerware software is currently not prohibited but installing such an application on another individual’s smartphone without their consent is illegal and punishable. However, it is the perpetrator who will be held responsible, not the developer of the application.

Along with other related technologies, stalkerware is part of tech-enabled abuse and often used in abusive relationships. As this is part of a wider problem, Kaspersky is working with relevant experts and organizations in the field of domestic violence, ranging from victim support services and perpetrator programs through to research and government agencies, to share knowledge and support professionals and victims alike.

2022 data highlights

  • In 2022, Kaspersky data shows that 29,312 unique individuals around the world were affected by stalkerware. In contrast to the downward trend recorded in previous years, this figure is similar to the total number of affected users in 2021. Taking into account the developments in digital stalking software over the past few years, the data suggests there is a trend towards stabilization. More broadly, it is important to note that the data covers the affected number of Kaspersky users, with the global number of affected individuals likely to be much higher. Some affected users may use another cybersecurity solution on their devices, while some do not use any solution at all.
  • In addition, the data reveals a stable proliferation of stalkerware over the 12 months of 2022. On average, 3333 users each month were newly affected by stalkerware. The stable detection rate indicates that digital stalking has become a persistent problem that warrants wider societal attention. Members from the Coalition Against Stalkerware estimate that there could be close to one million victims globally affected by stalkerware every year.
  • According to the Kaspersky Security Network, stalkerware is most commonly used in Russia, Brazil, and India, but continues to be a global phenomenon affecting all countries. Regionally, the data reveals that the largest number of affected users can be found in the following countries:
    • Germany, Italy, and France (Europe);
    • Iran, Turkey, and Saudi Arabia (Middle East and Africa);
    • India, Indonesia, and Australia (Asia-Pacific);
    • Brazil, Mexico, and Ecuador (Latin America);
    • United States (North America);
    • Russian Federation, Kazakhstan and Belarus (Eastern Europe (except European Union countries), Russia and Central Asia).
  • Globally, the most commonly used stalkerware app is Reptilicus with 4,065 affected users.

Methodology

The data in this report has been taken from aggregated threat statistics obtained from the Kaspersky Security Network. The Kaspersky Security Network is dedicated to processing cybersecurity-related data streams from millions of volunteer participants around the world. All received data is anonymized. To calculate the statistics, the consumer line of Kaspersky’s mobile security solutions has been reviewed according to the Coalition Against Stalkerware’s detection criteria on stalkerware. This means that the affected number of users have been targeted by stalkerware only. Other types of monitoring or spyware apps that fall outside of the Coalition’s definition are not included in the report statistics.

The statistics reflect unique mobile users affected by stalkerware, which is different from the total number of detections. The number of detections can be higher as stalkerware may have been detected several times on the same device of the same unique user if they decided not to remove the app upon receiving a notification.

Finally, the statistics reflect only mobile users using Kaspersky’s IT security solutions. Some users may use another cybersecurity solution on their devices, while some do not use any solution at all.

Global detection figures: affected users

This section compares the global and regional statistics collected by Kaspersky in 2022 with statistics from previous years. In 2022, a total number of 29,312 unique users were affected by stalkerware. Graphic 1, below, shows how this number has varied from year to year since 2018.

Graphic 1 – Evolution of affected users year-on-year since 2018

Graphic 2, below, shows the number of unique affected users per month from 2021 to 2022. In 2022, the situation is almost identical to 2021, indicating that the rate of stalkerware proliferation has stabilized. On average, 3333 users were newly affected by stalkerware every month.

Graphic 2 – Unique affected users per month over the 2021-2022 period

Global and regional detection figures: geography of affected users

Stalkerware continues to be a global problem. In 2022, Kaspersky detected affected users in 176 countries.


Countries most affected by stalkerware in 2022

In 2022, Russia (8,281), Brazil (4,969), and India (1,807) were the top 3 countries with the most affected users. Those three countries remain in leading positions according to Kaspersky statistics since 2019. Compared to previous years, it is noteworthy that the number of affected users in the U.S. has dropped down the ranking and now features in fifth place with 1,295 affected users. Conversely, there has been an increase noted in Iran which has moved up to fourth place with 1,754 affected users.

Compared to 2021, however, only Iran features as a new entrant in the top 5 most affected countries. The other four countries – Russia, Brazil, India, and the U.S. – have traditionally featured at the top of the list. Looking at the other half of the top 10 most affected countries, Turkey, Germany, and Mexico have remained among the countries most affected compared to last year. New entrants into the top 10 most affected countries in 2022 are Saudi Arabia and Yemen.

Rank  Country                     Affected users
1     Russian Federation                   8,281
2     Brazil                               4,969
3     India                                1,807
4     Iran                                 1,754
5     United States of America             1,295
6     Turkey                                 755
7     Germany                                736
8     Saudi Arabia                           612
9     Yemen                                  527
10    Mexico                                 474

Table 1 – Top 10 countries most affected by stalkerware in the world in 2022

In Europe, the total number of unique affected users in 2022 was 3,158. The three most affected countries in Europe were Germany (737), Italy (405) and France (365). Compared to 2021, all countries up to and including seventh place in the list (the Netherlands) continue to feature as the most affected countries in Europe. New entrants in the list are Switzerland, Austria, and Greece.

Rank  Country                     Affected users
1     Germany                                736
2     Italy                                  405
3     France                                 365
4     United Kingdom                         313
5     Spain                                  296
6     Poland                                 220
7     Netherlands                            154
8     Switzerland                            123
9     Austria                                 71
10    Greece                                  70

Table 2 – Top 10 countries most affected by stalkerware in Europe in 2022

In Eastern Europe (excluding European Union countries), Russia, and Central Asia, the total number of unique affected users in 2022 was 9,406. The top three countries were Russia, Kazakhstan, and Belarus.

Rank  Country                     Affected users
1     Russian Federation                   8,281
2     Kazakhstan                             296
3     Belarus                                267
4     Ukraine                                258
5     Azerbaijan                             130
6     Uzbekistan                              76
7     Moldova                                 34
8     Tajikistan                              32
9     Kyrgyzstan                              31
10    Armenia                                 27

Table 3 – Top 10 countries most affected by stalkerware in Eastern Europe (excluding EU countries), Russia and Central Asia in 2022

In the Middle East and Africa region, the total number of affected users was 6,330, slightly higher than in 2021. While Iran with 1,754 affected users features at the top of this list in 2022, Turkey’s 755 affected users has seen the country move up to second in the region, followed closely by Saudi Arabia with 612 affected users.

Rank  Country                     Affected users
1     Iran                        1,754
2     Turkey                        755
3     Saudi Arabia                  612
4     Yemen                         527
5     Egypt                         469
6     Algeria                       407
7     Morocco                       168
8     United Arab Emirates          155
9     South Africa                  145
10    Kenya                         123

Table 4 – Top 10 countries most affected by stalkerware in Middle East & Africa in 2022

In the Asia-Pacific region, the total number of affected users was 3,187. India remains far ahead of the other countries in the region, with 1,807 affected users. Indonesia occupies second place with 269 affected users, while Australia is third with 190 affected users.

Rank  Country                     Affected users
1     India                       1,807
2     Indonesia                     269
3     Australia                     190
4     Philippines                   134
5     Malaysia                      129
6     Vietnam                       109
7     Bangladesh                    105
8     Japan                          95
9     Thailand                       52
10    Pakistan                       48

Table 5 – Top 10 countries most affected by stalkerware in Asia-Pacific region in 2022

The Latin America and the Caribbean region is dominated by Brazil with 4,969 affected users. This accounts for approximately 32% of the region’s total number of affected users. Brazil is followed by Mexico and Ecuador in the list, while Colombia has moved into fourth place. A total number of 6,170 affected users were recorded in the region.

Rank  Country                     Affected users
1     Brazil                      4,969
2     Mexico                        474
3     Ecuador                       146
4     Colombia                      120
5     Peru                          111
6     Argentina                      85
7     Chile                          49
8     Bolivia                        32
9     Venezuela                      30
10    Dominican Republic             24

Table 6 – Top 10 countries most affected by stalkerware in Latin America in 2022

Finally, in North America, 87% of all affected users in the region are found in the United States. This is to be expected given the relative size of the population in the United States compared to Canada. Across the North America region, 1,585 users were affected in total.

Rank  Country                     Affected users
1     United States of America    1,295
2     Canada                        299

Table 7 – Number of users affected by stalkerware in North America in 2022

Global detection figures – stalkerware applications

This section lists the stalkerware applications most commonly used to control smartphones around the world. In 2022, the most popular app was Reptilicus (4,065 affected users). This year, Kaspersky detected 182 different stalkerware apps.

Rank  Application name            Affected users
1     Reptilicus (aka Vkurse)     4,065
2     Cerberus                    2,407
3     KeyLog                      1,721
4     MobileTracker               1,633
5     wSpy                        1,342
6     SpyPhone                    1,211
7     Anlost                      1,189
8     Track My Phones             1,137
9     MonitorMinor                  864
10    Hovermon                      827

Table 8 – Top 10 list of stalkerware applications in 2022

Stalkerware provides a means to gain control over a victim’s life. Its capabilities vary depending on the type of application and whether it has been paid for or obtained for free. Typically, stalkerware masquerades as a legitimate anti-theft or parental control app, when in reality it is very different – most notably because it is installed without the consent or knowledge of the person being tracked, and because it operates in stealth mode on the smartphone.

Below are some of the most common functions that may be present in stalkerware applications:

  • Hiding app icon
  • Reading SMS, MMS and call logs
  • Getting lists of contacts
  • Tracking GPS location
  • Tracking calendar events
  • Reading messages from popular messenger services and social networks, such as Facebook, WhatsApp, Signal, Telegram, Viber, Instagram, Skype, Hangouts, Line, Kik, WeChat, Tinder, IMO, Gmail, Tango, SnapChat, Hike, TikTok, Kwai, Badoo, BBM, TextMe, Tumblr, Weico, Reddit etc.
  • Viewing photos and pictures from phones’ image galleries
  • Taking screenshots
  • Taking front (selfie-mode) camera photos

Are Android OS and iOS devices equally affected by stalkerware?

Stalkerware tools are less frequent on iPhones than on Android devices because iOS is traditionally a closed system. However, perpetrators can work around this limitation on ‘jailbroken’ iPhones, but they still require direct physical access to the phone to jailbreak it. iPhone users fearing surveillance should always keep an eye on their device.

Alternatively, an abuser can offer their victim an iPhone – or any other device – with pre-installed stalkerware. There are many companies that make these services available online, allowing abusers to have these tools installed on new phones, which can then be delivered in factory packaging under the guise of a gift to the intended victim.

Together keeping up the fight against stalkerware

Stalkerware is foremost not a technical problem, but an expression of a problem within society, which therefore requires action from all areas of society. Kaspersky is not only actively committed to protecting users from this threat but also to maintaining a multilevel dialogue with non-profit organizations, industry, research and public agencies around the world, working together on solutions that tackle the issue.

In 2019, Kaspersky was the first cybersecurity company in the industry to develop a new attention-grabbing alert that clearly notifies users if stalkerware is found on their device. While Kaspersky’s solutions have been flagging potentially harmful apps that are not malware – including stalkerware – for many years, the new notification alerts the user to the fact that an app has been found on their device that may be able to spy on them.

In 2022, as part of Kaspersky’s launch of a new consumer product portfolio, the Privacy Alert was expanded and now not only informs the user about the presence of stalkerware on the device, but also warns the user that if stalkerware is removed the person who installed the app will be alerted. This may lead to an escalation of the situation. Moreover, the user risks erasing important data or evidence that could be used in a prosecution.

In 2019, Kaspersky also co-founded the Coalition Against Stalkerware, an international working group against stalkerware and domestic violence that brings together private IT companies, NGOs, research institutions, and law enforcement agencies working to combat cyberstalking and help victims of online abuse. Through a consortium of more than 40 organizations, stakeholders can share expertise and work together to solve the problem of online violence. In addition, the Coalition’s website, which is available in 7 different languages, provides victims with help and guidance in case they may suspect stalkerware is present on their devices.

From 2021-2023, Kaspersky was a consortium partner of the EU project DeStalk, co-funded by the Rights, Equality, and Citizenship Program of the European Union. The five project partners that formed the consortium combined the expertise of the IT Security Community, Research, and Civil Society Organizations, and Public Authorities. As a result, the DeStalk project trained a total of 375 professionals directly working in women’s support services and perpetrator programs, and officials from public authorities on how to effectively tackle stalkerware and other digital forms of gender-based violence, as well as raising public awareness on digital violence and stalkerware.

As part of the project, Kaspersky developed an e-learning course on cyberviolence and stalkerware within its Kaspersky Automated Security Awareness Platform, a freely available online micro learning training platform which can be accessed in five different languages. To date, more than 130 professionals have completed the e-learning course with a further 80 currently participating. Although the DeStalk project has ended, the e-learning course is still available on the DeStalk project website.

In June 2022, Kaspersky launched a website dedicated to TinyCheck to disseminate further information about the tool. TinyCheck is a free, safe and open-source tool that can be used by non-profit organizations and police units to help support victims of digital stalking. The tool was created in 2020 to check devices for stalkerware and monitoring apps without making the perpetrator aware of the check. It does not require installation on the user’s device: it runs on separate hardware, which is what keeps the check invisible to a stalker. TinyCheck scans a device’s outgoing traffic over a regular Wi-Fi connection and identifies interactions with known sources such as stalkerware-related servers. Because it inspects network traffic rather than the device itself, TinyCheck can be used to check any device on any platform, including iOS, Android, or any other OS.

Think you are a victim of stalkerware? Here are a few tips…

Whether or not you are a victim of stalkerware, here are a few tips to better protect yourself:

  • Protect your phone with a strong password that you never share with your partner, friends, or colleagues.
  • Change passwords for all of your accounts periodically and don’t share them with anyone.
  • Only download apps from official sources, such as Google Play or the Apple App Store.
  • Install a reliable IT security solution like Kaspersky for Android on devices and scan them regularly. However, in the case of potentially already installed stalkerware, this should only be done after the risk to the victim has been assessed, as the abuser may notice the use of a cybersecurity solution.

Victims of stalkerware may be victims of a larger cycle of abuse, including physical.

In some cases, the perpetrator is notified if their victim performs a device scan or removes a stalkerware app. If this happens, it can lead to an escalation of the situation and further aggression. This is why it is important to proceed with caution if you think you are being targeted by stalkerware.

  • Reach out to a local support organization: to find one close to you, check the Coalition Against Stalkerware website.
  • Keep an eye out for the following warning signs: these can include a fast-draining battery due to unknown or suspicious apps using up its charge, and newly installed applications with suspicious permissions to use and track your location, send or receive text messages, and access other personal activities. Also check whether your “unknown sources” setting is enabled: it may be a sign that unwanted software has been installed from a third-party source. However, the above indicators are circumstantial and do not by themselves prove the presence of stalkerware on the device.
  • Do not try to erase the stalkerware, change any settings or tamper with your phone: this may alert your potential perpetrator and lead to an escalation of the situation. You also risk erasing important data or evidence that could be used in a prosecution.

For more information about our activities on stalkerware or any other request, please write to us at: ExtR@kaspersky.com.

Web beacons on websites and in e-mail https://securelist.com/web-beacons-on-websites-and-in-email/108632/ https://securelist.com/web-beacons-on-websites-and-in-email/108632/#respond Tue, 07 Feb 2023 08:00:09 +0000 https://kasperskycontenthub.com/securelist/?p=108632

There is a vast number of trackers, which gather information about users’ activities online. For all intents and purposes, we have grown accustomed to online service providers, marketing agencies, and analytical companies tracking our every mouse click, our social posts, browser and streaming services history. The collected data can be used for improving their user interfaces or the overall user experience, or to personalize ads.

There exist various types of trackers meant for collecting different types of information: advertising (AdAgency) trackers, analytics (WebAnalytics) trackers, and so on. Most of these are largely used on websites and inside applications. There are more versatile trackers too, used on websites, inside applications, and even in e-mail. This article describes one of these tracker types: web beacons. We demonstrate what tracking systems’ and companies’ web beacons our security products (anti-tracking browser extensions and antispam technology) detect most often.

What web beacons are

Web beacons, or web bugs, also known as tracker pixels or spy pixels, among other names, are tracking elements used on web pages, inside applications and in e-mail for checking that the user has accessed certain content (opened an e-mail or visited a web page). Their main purpose is to collect statistics and build analytical reports on the user’s activities.

Web beacons on websites track visitors. Analytical marketing agencies or website owners themselves can use these to measure how well certain content or promotional campaigns performed, or how their audiences responded. Some websites use tracker pixels as watermarks for their content, for example, to track down illegal copies.

The main purpose of web beacons in e-mail, just as those on websites, is to count users who interact with the content. For example, tracker pixels can be used to make a report on e-mail open rates. These help companies to find out which e-mail campaigns their users find interesting and which they do not. For example, if an e-mail campaign sees declining open rates, the company may choose to either replace the subject with something more eye-catching or clickbaity, or on the contrary, make it more matter-of-fact and informative.

How web beacons work

A beacon on a web page is typically an image that loads from an external source. The size is usually one or even zero pixels, so invisible to the human eye. Hence the name: “spy pixel”. Additionally, the CSS display property can be set to “none” (do not display) to hide the image. Less common are JavaScript beacon implementations, such as Beacon API: an interface that allows sending requests to a server without expecting a response.

Example of web beacon location in the HTML code of a website


E-mail web beacons are implemented in a similar way: invisible images are placed within the e-mail body, or JavaScript code is added in an HTML attachment.

Example of web beacon location in the HTML part of an e-mail


When the web page or e-mail is opened, a request is sent to the web beacon server. If the web beacon is an image the request is to upload this image. Otherwise it is a request specified in the JavaScript code, usually one that doesn’t require a response. The following information is typically communicated to the server:

  • Date and time of opening the web page or e-mail
  • Operating system version
  • Browser or e-mail client type and version
  • Screen resolution
  • IP address

Example of user data transmission
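The beacon structure described above (a tiny or CSS-hidden image, loaded from an external server, with identifiers in its URL) and the "do not load images automatically" defense from the article's conclusion, as an added example that is not part of the original article. The tracker and CDN host names in the sample HTML are constructed for illustration.

```python
"""Added example (not part of the Securelist article): flag likely web beacons
in the HTML of a web page or e-mail, and neutralize remote images so that
opening the message fetches nothing until the user opts in.
The tracker and CDN host names below are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body: one 1x1 hidden tracking pixel carrying a
# per-recipient query string, one ordinary banner, one inline (cid:) logo.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Hello, thanks for subscribing!</p>
<img src="https://tracker.example-esp.invalid/open?cid=12345&amp;uid=abc"
     width="1" height="1" style="display:none" alt="">
<img src="https://cdn.example-shop.invalid/banner.png" width="600" height="200" alt="Banner">
<img src="cid:logo" width="120" height="40" alt="Logo">
</body></html>"""

# display:none is the trick the article names; the other two are common equivalents.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)


def _px(value):
    """Parse '1', '1px' or '0' to an int; None when the attribute is missing or not numeric."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class BeaconFinder(HTMLParser):
    """Collect every <img> together with the indicators that make it look like a beacon."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parts = urlsplit(src)
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1-or-smaller")      # the "spy pixel" size
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden-by-css")       # display:none and friends
        if parts.query:
            reasons.append("tracking-query")      # per-recipient identifiers in the URL
        self.images.append({
            "src": src,
            "host": parts.hostname or "",
            "remote": parts.scheme in ("http", "https"),
            "reasons": reasons,
        })


def find_beacons(html):
    """Return remote images that are invisible (tiny or CSS-hidden): the request
    they trigger is what tells the beacon server that the content was opened."""
    parser = BeaconFinder()
    parser.feed(html)
    parser.close()
    return [img for img in parser.images
            if img["remote"] and ("1x1-or-smaller" in img["reasons"]
                                  or "hidden-by-css" in img["reasons"])]


_REMOTE_IMG_SRC = re.compile(r"""(<img\b[^>]*?\s)src=(["'])(https?://[^"']*)\2""", re.I)


def block_remote_images(html):
    """Rename every remote <img src> to data-blocked-src so that rendering the
    message fetches nothing; a client can restore it once the user opts in."""
    return _REMOTE_IMG_SRC.sub(r"\g<1>data-blocked-src=\g<2>\g<3>\g<2>", html)


if __name__ == "__main__":
    for img in find_beacons(SAMPLE_EMAIL_HTML):
        print(f"beacon -> {img['host']} ({', '.join(img['reasons'])})")
    print("after blocking:", find_beacons(block_remote_images(SAMPLE_EMAIL_HTML)))
```

The inline `cid:` logo is left alone by `block_remote_images`, since it is embedded in the message and triggers no request to an external server.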


The most common website and e-mail beacons

We have analyzed the web beacons detected by our systems in December 2022, and ranked twenty companies whose beacons interacted with our users while browsing websites or opening e-mail messages most often.

Twenty most common beacons on websites

This section uses anonymous statistics collected from December 1 through 31, 2022 by the Do Not Track (DNT) component, which blocks loading of website trackers. DNT, which is disabled by default, is part of Kaspersky Internet Security, Kaspersky Total Security, and Kaspersky Security Cloud. The statistics consist of anonymized data shared by users with their consent. We have compiled a list of twenty companies whose content DNT detected around the world the most frequently. One hundred percent represents the total number of DNT detections triggered by these twenty systems.

Most of the twenty companies according to DNT have at least some connection to digital advertising and marketing. For example, Aniview, in sixth place with 2.68%, specializes in video advertising. OpenX (2.19%), Taboola (1.63%), Smart AdServer (1.55%), and many others are advertising or marketing agencies.

Even tech giants such as Google (32.53%), Microsoft (21.81%), Amazon (13.15%) and Oracle (2.86%), which lead our rankings, operate marketing and advertising subsidiaries, and product enhancement is far from the only reason they use web beacons.

Twenty most common website beacons in December 2022 (download)

Twenty most common beacons in e-mail

This section presents anonymized Anti-Spam detection data from Kaspersky users’ devices. The Anti-Spam component is part of Kaspersky Security for Linux Mail Server, Kaspersky Security for Microsoft Exchange Server, Kaspersky Secure Mail Gateway, and Kaspersky Security for Microsoft Office 365.

Unlike the website beacons rankings, the list of the most common e-mail beacons is not dominated by the big tech: Adobe Analytics (4.49%) is eighth, and Google (3.86%) and Microsoft (3.18%) have even humbler shares. The fact that there is a fairly large number of companies specializing in e-mail marketing could explain that. These companies can be broken down into two categories:

  • Email service providers (ESP): companies that manage and maintain e-mail campaigns for their clients.
  • Customer relationship management (CRM): companies that specialize in building platforms for managing every type of customer communications at various stages in the sales process.

The tech giants own major advertising networks that are used by most websites, and hence their trackers dominate these websites, whereas ESP and CRM companies manage most e-mail campaigns, and so their trackers dominate e-mail. ESP and CRM beacons collect user data to track their responses to e-mail campaigns: the percentage of users who open the messages, how the open rate changes from region to region, and so on. Most of the beacons we detected in e-mail traffic were by Mailchimp (21.74%) and SendGrid (19.88%), two major American e-mail marketing players.

Besides ESP and CRM, our e-mail beacon rankings included the large Japanese online retailer Rakuten (5.97%), the business networking website LinkedIn (4.77%), the ride-hailing platform Uber (1.49%), and Booking.com (0.56%), a major accommodation booking service. These companies share their reasons for using web beacons with the ESP and CRM players: to evaluate e-mail campaign impact and collect aggregate user statistics.

Twenty most common web beacons in e-mail, December 2022 (download)

Conclusion

Companies strive to collect as much data on their users as they can, to add as much detail to each user profile as possible, so that they can personalize their offerings, and sell their goods and services more efficiently. Various tracking systems enable companies to track users on websites, inside applications, and in e-mail.

Rather than outsourcing these services, many large companies are able to set up advertising subsidiaries of their own, selling the same services as advertising specialists do. They often merge their information about users obtained from diverse sources to enrich and extend each user profile that they already have. Meanwhile, others use the services of the Internet giants, marketing agencies, ESP and CRM companies, helping these to amass even more data.

A user would find it very difficult, if not impossible, to track down where their data ends up. What’s more, you may not even notice that data is being collected. Beacons on websites and in e-mail are invisible to the user, and the companies that place them give no warning, unlike with cookies. The beacons, meanwhile, allow those companies to find out how many times users visited the website, where they came from, and who opened the e-mail, when and where. By gathering all that information on a regular basis, one can get an idea of not just the user’s reaction to specific e-mail messages or landing pages, but also the user’s habits, such as when they typically get online.

If cybercriminals were to obtain that information, for example, as a result of a leak, they could use it for their own purposes. In particular, they could try hacking your online accounts or send fake e-mail in your name if they found out your usual offline hours. Moreover, attackers use the web beacon technology too. It is worth adopting at least minimal anti-tracking measures to protect yourself from unwanted attention by companies, let alone cybercrooks. You can install a special browser extension that prevents loading of trackers on web pages and configure your browser for increased privacy. Many VPN services offer tracker blocking as an added feature. When it comes to e-mail, you can prevent images from loading automatically. Even if you do open an e-mail that contains a spy pixel, it will not be functional, as any images — a web beacon is an image too — will not load unless you explicitly permit it. As for more advanced JavaScript beacons, these are located in the attachment and only load once you open that.

Main phishing and scamming trends and techniques https://securelist.com/phishing-scam-techniques-tricks/108247/ https://securelist.com/phishing-scam-techniques-tricks/108247/#respond Tue, 06 Dec 2022 10:00:01 +0000 https://kasperskycontenthub.com/securelist/?p=108247

There are two main types of online fraud aimed at stealing user data and money: phishing and scams. Phishers primarily seek to extract confidential information from victims, such as credentials or bank card details, while scammers deploy social engineering to persuade targets to transfer money on their own accord.

The history of scams and phishing

The term “phishing” was coined back in 1996, when cybercriminals attacked users of America Online (AOL), the largest internet provider at that time. Posing as AOL employees, the scammers sent messages asking users to verify their accounts or asking for payment details. This method of phishing for personal data is still in use today, because, unfortunately, it continues to yield results.

Also in the 1990s, the first online scams appeared. When banks began to roll out internet banking, scammers sent text messages to users supposedly from relatives with an urgent request to transfer money to the details given in the message.

By the early 2000s, charity had become a common scam topic: for example, after the massive Indian Ocean earthquake and tsunami of 2004, users received messages from fake charities pleading for donations. At around the same time, phishers started targeting online payment systems and internet banks. Since user accounts in those days were protected only by a password, it was enough for attackers to phish out this information to gain access to victims’ money. To do this, they sent e-mails in the name of companies such as PayPal, asking users to go to a fake site displaying the corporate logo and enter their credentials. To make their sites look more credible, cybercriminals registered multiple domains all very similar to the original, differing by just two or three letters. An inattentive user could easily mistake a fake for a genuine bank or payment system website. In addition, scammers often used personal information from victims’ own social media pages to make their attacks more targeted, and thus more successful.

As time progressed, online fraud became ever more sophisticated and persuasive. Cybercriminals learned how to successfully mimic the official websites of brands, making them almost indistinguishable from the original, and to find new ways to approach victims. There appeared services specializing in creating fake content, at which point phishing really took off. Now not only the personal data and finances of ordinary users were in the firing line, but politicians and big business as well.

This report examines the main phishing trends, methods, and techniques that are live in 2022.

Phishing and scams: current types of fraud

Phishing:

Phishers can target credentials in absolutely any online service: banks, social networks, government portals, online stores, mail services, delivery companies, etc. But it is customers of top brands that are most often at risk, because people use and trust them more than smaller brands, increasing the likelihood of a successful attack.

To extract the coveted information, cybercriminals try to persuade victims that they are logging in on the real website of the respective company or service, or that they are sharing their credentials with a company employee. Often, fake sites look no different from the original, and even an experienced user might be fooled. Phishers skillfully copy the layout and design of official sites, adding extra details to their pages, such as live chat support (usually inactive), and linking to real services to inspire confidence.

Phishing site with chat support

Recently, alongside online phishing, vishing (voice phishing) has been on the rise. Scammers either call victims directly, or employ various tricks to get them to make the call, after which they attempt to extract their personal data and money over the phone.

Fake message about Windows-related issues in connection with which the victim must call the scammers

Also current is targeted or spear phishing, which, as the name suggests, is aimed at a specific individual or organization. Spear-phishing e-mails and sites are far more personalized than bulk ones, making them very difficult to distinguish from genuine ones.

Scams

While phishers target both businesses and ordinary internet users, scammers prey mostly on the latter. Most scams work by offering the victim an easy way to earn a chunk of money, or the chance to win a valuable prize or get something for free or at a huge discount. The main goal of this type of threat is to raise money, but scammers can also harvest the victim’s personal data to sell later or use in other schemes.

In the screenshot below, for example, the victim is informed they have won a smartphone and asked to pay a small fee to have it delivered, as well as specify their e-mail address, date of birth, gender, phone number, and home address.

Form for collecting personal data to send the bogus prize

In most cases, scammers ask for this data to convince the victim that the prize will indeed be sent, and do not store it. However, some scammers may save all the information entered on their sites for the purpose of later sending malicious e-mails supposedly from victims, using their names and addresses.

Besides promises of easy money and valuable prizes, scammers actively lure users to non-existent dating sites. For example, they might send an invitation to chat with other users, together with a link to a scam site and attractive photos. Once on the fake site, the user is told they can get premium access to the dating platform for next to nothing, but the offer expires today. They just need to sign up and pay a small fee.

Offer to activate a premium account on a fake dating site

There are other ways to attract victims to scam sites: by “selling” sought-after or scarce goods, or trips with like-minded travelers, etc. In general, if something’s popular with users, fraudsters will use it as bait.

Distribution

Although most scams and phishing attacks begin with mass e-mails containing links to fake websites, alternative attack vectors are gaining ground today. There are so many different communication and data sharing platforms that attackers can use to distribute phishing links.

Messengers

One of the main vectors for phishing and scamming is messengers such as WhatsApp and Telegram.

WhatsApp users might receive a fraudulent message from either the cybercriminals themselves or someone in their contact list. To spread their scams, attackers send messages in the name of popular brands or government agencies, but have no qualms about involving users too. In particular, to receive a gift promised in a message, they often get the victim to forward it to all or some of their contacts.

Cybercriminals get the victim to forward a link to a fake giveaway to their WhatsApp contacts

Recently, many channels have appeared on Telegram promising prizes or get-rich cryptocurrency investment schemes. The chats of popular Telegram channels are also home to scammers who, posing as ordinary users, post juicy money-making and other offers. For posting comments en masse, cybercriminals can use bots. To discover the secret of easy money, the user is invited to contact the scammers or go to their channel.

Comment in a Telegram chat promoting a currency exchange scheme

Social networks

Comments offering easy profits are also found on social networks, for example, under photos in popular accounts, where messages are more likely to be read than on a page with fewer followers. Cybercriminals invite users to follow a link in a profile header, send them a direct message, or join a secret group chat. A message can also contain a link to a phishing or scam site. Posts promising well-paid part-time work with a link to a mini app are also common on VK, the Russian equivalent of Facebook. In addition, cybercriminals can use social networks to send direct messages to users, promote their offers, or create fake accounts promising valuable gifts, in-game currency, and gift cards. These are hyped up through ads, hashtags, or mass tagging of users in posts, comments, or on photos.

Instagram account “giving away” free smartphones

Marketplaces

Marketplaces act as an intermediary between the user and the seller, to some extent ensuring the security of the transaction for both parties. But their functionality is open to abuse by scammers as well. A widespread scheme on Russian marketplaces is when the seller appears reluctant to communicate on the site and tries to move the conversation to a third-party messenger where they can send a malicious link without fear of triggering the marketplace’s built-in defenses.

Also on marketplaces, scammers often comment on other users’ reviews of products, assuring potential buyers that an item can be purchased for far less elsewhere, and attaching a link to a scam site.

Scammers distribute links to fake sites through comments on product reviews on marketplaces

Phishing and scam attack methods

To carry out attacks, cybercriminals employ a wide range of technical and psychological tricks to dupe as many users as possible while minimizing the risk of detection.

Below are the main phishing and scam techniques used in 2022.

Spoofing

To increase the victim’s trust in a fake resource, scammers often try to make it as similar as possible to the original. This technique is known as spoofing. In the context of website spoofing, there are two main types:

  • Domain spoofing, when attackers fake a website domain to fool users;
  • Content spoofing, when they mimic the appearance of a legitimate site.

It’s common for attacks to deploy both of these.

Domain spoofing involves registering a domain similar to that of the target organization. Phishers are careful to choose domains that don’t look suspicious to victims. Domain spoofing can be divided into three categories:

  • Typosquatting is the use of the original domain name with typos commonly made by users when inputting the URL, such as missing or extra characters, or letters in the wrong order.

Misspelling of the domain Instagram.com, where the number 9 appears instead of the letter “g”

  • Combosquatting is the use of additional words, often related to authorization or online security, in a domain name similar to that of the brand whose users are the target. For example, words like “login”, “secure”, “account”, “verify”, and so on.

The word “account” in a domain name alongside the name of a bank

  • Internationalized domain name (IDN) homograph attacks work by using Unicode characters that closely resemble letters in the Latin alphabet. For example, the most commonly used Cyrillic letters in such attacks are a, c, e, o, p, x, y, because they look identical to Latin a, c, e, o, p, x, y.
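The three domain-spoofing categories above, turned into a checker as an added example (not code from the original article): the brand list is a constructed stand-in for whatever list a defender protects, while the keyword list and the Cyrillic lookalike set are the ones the article names.

```python
"""Added example (not from the Securelist article): classify a domain into the
three domain-spoofing categories the article lists - typosquatting,
combosquatting and IDN homograph attacks. BRANDS is a constructed stand-in for
a defender's list of protected domains."""

# Constructed list of protected brand domains (examples only).
BRANDS = ["instagram.com", "paypal.com", "whatsapp.com"]

# Words the article cites as typical combosquatting additions.
COMBO_KEYWORDS = ("login", "secure", "account", "verify")

# Cyrillic letters the article names as indistinguishable from Latin a c e o p x y.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y",
}


def levenshtein(a, b):
    """Edit distance: the number of single-character typos separating two labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def to_unicode(domain):
    """Decode xn-- (punycode) labels so that lookalike letters become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA: inspect it as-is


def registrable(domain):
    """Last two labels. Assumption for this example: a real deployment would use
    the public suffix list so that suffixes such as co.uk are handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def classify(domain):
    """Return (category, matched_brand_or_None)."""
    unicode_domain = to_unicode(domain.lower())
    if any(ch in CYRILLIC_LOOKALIKES for ch in unicode_domain):
        # Replace each lookalike with its Latin twin; if the result is one of
        # our brands, the original was a homograph of it.
        skeleton = "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in unicode_domain)
        reg = registrable(skeleton)
        return ("idn_homograph", reg if reg in BRANDS else None)

    reg = registrable(unicode_domain)
    if reg in BRANDS:
        return ("legitimate", reg)
    label = reg.split(".")[0]  # second-level label, e.g. "paypal-account"

    # Combosquatting: the brand name plus a security-flavoured word.
    for brand in BRANDS:
        name = brand.split(".")[0]
        if name in label and label != name:
            extra = label.replace(name, "", 1).strip("-")
            if any(word in extra for word in COMBO_KEYWORDS):
                return ("combosquatting", brand)

    # Typosquatting: one or two characters away from the brand name.
    for brand in BRANDS:
        name = brand.split(".")[0]
        if 0 < levenshtein(label, name) <= 2:
            return ("typosquatting", brand)

    return ("unknown", None)


# Constructed homograph sample: "paypal.com" with a Cyrillic а (U+0430) in place
# of the first Latin a, encoded to the xn-- form a resolver or log would show.
HOMOGRAPH_SAMPLE = "p\u0430ypal.com".encode("idna").decode("ascii")

if __name__ == "__main__":
    for d in ["www.paypal.com", "insta9ram.com", "paypal-account.com", HOMOGRAPH_SAMPLE]:
        print(f"{d:28} -> {classify(d)}")
```

`insta9ram.com` reproduces the article's typosquatting example (the digit 9 in place of the letter g); `paypal-account.com` reproduces the combosquatting one.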

Content spoofing is used to fake the appearance of a legitimate site. Here, the following methods can be singled out:

  • Legal iFrame Background is when an iFrame is used to load a legitimate site onto a rogue one, on top of which a phishing form is overlaid.

Legitimate site serving as a background for a phishing form

  • HTML spoofing is the visual imitation of a legitimate site by, among other things, partially copying its style and HTML code. Scammers often use software for creating mirror sites, such as HTTrack and Website Downloader.

Comment in the HTML code of a phishing page indicating that HTTrack was used
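The Legal iFrame Background trick only works when the legitimate site permits being framed by other origins, so a site owner can verify their own response headers. The following added example (not Kaspersky's code and not any framework's API) evaluates the CSP frame-ancestors directive and the older X-Frame-Options header; the header sets are constructed for the demo.

```python
"""Evaluate whether a site's response headers stop it being framed.

Added example (not Kaspersky's code). A legitimate site can only be loaded
as an iFrame background for a phishing form if it allows cross-origin
framing; the checks below read the two headers that control this.
Header sets are constructed for the demo.
"""


def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def framing_protection(headers):
    """Return (verdict, detail). Verdicts: blocked, same-origin, allowlist,
    unprotected. CSP frame-ancestors takes precedence over X-Frame-Options
    in browsers that support it, so it is evaluated first."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(lowered.get("content-security-policy", ""))
    ancestors = csp.get("frame-ancestors")
    if ancestors is not None:
        # An empty source list, like 'none', matches no ancestor at all.
        if ancestors == [] or ancestors == ["'none'"]:
            return ("blocked", "frame-ancestors 'none'")
        if all(src == "'self'" for src in ancestors):
            return ("same-origin", "frame-ancestors 'self'")
        return ("allowlist", ancestors)
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return ("blocked", "X-Frame-Options: DENY")
    if xfo == "SAMEORIGIN":
        return ("same-origin", "X-Frame-Options: SAMEORIGIN")
    if xfo:
        return ("unprotected", "unrecognised X-Frame-Options value: " + xfo)
    return ("unprotected", "no frame-ancestors directive and no X-Frame-Options header")


# Constructed header sets: a weak response and its hardened counterpart.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",  # fallback for browsers without CSP3 support
}

if __name__ == "__main__":
    print("weak:", framing_protection(WEAK_HEADERS))
    print("hardened:", framing_protection(HARDENED_HEADERS))
```

A site that legitimately embeds itself in partner pages ends up in the allowlist verdict; the point of the check is that the allowlist should then be reviewed, because every origin in it can present the site as a background behind its own form.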

    Website hacking

    Sometimes it’s easier for scammers to hack others’ sites to host malicious content than to create their own from scratch. Such phishing pages tend to be short-lived, because the site owners quickly detect and remove scam content, as well as regularly patch holes and vulnerabilities in their infrastructure. That said, if cybercriminals break into an abandoned site, phishing pages hosted there can survive a long time. Phishers can exploit compromised sites in several ways:

    • iFrame Injection is when a login form or other part of a phishing page is inserted through an iFrame. Whereas the Legal iFrame Background method involves the use of an iFrame with a legitimate website as the background for a phishing form, in the case of iFrame Injection the URL of the page is legitimate, while the iFrame contains a phishing form, whose background is most often homemade content using brand logos.

    Login form created using an iFrame on a hacked site

    • Subfolder Hijacking is the partial hacking of a site to gain access to its subdirectories to place fraudulent content there. Such attacks can either use existing directories on the legitimate site or create new ones.

    Home page of a hacked site that looks normal

    Phishing page placed in a subdirectory of a hacked site

    • Site Swapping is the complete replacement of a legitimate site with a phishing one. The original content is usually removed.

    Using legitimate services

    Some internet scammers, instead of bothering to create or hack sites, prefer to exploit the features of services trusted by users. In particular, forms for creating online surveys and collecting data (Google Forms, MS Forms, HubSpot Form Builder, Typeform, Zoho Forms, etc.) are very often used to perform an attack.

    For example, in the screenshot below, scammers under the guise of technical support for a popular cryptowallet use a Google form to coax identification data out of users, such as e-mail address and secret phrase.

    Fraudsters try to finagle confidential data through Google Forms

    Although such services have started to warn users about the dangers of sharing passwords through forms, as well as to implement automatic protection (such as blocking forms containing keywords like “password”), this method remains popular with scammers due to the ability to mass-create phishing surveys. To bypass built-in security, they often use text spoofing, that is, they replace characters in keywords with visually similar ones: for example, they write pa$$w0rd instead of password, making such words unrecognizable to automated systems.
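A keyword filter that only matches the literal string "password" is exactly what text spoofing defeats. The added Python example below (not the code of Google Forms or any other form builder) normalises form text before matching: it folds fullwidth and accented characters, strips zero-width characters, reverses common symbol-for-letter substitutions such as pa$$w0rd, and removes separators inserted inside a word. The keyword list, substitution table and sample prompts are constructed for the demo.

```python
"""Detect obfuscated sensitive keywords (pa$$w0rd, pass-word, fullwidth text)
in form text before a filter decides whether to allow the form.

Added example (not Google's, Microsoft's or Kaspersky's code). The keyword
list, substitution table and sample strings are constructed for the demo.
"""
import re
import unicodedata

# Invisible characters scammers insert to split a keyword.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")

# Symbol and digit substitutions for Latin letters ("text spoofing").
LEET = str.maketrans({
    "$": "s", "5": "s", "0": "o", "@": "a", "4": "a", "3": "e",
    "1": "i", "!": "i", "7": "t", "|": "l",
})

# Separators placed between letters of a word, e.g. pass-word, pass.word.
INTRA_WORD_SEP = re.compile(r"(?<=[a-z])[-_.](?=[a-z])")

# Canonical label and pattern (applied to normalised text, word-bounded).
SENSITIVE = [
    ("password", re.compile(r"\bpass\s?(word|phrase)\b")),
    ("secret phrase", re.compile(r"\b(secret|seed|recovery)\s?phrase\b")),
    ("cvv", re.compile(r"\bcv[vc]\b")),
    ("pin", re.compile(r"\bpin\b")),
]


def normalise(text):
    """Fold the text to plain lowercase letters: fullwidth and accented
    forms via NFKD, strip combining marks and zero-width characters, undo
    leet substitutions, drop separators inside a word."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = ZERO_WIDTH.sub("", text)
    text = text.lower().translate(LEET)
    return INTRA_WORD_SEP.sub("", text)


def find_sensitive_terms(text):
    """Return canonical labels of sensitive terms found, in order of appearance."""
    folded = normalise(text)
    hits = []
    for label, pattern in SENSITIVE:
        match = pattern.search(folded)
        if match:
            hits.append((match.start(), label))
    return [label for _, label in sorted(hits)]


if __name__ == "__main__":
    # Constructed form prompts, from plain to increasingly obfuscated.
    for prompt in ("Enter your password", "Enter your pa$$w0rd",
                   "Enter your pass\u200bword", "Enter your ｐａｓｓｗｏｒｄ",
                   "Confirm wallet P1N and s3cret-phrase",
                   "Enter your name and shipping address"):
        print(repr(prompt), "->", find_sensitive_terms(prompt))
```

Matching on the normalised text rather than the raw input is the whole trick; the substitution table will never be complete, so in production the output of this check is a signal to combine with reporting and reputation data, not a sole gate.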

    Besides forms, cybercriminals make active use of cloud documents. Not least, they can send e-mails with a link to a document in a legitimate service that contains a phishing link.

    Avoiding detection

    Scammers use various techniques to hide from detection. Some are quite effective but not so common, because they require more advanced technical know-how than many scammers possess.

    One method to avoid detection is obfuscation, where the user-invisible source code of a scam page is scrambled to make the attack hard to detect by automated means. We talked in detail about obfuscation methods in our post about the phishing-kit market.

    Another way to protect a scam site from detection is to use methods to hide page content from automated analysis. Here are some of them:

    • Use of images. If text is replaced with images of text, content analysis engines cannot see or analyze the text, while users can still read it.
    • Browser notifications. Links to scam resources can be distributed through browser notifications. Unlike e-mails and public websites, browser notifications are processed in several stages, and not all anti-phishing engines analyze them. This allows cybercriminals to bypass at least some detection technologies.

    To download a song on a scam site, the user is asked to allow browser notifications from that site

    • Pop-up windows. Scam content can open in pop-up windows on a site. Pop-up windows load later than the site’s main window, so not all anti-phishing technologies see them. In addition, pop-up windows furnish attackers with additional tools to copy the appearance of a legitimate site. In particular, cybercriminals can use the Browser-in-the-Browser method, when a pop-up window imitates a browser window with an address bar showing the URL of a legitimate site.

    Browser-in-the-Browser attack: a pop-up window mimics a browser window with an address bar

    Along with content, scammers try to hide the URLs of malicious sites from detection technologies. For this purpose, they can use:

    • URL links randomly generated using hashes. Each victim receives a unique link, which makes it difficult to block a malicious site.
    • URL shorteners. Attackers can mask malicious addresses using legitimate URL shorteners, such as bit.ly.
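Per-victim links defeat blocklists that store exact URLs, so detection works better on a campaign template than on individual addresses. The added Python example below (not Kaspersky's code) flags known shortener hosts, replaces random-looking path and query values with a placeholder, and clusters URLs by the resulting template; the shortener list, sample URLs and hex tokens are constructed for the demo.

```python
"""Triage phishing URLs that hide behind shorteners or per-victim tokens.

Added example (not Kaspersky's code). Collapsing random-looking path and
query values into a placeholder yields one template per campaign, so a
single block rule covers every unique link. Shortener list, sample URLs and
the hex tokens are constructed for the demo.
"""
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Legitimate shortener hosts often abused to mask a destination (sample set).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly"}

TOKEN_CHARS = re.compile(r"^[A-Za-z0-9_-]{16,}$")


def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def is_random_token(segment):
    """Long, mixed letters and digits, high entropy: generated, not a word."""
    return (bool(TOKEN_CHARS.match(segment))
            and any(ch.isdigit() for ch in segment)
            and any(ch.isalpha() for ch in segment)
            and entropy(segment) >= 3.0)


def triage(url):
    """Return host, flags (shortener, unique_link) and a campaign template."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if host in SHORTENERS:
        flags.append("shortener")
    path = ["{token}" if is_random_token(s) else s
            for s in parts.path.split("/") if s]
    query = []
    for pair in (parts.query.split("&") if parts.query else []):
        key, _, value = pair.partition("=")
        query.append(key + "=" + ("{token}" if is_random_token(value) else value))
    if "{token}" in path or any(q.endswith("={token}") for q in query):
        flags.append("unique_link")
    template = host + "/" + "/".join(path) + ("?" + "&".join(query) if query else "")
    return {"host": host, "flags": flags, "template": template}


def cluster(urls):
    """Count URLs per template so analysts block the template, not each link."""
    return Counter(triage(u)["template"] for u in urls)


# Constructed sample: three per-victim links from one campaign, one shortener
# link and one ordinary page. The hex strings stand in for per-victim hashes.
SAMPLE_URLS = [
    "https://promo.example.test/claim/5f4dcc3b5aa765d61d8327deb882cf99",
    "https://promo.example.test/claim/e10adc3949ba59abbe56e057f20f883e",
    "https://promo.example.test/login?u=25d55ad283aa400af464c76d713c07ad",
    "https://bit.ly/3xYzAbC",
    "https://shop.example.test/account/verify",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(triage(u))
    print(cluster(SAMPLE_URLS))
```

Shortener links carry no usable template of their own; the flag is there so the pipeline resolves the redirect (or looks it up) and triages the final destination instead.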

    Social engineering elements

    Cybercriminals’ tricks often target the user rather than vulnerabilities in the security system. Scammers use their knowledge of human psychology to deceive victims, and these tricks can be combined with technical means to devastating effect.

    • Fake CAPTCHA. Cybercriminals mimic CAPTCHA technology on scam sites to persuade victims to perform certain actions.

    Fake CAPTCHA on a phishing page asking for permission to show browser notifications, supposedly to prove you’re not a robot

    • User-Related Dynamic Content. The page content changes depending on the user and their data, such as e-mail address: to impersonate the user’s mail domain, images are downloaded from that domain and inserted into the phishing page.

    Attackers use the victim’s mail domain to create content on a scam site

    • Intimidation and threats. Cybercriminals can intimidate victims to make them panic and act rashly. For example, they may threaten legal action and demand payment of a “fine” for the victim to be left in peace. Attackers can also threaten to block the victim’s account to force them to click a phishing link.

    Scammers threaten to seize all the user’s property and accounts if they fail to pay off a bogus debt

    • Attackers give victims a limited time window to respond to their message in one way or another to make them act rashly.

    Scam site demands urgent payment of “COVID-19-related expenses” for delivery of a parcel

    • An appeal to pity. Cybercriminals try to arouse people’s sense of pity to get them to part with their cash.
    • Lucrative offers. Scammers tempt victims with lip-smacking offers that are hard to refuse.

    Cybercriminals lure the user with the chance to win an Amazon gift card

    Conclusion

    Most users today are more or less aware of the current web threats. Many have either experienced internet scams themselves, or know about them from the news or other sources, making it harder for attackers to dupe victims and so requiring the use of ever more sophisticated methods. Instead of slapdash phishing and scam sites, high-quality fakes are becoming increasingly common. This includes mimicking a browser window with a legitimate URL in a pop-up window, as well as phishing pages with a legitimate site in the background, loaded via an iFrame. We’ve also seen elements of targeted attacks in phishing and scams, such as downloading content related to the target’s mail domain or using data obtained from large-scale leaks to make contact with potential victims.

    At the same time, vishing is on the rise, because it’s easier to apply pressure over the phone, giving the victim no time to mull things over. In addition, cybercriminals use other available communication channels: e-mail, popular messengers, social networks, marketplaces.

    To implement attacks, they employ a variety of techniques, such as spoofing, social engineering, site hacking, and code and content hiding. Alongside this, detection avoidance methods also continue to evolve. Attackers are increasingly using one-time generated links with hashes to prevent web threat detection technologies from blocking them.

    Note, too, that scammers continue to base their malicious campaigns on the hottest topics in the news. If there’s a major event going on somewhere, a problem on a country or global scale, or some service or technology is becoming all the rage, be sure that cybercriminals will seek to exploit it. For instance, the lockdown period was beset by large-scale “financial aid” scams, while last year’s upturn in cryptocurrency prices went hand in hand with numerous fraudulent investment schemes. So it pays to be vigilant online, especially when it comes to money: no matter how much you want to believe that good fortune has fallen from the sky, if something sounds too good to be true, it probably is.

    Black Friday shoppers beware: online threats so far in 2022
    https://securelist.com/black-friday-report-2022/108042/
    Wed, 23 Nov 2022 08:00:00 +0000

    The shopping event of the year, Black Friday, is almost here, and while the big day does not officially arrive until Friday, November 25th, deals are already starting. The day kickstarts the frenzied holiday shopping season with eye-catching promotional deals that lure shoppers into spending more of their hard-earned cash. In the weeks leading up to Black Friday, we have already seen discounts reaching 70% and even 80%, grabbing the attention of millions of customers.

    Today, e-commerce sales make up 21% of global retail sales, which is a 50% increase on the pre-pandemic levels. Besides, 94% of shoppers now do at least some of their shopping online. As the volume of purchases around Black Friday increases, the attention of cybercriminals to e-commerce intensifies proportionally. The risk of being scammed runs even higher. While on ordinary days, the customer can easily see that if the product is too cheap, it is most likely a scam, during the Black Friday sales, it gets harder to tell. Shoppers become less vigilant, and therefore, an easy target for cybercriminals. That is why we constantly monitor the landscape of shopping-related cyberthreats and protect users from these risks. Here is what we have found this year.

    Methodology

    In this research, we analyze various types of threats, such as financial malware and phishing pages mimicking the world’s biggest retail platforms, banking and payment systems, and discuss recent trends. The threat statistics we use come from Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users, for the period from January through October 2022. In addition, we analyzed Black Friday-related spam and phishing pages mimicking popular BNPL (buy now, pay later) services, which have proven to be particularly popular during shopping seasons like Black Friday.

    Key findings

    • Over the first ten months of 2022, Kaspersky prevented 38,596,555 financial phishing attacks.
    • In 2022, the number of attacks using banking Trojans doubled when compared to the same period of 2021, reaching almost 20 million.
    • The number of financial phishing attempts for online shopping platforms (16,424,303) comprised 42.55% of all financial phishing attempts.
    • The number of phishing pages mimicking the most popular shopping platforms (Apple, Amazon, eBay, Walmart, Aliexpress, and Mercado Libre) totaled 12,787,534 in the first ten months of 2022.
    • Apple was consistently the most popular lure among online shopping platforms, with phishing attempts using its name reaching 9,858,254 in the first ten months of 2022.
    • Spam campaigns intensify as Black Friday approaches. In the first three weeks of November, Kaspersky telemetry spotted 351,800 spam emails that contained the word combination “Black Friday”. This is five times more than September’s figure.

    Phishing for shopping credentials: financial threats in numbers

    One of the prime threats during the shopping season is financial phishing. Kaspersky distinguishes several types of financial phishing: banking, payment system, and online store phishing. Banking phishing includes fake banking websites that cybercriminals create to mislead their victims into giving up their credentials and card details. Payment system phishing involves pages mimicking well-known payment systems, such as PayPal, Visa, MasterCard and American Express. The third type of phishing mimics online stores, such as Amazon, eBay, Aliexpress, or smaller ones.

    Number of attempts to visit phishing pages using banking, online payment and online retail brands as a lure, January–October 2022 (download)

    During the first ten months of 2022, Kaspersky products detected 38,596,555 phishing attacks targeting users of online shopping platforms, payment systems and banking institutions. We count one attempt to open a phishing link detected by Kaspersky as one phishing attack. During the first ten months of this year, the number of financial phishing attempts for online shopping platforms comprised 42.55% of all financial phishing attempts, which is 10.19 p.p. higher than the share of online payment phishing (32.36%), and 17.47 p.p. higher than the share of banking phishing (25.08%). Moreover, some of the payment system and banking phishing cases may be related to online store phishing. For example, if a phishing or scam page mimicking Amazon redirects the user to a payment page mimicking PayPal, these two pages will be categorized as online store and payment system phishing, respectively. In total, Kaspersky solutions detected 16,424,303 online store phishing attacks, 12,491,239 online payment phishing attacks, and 9,681,013 banking phishing attempts. We also observed a sharp spike in the number of attacks on online store users in June–July 2022. This was caused by a massive phishing campaign involving a fake Apple device giveaway, which Kaspersky security solutions successfully repelled.

    Number of attempts to visit phishing pages using Apple as a lure, January–October 2022 (download)

    Overall, the number of phishing attacks mimicking the most popular shopping platforms (Apple, Amazon, eBay, Walmart, Aliexpress, and Mercado Libre) amounted to 12,787,534 for the ten months of 2022. The majority of these attacks targeted Apple users: 9,858,254 phishing attempts, most of them occurring during the summer campaign mentioned above.

    Number of attempts to visit phishing pages using popular shopping platforms (excluding Apple) as a lure in 2022 (download)

    Amazon was the second most popular lure, with phishing attempts using its name peaking in April at 342,829. In total, 2,101,599 phishing attacks exploiting the Amazon brand were detected between January and October of 2022. The third most popular lure was, for most of 2022, Mercado Libre. Although the marketplace is local to Latin America, cybercriminals notably abused it much more via phishing attacks than global corporations like eBay or Walmart. Specifically, attackers used the brand name of Mercado Libre most heavily during the summer season, with 56,099 attempts in June and 42,862 in August, which is more than the summer figures for eBay, Walmart, and Aliexpress. Curiously, the number of phishing sites mimicking Walmart’s platform peaked in February, likely because of Valentine’s Day. During that month, we detected 76,618 phishing attempts abusing Walmart, which is 45% of all phishing attempts that targeted Walmart users in the first ten months of 2022.

    “Pick a prize and cry in surprise”

    A large share of fake e-commerce pages comprises scams: juicy fake offers, often made in the name of a popular brand, which draw buyers. Scam websites will typically display a discount, giveaway or another attractive deal that supposedly expires soon, urging the user to hurry while the products are free or heavily discounted. This is where cybercriminals catch customers who are hungry for freebies and fail to double-check where they are about to enter their details: on a phishing page or the official website.

    A brightly colored phishing site with a Mercado Libre logo on it lights up with, “Pick a prize and cry in surprise” written in Spanish. The surprise box can contain anything: the latest iPhone, an expensive TV set, or a much-needed lawn mower for the garden. To get it, the user just needs to pay a small delivery fee. However, all they really get if they fall for the trick is their money lost and bank card details compromised.

    Fake Mercado Libre site in Spanish that reads, “Pick a prize and cry in surprise”

    Cybercriminals often start to spread phishing and scam pages even before Black Friday sales begin in order to squeeze out the shopping season as much as possible. One scam site, for example, offers users early access to all Amazon deals a few days before the discounts become effective, to grab everything they want before other customers sweep the shelves. To get the “early access”, you have to subscribe to “Amazon Prime” on the scammers’ website. However, paying for the subscription will not get users access to Amazon’s offers. Instead of being the first among buyers, they will join the ranks of scam victims.

    Users are offered early access to Amazon sales

    In addition to promises of early access, attackers use other tricks to lure victims. For example, they offer eBay gift cards for free. In order to generate a gift card code, users are asked to select an amount to add to the gift card account: from $10 to $300. They will then be asked to fill out a simple survey and to pay a small fee for the card, which the scammers promise to send by email. However, victims will not get any gift cards, but just lose their money to the scammers.

    Victims are promised that gift card codes will be sent to their emails, which does not happen

    A promise of cashback is another kind of bait used by cyberthieves. That is how they lured victims into a phishing scheme that targeted users of the Indian payment system PhonePe. The attackers sent out text messages promising cashback to users who followed a link. The phishing page urged victims to enter their UPI PIN: the secret code that is used to confirm transactions.

    Fake cashback page phishing for UPI PINs

    In certain cases, cybercriminals exploited several brands with one phishing page. On the screenshot below, the fake website mimics the login page for Landesbank Berlin’s Amazon.de cards. It offers users to “activate Visa Secure to pay safely with their Amazon.de Visa card”. To do that, the victim needs to enter their Landesbank Berlin login credentials, which will then be stolen by the attackers.

    Users are prompted to log in to their Landesbank Berlin account to allegedly activate the Visa Secure option

    “Buy now, regret later”: phishing examples for BNPL services

    “Buy now, pay later” (BNPL) services allow customers to split the cost of a purchase into several interest-free installments. These services appeal to consumers, especially youngsters, and have proven to be particularly popular during shopping days like Black Friday. Juniper Research assesses the BNPL user base at 360 million in 2022 and predicts this number to surpass 900 million globally by 2027. All of this makes BNPL an attractive target for cybercriminals.

    BNPL phishing on the eve of Black Friday 2022

    One of the most popular BNPL services is Affirm, with around 12.7 million active users worldwide. According to the official website, a user can shop online or in-store and pay later with the service at checkout. Another option is to request a virtual card in the app. Payments are managed in the app or online. The service offers a browser extension for Chrome.

    Cybercriminals have created a nearly perfect replica of the official Affirm login page—the only difference is missing links to the privacy policy and merchant login. By creating the malicious lookalike, the attackers are trying to gain access to victims’ Affirm accounts.

    Affirm phishing page

    The real Affirm login page (differences highlighted)

    Another pre-Black Friday phishing site found by Kaspersky researchers spoofs an even more popular service named Afterpay (Clearpay in the U.K. and Italy), which has 20 million active users globally. Perpetrators have set up a page that mimics the official website, apparently trying to trick unsuspecting visitors into entering their bank card details, including the CVV, into a fake form.

    A further example of a phishing page mimicking Afterpay is aimed at gaining access to potential victims’ accounts.

    Phishing distribution

    To attract potential victims to phishing pages, attackers usually send links to these pages by email. The email body employs social engineering techniques, for instance, to convince the user that they need to update their payment data, or that a lucrative deal awaits them on the phishing site. However, there are other ways of delivering phishing links, such as instant messages, social media, or SMS.

    Phishing and scam: red flags

    More often than not, a vigilant user can recognize phishing and scam pages. The text on the page can contain typos, while the domain name in the URL can differ from that of the official website by a few characters, contain extra words, or look totally unrelated to the brand whose users it targets. The only functional buttons are often those related to the main phishing or scam functionality: “pick your prize”, submit buttons, etc. All other buttons such as “I forgot my password”, the menu, etc. are typically unclickable or lead nowhere. That said, links to the terms of use and privacy policy in the footer of a phishing page can lead to the documents published on the original website, and thus help to conceal the website’s malicious purpose.

    Spam

    Despite all the benefits of online shopping, one of its most annoying downsides is finding your inbox clogged up with unsolicited email. Spam campaigns tend to intensify dramatically around the shopping and holiday seasons. From November 1 through November 17, 2022, Kaspersky telemetry recorded 351,800 emails containing the word combination “Black Friday”. This is more than five times the number of such emails recorded in October, when we saw 65,608. Compared to September, the increase is more than 32 times.

    The number of spam emails containing “Black Friday”; September, October, and November 2022 (download)

    When left unfiltered by antispam systems, spam is an annoyance and a waste of time. Our recent study revealed that employees who receive 30–60 external emails per day could be wasting as much as 11 hours annually looking through and identifying spam messages. For employees receiving between 60–100 emails a day, the figure increases to 18 hours per year, which is more than two business days.

    Additionally, an important email might be lost in a deluge of spam and unintentionally deleted. Needless to say, many spam emails contain links to phishing and scam websites, or malicious attachments.

    Banking Trojans go after payment credentials

    Banking Trojans (bankers) are a staple in the arsenal of cyberthieves who seek to profit from the sales season. These are malicious computer programs that obtain access to confidential information stored or processed by online banking and payment systems. Bankers use webinjects and form-grabbing functionality to steal credentials, card details, or even all of the data a user enters on the target website.

    After a sharp drop in banking Trojan attacks in 2021, cybercriminals reverted to using the tool heavily: from January through October 2022, Kaspersky products detected and prevented almost 20 million attacks, a 92% increase year on year.

    Overall number of banking Trojan attacks, January–October 2020–2022 (download)

    Conclusion

    The shopping season is a profitable time not just for store owners and consumers but also for cybercrooks. Every year, we see how fraudsters step up their activities amid the sales season by exploiting the names of popular stores, retail platforms and financial services. Unfortunately, the trend is not likely to go anywhere. This means users should be prepared and know how to stay protected at least from the “traditional” types of threats we observe every year: spam, phishing, and banking Trojans.

    To enjoy the best that Black Friday has to offer this year, be sure to follow a few safety tips.

    • Protect all devices that you use for online shopping with a reliable security solution.
    • Do not trust any links or attachments received by email; double-check the sender’s name and email address before opening anything.
    • Check that the online store address is correct and the page has no errors or visual defects on it before filling out any forms there.
    • In order to protect your data and finances, it is a safe practice to make sure the checkout page is secure, and there is a locked padlock icon beside the address.
    • If you want to buy something from an unfamiliar company, check customer reviews before making the decision.
    • Despite taking as many precautions as possible, you probably will not know whether something is amiss until you see your bank account statement. So, if you are still getting paper statements, do not wait until they hit your mailbox. Get online to see if all of the charges look legitimate, and if not, contact your bank or card issuer immediately.
    Good game, well played: an overview of gaming-related cyberthreats in 2022
    https://securelist.com/gaming-related-cyberthreats-2021-2022/107346/
    Tue, 06 Sep 2022 08:18:10 +0000

    The gaming industry went into full gear during the pandemic, as many people took up online gaming as a new hobby to escape the socially distanced reality. Since then, the industry has never stopped growing. According to the analytical agency Newzoo, in 2022 the global gaming market will exceed $200 billion, with 3 billion players globally. Such an engaged, solvent and eager-to-win audience is a tempting target for cybercriminals, who always find ways to fool their victims. One of the most striking examples involves $2 million’s worth of CS:GO skins stolen from a user’s account, which shows that losses can get truly grave. Besides stealing personal credentials and funds, hackers can affect the performance of gaming computers by infecting them with unwanted miner files.

    In this report, we provide the latest statistics on cyberthreats to gamers, as well as detailed information on the most widespread and dangerous types of malware that players must be aware of.

    Methodology

    To assess the current landscape of gaming risks, we observed the most widespread PC game-related threats and statistics on miner attacks, threats masquerading as game cheats, and stealers, and analyzed several of the most active malware families, describing them in depth. For these purposes, we analyzed threat statistics from Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users, for the period between January 2021 and June 2022.

    To limit the research scope, we analyzed several lists of most popular games and based on this, created a list of TOP 28 games and game series available for download or about to be released on the streaming platforms Origin and Steam, as well as platform-independent titles. To make the overview more in-depth, we included both mobile and PC games. Thus, we analyzed threats related to the following titles:

    1. Minecraft
    2. Roblox
    3. Need for Speed
    4. Grand Theft Auto
    5. Call of Duty
    6. FIFA
    7. The Sims
    8. Far Cry
    9. CS:GO
    10. PUBG
    11. Valorant
    12. Resident Evil
    13. Command & Conquer
    14. Hitman
    15. Total War
    16. Cyberpunk 2077
    17. Elden Ring
    18. Final Fantasy
    19. Halo
    20. Legend of Zelda
    21. League of Legends
    22. Dota 2
    23. Apex Legends
    24. World of Warcraft
    25. Gears of War
    26. Tomb Raider
    27. S.T.A.L.K.E.R.
    28. Warhammer

    We used the titles of the games as keywords and ran these against our KSN telemetry to determine the prevalence of malicious files and unwanted software related to these games, as well as the number of users attacked by these files. Also, we tracked the number of fake cheat programs for the popular games listed above, and the number of miners, which dramatically affect the performance of gamers’ computers.

    Additionally, we looked at the phishing activity around gaming, specifically that related to cybersports tournaments, bookmakers, gaming marketplaces, and gaming platforms, and found numerous examples of scams that target gamers and esports fans.

    Key findings

    • The total number of users who encountered gaming-related malware and unwanted software from July 1, 2021 through June 30, 2022 was 384,224, with 91,984 files distributed under the guise of twenty-eight games or series of games;
    • The TOP 5 PC games or game series used as bait in the attacks targeting the largest number of users from July 1, 2021 to June 30, 2022 were Minecraft, Roblox, Need for Speed, Grand Theft Auto and Call of Duty;
    • The number of malicious and unwanted files related to Minecraft dropped by 36% compared to the previous year (23,239 against 36,336), and the number of affected users decreased by almost 30% year on year (131,005 against 184,887);
    • The TOP 5 mobile games that served as a lure targeting the largest number of users from July 1, 2021 to June 30, 2022 were Minecraft, Roblox, Grand Theft Auto, PUBG and FIFA;
    • In the first half of 2022, we observed a noticeable increase in the number of users attacked by programs that can steal secrets, with a 13% increase over the first half of 2021;
    • In the first half of 2022, attackers cranked up their efforts to spread Trojan-PSW: 77% of secret-stealing malware infection cases were linked to Trojan-PSW;
    • Malware and unwanted software distributed as cheat programs stand out as a particular threat to gamers’ security, especially for those who are keen on popular game series: from July 1, 2021 to June 30, 2022 we detected 3,154 unique files of this type that affected 13,689 users;
    • Miners pose an increasing threat to gamers’ productivity, with Far Cry, Roblox, Minecraft, Valorant, and FIFA topping the list of games and game series that were used as a lure for cyberthreats; 1,367 unique files and 3,374 users who encountered these files from July 1, 2021 to June 30, 2022.

    Over the course of last year, from July 2021 through June 2022, 91,984 files that included malware and potentially unwanted applications were distributed using the popular game titles as a lure, with 384,224 users encountering these threats globally.

    Continuing the trend observed in 2021, Minecraft, the famous sandbox game that has been one of the most-played titles around the world for more than a decade, took first place among the games most often used as bait, with 23,239 files distributed using the Minecraft name affecting 131,005 users from July 2021 through June 2022. However, the number of malicious and unwanted files related to Minecraft dropped by 36% compared to the previous year (36,336), and the number of affected users decreased by almost 30% year on year (184,887).

    Roblox, too, entered the TOP 3 games both by number of related malicious or unwanted files (8,903) and affected users (38,838).

    Other titles that were most often used as a lure were FIFA, Far Cry, and Call of Duty. A large number of users encountered threats while searching for content related to Need for Speed, GTA, and Call of Duty. These game series, too, have been winning the hearts of players around the world for years.

    The TOP 10 games by number of related unique malicious and unwanted files:

    Name                Number of unique files*
    ------------------  -----------------------
    Minecraft           23239
    FIFA                10776
    Roblox              8903
    Far Cry             8736
    Call of Duty        8319
    Need for Speed      7569
    Grand Theft Auto    7125
    Valorant            5426
    The Sims            5005
    CS:GO               4790

    * Total number of detected files using the game title, from July 1, 2021 to June 30, 2022

    The TOP 10 games by number of unique users attacked using the game as a lure:

    Name                Number of users*
    ------------------  ----------------
    Minecraft           131005
    Roblox              38838
    Need for Speed      32314
    Grand Theft Auto    31752
    Call of Duty        30401
    FIFA                26832
    The Sims            26319
    Far Cry             18530
    CS:GO               18031
    PUBG                9553

    * Number of unique users affected by threats related to the game, from July 1, 2021 to June 30, 2022

    As the mobile gaming market continues to grow, we analyzed KSN data specifically on mobile threats. For the period from July 1, 2021 through June 30, 2022, our telemetry shows that 31,581 mobile users were exposed to game-related malware and potentially unwanted software. The number of unique malicious and unwanted files discovered within the given period is 5,976. Minecraft, Roblox, Grand Theft Auto, PUBG, and FIFA are among the games that ranked highest by number of related threats and affected users.

    Name                Number of unique users
    ------------------  ----------------------
    Minecraft           26270
    Roblox              1186
    Grand Theft Auto    927
    PUBG                666
    FIFA                619

    TOP 5 mobile games used as a lure for distribution of malware and unwanted software, by users, from July 1, 2021 through June 30, 2022

    Name                Number of unique files
    ------------------  ----------------------
    Minecraft           2406
    Grand Theft Auto    948
    PUBG                624
    Roblox              612
    FIFA                293

    TOP 5 mobile games used as a lure for distribution of malware and unwanted software, by files, from July 1, 2021 through June 30, 2022

    Cyberthreats using games as a lure

    The overall landscape of threats that affect gamers has not changed much since last year. Still, downloaders (88.56%) top the list of malicious and unwanted software being spread using the names of popular games: this type of unsolicited software might not be dangerous in and of itself, but it can be used for loading other threats onto devices. Adware (4.19%) comes second: this type of software displays unwanted (and sometimes irritating) pop-up ads which can appear on a user’s computer or mobile device.

    The share of various Trojans that use popular games as a lure remains solid, with Trojan-SMS, Trojan-Downloader, and Trojan-Spy among the TOP 10 threats.

    Threat                     Infection cases, %
    -------------------------  ------------------
    not-a-virus:Downloader     88.56
    not-a-virus:AdWare         4.19
    Trojan                     2.99
    DangerousObject            0.86
    Trojan-SMS                 0.49
    Trojan-Downloader          0.48
    not-a-virus:WebToolbar     0.47
    not-a-virus:RiskTool       0.45
    Exploit                    0.34
    Trojan-Spy                 0.29

    TOP 10 threats distributed worldwide under the guise of popular games, July 1, 2021 through June 30, 2022

    Game over: cybercriminals targeting gamers’ accounts and money

    When downloading the games from untrustworthy sources, players may receive malicious software that can gather sensitive data like login information or passwords from the victim’s device; and in an attempt to download a desired game for free, find a cool mod or cheat, gamers can actually lose their accounts or even money. The research revealed an increase in attacks using malicious software that steals sensitive data from infected devices. It included such verdicts as Trojan-PSW (Password Stealing Ware) which gathers victims’ credentials, Trojan-Banker which steals payment data, and Trojan-GameThief which collects login information for gaming accounts. From July 1, 2021 through June 30, 2022, Kaspersky security solutions detected a total of 6,491 users affected by 3,705 unique malicious files of these types. In the first half of 2022, we observed a noticeable year-on-year increase in the number of users attacked: 13 percent against the first half of 2021 (2,867 vs 2,533). The number of unique files used to attack users also increased in the first half of 2022 by nearly a quarter, compared to the first half of 2021: from 1,530 to 1,868.

    From July 1, 2021 through June 30, 2022, 77% of various data stealer infection cases were Trojan-PSW infections. Another 22% of infection attempts were related to Trojan-Bankers, and Trojan-GameThief files accounted for just 1% of cases.

    Types of malicious software that steals sensitive data from infected devices, distributed worldwide using popular game titles as a lure, July 1, 2021 through June 30, 2022

    The TOP 3 threat families, stealing data from the infected devices, by number of attacked users from July 1, 2021 through June 30, 2022:

    • Trojan-PSW.MSIL.Reline/RedLine

      RedLine Stealer is password-stealing software that cybercriminals can buy on hacker forums for a very low price. From July 1, 2021 through June 30, 2022, 2,362 unique users were attacked by RedLine spread using popular game titles and series as a lure, which makes it the most active data-stealing malware family for the period. Once executed on the attacked system, RedLine Stealer collects system information, including device user names, the operating system type, and information about the hardware, installed browsers, and antivirus solutions. Its main stealer functionality involves extracting data such as passwords, cookies, card details, and autofill data from browsers, cryptocurrency wallet secrets, credentials for VPN services, etc. The stolen information is then sent to a remote C&C server controlled by the attackers, who later drain victims’ accounts.

      The RedLine code specifies that, depending on the configuration the malicious software can steal passwords from browsers, cryptocurrency wallet data, and VPN client passwords

    • Trojan-PSW.Win32.Convagent and Trojan-PSW.Win32.Stealer

      Both of these verdicts are generic verdicts for various families of malicious software that collect, analyze, and steal data from victims’ infected devices. From July 1, 2021 through June 30, 2022, 1,126 unique users encountered Convagent and 1,024 users encountered Stealer.

    Most often, players get malware that steals sensitive data onto their devices when trying to download a popular game from an untrustworthy third-party website instead of buying it from the official one. For example, under the guise of a number of cracked popular games, attackers spread the Swarez dropper, which we analyzed in detail in our previous gaming-related threats report. Swarez was distributed inside a ZIP archive which contained a password-protected ZIP file and a text document with the password. Launching the malware resulted in decryption and activation of a Trojan-stealer dubbed Taurus. The latter had a wide range of functions: it could steal cookies, saved passwords, autofill data for browser forms and cryptocurrency wallet data, collect system information, steal .txt files from the desktop and take screenshots.
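As an added illustration of the archive layout just described, here is a small heuristic scanner (my own example code, not Kaspersky's detection logic and not the Swarez sample itself) that flags an outer ZIP carrying a nested archive with encrypted entries plus a short text file that reads like a password note. The sample archives, file names and note contents are constructed, and the "encrypted" flag on the inner archive is simulated because Python's zipfile cannot write encrypted archives.

```python
import io
import re
import struct
import zipfile

# Heuristic for the lure layout: an outer archive carrying a password-protected
# archive plus a small text file holding the password. Names and thresholds are
# assumptions for this example, not any vendor's detection logic.
ARCHIVE_EXT = (".zip", ".rar", ".7z")
PASSWORD_NOTE_RE = re.compile(rb"pass(?:word)?\s*[:=]?\s*\S+", re.IGNORECASE)
ENCRYPTED_FLAG = 0x0001  # bit 0 of the general-purpose flag in a ZIP entry header


def is_encrypted(info: zipfile.ZipInfo) -> bool:
    """ZIP marks encrypted entries in the general-purpose flag, not in the name."""
    return bool(info.flag_bits & ENCRYPTED_FLAG)


def scan_archive(data: bytes) -> dict:
    """Inspect an outer ZIP (as bytes) and return findings plus a verdict.

    'suspicious': nested archive with encrypted entries AND a password note
    'review':     nested archive AND a password note, encryption not confirmed
    'clean':      neither combination present
    """
    findings = {"nested_archives": [], "encrypted_nested": [],
                "password_notes": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            name = info.filename.lower()
            if name.endswith(ARCHIVE_EXT):
                findings["nested_archives"].append(info.filename)
                if name.endswith(".zip"):
                    try:
                        with zipfile.ZipFile(io.BytesIO(outer.read(info))) as inner:
                            # Only metadata is read; nothing encrypted is extracted.
                            if any(is_encrypted(i) for i in inner.infolist()):
                                findings["encrypted_nested"].append(info.filename)
                    except zipfile.BadZipFile:
                        pass  # not a real ZIP despite the extension; still nested
            elif name.endswith(".txt") and info.file_size < 512:
                if PASSWORD_NOTE_RE.search(outer.read(info)):
                    findings["password_notes"].append(info.filename)
    if findings["encrypted_nested"] and findings["password_notes"]:
        findings["verdict"] = "suspicious"
    elif findings["nested_archives"] and findings["password_notes"]:
        findings["verdict"] = "review"
    return findings


def _set_encrypted_flag(zip_bytes: bytes) -> bytes:
    """Flip the 'encrypted' bit on a single-entry ZIP so readers report it as
    password-protected. zipfile cannot write encrypted archives, so this fakes
    the flag for the constructed sample; the payload bytes stay unencrypted."""
    buf = bytearray(zip_bytes)
    local_hdr = buf.find(b"PK\x03\x04")    # flag field at offset 6 of local header
    central_hdr = buf.find(b"PK\x01\x02")  # flag field at offset 8 of central dir
    for off in (local_hdr + 6, central_hdr + 8):
        (flags,) = struct.unpack_from("<H", buf, off)
        struct.pack_into("<H", buf, off, flags | ENCRYPTED_FLAG)
    return bytes(buf)


def _zip_with(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in entries.items():
            z.writestr(name, payload)
    return buf.getvalue()


def build_sample_lure() -> bytes:
    """Constructed sample in the Swarez-like layout; harmless placeholder bytes."""
    inner = _set_encrypted_flag(_zip_with({"Setup.exe": b"MZ" + b"\x00" * 64}))
    return _zip_with({"Game_Cracked.zip": inner, "password.txt": b"Password: 1234"})


def build_benign_sample() -> bytes:
    """Constructed mod pack: nested archive, but no password note, no encryption."""
    textures = _zip_with({"grass.png": b"\x89PNG placeholder"})
    return _zip_with({"textures.zip": textures,
                      "readme.txt": b"Thanks for downloading the mod pack."})


if __name__ == "__main__":
    print(scan_archive(build_sample_lure()))    # verdict: suspicious
    print(scan_archive(build_benign_sample()))  # verdict: clean
```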

    Attackers often purposely seek to spread threats under the guise of games and game series that either have a huge permanent audience (such as Roblox, FIFA, or Minecraft) or were recently released. We found that from July 1, 2021 through June 30, 2022, the TOP 5 game titles that cybercriminals used as a lure to distribute secret-stealing software included Valorant, Roblox, FIFA, Minecraft, and Far Cry.

    Name                Number of unique users affected
    ------------------  -------------------------------
    Valorant            1777
    Roblox              1733
    FIFA                843
    Minecraft           708
    Far Cry             389

    TOP 5 game titles used by cybercriminals to lure users into downloading malicious software that steals secrets from infected devices, from July 1, 2021 through June 30, 2022

    Risky money: how to lose instead of gaining

    One of the most widespread cyberthreats gamers are exposed to is phishing, a social engineering scheme in which an attacker masquerades as a legitimate and trustworthy entity to encourage the user to give out sensitive data, such as account credentials or financial information.

    For the period from July 1st 2021 through June 30th 2022, Kaspersky security solutions detected 3,116,782 attacks connected to phishing activities in online games. One of the key findings in this segment was connected to the attacks aimed at gaining users’ credentials or taking over gaming accounts – especially through social network login.

    For instance, we found several examples of phishing activity of this type targeting Grand Theft Auto Online gamers: the cybercriminals created a fake website that launched an in-game money generator. To use it, you have to log in with your gaming account. Once the credentials are shared, the cybercrooks gain access to such sensitive information as the gaming account, telephone number, and even banking details.

    A fraudulent money generator offered to GTA Online players

    Offering easy in-game money to achieve phishers’ malicious goals was a noticeable trend in the previous reporting period and remains one. By mimicking Apex Legends, a multiplayer free-to-play hero shooter, scammers created a fake website that invited gamers to take part in a lottery to win in-game coins. To try their luck, players were asked to share their game credentials. Once the username or player ID was entered along with the password, the account was taken over by the scammers.

    The Fake Apex Legends website that invited players to take part in a giveaway of in-game coins. Once the player typed in their username and password, scammers got access to his account

    This year, cybercriminals have learned to mimic the entire interfaces of the in-game stores for many popular game titles. The most notable examples include fake marketplaces launched under the names of CS:GO, PUBG and Warface, which are popular esports disciplines. To achieve better results, players need a decent arsenal of weapons and artifacts that are available in the in-game stores. The scammers created fraudulent stores by copying the appearance of the actual in-game marketplaces to fool players, with the final aim of taking over their accounts or stealing their money.

    Fake CS:GO in-game stores created by cybercriminals

    Scammers create a fake in-game store mimicking the PUBG mobile interface. The scheme encourages users to log in using their social media credentials

    Unsolicited mining: programs that ruin the gaming experience

    Miners are programs that may adversely affect a computer’s performance. Once a miner file is launched on an affected computer, it starts consuming the machine’s processing power and electricity to mine cryptocurrency. When it comes to unsolicited miners that run on users’ systems against their will, the situation is even worse, especially for gamers who value their computer’s performance above all.

    According to our analysis, Far Cry, a gaming series that spans 18 years and six editions, proved to be the most popular title among unsolicited miners – both in terms of affected users (1,050) and unique malicious files (510). Other games that make the perfect bait for miners include Minecraft with 406 unique files and Valorant with 93 files. Overall, from July 1st 2021 through June 30th 2022, we managed to detect 1,367 unique mining files which affected 3,374 users. That said, the number of users affected by miners halved in H1 2022 (1002) compared to H1 2021 (2086), which may be linked to the sharp drop in the bitcoin exchange rate. Interestingly, the number of unique miner files rose by 30% in H1 2022 (497) compared to H1 2021 (383).

    Under the guise of one of the biggest novelties of 2022, cybercriminals have also distributed malware related to miners. The fantasy role-playing game Elden Ring was used as a lure by cybercriminals who spread OpenSUpdater. OpenSUpdater is a Trojan that pretends to be a cracked version of a game, and, once installed, downloads and installs various unwanted programs and miners to the victim’s device.

    The OpenSUpdater campaign only targets users from certain countries, so if the user’s IP address does not satisfy the regional requirements of the distribution server, clean software will be downloaded, e.g., the 7zip archive manager. Less fortunate users will receive an installer that delivers various payloads, including legitimate software, potentially unwanted applications, and miners. The infection chain consists of two stages. At the first stage, a malicious downloader is installed. The code of this downloader is updated by the threat actors several times a week using various obfuscation and anti-emulation techniques. The main purpose of these changes is to complicate threat investigation and detection. The second stage is the installer itself.

    Cheating in games, or being cheated?

    Every gamer aims for the best performance and results – even when they are not competing for a precious trophy. This explains why cheating will never go out of style. However, some of the cheats can bring more harm than good.

    What exactly are cheats? When we talk about cheats, we refer to programs that give gamers an advantage beyond the game’s built-in capabilities, whether by applying special cheat codes or by installing software that provides such an advantage. Cybercriminals try to fool gamers by creating fake cheat programs which, instead of providing advantages, degrade computers’ performance or even steal players’ data.

    From July 1st 2021 through June 30th 2022, we detected 3,154 unique files distributed as cheat programs for the most popular game titles, with a total of 13,689 users affected. The vast majority of the files mimicking cheat programs were related to Counter-Strike: Global Offensive (418), Roblox and Valorant (332 files each), and Total War (284). At the same time, Need for Speed came first by number of unique users exposed to this type of threat (3,256): this series of games has retained its broad popularity across several decades and generations.

    Conclusion and Recommendations

    The pandemic times greatly boosted the gaming industry, increasing the number of computer game fans several times over.

    Despite the fact that the number of users affected by gaming-related threats has dropped, certain gaming threats are still on the rise. Over the past year, we have seen an increase in cybercriminal activity around stealers, which allow attackers to steal bank card data, credentials, and even crypto wallets data from infected devices. In the first half of 2022, we observed a noticeable increase in the number of users attacked by stealers, with a 13 percent increase over the first half of 2021.

    We also analyzed which popular games were used as a lure by cybercriminals who distributed malware and unwanted software, and found that most often these were multiplayer gaming platforms, such as Minecraft and Roblox. Worryingly, the primary target audience for these games is children and teenagers, who have much less knowledge of cybersecurity due to a lack of experience. Because of this, we assume that they could become an easy prey for cybercriminals, which means we need to pay special attention to cybersecurity hygiene training for kids.

    Traditionally, we have found a lot of different examples of phishing tools spread by cybercriminals to get access to gaming accounts, in-game items or money. Cybercriminals mostly created phishing pages that mimicked the appearance of the games whose users they were targeting. For example, we observed fake in-game stores for PUBG and CS:GO.

    Over the years, the gaming industry has grown more and more, and we expect to see new ways of abusing users next year, e.g. by exploiting the theme of esports, which are now gaining popularity around the world. That is why it is so important to stay protected, so you do not lose your money, credentials, or gaming account, which you have built over the years.

    Here is what we recommend to stay safe while gaming.

    • Protect your accounts with two-factor authentication whenever possible. At least comb through account settings if you cannot.
    • Use a unique, strong password for each of your accounts. Should one of your passwords get leaked, the rest of your accounts would remain safe.
    • You will benefit greatly from a robust security solution that will protect you from every possible cyberthreat without interfering with your computer’s performance while you are playing. Kaspersky Total Security plays nicely with Steam and other gaming services.
    • Download your games from official stores like Steam, Apple App Store, Google Play, or Amazon Appstore only. While not 100% safe, games from these stores undergo a screening process, which makes sure that a random app cannot be published.
    • If your desired title is not available from the official store, purchase it from the official website only. Double-check the URL of the website to make sure it is authentic.
    • Avoid buying the first thing that pops up. Even during Steam’s summer sale, make sure you read a few reviews before forking out the dough for a little-known title. If something is fishy, other people will have figured it out.
    • Beware of phishing campaigns and unfamiliar gamers. Do not open links received by email or in a game chat unless you trust the sender. Do not open files from strangers.
    • Carefully check the address of any website asking for your username and password, as it might be fake.
    • Avoid downloading cracked software or any other illegal content, even if you are redirected to it from a legitimate website.
    • Keep your operating system and other software up to date. Updates can help address many security issues.
    • Do not visit dubious websites when these are offered in search results and do not install anything they offer.
    • Use a robust security solution to protect yourself from malicious software on mobile devices, such as Kaspersky Internet Security for Android.
    ‘Unpacking’ technical attribution and challenges for ensuring stability in cyberspace https://securelist.com/unpacking-technical-attribution/106791/ Mon, 20 Jun 2022 10:00:07 +0000

    Introduction

    When reports of a cyberattack appear in the headlines, questions abound regarding who launched it and why. Even if an attacker has reasons for conducting such an attack that are, to them, perfectly rational, these reasons are often known only to them. The rest of the world, including the victims of the attack, must often engage in some degree of speculation to explain the events and devise ways to protect themselves accordingly. Knowing the technical aspects of an attack may allow victims to build stronger defences, patch gaps and increase their cyber-resilience. This is why both policymakers and industry leaders are usually eager to have this knowledge as a possible ‘cure’ to mitigate or prevent such cyberattacks from happening again.

    A constant challenge in such an endeavour is that the cyber context, in all its complexity and interconnectedness, remains a dark, unknown forest for many decision-makers. How then can they find out who was behind an attack and why?

    Attribution of a cyberattack is not ‘magic’. It is a complex process where technical, legal and political discussions intertwine to produce as complete a narrative as possible – with as many plausible answers as possible (though not always comprehensive ones). Technical attribution relates to a technical investigation to identify who was behind a cyberattack or cyber operation. Legal attribution assesses if there has been a breach of international law. Finally, political attribution implies the political decision to publicly or privately announce those assessments and tie them to a particular state or private actor.

    Security researchers and private cybersecurity companies can typically analyse cyber incidents from a technical standpoint and cluster them into groups, which they then tie to particular threat actors. However, the only actors that deliver the entire narrative of a cyberattack – discussing accountability and international law – are nation states. The decision-making of states is highly complex in nature, often involving multiple considerations – from domestic issues to foreign affairs. Publicly attributing cyberattacks, meaning announcing who is thought to be responsible, is therefore often not straightforward, and states might not always be willing to make such announcements.[1]

    Within this piece, we, a collection of policy scholars and industry experts, discuss how technical attribution – identifying who is behind a cyberattack – can become more transparent and better understood by the wider public. Our key discussion points include: How is technical attribution carried out? What are the key challenges in conducting reliable technical attribution? And finally, how can this be more accessible to the multitude of stakeholders who are operating in cyberspace and/or have interests there?

    Below are our reflections on these questions, divided into several parts. Firstly, we discuss technical attribution and options to make it more transparent and accessible; next we reflect on how, given existing limitations within multilateral initiatives, the international community might make incremental improvements towards ensuring that technical attribution is made more transparent and more accessible and ensure the stability and security of cyberspace.

    Why would anyone want to know details of technical attribution?

    Cyber attribution is a necessary step to accountability in cyberspace.[2] It serves as a basis for a response: for states in accordance with international law, and for the private sector (if it owns or manages attacked infrastructure) in accordance with national applicable laws. Cyber attribution is a necessary precursor to retaliation – technical, legal or political. And if a state has advanced attribution capabilities, it is in a better position to understand what has happened and appropriately react to a cyberattack. Attribution capabilities are therefore a crucial element in building a deterrence strategy against malicious behaviour.

    Besides states and security researchers, why would anyone else be interested in conducting technical attribution and finding out all possible details?

    Given the multistakeholder nature of cyberspace, a state’s sovereign decision on cyber attribution – whether public or private – may have far-reaching consequences for other stakeholders. The increasingly relevant discussions, from scholars, academia and civil society,[3] further signal interest in greater transparency of and accessibility to, at least, technical attribution.

    These decisions impact geopolitical realities, and in this regard the more information other decision-makers (e.g., owners of ICT infrastructure that procure tools and services for critical functions and sectors) have, the better they are informed about these geopolitical realities to make decisions that would, in turn, impact users of such ICT infrastructure.

    In addition, accessibility to information about technical attribution provides third parties with the ability to assess the results of technical analysis and investigation. Third parties may spot gaps and inconsistencies in the evidence presented and thus help increase the credibility and quality of technical attribution.

    In practice, some States have clearly communicated that there is no obligation under international law to disclose underlying evidence of attribution. Scholars also highlight the significant security risks that public (technical) attribution brings and thus argue that “public attribution is not always better.” Nonetheless, the idea of an international attribution mechanism has been floated by several experts and organizations, proposing an independent mechanism for impartial analysis and decision-making in cyber attribution to complement and assist in states’ sovereign decisions.[4] [5] While states’ reservations regarding calls for greater transparency in cyber attribution and the risks it may carry for strategic competition are valid and do have merit,[6] the benefits of making technical attribution more accessible and better understood by the wider international community should also be explored.

    Following on from the previously discussed key thought that cyber attribution as states’ sovereign prerogative has wider impacts on non-state actors, we hope that more transparent and accessible technical attribution would be important for states to develop better and fact-based assessments, and thus contribute to greater stability and predictability in cyberspace. After discussing how technical attribution is conducted and current difficulties and limitations with it, we reflect on suggestions for the continuing negotiations in the United Nations Open-Ended Working Group on Developments in Information and Telecommunications in the Context of International Security (UN OEWG) and for the international community broadly.

    How the pie gets made: steps in conducting technical attribution

    While the idea of cyber attribution – i.e., determining who is responsible for an attack – is generally understandable by anyone, its technical underpinnings usually rely on domain-specific knowledge. In almost all cases, with the exception of attribution provided through human intelligence (or HUMINT), it is based on careful analysis of available technical information. The end result of this process is technical attribution: intelligence that informs readers about the identity of the attackers. But in this specific context, ‘identity’ should not be understood in the traditional sense: this type of attribution is not aimed at pointing to a door that law enforcement can then kick down. This would in fact require leaps that are usually impossible based on the information available. Instead, the objects crucial to the process of technical attribution are threat actors and attack campaigns. Such ‘objects’, as referred to here, point to things such as malware and hijacked servers, which, when put together and ‘manipulated’, inform the technical attribution process. The process produces clusters that represent malicious cyber activity, which can be grouped together based on identifiable characteristics of the attack and previous attacks.

    Technical attribution may lead to the conclusion that, e.g., “APT 41 is responsible for this attack”, where APT 41 is a term used to consistently designate a specific attacker in the context of different incidents. Figuring out who the people behind APT 41 are would be the prerogative of political, rather than technical, attribution. Technical attribution is only concerned with understanding what characterizes APT 41 as an attacker, and which cyberattacks they are responsible for. But how does this process take place?

    To understand this, one must first understand what information is used in the technical attribution process and where such information comes from. Taking control of an IT system implies a lot of interaction with it: using vulnerabilities to acquire privileges on the machine, deploying programs to exert control over it, and so on. All these operations affect the target computer or device in very specific ways: files are created, log entries are written, network traffic is generated, and so on. Despite the best efforts of the attackers to leave the smallest possible footprint, it is almost impossible to erase all traces of an attack. The main reason for this is that some of the technical information generated during the interaction is not stored on the compromised machine, or even in the target network, but elsewhere (e.g., in network activity logs collected by the Internet Service Provider (ISP)). Below are some examples of the type of data collected and strategies of collection and analysis during the technical attribution process.

    Tooling

    Most readers will be familiar with ‘backdoors’, ‘Trojans’ and the like – computer programs used to send arbitrary commands to a compromised device, but where do these tools come from? Some of them can be purchased as commercial products, others are open-source and freely available. Some of these tools have even been created by threat actors themselves.

    In the latter case, discovering the same unique malware family in two separate cyber-incidents is a strong indication that they share the same perpetrator. A significant part of the work that cyberthreat intelligence teams perform is meticulously indexing known and unknown attack software, and keeping track of which entities use it.

    Infrastructure

    The tools described in the previous paragraph and deployed in victims’ networks do not function in a vacuum. The stolen data needs to be exfiltrated somewhere, and the backdoor needs a place (like a dead-drop) where it obtains the commands to execute. Servers and domain names purchased online serve this function and are collectively seen as the ‘infrastructure’.

    When the same server is used simultaneously in the context of two apparently uncorrelated attacks, conventional wisdom suggests that whoever owns it must therefore be responsible for them both. Technical attribution can take the investigation process further, often by noting attacker habits – such as which resellers they favour, the specific way they configure their machines, and so on. All of this makes it possible to tie together incidents that do not involve the exact same servers (i.e., servers with different IP addresses), or sometimes even discover the infrastructure of a given threat actor before it is used in an operation.

    Attacker procedures

    Finally, it is sometimes possible to obtain a clear picture of what the attackers do once they are inside a network: this encompasses the deployment of additional offensive tools and utilities, but also the commands they type. Because attack groups can have many members, some of them have to put strict and repeatable procedures in place, allowing various operators to fill in for one another. Identifying such recurrent patterns, such as a sequence of information gathered in a specific order from a new machine, can allow defenders to recognise a threat actor across multiple incidents.

    Beyond this, other aspects that can hint at the identity of attackers include more trivial elements – such as which encryption algorithm, network protocol or attack vector an attacker favours.

    The above strategies form a key aspect of the technical attribution process: they transcend individual incidents and aim at building knowledge that can be useful within a larger context. However, no vendor or intelligence service has full visibility over all cyber incidents taking place: defenders only know about what is going on inside their network; incident responders are only aware of the incidents they are asked to remediate; security vendors only obtain limited telemetry from their customer base.

    It follows that no single entity can be successful at attribution alone: it is only by sharing information about threat actors (i.e., through whitepapers, conferences and blog posts) that the industry’s knowledge has allowed us to keep track of the hundreds of threat actors identified over the years.

    What are the difficulties, uncertainties and limitations of technical attribution?

    Even assuming that it is fully available to those performing cyber attribution, technical information is limited, and does not always allow for robust answers. The obvious blind spot is that private cybersecurity vendors often have no investigative powers. This precludes everyone in the industry from ‘following the money’. In the case of attacker infrastructure, servers and domain names are not obtained for free: one way or another, threat actors must find a way to pay for them. Traces generated at this stage are simply unavailable at the technical level.

    Tool-based attribution (i.e., grouping together attacks that leverage the same unique malware families) has also been getting more difficult over the years – for two reasons. Firstly, a number of attackers have eschewed homemade backdoors to rely solely on open-source software. These publicly available backdoors can be used by anyone and cannot characterize a single threat actor unless some significant and unique modifications have been made to them. Secondly, Kaspersky has also observed the tendency to share tools and procedures between close yet distinct threat actors, for instance hacker groups from the same region, working for the same sponsor, but going after different target verticals (e.g., the education, energy, or fintech sectors).

    Adding to the uncertainty of technical attribution are two important issues that need mentioning. The first is that a number of attackers are acutely aware of the technical attribution process and will therefore attempt to impede it by misleading analysts. The issue is further compounded by the fact that attackers interact with each other and may steal tools from one another – how would defenders then be able to distinguish between the original owner and the copycat? Threat actors may also try to purposefully leave behind ‘false flags’ – indicators that incriminate other groups. Such false flags may only be discovered through very careful analysis and are likely happening more frequently than the industry is aware of.

    The second issue is that the technical information analysts work with is very ambiguous. High-profile victims may be compromised by several attackers at once: each of them deploying their tools and generating a muddled footprint. This means that those performing technical attribution are unable to clarify whether it is one, two, or even more distinct groups that are responsible for the activity they are investigating. The risk that a tool would be attributed to the wrong group always exists, with the implication of poisoning the global knowledge-well for years.
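    As an added illustration (not part of the article, and not Kaspersky's own tooling), the following Python script links constructed incident records through the three evidence classes described above (tooling, infrastructure, attacker procedures), gives publicly available tools no weight, and flags a linked cluster whose incidents carry conflicting attributions instead of silently merging them. The weights, threshold, incident records, actor names and addresses are all assumptions made for this example.

```python
"""Constructed example of evidence-based incident linking for technical attribution.

Every incident, tool name, actor name and address below is invented for
illustration (addresses come from the RFC 5737 documentation ranges).
"""
from itertools import combinations

# Assumed evidence weights. Public (open-source) tooling is deliberately absent:
# anyone can deploy it, so it cannot characterise a single actor on its own.
WEIGHTS = {
    "custom_malware": 3,   # same unique, self-developed malware family
    "infrastructure": 3,   # same C2 server used in both incidents
    "procedure": 2,        # same ordered sequence of post-compromise commands
}
LINK_THRESHOLD = 3         # minimum score for two incidents to be considered linked

# Tools whose presence says nothing about identity (constructed list).
PUBLIC_TOOLS = {"OpenSourceRAT", "FreeTunnelTool"}

# Constructed incident records: tools seen, C2 addresses, the command sequence
# typed on a freshly compromised host, and any attribution an analyst already made.
INCIDENTS = {
    "INC-001": {"tools": {"CustomImplantA", "OpenSourceRAT"}, "c2": {"203.0.113.10"},
                "procedure": ("whoami", "ipconfig /all", "net group /domain", "tasklist"),
                "claimed_actor": "GroupBlue"},
    "INC-002": {"tools": {"CustomImplantA"}, "c2": {"198.51.100.7"},
                "procedure": ("whoami", "ipconfig /all", "net group /domain", "tasklist"),
                "claimed_actor": None},
    "INC-003": {"tools": {"OpenSourceRAT"}, "c2": {"198.51.100.7"},
                "procedure": ("systeminfo", "net user"),
                "claimed_actor": None},
    "INC-004": {"tools": {"OpenSourceRAT", "FreeTunnelTool"}, "c2": {"192.0.2.55"},
                "procedure": ("systeminfo", "net user"),
                "claimed_actor": "GroupRed"},
    # Custom tool of one group, C2 server previously tied to another group.
    "INC-005": {"tools": {"CustomImplantB"}, "c2": {"203.0.113.10"},
                "procedure": ("hostname",),
                "claimed_actor": "GroupRed"},
}


def shared_evidence(a, b):
    """Return the evidence classes two incidents share, ignoring public tools."""
    found = []
    if (a["tools"] & b["tools"]) - PUBLIC_TOOLS:
        found.append("custom_malware")
    if a["c2"] & b["c2"]:
        found.append("infrastructure")
    if a["procedure"] == b["procedure"]:
        found.append("procedure")
    return found


def link_score(a, b):
    """Weighted strength of the link between two incidents (0 = no usable overlap)."""
    return sum(WEIGHTS[e] for e in shared_evidence(a, b))


def cluster_incidents(incidents, threshold=LINK_THRESHOLD):
    """Union-find over all incident pairs whose link score reaches the threshold."""
    parent = {name: name for name in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for x, y in combinations(incidents, 2):
        if link_score(incidents[x], incidents[y]) >= threshold:
            parent[find(x)] = find(y)
    clusters = {}
    for name in incidents:
        clusters.setdefault(find(name), set()).add(name)
    return sorted(clusters.values(), key=min)


def assess_cluster(cluster, incidents):
    """Name the actor a cluster points to, or flag it when prior attributions conflict."""
    actors = {incidents[n]["claimed_actor"] for n in cluster} - {None}
    if len(actors) == 1:
        return ("attributed", actors.pop())
    if len(actors) > 1:
        # Conflicting claims inside one linked cluster: a shared server, a stolen
        # tool or a planted false flag could all explain it, so do not merge blindly.
        return ("ambiguous", tuple(sorted(actors)))
    return ("unattributed", ())


if __name__ == "__main__":
    for cluster in cluster_incidents(INCIDENTS):
        verdict, detail = assess_cluster(cluster, INCIDENTS)
        print(sorted(cluster), "->", verdict, detail)
```

Running it shows INC-003 linking to INC-002 only through the shared server, INC-003 and INC-004 staying apart despite a shared public tool and procedure, and the cluster containing INC-005 being flagged as ambiguous rather than resolved.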

    What are the obstacles to a transparent technical attribution process?

    The lack of a global database and the inherent ambiguity of the attribution process imply that cooperation and verifiable procedures are necessary to bolster existing technical attribution efforts. But arguments against global information sharing and transparency in this sphere suggest that a call for such procedures is not a straightforward solution.

    One key objection in this regard stems from the possibility of attackers gaining access to such a global knowledge pool of information. Attribution reports contain precise indicators (e.g., file hashes, IP addresses, domain names, and so on), which would allow attackers to see which incidents led to their discovery and how defenders tied the activity to them. The immediate consequence of transparent attribution is that it provides resources for attackers to tap into to further hone their methodologies and cover up the most characteristic aspects of their operations. There is therefore arguably value in protecting methods used to track threat actors from interception, even at the expense of wider cooperation.

    A further argument against global information sharing and transparency in technical attribution processes is that disclosing how an attack is attributed also provides information about the capabilities of the defender. Such information might involve trade/industry secrets or even sensitive and/or classified information. Government actors use their signals intelligence (SIGINT) capabilities to provide invaluable data for the cyber attribution process (including political and legal) and would rather not attribute an attack publicly at all than have to disclose their SIGINT capabilities and the extent of their visibility. In a limited number of instances, covertly discovering who the attacker is allows analysts to engage in a post-discovery reconstruction of an alternate trail of technical data. By covert means, we refer to signals intelligence, illegal wiretapping and sometimes even plain hacking. But this process – called ‘parallel construction’ – cannot always be performed, sometimes leaving only a choice between unsubstantiated attribution or no attribution at all.

    Paths forward?

    There is clearly a cat-and-mouse aspect to technical attribution. As attackers update their methodologies in order to avoid blame, defenders look for new sources of information to help them produce intelligence. The first observation is that tool-based attribution is on the decline. The global availability of sophisticated and free cyber offensive programmes means that attackers will not need to create their own anymore. On the other hand, new capabilities are offered to defenders in response. For instance, there are now offerings for private SIGINT capabilities, where defenders can purchase raw network data collected from the whole world, allowing them to see operators connecting to their attack servers.

    Given all the limits discussed above, what could be a way forward for technical attribution that is both more transparent and more accessible?

    Building upon existing discussions already taking place at various multilateral fora, such as the first iteration of the UN OEWG or the UN Group of Governmental Experts on advancing responsible State behaviour in cyberspace in the context of international security (UN GGE), this paper suggests some areas through which technical attribution can be made more transparent and accessible. These generally focus on issues pertaining to norm implementation (i.e., norm 13(b) of the UN GGE report concerning cyber attribution) and creating more clarification and guidance for policymakers. Both areas are outlined below:

    Building consensus amongst states regarding (technical) attribution

    The lack of consensus amongst states regarding the necessity of technical attribution and its associated processes remains to be addressed. For example, regarding Norm 13(b), the UN GGE report has noted that “attribution is a complex undertaking” and that “a broad range of factors should be considered before establishing the source of an ICT incident”.[7] While this acknowledges the complexity of attribution (including technical) that practitioners have raised, it leaves various questions unanswered. Given that attribution is complex and involves many factors, what is the “agreed-upon baseline” for such technical attribution to occur?

    Based on documents submitted by states (to both the UN OEWG and UN GGE), it appears that the international community is divided along the lines of whether providing the technical details of ICT incidents (i.e., part of technical attribution) ought to be made compulsory. Some states, such as Russia, have called for legally formalising the need for technical attribution. Others, such as China, while highlighting that states should “demonstrate genuine, reliable and adequate proof” when attributing ICT incidents, hold back from making the provision of evidence a mandatory requirement – note the distinction between use of the term “states should…” and “states must…”.

    Additionally, paragraph 24 of the GGE report highlighted the need for states who have suffered cyberattacks to “include the incident’s technical attributes…including the incident’s bearing on international peace and security; and the results of consultations between the States concerned”. However, there remains much potential for future discussions on the topic (such as at the second iteration of the UN OEWG) to take the discussion further to specify or outline what such technical data collection actually entails, as well as the processes for sharing information and consulting with other concerned states.

    Fostering mechanisms for multistakeholder cooperation at the regional and international levels

    While the UN GGE (July 2021) aimed to promote “cooperative measures to address existing and potential threats” in the ICT sphere, support for mechanisms that promote such cooperation remains lacking. Although states recognise the importance of information-sharing and the value that exchanging best practices could bring,[8] the report concedes that considerations on how cooperation regarding attribution can actually occur will have to be addressed in future discussions.

    Additionally, the call for increased regional and international cooperation is limited to national-level representatives such as Computer Emergency Response Teams (CERTs) or Computer Security Incident Response Teams (CSIRTs) and national ICT authorities. Considering that private sector partners (e.g., cybersecurity vendors) have a significant amount of cybersecurity expertise, the involvement of such private sector partners in international cooperation efforts could significantly assist the international community in gaining more insight into cyberattacks, and aid in attribution processes. It must be noted that expanding the ‘playing field’ to bring in private sector entities would entail significant national security considerations. Successfully addressing this issue would allow private sector expertise to be utilised and further elevate the technical attribution capabilities that states currently possess. Identifying the channels and mechanisms for private sector involvement seems therefore critical for future discussions on building trusted and verifiable technical attribution.

    As demonstrated, there is a clear need for greater communication, transparency, and accessibility to information amongst states, while paying some degree of consideration to national security concerns. However, this is not the first time the international community has faced such transnational problems, which require capacity and expertise-building, as well as cooperation among actors from both the public sector and private industry, in order to solve them. As outlined in the Annex, examples from such disparate areas as piracy, nuclear non-proliferation, and space offer us lessons as to how technical cooperation can operate globally. Information-sharing, a key barrier to international cooperation due to national security concerns, can be effectively implemented once the necessary supporting structures (i.e., agreed-upon definitions and norms) are in place. Potential cooperation can also initially take the form of ‘minilaterals’ or technical ad-hoc groups, where good practices are first shared across a small number of states before being scaled up. Private sector expertise can also be shared with national-level agencies via an array of carefully crafted private-public partnerships (PPP).

    Lastly, capacity building to help the multitude of stakeholders, as well as states with fewer cyber capacities, to learn the complexities of technical attribution should be another critical element in ongoing international efforts. Examples of this could be security training sessions, roundtable discussions (such as those organized by UNIDIR) and gamified virtual exercises (e.g., the Cyber Stability Games developed by Kaspersky with the support of DiploFoundation), amongst others.

    Conclusion

    It is hoped this piece has shed more light on the nuances and caveats of technical attribution, which could be used for further research and analysis by other actors. As no one cybersecurity vendor or any other actor in cyberspace has comprehensive visibility into the threat landscape, closer cooperation among security researchers and cybersecurity companies is necessary for building fact- and evidence-based technical attribution as well as public research. Greater dialogue between security researchers, diplomats, and academia is necessary to avoid their ‘worlds’ existing in silos. Furthermore, technical attribution and its nuances need to be better understood and more accessible for both diplomatic negotiations within bodies like the UN First Committee (which is responsible for dealing with disarmament and international security matters) and evidence-based academic research (which may also inform the former).

    An international attribution mechanism could be a solution to greater transparency in, and accessibility of, technical attribution in an ideal world. However, the likelihood of this being set up in the near future remains relatively low. The lack of political will of states to tie themselves to formal legal obligations in cyberspace means that an effective information-sharing mechanism resembling that which exists in the Somali piracy context is highly unlikely, at least for the near term. The UN and International Atomic Energy Agency’s nuclear information-sharing mechanisms further point to the institutional limits of any such international body. A more feasible alternative would be the building of technical ad-hoc groups, or various mini-lateral groupings, following the examples from the nuclear and space policy realms. Such groups, represented by a diverse security research community and academics, could serve as a technical consultative tool for intergovernmental negotiations taking place within various international fora, such as the UN First Committee. Leadership efforts of a few states, coupled with a global recognition of the danger the lack of information-sharing mechanisms creates, are therefore urgently required for any such group to be effectively set up.

    Annex: Lessons from past global information-sharing initiatives

    Information-sharing on Piracy in Somalia

    Although it exists in a totally different domain, the case of piracy off the coast of Somalia can give us insights into how information-sharing to tackle a common threat might actually occur.[9] A series of UN Security Council (UNSC) Resolutions have bolstered several informal information-sharing mechanisms, aiming to aid in the direct enforcement of international law and the prosecution of piracy crime. The Contact Group on Piracy off the Coast of Somalia (CGPCS) is one such mechanism. An international forum bringing together more than 60 States and international organisations, the CGPCS meets in plenary sessions and various issue-based working groups to share data and enforce coordination strategies. Piracy-related information-sharing mechanisms have been praised as instrumental in lowering rates of Somali piracy over the past two decades. Why then has this area proven so fertile for functional and effective information-sharing regimes and how might this measure up in the case of technically attributing cyberattacks?

    First and foremost, the piracy context enjoys a well-established customary legal practice in international law. The nature of the crime means it is carried out in ‘international waters’, removing jurisdictional conflicts, giving any State the right to seize and penalise pirate ships in high seas. Secondly, the information that is shared among States and organisations for prosecution purposes rarely relies on data protected under the umbrella of ‘national security’. This is not to say that counter-piracy information-sharing mechanisms do not face obstacles. Investigators and prosecutors use similar techniques to cyber attributors of ‘following the money’ and mapping data on group activities and group characteristics. However, unlike in cyber attribution cases, piracy prosecutions centre on relatively unambiguous sets of perpetrators (i.e., Somali pirates), a shared public venue for apprehension activities (i.e., international waters), and less sensitive data required to prosecute piracy (e.g., GPS-based location data, photographs of attacks on vessels). Drawing upon such criteria, technical attribution would therefore require a mechanism to unambiguously identify the sets of perpetrators (i.e., cyberattackers/attack groups), a shared venue that is clearly outlined (i.e., public vs private cyberspace), and data that is both valuable yet falling short of the ‘classified’ threshold. All the above need to be established within the international ‘cyber environment’ via clear and widely-accepted cyber norms. Their relative absence is therefore indicative of the fact that the success of CGPCS and other piracy-related information sharing mechanisms may be difficult to replicate in the cyber context.

    Nuclear non-proliferation and space cooperation as possible PPP models

    Nuclear non-proliferation, or nuclear weapons disarmament, is another issue of international concern where, like in cyber attribution cases, information sharing is recognisably important yet swarmed with political and security apprehension. The widely ratified Treaty on the Non-Proliferation of Nuclear Weapons (‘NPT’) governs the international efforts to prevent the spread of nuclear weapons and to promote cooperation in the peaceful uses of nuclear energy. Article IV of the Treaty specifically states that parties undertake to facilitate and have the right to participate in the fullest possible exchange of information, with the International Atomic Energy Agency (‘IAEA’) being entrusted with key verification responsibilities under the NPT. Additional Protocols to the IAEA’s Statute have, over the years, improved the Agency’s ability to verify the integrity of information provided by states regarding their nuclear activities. Replicating this system in the cyber context would be difficult primarily because of the lack of a treaty that comprehensively regulates state behaviour in cyberspace.

    Indeed, there is little unified political will for any such international agreement in the foreseeable future. Despite the limited powers that the IAEA has over sovereign states, it nonetheless has the authority to conduct inspections, gather data and share information because signatory state parties (to the NPT and IAEA Statute) have willingly given up some of their sovereign rights for these purposes. The existence of the NPT, as a formal source for state obligations, establishes expectations that states can be held to, and provides any mechanisms stemming from it with a degree of authority and political weight. Furthermore, this makes ad-hoc and informal mechanisms in the nuclear context easier to establish and find global support for. The International Partnership for Nuclear Disarmament Verification (IPNDV) is one example of a public-private partnership that brings global actors together to identify and solve technical challenges in monitoring and verifying nuclear disarmament that formal state agreements are not equipped to solve. The fact that states have legal obligations to participate in information sharing means that research opportunities, funding and solutions to information protection issues are also more likely.

    The realm of nuclear non-proliferation, supported by a comprehensive treaty and a slew of associated organisations and bodies, is unlike the cyber domain, where the agreements are fewer and less comprehensive in terms of issue-area coverage. Yet it is also worth pointing out that the lack of an international treaty does not preclude actors from working together. Initiatives undertaken by just a few states (termed ‘minilaterals’) can lead to the development of good practices, which can be scaled up and tweaked to accommodate additional members. An example of such an initiative is the Space Situational Awareness (‘SSA’) Sharing Program set up by the US Air Force Space Command in recognition that space situational awareness is critical to avoiding unintentional collisions and to detecting and attributing attacks on space assets. Initially, the Program suffered from severe asymmetries of information among the interested parties, with the US Air Force having access to an internal catalogue with detailed information on all tracked objects, while the publicly accessible catalogue contained only basic information on a subset of space assets. Such an approach, justified through national security concerns, showed its limitations in 2009, when a commercial communication satellite and a defunct Russian Cosmos satellite collided without advance warning to the commercial operators. Through a series of multistakeholder agreements in 2019 between the US Strategic Command, 19 states, two international organisations, and more than 77 commercial satellite owners, operators and launchers, data of a significantly higher quality has begun to be shared in a more systematic manner between all parties. Such an outcome can perhaps offer us some insight, not just into the benefits of private-public partnerships (PPP), but into how such PPPs can benefit all actors that operate within the realm of space and/or cybersecurity.

    The increased frequency and impact of cyberattacks targeted at governmental infrastructure over the past years has to some extent pushed the international community to explore such coordinated responses. Whether or not these events will have a sufficient impact for a coordinated effort like the SSA remains to be seen.


    [1] E.g., Estonia has expressed that “attribution remains a national political decision based on technical and legal considerations regarding a certain cyber incident or operation. Attribution will be conducted on a case-by-case basis, and various sources as well as the wider political, security and economic context can be considered”. https://front.un-arm.org/wp-content/uploads/2021/08/A-76-136-EN.pdf

    [2] E.g., Germany has expressed that “Attributing a cyber incident is of critical importance as a part of holding States responsible for wrongful behavior and for documenting norm violations in cyberspace.” https://front.un-arm.org/wp-content/uploads/2021/08/A-76-136-EN.pdf

    [3] E.g., submissions from some multistakeholders to the 2019-2021 UN OEWG highlight the need for a “multistakeholder approach which engages all relevant stakeholders to build strong, impartial and verifiable verification mechanisms that build trust and confidence” (https://front.un-arm.org/wp-content/uploads/2020/04/cs-coordination-perspectives-on-oewg-pre-draft.pdf) and support to “support multistakeholder, independent and coordinated attribution efforts” (https://front.un-arm.org/wp-content/uploads/2020/04/oewg-pre-draft-gpd-response-final.pdf).

    [4] Mueller, M. et al, (2019) ‘Cyber Attribution: Can a New Institution Achieve Transnational Credibility?’, The Cyber Defense Review, 4(1): 107-122; https://css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/CSSAnalyse244-EN.pdf.

    [5] https://ict4peace.org/wp-content/uploads/2019/08/ICT4Peace-2019-Submission-UN-Open-Ended-Working-Group.pdf; https://front.un-arm.org/wp-content/uploads/2021/02/WILPF_zero-draft_23Feb2021.pdf.

    [6] E.g., through signaling their own capabilities and technical advances to adversaries who could use this as an additional advantage.

    [7] Ibid, paragraph 22.

    [8] UN GGE Report 2021 (n 17), paragraphs 27 and 28.

    [9] McLaughlin, R. and Paige, T. (2015) ‘The Role of Information sharing in Counter Piracy in the Horn of Africa Region: A Model for Transnational Enforcement Operations’, Journal of International Law and International Relations, 12(1).

    The Verizon 2022 DBIR – https://securelist.com/the-verizon-2022-dbir/105844/ – Wed, 25 May 2022

    The Verizon 2022 Data Breach Investigations Report is out. We are proud to collaborate as a supporting contributor to this year’s data efforts once again and to have contributed for the past 8 years. The report provides interesting analysis of a large volume of global incident data.

    Several things stand out in the 2022 report:

    • Ransomware challenges continue to mount — “Ransomware’s heyday continues, and is present in almost 70% of malware breaches this year.”
    • Social engineering became an overwhelming problem this past year, highlighting the surge in repeated cybercrime tactics — 1. “The human element continues to be a key driver of 82% of breaches and this pattern captures a large percentage of those breaches.” 2. “Actor Motives: Financial (89%), Espionage (11%).”
    • APT activity continues to be high, was underreported in the past, and while it possibly continues to be underreported, its reporting is increasing: “Financial has been the top motive since we began to track it in 2015. However, that same year the rise of hacktivism (particularly leaks) accounted for many attacks. Espionage-related attacks were not even on the radar, but seven years later the world is a very different place. Espionage has taken the 2nd place spot for years, and hacktivism is, for the most part, simply an afterthought. Before we move on, however, it should be noted that while espionage has almost certainly increased over the last few years, the fact that it did not appear at all in 2015 was quite likely due to our contributors and general case load at the time.”
    • System intrusions were heavily weighted at the top by two vectors: “‘Partner’ and ‘Software update’ as the leading vectors for incidents. This is primarily attributed to one very large and very public security incident that happened last year. We’ll give you a hint, it rhymes with ‘PolarShins’.” These data points fall under the supply chain discussion for us, and we continue to see that trend into this year — the “supply chain” is actively targeted and abused as a deployment tactic around the world, and we expect it to continue.

    Business leaders should be sure to check out Appendix C — Behavior. It maintains an interesting approach on quantifying success in training programs, “In 2021 we reported that the human element impacted 85% of breaches, which decreased slightly to 82% this year. Unfortunately, strong asset management and a stellar vulnerability scanner aren’t going to solve this one.”

    Perhaps next year we will read more about IoT and industrial issues, we’ll see. In the meantime, enjoy this year’s publication!

    What’s wrong with automotive mobile apps? – https://securelist.com/third-party-automotive-app-security/106538/ – Wed, 25 May 2022

    Introduction

    The recent story about the 19-year-old hacker who took control of several dozen Tesla cars has become something of a sensation. We already know that there was an issue with a third-party app that enabled access to data from Teslas. This made it possible for the security researcher to lock and unlock the cars, turn the lights on and off, and even enable keyless driving. All the functions in the native Tesla application became available due to a misconfiguration in third-party data logging software. So, let’s try to get a better understanding of what these apps are, why they appear on the market, and the risks they pose.

    First public notice about the incident involving Tesla

    The majority of modern vehicles are equipped with a special telematics module. The electronic control unit with a built-in SIM card provides the manufacturer with the vehicle’s location, warns the owner about upcoming vehicle inspections, and can even contact emergency services. In addition, the car owner gets some handy functions, such as the ability to check the vehicle’s location, control the door locks, remotely turn on climate control, and even automatically park the car. And all that by just using a mobile application.

    Interface of a typical companion app

    But why do people need a third-party app when all these functions are available in the car manufacturer’s application?

    Native apps simply can’t satisfy the demand for features among modern car owners. For example, some users want to see how the fuel/energy consumption changes depending on their route. Some want to warm up the vehicle interior while their smart coffee machine starts making coffee in the morning. And others are not happy that they need to use several mobile applications for different car brands, and want to manage them all from a single universal application.

    So, what can go wrong? The same sort of things that occur in other walks of life. A key is needed to gain access to a car, but in this case, instead of a key, there is a login or email and a password. The automaker’s backend will send a command to the owner’s vehicle as long as it receives these credentials. They are intended to be transferred directly from the automaker’s native app, but third-party apps can ask a user for the original credentials and send them to the automaker’s API on their behalf.

    Communication between apps and vehicle

    The risk is obvious: third parties get the ability, for example, to unlock the car or track all its movements on behalf of the car owner.

    What’s the scope?

    How many of these solutions are out there? Kaspersky analysts checked mobile applications and open-source software, and searched web services, to find out. The research scope included 155 of the most popular solutions that require the vehicle owner’s credentials (login and password pair or API key) to interact with the vehicle. A total of 69 mobile apps and 81 solutions were discovered in open repositories, such as API clients in various programming languages. The findings also included web services, as well as a few other things of interest.

    Types of applications

    Each of these discovered application types is described below.

    About mobile applications

    Let’s start with mobile apps as the most accessible and most understandable for the average user. If we look closer at the descriptions of these apps, they usually talk about their great functionality, convenience, and even comparisons to the “slow” apps provided by automakers.

    Description of a random application

    An analysis of these descriptions showed that more than half the applications fail to mention that they use the owner’s account with the automaker’s native service.

    Share of applications that don’t notify users on credential usage

    Yes, that’s right. The important thing to note here is that the second smaller share is made up of developers that explicitly state their apps do not store the user’s data, or store it in encrypted form or only use the credentials to obtain authorization tokens. But, to be clear, you are basically handing over your car keys to a complete stranger and taking them at their word, because there’s no way of verifying those statements.

    Some of the developers also suggest using an authorization token instead of a username and password to look more credible. But the catch there is that this token makes it possible to access the car in the same way as user credentials. And, once again, the user should be aware that all this is at their own risk. Only 19% of developers feel the need to mention this fact and warn the user without hiding behind several screens of fine print.

    Share of apps warning users about their liability

    The most common way for a user to contact the application developer is usually via feedback in the review section of the mobile app store. But what if the question is more serious and requires an immediate response? Here we can thank the application stores and their placement rules. The contact information for 86% of the app authors was found without much effort, although quite often it is just an email without any additional information. But for some applications the search can lead to a deleted social network page or a stub page with no contacts.

    Share of apps with available contacts

    Based on this, it’s clear that most of these applications are developed by enthusiasts. Is that necessarily a bad thing? No. But there’s no onus on the enthusiast developer to care about your vehicle’s safety and data security to the same extent that state regulators demand of automakers.

    Which vehicle brands are most often subject to control by third-party apps? In total, we counted 31 brands, with the top five shown below. Note, some applications enable control of more than one type of car brand, so the number of mentions is not equal to the total number of apps.

    Top five affected automotive brands

    Tesla leads by a considerable margin, followed by Nissan. It appears that electric vehicle owners, who are usually car enthusiasts, are interested in these apps.

    When it comes to the cost, 46 of the 69 apps are free of charge or at least have a demo mode. If a program can do cool tricks with a car and costs a lot of money, there may well be a free counterpart.

    Free to paid allocation

    This, combined with the fact that such applications have been downloaded from Google Play more than 239,000 times, makes you wonder just how many people have given strangers free access to their cars.

    Open-source API clients and web services

    It is worth noting that slightly more advanced users tend to use software from GitHub. And indeed, it is pretty easy to check it to see if an API client is transferring sensitive information to third parties. But what if the source code is a bit more complicated? Would all the users check the code, and how thoroughly? And, of course, this won’t guarantee there are no vulnerabilities in the application itself or its components. The example in the first link of this article illustrates that rather well.

    The third type of application in our selection is web services. These services are provided to users on a commercial basis. But even though they may be developed by organizations with highly skilled developers and well-established management, the authorization scheme is not that different. The user still needs to provide their credentials, but to a web form and not to a mobile application or API endpoint.

    What didn’t fit our data?

    One other type of application stands a little apart from the rest. That’s because, unlike the regular add-ons or the classic “give the username and password – get the token” scheme, they are designed as full-fledged B2B solutions. B2B? Yes, that’s right. Take, for instance, a company that wants to sell an application or service to a user without diving deep into the specific implementations of different car manufacturers. A B2B provider offers a universal solution that can interact with multiple automakers, taking on that work and becoming an intermediate link.

    Schematically, an example would be as follows:

    • The user registers in an online third-party service like those mentioned in the previous section. That service helps estimate the optimal time and location to charge a vehicle.
    • The system of the service has no direct access to the automaker’s API, so it passes the user’s credentials to the aforementioned B2B provider.
    • In its turn, the B2B provider sends the credentials to the automaker’s API and gets an authorization token in return, allowing direct access to the user’s vehicle and its data.

    Thus, the username and the password go to both the third-party application and the B2B provider at the same time. In this case, both the owner and developer “in the middle” are at risk because the security of the user data now depends on yet another company.

    There is also some risk here for the automakers because these services process the data of lots of users. Yes, all of this only works with the end user’s consent, but, as recent events show, it is the car brand that makes the headlines, rather than the app name.

    Conclusion

    If you decide to stop using such apps after reading this article, there are a few things to consider:

    • It’s not enough to just delete the app – some services require that you end the subscription or delete your account on their website;
    • A password change is mandatory;
    • Even after a password reset, it is better to try to revoke access via the manufacturer’s website (if there is such a feature) or customer support service.

    Of course, not all these companion applications should be treated as insecure or untrusted. Some of them use specially designed solutions from automakers, which, for example, make it impossible to unlock the doors remotely for security reasons. Instead, access to the vehicle data is given via the manufacturer’s website, and there is no need to provide credentials to a particular application. Users can also revoke this access at any time. Unfortunately, there still aren’t many apps capable of this.
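    To make the difference concrete, here is an added example (written for this page, not code from Securelist or from any automaker) that models the two grant paths in a toy in-memory backend: the “hand over the username and password” path, which yields a token carrying the owner’s full rights, and the manufacturer-side delegated path described above, in which the app never sees the password, can never be granted the unlock permission and can be revoked by the owner at any time. It also models the Conclusion’s caveat that a password reset alone does not invalidate tokens already issued; whether a particular automaker’s backend behaves that way is an assumption to verify, which is why the checklist says to revoke access explicitly. It also covers the B2B chain from the previous section, since the credential path there is the same password grant with one more party holding the password.

```python
"""Toy model of two ways a third-party app can obtain access to a vehicle account.

Added example, not code from the article or any automaker. Assumed behaviours:
  - password grant: the app holds the owner's login/password and receives a
    token with the owner's full rights (including unlock);
  - delegated grant: the owner approves the app on the automaker's site; the
    app never sees the password and only receives data scopes, never unlock;
  - a password change does not invalidate already-issued tokens; only an
    explicit revocation does.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

FULL_SCOPE = frozenset({"read:location", "read:battery", "unlock"})
DATA_SCOPE = frozenset({"read:location", "read:battery"})   # delegable subset


@dataclass
class Token:
    value: str
    owner: str
    app: str
    scope: frozenset
    revoked: bool = False


class AutomakerBackend:
    def __init__(self):
        self._pw_hash = {}   # login -> password hash (toy; use a real KDF in production)
        self._tokens = {}    # token value -> Token
        self.audit = []      # (owner, app, action, allowed)

    @staticmethod
    def _hash(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def register_owner(self, login, password):
        self._pw_hash[login] = self._hash(password)

    def password_grant(self, login, password, app):
        """Path used by credential-forwarding apps: the app presents the owner's
        own credentials and gets a token with every right the owner has."""
        if not hmac.compare_digest(self._pw_hash.get(login, ""), self._hash(password)):
            raise PermissionError("bad credentials")
        return self._issue(login, app, FULL_SCOPE)

    def delegated_grant(self, login, app, requested_scope):
        """Path described in the Conclusion: the owner approves the app on the
        automaker's site. No password changes hands and unlock is never delegated."""
        return self._issue(login, app, frozenset(requested_scope) & DATA_SCOPE)

    def _issue(self, login, app, scope):
        t = Token(secrets.token_urlsafe(16), login, app, scope)
        self._tokens[t.value] = t
        return t.value

    def change_password(self, login, new_password):
        # Modelled caveat: resetting the password leaves existing tokens valid.
        self._pw_hash[login] = self._hash(new_password)

    def revoke_app(self, login, app):
        """Owner-initiated revocation of everything issued to one app."""
        n = 0
        for t in self._tokens.values():
            if t.owner == login and t.app == app and not t.revoked:
                t.revoked = True
                n += 1
        return n

    def command(self, token_value, action):
        """Authorise a vehicle command; every decision is written to the audit log."""
        t = self._tokens.get(token_value)
        ok = t is not None and not t.revoked and action in t.scope
        self.audit.append((t.owner if t else None, t.app if t else None, action, ok))
        return ok


def demo():
    be = AutomakerBackend()
    be.register_owner("owner@example.test", "hunter2")
    tok_pw = be.password_grant("owner@example.test", "hunter2", "ForwardingApp")
    tok_dl = be.delegated_grant("owner@example.test", "ScopedApp", FULL_SCOPE)
    results = {
        "forwarding_can_unlock": be.command(tok_pw, "unlock"),
        "delegated_can_unlock": be.command(tok_dl, "unlock"),
        "delegated_can_read": be.command(tok_dl, "read:battery"),
    }
    be.change_password("owner@example.test", "new-password")
    results["forwarding_after_pw_change"] = be.command(tok_pw, "unlock")
    be.revoke_app("owner@example.test", "ForwardingApp")
    results["forwarding_after_revoke"] = be.command(tok_pw, "unlock")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The audit log is the piece a backend operator would actually act on: a token issued via the password path to an app name the owner never heard of, or a burst of unlock commands from one app across many owners, is visible there even though every request carried valid credentials.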

    Hence, we urge the app developers to make user protection a priority and take precautionary measures so as not to compromise their customers or themselves. Instead of assuming their customers are prepared for potential threats, developers can proactively equip their apps with additional user-protection technologies.

    Kaspersky recommends the following for application developers:

    • Since supply-chain attacks through public repositories have become more frequent of late, the development process needs enhanced protection against outside interference. Adopt solutions that can secure the software development process by application control at runtime, scanning for vulnerabilities before deployment, routine security vetting of containers and anti-malware testing of the production artifacts. Kaspersky Hybrid Cloud Security meets development needs. It secures Docker and Windows containers and provides a ‘security-as-code’ approach, with containerization host memory protection, tasks for containers, image scanning and scriptable interfaces, so you can integrate security tasks into CI/CD pipelines without impacting the development process.
    • Implement protection mechanisms into the app. Kaspersky Mobile SDK enables customer data protection, as well as malware detection, secure connectivity and more.