According to the United Nations, small and medium-sized businesses (SMBs) constitute 90 percent of all companies and contribute 60 to 70 percent of all jobs in the world. They generate 50 percent of global gross domestic product and form the backbone of most countries’ economies. Hit hardest by the COVID pandemic, geo-political and climate change, they play a critical role in a country’s recovery, requiring greater support from governments to stay afloat.

In the past, the perception was that large corporations were more attractive to cybercriminals. Yet in reality, cybercriminals can target anyone, especially those who are less protected, while small businesses typically have smaller budgets and are not as securely protected as larger companies.

According to a report by the Barracuda cybersecurity company, in 2021, businesses with fewer than 100 employees experienced far more social engineering attacks than larger ones. That same year saw one of the worst ransomware incidents in history, the Kaseya VSA supply-chain attack. By exploiting a vulnerability in the software, the cybergang REvil infiltrated between 1,500 and 2,000 businesses around the world, many of which were SMBs. For example, the attack hit a small managed service provider Progressive Computing, and, by virtue of the domino effect, the company’s 80 clients, which were mainly small businesses. Although the attack was stopped fairly quickly, the SME sector was understandably shaken, alerting businesses to the fact that everyone was vulnerable.

According to the Kaspersky cyber-resilience report, in 2022, four in ten employers admitted that a cybersecurity incident would be a major crisis for their business, superseded only by a slump in sales or a natural disaster. A cybersecurity crisis would also be the second most difficult type of crisis to deal with after a dramatic drop in sales if judged by the results of the survey.

In this report, we have analyzed the key threats to small and medium-sized companies in 2022 and 2023, and provided advice on how to stay safe.

Methodology

The statistics used in this report were collected from January through May 2023 by Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users.

To assess the threat landscape for the SMB sector, Kaspersky experts collected the names of the most popular software products used by its clients who owned small or medium-sized businesses around the world. The final list of the software includes MS Office, MS Teams, Skype and others used by the SMB sector. We then ran these software names against Kaspersky Security Network (KSN)* telemetry to find out how much malware and unwanted software was distributed under the guise of these applications.

Malware attacks

Between January 1 and May 18, 2023, 2,392 SMB employees encountered malware or unwanted software disguised as business applications, with 2,478 unique files distributed this way. The total number of detections of these files was 764,015.

Below is a brief description of the most popular types of threats that SMB employees encountered in January–May 2023:

Exploits

The biggest threat to SMBs in the first five months of 2023 were exploits, which accounted for 483,980 detections. Malicious and/or unwanted software often infiltrates the victim’s computer through exploits, malicious programs designed to take advantage of vulnerabilities in software. They can run other malware on the system, elevate the attackers’ privileges, cause the target application to crash and so on. They are often able to penetrate the victim’s computer without any action by the user.

Trojans

The second-biggest threat were Trojans. Named after the mythical horse that helped the Greeks infiltrate and defeat Troy, this type of threat is the best-known of them all. It enters the system in disguise and then starts its malicious activity. Depending on its purpose, a Trojan can perform various actions, such as deleting, blocking, modifying or copying data, disrupting the performance of a computer or computer network, and so on.

Backdoors

The third most common threat are backdoors. These are among the most dangerous types of malware as, once they penetrate the victim’s device, they give the cybercriminals remote control. They can install, launch and run programs without the consent or knowledge of the user. Once installed, backdoors can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity, and more.

Not-a-virus

Potentially unwanted applications (PUAs) that can be inadvertently installed on your device are labeled “not-a-virus” by our solutions. Although they are listed among the most widespread threats and can be used by cybercriminals to cause harm, they are not malicious per se. Nonetheless, their behavior is annoying, sometimes even dangerous, and the antivirus alerts users because, despite being legal, they often sneak onto the device without the user realizing.

TOP 10 threats for SMBs, January-May 2022 (download)

TOP 10 threats for SMBs, January-May 2023 (download)

Cybercriminals attempt to deliver this and other malware and unwanted software to employees’ devices by using any means necessary, such as vulnerability exploitation, phishing e-mails and fake text messages. Even something totally unrelated to business, such as a YouTube link, may be used to target SMBs, as their employees often use the same devices for work and personal matters.

One of the methods often utilized to hack into employees’ smartphones is so-called “smishing” (a combination of SMS and phishing). The victim receives a link via SMS, WhatsApp, Facebook Messenger, WeChat or some other messaging app. If the user clicks the link, malicious code is uploaded into the system.

Examples of scam threats and phishing

Phishing and scam can pose a significant threat to SMBs, as scammers try to mimic payment, loan and other services, as well as cloud service providers like Microsoft, in order to obtain confidential information or company funds. Often, the phishing pages where the employees land if they click a link in a scam e-mail are tailored to look like login pages to the target systems with the corresponding logo on the page. Below, we provide several examples of phishing pages that imitate various services in an attempt to get hold of the target company’s data and money.

• An insurance company

  

  On the screenshot above scammers are trying to hack the insurance company account of its client’s employee.

• A “personal” banking service

  

  These scammers disguise themselves as a financial institution. On the phishing page that claims to offer personal banking services, they ask users to log in with their corporate banking account credentials. If an employee enters their credentials, the scammers get access to their account.

• A fake website pretending to be a legitimate delivery service

  

  

  Here, the cybercriminals imitate the website of a well-known delivery provider in order to fool businesses into giving away their corporate DHL accounts.

Scammers often reach employees by e-mail. Attackers use social engineering techniques to try to trick employees into following a phishing link, revealing the company’s confidential data or transferring money.

For example, in late 2022, scammers posing as top-level executives of a company sent out e-mails to their employees, instructing them to move money from a business account into another account urgently. Fake e-mails were thoroughly crafted, so that the employees would not question their authenticity.

Some spammers pretend to be representatives of financial organizations offering attractive deals to startup businesses. However, by applying for funding thus offered, an employee may give out sensitive data or even lose company money.

SMB employees and especially managers are often the target of spam campaigns touting collaborations and B2B services, such as SEO, advertising, recruitment assistance and lending. Small and little-known firms with questionable service quality typically promote themselves that way. Often they send their offer repeatedly, even if they never receive an answer.

Qbot Trojan using a conversation hijacking technique

Recently, Kaspersky researchers discovered a new campaign employing the “conversation hijacking” technique. The attackers gained access to the victim’s e-mail and replied to their conversations. Posing as one of the respondents in the e-mail chain, the fraudsters sent a message with a PDF attachment asking the victim to download it. The PDF contained a fake notification from Microsoft Office 365 or Microsoft Azure which unleashed the Qbot Trojan when downloaded. The attackers also sent messages containing a URL that was supposed to lead to an “important business document”.

Qbot (aka QakBot, QuackBot, and Pinkslipbot) has been around since 2007. This malware is classified as a banking Trojan as it enables hackers to mine their victims’ banking credentials. The malware can also collect cookies from victims’ browsers, access their correspondence, spy on their banking activities and record keystrokes. Finally, the Trojan can install other malware, such as ransomware.

Conclusion

As cybercriminals target SMBs with all types of threats — from malware disguised as business software to elaborate phishing and e-mail scams — businesses need to stay on high alert. This is critical, because a single cyberattack can lead to catastrophic financial and reputational losses for a company. To keep your business protected from cyberthreats, we recommend you do as follows:

• Provide your staff with basic cybersecurity hygiene training. Conduct a simulated phishing attack to ensure that they know how to recognize phishing e-mails.
• Use a security solution for endpoints, such as Kaspersky Endpoint Security for Business or Cloud-Based Endpoint Security, to minimize the chances of infection.
• If you are a Microsoft 365 user, remember to protect that too. Kaspersky Security for Microsoft Office 365 includes dedicated apps that target spam and phishing, and protect SharePoint, Teams and OneDrive for secure business communications.
• Set up a policy to control access to corporate assets, such as e-mail boxes, shared folders and online documents. Keep it up to date and remove access if the employee has left the company or no longer needs the data. Use cloud access security broker software that can help manage and monitor employees’ cloud activity and enforce security policies.
• Make regular backups of essential data to ensure that corporate information stays safe in an emergency.
• Provide clear guidelines on the use of external services and resources. Employees should know which tools they should or should not use and why. Any new work software should go through a clearly outlined approval process by IT and other responsible roles.
• Encourage employees to create strong passwords for all digital services they use and to protect accounts with multi-factor authentication wherever applicable.
• Use professional services to help you get the most out of your cybersecurity resources. The new Kaspersky Professional Services Packages for SMB provides access to Kaspersky’s expertise on assessment, deployment and configuration: all you need to do is add the package to the contract, and our experts will do the rest.

Financial gain remains the key driver of cybercriminal activity. In the past year, we’ve seen multiple developments in this area – from new attack schemes targeting contactless payments to multiple ransomware groups continuing to emerge and haunt businesses. However, traditional financial threats – such as banking malware and financial phishing, continue to take up a significant share of such financially-motivated cyberattacks.

In 2022, we saw a major upgrade of the notorious Emotet botnet as well as the launch of massive campaigns by Emotet operators throughout the year. For instance, malicious spam campaigns targeting organizations grew 10-fold in April 2022, spreading Qbot and Emotet malware. We also witnessed the emergence of new banking Trojans that hunt for banking credentials, and greater activity on the part of some well-known ones, such as Dtrack, Zbot and Qbot.

The good news is that regardless of these continuous advancements, we’ve witnessed a steady decrease in the number of attacks by banking Trojans. Security solutions integrated into operating systems, two-factor authentication and other verification measures have helped reduce the number of vulnerable users. Additionally, in many markets mobile banking has been pushing out online banking, with more and more convenient and secure banking apps emerging.

Meanwhile, cryptocurrency became a prominent target for those seeking monetary gain. The amount of cryptocurrency-related phishing grew significantly in 2022, and with an endless array of new coins, NFT and other DeFi projects, scammers are continuously duping users. Funds lost via cryptocurrency are hard to track and impossible to return with the help of a regulatory body, as is done with banks and fiat currency, so this trend is likely to continue gaining traction.

Some advanced persistent threat (APT) actors also started tapping into the cryptocurrency market. We previously reported on the Lazarus group, which developed VHD ransomware for the purpose of monetary gain. Now we see that APT actors have also switched to crypto. BlueNoroff developed an elaborate phishing campaign that targeted startups and distributed malware for stealing all crypto in the account tied to the device. They impersonated numerous venture capital groups and investors with considerable success. The NaiveCopy campaign, another example of an advanced threat, targeted stock and cryptocurrency investors in South Korea. And there is more room for further development – hardware wallets and smart contracts could provide a new juicy target for attackers.

This report shines a spotlight on the financial cyberthreat landscape in 2022. It presents a continuation of our previous annual financial threat reports (2018, 2019, 2020, 2021), which provide an overview of the latest trends across the threat landscape. We look at phishing threats commonly encountered by users and companies, as well as the dynamics of various Windows and Android-based financial malware.

Methodology

For this report, we conducted a comprehensive analysis of financial cyber threats in 2022. We focused on malicious software that targets financial services institutions such as online banking, payment systems, e-money services, online stores, and cryptocurrency services. This category of financial malware also includes those seeking unauthorized access to financial organisations’ IT infrastructures.

In addition to financial malware, we also examined phishing activities. This entailed studying the design and distribution of financially themed web pages and emails that impersonate well-known legitimate sites and organizations with the intention of deceiving potential victims into disclosing their private information.

To gain insights into the financial threat landscape, we analyzed data on malicious activities on the devices of Kaspersky security product users. Individuals who use these products voluntarily made their data available to us through Kaspersky Security Network. All data collected from Kaspersky Security Network was anonymized.

We compared the data from 2022 to that of 2021 to identify year-on-year trends in malware development. However, we also included occasional references to earlier years to provide further insights into the evolutionary trends in financial malware.

Key findings

Phishing

• Financial phishing accounted for 36.3% of all phishing attacks in 2022.
• E-shop brands were the most popular lure, accounting for 15.56% of attempts to visit phishing sites.
• PayPal was the almost exclusive focus of phishers in the electronic payment systems category, with 84% of phishing pages targeting the platform.
• Cryptocurrency phishing saw 40% year-on-year growth in 2022, with 5,040,520 detections compared to 3,596,437 in 2021

PC malware

• The number of users affected by financial malware continued to decline in 2022, dropping by 14% from 2021.
• Ramnit and Zbot were the most prevalent malware families, targeting over 50% of affected users.
• Consumers remained the primary target of financial cyberthreats, accounting for 61.8% of attacks.

Mobile malware

• The number of Android users attacked with banking malware decreased by around 55% in 2022 compared to the previous year.
• Bian surpassed Agent as the most active mobile malware family in 2022, with 22% of attacks compared to Agent’s 20%.
• The geographical distribution of affected users by Android banking malware in 2022 shows that Spain had the highest percentage of targeted users with 1.96%, followed by Saudi Arabia with 1.11% and Australia with 1.09%.

Financial phishing

Phishing continues to be one of the most widespread forms of cybercrime thanks to the low entry threshold and its effectiveness. As we covered previously, cybercriminals can launch phishing campaigns with minimal effort by purchasing ready-made phishing kits.

Phishing is typically built around a classic scheme: first create a website, then craft emails or notifications that mimic real organizations and prompt users to follow a link to the site, share their personal or payment information, or download a program disguised as malware. Phishers mimic every type of organization, including banks, government services, retail and entertainment, as long as the service has a strong user base.

Financial services in particular are of high interest to phishers due to the direct connection to money and payment data. In 2022, 36.3% of all phishing attacks detected by Kaspersky anti-phishing technologies were related to financial phishing.

Distribution of financial phishing cases by type, 2022 (download)

In this report, financial phishing includes banking-specific, but also e-shop and payment systems.

Payment-system phishing refers to phishing pages that mimic well-known payment brands, such as PayPal, MasterCard, Visa, and American Express. E-shops mean online stores and auction sites such as Amazon, Aliexpress, the App Store, and eBay.

In 2022, e-shop brands were the most popular type of lure used by phishers. 15.56% of attempts to visit phishing sites blocked by Kaspersky in 2022 were related to e-shops. If we look at the distribution within financial phishing, e-shops account for 42% of financial phishing cases. E-shops were followed by payment systems (10.39%) and banks (10.39%). Online shopping continues to grow worldwide and, accordingly, the number of brands that are being mimicked by phishers grows with novel schemes appearing on a regular basis.

E-shop brands most frequently exploited in financial phishing schemes, 2022 (download)

In 2022, Apple remains the most exploited brand by scammers, with almost 60% of attacks. The allure of winning the latest model of a new device has proved irresistible to many users, especially during the current global crisis with increasing prices. Not only did we see a spike in these types of scams during major Apple events, but also scammers frequently use Apple to lure victims by offering, for instance, newly released iPhones as prizes for predicting match outcomes during major events like the FIFA World Cup. Meanwhile, Amazon remained in second place with 14.81% of attacks.

In the realm of electronic payment systems, PayPal has traditionally been a popular target for exploitation by scammers. However, recent data indicates that this year it is not only the primary but the near exclusive focus of phishers, with a staggering 84.23% of phishing pages for electronic payment systems targeting PayPal. As a result, the shares of other payment systems have plummeted, with MasterCard International down to 3.75%, Visa Inc. down to 3.10%, and American Express down to 2.02% in 2022.

Payment system brands most frequently exploited in financial phishing schemes, 2022  (download)

Example of a phishing page mimicking the PayPal login page

Cryptophishing

In 2022, cryptocurrency phishing rose sufficiently to be included as a separate category. While the total number of attempts to visit such sites makes up just a fraction (0.87%) of all phishing, this category of phishing demonstrated 40% year-on-year growth with 5,040,520 detections in 2022 compared to 3,596,437 in 2021. This boom in cryptophishing may be partially explained by the cryptomarket havoc we saw last year. That said, it is so far unclear whether the trend will continue, and this will significantly depend on the trust users put in cryptocurrency.

Example of a phishing page offering crypto

Cryptoscams exploit the topic of cryptocurrency to deceive people and steal their money, often through promises of high returns on investments. Common types include Ponzi schemes, ICO scams, phishing scams, and fake wallet scams.

Example of a phishing page asking for crypto details

Banking malware

This section analyzes banking malware used for stealing login credentials for online banking or payment systems, as well as capturing one-time passwords for two-factor authentication.

Our analysis of financial cyberthreats in 2022 revealed that the number of users affected by financial malware continued to decline. The figures showed a decrease from 405,985 in 2021 to 350,808 in 2022, marking a 14% drop. This decline followed the trend observed over the previous years, with a 35% drop in 2021, a 20% decline in 2020, and a near 13% decrease in 2019. Financial PC malware is on the wane due to the challenges and costs associated with maintaining and developing a botnet capable of successfully attacking users. To execute a successful attack, the Trojan must wait until the user manually logs in to their bank’s website, which has become more infrequent with the growth in popularity of mobile banking apps. Furthermore, the latest versions of operating systems come with built-in security systems, and prolonged presence in the system raises the probability of malware detection. This might also indicate a pivot toward advanced targeted attacks as cybercriminals start to prioritize large business targets.

Additionally, cybercriminals are adapting their tactics to exploit the shift toward mobile banking. As users increasingly switch to phone banking, attackers are developing new techniques to compromise mobile devices and steal sensitive information.

Dynamic change in the number of unique users attacked by banking malware in 2021 – 2022  (download)

Main actors among banking malware

Our 2022 analysis of financial cyberthreats revealed the presence of several families of banking malware with varying lifecycles. Ramnit emerged as the most prevalent malware family with a share of 34.4%, followed by Zbot with 16.2%. Interestingly, the analysis highlights that over 50% of affected users were targeted only by these two families. Ramnit activity increased substantially compared to the previous year, when its slice was only 3.4%. This malware worm spreads through spam emails with links to infected websites, and steals financial information. Emotet, previously named by Europol the world’s most dangerous malware, made a return to the Top 3 most active malware families after law enforcement shut it down in January 2021.

The lifecycle of Emotet vividly demonstrates how malware families continue to evolve and expand their capabilities to infiltrate and compromise financial systems.

Top 10 PC banking malware families

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Geography of attacked users

In this year’s report, we calculated the percentage of Kaspersky users in each country that encountered a financial cyberthreat relative to all users that were attacked by financial malware. This approach helps us identify the countries with the highest risk of computer infection due to financial malware.

The 2022 report shows the distribution of financial malware attacks across different countries. The Top 20 countries in the list below account for more than half of all infection attempts.

Top 20 countries and territories by share of attacked users

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

The data shows that Turkmenistan has the highest share of attacked users with 6.6%, followed by Afghanistan and Tajikistan with 6.5% and 4.9% respectively.

Types of users attacked

The 2022 numbers show that the distribution of financial cyberthreats remained relatively stable, with consumers (61.8%) still being the primary target and corporate users (38.2%) accounting for a smaller percentage of attacks. The 2022 increase is relatively small, at less than 1%, and does not represent a significant shift in the overall distribution of attacks.

Malware attack distribution by type (corporate vs consumer), 2021 – 2022 (download)

This can be attributed to the fact that the world has become accustomed to the new style of post-pandemic work, with many companies continuing to operate in remote or hybrid work modes. The trend of working from home or remotely is no longer new, and many companies have adapted to it. As a result, they have also learned how to deal with potential threats and have implemented measures to ensure the security of their employees’ devices and data. Now employees are likely using similar devices and security measures for personal and work purposes, making it harder for cybercriminals to differentiate between consumer and corporate targets.

Mobile banking malware

We have been observing a steady and steep downward trend in the number of Android users affected by banking malware for at least four years now. In 2022, the number of Android users attacked with banking malware was 57,219, which is more than 2.5 times less than the figures reported in the previous year, representing a drop of around 55%.

This trend marked a continuation from previous years, with the number of Android users attacked dropping by 55% in 2020 and by almost 50% in 2021, resulting in a total of 147,316 users affected in 2021.

Number of Android users attacked by banking malware by month, 2020 – 2022 (download)

Despite the steady decline in the number of Android users affected by banking malware, it is important for users not to become complacent, as cybercriminals continue to evolve their malware and find new ways to carry out attacks. In 2022, we identified over 200,000 new banking Trojan installers, which is twice the number reported in the previous year.

Comparing the most active mobile malware families of 2021 to those of 2022, we see some significant changes. In 2021, Agent was the most prevalent mobile malware, representing 26.9% of attacks. However, in 2022, Bian surpassed Agent as the most active mobile malware family, with 24.25% attacks compared to Agent’s 21.57%.

As for the other malware families on the list, Anubis (11.24%) and Faketoken (10.53%) maintained their positions in the Top 5, respectively. Asacub also remained in the Top 5 list, with almost 10% of attacks, but dropped to fifth place from its third-place ranking in 2021.

Top10 Android banking malware families

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Svpeng, which was the third most prevalent malware family in 2021, with 21.4% of attacks, dropped to sixth place in 2022, with 6.08% attacks. Meanwhile, Cebruser, Gustuff, Bray, and Sova entered the list.

Geography of attacked users

The geographical distribution of affected users by Android banking malware in 2021 shows some differences between the two lists of Top 10 countries and regions. In the first list, Japan had the highest percentage of targeted users with 2.18%, followed by Spain with 1.55%, while in the second list, Spain had the highest percentage with 1.96%, followed by Saudi Arabia with 1.11%.

Australia appeared in both lists, with a 0.48% share in the first list and a 1.09% share in the second. Turkey also appeared in both lists, with a 0.71% share in the first list and a 0.99% share in the second. Italy had a 0.29% share in the first list and a 0.17% share in the second list, while Japan had a 0.30% share in the second list.

Top 10 countries and territories, 2021

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 25,000) have been excluded from the rankings.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Top 10 countries and territories, 2022

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 25,000) have been excluded from the rankings.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Overall, the two lists show that banking malware continues to be a global threat, affecting users in different countries and regions.

Conclusion

Year 2022 demonstrated that banking malware attacks continue to decline, both for PC and mobile malware. Still, the number of such attacks remains significant and users, as always, need to stay vigilant. At the same time, cybercriminals are switching their focus to cryptocurrency, as these attacks are harder to track. With new payment systems emerging, we are sure to see new attacks in the future and, potentially, yet more targeting of cryptocurrency.

Additionally, financial phishing schemes remain a top category in all phishing, with fraudsters continuing to hunt for banking and other sensitive data, exploiting trusted brands. This activity isn’t likely to die down, and we will continue to witness new schemes emerge on a regular basis.

For protection against financial threats, Kaspersky recommends to:

• Install only applications obtained from reliable sources
• Refrain from approving rights or permissions requested by applications without first ensuring they match the application’s feature set
• Never open links or documents included in unexpected or suspicious-looking messages
• Use a reliable security solution, such as Kaspersky Premium, that protects you and your digital infrastructure from a wide range of financial cyberthreats

To protect your business from financial malware, Kaspersky security experts recommend:

• Providing cybersecurity awareness training, especially for employees responsible for accounting, that includes instructions on how to detect phishing pages
• Improving the digital literacy of staff
• Enabling a Default Deny policy for critical user profiles, particularly those in financial departments, which ensures that only legitimate web resources can be accessed
• Installing the latest updates and patches for all software used

 The state of stalkerware in 2022 (PDF)

Main findings of 2022

The State of Stalkerware is an annual report by Kaspersky which contributes to a better understanding of how many people in the world are affected by digital stalking. Stalkerware is a commercially available software that can be discretely installed on smartphone devices, enabling perpetrators to monitor an individual’s private life without their knowledge.

Stalkerware can be downloaded and easily installed by anyone with an Internet connection and physical access to a smartphone. A perpetrator violates the victim’s privacy as they can then use the software to monitor huge volumes of personal data. Depending on the type of software, it is usually possible to check device location, text messages, social media chats, photos, browser history and more. Stalkerware works in the background, meaning that most victims will unaware that their every step and action is being monitored.

In most countries around the world, the use of stalkerware software is currently not prohibited but installing such an application on another individual’s smartphone without their consent is illegal and punishable. However, it is the perpetrator who will be held responsible, not the developer of the application.

Along with other related technologies, stalkerware is part of tech-enabled abuse and often used in abusive relationships. As this is part of a wider problem, Kaspersky is working with relevant experts and organizations in the field of domestic violence, ranging from victim support services and perpetrator programs through to research and government agencies, to share knowledge and support professionals and victims alike.

2022 data highlights

• In 2022, Kaspersky data shows that 29,312 unique individuals around the world were affected by stalkerware. Compared to the downwards trend that has been recorded in previous years, this is similar to the total number of affected users in 2021. Taking into account the developments in digital stalking software over the past few years, the data suggests there is a trend towards stabilization. More broadly, it is important to note that the data covers the affected number of Kaspersky users, with the global number of affected individuals likely to be much higher. Some affected users may use another cybersecurity solution on their devices, while some do not use any solution at all.
• In addition, the data reveals a stable proliferation of stalkerware over the 12 months of 2022. On average, 3333 users each month were newly affected by stalkerware. The stable detection rate indicates that digital stalking has become a persistent problem that warrants wider societal attention. Members from the Coalition Against Stalkerware estimate that there could be close to one million victims globally affected by stalkerware every year.
• According to the Kaspersky Security Network, stalkerware is most commonly used in Russia, Brazil, and India, but continues to be a global phenomenon affecting all countries. Regionally, the data reveals that the largest number of affected users can be found in the following countries:
  • Germany, Italy, and France (Europe);
  • Iran, Turkey, and Saudi Arabia (Middle East and Africa);
  • India, Indonesia, and Australia (Asia-Pacific);
  • Brazil, Mexico, and Ecuador (Latin America);
  • United States (North America);
  • Russian Federation, Kazakhstan and Belarus (Eastern Europe (except European Union countries), Russia and Central Asia).
• Globally, the most commonly used stalkerware app is Reptilicus with 4,065 affected users.

2022 trends observed by Kaspersky

Methodology

The data in this report has been taken from aggregated threat statistics obtained from the Kaspersky Security Network. The Kaspersky Security Network is dedicated to processing cybersecurity-related data streams from millions of volunteer participants around the world. All received data is anonymized. To calculate the statistics, the consumer line of Kaspersky’s mobile security solutions has been reviewed according to the Coalition Against Stalkerware’s detection criteria on stalkerware. This means that the affected number of users have been targeted by stalkerware only. Other types of monitoring or spyware apps that fall outside of the Coalition’s definition are not included in the report statistics.

The statistics reflect unique mobile users affected by stalkerware, which is different from the total number of detections. The number of detections can be higher as stalkerware may have been detected several times on the same device of the same unique user if they decided not to remove the app upon receiving a notification.

Finally, the statistics reflect only mobile users using Kaspersky’s IT security solutions. Some users may use another cybersecurity solution on their devices, while some do not use any solution at all.

Global detection figures: affected users

This section compares the global and regional statistics collected by Kaspersky in 2022 with statistics from previous years. In 2022, a total number of 29,312 unique users were affected by stalkerware. Graphic 1, below, shows how this number has varied from year to year since 2018.

Graphic 1 – Evolution of affected users year-on-year since 2018

Graphic 2, below, shows the number of unique affected users per month from 2021 to 2022. In 2022, the situation is almost identical to 2021, indicating that the rate of stalkerware proliferation has stabilized. On average, 3333 users were newly affected by stalkerware every month.

Graphic 2 – Unique affected users per month over the 2021-2022 period

Global and regional detection figures: geography of affected users

Stalkerware continues to be a global problem. In 2022, Kaspersky detected affected users in 176 countries.

Countries most affected by stalkerware in 2022

In 2022, Russia (8,281), Brazil (4,969), and India (1,807) were the top 3 countries with the most affected users. Those three countries remain in leading positions according to Kaspersky statistics since 2019. Compared to previous years, it is noteworthy that the number of affected users in the U.S. has dropped down the ranking and now features in fifth place with 1,295 affected users. Conversely, there has been an increase noted in Iran which has moved up to fourth place with 1,754 affected users.

Compared to 2021, however, only Iran features as a new entrant in the top 5 most affected countries. The other four countries – Russia, Brazil, India, and the U.S. – have traditionally featured at the top of the list. Looking at the other half of the top 10 most affected countries, Turkey, Germany, and Mexico have remained among the countries most affected compared to last year. New entrants into the top 10 most affected countries in 2022 are Saudi Arabia and Yemen.

Table 1 – Top 10 countries most affected by stalkerware in the world in 2022

In Europe, the total number of unique affected users in 2022 was 3,158. The three most affected countries in Europe were Germany (737), Italy (405) and France (365). Compared to 2021, all countries up to including seventh place in the list (the Netherlands) continue to feature as the most affected countries in Europe. New entrants in the list are Switzerland, Austria, and Greece.

Table 2 – Top 10 countries most affected by stalkerware in Europe in 2022

In Eastern Europe (excluding European Union countries), Russia, and Central Asia, the total number of unique affected users in 2022 was 9,406. The top three countries were Russia, Kazakhstan, and Belarus.

Table 3 – Top 10 countries most affected by stalkerware in Eastern Europe (excluding EU countries), Russia and Central Asia in 2022

In the Middle East and Africa region, the total number of affected users was 6,330, slightly higher than in 2021. While Iran with 1,754 affected users features at the top of this list in 2022, Turkey’s 755 affected users has seen the country move up to second in the region, followed closely by Saudi Arabia with 612 affected users.

Table 4 – Top 10 countries most affected by stalkerware in Middle East & Africa in 2022

In the Asia-Pacific region, the total number of affected users was 3,187. India remains far ahead of the other countries in the region, with 1,807 affected users. Indonesia occupies second place with 269 affected users, while Australia is third with 190 affected users.

Table 5 – Top 10 countries most affected by stalkerware in Asia-Pacific region in 2022

The Latin America and the Caribbean region is dominated by Brazil with 4,969 affected users. This accounts for approximately 32% of the region’s total number of affected users. Brazil is followed by Mexico and Ecuador in the list, while Colombia has moved into fourth place. A total number of 6,170 affected users were recorded in the region.

Table 6 – Top 10 countries most affected by stalkerware in Latin America in 2022

Finally, in North America, 87% of all affected users in the region are found in the United States. This is to be expected given the relative size of the population in the United Sates compared to Canada. Across the North America region, 1,585 users were affected in total.

Table 7 – Number of users affected by stalkerware in North America in 2022

Global detection figures – stalkerware applications

This section lists the stalkerware applications most commonly used to control smartphones around the world. In 2022, the most popular app was Reptilicus (4,065 affected users). This year, Kaspersky detected 182 different stalkerware apps.

Table 8 – Top 10 list of stalkerware applications in 2022

Stalkerware provides a means to gain control over a victim’s life. Their capabilities vary depending on the type of application and whether it has been paid for or obtained freely. Typically, stalkerware masquerades as legitimate anti-theft or parental control apps, when in reality they are very different – most notably due to their installation without consent and notification of the person being tracked, and their operation in stealth mode on smartphone devices,

Below are some of the most common functions that may be present in stalkerware applications:

• Hiding app icon
• Reading SMS, MMS and call logs
• Getting lists of contacts
• Tracking GPS location
• Tracking calendar events
• Reading messages from popular messenger services and social networks, such as Facebook, WhatsApp, Signal, Telegram, Viber, Instagram, Skype, Hangouts, Line, Kik, WeChat, Tinder, IMO, Gmail, Tango, SnapChat, Hike, TikTok, Kwai, Badoo, BBM, TextMe, Tumblr, Weico, Reddit etc.
• Viewing photos and pictures from phones’ image galleries
• Taking screenshots
• Taking front (selfie-mode) camera photos

Are Android OS and iOS devices equally affected by stalkerware?

Stalkerware tools are less frequent on iPhones than on Android devices because iOS is traditionally a closed system. However, perpetrators can work around this limitation on ‘jailbroken’ iPhones, but they still require direct physical access to the phone to jailbreak it. iPhone users fearing surveillance should always keep an eye on their device.

Alternatively, an abuser can offer their victim an iPhone – or any other device – with pre-installed stalkerware. There are many companies that make these services available online, allowing abusers to have these tools installed on new phones, which can then be delivered in factory packaging under the guise of a gift to the intended victim.

Together keeping up the fight against stalkerware

Stalkerware is foremost not a technical problem, but an expression of a problem within society which therefore requires action from all areas of society. Kaspersky is not only actively committed to protecting users from this threat but also maintaining a multilevel dialogue with non-profit organizations, and industry, research and public agencies around the world to work together on solutions that tackle the issue.

In 2019, Kaspersky was the first cybersecurity company in the industry to develop a new attention-grabbing alert that clearly notifies users if stalkerware is found on their device. While Kaspersky’s solutions have been flagging potentially harmful apps that are not malware – including stalkerware – for many years, the new notification alerts the user to the fact that an app has been found on their device that may be able to spy on them.

In 2022, as part of Kaspersky’s launch of a new consumer product portfolio, the Privacy Alert was expanded and now not only informs the user about the presence of stalkerware on the device, but also warns the user that if stalkerware is removed the person who installed the app will be alerted. This may lead to an escalation of the situation. Moreover, the user risks erasing important data or evidence that could be used in a prosecution.

In 2019, Kaspersky also co-founded the Coalition Against Stalkerware, an international working group against stalkerware and domestic violence that brings together private IT companies, NGOs, research institutions, and law enforcement agencies working to combat cyberstalking and help victims of online abuse. Through a consortium of more than 40 organizations, stakeholders can share expertise and work together to solve the problem of online violence. In addition, the Coalition’s website, which is available in 7 different languages, provides victims with help and guidance in case they may suspect stalkerware is present on their devices.

From 2021-2023, Kaspersky was a consortium partner of the EU project DeStalk, co-funded by the Rights, Equality, and Citizenship Program of the European Union. The five project partners that formed the consortium combined the expertise of the IT Security Community, Research, and Civil Society Organizations, and Public Authorities. As a result, the DeStalk project trained a total of 375 professionals directly working in women’s support services and perpetrator programs, and officials from public authorities on how to effectively tackle stalkerware and other digital forms of gender-based violence, as well as raising public awareness on digital violence and stalkerware.

As part of the project, Kaspersky developed an e-learning course on cyberviolence and stalkerware within its Kaspersky Automated Security Awareness Platform, a freely available online micro learning training platform which can be accessed in five different languages. To date, more than 130 professionals have completed the e-learning course with a further 80 currently participating. Although the DeStalk project has ended, the e-learning course is still available on the DeStalk project website.

In June 2022, Kaspersky launched a website dedicated to TinyCheck to disseminate further information about the tool. TinyCheck is a free, safe and open-source tool that can be used by non-profit organizations and police units to help support victims of digital stalking. In 2020, the tool was created to check devices for stalkerware and monitoring apps without making the perpetrator aware of the check. It does not require installation on a user’s device because it works independently to avoid detection by a stalker. TinyCheck scans a device’s outgoing traffic using a regular Wi-Fi connection and identifies interactions with known sources such as stalkerware-related servers. TinyCheck can also be used to check any device on any platform, including iOS, Android, or any other OS’.

Think you are a victim of stalkerware? Here are a few tips…

Whether or not you are a victim of stalkerware, here are a few tips to better protect yourself:

• Protect your phone with a strong password that you never share with your partner, friends, or colleagues.
• Change passwords for all of your accounts periodically and don’t share them with anyone.
• Only download apps from official sources, such as Google Play or the Apple App Store.
• Install a reliable IT security solution like Kaspersky for Android on devices and scan them regularly. However, in the case of potentially already installed stalkerware, this should only be done after the risk to the victim has been assessed, as the abuser may notice the use of a cybersecurity solution.

Victims of stalkerware may be victims of a larger cycle of abuse, including physical.

In some cases, the perpetrator is notified if their victim performs a device scan or removes a stalkerware app. If this happens, it can lead to an escalation of the situation and further aggression. This is why it is important to proceed with caution if you think you are being targeted by stalkerware.

• Reach out to a local support organization: to find one close to you, check the Coalition Against Stalkerware website.
• Keep an eye out for the following warning signs: these can include a fast-draining battery due to unknown or suspicious apps using up its charge, and newly installed applications with suspicious access to use and track your location, send or receive text messages and other personal activities. Also check if your “unknown sources” setting is enabled, it may be a sign that unwanted software has been installed from a third-party source. However, the above indicators are circumstantial and do not indicate the unequivocal presence of stalkerware on the device.
• Do not try to erase the stalkerware, change any settings or tamper with your phone: this may alert your potential perpetrator and lead to an escalation of the situation. You also risk erasing important data or evidence that could be used in a prosecution.

For more information about our activities on stalkerware or any other request, please write to us at: ExtR@kaspersky.com.

The shopping event of the year, Black Friday, is almost here, and while the big day does not officially arrive until Friday, November 25^th, deals are already starting. The day kickstarts the frenzied holiday shopping season with eye-catching promotional deals that lure shoppers into spending more of their hard-earned cash. In the weeks leading up to Black Friday, we have already seen discounts reaching 70% and even 80%, grabbing the attention of millions of customers.

Today, e-commerce sales make up 21% of global retail sales, which is a 50% increase on the pre-pandemic levels. Besides, 94% of shoppers now do at least some of their shopping online. As the volume of purchases around Black Friday increases, the attention of cybercriminals to e-commerce intensifies proportionally. The risk of being scammed runs even higher. While on ordinary days, the customer can easily see that if the product is too cheap, it is most likely a scam, during the Black Friday sales, it gets harder to tell. Shoppers become less vigilant, and therefore, an easy target for cybercriminals. That is why we constantly monitor the landscape of shopping-related cyberthreats and protect users from these risks. Here is what we have found this year.

Methodology

In this research, we analyze various types of threats, such as financial malware and phishing pages mimicking the world’s biggest retail platforms, banking and payment systems, and discuss recent trends. The threat statistics we use come from Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users, for the period from January through October 2022. In addition, we analyzed Black Friday-related spam and phishing pages mimicking popular BNPL (buy now, pay later) services, which have proven to be particularly popular during shopping seasons like Black Friday.

Key findings

• Over the first ten months of 2022, Kaspersky prevented 38,596,555 financial phishing attacks.
• In 2022, the number of attacks using banking Trojans doubled when compared to the same period of 2021, reaching almost 20 million.
• The number of financial phishing attempts for online shopping platforms (16,424,303) comprised 42.55% of all financial phishing attempts.
• The number of phishing pages mimicking the most popular shopping platforms (Apple, Amazon, eBay, Walmart, Aliexpress, and Mercado Libre) totaled 12,787,534 in the first ten months of 2022.
• Apple was consistently the most popular lure among online shopping platforms, with phishing attempts using its name reaching 9,858,254 in the first ten months of 2022.
• Spam campaigns intensify as Black Friday approaches. In the first three weeks of November, Kaspersky telemetry spotted 351,800 spam emails that contained the word combination “Black Friday”. This is five times more than September’s figure.

Phishing for shopping credentials: financial threats in numbers

One of the prime threats during the shopping season is financial phishing. Kaspersky distinguishes several types of financial phishing: banking, payment system, and online store phishing. Banking phishing includes fake banking websites that cybercriminals create to mislead their victims into giving up their credentials and card details. Payment system phishing involves pages mimicking well-known payment systems, such as PayPal, Visa, MasterCard and American Express. The third type of phishing mimics online stores, such as Amazon, eBay, Aliexpress, or smaller ones.

Number of attempts to visit phishing pages using banking, online payment and online retail brands as a lure, January–October 2022 (download)

During the first ten months of 2022, Kaspersky products detected 38,596,555 phishing attacks targeting users of online shopping platforms, payment systems and banking institutions. We count one attempt to open a phishing link detected by Kaspersky as one phishing attack. During the first ten months of this year, the number of financial phishing attempts for online shopping platforms comprised 42.55% of all financial phishing attempts, which is 10.19 p.p. higher than the share of online payment phishing (32.36%), and 17.47 p.p. higher than the share of banking phishing (25.08%). Moreover, some of the payment system and banking phishing cases may be related to online store phishing. For example, if a phishing or scam page mimicking Amazon redirects the user to a payment page mimicking PayPal, these two pages will be categorized as online store and payment system phishing, respectively. In total, Kaspersky solutions detected 16,424,303 online store phishing attacks, 12,491,239 online payment phishing attacks, and 9,681,013 banking phishing attempts. We also observed a sharp spike in the number of attacks on online store users in June–July 2022. This was caused by a massive phishing campaign involving a fake Apple device giveaway, which Kaspersky security solutions successfully repelled.

Number of attempts to visit phishing pages using Apple as a lure, January–October 2022 (download)

Overall, the number of phishing attacks mimicking the most popular shopping platforms (Apple, Amazon, eBay, Walmart, Aliexpress, and Mercado Libre) amounted to 12,787,534 for the ten months of 2022. The majority of these attacks targeted Apple users: 9,858,254 phishing attempts, most of them occurring during the summer campaign mentioned above.

Number of attempts to visit phishing pages using popular shopping platforms (excluding Apple) as a lure in 2022 (download)

Amazon was the second most popular lure, with phishing attempts using its name peaking in April at 342,829. In total, 2,101,599 phishing attacks exploiting the Amazon brand were detected between January and October of 2022. The third most popular lure was, for most of 2022, Mercado Libre. Although the marketplace is local to Latin America, cybercriminals notably abused it much more via phishing attacks than global corporations like eBay or Walmart. Specifically, attackers used the brand name of Mercado Libre most heavily during the summer season, with 56,099 attempts in June and 42,862 in August, which is more than the summer figures for eBay, Walmart, and Aliexpress. Curiously, the number of phishing sites mimicking Walmart’s platform peaked in February, likely because of Valentine’s Day. During that month, we detected 76,618 phishing attempts abusing Walmart, which is 45% of all phishing attempts that targeted Walmart users in the first ten months of 2022.

“Pick a prize and cry in surprise”

A large share of fake e-commerce pages comprises scams: juicy fake offers, often made in the name of a popular brand, which draw buyers. Scam websites will typically display a discount, giveaway or another attractive deal that supposedly expires soon, urging the user to hurry while the products are free or heavily discounted. This is where cybercriminals catch customers who are hungry for freebies and fail to double-check where they are about to enter their details: on a phishing page or the official website.

A brightly colored phishing site with a Mercado Libre logo on it lights up with, “Pick a prize and cry in surprise” written in Spanish. The surprise box can contain anything: the latest iPhone, an expensive TV set, or a much-needed lawn mower for the garden. To get it, the user just needs to pay a small delivery fee. However, all they really get if they fall for the trick is their money lost and bank card details compromised.

Fake Mercado Libre site in Spanish that reads, “Pick a prize and cry in surprise”

Cybercriminals often start to spread phishing and scam pages even before Black Friday sales begin in order to squeeze out the shopping season as much as possible. One scam site, for example, offers users early access to all Amazon deals a few days before the discounts become effective, to grab everything they want before other customers sweep the shelves. To get the “early access”, you have to subscribe to “Amazon Prime” on the scammers’ website. However, paying for the subscription will not get users access to Amazon’s offers. Instead of being the first among buyers, they will join the ranks of scam victims.

Users are offered early access to Amazon sales

In addition to promises of early access, attackers use other tricks to lure victims. For example, they offer eBay gift cards for free. In order to generate a gift card code, users are asked to select an amount to add to the gift card account: from $10 to $300. They will then be asked to fill out a simple survey and to pay a small fee for the card, which the scammers promise to send by email. However, victims will not get any gift cards, but just lose their money to the scammers.

Victims are promised that gift card codes will be sent to their emails, which does not happen

A promise of cashback is another kind of bait used by cyberthieves. That is how they lured victims into a phishing scheme that targeted users of the Indian payment system PhonePe. The attackers sent out text messages promising cashback to users who followed a link. The phishing page urged victims to enter their UPI PIN: the secret code that is used to confirm transactions.

Fake cashback page phishing for UPI PINs

In certain cases, cybercriminals exploited several brands with one phishing page. On the screenshot below, the fake website mimics the login page for Landesbank Berlin’s Amazon.de cards. It offers users to “activate Visa Secure to pay safely with their Amazon.de Visa card”. To do that, the victim needs to enter their Landesbank Berlin login credentials, which will then be stolen by the attackers.

Users are prompted to log in to their Landesbank Berlin account to allegedly activate Visa Secure option

“Buy now, regret later”: phishing examples for BNPL services

“Buy now, pay later” (BNPL) services allow customers to split the cost of a purchase into several interest-free installments. These services appeal to consumers, especially youngsters, and have proven to be particularly popular during shopping days like Black Friday. Juniper Research assesses the BNPL user base at 360 million in 2022 and predicts this number to surpass 900 million globally by 2027. All of this makes BNPL an attractive target for cybercriminals.

BNPL phishing on the eve of Black Friday 2022

One of the most popular BNPL services is Affirm, with around 12.7 million active users worldwide. According to the official website, a user can shop online or in-store and pay later with the service at checkout. Another option is to request a virtual card in the app. Payments are managed in the app or online. The service offers a browser extension for Chrome.

Cybercriminals have created a nearly perfect replica of the official Affirm login page—the only difference is missing links to the privacy policy and merchant login. By creating the malicious lookalike, the attackers are trying to gain access to victims’ Affirm accounts.

Affirm phishing page

The real Affirm login page (Differences highlighted)

Another pre-Black Friday phishing site found by Kaspersky researchers spoofs an even more popular service named Afterpay (Clearpay in the U.K. and Italy), which has 20 million active users globally. Perpetrators have set up a page that mimics the official website, apparently trying to trick unsuspecting visitors into entering their bank card details, including the CVV, into a fake form.

A further example of a phishing page mimicking Afterpay is aimed at gaining access to potential victims’ accounts.

Phishing distribution

To attract potential victims to phishing pages, attackers usually send links to these pages by email. The email body employs social engineering techniques, for instance, to convince the user that they need to update their payment data, or that a lucrative deal awaits them on the phishing site. However, there are other ways of delivering phishing links, such as instant messages, social media, or SMS.

Phishing and scam: red flags

More often than not, a vigilant user can recognize phishing and scam pages. The text on the page can contain typos, while the domain name in the URL can differ from that of the official website by a few characters, contain extra words, or look totally unrelated to the brand whose users it targets. The only functional buttons are often those related to the main phishing or scam functionality: “pick your prize”, submit buttons, etc. All other buttons such as “I forgot my password”, the menu, etc. are typically unclickable or lead nowhere. That said, links to the terms of use and privacy policy in the footer of a phishing page can lead to the documents published on the original website, and thus help to conceal the website’s malicious purpose.

Spam

Despite all the benefits of online shopping, one of its most annoying downsides is finding your inbox clogged up with unsolicited email. Spam campaigns tend to intensify dramatically around the shopping and holiday seasons. From November 1 through November 17, 2022, Kaspersky telemetry recorded 351,800 emails containing the word combination “Black Friday”. This is more than five times the number of such emails recorded in October, when we saw 65,608. Compared to September, the increase is more than 32 times.

The number of spam emails containing “Black Friday”; September, October, and November 2022 (download)

When left unfiltered by antispam systems, spam is an annoyance and a waste of time. Our recent study revealed that employees who receive 30–60 external emails per day could be wasting as much as 11 hours annually looking through and identifying spam messages. For employees receiving between 60–100 emails a day, the figure increases to 18 hours per year, which is more than two business days.

Additionally, an important email might be lost in a deluge of spam and unintentionally deleted. Needless to say, many spam emails contain links to phishing and scam websites, or malicious attachments.

Banking Trojans go after payment credentials

Banking Trojans (bankers) are a staple in the arsenal of cyberthieves who seek to profit from the sales season. These are malicious computer programs that obtain access to confidential information stored or processed by online banking and payment systems. Bankers use webinjects and form-grabbing functionality to steal credentials, card details, or even all of the data a user enters on the target website.

After a sharp drop in banking Trojan attacks in 2021, cybercriminals reverted to using the tool heavily: from January through October 2022, Kaspersky products detected and prevented almost 20 million attacks, a 92% increase year on year.

Overall number of banking Trojan attacks, January–October 2020–2022 (download)

Conclusion

The shopping season is a profitable time not just for stores owners and consumers but also for cybercrooks. Every year, we see how fraudsters step up their activities amid the sales season by exploiting the names of popular stores, retail platforms and financial services. Unfortunately, the trend is not likely to go anywhere. This means users should be prepared and know how to stay protected at least from the “traditional” types of threats we observe every year: spam, phishing, and banking Trojans.

To enjoy the best that Black Friday has to offer this year, be sure to follow a few safety tips.

• Protect all devices that you use for online shopping with a reliable security solution.
• Do not trust any links or attachments received by email; double-check the sender’s name and email address before opening anything.
• Check that the online store address is correct and the page has no errors or visual defects on it before filling out any forms there.
• In order to protect your data and finances, it is a safe practice to make sure the checkout page is secure, and there is a locked padlock icon beside the address.
• If you want to buy something from an unfamiliar company, check customer reviews before making the decision.
• Despite taking as many precautions as possible, you probably will not know whether something is amiss until you see your bank account statement. So, if you are still getting paper statements, do not wait until they hit your mailbox. Get online to see if all of the charges look legitimate, and if not, contact your bank or card issuer immediately.

A look back on the year 2022 and what to expect in 2023

Every year, as part of the Kaspersky Security Bulletin, we predict which major trends will be followed in the coming year by attackers, who target financial organizations. The predictions, based on our extensive experience, help individuals and businesses improve their cybersecurity and prevent the vast range of possible risks.

As the financial threat landscape has been dramatically evolving over the past few years, with the expansion of such activities as ransomware or cryptofraud, we believe it is no longer sufficient to look at the threats to traditional financial institutions (like banks), but rather assess financial threats as a whole. The cybercriminal market has been developing extensively, with the overwhelming majority of cybercriminals pursuing one goal — financial profit, no matter the source. However, the way they do it varies from year to year, and understanding the changes in their tactics and tools can help organizations improve their security.

This year, we have decided to adjust our predictions accordingly, expanding them to encompass crimeware developments and financial cyberthreats as a whole.

This report assesses how accurately we predicted the developments in the financial threats landscape in 2022 and ponder at what to expect in 2023.

Analysis of forecasts for 2022

• Rise and consolidation of information stealers. Our telemetry shows an exponential growth in infostealers in 2021. Given the variety of offers, low costs, and effectiveness, we believe this trend will continue. Additionally, they might even be used as bulk collectors for targeted and more complex attacks.

  Yes. While we haven’t seen exponential growth in the use of stealers, their advancement and evolution has been very noticeable. In 2022, we uncovered some new malicious families actively sold on dark markets, such as Rhadamanthys, BlueFox, and Parrot, stealing sensitive information from the victims’ devices. One of the most striking new stealers has been OnionPoison. Unlike common stealers, this malware gathered data that can be used to identify the victims, such as browsing histories, social networking account IDs and Wi-Fi networks. Previously discovered stealers have not been left behind. This year we observed the updates of AcridRain and Racoon stealers, and the remarkable evolution of RedLine stealer, making it a self-spreading threat that attacks gamers via YouTube. Also of note in 2022 are campaigns impersonating well-known software brands like Notepad++. The trend remains solid, and these types of campaigns impact a large number of users, hitting the target brand’s bottom line. Moreover, the ransomware gang ransomExx also abuses open source software by recompiling it to load a malicious shellcode; Notepad++ was also used in one of their attacks.

  While there are still top-level threats that are not distributed openly, the vast majority of stealers have become more affordable and cheaper for average cybercriminals, making this threat more likely to evolve even more in the following year.

• Cryptocurrency targeted attacks. The cryptocurrency business continues to grow, and people continue to invest their money in this market because it’s a digital asset and all transactions occur online. It also offers anonymity to users. These are attractive aspects that cybercrime groups will be unable to resist. And not only cybercrime groups, but also state-sponsored groups who have already started targeting this industry. After the Bangladesh bank heist, the BlueNoroff group is still aggressively attacking the cryptocurrency business, and we anticipate this activity will continue.

  Despite these uncovered campaigns, attackers were still more likely to hunt for cryptocurrency using phishing, offering dubious cryptocurrency exchange platforms, and launching cryptojacking to illicitly mint cryptocurrency. Previously, mining was mostly a threat for general users, but today miners are stealing power from large businesses and critical infrastructures. Even big ransomware operators, for example, AstraLocker, are shutting down their operations to switch to cryptojacking.

• More cryptocurrency-related threats: fake hardware wallets, smart contract attacks, DeFi hacks, and more. In the scramble for cryptocurrency investment opportunities, we believe that cybercriminals will take advantage of fabricating and selling rogue devices with backdoors, followed by social engineering campaigns and other methods to steal victims’ financial assets.

  Yes. In 2022, we observed many other cryptocurrency-related threats potentially costing users millions of dollars. Since the start of 2022, cybercriminals have stolen $3 billion from DeFi protocols, with 125 crypto hacks in total. According to the freshest data on DeFi, every hour 15 newly deployed scams against smart contracts are detected. At this rate, 2022 will likely surpass 2021 as the biggest year for hacking on record. The lack of state-of-the-art security for smart contracts leads to attacks on these platforms and, based on how the business model works, the potential theft of a lot of money.

• Targeted ransomware — more targeted and more regional. With the international efforts to crack down on major targeted ransomware groups, we will see a rise in small, regionally derived groups focused on local The adoption of Open Banking in more countries may lead to more opportunities for cyberattacks.

  Yes. We’ve observed a rise in the number of targeted and regional ransomware attacks. One of the reasons why ransomware attacks have become more regional is the decrease in collaboration between ransomware groups. In the past, many actors would join forces to attack and encrypt as many organizations around the world as possible. But thanks to international efforts, such as No More Ransom, to crack down on their work, global attacks have become much rarer.

  Interestingly, this trend was also influenced by geopolitical conflict, which we did not anticipate last year. Many ransomware groups took sides in the conflict between Russia and Ukraine, focusing their activities on destructive attacks or limiting the range of their targets by geography. The most significant reaction of all was likely by the Conti ransomware group, who announced that it would retaliate with full capabilities against any “enemy’s” critical infrastructure if Russia became a target of cyberattacks. On the other side, Kaspersky discovered Freeud, a wiper under the guise of ransomware whose creators proclaimed support for Ukraine.

• Access broker specialists — professionalize access to compromised networks. Instead of major efforts to compromise access to a corporate or public entity, we can expect Ransomware-as-a-Service operators to seek to buy access to another cybercriminal group that already has access to the target, focusing their activity on ransomware deployment.

  Yes. Attackers have indeed resorted to buying initial access to compromised services more often than hacking it themselves. This has become a real stand-alone business in the dark web (Malware-as-a-Service, MaaS). This year we detected a malicious spam campaign targeting organizations tenfold growth in a month, spreading Emotet malware, which is used by Conti ransomware affiliates to gain initial access. Once access is obtained, the organization is placed into a pool of potential ransomware targets. This growth in the Emotet campaign suggests that the Access-as-a-Service continues to be actively used by cybercriminal groups, and the trend of hiring access broker specialists is likely to continue in 2023.

• Mobile banking Trojans on the rise. As mobile banking experienced booming adoption worldwide due to the pandemic (in Brazil it represented 51% of all transactions in 2020), we can expect more mobile banking Trojans for Android, especially RATs that can bypass security measures adopted by banks (such as OTP and MFA). Regional Android implant projects will move globally, exporting attacks to Western European countries.

  Yes. Security remains the biggest problem for users who want to make regular mobile payments. As predicted, the number of mobile banking Trojan detections increased considerably in 2022 worldwide compared to the last year, reaching more than 55,000 attacks in the second quarter of 2022 alone. With the rising number of attacks, cybercriminals have evolved new banking Trojans, targeting mobile users. In 2022, Kaspersky researchers have so far discovered more than 190 applications distributing Harly Trojan with more than 4.8 million downloads. While these apps were available in official stores and disguised as legitimate apps, the fraudsters behind them subscribed unsuspecting users to unwanted paid services.

• Rise of threat to online payment systems. Amid the pandemic, many companies went digital and moved their systems online. And the longer people stay at home because of quarantine and lockdowns, the more they rely on online markets and payment systems. However, this rapid shift is not accompanied by the appropriate security measures, and it is attracting lots of cybercriminals. This issue is particularly severe in developing countries, and the symptoms will last for a while.

  No. This year, we have not observed a lot of new fintech players that went big and which could become new targets for cybercriminals.

• With more fintech apps out there, the increasing volume of financial data is attracting cybercriminals. Thanks to online payment systems and fintech applications, large amounts of important personal information is stored on mobile. Many cybercrime groups will continue to attack personal mobile phones with evolved strategies such as deep fake technology and advanced malware to steal victims’ data.

  No. Mobile malware techniques haven’t changed much in the course of 2022.

• Remote workers using corporate computers for entertainment purposes, such as online games, continue to pose financial threats organizations. In a previous post, we wrote that users rely on corporate laptops to play video games, watch movies, and use e-learning platforms. This behavior was easy to identify because there was a boom in the Intel and AMD mobile graphic cards market in 2020-2021 compared to previous years. This trend is here to stay, and while during 2020 46% of employees had never worked remotely before, now two-thirds of them state they wouldn’t go back to the office, with the rest claiming to have a shorter office work week.

  Yes. The level of cybersecurity after the pandemic and the initial adoption of remote work by organizations en masse has become better. Nevertheless, corporate computers used for entertainment purposes remain one of the most important ways to get initial access to a company’s network. Looking for alternative sources to download an episode of a show or a newly released film, users encounter various types of malware, including Trojans, spyware and backdoors, as well as adware. According to Kaspersky statistics, 35% of users who faced threats under the guise of streaming platforms were affected by Trojans. If such malware ends up on a corporate computer, attackers could even penetrate the corporate network and search for and steal sensitive information, including both business development secrets and employees’ personal data.

• ATM and PoS malware to return with a vengeance. During the pandemic, some locations saw PoS (point of sale) and ATM transaction levels drop significantly. Lockdowns forced people to stay at home and make purchases online, and this was mirrored in PoS/ATM malware too. As restrictions are lifted, we should expect the return of known PoS/ATM malware and the appearance of new projects. Cybercriminals will regain their easy physical access to ATMs and PoS devices at the same time as customers of retailers and financial institutions.

  Yes. As predicted, with the lift of COVID-19 restrictions, attackers have stepped up their activities again in 2022. In the first eight months of the year, the number of unique devices affected by ATM/PoS malware grew by 19% as compared to the same period in 2020, and by nearly 4% compared to 2021. Kaspersky researchers have also discovered cybercriminals creating and deploying new never-seen-before tools targeting ATM and PoS devices. For instance, the Prilex threat group, famous for stealing millions of dollars from banks, has evolved substantially. Specifically, Prilex has upgraded its tools from a simple memory scraper to an advanced and complex malware that now targets modular PoS terminals and is the first malware able to clone credit card transactions, even those protected by CHIP and PIN.

  Perhaps one of the biggest shifts is PoS malware becoming a service sold on the dark web, which means it is now available to other cybercriminals, and the risk of losing money is increasing for businesses worldwide.

Forecasts for 2023

Led by gaming and other entertainment sectors, Web3 continues to gain traction and so will threats for it

With the increasing popularity of cryptocurrencies, the number of crypto scams has also increased. However, we believe that users are now much more aware of crypto and will not fall for primitive scams, such as a video featuring an Elon Musk deepfake promising huge returns in a dodgy cryptocurrency investment scheme that went viral. Cybercriminals will continue to try to steal money through fake ICOs and NFTs along with other cryptocurrency-based financial theft (like exploitation of vulnerable smart contracts), but will make them more advanced and widespread.

Malware loaders to become the hottest goods on the underground market

Many actors have their own malware, but that alone is not enough. Entire samples used to consist solely of ransomware, but the more diverse the modules in a piece of ransomware, the better it will evade detection. As a result, attackers are now paying much more attention to downloaders and droppers, which can avoid detection. This has become a major commodity in the MaaS industry, and there are even already favorites among cybercriminals on the dark web — the Matanbunchus downloader, for example. All in all, stealth execution and bypassing EDRs is what malicious loader developers are going to focus on in 2023.

More new “Red Team” penetration testing frameworks deployed by cybercriminals

At the same time as vendors create and improve penetration testing frameworks to protect companies, crimeware actors are expected to use them much more actively for illegal activities. The most remarkable example of this trend starting to spread globally is Cobalt Strike. The tool is so powerful that threat groups have added it to their arsenal, already using it in a wide variety of attacks and cyberespionage campaigns. In 2022, the news hit the headlines that another pentester toolkit dubbed Brute Ratel C4 had been hacked, and is now being distributed on hacker forums. We predict that, along with the development of new penetration tools, cybercriminals will increasingly use them for their own malicious purposes — and Brute Ratel C4 and Cobalt Strike are just the beginning of this trend.

Ransomware negotiations and payments begin to rely less on Bitcoin as a transfer of value

As sanctions continue to be issued, the markets become more regulated, and technologies improve at tracking the flow and sources of Bitcoin, cybercrooks will rotate away from this cryptocurrency toward other forms of value transfer.

Ransomware groups following less financial interest, but more destructive activity

Perhaps a surprising prediction in a report about future financial threats, yet ransomware has been one of the biggest threats in recent years, inflicting massive financial damage on organizations. As the geopolitical agenda increasingly occupies the attention not only of the public but also of cybercriminals, we expect ransomware groups to make demands for some form of political action, instead of demands for ransom money. One of such examples is Freeud, a brand-new ransomware with wiper capabilities.

Knowing what the future holds can help with being prepared for emerging threats better. Every year, Kaspersky experts prepare forecasts for different industries, helping them to build a strong defense against any cybersecurity threats they might face in the foreseeable future. Those predictions form Kaspersky Security Bulletin (KSB), an annual project lead by Kaspersky experts.

As for KSB 2022, we invited notable experts to share their insights and unbiased opinions on what we should expect from cybersecurity in the following year. The contributors include representatives from government institutions: H.E. Dr.Mohamed Al Kuwaiti (UAE Cyber Security Council), and public organizations: Kubo Mačák, Tilman Rodenhäuser, Mauro Vignati (ICRC), Serge Droz (FIRST), Sven Herpig (the think tank Stiftung Neue Verantwortung). Also, we’d like to thank Prof. Dr. Dennis-Kenji Kipker (the University of Bremen; European Academy for Freedom of Information and Data Protection (EAID)), Arthur Laudrain (The Hague Centre for Strategic Studies), Stefan Soesanto (The Center for Security Studies (CSS) at ETH Zurich) for their scientific and profound contribution. Moreover, we included predictions made by our fellow commercial organizations – James Range (White Rock Security Group) and Irena Yordanova (Polycomp Ltd.).

The opinions shared by the contributing experts do demonstrate a complexity of the modern cybersecurity industry and a strong need for collaboration among different organizations in order to combat cyberthreats that companies, individuals or even whole countries are exposed to.

What cyberthreats for business will be the greatest in 2023?

Vladimir Dashchenko, Security Evangelist, Kaspersky

The ongoing geopolitical storm brings not only classical cyberthreats for business, but also unpredictable risks and ‘black swans’. The main problem for 2023 will be supply-chain stability and cybersecurity. While supply-chain is a big challenge for business right now, its cybersecurity is not merely an issue, it’s a major problem. Supply-chain will become more of a sweet spot for targeted ransomware and state-sponsored espionage campaigns.

Another big issue is global semiconductor shortage. This will definitely play its role in corporate cybersecurity. While many companies need increasingly more computing power, (servers, workstations, network hardware and so on…) the price on the equipment continues to rise. There’s a possibility that, to cover hardware needs, some of the businesses will have to cut planned cybersecurity expenses.

Yury Slobodyanuk, head of content filtering research, Kaspersky

I think we will continue seeing attacks targeting the infrastructure of different countries and organizations. Phishing attacks are going to become even more sophisticated, since a lot of basic tactics have already been tried this year, and businesses learned to repel those.

Ivan Kwiatkowski, senior security researcher, Global Research and Analysis Team, Kaspersky

Businesses will still be mostly concerned with ransomware. The conflict between Russia and Ukraine has marked an end to any possible law enforcement cooperation in the foreseeable future. We can therefore expect that cybercrime groups from either block will feel safe to attack companies from the opposing side. Some may even perceive this as their patriotic duty. The economic downturn (caused by energy prices, inflation, sanctions, etc.) will lead more people to poverty, which always translates to increased criminality (cyber or otherwise), and we know ransomware to be extremely profitable.

James Range, President of White Rock Security Group

Zero trust will take on greater prominence with the continued role of the remote and hybrid workplace. Remote work will continue driving the need for zero trust since hybrid work is now the new normal. With the federal government mandating agencies to adopt zero-trust network policies and design, we expect this to become more common and the private sector to follow suit as 2023 becomes the year of verifying everything.

Arthur Laudrain, Strategic Analyst (Cyber Program), The Hague Centre for Strategic Studies

In 2023, we might see a slight decline in the raw number of ransomware attacks, reflecting the slowdown of the cryptocurrency markets. However, ransomware operators will keep professionalizing their operations and will target higher value organizations. At the same time, state-sponsored attacks will remain high in the threat landscape, with no ease of geopolitical tensions with Russia, China, North Korea, and Iran in sight. Businesses most at risk are aerospace and defense contractors, as well as critical infrastructure operators (utilities such as water, electricity, and Internet, but also hospitals and operators of large cyber-physical systems such as dams).

Stefan Soesanto, Senior Cyber Defense Researcher, The Center for Security Studies (CSS) at ETH Zürich

If I had a magic 8-ball, I would predict that the greatest cyberthreats to businesses in 2023 will be a significant increase in foreign intelligence services conducting operations under the cover of hacktivist groups, fighting big oil, climate change, fiscal policies etc. And that (b) we are also likely to see a steep increase in DDoS extortion campaigns as the Cyberwar in Ukraine leads to all-time-high levels of DDoS attacks.

Irena Yordanova, Product Manager Software, Polycomp Ltd.

We expect cyberthreats to rise in 2023, as unrest in the world contributes to an increase in cybercrimes. Malware attacks like ransomware will happen to businesses more frequently. And IT teams should be prepared to deal with evolving threats posed by emerging technologies which are becoming widespread, such as geo-targeted phishing or attacks related to Cloud Security, IOT and AI. Most probably more attacks on the education and healthcare sectors will occur plus targeted campaigns against industry leaders – especially those that hold critical information: sensitive data, top expertise, and latest technologies. Given that, employees should be educated and equipped to fight these mature attacks; and their companies can contribute by having experienced outside security partners to support them on this issue. End-users can prepare themselves with an easy-to-use security solution for upcoming challenges, whether it’s phishing attacks or threats related to multiple layers of security.

What cybersecurity challenges will industries face next year?

Vladimir Dashchenko, Security Evangelist, Kaspersky

Threat modeling approaches will be changed in 2023. Internet ‘balkanization’, ongoing military conflicts, changes, and tensions in existing political groups of countries are influencing cyberspace and cybercrime. We will see an increasing number of cybercriminals taking political sides and breaking the law with political statements. Also, script-kiddies (low skilled hackers) will be joining groups of cybercriminals led by more skilled perpetrators, or state sponsored hackers more often.

The major challenge for cybersecurity itself will be a lack of transparency and information sharing between companies. It will be extremely difficult to follow the ‘business as usual’ concept and remain neutral. Global political conglomerates will unfortunately influence cyberspace and cybersecurity.

Arthur Laudrain, Strategic Analyst (Cyber Program), The Hague Centre for Strategic Studies

Next year should see a continuation of existing trends. In particular, governments, critical infrastructure operators, and businesses with a large international footprint will face the continued challenge of ensuring the safety and integrity of their supply-chains, both in terms of software and hardware. Often, this will require closer integration with their contractors and suppliers, none the least to comply with new regulatory obligations in the U.S. and the E.U.

James Range, President of White Rock Security Group

Given the continued surge of ransomware attacks, which soared 288% in the first half of 2022 alone, the need for cyber insurance will be a bigger priority, especially in the SMB market. Although many industry experts argue against payouts, making cyber coverage a controversial topic, the evolving threat landscape means cyber insurance should be a top consideration as part of organizations’ cyber strategy. As such, we anticipate a booming cyber insurance industry as many organizations heed these warnings and seek to guard against ransomware attacks. Yet, in addition to cyber insurance, companies will need a designated DR or RR (Rolling Recovery) plan.

Kubo Mačák, Legal Adviser, Tilman Rodenhäuser, Legal Adviser, Mauro Vignati, Adviser on Digital Technologies of Warfare, ICRC

A key concern for 2023 is that civilians will be further impacted by cyber operations during armed conflict. Civilian data, devices, and networks – such as government services, critical infrastructure, or companies – risk being deliberately disrupted or damaged, often in violation of the laws of war. Civilians – individuals and companies – may get drawn into digital warfare activities, encouraged to engage in cyber operations or to support kinetic military operations through digital means. Such developments put people and societies in danger and undermine the cardinal rule that belligerents must at all times distinguish between what is military and what is civilian.

Stefan Soesanto, Senior Cyber Defense Researcher, Center for Security Studies (CSS)

I expect that the theft of medical data (ex. Finland’s Vastamoo in 2020 & Australia’s Medibank in 2022), as well as highly private personal data (ex. Ashley Madison in 2015) will become the major focus of ransomware groups and other cybercriminal actors alike. Underpinning this trend, the lesson learned is that imposing massive psychological pressure directly on thousands of separate victims, increases the likelihood of individual extortion payouts being made.

What cyberthreats will pose the most danger to end-users?

Yury Slobodyanuk, head of content filtering research, Kaspersky

As the geopolitical situation is quite tense, different types of fraud will take advantage of new events that will take place. Also, various techniques of generating fake news using AI may be used.

Sven Herpig, Director Cybersecurity at think tank Stiftung Neue Verantwortung

I believe cybercrime is the biggest threat to end-users, but mainly in an indirect fashion. Cybercrime is looming over providers of essential services and goods such as municipalities, hospitals and even producers of baby food offline, rendering them less or non-operational for several days or weeks. This has a direct impact on citizens’ lives in the real world and is therefore something that I would see as one of the most prevailing threats to individuals.

Prof. Dr. Dennis-Kenji Kipker, Professor for IT Security Law at the University of Bremen; Visiting Professor at Riga Graduate School of Law; Member of the Board of the European Academy for Freedom of Information and Data Protection (EAID)

Remote workers in home offices continue to play a major role in everyday working daily life, along with the increased use of BYOD, which takes control of devices away from administrators. Since 2020, therefore, forms of spear phishing, social engineering and CEO fraud, as well as ransomware, become increasingly prevalent and will continue to be of considerable importance in 2023. The professionalization of cybercrime, now an independent “industry”, is contributing to a further tightening of the security situation for end users, as low-cost mass attacks are made possible in this way.

H.E. Dr.Mohamed Al Kuwaiti, UAE Cyber Security Council

IoT Vulnerabilities. Security issues keep plaguing IoT devices dominating the market today. As IoT combines the physical world and virtual space, home intrusions are being added to the list of the scariest possible threats that IoT brings.

Vulnerabilities in Autonomous Vehicles. Due to the inherent risks of Autonomous Vehicles, they are increasingly vulnerable to attacks resulting in data breaches, supply chain disruptions, property damage, financial loss, and injury or loss of life.

What are the main challenges cybersecurity will face in 2023?

Ivan Kwiatkowski, senior security researcher, GReAT Kaspersky

The security industry will face direct pressure resulting from the political situation. Things were complex before and they will only get worse. The biggest challenge that vendors will have to face in 2023 will be to remain neutral, if they haven’t decided to align with one block or the other already. (My opinion on this bigger matter is explained in this talk.) Generally speaking, politics and threat intelligence will become more and more entwined, and we’re very unprepared for this as a community.

Yury Slobodyanuk, head of content filtering research, Kaspersky

I think attacks will evolve a lot quicker next year, and a main challenge will be to still be a couple of steps ahead.

Sven Herpig, Director Cybersecurity at think tank Stiftung Neue Verantwortung

I don’t think that there will be anything substantially new in 2023 – one of the key challenges will still be the lack of adoption of basic security and resilience measures which cybercriminals will successfully exploit.

Prof. Dr. Dennis-Kenji Kipker, Professor for IT Security Law at the University of Bremen; Visiting Professor at Riga Graduate School of Law; Member of the Board of the European Academy for Freedom of Information and Data Protection (EAID)

Cybersecurity requires not only secure software, but also sufficiently trustworthy hardware. For too long, we have relied on globalization in IT security and placed too little emphasis on protecting the digital supply chain. In Germany, this was made clear by the debate about protecting sensitive 5G networks; in the geostrategic conflict between the People’s Republic of China and Taiwan, we are now seeing that we are already in the midst of a semiconductor crisis that threatens the security of supply with trustworthy IT. Here, it can be assumed that significant cybersecurity challenges will continue to rise in 2023 as political tensions grow.

Serge Droz, Technical Advisor, Member of the Board, FIRST

Cybercrime will continue to focus on optimizing gains per investment, meaning that smaller and/or less mature organizations will be targeted even more. These may be SMEs or businesses in sectors that don’t include IT in their core business, in particular health services. The problem with this target group is that they either have very different priorities (a ransomed hospital simply cannot afford to delay recovery, and thus pays) and don’t have the resources to defend themselves, or they just don’t have the expertise. This is what Wendy Nater calls “living below the security poverty line”. And this will be the challenge to our industry: how can we provide effective protection that works and is affordable to these types of organizations. Or in other words, can we provide security services to people other than for security specialists? My guess would be that reaching this goal requires different industries working together, in particular I feel the role of insurance needs to be clarified and aligned.

James Range, President of White Rock Security Group

Cyber teams are going to be in the spotlight now more than ever. Understanding your security posture is crucial; knowing what current tools are available and the gaps that currently exist in your infrastructure will help you to protect your enterprise. The need for bigger cyber budgets and having the right people in place is critical. With ongoing talent shortages, consider partnering with a third-party firm to ensure you have fail-proof processes, documentation, and regular third-party assessments.

H.E. Dr.Mohamed Al Kuwaiti, UAE Cyber Security Council

DDOS Botnets. One of the most recent severe attacks around the end of June 2021, was made using malware called the Mēris botnet which has climbed to the record. Due to the new nature of the malware as it has been described as a “new assaulting force on the Internet – a botnet of a new kind” and its impact is more likely to be that similar real-time emerging malware-related DDoS attacks like this one will be used in 2023.

Ransomware as a service (RaaS). Unlike other forms of malware, this new service provides “a sort of criminal Content Distribution Network (CDN) similar, in principle, to those used by major internet portals but used exclusively for malware”. Nearly half of breaches during the first six months of 2022 involved stolen credentials, Switzerland-based cybersecurity company Acronis reported in its Mid-Year Cyberthreat Report, published on August 24, 2022. This has probably been the most discussed attack in 2022 as it’s the first time a country declared a national emergency in response to a cyber-attack. Ransomware-based malware had been quite active in 2022.

Deep fake enabled business compromise. Deepfake-enabled compromise is a type of attack where threat actors leverage synthetic content. This includes video or audio altered or created using artificial intelligence and machine learning to impersonate C-suite executives and trick employees into transferring large sums of cash.

During the pandemic, lockdowns forced people to stay at home and do their shopping online, which was mirrored in point-of-sale (PoS) and ATM malware activity, as certain regions saw malicious transactions drop significantly. Now, as we predicted in last year’s forecast, many are returning to their usual ways of life, visiting stores and withdrawing cash, and the threat of PoS/ATM malware is also making a comeback: the cybercriminals are already implementing new ways to steal from banks and organizations, and the number of attacks is on the rise, too.

By cracking an ATM or PoS terminal, attackers can obtain tens of thousands of dollars overnight. The risk is the highest with older ATM models, as these are difficult to repair or replace and seldom use security software to avoid further degrading their already-subpar performance.

PoS terminals are attacked just as often: few people give a thought to the fact that these machines need protection, as they hold the key to the bank accounts of hundreds of customers. These devices can be found in almost every store, restaurant, or other type of establishment, but they can be even easier for fraudsters to access. The reason is the same as with attacks on ATM machines: due to the large number of PoS terminals, most owners take too long to update their equipment, using obsolete operating systems running old (and vulnerable) software, to preserve the compatibility with legacy hardware and software.

Perpetrators continue to spread already-existing, widely used malware to attack PoS terminals and ATMs. As a result, both the threat of these attacks and the number of incidents are growing.

Methodology

We observed the threat landscape of ATM/PoS malware attacks and how it changed in 2020-2022. Specifically, we looked at the number of affected ATMs and PoS terminals, geography of attacks and threat families used by cybercriminals to target victims. For these purposes, we analyzed threat statistics from Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users, for the period between January 2020 and August 2022.

Key findings

• In the first eight months of 2022, the number of unique devices affected by ATM/PoS malware grew by 19% as compared to the same period in 2020, and by nearly 4% compared to 2021.
• Recovering from the 2020 slump, the number of attacks continued to grow steadily, and we expect cybercrime activity to increase further.
• HydraPOS and AbaddonPOS proved to be the most active families. The TOP-5 also included Ploutus, RawPOS, and Prilex.

ATM/PoS malware attacks: how COVID-19 affected the landscape, and what comes next

In 2020, the number of attacks significantly decreased in comparison to 2019 (see ATM/PoS malware report for 2017–2019). Specifically, the number of affected systems dropped to less than 5,000 in 2020 from more than 8,000 in 2019.

Number of unique devices affected by ATM/PoS malware in 2018–2021 (download)

There are several factors behind this. In Latin America, one of the most “restless” regions in terms of ATM/POS malware activity, many devices were turned off during the lockdowns and official restrictions. Apart from that, the number of cash machines around the world tends to decrease: for example, the total number of ATMs in the UK has been falling every year since 2015; in Saudi Arabia, the number of operating machines dropped by 10% in 2021. Consequently, attackers faced a shrinking market.

The trend could also be linked to consumers spending less during the COVID-19 outbreak in 2020. According to Central Bank of Ireland statistics, there were fewer purchases with cards and fewer cash withdrawals.

Successful vaccination programs and the lifting of COVID restrictions have allowed consumers to go back to their familiar lifestyles, and normal spending patterns are coming back. In 2021, the number of devices affected by ATM/PoS malware went up by 39% year on year.

In the first eight months of 2022, the number of unique devices hit by ATM/PoS malware grew by 19% as compared to the same period in 2020, and by nearly 4% compared to 2021. With these tendencies in mind, we expect further growth in ATM/PoS transactions and an associated increase in attacker activity.

Number of unique devices affected by ATM/PoS malware in the first halves of 2020–2022 (download)

Who should prick up their ears: the most “restless” regions in 2020–2022

Russia was a leader in 2017-2021 (see also our previous report). This country maintains a relatively outdated fleet of ATMs, making it a “piece of cake” for perpetrators to hack and a consistent target throughout the period in question. The older equipment is vulnerable to most malware families and has a relatively low level of cybersecurity. Many Windows versions used in the ATMs have long reached their end of support but still remain in service. Brazil, a consistent member of the TOP in 2017-2022, has a similar situation: its ATM fleet is rather old, too. In addition to this, the attackers in the region have been busy creating new variants of existing malware.

Zimbabwe debuted in the TOP-5 in 2021 and stayed among leaders in 2022. The country has strong economic ties with China, which invests and exports manpower to many places in Africa. This plays a key role in Zimbabwe’s economic growth: Chinese investors are opening a lot of new businesses, such as hotels and other types of establishments previously uncommon to Africa. This improvement in infrastructure is generating cash flows, turning the region into an attractive target for cybercriminals.

TOP 10 countries by number of unique devices affected by ATM/PoS malware in 2020—2022

2020

2021

2022

The most active malware families in 2022

HydraPoS and AbaddonPoS account for roughly 71% of all ATM/PoS malware detections^[1], with 36% and 35% respectively. The TOP-5 also includes Ploutus (3%), RawPoS, and Prilex (2% per each), whereas the remaining 61 families and modifications we reviewed account for less than 2% per each.

The TOP-5 families are primarily PoS malware, except from Ploutus, which is more widespread than ATM malware, as it preys on payment terminals. These systems are used in many shops, restaurants and other retail outlets, where the cybersecurity level is typically low, and therefore, are more accessible to attackers than cash machines, which are usually bank property and in many cases have solid security systems, not to mention restricted physical access.

HydraPoS
HydraPoS has not been seen releasing new versions recently, yet it holds a strong leading position in our rankings of malware families. This is a PoS malware tool originating in Brazil and notorious for cloning credit cards. HydraPOS combines several pieces of malware, with hundreds of different builds and versions, and a handful of legitimate third-party tools. In 2019, we reported on new features that had been added to the main module with the purpose of improving persistence and making HydraPOS stealthier.
HydraPOS has been spotted in attacks that employed social engineering techniques. Cybercriminals presented themselves as an employee of a credit card company on the phone, asking employees to access a website and install “an update”, which would trigger an infection giving the criminals access to the company’s systems.

AbaddonPoS
The AbaddonPoS family was discovered in 2015, when researchers spotted a download during a Vawtrak infection. AbaddonPoS, sometimes detected by our products as Trojan-Spy.Win32.POSCardStealer, is a generic, widespread type of PoS malware with features such as anti-analysis, code obfuscation, persistence, location of credit card data, and a custom protocol for exfiltrating data.

Ploutus
In 2021, a new version of Ploutus was found in the wild. Ploutus is one of the most advanced ATM malware families we have seen in the last few years. Discovered for the first time in Mexico back in 2013, the malware keeps evolving via new versions and has been seen targeting enterprises, such as ATM manufacturers, in Brazil among other places.
The malware is used to modify legitimate software and execute privilege escalation to control the ATM and obtain administrative permissions, allowing criminals to jackpot cash machines on demand.

RawPoS
Originally discovered by Visa, the RawPoS family has been in use at least since 2008. Initially targeting the hospitality sector, the malware comes in many modifications and is capable of extracting the full magnetic stripe data from volatile memory.

Prilex
Prilex was recently reported to be sold as malware-as-a-service (MaaS). Active since 2014, it hails from Brazil and has a global reach these days. In 2022, the group upgraded its attack methods to circumvent authorization policies, and still continue to abuse processes related to PoS software and card transactions.

Conclusions and recommendations

Life today is hard to imagine without easy access to automated cash withdrawal services. Embedded systems used in ATMs and PoS terminals are there to help us with that. The more money this market accumulates, the more attractive it becomes for intruders. Despite the drop during the pandemic, attackers have stepped up their activities again in the last two years: attacks and detections are on the rise, as new variants from well-known malware families are appearing. New cybercrime business models like malware-as-a-service are emerging to lower the skill bar for wannabe attackers.

Businesses need to be smarter than ever to keep their systems and data safe. To stay on top of the latest ATM/PoS threats, Kaspersky recommends implementing the following measures:

• Use a multi-layered solution, offering an optimal selection of protective layers to provide the best security possible for devices with different levels of processing power and implementation scenarios.
• Implement self-protection techniques in PoS modules, such as the protection available in our Kaspersky SDK, which aims to prevent malicious code from tampering with transactions managed by those modules.
• Protect older systems with up-to-date security that is optimized to provide the full range of usable features on both older versions of Windows and the latest releases. This keeps businesses confident they will both have full support for the older families in the foreseeable future and retain the opportunity to upgrade when needed.
• Install a security solution, such as Kaspersky Embedded Systems Security, that protects devices from various attack vectors. If the device has extremely low system specifications, the Kaspersky solution would still keep it protected with the Default Deny scenario.
• For financial institutions targeted by the kind of fraud discussed in this report, Kaspersky recommends the Threat Attribution Engine to help IR teams with finding and detecting Prilex files in environments under attack.
• Provide your team with access to the latest threat intelligence (TI) resources. The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over the past twenty years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced free access to independent, continuously updated, and globally sourced information on ongoing cyberattacks and threats. Request access online.

^[1] A detection is an instance of an application being blocked when suspicious activity is detected.

The gaming industry went into full gear during the pandemic, as many people took up online gaming as their new hobby to escape the socially-distanced reality. Since then, the industry has never stopped growing. According to the analytical agency Newzoo, in 2022, the global gaming market will exceed $ 200 billion, with 3 billion players globally. Such an engaged, solvent and eager-to-win audience becomes a tidbit for cybercriminals, who always find ways to fool their victims. One of the most outstanding examples involves $2 million’s worth of CS:GO skins stolen from a user’s account, which means that losses can get truly grave. Besides stealing personal credentials and funds, hackers can affect the performance of gaming computers, infecting these with unsolicited miner files.

In this report, we provide the latest statistics on cyberthreats to gamers, as well as detailed information on the most widespread and dangerous types of malware that players must be aware of.

Methodology

To assess the current landscape of gaming risks, we observed the most widespread PC game-related threats and statistics on miner attacks, threats masquerading as game cheats, stealers, and analyzed several most active malware families, giving them detailed in-depth characteristics. For these purposes, we analyzed threat statistics from Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users, for the period between January 2021 and June 2022.

To limit the research scope, we analyzed several lists of most popular games and based on this, created a list of TOP 28 games and game series available for download or about to be released on the streaming platforms Origin and Steam, as well as platform-independent titles. To make the overview more in-depth, we included both mobile and PC games. Thus, we analyzed threats related to the following titles:

1. Minecraft
2. Roblox
3. Need for Speed
4. Grand Theft Auto
5. Call of Duty
6. FIFA
7. The Sims
8. Far Cry
9. CS:GO
10. PUBG
11. Valorant
12. Resident Evil
13. Command & Conquer
14. Hitman
15. Total War
16. Cyberpunk 2077
17. Elden Ring
18. Final Fantasy
19. Halo
20. Legend of Zelda
21. League of Legends
22. Dota 2
23. Apex Legends
24. World of Warcraft
25. Gears of War
26. Tomb Raider
27. S.T.A.L.K.E.R.
28. Warhammer

We used the titles of the games as keywords and ran these against our KSN telemetry to determine the prevalence of malicious files and unwanted software related to these games, as well as the number of users attacked by these files. Also, we tracked the number of fake cheat programs for the popular games listed above, and an amount of miners that dramatically affect the performance of gamers’ computers.

Additionally, we looked at the phishing activity around gaming, specifically that related to cybersports tournaments, bookmakers, gaming marketplaces, and gaming platforms, and found numerous examples of scams that target gamers and esports fans.

Key findings

• The total number of users who encountered gaming-related malware and unwanted software from July 1, 2021 through June 30, 2022 was 384,224, with 91,984 files distributed under the guise of twenty-eight games or series of games;
• The TOP 5 PC games or game series used as bait in the attacks targeting the largest number of users from July 1, 2021 to June 30, 2022 were Minecraft, Roblox, Need for Speed, Grand Theft Auto and Call of Duty;
• The number of malicious and unwanted files related to Minecraft dropped by 36% compared to the previous year (23,239 against 36,336), and the number of affected users decreased by almost 30% year on year (131,005 against 184,887);
• The TOP 5 mobile games that served as a lure targeting the largest number of users from July 1, 2021 to June 30, 2022 were Minecraft, Roblox, Grand Theft Auto, PUBG and FIFA;
• In the first half of 2022, we observed a noticeable increase in the number of users attacked by programs that can steal secrets, with a 13% increase over the first half of 2021;
• In the first half of 2022, attackers cranked up their efforts to spread Trojan-PSW: 77% of secret-stealing malware infection cases were linked to Trojan-PSW;
• Malware and unwanted software distributed as cheat programs stand out as a particular threat to gamers’ security, especially for those who are keen on popular game series: from July 1, 2021 to June 30, 2022 we detected 3,154 unique files of this type that affected 13,689 users;
• Miners pose an increasing threat to gamers’ productivity, with Far Cry, Roblox, Minecraft, Valorant, and FIFA topping the list of games and game series that were used as a lure for cyberthreats; 1,367 unique files and 3,374 users who encountered these files from July 1, 2021 to June 30, 2022.

Top game titles by number of related threats

Over the course of last year, from July 2021 through June 2022, 91,984 files that included malware and potentially unwanted applications were distributed using the popular game titles as a lure, with 384,224 users encountering these threats globally.

Continuing the trend observed in 2021, Minecraft, the famous sandbox game that has been one of the most-played titles around the world for more than a decade, took first place among the games most often used as bait, with 23,239 files distributed using the Minecraft name affecting 131,005 users from July 2021 through June 2022. However, the number of malicious and unwanted files related to Minecraft dropped by 36% compared to the previous year (36,336), and the number of affected users decreased by almost 30% year on year (184,887).

Roblox, too, entered the TOP 3 games both by number of related malicious or unwanted files (8,903) and affected users (38,838).

Other titles that were most often used as a lure were FIFA, Far Cry, and Call of Duty. A large number of users encountered threats while searching for content related to Need for Speed, GTA, and Call of Duty. These game series, too, have been winning the hearts of players around the world for years.

The TOP 10 games by number of related unique malicious and unwanted files:

* Total number of detected files using game title, from July 1, 2021 to June, 30 2022

The TOP 10 games by number of unique users attacked using the game as a lure:

Number of unique users affected by threats related to the game, from July 1, 2021 to June, 30 2022

As the mobile gaming market continues to grow, we analyzed KSN data specifically on mobile threats. For the period from July 1, 2021 through June 30, 2022, our telemetry shows that 31,581 mobile users were exposed to game-related malware and potentially unwanted software. The number of unique malicious and unwanted files discovered within the given period is 5,976. Minecraft, Roblox, Grand Theft Auto, PUBG, and FIFA are among the games that ranked highest by number of related threats and affected users.

TOP 5 mobile games used as a lure for distribution of malware and unwanted software, by users, from July 1, 2021 through June, 30 2022

TOP 5 mobile games used as a lure for distribution of malware and unwanted software, by files, from July 1, 2021 through June, 30 2022

Cyberthreats using games as a lure

The overall landscape of threats that affect gamers has not changed much since last year. Still, downloaders (88.56%) top the list of malicious and unwanted software being spread using the names of popular games: this type of unsolicited software might not be dangerous in and of itself, but it can be used for loading other threats onto devices. Adware (4.19%) comes second: this type of software displays unwanted (and sometimes irritating) pop-up ads which can appear on a user’s computer or mobile device.

The share of various Trojans that use popular games as a lure remains solid, with Trojan-SMS, Trojan-Downloader, and Trojan-Spy among the TOP 10 threats.

TOP 10 threats distributed worldwide under the guise of popular games, July 1, 2021 through June 30, 2022

Game over: cybercriminals targeting gamers’ accounts and money

When downloading the games from untrustworthy sources, players may receive malicious software that can gather sensitive data like login information or passwords from the victim’s device; and in an attempt to download a desired game for free, find a cool mod or cheat, gamers can actually lose their accounts or even money. The research revealed an increase in attacks using malicious software that steals sensitive data from infected devices. It included such verdicts as Trojan-PSW (Password Stealing Ware) which gathers victims’ credentials, Trojan-Banker which steals payment data, and Trojan-GameThief which collects login information for gaming accounts. From July 1, 2021 through June 30, 2022, Kaspersky security solutions detected a total of 6,491 users affected by 3,705 unique malicious files of these types. In the first half of 2022, we observed a noticeable year-on-year increase in the number of users attacked: 13 percent against the first half of 2021 (2,867 vs 2,533). The number of unique files used to attack users also increased in the first half of 2022 by nearly a quarter, compared to the first half of 2021: from 1,530 to 1,868.

From July 1, 2021 through June 30, 2022, 77% of various data stealer infection cases were Trojan-PSW infections. Another 22% of infection attempts were related to Trojan-Bankers, and Trojan-GameThief files accounted for just 1% of cases.

Types of malicious software that steals sensitive data from infected devices, distributed worldwide using popular game titles as a lure, July 1, 2021 through June 30, 2022 (download)

The TOP 3 threat families, stealing data from the infected devices, by number of attacked users from July 1, 2021 through June 30, 2022:

• Trojan-PSW.MSIL.Reline/RedLine

  RedLine Stealer is a password-stealing software that cybercriminals can buy on hacker forums for a very low price. From July 1, 2021 through June 30, 2022 2,362 unique users were attacked by RedLine, spread by using popular game titles and series as a lure, which makes it the most active data-stealing malware family for the period given. Once executed on the attacked system, RedLine Stealer collects system information, including device user names, the operating system type, and information about the hardware, installed browsers, and antivirus solutions. Its main stealer functionality  involves extracting data such as passwords, cookies, card details, and autofill data from browsers, cryptocurrency wallet secrets, credentials for VPN services, etc. The stolen information is then sent to a remote C&C server controlled by the attackers, who later drain victims’ accounts.

  

  The RedLine code specifies that, depending on the configuration the malicious software can steal passwords from browsers, cryptocurrency wallet data, and VPN client passwords

• Trojan-PSW.Win32.Convagent and Trojan-PSW.Win32.Stealer

  Both of these verdicts are generic verdicts for various families of malicious software that collect, analyze, and steal data from victims’ infected devices. From July 1, 2021 through June 30, 2022, 1,126 unique users encountered Convagent and 1,024 users encountered Stealer.

Most often, players get malicious software, stealing sensitive data, on their devices when trying to download a popular game from a third-grade website instead of buying it on the official one. For example, under the guise of a number of cracked popular games, attackers spread the Swarez dropper, which we analyzed in detail in our previous gaming-related threats report. Swarez was distributed inside a ZIP archive which contained a password-protected ZIP file and a text document with a password. Launching the malware resulted in decryption and activation of a Trojan-stealer dubbed Taurus. The latter had a wide range of functions: it could steal cookies, saved passwords, autofill data for browser forms and cryptocurrency wallet data, collect system information, steal .txt files from the desktop and make screenshots.

Attackers often purposely seek to spread threats under the guise of games and game series that either have a huge permanent audience (such as Roblox, FIFA, or Minecraft) or were recently released. We found that from July 1, 2021 through June 30, 2022, the TOP 5 game titles that cybercriminals used as a lure to distribute secret-stealing software included Valorant, Roblox, FIFA, Minecraft, and Far Cry.

TOP 5 game titles used by cybercriminals to lure users into downloading malicious software, stealing secrets from infected devices, from July 1, 2021 through June 30, 2022

Risky money: how to lose instead of gaining

One of the most widespread cyberthreats gamers are exposed to is phishing, a social engineering scheme where an attacker masquerades as a legal and trustworthy entity to encourage the user to give out sensitive data, such as account credentials or financial information.

For the period from July 1^st 2021 through June 30^th 2022, Kaspersky security solutions detected 3,116,782 attacks connected to phishing activities in online games. One of the key findings in this segment was connected to the attacks aimed at gaining users’ credentials or taking over gaming accounts – especially through social network login.

For instance, we found several examples of phishing activity of this type targeting Grand Theft Auto Online gamers: the cybercriminals created a fake website that launched an in-game money generator. To use it, you have to login with your gaming account. Once the credentials are shared, the cybercrooks get access to such sensitive information as gaming account, telephone number, and even banking details.

A fraudulent money generator offered to GTA Online players

Offering easy in-game money to achieve phishers’ malicious goals was a noticeable trend in the previous reporting period and remains one. By mimicking Apex Legends, a multiplayer free-to-play hero shooter, scammers created a fake website that invited gamers to take part in a lottery to win in-game coins. To try their luck, players were asked to share their game credentials. Once the username or player ID alongside with password were entered, the account was taken over by the scammers.

The Fake Apex Legends website that invited players to take part in a giveaway of in-game coins. Once the player typed in their username and password, scammers got access to his account

This year, cybercriminals have learned to mimic the entire interfaces of the in-game stores for many popular game titles. The most notable examples include fake marketplaces launched under the names of CS:GO, PUBG and Warface, which are popular esports disciplines. To achieve better results, players need a decent arsenal of weapons and artifacts that are available in the in-game stores. The scammers created fraudulent stores by copying the appearance of the actual in-game marketplaces to fool players, with the final aim of taking over their accounts or stealing their money.

Fake CS:GO in-game stores created by cybercriminals

Scammers create fake in-game store mimicking the PUBG mobile interface. The scheme encourages users to log in using their social media credentials

Unsolicited mining: programs that ruin the gaming experience

Miners are programs that may adversely affect a computer’s productivity. Once a miner file is launched on an affected computer, it starts using the machine’s energy to mine cryptocurrency. When it comes to unsolicited miners that interfere with users’ operating systems against their will, the situation might get even worse – especially for gamers who value the computer’s productivity above all.

According to our analysis, Far Cry, a gaming series that spans 18 years and six editions, proved to be the most popular title among unsolicited miners – both in terms of affected users (1,050) and unique malicious files (510). Other games that make the perfect bait for miners include Minecraft with 406 unique files and Valorant with 93 files. Overall, from July 1^st 2021 through June 30^th 2022, we managed to detect 1,367 unique mining files which affected 3,374 users. That said, the number of users affected by miners halved in H1 2022 (1002) compared to H1 2021 (2086), which may be linked to the sharp drop in the bitcoin exchange rate. Interestingly, the number of unique miner files rose by 30% in H1 2022 (497) compared to H1 2021 (383).

Under the guise of one of the biggest novelties of 2022, cybercriminals have also distributed malware related to miners. The fantasy role-playing game Elden Ring was used as a lure by cybercriminals who spread OpenSUpdater. OpenSUpdater is a Trojan that pretends to be a cracked version of a game, and, once installed, downloads and installs various unwanted programs and miners to the victim’s device.

The OpenSUpdater campaign only targets users from certain countries, so if the user’s IP address does not satisfy the regional requirements of the distribution server, clean software will be downloaded, e.g., the 7zip archive manager. Less fortunate users will receive an installer that delivers various payloads, including legitimate software, potentially unwanted applications, and miners. Infection chain consists of two stages. At the first stage, a malicious downloader is installed. The code of this downloader is updated by threat actors several times a week by using various obfuscation and anti-emulation techniques. The main purpose of these changes is to complicate threat investigation and detection. The second stage is the installer itself.

Cheating in games, or being cheated?

Every gamer aims for the best performance and results – even when they are not competing for a precious trophy. This explains why cheating will never go out of style. However, some of the cheats can bring more harm than good.

What exactly are cheats? When we talk about cheats, we refer to the programs that help gamers create an advantage beyond the available capabilities by applying special cheat codes or installing software that allows sideways. Cybercriminals try to fool gamers by creating fake cheat programs which, instead of providing advantages, negatively affect computers’ performance or even steal player’s data.

From July 1^st 2021 through June 30^th 2022, we detected 3,154 unique files distributed as cheat programs for the most popular game titles, with a total of 13,689 users affected. The vast majority of the files mimicking cheat programs were related to Counter Strike: Global Offense (418), Roblox and Valorant (332 files for both), and Total War (284). At the same time, Need for Speed came first by number of unique users exposed to this type of threats (3,256) – this series of games has not lost in its broad popularity after several decades and generations.

Conclusion and Recommendations

The pandemic times greatly boosted the gaming industry, increasing the number of computer game fans several times over.

Despite the fact that the number of users affected by gaming-related threats has dropped, certain gaming threats are still on the rise. Over the past year, we have seen an increase in cybercriminal activity around stealers, which allow attackers to steal bank card data, credentials, and even crypto wallets data from infected devices. In the first half of 2022, we observed a noticeable increase in the number of users attacked by stealers, with a 13 percent increase over the first half of 2021.

We also analyzed which popular games were used as a lure by cybercriminals who distributed malware and unwanted software, and found that most often these were multiplayer gaming platforms, such as Minecraft and Roblox. Worryingly, the primary target audience for these games is children and teenagers, who have much less knowledge of cybersecurity due to a lack of experience. Because of this, we assume that they could become an easy prey for cybercriminals, which means we need to pay special attention to cybersecurity hygiene training for kids.

Traditionally, we have found a lot of different examples of phishing tools spread by cybercriminals to get access to gaming accounts, in-game items or money. Cybercriminals mostly created phishing pages that mimicked the appearance of the games whose users they were targeting. For example, we observed fake in-game stores for PUBG and CS:GO.

Over the years, the gaming industry has grown more and more, and we expect to see new ways of abusing users next year, e.g. by exploiting the theme of esports, which are now gaining popularity around the world. That is why it is so important to stay protected, so you do not lose your money, credentials, or gaming account, which you have built over the years.

Here is what we recommend to stay safe while gaming.

• Protect your accounts with two-factor authentication whenever possible. At least comb through account settings if you cannot.
• Use a unique, strong password for each of your accounts. Should one of your passwords get leaked, the rest of your accounts would remain safe.
• You will benefit greatly from a robust security solution that will protect you from every possible cyberthreat without interfering with your computer’s performance while you are playing.  Kaspersky Total Security plays nicely with Steam and other gaming services.
• Download your games from official stores like Steam, Apple App Store, Google Play, or Amazon Appstore only. While not 100 % safe, games from these stores undergo a screening process, which makes sure that a random app cannot be published.
• If your desired title is not available from the official store, purchase it from the official website only. Double-check the URL of the website to make sure it is authentic.
• Avoid buying the first thing that pops up. Even during Steam’s summer sale, make sure you read a few reviews before forking out the dough for a little-known title. If something is fishy, other people will have figured it out.
• Beware of phishing campaigns and unfamiliar gamers. Do not open links received by email or in a game chat unless you trust the sender. Do not open files from strangers.
• Carefully check the address of any website asking for your username and password, as it might be fake.
• Avoid downloading cracked software or any other illegal content, even if you are redirected to it from a legitimate website.
• Keep your operating system and other software up to date. Updates can help address many security issues.
• Do not visit dubious websites when these are offered in search results and do not install anything they offer.
• Use a robust security solution to protect yourself from malicious software on mobile devices, such as Kaspersky Internet Security for Android.

Whether you want to block ads, keep a to-do list or check your spelling, browser extensions allow you to do all of the above and more, improving convenience, productivity and efficiency for free, which is why they are so popular. Chrome, Safari, Mozilla — these and many other major Web browsers — have their own online stores to distribute thousands of extensions, and the most popular plug-ins there reach over 10 million users. However, extensions are not always as secure as you might think — even innocent-looking adds-on can be a real risk.

Browser add-ons are in demand among people of different ages. For example, children can add virtual pets to their browser, while adults usually prefer productivity trackers and timers

First of all, not every innocent-looking extension is, in fact, innocent. Malicious and unwanted add-ons promote themselves as useful, and often do have legitimate functions implemented along with illegitimate ones. Some of them may even impersonate a popular legitimate extension, their developers going so far as to stuff keywords so that their extension appears near the top of the browser’s extension store.

Malicious and unwanted add-ons are often distributed through official marketplaces. In 2020, Google removed 106 browser extensions from its Chrome Web Store. All of them were used to siphon off sensitive user data, such as cookies and passwords, and even take screenshots; in total, these malicious extensions were downloaded 32 million times. Victims of these attacks were not only individuals, but also businesses. Overall, more than 100 networks were abused, giving threat actors a foothold on financial service firms, oil and gas companies, the healthcare and pharmaceutical industries, government and other organizations. Another malicious Google Chrome extension that was available for download even in the official store could recognize and steal payment card details entered in web forms. Google deleted it from the Chrome Web Store, but the malware had already infected more than 400 Chrome users, putting their data at huge risk.

Sometimes the user can assess the risks by looking at what permissions an extension requests when installed from the store. If you see that an add-on is asking for far more permissions than it theoretically needs, that’s a serious cause for concern. For example, if a regular browser calculator requires access to your geolocation or browsing history, or wants to take screenshots of pages, it’s better not to download it at all.

However, analyzing extension permissions may not always help. Often the wording provided by browsers is so vague that it is impossible to tell exactly how secure an extension is. For example, basic extensions often require permission to “read and change all your data on the websites you visit.” They may really need it to function properly, but this permission potentially gives them large power.

Even if extensions have no malicious functionalities, they can still be dangerous. The danger arises from the fact that many extensions, after gaining access to “read all the data on all websites,” collect massive amounts of data from web pages users visit. To earn more money, some developers may pass it on to third parties or sell it to advertisers. The problem is that sometimes that data is not anonymized enough, so even non-malicious extensions can harm users by exposing their data to someone who is not supposed to see what websites they visit and what they do there.

A regular spell checker asks permission to “read and change all your data on all websites,” which could potentially pose a risk

Additionally, extension developers are also able to push out updates without requiring any action by the end user, which means that even a legit extension could be later turned into malware or unwanted software. For instance, when an account of the developer of a popular add-on was hijacked after a phishing attack, millions of users received adware on their devices without their knowledge. Sometimes developers sell a browser extension after it has gained a huge following. After fraudsters purchase the extension, they can update it with malicious or unwanted features, and that update will be pushed to users. In that way, over 30,000 users got adware after an installed extension, dubbed Particle, was sold to new developers and later modified to inject ads into websites.

Methodology

In this research, we observed various types of threats that mimic useful web browser extensions, and the number of users attacked by them. For this purpose, we analyzed threat statistics from Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users, for the period between January 2020 and June 2022. Additionally, we prepared in-depth characteristics of four popular threats, hiding as browser add-ons, with examples of which applications they can mimic and what danger they hold for users.

Key findings

• Throughout the first half of this year, 1,311,557 users tried to download malicious or unwanted extensions at least once, which is more than 70 percent of the number of users affected by the same threat throughout the whole of last year.
• From January 2020 to June 2022, more than 4.3 million unique users were attacked by adware hiding in browser extensions, which is approximately 70 percent of all users affected by malicious and unwanted add-ons.
• The most common threat in the first half of 2022 was the WebSearch family of adware extensions, able to collect and analyze search queries and redirect users to affiliate links.

Browser extensions threats: in figures

Since the beginning of 2020, Kaspersky products prevented 6,057,308 users from downloading malware, adware and riskware disguised as browser extensions. Our findings show that, during the analyzed period, the number of such users peaked in 2020 and reached 3,660,236. In 2021, the number of affected users halved, and we saw 1,823,263 unique users attempting to download malicious or unwanted extensions. This year shows that in H1 1,311,557 users tried to download malicious and unwanted extensions at least once. This is more than 70 percent of the number of users affected throughout the whole of last year, despite 2022 having six months left to run.

Number of unique users affected by malicious or unwanted browser extensions (download)

Our telemetry shows that the most common threat spread under the guise of browser extensions is adware — unwanted software designed to promote affiliates rather than improve user experience. Such ads are usually based on the browser history to tap users’ interests, redirect them to affiliate pages that the adware developers earn money from or embed affiliate banners and links in web pages. From January 2020 to June 2022, we observed more than 4.3 million unique users attacked by adware hiding in browser extensions, which means approximately 70 percent of all affected users encountered this threat. Of these, more than 1 million users encountered adware in the first half of 2022.

Affiliate ads even appear on the side of the search result page — all to draw the user’s attention to it

The second most widespread threat was malware (a type of computer program designed to infect a legitimate user’s computer and inflict harm on it in multiple ways). The aim of some malicious extensions is to steal login credentials and other sensitive information. In addition to stealing cookies and data copied to the clipboard, they can function as keyloggers — monitoring software that is able to track and capture everything users type, making it a huge threat to victims’ sensitive data, such as credentials and credit card details.

From January 2020 to June 2022, we observed over 2.6 million unique users who were attacked by malware in the guise of a browser extension. This is 44 percent of all users who encountered malicious or unwanted extensions during this period.

The most common threat families in 2022 hiding as browser extensions

To provide a more detailed insight into how malicious and unwanted extensions operate, we also compiled an in-depth analysis of four threat families. We analyzed if they are distributed in a legitimate web store or in a different way, what useful extension functions they can use as a disguise, and how active they were in the first half of 2022.

WebSearch

The most common threat in the first half of 2022 was the WebSearch adware family, detected as not-a-virus:HEUR:AdWare.Script.WebSearch.gen. In the first half of 2022, 876,924 unique users encountered WebSearch. Typically, this threat mimics tools for working with documents, such as DOC to PDF converters, document mergers, etc. First of all, WebSearch extensions change the browser’s start page so that, instead of the familiar Chrome page, the user sees a minimalistic site consisting of a search engine and several links to third-party resources, such as AliExpress or Farfetch. The transition to these resources is carried out through affiliate links — this is how attackers earn money from their extensions. The more often users follow these links, the more money the extension developers make.

The browser’s new-look home page after being hit by WebSearch

Also, the extension modifies the browser’s default search engine to search.myway[.]com, which can capture user queries, collect and analyze them. Depending on what the user searched for, most relevant partner sites will be actively promoted in the search results.

WebSearch extensions track everything the user searches for, then promote these products with affiliate ads on search engines

Office workers, who often have to use PDF viewers or converters at work, may be the most frequent victims of this threat, as WebSearch mostly hides behind this functionality. Usually, the extension performs its declared useful function so that the user doesn’t uninstall it.

Examples of this family are:

Currently this extension is no longer available in the Chrome Web Store, but can still be downloaded from third-party file-sharing resources and installed manually.

DealPly-related extensions

DealPly-related extensions are adware, the first variations of which appeared back in late 2018, but remain popular with cybercriminals. These extensions are detected with the following verdicts:

• HEUR:AdWare.Script.Generic
• HEUR:AdWare.Script.Extension.gen.

Between January and June 2022, 97,515 unique Kaspersky users encountered DealPly-related add-ons.

Unlike the WebSearch family, these extensions are not installed by the user, but by the adware executable DealPly, which Kaspersky products detect as not-a-virus:AdWare.Win32.DealPly. Usually users get infected with DealPly when trying to download a loader of some hacked software from untrustworthy resources. Similar to the previous threat family, DealPly-related extensions also change the start page of the browser to place affiliate links on it.

The new start page of the browser consists mainly of links to affiliate websites

In order to intercept user requests, the default search engine is changed. All queries that users make on this search engine are analyzed by the extension ⁠— based on the keywords entered in the queries, the user is redirected to a suitable partner site.

The threat analyzes the keyword “iPhone” and, based on this, suggests a suitable offer on the partner website

To provide persistence for its extensions, DealPly creates the following branches in the Windows registry:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\bifdhahddjbdbjmiekcnmeiffabcfjgh 
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\bifdhahddjbdbjmiekcnmeiffabcfjgh 
HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\bifdhahddjbdbjmiekcnmeiffabcfjgh

with the value “update_url”=”hxxp[:]//juwakaha[.]com/update“. This value provides browsers with the path to extension updates. Even if the user removes the add-on, each time the browser is launched it will download and reinstall it using this path. Note that the browser updates DealPly-related extensions, although they are installed from third-party servers, and not from the official Chrome Web Store.
We assume that the most frequent victims of this threat are those who download hacked software from dubious resources; common examples of programs that DealPly mimics are KMS activators (programs that activate hacked Windows for free) or cheatengine, used to hack computer games. In addition, DealPly can also mimic installers of various software, including proprietary software.

Examples of DealPly-related extensions are:

AddScript

AddScript is another threat family, hiding under the guise of browser extensions. The first samples of this family were seen in early 2019, and it remains active. In the first half of 2022, we observed 156,698 unique users that encountered AddScript.

Typically, extensions of this family do have useful functions. For example, they can be tools for downloading music and videos from social networks or proxy managers. However, in addition to the useful functionality, such extensions also carry out malicious activity.

AddScript malicious code

The malicious code is obfuscated. When the extension is running, it contacts a hardcoded URL to get the C&C server address. It then establishes a connection to the C&C server, receives malicious JavaScript from it, and runs it covertly. The only way the user can notice the execution of third-party instructions is by the increased consumption of processor power.

The malicious script is updated from time to time and may perform various functions. For example, it can unobtrusively run videos on the victim’s computer, so that its owners profit from the video being “viewed.” Another variant of malicious JavaScript performs cookie stuffing (also called “cookie dropping”). Traditionally, different brands promote affiliate products on their sites. When a visitor clicks the affiliate link, an affiliate cookie is saved on their device. If the user then makes a purchase on the partner’s page, the owner of the site that saved the affiliate cookie gets a commission. AddScript drops multiple affiliate cookies without the user clicking any links on any sites, in order to claim the commission for transactions that happen in the browser. Put simply, the fraudsters trick websites into thinking they have sent them traffic without actually doing so.

Examples of this family are:

Kaspersky products detect AddScript extensions with the verdict HEUR:Trojan.Script.Generic.

FB Stealer

Another malicious browser extension family is FB Stealer. It is one of the most dangerous families, because in addition to the already traditional search engine substitution, FB Stealer is able to steal user credentials from Facebook. From January to June 2022, Kaspersky security solutions detected 3,077 unique users who encountered FB Stealer.

FB Stealer is installed by the malware rather than by the user. Once added to the browser, it mimics the harmless and standard-looking Chrome extension Google Translate.

Malicious FB Stealer extension added from third-party resources. Browser warns that it has no information about this extension

The Trojan delivering FB Stealer is called NullMixer. It masquerades as a cracked software installer, and thus reaches users.

NullMixer spreads through hacked software installers

Downloading a password-protected archive with NullMixer inside

The extension files are stored in the resources section of the NullMixer executable and, during installation, are copied to the %AppData%\Local\Google\Chrome\User Data\Default\Extensions folder. The installer also modifies the Secure Preferences file, which contains Chrome settings, including information about extensions. As soon as this is done, the extension becomes active.

Similar to previous families, the extension changes the default search engine. In this case, it sets it to hxxps[:]//www.ctcodeinfo[.]com. In addition, the attackers extract Facebook session cookies — secrets stored in the browser that hold identification data allowing users to stay logged in — and send them to their own servers. Using these cookies, they are able to quickly log in to the victim’s Facebook account and hijack it by changing the login details. Once inside the account, the attackers can ask the victim’s friends for money, trying to get as much as possible before the user regains access to the account.

Attackers use script obfuscation techniques to hide malicious code

Conclusion and recommendations

Browser extensions remain one of the most common ways for cybercriminals to get money, whether by redirecting users to affiliate pages, cookie stuffing or even stealing the victim’s credentials. Hence, numerous users might wonder: is it worth downloading browser extensions at all if they carry so many threats? We believe that extensions only improve the user online experience, and some add-ons can even make devices a lot safer. That said, it’s important to keep an eye on how reputable and trustworthy the developer is, and what permissions the extension asks for. If you follow the recommendations for safe use of browser extensions, the risk of encountering the threats described above will be minimal.

To stay safe while using browser add-ons:

• Only use trusted sources to download software. Malware and unwanted applications are often distributed through third-party resources, where no one checks their security like official web stores do. These applications may install malicious or unwanted browser extensions without the user knowing about it, and perform other malicious or unwanted activity.
• Since extensions add extra functionality to browsers, they require access to various resources and permissions — you should carefully examine add-on requests before agreeing to them.
• Limit the number of extensions used at any one time and periodically review your installed extensions. Uninstall extensions that you no longer use or that you do not recognize.
• Use a robust security solution. Private Browsing in Kaspersky Internet Security, for example, prevents online monitoring and protects you from web threats.

Indicators of compromise

WebSearch extension MD5
dd7bd821cd4a88e2540a01a9f4b5e209

WebSearch extension ID
kpocjpoifmommoiiiamepombpeoaehfh
fncbkmmlcehhipmmofdhejcggdapcmon
mallpejgeafdahhflmliiahjdpgbegpk
ceopoaldcnmhechacafgagdkklcogkgd
mabloidgodmbnmnhoenmhlcjkfelomgp

DealPly installer MD5
E91538ECBED3228FF5B28EFE070CE587

DealPly-related extension MD5
38a7b26c02de9b35561806ee57d61438

DealPly-related extension ID
bifdhahddjbdbjmiekcnmeiffabcfjgh
ncjbeingokdeimlmolagjaddccfdlkbd
nahhmpbckpgdidfnmfkfgiflpjijilce
pilplloabdedfmialnfchjomjmpjcoej

AddScript extension MD5
28a18438e85aacad71423b044d0f9e3c

AddScript extension ID
hdbipekpdpggjaipompnomhccfemaljm
lfedlgnabjompjngkpddclhgcmeklana
aonedlchkbicmhepimiahfalheedjgbh
oobppndjaabcidladjeehddkgkccfcpn

NullMixer MD5
F94BF1734F34665A65A835CC04A4AD95

FBStealer extension installer MD5
5010c3b42d269cb06e5598a5b1b143a5

FBStealer extension ID
colgdlijdieibnaccfdcdbpdffofkfeb
fdempkefdmgfcogieifmnadjhohaljcb

 The state of stalkerware in 2021 (PDF)

Main findings of 2021

Every year Kaspersky analyzes the use of stalkerware around the world to better understand the threat it poses. We partner with stakeholders across public and private sectors to raise awareness and find solutions to best tackle this important issue.

Stalkerware enables people to secretly spy on other people’s private lives via smart devices and is often used to facilitate psychological and physical violence against intimate partners. The software is commercially available and can access an array of personal data, including device location, browser history, text messages, social media chats, photos and more. The marketing of stalkerware is not illegal, but its use without the victim’s consent is. Perpetrators benefit from this vague legal framework that still exists in many countries. Stalkerware is a breach of privacy and a form of tech abuse. To address this complex threat in a comprehensive way that best supports victims and survivors, innovative tools from a legislative, social and technological point of view are needed.

2021 data highlights

• In 2021, Kaspersky’s data shows that 32,694 unique users were affected by stalkerware globally. This is a decrease from our 2020 numbers and a historic low since we first started gathering data on stalkerware in 2018. While this could be seen as a reason for celebration, it is not.
• Cyber-violence is on the rise, especially since the beginning of the pandemic. As people have continued to socialize less and spend more time at home, perpetrators feel more in control, possibly making them less prone to installing stalkerware to spy on their partner. In addition, abusers, unfortunately, have a wider range of means, in the form of smart devices, to spy on or stalk their victims. Non-profit organizations (NPOs) with which Kaspersky works closely have shared similar observations from working with perpetrators and victims of stakerware. It is important to remember that these numbers only include Kaspersky users: they do not take into account users who use the IT security solutions of our competitors or those who do not have any IT security solutions installed on their mobiles. Therefore, we see only the tip of the iceberg: while it is difficult to calculate the exact number of affected users in the world, members from the Coalition against Stalkerware estimate that it could be at least 30 times higher, with close to one million victims globally, each year.
• Based on data obtained from the Kaspersky Security Network, the most affected countries remain Russia, Brazil and the United States. This is in line with statistics from the past two years. At the regional level, we find the highest numbers of affected users in:
  • Germany, Italy and the UK (Europe)
  • Turkey, Egypt and Saudi Arabia (Middle East and Africa)
  • India, Indonesia and Vietnam (Asia-Pacific)
  • Brazil, Mexico and Columbia (Latin America)
  • The United States (North America)
  • The Russian Federation, Ukraine and Kazakhstan (Russia and Central Asia)
• Cerberus and Reptilicus were the most used stalkerware applications, with 5,575 and 4,417 affected users, respectively, globally.

Trends observed by Kaspersky

Methodology

The data in this report has been taken from aggregated threat statistics obtained from the Kaspersky Security Network. The Kaspersky Security Network is dedicated to processing cybersecurity-related data streams from millions of volunteer participants around the world. All received data is anonymized. To calculate our statistics, we review the consumer line of Kaspersky’s mobile security solutions applying only the Coalition Against Stalkerware’s detection criteria on stalkerware. This means that the affected number of users were targeted by stalkerware only. Other types of monitoring or spyware apps that fall outside of the Coalition’s definition are not included in our statistics.

The statistics reflect unique mobile users affected by stalkerware: this is different from the number of detections. The number of detections can be higher as we may detect stalkerware several times on the same device of the same unique user if they decided not to remove the app after receiving our notification.

Finally, the statistics reflect only mobile users using Kaspersky’s IT security solutions. Some users may use another cybersecurity solution on their devices, while some do not use any solution at all.

Global detection figures: affected users

In this section, we highlight the global and regional numbers observed by Kaspersky in 2021 and how they compare with those from previous years.

In 2021, a total of 32,694 single users were affected by stalkerware. The graphic below shows the evolution of affected users year on year since 2018.

The graphic below shows unique affected users per month over the 2019-2021 period. We can see that in 2021 the trend was more stable than in 2020, which saw a visible decrease during the months most impacted by lockdowns and quarantine measures.

Global and regional detection figures: geography of affected users

Stalkerware continues to affect people across the world: in 2021, Kaspersky detected affected users in 185 countries or territories.

As in 2020, Russia, Brazil, the United States and India are, again, the top four countries with the most identified single affected users. Interestingly, Mexico has fallen from fifth to ninth place and Algeria, Turkey and Egypt have entered the top 10. They have replaced Italy, the United Kingdom and Saudi Arabia, which are no longer in the top 10 countries most affected by stalkerware.

Table 1 – 2021’s top 10 countries affected by stalkerware – globally

In this year’s report, we provide more detailed regional statistics with numbers for Europe, Asia-Pacific, Latin America, North America, Russia and Central Asia and the Middle East and Africa.

In Europe, the total number of single affected users was 4,236 in 2021. Germany, Italy and the United Kingdom rank at the top of the list, repeating their top rankings last year. Austria has been replaced in the top 10 by Czechia.

Table 2 – 2021’s top 10 countries affected by stalkerware – Europe

In Russia and Central Asia, the total number of single affected users was 9,207. The top three countries were Russia, Ukraine and Kazakhstan.

Table 3 – Eastern Europe (excluding EU countries), Russia and Central Asia

In the Middle East and Africa region, the total number of affected users in the entire region was 6,270 with Turkey, Egypt and Saudi Arabia having the most affected users.

Table 4 – 2021’s top 10 countries affected by stalkerware – Middle East and Africa

In APAC, the total number of affected users was 4,243. India was substantially ahead of other countries with 2,105 single users affected. It was followed by Indonesia and Vietnam.

Table 5  – 2021’s top 10 countries affected by stalkerware – Asia Pacific

The Latin America and Caribbean region ranking was dominated by one country: Brazil, which represented 72.5% of the total number of affected users in the region (and accounts for roughly 32% of the region’s population). Brazil was followed by Mexico and Colombia. The entire region had 6,609 affected users.

Table 6 – 2021’s top 10 countries affected by stalkerware – Latin America

Finally, in North America, the United States accounted for 87% of all affected users in the region, which was expected given that its population is ten times larger than that of Canada. The total number of affected users in North America, excluding Mexico which has been included with the Latin America data, is 2,666.

Table 7 – 2021’s affected users by stalkerware – North America

Common functionalities of stalkerware applications

This section lists the stalkerware applications that are the most used to control mobile devices on a global level. Cerberus and Reptilicus were the most used stalkerware applications with 5,575 and 4,417 affected users, respectively, globally.

Table 8 – 2021’s top list of stalkerware applications

Stalkerware applications can give tremendous power and access to its users, depending on the applications and whether they are used in free or paying mode. Some of them are marketed as anti-theft or parental control applications, however, they are different in many ways, beginning with the fact that they work in stealth mode without the consent and knowledge of the victim.

Most of the popular applications provide common stalkerware functionality such as:

• Hiding app icon
• Reading SMS, MMS and call logs
• Getting lists of contacts
• Tracking GPS location
• Tracking calendar events
• Reading messages from popular messenger services and social networks, such as Facebook, WhatsApp, Signal, Telegram, Viber, Instagram, Skype, Hangouts, Line, Kik, WeChat, Tinder, IMO, Gmail, Tango, SnapChat, Hike, TikTok, Kwai, Badoo, BBM, TextMe, Tumblr, Weico, Reddit etc.
• Viewing photos and pictures from phones’ image galleries
• Taking screenshots
• Taking front (selfie-mode) camera photos

Are Android OS and iOS equally affected by stalkerware?

Stalkerware tools are less frequent on iPhones than Android devices because iOS is traditionally a closed system. However, perpetrators can work around this limitation on jailbroken iPhones, but they still require direct physical access to the phone to jailbreak it. iPhone users who fear surveillance should always keep an eye on their device.

Alternatively, an abuser can offer their victim an iPhone – or any other device – with pre-installed stalkerware. There are many companies that make these services available online, allowing abusers to have these tools installed on new phones, which can then be delivered in factory packaging under the guise of a gift to the intended victim.

The use of stalkerware may be decreasing, but violence is not

While we observe a decrease of 39% of affected users from our 2020 data, the fight against stalkerware and against cyber violence is far from over. The number of affected users and some of the behaviors and perceptions around the use of stalkerware are still concerning. In November 2021, Kaspersky commissioned a global survey of more than 21,000 participants in 21 countries on their attitudes towards privacy and digital stalking in intimate relationships. While the majority of respondents (70%) do not believe it is acceptable to monitor their partner without consent, a significant share of people (30%) doesn’t see any issue with it and find it acceptable under certain circumstances. Of those who think there are justifiable reasons for secret surveillance, almost two thirds would engage in the behavior if they believed their partner was being unfaithful (64%) or if it was related to their safety (63%) and half would if they believed their partner was involved in criminal activities (50%).

High-speed internet in conjunction with the rapid spread of information and communication technology (ICT) has supported cyber-violence by creating another tool for abusers to share violent and dangerous materials or engage in behaviors that affect emotional, psychological or physical damage. While these technologies have given people the ability to maintain social and emotional relationships across wide-ranging physical distances, ICT has also enabled cyber-violence – a consequence that’s far-reaching effects extend to the offline world with real-life negative impacts on its victims.

The results of our survey corroborate this, with 15% of respondents worldwide being required by their partner to install a monitoring app and 34% of those also experiencing physical and/or verbal abuse by that intimate partner.

While it is too early to make definitive conclusions on the decrease of affected users in 2021, there are two theories that could explain this trend.

Firstly, we believe that all aspects of our lives are still heavily impacted by the pandemic. Recent studies^[1] show that new behaviors are emerging across areas of life such as work, learning, home, consumption, communications and information, travel and mobility. In short, people are staying at home more (49% avoid leaving their homes and 50% are working from home partially or entirely), reducing face to face interactions (57% indicate that they are socially distancing from friends and the community) and traveling, and shopping, educating and entertaining themselves increasingly online. From an abuser’s point of view, this could result in less need to spy on their partner, who is now in their sight most of the time.

Secondly, the Internet of Things (IoT) and digitization are now everywhere in our lives. It fills our daily routines and our homes, cars and offices. While the opportunities and advantages are endless, many devices also enable tracking by third parties. Our research suggests that perpetrators might also use other means, aside from stalkerware, to track their partners, with 50% of respondents to our survey indicating that they have been tracked through phone apps, another 29% mentioning they had been traced through tracking devices, 22% through webcams and 18% through smart home devices.

Apple’s recent January 2022 publication of a safety manual for its AirTag product marks a shift in the perception of the situation.

NNEDV, the National Network to End Domestic Violence and WWP EN, the European Network for the Work with Perpetrators of Domestic Violence share with us their experience and views on these two theories and on tech abuse in general.

How measures imposed by governments during the pandemic facilitated and reinforced perpetrators’ coercive control – Berta Vall Castelló, Research and Development manager and Anna McKenzie, Communications manager at WWP EN

The European Network for the Work With Perpetrators of domestic violence (WWP EN) is a membership association of organisations directly or indirectly working with people who perpetrate violence in close relationships. The main focus of WWP EN is violence perpetrated by men against women and children. The mission of WWP EN is to improve the safety of women and their children and others at risk from violence in close relationships, through the promotion of effective work with those who perpetrate this violence, mainly men.

Coercive control is defined as “a pattern of abusive behavior designed to exercise domination and control over the other party to a relationship. It can include a range of abusive behaviors – physical, psychological, emotional or financial – the cumulative effect of which over time robs victim-survivors of their autonomy and independence as an individual” (McGorrery and McMahon, 2020). As we write in our manual “Same Violence, New Tools – How to work with violent men who use cyberviolence,” perpetrators isolate their partners and make them emotionally dependent. They use assaults, threats, intimidation, humiliation, isolation and more to create a constant sense of fear, as well as a general loss of a sense of freedom. ICT technologies are powerful tools for perpetrators exerting coercive control, especially in relationships where violence is already present offline.

A recent review on domestic violence during the COVID-19 pandemic found that the measures imposed by the government during lockdown facilitate and reinforce perpetrators’ coercive control. The authors suggested that the conditions of isolation/physical distancing imposed by the governments overlap with coercive control strategies used by perpetrators to control their partners (Pentaraki and Speake, 2020). Considering these results, it seems likely that perpetrators feel less of a “need” to use stalkerware to exert coercive control over their partners. Moreover, recent research has observed that technology-facilitated abuse often escalates during a period of separation (George and Harris 2014; Woodlock 2016). Therefore, during a lockdown situation where couples were forced to stay together at home, they are less likely to use technology-facilitated abuse.

We must remember that a decrease in the use of stalkerware does not equal a decrease in overall intimate partner violence (IPV) during the pandemic. On the contrary, Boxall, Morgan and Brown (2020) note that IPV has increased during the COVID-19 pandemic. Therefore, the results in this report indicate that stalkerware has been replaced with other tools. As Elena Gajotto, from Italian NGO Una Casa per l’Uomo, remarks: “It is so easy to monitor and track someone, for example by using their Google account, that you don’t really need to use stalkerware.” The wide variety of possible technology-facilitated abuse might have had an impact on the decrease in the use of stalkerware specifically. Letizia Baroncelli, from Italian NGO Centro Ascolto Uomini Malttratanti (CAM), agrees and adds: “I think we see less stalkerware because there are so many other forms of perpetrating digital abuse.”

However, NGOs, governments and researchers have reported a substantial increase in image-based abuse and sextortion since the start of the pandemic (Boniello, 2020; CCRI, personal communication, June 2, 2020; FBI, 2020, 2021). It seems that this type of technology-facilitated abuse has escalated, especially among teenagers and couples who do not live together. As Letizia Baroncelli notes: “Sharing personal pictures has increased a lot since the pandemic, especially among young perpetrators. They do not understand that they are committing a crime.” As Elena Gajotto adds: “Image-based abuse causes devastating harm to the women who experience it, while the men don’t even understand that they did something bad.”

Several WWP EN members have shared that the most common form of digital violence is men monitoring their partners’ digital activities, e.g. by checking emails, phones and social accounts. This is in line with observations from Daniel Antunovic, from Croatian NGO UZOR, who agrees that the ‘primitive’ forms of digital stalking are the ones he sees most often.

At WWP EN, we consider it key to focus on tech-facilitated abuse to ensure victim safety. Elena Gajotto adds: “Around half of the men share their digital violence, without realizing that this is abuse. If we don’t explicitly focus on this violence in our work with perpetrators, it doesn’t come up.” Therefore, there is a need to increase the capacity of professionals working with perpetrators and professionals working with victims of domestic violence to screen for and intervene in cases of digital violence. As Daniel Antunovic adds: “We haven’t encountered as many cases of digital violence as I expected since COVID-19. However, technology-facilitated abuse is in some ways like sexualized violence. It happens a lot, but it remains hidden.”

There is a growing rate of “smart devices” used in intimate partner violence – Toby Shulruff, Tech Safety Project Manager at NNEDV

NNEDVs Safety Net Project focuses on the intersection of technology, privacy, confidentiality, and innovation, as it relates to safety and abuse by advocating for policies, educating and training advocates and professionals in the justice system, and working with communities, agencies, and technology companies to respond to technology abuse, support survivors in their use of tech, and harness tech to improve services.

While stalkerware is a common concern, there are many other tools available for tech abuse that may appear to be stalkerware, but are not. For example, personal information available online and the everyday features of devices and accounts can be used to find a person’s location or track their activity. The complexity and connections between devices, accounts, and information on the internet can make it difficult for victims and those who work with them to assess what’s happening, and to implement an effective response. It can be terrifying and overwhelming for a survivor to realize an abuser knows multiple details about their everyday lives.

Unfortunately, there is a growing rate of “smart” devices— including home assistants, connected appliances, and security systems connected to WiFi networks and smartphones—used in intimate partner violence.

In a survey conducted by the NNEDV in December 2020 and January 2021, responses revealed an increase in every type of tech abuse during the pandemic. While phones are the technology most often misused, NNEDV’s needs assessment shows this to be the case 87% of the time, “smart” or connected devices were also identified as technologies that are increasingly misused in the context of tech abuse, seen regularly by about a third of support professionals.

As more people adopt the use of IoT devices, this will likely grow. These products are intended to increase convenience and efficiency. The manufacture of IoT devices is a rapidly emerging global market with both larger, well-established players as well as many smaller, newer companies^[2]. IoT is made possible by several overlapping trends in technology: miniaturization, increased processing capacity, increased data storage, decreased cost of manufacturing, and connectivity.

Due to a variety of factors – market pressures, the rapid emergence of the technology, and the complexity of the IoT – profound risks to security and privacy are increasingly apparent^[3]. Smart home devices in particular are being misused in the context of intimate partner violence to control, threaten, and cause harm to victims. [Researchers at the Gender + IoT project at University College London^[4] have been exploring these harms] [and proposing remedies in partnership with support professionals in the field.]

NNEDV’s recent needs assessment documented increases in tech abuse tactics throughout the pandemic. We are concerned that as we emerge from this public health crisis, abusers who have adopted these tactics or have increased their misuse of technology during this time will not have any incentive to discontinue this form of abuse. Recent research^[5] suggests support professionals should ask about all kinds of tech abuse, including stalkerware and smart home devices. There is a strong likelihood the spike in tech abuse support professionals have seen will stay with us. It’s imperative we continue to support victims, and work to prevent technology abuse.

How Kaspersky and its partners are collaborating to fight stalkerware

The threat of stalkerware is not just a technical problem: all parts of society need to be involved in resolving the issue. For the past few years, Kaspersky has been at the forefront of the stalkerware debate. We are reaching out to public and private stakeholders to better understand this issue and find common solutions. We are contributing to the development of training materials and practical tools to support non-profit organizations, corporations, institutions and individuals with developing resilience to stalkerware. We are organizing and participating in webinars and roundtables with institutions to share our voices and contribute to discussions that will shape tomorrow’s legislation.

Kaspersky is one of the co-founders and drivers of the Coalition Against Stalkerware (CAS) – an international working group dedicated to tackling stalkerware and combating domestic violence. The Coalition brings together organizations that work with victims and abusers, digital activists and cybersecurity vendors. It is a unique platform that enables all relevant stakeholders to share best practices and join forces to tackle the issue of stalkerware.

Kaspersky is also one of the partners of the DeStalk project. Funded by the European Commission, this research project aims to develop a strategy to train and support professionals working in victims support services and perpetrator programmes, officers of institutions and local governments along with other relevant groups. The consortium plans to upgrade and test existing tools for practitioners and is developing a regional pilot awareness campaign in Italy.

In 2021, we teamed up with INTERPOL and two respected non-profit organizations from the US and Australia to provide law enforcement officials with two online training sessions. These courses were attended by over 210 participants from around the world.

At the end of 2021, Kaspersky also participated in an event, “Combating violence against women in a digital age – utilising the Istanbul Convention”, organized by the Council of Europe. This event was an opportunity to discuss the recommendations of the Group of Experts on combating violence against women and domestic violence (GREVIO).

TinyCheck: a tool to support victims of domestic violence

Kaspersky’s work with the TinyCheck tool is an initiative worth highlighting. It is a free, open-source tool developed and supported by Kaspersky. Initially created to help NPOs protect victims of domestic violence and their privacy, TinyCheck facilitates the detection of stalkerware on victims’ devices and on any OS in a simple, quick and non-invasive way without making the perpetrator aware. While security solutions can also check for and alert about stalkerware, they need to be installed on the device, so there is a risk of the perpetrator also being alerted. Developments like the TinyCheck tool aim to ensure that survivors can use their devices without concerns about being surveilled.

With TinyCheck, no application needs to be installed on the device to perform the check, and the results of the check are not displayed on or transmitted to the potentially infected device. In addition, TinyCheck allows victims to check any device regardless of whether it uses iOS, Android or another OS. These features address the two major issues in the fight to protect users against stalkerware. The tool has been developed to run on a Raspberry Pi, using a regular Wi-Fi connection. TinyCheck quickly analyzes a mobile device’s outgoing traffic and identifies Indicators of Compromise (IOCs), such as interactions with known malicious sources like stalkerware-related servers. Currently, the tool uses IOCs collected not only by Kaspersky researchers but also by repositories maintained by independent security researchers (special thanks to Etienne Maynier, also known as Tek, from Echap and Cian Heasley). We hope that the community will continue this work by keeping IOCs up-to-date.

Having said that, the limitations of TinyCheck need to be understood. The tool should be used with the following warning in mind: IOCs do not provide complete real-time detection of all stalkerware apps like an IT Security solution does. Therefore, a result detecting no stalkerware does not exclude the possibility that stalkerware has been installed but not detected by TinyCheck.

In 2021, more NPOs in the field of domestic violence tested TinyCheck and provided feedback to help improve the service. Police forces and judicial bodies in several countries have also taken an interest in the tool to better support victims.

2021 has seen positive developments on the regulatory and institutional fronts

Across the world, 2021 has seen some positive developments in the fight against stalkerware from a regulatory and institutional point of view. In May 2021, the Diet, Japan’s parliament, enacted a bill to amend their stalker regulation law. Under the revised law, in addition to other stipulations, obtaining location information of people’s smartphones through apps without their authorization is now illegal.

In August 2021, the Federal Trade Commission in the United States barred one app maker from offering stalkerware. It was the first ban of its kind.

On August 17, 2021, the German Bundestag passed the “Act to Amend the Criminal Code – More Effective Combating of Stalking and Better Coverage of Cyberstalking” (translated from German). The new law entered into force on October 1, 2021, and now includes cyberstalking in their catalog of offenses. The change is because of continued technological progress and the associated increase in cyberstalking, particularly via stalking apps or stalkerware. In addition, an important part of the new law is that it classifies a case as serious if the offender “in the course of an offense, uses a computer program whose purpose is the digital spying on other persons.”

The Council of Europe has been very active on this topic in 2021. In its first recommendation on the “digital dimension” of violence against women, the Council of Europe’s Group of Experts on Action against Violence against Women and Domestic Violence (GREVIO) defines and outlines the problems of both gender-based violence against women committed online and technology-enabled attacks against women, such as legally obtainable tracking devices that enable perpetrators to stalk their victims. This was shortly followed in December 2021 by a legislative initiative report on gender-based cyberviolence that was adopted by the European Parliament. The report calls for (i) a common definition of gender-based cyberviolence and (ii) capacity building for stakeholders. It highlights stalkerware among the key methods of cyberviolence and “dismisses the notion that stalkerware applications can be considered parental control applications”. Following the general recommendations of the Council of Europe, this report, although non-binding, is another positive official document highlighting the stalkerware issue and pushing European states to adapt their legislations and actions to counter the issue. Finally, on March 8^th, 2022, the European Commission published a proposal for a Directive of the European Parliament and of the Council on combating violence against women and domestic violence. The document covers cyber violence and dedicates two articles to cyber stalking (Art 8) and cyber harassment (Art 9) that it proposes to criminalize.

Think you are a victim of stalkerware? Here are a few tips

Whether or not you are a victim of stalkerware, here are a few tips if you want to better protect yourself:

• Protect your phone with a strong password that you never share with your partner, friends or colleagues
• Change passwords for all of your accounts periodically and don’t share them with anyone
• Only download apps from official sources, such as Google Play or the Apple App Store
• Install a reliable IT security solution like Kaspersky Internet Security for Android on devices and scan them regularly. However, in the case of potentially already installed stalkerware, this should only be done after the risk to the victim has been assessed, as the abuser may notice the use of a cybersecurity solution.

Victims of stalkerware may be victims of a larger cycle of abuse, including physical. In some cases, the perpetrator is notified if their victim performs a device scan or removes a stalkerware app. If this happens, it can lead to an escalation of the situation and further aggression. This is why it is important to proceed with caution if you think you are being targeted by stalkerware.

• Reach out to a local support organization: to find one close to you, check the Coalition Against Stalkerware website.
• Keep an eye out for the following warning signs: these can include a fast-draining battery due to unknown or suspicious apps using up its charge and newly-installed applications with suspicious access to use and track your location, send or receive text messages and other personal activities. Also check if your “unknown sources” setting is enabled, it may be a sign that unwanted software has been installed from a third party source. It is important to note that the above signs are only symptoms of possible stalkerware installation, not a definitive indication.
• Do not try to erase the stalkerware, change any settings or tamper with your phone: this may alert your potential perpetrator and lead to an escalation of the situation. You also risk erasing important data or evidence that could be used in a prosecution.

^[1] https://www.pwc.com/us/en/industries/consumer-markets/library/covid-19-consumer-behavior-survey.html; https://www.mckinsey.com/~/media/mckinsey/industries/retail/our%20insights/how%20covid%2019%20is%20changing%20consumer%20behavior%20now%20and%20forever/how-covid-19-is-changing-consumer-behaviornow-and-forever.pdf;

^[2] Internet Society. (2015). The Internet of Things: An overview. https://www.internetsociety.org/wp-content/uploads/2017/08/ISOC-IoT-Overview-20151221-en.pdf or https://www.internetsociety.org/iot/

^[3] Internet Society. (2015). The Internet of Things: An overview. https://www.internetsociety.org/wp-content/uploads/2017/08/ISOC-IoT-Overview-20151221-en.pdf or https://www.internetsociety.org/iot/

^[4] Tanczer, L., Neira, I. L., Parkin, S., Patel, T., & Danezis, G. (2018). The rise of the Internet of Things and implications for technology-facilitated abuse. University College London.

^[5] Freed, D., Palmer, J., Minchala, D., Levy, K., Ristenpart, T., & Dell, N. (2017). Digital technologies and intimate partner violence: A qualitative analysis with multiple stakeholders. Proceedings of the ACM on human-computer interaction, 1(CSCW), p.1-22.