- Phishing -
Last update 09.10.2017 13:16:51
| Date | Title | Category | Source |
| --- | --- | --- | --- |
| | No Smoking Gun Tying Russia to Spear-Phishing Attack, Microsoft Says | Phishing | Securityweek |
| | Phishing Campaign Delivers FlawedAmmyy, RMS RATs | Phishing | Securityweek |
| 26.11.18 | Very trivial Spotify phishing campaign uncovered by experts | Phishing | Securityaffairs |
| 19.11.18 | Hacking Gmail’s UX with from fields for phishing attacks | Phishing | PBWCZ.CZ |
| 16.11.18 | Report Shows Increase in Email Attacks Using .com File Extensions | Phishing | PBWCZ.CZ |
| 7.11.18 | Spam and phishing in Q3 2018 | Phishing | PBWCZ.CZ |
| 30.10.18 | AI-Facilitated Product Aims to Stop Spear-Phishing Attacks | Phishing | PBWCZ.CZ |
| 26.10.18 | Phishing for knowledge | Phishing | PBWCZ.CZ |
| 18.8.18 | Spam and phishing in Q2 2018 | Analysis, Spam, Phishing | PBWCZ.CZ |
PhishPoint Phishing Attack – A new technique to Bypass Microsoft Office 365 Protections
16.8.18 securityweek Attack Phishing
Security experts from the cloud security firm Avanan have discovered a new technique dubbed PhishPoint, that was used by hackers to bypass Microsoft Office 365 protections.
PhishPoint is a SharePoint-based phishing attack that affected an estimated 10% of Office 365 users over the preceding two weeks.
The experts warn that the technique has already been used by scammers and crooks to bypass the Advanced Threat Protection (ATP) mechanism implemented in Microsoft Office 365, one of the most popular email services.
“Over the past two weeks, we detected (and blocked) a new phishing attack that affected about 10% of Avanan’s Office 365 customers. We estimate this percentage applies to Office 365 globally. PhishPoint marks an evolution in phishing attacks, where hackers go beyond just email and use SharePoint to harvest end-users’ credentials for Office 365.” reads the analysis published by Avanan.
“Essentially, hackers are using SharePoint files to host phishing links. By inserting the malicious link into a SharePoint file rather than the email itself, hackers bypass Office 365 built-in security.”
In a PhishPoint attack scenario, the victim receives an email containing a link to a SharePoint document. The content of the message is identical to a standard SharePoint invitation to collaborate.
Once the user clicks the hyperlink in the fake invitation, the browser opens a genuine SharePoint file.
The SharePoint file impersonates a standard access request for a OneDrive file, with an “Access Document” hyperlink that is actually a malicious URL redirecting the victim to a spoofed Office 365 login screen.
This landing page asks the victim for their login credentials.
Experts highlighted that Microsoft’s protection mechanisms scan the body of an email, including the links in it, but since the URL points to an actual SharePoint document, the protections fail to identify the threat.
“To protect against potential threats, Office 365 scans links in email bodies to look for blacklisted or suspicious domains. Since the link in the email leads to an actual SharePoint document, Microsoft did not identify it as a threat,” the researchers said. “The crux of this attack is that Microsoft link-scanning only goes one level deep, scanning the links in the email body, but not within files hosted on their other services, such as SharePoint. In order to identify this threat, Microsoft would have to scan links within shared documents for phishing URLs. This presents a clear vulnerability that hackers have taken advantage of to propagate phishing attacks.”
The problem is that Microsoft cannot simply blacklist the link: the document lives on a legitimate SharePoint host, and any individual document URL that gets blocked can be replaced by the attackers at no cost.
“Even if Microsoft were to scan links within files, they would face another challenge: they could not blacklist the URL without blacklisting links to all SharePoint files. If they blacklisted the full URL of the Sharepoint file, the hackers could easily create a new URL.”
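As an added example, not Avanan’s or Microsoft’s code, the Python script below shows what closing the one-level gap looks like: the scanner follows the body link and, when it lands on a trusted SharePoint/OneDrive host, also extracts and inspects the links inside that document. The fetcher, hostnames and page contents are constructed so the script runs offline, and the trusted-host allowlist and the “login bait” word list are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a naive one-level scanner treats as safe; PhishPoint hides the real
# phishing link inside a document hosted on one of them.
TRUSTED_HOSTS = {"sharepoint.com", "onedrive.live.com"}
# Hosts that legitimately serve Office 365 sign-in pages (assumption for the example).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Wording that, on any other host, suggests a spoofed login page.
LOGIN_BAIT = ("office 365", "sign in", "access document", "password")


class LinkExtractor(HTMLParser):
    """Collects href targets and the text nodes of an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_data(self, data):
        self.text.append(data)


def extract(html):
    """Return (links, lower-cased text) for an HTML fragment."""
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links, " ".join(parser.text).lower()


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def scan_email(body_html, fetch, depth=2):
    """Return (url, level, reason) findings. depth=1 is the one-level scan that
    PhishPoint defeats; depth=2 also follows links found inside trusted documents."""
    findings, seen = [], set()
    queue = [(url, 1) for url in extract(body_html)[0]]
    while queue:
        url, level = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        host = host_of(url)
        if host in LEGIT_LOGIN_HOSTS:
            continue  # the real Microsoft sign-in page, nothing to chase
        page_links, page_text = extract(fetch(url))
        if is_trusted_host(host):
            # A one-level scanner stops here; going one level deeper is the fix.
            if level < depth:
                queue.extend((link, level + 1) for link in page_links)
            continue
        bait = [w for w in LOGIN_BAIT if w in page_text]
        if bait:
            findings.append((url, level, "login wording on non-Microsoft host: " + ", ".join(bait)))
    return findings


# Constructed sample: a SharePoint-style invitation whose document carries the
# real phishing link. All hostnames, paths and page contents are made up.
SAMPLE_EMAIL = (
    '<p>Jane Doe shared "Invoice.pdf" with you.</p>'
    '<a href="https://contoso.sharepoint.com/sites/hr/Shared%20Documents/Invoice.pdf">Open</a>'
)
FAKE_PAGES = {
    "https://contoso.sharepoint.com/sites/hr/Shared%20Documents/Invoice.pdf":
        '<p>You have been granted access to a OneDrive file.</p>'
        '<a href="https://office365-secure-login.example/login">Access Document</a>',
    "https://office365-secure-login.example/login":
        "<h1>Office 365</h1><p>Sign in with your password to continue</p>",
}


def fake_fetch(url):
    """Offline stand-in for an HTTP fetch; a real scanner would use a sandboxed client."""
    return FAKE_PAGES.get(url, "")


if __name__ == "__main__":
    print("one level :", scan_email(SAMPLE_EMAIL, fake_fetch, depth=1))
    print("two levels:", scan_email(SAMPLE_EMAIL, fake_fetch, depth=2))
```

With `depth=1` the constructed invitation produces no finding, because the only link in the body points at a trusted host; with `depth=2` the “Access Document” link inside the document is followed and the spoofed sign-in page is reported. It also illustrates why blacklisting the SharePoint URL would not help: the reportable URL is the second-level one, which the attacker can rotate without touching the trusted first hop.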
Experts recommend being suspicious of URLs in the email body when the subject line uses wording such as URGENT or ACTION REQUIRED.
Whenever a login page is displayed, double-check the address bar in the web browser to verify that the page is served from a legitimate domain, and of course always use two-factor authentication (2FA).
If you are interested in other attack techniques discovered in the last months by Avanan give a look at the post titled “Five Techniques to Bypass Office 365 Protections Used in Real Phishing Campaigns”
DarkHydrus Uses Open Source Phishery Tool in Middle-East Attacks
9.8.18 securityweek Phishing
The recently detailed DarkHydrus threat group is leveraging the open-source Phishery tool to create malicious documents used in attacks on government entities in the Middle East, Palo Alto Networks warns.
Just weeks ago, the security firm revealed that the actor is employing numerous free or open-source utilities for their malicious purposes. They have leveraged tools such as Meterpreter, Mimikatz, PowerShellEmpire, Veil, and CobaltStrike, as well as a PowerShell-based backdoor called RogueRobin.
With a focus on credential harvesting, the attackers employ spear-phishing emails to deliver malicious Office documents and use infrastructure dating back to fall 2017.
The malicious documents, which use the attachedTemplate technique, load a template from a remote, attacker-controlled location to prompt users to provide login credentials. The login information is then sent to the attacker’s server.
Last year, the FBI and the DHS issued a joint report warning of cyber-attacks targeting energy facilities in the U.S. and elsewhere and leveraging the same template injection technique. Those attacks, however, were attributed to a different actor.
Palo Alto Networks’ security researchers believe that DarkHydrus used the open-source Phishery tool to create two of the Word documents observed in the credential harvesting attacks.
One of these attacks was observed on June 24, 2018, targeting an educational institution in the Middle East. The subdomain (of the attacker-controlled 0utl00k[.]net) used in this incident mirrored the domain of the targeted institution, which made the malicious document and the authentication request look credible.
The security researchers discovered additional documents that employed the same malicious domain for credential harvesting and say that the malicious campaign has been ongoing for almost a year.
Previously, Palo Alto Networks uncovered additional domains the threat actor has been using in assaults, including anyconnect[.]stream, Bigip[.]stream, Fortiweb[.]download, Kaspersky[.]science, microtik[.]stream, owa365[.]bid, symanteclive[.]download, and windowsdefender[.]win.
The RogueRobin backdoor, the security firm says, can determine whether it runs in a sandbox. It provides attackers with various remote administration capabilities, including file upload, PowerShell command execution, DNS queries, download of content from the command and control (C&C) server, and the addition of PowerShell modules to the script.
The researchers were able to confirm that the Phishery tool was used to create the DarkHydrus documents. The open-source utility allows for the injection of remote template URLs into Word documents and is also capable of hosting a C&C server to gather the user-provided credentials.
“We discovered DarkHydrus carrying out credential harvesting attacks that use weaponized Word documents, which they delivered via spear-phishing emails to entities within government and educational institutions. This threat group not only used the Phishery tool to create these malicious Word documents, but also to host the C2 server to harvest credentials,” Palo Alto Networks concluded.
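Added example, not Palo Alto Networks’ or Phishery’s code: a check for the attachedTemplate injection described above. The relationship that points Word at a remote template lives in `word/_rels/settings.xml.rels` inside the .docx package, with `TargetMode="External"`; on open, Word fetches that target, which is how the attacker’s server gets to present an authentication prompt. The function below opens a .docx as a zip and reports any attachedTemplate relationship whose target is a network location (http(s) or UNC), while leaving local `file:` templates alone. The minimal package builder and the URL it embeds are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def external_templates(docx_bytes):
    """All attachedTemplate relationship targets marked TargetMode="External"."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return targets
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode", "Internal").lower() == "external"):
                targets.append(rel.get("Target", ""))
    return targets


def is_remote(target):
    """True for http(s) URLs or UNC paths, which Word resolves over the network."""
    scheme = urlparse(target).scheme.lower()
    return scheme in ("http", "https") or target.startswith("\\\\")


def remote_templates(docx_bytes):
    """The subset of external templates that would trigger a network fetch on open."""
    return [t for t in external_templates(docx_bytes) if is_remote(t)]


def build_docx(template_target=None):
    """Constructed minimal package containing only the parts the check inspects
    (not a complete Word file). With template_target set it mimics what a
    Phishery-style injection leaves behind."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="%s"><w:body/></w:document>' % w_ns)
        if template_target is None:
            z.writestr("word/settings.xml", '<w:settings xmlns:w="%s"/>' % w_ns)
        else:
            z.writestr("word/settings.xml",
                       '<w:settings xmlns:w="%s" xmlns:r="%s">'
                       '<w:attachedTemplate r:id="rId1"/></w:settings>' % (w_ns, r_ns))
            z.writestr(SETTINGS_RELS,
                       '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                       'Target="%s" TargetMode="External"/></Relationships>'
                       % (REL_NS, ATTACHED_TEMPLATE, template_target))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed hostname; not an indicator from the report.
    suspicious = build_docx("http://template-host.example/word.dotx")
    print("remote templates:", remote_templates(suspicious))
    print("clean document :", remote_templates(build_docx()))
```

To triage a real attachment, pass the file’s bytes to `remote_templates`; an empty list means no network-fetched template, and a local `file:///...Normal.dotm` target is reported by `external_templates` but not by `remote_templates`, which keeps ordinary corporate templates from tripping the check.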
Industrial Sector targeted in surgical spear-phishing attacks
3.8.18 securityaffairs Phishing
Industrial sector hit by a surgical spear-phishing campaign aimed at installing legitimate remote administration software on victims’ machines.
Attackers carried out a spear-phishing campaign against entities in the industrial sector; messages disguised as commercial offers were used to deliver legitimate remote administration software (TeamViewer or Remote Manipulator System/Remote Utilities (RMS)) to victims’ systems.
Attackers personalized the content of each phishing email reflecting the activity of the target organization and the type of work performed by the employee to whom the email is sent.
The campaign was discovered by experts from Kaspersky Lab who speculate the attackers are financially motivated.
“Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.” reads the blog post published by Kaspersky.
“According to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts,”
Once the attackers have gained access to the victim’s system they will search for any purchase documents, as well as the financial and accounting software. Then the crooks look for various ways in which they can monetize their effort, for example, by spoofing the bank details used to make payments.
According to Kaspersky, there was a spike in the number of spear phishing messages in November 2017 that targeted up to 400 industrial companies located in Russia.
The spear-phishing campaign is still ongoing; the messages purport to be invitations to tender from large industrial companies.
The quality of the phishing messages suggests the attackers have spent a significant effort in the reconnaissance phase.
“It is worth noting that the attackers addressed an employee of the company under attack by his or her full name,” state the researchers. “This indicates that the attack was carefully prepared and an individual email that included details relevant to the specific organization was created for each victim.”
The attackers used both malicious attachments and links to external resources that are used to download the malicious code.
“Malicious files can be run either by an executable file attached to an email or by a specially crafted script for the Windows command interpreter,” the researchers state.
“For example, the archive mentioned above contains an executable file, which has the same name and is a password-protected self-extracting archive. The archive extracts the files and runs a script that installs and launches the actual malware in the system.”
For both remote administration tools, TeamViewer and Remote Manipulator System/Remote Utilities (RMS), the attackers used DLL hijacking: the legitimate program is made to load a malicious library in place of a system DLL, so the attackers’ code runs inside a trusted process.
The library substituted is winspool.drv, a system file that normally lives in the system folder and is used to send documents to the printer.
The malicious winspool.drv decrypts the attackers’ configuration files, including the software settings and the password for remotely controlling the target machine.
In the case of RMS, one of the configuration files includes the email address used by the attacker to receive the information (i.e. computer name, username and the RMS machine’s internet ID) about the infected system.
In the TeamViewer case, the configuration file decrypted by the malicious library contains various parameters, including the password used for remotely controlling the system and the URL of the attackers’ command-and-control server, to which the collected system information is sent.
“After launching, the malicious library checks whether an internet connection is available by executing the command “ping 126.96.36.199” and then decrypts the malicious program’s configuration file tvr.cfg. The file contains various parameters, such as the password used for remotely controlling the system, URL of the attackers’ command-and-control server, parameters of the service under whose name TeamViewer will be installed, the User-Agent field of the HTTP header used in requests sent to the command-and-control server, VPN parameters for TeamViewer, etc.” continues the analysis.
“Unlike RMS, Team Viewer uses a built-in VPN to remotely control a computer located behind NAT.”
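Added example, not Kaspersky’s code: why dropping a fake winspool.drv beside a legitimate TeamViewer or RMS binary works, and how to hunt for it. A DLL that is not on the KnownDLLs list is resolved by searching the application’s own directory before the system directory, so a same-named library next to the executable wins; winspool.drv is not a KnownDLL on a default install, which is what makes it a usable target. The functions below replay that (simplified) search order over a constructed file inventory and flag any winspool.drv that would be loaded from outside System32 and does not match the system copy. All paths and hashes are constructed.

```python
import hashlib
import ntpath

SYSTEM_DIR = r"c:\windows\system32"
# Abbreviated stand-in for the KnownDLLs list (read on a real host from
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs). Entries
# here are always mapped from the system directory; winspool.drv is not one.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll", "ntdll.dll"}


def resolve_dll(app_dir, dll_name, present, system_dir=SYSTEM_DIR):
    """Path the loader would pick for dll_name when the executable lives in
    app_dir. `present` is the set of existing file paths (lower-case).
    Simplified SafeDllSearchMode order: KnownDLLs, app dir, system dir."""
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return ntpath.join(system_dir, name)
    for directory in (app_dir.lower(), system_dir):   # application directory first
        candidate = ntpath.join(directory, name)
        if candidate in present:
            return candidate
    return None


def sideload_findings(inventory, executables, dll_names=("winspool.drv",),
                      system_dir=SYSTEM_DIR):
    """inventory: {lower-case path: sha256 hex}; executables: exe paths to check.
    Returns (exe, dll_path) pairs where the DLL resolves outside the system
    directory and its hash differs from the system copy."""
    present = set(inventory)
    findings = []
    for exe in executables:
        app_dir = ntpath.dirname(exe.lower())
        for dll in dll_names:
            loaded = resolve_dll(app_dir, dll, present, system_dir)
            if loaded is None or loaded.startswith(system_dir):
                continue  # genuine system copy (or nothing) would be loaded
            system_copy = ntpath.join(system_dir, dll)
            if inventory.get(loaded) != inventory.get(system_copy):
                findings.append((exe, loaded))
    return findings


def fake_hash(label):
    """Constructed stand-in for the SHA-256 of a file's contents."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed inventory: a normal TeamViewer install and a second copy dropped
# into a user-writable folder together with a same-named winspool.drv.
SAMPLE_INVENTORY = {
    r"c:\windows\system32\winspool.drv": fake_hash("genuine winspool.drv"),
    r"c:\program files\teamviewer\teamviewer.exe": fake_hash("teamviewer"),
    r"c:\users\public\tvupdate\teamviewer.exe": fake_hash("teamviewer"),
    r"c:\users\public\tvupdate\winspool.drv": fake_hash("malicious loader"),
}
SAMPLE_EXES = [
    r"c:\program files\teamviewer\teamviewer.exe",
    r"c:\users\public\tvupdate\teamviewer.exe",
]

if __name__ == "__main__":
    for exe, dll in sideload_findings(SAMPLE_INVENTORY, SAMPLE_EXES):
        print("side-loaded DLL:", exe, "->", dll)
```

On a real host the inventory would come from a file walk plus hashing, and the second TeamViewer copy in the sample stands in for the “service under whose name TeamViewer will be installed” from the Kaspersky write-up; only the copy with a neighbouring, non-matching winspool.drv is reported.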
Kaspersky highlighted that the industrial sector is becoming a favoured target for crooks, who are able to make a profit even with simple techniques and known malware.
The use of legitimate remote administration software gives the crooks full control of compromised systems while avoiding detection.
“This choice on the part of the cybercriminals could be explained by the fact that the threat-awareness and cybersecurity culture in industrial companies is inferior to that in companies from other sectors of the economy (such as banks or IT companies),” Kaspersky concludes.
Phishing Campaign Targets 400 Industrial Organizations
3.8.18 securityweek Phishing
A new wave of spear-phishing emails masquerading as legitimate procurement and accounting letters has hit over 400 industrial organizations, according to Kaspersky Lab.
Data collected by Kaspersky showed that the malware associated with the campaign attacked nearly 800 company PCs across various industries. The attacks, which are ongoing, attempt to steal money and confidential data from the targeted organizations, which range from oil and gas to metallurgy, energy, construction and logistics.
The spear-phishing emails, Kaspersky’s security researchers discovered, are tailored with “content that corresponded to the profile of the attacked organizations and took into account the identity of the employee – the recipient of the letter.”
“This suggests that the attacks were carefully prepared and that criminals took the time to develop an individual letter for each user,” the researchers say.
The emails either contain malicious attachments designed to silently install modified legitimate software onto the victim’s machine, such as TeamViewer or Remote Manipulator System/Remote Utilities (RMS), or try to trick victims into following external links and downloading malicious objects from there.
Analysis of the attacks has revealed the use of various techniques to mask the presence of malware on the system. Incidents involving RMS software relied on exfiltrating data over email, while those abusing legitimate TeamViewer software sent the data directly to a command and control (C&C) server.
The main goal of these attacks is to steal money from the victim organizations’ accounts. After gaining access to a victim’s system and gathering the required information by accessing documents and financial and accounting software, the attackers engage in various financial fraud operations, such as spoofing the bank details used to make payments.
When needed, the attackers would also upload additional malware onto the compromised machines, specifically crafted for each attack. They have been using spyware, remote administration tools to expand their control over the infected systems, Mimikatz, and malware to exploit different vulnerabilities in the operating system.
Some of the malicious programs found on compromised machines include the Babylon RAT, Betabot/Neurevt, AZORult stealer and Hallaj PRO Rat families. These allowed attackers to log keystrokes, take screenshots, collect system information, download additional malware, steal passwords and crypto-currency wallets, intercept traffic, and conduct distributed denial of service (DDoS) attacks.
In some attacks, the remote administration tool called RemoteUtilities was used to remotely control the infected system, transfer files, manage running applications, manage hardware, remote shell, capture screenshots and screen videos, and record audio and video.
While the attacks did not appear to concentrate on companies in a specific industry or sector, the actors did focus on compromising systems belonging to industrial companies. Furthermore, most of the organizations that were hit are located in Russia, Kaspersky said.
“The attackers demonstrated a clear interest in targeting industrial companies in Russia. Based on our experiences, this is likely to be due to the fact that their level of cybersecurity awareness is not as high as it is in other markets, such as financial services. That makes industrial companies a lucrative target for cybercriminals – not only in Russia, but across the world,” Vyacheslav Kopeytsev, security expert, Kaspersky Lab, said.
Microsoft uncovered and stopped attempts to launch spear-phishing attacks on three 2018 congressional candidates
20.7.18 securityaffairs Phishing
Microsoft helped the US government protect at least three 2018 midterm election candidates from attacks by Russian cyberspies.
Microsoft revealed that Russian cyberspies attempted to hack at least three 2018 midterm election candidates and that it helped the US government repel the attacks.
A Microsoft executive speaking at the Aspen Security Forum revealed the hacking attempts against at least three unnamed congressional candidates; all the attacks were detected this year.
The company executive only added that the three candidates were “people who, because of their positions, might have been interesting targets from an espionage standpoint as well as an election disruption standpoint.”
The hackers sent spear-phishing messages to the candidates, the messages included links to a fake Microsoft website used by the cyberspies to trick victims into providing their credentials.
“Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks,” said Tom Burt, Microsoft’s vice president for customer security.
“And we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for election in the midterm elections.”
Once Microsoft discovered the phishing website, it took the site down and helped the US government to “avoid anybody being infected by that particular attack.”
Microsoft blamed the Russian APT28 group for the attacks.
We “discovered that the [fake domains] were being registered by an activity group that at Microsoft we call Strontium…that’s known as Fancy Bear or APT 28,” Burt explained.
“The consensus of the threat intelligence community right now is [that] we do not see the same level of activity by the Russian activity groups leading into the mid-year elections that we could see when we look back at them at that 2016 elections,”
Burt compared the recent activity with the hacking campaign conducted to interfere with the 2016 presidential election, pointing out that, unlike in 2016, the 2018 attacks did not target the think tanks and academic experts that were hit during the 2016 presidential campaign.
“That does not mean we’re not going to see it, there is a lot of time left before the election.” Burt added.
Trezor users targeted by phishing attacks, experts blame DNS Poisoning or BGP Hijacking
2.7.18 securityaffairs Phishing
The maintainers of the Trezor multi-cryptocurrency wallet service reported a phishing attack against some of its users that occurred during the weekend.
@TREZOR (1 July 2018): “More details will be published soon in the form of a blog post.”
A user (Carsten), replying to @TREZOR (1:13 PM, 1 July 2018): “I had some issues yesterday, when accessing your site. It seems to be related with DNS. Is http://beta-wallet.trezor.io legit?”
The attack appears more complex than a simple phishing campaign: the attackers may have used DNS poisoning or BGP hijacking to redirect users to a rogue site that mimics the legitimate one.
“The signs point toward DNS poisoning or BGP hijacking,” explains the Trezor team.
Hackers redirected legitimate traffic for the official wallet.trezor.io domain to a rogue copy of the website.
The team launched an investigation to shed light on the attack. The incident was spotted after users reported an HTTPS certificate error when landing on the web wallet portal.
The error alerted the users: a certificate warning on a familiar site suggests that the page being served is a rogue one posing as the legitimate site.
The users quickly reported the anomaly to the maintainers, who confirmed the phishing attack and published a security advisory to warn users.
“Late night yesterday, our Support Team started receiving inquiries about an invalid SSL certificate, which serves as a stamp of authenticity of our web services. This can happen for a few reasons, some of which are less serious. Unfortunately, after investigating these reports closer, we found out that the invalid certificate warning appeared because of phishing attempts against Trezor users.” reads the security advisory.
“The fake Trezor Wallet website was served to some users who attempted to access wallet.trezor.io — the legitimate address. We do not yet know which attack vector was used, but the signs point toward DNS poisoning or BGP hijacking.”
The company also reported two other issues for the bogus website:
The first issue was an error message, different from anything on the original Trezor site, telling users that syncing data between their Trezor hardware wallet and their Trezor web account had failed.
The second issue was that the fake website asked users to enter a copy of their “recovery seed”; Trezor warns that users should never enter the recovery seed on a PC or in an app. Anyone who obtains the recovery seed can take over the wallet and its funds.
The company took down the malicious website with the support of the hosting provider.
@TREZOR (5:43 PM, 1 July 2018), linking to the advisory “[PSA] Phishing Alert: Fake Trezor Wallet website” (https://blog.trezor.io/psa-phishing-alert-fake-trezor-wallet-website-3bcfdfc3eced): “At this moment, the fake Wallet has been taken down by the hosting provider. However, you should remain vigilant and report all suspicious sites. It is possible that this attack method will be used repeatedly in the future.”
At the time of writing it was not clear whether the attackers had stolen any user funds.
Let’s close with suggestions provided by the company:
So how should I recognize the original Trezor Wallet?
Look for the “Secure” sign in your browser’s address bar. If the certificate is invalid, your browser will warn you, and you should heed the warning. (Make sure you are accessing the correct URL: wallet.trezor.io)
Always verify all operations on your Trezor device. You should only trust the device display and what is written on it. For other sources of information, always maintain a healthy amount of skepticism.
Thirdly, never divulge sensitive or private data to anyone. This includes us at SatoshiLabs. We will never ask you for your recovery seed. Wallet will never ask you for your recovery seed. Only your device may, but it will do so securely.
ZeroFont phishing attack can bypass Office 365 protections
21.6.18 securityaffairs Phishing
ZeroFont phishing attack – Crooks are using a new technique that involves manipulating font sizes to bypass Office 365 protections.
According to cloud security firm Avanan, one of the detection mechanisms in Office 365 involves natural language processing to identify the content of the messages typically used in malicious emails.
For example, an email including the words “Apple” or “Microsoft” that are not sent from legitimate domains, or messages referencing user accounts, password resets or financial requests are flagged as malicious.
Experts from Avanan discovered phishing campaigns using emails in which part of the content is set to be displayed with a zero-size font using <span style=”FONT-SIZE: 0px”>; for this reason they dubbed the technique ZeroFont.
“Recently, we have been seeing a number of phishing attacks using a simple strategy to get their blatant email spoofs past Microsoft’s phishing scans. The tactic, which we are calling ZeroFont, involves inserting hidden words with a font size of zero that are invisible to the recipient in order to fool Microsoft’s natural language processing.” reads the analysis published by Avanan.
The email looks normal to the recipient, but Microsoft’s filters parse the full HTML text, including the characters set to font size 0.
In Avanan’s screenshots (not reproduced here), the user sees classic phishing wording, while the filter sees the same text with the zero-size words interleaved; that version no longer reads as malicious content.
“Microsoft can not identify this as a spoofing email because it cannot see the word ‘Microsoft’ in the un-emulated version. Essentially, the ZeroFont attack makes it possible to display one message to the anti-phishing filters and another to the end user,” Avanan’s Yoav Nathaniel said in a blog post.
Natural language processing is essential to prevent phishing attacks, but a technique like ZeroFont demonstrated that attackers can bypass filters with a trick.
In the past, other techniques were devised to bypass anti-phishing filters, for example, the Punycode phishing attack, the baseStriker phishing attack, the Unicode phishing attack, and the Hexadecimal Escape Characters phishing attack.
Phishers Use 'ZeroFont' Technique to Bypass Office 365 Protections
20.6.18 securityweek Phishing
Cybercriminals have been leveraging a technique that involves manipulating font sizes in an effort to increase the chances of their phishing emails bypassing the protections implemented by Microsoft in Office 365.
According to cloud security company Avanan, one of the phishing protections in Office 365 involves natural language processing in order to identify text typically used in fraudulent or malicious emails.
For instance, researchers say the system flags emails mentioning “Apple” or “Microsoft” but not coming from legitimate domains, or messages referencing user accounts, password resets or financial requests.
In recent attacks spotted by Avanan, cybercriminals sent out phishing emails in which some of the content is set to be displayed with zero-size font using <span style="FONT-SIZE: 0px">. The security firm has dubbed this technique ZeroFont.
The email looks normal to the user, but Microsoft’s filters read the entire text, even the parts displayed with a font size of “0”. In Avanan’s screenshots (not reproduced here), the user sees a normal phishing message, while Microsoft’s systems analyze a version that includes strings invisible to the user because of the "FONT-SIZE: 0px" attribute.
“Microsoft can not identify this as a spoofing email because it cannot see the word ‘Microsoft’ in the un-emulated version. Essentially, the ZeroFont attack makes it possible to display one message to the anti-phishing filters and another to the end user,” Avanan’s Yoav Nathaniel said in a blog post.
Last month, Avanan reported that cybercriminals had been splitting malicious URLs in an effort to bypass the Safe Links security feature in Office 365.
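Added example covering both ZeroFont write-ups above, not Avanan’s or Microsoft’s code: a parser that builds two views of the same HTML, the raw text a naive filter reads and the text the recipient actually sees once zero-size elements are dropped, then flags mail where the two disagree on words the filter cares about. The watch-word list, the samples and the padding strings are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Matches a zero font size in an inline style, with or without a unit
# (e.g. "FONT-SIZE: 0px", "font-size:0", "font-size: 0.0pt !important").
ZERO_FONT = re.compile(
    r"font-size\s*:\s*(?:0+(?:\.0+)?|\.0+)\s*(?:px|pt|em|rem|%)?\s*(?:!important)?\s*(?:;|$)",
    re.IGNORECASE,
)
# Wording an NLP-style filter keys on; ZeroFont splits these words with hidden text.
WATCH_WORDS = ("microsoft", "office 365", "password", "account")


class ZeroFontParser(HTMLParser):
    """Collects the text a raw scan sees (all text nodes) and the text the
    recipient sees (text outside elements styled with a zero font size)."""

    def __init__(self):
        super().__init__()
        self.raw, self.visible = [], []
        self.stack = []          # (tag, opened_hidden_region) for open elements
        self.hidden_depth = 0
        self.zero_font_elements = 0

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        hidden = bool(ZERO_FONT.search(style))
        if hidden:
            self.zero_font_elements += 1
            self.hidden_depth += 1
        self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed inner tags.
        while self.stack:
            open_tag, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if open_tag == tag:
                break

    def handle_data(self, data):
        self.raw.append(data)
        if self.hidden_depth == 0:
            self.visible.append(data)


def _normalize(parts):
    return re.sub(r"\s+", " ", "".join(parts)).strip()


def analyze(html):
    """Return the raw and rendered views plus the count of zero-size elements."""
    p = ZeroFontParser()
    p.feed(html)
    p.close()
    return {"raw": _normalize(p.raw), "visible": _normalize(p.visible),
            "zero_font_elements": p.zero_font_elements}


def classify(html):
    """Flag mail where zero-size elements hide watch words from a raw-text scan."""
    view = analyze(html)
    in_visible = {w for w in WATCH_WORDS if w in view["visible"].lower()}
    in_raw = {w for w in WATCH_WORDS if w in view["raw"].lower()}
    view["hidden_from_filter"] = sorted(in_visible - in_raw)
    view["suspicious"] = view["zero_font_elements"] > 0 and bool(view["hidden_from_filter"])
    return view


# Constructed samples (not Avanan's screenshots): the same message with and
# without ZeroFont padding.
SAMPLE_ZEROFONT = (
    '<p>Mi<span style="FONT-SIZE: 0px">xq</span>crosoft account notice: '
    'your pass<span style="font-size:0px">ab</span>word expires today.</p>'
)
SAMPLE_CLEAN = "<p>Microsoft account notice: your password expires today.</p>"

if __name__ == "__main__":
    for label, html in (("zerofont", SAMPLE_ZEROFONT), ("clean", SAMPLE_CLEAN)):
        print(label, classify(html))
```

Running keyword checks on the `visible` view is what defeats the trick; comparing it with the `raw` view additionally turns the padding itself into an indicator, since legitimate mail rarely uses zero-size text in the middle of a brand name. The same parser extends to `display:none` or `visibility:hidden` padding by adding those patterns to the hidden test.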
Spam and phishing in Q1 2018
27.5.18 Kaspersky Analysis Phishing
Early 2018 will be remembered for a series of data leak scandals. The most high-profile saw Facebook CEO Mark Zuckerberg grilled by US Congress, with many public figures supporting the Delete Facebook campaign. As a result, Zuckerberg promised to get tough and make it more difficult to harvest data from third-party apps.
But the buck doesn’t stop entirely with the tech giants—personal data often ends up in cybercriminal hands due to user carelessness. Some techniques may be timeworn, but one in particular still reels in the victims: Facebook users are one of the juiciest targets for cyberfraudsters looking to launch mass phishing attacks. Last year Facebook was one of the Top 3 most exploited company names. The schemes are numerous, but fairly standard: the user is asked to “verify” an account or lured into signing into a phishing site on the promise of interesting content.
Examples of phishing pages mimicking Facebook login
Fake pages such as these exist in all languages supported by the social media. Sometimes the correct localization is selected automatically based on the victim’s IP address.
Example of code used by cybercriminals to determine the victim’s location and adapt the phishing page
Data often falls into the hands of cybercriminals through third-party apps that users themselves give access to their accounts and sometimes even allow to post messages on their own behalf.
In early March, for instance, several hundred VKontakte users were hit when third parties gained access to their private correspondence. This happened as a result of apps using the social network’s open API to request access to personal data without guaranteeing its safe storage and use.
In the headline-grabbing case of Cambridge Analytica’s This Is Your Digital Life app, users also handed over personal information voluntarily. Carelessness is the culprit: many people are unaware of just how much data they give away in personality quizzes.
Social media quizzes often ask for a lot of user data.
Remember that cybercriminals often use social media to spread malicious content. For example, we wrote about fake airline giveaways, adult video spam, and even an Alberto Suárez phishing petition.
Another major personal data story was the appearance in Russia of the GetContact app for smartphones, which not only tells users who’s calling, but shows the names under which their contacts are saved in other app users’ phone books. For this, the program needs to be fed not just the user’s own data, but the entire address book (photos, email addresses, even conversation history). That earned GetContact a ban in several countries (even before it appeared in Russia).
Telegram, ICOs, cryptocurrencies
In Q1 a battle royale broke out over the Telegram messenger. It all began late last year with talk of an upcoming ICO. That provided the backdrop for cybercriminals to create fake ICO sites, which by the end of Q1 had allegedly raked in as much as the company’s rumored private ICO.
Fake site offering the chance to participate in the Telegram ICO
That was followed by a wave of phishing mailshots to owners of major Russian channels in Telegram. An account under the name Telegram (or something similar) sent a message informing potential victims that suspicious activity had been detected on their account and that confirmation was required to avoid having it blocked. A link was provided to a phishing site masquerading as the login page for the web version of Telegram.
Phishing site mimicking the web version of the Telegram app
If the victim agreed to fill out the form, the cybercriminals gained access to their account, plus the ability to link it to another phone number.
Another spike in scamming activity was recorded when the Internet was buzzing about the imminent takedown of the messenger in Russia. And when the messenger suffered a power outage in a server cluster, it was widely perceived as the start of the ban. Replying to Pavel Durov’s tweet about the malfunction, enterprising cybercriminals offered compensation on his behalf in cryptocurrency. To claim it, users had to follow a link to a site where they were asked to transfer a sum of money to a specified wallet number to receive their “compensation.”
But Telegram does not have a monopoly over the cryptocurrency topic this quarter. We repeatedly encountered phishing sites and email messages exploiting the launch of new ICOs. Cryptocurrency scams often bring in millions of dollars, which explains why cybercriminals are so fond of them.
For instance, on January 31–February 2 the Bee Token startup held an ICO for which participants had to register in advance on the project website, specifying their email address. Cybercriminals managed to get hold of a list of email addresses of potential investors and send out a timely invitation containing e-wallet details for making Ethereum-based investments.
Phishing email supposedly sent from the ICO organizers
123.3275 ether were transferred to this wallet (around $84,162.37). Fraudsters also set up several phishing sites under the guise of the platform’s official site.
A similar scam occurred with the Buzzcoin ICO. The project website invited users to subscribe to a newsletter by leaving an email address. The day before the official ICO start, subscribers received a fraudulent message about the start of pre-sales with a list of cryptowallets to which money should be transferred.
Phishing email supposedly sent from the ICO organizers
Cybercriminals scooped about $15,000 before the organizers took action.
One measure that addresses user safety is the General Data Protection Regulation (GDPR), a general policy on the protection and privacy of individuals. This EU regulation has a direct bearing on all companies that process data belonging to EU residents, and therefore has an international scope. The GDPR becomes enforceable on May 25 this year and stipulates large fines (up to EUR 20 million or 4% of annual revenue) for companies whose information activity does not comply with the regulation.
Such a landmark event in the IT world could hardly fail to attract cybercriminals, and in recent months (since the end of last year) we have registered a large number of spam emails related one way or another to the GDPR. It is generally B2B spam—mostly invitations to paid seminars, webinars, and workshops promising to explain the ins and outs of the new regulation and its ramifications for business.
We also came across spam offering to install, for a fee, special software on the target company’s main website or landing page that would supposedly give the web resource everything necessary to comply with the new rules. Moreover, the site owner would supposedly be insured against problems relating to user data security.
Spam traffic also contained offers to acquire ready-made specialized databases of individuals and legal entities broken down by business division or other criteria. The sellers had no scruples about stressing that all addresses and contacts for sale were already GDPR-compliant. In fact, harvesting user data and reselling it to third parties without the consent of the owners and data carriers violates not only this regulation, but also the law in general.
Example of a spam message exploiting the GDPR topic
Note that legitimate mailers also became more active. They are already sending notices to users describing the new rules and asking for consent to use and process their data under the new policy. When the new regulation enters into force, the number of such notices will skyrocket, so we predict a surge in scam mailings aimed at obtaining personal info and authentication data for access to various accounts. We urge users to pay close attention to the new regulation and carefully study any notifications related to it. Links should be checked before clicking: they should not contain redirects to third-party sites or domains unrelated to the service on whose behalf the message was sent.
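The link check recommended above can be automated. The following is an added example, not part of the report: it extracts the links from a consent notice and flags any whose host is not under the sender’s domain, any whose query carries a redirect parameter pointing to another domain, and any whose visible text shows a domain different from the real one. The notice, the domains and the parameter list are constructed for the example; the registrable-domain logic is a simplification (last two labels) and production code should consult the public suffix list.

```python
"""Flag suspicious links in a (constructed) GDPR consent notice."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample notice claiming to come from example-service.com.
# The last two links are the kinds the text warns about: a redirect hop to an
# unrelated domain, and a look-alike host hidden behind genuine-looking text.
SAMPLE_HTML = """
<p>We have updated our privacy policy in line with the GDPR.</p>
<a href="https://account.example-service.com/consent">Review and accept</a>
<a href="https://example-service.com/privacy">Privacy policy</a>
<a href="https://example-service.com/r?url=https://login-example-service.co/verify">Confirm your account</a>
<a href="https://example-service.com.verify-now.net/login">example-service.com</a>
"""

# Query parameters commonly used by redirector endpoints (assumed list).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "goto", "return", "target"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Simplification: last two labels. Real code should use the public suffix list.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text, expected_domain):
    """Return the reasons a link is suspicious; an empty list means it looks consistent."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if registrable_domain(host) != expected_domain:
        reasons.append(f"host {host} is not under {expected_domain}")
    # Redirect parameters whose value is an absolute URL on another domain.
    for key, values in parse_qs(parsed.query).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                target = urlparse(value)
                if target.scheme in ("http", "https") and \
                        registrable_domain(target.hostname or "") != expected_domain:
                    reasons.append(f"redirect parameter {key} points to {target.hostname}")
    # Visible text that looks like a domain but differs from the actual host.
    if "." in text and " " not in text and text.lower() != host.lower():
        reasons.append(f"link text {text!r} differs from actual host {host}")
    return reasons


def audit_notice(html, expected_domain):
    """Map every href in the notice to its list of suspicion reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text, expected_domain) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in audit_notice(SAMPLE_HTML, "example-service.com").items():
        print(href, "->", reasons or "ok")
```

Run against the sample, the two genuine links come back clean, the redirect link is flagged once and the look-alike host twice (foreign host plus mismatched link text).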
In the runup to the Russian presidential elections, we observed a range of political spam, including messages promoting or slurring various candidates. The election topic was used for fraud: cybercriminals sent email messages offering a financial reward for taking part in public opinion polls, as a result of which money ended up being transferred in the opposite direction.
Example of a message inviting recipients to take part in a poll
Phishing for taxpayers
Every country has its own tax year, but as a rule the most active period for dealing with tax services comes at the start of the year. In Q1 we registered many phishing pages mimicking the IRS, HMRC, and other countries’ tax services.
Fake tax service websites
Back in Q1 2017 we wrote about a mailout disguised as a resume concealing a malicious file from the Fareit Trojan spyware family. In the same quarter of 2018, cybercriminals attempted to infect users’ computers with the Smoke Loader backdoor, also known as Dofoil. Its toolbox includes downloading and installing malware such as cryptocurrency miners, banking Trojans, and ransomware. Smoke Loader could also disable some antivirus software and evade detection by injecting its code into system processes.
The text of the malicious mailshot varied, with some messages imitating the business correspondence of real company employees. To open the password-protected DOC attachment, the user had to enter the password specified in the message, which triggered a request to enable macros (disabled by default); enabling them proved fatal for message recipients. We observed a trend for password-protected malicious attachments in Q1 18: such protection hinders detection and increases the chances that the message will reach the recipient.
Examples of emails with malicious attachments
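Mail filters that cannot open an encrypted attachment can still recognize the pattern described above: an Office document that is encrypted or macro-enabled, delivered together with its password in the message body. The script below is an added example, not code from the report or from Kaspersky Lab; it builds a constructed message with two constructed attachments and triages them. A macro-enabled OOXML file is recognized by the vbaProject.bin entry in its zip container; an encrypted Office 2007+ document is recognized by the EncryptedPackage stream name in its OLE container (legacy .doc encryption sets a flag in the Word file header instead and is not covered here). The sender address, password and file contents are all constructed.

```python
"""Triage Office attachments for the encrypted-plus-password and macro patterns."""
import io
import re
import zipfile
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # OLE2 compound file header
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")  # stream name in encrypted OOXML
PASSWORD_RE = re.compile(r"\bpassword\b", re.IGNORECASE)


def classify_office_blob(data):
    """Return a set of flags describing an attachment's container."""
    flags = set()
    if data.startswith(OLE_MAGIC):
        flags.add("ole")
        if ENCRYPTED_PACKAGE in data:
            flags.add("encrypted")
    elif data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                names = archive.namelist()
        except zipfile.BadZipFile:
            return flags
        flags.add("ooxml")
        if any(name.lower().endswith("vbaproject.bin") for name in names):
            flags.add("macros")
    return flags


def build_sample_message():
    """Constructed message resembling the mailshot: password in body, two attachments."""
    msg = EmailMessage()
    msg["From"] = "accounting@example.com"   # constructed sender
    msg["Subject"] = "Invoice for March"
    msg.set_content("Please see the attached documents. Document password: 1234")

    # Constructed macro-enabled OOXML: a minimal zip with a vbaProject.bin entry.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        archive.writestr("word/vbaProject.bin", b"\x00constructed")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")

    # Constructed stand-in for an encrypted Office container: OLE magic followed
    # by the UTF-16LE stream name a real encrypted document's directory carries.
    fake_ole = OLE_MAGIC + b"\x00" * 64 + ENCRYPTED_PACKAGE + b"\x00" * 16
    msg.add_attachment(fake_ole, maintype="application", subtype="msword",
                       filename="contract.doc")
    return msg


def triage(msg):
    """Return (filename, sorted flags, risk notes) for each attachment."""
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    password_in_body = bool(PASSWORD_RE.search(body_text))

    findings = []
    for part in msg.iter_attachments():
        flags = classify_office_blob(part.get_payload(decode=True))
        risk = []
        if "macros" in flags:
            risk.append("macro-enabled document")
        if "encrypted" in flags:
            note = "encrypted document"
            if password_in_body:
                note += " with password in message body"
            risk.append(note)
        findings.append((part.get_filename(), sorted(flags), risk))
    return findings


if __name__ == "__main__":
    for filename, flags, risk in triage(build_sample_message()):
        print(filename, flags, risk or "no finding")
```

The combination "encrypted document with password in message body" is the signal worth a quarantine rule: a legitimate sender rarely ships the key in the same message as the lock.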
Another long-established social engineering method exploits user fears of infection, data leakage, access denial, and other bugbears. In Q1, this old trick was used to dupe users into parting with cryptocurrency. Most messages tried to scare recipients by reporting that malware was installed on their computer and that personal info (lists of contacts, monitor screenshots, webcam videos, etc.) was compromised. If the scammers didn’t receive a hush payment, it was said, the harvested information would be sent to all the victim’s contacts.
Example of a message with a ransom demand in exchange for not publicizing the victim’s personal data
Some messages from cybercriminals tried not only to extract money, but to install malware on recipients’ computers. The malware was located in a protected archive attachment that the attackers claimed was proof that they had the victim’s data.
Malware under the guise of proving cybercriminal intent
Proportion of spam in email traffic
Proportion of spam in global email traffic, Q4 2017 and Q1 18
In Q1 18, the largest share of spam was recorded in January (54.50%). The average share of spam in global email traffic was 51.82%, down 4.63 p.p. against the figure for Q4 2017.
Sources of spam by country
Sources of spam by country, Q1 18
Q1 18 results put Vietnam (9.22%) top of the leaderboard of spam sources by country. In second place, just 0.64 p.p. behind, came the US (8.55%). The rating’s frequent leader China (7.87%) slipped to third, while India (7.10%) and Germany (6.35%) claimed fourth and fifth. The Top 10 is rounded off by Iran (2.51%).
Spam email size
Spam email size, Q4 2017 and Q1 18
In Q1 18, the share of very small emails (up to 2 KB) in spam increased by 19.79 p.p. to 81.62%. Meanwhile, the proportion of emails between 5 and 10 KB in size fell (by 6.05 p.p.) against the previous quarter to 4.11%.
The number of emails between 10 and 20 KB also decreased (by 4.91 p.p.). Likewise, there were fewer emails sized 20 to 50 KB—this quarter they made up just 2.72% of the total, which represents a drop of 6.81 p.p. compared to the previous reporting period.
Malicious attachments in email
Top 10 malware families
Top 10 malware families, Q1 18
The most widespread malware family in email traffic this quarter was Trojan-PSW.Win32.Fareit (7.01%), with Backdoor.Java.QRat (6.71%) and Worm.Win32.WBVB (5.75%) completing the Top 3. Fourth place went to Backdoor.Win32.Androm (4.41%), and Trojan.PDF.Badur (3.56%) rounds off the Top 5.
Countries targeted by malicious mailshots
Distribution of Mail Anti-Virus triggers by country, Q1 18
Germany (14.67%) was this quarter’s leader by number of Mail Anti-Virus triggers, followed by Russia on 6.37% and Britain with a score of 5.43%. Fourth and fifth positions were occupied by Italy (5.40%) and the UAE (4.30%).
In Q1 18, the Anti-Phishing module prevented 90,245,060 attempts to direct users to scam websites. The share of unique users attacked made up 9.6% of all users of Kaspersky Lab products worldwide.
Geography of attacks
The country with the largest percentage of users affected by phishing attacks in Q1 18 was Brazil (19.07%, -1.72 p.p.).
Geography of phishing attacks*, Q1 18
* Number of users on whose computers Anti-Phishing was triggered as a percentage of the total number of Kaspersky Lab users in that country
Second came Argentina (13.30%), and third place was taken by Venezuela (12.90%). Fourth and fifth went to Albania (12.56%) and Bolivia (12.32%).
Top 10 countries by percentage of users attacked by phishers
Organizations under attack
Rating of categories of organizations attacked by phishers
The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab’s heuristic Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.
In Q1 18, the Global Internet Portals category again took first place with 23.7% (-2.56 p.p.).
Distribution of organizations affected by phishing attacks by category, Q1 18
However, the combined financial category—banks (18.25%), online stores (17.26%), payment systems (8.41%)—still accounted for almost half of all attacks (43.92%), which is up 4.46 p.p. against the previous quarter. The next categories in descending order were Government Organizations (4.75%), Social Networks and Blogs (4.11%), Telecommunications Companies (2.47%), IT Companies (1.55%), Messengers (0.66%), Online Games (0.43%), and Airlines (0.07%).
The quarter’s main topic, one that we will likely return to many times this year, is personal data. It remains one of the most sought-after wares in the world of information technology for app and service developers, owners of various agencies, and, of course, cybercriminals. Unfortunately, many users still fail to grasp the need to protect their personal information and pay no attention to whom their data is transferred in social media, or how.
Cybercriminal interest in personal data is confirmed by our analysis of spam traffic, where one of the main topics remains mail phishing employing a range of social and technical engineering methods. Throughout the quarter, we observed fake notifications on behalf of social media and popular services, bank phishing, and “Nigerian prince” emails.
The GDPR, set to come on stream in late May, is intended to correct the situation regarding personal data, at least in the EU. Time will tell how effective it is. But one thing is clear: even before its introduction, the new regulation is being actively exploited as a topic by cybercriminals and many others. Regrettably, the GDPR is unlikely to fix the situation.
In Q1 18, the average share of spam in global email traffic was 51.82%, down 4.63 p.p. against Q4 2017; the Anti-Phishing module blocked 90,245,060 attempts to direct users to fraudulent pages; and Brazil (19.07%, -1.72 p.p.) had the largest share of users attacked by phishers.
Based on the quarter results, it is safe to predict that scammers will continue to exploit “fashionable” topics, two of which are cryptocurrencies and new ICOs. Given that these topics have begun to attract interest from the general public, a successful attack can reap vast rewards.