Translated by
2019/11/07 14:33:45

Phishing phishing

Type of Internet fraud which aim gaining access to confidential data of the user (logins and passwords). The user thinks that he passes to the stated website, however actually it is redirected on the false website. As a rule, clients of banks and payment systems become the victims of phishers.


Hackers used e-mails for implementation of this sort of the attacks, but thanks to wide circulation of social networks and smartphones with Internet access of steel is multiplied also types of phishing attacks.

These e-mails contain the reference which allegedly conducts the user on the website of some company with the high level of confidentiality though, actually, such website is only simulation of the original website without any confidentiality.

Thus, the self-confident user who has no reliable antivirus protection can fall a victim of the attack intended for theft of personal data.

Phishing — one of types of social engineering based on ignorance by users of bases of network security: in particular, many do not know the simple fact: services do not send letters with requests to give the credentials, the password and other.

For protection against a phishing producers of the main Internet browsers agreed about application of identical methods of informing users that they opened the suspicious website which can belong to swindlers. New versions of browsers already have such potential which respectively hereinafter is referred to "anti-phishing".

Schemes of a phishing

Upon what heartstrings phishers play

Most of cybercriminals rely not only upon technology, but also upon human carelessness and trustfulness. In 2011 seven human weaknesses operated by criminals who use psychological methods of impact on people via e-mail, social networks and telephone communication were listed in the report of Cisco company. It is about:

  • sexualities,
  • greed,
  • vanity,
  • excessive trustfulness,
  • laziness,
  • compassion and
  • haste in the made decisions.

As the phishing letter looks:


  • Executive authorities;
  • Large telecommunication operators;
  • Profile Internet forums;
  • Credit and financial organizations;
  • Partner organizations;
  • Organizations clients.


  • The requirement which arrived from executive authorities;
  • Mailing of changes in regulations;
  • Collecting/repayment of a debt/penalty, payment of services;
  • Document retrieval for check.

At the beginning of 2017 experts paid attention to the new phishing campaign directed against users of Gmail. Letters contain so well veiled malicious URLs that even advanced users often do not notice a dirty trick and enter the credentials on a phishing analog of Gmail. As soon as the victim is compromised, malefactors immediately intercept access over its account and attack all contacts of the victim.

The harmful letters going from the compromised users allegedly contain the PDF document which can be browsed previously directly in the web interface of mail. However having clicked on such "investment" which actually is the simple image which is built in the letter, the user initiates readdressing on the phishing page[1].

Phishing URL begins with "data:text/html,https://accounts/" that can mislead the user, having forced to believe that it still is on this website of Google. Actually, for opening of the phishing page in a new tab the special script is used, and the page has no relation to Google.

E-mail compromise

Main article: Fraud with e-mail (business email compromise, invoice fraud)

The compromise of corporate e-mail (engl. business email compromise or invoice fraud) is a fraud at which the criminal represents from himself the seller or the business partner and convinces the representative of the company to transfer the large amount to the offshore account as "payment" for services which never rendered.

Calendar phishing

At the beginning of 2019 experts of Kaspersky Lab recorded a wave of phishing attacks on users of a Google service the Calendar. For May cybercriminals repeatedly sent to the victims fraudulent messages, forging them under automatic notifications in the calendar on the smartphone. This new method of carrying out phishing attacks potentially gives to malefactors more opportunities as can theoretically mislead even experienced users who are knowledgeable about threat of spam and phishing in e-mail or messengers.

The messages sent by malefactors operate function of automatic adding of the invitation in the calendar and notifications on this event. At many users this function is included by default. If the victim opens a pop-up window on the smartphone which is externally very similar to the notification of the Google application, then, most likely, will see the link to a phishing site on which simple survey for remuneration is allegedly conducted. For receiving a monetary prize as it will become clear later, the user needs to pay the small commission — and for this purpose to specify data of the bank card and some personal information, in particular a name, the phone number and the address. Certainly, all this goes directly to malefactors.

"This "a calendar phishing' — very effective scheme. Many users already got used to spam messages in mail and messengers and often just ignore and delete them. In the calendar everything is not so obvious — this application is created for ordering of information, but not for its transfer. So probability that the fraudulent message in the calendar will be open, can be a little higher — Maria Vergelis, the senior spam analyst of "Kaspersky Lab' told. — So far all samples of such phishing notifications detected by us contain extremely strange offers, and it is visible to any user at once. But each simple scheme becomes more difficult also produmanny over time. There is however in all this story also good news: not to fall a victim of such fraud, no special precautions and tricks are necessary — function of the automatic notification can be turned off easily in settings of the calendar".

"Conditions of provision of services of Google and policy for products prohibit distribution of harmful content, and we work preventing abuses and to warn them hard. Fight against spam is an infinite fight, and though we achieved big progress, sometimes spam passes. We are still deeply committed to protection of all our users against spam: we scan content in photos regarding spam and we give to users an opportunity to announce spam in the calendar, Google Forms, on Google Drive, in Google of the Photo and in Hangouts. Besides, we offer users of means of protecting, warning them about the known harmful URL addresses using filters of safe viewing Google Chrome" — said in the press service of Google.

Smishing (SMiShing)

Within several years hackers used the equipment known as a phishing. With its help they sent to the victims e-mails allegedly from bank therefore fraudulently tried to obtain registration data for access to the bank account. Since people became more informed and better began to recognize phishing letters therefore the victims of a phishing became less, hackers changed the tactics and focused the attention on our phones.

The Smishing is conceptually very similar: instead of sending e-mails hackers began to send to the victims text Sms. Each of such messages is developed to deceive people for the purpose of receiving from them extremely important personal information, for example, the PIN code for access to their online bank. Some smishingovy messages will direct the victims to the false website or will ask to download the necessary application which is actually infected with the malware.

How to recognize the smishingovy message

Almost each smishingovy message has one common feature: feeling of urgency. You will be told that your bank account is cracked and you should be connected urgently to it using the enclosed link. Or within normal check of security systems access to your bank account was blocked, and therefore for restoring access it is necessary to confirm the password. You can even ask to download a special application to raise the security level of your account, and the earlier, the better.

Actually, no bank sends urgent Sms: most of them for transfer of important information use e-mail and normal letters. If you received the text message from your bank, then it will not contain the reference: at the first opportunity you will be just redirected on the page of the website of bank with a form for authorization or with a contact information of service of clients of bank.

The same way, your bank will never send you the link to the website for downloading of the new application. They can send you to official shops App Store or Google Play, but most of them will direct the pop-up notification via the official application, but not through a text Sms.

If you have any (starting up even the slightest) doubts of rather text message which you got, then delete it better. If the question really is very urgent, then your bank will contact you repeatedly. You can also call them and receive confirmation whether there is a problem actually[2].

Measures of protection from a phishing

Councils for private users

Check of a source of each e-mail received by you and transition to the website of your bank not according to the link from the letter, and by a set of the address in an address bar of the browser – here two main precautionary measures which you can undertake not to fall into a trap cyber-criminals.

1. Learn to reveal suspicious phishing letters

There are several signs which identify the attack by e-mail[3]:

  • They duplicate an image of the known company.
  • They copy the company name or the Full Name of the real employee of the company.
  • They contain the websites which are visually similar to the websites of the real companies.
  • They offer gifts or frighten by loss of the existing account.

2. Check information source

Your bank will never ask you to send your passwords or personal information by e-mail. Never answer similar questions but if you have though a little doubts, then call your bank for receiving explanations better.

3. Never you pass to the website of your bank, clicking on the links in letters

Do not click on the links in the letter since as a result of it you can appear on the false website.

Better manually gather the website address in an address bar of your browser or use earlier configured tab in Favorites if you want to pass quicker.

4. Raise the security level of your computer

Not lose feeling common sense and have judiciousness also important, as well as to protect the computer using the antivirus capable to block this type of the attacks.

Besides, you should set always the latest updates of your operating system and web browsers.

5. You enter your critical data only on safe websites

To learn whether this website is "safe", check an address bar in your browser: the address of the website should begin with "https://", and near it the icon of the closed lock should be shown.

6. Periodically verify your accounts

Never will prevent to check periodically your bank accounts to do not miss any suspicious actions in your online transactions.

7. The phishing belongs not only to online banks

The majority of phishing attacks are directed against banks, however for theft of personal data they can use also other popular websites: eBay, Facebook, PayPal and others.

8. The phishing knows all languages

The phishing knows no limit, and can overtake you in any language. In general, they are badly written or translated, and therefore it can serve as one more indicator of the fact that something is not right.

For example, if you never were on the Spanish website of your bank, then why now information for you should be in this language?

9. If there are though slightest doubts, you should not risk

The best method of prevention of a phishing is not to react to any letters or news which ask you to provide confidential data.

Delete these messages and call your bank for clearing of your doubts.

10. Periodically read information on development of malware

If you want to be aware of the last harmful attacks, recommendations or councils to avoid any dangers on the Internet, you can read specialized blogs about cyber security in Facebook, VK, Twitter, etc.

Recommendations for the organizations

Not to fall a victim of a phishing it is always recommended to users to calibrate authenticity of the website on which they are going to enter financial information and to check whether connection is protected by the safe https protocol. Besides, you should not follow the suspicious links and to fulfill all requirements stated in e-mails from a bank name if they cause even the smallest share of doubt — better in this case to contact financial institution directly. And, of course, it is necessary to use the protective solution including pro-active functions of recognition and blocking of a phishing.

What needs to be done to avoid danger:

  • Regularly update an antivirus and the browser.
  • Guide the cursor at the link to look where it conducts.
  • Check the letter regarding existence of the following signs: incorrectly written words, the wrong URL domains, low quality of graphics and unknown senders.
  • Instead of click-through in the letter it is necessary to visit the site of the company which sent the letter to be convinced of accuracy of the information.

What cannot be done:

  • Do not click on the links in the letters received from unknown or suspicious sources.
  • Do not send suspiciously looking letter to friends or family members.
  • Do not load content which your browser or an antivirus considers suspicious.
  • Do not leave personal information on the website.

Personnel training of the company

The project on increase process building [4]

  • Responsible, terms, project budget
  • Training program
  • Development materials / choice of a ready system

We provide training:

  • Basic program for new employees
  • Periodic mailings on separate subjects
  • Single mailings with important information on relevant threats

We check:

  • Assessment of knowledge
  • Testing in "fighting" conditions"

Market of the systems of increase in awareness

Simulation of action of the malefactor: phishing mailings in the educational purposes

Phishing rassylk: implementation options
Phishing rassylk: implementation options

The threats connected with use of social engineering will not get to in the near future anywhere (and most likely, will only grow)

  • Such attacks are universal for penetration into any systems, are easily replicated
  • There is enough one "got" for a compromise of all network
  • You should not rely only on technical means

It is possible to reduce risks, training employees and effectively checking their knowledge

  • We supplement organizational measures with "fighting exercises"
  • Testing by carrying out phishing mailings can be supplemented with simulation of other actions of malefactors: telephone fraud, penetration tests

Important not what tools we use, and qualitatively organized learning process and testings

  • All provided solutions are only private examples of implementation
  • If there are no processes, then and there will be nothing to automate.

Phishing in Russia

Main article: A phishing in Russia


the System of a corporate phishing imitating process of employee assessment of the company

According to the senior content analyst of Kaspersky Lab Tatyana Scherbakova, the little-known scheme of a corporate phishing imitates process of employee assessment of the company. It became known on November 6, 2019.

According to her, the Kaspersky Lab learned about this method of a phishing from the clients. Swindlers send to the addresses of staff of the different companies, including banking sector, the letter with counterfeit links which contain the offer to pass assessment of knowledge and skills on allegedly HR portal, having authorized with the login and the password from working mail.

As a result swindlers can get access to corporate correspondence, including to logins and passwords from databases with personal information of clients or to bases if they are sent in open form.

Alexey Golenishchev, the director of monitoring of electronic business of Alfa-Bank, agreed to call the described method "the new scheme" of a corporate phishing, but a framework of "mailings of fraudulent e-mails".

Earlier it were letters with the opened files "infected" with viruses, links to fake resources and so forth. Obviously, knowledge and experience of users of corporate computer systems grows, including regarding security, and swindlers should think out all new schemes
shared Alexey Golenishchev

However the expert considers that using the described scheme of a phishing it is possible to get logins and passwords from corporate mail of specific employees if in the company due attention of external and internal IT security is not paid [5].

The organizer of phishing attacks will pay to the victims more than $1.1 million

The cybercriminal attacking such large companies as Uber, Sainsbury's, Nectar, Groupon, T Mobile, and Argos will pay[6] more than $1.1 million as compensation to the victims of phishing attacks[7].

27-year-old Grant West famous in Network as "Courvoisier", began the phishing campaign in 2015. He attacked the popular companies for access to financial data of ten thousand of clients which he then sold in the Darknet for different cryptocurrencies. Based on investigation, West was identified as the leader of the Organised Crime Network grouping attacking the organizations located in London. Along with financial data he also sold instructions for carrying out cyber attacks.

Law enforcement officers during transaction code-named of "Operation Draba" confiscated all means of the criminal. Also in the house Uesta was detected the SD card from 78 million unique user names and passwords and also these 63 thousand bank cards. Further investigation revealed that the criminal organized the attacks from the notebook of the girl. On the device the file with the name "fullz" containing financial information more than 100 thousand users was detected.

Having studied case papers, the court decided to sell all confiscated digital currency of West (for the amount more than £922 thousand) and to pay to victims compensation.

Telecom operators in Europe blocked on average 20 million phishing attacks monthly

On July 23, 2019 the Allot company issued the report from the Telco Security Trends series. Based on private and industry researches, it considers growth of phishing attacks, their financial effects and how service providers can help with fight against this growing threat.

In 2018 the phishing was one of the most widespread types of cybercrimes

As it was reported, the main outputs include:

  • Phishing – the growing problem for users, business and service providers worldwide. Consumers are the main targets of these attacks, and they demand increase in security of the data and financial information. According to Telco Security Trends Report, during the first quarter 2019 telecom operators in Europe blocked every month on average 20 million phishing attacks on devices of seven million mobile subscribers.
  • Phishing – the global billion industry. The research showed that for the three-months period the mobile phishing made 35% of number of all activated blocking at the clients using service of security of telecom operator. Adware took the second place from 34%, having outstripped number of blocking of malware, racketeers and a kriptodzheking.

The countries Top-10 where the greatest number of phishing attacks in 2018 is recorded

Service providers have an opportunity to lower number of phishing attacks.

  • In spite of the fact that the phishing technically depends on to what sources users trust, service providers can protect the subscribers from a phishing proactively.
  • Service providers should adopt approach "Train, warn and protect" for protection of clients against cybercriminals.
  • Protection against a phishing gives to service providers an opportunity to differentiate itself and to create income sources, at the same time protecting Internet users.

For many years clients of service providers became the direct or indirect victims of a phishing, and time to work came now. For July, 2019 hackers aim to deceive users and to convince them to divulge personal and confidential information, skillfully manipulating such human emotions as greed, fear and hope. Thanks to pro-active approach of the notification of clients about phishing campaigns, to training in their bases of Internet security and implementation of anti-phishing technologies for protection at the network layer, service providers can not only gain consumer confidence, but also create additional sources of income acquisition for themselves.

Hagay Katz, the vice president for strategic accounts for cyber security in Allot told


E-mail - the most popular delivery mode of the malware

According to CERT-GIB, e-mail finally affirmed as the status of the most popular delivery mode of the malicious software in 2018. The ratio of delivery of a Higher Professional Education on email and loadings via the web browser for 2018 remained at the level of 12 to 1. At the same time in the second half of 2018 the share of loadings of the malware by means of the web browser was reduced to a historic low and made about 3%.

According to CERT-GIB, use of public mail services for sending the letters containing a Higher Professional Education became one of key a trend of 2018. So, in top-5 the mail domains which are most actively used by malefactors entered popular in Russia, and For comparison in 2017 only one public mail service ( entered this five, other four – the domains registered specially under harmful mailings or just counterfeit addresses. The trend speaks simply: on the one hand, authors of phishing mailings aim to use most entrusted addresses – from what users got used to receive e-mail. About other, such method of mailing is much cheaper – there is no need to register the mail domain, it is possible to use ready infrastructure, and in case of detection by one mail service of suspicious activity, without loss "to move" to another.

As well as in 2017, in 2018 in most cases (82%) malefactors preferred to deliver a Higher Professional Education in an investment to the letter. The quantity of the facts of use of URL links in the letters conducting on loading of the malware in 2018 increased not considerably – by 10%.

Favourite format of packaging of a Higher Professional Education in 2018 malefactors had archives. For all 2018 in archives more than a half of all harmful objects was delivered. ZIP archives which unpacking, as a rule, does not require separate software enjoyed the greatest popularity. 20% of all harmful files analyzed within CERT-GIB work were the share of them.

In 2018 among malefactors files with the.exe expansion were still popular in spite of the fact that this performed format already had to develop care of work with it at Internet users. 12% of all analyzed harmful objects fell to the share of the delivered Higher Professional Education by means of.exe of files.

For the purpose of a bypass of traditional systems of detection of harmful mailings malefactors go for different tricks, one of which is mailing of a Higher Professional Education in the archives requiring the password for interpretation of contents. CERT-GIB fixes the tenfold growth of number of such archives: in 2017 only 0.08% of a total quantity of harmful objects were the share of archives with the password, and in 2018 their quantity grew up up to 0.9%. In simple schemes of the attacks the password, as a rule, is specified in the letter with a harmful investment. The multi-stage attacks using social engineering, use issue of the password at an input stage in communication with the user, for creation of trusted relationships which purpose – to force the victim to open archive with the malware.

Other known method of a bypass of traditional detection systems is sending malicious URLs with the postponed activation. For 2018 CERT-GIB fixed slightly distinguishing scenarios of the targeted attacks when letters were delivered to addressees in time off, and at the time of anti-virus check the link from the letter was unavailable thanks to what the harmful letter was successfully delivered. Malefactors activated the malicious URL only in working time of the victim when the virus scanner already "permitted" delivery of the letter.

"More and more cybercriminals locate the tools allowing to be convinced that the sent copy is not detected by popular traditional antivirus tools. But the protection class based on the behavioural analysis allows to detect behavior, earlier unknown copies of the malware and to block suspicious activity which the antivirus can pass",

'Yaroslav Kargalev, the deputy manager of CERT-GIB noted'

49% of phishing sites use SSL for creation of illusion of security

According to CERT-GIB, the ratio of the phishing resources using safe connection (SSL/TLS) to a total quantity of phishing sites shows that malefactors even more often operate false feeling of safety at the users staking on HTTPS. Statistics shows that in the 4th quarter 2018 nearly a half of all phishing resources uses "safe connection".

Group-IB reported that the Russian domain zone reached record levels on decrease in volume of the toxic websites
"Users should not rely on the connection type used by the website as criterion of its security. It became also simple to receive HTTPS the certificate for malefactors, as well as any other. Online it is possible to detect a large number of services which allow to make it quickly and free of charge",

'Yaroslav Kargalev, the deputy manager of CERT-GIB noted'

Kaspersky Lab blocked 137 million attempts of users to pass to phishing pages

On November 6, 2018 "Kaspersky (earlier Kaspersky Lab)" reported that its solutions blocked for trety quarter 2018 more than 137 million attempts of users to pass to phishing pages – it is 28% more, than in a previous period. At the same time over a third of phishing attacks (35%) was the share of the organizations of financial category: banks, payment systems, online stores. All these numerous fake pages were created with one purpose – to obtain confidential data of users which would open for malefactors, in addition, access to private purses and bank accounts of the victims.

However, cybercriminals tried to earn from users and in a different way. At the end of summer of 2018 Kaspersky Lab recorded in spam traffic surge in fraudulent mailings in which demanded the redemption for nondisclosure of the "compromising evidence" collected on them from receivers. These letters even contained personal data of users – thus malefactors tried to convince the victims that they really have important information. The redemption was required in bitcoins, and its amount varied from several hundred to thousands of dollars, at the same time swindlers specified in different mailings different bitcoin purses for money transfer. As analysts of Kaspersky Lab found out, only on one such purse in one month 17 transaction for the total amount about 18 thousand US dollars were made.

In Russia swindlers, certainly, tried to exploit one of the hottest topics of the last months – pension reform. For example, Kaspersky Lab detected several mailings with offers to check the amount of pension savings in non-state funds and to withdraw money "from pension". To convince receivers of legitimacy of letters, malefactors referred to nonexistent laws and structures (for example, to certain "National department of return of pension savings"). With pension charges receivers of letters were offered to pay small "duty" which, naturally, went to a pocket of swindlers for an output of nonexistent savings and "access" to the database.

Amounts of a phishing continue to grow for all 2018, and there is enough in high gear. That number of the attacks which we recorded only in the third quarter 2018 was a half (and even more) that value which was detected by us in 2017. It is promoted by a set of factors. Swindlers constantly invent schemes and tricks, borrow the ideas foreign "colleagues", involve different channels of distribution of spam and phishing links, operate popular subjects and events as a bait. Generally, malefactors obviously have no lack of occasions and tools.
Nadezhda Demidova, leading content analyst of Kaspersky Lab

Not to fall a victim of a phishing, Kaspersky Lab recommends to users to follow enough simple rules.

  • Always verify authenticity of a source address of the letter and the link which is contained in it – if are not sure of their reliability, do not open. If all of you appeared on the website raising at you doubts do not leave any personal data there. If you think that in a random way you could transfer the password to malefactors, urgently replace it.
  • Use the protected connection, especially when you visit the important websites (for example, in the system of Internet banking). Whenever possible avoid unsafe public Wi-Fi of networks. All this will reduce risk of imperceptible hit on the phishing page. For the maximum confidence use special solutions for protection of network connections – for example, Kaspersky Secure Connection.
  • Use the suitable protective solution with anti-phishing technologies – for example, Kaspersky Security Cloud. The program will warn you if you try to pass to a moshennicheskuyustranitsa, and will block it.

The boom of ICO stimulates a new wave of phishing attacks

According to the research Qrator Labs, most often the companies from the financial sector face a phishing (30%) and DDoS attacks (26%). Preserving of attention to DDoS attacks from the banking sector at rather high level is caused by a wave of the massed DDoS attacks on a number of large Russian banks: in 2016 websites of many known financial institutions from top-10 were attacked, and on January 28, 2018 there was the biggest in recent years DDoS attack on the world financial sector using the botnet Mirai.

For the last year nearly a half of respondents experienced at least one DDoS attack. Among the basic reasons leading to hit of financial institution in focus of organizers of DDoS attacks it is possible to call as organization sizes and its popularity in the market, and lack of the implemented adequate counter-measures for fight against DDoS attacks owing to what the organization can become an easy mark for cyberracketeers, - Artem Gavrichenkov, the technical director of Qrator Labs notes.

According to Qrator Labs poll if earlier financial institutions aimed to build solutions entirely of in-house, then today most the polled companies (68%) already consider the most effective remedy of counteraction of DDoS hybrid solutions (on client side with participation of the operator solution, or a distributed network). However this method also has a number of nuances which need to be considered. Hybrid solutions do not compensate each other shortcomings, and combine advantages and negative properties in these or those proportions that can negatively affect protection level.

In the industry there was no clear understanding of similar risks yet: many still rely on hybrid solutions. However with growth of threats it is possible to expect that further the market will belong to this situation more seriously, having realized that the combined systems cannot provide protection against the whole classes of the attacks, - Artem Gavrichenkov says.

The threat of a phishing significantly increased including in connection with the companies coming to ICO. The unceasing agiotage around ICO led to a high fraud risk, and average users have no faithful representation how to provide own protection, and are inclined not to notice Internet fraud.

In the field of ICO the phishing became a serious problem, and it allows to judge that, as in allied industries, for example, in the financial sector, focus of malefactors is also displaced towards such method of gaining access to confidential data of users, - the technical director of Qrator Labs notes.

The average number of the attacks on web applications in the financial sphere, by data Valarm, makes 1500 a day. The main part of them are the automated tools and scanners. Such activity of the automated means creates a big information background and complicates identification of real incidents. In spite of the fact that the number of cracking in unit of time in general in recent years remains at one level, financial institutions already can not always timely detect and precisely fix similar incidents.

Cyberswindlers send phishing letters under the guise of standings of World Cup 2018

The Check Point Software Technologies company, solution provider in the field of cyber security, announced on June 19, 2018 identification of the phishing campaign connected with the beginning of the FIFA World Cup of 2018. Cyberswindlers send the infected file under the guise of the schedule of games and standings.

The malware under the name "DownloaderGuide" which is known as the loader of potentially undesirable programs disappears in an investment of phishing letters. Most often it is used as the installer of applications, such as toolbar, advertizing by softwares or utilities for optimization. Researchers of Check Point found out that phishing mailing includes different executable files, all from which were sent by e-mail using a subject: "World_Cup_2018_Schedule_and_Scoresheet_V1.##_CB-DL-Manager".

The campaign for the first time was detected on May 30, 2018 and reached a pica on June 5, however in the tenth of June researchers of Check Point recorded the next splash which is connected with the beginning of a tournament.

The company expects new surges in online frauds and phishing attacks during the FIFA World Cup 2018 and urge Internet users to save vigilance, and to the organizations recommend to apply the multilevel strategy of security which protects as from the known malware, and threats of zero day.

Phishing — among the most serious threats for users of Office 365

The Microsoft corporation published in April, 2018 the report on threats of information security of Security Intelligence Report from February, 2017. It is based on the data obtained by protective programs and services of the company (Data on the number of the detected threats, but not about infection cases). Information was provided by corporate and private users who agreed to share it with a binding to a geolocation.

Wide circulation of botnets and viruses racketeers led to the fact that the number of the devices in Russia which collided cyberthreats during the period from February, 2017 to January, 2018 reached 25-30% on average in a month whereas a similar indicator in the first quarter 2017 was almost twice less – 15%. The highest rates the lowest were recorded in Pakistan, Nepal, Bangladesh and Ukraine (33.2% or above), – in Finland, Denmark, Ireland and the USA (11.4% or below).

In 2017 methods of receiving "easy mark", such as phishing, were used to obtain credentials and other confidential information from users. According to data of Microsoft Advanced Threat Protection (ATP) the phishing was among the most serious threats in mailboxes of users of Office 365 in the second half of the year 2017 (53%), 180-200 million phishing letters were detected monthly. In Russia, in particular, it was revealed 7.01 (in the world – 5.85) phishing sites per each 1000 hosts. Malware loaders (29%) and Java backdoors (11%) became the threats following on prevalence.

Other target for malefactors are cloud applicaions with the low level of security. During the research it became clear that 79% of the SaaS-applications for cloud data storage and 86% of the SaaS-applications for joint work do not provide enciphering stored, the transmitted data. For protection of corporate infrastructure of the organization should limit use by users of the cloud applicaions which are not using enciphering and to control it using the broker of safety of cloud access (Cloud Access Security Broker, CASB).

One more trend of the second half of 2017 – cybercriminals use the legitimate built-in means of a system to distribute the infected document (for example, the document Microsoft Office) which is contained in the phishing letter and to load the program racketeer. By the best method to avoid such type of threat timely updating of the operating system and software is.


Google: Phishing attacks it is more dangerous than keyloggers and date leaks

Specialists of Google together with scientists of the University of California in Berkeley and the International institute of computer sciences (International Computer Science Institute) published results of a research of modern cyberthreats. According to the report, phishing attacks constitute more serious danger, than keyloggers and reuse of the password[8] for users[9][10].

Researchers came to this conclusion, having analyzed several black markets selling accounts and credentials. In a research data from March, 2016 till March, 2017 were considered.

Experts detected more than 788 thousand credentials stolen using keyloggers, 12.4 million credentials stolen by means of a phishing, and 1.9 billion credentials which snared during leaks. At the same time 12% of the accounts compromised during leaks were registered through Gmail service. In 7% of cases users reused the password from Google for access to other account, having threatened thus both accounts of cracking.

According to representatives of Google, from 12% to 25% of the detected passwords still were applied by users. Google stated that results of a research will be used including for reset of passwords in the compromised accounts.

"Estimating risks, we found out that the phishing poses the greatest threat for users. Further keyloggers and date leaks follow. Probability that the account of the victim of a phishing will be cracked in 400 times more in comparison with the average user of Google. This indicator is 10 times less at the victims of date leaks and is about 40 times less at the victims of keyloggers", - experts noted.

In addition, researchers also paid attention to the growing trend to turn on in keyloggers and phishing software tools for a registriration of the IP addresses and other data for a bypass of location-based filters. More difficult versions of the malware also register phone numbers and these user-agent.

Facebook will pay $100 thousand to researchers for development of the technology of detection of a purposeful phishing

In August, 2017 the social network Facebook declared the winner of competition of "2017 Internet Defense Prize". The team of researchers from the University of California in Berkeley and National laboratory of Lawrence Berkeley earned an award in the amount of $100 thousand for the invention of the new technology of detection of purposeful phishing attacks (spear-phishing) in corporate environment.

The method provided within USENIX Security Symposium combines the new equipment of assessment of anomalies for creation of rating of notifications of security and functionality of the analysis purposeful phishing email messages.

For testing of the method researchers analyzed more than 370 million email of the messages received by the staff of the large companies during the period from March, 2013 to January, 2017.

The first part of detection of a purposeful phishing relies upon the analysis of two main components: reputations of the domain and reputation of the sender. The reputation of the domain is performed by check of reputation of the link in the letter. The link is considered dangerous if it was not visited by many staff of the company or if the activity according to the link began quite recently.

The functionality of check of reputation of the sender tries to find out whether text fields are counterfeit, for example, a name of the sender and the heading From.

After carrying out the analysis a system should make the decision on the basis of collected data and, in case of need, create the notification on danger. The system offered by scientists is called direct assessment of anomalies - 'Directed Anomaly Scoring (DAS)'. It consists in determination of suspiciousness of each event in relation to other events. After the analysis of all events, DAS selects the events which received the appreciation and announces them to a security service.

According to the statement of experts, the new technology is capable to detect 17 of 19 phishing letters, and the number of false operations makes only 0.005%[11].

Swindlers attack users of Apple devices under the guise of employees of iTunes

On July 17 the Eset company warned users of products of Apple about new swindle. Swindlers collect data of bank cards and other personal information, sending letters on nonexistent purchase in iTunes Store.

The potential victim receives on behalf of online store the letter in which it is reported that Apple ID was used on the unknown device for purchase of an album of Rihanna. To the user suggest to ignore the message, having confirmed thereby purchase, or to cancel transaction, having followed the link.

Counterfeit letter on use of Apple ID
Counterfeit letter on use of Apple ID

If the user does not pay attention to grammatical errors in the letter and the fact that the source address has no relation to Apple, it gets on a phishing site where it is offered to enter Apple ID and the password, and then to fill out the questionnaire "for confirmation of the personality".

According to Eset, swindlers request exhaustive data: name, surname, postal address, phone, date of birth and data of bank cards. Cards of all widespread payment systems, including Visa, MasterCard, American Express, etc. "are accepted".

After data entry on the page the message that the account successfully underwent testing will appear. The user will be redirected on the homepage of the present of iTunes Store, and its personal data will appear at malefactors.

Eset recommends to ignore spam mailing and to use complex anti-virus products with functions of an antispam and anti-phishing.

Kaspersky Lab found out who stands behind phishing attacks on the industrial companies

The center of response to incidents of information security of industrial infrastructures of Kaspersky Lab ICS CERT announced in iyune2017 years splash in number of phishing attacks on the industrial companies from Nigerian malefactors. Only in three months of researches experts of the center detected more than 500 attacked enterprises in more than 50 countries of the world: the share of the industrial companies among them exceeded 80%.

The letters sent at the attacks were made so that the employee who received the letter considered it legitimate and opened a harmful investment. Messages were sent including on behalf of the companies — partners of the potential victims: suppliers, customers, commercial organizations and delivery services. In them receivers were offered to check urgently information on the account, to specify quotations on products or to receive a load according to the delivery note. At the same time all letters contained the harmful investments intended for theft of confidential data and also installation of the hidden means of remote administration of systems.

Also specialists found out that the most part of the domains used for command servers of the malware was registered on the persons living in Nigeria. Having selected from the preparing transactions the most perspective for itself, attacking registered domains which names resembled very much names of selling companies. Then they intercepted messages with accounts from these companies and sent them to buyers, having replaced details with own.

The described attacks belong to the well-known Business Email Compromise (BEC) type. Such threats usually not only are aimed at industrial enterprises, but at business in general. By estimates FBI, the damage from the similar attacks for the last few years exceeded 3 billion dollars USA, and the number of victims kept 22,143 companies in 79 countries of the world.

However in a case with the industrial companies financial losses — not the only risk from the similar attacks. As a part of the malware used in the attacks gives the chance of remote access to the infected computer, malefactors can use it for penetration from office network into industrial. Effects of it are absolutely unpredictable: cases when attacking changed any process parameters even without obvious malicious intent — just out of curiosity are known. Besides, in the course of the attack malefactors get access to a huge number of information on the industrial companies: to data on contracts and projects, estimates of works, drawings, plans of buildings, schemes of electric and information networks. As phishers dispose of this information, experts did not find out yet, however it is obvious that in bad hands it constitutes serious danger.

The speculator from Lithuania robbed Google and Facebook for $100 million

In March, 2017 to media there went information that two leading American Internet companies suffered from the phishing attack organized by the swindler from Lithuania. Company names did not reveal, but it was noted that the malefactor managed to jockey out more than $100 million Read more here.


APWG: The number of phishing incidents grew by 65%

2016 set up a record by quantity of phishing attacks, - the Working group on fight against a phishing (The Anti-Phishing Working Group) reported in the report: 1,220,523 incidents. It is 65% more, than in 2015.

Retail (nearly 42%) became the most attacked sector; on the second place there was a financial sector, on the third and fourth places, respectively, there were Internet service providers and payment services.

The most part (more than 6 thousand) of phishing domains steadily is located in the domain

It should be noted that statistics of APWG did not include the "spier-phishing", i.e. narrowly targeted fraudulent attacks: it is only about a traditional phishing.

According to the research APWG, in the IV quarter 2016 every month made 92,564 incidents. In 2004 for the same period the number of phishing incidents was only 1609. Thus, fraudulent business showed growth more than by 50 times in 12 years.

The purpose of every second phishing attack — money of users

Distribution of different types of financial phishing attacks in 2016
Distribution of different types of financial phishing attacks in 2016

Nearly a half of phishing attacks in 2016 was aimed at direct theft of money from users — experts of Kaspersky Lab came to such conclusion, having analyzed financial threats of 2016 (the number of operations heuristic components of the Antifishing system in protective products of the company was considered). In comparison with an indicator of 2015, the number of financial phishing attacks increased by 13 percent points and made 47%. For all history of studying by the company of a financial phishing this indicator the highest.

Main objective of malefactors at such attacks is collecting of the confidential information opening access to someone else's money. Phishers hunt for bank account numbers or cards, social security numbers, logins and passwords from the systems of online banking or payment systems.

Banks were a favourite target of phishers traditionally: in every fourth attack they used counterfeit bank information. Thus, the share of the attacks on these financial institutions in comparison with 2015 increased by 8 percent points. Besides, approximately every eighth phishing attack was directed to users of payment systems, and every tenth — to buyers of online stores.

"The phishing directed to users of financial services is one of the most effective methods for cybercriminals to steal money. The attacks using methods of social engineering do not demand from the criminal of high technical qualification and big investments. Using carelessness of the victims and their technical illiteracy, swindlers get access to personal financial information of users and, further, to their money — Nadezhda Demidova, the senior content analyst of Kaspersky Lab told. — Certainly, it is easy to recognize the vast majority of phishing attacks. But statistics says that many people continue to show carelessness on the Internet, even when case concerns money".

Ukraine: The number of the fraudulent websites collecting bank details increased by 4.5 times in 2016

For 2016 in Ukraine by 4.5 times the quantity of phishing sites grew. If in 2015 web resources which forced users to leave data of payment cards under the pretext of rendering nonexistent services it was revealed 38, then in 2016 specialists of the Ukrainian interbank association of members of payment systems (EMA) revealed 174 such services on the Internet[12].

The number of phishing sites in Ukraine in a year increased by 4.5 times. In 2016 specialists of the Ukrainian interbank association of members of payment systems (EMA) 174 fraudulent resources were revealed though a year ago 38 resources such were recorded.

The purpose of these pseudo-services one – the user should leave data of the card on the website. Her swindlers by different methods reach. As note in EMA, 90 of 174 fraudulent resources suggested "recharge" the mobile phone, 54 allegedly made "transfer" of money from the card for the card, and 28 phishing sites allowed to execute also that, and other transaction at the same time. Also such services on which in a payment form occurred substitutions of the card number of the receiver on the card number of swindlers were noticed, the payment at the same time was made, but money was transfered to the criminal's card.

Mailing of phishing spam on behalf of the Ukrainian banks

On July 14, 2016 the Ukrainian OPT Bank announced virus mailing of the letters masked under notifications on a credit debt. Opening the attached file, users risk leak of the data. Read more here.

2015: Intel Security: 97% of people are around the world not capable to distinguish a phishing

Intel Security published in the summer of 2015 results of the test of an examination of users and their ability to recognize the e-mails sent by swindlers for the purpose of gaining access to logins, passwords and other confidential data.

About 19,000 people from 144 countries participated in a research. It was offered to them to study 10 messages which are specially prepared by Intel Security. Some samples contained threats of theft of information, i.e. phishing attacks. Only 3% from all respondents could define precisely whether it is possible to trust this or that message whereas 80% of respondents considered safe at least one of letters with threat.

Cybercriminals send phishing e-mails in order that receivers followed the links to the websites created for the purpose of stealing of personal data of users which are contained in letters. Swindlers deception force people to enter the names and surnames, the addresses, passwords and/or information on credit cards on false resources which look as if belong to the real companies. In some cases even click-through in the letter leads to automatic loading of malware on the user's device. So malefactors can easily steal information without the knowledge of the victim

Within the research Intel Security it is the is best of all the group of respondents aged from 35 up to 44 years coped with a task. On average they answered correctly 68% of questions. The difficulties with detection of phishing letters in mail are experienced by women is younger 18 and 55 years are more senior, they could define only 6 of 10 letters. Men better than women protect themselves from hackers (67% of accuracy in determination of harmful messages against 63%).

From 144 countries which participated in poll it is the is best of all than cyberthreat in e-mail residents of France, Sweden, Hungary, the Netherlands and Spain saw (they gave to more than 70% of the correct answers). The Russian users could define precisely existence or lack of a phishing in 62.5% of cases.

It turned out that participants of testing most often incorrectly defined safe letters. And in what there was a request "take away the prizes". People often associate free prizes with spam, it, probably, and became the reason that respondents incorrectly defined the status of letters. "In reality the electronic messages containing threat of theft of information often look as if they are really sent from these websites, – Hary Davies, the chief specialist on Intel Security security issues tells. – It is necessary to study extremely attentively such letters and to pay attention to grammatical errors and also to bad quality of images".

2014: A third of phishing attacks are directed to theft of money

It agrees to the research conducted by Kaspersky Lab, malefactors became more often began to create the online resources copying appearance of the websites of financial companies for obtaining confidential information and theft of money from accounts of Internet users. Statistics shows that the share of phishing attacks using names of popular banks, payment systems or online stores in 2013 made 31.45% that on 8.5 percent points it is more, than the previous year.

In 2013 products of Kaspersky Lab protected 39.6 million people from a phishing. According to cloud infrastructure of Kaspersky Security Network, the fastest growth rates showed the attacks operating bank names: 70.6% of all financial phishing against 52% in 2012 fell to their share. At the same time in the lump of all similar attacks of bank brands it became twice more — 22.2%.

According to data retrieveds, malefactors are most often covered with names of the large companies: about 60% of phishing attacks used names of 25 brands. Among the sphere of payment systems statistics is more unambiguous: in case of 88.3% of the attacks from this group criminals imitated the websites of only four organizations: PayPal, American Express, Master Card and Visa. As for online stores, the name of Amazon remains several years the most operated: for the studied period the company name was used in 61% of the phishing attacks connected with online trade. With big lag from Amazon in top three — network shops Apple and an Internet auction of eBay. Along with web resources of financial institutions malefactors often forge the websites of social networks. In 2013 the share of the attacks using the pages imitating Facebook and similar to it resources grew by 6.8 points up to 35.4%.

"The popularity of phishing attacks among malefactors is caused by relative simplicity of their carrying out together with sufficient efficiency. The fraudulent websites which are carefully copying a type of official happens not easy to distinguish from legitimate even to experienced Internet users that emphasizes once again importance of use of specialized protective products. In solutions of "Kaspersky Lab' for home users and small business standard locking gears of a phishing are complemented with technology "Safe payments' which reliably protects personal data during the work with online banking and payment systems" — Sergey Lozhkin, the anti-virus expert of Kaspersky Lab commented.

For larger companies aiming to protect the clients from cyberswindlers and to protect the reputation, "with Kaspersky (earlier Kaspersky Lab)" offers the complex Kaspersky Fraud Prevention platform. The platform is created for multilevel protection of electronic transactions and includes software tools for end users, server solution for check of transactions and a set of components for development of the protected mobile applications.

2013: 72 thousand phishing attacks in the 1st half-year

The anti-phishing working group conducted in the fall of 2013 researches how the situation with a phishing in the world develops. In the first half of the year 2013 the number of the attacks was more than 72 thousand. It is less, than in the second half of the year 2012 (124 thousand) that is caused by use of the same domains for the different attacks[13].

On more than 53 thousand domains phishing attacks were registered. From them about 12 thousand were intentionally registered by malefactors, other 40 thousand were cracked or used illegally because of unreliability of a web hosting.

Cases of a phishing were observed in 195 top-level domains, however 82% of the attacks were made on specially registered domains.COM. TK and. INFO. The zone was the most slabozashchishchenny from the attacks. PW which was restarted on March 25, 2013.

In 2013 the anti-phishing working group counted 720 institutes which became the purposes of phishers while in their 2012 there were about 611. Malefactors had the most demanded sector of payment services — the Electronic payment system of PayPal became the purpose more than 13 thousand attacks.

See Also