2024/02/27 13:06:42

Phishing in Russia


Main article: Phishing

2024: Cyber group sends very convincing phishing emails to Russian industrial companies allegedly from government agencies

BI.Zone, a Russian digital risk management company, on January 30, 2024 announced a relatively new cyber campaign aimed at Russian enterprises. The group behind it, Scaly Wolf, is hunting for corporate data. Most of the targets of attacks are industrial and logistics companies from Russia. The last such attack was noted in January 2024. Read more here.

2023

Increase in the share of phishing sites in the .ru zone by 3.6 times

At the end of 2023, the share of phishing resources located in the .ru domain zone reached 46.5%. For comparison, a year earlier the figure was 12.9%, so 3.6-fold growth was recorded. These data were provided at the end of February 2024 in a study by the CERT-F.A.C.C.T. phishing protection group (F.A.C.C.T. is formerly Group-IB).

We are talking about sites aimed at Russian-speaking users and/or abusing Russian brands. The negative trend is confirmed by the Solar group of companies: according to the Solar AURA external digital threat monitoring service, approximately 50% of the resources blocked in 2023 were registered in the .ru zone.

The share of phishing resources located in the.ru domain zone reached 46.5%

According to the Vedomosti newspaper, the increase in the number of malicious resources in the .ru domain zone is partly due to Russians having become more wary of foreign domains. In addition, the popularity of the .ru zone among fraudsters is explained by the possibility of buying a domain inside the country without needing a foreign bank card, which reduces the cost of organizing malicious campaigns.

F.A.C.C.T. experts also identified the main trends in malicious mailings in 2023. Most phishing emails are sent at the beginning of the week: the peak falls on Tuesday, with 19.7% of all such emails in a week. After Wednesday there is a decline, and the fewest malicious messages are sent on Sunday (7.1%). In 2023, cybercriminals in mass phishing mailings used attachments as the main way to deliver malware: the share of such messages in the total volume of phishing emails reached 98%. The number of emails with malicious links is decreasing: a little more than 1.5% for the year. Attackers mainly pack malware into archives in .rar (23.3%), .zip (21.1%) and .z (7.7%) formats.[1]

The number of blocked phishing links in Russia has increased 5 times

According to Kaspersky Lab, in 2023, online fraud in Russia increased significantly. The number of phishing and spam links in the .RU domain zone, which the company blocked, increased more than 5 times compared to 2022. Kaspersky Lab reported this on January 22, 2024[2].

Trends in 2023. One of the most common targets of phishers in Russia during the year is people's accounts in instant messengers. Attackers often used them as part of multi-stage telephone fraud schemes and to carry out phishing attacks on users from the victims' contact list.

"We see no prerequisites for phishing and scams to decline in the near future. On the contrary, attackers continue to develop their tactics and build multi-stage schemes for luring out data, for example, referring to the victim's field of activity. Such attacks are much more complex when they begin with a message in a messenger allegedly from a friend or a colleague from the same field, or are accompanied by fake voice messages," said Sergey Golovanov, chief expert at Kaspersky Lab.

Also in 2023, the number of malicious links increased in Russia - 2.5 times compared to 2022. This category includes pages containing links to malware, as well as Internet resources necessary for malware to work.

Telephone fraud. The volume of telephone fraud remains consistently high. In 2023, 43% of users of the Kaspersky Who Calls application received calls from unknown numbers with suspected fraud. The peak came in November, when 18.5% of users received such calls. 94% of users encountered various spam calls in 2023.

"Attackers are constantly improving their tools and methods of persuasion, so solutions for protecting against telephone spam are becoming more and more relevant. They tell you whether an incoming call is unwanted. For example, our application warns that a number has received complaints of fraud not only for 'classic' calls but also in the messenger. In general, it is important to remember that under no circumstances should you read out codes from SMS and push notifications to strangers, and if the conversation seems suspicious, end the call immediately," recalled Vladimir Grigoriev, an analyst at Kaspersky Who Calls.

In response to the threats of 2023, the Kaspersky Who Calls solution introduced caller identification for WhatsApp (owned by Meta, whose activities are recognized as extremist and banned in Russia). With it, you can see which organization a call comes from (for example, a delivery service or a store), as well as identify and block spam numbers and calls with suspected fraud in the messenger.

The number of fraudulent sites in Russia for the year increased by 86% to 207.1 thousand units

The number of fraudulent sites in Russia in 2023 increased by 86% compared to 2022 and reached 207.1 thousand. The Bi.Zone company announced this at the end of December 2023.

According to Yevgeny Voloshin, Director of the Bi.Zone Security and Anti-Fraud Analysis Department, the main jumps in the registration of fraudulent resources occurred in March, September and October, when a significant increase in the number of domains imitating prize draw sites was noticed.

The number of fraudulent sites in the Russian Federation increased by 86%

Phishing has become one of the most popular schemes. According to the Coordination Center for .RU/.РФ Domains, 89% of requests from organizations were associated with it. This is also driven by the transfer of financial services to digital format and the growing popularity of online services, Voloshin emphasized.

Another popular scam on the Internet is "quick earnings." Under the pretext of profitable investments, victims were lured to a site imitating the page of a large Russian or international company. Such fake resources numbered in the thousands. To register there, the user answered questions of a confidential and financial nature and left personal data. All this information ended up in the hands of fraudsters, according to a study by Bi.Zone.

As the head of the phishing protection group of F.A.C.C.T. Ivan Lebedev noted to Izvestia, attackers automate and speed up processes in their schemes - this is one of the reasons for the emergence of a large number of phishing and fraudulent pages.

"Today, in a few clicks, criminals can create a phishing page and massively distribute a link to it through social networks or instant messengers. This does not require deep technical knowledge; as a result, the entry threshold is lowered and the influx of new members into the groups is maintained," he added.[3]

New partner programs of fraudsters with draws and crypto investments revealed

On December 14, 2023, F.A.C.C.T., a Russian developer of technologies to combat cybercrime, announced that since the beginning of 2023 it had identified 10 active fraudulent partner (affiliate) programs that coordinate the owners and distributors of links to scam and phishing sites aimed at users from Russia. The most popular schemes among the partners in 2023 are fake prize draws and crypto investments. One such program can bring the participants of the "partner community" about 4,300,000 rubles every month.

Fig. 1. Fraudulent Partner Program Resource

As reported, a study by analysts at the Digital Risk Protection department of F.A.C.C.T. says that partner programs allow fraudsters to scale illegal businesses, attract more victims and increase profits by separating the tasks of attracting traffic, generating phishing pages, sending letters and messages. On special resources - shadow marketplaces and in closed Telegram channels - fraudsters purchase both ready-made phishing resources and page templates, blocks and forms for payment, as well as traffic for a share of the money stolen from victims.

According to F.A.C.C.T. Digital Risk Protection analysts, since the beginning of 2023, 10 large active partner programs have been identified aimed at potential victims from Russia. In general, about 87% of detected resources distributed in this way are directed to Russian-speaking users.

Fig. 2. Partner programs of fraudsters in numbers

Specialists at the F.A.C.C.T. have studied the infrastructure of several partner programs in detail. As of the summer of 2023, on average, 156 active offers were posted on the partner program platform, the maximum number of partners in one offer was 746.

In a month, participants in the partner programs steal more than 17,400,000 rubles from victims across 23,500 payments. The "average check" is 740 rubles.

In one of the partner programs, launched in the second quarter of 2023, in the three summer months, profit tripled: from 908,000 rubles in June to 3,118,000 rubles in August.

The author of an offer registers the domain, creates fraudulent web pages with a thematic design and places them on hosting. Then it posts the offer with the created site on the partner program platform. Mostly the fraudulent pages are devoted to lotteries where a box with a prize is chosen, investments in cryptocurrencies, and especially "profitable" promotions from marketplaces. Less common are offers to victims to buy a "beautiful" domain name for a site.

The Partner Program Administration reviews the hosted site and provides phishing forms or payment acceptance forms to add to the site.

Partners choose an offer, receive a referral link for distribution and attract traffic to this link in available ways - emails, messages on social networks, SMS and instant messengers, advertising.

As a rule, the partner receives an average of 60-90% of the amount of stolen money, and the author of the offer - 10-40%.

"Despite the fact that partner programs have existed since at least 2018, such forms of illegal business have recently become especially popular with cybercriminals and continue to pose a threat to Internet users. If some "partners" close, their place is taken by other projects that very quickly gain popularity. The number of brands used in the schemes is actively expanding, causing both material damage to the victims of the scheme and reputational damage to the exploited brands. Based on the growth dynamics, we predict further expansion of the "partners" and urge users to remain vigilant so as not to become easy profit for attackers," said Evgeny Egorov, leading analyst of the Digital Risk Protection department of F.A.C.C.T.

F.A.C.C.T. experts remind users of the need to follow the basic rules of digital literacy:

  • Check the domain name of the site you are on. Use Whois services to determine the date the domain was created. If a site pretends to be a popular brand but was created recently, that should raise an alarm.
  • Do not pay for goods or services or enter your personal data unless you are sure you are on a legitimate site.
  • Be skeptical of advertising on the Internet. Even legitimate resources can host ads that lead to fraudulent resources.

To protect brands from reputational risks and the direct damage associated with their illegal use on fake sites, companies should use automated solutions that combine analysis of cyber intelligence data with machine learning capabilities.

Most phishing attacks are carried out with software from the darknet

More than 80% of phishing mailings are made with software that attackers buy on the darknet. The most popular programs cost from 299 rubles, and some are distributed free of charge. With their help, one can steal passwords and account data. There are also expensive programs that give access to the user's Telegram and allow keystrokes to be intercepted; their cost reaches $15,000. This was announced on November 21, 2023 by the press service of State Duma deputy Anton Nemkin.

As the authors of the study, BI.ZONE Threat Intelligence, emphasize, as of November 2023 the threshold for entering cybercrime has been greatly lowered: software purchased on the darknet lets hacktivists and cybercriminals of any skill level use fraud tooling. In addition, some offerings provide builders for creating malware with the ability to access and manage victims' accounts.

"The proliferation of phishing emails with commercial malware is one of the easiest ways to gain initial access to infrastructure. The shadow market for such products will grow and develop," said Oleg Skulkin, head of BI.ZONE Threat Intelligence.

According to experts, in 2023 hackers used software from shadow markets to attack more than 100 thousand companies. Among the most popular malware are AgentTesla, FormBook, White Snake, RedLine, Snake Keylogger, DarkCrystal and DarkGate. AgentTesla, which is available for free, is used, for example, in almost half of phishing mailings. FormBook is in second place.

"For example, thanks to the well-coordinated work of the authorized bodies, fraudsters can now less often use Russian hosting for fraudulent sites aimed at users from the Russian Federation. Because of this, they switch to hosting services in the Netherlands and the USA, which means the cost of maintaining phishing resources is growing, since hosting abroad is usually more expensive. In total, in the first 9 months of 2023, F.A.C.C.T. identified 10.4 thousand phishing sites aimed at users from the Russian Federation. This is a year-on-year increase of 5%. Most often, users "come across" phishing resources posing as online services, banks, delivery services, social networks and mail services," said the deputy.

"In particular, AI helps them maintain the illusion of a meaningful dialogue with victims, as well as generate phishing emails and create deepfakes of voices, images and videos. In addition, as of November 2023, there are already generative neural networks created specifically for illegal activities, for example WormGPT, which is designed for phishing attacks and compromising corporate mail. It can be used even by an attacker without any special competencies to create convincing fake letters and conduct prolonged attacks," the deputy said.

Cybercriminals use substituted letters in malicious emails 11 times more often

F.A.C.C.T. has recorded a sharp increase in attempts to bypass antispam solutions in malicious mailings using homoglyphs, graphically identical or similar characters. In the third quarter of 2023, the number of such emails was 11 times higher than in the same period of 2022. The most popular replacement letters among cybercriminals were E, O, C and A. The company announced this on October 31, 2023.

According to experts at the F.A.C.C.T. Cybersecurity Center, a sharp surge in character substitutions in the subjects and text of emails with a malicious attachment has been observed since early 2023. Such a technique is used, for instance, by the operators of the WhiteSnake stealer, malware for stealing credentials from browsers, applications and victims' crypto wallets. In August, the stealer was distributed under the guise of a letter from an investigator: company employees received letters allegedly requesting testimony in a criminal case. In fact, the mailing contained an archive with malware.

On the one hand, using homoglyphs lets cybercriminals, and plain spammers, send out more letters by bypassing the mail services' built-in filters on outgoing messages, reducing the likelihood that the sending address is promptly blocked. On the other hand, malicious letters thus bypass antispam systems on the receiving side and reach the addressees.

As a rule, attackers insert Latin homoglyphs into letters written in Russian. The most popular letters for replacement were E, O, C and A; the use of special characters or other alphabets was not observed. Within one malicious mailing, different letters may be replaced in different messages.
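The check described above, as an added example that is not F.A.C.C.T.'s code: because the attackers mix Latin look-alikes into otherwise Cyrillic words, a mixed-script word whose Latin letters are all confusables is a strong signal, while all-Latin tokens such as "PDF" or "Outlook" are legitimate and must not trip the filter. The confusable table and the sample subject line are constructed here; the homoglyph pairs beyond E, O, C, A are an assumption added for completeness.

```python
"""Flag Russian-language subjects/bodies where Latin look-alikes (E, O, C, A, ...) replace Cyrillic letters."""
import re
import unicodedata

# Latin letters whose glyphs are visually (near-)identical to Cyrillic ones.
# The page names E, O, C, A as the most used; the remaining confusable pairs are an added assumption.
LATIN_TO_CYRILLIC = {
    "A": "А", "a": "а", "B": "В", "C": "С", "c": "с", "E": "Е", "e": "е",
    "H": "Н", "K": "К", "M": "М", "O": "О", "o": "о", "P": "Р", "p": "р",
    "T": "Т", "X": "Х", "x": "х", "y": "у",
}

# A "word" here is any run of letters (Cyrillic, Latin or mixed); digits and punctuation split words.
WORD_RE = re.compile(r"[^\W\d_]+")


def script_of(ch):
    """Return 'Cyrillic', 'Latin' or None for a character, using its Unicode name."""
    name = unicodedata.name(ch, "")
    if name.startswith("CYRILLIC"):
        return "Cyrillic"
    if name.startswith("LATIN"):
        return "Latin"
    return None


def find_mixed_script_words(text):
    """Return [(word, latin_letters_used)] for words that mix Cyrillic with Latin homoglyphs.

    A word written entirely in Latin (e.g. "PDF", "Outlook") is legitimate and is not reported;
    a word whose Latin letters are not all look-alikes is not reported either, because that is
    a typo rather than a disguise.
    """
    hits = []
    for word in WORD_RE.findall(text):
        scripts = {script_of(c) for c in word} - {None}
        if scripts != {"Cyrillic", "Latin"}:
            continue
        latin = [c for c in word if script_of(c) == "Latin"]
        if all(c in LATIN_TO_CYRILLIC for c in latin):
            hits.append((word, "".join(latin)))
    return hits


def normalize(text):
    """Map Latin homoglyphs inside mixed-script words back to Cyrillic.

    Run this before keyword filters or a classifier so the tokenizer sees the word the sender
    intended rather than the disguised spelling.
    """
    def fix(match):
        word = match.group(0)
        scripts = {script_of(c) for c in word} - {None}
        if scripts == {"Cyrillic", "Latin"}:
            return "".join(LATIN_TO_CYRILLIC.get(c, c) for c in word)
        return word
    return WORD_RE.sub(fix, text)


def is_homoglyph_evasion(text):
    """True when at least one Cyrillic word carries a Latin look-alike."""
    return bool(find_mixed_script_words(text))


if __name__ == "__main__":
    # Constructed sample subject: the "o" in "Требование" and the "a" in "расследования"
    # are Latin letters; "PDF" is a legitimate all-Latin token.
    sample = "Треб" + "o" + "вание в рамках р" + "a" + "сследования (PDF)"
    print(find_mixed_script_words(sample))
    print(normalize(sample))
```

A whole word spelled in Latin look-alikes (for example "CCCP" typed in Latin) is single-script and is not caught by this word-level rule; pairing it with a dictionary check on the normalized text closes that gap.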

"Apparently, the old trick with homoglyphs works quite well. In 2023, we see a sharp surge in the substitution of Latin letters in malicious emails written in Russian," said Yaroslav Kargalev, head of the F.A.C.C.T. Cybersecurity Center. "Such a simple trick can deceive an ordinary antispam system, and the recipient risks compromising his email, device or the entire network infrastructure of the company by following a phishing link or opening an archive with malware. And it is not so easy to do without an automated system for protecting email from phishing emails."

Spy apps revealed that steal money from romance seekers

On October 27, 2023, F.A.C.C.T. announced another variant of the Fake Date fraudulent scheme. Now criminals try to steal money from the victim even before any purchase of cinema or theater tickets, under the guise of paying for home Internet or ordering a taxi, and they use fake mobile applications to do it. In the fall of 2023, 6 fraudulent groups worked in Russia under the Fake Date scheme; the illegal earnings of just one of them exceeded 6.5 million rubles in 10 days.

The classic Fake Date scheme is as follows: under the guise of an attractive girl, a fraudster meets a potential victim on social networks or a dating site and offers to spend a romantic evening at the theater, a stand-up show, an "anti-cinema" (private screening room) or a hookah bar, or to order dinner delivery. The victim receives a link to a phishing site and pays for the "tickets," and the money and card details are stolen by the attackers. Sometimes money is debited two or three times: when buying a ticket for the "girlfriend" or when processing a "refund."

After this scheme became known in some detail, the scammers decided to change the mechanics. Now they steal money much earlier than going on a first date, and instead of phishing resources, they already use a mobile application with embedded spyware.

After interest and trust have already arisen between the two, the "girl" may suddenly disappear from the correspondence, or her intimate photos and videos take a very long time to load. It turns out that the beauty has problems paying for her home Internet, and the new gentleman will have to chip in a small amount.

The girl drops a link to the fake website of the service from which you need to download a mobile application. The spy program hidden in it is capable of intercepting the entered data of the bank cards and incoming SMS codes to steal money from the accounts of customers of Russian banks. Similarly, there is a scheme with a taxi order, which the young lady can also ask for her new acquaintance.

According to data for September 2023, 6 active fraudulent groups worked in Russia under the Fake Date scheme. Using the fake date scheme, just one criminal community was able to receive more than 6.5 million rubles in 10 days across 721 operations. The average amount stolen from one victim was about 9,000 rubles, even though one victim could have several debits in a row. For comparison, at the beginning of 2023 the 7 most active groups in Russia earned 5 million rubles from those wishing to go on a date (from February 12 to 14, February 21 to 23 and March 6 to 8).

"In Russia, the classic Fake Date fraudulent scheme appeared back in 2018. And after the pandemic, with the advent of new tools for generating phishing sites and the use of card-to-card transfers, it is experiencing a "rebirth,"" said Evgeny Egorov, a leading analyst at Digital Risk Protection at F.A.C.C.T. "Some groups of scammers earn twice as much on Fake Date as those who work according to the classic Mammoth scheme with payment for goods. This may be because the dating scheme already uses more brands (Internet operators, taxis, theaters, cinemas) in its attack scenarios than the sale of non-existent goods on message boards, where only the brands of two popular services are used."

All "technical support" of Fake Date is still carried out through Telegram: here the workers (community members who lure victims into downloading the malicious application) receive a link to download the mobile application as an APK file, keep their shadow accounting, and buy chat bots or "voicebooks," pre-recorded audio and video messages on behalf of the girls.

Against such advanced cyber threats, brands can only protect themselves and their customers using automated solutions that combine cyber intelligence data analysis and machine learning capabilities. The F.A.C.C.T. Digital Risk Protection platform allows you to identify threats in the early stages of their occurrence and detect fraudulent resources even before attackers bring traffic there.

Users are reminded by F.A.C.C.T. experts of the need to follow the basic rules of digital literacy:

  • Do not transfer communication from ad service chats to instant messengers.
  • Do not follow links from strangers in instant messengers or mail.
  • Download only official applications that you independently found in the mobile application store, or on the legitimate website of the service.

Sticky Werewolf attacks state organizations of Russia and Belarus

The Sticky Werewolf group attacks state organizations in Russia and Belarus. This was announced on October 13, 2023 by the company BI.Zone.

Sticky Werewolf gains access to the systems of state organizations in Russia and Belarus using phishing emails with links to malicious files, relying on commercial tools and malware. According to BI.ZONE cyber intelligence data, Sticky Werewolf has been active since at least April 2023 and had carried out at least 30 attacks by October 2023.

Attackers create links for phishing emails using the IP Logger service. It allows you to collect information about clicked users: transition time, IP address, country and city, browser version and operating system. This helps Sticky Werewolf immediately conduct basic profiling, weed out systems that are not of interest to them, and focus attacks on the highest priorities.

In addition, thanks to IP Logger, the grouping can use its own domain names when creating links. This makes it difficult to recognize phishing, since the address does not look suspicious.

Links in letters lead to malicious files with the extension.exe or.scr, disguised as Word or PDF documents. Opening the file, the victim sees the expected content, for example: an emergency warning from the Ministry of Emergency Situations, a statement of claim or an order to eliminate violations. At this time, commercial NetWire RAT malware is installed on the device in the background. It allows attackers to collect information about a compromised system, receive data about keystrokes, video from the screen and webcam, record the sound of a microphone and perform other actions for the purpose of espionage.

NetWire is copied to a temporary folder on the device under the guise of a legitimate application. To further complicate its detection, Sticky Werewolf uses the Themida protector, which provides obfuscation - counteracting malware analysis.


New Trojan under the guise of a delivery application steals money from Russians

F.A.C.C.T. experts have discovered a new fraud scheme that involves installing Trojans under the guise of an application for ordering delivery of popular electronics, clothing or shoes. The company announced this in October 2023. According to the researchers, bank customers in both Russia and Belarus had already suffered from the fraudsters' actions in September. In 10 days in September, using fake applications, the attackers stole almost 3 million rubles under the modified Mammoth scheme, making 76 debits. The average check from one victim was 67 thousand rubles.

A new fraud scheme involving the installation of a Trojan under the guise of an application to order the delivery of popular electronics, clothes or shoes has been discovered

The classic "Mammoth" fraud scheme involves staging a fake purchase and delivery of goods from popular marketplaces, a real estate rental or a shared ride. Usually, when the victim contacts them to clarify the details of delivery or rental, the fraudsters offer to move to a chat platform or messenger, thereby escaping the marketplace's built-in protection mechanisms. There they offer to pay for delivery of the goods via a specially prepared link that allegedly leads to the bank's website.

In the modified Mammoth scheme, at that moment they ask you to download and install a special Android application, with which you can only order the corresponding product. Payment for the purchase is also carried out through this application, and this is where the bank card data and SMS notification from the bank are intercepted, which allows fraudsters to steal all the money from the victim's account.

According to F.A.C.C.T., at the end of summer 2023, 17 active criminal groups worked in Russia under the classic Mammoth scheme. In September, a new Mammoth fraud community was discovered that uses Android Trojans in its attacks. Community members who lure victims into downloading the malicious application create fake ads for the sale of goods using a special Telegram bot and receive a link to download the mobile application as an APK file, which the attackers send in the messenger. The link leads to a fake app store site, that is, the victim must install the malware on their own from an untrusted source.

"Sooner or later, old tricks stop bringing scammers the desired income, and then they come up with new scenarios and decoys and change the mechanics," said Evgeny Egorov, leading analyst of the Digital Risk Protection department of F.A.C.C.T., explaining the emergence of new phishing variants. "We saw how fraudsters used phishing pages generated by Telegram bots in the Mammoth scheme, then they began to infect victims with stealers that took logins and passwords. Now one of the groups has begun to use mobile Trojans. Some users may decide that mobile applications resembling well-known services, as if from an official store, are unlikely to hide any danger, and this is what the attackers count on."

In order not to become a victim of fraudsters under the new scheme, it is recommended not to switch to communication in external messengers when buying expensive goods. Check the external links offered by the "sellers" before clicking on them, and it is better not to follow the links received from unfamiliar interlocutors at all. It is also worth downloading and installing applications only from official stores and not using ready-made links for this - it is better to search for the application in the search for the platform.

Spy Trojan disguises itself as letters from the Investigative Committee of the Russian Federation and steals passwords for Outlook, Telegram and crypto wallets

BI.Zone in October 2023 discovered a new malicious mailing of the spy Trojan White Snake, which now pretends to be a message from the Investigative Committee. For the first time, the same malicious code was discovered by the company in another phishing newsletter distributed on behalf of Roskomnadzor in August this year. Cases of the spread of such a malicious program under the guise of a commercial offer were also recorded.

White Snake Trojan Letter Example

White Snake is a spy Trojan (infostealer) that collects sensitive data on an infected computer from popular browsers such as Chrome and Firefox, and can collect passwords and credentials for client programs such as Outlook, Discord, Telegram and others. In particular, it steals secret addresses of crypto wallets that can be used to steal cryptocurrency. This is commercial spyware that, for $140, lets any fraudster organize a turnkey attack.

In the current version of the phishing attack, the victim received a letter allegedly from the Investigative Committee of the Russian Federation. The subject line mentioned an alleged criminal investigation, for example: "Request in connection with the investigation of criminal case No. 11091007706001194 of the Investigative Committee of the Russian Federation" or "Requirement in the framework of the investigation of criminal case No. 11091007706011194 of the Investigative Committee of the Russian Federation." The letter was accompanied by a PDF file with an order to appear at the Investigative Committee and a password-protected archive. Moreover, the decryption password was in the file name: "The requirement of 19098 of the RF IC from the PASSWORD 07.09.23 is 123123123.zip." If the victim unpacked the archive and clicked on a file called "List of legal entities and enterprises, tax evasion, claims and additional.exe," the main body of the White Snake Trojan was launched, which established persistence in the system and began its espionage activity.

In order not to take the bait, you need to look carefully at the attributes of the correspondence. In particular, the sender's return address was in the mail.ru domain, although the Investigative Committee has its own domain, sledcom.ru. In addition, look carefully at file extensions, configuring your email client to display them. Clicking on executable files (with the .EXE extension) is strongly discouraged, although malicious attachments can also come in PDF and DOCX formats. It is better to open such files not with a full-fledged reader but with a simplified reader with limited support for executing embedded elements. Also bear in mind that encrypted archives are often used by cybercriminals to hide malware from antivirus programs, so a requirement to unpack an archive can itself be a sign of a malicious mailing. If you did perform the actions indicated in the mailing and suspect that your computer is infected, contact the corporate information security service and check your system with an antivirus program. After removing the malware, do not forget to change passwords for services, applications and crypto wallets.
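The checks recommended above, and the attachment patterns from the Sticky Werewolf and F.A.C.C.T. mailing statistics (executables disguised as documents, .rar/.zip/.z archives), as an added triage script that is not BI.ZONE's or F.A.C.C.T.'s code. It compares the sender domain with the domain the message claims to come from, pulls a password advertised in an archive's own file name, and lists archive members that are executables, carry a document extension in the middle of the name, or start with a PE "MZ" header under a document-looking name. The sample message is constructed to mirror the White Snake lure; the inner "exe" is a two-byte stub and the ZIP is unencrypted because the standard library cannot write encrypted archives. Only ZIP is parsed; RAR, .z and 7z are flagged for a separate, sandboxed unpacker.

```python
"""Triage an inbound email for the indicators named in the White Snake and Sticky Werewolf write-ups."""
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".hta"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
ARCHIVE_EXT = {".zip", ".rar", ".z", ".7z"}


def sender_domain(msg):
    """Domain part of the From: address (empty string if unparsable)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def extensions(name):
    """All dotted suffixes of a file name, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:]]


def password_in_name(filename):
    """Numeric password advertised in the file name ('PASSWORD ... 123456' or 'ПАРОЛЬ ...'), else None."""
    m = re.search(r"(?:PASSWORD|ПАРОЛЬ).*?(\d{6,})", filename, re.I | re.S)
    return m.group(1) if m else None


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used for the constructed sample and for tests."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_zip(data, password=None):
    """List suspicious members of a ZIP archive held in memory."""
    findings = []
    pwd = password.encode() if password else None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = extensions(info.filename)
            last = ext[-1] if ext else ""
            if last in EXEC_EXT:
                findings.append(f"executable member: {info.filename}")
            if len(ext) > 1 and ext[-2] in DOC_EXT and last in EXEC_EXT:
                findings.append(f"document-looking double extension: {info.filename}")
            with zf.open(info, pwd=pwd) as member:
                # Windows PE files start with 'MZ'; a PDF/DOCX never does.
                if member.read(2) == b"MZ" and last not in EXEC_EXT:
                    findings.append(f"PE header under a non-executable name: {info.filename}")
    return findings


def triage(msg, claimed_domain):
    """Return human-readable findings; claimed_domain is the real domain of the impersonated organization."""
    findings = []
    dom = sender_domain(msg)
    if dom != claimed_domain.lower():
        findings.append(f"sender domain {dom} does not match claimed organization domain {claimed_domain}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = extensions(name)
        last = ext[-1] if ext else ""
        if last in EXEC_EXT:
            findings.append(f"executable attachment: {name}")
        if last in ARCHIVE_EXT:
            pwd = password_in_name(name)
            if pwd:
                findings.append(f"archive password {pwd} advertised in its own file name: {name}")
            if last == ".zip":
                findings.extend(inspect_zip(part.get_payload(decode=True), pwd))
            else:
                findings.append(f"archive of type {last} not parsed here, unpack in a sandbox: {name}")
    return findings


def build_sample():
    """Constructed message modelled on the White Snake lure described above (not a real capture)."""
    archive = make_zip({"List of legal entities and enterprises, tax evasion, claims and additional.exe": b"MZ"})
    msg = EmailMessage()
    msg["From"] = "Investigative Committee <sk-request@mail.ru>"   # assumed local part; domain as on the page
    msg["To"] = "accounting@victim.example"
    msg["Subject"] = "Request in connection with the investigation of criminal case No. 11091007706001194"
    msg.set_content("You are required to appear. See the attached documents.")
    msg.add_attachment(archive, maintype="application", subtype="zip",
                       filename="The requirement of 19098 of the RF IC from the PASSWORD 07.09.23 is 123123123.zip")
    return msg


if __name__ == "__main__":
    for line in triage(build_sample(), "sledcom.ru"):
        print("-", line)
```

The password regex only catches numeric passwords of six or more digits, which is the shape seen in this campaign; a mail gateway should treat any archive whose name or body text contains the word "password" as a candidate for detonation rather than rely on the regex alone.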

Attackers have become better at hiding phishing resources

Attackers in 2023 became better at hiding phishing resources. This was announced on September 28, 2023 by Solar (formerly Rostelecom-Solar).

Over the past six months, non-personalized phishing attacks, which account for more than 98% of all phishing, have become noticeably more complex. Attackers began to use and improve methods of hiding malicious content from the tools that look for it.

Such conclusions were made by experts from the Solar AURA external digital threat monitoring center of the Solar group of companies, based on an analysis of hundreds of thousands of malicious resources.

As of September 2023, over 53% of phishing resources detected by Solar AURA specialists use certain means of protection against their detection. For comparison, in 2022 this figure was 27%, and in 2021 - 11%.

One of the most sophisticated ways of hiding phishing is the Chameleon scheme. Its essence is that the malicious site dynamically changes its content and shows its true "face" only to those users who match the parameters set by the attackers - for example, the geographic location of the IP address, screen resolution, operating system and browser version, etc.

In the attackers' reasoning, this approach is supposed to prevent anti-phishing services from recognizing the malicious content.

Also notable is the scheme that experts called "Chameleon 2.0." In it, attackers used chains of dozens of randomly generated domains, each of which served only to redirect the user to the malicious resource. The scheme was actively used at the turn of 2022-2023 in a large-scale phishing campaign that affected more than 300 large brands.

{{quote "In addition to such technically complex variations as "Chameleon" or "Chameleon 2.0," other techniques are actively used - for example, the use of domains that are not related to the brand on behalf of which the attack is carried out. Also, "gasket sites" are used that redirect the user to the desired URL and at the same time notify him that the portal is allegedly checked by an antivirus and does not pose a danger," explained Diana Selekhina, an expert at the Solar AURA external digital threat monitoring center of the Solar group of companies. }}
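To make the Chameleon 2.0 indicator concrete, here is an added triage script (not Solar's code) that scores a captured redirect chain by its hop count and the share of machine-looking throwaway domains; the chain, the domain names and the thresholds are constructed assumptions. A single cloaked page (the original Chameleon) yields no chain indicators by design and has to be crawled with several client profiles instead.

```python
"""Triage of an HTTP redirect chain for the "Chameleon 2.0" pattern: dozens of randomly
generated throwaway domains, each hop bouncing the visitor closer to the phishing page.

Added example, not Solar's code. SAMPLE_CHAIN and its domains are invented placeholders,
not real indicators; the thresholds in analyze_redirect_chain are tuning assumptions.
"""
import math
from collections import Counter
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels): enough for offline triage without a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def shannon_entropy(text: str) -> float:
    """Bits per character; a random label scores close to log2(len(text))."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def looks_generated(label: str) -> bool:
    """Heuristic: a long, high-entropy label with few vowels or mixed-in digits is likely machine-made."""
    if len(label) < 8:
        return False
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in "aeiouy" for ch in letters) / len(letters) if letters else 0.0
    has_digits = any(ch.isdigit() for ch in label)
    return shannon_entropy(label) >= 3.0 and (vowel_ratio < 0.25 or has_digits)


def analyze_redirect_chain(chain: list[str], max_hops: int = 3, generated_share: float = 0.5) -> dict:
    """Summarise a chain of URLs (first = link in the email, last = landing page)."""
    domains = [registrable_domain(urlsplit(url).hostname or "") for url in chain]
    generated = [d for d in domains if looks_generated(d.split(".")[0])]
    share = len(generated) / len(domains) if domains else 0.0
    suspicious = len(domains) > max_hops and share >= generated_share
    return {
        "hops": len(domains),
        "distinct_domains": len(set(domains)),
        "generated_domains": generated,
        "generated_share": round(share, 2),
        "landing_domain": domains[-1] if domains else None,
        "verdict": "suspicious" if suspicious else "no chain indicators",
    }


# Constructed chain: a brand-themed entry link, four throwaway hops, a lookalike landing page.
SAMPLE_CHAIN = [
    "https://promo-examplebank.click/win",
    "https://r1x9tq4hz2pk.xyz/go?u=1",
    "https://kd82mfn1vxc.top/r",
    "https://ztl0p7qwr3vb.site/",
    "https://mx4hq9vn2slt.xyz/next",
    "https://examplebank-secure-login.top/auth",
]

if __name__ == "__main__":
    print(analyze_redirect_chain(SAMPLE_CHAIN))
```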

Attackers steal blogger Telegram accounts under the guise of representatives of the partner program

Attackers steal bloggers' Telegram accounts under the guise of representatives of a partner program. This was announced on September 28, 2023 by Kaspersky Lab.

The attack begins with a message to the blogger from an alleged representative of a large online retail company offering advertising cooperation. In the course of communication, the attackers follow the standard business communication pattern for such interactions. The "manager" says that the blogger can choose any items presented on the site, film an unboxing for subscribers and post links to the goods in his account. Further in the dialogue, the cost of the advertising integration is discussed. If the blogger agrees to the terms and selects the goods, the brand representative says he is sending them for approval by management. Correspondence with the fake manager can last several days.

At a certain stage, the blogger is asked to register on the partner program website and is sent a link to the resource, which is of course fake. It looks believable: it contains a logo, a description of the partner program and the bonuses its participants receive. On the phishing page, the blogger needs to enter a name, e-mail address, number of subscribers and channel reach, as well as a phone number. After that, however, the person is automatically redirected to a fake Telegram authorization form and asked to enter a one-time code to log into the Telegram account. In some cases, the need for this information is explained by allegedly updated requirements of the advertising law. If the person enters this data, it goes to the attackers, who can then use it to access the account in the messenger and all Telegram channels associated with it.

File:Aquote1.png
Some elements of this campaign indicate that it is targeted and aimed specifically at bloggers. Attackers can use stolen accounts for blackmail, for posting their own content or for further fraudulent schemes. Bloggers receive dozens of advertising offers a day, so they may not notice the trick. Attackers, in turn, develop legends in such a way as to lull the vigilance of potential victims, for example by referring to regulations and corporate policy. However, a request to hand over confidential data, which includes a password and a one-time code from an SMS or push notification, should immediately raise the alarm," said Olga Svistunova, senior content analyst at Kaspersky Lab.
File:Aquote2.png

In order not to take the attackers' bait, Kaspersky Lab experts recommend:

  • be critical of any messages and offers online;
  • configure two-factor authentication in Telegram;
  • do not click on links from questionable messages;
  • do not hand over confidential data, including account passwords, to anyone.

Russian clinics were subjected to mass mailing of letters from scammers

Russian medical institutions have faced a mailing of letters from scammers who, on behalf of Roskomnadzor, demand that they eliminate "violations" in the storage of patients' personal data. To do this, the scammers offer their services, thus trying to gain full access to sensitive information. This was announced on September 18, 2023 by the press service of State Duma deputy Anton Nemkin. Read more here.

A non-standard scheme for stealing e-mail credentials is used in Russia

On September 7, 2023, it became known about a new non-standard scheme for stealing e-mail credentials in Russia. Kaspersky Lab described it.

According to the experts, in a phishing mailing the attackers inform a potential victim of the need to verify an e-mail account. However, the victim is asked to send the required information (first name, last name, login and password) in a reply, rather than follow a link to a phishing page. Otherwise, the scammers threaten to deactivate the account.

Example of a fraudulent letter

According to Kaspersky Lab, the letters come from a certain "web mail hosting messaging center." The authors of the mailing report that they are updating the database for 2023 and deleting all unused accounts. They strongly recommend confirming the e-mail and updating the data, so that they will allegedly know the account is active and will not delete it. In the text of the message, the attackers leave space for filling in the data. To pressure the recipient, the letter states that he has 48 hours from receipt of the notification to complete verification.

To arouse less suspicion, the attackers style some letters as technical notifications: a notification code consisting of a string of digits and letters is added to the subject line, and "copyright" and the phrase "all rights reserved" are added to the signature.

File:Aquote1.png
We see similar letters, without a phishing link, but with a place to fill in the data, now exclusively in Russian. This is probably due to several factors. Firstly, it is becoming more and more difficult for attackers to create phishing sites in the domain zone of.ru. Secondly, it is simply cheaper to make a letter without a link to a fake resource. In some cases, such messages may cause even less suspicion among users: many know that you should not click on dubious links, but here they do not ask for it. In addition, such mailings are often harder to detect with security solutions, - said Roman Dedenok, an expert on cybersecurity at Kaspersky Lab.
File:Aquote2.png

Fraudsters write to Russians on behalf of law enforcement officers

In August 2023, the Solar AURA external digital threat monitoring center of RTK-Solar recorded a mass phishing mailing on behalf of law enforcement agencies of the Russian Federation. Using domains as similar as possible to the official domain names of the investigating authorities, fraudsters send letters demanding that the recipient familiarize himself with the materials of a criminal case. For plausibility, the attackers use real citizens' data obtained from large-scale leaks, Solar AURA specialists have established. RTK-Solar announced this on August 30, 2023.

The mailings are targeted: attackers take the personal data of potential victims from previously leaked databases and address them by name and patronymic. In some cases, the attackers also include passport data and registration addresses in the letters. The criminal case numbers appearing in the text are real and obtained from open sources. All this creates the illusion of interaction with a government body and increases the chances that the recipient of the letter will launch the malicious program.

The data contained in the phishing emails comes from large-scale leaks. In particular, it was found that the attackers took advantage of one of the leaks of 2022: the total number of published records then reached 30 million, including more than 6 million unique e-mail addresses, of which 78 thousand belong to corporate domains. These facts explain the massive scale of the phishing mailing.

The scheme used in this attack is not new and is extremely common: attackers systematically use phishing emails to gain access to sensitive data or to deliver malicious software. But this scheme has undergone some changes. Previously, attackers put malicious ZIP files directly into the letters, but because of tightened security measures such messages will now most likely be filtered automatically as spam. Therefore, instead of the usual attachments, attackers insert a link to a file-sharing service, from which the victim is expected to download the malicious content. In this attack it is disguised as a text recognition program.

File:Aquote1.png
It is important for citizens to remember that law enforcement agencies do not notify about procedural actions by e-mail. If you unexpectedly received a letter from state authorities in which you are invited to take any actions (download the file, follow the link, fill out the form), contact the relevant body for clarification using the contact details from its official website, - said Sergey Trukhachev, Deputy Director of the Solar AURA External Digital Threat Monitoring Center of RTK-Solar.
File:Aquote2.png

Fraudsters massively send letters to companies in the Russian Federation with "criminal cases" on behalf of the TFR

Fraudsters massively send letters to companies in the Russian Federation with "criminal cases" on behalf of the Investigative Committee of Russia (TFR). At the end of August 2023, the information security companies RTK-Solar and Kaspersky Lab spoke about the new scheme.

According to Vedomosti, using domains that are as similar as possible to the official domain names of the investigating authorities, the fraudsters send letters demanding that the recipient familiarize himself with the materials of a criminal case. Such a letter was received by an employee of the publication: in it, the attackers write that the addressee is a witness in a certain criminal case and ask to be informed whether he can attend the court session in person. The sender of the letter was "Roman Anatolyevich Dvornikov, senior investigator of the Investigative Committee for Moscow," and the mail domain imitated the real mail domain of the Investigative Committee: mail-server1-sledcom.org instead of sledcom.ru. The letter also contained a malicious link that allegedly led to the case card but in fact launched the malware.

Fraudsters massively send letters to companies on behalf of the TFR

Clicking on links from such letters leads to downloading an archive with a malicious stealer file from the file-sharing service, warned RTK-Solar, Kaspersky Lab and F.A.C.C.T. (formerly Group-IB). This program steals user data - from the victim's browsers, applications and crypto wallets - and sends it to the attackers, the experts explained.

The distribution is targeted, notes Sergey Trukhachev, deputy director of the Solar AURA external digital threat monitoring center at RTK-Solar. Fraudsters take the personal data of potential victims from previously leaked databases, address the recipient by name and patronymic, sometimes include his passport data and registration address, and use real criminal case numbers obtained from open sources. In this way the swindlers create the illusion that the letter came from a real government body.[4]
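The checks recommended at the start of this section (a return address in mail.ru instead of sledcom.ru, visible file extensions, archives used to evade antivirus) and the mail-server1-sledcom.org lookalike described here can be turned into a simple message triage. This is an added example, not RTK-Solar's or Kaspersky Lab's code; the free-mail list, the helper names and the sample headers and file names are constructed placeholders.

```python
"""Triage of a suspected "criminal case" phishing email against the indicators named in
the text: a sender domain that merely embeds sledcom, a free-mail return address behind an
official-looking display name, and an executable or archive attachment.

Added example, not RTK-Solar's or Kaspersky Lab's code. The free-mail list is a short
placeholder, the helper names are mine, and every header and file name below is constructed.
"""
from email.utils import parseaddr

OFFICIAL_DOMAINS = {"sledcom.ru"}                         # the real domain named in the text
BRAND_TOKENS = {"sledcom"}                                # strings an impersonating domain embeds
DISPLAY_TOKENS = {"sledcom", "investigative committee"}   # strings an impersonating display name uses
FREEMAIL_DOMAINS = {"mail.ru", "gmail.com", "yandex.ru"}  # constructed list, extend for production
EXECUTABLE_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "lnk", "hta"}
ARCHIVE_EXT = {"zip", "rar", "7z", "z"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx"}      # can still carry active content
IMPERSONATION = {"lookalike", "freemail-impersonation", "display-name-impersonation"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough to fold sub-domains onto their owner."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_parts(header: str) -> tuple[str, str, str]:
    """Return (display name, address, registrable domain) from a From or Return-Path header."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    return name, addr, registrable_domain(domain) if domain else ""


def classify_sender(header: str) -> str:
    name, addr, reg = sender_parts(header)
    if not reg:
        return "malformed"
    if reg in OFFICIAL_DOMAINS:
        return "official"
    domain = addr.rpartition("@")[2].lower()
    brand_in_name = any(tok in name.lower() for tok in DISPLAY_TOKENS)
    # e.g. mail-server1-sledcom.org or sledcom.ru.example-host.org: brand string in a foreign domain
    if any(tok in domain for tok in BRAND_TOKENS):
        return "lookalike"
    if reg in FREEMAIL_DOMAINS:
        return "freemail-impersonation" if brand_in_name else "freemail"
    return "display-name-impersonation" if brand_in_name else "unrelated"


def classify_attachment(filename: str) -> str:
    """Judge by the LAST extension so double extensions such as case_card.pdf.exe are caught."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in EXECUTABLE_EXT:
        return "executable"
    if ext in ARCHIVE_EXT:
        return "archive"
    if ext in DOCUMENT_EXT:
        return "document"
    return "other"


def triage(from_header: str, return_path: str, attachments: list[str]) -> dict:
    findings = []
    sender = classify_sender(from_header)
    _, from_addr, from_reg = sender_parts(from_header)
    _, _, rp_reg = sender_parts(return_path)
    if sender in IMPERSONATION:
        findings.append(f"sender {sender}: {from_addr}")
    if rp_reg and from_reg and rp_reg != from_reg:
        findings.append(f"return-path domain {rp_reg} differs from From domain {from_reg}")
    for name in attachments:
        kind = classify_attachment(name)
        if kind == "executable":
            findings.append(f"executable attachment: {name}")
        elif kind == "archive":
            findings.append(f"archive attachment (may be password-protected to evade scanning): {name}")
    return {"sender": sender, "findings": findings,
            "verdict": "suspicious" if findings else "no indicators"}


if __name__ == "__main__":
    # Constructed sample: the lookalike domain from the text plus a double-extension attachment
    print(triage('"Senior Investigator" <investigator@mail-server1-sledcom.org>',
                 "<bounce@mail-server1-sledcom.org>", ["case_card.pdf.exe"]))
```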

The number of phishing domains that disguise themselves as Russian online cinemas and music services is growing on Runet

A growing number of phishing domains in Runet disguise themselves as Russian online cinemas and music services; a new round of cybercriminal activity in this area was discovered by cybersecurity experts at Angara Security. According to the company's data, the number of fake video and music content services increased by 10% and 15%, respectively, compared to the same period in 2022. Angara Security announced this on August 23, 2023.

Most often, fraudsters imitate the kinopoisk.ru and ivi.ru resources: fake domains are formed by adding one or more letters to the name of the real service. If a domain is blocked, its owners immediately register a new one; in 2023, cybercriminals have already created several dozen such sites. Angara Security analysts warn that most such sites lure visitors with online screenings of pirated films and can steal payment and personal data.

File:Aquote1.png
The trend of faking online cinema sites appeared during the pandemic, but back then fraudsters sought to fake Netflix sites and only "mastered" the Russian "Kinopoisk," said Victoria Varlamova, Angara Security brand protection expert. - Now that the Russian viewer is cut off from the world's new films, it is very easy to attract him with the promise of an online showing of the sensational Barbie or Oppenheimer. Moreover, the modern phishing sites that our analysts discover mimic not only legal streaming services but even well-known pirated video resources like Kinogo.
File:Aquote2.png

The most popular trap among fake music services was a fake "VK Music": domains with this name lead in Angara Security's analysis of phishing sites. Experts remind users that all advertisements for the real service are marked with a tick on the official VK page, and that registration or payment for a subscription must lead the buyer only to the official website of the service on the vk.com domain.

In the segment of digital services for e-books and audiobooks, the number of phishing sites decreased by 20%; experts explain this by the fact that Telegram channels have become the main channel for distributing books. There, the number of fake resources has grown significantly: in the first half of 2023, about 5,000 phishing Telegram channels were recorded, five times more than in 2022.

{{quote 'We note the migration of cybercrimes to Telegram, - said Victoria Varlamova. - This platform provides great opportunities for the distribution of video and audio content, while it is very difficult for copyright holders to track the distribution of pirated content. We have no reason to believe that the pace of cybercrime will decrease in the near future, so we urge online services to be more vigilant and improve measures to protect their users from phishing and fraud. }}

Document templates that contain viruses. The Central Bank of the Russian Federation announced a new scheme of fraudsters

On August 8, 2023, the Central Bank of the Russian Federation announced a new fraud scheme that uses document templates containing viruses. According to the regulator, fraudsters create fake websites of government departments and well-known reference and legal systems and publish infected documents available for download. Swindlers often use the SEO-poisoning method, which allows these sites to occupy the first lines in the search.

File:Aquote1.png
The user downloads the document, after which a remote access program is launched on his computer. With its help, hackers can remotely change bank details in company contracts - for example, with contractors or suppliers. Instead of the data of the real recipient of the funds, they indicate their own, - the Central Bank reported in its Telegram channel.
File:Aquote2.png

Central Bank announced a new fraud scheme that uses document templates

The Bank of Russia noted that, as a rule, company employees do not immediately detect the malware. Sometimes the scammers block access to work computers and extort money to restore it. In order not to become a victim of such scammers, the regulator recommends:

  • install and regularly update an antivirus;
  • configure a prohibition on automatically installing and running programs;
  • pay attention to the site address: a fake can differ from the official one by just one character. In addition, official websites of government agencies are usually marked with a blue circle with a tick;
  • be careful when working with sites whose address bar does not show the secure connection icon (a padlock);
  • when downloading a document, pay attention to its format; the regulator lists pdf, docx, xlsx, jpg and png as safe.


In July 2023, Russian banks revealed a new fraud scheme that uses fake bank card photos. Attackers gain access to a person's account in the messenger and ask acquaintances to transfer money. For greater persuasiveness, scammers send photos of cards with the name of the desired person. Outwardly, the cards are similar to those of large credit institutions, but in fact the account is opened in another lesser-known bank.[5]

Cobalt Strike phishing attacks hit Russian companies again

BI.ZONE cyber intelligence specialists have discovered large-scale attacks by the Lone Wolf group aimed at Russian logistics, manufacturing and financial organizations and retail companies. BI.ZONE announced this on August 4, 2023.

Attackers from Lone Wolf carried out at least four mass phishing mailings from July 21 to 28. Letters were sent to databases of corporate e-mail addresses allegedly on behalf of JSC TAIF-NK, DC "Motor Show 152," "Rusagro-Primorye" and the OFAS of Russia for the Magadan region.

In three of the four mailings, criminals notify the recipient of a pre-trial claim and demand to pay off the debt under the contract in a short time, including penalties for overdue payment. Otherwise, the attackers threaten to file a claim with the arbitration court. All documents showing indebtedness are attached to the letter. The fourth mailing list - allegedly from the Magadan OFAS of Russia - contains a copy of the resolution without additional clarification.

Trying to understand the situation, the victim hurries to open the attachments: in the identified mailings, the files were named Pre-Trial.doc, pp-as32-4783.doc and act.xls. When any of them is opened, a chain of commands runs on the device, as a result of which Cobalt Strike Beacon is downloaded.

Cobalt Strike Beacon is a component of the Cobalt Strike solution. This is a commercial tool that penetration testers use to emulate the actions of attackers, and that attackers use for tasks at various stages of a cyber incident. Depending on the attackers' goals, the launch of Cobalt Strike can lead to the theft of sensitive data or its encryption, and in some cases to the theft of money from the organization's accounts.

File:Aquote1.png
For quite some time now, tools like Cobalt Strike have been popular among various groups. They open up ample opportunities to achieve the target of an attack using a minimum of additional malicious tools or allow you to abandon them altogether. Moreover, Cobalt Strike is often used in companies for legitimate purposes, which significantly reduces the speed of detecting its suspicious activity,
said Oleg Skulkin, head of cyber intelligence at BI.ZONE.
File:Aquote2.png

Fraudsters hacked Uralsib social networks and posted phishing links there

On August 3, 2023, Uralsib Bank reported a massive cyber attack that hacked its social networks. In addition, the network resources of a number of other financial organizations were affected. Read more here.

Phishing emails on behalf of Roskomnadzor contain software for stealing company credentials

Experts from the BI.ZONE cyber intelligence department have discovered a phishing campaign aimed at Russian organizations. Under the guise of notifications from Roskomnadzor, the attackers distribute the White Snake stealer, malware for stealing passwords and other data from an infected device. BI.ZONE announced this on August 1, 2023.

Criminals send an archive with several files to corporate email addresses. The first document allegedly contains an official notification from Roskomnadzor. It reports that "during selective monitoring of activity, a visit to prohibited Internet resources was established," that is, the recipient of the letter violated law No. 255-FZ "On control over the activities of persons under foreign pressure."

In the same notification, the attackers demand "to immediately check the attached materials and give an explanation within two working days." Otherwise, they threaten to "take measures of an administrative and criminal law nature." All this is meant to make the victim quickly open the second file, that is, the White Snake stealer.

The White Snake malware allows attackers to retrieve saved passwords, copy files, record keystrokes, audio from the microphone and video from the webcam, and gain remote access to the compromised device and corporate systems. Criminals often resell all the collected information after some time, so companies cannot immediately feel the full extent of the damage.

If the listed stealer functions are not enough for an attacker, he can use White Snake to download and run any malicious tools he needs. A subscription to the stealer costs only $140 per month, and unlimited access costs $1950.

File:Aquote1.png
Phishing is one of the main ways to gain initial access during targeted attacks. To protect against it, you should use specialized solutions that block spam and malicious emails. If the company has already suffered from a cyber attack, it is necessary to promptly respond to the incident and investigate it,
said Oleg Skulkin, head of cyber intelligence at BI.ZONE.
File:Aquote2.png

Hacker detained for stealing accounts of 130 Russians on the State Public services portal

In Ufa, St. Petersburg police detained a hacker from St. Petersburg who had stolen account data on the State Public services portal from 130 Russians. The press service of the Ministry of Internal Affairs of Russia announced this on July 13, 2023.

According to law enforcement agencies, the attacker created several phishing sites on the Internet whose appearance copied the official pages of various government agencies. When trying to use the services, citizens entered the credentials of their accounts registered on the Unified Portal of State and Municipal Services. In this way the swindler gained access to other people's accounts and, after changing the passwords, used them to submit applications to microcredit organizations. The transferred money was withdrawn through anonymous electronic wallets and cashed out. After the loan limit was exhausted, the account was deleted along with all information about its use, the Ministry of Internal Affairs said in a statement.

Police detained a hacker who stole data from accounts on the Public services portal

The investigator of the Investigative Department of the Ministry of Internal Affairs of Russia in the Krasnoselsky district of St. Petersburg opened a criminal case on the grounds of a crime under Article 272 of the Criminal Code of the Russian Federation. The suspect was detained by police in the city of Ufa. During a search of his temporary residence, 25 SIM cards, communication devices and bank cards were seized.

File:Aquote1.png
Currently, the defendant has been taken to St. Petersburg, a preventive measure has been chosen against him in the form of a ban on certain actions. Operational-search measures are being carried out aimed at establishing all episodes of illegal activities, - said the official representative of the Ministry of Internal Affairs of Russia Irina Volk on July 13, 2023.[6]
File:Aquote2.png

XDSpy group attacked Russian organizations on behalf of the Ministry of Emergency Situations

On July 12, 2023, the F.A.C.C.T. cybersecurity center reported that on July 11, 2023 it had discovered a malicious phishing mailing conducted by the XDSpy cyber espionage group. The F.A.C.C.T. Managed XDR system for proactive search and protection against complex and unknown cyber threats detected targeted mailings aimed at Russian organizations, including one of the well-known research institutes.

In the text of the letter, the recipients are asked to see a list of company employees who "can sympathize with groups that destabilize the internal situation in Russia." The senders of the letter threaten that if there is no response, legal action will be taken against employees.

Under the guise of a decoy file Spisok_rabotnikov.pdf with a list of random people, malware is downloaded that collects sensitive data and documents from the victim's computer.

XDSpy has used similar techniques before: in mid-March 2023 the cyber spies attacked structures of the Russian MFA, and in October 2022 they sent Russian organizations fake subpoenas on behalf of the Ministry of Defence.

The XDSpy group, which attacks organizations in Russia and [7], was first discovered by the Belarusian CERT in February 2020, although experts believe the group itself has been active since at least 2011. Despite XDSpy's long history, international experts have not determined in whose interests the group works. Most of the group's targets are in Russia: government, military and financial institutions, as well as energy, research and mining companies.

Fraudsters began to steal money from the accounts of Russians, sending messages with an offer to make money on the valuation of hotels

In Russia, fraudsters began to steal money from the accounts of Russians, sending messages with an offer to make money on the valuation of hotels. This became known on June 20, 2023. Read more here.

Fraudsters in Russia began to use ChatGPT in phishing attacks

Fraudsters in Russia began to use ChatGPT in phishing attacks. This was announced in mid-June 2023 by Anna Kulashova, managing director of Kaspersky Lab in the Russian Federation and the CIS countries. Read more here.

Massive phishing email detected under the guise of mobilization documents

On June 10, 2023, BI.ZONE reported detecting a distribution of phishing emails. The attackers used spoofing, that is, they forged the sender's address: to the recipient, the letter looked like a message from government agencies.

The victims received letters with the subjects "Call for mobilization," "General mobilization 2023," "Reconciliation of documents Voenkomat," "Conscripts 2023 list," etc. Both the subject and the text of the message urged the user to open the attached archive or download it via the link.

The archive contained a malicious file that installed the DCRat trojan on the device. This software allows attackers to gain full control over the compromised system.

Using DCRat, attackers take screenshots, record keystrokes, read the contents of the clipboard, etc. As a result, the criminals can obtain logins and passwords for corporate accounts, financial information, personal data and other confidential information.

File:Aquote1.png
Even unprepared attackers achieve their goals when they exploit topical themes and the human factor. Unfortunately, it is almost impossible to avoid such threats. Therefore, organizations must provide adequate protection against phishing attacks,
said Oleg Skulkin, head of cyber intelligence at BI.ZONE.
File:Aquote2.png

Protecting against such mailings is not a trivial task. Server email security settings will be ineffective without software add-ons, behavioral and signature analysis of emails. Therefore, it is important to use specialized security services that can weed out spoofing even before it reaches the recipient.

A group of cybercriminals who stole money from BlaBlaCar users for 1.5 years was liquidated in Russia

The Russian Ministry of Internal Affairs has liquidated Jewelry Team, a group of scammers who for a year and a half stole money from Russians who decided to use the popular BlaBlaCar ride-sharing service. This was reported on June 5, 2023 by F.A.C.C.T. (formerly Group-IB in Russia), which helped the ministry identify and detain the cybercriminals. Read more here.

The number of phishing data theft schemes through Telegram in Russia has grown 67 times over the year

The number of phishing data theft schemes through Telegram in Russia increased 67 times over the year - from 7 in May 2022 to 470 a year later. This was announced at the end of May 2023 by RTK-Solar. Read more here.

Cyber fraudsters in Russia began to send fake letters on behalf of military registration and enlistment offices

Cyber fraudsters in Russia began to send fake letters on behalf of military registration and enlistment offices. This became known on May 10, 2023.

As the Telegram channel "Mash on Moika" writes, fake mobilization orders are arriving by e-mail, including to residents of St. Petersburg. Recipients are urged to appear at the military registration and enlistment office on May 11, 2023 to clarify their data and register. It is noted that a non-existent department is indicated as the sender of the mobilization order: "The Main Directorate of the Military Commissariat of the Ministry of Defense of the Russian Federation." There is also no address to the recipient by name and surname. According to the Telegram channel, these letters contain malicious software: a ZIP archive with a virus.

In addition, residents of the Amur region began to receive such letters, Komsomolskaya Pravda reports. At the same time, in reality the regional military commissariat does not send mobilization orders by e-mail.

The Telegram channel "War on Fakes," which is close to the Ministry of Defence, confirmed that the department does not send such letters: "Russia does not provide for the distribution of mobilization orders or subpoenas by e-mail."

As of May 10, 2023, the only legal way to serve a summons is to hand it over in person for signature. In the future it is also planned to use the Public services portal to deliver summonses, but this notification system will not work before the fall of 2023.

According to WHOIS, the phishing emails are sent to Russians from an address on a domain registered in Britain. According to Kommersant, a file with the .exe extension is attached to the email. When it is saved to the computer and opened, the device is infected with a virus. Presumably, this is the so-called DarkWatchman RAT trojan, which gives the senders remote access to the recipient's computer.[8]

Victory for RKN: phishing resources have almost left the .ru domain

According to the results of the first quarter of 2023, more than 7.2 thousand phishing resources were removed and blocked in Russia, against about 2 thousand in the same period of 2022. Roskomnadzor cited these figures on May 10, 2023. According to the agency's statistics, the largest number of domains with links to illegal financial activities and fake documents were in the .com domain zone (52%), in second place .ru (13%), in third place .xyz and .site (8%). The remaining share was distributed among the .top, .io, .net, .pro and .ws domains. The Ministry of Digital Development blocks phishing sites through the Antifishing system, which has been operating since June 2022.

Companies working in the field of information security confirm this trend. According to Kaspersky Lab, in January-May 2023 the .com (48%), .ru (12%) and .ws (6%) domain zones accounted for the largest number of attempts by Russian users to open phishing pages.

More than 7.2 thousand phishing resources were removed and blocked

The departure of scammers to new domains may be due to the fact that registration there is cheaper or free altogether. In addition, as Aleksei Kuznetsov, head of security analysis at the MTS RED Future Crew innovation center, noted in a conversation with Kommersant, it is easier for Roskomnadzor to block fraudulent resources in the .ru domain, which partly restrains the growth of phishing sites in Runet.

File:Aquote1.png
There are gTLD (generic Top-Level Domain) top-level domains, for example.com, which are centrally managed, and country-specific domains - ccTLD (country code Top-Level Domain, including.ru, as well as other national zones), and in ccTLD zones it is often difficult to get to the registrar and force him to take the domain name from the resource owner, the expert explained.[9]

80,000 phishing emails sent via IPFS found

According to Kaspersky Lab, phishers attacking via email have begun to actively use the Web 3.0 technology IPFS (InterPlanetary File System). The company announced this on March 30, 2023. Attackers host phishing HTML files in IPFS to cut hosting costs, and use the method in both mass and targeted phishing attacks. In the first three months of 2023 the company discovered about 80 thousand emails sent in Russia this way.

How attacks occur through IPFS. Attackers place HTML files containing phishing forms in IPFS and use public gateways as proxies so that victims can open the file whether or not they have an IPFS client on their device. Links to the file via the gateway are inserted into the phishing emails sent to potential victims.

Using a distributed file system lets attackers save on hosting phishing pages. Also, a file in IPFS that is hosted (pinned) by another user or by several users cannot simply be deleted. Anyone who wants the file to disappear from the system entirely would have to ask its holders to delete it themselves, and this is unlikely to work with scammers.

Features of phishing emails and links sent via IPFS. Phishing emails containing an IPFS link are usually unremarkable: typical phishing aimed at obtaining the login and password for the victim's account.

The HTML page behind the link is another matter. The URL parameter contains the recipient's email address. If it is changed, the page content changes too: the company logo above the phishing form and the email address pre-filled in the login field. Thus one link can be used in several phishing campaigns aimed at different users, sometimes in several dozen campaigns.
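The gateway-link structure just described can be turned into mail-triage logic. The following is an added example, not Kaspersky Lab's code: it recognises both gateway URL forms (path form https://gateway/ipfs/CID/... and subdomain form https://CID.ipfs.gateway/...), pulls the recipient address out of the query string or fragment, and groups findings by CID so that one kit reused across many recipients stands out. The gateway hostnames, the CIDs and the sample messages are constructed; the name of the query parameter carrying the address is not given in the report, so the code inspects every query value rather than a fixed key.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

URL_RE = re.compile(r'https?://[^\s<>"\']+')
# CIDv0 is "Qm" + 44 base58 chars; CIDv1 on public gateways is usually base32 ("baf...")
CID_RE = re.compile(r'^(Qm[1-9A-HJ-NP-Za-km-z]{44}|baf[a-z2-7]{50,})$')
PATH_FORM = re.compile(r'^/ipfs/(?P<cid>[A-Za-z0-9]+)')        # https://gw/ipfs/<cid>/...
SUBDOMAIN_FORM = re.compile(r'^(?P<cid>[a-z0-9]+)\.ipfs\.')     # https://<cid>.ipfs.gw/...
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+(\.[\w-]+)+')


def extract_ipfs(url):
    """Return a finding dict if `url` serves IPFS content through a gateway, else None."""
    p = urlparse(url)
    host = p.hostname or ''
    m = PATH_FORM.match(p.path) or SUBDOMAIN_FORM.match(host)
    if not m or not CID_RE.match(m.group('cid')):
        return None
    # The report says the victim's address travels in the URL and selects the logo
    # and pre-filled login; the parameter name is unknown (assumption), so check
    # every query value and the fragment for something that looks like an address.
    candidates = [v for vals in parse_qs(p.query).values() for v in vals]
    candidates.append(unquote(p.fragment))
    recipient = next((c for c in candidates if EMAIL_RE.fullmatch(c)), None)
    return {'url': url, 'gateway': host, 'cid': m.group('cid'), 'recipient': recipient}


def scan_message(body):
    """All IPFS gateway links found in one message body."""
    hits = []
    for url in URL_RE.findall(body):
        info = extract_ipfs(url.rstrip('.,);'))   # drop trailing sentence punctuation
        if info:
            hits.append(info)
    return hits


def group_by_cid(messages):
    """Map CID -> set of recipient addresses seen with it across a mailbox.
    One CID paired with many recipients is a single kit reused across campaigns."""
    by_cid = {}
    for body in messages:
        for h in scan_message(body):
            by_cid.setdefault(h['cid'], set())
            if h['recipient']:
                by_cid[h['cid']].add(h['recipient'])
    return by_cid


# Constructed sample messages: CIDs, gateways and addresses are illustrative only
CID_PATH = 'QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG'
CID_SUB = 'bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi'
SAMPLE_MESSAGES = [
    'Your mailbox password expires today. Keep it: '
    f'https://ipfs.io/ipfs/{CID_PATH}/?email=ivan.petrov%40example.ru',
    'Pending invoice, sign in to view: '
    f'https://dweb.link/ipfs/{CID_PATH}/?email=olga%40example.ru.',
    'Document shared with you: '
    f'https://{CID_SUB}.ipfs.dweb.link/#anna%40corp.ru',
    'Meeting notes attached, see https://example.ru/login for the portal.',
]

if __name__ == '__main__':
    for cid, rcpts in group_by_cid(SAMPLE_MESSAGES).items():
        print(cid[:12], sorted(rcpts))
```

Grouping by CID rather than by URL is the useful part: the gateway hostname and the address parameter change from message to message, but the content identifier is the same kit, so it is the stable key for blocking and for counting how many campaigns one upload served.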

Attackers have used and will continue to use the latest technologies for their own purposes. Recently, we have seen an increase in the number of phishing attacks through IPFS, both mass and targeted. A distributed file system allows scammers to save money on buying a domain. Plus, deleting the file completely is not easy, although there are attempts to combat fraud at the IPFS gateway level. The good news is that anti-spam solutions detect and block links to phishing files in IPFS, like any other phishing links. In particular, Kaspersky Lab solutions use a number of heuristics aimed at detecting phishing through IPFS, comments Roman Dedenok, spam analysis expert at Kaspersky Lab.

Fraudsters in Russia began to use ChatGPT for phishing

Scammers in Russia have begun using ChatGPT for phishing. Information security specialists at T.Hunter reported this at the end of March 2023. According to the company's experts, cybercriminals are actively using AI to make their texts more accurate, automate the process and raise the odds of deceiving users.

We record that the first phishing letters written using this software began to arrive en masse to users in March this year, Igor Bederov, head of the information and analytical research department at T.Hunter, told Izvestia.

The first phishing emails written with ChatGPT appeared in March 2023

The expert is confident that the use of artificial intelligence will increase the number of fraud victims: most phishing emails came from abroad, and poor translation helped people spot the scammers.

ChatGPT, however, writes letters as close as possible to what people write. Scammers need only add a phishing link and send the email to millions of users.

Group-IB's press service told the newspaper that the "problem" with many phishing emails written in Russian by foreigners is that they are illiterate and contain many stylistic, spelling and grammatical errors. Machine translation is also easy to spot. Such "imperfection" reduces the effect attackers want to achieve, since people do not trust illiterate letters and click on links less often.

According to Andrey Vorobyov, director of the Coordination Center for .RU/.РФ domains, ChatGPT may in future be used in phishing chats, which are becoming more widespread. There, AI will be able to simulate live communication, allegedly with a company manager, winning the user's trust.[10]

Number of new phishing sites triples to 5.2 thousand

In January-March 2023, 5.2 thousand phishing sites were identified in Russia, which is almost three times more than a year earlier. This was reported in mid-March 2023 in the ANO "Coordination Center of Domains."

ANO director Andrey Vorobyov said that one of the reasons was the confusion with SSL certificates that arose after Western certificate authorities refused to work in the Russian Federation.

The number of phishing sites in Russia has grown faster

Until February 2022, SSL/TLS certificates were issued by foreign certificate authorities, but after February 24 of that year many of them refused to work with the Russian Federation. Over the past year several local certificate authorities have started operating in Russia and the problem is gradually losing its severity, Vorobyov said in mid-March 2023.

The increase in the number of phishing sites was also noted by Roskomnadzor (RKN). Its press service told the publication that from January to February 2023 RKN removed and blocked 523 fraudulent resources, among them sites related to the credit and financial sector. Over the same period of 2022, 313 resources were removed.

Specialists of the Domain Coordination Center told Izvestia that most often fraudsters imitate the sites of the largest Russian banks that have fallen under sanctions, as well as marketplaces and ad services.

According to experts from the Domain Coordination Center, an effective measure to counter fraudsters could be to confirm the passport data of an individual registering a domain name through the ESIA, the newspaper writes.

One of the reasons for the growth in the number of phishing sites is the development of technology. For example, website builders are becoming increasingly widespread and can be used by anyone familiar with a computer, even without programming skills, explained Sergei Trukhachev, head of Internet threat analytics at RTK-Solar.[11]

2022

The number of phishing sites blocked in Russia has more than doubled

On March 3, 2023, Group-IB announced that it had blocked more than 59,000 phishing sites in 2022, of which more than 7,000 were in the Russian segment of the Internet, twice as many as a year earlier. The fraudulent resources stole logins and passwords, bank card data and messenger accounts from users in Russia. For example, in 2022 there was a wave of attacks on Telegram users using phishing resources.

According to the company, the number of resources blocked by CERT-GIB, Group-IB's round-the-clock Information Security Incident Response Center, rose from 31,455 in 2021 to 59,282 in 2022. Among other things, the cybercriminals' pages copied the resources of brands, services and games popular with Russian users. In the .ru and .rf zones the number of blocked sites more than doubled, from 3,210 to 7,121.

In all, in 2022 CERT-GIB specialists identified 20,170 phishing domains in the .ru and .rf zones alone, against 15,363 domains in 2021.

Phishing sites blocked by the Group-IB Information Security Incident Response Center.

Most often, scammers disguised phishing resources as social networks, banks, and postal services. The attackers used the services of hosting providers located mainly in the United States, Russia and Germany. Every third site of scammers was posted in the.com domain zone - 33.8% of the total number of resources.

Phishing pages were used in a scheme to steal Telegram user accounts in December 2022. Victims received a message asking them to support the sender's goddaughter or niece in a children's drawing competition, vote for the "author" of the message in some online contest, and receive a premium messenger subscription as a gift. The link in the message led to a phishing resource. Messages were sent to the address books of hacked accounts and to the chats their owners belonged to. With each stolen account the scheme was repeated: the attackers sent messages with phishing links to its contact list. In 2023, attackers stealing Telegram accounts also use a scenario with a message from the messenger's support service about restricting the user's account.

Phishing remains the most common threat on the Internet, its scale continues to grow. Such sites make up 98-99% of the blocked resources of cybercriminals. First of all, these are resources that play the role of one of the main elements of the popular Mammoth scheme (FakeCourier) and its versions, where money and bank card data are stolen from the victim under the pretext of fake buying, delivery, rent or dating.

noted Ivan Lebedev, head of the CERT-GIB phishing protection group

Distribution of identified phishing resources by industries and domain zones.

Group-IB specialists remind users of the basic rules to follow in order not to become a victim of phishing:

  • Due to the large number of fakes and phishing resources targeting well-known brands, customers should be especially vigilant, even when downloading applications from official stores.
  • Check the domain names of suspicious sites. Attackers most often use domains that resemble popular brands. Use official applications.
  • When shopping online, you should always check all the details of transfers and payments. Do not give anyone codes from SMS and push notifications, card data (PIN and CVV codes), personal data.
  • Never click on suspicious links from unknown senders, scammers can infect a computer or phone and steal data.
  • You can trust the links that are indicated in the verified accounts of companies in social networks and instant messengers.

Fraudsters in Russia began to create fake car sharing sites to steal data

At the end of 2022, it became known that fraudsters in Russia began to actively create fake sites of car-sharing companies to steal data, as well as to steal cars and remove spare parts from them.

As RIA Novosti was told at NTI Autonet, fraudsters create fake sites and lure victims to them with non-existent promotions. Once the user enters their car data, login, password and driver's license details, the attackers take possession of them.

By the end of 2022, fraudsters in Russia created more than 130 fake car sharing sites

When registering on such a site, the user reveals personal data and gives fraudsters the opportunity to steal car-sharing cars in the user's name. The bait is the low cost of renting a car. Many of the sites have reportedly already been blocked.

In 2022, the number of schemes related to theft of automotive data increased sharply, analysts said. This may be due to a lack of auto parts and a shortage of cars, as well as the departure from the Russian Federation of a number of popular fraudulent schemes related to the banking segment due to the blocking of the SWIFT system.

According to NTI "Autonet," by the end of 2022 there are at least 130 fake sites of car-sharing companies in Runet.

In September 2022, Kaspersky Lab reported that a darknet advertisement offered access to the administrator account of one car-sharing company. According to the ad, the buyer would be able to remotely control several of the service's cars at once: track a car's location, open and close it, and start and stop the engine. Fraudsters could use access to the car-sharing control panel, for example, to extort money.[12]

The number of fraudulent sites in Runet increased by 15%

Group-IB, one of the world's leading cyber security companies, announced on November 11, 2022 that it had discovered about 18,000 phishing sites in the Russian segment of the Internet in 2022, 15% more than in 2021. Experts attribute the growth to the scaling of the fraudulent Mammoth scheme. Most often, scammers use phishing resources disguised as banks, online services and payment systems as bait.

For 9 months of 2022, CERT-GIB identified 17,742 phishing sites in the .ru and .rf domain zones. For comparison, 15,363 domains were recorded over the same period of 2021. The number of fraudulent resources rose steadily through the year: 1,295 domains were discovered in January, 1,936 in May and 2,402 in October.

According to analysts, the growth in the number of phishing sites is linked to the spread of the FakeCourier scheme, in which money and bank card data are stolen from the victim under the pretext of fake purchases, deliveries or rentals. The main spikes in the appearance of fraudsters' pages were observed in May, August and October 2022, which also reflects the "seasonal" scenarios of the cybercriminals' schemes.

Earlier, Group-IB identified at least 300 scam groups operating under the Mammoth scheme. Fraudsters made money on courier delivery, real estate rental, car sales, ride sharing and even dating. After the scheme spread to Europe, the total annual earnings of all criminal groups using it were estimated, by the most conservative estimates, at more than $6.2 million.


Overall, according to the Coordination Center for .RU/.РФ domains (CC), the number of requests to block harmful sites in 2022 rose by 25%. CERT-GIB sent the most, 5,343 requests. Resources that affected users and companies complained about were blocked first. In just 10 months, competent organizations partnering with the CC sent 11,936 requests, against 9,556 over the same period of 2021. As a result, registrars and hosting providers blocked 11,514 malicious resources. The average response time was 23.2 hours.

Phishing remains the most massive threat to users on the Internet, and its scale is steadily growing. It is phishing sites that make up 98-99% of the blocked resources of cybercriminals. The remaining share of the total number of blocked pages falls on sites with malware,
emphasized Ivan Lebedev, head of the CERT-GIB phishing protection group.

The CERT-GIB Information Security Incident Response Center is one of 12 competent organizations that provide the Coordination Center and accredited domain name registrars with information about resources with illegal content, cases of phishing, unauthorized access to information systems and the spread of malware from domain names located in zones.ru and.rf. Registrars have the right to stop delegating domain names for such resources.

Fraudsters used the brands "Red and White" and "Dodo Pizza" to steal money from citizens

In July-August 2022, the RTK-Solar team discovered more than 2,000 malicious domains used by attackers for mass phishing on behalf of the brands Red and White and Dodo Pizza. Under the pretext of receiving a pizza or a bottle of wine for just 1 ruble, the victim's card was tied to a non-existent paid service with recurring debits. As of September 2022 the attack is blocked, but in the coming months the scheme may reappear in a new form. The company announced this on September 12, 2022.

The identified phishing attacks continued a malicious campaign whose bursts are observed every 4-6 months, note the specialists of the Solar JSOC special services team at RTK-Solar. Thanks to cooperation with domain registrars and regulators, the phishing activity was stopped in time, and prompt communication with the bank that provided the Internet acquiring helped reduce the damage to users several times over.

The current attack showed how fraudulent schemes evolve. As before, the attackers exploited the human factor: to receive a "prize", the victim was asked to forward the link to the malicious site to 10-20 friends in a messenger. This significantly raised the fraudsters' effectiveness: a link from a friend inspires far more trust than an impersonal mailing.

The remaining elements of the attack were carefully redesigned. So, to disseminate information about the "action," not only instant messengers were used, but also specially created groups on social networks. It was they who launched a self-propagating chain of mailings about non-existent prizes.

Taking into account the experience of previous attacks, attackers took all necessary measures to make fake resources work as long as possible, and their detection and blocking were difficult. If previously sent messages usually contained a link to a static site, now it led to one of thousands of domains, which redirected the victim to a malicious resource through a constantly changing chain of intermediate sites.

Malicious domains had no brand binding: they were sets of generated character sequences in the exotic .ml, .tk, .cf, .ga and .gq zones. Registration there is free and can be done through an API, that is, automatically. Scripts that register such domain names in batches are easy to find in the public domain, said Alexander Vurasko, an expert in the special services area of Solar JSOC at RTK-Solar. But the most interesting thing in the new round of the scheme is the money-theft process itself. By entering card data, the victim took out a subscription under which 889 rubles were debited every 5 days. The money went to the account of a real legal entity at a top-20 bank. In most cases such payments are not noticed by the bank's anti-fraud system, and the small amount was more than compensated by the large number of "subscribers."

To cash out, the attackers registered more than two dozen domains in a single day and posted identical sites on them dedicated to an online "fat burning" course. It was this course that victims who left their bank card details were unknowingly subscribed to. The fake fitness sites were as non-functional as possible: most options did not work, there was no detailed information about the subscription being taken out, and the public offer, although it named a legal entity, was legally null and void. All this confirms that these sites were used solely as part of the fraudulent scheme with drinks and pizza.

As of September 2022, the peak of the attack passed. Malicious sites are blocked, mass mailings in instant messengers and social networks are not recorded.

Fraudsters have sharply increased activity using the names of well-known companies

On August 30, 2022, Group-IB announced that in the first half of 2022 the number of cases of online fraud exploiting well-known brands rose by 579% compared to the same period in 2021. According to analysts at Group-IB Digital Risk Protection, which specializes in combating the illegal use of brands, more than half of all sites discovered were linked to a targeted fraud scheme: fake polls with prize draws on behalf of well-known companies.

According to Group-IB estimates, attackers are already using more than 2,100 global brands and brands of companies in online retail, telecommunications, services, banking and other sectors to attract victims' attention. For comparison, at the end of 2021 there were only 120. Most often, fraudsters promise users a large reward or a valuable prize for completing the survey, but in the end the victim loses money and bank card data. Group-IB puts monthly user losses from targeted fraud worldwide at $80 million (5.9 billion rubles) by the most conservative estimates.

In this type of fraud, an individual, so-called targeted link is generated for each potential victim using their parameters (country, time zone, language, IP address, browser type and so on). Links can be reusable or single-use, which is one reason such fraudulent resources are hard to detect and block.

The reasons for such rapid growth of online fraud under well-known brands in H1 2022 lie both in the growth of cybercrime in general against the background of an unstable geopolitical situation and in the departure of popular brands and the appearance on the market of new, perhaps less well-known but popular, ones, said Evgeny Egorov, leading analyst in Group-IB's Digital Risk Protection department. Another technical feature that scales the scheme: to receive a "prize" you need to share a link with several friends via instant messengers, which makes the recipient trust it more and, accordingly, increases the scheme's effectiveness.

In addition to the scheme with fake polls, in the first half of 2022, fraudsters used several dozen different scenarios of online scams, actively playing out the topic of sanctions and the termination of work in Russia of well-known international brands:

  • fraudulent schemes involving the sale of fake virtual payment cards for the App Store and PlayStation Store, or the purchase of access to services that have left the Russian market, such as Spotify Premium, Pornhub and others;
  • the sale of goods from global brands that have stopped operating in Russia; for example, the Mammoth fraud scheme gained an additional scenario of buying suddenly "scarce" goods from IKEA;
  • an increase in the activity of scammers operating in the field of lotteries - in the first half of 2022, Group-IB, together with Stoloto, discovered and blocked 18,709 resources that operated under the guise of popular state lotteries.
  • "Seasonal scams" are fake sites for booking hotel rooms and paying for motorway fares. Most of the resources appeared by the beginning of the vacation season. In the summer, more than 30 phishing resources were recorded copying popular Sochi hotels.
  • Since spring, amid instability in the financial market, there has been an increase in the number of fraudulent resources and online broadcasts dedicated to "profitable investments" in cryptocurrencies, investments in securities or withdrawal of funds from Russian banks to "secure accounts" abroad.

Group-IB recalled the basic rules that users should follow in order not to become a victim of scammers:

  • Due to the large number of fakes and phishing resources targeting well-known brands, customers should be especially vigilant, even when downloading programs from the official stores, the App Store and Google Play.
  • Check the domain names of suspicious sites. Attackers most often use domains that resemble popular brands. Use official applications.
  • When shopping online, you always need to check all the details of transfers and payments. No one can be informed of codes from SMS and push notifications, card data (PIN and CVV codes), personal data;
  • Do not follow suspicious links from unknown senders, fraudsters can infect a computer or phone and steal data.

The danger is that such online fraud carries risks not only for users but also for the businesses and brands that fraudsters illegally exploit. A user who has lost money to a fake of a brand is unlikely to return to it.

For companies whose brand is a significant asset, the experts recommend Digital Risk Protection class products to combat targeted fraud. Group-IB says its patented techniques for finding and tracking attackers, automated graph analysis and real-time tracking of the attacker's infrastructure allow the entire network of fraudsters to be detected and blocked at once, rather than individual links to phishing and scam resources. As a result, 85% of violations related to any type of fraud are resolved out of court, saving protected organizations' resources. The company notes that this level of protection has been verified by large brands, and if a user initiates litigation against a company whose brand was used in a fraudulent scheme, Group-IB is ready to bear all the costs.

The Ministry of Digital Development creates a pre-trial blocking system for fraudulent sites

On August 11, 2022, it became known that the Ministry of Digital Development, Communications and Mass Media of the Russian Federation had decided to block fraudulent resources disguised as official sites without a court ruling. To do this, the ministry will expand its interaction with the Prosecutor General's Office within the Antifishing information system. More here

Over the year, the number of phishing attacks in Russia doubled

Over the year, the number of phishing attacks in Russia has doubled. This was announced on June 22, 2022 by the company Trust Technologies.

Every year companies increase their information security investment by about 15%. The number of cybercrimes keeps growing rapidly: in the last year alone (May 2021 to May 2022) their number in Russia almost doubled.

Expensive equipment, modern systems often turn out to be powerless, since the weakest link in the protection system is the company's employees.

Attacks using phishing sites prove effective year after year. Opening a phishing email can lead to significant financial losses for a company. Users have long grown used to numerous mailings from stores, services and trusted information sources. According to statistics, up to 85 percent of employees open malicious emails, most often staff not directly related to IT: back office, managers, assistants, interns. However, they may lack the access rights attackers are interested in, so the damage from the theft of such accounts is rarely significant. IT specialists, finance staff and, surprisingly, information security specialists are another matter: as a rule, they have elevated privileges, but not always the skills needed to recognize and counter cyber attacks.

For example, an accountant at a large company receives a letter from his favourite store about discounts on goods for the dacha, follows the link to take a look or tries to make a purchase. By that time the malware is already running: data from the accountant's computer is in the cybercriminals' hands, and they can conduct financial transactions or obtain confidential information.

An untrained user finds it hard to tell a phishing mailing from a genuine one. The best advice experts give is not to open suspicious letters arriving at a corporate mailbox at all, especially from external mail domains. Attackers may also exploit employees' personal data. How, then, can you tell that a phishing email has arrived? What should you look out for?

  • Is a letter missing from the domain name?
  • Is the attachment a file of an unknown format?
  • Is the sender known?
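The questions above, together with the batch-registered domains in free zones described in the Red and White / Dodo Pizza campaign, can be turned into simple triage code. This is an added example, not Trust Technologies' or RTK-Solar's tooling: it scores a link's host for brand lookalikes (one or two edits away from a known brand), free .ml/.tk/.cf/.ga/.gq zones and random-looking labels, and flags attachments by executable, archive or double extension. The brand allow-list, the thresholds and the sample inputs are constructed assumptions, and the registrable-domain split is deliberately naive (it does not handle multi-label public suffixes such as com.ru).

```python
import math
from urllib.parse import urlparse

# Free zones named in the Solar JSOC description of the Red and White / Dodo Pizza campaign
FREE_TLDS = {'ml', 'tk', 'cf', 'ga', 'gq'}
# Constructed allow-list of brands the organisation expects mail from (assumption)
KNOWN_BRANDS = {'dodopizza', 'sberbank', 'gosuslugi'}
EXEC_EXT = {'exe', 'scr', 'js', 'vbs', 'hta', 'bat', 'cmd', 'lnk', 'msi', 'ps1'}
ARCHIVE_EXT = {'zip', 'rar', 'z', '7z'}          # archive formats cited on this page
DOC_EXT = {'pdf', 'doc', 'docx', 'xls', 'xlsx', 'rtf', 'jpg', 'png'}


def shannon_entropy(s):
    """Bits per character; random-looking labels score near log2(len(set(s)))."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s))) if n else 0.0


def levenshtein(a, b):
    """Edit distance, used to catch a dropped or swapped letter in a brand name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(url, brands=KNOWN_BRANDS):
    """Reasons a link's host looks suspicious (empty list = nothing found)."""
    host = (urlparse(url).hostname or '').rstrip('.')
    labels = host.split('.')
    if len(labels) < 2:
        return {'host': host, 'reasons': ['no registrable domain']}
    tld, sld = labels[-1], labels[-2]      # naive: suffixes such as com.ru are not handled
    compact = sld.replace('-', '')
    reasons = []
    if compact not in brands:
        for b in sorted(brands):
            # one or two edits away ("dodopiza"), or a brand embedded in a longer label
            if 0 < levenshtein(compact, b) <= 2 or b in compact:
                reasons.append(f'lookalike of {b}')
                break
    if tld in FREE_TLDS:
        reasons.append(f'free zone .{tld}')
    if compact not in brands and len(sld) >= 8 and shannon_entropy(sld) >= 3.0:
        reasons.append('generated-looking label')   # batch-registered throwaway domains
    return {'host': host, 'reasons': reasons}


def assess_attachment(name):
    """Reasons an attachment name is risky: executable, archive, or double extension."""
    parts = name.lower().rsplit('.', 2)
    reasons = []
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXEC_EXT:
        reasons.append(f'executable .{ext}')
    if ext in ARCHIVE_EXT:
        reasons.append(f'archive .{ext} (inspect contents)')
    if len(parts) == 3 and parts[1] in DOC_EXT and ext in EXEC_EXT | ARCHIVE_EXT:
        reasons.append('double extension')      # e.g. "invoice.pdf.exe"
    return reasons


def triage(links, attachments):
    """Collect every reason found for one message; an empty list means the checks passed."""
    findings = []
    for url in links:
        r = assess_link(url)
        if r['reasons']:
            findings.append((r['host'], r['reasons']))
    for name in attachments:
        r = assess_attachment(name)
        if r:
            findings.append((name, r))
    return findings


# Constructed sample message: a generated free-zone domain, a lookalike, a clean link
SAMPLE_LINKS = ['http://x7q2kd9fzl.ga/r', 'https://dodopiza.ml/promo', 'https://sberbank.ru/']
SAMPLE_ATTACHMENTS = ['Счет.pdf.exe', 'list.rtf', 'docs.rar']

if __name__ == '__main__':
    for item, reasons in triage(SAMPLE_LINKS, SAMPLE_ATTACHMENTS):
        print(item, '->', '; '.join(reasons))
```

These heuristics are a first filter, not a verdict: an RTF or archive attachment passes the name check yet can still carry the payload described elsewhere on this page, so flagged items should go to sandbox detonation or content inspection rather than be judged by name alone.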

Employees quite often forget fairly simple safety rules. A separate "find" of cybercriminals is a mailing styled as a corporate letter, where the main bet is on employees' curiosity. A case from practice: a secretary could not open a letter with a supposed salary statement and forwarded it to a colleague, who in turn sent it to the system administrator, who also tried to open the attachment. The result was a compromise of the corporate server and a leak of customers' personal data.

The most popular phishing topics:

  • Information on discounts and promotions from well-known retail chains;
  • Seasonal sales for the dacha season and the holidays;
  • Gift information;
  • Confidential information about employees or management of the company.

To improve employee literacy in information security issues, companies are increasingly conducting practical training using specialized platforms that allow you to conduct a training attack, collect statistics on the company, and also send "caught" users to the training portal to take an information security course.

Example of a training phishing attack:

During the holiday season, we take a real, relevant newsletter, change some of its details (the subject line and parts of the content), insert the required link and send our version to the company's employees.

In this case the training attack was run at an IT company with a high level of information security training. No more than 15% of employees followed the link in the letter, and they were sent to the training course. The more often such preventive measures are taken, the lower the risk of wrong actions in a real cyber attack.

According to experts, attackers will only step up their activity. Unprotected organizations with a low level of cyber security knowledge are most at risk.

Ministry of Digital Development has launched a phishing site monitoring system

On June 6, 2022, the Ministry of Digital Development announced the launch of a phishing site monitoring system. Read more here.

Scammers use phishing for Apple services

On May 17, 2022, Group-IB announced the emergence of fraudulent schemes to steal money, bank card data and Apple accounts under the pretext of paying for and using the Apple Store, Apple Pay and iTunes. In total, over the past two years Group-IB experts have discovered more than 5,000 domains in the .ru zone created solely for phishing attacks on Russians aimed at gaining access to iPhones and Apple services. More here

Russian hackers launched a large-scale targeted phishing campaign

On May 3, 2022, it became known that Russian hackers had launched a large-scale targeted phishing campaign.

The APT29 group attacks diplomats and government organizations. Read more here.

Scammers send phishing emails on behalf of the Ministry of Digital Development and Roskomnadzor

Scammers are sending phishing emails on behalf of the Ministry of Digital Development and Roskomnadzor. This became known on March 31, 2022.

Malwarebytes, a cybersecurity company, spoke about this deception scheme.

Since March 23, Russian email users have regularly received messages allegedly on behalf of representatives of the Ministry of Digital Development and Roskomnadzor. The letters warn that it is illegal to use websites, social networks and messengers banned in Russia, and VPN services to bypass their blocking. Attached to the message is an RTF file with a list of prohibited resources.

Experts found that when the document is opened on a PC, smartphone or any other device, it downloads an HTML file that runs a script giving the fraudsters remote access to data on the device.

The phishing emails are aimed primarily at addresses in the mail.ru, yandex.ru, mvd.ru, cap.ru and minobr-altai.ru domains.[13]

2021

A significant increase in the share of phishing in the total volume of fraudulent attacks was recorded

On February 22, 2022, Kaspersky Lab and Raiffeisen Bank shared online fraud trends in 2021.

Illustration: zen.yandex.ru

In 2021, among the themes fraudsters used in their schemes, Kaspersky Lab researchers highlight the coronavirus, offers of easy money, including scams with draws and prizes allegedly from well-known brands, and the creation of a large number of fake payment system pages. Raiffeisen Bank experts also note a significant increase in the share of phishing in the total volume of fraudulent attacks.

"We notice a significant increase in phishing compared to phone fraud over the past six months. In 2021, phishing attacks accounted for 35% of all fraud cases encountered by our clients - in 2020 this share was only 5%. Fraudsters fully automate their actions: the launch of phishing resources and their distribution on the network takes minutes. We monitor the emergence of such sites and block them, but it is also important for customers to remain vigilant," commented Ilya Zuev, Head of Information Security at Raiffeisen Bank.

One of the topics that was relevant in 2021 was investments: banks and other organizations purposefully promoted investment and brokerage accounts. According to Kaspersky Lab data, attackers did not stay away from this trend and tried to make their "investment projects" look especially tempting. To attract attention and gain the trust of potential depositors, fraudsters distributed ads on the RuNet on behalf of well-known businessmen and large companies. They proposed contributing a small amount in order to receive a significant profit in return after some time. In some cases, attackers emphasized the stability and absence of risk for the investor, as well as the status of the organization. To lend solidity to the procedure, victims were asked to take a test or leave an application, and sometimes to get specialist advice. The result was always the same: having handed the money to the fraudsters, the investor received nothing.

In general, phishing schemes often use the names of large well-known companies as bait. According to the Kaspersky Fraud Prevention report, in 2021, global online portals and online stores most often suffered from misuse of the brand. Each of these two categories accounted for almost 21% of similar cases. In 12% of cases, the names of banks were used, in 8% - payment systems.

According to the same report, most often in 2021, attackers tried to make unauthorized money transfers using compromised accounts. The share of such incidents was 73%. In 21% of cases, bots and automation tools were used.

"Attackers are attracted to hot topics, especially those related to new types of earnings. Fraudsters manage to effectively use social engineering techniques and pull out other people's money. In addition, with the development of protective technologies and an increase in the level of digital literacy of users, fraudsters complicate the development of content - they hide traces and "noise" texts, distort pages so that their dubious content is difficult to track. We urge you to remain vigilant and not to trust suspicious messages in the mail, instant messengers or on the Internet. Critical treatment of questionable proposals and the use of a proven security solution will help save money, data and nerves," says Tatyana Shcherbakova, senior content analyst at Kaspersky Lab.

In order not to become a victim of scams or phishing schemes, experts from Kaspersky Lab and Raiffeisen Bank advise:

  • do not follow dubious links from mail, messages in instant messengers and SMS;
  • if the sender is trustworthy but the content of the message is not, make sure the message was really sent by the person you think it was, for example by asking them directly by voice if there is such an opportunity;
  • check the spelling of site addresses before entering data on them;
  • use a security solution that blocks attempts to go to a phishing or scam site.

45% of Russians faced phishing in 2021

On December 3, 2021, Avast published the results of a survey on phishing. Experts wanted to find out how often people have faced phishing attacks over the past two years. According to the data received, in 2021, people more often became victims of such attacks: 45% of Russians surveyed told about this. This figure increased by 4% compared to the results of 2020.

"Before the holidays, everyone is looking for gifts for loved ones, bought at sales. Due to supply disruptions related to the pandemic, people are more likely to believe messages in which scammers say they will deliver popular goods," said Luis Corrons, an information security evangelist at Avast. "If we compare the results of polls in 2020 and in 2021, we will see that the number of Russians who faced phishing attacks increased by 7%. By raising awareness of scams, we hope we make life safer for users."

In 2021, 72% of respondents from Russia faced them, while in 2020 only 56% of respondents told about it in a similar survey. In second and third place, respectively, are malicious emails (60%) and smishing (SMS phishing) (52%). The number of social engineering attacks in real life decreased slightly: from 16% in 2020 to 15% in 2021.

In 2021, the number of victims of phishing attacks increased by 4%. At the same time, more respondents reported such incidents: 48% reported the fraud to the police, the security service at work or the antivirus vendor. Most often, people went to the police (49%), to the company that was imitated by the attackers (38%) or to one of their colleagues (17%).

"According to a previous survey we conducted with YouGov, online purchases during the pandemic were expected to be extremely popular in Russia. 24% of Russians began to buy more online than before the lockdown. 15% of respondents first tried online shopping at this time. The latter category may be especially vulnerable to phishing attacks related to online purchases, since they do not have much experience yet and may not notice and recognize the threat in time," said Luis Corrons.

Of the Russians who became victims of phishing, a little more than a third (38%) said that they had to change passwords from accounts, 29% said that money was stolen from them, and personal data was stolen from 15%. 29% of victims had to cancel credit or debit cards - a year ago, only 17% of respondents told about it.

The 2021 phishing survey was conducted among 1,372 Avast users in Russia in July-October 2021.

Rubitech is the creator of the phishing site monitoring system

In November 2021, the Ministry of Digital Development signed a contract with the company Rubitech for the creation of a phishing site monitoring system. The winner of the competition proposed to implement the project for 128.3 million rubles with an initial (maximum) contract price of 132.2 million rubles. The contractor must complete the work by June 1, 2022. Read more here.

Mass appearance of fake public services sites

From October 18 to October 21, 2021, 48 domain names imitating the public services portal (gosusliga.ru, gosusluni.ru, etc.) were registered in the .ru zone. This was reported by experts from Infosecurity (a Softline company). Read more here.

Russians faced mass malicious mailing allegedly from the Federal Tax Service

At the end of September 2021, the Federal Tax Service (FTS) warned of a malicious mailing launched by attackers using the department's name.

"Since September 29, the Federal Tax Service of Russia has been receiving complaints about the receipt of suspicious letters. Unknown persons on behalf of the Federal Tax Service of Russia send messages to corporate mail addresses saying that it is necessary to provide documents. The text of the email is designed so that the recipient opens the attached file," the service said in a statement.

The Federal Tax Service recalled that the department does not send such messages and has nothing to do with these letters. Taxpayers receive notifications of accrued taxes either in personal accounts or by mail. In addition, the tax authorities do not send anything to the taxpayers' email addresses.


On September 30, 2021, Kaspersky Lab reported that the company's experts had recorded a malicious mailing on behalf of the Federal Tax Service: more than 11 thousand attempts to launch the malicious attachment were detected. It was also noted that the real department has nothing to do with this mailing.

According to Kaspersky Lab, the letter contains a password-protected malicious archive of about 20 megabytes; the payload is RMS-type software for obtaining remote access. The application uses IP addresses and a domain in the .ru zone; when connecting to command servers, ports 5651, 4443 and 8080 are involved.

Those who opened the attachment are advised to download an antivirus to the infected device, disconnect it from the network, restart it in safe mode, delete temporary files, run the scanner, remove the virus or move it to quarantine, then restart the computer and change passwords.

Kaspersky Lab products block this malware with the verdict Backdoor.Win32.RABased.[14][15]

Fraud using the domain of government agencies gov.ru

In July 2021, it became known about a new type of fraud with the domain of gov.ru government agencies - it is used to send phishing emails. This was reported in the administration of the RSNet network (Russian State Network, the Internet segment for the Russian authorities). Read more here.

1,500 false banks identified in Russia

On April 6, 2021, it became known about the identification of 1529 false banks in Russia following the results of the first quarter. This is 20% more compared to the first three months of 2020. This is evidenced by the data of BI.ZONE, a company specializing in information security technologies.

Fraudsters disguise themselves as real credit organizations and trick their victims into entering the logins and passwords of their real bank accounts or paying an advance commission to receive a service at a reduced price. As a disguise, attackers often copy the bank's corporate identity and change one or two letters in the legal name.

"As with Chinese fakes of famous brands," compared Sergei Afanasyev, vice-president of Renaissance Credit Bank, in a conversation with Izvestia.


The increase in the number of phishing sites of false banks is explained by the fact that this type of fraud is the cheapest and most widespread, said Yevgeny Voloshin, director of the company's expert services block. According to him, the attackers intensified in 2020 against the background of a massive transition to remote work and are not slowing down. On average, it takes 10 to 70 hours to block a phishing site, but in some cases restricting access to the resource takes several weeks.

In credit institutions, the publication confirmed an increase in the number of fake pages through which citizens are lured out of bank card data or information to log into the account of a credit institution. In addition, attackers earn on commissions or insurance that a person allegedly needs to receive services on favorable terms.

Tinkoff Bank reported that in the first quarter of 2021 the number of fakes of its site increased by 70% compared to the fourth quarter of 2020. Ivan Shubin, head of the information security service of the Elexnet group of companies (part of the ICD group), believes that the growth in the number of fake sites is associated, among other things, with the widespread spread of online loans in 2021.[16]

2020

Phishing campaign targeting Russian fuel and energy enterprises discovered

On September 24, 2020, it became known that the developer of information security tools Doctor Web had published a study of a phishing campaign aimed at Russian enterprises of the fuel and energy complex. The first wave dated from April 2020, and the last manifestations of activity occurred in September 2020. Read more here.

In the Russian Federation, a sharp increase in the number of phishing domain names of Russian banks was recorded

In July, a record was set for phishing among customers of Russian banks: 312 domain names appeared, which is more than in all previous months of 2020, combined, Kommersant reported in August. Since the beginning of 2020, the total number of such domains has been 618.

Two-thirds of the domain names were issued through Russian registrars, many in exotic domain zones such as .cf or .icu.

New phishing sites are arranged according to the same scheme. Fraudsters add one or more characters or prefixes "online," "cabinet," "vhod" and "login" to the official domain of the bank.

Such sites mimic the login pages of a personal banking account, with attacks targeting the corporate sector. After entering the login and password, the user is invited to download the browser plugin, under the guise of which the Trojan is delivered.
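The registration patterns described in this item and in the earlier item on fake public-services domains (official name plus an "online", "cabinet", "vhod" or "login" affix, the same name under a different TLD, or a name one or two characters away from the original, as in gosusliga.ru) can be checked mechanically against a feed of new registrations. The script below is an added example written for this page, not the Kommersant report's data or any registrar's tool; the protected domains and the candidate feed are constructed placeholders.

```python
"""Lookalike-domain detector: added example, not the Kommersant report's or any registrar's code.

Flags newly observed domain registrations that follow the patterns described above:
the protected brand name combined with an affix such as "online", "cabinet", "vhod"
or "login"; the same name registered under a different TLD; or a name that is one
or two characters away from the original (as in gosusliga.ru vs gosuslugi.ru).
All domains below are constructed placeholders.
"""
from typing import List, Optional, Tuple

# Legitimate domains to protect (constructed placeholders).
PROTECTED = ("examplebank.ru", "gosuslugi.ru")
# Affixes named in the report on the 2020 bank-phishing domains.
AFFIXES = ("online", "cabinet", "vhod", "login")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'online.examplebank.ru' into ('online.examplebank', 'ru')."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[:-1]), labels[-1]


def classify(candidate: str) -> Optional[Tuple[str, str]]:
    """Return (protected_domain, reason) if candidate looks like a lookalike, else None."""
    cand = candidate.lower().rstrip(".")
    if cand in PROTECTED:
        return None
    cname, ctld = split_domain(cand)
    for legit in PROTECTED:
        lname, ltld = split_domain(legit)
        # 1. brand name plus a prefix/suffix, joined directly, by '-' or as a subdomain
        for affix in AFFIXES:
            for sep in ("", "-", "."):
                if cname in (f"{affix}{sep}{lname}", f"{lname}{sep}{affix}"):
                    return legit, f"affix '{affix}'"
        # 2. exact brand name in an unexpected TLD (.cf, .icu and the like)
        if cname == lname and ctld != ltld:
            return legit, f"unexpected TLD .{ctld}"
        # 3. one or two characters substituted, inserted or dropped
        distance = levenshtein(cname, lname)
        if 1 <= distance <= 2:
            return legit, f"edit distance {distance}"
    return None


def scan(new_domains: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over a feed of new registrations; returns (domain, target, reason)."""
    hits = []
    for domain in new_domains:
        verdict = classify(domain)
        if verdict:
            hits.append((domain, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    # Constructed feed of newly registered names, as a registrar zone-file diff would give.
    feed = ["online-examplebank.ru", "examplebank.icu", "gosusliga.ru", "gosuslugi.ru",
            "vhod.examplebank.ru", "shop.example.com"]
    for hit in scan(feed):
        print(hit)
```

The edit-distance rule is deliberately capped at two changes: the report describes attackers adding "one or more characters", and a wider threshold on short brand names produces too many false hits on unrelated domains to be useful as a blocking trigger.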

Roskachestvo warned of a wave of fraud with phishing sites before the election

On June 19, 2020, Roskachestvo warned of a wave of fraud with phishing sites before the elections. The start date of voting on the adoption of amendments to the Constitution of the Russian Federation was nearing, and clone sites of 2020og.ru, the portal on changes to the country's basic law, began to appear on the RuNet. Domains with similar names and designs so far contained only information about voting, but the situation would undoubtedly change in 7 days when voting began, resulting in a wave of scams related to phishing sites.

"As of June 17, 2020, experts have discovered more than 10 similar domains: 20200g.ru, 2020og-ru.ru and others. Among domain names there are, for example, lk-gosuslug1.ru or rf-gosuslugi.ru, but so far it is impossible to unambiguously associate them with the topic of voting. On the other hand, suspicious sites appear that do not try to copy the domains of official portals, but play up the topic of voting in the name. For example, the sites golosovanie2020.ru or konstituciya-rf.ru," the TASS news agency reports.

Taking advantage of the inattention of users, fraudsters begin to collect personal data, with the help of which funds will be stolen in the future. How to prevent yourself from being deceived? The Center for Digital Expertise of Roskachestvo has prepared recommendations for protection against fraudulent phishing sites.

A few basic anti-phishing rules when handling emails:

  1. Be sure to check the address the letter came from. Scammers often try to make the addresses of their fraudulent sites very similar to the original ones, and on a quick look at the letter it may seem that everything is in order, but it is better to check the address, especially if the letter somehow departs from the usual style of communication with this correspondent (and letters that come from someone for the first time are always worth checking).
  2. Check whether the letter is impersonal. Pay attention to whether the letter contains a name and to whom it is addressed. Sometimes scammers simply write "Hello" without the addressee's name; in other cases the addressee's email address is used after "Hello." This impersonal approach is another sign that a fraudster is most likely behind the email. Wrong grammatical cases (when the criminals are international) or mechanically constructed sentences are also a sure sign of phishing.
  3. Check the dates. Sometimes scammers forget to specify correct dates. For example, a letter invites you to an event whose time has already passed.
  4. Check the links. Almost always, scammers in phishing emails try to impersonate large companies and organizations. The letter may contain a link to a site whose design, as a rule, copies that organization. It is better not to follow such links (the click itself can already start a malicious process), but if the user has clicked through to the website believing it genuine, it is essential to verify that this is the company's real site. To do this, open a new tab, search for the organization, open its website and compare the URLs. Make it a rule not to follow links from letters but to enter the site address manually instead. If the user has an account on the site that supposedly has a new message, log in manually in the browser and check whether the message is really there. If it is not, the email was most likely sent by a fraudster.
  5. Check whether bank data is requested. Most legitimate organizations will not request bank or other personal data in a letter. Personal information includes things like a credit card number, PIN or card security code, the mother's maiden name, or any other answers to security questions the user may have set. If an email asks you to update or re-enter personal or bank information, it is almost always fraud.
  6. Pressure and emphasis on haste. Scammers try to apply pressure by urging the user to act right now or miss out on an offer. Do not rush; carry out all possible verification of the message.

"Once again, it must be emphasized that it is from the actions of the user (whether he falls for the phisher's "bait") that it depends in nine out of ten cases whether his phone or computer will be compromised (which is practically the same thing in the modern home digital ecosystem, when devices work within the same network). Advice: you need to be careful and check everything that comes, and not open everything on the machine."
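Most of the checklist above can be applied automatically before a letter reaches the reader. The Python checker below is an added example written for this page, not Roskachestvo's material: it parses a raw message with the standard library and reports which items fire (sender domain vs. the brand claimed in the display name, impersonal greeting, link text vs. link target, requests for card or PIN data, urgency wording). The brand, its domains, the keyword lists and both sample messages are constructed; the date check (item 3) is left out because it needs knowledge of the event being referred to.

```python
"""Heuristic phishing-email checker: added example, not Roskachestvo's material.

Automates five of the six checklist items above on a raw RFC 822 message:
1. sender address does not match the brand claimed in the display name;
2. impersonal greeting ("Hello," or a greeting containing the recipient's address);
4. link text shows one host while the href leads to another, or to an unknown host;
5. the text asks for card, PIN or other sensitive data;
6. pressure to act immediately.
Brand, domains, keyword lists and both sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands we expect mail from, with the domains they really send from (constructed).
KNOWN_SENDERS = {"example bank": {"examplebank.ru"}}
SENSITIVE = ("card number", "pin", "cvv", "security code", "mother's maiden name", "password")
URGENCY = ("immediately", "within 24 hours", "right now", "will be blocked", "last chance")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
GREETING_RE = re.compile(r"^(hello|hi|dear (customer|user|client))[,!]?$")


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _known_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d)
               for domains in KNOWN_SENDERS.values() for d in domains)


def _word(kw: str, text: str) -> bool:
    """Whole-word match, so 'pin' does not fire on 'shopping'."""
    return re.search(r"\b" + re.escape(kw) + r"\b", text) is not None


def analyze(raw: str) -> dict:
    """Return {'score': n, 'reasons': [...]} for a raw email; score 0 means nothing fired."""
    msg = message_from_string(raw)
    reasons = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domains in KNOWN_SENDERS.items():          # check 1
        if brand in display.lower() and sender_domain not in domains:
            reasons.append(f"display name claims '{brand}' but address is @{sender_domain}")

    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    text = re.sub(r"<[^>]+>", " ", body)                   # crude tag strip for the heuristics
    lowered = text.lower()

    first = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    if GREETING_RE.match(first.lower()) or "@" in first:   # check 2
        reasons.append(f"impersonal greeting: {first!r}")

    for href, anchor in LINK_RE.findall(body):             # check 4
        shown = _host(anchor.strip()) if anchor.strip().lower().startswith("http") else ""
        target = _host(href)
        if shown and shown != target:
            reasons.append(f"link text shows {shown} but leads to {target}")
        elif target and not _known_host(target):
            reasons.append(f"link to unknown host {target}")

    for kw in SENSITIVE:                                    # check 5
        if _word(kw, lowered):
            reasons.append(f"asks for sensitive data: '{kw}'")
            break
    for kw in URGENCY:                                      # check 6
        if kw in lowered:
            reasons.append(f"urgency wording: '{kw}'")
            break
    return {"score": len(reasons), "reasons": reasons}


# Constructed sample messages, not real mail.
SAMPLE_PHISHING = """From: Example Bank Security <security@examplebank-online.icu>
To: victim@example.net
Subject: Your account will be blocked
Content-Type: text/html; charset=utf-8

<p>Hello,</p>
<p>Your account will be blocked within 24 hours. Confirm your card number and PIN at
<a href="http://examplebank-online.icu/login">https://examplebank.ru/login</a>.</p>
"""

SAMPLE_LEGIT = """From: Example Bank <noreply@examplebank.ru>
To: ivan@example.net
Subject: Your monthly statement
Content-Type: text/html; charset=utf-8

<p>Hello Ivan,</p>
<p>Your statement for March is available in your <a href="https://examplebank.ru/statements">online banking</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", SAMPLE_PHISHING), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(sample))
```

The output is a list of reasons rather than a single verdict on purpose: in a mail gateway the score feeds a quarantine threshold, while the reasons are what an analyst or the recipient needs to see to judge the letter, which is exactly the manual procedure the checklist describes.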

According to a study by Positive Technologies, an attacker previously "requires any user action" to exploit 87% of vulnerabilities in mobile applications. As a rule, we are talking about phishing mailings and subsequent visits to suspicious sites via links from letters, instant messengers or SMS. Security is also weakened by factors such as elevating privileges in the mobile OS to administrative ones and installing applications not from the official App Store and Google Play stores.

Roskachestvo gave recommendations to combat phishing:

  1. Ignore all links and attachments in letters from unknown addresses. As a rule, such files, disguised as reports or unclear graphics, may contain serious malware.
  2. Make sure your anti-virus software is always enabled and updated to the latest version, as this provides an additional level of protection if the user still accidentally downloads a computer virus after clicking a link or opening an attachment.
  3. Regularly back up all important files. If all the lines of antivirus protection are overcome and the user loses important files, at least a copy of them will be safe. Store the copy physically on a separate disk or in the cloud (in this case, be sure to protect the files with a password).[17]

Raiffeisen Bank warns of new phishing scheme in e-commerce

Raiffeisen Bank analyzed the activity of fraudsters in the e-commerce segment. According to the bank, since January 2020, they have been more actively using fake web pages, involving gullible citizens in schemes related to "cheap buying" and "returning" money for goods at the largest ecommerce sites. This data is partially confirmed by the statistics of Kaspersky Lab - since the beginning of the year, the company's anti-phishing bases have been replenished with more than 4 thousand Russian-language phishing resources pretending to be well-known online stores.

Scammers use phishing pages that mimic the "payment services" of well-known e-commerce sites, luring buyers with the possibility of profitably buying, selling or returning goods. To do this, the "seller" in a personal message prompts the buyer to go to a page that imitates the e-commerce resource's payment page and asks for card data to be entered. After receiving the card data, fraudsters use it to pay for online purchases, try to withdraw funds using a card-to-card transfer, or sell it on the darknet.

To lull vigilance, fraudsters use wording such as "the product has been transferred to the delivery service," explaining the refusal of a safe deal on the site itself and offering to make a "safe payment" / "safe deal" through the link sent in the message.

To protect yourself from scammers' tricks while shopping online, don't forget that:

  • Real online stores or ecommerce platforms always use the safe-deal principle;
  • Carefully evaluate the offer: if the product costs significantly less than in other stores, it is probably a scam;
  • Before buying, do at least a minimal check of the online store: study the site, read customer reviews and the information on the organization's TIN. Check how delivery from the online store is carried out, its timing, and whether there is a pickup point. For unknown sites, it is better to search for reviews on the Internet;
  • The use of the insecure http protocol instead of https should raise separate suspicion;
  • It is better to use a unique complex password for each of your accounts, even for online stores, and, where possible, configure two-factor login authorization. Do not use passwords from social networks and banking applications for online stores;
  • Before entering card data, check the name of the resource on which you enter them. Follow payment links only from verified resources. Open a separate card for online purchases and top it up with the required amount immediately before payment;
  • Enable alerts or regularly review card transactions in the bank's online application. This reduces the risk that an amount is written off unnoticed, as fraudsters often check the correctness of card data by making transactions for small amounts. It will also help prevent further charges by blocking the card in time.

Phishing scheme with courier delivery of online orders

On May 19, 2020, it became known about a new phishing scheme, which fraudsters began to actively apply during the period of self-isolation of Russians in the context of the COVID-19 coronavirus pandemic. We are talking about scams with courier delivery of online orders.

According to Group-IB, on free classified-ad services attackers create decoys - publications about the sale of goods at low prices. To bypass the protection of the message board, attackers at first contact the victim only through the service, after which they offer to move to a messenger to "discuss the purchase." They then find out the buyer's name, address and phone number, allegedly for delivery, and ask to fill out a form on a page resembling the sites of well-known courier services. In fact, this is a fake, and the bank card information goes to the scammers. The average check for one such "purchase" is about 15-30 thousand rubles.


It is noted that all members of the criminal community have their own roles. Some create phishing resources, hire "employees" and distribute stolen goods. Others post "decoys" on free classified sites and communicate with "customers," whom they call "mammoths." Still others call the victims and "con" them for a "refund."

Group-IB found almost 250 phishing resources operating under the scheme with fake courier delivery of goods ordered via the Internet. Experts uncovered the criminal group Dreamer Money Gang (DMG), which organized the phishing scheme through a Telegram bot. DMG's daily turnover exceeded 200 thousand rubles.

The revenue of another criminal group (its name is not given) has grown rapidly in recent months: in January the fraudsters earned 784.6 thousand rubles, in February 3.5 million rubles, in March 6.2 million rubles, and in April 8.9 million rubles.[18]

The number of fraudulent sites in Russia doubled in a year

By the end of March 2020, the number of fraudulent sites in Russia had doubled compared to the same period in 2019, and the number of visits to such resources increased 10 times, to 15 million. These data were provided by Kaspersky Lab on May 6, 2020.

The company's specialists identified about 10 thousand phishing sites on which money is lured out of Russians. The schemes vary. As a rule, users are promised a large monetary reward for passing a survey or participating in a vote. To receive the money, a person needs to pay a "commission" or "fixing payment." Usually this is a small amount of about 200 rubles. But the user will not see any payment, and the "commission" goes to the attackers. In addition, a person risks the safety of his payment information if he entered card data.


If each blocked attempt to go to a fraudulent page entailed the deception of at least one user, then the potential amount of damage in the first quarter of 2020 alone could exceed 3 billion rubles, according to Kaspersky Lab.

According to the company, the most attractive categories for fraudsters are banks, pension funds, celebrities and state lotteries, the latter of which began to be actively used by attackers at the beginning of this year.

In addition, state lotteries came to the attention of the attackers. Kaspersky Lab discovered 219 pseudo-lottery fraudulent resources on which swindlers ask to transfer money for winning. Attackers create phishing sites to collect personal data, send email and SMS links to them and ask users to enter personal data - passwords and card details, and then steal money from accounts.[19]

The Ministry of Internal Affairs and Group-IB detained the administrators of a fraudulent online service that traded fake passes

Employees of the Moscow Criminal Investigation Department, with the assistance of experts from Group-IB, an international company specializing in preventing cyber attacks, detained administrators of a fraudulent service that sold fake digital passes for the quarantine period for residents of Moscow and Russian regions. Group-IB announced this on April 27, 2020. In total, experts found 126 fraudulent Internet resources - sites, channels and groups in social networks, where fake certificates and passes are illegally sold. More than half of the services have already been blocked.

The first fraudulent schemes for the sale of electronic passes, according to Group-IB, appeared in late March - early April 2020, when the city authorities tightened requirements for self-isolation and limited movement around the city. By the decree of the mayor of Moscow, three official methods of free receipt of digital passes were established: online on the mos.ru portal, by phone +7 (495) 777-77-77 and by SMS to 7377. However, starting from April 13, Group-IB recorded an explosive increase in the registration of fraudulent services: sites, Telegram channels, VK, OK and Instagram accounts offering to buy pass certificates for the quarantine period at an average price of 3,000 to 5,500 rubles.

Experts of the Group-IB investigation department identified the administrators of one of the criminal groups, who offered through a popular messenger the purchase of passes for free movement in Moscow, St. Petersburg and Krasnodar. The fraudsters introduced themselves as law enforcement officers and in personal correspondence promised to help clients obtain passes, as they claimed, through a "gray scheme via the State Services portal." To obtain a fake pass, the swindlers asked for passport data and, if a pass for a car was required, its license plate. However, after receiving money on a bank card, the scammers deleted the chat with the victim and added the victim's phone to a "black list." Over two weeks of operation, the fraudsters made several transactions; the price of their services ranged from 2500 to 3500 rubles. As a rule, the victims were those who were especially worried about the restriction of movement and did not wait for the start of official registration of passes.

During the investigation, the detectives and Group-IB experts obtained evidence confirming the involvement of two residents of Moscow and the Moscow region, aged 19 and 23, in administering the service. Both suspects were detained on April 21 and gave confessions. A criminal case was initiated under Article 159 of the Criminal Code of the Russian Federation (Fraud). Mobile phones and laptops were seized during the search.

"Recently, fraudsters have been very actively using the topics of coronavirus, self-isolation and the introduction of access control in their schemes: fake mailings, calls on behalf of social protection, offers to buy digital passes. The danger is that victims, paying for a pass, can lose not only money and bank card details, but also personal information. Having received the passport data, fraudsters can take out a loan in the victim's name from microfinance organizations or issue a consumer loan," warns Group-IB Head of Investigations Sergey Lupanin.

As of April 26, 2020, Group-IB's Department of Innovative Brand and Intellectual Property Protection had discovered 126 fraudulent resources selling digital passes: 25 sites, 35 groups and accounts in social networks and 66 Telegram channels. Group-IB has already blocked 78 resources; the rest are in the process of being blocked. Monitoring work is ongoing.

Group-IB reveals fraudulent scheme under the guise of "Like of the Year 2020" award

On February 20, 2020, Group-IB announced that, together with Rambler Group, it had identified a multi-stage fraudulent scheme under the guise of a fictitious Like of the Year 2020 Season Award. As part of a large-scale phishing attack, users were invited to win a large cash prize for a randomly chosen like they set on social networks. In total, more than 1,000 related domains used in the attack were found.

"Like of the Year 2020" awards phishing

According to the company, in order to attract those wishing to receive the prize, fraudsters hacked the mail servers of one of the fiscal data operators (OFDs) and sent mass messages to RuNet users on behalf of the "Rambler team." Following user appeals to Rambler Group, the company conducted its own investigation and engaged Group-IB to respond to the incident.

CERT-GIB, the Group-IB Computer Emergency Response Team, revealed that the scammers used several attack vectors to lure users into participating in the Like of the Year 2020 award. In addition to sending mail messages, they delivered phishing messages through other channels, in particular by sending cash reward alerts to Google Calendar. Using common social engineering methods based on the desire to win, the fraudsters lured users' bank card data for a long time. The topic of the messages was in one way or another related to cash payments: recipients were congratulated on their victory in the competition and on a cash prize ranging from $100 to $2,000.

As a result of the events, the distribution under the guise of Rambler Group was stopped. For its part, Rambler Group contacted public mail services, warned them about the attack and asked them to proactively move fraudulent emails to Spam. As part of further work, Group-IB specialists managed to block most of the attack-related sites to which transitions from received letters and invitations were carried out. In total, the scheme has more than 1000 domains. As of February 2020, work on blocking continues.

File:Aquote1.png
We pay special attention to users for such phishing attacks. Most often, scammers hide behind well-known brands and companies in order to rub into the confidence of recipients, collect their personal data and use them for selfish purposes. Having received a suspicious letter, you should treat it with caution - do not follow the indicated links. Therefore, we advise in this case to contact representatives of the brand and clarify whether there was really such a mailing list.

said Ilya Zuev, Director of Cybersecurity, Rambler Group
File:Aquote2.png

File:Aquote1.png
We tested the "Like of the Year" scheme on desktop and mobile platforms: it is well built everywhere and at every stage is designed to inspire user confidence. This explains its long period of activity. Besides "Like," graph analysis reveals about 6 different fraudulent campaign scenarios with the same logic, including, for example, payouts from the non-existent "Video Blogger Fund," "Financial Protection Centers" and others. Between 100 and 350 domains are associated with each scenario. This is a fairly extensive infrastructure. In some scenarios, the e-mail addresses used for support and consultation were registered to Ukrainian phone numbers.

said Yaroslav Kargalev, Deputy Head of CERT-GIB
File:Aquote2.png

The "Like of the Year" attack has several distinctive features. As of February 2020, the use of Google Calendar in the Gmail service is a relatively new social engineering trend. With the calendar's default settings, such invitations are added to the calendar automatically, together with a reminder. Any Google Calendar user can send event invitations to other Gmail users even if they are not in the recipient's address book, and the victim receives an e-mail notification that the event was created. The key words in the content are: "bank, approved, payment of funds, program, reimbursement, receipt, agreed, federal, service, details," etc.
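The triage logic a mail or calendar gateway can apply to such invitations, as an added example that is not code from Group-IB or Rambler Group: it parses the iCalendar (.ics) invite, and flags an organizer not in the recipient's contacts, the lure keywords listed above, and links to domains outside a trusted set. The two invites are constructed; the keyword list follows the article, while the contact list and trusted link domains are assumptions for illustration.

```python
"""Triage of an iCalendar (.ics) invitation for the lure pattern described above.

Added example, not code from Group-IB or Rambler Group. The invites are constructed;
the keyword list follows the article, while the contact list and trusted link
domains are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed sample invite of the kind Gmail auto-adds to the calendar.
LURE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
UID:lure-0001@invite.example
ORGANIZER;CN=Rambler team:mailto:prize@rambler-team.example
SUMMARY:Payment of funds approved
DESCRIPTION:Your reimbursement has been agreed by the federal service.
 Confirm your bank details here: http://like-of-the-year.example/claim
DTSTART:20200215T100000Z
END:VEVENT
END:VCALENDAR
"""

# Constructed benign invite from a known contact, for comparison.
BENIGN_ICS = """BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
UID:sync-0002@example.com
ORGANIZER;CN=Colleague:mailto:colleague@example.com
SUMMARY:Weekly sync
DESCRIPTION:Usual agenda.
DTSTART:20200217T090000Z
END:VEVENT
END:VCALENDAR
"""

# Keywords from the article; contacts and trusted domains are assumptions.
LURE_KEYWORDS = {"bank", "approved", "payment of funds", "program", "reimbursement",
                 "receipt", "agreed", "federal", "service", "details"}
KNOWN_CONTACTS = {"colleague@example.com"}
TRUSTED_LINK_DOMAINS = {"calendar.google.com"}


def unfold(ics: str) -> list:
    """RFC 5545 line unfolding: a line starting with whitespace continues the previous one."""
    lines = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_event(ics: str) -> dict:
    """Pull the VEVENT properties needed for triage: organizer, summary, description."""
    event = {}
    for line in unfold(ics):
        name, _, value = line.partition(":")
        prop = name.split(";")[0].upper()        # drop parameters such as CN=
        if prop == "ORGANIZER":
            event["organizer"] = value.lower().removeprefix("mailto:")
        elif prop in ("SUMMARY", "DESCRIPTION"):
            event[prop.lower()] = value
    return event


def triage_invite(ics: str) -> dict:
    """Score an invite: unknown organizer, lure keywords, links off the trusted list."""
    event = parse_event(ics)
    text = f"{event.get('summary', '')} {event.get('description', '')}".lower()
    hits = sorted(k for k in LURE_KEYWORDS if k in text)
    links = re.findall(r"https?://\S+", text)
    untrusted = [u for u in links if urlparse(u).hostname not in TRUSTED_LINK_DOMAINS]
    unknown_org = event.get("organizer") not in KNOWN_CONTACTS
    score = len(hits) + 2 * len(untrusted) + (2 if unknown_org else 0)
    return {
        "organizer": event.get("organizer"),
        "unknown_organizer": unknown_org,
        "keyword_hits": hits,
        "untrusted_links": untrusted,
        "suspicious": score >= 4,
    }


if __name__ == "__main__":
    for label, ics in (("lure", LURE_ICS), ("benign", BENIGN_ICS)):
        print(label, triage_invite(ics))
```

The scoring threshold is deliberately simple; the point is that an invite from an unknown organizer whose only content is payment language plus a link to an unfamiliar domain is exactly what auto-add puts on the victim's calendar without any human having accepted it.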

"Like of the Year 2020" awards phishing

In both cases, clicking the link in the e-mail or invitation takes the user to the lure site. The screen shows the winning amount, for example $1,735, and, to build trust in the competition, the site also hosts glowing reviews from users who have supposedly already received their prize.

An "operator" then gets in touch to walk the user through the next steps. For greater realism, instead of a standard chat window with an avatar, the scammers use a video, with instructions shown in an adjacent window.

Next comes a redirect: this time the user is asked to enter a bank card number so the winnings can be transferred. Then comes the twist (the film term for an unexpected turn): the bank suddenly rejects the user's card. To resolve the problem, the user is offered a currency conversion, since payment can supposedly be made only in rubles, and must pay a small commission of about 270 rubles.

If the user agrees to pay the commission, the scheme culminates in a redirect to a site offering "secure" entry of card details (card number, expiry date and CVV) to pay the commission, on a page supposedly verified by every conceivable payment system.

It is here that the user's bank card data is stolen. In the "Like of the Year" scheme, a real payment gateway is used at the final data-entry stage: the fraudsters really do charge the "commission," but their main goal is the card data. Such collections of card details are typically sold later in card shops, or used to buy goods for resale.

To avoid falling victim to fraudsters, you need to know the basics of digital hygiene and keep that knowledge up to date. Below are Rambler Group's tips on how to recognize signs of phishing on your own and protect your account:

  • Be wary of messages and forms that ask you to provide personal data.
  • Turn off automatic adding of invitations and events to Google Calendar (Settings > Event settings > Automatically add invitations).
  • Do not click links sent in suspicious or unclear e-mails or via social networks.
  • Do not download or run attachments from e-mails you did not expect.
  • Carefully examine the addresses of the sites that links in e-mails lead to.
  • Enable two-factor authentication on all accounts where possible; this helps if the main password falls into the hands of hackers.
  • Update the operating system and application software promptly and install security updates.
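What "examine the addresses that links lead to" means in practice, as an added example that is not Rambler Group's code: the script below parses the links out of an HTML e-mail body and flags the patterns a phishing mailing relies on, namely link text that names one domain while the href points to another, a punycode (IDN) host that may be a homograph of a brand, a raw IP address in place of a hostname, and any domain outside a trusted set. The HTML body is constructed and the domains are placeholders; the trusted-domain set is an assumption standing in for the brands the recipient actually deals with.

```python
"""Where do the links in an e-mail really lead? Added example, not Rambler Group's code.

The HTML body is constructed and the domains are placeholders; the trusted-domain set
is an assumption standing in for the brands the recipient actually deals with.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a look-alike (punycode) host, a raw IP, and one genuine link.
SAMPLE_HTML = """<p>Congratulations! Your prize is waiting.</p>
<a href="http://xn--rmbler-6ve.example/claim">https://www.rambler.ru/prize</a>
<a href="https://93.184.216.34/login">Go to your account</a>
<a href="https://www.rambler.ru/">rambler.ru</a>"""

TRUSTED_DOMAINS = {"rambler.ru"}  # assumption
URL_LIKE_TEXT = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); production code would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(href: str, text: str) -> dict:
    """Flag raw IPs, punycode hosts, text/target mismatch and untrusted domains."""
    host = urlparse(href).hostname or ""
    reasons = []
    if is_ip(host):
        reasons.append("raw IP address instead of a hostname")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) hostname, possible homograph")
    if URL_LIKE_TEXT.fullmatch(text):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable(shown) != registrable(host):
            reasons.append(f"link text shows {shown} but points to {host}")
    if host and not is_ip(host) and registrable(host) not in TRUSTED_DOMAINS:
        reasons.append(f"{registrable(host)} is not a trusted domain")
    return {"href": href, "text": text, "reasons": reasons, "suspicious": bool(reasons)}


def analyse(html: str) -> list:
    parser = LinkCollector()
    parser.feed(html)
    return [assess_link(href, text) for href, text in parser.links]


if __name__ == "__main__":
    for verdict in analyse(SAMPLE_HTML):
        print(verdict)
```

The text-versus-target comparison is the check a human rarely makes on a phone, where the href is not visible at all; the same logic can be run on a mail gateway or in a browser extension before the click.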

2019

Kaspersky Lab described a corporate phishing scheme that imitates an employee appraisal process

According to Tatyana Shcherbakova, senior content analyst at Kaspersky Lab, a little-known corporate phishing scheme imitates the appraisal (attestation) of a company's employees. This became known on November 6, 2019.

According to her, Kaspersky Lab learned of this phishing method from its clients. Fraudsters send e-mails containing fake links to employees of various companies, including banks, inviting them to take a knowledge and skills assessment on a purported HR portal by logging in with their work e-mail login and password.

As a result, the fraudsters can gain access to corporate correspondence, including logins and passwords for databases holding customers' personal information, or to the databases themselves if those credentials are sent in clear text.

Alexey Golenishchev, Director of Electronic Business Monitoring at Alfa-Bank, agreed to call the described method a "new scheme" of corporate phishing, but one that falls within the broader practice of "sending fraudulent e-mails."

File:Aquote1.png
Previously, these were e-mails with virus-"infected" attachments, links to fake resources, etc. Obviously, the knowledge and experience of corporate computer system users is growing, including in terms of security, and fraudsters have to come up with new schemes
said Alexey Golenishchev
File:Aquote2.png

At the same time, the expert believes that the described scheme can indeed extract specific employees' corporate e-mail logins and passwords if the company does not pay due attention to external and internal IT security[20].

Silence group cyber attack on Russian banks under the guise of an invitation to the forum

On January 18, 2019, Group-IB announced a large-scale wave of malicious mailings by the Silence group in Russia. It was the largest attack since the start of the year, with more than 80,000 recipients: employees of Russian credit and financial institutions, most of them banks and large payment systems.

The mass attack began with Silence's phishing mailings on January 16. The malicious attachment was disguised as an invitation to the iFin-2019 forum. Read more here.

2018

Hackers under the guise of the Central Bank attacked Russian banks through phishing

On November 15, 2018, Kommersant reported[21][22] that the hacker group Silence had attacked Russian banks. Posing as the Central Bank of the Russian Federation, the attackers sent e-mails containing malware, styling the e-mails and documents after those the Bank of Russia itself sends out. According to experts, the hackers obtained samples of these documents by hacking into the mailboxes of bank employees.

Silence hacker group attacked Russian banks

That Russian banks had received a malicious mailing purportedly from a Central Bank mailbox was reported by Group-IB and confirmed by Kaspersky Lab. The hackers forged the sender's address but, as Kommersant put it, for some reason did not use SSL certificates to pass authentication. In total, according to Group-IB, the November mailing reached at least 52 banks in Russia and 5 abroad. The e-mails, titled "Information of the Central Bank of the Russian Federation," invited bankers to read a decree "On the unification of the format of electronic banking messages of the Central Bank of the Russian Federation" and to proceed immediately with executing the "order." To do so, the recipient had to unpack an archive.

Unpacking the archive led to the download of the Silence.Downloader malware, a tool used by the Silence group.
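The two checks a receiving mail gateway applies to a message of this kind, as an added example that is not Group-IB's or Kaspersky Lab's code: first, whether the domain in the From header actually passed authentication in the DMARC sense (an SPF or DKIM pass whose domain is aligned with the From domain), which is what catches a forged sender address; second, whether an attached archive hides an executable, including double extensions such as .pdf.exe. The message, its Authentication-Results header and all domain names are constructed placeholders and do not reproduce the real mailing.

```python
"""Two gateway checks for a message like the one described above: does the From domain
pass authentication in the DMARC sense (SPF or DKIM result aligned with the From domain),
and does an attached archive hide an executable? Added example, not Group-IB's or
Kaspersky Lab's code. The message, its Authentication-Results header and all domain
names are constructed placeholders.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_EXT = (".exe", ".scr", ".js", ".vbs", ".lnk", ".bat", ".cmd", ".ps1", ".hta", ".chm")

# Constructed headers as a receiving MX might stamp them: SPF passed for an unrelated
# envelope sender with no DKIM signature (spoofed), versus both aligned with the From domain.
SPOOFED_AUTH = "mx.bank.example; spf=pass smtp.mailfrom=bulk-sender.example; dkim=none"
ALIGNED_AUTH = "mx.bank.example; spf=pass smtp.mailfrom=cbr.example; dkim=pass header.d=cbr.example"


def build_sample(auth_results: str = SPOOFED_AUTH,
                 member: str = "Decree on message formats.pdf.exe") -> bytes:
    """Constructed message claiming to come from the regulator, with a zip attachment."""
    msg = EmailMessage()
    msg["From"] = "Bank of Russia <info@cbr.example>"
    msg["To"] = "treasury@bank.example"
    msg["Subject"] = "Information of the Central Bank"
    msg["Authentication-Results"] = auth_results
    msg.set_content("Please review the attached decree and proceed with execution.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ" + b"\0" * 62)  # fake PE header, inert
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Information_CBR.zip")
    return msg.as_bytes()


def parse_auth_results(header: str) -> dict:
    """'authserv-id; method=result prop=value ...' -> {method: {'result': ..., prop: value}}."""
    out = {}
    for clause in header.split(";")[1:]:
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out[method.lower()] = {"result": result.lower(), **props}
    return out


def from_domain_aligned(msg) -> bool:
    """A forged From header is caught when neither SPF nor DKIM passed for that domain."""
    from_dom = re.search(r"@([\w.-]+)", str(msg["From"])).group(1).lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    dkim, spf = auth.get("dkim", {}), auth.get("spf", {})
    if dkim.get("result") == "pass" and dkim.get("header.d", "").lower() == from_dom:
        return True
    if spf.get("result") == "pass" and spf.get("smtp.mailfrom", "").lower() == from_dom:
        return True
    return False


def executables_in_archives(msg) -> list:
    """List executable members of zip attachments, catching double extensions like .pdf.exe."""
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if part.get_content_type() != "application/zip" and not data.startswith(b"PK\x03\x04"):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            found += [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
    return found


def triage(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    aligned = from_domain_aligned(msg)
    execs = executables_in_archives(msg)
    return {"from_aligned": aligned, "executables": execs,
            "quarantine": (not aligned) or bool(execs)}


if __name__ == "__main__":
    print("spoofed:", triage(build_sample()))
    print("aligned:", triage(build_sample(ALIGNED_AUTH, "Decree.pdf")))
```

The alignment check uses strict (exact-domain) matching for brevity; DMARC's relaxed mode accepts a subdomain of the From domain, which is a one-line change to the two comparisons. Note that the check only has value if the gateway trusts its own Authentication-Results header and strips any such header arriving from outside.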

File:Aquote1.png
The style and design of the letter are almost identical to the official mailings of the regulator, Group-IB said. Most likely, the hackers had access to samples of genuine messages.
File:Aquote2.png

Group-IB believes that to obtain these samples the attackers either hacked bank employees' mailboxes or had previously done legitimate work: penetration testing (assessing the security of computer systems by simulating hacker attacks) and reverse engineering (recovering how a program's code works). This is why they are well versed in financial-sector document flows and the operation of banking systems, according to Group-IB.

A similar attack had been recorded earlier, on October 23. Then, purportedly from the address of FinCERT (the Central Bank's cybersecurity unit), banks received an e-mail with attachments styled as regulator documents that contained malware, the Meterpreter Stager loader. Self-signed SSL certificates were used for the command and control of that attack.

The server infrastructure used by the attackers had previously been used in attacks attributed to the MoneyTaker group.

File:Aquote1.png
Silence and MoneyTaker are two of the four most dangerous hacker groups posing a real threat to international financial organizations, says Rustam Mirkasymov, a cyber intelligence expert. Hackers from MoneyTaker use every possible attack vector against banks, while Silence is less inventive and uses only a reliable, proven method: phishing e-mails. But, unlike their colleagues, they pay more attention to the content and design of the text of the letters.
File:Aquote2.png

File:Aquote1.png
The attackers use a well-known and still very effective method: they gain access to the internal banking network and gain a foothold in it, Sergey Golovanov, a leading antivirus expert at Kaspersky Lab, explained to Kommersant. For a long time, the cybercriminals study the network's internal infrastructure and record the screens of bank employees' machines.
File:Aquote2.png

After analyzing how the bank's internal software is used, the hackers transfer funds out of the bank.

Silence is a small Russian hacker group first recorded in 2016. Experts believe it is behind attacks on ATM management systems, card processing and the AWS KBR, the Bank of Russia's interbank transfer system. The group attacks targets mainly in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan.

The daily number of successful phishing attacks in Russia has grown to 1274

On October 9, 2018, Group-IB presented a report on cybercrime trends; its key findings are summarized below.

Attacks on bank customers

Web phishing is a method of theft that grew in both Russia and the international market in 2018. The number of groups creating phishing sites for Russian brands grew from 15 to 26. In Russia, the total number of successful phishing attacks per day rose to 1,274 (from 950). Web phishing was used to steal 251 million rubles in Russia, 6% more than in 2017.

In the international market, unlike the previous period, first place went to phishers targeting cloud storage rather than the financial sector. By volume of phishing sites worldwide, the USA ranks first (80%), France second and Germany third. According to the Group-IB report, 73% of all phishing resources fall into three categories:

  • cloud storage (28%),
  • financial (26%),
  • online services (19%).

Bank card fraud remains among the most dangerous threats to individuals: the limited adoption of behavioral analysis of transactions leads not only to direct losses but also to growth of the card shop business. About 686,000 sets of compromised card details and 1.1 million dumps are uploaded for sale to card shops worldwide every month. The total carding market for the period under review amounted to $663 million.

The decline in PC banking Trojan threats in Russia, under way since 2012, continued. Attacks on individuals are a thing of the past, and damage to legal entities fell by another 12% over the reporting period to 547,800,000 rubles ($8.3 million).

After several years of growth, the Android Trojan market in Russia has stalled, though it continues to develop worldwide. The number of daily thefts using Android Trojans in Russia has almost tripled, while the average theft has shrunk: 11,000 rubles in 2017 versus 7,000 this year.

On the international market the situation is radically different: during the analyzed period, 6 new PC Trojans were identified, and 5 more were leaked or put up for sale.

Sabotage and espionage are the main goals of pro-government hackers

The focus of development and innovation in creating complex malware and conducting multi-stage targeted attacks has shifted from financially motivated cybercriminals to pro-government hackers. Their actions aim to secure a long-term presence in the networks of critical infrastructure facilities in order to sabotage and spy on companies in the energy, nuclear, commercial, water, aviation and other sectors.

The top 3 countries of origin of the most active pro-government hacker groups are China, North Korea and Iran. Espionage remains the key focus of state-sponsored groups. Over H2 2017 - H1 2018, the Asia-Pacific region (APAC) was the most actively attacked by hackers from various countries: 21 different groups were active there during the year, more than in the United States and Europe combined. Another espionage vector noted by Group-IB is the hacking of the home and personal devices of state officials.

The Group-IB report describes about 40 active groups, but there are many more. They are sponsored by various states, including North Korea, Pakistan, China, the United States, Russia, Iran and Ukraine; the country affiliation of some groups has not yet been established. As a rule, the groups or government campaigns discovered have existed for several years but for various reasons went unnoticed. The report's section on attacks on critical infrastructure reaches a disappointing conclusion: the APT threat landscape characteristic of each region is constantly changing, and hackers are trying to use widespread tools, including penetration-testing tools, which complicates researchers' work. The absence of data on detected attacks in a particular country or economic sector most likely means they are not yet known, not that they are absent.

The financial sector is again under threat

Traditionally, one of the most extensive sections of the report covers attackers' tactics and the damage cybercriminals cause to financial organizations. In 2018, the Silence hacker group came to light. Alongside it, the most dangerous groups for banks worldwide are MoneyTaker, Lazarus and Cobalt. They are capable of breaking into a bank, reaching isolated financial systems and withdrawing money. Three of the four groups are Russian-speaking.

On average, 1-2 banks in Russia are successfully attacked every month, with average damage per attack of 132 million rubles ($2 million). Group-IB experts state that the number of targeted attacks on banks for theft via SWIFT tripled over the reporting period. The average time to cash out an ATM using drops or mules is only about 8 minutes.

Other likely regions for cybercriminal organizations include Latin America and Asian countries, where their first targets will most likely be banks. Group-IB experts warn that collaboration between hacker groups, their use of legitimate tools and deliberate copying of each other's tactics will lead to numerous attribution errors.


Crypto industry

About 56% of all funds stolen from ICOs were stolen through phishing attacks. In 2017 and 2018, hackers' attention turned increasingly to cryptocurrency exchanges: a total of 14 exchanges were robbed, with total damage exceeding $882 million.

Cryptojacking (covert mining) as a form of fraud saw its greatest development in 2017-2018. After the release of the Coinhive covert-mining software, 7 more programs of this type appeared. Group-IB experts predict that the world's largest miners could become targets not only of cybercriminals but also of state-sponsored attackers. With some preparation, this could let them control 51% of mining capacity and take over a cryptocurrency. Five successful "51% attacks" were recorded in the first half of 2018 alone, with direct financial damage ranging from $0.55 million to $18 million.

Hacking technologies

If in 2017 security specialists' attention was focused on the WannaCry, NotPetya and BadRabbit epidemics, early 2018 showed that the next global source of information security threats is side-channel attacks and vulnerabilities in microprocessors from various vendors. The Group-IB report analyzes many examples showing the real danger of hardware "holes" and their key problem: none of these vulnerabilities can be quickly and effectively closed with software updates. That is why research into BIOS/UEFI vulnerabilities grows every year in proportion to the number of such threats used in real targeted attacks. At the same time, they become known through leaks rather than through the study of attacks: there are no solutions on the market that can effectively identify such threats.

Group-IB notes that finding vulnerabilities in BIOS/UEFI and developing working exploits for them are time-consuming and expensive processes, so few hackers are capable of such attacks; but this situation may change, which would fundamentally alter the approach to cybersecurity in the coming years.

Reducing the share of Runet in the total number of sites with phishing or malware

On July 5, 2019, Group-IB announced that by the end of 2018 the Russian domain zone had reached a record low in its share of toxic sites. This was reported by the CERT-GIB Computer Emergency Response Team, Group-IB's cyber incident response center. Although the number of potentially dangerous resources containing phishing or malware grew by 30% in 2018, RuNet accounted for less than 20% of such sites, whereas in 2017 the RU zone's share of toxic resources was almost 50% of all those blocked by CERT-GIB specialists. Experts also note that phishing is becoming cheaper and more sophisticated, but attackers are gradually leaving the RU zone. Users still open malicious exe files, and HTTPS is no longer synonymous with safety.

Group-IB noted that despite a 30% increase in the number of dangerous websites containing phishing or malware detected and blocked by CERT-GIB (from 4,264 in 2017 to 6,217 in 2018), domains in the RU zone have become less attractive to attackers: the number of dangerous domains blocked by CERT-GIB in RuNet fell by 40% compared to 2017. Attackers increasingly prefer the .com zone, where the number of toxic resources almost tripled in 2018, and are also more often choosing new top-level domains ("New gTLD": .online, .website, .space, etc.).

Group-IB reported that the Russian domain zone reached record levels for reducing the volume of toxic sites

This trend is explained, among other things, by the active work of computer incident monitoring and response teams and by the efforts of the Coordination Center for .RU/.РФ domains to create favorable conditions for competent organizations. With the expansion of the international partner network and the automation of malicious content detection, the average time from CERT-GIB's response to neutralization of malicious content fell by 20% in 2018 compared to 2017.

The total number of phishing resources across all domain zones, including RU, identified and blocked by CERT-GIB in 2018 increased by 44% compared to 2017, with average quarterly growth of 15%. In 2018, CERT-GIB suspended the operation of 4,494 sites used for phishing.

However, only 10% of these (458) were domains in the Russian zone, versus 27% in 2017. The number of resources distributing or controlling malware in the Russian zone also fell by 44% in 2018 compared to 2017. The total number of such resources identified and blocked by CERT-GIB stayed at the 2017 level: 1,736 web resources in 2017 and 1,723 in 2018.

2017

At the initiative of Sberbank, over 600 phishing domains and 1,300 sites with viruses were identified in Russia over the year

At the initiative of Sberbank's Cybersecurity Service, since the beginning of the year more than 600 domain names used for phishing attacks, about 200 fraudulent sites and more than 1,300 sites distributing malware have been identified and shut down in the Russian Internet space. Sberbank announced this on September 15, 2017.

File:Aquote1.png
We pay close attention to the fight against phishing, said Stanislav Kuznetsov, Deputy Chairman of the Board. However, identifying criminals' sites and taking the necessary action against them is only half the battle. The scammers' "fishing rod" catches gullible people who lack the skills to protect themselves from cyber fraud. That is why Sberbank's priorities are shifting towards preventive measures to raise the financial literacy of the population.
File:Aquote2.png

According to Sberbank, one of the most common phishing schemes works as follows: the victim receives a message with tempting or, conversely, frightening content, asking them either to send personal data (logins, bank card passwords) or to follow a link to a site where they again have to enter their data. More than 48% of Internet users who receive phishing e-mails respond to them and fall victim to criminals.

Since financial services, most of them online banks, are the number one target for phishers, Sberbank has developed a special program for representatives of the sector to raise their cyber literacy, including interactive courses followed by practical exercises in spotting the signs of phishing attacks.

Central Bank identified 481 fraudulent sites in 8 months

The report of the Center for Monitoring and Responding to Computer Attacks in the Financial Sphere (FinCERT) notes that "from January 1 to September 1, 2017, the Center sent information on 481 domains of various fraudulent themes for removal from delegation."

As a result, 367 domains were blocked by registrars. Among them were 84 sites offering P2P transfers that collected users' payment card data (cardholder name, number, expiry date, card verification code) for illegal purposes, 44 fake bank resources, 45 "insurance companies" and 39 financial pyramids.

Also blocked were 20 to 30 sites each of "airlines," online stores, "microfinance organizations," resources hosting malware, and platforms dedicated to financial fraud and the sale of bank card dumps (copies).

Coordination Center: phishing leads among types of malicious activity

In May 2017, 329 requests for removal from delegation of domain names were sent to registrars by competent organizations cooperating with the Coordination Center of.RU/.RF domains.

An analysis of the offending domains by type of detected malicious activity in the reporting period showed that domain names associated with phishing still lead (257 requests), followed by malware distribution (65 requests) and botnet controllers (7). Phishing has led the number of requests for 10 months running, with the exception of March, when it accounted for "only" 49% of all requests.

During the reporting period, 313 domain names were removed from delegation at the request of competent organizations. For 15 domain names, removal from delegation was not required, as the grounds for blocking were promptly eliminated (or the resource was blocked by the hosting provider).

AlfaStrakhovanie prevented the work of two fake sites for the sale of E-OSAGO

In 2016-2017, AlfaStrakhovanie twice faced attempts to create phishing sites that passed off their OSAGO (compulsory motor insurance) calculator as the company's own in order to collect customers' payment card data for subsequent fraud. The company fully supports the decision of the Bank of Russia's FinCERT and the Russian Union of Auto Insurers (RSA) to track sites offering fake E-OSAGO policies. Read more here.

2016

Central Bank received the right to block sites with malicious content

Internet sites with malicious content relating to the financial markets and the national payment system will be blocked on the basis of data received from the Central Bank, the Russian news agency TASS reported[23].

This is provided for in an agreement between the Bank of Russia and the Coordination Center for the National Internet Domain, the administrator of the national top-level domains .рф and .ru.

The Central Bank received the status of a competent organization, with the right to identify offending sites (sites distributing malware, resources with illegal content, phishing sites) and pass this information to the Coordination Center and accredited domain name registrars so that such resources can be blocked.

In addition, the Bank of Russia urged citizens to inform the regulator about unscrupulous sites located in the domestic domain space.

Russian cybercriminals refuse phishing in favor of skimming

Because of the measures taken to strengthen the security of mobile and online services, carding is growing in popularity. According to Izvestia, citing experts from Zecurion, attackers are increasingly stealing bank card data with skimmers installed in ATMs rather than through phishing.

From January to June 2016, carding accounted for 87% of all funds stolen from Russians; the remaining 13% cybercriminals "earned" through phishing. According to the experts, the number of crimes committed online fell by 3% compared to the previous year, while the share of offline crimes rose by exactly the same amount.

In January-June 2016, skimming brought income to attackers in the amount of 900 million rubles, while phishing - 140 million rubles.

The Bank of Russia wants to get the right to disable the domains of phishing sites

The Central Bank of the Russian Federation and the Coordination Center for the National Internet Domain (CC) are negotiating to grant FinCERT the right to disable domains in the national zones .ru and .рф whose sites are used to steal funds. The parties plan to sign the corresponding agreement by the end of this summer, according to media reports.

This concerns the disabling of phishing sites that let attackers obtain bank customers' card numbers and other confidential information. Once the agreement is signed, FinCERT will have the authority to have domains used for phishing, card data theft or forged pages of financial and credit institutions removed from delegation. According to the publication, the Central Bank is already working to remove the delegation of domains whose sites are used for phishing attacks.

According to Internet Ombudsman Dmitry Marinichev, granting the Central Bank the right to disable phishing sites is the right initiative, since the regulator has up-to-date information about embezzlement of funds via the Internet. The appointment of the Central Bank by a competent organization will reduce the risk that someone "will get on the money," Marinichev said.

2014: APWG: The number of phishing incidents in the Russian Federation is decreasing

According to the Anti-Phishing Working Group report for Q1 2014, phishing-related incidents in the Russian Federation are decreasing. The share of IP addresses located in Russia from which fraudulent activity was carried out fell significantly, averaging 1.6% in Q1 2014 against 15.3% in the same quarter of 2013.

Phishing-related cybercrime has evidently shifted its geography after meeting strong resistance in Russia. At present, the surge in incidents by geography falls on the United States, Turkey and China. Group-IB, however, believes this is temporary and that cybercriminals are preparing to strike again soon.

That Group-IB has dealt a blow to cybercriminals is shown directly by CERT-GIB's analysis of its work for the first halves of 2013 and 2014. In the first half of 2014, CERT-GIB specialists processed 52% fewer requests: 1,537 in 2013 against 800 over the same period in 2014. Phishing incidents fell by 70%: from 762 in the first half of 2013 to 235 in the same period of 2014. The link between the number of incoming requests and the share of phishing incidents is thus more than obvious. Group-IB stresses that this is a temporary phenomenon: the financial sector in Russia remains an object of heightened interest for cybercriminals.

The volume of funds in payment systems is growing steadily; banks, in turn, are constantly improving their online services, thereby attracting ever more users, whose personal data attackers need like air. The company warns against lowering one's guard in information security matters: that cybercriminals are preparing a new blow is obvious and quite predictable. The victory in this round of the fight against cybercrime owes much to the competences vested in Group-IB by the Coordination Center for the national Internet domain, which include countering phishing, malware and botnet controllers.

Notes

  1. Phishing resources in 2023 massively moved to the zone.ru
  2. In 2023, the number of blocked phishing links in Russia increased 5 times
  3. The number of fraudulent sites in 2023 increased by 86%
  4. Fraudsters disguised themselves as the Investigative Committee
  5. Another scheme of fraudsters - document templates containing viruses
  6. St. Petersburg police detained a suspect in illegal access to computer information
  7. Belarus
  8. Telegram channel "Mash on the Moika"
  9. Hackers groped for growth point
  10. Bot almighty: scammers started using ChatGPT for phishing
  11. Alarming click: the number of phishing sites has tripled over the year
  12. Fraudsters create fake car sharing sites in Russia to steal data
  13. the Ministry of Digital Development and Roskomnadzor.
  14. Federal Tax Service of Russia warns of fraudulent mailings on the Internet
  15. Russians are faced with mass malicious mailings allegedly from the Federal Tax Service
  16. Present the details: in 2021, 1.5 thousand false banks appeared in the Russian Federation
  17. Roskachestvo warned of a wave of fraud with phishing sites before the election
  18. Cyber ​ ​ fraudsters engaged in the delivery of goods
  19. Sign of trust: Russians have become 10 times more likely to click on the sites of scammers
  20. Kaspersky Lab spoke about the new phishing scheme
  21. Hackers under the guise of the Central Bank attacked Russian banks
  22. Kommersant, https://www.kommersant.ru/doc/3800158
  23. Central Bank will help block sites with malicious content