RSS
Логотип
Баннер в шапке 1
Баннер в шапке 2
2024/12/02 17:09:51

Phishing in Russia

Content

Main article: Phishing

Phishing sites in Russia

Main article: Phishing sites in Russia

2024

Cyber ​ ​ attacks hit Russian government agencies using viruses disguised as "Google Tables"

The hacker group Cloud Atlas has begun using Google cloud services to carry out phishing attacks on Russian government agencies. This became known on December 16, 2024 from the data of Positive Technologies. Read more here.

Wave of cyber attacks on Russian companies engaged in business automation. They steal data from them

A series of targeted cyber attacks on Russian companies specializing in the sale and maintenance of business automation software. This became known in early December 2024. The attackers used the new BrockenDoor backdoor and the well-known malware Remcos and DarkGate to gain remote access to devices and steal confidential data.

According to the press service of Kaspersky Lab, the attacks began with phishing mailings on behalf of existing companies that create solutions for business automation. Attackers sent letters to organizations that implement, configure and maintain such products.

A
wave of cyber attacks hit Russian business automation companies

Artem Ushkov, a threat researcher at Kaspersky Lab, explained that the campaign attracted the attention of specialists due to the non-standard use of Right-to-Left Override, a special Unicode encoding symbol that allows you to replace the name and file extension.

The new BrockenDoor backdoor, called the Brocken Ghost, collected and transmitted information about the user, computer, operating system and files on the desktop to attackers. When the data of interest was detected, the hackers sent commands to run further attack scenarios.

According to the press service, experts have identified two infection options: through an executable file using Right-to-Left Override and through a malicious shortcut in the archive with documents. In both cases, the ultimate goal was to gain remote access to victims' devices.

Kaspersky Lab experts continue to monitor the development of the malicious campaign. The company has protected more than 1 billion devices from massive cyber threats and targeted attacks since it was founded in 1997.[1]

How cyber fraudsters cheat Russian importers by email

A new scheme of fraud with the substitution of suppliers' email addresses has become a serious threat to Russian importers. This became known on November 25, 2024. Attackers, using almost identical email addresses, intercept payments sent to foreign counterparties. Read more here.

Telegram users in Russia began to receive phishing links under the guise of free Premium subscriptions

A new fraud scheme using hacked Telegram accounts has been recorded in Russia. The first cases of sending phishing links were recorded on November 17, 2024. Attackers send phishing links, offering recipients a free one-year subscription to Telegram Premium. Read more here.

Massive phishing attack on Russian industrial companies revealed

Experts from the Solar Cyber ​ ​ Threat Research Center 4RAYS the Solar Group of Companies have discovered a wave of phishing campaigns using the SnakeKeylogger stiller virus. The targets of the attackers are large Russian companies from the field of industry, agriculture and power. The malware appeared back in 2020, but as of November 2024, experts observe the peak of its activity. The popularity of the virus is facilitated by its availability even for low-skilled hackers. Solar announced this on November 14, 2024.

SnakeKeylogger HPE is delivered to the victim's computer via phishing. Attackers send malicious letters from fake or compromised addresses of Russian and foreign companies. The subject line of the letter usually contains the following keywords: "Contract" or "Contract." And the letter itself contains a nested archive named "Contract.bz." Here is an example of such a distribution:

The archive contains the executable file "Contract.exe," which is responsible for the delivery and installation of HVEs in the victim's system. After completing its work, the malware sends all the collected data to the attacker.

SnakeKeylogger is a stiller, that is, an HPE aimed at automatically collecting credentials on an infected system. At the same time, SnakeKeylogge has many additional features. In particular, the virus has keylogger functions, that is, it can record keystrokes and mouse movements, is able to create screenshots and collect data from the clipboard.

SnakeKeylogger also has extensive functionality for stealing credentials from many popular browsers, mail clients, etc. Another option is to find and terminate the processes of various antivirus solutions, debuggers and other processes related to monitoring host and network activity, which makes it difficult to detect it on an infected system.

File:Aquote1.png
Despite its external simplicity, SnakeKeylogger poses a serious threat to corporate and personal cybersecurity. This malicious software is distributed by subscription on the dark web, which allows cybercriminals to purchase a ready-made tool for a fee without the need to write their own malicious code. Therefore, even the most prepared attacker can easily use SnakeKeylogger to collect credentials for various web services of the company and beyond. Despite the fact that the malware has some detection evasion functions, most modern antiviruses, when updating signature databases in time, detect it when trying to upload to the attacked system, "said Dmitry Marichev, an expert at the Solar 4RAYS Solar Group Cyber ​ ​ Threat Research Center.
File:Aquote2.png

To prevent infection and further develop the Snake Keylogger attack (and similar HPE), experts advise regular cybersecurity training for company employees, as well as use Secure Email Gateway solutions that prevent the delivery of phishing emails to the end user.

3 most common computer viruses in Russia

On November 7, 2024, it became known that Formbook became the most active malicious software in Russia, taking 40% of all phishing mailings in the third quarter of 2024. According to a study by F.A.C.C.T., the second place was taken by the DarkGate virus with a 15% share, and AgentTesla was in third position, whose presence decreased to 13.4%.

Formbook took the lead after a significant drop in activity by AgentTesla, which previously met in every second malicious letter. The main functionality of Formbook is aimed at stealing user accounts and personal data. DarkGate is a modular malware that combines the functions of data theft, remote control and cryptocurrency mining.

cyber security Yaroslav Kargalev, head of the F.A.C.C.T. Center, noted the rapid increase in the number of attacks using spyware using ON the Malware-as-a-Service model. According to him, the successful use of such malicious software provides attackers with opportunities to gain financial benefits through the sale of stolen data or causing reputational damage by publishing classified information.

The study found that 99.1% of malware is spread through attachments in emails. In 82% of cases, malware is in ZIP and RAR archives. To send malicious emails, attackers most often use the Gmail mail service, the share of which reached 55.3%. At the same time, the use of Russian postal services decreased to 23.3%.

The greatest activity of cybercriminals was recorded on Wednesdays - 22% of all phishing mailings occur on this particular day of the week. More than 97% of emails are sent from individual domains, while 64% of malicious mailings are carried out using the.com domain zone, 5.4% -.ru, and 3% -.net.

The number of phishing attacks in the Russian Federation increased by 425%

The growth in the number per phishing attacks Russia year amounted to 425%. As of October 2024, more than 22 thousand such resources have already been blocked. This was announced on October 28, 2024 by the press service of a member of the committee on State Duma of the Russian Federation information policy, information technology and communications with Anton Nemkin reference to the director of the subordinate. To Roskomnadzor Public Communication Network Monitoring and Management Center (SMU DMS) Sergey Khutortseva

File:Aquote1.png
Phishing attacks are popular with scammers because of their simplicity and high probability of success. Unlike other types of cyber attacks, phishing does not require deep technical knowledge from scammers. It is enough to create a plausible message or website, masquerading as a well-known company or organization in order to gain access to user data, he said.
File:Aquote2.png

File:Aquote1.png
Unlike other methods, phishing allows you to send a huge number of messages at the same time, for example, using spam mailings or social networks. This greatly increases the chance of success, even if only a small percentage of users fall for the trick. At the same time, the costs of such an attack are minimal, and the possible benefit is enormous: having gained access to accounts, fraudsters can steal money, personal data or use it for further attacks, Nemkin added.
File:Aquote2.png

File:Aquote1.png
Fraudsters develop new methods, for example, using social networks or mobile applications, and also adapt to current events. They can fake letters from government agencies, banks, delivery services and other popular services that users are used to. Therefore, even with the development of antivirus and security technologies, phishing continues to be one of the most effective and popular tools for scammers. Mechanisms to combat it are one of the key tasks under study by authorized departments, the parliamentarian said.
File:Aquote2.png

Among the most popular phishing schemes in recent years, fake emails from "banks" or "payment systems" can be distinguished. The user receives a letter, allegedly from his bank, with a warning about suspicious activity or a request to update his account data. Fraudsters create convincing copies of official messages and even copy the design of the bank's website in order to get logins and passwords from the victim. This helps to take possession of the account and gain access to money. Often, such letters create a sense of urgency so that the user reacts faster.

File:Aquote1.png
Another common scheme is fake parcel notifications from delivery services. The scheme is especially popular during sales periods, when people often order online. The user receives a message that his parcel has been delayed, and to receive it, you need to follow the link and confirm your personal data. Scammers disguise messages as well-known delivery services, adding fake track numbers and logos to take possession of personal information. Such a scheme works successfully, since many are waiting for delivery and rarely suspect about the threat, - said the deputy.
File:Aquote2.png

File:Aquote1.png
In social networks, many people monitor security less, so such schemes are a great success, especially among young users, "Nemkin emphasized.
File:Aquote2.png

Cybercriminals disguise malicious file as medical document

Angara Security on October 21, 2024 announced another phishing scheme.

Cybercriminals sent harmful file as a medical document. The opening of such a file is installed on the ON hackers computer user, which allows hackers to download data and manage the device.

For this phishing scheme, you cannot select a circle of people who will be targeted.

{{quote 'Criminals are interested in everything that attracts attention and can arouse interest from a potential victim. Even if a person does not expect any medical document, interest is likely to prevail anyway. Concern for their health and curiosity is inherent in any sensible person, therefore, regardless of the number of years lived or the region of residence of the victim, everyone is at risk, "said Nikita Leokumovich, head of the Angara Security cyber intelligence and digital forensics department. }}

A similar scheme is a letter from the "law enforcement agencies," which reports on the offense and proposes to send a list of documents to clarify the circumstances of the case. Fraudsters attach a file to a letter containing a "list" of necessary documents. In fact, this file is a malware loader.

Cybercriminals attack with such schemes, both individuals and companies. Their main goal is for the victim to open the document from the letter, and they gain access to the device using malware.

File:Aquote1.png
These schemes are dangerous in that they can provide an attacker with direct access to your device and files on it, and if the device is on a corporate network, then to this network too. The main risks are information theft, extortion, loss of access to infrastructure, data destruction, "explained Nikita Leokumovich, head of the Angara Security cyber intelligence and digital forensics department.
File:Aquote2.png

The rules for protection against this type of phishing are the same as against phishing in general: do not open unknown attachments, or check them using antivirus programs before opening, and also do not follow unknown or suspicious links from emails.

If phishing was successful, individuals need to disconnect their device from the network and enable antivirus software scanning. If possible, it is recommended to reinstall the system. If the attack occurred on the organization's device, then it must be disconnected from the network and immediately reported to the information security engineer.

Fraudsters in Russia began to steal data using postcards in instant messengers

In Russia, a new method of stealing user personal data through popular instant messengers has been recorded, in particular WhatsApp (owned by Meta, which is recognized as extremist in Russia; its activities are prohibited). This became known in September 2024 from a statement by cybersecurity experts. Attackers use malicious postcards and links to gain unauthorized access to personal information of citizens.

According to Газета.ru, the head of the analytical center of the company Zecurion Vladimir Ulyanov warned about the risk of receiving fraudulent messages on behalf of familiar users. The expert explained that criminals can gain access to other people's accounts and send malicious postcards on behalf of trusted contacts.

Data theft by scammers using postcards in instant messengers

Vladimir Ulyanov stressed that it is extremely difficult for an ordinary user to independently recognize a malicious postcard, since it can be a set of program code that is visually displayed as a regular image. At the same time, such a code is able to steal the recipient's personal data.

Dmitry Galov, head of Kaspersky GReAT in Russia, confirmed that online greeting cards can indeed contain phishing links. He also noted cases when, under the guise of archives with images or presentations, users received executable files (.exe) containing malicious software.

Experts recommend that messenger users be vigilant and not send suspicious postcards, as well as not follow unknown links in messages. Particular attention should be paid to informing older users about potential threats associated with sending images and postcards through instant messengers.

File:Aquote1.png
It is better not to forward anything. The task of active users is to teach people of the older generation, their parents that there is no need to send pictures, because they can be potentially dangerous, "Vladimir Ulyanov emphasized.
File:Aquote2.png

Experts also warn of the possibility of receiving messages asking them to vote for a relative or acquaintance, which may be part of a fraudulent scheme.[2]

More than a third of corporate emails contain spam and phishing

More than a third (34%) of incoming emails in Russian organizations contain spam, phishing links and malware. This conclusion was reached by experts from the Security Awareness (SA) cybersecurity skills management service of Solar Group based on an analysis of customer data from Secure email gateway (SEG) email protection services and Sandbox advanced threat protection. At the same time, hackers more often disguise malware as office documents in docx, xls and pdf formats. About this GC "Solar" reported on September 23, 2024.

According to SA experts, most malware is hidden in files with the doc/docx extension (53%), xls (26%) and pdf (15%). Less commonly, viruses can be found in exe (3%) and jar (3%) files. Masking as office files shows a wide threat landscape, as office applications are present on almost all users' computers, jeopardizing the security of almost every employee.

As for the most popular types of viruses sent by mail, in 76% of cases, employees of Russian companies face Trojans (viruses are disguised as legal software to gain access to the user's system), 14% - with rootkits (software for gaining control over a computer or network), in 8% - with other types of viruses, and in 2% - with backdoors (software for hidden remote control of an infected PC).

At the same time, viruses can hide in letters with a variety of topics - here are some fairly common examples:

  • Mailbox is full
  • List from vulnerabilities FSTEC
  • Shipping documentation
  • Payment order due
  • System error. Letter not delivered
  • Order of the Ministry. Urgent to read!
  • Pre-trial claim
  • New Account Details
  • Settlement Reconciliation Act
  • Copy of quotation

File:Aquote1.png
In the face of ever-increasing cyber threats, it is not enough to introduce only technical means of protection against cyber attacks. According to our data, 71% of complex cyber attacks start with email phishing. Even one click on a phishing link or an open office file with malware can jeopardize the infrastructure of the entire company. That is why it is important to form an integrated approach to information security, which includes not only technical means of protecting information, but also increasing the cyber literacy of employees to minimize the risk of the notorious "human factor," since security is unified and indivisible, "said Alexander Sokolov, head of Security Awareness of Solar Group.
File:Aquote2.png

Hackers began to steal data from Russian companies under the pretext of conducting "information security lessons"

On July 17, 2024, it became known that information security specialists had identified a new fraud scheme aimed at stealing confidential data from Russian companies. Attackers, posing as employees of government departments, send fake notifications about conducting "information security lessons" and under this pretext try to gain access to classified information of organizations. Read more here

Fraudsters in Russia began to create fake offers of remote work in IT companies

A new fraud scheme has been recorded in Russia: attackers publish fake job advertisements for remote work in IT companies through popular Telegram channels. This information was released on July 1, 2024.

According to the Jet Infosystems company, fraudsters post fake vacancies on Telegram channels with tens of thousands of subscribers, disguising them as real offers from employers. According to Kommersant, at least 35 similar ads were found from only one fraudulent account in various channels and chats.

Fraudsters create fake offers of remote work in IT companies

The scheme of the attackers is that they suggest that candidates fill out a Google form or contact the allegedly HR manager directly. After passing a fictitious interview, fraudsters, posing as accountants, are trying to obtain personal data of applicants and link the number of the allegedly corporate SIM card to their personal account of the bank.

Cybersecurity experts attribute the scheme's growing popularity to several factors. First, there is a common belief about high salaries in the IT industry. Secondly, there is an increased demand for remote work. Thirdly, many people are looking for additional sources of income amid rising prices.

According to the head of the Internet Search company Igor Bederov, this trend may continue for one to two years. The expert draws a parallel with another fraudulent scheme - FakeBoss, in which attackers impersonate company leaders.

Experts recommend that applicants be vigilant and check the authenticity of vacancies on the official websites of companies or on verified job search portals. It is important to remember that legitimate employers never request access to personal devices or bank accounts of candidates.

To counter such fraud schemes, experts advise strengthening measures to verify employers on online platforms to find work and increase user awareness of potential risks when looking for remote work in the IT sphere.[3]

Network scammers began to introduce themselves as a technical support service

Russia In discovered new scenarios of target, phishing attacks the key audience of which are employees of companies. Attackers present themselves as technical support specialists and send letters to employees containing. malware This was announced on June 24, 2024 by the press service State Duma of the Russian Federation Anton Nemkin of the deputy with reference to "."News

to data According to the company's specialists, R-Vision the attackers began to impersonate employees of technical support services of various companies. R-Vision analysts noted that a key goal of such attacks is to gain access to sensitive data. The company stressed that attackers use two main scenarios for this.

File:Aquote1.png
Attackers ask employees to follow the link to the allegedly new address of the service to check access to their projects. At the same time, fraudsters are asked to use corporate passwords, - said Igor Shvetsov, information security engineer at R-Vision.
File:Aquote2.png

Also, some employees are sent information about allegedly selective testing of the transition of users to a new algorithm enciphering one when working with mail.

At the same time, attacks by cybercriminals are targeted. Thus, letters are sent to specific users from a person who actually exists in the organization. In addition, attackers call real services that are used in the company.

File:Aquote1.png
This is due to their effectiveness. Speaking on behalf of a person who really exists in the company, as well as mentioning the corporate services existing in the organization, they increase confidence in such letters multiple times. The effectiveness of the strategy is also confirmed statistically - every tenth cyber incident is a consequence of the wrong actions of the staff, - said the deputy.
File:Aquote2.png

File:Aquote1.png
To do this, attackers only need to hack one account. According to market analysts, for the most part, the success of cyber attacks in 30% of cases is associated with weak passwords of company employees. This is the largest value in comparison with the rest of the categories. Therefore, creating complex passwords for corporate services, especially for e-mail, is extremely important. In addition, it is important not to use mail data for registration on third-party services, - said the deputy.
File:Aquote2.png

Fake applications of VTB and Tinkoff Bank appeared in the App Store, which steal user data

Fake apps have appeared in the App Store VTB Tinkoff Bank that steal user data. This was Ministry of Internal Affairs (Ministry of Internal Affairs) of the Russian Federation reported on April 10, 2024. More. here

In Russia, fraudsters began to send push notifications to smartphones in order to get data to Public services

In Russia, fraudsters began to send push notifications to smartphones in order to get data to Public services. The new cyber fraud scheme became known on March 25, 2024.

On this day, the Kommersant newspaper, with reference to the True OSINT Telegram channel (Open Source Intelligence), published an article stating the appearance of phishing sites masquerading as large telecom operators, where the subscriber is invited to allegedly verify the number. Criminals send push notifications to confirm passport data using a link leading to the site of the alleged operator, and then to the State Public services portal, where the victim is asked to enter the login and password to his personal account. If such a scheme is successfully implemented, swindlers receive data on access to Public services and information about users.

Fraudsters began to send push notifications to smartphones in order to get data to Public services

True Osint experts draw attention to the fact that fraudsters use the obtained data for targeted attacks through calls (fraud). Alexander Vurasko, head of the Solar Aura external digital threat monitoring service of the Solar group of companies, confirmed the growth of phishing attacks "allegedly on behalf of operators." The cybersecurity company Angara Security warns that such schemes pose a threat not only to subscribers, but also to telecom operators themselves: confidence in communication with the company decreases, respectively, the conversion from brand advertising messages falls.

Telecommunications operators, at the request of the publication, commented on the appearance in the Russian Federation of a new fraud scheme. MegaFon and MTS noted that such phishing resources are identified using their own anti-phishing platforms. Tele2 told Kommersant that "there is no significant increase in phishing fraud."[4]

Cyber ​ ​ group sends very convincing phishing letters to Russian industrial companies allegedly from government agencies

BI.Zone, a Russian digital risk management company, on January 30, 2024 announced a relatively new cyber campaign aimed at Russian enterprises. The group behind it, Scaly Wolf, is hunting for corporate data. Most of the targets of attacks are industrial and logistics companies from Russia. The last such attack was noted in January 2024. Read more here.

2023

The number of blocked phishing links in Russia has increased 5 times

According to Kaspersky Lab, in 2023, online fraud in Russia increased significantly. The number of phishing and spam links in the .RU domain zone, which the company blocked, increased more than 5 times compared to 2022. Kaspersky Lab reported this on January 22, 2024[5].

Trends in 2023. One of the most common targets of phishers in Russia during the year is people's accounts in instant messengers. Attackers often used them as part of multi-stage telephone fraud schemes and to carry out phishing attacks on users from the victims' contact list.

File:Aquote1.png
We see no prerequisites for phishing and scams to decline in the near future. On the contrary, attackers continue to develop their tactics and develop multi-stage schemes for luring data, for example, referring to the scope of the victim. Such attacks are much more complicated in cases where they begin with a message in the messenger allegedly from a friend or employee of the same area or are accompanied by fake voice messages, "said Sergey Golovanov, chief expert at Kaspersky Lab.
File:Aquote2.png

Also in 2023, the number of malicious links increased in Russia - 2.5 times compared to 2022. This category includes pages containing links to malware, as well as Internet resources necessary for malware to work.

Telephone fraud. The volume of telephone fraud remains at a consistently high level. So, in 2023, 43% of users of the Kaspersky Who Calls application received calls from unknown numbers with suspected fraud *. At the same time, the peak occurred in November - this month 18.5% of users received such calls. 94% faced various spam calls in 2023.

File:Aquote1.png
Attackers are constantly improving their tools and methods of persuasion, so solutions for protecting against telephone spam are becoming more and more relevant. They will tell you if the incoming call is unwanted. For example, our application warns that the number received complaints of fraud not only within the framework of "classic" calls, but also in the messenger. In general, it is important to remember that in no case should you call outsiders codes from SMS and push notifications, and if the conversation seems suspicious, immediately end the call, "recalled Vladimir Grigoriev, an analyst at Kaspersky Who Calls.
File:Aquote2.png

In response to current calls in 2023, the Kaspersky Who Calls solution introduced the functionality of determining numbers in WhatsApp (owned by Meta, its activities are recognized as extremist and banned in Russia). With its help, you can see from which organization a call is received (for example, from a delivery service or store), as well as identify and block spam numbers and calls with suspected fraud in the messenger.

New partner programs of fraudsters with draws and crypto investments revealed

On December 14, 2023, F.A.S.S.T., a Russian developer of technologies to combat cybercrime, announced that it had identified 10 active fraudulent partner programs since the beginning of 2023 to coordinate owners and distributors of links to scamming and phishing sites aimed at users from Russia. The most popular schemes among partners in 2023 are fake prize draws and crypto investments. One such program can bring about 4,300,000 rubles to the participants of the "partner community" every month.

Fig. 1. Fraudulent Partner Program Resource

As reported, a study by analysts at the Digital Risk Protection department of F.A.C.C.T. says that partner programs allow fraudsters to scale illegal businesses, attract more victims and increase profits by separating the tasks of attracting traffic, generating phishing pages, sending letters and messages. On special resources - shadow marketplaces and in closed Telegram channels - fraudsters purchase both ready-made phishing resources and page templates, blocks and forms for payment, as well as traffic for a share of the money stolen from victims.

According to F.A.C.C.T. Digital Risk Protection analysts, since the beginning of 2023, 10 large active partner programs have been identified aimed at potential victims from Russia. In general, about 87% of detected resources distributed in this way are directed to Russian-speaking users.

Fig. 2. Partner programs of fraudsters in numbers

Specialists at the F.A.C.C.T. have studied the infrastructure of several partner programs in detail. As of the summer of 2023, on average, 156 active offers were posted on the partner program platform, the maximum number of partners in one offer was 746.

For a month, participants in partner programs steal more than 17,400,000 rubles from victims for 23,500 payments. The "average check" is 740 rubles.

In one of the partner programs, launched in the second quarter of 2023, in the three summer months, profit tripled: from 908,000 rubles in June to 3,118,000 rubles in August.

The author of the offer (offer) registers the domain, creates fraudulent web pages with thematic design, places them on hosting. Then it puts up an offer with a created site on the partner program platform. Basically, fraudulent pages are devoted to lotteries with the choice of a box with a prize, investments in cryptocurrencies, especially "profitable" shares from marketplaces. Less common are offers to victims to buy a "beautiful" domain name for the site.

The Partner Program Administration reviews the hosted site and provides phishing forms or payment acceptance forms to add to the site.

Partners choose an offer, receive a referral link for distribution and attract traffic to this link in available ways - emails, messages on social networks, SMS and instant messengers, advertising.

As a rule, the partner receives an average of 60-90% of the amount of stolen money, and the author of the offer - 10-40%.

File:Aquote1.png
Despite the fact that partner programs have existed since at least 2018, such forms of illegal business have recently been especially popular with cybercriminals and continue to pose a threat to Internet users. If some "partners" close, their place is taken by other projects that are very quickly gaining popularity. The number of brands used in the schemes is actively expanding, causing both material damage to the victims of the scheme and reputational damage to the operated brands. Based on the growth dynamics, we predict the further expansion of "partners" and urge users to remain vigilant so as not to become an easy profit for attackers.

told Evgeny Egorov, leading analyst of the Digital Risk Protection department of F.A.C.C.T.
File:Aquote2.png

F.A.C.C.T. experts are reminded of the need to follow the basic rules of digital literacy:

  • Check the domain name of the site on which the user is located. Use Whois services to determine the date the domain was created. If a site pretends to be a popular brand but was created recently, it should be alerting.
  • Do not pay for goods or services or enter your personal data if you are not sure that the user is on a legitimate site.
  • Skeptical of advertising on the Internet. Even legitimate resources can host ads that lead to fraudulent resources.

To protect brands from reputational risks and the direct damage associated with their illegal use on fake sites, companies should use automated solutions that combine analysis of cyber intelligence data and machine learning capabilities .

Most phishing attacks help generate software from the darknet

More than 80% phishing of mailings are made with, software which attackers buy in. Darknet The most popular programs cost from 299, and rubles some are distributed free of charge. With their help, you can steal passwords and accounts. There are data also expensive programs that give access Telegram to the user and allow you to intercept keystrokes - their cost reaches $15,000. This was announced on November 21, 2023 by the press service of the deputy. State Duma of the Russian Federation Anton Nemkin

As the authors of the study, BI.ZONE Threat Intelligence, emphasize, as of November 2023, the threshold for entering cybercrime is greatly reduced - software purchased on the darknet allows using fraudulent tools for hacktivists and cybercriminals of any level. In addition, some proposals provide users with designers to create malicious software with the ability to access manage victims' accounts.

File:Aquote1.png
The proliferation of phishing emails with commercial malware ON is one of the easiest ways to gain initial access to the infrastructure. The shadow market for such products will grow and develop, - said Oleg Skulkin, head of BI.ZONE Threat Intelligence.
File:Aquote2.png

According to experts, in 2023, hackers used shadow software to attack more than 100 thousand companies. Among the most popular malware are AgentTesla, FormBook, White Snake, RedLine, Snake Keylogger, DarkCrystal, DarkGate. Free AgentTesla software is used, for example, in almost half of phishing mailings. FormBook is in second place.

File:Aquote1.png
For example, thanks to the well-coordinated work of authorized bodies, fraudsters can now be used less often Russian hosting to host fraudulent sites aimed at users from. RUSSIAN FEDERATION Because of this, they switch to hosting services in and, Netherlands which means USA the cost of servicing phishing resources is growing, since hosting abroad is usually more expensive. In total, in the first 9 months of 2023, the company F.A.S.S.T. identified 10.4 thousand phishing sites that were aimed at users from the Russian Federation. This is a year-on-year increase of 5%. Most often, users "come across" phishing resources under the guise of online services, banks delivery services social networks , and mail services, - said the deputy.
File:Aquote2.png

File:Aquote1.png
In particular, AI helps them maintain the illusion of meaningful dialogue with victims, as well as generate phishing emails, create deepfakes of voices, images and videos. In addition, as of November 2023, there are already generative neural networks that are created specifically for illegal activities - for example, WormGPT, which is designed to carry out phishing attacks and compromise corporate mail. It can be used even by an attacker who does not have any special competencies and at the same time create convincing fake letters, conduct prolonged attacks, "the deputy said.
File:Aquote2.png

Cybercriminals are 11 times more likely to use replaced letters in malicious emails

F.A.S.S.T. has recorded a sharp increase in attempts to bypass antispam solutions using homoglyphs - graphically identical or similar signs in malicious mailings. In the third quarter of 2023, the number of such letters was 11 times higher than in the same period in 2022. The most popular replacement letters among cybercriminals were E, O, C, A. The company announced this on October 31, 2023.

According to experts at the F.A.C.C.T. Cybersecurity Center, a sharp surge in substitutions in the symbols of themes and text in letters with a malicious attachment has been observed since early 2023. Thus, such a technique is used by the operators of the WhiteSnake styler, a malware for stealing credentials from browsers, applications and victims' crypto wallets. In August, the steeler was distributed under the guise of a letter from the investigator. Then employees of companies received letters allegedly with a request to testify in a criminal case. In fact, the newsletter contained an archive with malware.

On the one hand, the arrangement of homoglyphs allows cybercriminals and simply spammers to send out more letters, bypassing the built-in filters of mail services for outgoing messages and reducing the likelihood of operational blocking of the mail address from which the mailing was sent. On the other hand, malicious letters thus bypass antispam systems in incoming letters and can reach the addressees.

As a rule, attackers add Latin omoglyphs to letters in Russian. The most popular letters for replacements were E, O, C, A, while the use of special characters or other alphabets was not found. In letters from one malicious mailing, there may be various options for replacing letters.

File:Aquote1.png
Apparently, the old trick with omoglyphs works quite well. In 2023, we see a sharp surge in the use of letter substitution in Latin in malicious letters in Russian. - said Yaroslav Kargalev, head of the Cybersecurity Center F.A.S.S.T. - Such a simple trick can deceive an ordinary antispam system, and the recipient of the letter risks compromising his email, device or the entire network infrastructure of the company by following a phishing link or opening an archive with malware. And you can't do an automated email protection system against phishing emails so easily.
File:Aquote2.png

Spy virus apps revealed to steal money from lovers

On October 27, 2023, F.A.C.C.T. announced another version of the Fake Date fraudulent scheme. Now criminals are trying to steal money from the victim even before buying tickets to a movie or theater under the guise of paying for home Internet or ordering a taxi, while using fake mobile applications. In the fall of 2023, 6 fraudulent groups worked in Russia under the Fake Date scheme, the illegal earnings of only one of them in 10 days exceeded 6.5 million rubles.

The classic Fake Date scheme is as follows: under the guise of an attractive girl, a fraudster meets a potential victim on social networks or on a dating site and offers to spend a romantic evening in the theater, at a stand-up show, in an antikino, hookah bar or order dinner delivery. The victim receives a link to a phishing site, pays for "tickets," and money and card details are stolen by attackers. It happens that money is written off twice or three times - when buying a ticket for a "girlfriend" or issuing a "refund."

After this scheme became known in some detail, the scammers decided to change the mechanics. Now they steal money much earlier than going on a first date, and instead of phishing resources, they already use a mobile application with embedded spyware.

After interest and trust has already arisen between young people, the "girl" can suddenly disappear from the correspondence or her candid photos and videos will be uploaded for a very long time. It turns out that the beauty had problems paying for home Internet and the new gentleman will have to contribute a small amount.

The girl drops a link to the fake website of the service from which you need to download a mobile application. The spy program hidden in it is capable of intercepting the entered data of the bank cards and incoming SMS codes to steal money from the accounts of customers of Russian banks. Similarly, there is a scheme with a taxi order, which the young lady can also ask for her new acquaintance.

As of to data September 2023 Russia , 6 active fraudulent groups worked under the Fake Date scheme. Acting on a scheme with fake dates, only one criminal community in 10 days was able to receive more than 6.5 million rubles for 721 operations. The average amount stolen from one victim was about 9,000 rubles, despite the fact that one victim could have several write-offs in a row. For comparison, at the beginning of 2023, the 7 most active groups in Russia earned 5 million rubles for those wishing to go on a date (from February 12 to 14, February 21-23 and March 6-8).

File:Aquote1.png
In Russia, the classic Fake Date fraudulent scheme appeared back in 2018. And after the pandemic, with the advent of new tools for generating phishing sites and using card-to-card transfers, it is experiencing a "rebirth," said Evgeny Egorov, a leading analyst at Digital Risk Protection at F.A.C.C.T. - some groups of scammers earn twice as much on Fake Date as those who work according to the classic Mammoth scheme with payment for goods. This may be due to the fact that the dating scheme already uses more brands (Internetoperators, taxis, theaters, movies) for attack scenarios than through the sale of non-existent goods on message boards - only brands of two popular services are used there.
File:Aquote2.png

All "technical support" of Fake Date is still carried out through Telegram: here workmen (community members who attract victims to download a malicious application) receive a link to download a mobile application - an APK file, conduct their shadow online accounting, buy chat bots or "voicebooks" - pre-recorded audio and video messages on behalf of the girls.

Against such advanced cyber threats, brands can only protect themselves and their customers using automated solutions that combine cyber intelligence data analysis and machine learning capabilities. The F.A.C.C.T. Digital Risk Protection platform allows you to identify threats in the early stages of their occurrence and detect fraudulent resources even before attackers bring traffic there.

Users are reminded by F.A.C.C.T. experts of the need to follow the basic rules of digital literacy:

  • Do not transfer communication from ad service chats to instant messengers.
  • Do not follow links from strangers in instant messengers or mail.
  • Download only official applications that you independently found in the mobile application store, or on the legitimate website of the service.

Sticky Werewolf attacks state organizations of Russia and Belarus

The Sticky Werewolf group attacks state organizations Russia and. Belarus This was announced on October 13, 2023 by the company. BI.Zone

Sticky Werewolf gets access to the systems state of organizations in Russia and Belarus phishing using letters with links to. harmful files Commercial malware is used to create links. According to to data BI.ZONE cyber intelligence, Sticky Werewolf has been active since at least April 2023 and has implemented at least 30 by October 2023. attacks

Attackers create links for phishing emails using the IP Logger service. It allows you to collect information about clicked users: transition time, IP address, country and city, browser version and operating system. This helps Sticky Werewolf immediately conduct basic profiling, weed out systems that are not of interest to them, and focus attacks on the highest priorities.

In addition, thanks to IP Logger, the grouping can use its own domain names when creating links. This makes it difficult to recognize phishing, since the address does not look suspicious.

Links in letters lead to malicious files with the extension.exe or.scr, disguised as Word or PDF documents. Opening the file, the victim sees the expected content, for example: an emergency warning from the Ministry of Emergency Situations, a statement of claim or an order to eliminate violations. At this time, commercial NetWire RAT malware is installed on the device in the background. It allows attackers to collect information about a compromised system, receive data about keystrokes, video from the screen and webcam, record the sound of a microphone and perform other actions for the purpose of espionage.

NetWire is copied to a temporary folder on the device under the guise of a legitimate application. To further complicate its detection, Sticky Werewolf uses the Themida protector, which provides obfuscation - counteracting malware analysis.

Шаблон:Quote 'author=said Oleg Skulkin, head of cyber intelligence at BI.ZONE.

New Trojan under the guise of a delivery application steals money from Russians

The company's experts F.A.S.S.T. have discovered a new fraud scheme that involves installing Trojan programs under the guise of an application to order the delivery of popular, electronic engineers clothing or shoes. The company announced this in October 2023. According to researchers, bank customers both in Russia and have already suffered from the actions of fraudsters in September. In Belarus 10 days in September, using fake applications, attackers were able to steal almost 3 million according to the modified Mammoth scheme, rubles making 76 write-offs. The average check from one victim was 67 thousand rubles.

A new fraud scheme involving the installation of a Trojan under the guise of an application to order the delivery of popular electronics, clothes or shoes has been discovered

The classic fraudulent scheme "Mammoth" involves the design of a fake purchase and delivery of goods from popular marketplaces, real estate rental or joint trip. Usually, when the victim turns to them to clarify the details of delivery or rental, fraudsters offer to go to the chat platform or messenger, due to which they get out of the built-in protection mechanisms of the marketplace. There they offer to make payment for the delivery of the goods themselves using a specially prepared link allegedly to the bank's website.

In the modified Mammoth scheme, at that moment they ask you to download and install a special Android application, with which you can only order the corresponding product. Payment for the purchase is also carried out through this application, and this is where the bank card data and SMS notification from the bank are intercepted, which allows fraudsters to steal all the money from the victim's account.

According to the company F.A.S.S.T., at the end of the summer of 2023, 17 active criminal groups worked in Russia under the classic Mammoth scheme. In September, a new fraudulent community, Mammoth, was discovered, which uses Android Trojans in its attacks. Community members who attract victims to download a malicious application create fake ads for the sale of goods using a special Telegram bot and receive a link for downloading a mobile application in the form of an APK file, which is sent by attackers in the messenger. At the same time, the link leads to a fake site of the application store, that is, the victim's malware must be delivered independently from an untrusted source.

File:Aquote1.png
Sooner or later, old tricks cease to bring the desired income to scammers, and then they come up with new scenarios, decoys, change mechanics, - explained the emergence of new phishing modifications by the leading analyst of the Digital Risk Protection department of F.A.C.C.T. Evgeny Egorov. - We saw how fraudsters used phishing pages generated by Telegram bots in the Mammoth scheme, then they began to infect victims with steelers who stole password logins. Now one of the groups has begun to use mobile Trojans. Some users may decide that mobile applications similar to well-known services, as if from an official store, are unlikely to hide the danger - this is what the attackers rely on.
File:Aquote2.png

In order not to become a victim of fraudsters under the new scheme, it is recommended not to switch to communication in external messengers when buying expensive goods. Check the external links offered by the "sellers" before clicking on them, and it is better not to follow the links received from unfamiliar interlocutors at all. It is also worth downloading and installing applications only from official stores and not using ready-made links for this - it is better to search for the application in the search for the platform.

Spy Trojan disguises itself as letters from the Investigative Committee of the Russian Federation and steals passwords for Outlook, Telegram and crypto wallets

BI.Zone in October 2023 discovered a new malicious mailing of the spy Trojan White Snake, which now pretends to be a message from the Investigative Committee. For the first time, the same malicious code was discovered by the company in another phishing newsletter distributed on behalf of Roskomnadzor in August this year. Cases of the spread of such a malicious program under the guise of a commercial offer were also recorded.

White Snake Trojan Letter Example

White Snake is a spy Trojan (infostiler) that collects classified data on an infected computer through popular browsers such as Chrome and FireFox, and has the ability to collect passwords and credentials for client programs such as Outlook, Discord, Telegram and others. In particular, he steals secret addresses of crypto wallets that can be used to steal cryptocurrency. This is a commercial spy who for $140 allows you to organize a turnkey attack for any fraudster.

In the current version of the phishing attack, the victim received a letter allegedly from the Investigative Committee of the Russian Federation. The subject line of the letter included an indication of an alleged criminal investigation. For example, the headline could be: "Request in connection with the investigation of the criminal case No. 11091007706001194 of the Investigative Committee of the Russian Federation" or "Requirement in the framework of the investigation of the criminal case No. 11091007706011194 of the Investigative Committee of the Russian Federation." The letter was accompanied by a PDF file with an order to appear in the Investigative Committee and a password-protected archive. Moreover, the password for decryption was in the file name: "The requirement of 19098 of the RF IC from the PASSWORD 07.09.23 is 123123123.zip." If the victim unpacked the archive and clicked on a file called "List of legal entities and enterprises, tax evasion, claims and additional.exe," then the main body of the White Snake Trojan, which was fixed in the system and was already engaged in its black espionage activities, was launched.

In order not to get on the bait of intruders, you need to carefully look at the attributes of the correspondence. In particular, the sender's return address was specified in the mail.ru domain, although the Investigative Committee has its own domain sledcom.ru. In addition, you need to carefully look at file extensions by setting up your email client to display them. Clicking on executable files (with the.EXE extension) is extremely discouraged, although there may be malicious attachments in PDF and DOCX formats. It is better to open such files not with a full-fledged reader, but with a simplified reader with limited functions for the execution of built-in elements. In addition, you need to understand that encoded archives are often used by cybercriminals to hide malware from an antivirus program. Therefore, the requirement to unpack the archive can be a sign of malicious distribution. If you did do the actions indicated in the mailing list and suspect that your computer is infected, then you should contact the corporate information security service and check your system with an antivirus program. After treatment for malware, do not forget to change passwords for services, applications and crypto wallets.

Attackers steal blogger Telegram accounts under the guise of representatives of the partner program

Attackers steal Telegram accounts bloggers under the guise of representatives of the partner program. This was announced on September 28, 2023. "Kaspersky Lab

The attack begins with the fact that the blogger is allegedly written by a representative of a large company in the field of online retail and offers advertising cooperation. In the course of communication, attackers adhere to the standard business communication scheme for such interactions. The manager says that the blogger can choose any positions presented on the site, arrange unpacking for subscribers and post links to goods in his account. Further in the dialogue, the cost of advertising integration is discussed. If the blogger agrees to the terms and selects goods, the brand representative states that he sends them for approval with the management. Correspondence with a fake manager can last several days.

At a certain stage, the blogger is asked to register on the partner program website and send a link to the resource - of course, fake. It looks believable: it contains a logo, a description of the partner program and bonuses that its participants receive. On the phishing page, the blogger needs to specify the name, mail address, number of subscribers and channel coverage, as well as phone number. However, after that, the person is automatically redirected to a fake Telegram authorization form and asked to enter a one-time code to log into the Telegram account. In some cases, the need for such information is explained by the allegedly updated requirements of the advertising law. If a person enters this data, they will leave the attackers, and with their help phishers will be able to access the account in the messenger and all Telegram channels associated with it.

File:Aquote1.png
Some elements of this campaign indicate that it is targeted and aimed specifically at bloggers. Attackers can use stolen accounts to blackmail, post their content or further fraudulent schemes. Bloggers receive dozens of advertising offers a day, so they may not notice the trick. Attackers, in turn, develop legends in such a way as to lull the vigilance of potential victims, for example, refer to regulations and corporate policy. However, the request to transfer confidential data, which includes a password and a one-time code from SMS or push notification, should immediately alert, "said Olga Svistunova, senior content analyst at Kaspersky Lab.
File:Aquote2.png

In order not to fall for the bait of intruders, Kaspersky Lab experts recommend:

  • be critical of any messages and suggestions on the network;
  • configure two-factor authentication in Telegram;
  • do not click on links from questionable messages;
  • do not transfer confidential data to anyone, including passwords from accounts;

Russian clinics were subjected to mass mailing of letters from scammers

The Russian medical institutions have faced sending letters from scammers who Roskomnadzor demand on behalf of them to eliminate "violations" in the storage of personal data patients. To do this, they offer their services, thus trying to get full access to the sensitive. information This was announced on September 18, 2023 by the press service of the deputy. State Duma of the Russian Federation Anton Nemkin More. here

In Russia, use a non-standard scheme to steal credentials from e-mail

On September 7, 2023, it became known about a new non-standard scheme for stealing credentials from e-mail in Russia. She was told in Kaspersky Lab.

According to experts, in a phishing newsletter, attackers inform a potential victim about the need to verify an email account. However, they are asked to send the information they need (name, last name, login and password) by reply, and not follow the link to the phishing page for this. Otherwise, scammers threaten to deactivate the account.

Example of a fraudulent letter

According to Kaspersky Lab, the letters come from a certain "web mail hosting messaging center." The authors of the mailing list report that they are updating the database for 2023 and deleting all unused accounts. They strongly recommend confirming email and updating data - so they will allegedly know that the account is active and will not delete it. In the text of the message, attackers leave room to fill in the data. The recipient is frightened by the fact that since receiving the notification he has 48 hours to verify.

To arouse less suspicion, attackers issue some letters as technical: a notification code consisting of a set of numbers and letters is added to the subject of the letter, and "copyright" and the phrase "all rights reserved" are added to the signature.

File:Aquote1.png
We see similar letters, without a phishing link, but with a place to fill in the data, now exclusively in Russian. This is probably due to several factors. Firstly, it is becoming more and more difficult for attackers to create phishing sites in the domain zone of.ru. Secondly, it is simply cheaper to make a letter without a link to a fake resource. In some cases, such messages may cause even less suspicion among users: many know that you should not click on dubious links, but here they do not ask for it. In addition, such mailings are often harder to detect with security solutions, - said Roman Dedenok, an expert on cybersecurity at Kaspersky Lab.
File:Aquote2.png

Fraudsters write to Russians on behalf of law enforcement officers

In August 2023, the center for monitoring external digital threats of Solar AURA the company "" RTK-Solar recorded a mass phishing mailing on behalf of law enforcement agencies. RUSSIAN FEDERATION Using the domains most similar to the official domain names of the investigating authorities, fraudsters send letters demanding to familiarize themselves with the materials of the criminal case. For plausibility, attackers use real data citizens obtained from large-scale ones, leaks Solar AURA specialists have established. RTK-Solar announced this on August 30, 2023.

Mailings are carried out targeted: attackers take personal data of potential victims from previously leaked databases and turn to them by the name of the patronymic. In some cases, attackers also indicate passport data and registration addresses in letters. The numbers of criminal cases appearing in the text are real and received from open sources. All this creates the illusion of interaction with the government body and increases the chances that the recipient of the letter will launch a malicious program.

The data contained in phishing emails refers to large-scale leaks. In particular, it was found that the attackers took advantage of one of the leaks of 2022: then the total number of published records reached 30 million, including more than 6 million unique e-mail, among which 78 thousand belong to corporate domains. These facts explain the massive nature of the spread of phishing mailing.

The scheme used in this attack is not new and is extremely common. Attackers systematically use phishing emails to access sensitive data or inject malicious software. But this scheme has undergone some changes. Previously, attackers put malicious ZIP files directly into letters, but due to tightening security measures, such messages will now most likely be automatically filtered as spam. Therefore, instead of the usual attachments, attackers insert a link to the file sharing, through which, as expected, the victim will download malicious content. In this attack, it is disguised as a text recognition program.

File:Aquote1.png
It is important for citizens to remember that law enforcement agencies do not notify about procedural actions by e-mail. If you unexpectedly received a letter from state authorities in which you are invited to take any actions (download the file, follow the link, fill out the form), contact the relevant body for clarification using the contact details from its official website, - said Sergey Trukhachev, Deputy Director of the Solar AURA External Digital Threat Monitoring Center of RTK-Solar.
File:Aquote2.png

Fraudsters massively send letters to companies in the Russian Federation with "criminal cases" on behalf of the TFR

Fraudsters massively send letters to companies in the Russian Federation with "criminal cases" on behalf of the Investigative Committee of Russia (TFR). At the end of August 2023, the information security companies RTK-Solar and Kaspersky Lab spoke about the new scheme.

According to Vedomosti, using domains that are as similar as possible to the official domain names of the investigating authorities, they send letters demanding to familiarize themselves with the materials of the criminal case. Such a letter was received by an employee of the publication, in which the attackers write that the addressee is a witness in a certain criminal case, and asked to inform about the possibility of attending the court session in person. The sender of the letter was "Roman Anatolyevich Dvornikov, senior investigator of the Investigative Committee for Moscow," and the mail domain imitated the real mail of the investigative committee-mail - server1 - sledcom.org instead of sledcom.ru. Also attached to the letter was a malicious link that allegedly led to the case card, but in fact activated the malware.

Fraudsters massively send letters to companies on behalf of the TFR

Clicking on links from such letters will lead to downloading an archive with a malicious styler file from the file-sharing service, warned RTK-Solar, Kaspersky Lab and F.A.C.C.T. (formerly Group IB). This program steals user data - from the victim's browsers, applications and crypto wallets - and sends it to attackers, experts explained.

The distribution is carried out targeted, notes Sergey Trukhachev, deputy director of the Solar AURA external digital threat monitoring center at RTK-Solar. Fraudsters take personal data of potential victims from previously leaked databases, turn to the addressee by name and patronymic, sometimes indicate his passport data and registration address, use real numbers of criminal cases obtained from open sources. So swindlers create the illusion that the letter came from a real body of state power.[6]

The number of phishing domains that disguise themselves as Russian online cinemas and music services is growing on Runet

RuNet There is a growing number phishing domains that disguise themselves as Russian online cinemas music services - a round of activity cybercriminals in this area was discovered by experts on. According to cyber security Angara Security to data the company, content the number of fake services with video and music increased by 10 and 15%, respectively, compared to the same period in 2022. Angara Security announced this on August 23, 2023.

Most often, fraudsters fake kinopoisk.ru and ivi.ru resources - fake domains are formed by adding one or more letters to the name of the real service. If the domain is blocked, the owners immediately register a new one: in 2023, cybercriminals have already created several dozen similar sites. Angara Security analysts warn: most such sites lure visitors with online screenings of pirated films and can steal payment and personal data.

File:Aquote1.png
The trend to fake online cinema sites appeared during the pandemic, but then fraudsters sought to fake Netflix sites and only "mastered" the Russian "Kinopoisk," said Victoria Varlamova, Angara Security brand protection expert. - Now that the Russian viewer is cut off from the world's new films, it is very easy to attract him with the promise of an online show of the sensational Barbie or Oppenheimer. Moreover, modern phishing sites that our analysts discover mimic not only for legal streaming services, but even for well-known pirated video resources like Kinogo.
File:Aquote2.png

The most popular trap among fake music services was the fake "VK Music" - domains with this name are leading Angara Security analytics in studying phishing sites. Experts remind that all advertisements for a real service are marked with a tick on the official VK page, and registration or payment of a subscription must lead the buyer only to the official website of the service with a domain vk.com.

In the segment of digital services of electronic and audiobooks, the number of phishing sites decreased by 20% - experts explain this by the fact that Telegram channels have become the main channel for distributing books. In them, the number of fake resources has grown significantly: in the first half of 2023, about 5,000 phishing TG channels were registered, which is five times more than in 2022.

{{quote 'We note the migration of cybercrimes to Telegram, - said Victoria Varlamova. - This platform provides great opportunities for the distribution of video and audio content, while it is very difficult for copyright holders to track the distribution of pirated content. We have no reason to believe that the pace of cybercrime will decrease in the near future, so we urge online services to be more vigilant and improve measures to protect their users from phishing and fraud. }}

Document templates that contain viruses. The Central Bank of the Russian Federation announced a new scheme of fraudsters

On August 8, 2023, the Central Bank of the Russian Federation announced a new fraud scheme that uses document templates containing viruses. According to the regulator, fraudsters create fake websites of government departments and well-known reference and legal systems and publish infected documents available for download. Swindlers often use the SEO-poisoning method, which allows these sites to occupy the first lines in the search.

File:Aquote1.png
The user downloads the document, after which the remote access program is launched on his computer. With its help, hackers can remotely change bank details in company contracts - for example, with contractors or suppliers. Instead of the data of the real recipient of funds, they indicate their own, - reported in the Telegram channel of the Central Bank.
File:Aquote2.png

Central Bank announced a new fraud scheme that uses document templates

The Bank of Russia noted that, as a rule, the company's employees do not immediately detect viral software. Sometimes scammers block access to work computers, and they extort money for its recovery. In order not to become a victim of such scammers, the regulator recommends:

  • install and regularly update the antivirus;
  • Configure the prohibition to automatically install and run different programs.
  • pay attention to the address of the site - fake can differ from the official one with just one symbol. In addition, official websites of government agencies are usually marked with a blue circle with a tick;
  • be careful when working with sites, if their address bar does not contain a secure connection icon (locks)
  • downloading a document, pay attention to its format. Safe, pdf docx, xlsx, jpg, png.


In July 2023, Russian banks revealed a new fraud scheme that uses fake bank card photos. Attackers gain access to a person's account in the messenger and ask acquaintances to transfer money. For greater persuasiveness, scammers send photos of cards with the name of the desired person. Outwardly, the cards are similar to those of large credit institutions, but in fact the account is opened in another lesser-known bank.[7]

Cobalt Strike phishing attacks hit Russian companies again

Cyber ​ ​ intelligence specialists BI.ZONE have discovered large-scale attacks Lone Wolf groups aimed at, the Russian logistic production, financial organizations and companies from the sphere. retail BI.Zone announced this on August 4, 2023.

Attackers from Lone Wolf implemented at least four mass phishing mailings from July 21 to 28. Letters were sent to corporate databases e-mail addresses allegedly on behalf of JSC "," TAIF-NK DC "Motor Show 152," "Rusagro-Primorye" and OFAS of Russia on. Magadan region

In three of the four mailings, criminals notify the recipient of a pre-trial claim and demand to pay off the debt under the contract in a short time, including penalties for overdue payment. Otherwise, the attackers threaten to file a claim with the arbitration court. All documents showing indebtedness are attached to the letter. The fourth mailing list - allegedly from the Magadan OFAS of Russia - contains a copy of the resolution without additional clarification.

To understand the situation, the victim is in a hurry to see the attachments: in the identified mailings, the files were called Pre-Trial.doc, pp-as32-4783.doc, act.xls. When you open any of them, a chain of commands starts on the device, as a result of which attackers download Cobalt Strike Beacon software.

Cobalt Strike Beacon is a component of the Cobalt Strike solution. This is a commercial tool that penetration testers use to emulate the actions of attackers, and attackers use to solve problems at different stages of a cyber incident. Depending on the targets of the attackers, the launch of Cobalt Strike can lead to the theft of sensitive data or their encryption, and in some cases - to the theft of money from the accounts of the organization.

File:Aquote1.png
For quite some time now, tools like Cobalt Strike have been popular among various groups. They open up ample opportunities to achieve the target of an attack using a minimum of additional malicious tools or allow you to abandon them altogether. Moreover, Cobalt Strike is often used in companies for legitimate purposes, which significantly reduces the speed of detecting its suspicious activity,
said Oleg Skulkin, head of cyber intelligence at BI.ZONE.
File:Aquote2.png

Fraudsters hacked Uralsib social networks and posted phishing links there

On August 3, 2023, Uralsib Bank reported a massive cyber attack that hacked its social networks. In addition, the network resources of a number of other financial organizations were affected. Read more here.

Phishing emails on behalf of Roskomnadzor contain software for stealing company credentials

Experts from the cyber intelligence department BI.ZONE have discovered a phishing campaign aimed at Russian organizations. Under the guise of notifications from Roskomnadzor, attackers distribute the White Snake styler, a malware for stealing passwords and other data from an infected device. BI.Zone announced this on August 1, 2023.

Criminals send an archive with several files to corporate email addresses. The first document allegedly contains an official notification from Roskomnadzor. It reports that "during selective monitoring of activity, a visit to prohibited Internet resources was established," that is, the recipient of the letter violated law No. 255-FZ "On control over the activities of persons under foreign pressure."

In the same notification, the attackers demand "to immediately check the attached materials and give an explanation within two working days." Otherwise, they threaten to "take measures of an administrative and criminal law nature." All this is for the victim to quickly open the second file, that is, the White Snake styler.

The malicious ON White Snake allows attackers to retrieve saved files, passwords copy files, record keystrokes, sound from a microphone, video from a web, cameras as well as gain remote access to a compromised device and corporate systems. All information collected criminals are often resold after a while, so companies are not immediately able to feel all the damage caused.

If the listed styler functions are not enough for an attacker, he can use White Snake to download and run any malicious tools he needs. A subscription to a steeler costs only $140 per month, and unlimited access costs $1950.

Шаблон:Quote 'author=said Oleg Skulkin, head of cyber intelligence at BI.ZONE.

Phishing is one of the main ways to gain initial access during targeted attacks. To protect against it, you should use specialized solutions that block spam and malicious emails. If the company has already suffered from a cyber attack, it is necessary to promptly respond to the incident and investigation.

Hacker detained for stealing accounts of 130 Russians on the State Public services portal

In Ufa, St. Petersburg police detained a hacker from St. Petersburg who stole data from accounts on the State Public services portal from 130 Russians. The press service of the Ministry of Internal Affairs of Russia announced this on July 13, 2023.

According to law enforcement agencies, the attacker created several phishing sites on the Internet. Their appearance copied the official pages of various government agencies. When trying to use the services, citizens entered the data of their accounts registered on the Unified Portal of State and Municipal Services. Thus, the swindler gained access to other people's accounts and, changing passwords, used them to submit applications to microcredit organizations. The listed money was withdrawn through anonymous electronic wallets and cashed. After the limit on obtaining a loan was exhausted, the account was destroyed along with all information about its use, the Ministry of Internal Affairs said in a statement.

Police detained a hacker who stole data from accounts on the Public services portal

The investigator of the Investigative Department of the Ministry of Internal Affairs of Russia in the Krasnoselsky district of the city of St. Petersburg opened a criminal case on the grounds of a crime under Article 272 of the Criminal Code of the Russian Federation. The suspect was detained by police in the city of Ufa. During the search at the place of his temporary residence, 25 SIM-cards, means of communication, bank cards were seized.

File:Aquote1.png
Currently, the defendant has been taken to St. Petersburg, a preventive measure has been chosen against him in the form of a ban on certain actions. Operational-search measures are being carried out aimed at establishing all episodes of illegal activities, - said the official representative of the Ministry of Internal Affairs of Russia Irina Volk on July 13, 2023.[8]
File:Aquote2.png

XDSpy group attacked Russian organizations on behalf of the Ministry of Emergency Situations

On July 12, 2023, the center cyber security F.A.C.C.T. discovered on July 11, 2023, phishing harmful emails conducted by cyber espionage group XDSpy. A system for proactive search and protection against complex and unknown cyber threats F.A.S.S.T. Managed XDR has targeted mailings aimed at the Russian organizations, including one of the well-known research institutes.

In the text of the letter, the recipients are asked to see a list of company employees who "can sympathize with groups that destabilize the internal situation in Russia." The senders of the letter threaten that if there is no response, legal action will be taken against employees.

Under the guise of a decoy file Spisok_rabotnikov.pdf with a list of random people, a malware is downloaded that collects sensitive data and documents from the victim's computer.

XDSpy has used similar techniques before: in mid-March 2023, cyber spies attacked structures, and in MFA Russia October 2022 the Russian , organizations fake with subpoenas on behalf of them. Ministry of Defence

For the first time, the XDSpy group, which attacks the organizations of Russia and [9], was discovered by the Belarusian CERT in February 2020, although experts believe that the group itself has been active since at least 2011. Despite the long history of XDSpy, international experts have not decided in the interests of which country this group works. Most of the group's goals are in Russia - government, military, financial institutions, as well as energy, research and mining companies.

Fraudsters began to steal money from the accounts of Russians, sending messages with an offer to make money on the valuation of hotels

In Russia, fraudsters began to steal money from the accounts of Russians, sending messages with an offer to make money on the valuation of hotels. This became known on June 20, 2023. Read more here.

Fraudsters in Russia began to use ChatGPT in phishing attacks

Fraudsters in Russia began to use ChatGPT in phishing attacks. This was announced in mid-June 2023 by the managing director of Kaspersky Lab in the Russian Federation and the countries of SNGANNA Kulashova. Read more here.

Massive phishing email detected under the guise of mobilization documents

BI.ZONE on June 10, 2023 announced the fixation of the distribution of phishing emails. The attackers used spoofing, that is, they forged the sender's address: for the recipient, the letter looked like a message from government agencies.

The victims received letters with the topics: "Call for mobilization," "General mobilization 2023," "Reconciliation of documents Voenkomat," "Conscripts 2023 list," etc. Both the topic and the text of the message convinced the user to open the attached archive or download it from the link.

In the archive was, harmful file which installed trojan DCRat on the device. This ON allows attackers to gain full control over the compromised system.

Using DCRat, attackers take screenshots, record the sequence of keystrokes, receive the contents of the clipboard, etc. As a result, criminals may have logins passwords from corporate accounts,,, financial information personal data as well as other confidential information.

File:Aquote1.png
Even unprepared attackers achieve goals when they use topical topics and the human factor. Unfortunately, it is almost impossible to avoid such threats. Therefore, organizations must provide adequate protection against phishing attacks,
said Oleg Skulkin, head of cyber intelligence at BI.ZONE.
File:Aquote2.png

Protecting against such mailings is not a trivial task. Server email security settings will be ineffective without software add-ons, behavioral and signature analysis of emails. Therefore, it is important to use specialized security services that can weed out spoofing even before it reaches the recipient.

A group of cybercriminals who stole money from BlaBlaCar users for 1.5 years was liquidated in Russia

The Russian Ministry of Internal Affairs has liquidated the Jewelry Team, a group of scammers who stole money from Russians for a year and a half who decided to use the popular BlaBlaCar travel companion search service. This was reported on June 5, 2023 by F.A.C.C.T. (formerly Group-IB in Russia), which helped the department identify and detain cybercriminals. Read more here.

The number of phishing data theft schemes through Telegram in Russia has grown 67 times over the year

The number of phishing data theft schemes through Telegram in Russia increased 67 times over the year - from 7 in May 2022 to 470 a year later. This was announced at the end of May 2023 by RTK-Solar. Read more here.

Cyber ​ ​ fraudsters in Russia began to send fake letters on behalf of military registration and enlistment offices

Cyber ​ ​ fraudsters in Russia began to send fake letters on behalf of military registration and enlistment offices. This became known on May 10, 2023.

As the Telegram channel "Mash on Moika" writes, fake mobilization instructions for e-mail come, including to residents of St. Petersburg. Recipients of letters are urged to appear at the military registration and enlistment office on May 11, 2023 to clarify the data and register. At the same time, it is noted that a non-existent department is indicated as the sender of the mobilization order - "The Main Directorate of the Military Commissariat of the Ministry of Defense of the Russian Federation." There is also no appeal to the addressee by name and surname. According to the Telegram channel, these letters contain malicious software - a ZIP archive with a virus.

In addition, residents began to receive such letters, Amur region reports Komsomolskaya Pravda"." At the same time, in reality, the regional military commissariat does not send mobilization instructions by e-mail.

Close to Ministry of Defence Telegram the channel "War on Fakes" confirmed that the department does not send such letters - "Russia does not provide for the distribution of mobilization orders or subpoenas by e-mail."

By May 10, 2023, the only legal way is to personally present the order for signature. In the future, it is also planned to use the Public services portal to send subpoenas, but this notification system will not work until the fall of 2023.

According to WHOIS, phishing emails are sent to Russians from an address located on a domain from Britain. According to Kommersant, a file with the.exe extension is attached to the email. When you save it to your computer and open it, your device is infected with a virus. Presumably, we are talking about the so-called DarkWatchman RAT Trojan, which provides senders with remote access to the recipient's computer.[10]

Found 80,000 phishing emails sent using IPFS

According to data to, Kaspersky Lab"" attacks mail through phishers began to actively use Web 3.0 ― IPFS technology. The company announced this on March 30, 2023. Attackers place - in phishing HTMLfiles IPFS to reduce the cost of. hosting The attackers use this method for both mass and mass. In the targeted phishing attacks. first three months of 2023, the company discovered about 80 thousand letters in sent in Russia this way.

How attacks occur through IPFS. Attackers place HTML files with phishing forms in IPFS and use gateways as proxy servers so that victims can open the file regardless of the presence of an IPFS client on their devices. Attackers insert links to access the file through the gateway into phishing emails that are sent to potential victims.

The use of a distributed file system allows attackers to save on hosting phishing pages. You cannot also delete a file from IPFS that is hosted by another user or multiple users. If someone wants the file to completely disappear from the system, they may require their owners to delete it themselves, but this method is unlikely to work with scammers.

Features of phishing emails and links sent via IPFS. Usually phishing emails containing an IPFS link do not differ in originality - this is typical phishing, the purpose of which is to obtain a login and password from the victim's account.

Otherwise, the situation is with the HTML page, which is located on the link. The URL parameter contains the recipient's email address. If you change it, the content of the page will also change: the company logo above the phishing form and the email address entered in the login field. Thus, one link can be used in several phishing campaigns aimed at different users, and sometimes in several dozen campaigns.

File:Aquote1.png
Attackers have used and will continue to use the latest technologies for their own purposes. time Recently, we have seen an increase in the number of phishing attacks through IPFS - both massive and targeted. A distributed file system allows scammers to save money on buying a domain. Plus, deleting the file completely is not easy, although there are attempts to combat fraud at the IPFS gateway level. The good news is that spam anti-solutions detect and block links to phishing files in IPFS, like any other phishing links. In particular, Kaspersky Lab solutions use a number of heuristics aimed at detecting phishing through IPFS, - comments Roman Dedenok, an expert on spam analysis at Kaspersky Lab.
File:Aquote2.png

Fraudsters in Russia began to use ChatGPT for phishing

Scammers Russia in began to use ChatGPT for. phishing information security Specialists in the company told about this at the end of March 2023. According T.Hunter to experts, cybercriminals are actively using opportunities in AI order to increase the accuracy of texts, automate the process and increase the likelihood of deceiving users.

File:Aquote1.png
We record that the first phishing letters written using this software began to arrive en masse to users in March this year, "Igor Bederov, head of the information and analytical research department at T.Hunter, told Izvestia.
File:Aquote2.png

The first phishing emails written with ChatGPT appeared in March 2023

The expert is confident that due to the use of artificial intelligence, the number of victims of fraud will increase. The fact is that most phishing emails came from abroad, and poor translation helped people figure out scammers.

However, ChatGPT writes letters that are as close as possible to what people write. Scammers can only add a phishing link, and then send an email to millions of users.

The press service of Group-IB told the newspaper that the "problem" of many phishing emails written in Russian by foreigners is that they are illiterate, contain a lot of stylistic, spelling and grammatical errors. Online technical translation is also highly visible. Such "imperfection" reduces the effect that attackers want to achieve, since people do not trust illiterate letters and less often click on links.

According to the director of the Coordination Center for Domains.RU/.RFndrey Vorobyov, in the future it is possible to use ChatGPT in phishing chats, which are becoming more widespread. There, AI will be able to simulate live communication, allegedly with the company manager, arousing user confidence.[11]

2022

Fraudsters used the brands "Red and White" and "Dodo Pizza" to steal money from citizens

For July-August 2022, the RTK-Solar team "" discovered more than 2,000 malicious ones that were domains used by attackers for the massive phishing on behalf of the brands "" and Red and White"." Dodo pizza Under the pretext of receiving pizza or a bottle of wine for just 1 ruble card victim, she was tied to a non-existent paid service with regular debits. It is blocked for September 2022 attack , but in the coming months it is possible to reincarnate this scheme in a new form. The company announced this on September 12, 2022.

The identified phishing attacks were a continuation of the malicious campaign, the bursts of which are observed every 4-6 months, the specialists of the special services team Solar JSOC of the RTK-Solar company note. Thanks to interaction with registrars domains and regulators, it was possible to stop phishing activity in time, and operational communication with the one bank who connected it Internetacquiring helped to reduce the damage to users several times.

The current attack demonstrated the ability of fraudulent schemes to develop. As before, the attackers used the human factor: to receive a "prize," the victim was asked to independently send a link to the malicious site 10-20 to his friends in the messenger. This approach has significantly increased the effectiveness of fraudsters: a link from a friend causes much more trust than an impersonal mailing list.

The remaining elements of the attack were carefully redesigned. So, to disseminate information about the "action," not only instant messengers were used, but also specially created groups on social networks. It was they who launched a self-propagating chain of mailings about non-existent prizes.

Taking into account the experience of previous attacks, attackers took all necessary measures to make fake resources work as long as possible, and their detection and blocking were difficult. If previously sent messages usually contained a link to a static site, now it led to one of thousands of domains, which redirected the victim to a malicious resource through a constantly changing chain of intermediate sites.

File:Aquote1.png
Malicious domains had no brand binding - this is a set of generated character sequences in exotic.ml,.tk,.cf,.ga and.gq domain zones. Registration there is free and can be carried out through the API, that is, automatically. It is easy to find scripts in the public domain that allow you to register such domain names in batches, "said Alexander Vurasko, an expert in the direction of special services Solar JSOC of RTK-Solar. - But the most interesting thing in the new round of the scheme is directly the process of embezzlement of money. Entering the card data, the victim took out a subscription, in which 889 rubles were debited from her every 5 days. The money came to the account of a real legal entity in a bank from TOP-20. In most cases, such payments of the bank's anti-fraud system are not noticed, and the small amount was more than compensated by a large number of "subscribers."
File:Aquote2.png

To withdraw money, attackers registered more than two dozen domains on one day, on which they posted sites of the same type dedicated to online training for "burning fat." It was this course that victims of the attack, who left the details of their bank cards, imperceptibly subscribed to themselves. At the same time, fake fitness sites were as dysfunctional as possible: most of the options did not work, there was no detailed information about the subscription being issued, and the public offer, although it had information about the legal entity, was in fact legally null and void. All this once again proves that these sites were used exclusively as part of a fraudulent scheme with drinks and pizza.

As of September 2022, the peak of the attack passed. Malicious sites are blocked, mass mailings in instant messengers and social networks are not recorded.

Fraudsters have repeatedly increased activity using the names of well-known companies

On August 30, 2022, Group-IB announced that in the first half of 2022, an explosive increase in cases of online fraud using well-known brands was 579% compared to the same period in 2021. According to analysts at Group-IB Digital Risk Protection, which specializes in combating illegal use of brands, more than half of all sites discovered were linked to the use of a targeted fraud scheme - fake polls with draws of valuable prizes on behalf of well-known companies.

According to Group-IB estimates, to attract the attention of victims, attackers are already using more than 2,100 world brands and brands of companies from online retail, telecommunications, services, banking, etc. For comparison: at the end of 2021 there were only 120 of them. Most often, fraudsters promise users a large reward or a valuable prize for passing the survey, but in the end the victim herself loses money and bank card data. Group-IB estimates monthly user losses from targeted fraud in the world at $80 million (5.9 billion rubles) according to minimum estimates.

As part of this type of fraud, an individual, so-called targeted link is generated "for purpose," using the parameters of a potential victim (country, time zone, language, IP, browser type, etc.) Links are both reusable and disposable - which is why fraudulent resources are difficult to detect and block.

File:Aquote1.png
The reasons for such a rapid growth of online fraud under well-known brands in H1 2022 lie, as in the growth of cyber crime in general against the background of an unstable geopolitical situation, so the departure of popular brands and the appearance on the market of new ones - maybe not so well-known, but popular brands, - said Evgeny Egorov, leading analyst at Group-IB of the Digital Risk Protection department. - Another technical feature of scaling the scheme - to receive a "prize" you need to share a link with several friends through instant messengers, which causes more trust in the recipient and, accordingly, increases the effectiveness of the scheme.
File:Aquote2.png

In addition to the scheme with fake polls, in the first half of 2022, fraudsters used several dozen different scenarios of online scams, actively playing out the topic of sanctions and the termination of work in Russia of well-known international brands:

  • fraudulent schemes related to the sale of fake virtual payment cards in the App Store and PlayStation Store or the purchase of access to services that have left the Russian market - Spotify Premium, Pornhub, etc.
  • sale of goods from world brands that stopped working in - for example Russia , the Mammoth fraudulent scheme was replenished with an additional scenario for buying suddenly "scarce" goods from. IKEA
  • an increase in the activity of scammers operating in the field of lotteries - in the first half of 2022, Group-IB, together with Stoloto, discovered and blocked 18,709 resources that operated under the guise of popular state lotteries.
  • "Seasonal scams" are fake sites for booking hotel rooms and paying for motorway fares. Most of the resources appeared by the beginning of the vacation season. In the summer, more than 30 phishing resources were recorded copying popular Sochi hotels.
  • Since spring, amid instability in the financial market, there has been an increase in the number of fraudulent resources and online broadcasts dedicated to "profitable investments" in cryptocurrencies, investments in securities or withdrawal of funds from Russian banks to "secure accounts" abroad.

Group-IB recalled the basic rules that users should follow in order not to become a victim of scammers:

  • Due to the emergence of a large number of fakes and phishing resources aimed at well-known brands, customers should be especially vigilant, even downloading programs from official storks - the App Store and Google Play.
  • You should check the domain names of suspicious sites. Most often, attackers use domains consonant with popular brands. We need to use official applications.
  • When shopping online, you always need to check all the details of transfers and payments. No one can be informed of codes from SMS and push notifications, card data (PIN and CVV codes), personal data;
  • Do not follow suspicious links from unknown senders, fraudsters can infect a computer or phone and steal data.

The danger is that such types of online fraud carry risks not only for users, but also for businesses and brands that are illegally exploited by fraudsters. Once you lose money due to a fake brand, the user is unlikely to return to it.

To companies whose brands are a significant asset, in order to combat targeted fraud, experts recommend using high-tech products of the Digital Risk Protection class. The use of patented Group-IB developments for searching and tracking attackers, automated graph analysis and real-world tracking of time the attacker's infrastructure allow you to detect the entire network of fraudsters at once, blocking it, and not separate links to phishing and scam resources. Thus, 85% of violations related to any type of fraud are eliminated in pre-trial order, saving the resources of protected organizations. The company notes that the level of protection of Digital Risk Protection is checked by large brands, and if a user initiates litigation with a company whose brand was used by a fraudulent scheme, Group-IB is ready to shoulder all the costs.

Russian hackers launched a large-scale targeted phishing campaign

On May 3, 2022, it became known that the Russian hackers they had launched a large-scale targeted phishing campaign.

The APT29 group attacks diplomats and government organizations. Read more here.

2021

A significant increase in the share of phishing in the total volume of fraudulent attacks was recorded

On February 22, 2022, Kaspersky Lab and Raiffeisen Bank shared online fraud trends in 2021.

Illustration: zen.yandex.ru

In 2021, among the areas that fraudsters used in their schemes, Kaspersky Lab researchers highlight the use of the coronavirus topic, offers of easy earnings, including scams with draws and prizes allegedly from well-known brands, as well as the creation of a large number of fake pages payment systems. Raiffeisen Bank experts also note a significant increase in the share of phishing in the total volume of fraudulent attacks.

File:Aquote1.png
"We notice a significant increase in phishing compared to phone fraud over the past six months. In 2021, phishing attacks accounted for 35% of all fraud cases encountered by our clients - in 2020 this share was only 5%. Fraudsters fully automate their actions: the launch of phishing resources and their distribution on the network takes minutes. We monitor the emergence of such sites and block them, but it is also important for customers to remain vigilant, "-

commented Ilya Zuev, Head of Information Security at Raiffeisen Bank.
File:Aquote2.png

One of the topics that was relevant in 2021 was: investments banks other organizations purposefully promoted investment brokerage accounts. According to to data Kaspersky Lab, they did not malefactors stay away from this trend and tried to make their "investment projects" look especially tempting. To attract attention and gain the trust of potential depositors, fraudsters distributed ads RuNet on behalf of well-known businessmen and large companies. They proposed to contribute a small amount in order to time get a significant profit in return after some. In some cases, attackers emphasized the stability and lack of risks to the investor, as well as the status of the organization. To give solidity to the procedure, victims were asked to take a test or leave an application, and sometimes get specialist advice. The result was one: having given the money to the fraudsters, the investor did not receive anything.

In general, phishing schemes often use the names of large well-known companies as bait. According to the Kaspersky Fraud Prevention report, in 2021, global online portals and online stores most often suffered from misuse of the brand. Each of these two categories accounted for almost 21% of similar cases. In 12% of cases, the names of banks were used, in 8% - payment systems.

According to the same report, most often in 2021, attackers tried to make unauthorized money transfers using compromised accounts. The share of such incidents was 73%. In 21% of cases, bots and automation tools were used.

File:Aquote1.png
"Attackers are attracted to hot topics, especially related to new types of earnings. Fraudsters manage to effectively use social engineering techniques and pull out other people's money. In addition, with the development of protective technologies and an increase in the level of digital literacy of users, fraudsters complicate the development of content - they hide traces and "noisy" texts, distort pages so that their dubious content is difficult to track. We urge you to remain vigilant, not to trust suspicious messages in the mail, instant messengers or on the Internet. Critical treatment of questionable proposals and the use of a proven security solution will help save money, data and nerves, "-

says Tatyana Shcherbakova, senior content analyst at Kaspersky Lab.
File:Aquote2.png

In order not to become a victim of scams or phishing schemes, experts from Kaspersky Lab and Raiffeisen Bank advise:

  • do not follow dubious links from mail, messages in instant messengers and SMS;
  • if the sender is trustworthy and the content of the message is not, it is better to make sure that the message was sent by the one you are thinking about, for example, to ask the person directly by voice, if there is such an opportunity;
  • check the spelling of site addresses before entering data on them;
  • Use a security solution that prevents an attempt to go to a phishing or scam site.

45% of Russians faced phishing in 2021

On December 3, 2021, Avast published the results of a survey on phishing. Experts wanted to find out how often people have faced phishing attacks over the past two years. According to the data received, in 2021, people more often became victims of such attacks: 45% of Russians surveyed told about this. This figure increased by 4% compared to the results of 2020.

File:Aquote1.png
Before the holidays, everyone is looking for gifts to loved ones, purchased at sales. Due to supply disruptions related to the pandemic, people are more likely to believe reports in which scammers say they will deliver popular goods, said Louis Korrons, an information security evangelist for Avast. - If we compare the results of polls in 2020 and in 2021, we will see that the number of Russians who faced phishing attacks increased by 7%. By raising awareness of scams, we hope we make life safer for users.
File:Aquote2.png

In 2021, 72% of respondents from Russia faced them, while in 2020 only 56% of respondents told about it in a similar survey. In second and third place, respectively, are malicious emails (60%) and mixing (SMS phishing) (52%). The number of attacks with social engineering in real life has slightly decreased: from 16% in 2020 to 15% in this.

In 2021, the number of victims of phishing attacks increased by 4%. At the same time, more respondents talked about spam: 48% reported fraud to the police, the security service at work and the antivirus vendor. Most often, people went to the police (49%), to a company that was imitated by attackers (38%) and to one of their colleagues (17%).

File:Aquote1.png
According to a previous survey we conducted with YouGov, online purchases during the pandemic were expected to be extremely popular in Russia. 24% of Russians began to buy more on the network than before the lockdown. 15% of respondents at this time first tried online shopping. The latter category may be especially vulnerable to phishing attacks related to online purchases, since they do not have much experience yet and they may not notice and recognize the threat on time, "said Luis Corrons.
File:Aquote2.png

Of the Russians who became victims of phishing, a little more than a third (38%) said that they had to change passwords from accounts, 29% said that money was stolen from them, and personal data was stolen from 15%. 29% of victims had to cancel credit or debit cards - a year ago, only 17% of respondents told about it.

The 2021 phishing survey was conducted among 1,372 Avast users in Russia in July-October 2021.

1,500 false banks identified in Russia

On April 6, 2021, it became known about the identification of 1529 false banks in Russia following the results of the first quarter. This is 20% more compared to the first three months of 2020. This is evidenced by the data of BI.ZONE, a company specializing in information security technologies.

Fraudsters disguise themselves as real credit organizations and trick their victims into entering logins and passwords from their real bank accounts or making a preliminary commission to receive the service at a reduced price. To protect themselves, attackers often copy the bank's corporate identity, and change one or two letters in the legal name.

File:Aquote1.png
As with Chinese fakes of famous brands, - compared the vice-president of Renaissance Credit Bank Sergei Afanasyev in a conversation with Izvestia.
File:Aquote2.png

1,500 false banks identified in Russia in the first quarter

The increase in the number of phishing sites of false banks is explained by the fact that this type of fraud is the cheapest and most widespread, said Yevgeny Voloshin, director of the organization's expert services block. According to him, the attackers intensified in 2020 against the background of a massive transition to remote control and do not slow down. On average, it takes 10 to 70 hours to block phishing sites, but in some cases it takes several weeks to restrict access to the resource.

In credit institutions, the publication confirmed an increase in the number of fake pages through which citizens are lured out of bank card data or information to log into the account of a credit institution. In addition, attackers earn on commissions or insurance that a person allegedly needs to receive services on favorable terms.

The bank Tinkoff"" reported that in the first quarter of 2021 the number of fakes for their site increased by 70% compared to the fourth quarter of 2020. The head of the information security service of Elexnet the GC "" (part of the group) ICD Ivan Shubin believes that the growth in the number of fake sites is associated, among other things, with the widespread spread of online loans in 2021.[12]

2020

Phishing campaign targeting Russian fuel and energy enterprises discovered

On September 24, 2020, it became known that the developer of information security tools, Doctor Web, published a study of a phishing campaign that was aimed at Russian enterprises in the fuel and energy complex. The first wave was dated April 2020, the last manifestations of activity occurred in September 2020. Read more here

In the Russian Federation, a sharp increase in the number of phishing domain names of Russian banks was recorded

In July, a record was set for phishing among customers of Russian banks: 312 domain names appeared, which is more than in all previous months of 2020, combined, Kommersant reported in August. Since the beginning of 2020, the total number of such domains has been 618.

Two-thirds of domain names are issued through Russian registrars, many in exotic.cf or.icu domain zones.

New phishing sites are arranged according to the same scheme. Fraudsters add one or more characters or prefixes "online," "cabinet," "vhod" and "login" to the official domain of the bank.

Such sites mimic the login pages of a personal banking account, with attacks targeting the corporate sector. After entering the login and password, the user is invited to download the browser plugin, under the guise of which the Trojan is delivered.

Raiffeisen Bank warns of new phishing scheme in e-commerce

Raiffeisen Bank analyzed the activity of fraudsters in the e-commerce segment. According to the bank, since January 2020, they have been more actively using fake web pages, involving gullible citizens in schemes related to "cheap buying" and "returning" money for goods at the largest ecommerce sites. This data is partially confirmed by the statistics of Kaspersky Lab - since the beginning of the year, the company's anti-phishing bases have been replenished with more than 4 thousand Russian-language phishing resources pretending to be well-known online stores.

Scammers use phishing pages that mimic the'payment services' of well-known e-commerce sites, luring buyers with the ability to profitably buy, sell or return goods. To do this, the'seller' in a personal message prompts you to go to a page that simulates the e-commerce page of the resource, and prompts you to enter the card data. After receiving these cards, fraudsters use them to pay for online purchases, try to withdraw funds using a card-to-card transfer, or sell them to Darknet.

In order to put vigilance to sleep, fraudsters use language such as' transferred the product to the delivery service ', explaining the refusal of a safe deal on the site's website and offering to make a' safe payment '/' safe deal'through the link sent in the message.

To protect yourself from scammers' tricks while shopping online, don't forget that:

  • Real online stores or ecommerce platforms always use the principle of a safe deal;
  • Carefully evaluate the offer: if the product costs significantly less than in other stores, it is probably scammers;
  • Before buying, do at least a minimal check of the online store - study the site, read customer reviews, information on the organization's TIN. Check how delivery is carried out from the online store, its timing, whether there is a pickup point for goods. For unknown sites, it is better to search for reviews on the Internet;
  • A separate suspicion should be caused by the use of the insecure http protocol instead of https;
  • It is better to use a unique complex password for each of your accounts, even if we are talking about online stores, as well as, where possible, configure two-factor login authorization. Do not use passwords from social networks and banking programs for online stores;
  • Before entering card data, check the name of the resource on which you enter them. Switch to payment links from verified resources only. Open a separate card for online purchases and replenish it with the required amount immediately before payment;
  • Connect alerts or regularly view card transactions in the bank's Internet application. This will reduce the risk that the amount will be written off unnoticed, as often fraudsters check the correctness of card data by making transactions for small amounts. It will also help prevent further charges with a timely card lock.

Phishing scheme with courier delivery of online orders

On May 19, 2020, it became known about a new phishing scheme, which fraudsters began to actively apply during the period of self-isolation of Russians in the context of the COVID-19 coronavirus pandemic. We are talking about scams with courier delivery of online orders.

According to Group-IB, on the services of free ads, attackers create decoys - publications about the sale of goods at low prices. To bypass the protection of the message board, attackers only contact the victim through the service, after which they offer to go to the messenger to "discuss the purchase." After that, they find out from the buyer the name, address and phone number allegedly for the delivery and ask to fill out the form on a page similar to the sites of well-known courier services. In fact, this is fake, and the bank card information goes to scammers. The average check of one such "purchase" is about 15-30 thousand rubles.

Fraudsters in Russia earn hundreds of thousands a day on fake courier delivery of Internet orders

It is noted that all members of the criminal community have their own roles. Some create phishing resources, hire "employees" and distribute stolen goods. Others will post "decoys" on free ads and communicate with "customers," calling them "mammoths." Still others call the victims and "breed" them for a "refund."

Group-IB sent almost 250 phishing resources working on a scheme with fake courier delivery of goods ordered via the Internet. Experts have uncovered the criminal group Dreamer Money Gang (DMG), which organized a phishing scheme through a Telegram bot. DMG's daily turnover exceeded 200 thousand rubles.

The revenue of another criminal group (the name is not indicated) has grown rapidly in recent months. So, in January, fraudsters earned 784, 6 thousand rubles, in February - 3.5 million rubles, in March - 6.2 million rubles, and in April - 8.9 million rubles.[13]

The Ministry of Internal Affairs and Group-IB detained the administrators of a fraudulent online service that traded fake passes

Employees of the Moscow Criminal Investigation Department, with the assistance of experts from Group-IB, an international company specializing in preventing cyber attacks, detained administrators of a fraudulent service that sold fake digital passes for the quarantine period for residents of Moscow and Russian regions. Group-IB announced this on April 27, 2020. In total, experts found 126 fraudulent Internet resources - sites, channels and groups in social networks, where fake certificates and passes are illegally sold. More than half of the services have already been blocked.

The first fraudulent schemes for the sale of electronic passes, according to Group-IB, appeared in late March - early April 2020, when the city authorities tightened requirements for self-isolation and limited movement around the city. By the decree of the mayor of Moscow, three official methods of free receipt of digital passes were established: online on the mos.ru portal, by phone +7 (495) 777-77-77 and by SMS to 7377. However, starting from April 13, Group-IB recorded an explosive increase in the registration of fraudulent services: sites, Telegram channels, VK, OK and Instagram accounts offering to buy pass certificates for the quarantine period at an average price of 3,000 to 5,500 rubles.

Experts of the Group-IB investigation department calculated the administrators of one of the criminal groups who offered through the popular messenger the purchase of passes for free movement in Moscow, St. Petersburg and Krasnodar. Fraudsters introduced themselves as law enforcement officers and in personal correspondence promised to help clients with issuing passes, as they claimed, according to a "gray scheme through the State Public services portal." To obtain a fake pass, Internet swindlers asked to send them passport data, and if a pass for a car was required, its license plate. However, after receiving money on a bank card, the scammers deleted the chat with the victim, including her phone in the "black list." For two weeks of the service, fraudsters were able to make several transactions - the price of their services ranged from 2500-3500 rubles. As a rule, the victim of fraud was those who were especially worried about the restriction of movement and did not wait for the start of official registration of passes.

During the investigation, the threat officers and Group-IB experts obtained evidence confirming the involvement of two residents of Moscow and the Moscow region, 19 and 23 years old, in the administration of the service. Both suspects were detained on April 21, gave confessions. A criminal case was initiated on the grounds of a crime under Article 159 of the Criminal Code of the Russian Federation (Fraud). Mobile phones and laptops were seized during the search.

File:Aquote1.png
Recently, fraudsters have been very actively using the topics of coronavirus, self-isolation and the introduction of access control for schemes: fake mailings, calls on behalf of social protection, offers to buy digital passes. The danger is that victims, paying for a pass, can not only lose money, bank card details, but also personal information. Having received the passport data, fraudsters can take a loan in the name of the victim from microfinance organizations or issue a consumer loan,
warns Group-IB Head of Investigations Sergey Lupanin
File:Aquote2.png

As of April 26, 2020, the Department of Innovative Brand and Intellectual Property Protection Group-IB discovered 126 fraudulent resources selling digital passes: 25 sites, 35 groups and accounts in social networks and 66 telegram channels. Group-IB has already blocked 78 resources, the rest during the blocking process. Monitoring work is ongoing.

Group-IB reveals fraudulent scheme under the guise of "Like of the Year 2020" award

On February 20, 2020, Group-IB announced that, together with Rambler Group, it had identified a multi-stage fraudulent scheme under the guise of a fictitious Like of the Year 2020 Season Award. As part of a large-scale phishing attack, users were invited to win a large cash prize for a randomly chosen like they set on social networks. In total, more than 1,000 related domains used in the attack were found.

"Like of the Year 2020" awards phishing

According to the company, in order to attract those wishing to receive a premium, fraudsters hacked post servers one of the fiscal operators (data OFDs) and massively sent RuNet messages to users on behalf of the "Rambler team." Following user appeals to Rambler Group, the company conducted its investigation and engaged Group-IB to respond to the incident.

The CERT-GIB Computer Emergency Response Team - Group-IB Cyber ​ ​ Incident Response Center revealed that scammers used several attack vectors to lure users to participate in the Like of the Year 2020 award. In addition to sending mail messages, they also delivered phishing messages through other channels, in particular, sent cash reward alerts to the Google calendar. Using common social engineering methods based on the desire to win, fraudsters have lured users' bank card data for a long time. The topic of the messages was somehow related to cash payments. The recipients were congratulated on their victory in the competition and on the cash prize, which ranged from $100 to $2,000.

As a result of the events, the distribution under the guise of Rambler Group was stopped. For its part, Rambler Group contacted public mail services, warned them about the attack and asked them to proactively move fraudulent emails to Spam. As part of further work, Group-IB specialists managed to block most of the attack-related sites to which transitions from received letters and invitations were carried out. In total, the scheme has more than 1000 domains. As of February 2020, work on blocking continues.

File:Aquote1.png
We pay special attention to users for such phishing attacks. Most often, scammers hide behind well-known brands and companies in order to rub into the confidence of recipients, collect their personal data and use them for selfish purposes. Having received a suspicious letter, you should treat it with caution - do not follow the indicated links. Therefore, we advise in this case to contact representatives of the brand and clarify whether there was really such a mailing list.

told Ilya Zuev, Director of Cybersecurity, Rambler Group
File:Aquote2.png

File:Aquote1.png
We tested the "Like of the Year" scheme on the desktop and mobile platforms - it is well-built everywhere and at all stages of implementation is designed to arouse user confidence. This explains her long period of activity. In addition to "like," graph analysis reveals about 6 different scenarios of fraudulent campaigns with the same logic, including, for example, payments from the non-existent "Video Blogger Fund," Financial Protection Centers and others. From 100 to 350 domains are associated with each scenario. This is a fairly extensive infrastructure. In some scenarios, postal addresses used as support and consultation were registered to Ukrainian numbers.

narrated by Yaroslav Kargalev, Deputy Head of CERT-GIB
File:Aquote2.png

The "Like of the Year" attack is distinguished by a number of features. The use of the calendar in the Gmail service for February 2020 is a relatively fresh trend in social engineering. In the default calendar settings, these prompts are automatically added to the calendar along with the reminder. Thus, any user of the Google calendar can send an invitation to events to other Gmail users, even if they are not in his address book. As a result, the victim will receive a notification about the creation of the event by mail. The keywords in the content will be as follows: "bank, approved, payment of funds, program, reimbursement, receipt, agreed, federal, service, details," etc.

"Like of the Year 2020" awards phishing

In both cases, when clicking on a link in an email or invitation, the user gets to the bait site. The screen displays the winning amount, for example, $1735, and to create trust in the competition, the site also hosts rave reviews of users who have already won their prize.

"Like of the Year 2020" awards phishing

Then the "operator" gets in touch, who advises the user on the next steps. In this case, instead of the standard chat window with an avatar, for greater realism, scammers use video, instructions are shown in the window nearby.

"Like of the Year 2020" awards phishing

Then redirect - this time the user is asked to enter the number of the bank card to transfer the win to him. The next stage of the scheme is a twist (a term for an unexpected turn in the movie): the bank suddenly rejects the user's card. To solve the problem, it is proposed to convert the currency, since the payment can be made only in rubles. The user needs to pay a small commission - about 270 rubles.

"Like of the Year 2020" awards phishing

The user agrees to pay the commission. The culmination of the scheme is a redirect to the site with a "safe" entry of bank details: card number, validity period and CVV, in order to pay the commission on services allegedly verified by all possible payment systems.

"Like of the Year 2020" awards phishing

It is here that the user's bank card data is stolen. In the scheme with "Like of the Year," at the last stage of data entry, a real payment gateway is used. That is, fraudsters really write off the "commission," but their main goal is card data. As a rule, in the future, collections of text data of cards are sold in cardshops or goods are purchased on them for the purpose of further resale and sale.

In order not to become a victim of fraudsters, you need to know the basics of digital hygiene and constantly update your knowledge. Below are some tips from Rambler Group on how to independently identify signs of phishing and protect your account:

  • The user needs to be wary of messages and forms in which they are asked to specify personal data.
  • The user needs to turn off the ability to automatically add invitations and events to the Google calendar (Settings > > Events > > Automatically add events (disable)).
  • Do not click on links sent in suspicious or incomprehensible email messages or through social networks.
  • The user should not download and run attached files from email messages that the user did not expect.
  • The user needs to carefully analyze the addresses of the sites to which links from letters lead.
  • On all accounts, where possible, it is recommended to connect two-factor authentication. This will help if the main password gets to the hackers.
  • It is necessary to update the system and application software in a timely manner and install security updates.

2019

Kaspersky Lab spoke about a corporate phishing scheme that simulates the process of employee certification

According to Tatyana Shcherbakova, senior content analyst at Kaspersky Lab, a little-known corporate phishing scheme simulates the process of certification of company employees. This became known on November 6, 2019.

According to her, Kaspersky Lab learned about this phishing method from its clients. Fraudsters send letters with fake links to the addresses of employees of various companies, including the banking sector, which contain a proposal to undergo an assessment of knowledge and skills on an alleged HR portal by logging in with a login and password from work mail.

As a result, fraudsters can gain access to corporate correspondence, including logins and passwords from databases with personal information of clients or to the databases themselves, if they are sent in clear text.

Alexey Golenishchev, director of e-business monitoring at Alfa-Bank, agreed to call the described method a "new scheme" of corporate phishing, but as part of "sending fraudulent emails."

File:Aquote1.png
Previously, these were letters with files disclosed by "infected" viruses, links to fake resources, etc. Obviously, the knowledge and experience of users of corporate computer systems is growing, including in terms of security, and fraudsters have to come up with new schemes
shared Alexey Golenishchev
File:Aquote2.png

However, the expert believes that with the help of the described phishing scheme, you can extract logins and passwords from corporate mail of specific employees if the company does not pay due attention to external and internal IT security[14].

Silence group cyber attack on Russian banks under the guise of an invitation to the forum

On January 18, 2019, Group-IB announced a large-scale wave of malicious mailings of the Silence group in Russia. Since the beginning of the year, this is the largest attack, with more than 80,000 recipients - employees of Russian credit and financial institutions, among which the main share is occupied by banks and large payment systems.

The massive attack began with Silence phishing mailings on January 16. The malicious attachment was disguised as an invitation to the iFin-2019. Read more here.

2018

Hackers under the guise of the Central Bank attacked Russian banks through phishing

On November 15, 2018, the hacker group Silence attacked Russian banks, Kommersant[15] said[16]Under the guise CENTRAL BANK OF THE RUSSIAN FEDERATION of attackers sent letters with malicious. software To do this, the attackers stylized letters and documents for those that they send out. Bank of Russia According to experts, hackers obtained samples of these documents by hacking into the mailboxes of bank employees.

Silence hacker group attacked Russian banks

The fact that Russian banks received a malicious newsletter allegedly from the mailbox of the Central Bank of the Russian Federation was told in Group-IB and confirmed in Kaspersky Lab. Hackers forged the sender's address, but for some reason did not use SSL certificates to pass authentication. In total, the recipients of the November mailing list, according to Group-IB, were at least 52 banks in Russia and 5 banks abroad. The letters, entitled "Information of the Central Bank of the Russian Federation," invited bankers to familiarize themselves with the decree "On the unification of the format of electronic banking messages of the Central Bank of the Russian Federation" and immediately proceed with the execution of the "order." To do this, the recipient had to unpack the archive.

Unpacking the archive led to the download of the Silence.Downloader malware. This tools are used by hackers from Silence.

File:Aquote1.png
The style and design of the letter are almost identical to the official mailings of the regulator, - said in Group-IB. Most likely, hackers had access to samples of genuine messages.
File:Aquote2.png

The company believes that for this, attackers either hacked the mailboxes of bank employees, or were engaged in legal work - penetration tests (testing the security of computer systems using hacker attack modeling) and reverse engineering (attempts to reproduce the code of any programs). That is why they are well acquainted with document management in the financial sector and the operation of banking systems, according to Group-IB.

Prior to that, a similar attack was recorded on October 23. Then, allegedly, from the address of FinCERT (the structure of the Central Bank engaged in cybersecurity), banks received a letter with attachments stylized as regulator documents that contained malware - the Meterpreter Stager loader. Self-signed SSL certificates were used to control this attack.

The server infrastructure used by the attackers has previously been used in attacks allegedly followed by hackers from the MoneyTaker group.

File:Aquote1.png
Silence and MoneyTaker are two of the four most dangerous hacker groups that pose a real threat to international financial organizations, says Rustam Mirkasymov, a cyber intelligence expert. - Hackers from MoneyTaker use all possible vectors of attacks on banks, and Silence, in turn, is less inventive and use only a fail-safe and proven attack method - phishing emails. But, unlike their colleagues, they pay more attention to the content and design of the text of the letters.
File:Aquote2.png

File:Aquote1.png
The attackers use a well-known and still very effective method - they gain access to the internal banking network and gain a foothold in it, "Sergey Golovanov, a leading antivirus expert at Kaspersky Lab, explained to Kommersant. - For a long time, cybercriminals have been studying the internal infrastructure of the network and recording from the machine screens of bank employees.
File:Aquote2.png

After analyzing how the intra-bank software is used, hackers transfer funds from the bank.

Silence is a small Russian hacker group recorded in 2016. Experts believe that they are behind attacks on ATM management systems, card processing and the Russian system of interbank transfers of CBD AWS. Hackers attack targets mainly in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan.

The daily number of successful phishing attacks in Russia has grown to 1274

On October 9, 2018, Group-IB introduced the information security paradigm.

Attacks on bank customers

Web phishing is a method of theft that showed growth in both Russia and the international market in 2018. The number of groups that create phishing sites for Russian brands has grown from 15 to 26. In Russia, the total number of daily successful phishing attacks increased to 1274 (previously - 950). With the help of web phishing, 251 million rubles were stolen in Russia, which is 6% more than in 2017.

In the international market, in contrast to the previous period, the first position was taken by phishers aimed at, and cloudy storages not at the financial sector. In terms of the volume of phishing sites in the world USA , it takes 1st place (80%), 2nd place -, France 3rd -. Germany According to the Group-IB report, 73% of all phishing resources fall into the following three categories:

  • cloud storage (28%),
  • financial (26%),
  • online services (19%).

Bank card fraud remains among the most dangerous threats to individuals: the insufficient spread of behavioral analysis systems during transactions leads not only to direct damage, but also to the growth of the card shop business. About 686 thousand text data of compromised bank cards and 1.1 million dumps are downloaded monthly in the world for sale in card shops. The total volume of the carding market for the analyzed period amounted to $663 million.

The decline in threats from banking Trojans for PCs in Russia has continued since 2012. Attacks on individuals are a thing of the past, and the damage to legal entities at the end of the reporting period decreased by another 12% and amounted to 547 800 000 ₽ (8.3 million).

After several years of growth, the Android Trojan market has stopped in Russia, but continues to develop on the world stage. The number of daily thefts using Android Trojans in Russia has almost tripled. It is also worth noting the reduction in the average size of thefts. If in 2017 it was 11 thousand rubles, then this year it is already 7 thousand.

On the international market, the situation is radically different: during the analyzed period, 6 additional Trojans for PCs were identified, and 5 more Trojans were laid out or sold.

Sabotage and espionage are the main goals of pro-government hackers

The focus of promising development and innovation in creating complex viruses, as well as conducting multi-stage targeted attacks, has shifted from financially motivated cybercriminals to pro-government hackers. Their actions are aimed at ensuring a long-term presence in the networks of critical infrastructure facilities in order to sabotage and spy on companies in the energy, nuclear, commercial, water, aviation and other sectors.

The top 3 countries of origin of the most active pro-government hacker groups include China, North Korea and Iran. Espionage also remains a key focus of groups sponsored by states of different countries. According to the results of H2 2017 - H1 2018, the Asia-Pacific region (APAC) has become the most actively attacked by hackers in different countries. During the year, the activity of 21 different groups was recorded here, which is more than in the United States and Europe combined. Another vector of espionage in Group-IB is the hacking of home and personal devices of state officials.

The Group-IB report presents about 40 active groups, but there are many more. They are sponsored by various states, including: North Korea,, Pakistan China, the United States,, Russia Iran and. Ukraine The country affiliation of some of the groups has not yet been established. As a rule, the discovered groups or government campaigns have already existed for several years, but for various reasons have not been noticed. The Group-IB report section on attacks on critical infrastructure makes a disappointing conclusion: the APT threat landscape, characteristic of each region, is constantly changing, hackers are trying to use widespread tools, including penetration tests, which makes it difficult for researchers to work. The lack of data on detected attacks in an individual country or sector of the economy most likely means that they are not yet known, not that they are missing.

The financial sector is again under threat

Traditionally, one of the most extensive blocks of the report is devoted to the tactics of attackers and the damage caused by cybercriminals to financial organizations. In 2018, a hacker group, Silence, was revealed. In addition to it, the most dangerous for banks around the world are MoneyTaker, Lazarus and Cobalt. They are able to break into a bank, get to isolated financial systems and withdraw money. Three groups of four are Russian speakers.

On average, 1-2 banks successfully attack in Russia every month: the average damage from the attack is 132 million rubles ($2 million). Group-IB experts state that the number of targeted attacks on banks for theft through SWIFT during the reporting period has tripled. The average time to cash out of an ATM with drops or mules is only about 8 minutes.

Among the other most likely regions for cybercriminal organizations are Latin America, as well as Asian countries. Most likely, their first goals will be banks. Group-IB experts warn that the collaboration of hacker groups, their use of legal tools and deliberate copying of each other's tactics will lead to numerous attribution errors.


Crypto industry

About 56% of all funds stolen from the ICO were stolen through phishing attacks. In 2017 and 2018, the attention of hackers increased to attacks to hack crypto exchanges. A total of 14 cryptocurrency exchanges were robbed. Total damage - more than $882 million.

Cryptojacking (hidden mining), as a direction of fraud, received the greatest development in 2017-2018. After the release of Coinhive hidden mining software, another 7 programs of this type appeared. Group-IB experts predict that the largest miners in the world can become the target of not only cybercriminals, but also pro-state attackers. With some preparation, this could allow them to take control of 51% of the mining capacity and take over cryptocurrency management. Immediately 5 successful "attacks of 51%" were recorded in the first half of 2018: the amount of direct financial damage ranged from $0.55 million to $18 million.

Hacking technologies

If in 2017 the main attention of security specialists was associated with the epidemics of WannaCry, NotPetya, BadRabbit, then the beginning of 2018 showed that the next source of the global threat to information security is side-channel attacks and vulnerabilities of microprocessors from different vendors. The Group-IB report analyzes many examples showing the real danger of hardware "holes" and their key problem: all these vulnerabilities cannot be quickly and effectively closed with software updates. That is why research activity devoted to searching for vulnerabilities in BIOS/UEFI increases every year in proportion to the increased number of threats that are used in real targeted attacks. At the same time, they become known thanks to leaks, and not the study of attacks: there are no solutions on the market that could effectively identify such threats.

Group-IB states that research on finding vulnerabilities in BIOS/UEFI, as well as the development of real exploits, are quite time-consuming and expensive processes: not many hackers are able to carry out such attacks, but this situation may change, which will fundamentally change the approach to cybersecurity in the coming years.

2017: CC: Among types of malicious activity, Phishin

In May 2017, 329 requests for removal from delegation of domain names were sent to registrars by competent organizations cooperating with the Coordination Center of.RU/.RF domains.

An analysis of violating domains by the type of detected malicious activity in the reporting period showed that the leading place still belongs to domain names associated with phishing (257 requests). This is followed by the spread of malware (65 calls) and botnet controllers (7). It is worth noting that phishing has remained the leader in the number of requests for 10 months already - with the exception of March, when phishing accounted for "only" 49% of all requests.

During the reporting period, 313 domain names were removed from delegation at the request of competent organizations. For 15 domain names, delegation removal was not required, since the reasons for the blocking were promptly eliminated (or the resource was blocked by the hosting provider).

2016: Russian cybercriminals abandon phishing in favor of skimming

Due to the measures taken to strengthen the security of mobile and online services, the popularity of the carding is growing. According to Izvestia, citing experts from Zecurion, attackers are increasingly stealing bank card data using skimmers installed in ATMs instead of phishing.

For the period from January to June 2016, the carding accounted for 87% of all stolen funds of Russians. The remaining 13% of cybercriminals "earned" through phishing. According to experts, the number of crimes carried out on the Internet decreased by 3% compared to last year. The share of offline crimes increased by exactly the same amount.

In January-June 2016, skimming brought income to attackers in the amount of 900 million rubles, while phishing - 140 million rubles.

2014: APWG: The number of phishing incidents in the Russian Federation is decreasing

According to the Anti-Phishing Working Group report for the 1st quarter of 2014, there is a decrease in phishing-related incidents in the Russian Federation. The share of ip addresses located in the Russian Federation from which fraudulent actions were carried out decreased significantly and averaged 1.6% in the first quarter of 2014 against 15.3% in the same quarter of 2013.

Obviously, cybercrimes related to phishing have changed their geographical affiliation, having met a strong rebuff on the territory of the Russian Federation. At the moment, a surge in incidents by geographical affiliation falls on the United States, Turkey and China. However, Group-IB believes that this is a temporary phenomenon and cybercriminals are preparing to strike a new blow soon.

The fact that Group-IB knocked down cybercriminals is directly indicated by the work analyst CERT-GIB for the first half of 2013 and 2014. Thus, in the first half of 2014, CERT-GIB specialists processed 52% fewer applications: 1537 in 2013 against 800 applications for the same period in 2014. Phishing was reduced by 70%. 762 incidents in the first half of 2013 to 235 incidents in the same period of 2014. Thus, the connection with the number of incoming applications with the share of phishing incidents is more than obvious. Group-IB emphasizes that this is a temporary phenomenon. The financial sector in Russia is still an object of increased interest from cybercriminals.

The amount of funds in payment systems is steadily growing., in Banks turn, online services are constantly improving, thereby attracting an increasing number of users, and these are more and more new, personal data which attackers need as air. The company warns not to reduce vigilance in matters. information security The fact that cybercriminals are preparing to strike a new blow is obvious and quite predictable. It is worth noting that the victory in the won round in the fight against cybercrime owes much to the competencies of Group-IB, endowed with the Coordination Center of the national domain of the Internet, which includes countering phishing, malicious ON and botnet controllers.

Notes