Main article: Phishing in Russia
2024
Cyber fraudsters use fake Rosfinmonitoring sites to deceive Russians
The number of fake sites imitating the official portal of Rosfinmonitoring reached 170 domains in 2024, with 50% of them registered in the last three months, which became known on November 5, 2024.
The company "ESA PRO" revealed an increase in cases of fraudsters using fake sites of Rosfinmonitoring by 50%. General Director of ESA PRO Lev Fisenko stressed that attackers exploit the image of Rosfinmonitoring to create an illusion of reliability and manipulate user trust.
Fraudsters operate according to two main schemes. In the first, they invite the victim to check a suspicious phone number through a fake site that lists the attackers' own contact details. In the second, victims are sent to a fake portal with a fraud-report contact form, after which they are persuaded to transfer funds to a "safe account."
To appear credible, attackers create full copies of the official site with minimal changes, use similar domain names and post data of real employees obtained from open sources.
The National Coordination Center for Computer Incidents (NCCCI), together with the specialists of ESA PRO, promptly blocks the detected phishing sites. NCCCI has the authority to suppress malicious activity in the Russian national domain zones RU/RF/SU and can send requests to hosting providers.
The detection of fraudulent sites is carried out using the automatic Smart Business Alert service, developed by a team of specialists with 15 years of experience in combating cyber threats. The system analyzes large amounts of data in real time and adapts to new types of digital attacks.
Information about fake sites is passed to antivirus vendors for inclusion in their databases of malicious resources. Thanks to the coordinated actions of NCCCI and the ESA PRO center of the State System for Detection, Prevention and Elimination of Consequences of Computer Attacks, most fraudulent resources are blocked within a few hours after detection.[1]
Fraudsters in Russia began to steal Telegram channels under the pretext of advertising
In October 2024, the Ministry of Internal Affairs of Russia recorded a significant increase in the number of thefts of Telegram channels carried out by cybercriminals under the guise of placing advertising integrations from large marketplaces.
Ministry of Digital Development of the Russian Federation: Since the beginning of the year, 60 thousand phishing sites have been blocked
On June 20, 2024, the Ministry of Digital Development, Communications and Mass Media of the Russian Federation announced on its Telegram channel that more than 60 thousand phishing sites have been blocked since the beginning of 2024. These measures are aimed at combating Internet fraud, the purpose of which is to obtain personal data of users, such as bank details and passwords, through fake sites and letters.
According to the ministry, since 2022, when the Antifishing program was launched, about 215 thousand phishing resources have been blocked. The program demonstrates high effectiveness in preventing cybercrime, protecting millions of citizens from possible financial losses and personal data leakage. These measures include not only technical solutions, but also actively informing the public about ways to recognize phishing attacks and increase digital literacy of users.
The greatest threat is posed by fake sites of investment platforms, marketplaces, banks, social networks, instant messengers and government bodies. These categories are most often chosen by scammers to create phishing resources, since users often enter confidential information on such sites.
According to the Ministry of Digital Development, to combat phishing, citizens can file a complaint through the State Public services portal. Users need to provide a suspicious site address, language, discovery date, and their email for feedback. The application will be processed within 24 hours, and if fraud is confirmed, the site will be blocked. Timely blocking of such resources helps to prevent many cases of fraud and maintain the confidence of citizens in Internet services.[2]
2023
Roskomnadzor blocked 43,100 phishing sites in a year
In 2023, Roskomnadzor blocked approximately 43.1 thousand phishing sites on the basis of court decisions and requirements of the Prosecutor General's Office. For comparison, in 2022 access to 13.8 thousand fraudulent resources was restricted in Russia. Thus, the blocking intensity has more than tripled. This is stated in the materials published in early July 2024.
According to the Vedomosti newspaper, referring to the published data, the increase in the indicator is explained by several factors. On the one hand, information security tools are being improved, which increases the efficiency of detecting malicious sites. On the other hand, the activity of cybercriminals is growing, and they are increasingly using artificial intelligence to organize phishing schemes.
According to estimates, during the first half of 2024, Roskomnadzor restricted access to 33.8 thousand phishing sites on the basis of court decisions and the requirements of the Prosecutor General's Office. At the same time, within the framework of the "Anti-phishing" program implemented by the Ministry of Digital Development, approximately 64 thousand fraudulent resources were blocked from January 1 to June 20, 2024. Since the system began operating in June 2022, access has been restricted to 215 thousand phishing sites.
Attackers are said to most often fake the sites of investment platforms, online stores, banks, social networks and instant messengers, online booking services, as well as government bodies. Moreover, despite the increase in blocking efficiency, many malicious sites continue to work. Igor Bederov, head of the investigation department at T.Hunter, notes that the real number of phishing resources can be 3-4 times more than the number of sites that are blocked by Roskomnadzor.[3]
The share of phishing sites in the .ru zone increased 3.6 times
At the end of 2023, the share of phishing resources located in the .ru domain zone reached 46.5%. For comparison, a year earlier, the figure was 12.9%. Thus, 3.6-fold growth was recorded. These data were provided at the end of February 2024 in a study by the phishing protection group CERT-F.A.C.C.T. (formerly Group-IB).
The figures cover sites aimed at Russian-speaking users and/or using Russian brands. The negative trend is confirmed by the Solar group of companies: according to the Solar AURA external digital threat monitoring service, approximately 50% of blocked resources in 2023 were registered in the .ru zone.
According to the Vedomosti newspaper, the increase in the number of malicious resources in the .ru domain zone is partly due to the fact that Russians have become more vigilant towards foreign domains. In addition, the popularity of the .ru zone among fraudsters is explained by the possibility of buying a domain in the country without the need to issue a foreign bank card. This reduces the financial cost of organizing malicious campaigns.
F.A.C.C.T. experts also identified major trends in malicious mailings in 2023. It turned out that most phishing emails are sent by attackers at the beginning of the week: the peak of mailings falls on Tuesday - 19.7% of all such emails in a week. After Wednesday, there is a decline, and the fewest malicious messages are sent on Sunday - 7.1%. In 2023, cybercriminals in mass phishing mailings used attachments as the main way to deliver malware: the share of such messages in the total volume of phishing emails reached 98%. The number of letters with malicious links is decreasing: the result for the year is a little more than 1.5%. Attackers mainly pack viruses into archives of .rar (23.3%), .zip (21.1%) and .z (7.7%) formats.[4]
The number of fraudulent sites in Russia for the year increased by 86% to 207.1 thousand units
The number of fraudulent sites in Russia in 2023 increased by 86% compared to the same period in 2022 and reached 207.1 thousand units. The Bi.Zone company announced this at the end of December 2023.
According to Yevgeny Voloshin, Director of the Bi.Zone Security and Anti-Fraud Analysis Department, the main jumps in the registration of fraudulent resources occurred in March, September and October, when a significant increase in the number of domains imitating prize-draw sites was noticed.
Phishing has become one of the most popular schemes. According to the Coordination Center for Domains .RU/.RF, 89% of requests from organizations were associated with it. This is also caused by the transfer of financial services to digital format and an increase in the popularity of online services, Voloshin emphasized.
Another popular scam on the Internet is "quick earnings." Under the pretext of profitable investments, they attracted victims to a site that imitates the page of a large Russian or world company. Such fake resources ran into the thousands. To register there, the user answered questions of a confidential and financial nature, as well as left personal data. All this information fell into the hands of fraudsters, according to a study by Bi.Zone.
As the head of the phishing protection group of F.A.C.C.T. Ivan Lebedev noted to Izvestia, attackers automate and speed up processes in their schemes - this is one of the reasons for the emergence of a large number of phishing and fraudulent pages.
Today, in a few clicks, criminals can create a phishing page and massively distribute a link to it through social networks or instant messengers. This does not require deep technical knowledge; as a result, the entry threshold is reduced and the influx of new members of the groups is maintained, he added.[5]
Attackers have become better at hiding phishing resources
Attackers in 2023 became better at hiding phishing resources. This was announced on September 28, 2023 by Solar (formerly Rostelecom-Solar).
Over the past six months, non-personalized phishing attacks, which account for more than 98% of all phishing, have become noticeably more sophisticated. Attackers began to use and improve methods of hiding malicious content from the tools that search for it.
Such conclusions were made by experts from the Solar AURA External Digital Threat Monitoring Center of the Solar group of companies, based on an analysis of hundreds of thousands of malicious resources.
As of September 2023, over 53% of phishing resources detected by Solar AURA specialists use certain means of protection against their detection. For comparison, in 2022 this figure was 27%, and in 2021 - 11%.
One of the most sophisticated ways to hide phishing was the Chameleon scheme. Its essence is that the malicious site could dynamically change its content and showed its true "face" only to those users who met the parameters set by the attackers - for example, the geographic location of the IP address, screen resolution, version of the operating system and browser, etc.
The attackers intended this approach to prevent anti-phishing services from recognizing malicious content.
Also notable is the scheme that experts called "Chameleon 2.0." In it, attackers used chains of dozens of arbitrarily generated domains, each of which served to redirect the user to a malicious resource. The scheme was actively used at the turn of 2022-2023 in a large-scale phishing campaign that affected more than 300 large brands.
"In addition to such technically complex variations as Chameleon or Chameleon 2.0, other techniques are actively used - for example, the use of domains that are not related to the brand on behalf of which the attack is carried out. Also, "gasket sites" are used that redirect the user to the desired URL and at the same time notify him that the portal is allegedly checked by an antivirus and does not pose a danger," explained Diana Selekhina, an expert at the Solar AURA external digital threat monitoring center of the Solar group of companies.
RKN victory: phishing resources have almost left the .ru domain
According to the results of the first quarter of 2023, more than 7.2 thousand phishing resources were removed and blocked in Russia against about 2 thousand for the same period of 2022. Roskomnadzor cited these figures on May 10, 2023. According to the statistics of the department, the largest number of domains with links to illegal financial activities and fake documents fell on the .com domain zone (52%), in second place - .ru (13%), in third place - .xyz and .site (8%). The remaining share was distributed between the .top, .io, .net, .pro and .ws domains. The Ministry of Digital Development blocks phishing sites through the Antifishing system, which has been operating since June 2022.
Companies working in the field of information security confirm this trend. According to Kaspersky Lab, in January-May 2023, the domain zones .com (48%), .ru (12%) and .ws (6%) accounted for the largest number of attempts by Russian users to navigate to phishing pages.
The departure of scammers to new domains may be due to the fact that registration there is cheaper or free altogether. In addition, as noted by Aleksei Kuznetsov, head of security analysis at the Future Crew MTS RED innovation center, in a conversation with Kommersant, it is easier for Roskomnadzor to block fraudulent resources on the .ru domain, which partly restrains the growth of phishing sites in Runet.
There are gTLD (generic Top-Level Domain) top-level domains, for example .com, which are centrally managed, and country-specific domains - ccTLD (country code Top-Level Domain, including .ru, as well as other national zones), and in ccTLD zones it is often difficult to get to the registrar and force him to take the domain name from the resource owner, the expert explained.[6]
The number of new phishing sites grew 3 times to 5.2 thousand
In January-March 2023, 5.2 thousand phishing sites were identified in Russia, which is almost three times more than a year earlier. This was reported in mid-March 2023 by the ANO "Coordination Center of Domains."
ANO Director Andrei Vorobyov said that one of the reasons for this was the confusion with SSL certificates that arose after the refusal of Western certification centers to work in the Russian Federation.
Until February 2022, SSL certificates were issued by foreign certification centers, but after February 24 of the same year, many of them refused to work with the Russian Federation. Over the past year, several local certification centers have begun to work in Russia and the problem is gradually losing its severity, Vorobyov said in mid-March 2023.
The increase in the number of phishing sites was also noted by Roskomnadzor (RKN). The press service of the department told the publication that from January to February 2023, RKN removed and blocked 523 fraudulent resources. Among them were sites related to the credit and financial sector. For the same period in 2022, 313 resources were removed.
Specialists of the Domain Coordination Center told Izvestia that most often fraudsters imitate the sites of the largest Russian banks that have fallen under sanctions, as well as marketplaces and ad services.
According to experts from the Domain Coordination Center, an effective measure to counter fraudsters could be to confirm the passport data of an individual registering a domain name through the ESIA, the newspaper writes.
One of the reasons for the growth in the number of phishing sites is the development of technologies. For example, website builders are becoming increasingly widespread, and they can be used by anyone familiar with a computer, even without programming skills, explained Sergei Trukhachev, head of Internet threat analytics at RTK-Solar.[7]
2022
The number of phishing sites blocked in Russia has more than doubled
On March 3, 2023, Group-IB announced that it had blocked more than 59,000 phishing sites in 2022, of which more than 7,000 were in the Russian segment of the Internet, which is twice as much as a year earlier. Fraudulent resources stole logins and passwords, bank card data and instant messenger accounts from users in Russia. In particular, in 2022 there was a wave of attacks on Telegram users using phishing resources.
According to the company, while in 2021 the number of resources blocked on the Internet by Group-IB's round-the-clock (24/7) Information Security Incident Response Center, CERT-GIB, amounted to 31,455, in 2022 their number increased to 59,282. The cybercriminals' pages copied, among other things, the resources of brands, services and games popular with Russian users. In the .ru and .rf zones, the number of blocked sites more than doubled, from 3,210 to 7,121.
In total, in 2022 the round-the-clock CERT-GIB specialists identified 20,170 phishing domains in the .ru and .rf zones alone; in 2021 their number was 15,363 domains.
Most often, scammers disguised phishing resources as social networks, banks, and postal services. The attackers used the services of hosting providers located mainly in the United States, Russia and Germany. Every third scam site was hosted in the .com domain zone - 33.8% of the total number of resources.
Phishing pages were used in a scheme to steal user accounts on Telegram in December 2022. Victims received a message asking them to support the sender's goddaughter or niece in a children's drawing competition, vote for the "author" of the message in an online quiz, or receive a gift in the form of a premium subscription in the messenger. The link in the message led to a phishing resource. Messages were sent to the address books of hacked accounts in the messenger and to chats where their owners were members. With stolen accounts, the scheme was repeated: attackers sent messages with links to phishing resources to their contact lists. In 2023, attackers stealing Telegram accounts also use a scenario with a message from the messenger support service about limiting the user's account.
"Phishing remains the most common threat on the Internet, its scale continues to grow. Such sites make up 98-99% of the blocked resources of cybercriminals. First of all, these are resources that play the role of one of the main elements of the popular Mammoth scheme (FakeCourier) and its versions, where money and bank card data are stolen from the victim under the pretext of fake buying, delivery, rent or dating," noted Ivan Lebedev, head of the CERT-GIB phishing protection group.
Group-IB specialists remind users of the basic rules that are important to follow in order not to become a victim of phishing:
- Due to the emergence of a large number of fakes and phishing resources aimed at well-known brands, customers should be especially vigilant, even downloading applications from official stores.
- You should check the domain names of suspicious sites. Most often, attackers use domains consonant with popular brands. You need to use official applications.
- When shopping online, you should always check all the details of transfers and payments. Do not give anyone codes from SMS and push notifications, card data (PIN and CVV codes), personal data.
- Never click on suspicious links from unknown senders, scammers can infect a computer or phone and steal data.
- You can trust the links that are indicated in the verified accounts of companies in social networks and instant messengers.
Fraudsters in Russia began to create fake car sharing sites to steal data
At the end of 2022, it became known that fraudsters in Russia began to actively create fake sites of car-sharing companies to steal data, as well as to steal cars and remove spare parts from them.
NTI Autonet told RIA Novosti that fraudsters create fake sites and lure victims to them with non-existent promotions. After the user enters the car data, login, password and driver's license data, the attackers take possession of them.
When registering on such sites, the user reveals his personal data and gives fraudsters the opportunity to steal car-sharing cars in the user's name. The trigger for registration is the low cost of renting a car. It is noted that many of the sites have already begun to be blocked.
In 2022, the number of schemes related to theft of automotive data increased sharply, analysts said. This may be due to a lack of auto parts and a shortage of cars, as well as the departure from the Russian Federation of a number of popular fraudulent schemes related to the banking segment due to the blocking of the SWIFT system.
According to NTI Autonet, by the end of 2022 there were at least 130 fake sites of car-sharing companies in Runet.
In September 2022, Kaspersky Lab said that in one of the ads on the darknet, hackers had begun to offer access to the administrator account of a car-sharing company for sale. The ad says that the buyer will be able to remotely control several of the service's cars at once: for example, track the location of a car, open and close it, and turn the engine on and off. Fraudsters can use access to the car-sharing control panel, for example, to extort money.[8]
The number of fraudulent sites in Runet increased by 15%
On November 11, 2022, Group-IB, one of the world's experts in the field of cybersecurity, announced the discovery of about 18,000 phishing sites in the Russian segment of the Internet in 2022, which is 15% more than in 2021. Experts attribute this growth to the scaling of the fraudulent Mammoth scheme. Most often, scammers use phishing resources under the guise of banks, online services and payment systems as bait.
For 9 months of 2022, CERT-GIB identified 17,742 phishing sites in the domain zones .ru and .rf. For comparison, for the same period in 2021, 15,363 domains were recorded. A steady increase in the number of fraudulent resources was observed throughout the year: 1295 domains were discovered in January, 1936 in May, and 2402 in October.
According to analysts, the growth in the number of phishing sites is associated with the growing spread of the FakeCourier scheme, where money and bank card data are stolen from the victim under the pretext of fake buying, delivery or renting. The main spikes in the appearance of fraudsters' pages were observed in May, August and October 2022, which is also due to the "seasonal" scenarios of the cybercriminals' schemes.
Earlier, Group-IB identified at least 300 scam groups operating under the Mammoth scheme. Fraudsters earned on the topics of courier delivery, real estate rental, sale of cars, joint trips and even going on dates. After the scheme spread to Europe, the total annual earnings of all criminal groups using this fraud scheme were estimated, according to the most conservative estimates, at more than $6.2 million.
In general, according to the Coordination Center for Domains .RU/.RF (CC), the number of requests for blocking malicious sites in 2022 increased by 25%. The largest number was sent by CERT-GIB - 5,343 requests. First of all, the resources that affected users and companies complained about were subject to blocking. In just 10 months, the competent organizations that are partners of the CC sent 11,936 requests, while in 2021 9556 requests were sent over the same period. As a result, 11,514 malicious resources were blocked by registrars and hosting providers. The average response time was 23.2 hours.
Phishing remains the most massive threat to users on the Internet, and its scale is steadily growing. It is phishing sites that make up 98-99% of the blocked resources of cybercriminals. The remaining share of the total number of blocked pages falls on sites with malware, emphasized Ivan Lebedev, head of the CERT-GIB phishing protection group.
The CERT-GIB Information Security Incident Response Center is one of 12 competent organizations that provide the Coordination Center and accredited domain name registrars with information about resources with illegal content, cases of phishing, unauthorized access to information systems and the spread of malware from domain names located in the .ru and .rf zones. Registrars have the right to stop delegating domain names for such resources.
The Ministry of Digital Development creates a pre-trial blocking system for fraudulent sites
On August 11, 2022, it became known that the Ministry of Digital Development, Communications and Mass Media of the Russian Federation had decided to block fraudulent resources disguised as official sites without a court ruling. To do this, the department will expand interaction with the Prosecutor General's Office within the framework of the Antifishing information system.
Over the year, the number of phishing attacks in Russia doubled
Over the year, the number of phishing attacks in Russia has doubled. This was announced on June 22, 2022 by the company Trust Technologies.
Every year, companies increase investment in information security by 15%. The number of cybercrimes is growing exponentially, and in the last year alone (from May 2021 to May 2022) their number in Russia has almost doubled.
Expensive equipment, modern systems often turn out to be powerless, since the weakest link in the protection system is the company's employees.
Attacks using phishing sites show their effectiveness from year to year. The opening of phishing emails entails significant financial losses for the company. Users have long been accustomed to numerous mailings: stores, services, verified sources of information. According to statistics, malicious letters are opened by up to 85 percent of employees; most often these are specialists not directly related to IT: back-office staff, managers, assistants, interns. However, they may not have access rights of interest to attackers, so the damage to the company from the theft of such accounts is rarely significant. IT specialists, financiers and, surprisingly, information security specialists are another matter. As a rule, they have elevated privileges, but they do not always have the necessary skills to recognize and counter cyber attacks.
For example, an accountant of a large company receives a letter from his favorite store about discounts on goods for summer cottages, follows the link to see something or tries to make a purchase. At this time, the malware has already started working. Data from the accountant's computer becomes known to cybercriminals: you can conduct transactions with financial resources or obtain confidential information.
It is difficult for an unprepared user to distinguish a phishing email from a real one. The best advice given by experts is not to open suspicious letters arriving at a corporate mailbox at all, especially from external mail domains. At the same time, attackers can use employees' personal data. How can you still understand that a phishing email has arrived? What to look out for?
- Is there a missing letter in the domain?
- Is there a file of unknown format in the attachment?
- Is the sender of this letter known?
Quite often, employees forget about fairly simple safety rules. A separate "find" of cybercriminals is a newsletter stylized as a corporate letter, where the main bet is made on the curiosity of employees. A case from practice: a secretary was unable to open a letter with an alleged salary statement and sent it to a colleague, who sent it on to the system administrator, who also tried to open the attachment. The result was a compromise of the corporate server and a leak of personal data of the company's customers.
The most popular phishing topics:
- Information on discounts and promotions from well-known retail chains;
- Seasonal sales for the summer-cottage season and for the holidays;
- Gift information;
- Confidential information about employees or management of the company.
To improve employee literacy in information security issues, companies are increasingly conducting practical training using specialized platforms that allow you to conduct a training attack, collect statistics on the company, and also send "caught" users to the training portal to take an information security course.
Example of a training phishing attack:
During the holiday season, we take a real relevant newsletter. We change some of the data: the subject of the letter, adjust the content, insert the necessary link and send our version to the company's employees.
In this case, the training attack was carried out in an IT company with a high level of training in information security. The link in the letter was followed by no more than 15% of employees, who were then sent to the training course. The more often preventive measures are taken, the lower the risk of wrong actions in a real cyber attack.
According to experts, attackers will only increase their activity. Unprotected organizations with a low level of cybersecurity knowledge are most at risk.
Ministry of Digital Development has launched a phishing site monitoring system
On June 6, 2022, the Ministry of Digital Development announced the launch of a phishing site monitoring system.
Scammers use phishing for Apple services
On May 17, 2022, Group-IB announced the emergence of fraudulent schemes to steal money, bank card data and Apple accounts under the pretext of paying for and using the Apple Store, Apple Pay and iTunes services. In total, over the past two years, Group-IB experts have discovered more than 5,000 domains in the RU zone created only for phishing attacks on Russians in order to gain access to iPhone and Apple services.
Scammers send phishing emails on behalf of the Ministry of Digital Development and Roskomnadzor
Scammers send phishing letters on behalf of the Ministry of Digital Development and Roskomnadzor. This became known on March 31, 2022.
Malwarebytes, a cybersecurity company, spoke about this deception scheme.
Since March 23, Russian users have regularly received email messages, allegedly on behalf of representatives of the Ministry of Digital Development and Roskomnadzor. The letters warn about the illegality of using websites, social networks and messengers banned in Russia, as well as VPN services to bypass their blocking. A file in RTF format with a list of prohibited resources is attached to the message.
Experts found that when the document is opened on a smartphone, PC or any other device, the user downloads an HTML file which activates a script that allows fraudsters to gain remote access to the data on the device.
Phishing emails are targeted primarily at email addresses with the domains mail.ru, yandex.ru, mvd.ru, cap.ru and minobr-altai.ru.[9]
2021
Rubitech is the creator of the phishing site monitoring system
In November 2021, the Ministry of Digital Development signed a contract with the company Rubitech for the creation of a phishing site monitoring system. The winner of the competition proposed to implement the project for 128.3 million rubles, with an initial (maximum) contract price of 132.2 million rubles. The contractor will need to complete the work by June 1, 2022.
Mass appearance of fake public services sites
From October 18 to October 21, 2021, 48 domain names were registered in the .ru zone, imitating the portal of public services (gosusliga.ru, gosusluni.ru, etc.). This was reported by experts from Infosecurity a Softline Company.
Russians faced mass malicious mailing allegedly from the Federal Tax Service
At the end of September 2021, the Federal Tax Service (FTS) warned of malicious mailing, which was started by attackers using the name of the department.
Since September 29, the Federal Tax Service of Russia has been receiving complaints about the receipt of suspicious letters. Unknown persons on behalf of the Federal Tax Service of Russia send messages to corporate mail addresses that it is necessary to provide documents. The text of the email is designed so that the recipient opens the attached file, the service said in a statement.
The Federal Tax Service recalled that the department does not send such messages and has nothing to do with these letters. Taxpayers receive notifications of accrued taxes either in personal accounts or by mail. In addition, the tax authorities do not send anything to the taxpayers' email addresses.
On September 30, 2021, Kaspersky Lab reported that the company's experts had recorded a malicious mailing on behalf of the Federal Tax Service: more than 11 thousand attempts to launch a malicious attachment were detected. At the same time, it was noted that the real department has nothing to do with this mailing.
According to Kaspersky Lab, the letter contains a password-protected malicious archive of about 20 megabytes; the attachment is of the RMS type, software for obtaining remote access. The application uses IP addresses and a domain in the .ru zone; connections to the command servers use ports 5651, 4443 and 8080.
Those who opened the attachment are advised to download an antivirus to the infected device, disconnect it from the network and restart it in safe mode, delete temporary files, start the scanner, remove the virus or move it to quarantine, then restart the computer and change passwords.
Kaspersky Lab products block this malware with the verdict Backdoor.Win32.RABased.[10][11]
Fraud using the domain of government agencies gov.ru
In July 2021, a new type of fraud involving the gov.ru domain of government agencies became known: the domain is used to send phishing emails. This was reported by the administration of the RSNet network (Russian State Network, the Internet segment for the Russian authorities). Read more here.
2020
Roskachestvo warned of a wave of fraud with phishing sites before the election
On June 19, 2020, Roskachestvo warned of a wave of fraud involving phishing sites before the elections. The start date of voting on the adoption of amendments to the Constitution of the Russian Federation is approaching. Clone sites of the portal on changes to the country's basic law, 2020og.ru, have begun to appear in RuNet. So far these domains, with similar names and designs, contain only information about the voting, but the situation will undoubtedly change in 7 days, when voting begins. As a result, there will be a wave of scams related to phishing sites.
"As of June 17, 2020, experts have discovered more than 10 similar domains: 20200g.ru, 2020og-ru.ru and others. Among domain names, for example, lk-gosuslug1.ru or rf-gosuslugi.ru, but so far it is impossible to unambiguously associate them with the topic of voting. On the other hand, suspicious sites appear that do not try to copy the domains of official portals, but play up the topic of voting in the name. For example, sites golosovanie2020.ru or konstituciya-rf.ru."
Taking advantage of the inattention of users, fraudsters begin to collect personal data, with the help of which funds will be stolen in the future. How to prevent yourself from being deceived? The Center for Digital Expertise of Roskachestvo has prepared recommendations for protection against fraudulent phishing sites.
A few basic anti-phishing rules when handling emails:
- Be sure to check the address from which the letter came. Scammers often make the addresses of their fraudulent sites very similar to the original ones, so on a quick look at the letter everything may seem to be in order. It is better to check the address, especially if the letter somehow departs from the usual style of communication with this sender (and it is definitely always worth checking letters that come from someone for the first time).
- Check whether the letter is impersonal. Pay attention to whether the letter contains a name and to whom it is addressed. Sometimes scammers simply write "Hello" without the addressee's name; in other cases the addressee's email address is used after "Hello." This impersonal approach is another sign that a fraudster is most likely behind the email. Misuse of grammatical cases (when the criminals are foreign) or mechanically constructed sentences are also a sure sign of phishing.
- Check the dates. Scammers sometimes forget to specify the correct dates. For example, a letter invites the recipient to an event whose date has already passed.
- Check the links. Almost always, scammers in phishing emails try to impersonate large companies and organizations. The letter may contain a link to a site whose design, as a rule, copies that of the organization. It is better not to follow such links (following a link can by itself start a malicious process), but if the user has already clicked through to the website, believing it to be genuine, they must verify that it is the company's real site. To do this, open a new tab and search for the organization, go to its website and compare the URLs. Make it a rule not to follow links from letters, but instead to enter the site address manually in the search bar. If the user has an account on the site that supposedly holds a new message, they should log in manually in the browser and check whether the message is really there. If it is not, the email was most likely sent by a fraudster.
- Check whether bank data is requested. Most legitimate organizations will not request bank or other personal data in a letter. Personal information includes things like a credit card number, PIN or credit card security code, the mother's maiden name, or any other answers to security questions that the user may have entered. If an email asks you to update or re-enter personal or bank information, it is almost always fraud.
- Pressure, emphasis on haste. Scammers will try to apply pressure by urging the user to act right now or miss out on an offer. Do not rush; carry out every possible check of the message's authenticity.
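The address check in the first rule can be partly automated on the defender's side. The Python sketch below is an added example, not part of the Roskachestvo recommendations or of any tool named in this article; the allow-list of official names (gosuslugi.ru, the public services portal, and 2020og.ru), the confusable-character map and the edit-distance thresholds are assumptions. It is run on the look-alike domains quoted in this section.

```python
"""Added example: flag .ru domains that imitate a protected site's name."""

# Protected sites (assumed allow-list of official names).
OFFICIAL = ("gosuslugi.ru", "2020og.ru")

# Collapse visually confusable characters to one representative (assumed, minimal map).
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "i": "l"})


def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (official_domain, reason) if `domain` imitates one, else None."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return None
    # Assumption: the registrable domain is the last two labels; multi-label
    # public suffixes would need a public-suffix list instead.
    if ".".join(parts[-2:]) in OFFICIAL:
        return None  # the real site or one of its subdomains
    tokens = [t for t in parts[-2].split("-") if t]
    for official in OFFICIAL:
        brand = official.split(".")[0]
        skeleton = brand.translate(CONFUSABLE)
        limit = 2 if len(brand) >= 8 else 1  # assumed typo tolerance
        for token in tokens:
            if token == brand:
                return official, "brand-embedded"
            distance = edit_distance(token.translate(CONFUSABLE), skeleton)
            if distance == 0:
                return official, "confusable-characters"
            if distance <= limit:
                return official, "typo"
    return None


# Domains quoted in this article, plus the two official names as controls.
SAMPLES = ["gosusliga.ru", "gosusluni.ru", "lk-gosuslug1.ru", "rf-gosuslugi.ru",
           "20200g.ru", "2020og-ru.ru", "golosovanie2020.ru",
           "konstituciya-rf.ru", "gosuslugi.ru", "2020og.ru"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:22} {classify(name)}")
```

The two voting-themed names come back as `None`: a name-similarity check catches typosquats and embedded brand names, not domains that only play on a topic, so those still need content or registration-date review.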
"Once again, it must be emphasized that it is from the actions of the user (whether he comes across the "bait" of the phisher) that it depends in nine out of ten cases whether his phone or computer will be compromised (which is practically the same in the modern home digital ecosystem when devices work within the same network). Advice - you need to be careful and check everything that comes, not open everything on autopilot."
According to a study by Positive Technologies, to exploit 87% of vulnerabilities in mobile applications an attacker first "requires any user action." As a rule, this means phishing mailings and subsequent visits to suspicious sites via links from letters, instant messengers or SMS. Security is also weakened by factors such as elevating privileges in the mobile OS to administrative ones and installing applications from outside the official App Store and Google Play stores.
Roskachestvo gave recommendations to combat phishing:
- Be sure to ignore all links and attachments in letters from unknown addresses. As a rule, such files, disguised as reports or incomprehensible graphics, can contain dangerous malware.
- Make sure that your anti-virus software is always enabled and updated to the latest version, as this provides an additional level of protection if the user does accidentally download a computer virus after clicking a link or downloading an attachment.
- Regularly back up all important files. If all lines of antivirus defense are breached and the user loses important files, at least a copy of them will be safe. Store the copy physically on a separate disk or in the cloud (in this case, be sure to protect the files with a password).[12]
The number of fraudulent sites in Russia doubled in a year
By the end of March 2020, the number of fraudulent sites in Russia had doubled compared to the same period in 2019, and the number of click-throughs to such resources had increased 10 times, to 15 million. Kaspersky Lab cited these figures on May 6, 2020.
The company's specialists have identified about 10 thousand phishing sites that try to lure money out of Russians. The schemes vary. As a rule, users are promised a large monetary reward for completing a survey or taking part in a vote. To receive the money, a person needs to pay a "commission" or "fixing payment." Usually this is a small amount of about 200 rubles. But the user will not see any payout, and the "commission" goes to the attackers. In addition, a person who entered card data puts the safety of their payment information at risk.
If each blocked attempt to go to a fraudulent page entailed the deception of at least one user, then the potential amount of damage in the first quarter of 2020 alone could exceed 3 billion rubles, according to Kaspersky Lab.
According to the company, the most attractive categories for fraudsters are banks, pension funds, celebrities and state lotteries, the latter of which began to be actively used by attackers at the beginning of this year.
In addition, state lotteries came to the attention of the attackers. Kaspersky Lab discovered 219 pseudo-lottery fraudulent resources on which swindlers ask users to transfer money in order to receive winnings. Attackers create phishing sites to collect personal data, send links to them by email and SMS, ask users to enter personal data such as passwords and card details, and then steal money from accounts.[13]
2019: Runet's share of total phishing or malware sites declines
On July 5, 2019, Group-IB announced that the Russian domain zone had, by the end of 2018, reached record levels in reducing the volume of toxic sites. This was announced by CERT-GIB (Computer Emergency Response Team - Group-IB), the company's cybersecurity incident response center. With a 30% increase in 2018 in the number of potentially dangerous resources containing phishing or malicious software (malware), RuNet accounted for less than 20% of such sites, while in 2017 the share of toxic resources in the RU zone was almost 50% of all those blocked by CERT-GIB specialists. In addition, experts note that phishing is becoming cheaper and more sophisticated, but attackers are gradually leaving the RU zone. Users still open malicious exe files, and HTTPS is no longer synonymous with safety.
Group-IB noted that despite a 30 percent increase in the number of dangerous websites containing phishing or malware detected and blocked by CERT-GIB (from 4264 websites in 2017 to 6217 in 2018), the use of domains in the RU zone has become less attractive for attackers: the number of dangerous domains blocked by CERT-GIB in Runet decreased by 40% compared to 2017. Attackers increasingly prefer the .com zone: the number of toxic resources there increased almost 3 times in 2018. Attackers also began to choose "New gTLD" top-level domains more often (.online, .website, .space, etc.).
This trend is explained, among other things, by the active work of teams for monitoring and responding to computer incidents and by the efforts of the Coordination Center for .RU/.RF domains to create favorable conditions for the work of competent organizations. With the expansion of the international partner network and the automation of malicious content detection, the average time from CERT-GIB's response to neutralization of the malicious content decreased by 20% in 2018 compared to the previous year.
The total number of phishing resources located in various domain zones, including RU, identified and blocked by CERT-GIB in 2018 increased by 44% compared to 2017. Growth averaged 15% per quarter. In 2018, as part of the work of CERT-GIB, the activities of 4494 sites used for phishing purposes were suspended.
However, only 10% of this number (458) were domains in the Russian zone, while in 2017 they accounted for 27%. The number of resources distributing or controlling malware in the Russian zone in 2018 also decreased by 44% compared to 2017. The total number of such resources identified and blocked by CERT-GIB remained at the 2017 level: 1736 web resources in 2017 and 1723 sites in 2018.
2017
At the initiative of Sberbank, over 600 phishing domains and 1,300 sites with viruses were identified in Russia over the year
At the initiative of Sberbank's cybersecurity service, since the beginning of the year over 600 domain names used for phishing attacks, about 200 fraudulent sites and more than 1,300 sites that distributed malicious software have been identified and closed in the Russian Internet space. Sberbank announced this on September 15, 2017.
"We pay close attention to the fight against phishing," said Stanislav Kuznetsov, Deputy Chairman of the Board. "However, it is half the battle to identify and carry out the necessary actions on the sites of criminals. Gullible people who do not have the proper skills to protect against cyber fraud get caught on the "fishing rod" of scammers. That is why Sberbank's priorities are shifting towards preventive measures to improve the financial literacy of the population."
According to Sberbank, one of the most common phishing schemes is as follows: the victim receives a message of tempting or, conversely, frightening content with a proposal to either send personal data (logins, bank card passwords), or follow a link to a certain site on which you again need to enter your data. More than 48% of Internet users who receive phishing emails respond to them and become victims of criminals.
Since the number one target for phishers is financial services, most of which were online banks, Sberbank has developed a special program for industry representatives to increase the level of cyber literacy, including interactive courses followed by practice in recognizing the signs of phishing attacks.
Central Bank identified 481 fraudulent sites in 8 months
The report of the Center for Monitoring and Responding to Computer Attacks in the Financial Sphere (FinCERT) notes that "from January 1 to September 1, 2017, the Center sent information about 481 domains of various fraudulent topics for removal of delegation."
As a result of the review, 367 domains were blocked by registrars. Among them are 84 sites with P2P transfers that collect user payment card data (owner's name, number, validity date, card authenticity code) for illegal purposes, 44 false bank resources, 45 "insurance companies" and 39 financial pyramids.
Also blocked were from 20 to 30 sites of "airlines," online stores, "microfinance organizations," resources with malware, and platforms dedicated to financial fraud and the sale of dumps (copies) of bank cards.
AlfaStrakhovanie prevented the work of two fake sites for the sale of E-OSAGO
In 2016-2017, AlfaStrakhovanie twice faced attempts to create phishing sites that passed off their CTP calculator as the company's calculator in order to collect customers' payment card details and commit further fraud with them. The company fully supports the decision of the Bank of Russia's FinCERT and the Russian Union of Auto Insurers (RSA) to track sites offering fake E-OSAGO policies. Read more here.
2016
The Bank of Russia wants to get the right to disable the domains of phishing sites
The Central Bank of the Russian Federation and the Coordination Center for the National Internet Domain (CC) are negotiating to grant FinCert the right to disable domains in the national zones .ru and .rf through whose sites funds are stolen. The parties plan to sign the corresponding agreement by the end of this summer, according to media reports.
The agreement concerns disabling phishing sites that allow attackers to gain access to the credit card numbers of bank customers and other confidential information. After signing the agreement, FinCert will receive the authority to remove the delegation of domains used for phishing, stealing credit card data or forging pages of financial and credit institutions. According to the publication, the Central Bank is currently working to remove the delegation of domains through whose sites phishing attacks are carried out.
According to Internet Ombudsman Dmitry Marinichev, granting the Central Bank the right to disable phishing sites is the right initiative, since the regulator has up-to-date information about embezzlement of funds via the Internet. Appointing the Central Bank as a competent organization will reduce the risk that someone "will lose money," Marinichev said.
Central Bank received the right to block sites with malicious content
Internet sites with malicious content related to the financial markets and the national payment system will be blocked based on data received from the Central Bank. This was reported by the Russian news agency TASS.[14]
Such actions are provided for in the agreement between the Bank of Russia and the Coordination Center for the National Internet Domain, the administrator of the national top-level domains ".rf" and ".ru".
The Central Bank received the status of a competent organization with the right to identify violating sites that distribute malware, resources with illegal content, phishing sites, and provide this information to the coordination center and accredited domain name registrars to block such resources.
In addition, the Bank of Russia urged citizens to inform the regulator about unscrupulous sites located in the domestic domain space.
Notes
- Cyber fraudsters use fake Rosfinmonitoring sites to deceive Russians: already 170 fake domains
- More than 60 thousand phishing sites blocked since the beginning of the year
- Regulators are increasingly finding and blocking phishing sites
- Phishing resources in 2023 massively moved to the zone .ru
- The number of fraudulent sites in 2023 increased by 86%
- Hackers groped for growth point
- Alarming click: the number of phishing sites has tripled over the year
- Fraudsters create fake car sharing sites in Russia to steal data
- the Ministry of Digital Development and Roskomnadzor.
- Federal Tax Service of Russia warns of fraudulent mailings on the Internet
- Russians are faced with mass malicious mailings allegedly from the Federal Tax Service
- Roskachestvo warned of a wave of fraud with phishing sites before the election
- Sign of trust: Russians have become 10 times more likely to click on the sites of scammers
- Central Bank will help block sites with malicious content