Phishers turning hard-working: CERT-GIB records upsurge of phishing resource blockages as duration of attacks grows

Pierluigi Paganini May 08, 2020

Group-IB, a Singapore-based cybersecurity company, observed the growth of the lifespan of phishing attacks in the second half of 2019.

This trend, revealed by Group-IB’s Computer Emergency Response Team (CERT-GIB), resulted in the tremendous increase in the number of phishing websites blockages over the given period — it rose by over 230 percent year-on-year. In 2019 in general, web phishers slightly changed their preferences: email service providers gave way to cloud storages in the Top 3 of phishers’ targets, which comes as no surprise given the fact that they keep record of literally every aspect of personal and sometimes corporate lives, holding gigabytes of sensitive data. Online services and financial organizations fill the other two spots in the top and seem to stay among the most frequent victims for long.

Diligent phishers

In H2 2019, as part of its work to detect and prevents threats distributing online, Group-IB’s Computer Emergency Response Team (CERT-GIB) blocked a total of 8, 506 phishing web resources, while in H2 2018, the figure stood at 2,567.This sharp upsurge in the number of blockages stems from the growing duration of phishing attacks: cybercriminals used to stop their fraudulent campaign as soon as their web pages were blocked, quickly mobilizing efforts for attacks on other brands. Today, they no longer dwell on it and continue replacing removed pages with new ones. One more trend that derives from that is the rising number of resources accumulated for a single attack.

Target reshuffle

phishing attacks 1
Figure 1 The distribution of web-phishing among target categories 

According to the figures for the past year, the Top-3 of web phishers’ targets were online services (namely client software, online streaming services, e-commerce, delivery services and etc.) (29,3%), cloud storages (25,4%), and financial organizations (17,6%). It should be noted that some of the tech companies provide a wide range of Internet-related services and some of them, like cloud storages and email services, form separate categories. CERT-GIB’s findings indicate that phishing attack perpetrators have revised their so-called target pool. Thus, the number of phishing attacks on cloud storages nearly doubled last year, while Internet providers have seen the three-fold increase in the number of phishing scams targeting them. Both access to users’ cloud storages and accounts with internet service provider enables the attackers to get much sensitive information like personal and payment data.This was accompanied by a lower interest to email service providers — the share of attacks on them decreased from 19,9 percent to 5,9 percent — and cryptocurrency projects, which became less attractive to cybercriminals as hype surrounding them started fading away.

Balance of power

phishing attacks 2
Figure 2 The map of major web phishing-hosting countries

The pedestal of web phishing-hosting countries, according to CERT-GIB’s, had its leader changed last year: the United States (27%), which was an irremovable leader in terms of hosting phishing for the past several years, yielded to Russia (34%), taking the second position, while Panama, well behind its two predecessors, remained third (8%) just as the year earlier.Other countries hosting the majority of phishing pages in 2019 were Germany, South Africa, the United Kingdom, the Netherlands, Canada, Malaysia, and France.

Malware delivery: what’s on the menu?

H2 2019 has proved the tendency of past several years: mail remains the main method of delivering ransomware, spyware, backdoors and other malware, being used by cyber crooks in 94 percent of cases. In the majority of cases — 98 percent — malicious items were delivered as attachments, while only 2 percent of phishing emails contained links, by clicking which a user could download malware. To compare, according to CERT-GIB, in H1 2019, 23 percent of phishing emails had a link in them, which might mean that malicious attachments proved to have a greater “ROI” for scammers.To bypass corporate security systems in H2 2019, cybercriminals continued to archive their malicious attachments. About 70% of all malicious objects, detected by CERT-GIB, were delivered in archive files, mainly in .rar (29%) and .zip (16%) formats. Threat actors included the passwords for accessing the archives’ contents in the subject of the email, the name of the archive, or in their subsequent correspondence with the victim.

phishing attacks 3
Figure 3 Top-10 threats hiding in phishing emails in H2 2019 and extension of attached malicious files

In the second half of 2019, ransomware remained the most frequent “stuffing” of phishing emails, accounting for 47 percent of the total number of malicious attachments. Banking Trojans, as Group-IB forecasted in its Hi-Tech Crime Trends Report 2019/2020, continued losing its popularity and represented only 9 percent of malicious attachments. They, in turn, let spyware and backdoors move ahead and become the second most popular malware with a 35-percent share. The reason behind it might be the expanding functionality of backdoors, which also enables them to steal financial data and replace instruments designed for harvesting banking data only, like banking Trojans. Top-10 tools used in attacks tracked by CERT-GIB in the second half of 2019 were ransomware Troldesh (55%), which Group-IB has been tracking for several years already; backdoors Pony (11%), Formbook (5%), Nanocore (4%) and Netwire (1%); banking Trojans RTM (6%) and Emotet (5%); and spyware AgentTesla (3%), Hawkeye (2%), and Azorult (1%). AgentTeslaNetwire, and Azorult for the first time appeared among attackers’ preferred instruments.

“In the second half of 2019, we saw the prolongation of phishing attacks – attackers changed approach toward the conduct of their campaigns, choosing quantity over quality,” comments CERT-GIB deputy head Yaroslav Kargalev. “Cloud storages and online services are due to remain among phishers’ main targets due to the large amount of personal information that is stored in them, cybercriminals are likely to use the access to them to first download data from cloud storages and then blackmail their victims to increase the chances of receiving a ransom.”

About CERT-GIB CERT-GIB, opened in 2011, became the first certified private emergency response services in Eastern Europe and currently is one of the largest ones in the region. CERT-GIB is a round-the-clock first technical emergency aid tasked with helping to contain the threat and bring trusted incident responders, forensic analysts, and investigation experts on the scene, if needed, to eliminate costly delays. As part of CERT-GIB, a Security Operation Center (SOC) has been set up, with its employees monitoring cybersecurity incidents in international companies using various cybersecurity systems and solutions, including the system for the detection of targeted attacks at an early stage, Threat Detection System, and the system that monitors, analyzes and predicts cyberthreats – Threat Intelligence. The experts of CERT-GIB ensure the round-the-clock support for incident response and can send a mobile unit to the incident site to control the relevant procedures and gather digital evidence. CERT-GIB is also authorized to block malware distribution websites, as well as phishing and fraudulent websites in over 2,500 domain zones.CERT-GIB is an accredited member of the Trusted Introducer (Association of European Security and Incident Response Teams) and a member of the Forum of Incident Response and Security Teams (FIRST) and Organisation of Islamic Cooperation (OIC-CERT).

About Group-IB Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks, online fraud, IP protection and high-profile cyber investigations. Group-IB’s Threat Intelligence system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB’s technological leadership is built on the company’s 17 years of hands-on experience in cybercrime investigations around the world and 60 000 hours of cyber security incident response accumulated in one of biggest forensic laboratory and a round-the-clock center providing a rapid response to cyber incidents—CERT-GIB. Group-IB is a partner of INTERPOL, Europol, and has been recommended by the OSCE as a cybersecurity solutions provider.Group-IB’s experience, threat hunting & intelligence have been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyber threats.Our mission is to protect clients in cyberspace using innovative products and services.  
Due to the ongoing pandemic, Group-IB has set up the StayCyberSafe portal with recommendations for organizing comfortable and cybersafe remote work and webinars about modern cyberthreats and the ways to confront them.

Please vote Security Affairs for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
https://docs.google.com/forms/d/e/1FAIpQLSe8AkYMfAAwJ4JZzYRm8GfsJCDON8q83C9_wu5u10sNAt_CcA/viewform

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – phishing attacks, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment