An intense hunt for corporate account credentials will continue into the next quarter, researchers have predicted.
Variants on banking scams and corporate-account credential hunting, using increasingly clever lures, including those built around COVID-19 vaccine promises, will likely dominate the spam and phishing landscape throughout Q2 2021, the researchers concluded.
No dramatically new trends have emerged, but Kaspersky researchers, who have just released their report for Q1 2021, observed that the spear-phishing tactics attackers use against victims are improving.
QR-Code Phishing Lures
Mobile banking scams, for example, are far from new, but attackers have now developed a couple of new methods.
In one case from Q1 2020, Kaspersky reported that clients of several Dutch banks received a fraudulent email prompting them to scan a QR code to “unlock” mobile banking. Instead, they were directed to a web page loaded with malware.
QR codes have become an increasingly popular tool for threat actors, especially since the pandemic, because the public has grown used to scanning them to view menus, check in for vaccines and get public information.
Another banking scam observed by Kaspersky researchers sent a fake newsletter posing as legitimate correspondence from MKB bank with updates on COVID-19; instead, it delivered a bogus Outlook sign-in page designed to harvest credentials.
Other phishing lures observed by Kaspersky last quarter included offers of government pay-outs, intended to steal credit-card information and personal data.
COVID-19 vaccines are the most important topic around the world, and malicious actors have capitalised on this over the past several weeks.
“Cyber-criminals took advantage of people’s desire to get vaccinated as quickly as possible,” according to the report.
“For instance, some UK residents received an email that appeared to come from the NHS. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link.”
Another particularly despicable COVID scam email specifically targeted people over 65 seeking a vaccine, the researchers added.
“In both cases, to make a vaccination appointment, a form had to be filled out with personal data; and in the first case, the phishers also wanted bank-card details,” the report explained. “If the victim followed all the instructions on the fake website, they handed their money and personal data to the attackers.”
Fraudsters also sent out scam vaccination surveys: emails doctored up to look as if they came from pharmaceutical companies making vaccines, asking for input.
“Participants were promised a gift or cash reward for their help,” the report added. “After answering the questions, the victim was redirected to a page with the ‘gift.’”
The victim was then asked for personal information, or in some cases, even payment information to pay for delivery of the “prize.”
Scammers also sent emails convincingly disguised to look like they were sent from Chinese vaccine-makers.
Because consumers are getting better at spotting scams, attackers are becoming more adept at making their communications seem genuine. This matters most when they are after what Kaspersky calls “a coveted prize for scammers”: corporate usernames and passwords.
“To counter people’s increasingly wary attitude to emails from outside, attackers try to give their mailings a respectable look, disguising them as messages from business tools and services,” Kaspersky observed. “By blending into the workflow, the scammers calculate that the user will be persuaded to follow the link and enter data on a fake page.”
The team observed a malicious link delivered through Microsoft Planner, and in Russia they found an email posing as a message from an analytics portal’s support team. Both asked for corporate-account credentials.
The ‘Less is More’ Lure
Another interesting lure type highlighted in the Kaspersky report asks for only a tiny amount of money to complete the scam transaction. In one example the team gives, the criminals asked for just 1.99 rubles ($0.27).
“The calculation was simple: Users would be less averse to paying a small amount than a larger one, which means more potential victims willing to enter card details on the bogus site,” the report explained. The emails were usually themed around everyday services such as deliveries, or carried fake “invoices” for domain usage or a WhatsApp subscription.
“The attackers’ calculation was simple: first lull the victim’s vigilance with a legitimate link, then get them to enter their credentials on a fake page,” the report explained.
In all, spam traffic was down somewhat (by 2.1%) in Q1.
The Russian-language internet (“Runet”) also saw a small drop in spam of less than 2%, the report added. Russia accounted for the largest share of outgoing spam with 22.47%, followed by Germany with 14.89%, Kaspersky found. The US and China followed with 12.98% and 7.38% of the world’s spam traffic, respectively.
Malicious email attachments detected were also down, but Kaspersky explains that this is primarily due to a boost in the number of attachments blocked by mail antivirus.
The most common malicious attachment in spam emails during the quarter was the Agensla malware, Kaspersky reports, with 8.91% of detected malicious attachments; exploits for the Microsoft Equation Editor vulnerability CVE-2017-11882 came second. The Badun family was third with 5.79%.
“The Top 10 most common malicious attachments in Q4 corresponds exactly to the ranking of families,” the report explained. “This suggests that each of the above-described families was widespread largely due to one member.”
Online stores remained the most popular impersonation targets for phishing pages, accounting for 15.77% of those observed, Kaspersky stated. Global internet portals (15.5%) and banks (10.04%) were close behind.
Kaspersky also warns of a possible slight increase in tourism-related lures in the coming months.
“As the summer season approaches, an increase in the number of emails related to tourism is possible; however, due to the pandemic, it is likely to be small,” the report suggested.
“On the other hand, cyber-criminals will almost certainly continue to actively hunt corporate-account credentials, exploiting the fact that many companies are still in remote-working mode and communication among employees is predominantly online.”