Phishing in 2022<\/h2>\n
Last year’s resonant global events<\/h3>\n
The year 2022 saw cybercrooks try to profit from new film releases and premieres just as they always have. The bait included the most awaited and talked-about releases: the new season of Stranger Things, the new Batman movie, and the Oscar nominees. Short-lived phishing sites often offered to see the premieres before the eagerly awaited movie or television show was scheduled to hit the screen. Those who just could not wait were in for a disappointment and a waste of cash. The promises of completely free access to the new content were never true. By clicking what appeared to be a link to the movie, the visitor got to view the official trailer or a film studio logo. Several seconds into the “preview”, the stream was interrupted by an offer to buy an inexpensive subscription right there on the website to continue watching. If the movie lover entered their bank card details on the fake site, they risked paying more than the displayed amount for content that did not exist and sharing their card details with the scammers.<\/p>\n
![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13132238\/spam-phishing-report-2022-01.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13132326\/spam-phishing-report-2022-02.jpg\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13132414\/spam-phishing-report-2022-03.jpg\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13132716\/spam-phishing-report-2022-04.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13132903\/spam-phishing-report-2022-05.png\")
<\/a><\/p>\nThe pandemic<\/h3>\nThe COVID-19 theme had lost relevance by late 2022 as the pandemic restrictions had been lifted in most countries. At the beginning of that year, we still observed phishing attacks that used the themes of infection and prevention as the bait. For example, one website offered users to obtain a COVID vaccination certificate by entering their British National Health Service (NHS) account credentials. Others offered the coveted Green Pass without vaccination.<\/p>\n
![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13141812\/spam-phishing-report-2022-06.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13141841\/spam-phishing-report-2022-07.png\")
<\/a><\/p>\nCrypto phishing and crypto scams<\/h3>\nThe unabated popularity of cryptocurrency saw crypto scammers’ interest in wallet owners’ accounts growing, despite the fact that rates continued to drop throughout the year. Cybercriminals chased seed phrases, used for recovering access to virtual funds. By getting the user’s secret phrase, cybercriminals could get access to their cryptocurrency balance.<\/p>\n
![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13141926\/spam-phishing-report-2022-08.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13142443\/spam-phishing-report-2022-09.png\")
<\/a><\/p>\nCompensation, bonus, and paid survey scams<\/h3>\nBonuses and compensations are hard to deny in times of crisis and instability, but it is worth keeping in mind that “financial assistance” is frequently promised by con artists to swindle you out of your money.<\/p>\n
“Promotional campaigns by major banks” were a popular bait in 2022. Visitors to a fraudulent web page were offered to receive a one-time payment or to take a service quality survey for a fee. Unlike the prizes offered in the aforementioned crypto schemes, these fees were smaller: an equivalent of $30\u201340. The cybercriminals used an array of techniques to lull victims’ vigilance: company logos, assurances that the campaigns were legit, as well as detailed, lifelike descriptions of the offer. Similar “campaigns” were staged in the name of other types of organizations, for example, the Polish finance ministry.<\/p>\n
![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13142523\/spam-phishing-report-2022-10.png\")
<\/a><\/p>\nAid as distributed by various governmental and nongovernmental organizations remained a popular fraud theme in 2022. For example, in Muslim countries, scammers promised to send charity packages, purportedly under a “Ramadan Relief” program that aimed at helping low-income families during the Ramadan fast. The fasting period typically sees higher prices for food and household products, whereas observers buy more than they normally do and may be faced with a shortage of money. Legitimate charities, such as WF-AID<\/a>, do operate Ramadan relief programs, and judging by the screenshot below, the fraudsters were pretending to represent that organization. An eye-catching picture of the organization’s logo and huge boxes was accompanied by a list of foodstuffs included in the aid package, with positive “recipient feedback” posted below the message. The victim was asked to make sure that their name was on the list of recipients, so they could get a package. This required providing personal data on the website and sending a link to the scam site to instant messaging contacts\u2014nothing extraordinary for hoaxes like this. This way, the scammers both populate their databases and have victims spread links to their malicious resources for them. In addition to that, they might ask the victim to cover the “shipping costs”.<\/p>\n
![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13142600\/spam-phishing-report-2022-11.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13142636\/spam-phishing-report-2022-12.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13142706\/spam-phishing-report-2022-13.png\")
<\/a><\/p>\nFake online stores and large vendor phishing<\/h3>\nWe see fake websites that imitate large online stores and marketplaces year after year, and 2022 was no exception. Phishing attacks targeted both the customers of globally known retailers and regional players. An attack often started with the victim receiving a link to a certain product supposedly offered at an attractive price, by email, in an instant messaging app, or on a social network. Those who fell for the trick could lose access to their accounts, have their bank card details stolen, or waste the money they wanted to spend on the dirt-cheap item.<\/p>\n
![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13142737\/spam-phishing-report-2022-14.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13142817\/spam-phishing-report-2022-15.jpg\")
<\/a><\/p>\nHijacking of social media accounts<\/h3>\nUsers of social media have increasingly focused on privacy lately. That said, curiosity is hard to contain: people want to check out who has been following them, but do so without the other party knowing. Cybercriminals who were after their account credentials offered victims to have their cake and eat it by using some new social media capability. A fake Facebook Messenger page promised to install an update that could change the user’s appearance and voice during video calls, and track who has been viewing their profile, among other features. To get the “update”, the victim was asked to enter their account credentials, which the scammers immediately took over.<\/p>\n
![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13142852\/spam-phishing-report-2022-16.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13142919\/spam-phishing-report-2022-17.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13142944\/spam-phishing-report-2022-18.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13143155\/spam-phishing-report-2022-19.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13143228\/spam-phishing-report-2022-20-EN.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13143725\/spam-phishing-report-2022-21.jpg\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13143807\/spam-phishing-report-2022-22.png\")
<\/a><\/p>\nSpam in 2022<\/h2>\nThe pandemic<\/h3>\nUnlike phishing, COVID-themed spam is still a thing. Most of that is “Nigerian-type” scams: millionaires dying from COVID bequeathing their money to treatment and prevention efforts, and to improve the lives of those who have recovered, or Mark Zuckerberg running a special COVID lottery where one can win a million euros even if they are not a Facebook user. Recipients are told that they could claim some IMF money left unallocated because of the pandemic. Others are offered hefty amounts under an anti-recession assistance program.<\/p>\n
Unlike phishing, COVID-themed spam is still a thing. Most of that is “Nigerian-type” scams: millionaires dying from COVID bequeathing their money to treatment and prevention efforts, and to improve the lives of those who have recovered, or Mark Zuckerberg running a special COVID lottery where one can win a million euros even if they are not a Facebook user. Recipients are told that they could claim some IMF money left unallocated because of the pandemic. Others are offered hefty amounts under an anti-recession assistance program.<\/p>\n
![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13143915\/spam-phishing-report-2022-23.png\")
<\/a><\/p>\nContact form spam<\/h3>\nThe year 2022 saw cybercriminals abuse contact forms for spam more frequently. In a typical scheme of this kind, scammers find websites that offer registration, contact, or support request forms that do not require the user to be logged in to submit, and do not check the data entered. In some cases, they insert a scam message with a hyperlink in the login or name fields, and in others, add a longer text with images to the message field. Then the attackers add victims’ email addresses to the contact fields and submit. When getting a message via a registration or contact form, most websites reply to the user’s email address that their request was received and is being processed, their account has been created, and so on. As a result, the person gets an automated reply from an official address of a legitimate organization, containing unsolicited advertisements or a scam link.<\/p>\n
![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13144349\/spam-phishing-report-2022-24.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13145016\/spam-phishing-report-2022-25.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13150322\/spam-phishing-report-2022-26.png\")
<\/a><\/p>\nWe blocked upward of a million scam emails sent via legitimate forms in 2022.<\/p>\n
Blackmail in the name of law enforcement agencies<\/h3>\nExtortion spam is nothing new. In such emails, attackers usually claim that the recipient has broken the law and demand money. In 2022, these mailings not only continued, but also evolved. For example, there was virtually no text in the messages: the user was either asked to open an attached PDF file to find out more, or they received threats in the form of an image with text. In addition, the geography of mailings widened in 2022.<\/p>\n
The essence of the message, as in similar emails sent earlier, was that a criminal case was going to be opened against the recipient due to allegedly visiting sites containing child pornography.<\/p>\n
![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13150404\/spam-phishing-report-2022-27.png\")
<\/a><\/p>\nExploiting the news<\/h3>\nSpammers constantly use major world events in their fraudulent schemes. The 2022 geopolitical crisis was no exception. Throughout the year, we saw mailings aimed at English-speaking users proposing transferring money, usually to a Bitcoin wallet, to help the victims of the conflict in Ukraine. Scammers often demand the transfer of money to Bitcoin wallets, as it is more difficult to trace the recipient through cryptocurrency transactions than through the bank ones. Blackmail demanding payment in cryptocurrency used to prevail in spam. Now, attackers have started collecting Bitcoin for charity.<\/p>\n
![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13150431\/spam-phishing-report-2022-28.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13150458\/spam-phishing-report-2022-29.jpg\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13153541\/spam-phishing-report-2022-30.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13153600\/spam-phishing-report-2022-31.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13153622\/spam-phishing-report-2022-32.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13153708\/spam-phishing-report-2022-33.png\")
<\/a><\/p>\nSpam with malicious attachments<\/h3>\nEmployees shifting to remote work during the pandemic and the associated growth of online communications spurred the active development of various areas of phishing, both mass and targeted. Attackers have become more active in imitating business correspondence, not only targeting HR-specialists and accountants, as before the pandemic, but also employees in other departments. In 2022, we saw an evolution of malicious emails masquerading as business correspondence. Attackers actively used social engineering techniques in their emails, adding signatures with logos and information from specific organizations, creating a context appropriate to the company’s profile, and applying business language. They also actively exploited off the current news agenda and mentioned real employees from the company supposedly sending the emails. Spammers faked their messages as internal company correspondence, business correspondence between different organizations, and even as notifications from government agencies.<\/p>\n
![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13153731\/spam-phishing-report-2022-34.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13153756\/spam-phishing-report-2022-35.png\")
<\/a><\/p>\nIn most cases, either the Qbot<\/a> Trojan or Emotet<\/a> was loaded when the malicious document was opened. Both can be used to steal user data, collect information about the corporate network, and spread additional malware, such as ransomware. Qbot also allows you to gain access to emails and steal them for further attacks.<\/p>\n
Two-stage spear phishing using a known phish kit<\/h2>\nIn 2022, we saw an increase in spear (or targeted) phishing attacks targeting businesses around the world. In addition to typical campaigns consisting of one stage, there were attacks in several stages. In the first email, scammers in the name of a potential client asked the victim to specify information about its products and services. After the victim responds to this email, the attackers start a phishing attack.<\/p>\n
Key facts:<\/p>\n
\n- Attackers use fake Dropbox pages created using a well-known phishing kit<\/li>\n
- The campaign targets the sales departments of manufacturers and suppliers of goods and services<\/li>\n
- Attackers use SMTP IP addresses and From<\/em> domains provided by Microsoft Corporation and Google LLC (Gmail)<\/li>\n<\/ul>\n
Statistics<\/h3>\nThe campaign began in April 2022, with malicious activity peaking in May, and ended by June.<\/p>\n
<\/div>\nNumber of emails related to a two-step targeted campaign detected by Kaspersky solutions (download<\/a>)<\/em><\/p>\n
How a phishing campaign unfolds<\/h3>\nAttackers send an email in the name of a real trade organization requesting more information about the victim company’s products. The email text looks plausible and has no suspicious elements, such as phishing links or attachments. A sender’s email address from a free domain, like gmail.com, may raise doubts. The email on the screenshot below is sent from an address in this domain, and the company name in the From<\/em> field is different to its name in the signature.<\/p>\n
Example of the first email<\/em><\/strong><\/p>\n
It is worth noting that the use of free domains is not typical for spear phishing in the name of organizations, because such domains are rarely used in business. Most often in targeted attacks, attackers either use spoofing of the legitimate domain<\/a> of the organization they are pretending to be, or register domains similar to the original one. In addition, Google and Microsoft are pretty quick in blocking email addresses spotted sending spam. This is the most likely reason why attackers used different addresses in the From<\/em> header (where the email came from) and Reply-to<\/em> header (where the reply will go when clicking “Reply” in your email client). This means the victim responds to another address, which may be located in another free domain, such as outlook.com. The address in the Reply-to<\/em> header is not used for spam, and correspondence with it is initiated by the victim, so it is less likely to be blocked quickly.<\/p>\n
An email with a phishing link<\/em><\/strong><\/p>\n
A fake Dropbox page<\/em><\/strong><\/p>\n
Login page with a phishing form<\/em><\/strong><\/p>\n
<form name=\"loginform\">\r\n <div class=\"form-group\">\r\n <label for=\"\">Email Address<\/label>\r\n <input type=\"email\" id=\"email\" class=\"form-control\" name=\"email\" placeholder=\"email Address\">\r\n <div class=\"email-error\"><\/div>\r\n <\/div>\r\n <div class=\"form-group\">\r\n <label for=\"\">Password<\/label>\r\n <input type=\"password\" id=\"password\" class=\"form-control\" name=\"password\" placeholder=\"Password\">\r\n <div class=\"password-error\"><\/div>\r\n <\/div>\r\n <div class=\"form-group btn-area\">\r\n <button class=\"download-btn\" id=\"db\" type=\"submit\">Download<\/button>\r\n <\/div>\r\n <\/form>\r\n <\/div>\r\n <script src=\"https:\/\/firebasestorage.googleapis.com\/v0\/b\/linktopage-c7fd6.appspot.com\/o\/obfuscated.js?alt=media&token=1bb73d28-53c8-4a1e-9b82-1e7d62f3826b\"><\/script>\r\n<\/pre>\nHTML representation of a phishing form<\/em><\/strong><\/p>\n
Victims<\/h3>\nWe have identified targets for this campaign around the world, including the following countries: Russia, Bosnia and Herzegovina, Singapore, USA, Germany, Egypt, Thailand, Turkey, Serbia, Netherlands, Jordan, Iran, Kazakhstan, Portugal, and Malaysia.<\/p>\n
Statistics: spam<\/h2>\n
Share of spam in mail traffic<\/h3>\nIn 2022, an average of 48.63% of emails worldwide were spam, representing a 3.07 p.p. increase on 2021. Over the course of the year, however, the share of spam in global email traffic has gradually declined, from 51.02% in the first quarter to 46.16% in the fourth.<\/p>\n
<\/div>\nShare of spam in global email traffic, 2022 (download<\/a>)<\/em><\/p>\n
<\/div>\nProportion of spam in Runet email traffic, 2022 (download<\/a>)<\/em><\/p>\n
Countries and territories \u2014 sources of spam<\/h3>\nIn 2022, the share of spam from Russia continued to grow, from 24.77% to 29.82%. Germany (5.19%) swapped places with mainland China (14.00%), whose share increased by 5.27 percentage points. Third place is still held by the United States (10.71%).<\/p>\n
<\/div>\nTOP 20 countries and territories \u2014 sources of spam, 2022 (download<\/a>)<\/em><\/p>\n
Malicious mail attachments<\/h3>\nIn 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments. That’s an increase of 18 million from the previous year. This component caused most triggers in March, May, and June 2022.<\/p>\n
<\/div>\nNumber of Mail Anti-Virus hits, January \u2014 December 2022 (download<\/a>)<\/em><\/p>\n
The most common malicious email attachments in 2022, as in 2021, were Agensla<\/a> Trojan stealers (7.14%), whose share decreased slightly. Noon<\/a> spyware (4.89%) moved up to second place, and Badun<\/a> Trojans (4.61%) spreading as archived electronic documents moved down to third place. The fourth most common malware were vulnerability exploits CVE-2018-0802<\/a> (4.33%) in Microsoft Equation Editor. In 2022, attackers used them significantly more often than CVE-2017-11882<\/a> exploits in the same component (1.80%). This vulnerability was more widespread in 2021 and has now dropped to tenth place.<\/p>\n
<\/div>\nTOP 10 malware families spread by email attachments in 2022 (download<\/a>)<\/em><\/p>\n
ISO<\/a> Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the Guloader<\/a> downloader family (2.65%), which delivers remotely controlled malware to victims’ devices. They are closely followed by the Badur<\/a> family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous Emotet<\/a> botnet (2.52%). Law enforcement shut this down in early 2021, but by fall, attackers had restored the infrastructure and were actively distributing it in 2022. More recently, Emotet has been used to deliver other malware to victims’ devices, particularly ransomware. The ninth most popular family was Taskun<\/a> (2.10%), which creates malicious tasks in the task scheduler.<\/p>\n
<\/div>\nTOP 10 types of malware spread by email attachments in 2022 (download<\/a>)<\/em><\/p>\n
Countries and territories targeted by malicious mailings<\/h3>\nSpain remains the leader in terms of blocked malicious attachments in 2022 (8.78%), which is a slight decrease compared to 2021 (9.32%). The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%), and fourth place to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.<\/p>\n
<\/div>\nTOP 20 countries and territories targeted by malicious mailings, 2022 (download<\/a>)<\/em><\/p>\n
Statistics: phishing<\/h2>\nIn 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.<\/p>\n
Map of phishing attacks<\/h3>\n
In 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices from Vietnam (17.03%). In 2021, this country was not among the TOP 10 most attacked countries and territories. Macau is in second place (13.88%), also absent from last year’s ranking. Madagascar is in third place (12.04%), which was seventh in 2021. In addition to Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) appeared at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh. Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.<\/p>\n
TOP 10 countries and territories by share of attacked users:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Statistics<\/h3>\nThe campaign began in April 2022, with malicious activity peaking in May, and ended by June.<\/p>\n
<\/div>\nNumber of emails related to a two-step targeted campaign detected by Kaspersky solutions (download<\/a>)<\/em><\/p>\n
How a phishing campaign unfolds<\/h3>\nAttackers send an email in the name of a real trade organization requesting more information about the victim company’s products. The email text looks plausible and has no suspicious elements, such as phishing links or attachments. A sender’s email address from a free domain, like gmail.com, may raise doubts. The email on the screenshot below is sent from an address in this domain, and the company name in the From<\/em> field is different to its name in the signature.<\/p>\n
Example of the first email<\/em><\/strong><\/p>\n
It is worth noting that the use of free domains is not typical for spear phishing in the name of organizations, because such domains are rarely used in business. Most often in targeted attacks, attackers either use spoofing of the legitimate domain<\/a> of the organization they are pretending to be, or register domains similar to the original one. In addition, Google and Microsoft are pretty quick in blocking email addresses spotted sending spam. This is the most likely reason why attackers used different addresses in the From<\/em> header (where the email came from) and Reply-to<\/em> header (where the reply will go when clicking “Reply” in your email client). This means the victim responds to another address, which may be located in another free domain, such as outlook.com. The address in the Reply-to<\/em> header is not used for spam, and correspondence with it is initiated by the victim, so it is less likely to be blocked quickly.<\/p>\n
An email with a phishing link<\/em><\/strong><\/p>\n
A fake Dropbox page<\/em><\/strong><\/p>\n
Login page with a phishing form<\/em><\/strong><\/p>\n
<form name=\"loginform\">\r\n <div class=\"form-group\">\r\n <label for=\"\">Email Address<\/label>\r\n <input type=\"email\" id=\"email\" class=\"form-control\" name=\"email\" placeholder=\"email Address\">\r\n <div class=\"email-error\"><\/div>\r\n <\/div>\r\n <div class=\"form-group\">\r\n <label for=\"\">Password<\/label>\r\n <input type=\"password\" id=\"password\" class=\"form-control\" name=\"password\" placeholder=\"Password\">\r\n <div class=\"password-error\"><\/div>\r\n <\/div>\r\n <div class=\"form-group btn-area\">\r\n <button class=\"download-btn\" id=\"db\" type=\"submit\">Download<\/button>\r\n <\/div>\r\n <\/form>\r\n <\/div>\r\n <script src=\"https:\/\/firebasestorage.googleapis.com\/v0\/b\/linktopage-c7fd6.appspot.com\/o\/obfuscated.js?alt=media&token=1bb73d28-53c8-4a1e-9b82-1e7d62f3826b\"><\/script>\r\n<\/pre>\nHTML representation of a phishing form<\/em><\/strong><\/p>\n
Victims<\/h3>\nWe have identified targets for this campaign around the world, including the following countries: Russia, Bosnia and Herzegovina, Singapore, USA, Germany, Egypt, Thailand, Turkey, Serbia, Netherlands, Jordan, Iran, Kazakhstan, Portugal, and Malaysia.<\/p>\n
Statistics: spam<\/h2>\n
Share of spam in mail traffic<\/h3>\nIn 2022, an average of 48.63% of emails worldwide were spam, representing a 3.07 p.p. increase on 2021. Over the course of the year, however, the share of spam in global email traffic has gradually declined, from 51.02% in the first quarter to 46.16% in the fourth.<\/p>\n
<\/div>\nShare of spam in global email traffic, 2022 (download<\/a>)<\/em><\/p>\n
<\/div>\nProportion of spam in Runet email traffic, 2022 (download<\/a>)<\/em><\/p>\n
Countries and territories \u2014 sources of spam<\/h3>\nIn 2022, the share of spam from Russia continued to grow, from 24.77% to 29.82%. Germany (5.19%) swapped places with mainland China (14.00%), whose share increased by 5.27 percentage points. Third place is still held by the United States (10.71%).<\/p>\n
<\/div>\nTOP 20 countries and territories \u2014 sources of spam, 2022 (download<\/a>)<\/em><\/p>\n
Malicious mail attachments<\/h3>\nIn 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments. That’s an increase of 18 million from the previous year. This component caused most triggers in March, May, and June 2022.<\/p>\n
<\/div>\nNumber of Mail Anti-Virus hits, January \u2014 December 2022 (download<\/a>)<\/em><\/p>\n
The most common malicious email attachments in 2022, as in 2021, were Agensla<\/a> Trojan stealers (7.14%), whose share decreased slightly. Noon<\/a> spyware (4.89%) moved up to second place, and Badun<\/a> Trojans (4.61%) spreading as archived electronic documents moved down to third place. The fourth most common malware were vulnerability exploits CVE-2018-0802<\/a> (4.33%) in Microsoft Equation Editor. In 2022, attackers used them significantly more often than CVE-2017-11882<\/a> exploits in the same component (1.80%). This vulnerability was more widespread in 2021 and has now dropped to tenth place.<\/p>\n
<\/div>\nTOP 10 malware families spread by email attachments in 2022 (download<\/a>)<\/em><\/p>\n
ISO<\/a> Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the Guloader<\/a> downloader family (2.65%), which delivers remotely controlled malware to victims’ devices. They are closely followed by the Badur<\/a> family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous Emotet<\/a> botnet (2.52%). Law enforcement shut this down in early 2021, but by fall, attackers had restored the infrastructure and were actively distributing it in 2022. More recently, Emotet has been used to deliver other malware to victims’ devices, particularly ransomware. The ninth most popular family was Taskun<\/a> (2.10%), which creates malicious tasks in the task scheduler.<\/p>\n
<\/div>\nTOP 10 types of malware spread by email attachments in 2022 (download<\/a>)<\/em><\/p>\n
Countries and territories targeted by malicious mailings<\/h3>\nSpain remains the leader in terms of blocked malicious attachments in 2022 (8.78%), which is a slight decrease compared to 2021 (9.32%). The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%), and fourth place to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.<\/p>\n
<\/div>\nTOP 20 countries and territories targeted by malicious mailings, 2022 (download<\/a>)<\/em><\/p>\n
Statistics: phishing<\/h2>\nIn 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.<\/p>\n
Map of phishing attacks<\/h3>\n
In 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices from Vietnam (17.03%). In 2021, this country was not among the TOP 10 most attacked countries and territories. Macau is in second place (13.88%), also absent from last year’s ranking. Madagascar is in third place (12.04%), which was seventh in 2021. In addition to Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) appeared at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh. Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.<\/p>\n
TOP 10 countries and territories by share of attacked users:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Number of emails related to a two-step targeted campaign detected by Kaspersky solutions (download<\/a>)<\/em><\/p>\n
How a phishing campaign unfolds<\/h3>\nAttackers send an email in the name of a real trade organization requesting more information about the victim company’s products. The email text looks plausible and has no suspicious elements, such as phishing links or attachments. A sender’s email address from a free domain, like gmail.com, may raise doubts. The email on the screenshot below is sent from an address in this domain, and the company name in the From<\/em> field is different to its name in the signature.<\/p>\n
Example of the first email<\/em><\/strong><\/p>\n
It is worth noting that the use of free domains is not typical for spear phishing in the name of organizations, because such domains are rarely used in business. Most often in targeted attacks, attackers either use spoofing of the legitimate domain<\/a> of the organization they are pretending to be, or register domains similar to the original one. In addition, Google and Microsoft are pretty quick in blocking email addresses spotted sending spam. This is the most likely reason why attackers used different addresses in the From<\/em> header (where the email came from) and Reply-to<\/em> header (where the reply will go when clicking “Reply” in your email client). This means the victim responds to another address, which may be located in another free domain, such as outlook.com. The address in the Reply-to<\/em> header is not used for spam, and correspondence with it is initiated by the victim, so it is less likely to be blocked quickly.<\/p>\n
An email with a phishing link<\/em><\/strong><\/p>\n
A fake Dropbox page<\/em><\/strong><\/p>\n
Login page with a phishing form<\/em><\/strong><\/p>\n
<form name=\"loginform\">\r\n <div class=\"form-group\">\r\n <label for=\"\">Email Address<\/label>\r\n <input type=\"email\" id=\"email\" class=\"form-control\" name=\"email\" placeholder=\"email Address\">\r\n <div class=\"email-error\"><\/div>\r\n <\/div>\r\n <div class=\"form-group\">\r\n <label for=\"\">Password<\/label>\r\n <input type=\"password\" id=\"password\" class=\"form-control\" name=\"password\" placeholder=\"Password\">\r\n <div class=\"password-error\"><\/div>\r\n <\/div>\r\n <div class=\"form-group btn-area\">\r\n <button class=\"download-btn\" id=\"db\" type=\"submit\">Download<\/button>\r\n <\/div>\r\n <\/form>\r\n <\/div>\r\n <script src=\"https:\/\/firebasestorage.googleapis.com\/v0\/b\/linktopage-c7fd6.appspot.com\/o\/obfuscated.js?alt=media&token=1bb73d28-53c8-4a1e-9b82-1e7d62f3826b\"><\/script>\r\n<\/pre>\nHTML representation of a phishing form<\/em><\/strong><\/p>\n
Victims<\/h3>\nWe have identified targets for this campaign around the world, including the following countries: Russia, Bosnia and Herzegovina, Singapore, USA, Germany, Egypt, Thailand, Turkey, Serbia, Netherlands, Jordan, Iran, Kazakhstan, Portugal, and Malaysia.<\/p>\n
Statistics: spam<\/h2>\n
Share of spam in mail traffic<\/h3>\nIn 2022, an average of 48.63% of emails worldwide were spam, representing a 3.07 p.p. increase on 2021. Over the course of the year, however, the share of spam in global email traffic has gradually declined, from 51.02% in the first quarter to 46.16% in the fourth.<\/p>\n
<\/div>\nShare of spam in global email traffic, 2022 (download<\/a>)<\/em><\/p>\n
<\/div>\nProportion of spam in Runet email traffic, 2022 (download<\/a>)<\/em><\/p>\n
Countries and territories \u2014 sources of spam<\/h3>\nIn 2022, the share of spam from Russia continued to grow, from 24.77% to 29.82%. Germany (5.19%) swapped places with mainland China (14.00%), whose share increased by 5.27 percentage points. Third place is still held by the United States (10.71%).<\/p>\n
<\/div>\nTOP 20 countries and territories \u2014 sources of spam, 2022 (download<\/a>)<\/em><\/p>\n
Malicious mail attachments<\/h3>\nIn 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments. That’s an increase of 18 million from the previous year. This component caused most triggers in March, May, and June 2022.<\/p>\n
<\/div>\nNumber of Mail Anti-Virus hits, January \u2014 December 2022 (download<\/a>)<\/em><\/p>\n
The most common malicious email attachments in 2022, as in 2021, were Agensla<\/a> Trojan stealers (7.14%), whose share decreased slightly. Noon<\/a> spyware (4.89%) moved up to second place, and Badun<\/a> Trojans (4.61%) spreading as archived electronic documents moved down to third place. The fourth most common malware were vulnerability exploits CVE-2018-0802<\/a> (4.33%) in Microsoft Equation Editor. In 2022, attackers used them significantly more often than CVE-2017-11882<\/a> exploits in the same component (1.80%). This vulnerability was more widespread in 2021 and has now dropped to tenth place.<\/p>\n
<\/div>\nTOP 10 malware families spread by email attachments in 2022 (download<\/a>)<\/em><\/p>\n
ISO<\/a> Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the Guloader<\/a> downloader family (2.65%), which delivers remotely controlled malware to victims’ devices. They are closely followed by the Badur<\/a> family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous Emotet<\/a> botnet (2.52%). Law enforcement shut this down in early 2021, but by fall, attackers had restored the infrastructure and were actively distributing it in 2022. More recently, Emotet has been used to deliver other malware to victims’ devices, particularly ransomware. The ninth most popular family was Taskun<\/a> (2.10%), which creates malicious tasks in the task scheduler.<\/p>\n
<\/div>\nTOP 10 types of malware spread by email attachments in 2022 (download<\/a>)<\/em><\/p>\n
Countries and territories targeted by malicious mailings<\/h3>\nSpain remains the leader in terms of blocked malicious attachments in 2022 (8.78%), which is a slight decrease compared to 2021 (9.32%). The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%), and fourth place to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.<\/p>\n
<\/div>\nTOP 20 countries and territories targeted by malicious mailings, 2022 (download<\/a>)<\/em><\/p>\n
Statistics: phishing<\/h2>\nIn 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.<\/p>\n
Map of phishing attacks<\/h3>\n
In 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices from Vietnam (17.03%). In 2021, this country was not among the TOP 10 most attacked countries and territories. Macau is in second place (13.88%), also absent from last year’s ranking. Madagascar is in third place (12.04%), which was seventh in 2021. In addition to Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) appeared at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh. Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.<\/p>\n
TOP 10 countries and territories by share of attacked users:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
![\"Example](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13153835\/spam-phishing-report-2022-36.jpg\")
<\/a><\/p>\n![\"An](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13153858\/spam-phishing-report-2022-37.jpg\")
<\/a><\/p>\n![\"A](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13153925\/spam-phishing-report-2022-38.jpg\")
<\/a><\/p>\n![\"A](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13153950\/spam-phishing-report-2022-39.png\")
<\/a><\/p>\n![\"Login](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13154022\/spam-phishing-report-2022-40.jpg\")
<\/a><\/p>\nHTML representation of a phishing form<\/em><\/strong><\/p>\n
Victims<\/h3>\nWe have identified targets for this campaign around the world, including the following countries: Russia, Bosnia and Herzegovina, Singapore, USA, Germany, Egypt, Thailand, Turkey, Serbia, Netherlands, Jordan, Iran, Kazakhstan, Portugal, and Malaysia.<\/p>\n
Statistics: spam<\/h2>\n
Share of spam in mail traffic<\/h3>\nIn 2022, an average of 48.63% of emails worldwide were spam, representing a 3.07 p.p. increase on 2021. Over the course of the year, however, the share of spam in global email traffic has gradually declined, from 51.02% in the first quarter to 46.16% in the fourth.<\/p>\n
<\/div>\nShare of spam in global email traffic, 2022 (download<\/a>)<\/em><\/p>\n
<\/div>\nProportion of spam in Runet email traffic, 2022 (download<\/a>)<\/em><\/p>\n
Countries and territories \u2014 sources of spam<\/h3>\nIn 2022, the share of spam from Russia continued to grow, from 24.77% to 29.82%. Germany (5.19%) swapped places with mainland China (14.00%), whose share increased by 5.27 percentage points. Third place is still held by the United States (10.71%).<\/p>\n
<\/div>\nTOP 20 countries and territories \u2014 sources of spam, 2022 (download<\/a>)<\/em><\/p>\n
Malicious mail attachments<\/h3>\nIn 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments. That’s an increase of 18 million from the previous year. This component caused most triggers in March, May, and June 2022.<\/p>\n
<\/div>\nNumber of Mail Anti-Virus hits, January \u2014 December 2022 (download<\/a>)<\/em><\/p>\n
The most common malicious email attachments in 2022, as in 2021, were Agensla<\/a> Trojan stealers (7.14%), whose share decreased slightly. Noon<\/a> spyware (4.89%) moved up to second place, and Badun<\/a> Trojans (4.61%) spreading as archived electronic documents moved down to third place. The fourth most common malware were vulnerability exploits CVE-2018-0802<\/a> (4.33%) in Microsoft Equation Editor. In 2022, attackers used them significantly more often than CVE-2017-11882<\/a> exploits in the same component (1.80%). This vulnerability was more widespread in 2021 and has now dropped to tenth place.<\/p>\n
<\/div>\nTOP 10 malware families spread by email attachments in 2022 (download<\/a>)<\/em><\/p>\n
ISO<\/a> Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the Guloader<\/a> downloader family (2.65%), which delivers remotely controlled malware to victims’ devices. They are closely followed by the Badur<\/a> family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous Emotet<\/a> botnet (2.52%). Law enforcement shut this down in early 2021, but by fall, attackers had restored the infrastructure and were actively distributing it in 2022. More recently, Emotet has been used to deliver other malware to victims’ devices, particularly ransomware. The ninth most popular family was Taskun<\/a> (2.10%), which creates malicious tasks in the task scheduler.<\/p>\n
<\/div>\nTOP 10 types of malware spread by email attachments in 2022 (download<\/a>)<\/em><\/p>\n
Countries and territories targeted by malicious mailings<\/h3>\nSpain remains the leader in terms of blocked malicious attachments in 2022 (8.78%), which is a slight decrease compared to 2021 (9.32%). The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%), and fourth place to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.<\/p>\n
<\/div>\nTOP 20 countries and territories targeted by malicious mailings, 2022 (download<\/a>)<\/em><\/p>\n
Statistics: phishing<\/h2>\nIn 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.<\/p>\n
Map of phishing attacks<\/h3>\n
In 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices from Vietnam (17.03%). In 2021, this country was not among the TOP 10 most attacked countries and territories. Macau is in second place (13.88%), also absent from last year’s ranking. Madagascar is in third place (12.04%), which was seventh in 2021. In addition to Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) appeared at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh. Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.<\/p>\n
TOP 10 countries and territories by share of attacked users:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
In 2022, an average of 48.63% of emails worldwide were spam, representing a 3.07 p.p. increase on 2021. Over the course of the year, however, the share of spam in global email traffic has gradually declined, from 51.02% in the first quarter to 46.16% in the fourth.<\/p>\n
Share of spam in global email traffic, 2022 (download<\/a>)<\/em><\/p>\n
Proportion of spam in Runet email traffic, 2022 (download<\/a>)<\/em><\/p>\n
Countries and territories \u2014 sources of spam<\/h3>\nIn 2022, the share of spam from Russia continued to grow, from 24.77% to 29.82%. Germany (5.19%) swapped places with mainland China (14.00%), whose share increased by 5.27 percentage points. Third place is still held by the United States (10.71%).<\/p>\n
<\/div>\nTOP 20 countries and territories \u2014 sources of spam, 2022 (download<\/a>)<\/em><\/p>\n
Malicious mail attachments<\/h3>\nIn 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments. That’s an increase of 18 million from the previous year. This component caused most triggers in March, May, and June 2022.<\/p>\n
<\/div>\nNumber of Mail Anti-Virus hits, January \u2014 December 2022 (download<\/a>)<\/em><\/p>\n
The most common malicious email attachments in 2022, as in 2021, were Agensla<\/a> Trojan stealers (7.14%), whose share decreased slightly. Noon<\/a> spyware (4.89%) moved up to second place, and Badun<\/a> Trojans (4.61%) spreading as archived electronic documents moved down to third place. The fourth most common malware were vulnerability exploits CVE-2018-0802<\/a> (4.33%) in Microsoft Equation Editor. In 2022, attackers used them significantly more often than CVE-2017-11882<\/a> exploits in the same component (1.80%). This vulnerability was more widespread in 2021 and has now dropped to tenth place.<\/p>\n
<\/div>\nTOP 10 malware families spread by email attachments in 2022 (download<\/a>)<\/em><\/p>\n
ISO<\/a> Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the Guloader<\/a> downloader family (2.65%), which delivers remotely controlled malware to victims’ devices. They are closely followed by the Badur<\/a> family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous Emotet<\/a> botnet (2.52%). Law enforcement shut this down in early 2021, but by fall, attackers had restored the infrastructure and were actively distributing it in 2022. More recently, Emotet has been used to deliver other malware to victims’ devices, particularly ransomware. The ninth most popular family was Taskun<\/a> (2.10%), which creates malicious tasks in the task scheduler.<\/p>\n
<\/div>\nTOP 10 types of malware spread by email attachments in 2022 (download<\/a>)<\/em><\/p>\n
Countries and territories targeted by malicious mailings<\/h3>\nSpain remains the leader in terms of blocked malicious attachments in 2022 (8.78%), which is a slight decrease compared to 2021 (9.32%). The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%), and fourth place to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.<\/p>\n
<\/div>\nTOP 20 countries and territories targeted by malicious mailings, 2022 (download<\/a>)<\/em><\/p>\n
Statistics: phishing<\/h2>\nIn 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.<\/p>\n
Map of phishing attacks<\/h3>\n
In 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices from Vietnam (17.03%). In 2021, this country was not among the TOP 10 most attacked countries and territories. Macau is in second place (13.88%), also absent from last year’s ranking. Madagascar is in third place (12.04%), which was seventh in 2021. In addition to Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) appeared at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh. Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.<\/p>\n
TOP 10 countries and territories by share of attacked users:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
TOP 20 countries and territories \u2014 sources of spam, 2022 (download<\/a>)<\/em><\/p>\n
Malicious mail attachments<\/h3>\nIn 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments. That’s an increase of 18 million from the previous year. This component caused most triggers in March, May, and June 2022.<\/p>\n
<\/div>\nNumber of Mail Anti-Virus hits, January \u2014 December 2022 (download<\/a>)<\/em><\/p>\n
The most common malicious email attachments in 2022, as in 2021, were Agensla<\/a> Trojan stealers (7.14%), whose share decreased slightly. Noon<\/a> spyware (4.89%) moved up to second place, and Badun<\/a> Trojans (4.61%) spreading as archived electronic documents moved down to third place. The fourth most common malware were vulnerability exploits CVE-2018-0802<\/a> (4.33%) in Microsoft Equation Editor. In 2022, attackers used them significantly more often than CVE-2017-11882<\/a> exploits in the same component (1.80%). This vulnerability was more widespread in 2021 and has now dropped to tenth place.<\/p>\n
<\/div>\nTOP 10 malware families spread by email attachments in 2022 (download<\/a>)<\/em><\/p>\n
ISO<\/a> Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the Guloader<\/a> downloader family (2.65%), which delivers remotely controlled malware to victims’ devices. They are closely followed by the Badur<\/a> family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous Emotet<\/a> botnet (2.52%). Law enforcement shut this down in early 2021, but by fall, attackers had restored the infrastructure and were actively distributing it in 2022. More recently, Emotet has been used to deliver other malware to victims’ devices, particularly ransomware. The ninth most popular family was Taskun<\/a> (2.10%), which creates malicious tasks in the task scheduler.<\/p>\n
<\/div>\nTOP 10 types of malware spread by email attachments in 2022 (download<\/a>)<\/em><\/p>\n
Countries and territories targeted by malicious mailings<\/h3>\nSpain remains the leader in terms of blocked malicious attachments in 2022 (8.78%), which is a slight decrease compared to 2021 (9.32%). The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%), and fourth place to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.<\/p>\n
<\/div>\nTOP 20 countries and territories targeted by malicious mailings, 2022 (download<\/a>)<\/em><\/p>\n
Statistics: phishing<\/h2>\nIn 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.<\/p>\n
Map of phishing attacks<\/h3>\n
In 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices from Vietnam (17.03%). In 2021, this country was not among the TOP 10 most attacked countries and territories. Macau is in second place (13.88%), also absent from last year’s ranking. Madagascar is in third place (12.04%), which was seventh in 2021. In addition to Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) appeared at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh. Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.<\/p>\n
TOP 10 countries and territories by share of attacked users:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Number of Mail Anti-Virus hits, January \u2014 December 2022 (download<\/a>)<\/em><\/p>\n
The most common malicious email attachments in 2022, as in 2021, were Agensla<\/a> Trojan stealers (7.14%), whose share decreased slightly. Noon<\/a> spyware (4.89%) moved up to second place, and Badun<\/a> Trojans (4.61%) spreading as archived electronic documents moved down to third place. The fourth most common malware were vulnerability exploits CVE-2018-0802<\/a> (4.33%) in Microsoft Equation Editor. In 2022, attackers used them significantly more often than CVE-2017-11882<\/a> exploits in the same component (1.80%). This vulnerability was more widespread in 2021 and has now dropped to tenth place.<\/p>\n
TOP 10 malware families spread by email attachments in 2022 (download<\/a>)<\/em><\/p>\n
ISO<\/a> Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the Guloader<\/a> downloader family (2.65%), which delivers remotely controlled malware to victims’ devices. They are closely followed by the Badur<\/a> family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous Emotet<\/a> botnet (2.52%). Law enforcement shut this down in early 2021, but by fall, attackers had restored the infrastructure and were actively distributing it in 2022. More recently, Emotet has been used to deliver other malware to victims’ devices, particularly ransomware. The ninth most popular family was Taskun<\/a> (2.10%), which creates malicious tasks in the task scheduler.<\/p>\n
TOP 10 types of malware spread by email attachments in 2022 (download<\/a>)<\/em><\/p>\n
Countries and territories targeted by malicious mailings<\/h3>\nSpain remains the leader in terms of blocked malicious attachments in 2022 (8.78%), which is a slight decrease compared to 2021 (9.32%). The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%), and fourth place to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.<\/p>\n
<\/div>\nTOP 20 countries and territories targeted by malicious mailings, 2022 (download<\/a>)<\/em><\/p>\n
Statistics: phishing<\/h2>\nIn 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.<\/p>\n
Map of phishing attacks<\/h3>\n
In 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices from Vietnam (17.03%). In 2021, this country was not among the TOP 10 most attacked countries and territories. Macau is in second place (13.88%), also absent from last year’s ranking. Madagascar is in third place (12.04%), which was seventh in 2021. In addition to Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) appeared at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh. Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.<\/p>\n
TOP 10 countries and territories by share of attacked users:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
TOP 20 countries and territories targeted by malicious mailings, 2022 (download<\/a>)<\/em><\/p>\n
![\"Dynamics](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13154605\/spam-phishing-report-2022-42.png\")
<\/a><\/p>\n![\"Dynamics](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/13154645\/spam-phishing-report-2022-41.png\")
<\/a><\/p>\n