The term “phishing” was coined back in 1996, when cybercriminals attacked users of America Online (AOL), the largest internet provider at that time. Posing as AOL employees, the scammers sent messages asking users to verify their accounts or asking for payment details. This method of phishing for personal data is still in use today, because, unfortunately, it continues to yield results.<\/p>\n
Also in the 1990s, the first online scams appeared. When banks began to roll out internet banking, scammers sent text messages to users supposedly from relatives with an urgent request to transfer money to the details given in the message.<\/p>\n
By the early 2000s, charity had become a common scam topic: for example, after the massive Indian Ocean earthquake and tsunami of 2004, users received messages from fake charities pleading for donations. At around the same time, phishers started targeting online payment systems and internet banks. Since user accounts in those days were protected only by a password, it was enough for attackers to phish out this information to gain access to victims’ money. To do this, they sent e-mails in the name of companies such as PayPal, asking users to go to a fake site displaying the corporate logo and enter their credentials. To make their sites look more credible, cybercriminals registered multiple domains all very similar to the original, differing by just two or three letters. An inattentive user could easily mistake a fake for a genuine bank or payment system website. In addition, scammers often used personal information from victims’ own social media pages to make their attacks more targeted, and thus more successful.<\/p>\n
As time progressed, online fraud became ever more sophisticated and persuasive. Cybercriminals learned how to successfully mimic the official websites of brands, making them almost indistinguishable from the original, and to find new ways to approach victims. There appeared services specializing in creating fake content, at which point phishing really took off. Now not only the personal data and finances of ordinary users were in the firing line, but politicians and big business as well.<\/p>\n
This report examines the main phishing trends, methods, and techniques that are live in 2022.<\/p>\n
Phishing and scams: current types of fraud<\/h2>\n
Phishing:<\/h3>\n
Phishers can target credentials in absolutely any online service: banks, social networks, government portals, online stores, mail services, delivery companies, etc. But it is customers of top brands that are most often at risk, because people use and trust them more than smaller brands, increasing the likelihood of a successful attack.<\/p>\n
To extract the coveted information, cybercriminals try to persuade victims that they are logging in on the real website of the respective company or service, or that they are sharing their credentials with a company employee. Often, fake sites look no different from the original, and even an experienced user might be fooled. Phishers skillfully copy the layout and design of official sites, adding extra details to their pages, such as live chat support (usually inactive), and linking to real services to inspire confidence.<\/p>\n
![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05162017\/phishing-scam-techniques-tricks-01.png\")
<\/a><\/p>\nPhishing site with chat support<\/em><\/p>\n
![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05162026\/phishing-scam-techniques-tricks-02.png\")
<\/a><\/p>\nScams<\/h3>\nWhile phishers target both businesses and ordinary internet users, scammers prey mostly on the latter. Most scams work by offering the victim an easy way to earn a chunk of money, or the chance to win a valuable prize or get something for free or at a huge discount. The main goal of this type of threat is to raise money, but scammers can also harvest the victim’s personal data to sell later or use in other schemes.<\/p>\n
In the screenshot below, for example, the victim is informed they have won a smartphone and asked to pay a small fee to have it delivered, as well as specify their e-mail address, date of birth, gender, phone number, and home address.<\/p>\n
Form for collecting personal data to send the bogus prize<\/em><\/p>\n
Offer to activate a premium account on a fake dating site<\/em><\/p>\n
There are other ways to attract victims to scam sites: by “selling” sought-after or scarce<\/a> goods, or trips with like-minded travelers, etc. In general, if something’s popular with users, fraudsters will use it as bait.<\/p>\n
Distribution<\/h2>\nAlthough most scams and phishing attacks begin with mass e-mails containing links to fake websites, alternative attack vectors are gaining ground today. There are so many different communication and data sharing platforms that attackers can use to distribute phishing links.<\/p>\n
Messengers<\/h3>\nOne of the main vectors for phishing and scaming are messengers such as WhatsApp and Telegram.<\/p>\n
WhatsApp users might receive a fraudulent message from either the cybercriminals themselves or someone in their contact list. To spread their scams, attackers send messages in the name of popular brands or government agencies, but have no qualms about involving users too. In particular, to receive a gift promised in a message, they often get the victim to forward it to all or some of their contacts.<\/p>\n
Comment in a Telegram chat promoting a currency exchange scheme<\/em><\/p>\n
![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05162036\/phishing-scam-techniques-tricks-03.png\")
<\/a><\/p>\n![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05162045\/phishing-scam-techniques-tricks-04.png\")
<\/a><\/p>\nAlthough most scams and phishing attacks begin with mass e-mails containing links to fake websites, alternative attack vectors are gaining ground today. There are so many different communication and data sharing platforms that attackers can use to distribute phishing links.<\/p>\n
Messengers<\/h3>\nOne of the main vectors for phishing and scaming are messengers such as WhatsApp and Telegram.<\/p>\n
WhatsApp users might receive a fraudulent message from either the cybercriminals themselves or someone in their contact list. To spread their scams, attackers send messages in the name of popular brands or government agencies, but have no qualms about involving users too. In particular, to receive a gift promised in a message, they often get the victim to forward it to all or some of their contacts.<\/p>\n
![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05162053\/phishing-scam-techniques-tricks-05.png\")
<\/a><\/p>\n![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05162104\/phishing-scam-techniques-tricks-06.png\")
<\/a><\/p>\nComment in a Telegram chat promoting a currency exchange scheme<\/em><\/p>\n
Social networks<\/h3>\nComments offering easy profits are also found on social networks, for example, under photos in popular accounts, where messages are more likely to be read than on a page with fewer followers. Cybercriminals invite users to follow a link in a profile header, send them a direct message, or join a secret group chat. A message can also contain a link to a phishing or scam site. Posts promising well-paid part-time work with a link to a mini app are also common on VK, the Russian equivalent of Facebook. In addition, cybercriminals can use social networks to send direct messages to users, promote their offers, or create fake accounts promising valuable gifts, in-game currency, and gift cards. These are hyped up through ads, hashtags, or mass tagging of users in posts, comments, or on photos.<\/p>\n
Instagram account “giving away” free smartphones<\/em><\/p>\n
Marketplaces<\/h3>\nMarketplaces act as an intermediary between the user and the seller, to some extent ensuring the security of the transaction for both parties. But their functionality is open to abuse by scammers as well. A widespread scheme on Russian marketplaces<\/a> is when the seller appears reluctant to communicate on the site and tries to move the conversation to a third-party messenger where they can send a malicious link without fear of triggering the marketplace’s built-in defenses.<\/p>\n
Phishing and scam attack methods<\/h2>\nTo carry out attacks, cybercriminals employ a wide range of technical and psychological tricks to dupe as many users as possible while minimizing the risk of detection.<\/p>\n
Below are the main phishing and scam techniques used in 2022.<\/p>\n
Spoofing<\/h3>\nTo increase the victim’s trust in a fake resource, scammers often try to make it as similar as possible to the original. This technique is known as spoofing. In the context of website spoofing, there are two main types:<\/p>\n
\n- Domain spoofing, when attackers fake a website domain to fool users,<\/li>\n
- Content spoofing, when they mimic the appearance of a legitimate site.<\/li>\n<\/ul>\n
It’s common for attacks to deploy both of these.<\/p>\n
Domain spoofing<\/u> involves registering a domain similar to that of the target organization. Phishers are careful to choose domains that don’t look suspicious to victims. Domain spoofing can be divided into three categories:<\/p>\n
\n- Typosquatting is the use of the original domain name with typos commonly made by users when inputting the URL, such as missing or extra characters, or letters in the wrong order.<\/li>\n<\/ul>\n
\n- Combosquatting is the use of additional words, often related to authorization or online security, in a domain name similar to that of the brand whose users are the target. For example, words like “login”, “secure”, “account”, “verify”, and so on.<\/li>\n<\/ul>\n
The word “account” in a domain name alongside the name of a bank<\/em><\/p>\n
\n- Internationalized domain name (IDN) homograph attacks work by using Unicode characters that closely resemble letters in the Latin alphabet. For example, the most commonly used Cyrillic letters in such attacks are a, c, e, o, p, x, y, because they look identical to Latin a, c, e, o, p, x, y.<\/li>\n<\/ul>\n
Content spoofing<\/u> is used to fake the appearance of a legitimate site. Here, the following methods can be singled out:<\/p>\n
\n- Legal iFrame Background is when an iFrame is used to load a legitimate site onto a rogue one, on top of which a phishing form is overlaid.<\/li>\n<\/ul>\n
Legitimate site serving as a background for a phishing form<\/em><\/p>\n
\n- HTML spoofing is the visual imitation of a legitimate site by, among other things, partially copying its style and HTML code. Scammers often use software for creating mirror sites, such as HTTrack and Website Downloader.<\/li>\n
<\/u><\/p>\n
Comment in the HTML code of a phishing page indicating that HTTrack was used<\/em><\/p>\n
Website hacking<\/h3>\nSometimes it’s easier for scammers to hack others’ sites to host malicious content than to create their own from scratch. Such phishing pages tend to be short-lived, because the site owners quickly detect and remove scam content, as well as regularly patch holes and vulnerabilities in their infrastructure. That said, if cybercriminals break into an abandoned site, phishing pages hosted there can survive a long time<\/a>. Phishers can exploit compromised sites in several ways:<\/p>\n
\n- iFrame Injection is when a login form or other part of a phishing page is inserted through an iFrame. Whereas the Legal iFrame Background method involves the use of an iFrame with a legitimate website as the background for a phishing form, in the case of iFrame Injection the URL of the page is legitimate, while the iFrame contains a phishing form, whose background is most often homemade content using brand logos.<\/li>\n<\/ul>\n
Login form created using an iFrame on a hacked site<\/em><\/p>\n
\n- Subfolder Hijacking is the partial hacking of a site to gain access to its subdirectories to place fraudulent content there. Such attacks can either use existing directories on the legitimate site or create new ones.<\/li>\n<\/ul>\n
Home page of a hacked site that looks normal<\/em><\/p>\n
Phishing page placed in a subdirectory of a hacked site<\/em><\/p>\n
\n- Site Swapping is the complete replacement of a legitimate site with a phishing one. The original content is usually removed.<\/li>\n<\/ul>\n
Using legitimate services<\/h3>\nSome internet scammers, instead of bothering to create or hack sites, prefer to exploit the features of services trusted by users. As such, forms for creating online surveys and collecting data (Google Forms, MS Forms, HubSpot Form Builder, Typeform, Zoho Forms, etc.) are very often used to perform an attack.<\/p>\n
For example, in the screenshot below, scammers under the guise of technical support for a popular cryptowallet use a Google form to coax identification data out of users, such as e-mail address and secret phrase.<\/p>\n
Fraudsters try to finagle confidential data through Google Forms<\/em><\/p>\n
Avoiding detection<\/h3>\nScammers use various techniques to hide from detection. Some are quite effective but not so common, because they require more advanced technical know-how than many scammers possess.<\/p>\n
One method to avoid detection is obfuscation, where the user-invisible source code of a scam page is scrambled to make the attack hard to detect by automated means. We talked in detail about obfuscation methods in our post about the phishing-kit market<\/a>.<\/p>\n
\n- Use of images. If text is replaced with images of text, content engines will be unable to see and analyze the text, so users will read it.<\/li>\n
- Browser notifications. Links to scam resources can be distributed through browser notifications. Unlike e-mails and public websites, browser notifications are processed in several stages, and not all anti-phishing engines analyze them. This allows cybercriminals to bypass at least some detection technologies.<\/li>\n<\/ul>\n
\n- Pop-up windows. Scam content can open in pop-up windows on a site. Pop-up windows load later than the site’s main window, so not all anti-phishing technologies see them. In addition, pop-up windows furnish attackers with additional tools to copy the appearance of a legitimate site. In particular, cybercriminals can use the Browser-in-the-Browser method, when a pop-up window imitates a browser window with an address bar showing the URL of a legitimate site.<\/li>\n<\/ul>\n
\n- URL links randomly generated using hashes. Each victim receives a unique link, which makes it difficult to block a malicious site.<\/li>\n
- URL shorteners. Attackers can mask malicious addresses using legitimate URL shorteners, such as bit.ly.<\/li>\n<\/ul>\n
Social engineering elements<\/h3>\nCybercriminals’ tricks often target the user and not the security system’s vulnerabilities. Scammers employ their knowledge of the human psyche to deceive victims. These can be combined with technical means to achieve a devastating effect.<\/p>\n
\n- Fake CAPTCHA. Cybercriminals mimic CAPTCHA technology on scam sites to persuade victims to perform certain actions.<\/li>\n<\/ul>\n
\n- User-Related Dynamic Content. The page content changes depending on the user and their data, such as e-mail address: to fake the domain, images are downloaded from the user’s mail and inserted into the phishing page.<\/li>\n<\/ul>\n
Attackers use the victim’s mail domain to create content on a scam site<\/em><\/p>\n
\n- Intimidation and threats. Cybercriminals can intimidate victims to make them panic and act rashly. For example, they may threaten legal action and demand payment of a “fine” for the victim to be left in peace. Attackers can also threaten to block the victim’s account to force them to click a phishing link.<\/li>\n<\/ul>\n
\n- Attackers give victims a limited time window to respond to their message in one way or another to make them act rashly.<\/li>\n<\/ul>\n
Scam site demands urgent payment of “COVID-19-related expenses” for delivery of a parcel<\/em><\/p>\n
\n- An appeal to pity. Cybercriminals try to arouse people’s sense of pity to get them to part with their cash.<\/li>\n
- Lucrative offers. Scammers tempt victims with lip-smacking offers that are hard to refuse.<\/li>\n<\/ul>\n
Cybercriminals lure the user with the chance to win an Amazon gift card<\/em><\/p>\n
Conclusion<\/h2>\nMost users today are more or less aware of the current web threats. Many have either experienced internet scams themselves, or know about them from the news or other sources, making it harder for attackers to dupe victims and so requiring the use of ever more sophisticated methods. Instead of slapdash phishing and scam sites, high-quality fakes are becoming increasingly common. This includes mimicking a browser window with a legitimate URL in a pop-up window, as well as phishing pages with a legitimate site in the background, loaded via an iFrame. We’ve also seen elements of targeted attacks in phishing and scams, such as downloading content related to the target’s mail domain or using data got from large-scale leaks to make contact with potential victims.<\/p>\n
At the same time, vishing is on the rise, because it’s easier to apply pressure over the phone, giving the victim no time to mull things over. In addition, cybercriminals use other available communication channels: e-mail, popular messengers, social networks, marketplaces.<\/p>\n
To implement attacks, they employ a variety of techniques, such as spoofing, social engineering, site hacking, and code and content hiding. Alongside this, detection avoidance methods also continue to evolve. Attackers are increasingly using one-time generated links with hashes to prevent web threat detection technologies from blocking them.<\/p>\n
Note, too, that scammers continue to base their malicious campaigns on the hottest topics in the news. If there’s a major event going on somewhere, a problem on a country or global scale, or some service or technology is becoming all the rage, be sure that cybercriminals will seek to exploit it. For instance, the lockdown period was beset by large-scale “financial aid” scams, while last year’s upturn in cryptocurrency prices went hand in hand with numerous fraudulent investment schemes. So it pays to be vigilant online, especially when it comes to money: no matter how much you want to believe that good fortune has fallen from the sky, if something sounds too good to be true, it probably is.<\/p>\n","protected":false},"excerpt":{"rendered":"
Phishing in social networks and messengers, marketplace fraud, exploitation of Google Forms and other services: we uncover what\u2019s trending among attackers in 2022<\/p>\n","protected":false},"author":4704,"featured_media":108257,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[159],"tags":[472,459,42,723,1053,29,8,200,1052],"banners":"","hreflang":[{"hreflang":"x-default","url":"https:\/\/securelist.com\/phishing-scam-techniques-tricks\/108247\/"},{"hreflang":"ru","url":"https:\/\/securelist.ru\/phishing-scam-techniques-tricks\/106307\/"},{"hreflang":"es","url":"https:\/\/securelist.lat\/phishing-scam-techniques-tricks\/97340\/"}],"_links":{"self":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/108247"}],"collection":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/users\/4704"}],"replies":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/comments?post=108247"}],"version-history":[{"count":9,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/108247\/revisions"}],"predecessor-version":[{"id":108250,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/108247\/revisions\/108250"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/media\/108257"}],"wp:attachment":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/media?parent=108247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/categories?post=108247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/tags?post=108247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05162114\/phishing-scam-techniques-tricks-07.png\")
<\/a><\/p>\nMarketplaces act as an intermediary between the user and the seller, to some extent ensuring the security of the transaction for both parties. But their functionality is open to abuse by scammers as well. A widespread scheme on Russian marketplaces<\/a> is when the seller appears reluctant to communicate on the site and tries to move the conversation to a third-party messenger where they can send a malicious link without fear of triggering the marketplace’s built-in defenses.<\/p>\n
![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05162123\/phishing-scam-techniques-tricks-08.png\")
<\/a><\/p>\nPhishing and scam attack methods<\/h2>\nTo carry out attacks, cybercriminals employ a wide range of technical and psychological tricks to dupe as many users as possible while minimizing the risk of detection.<\/p>\n
Below are the main phishing and scam techniques used in 2022.<\/p>\n
Spoofing<\/h3>\nTo increase the victim’s trust in a fake resource, scammers often try to make it as similar as possible to the original. This technique is known as spoofing. In the context of website spoofing, there are two main types:<\/p>\n
\n- Domain spoofing, when attackers fake a website domain to fool users,<\/li>\n
- Content spoofing, when they mimic the appearance of a legitimate site.<\/li>\n<\/ul>\n
It’s common for attacks to deploy both of these.<\/p>\n
Domain spoofing<\/u> involves registering a domain similar to that of the target organization. Phishers are careful to choose domains that don’t look suspicious to victims. Domain spoofing can be divided into three categories:<\/p>\n
\n- Typosquatting is the use of the original domain name with typos commonly made by users when inputting the URL, such as missing or extra characters, or letters in the wrong order.<\/li>\n<\/ul>\n
\n- Combosquatting is the use of additional words, often related to authorization or online security, in a domain name similar to that of the brand whose users are the target. For example, words like “login”, “secure”, “account”, “verify”, and so on.<\/li>\n<\/ul>\n
The word “account” in a domain name alongside the name of a bank<\/em><\/p>\n
\n- Internationalized domain name (IDN) homograph attacks work by using Unicode characters that closely resemble letters in the Latin alphabet. For example, the most commonly used Cyrillic letters in such attacks are a, c, e, o, p, x, y, because they look identical to Latin a, c, e, o, p, x, y.<\/li>\n<\/ul>\n
Content spoofing<\/u> is used to fake the appearance of a legitimate site. Here, the following methods can be singled out:<\/p>\n
\n- Legal iFrame Background is when an iFrame is used to load a legitimate site onto a rogue one, on top of which a phishing form is overlaid.<\/li>\n<\/ul>\n
Legitimate site serving as a background for a phishing form<\/em><\/p>\n
\n- HTML spoofing is the visual imitation of a legitimate site by, among other things, partially copying its style and HTML code. Scammers often use software for creating mirror sites, such as HTTrack and Website Downloader.<\/li>\n
<\/u><\/p>\n
Comment in the HTML code of a phishing page indicating that HTTrack was used<\/em><\/p>\n
Website hacking<\/h3>\nSometimes it’s easier for scammers to hack others’ sites to host malicious content than to create their own from scratch. Such phishing pages tend to be short-lived, because the site owners quickly detect and remove scam content, as well as regularly patch holes and vulnerabilities in their infrastructure. That said, if cybercriminals break into an abandoned site, phishing pages hosted there can survive a long time<\/a>. Phishers can exploit compromised sites in several ways:<\/p>\n
\n- iFrame Injection is when a login form or other part of a phishing page is inserted through an iFrame. Whereas the Legal iFrame Background method involves the use of an iFrame with a legitimate website as the background for a phishing form, in the case of iFrame Injection the URL of the page is legitimate, while the iFrame contains a phishing form, whose background is most often homemade content using brand logos.<\/li>\n<\/ul>\n
Login form created using an iFrame on a hacked site<\/em><\/p>\n
\n- Subfolder Hijacking is the partial hacking of a site to gain access to its subdirectories to place fraudulent content there. Such attacks can either use existing directories on the legitimate site or create new ones.<\/li>\n<\/ul>\n
Home page of a hacked site that looks normal<\/em><\/p>\n
Phishing page placed in a subdirectory of a hacked site<\/em><\/p>\n
\n- Site Swapping is the complete replacement of a legitimate site with a phishing one. The original content is usually removed.<\/li>\n<\/ul>\n
Using legitimate services<\/h3>\nSome internet scammers, instead of bothering to create or hack sites, prefer to exploit the features of services trusted by users. As such, forms for creating online surveys and collecting data (Google Forms, MS Forms, HubSpot Form Builder, Typeform, Zoho Forms, etc.) are very often used to perform an attack.<\/p>\n
For example, in the screenshot below, scammers under the guise of technical support for a popular cryptowallet use a Google form to coax identification data out of users, such as e-mail address and secret phrase.<\/p>\n
Fraudsters try to finagle confidential data through Google Forms<\/em><\/p>\n
Avoiding detection<\/h3>\nScammers use various techniques to hide from detection. Some are quite effective but not so common, because they require more advanced technical know-how than many scammers possess.<\/p>\n
One method to avoid detection is obfuscation, where the user-invisible source code of a scam page is scrambled to make the attack hard to detect by automated means. We talked in detail about obfuscation methods in our post about the phishing-kit market<\/a>.<\/p>\n
\n- Use of images. If text is replaced with images of text, content engines will be unable to see and analyze the text, so users will read it.<\/li>\n
- Browser notifications. Links to scam resources can be distributed through browser notifications. Unlike e-mails and public websites, browser notifications are processed in several stages, and not all anti-phishing engines analyze them. This allows cybercriminals to bypass at least some detection technologies.<\/li>\n<\/ul>\n
\n- Pop-up windows. Scam content can open in pop-up windows on a site. Pop-up windows load later than the site’s main window, so not all anti-phishing technologies see them. In addition, pop-up windows furnish attackers with additional tools to copy the appearance of a legitimate site. In particular, cybercriminals can use the Browser-in-the-Browser method, when a pop-up window imitates a browser window with an address bar showing the URL of a legitimate site.<\/li>\n<\/ul>\n
\n- URL links randomly generated using hashes. Each victim receives a unique link, which makes it difficult to block a malicious site.<\/li>\n
- URL shorteners. Attackers can mask malicious addresses using legitimate URL shorteners, such as bit.ly.<\/li>\n<\/ul>\n
Social engineering elements<\/h3>\nCybercriminals’ tricks often target the user and not the security system’s vulnerabilities. Scammers employ their knowledge of the human psyche to deceive victims. These can be combined with technical means to achieve a devastating effect.<\/p>\n
\n- Fake CAPTCHA. Cybercriminals mimic CAPTCHA technology on scam sites to persuade victims to perform certain actions.<\/li>\n<\/ul>\n
\n- User-Related Dynamic Content. The page content changes depending on the user and their data, such as e-mail address: to fake the domain, images are downloaded from the user’s mail and inserted into the phishing page.<\/li>\n<\/ul>\n
Attackers use the victim’s mail domain to create content on a scam site<\/em><\/p>\n
\n- Intimidation and threats. Cybercriminals can intimidate victims to make them panic and act rashly. For example, they may threaten legal action and demand payment of a “fine” for the victim to be left in peace. Attackers can also threaten to block the victim’s account to force them to click a phishing link.<\/li>\n<\/ul>\n
\n- Attackers give victims a limited time window to respond to their message in one way or another to make them act rashly.<\/li>\n<\/ul>\n
Scam site demands urgent payment of “COVID-19-related expenses” for delivery of a parcel<\/em><\/p>\n
\n- An appeal to pity. Cybercriminals try to arouse people’s sense of pity to get them to part with their cash.<\/li>\n
- Lucrative offers. Scammers tempt victims with lip-smacking offers that are hard to refuse.<\/li>\n<\/ul>\n
Cybercriminals lure the user with the chance to win an Amazon gift card<\/em><\/p>\n
Conclusion<\/h2>\nMost users today are more or less aware of the current web threats. Many have either experienced internet scams themselves, or know about them from the news or other sources, making it harder for attackers to dupe victims and so requiring the use of ever more sophisticated methods. Instead of slapdash phishing and scam sites, high-quality fakes are becoming increasingly common. This includes mimicking a browser window with a legitimate URL in a pop-up window, as well as phishing pages with a legitimate site in the background, loaded via an iFrame. We’ve also seen elements of targeted attacks in phishing and scams, such as downloading content related to the target’s mail domain or using data got from large-scale leaks to make contact with potential victims.<\/p>\n
At the same time, vishing is on the rise, because it’s easier to apply pressure over the phone, giving the victim no time to mull things over. In addition, cybercriminals use other available communication channels: e-mail, popular messengers, social networks, marketplaces.<\/p>\n
To implement attacks, they employ a variety of techniques, such as spoofing, social engineering, site hacking, and code and content hiding. Alongside this, detection avoidance methods also continue to evolve. Attackers are increasingly using one-time generated links with hashes to prevent web threat detection technologies from blocking them.<\/p>\n
Note, too, that scammers continue to base their malicious campaigns on the hottest topics in the news. If there’s a major event going on somewhere, a problem on a country or global scale, or some service or technology is becoming all the rage, be sure that cybercriminals will seek to exploit it. For instance, the lockdown period was beset by large-scale “financial aid” scams, while last year’s upturn in cryptocurrency prices went hand in hand with numerous fraudulent investment schemes. So it pays to be vigilant online, especially when it comes to money: no matter how much you want to believe that good fortune has fallen from the sky, if something sounds too good to be true, it probably is.<\/p>\n","protected":false},"excerpt":{"rendered":"
Phishing in social networks and messengers, marketplace fraud, exploitation of Google Forms and other services: we uncover what\u2019s trending among attackers in 2022<\/p>\n","protected":false},"author":4704,"featured_media":108257,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[159],"tags":[472,459,42,723,1053,29,8,200,1052],"banners":"","hreflang":[{"hreflang":"x-default","url":"https:\/\/securelist.com\/phishing-scam-techniques-tricks\/108247\/"},{"hreflang":"ru","url":"https:\/\/securelist.ru\/phishing-scam-techniques-tricks\/106307\/"},{"hreflang":"es","url":"https:\/\/securelist.lat\/phishing-scam-techniques-tricks\/97340\/"}],"_links":{"self":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/108247"}],"collection":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/users\/4704"}],"replies":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/comments?post=108247"}],"version-history":[{"count":9,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/108247\/revisions"}],"predecessor-version":[{"id":108250,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/108247\/revisions\/108250"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/media\/108257"}],"wp:attachment":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/media?parent=108247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/categories?post=108247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/tags?post=108247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
To increase the victim’s trust in a fake resource, scammers often try to make it as similar as possible to the original. This technique is known as spoofing. In the context of website spoofing, there are two main types:<\/p>\n
- \n
- Domain spoofing, when attackers fake a website domain to fool users,<\/li>\n
- Content spoofing, when they mimic the appearance of a legitimate site.<\/li>\n<\/ul>\n
It’s common for attacks to deploy both of these.<\/p>\n
Domain spoofing<\/u> involves registering a domain similar to that of the target organization. Phishers are careful to choose domains that don’t look suspicious to victims. Domain spoofing can be divided into three categories:<\/p>\n
- \n
- Typosquatting is the use of the original domain name with typos commonly made by users when inputting the URL, such as missing or extra characters, or letters in the wrong order.<\/li>\n<\/ul>\n
- \n
- Combosquatting is the use of additional words, often related to authorization or online security, in a domain name similar to that of the brand whose users are the target. For example, words like “login”, “secure”, “account”, “verify”, and so on.<\/li>\n<\/ul>\n
The word “account” in a domain name alongside the name of a bank<\/em><\/p>\n
- \n
- Internationalized domain name (IDN) homograph attacks work by using Unicode characters that closely resemble letters in the Latin alphabet. For example, the most commonly used Cyrillic letters in such attacks are a, c, e, o, p, x, y, because they look identical to Latin a, c, e, o, p, x, y.<\/li>\n<\/ul>\n
Content spoofing<\/u> is used to fake the appearance of a legitimate site. Here, the following methods can be singled out:<\/p>\n
- \n
- Legal iFrame Background is when an iFrame is used to load a legitimate site onto a rogue one, on top of which a phishing form is overlaid.<\/li>\n<\/ul>\n
Legitimate site serving as a background for a phishing form<\/em><\/p>\n
- \n
- HTML spoofing is the visual imitation of a legitimate site by, among other things, partially copying its style and HTML code. Scammers often use software for creating mirror sites, such as HTTrack and Website Downloader.<\/li>\n
<\/u><\/p>\n
Comment in the HTML code of a phishing page indicating that HTTrack was used<\/em><\/p>\n
Website hacking<\/h3>\n
Sometimes it’s easier for scammers to hack others’ sites to host malicious content than to create their own from scratch. Such phishing pages tend to be short-lived, because the site owners quickly detect and remove scam content, as well as regularly patch holes and vulnerabilities in their infrastructure. That said, if cybercriminals break into an abandoned site, phishing pages hosted there can survive a long time<\/a>. Phishers can exploit compromised sites in several ways:<\/p>\n
- \n
- iFrame Injection is when a login form or other part of a phishing page is inserted through an iFrame. Whereas the Legal iFrame Background method involves the use of an iFrame with a legitimate website as the background for a phishing form, in the case of iFrame Injection the URL of the page is legitimate, while the iFrame contains a phishing form, whose background is most often homemade content using brand logos.<\/li>\n<\/ul>\n
Login form created using an iFrame on a hacked site<\/em><\/p>\n
- \n
- Subfolder Hijacking is the partial hacking of a site to gain access to its subdirectories to place fraudulent content there. Such attacks can either use existing directories on the legitimate site or create new ones.<\/li>\n<\/ul>\n
Home page of a hacked site that looks normal<\/em><\/p>\n
Phishing page placed in a subdirectory of a hacked site<\/em><\/p>\n
- \n
- Site Swapping is the complete replacement of a legitimate site with a phishing one. The original content is usually removed.<\/li>\n<\/ul>\n
Using legitimate services<\/h3>\n
Some internet scammers, instead of bothering to create or hack sites, prefer to exploit the features of services trusted by users. As such, forms for creating online surveys and collecting data (Google Forms, MS Forms, HubSpot Form Builder, Typeform, Zoho Forms, etc.) are very often used to perform an attack.<\/p>\n
For example, in the screenshot below, scammers under the guise of technical support for a popular cryptowallet use a Google form to coax identification data out of users, such as e-mail address and secret phrase.<\/p>\n
Fraudsters try to finagle confidential data through Google Forms<\/em><\/p>\n
- Site Swapping is the complete replacement of a legitimate site with a phishing one. The original content is usually removed.<\/li>\n<\/ul>\n
- Subfolder Hijacking is the partial hacking of a site to gain access to its subdirectories to place fraudulent content there. Such attacks can either use existing directories on the legitimate site or create new ones.<\/li>\n<\/ul>\n
Avoiding detection<\/h3>\n
Scammers use various techniques to hide from detection. Some are quite effective but not so common, because they require more advanced technical know-how than many scammers possess.<\/p>\n
One method to avoid detection is obfuscation, where the user-invisible source code of a scam page is scrambled to make the attack hard to detect by automated means. We talked in detail about obfuscation methods in our post about the phishing-kit market<\/a>.<\/p>\n
- \n
- Use of images. If text is replaced with images of text, content engines will be unable to see and analyze the text, so users will read it.<\/li>\n
- Browser notifications. Links to scam resources can be distributed through browser notifications. Unlike e-mails and public websites, browser notifications are processed in several stages, and not all anti-phishing engines analyze them. This allows cybercriminals to bypass at least some detection technologies.<\/li>\n<\/ul>\n
- \n
- Pop-up windows. Scam content can open in pop-up windows on a site. Pop-up windows load later than the site’s main window, so not all anti-phishing technologies see them. In addition, pop-up windows furnish attackers with additional tools to copy the appearance of a legitimate site. In particular, cybercriminals can use the Browser-in-the-Browser method, when a pop-up window imitates a browser window with an address bar showing the URL of a legitimate site.<\/li>\n<\/ul>\n
- \n
- URL links randomly generated using hashes. Each victim receives a unique link, which makes it difficult to block a malicious site.<\/li>\n
- URL shorteners. Attackers can mask malicious addresses using legitimate URL shorteners, such as bit.ly.<\/li>\n<\/ul>\n
Social engineering elements<\/h3>\n
Cybercriminals’ tricks often target the user and not the security system’s vulnerabilities. Scammers employ their knowledge of the human psyche to deceive victims. These can be combined with technical means to achieve a devastating effect.<\/p>\n
- \n
- Fake CAPTCHA. Cybercriminals mimic CAPTCHA technology on scam sites to persuade victims to perform certain actions.<\/li>\n<\/ul>\n
- \n
- User-Related Dynamic Content. The page content changes depending on the user and their data, such as e-mail address: to fake the domain, images are downloaded from the user’s mail and inserted into the phishing page.<\/li>\n<\/ul>\n
Attackers use the victim’s mail domain to create content on a scam site<\/em><\/p>\n
- \n
- Intimidation and threats. Cybercriminals can intimidate victims to make them panic and act rashly. For example, they may threaten legal action and demand payment of a “fine” for the victim to be left in peace. Attackers can also threaten to block the victim’s account to force them to click a phishing link.<\/li>\n<\/ul>\n
- \n
- Attackers give victims a limited time window to respond to their message in one way or another to make them act rashly.<\/li>\n<\/ul>\n
Scam site demands urgent payment of “COVID-19-related expenses” for delivery of a parcel<\/em><\/p>\n
- \n
- An appeal to pity. Cybercriminals try to arouse people’s sense of pity to get them to part with their cash.<\/li>\n
- Lucrative offers. Scammers tempt victims with lip-smacking offers that are hard to refuse.<\/li>\n<\/ul>\n
Cybercriminals lure the user with the chance to win an Amazon gift card<\/em><\/p>\n
Conclusion<\/h2>\n
Most users today are more or less aware of the current web threats. Many have either experienced internet scams themselves, or know about them from the news or other sources, making it harder for attackers to dupe victims and so requiring the use of ever more sophisticated methods. Instead of slapdash phishing and scam sites, high-quality fakes are becoming increasingly common. This includes mimicking a browser window with a legitimate URL in a pop-up window, as well as phishing pages with a legitimate site in the background, loaded via an iFrame. We’ve also seen elements of targeted attacks in phishing and scams, such as downloading content related to the target’s mail domain or using data got from large-scale leaks to make contact with potential victims.<\/p>\n
At the same time, vishing is on the rise, because it’s easier to apply pressure over the phone, giving the victim no time to mull things over. In addition, cybercriminals use other available communication channels: e-mail, popular messengers, social networks, marketplaces.<\/p>\n
To implement attacks, they employ a variety of techniques, such as spoofing, social engineering, site hacking, and code and content hiding. Alongside this, detection avoidance methods also continue to evolve. Attackers are increasingly using one-time generated links with hashes to prevent web threat detection technologies from blocking them.<\/p>\n
Note, too, that scammers continue to base their malicious campaigns on the hottest topics in the news. If there’s a major event going on somewhere, a problem on a country or global scale, or some service or technology is becoming all the rage, be sure that cybercriminals will seek to exploit it. For instance, the lockdown period was beset by large-scale “financial aid” scams, while last year’s upturn in cryptocurrency prices went hand in hand with numerous fraudulent investment schemes. So it pays to be vigilant online, especially when it comes to money: no matter how much you want to believe that good fortune has fallen from the sky, if something sounds too good to be true, it probably is.<\/p>\n","protected":false},"excerpt":{"rendered":"
Phishing in social networks and messengers, marketplace fraud, exploitation of Google Forms and other services: we uncover what\u2019s trending among attackers in 2022<\/p>\n","protected":false},"author":4704,"featured_media":108257,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[159],"tags":[472,459,42,723,1053,29,8,200,1052],"banners":"","hreflang":[{"hreflang":"x-default","url":"https:\/\/securelist.com\/phishing-scam-techniques-tricks\/108247\/"},{"hreflang":"ru","url":"https:\/\/securelist.ru\/phishing-scam-techniques-tricks\/106307\/"},{"hreflang":"es","url":"https:\/\/securelist.lat\/phishing-scam-techniques-tricks\/97340\/"}],"_links":{"self":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/108247"}],"collection":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/users\/4704"}],"replies":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/comments?post=108247"}],"version-history":[{"count":9,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/108247\/revisions"}],"predecessor-version":[{"id":108250,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/108247\/revisions\/108250"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/media\/108257"}],"wp:attachment":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/media?parent=108247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/categories?post=108247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/tags?post=108247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Attackers give victims a limited time window to respond to their message in one way or another to make them act rashly.<\/li>\n<\/ul>\n
- Intimidation and threats. Cybercriminals can intimidate victims to make them panic and act rashly. For example, they may threaten legal action and demand payment of a “fine” for the victim to be left in peace. Attackers can also threaten to block the victim’s account to force them to click a phishing link.<\/li>\n<\/ul>\n
- User-Related Dynamic Content. The page content changes depending on the user and their data, such as e-mail address: to fake the domain, images are downloaded from the user’s mail and inserted into the phishing page.<\/li>\n<\/ul>\n
- Fake CAPTCHA. Cybercriminals mimic CAPTCHA technology on scam sites to persuade victims to perform certain actions.<\/li>\n<\/ul>\n
- Pop-up windows. Scam content can open in pop-up windows on a site. Pop-up windows load later than the site’s main window, so not all anti-phishing technologies see them. In addition, pop-up windows furnish attackers with additional tools to copy the appearance of a legitimate site. In particular, cybercriminals can use the Browser-in-the-Browser method, when a pop-up window imitates a browser window with an address bar showing the URL of a legitimate site.<\/li>\n<\/ul>\n
- iFrame Injection is when a login form or other part of a phishing page is inserted through an iFrame. Whereas the Legal iFrame Background method involves the use of an iFrame with a legitimate website as the background for a phishing form, in the case of iFrame Injection the URL of the page is legitimate, while the iFrame contains a phishing form, whose background is most often homemade content using brand logos.<\/li>\n<\/ul>\n
- HTML spoofing is the visual imitation of a legitimate site by, among other things, partially copying its style and HTML code. Scammers often use software for creating mirror sites, such as HTTrack and Website Downloader.<\/li>\n
- Legal iFrame Background is when an iFrame is used to load a legitimate site onto a rogue one, on top of which a phishing form is overlaid.<\/li>\n<\/ul>\n
- Internationalized domain name (IDN) homograph attacks work by using Unicode characters that closely resemble letters in the Latin alphabet. For example, the most commonly used Cyrillic letters in such attacks are a, c, e, o, p, x, y, because they look identical to Latin a, c, e, o, p, x, y.<\/li>\n<\/ul>\n
- Combosquatting is the use of additional words, often related to authorization or online security, in a domain name similar to that of the brand whose users are the target. For example, words like “login”, “secure”, “account”, “verify”, and so on.<\/li>\n<\/ul>\n
- Typosquatting is the use of the original domain name with typos commonly made by users when inputting the URL, such as missing or extra characters, or letters in the wrong order.<\/li>\n<\/ul>\n
![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05161812\/phishing-scam-techniques-tricks-09.png\")
<\/a><\/p>\n![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05161821\/phishing-scam-techniques-tricks-10.png\")
<\/a><\/p>\n![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05161829\/phishing-scam-techniques-tricks-11.png\")
<\/a><\/p>\n![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05161839\/phishing-scam-techniques-tricks-12.png\")
<\/a><\/p>\n![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05161845\/phishing-scam-techniques-tricks-13.png\")
<\/a><\/p>\n![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05161854\/phishing-scam-techniques-tricks-14.png\")
<\/a><\/p>\n![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05161901\/phishing-scam-techniques-tricks-15.png\")
<\/a><\/p>\n![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05161907\/phishing-scam-techniques-tricks-16.png\")
<\/a><\/p>\n![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05161915\/phishing-scam-techniques-tricks-17.png\")
<\/a><\/p>\n![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05161922\/phishing-scam-techniques-tricks-18.png\")
<\/a><\/p>\n![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05161933\/phishing-scam-techniques-tricks-19.png\")
<\/a><\/p>\n![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05161942\/phishing-scam-techniques-tricks-20.png\")
<\/a><\/p>\n![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05161951\/phishing-scam-techniques-tricks-21.png\")
<\/a><\/p>\n![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/12\/05162001\/phishing-scam-techniques-tricks-22.png\")
<\/a><\/p>\n