Spam and phishing in 2022
Securelist (https://securelist.com/spam-phishing-scam-report-2022/108692/), published Thu, 16 Feb 2023

Figures of the year

In 2022:

  • 48.63% of all emails around the world and 52.78% of all emails in the Russian segment of the internet were spam
  • As much as 29.82% of all spam emails originated in Russia
  • Kaspersky Mail Anti-Virus blocked 166,187,118 malicious email attachments
  • Our Anti-Phishing system thwarted 507,851,735 attempts to follow phishing links
  • 378,496 attempts to follow phishing links were associated with Telegram account hijacking

Phishing in 2022

Last year’s resonant global events

The year 2022 saw cybercrooks try to profit from new film releases and premieres just as they always have. The bait included the most awaited and talked-about releases: the new season of Stranger Things, the new Batman movie, and the Oscar nominees. Short-lived phishing sites often offered a chance to see the premieres before the eagerly awaited movie or television show was scheduled to hit the screen. Those who just could not wait were in for a disappointment and a waste of cash: the promises of completely free access to the new content were never true. By clicking what appeared to be a link to the movie, the visitor got to view the official trailer or a film studio logo. Several seconds into the “preview”, the stream was interrupted by an offer to buy an inexpensive subscription right there on the website to continue watching. If the movie lover entered their bank card details on the fake site, they risked paying more than the displayed amount for content that did not exist, as well as sharing their card details with the scammers.

Some websites that offered soccer fans free broadcasts of the FIFA World Cup in Qatar employed a similar scheme, but the variety of hoaxes aimed at soccer fans proved wider than that used by scammers who targeted film lovers. Thus, during the World Cup a brand-new scam appeared: it invited users to win a newly released iPhone 14 by predicting match outcomes. After answering every question, the victim was told that they were almost there, but a small commission had to be paid before they could get their gadget. Of course, no prize ensued after the fee was paid.

Soccer fans chasing merchandise risked compromising their bank cards or just losing some money. Scammers created websites that offered souvenirs at low prices, including rare items that were out of stock in legitimate online stores. Those who chose to spend their money on a shady website risked never getting what they ordered.

Websites that offered tickets to the finals were another type of soccer-flavored bait. Scammers were betting on the finals typically being the most popular stage of the competition, tickets to which are often hard to get. Unlike legitimate ticket stores, the fake resellers were showing available seats in every sector even when the World Cup was almost over. The vast selection of available seats should have alarmed visitors: real tickets would have been largely gone.

Fake donation sites started popping up after the Ukraine crisis broke out in 2022, pretending to accept money as aid to Ukraine. These sites referenced public figures and humanitarian groups, offering to accept cash in cryptocurrency, something that should have raised a red flag in itself.

The pandemic

The COVID-19 theme had lost relevance by late 2022, as pandemic restrictions had been lifted in most countries. At the beginning of the year, we still observed phishing attacks that used the themes of infection and prevention as the bait. For example, one website offered users a COVID vaccination certificate in exchange for their British National Health Service (NHS) account credentials. Others offered the coveted Green Pass without vaccination.

Scammers abused legitimate survey services by creating polls in the name of various organizations to profit from victims’ personal, including sensitive, data. In another COVID-themed scheme, the con artists introduced themselves as the Direct Relief charity, which helps to improve the quality of life and healthcare in poorer regions. Visitors were invited to fill out a form to be eligible for $750 per week in aid for twenty-six weeks. The survey page said the “charity” had found the victim’s telephone number in a database of individuals affected by COVID-19. Those who wished to receive the “aid” were asked to state their full name, contact details, date of birth, social security and driver’s license numbers, gender, and current employer, and to attach a scanned copy of their driver’s license. To lend an air of authenticity and to motivate the victim to enter valid information, the swindlers warned that the victim could be prosecuted for providing false information. The scheme likely aimed at identity theft: the illegal use of others’ personal details for profit. The cybercrooks might also use the data to contact their victims later, staging a more convincing swindle.

Crypto phishing and crypto scams

The unabated popularity of cryptocurrency saw crypto scammers’ interest in wallet owners’ accounts growing, despite the fact that rates continued to drop throughout the year. Cybercriminals chased seed phrases, used for recovering access to virtual funds. By getting the user’s secret phrase, cybercriminals could get access to their cryptocurrency balance.

In a typical internet hoax manner, crypto scam sites invited visitors to get rich quick by paying a small fee. Unlike common easy-money scams, these websites asked for payments in cryptocurrency — which they promised to give away and which they were trying to steal. The “giveaways” were timed to coincide with events that were directly or indirectly associated with cryptocurrency. Thus, one of the fake sites promised prizes on the occasion of Nvidia’s thirtieth anniversary (the company is a major vendor of graphics processing units, which are sometimes used for crypto mining). Promotion of cryptocurrency use was another pretext for the “giveaways”. Users were invited to deposit up to 100 cryptocurrency units for a promise to refund two times that amount, purportedly to speed up digital currency adoption. In reality, the scheme worked the way any other internet hoax would: the self-professed altruists went off the radar once they received the deposit.

Compensation, bonus, and paid survey scams

Bonuses and compensations are hard to deny in times of crisis and instability, but it is worth keeping in mind that “financial assistance” is frequently promised by con artists to swindle you out of your money.

“Promotional campaigns by major banks” were a popular bait in 2022. Visitors to a fraudulent web page were invited to receive a one-time payment or to take a service quality survey for a fee. Unlike the prizes offered in the aforementioned crypto schemes, these fees were smaller: an equivalent of $30–40. The cybercriminals used an array of techniques to lull victims into a false sense of security: company logos, assurances that the campaigns were legit, as well as detailed, lifelike descriptions of the offer. Similar “campaigns” were staged in the name of other types of organizations, for example, the Polish finance ministry.

Aid as distributed by various governmental and nongovernmental organizations remained a popular fraud theme in 2022. For example, in Muslim countries, scammers promised to send charity packages, purportedly under a “Ramadan Relief” program that aimed at helping low-income families during the Ramadan fast. The fasting period typically sees higher prices for food and household products, while those observing the fast buy more than they normally do and may be faced with a shortage of money. Legitimate charities, such as WF-AID, do operate Ramadan relief programs, and judging by the screenshot below, the fraudsters were pretending to represent that organization. An eye-catching picture of the organization’s logo and huge boxes was accompanied by a list of foodstuffs included in the aid package, with positive “recipient feedback” posted below the message. The victim was asked to make sure that their name was on the list of recipients, so they could get a package. This required providing personal data on the website and sending a link to the scam site to instant messaging contacts—nothing extraordinary for hoaxes like this. This way, the scammers both populate their databases and have victims spread links to their malicious resources for them. In addition to that, they might ask the victim to cover the “shipping costs”.

Growing utility rates and an increase in the price of natural resources have prompted several governments to start discussing compensations for the population. Payout notices could arrive by mail, email, or as a text message. Cybercriminals attempted to take advantage of the situation by creating web pages that mimicked government websites, promising cash for covering utility payments or compensation of utility expenses. Visitors were occasionally asked to provide personal details under the pretext of checking that they were eligible, or simply to fill out a questionnaire. In Britain, con artists posing as a government authority promised to compensate electricity costs. The description of the one-time payout was copied from the official website of the authority, which did offer that type of compensation. After completing the questionnaire, the victim was asked to specify the electric utility whose services they were using and enter the details of the bank card linked to their account with the utility. The promise of £400 was supposed to make the victim drop their guard and share their personal information.

In Singapore, scammers offered a refund of water supply costs, purportedly because of double billing. An energy or resource crisis was not used as a pretext in this particular case, but refunds were still offered in the name of the water supply authority.

Fake online stores and large vendor phishing

We see fake websites that imitate large online stores and marketplaces year after year, and 2022 was no exception. Phishing attacks targeted both the customers of globally known retailers and regional players. An attack often started with the victim receiving a link to a certain product supposedly offered at an attractive price, by email, in an instant messaging app, or on a social network. Those who fell for the trick could lose access to their accounts, have their bank card details stolen, or waste the money they wanted to spend on the dirt-cheap item.

“Insider information” about “private sales” was also used as a lure. Thus, a web page that copied the appearance of a Russian marketplace promised discounts of up to 90% on all items listed on it. The page design did look credible, with the only potential red flags being the really low prices and the URL in the address bar not matching the official one.

Many large vendors, notably in the home appliances segment, announced in early spring that they would be pulling out of Russia, which caused a spike in demand. This was reflected in the threat landscape, with fake online stores offering home appliances popping up all over the Russian segment of the internet (also called Runet). Large retailers being out of stock, combined with unbelievably low prices, made these offers especially appealing. The risk associated with making a purchase was to lose a substantial amount of money and never to receive what was ordered.

Hijacking of social media accounts

Users of social media have increasingly focused on privacy lately. That said, curiosity is hard to contain: people want to check out who has been following them, but do so without the other party knowing. Cybercriminals who were after their account credentials offered victims a way to have their cake and eat it too, in the form of some new social media capability. A fake Facebook Messenger page promised to install an update that could change the user’s appearance and voice during video calls, and track who has been viewing their profile, among other features. To get the “update”, the victim was asked to enter their account credentials, which the scammers immediately took over.

Many Instagram users dream about the Blue Badge, which stands for verified account and is typically reserved for large companies or media personalities. Cybercriminals decided to take advantage of that exclusivity, creating phishing pages that assured visitors their verified status had been approved and all they needed to do was to enter their account logins and passwords.

Russia blocked access to both Facebook and Instagram in March 2022, which led to the popularity of Russian social networks and Telegram skyrocketing. This increased usage meant the users’ risk of losing personal data was now higher, too. “Well-wishers” who operated scam sites offered to check if Russian social media contained any embarrassing materials on the victim. The scam operators told the users it was possible to find damaging information about every third user of a social network by running a search. If the user agreed to have a search run for them, they were told that a certain amount of dirty linen indeed had been found. In reality, there was no search — the scammers simply stole the credentials they requested for the check.

One of the added risks of social media phishing is scammers getting access to both the social media account itself and any linked services.

The Telegram Premium status provides a range of benefits, from an ad-free experience to an ability to block incoming voice messages, but the subscription costs money. Scammers offered to “test” a Premium subscription free of charge or simply promised to give one for free if the victim entered their Telegram user name and password or a verification code sent by the service, which was exactly what the cybercrooks were after.

One more phishing campaign targeting Telegram users was arranged to coincide with the New Year’s celebration. Scammers created a page on the telegra.ph blogging platform that posted a gallery of children’s drawings, encouraging users to vote for their favorites. Scammers sent a link to that page from hacked accounts, asking users to vote for their friends’ kids’ works. Those who took the bait were directed to a fake page with a login form on it. The cybercriminals were betting on users going straight to voting without checking the authenticity of the drawings, which had been copied from various past years’ competition pages, as requests to vote for one’s friends’ kids are common before public holidays.

The Telegram auction platform named Fragment went live in October 2022: it was selling unique usernames. You can become a user by linking your Telegram account or TON wallet. Scammers who were after those account details sent out links to fake Fragment pages. A visitor who tried to buy a username from the fake website was requested to log in. If the victim entered their credentials, the scam operators immediately grabbed those.

Spam in 2022

The pandemic

Unlike phishing, COVID-themed spam is still a thing. Most of that is “Nigerian-type” scams: millionaires dying from COVID bequeathing their money to treatment and prevention efforts, and to improve the lives of those who have recovered, or Mark Zuckerberg running a special COVID lottery where one can win a million euros even if they are not a Facebook user. Recipients are told that they could claim some IMF money left unallocated because of the pandemic. Others are offered hefty amounts under an anti-recession assistance program.

The amount of spam exploiting the coronavirus theme in some way dropped noticeably during 2022: at the beginning of the year, we were blocking a million of these emails per month, but by year-end the figure had fallen to a third of that.

Contact form spam

The year 2022 saw cybercriminals abuse contact forms for spam more frequently. In a typical scheme of this kind, scammers find websites with registration, contact, or support request forms that can be submitted without logging in and that do not validate the data entered. In some cases, they insert a scam message with a hyperlink in the login or name fields; in others, they add a longer text with images to the message field. The attackers then enter victims’ email addresses in the contact fields and submit the form. On receiving a message via a registration or contact form, most websites reply to the user’s email address that their request was received and is being processed, their account has been created, and so on. As a result, the person gets an automated reply from an official address of a legitimate organization, containing unsolicited advertisements or a scam link.
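A server-side screen for the contact-form abuse described above, written as an added example (not code from the original report). It rejects links or markup in the short identifier fields and keeps the auto-reply free of user-supplied text; the field names and the sample submissions are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Patterns for content that has no business in a name/login field of a contact form.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
MARKUP_RE = re.compile(r"<\s*/?\s*(?:a|img|script|iframe|div|span)\b", re.IGNORECASE)

# Fields that should hold a short identifier, never a pitch or a link (assumed names).
SHORT_FIELDS = ("name", "login", "company", "subject")
MAX_SHORT_LEN = 64


@dataclass
class Verdict:
    accept: bool
    reasons: list[str] = field(default_factory=list)


def screen_contact_submission(fields: dict[str, str]) -> Verdict:
    """Return a Verdict for a contact/registration form submission.

    Rejects the payload shapes the report describes: links or markup in the
    name/login fields, and long image-laden texts in the message field.
    """
    reasons: list[str] = []
    for key in SHORT_FIELDS:
        value = fields.get(key, "")
        if URL_RE.search(value):
            reasons.append(f"{key}: contains a URL")
        if MARKUP_RE.search(value):
            reasons.append(f"{key}: contains HTML markup")
        if len(value) > MAX_SHORT_LEN:
            reasons.append(f"{key}: unusually long ({len(value)} chars)")
    message = fields.get("message", "")
    if MARKUP_RE.search(message):
        reasons.append("message: contains HTML/image markup")
    if len(URL_RE.findall(message)) > 1:
        reasons.append("message: contains multiple URLs")
    return Verdict(accept=not reasons, reasons=reasons)


def build_auto_reply(fields: dict[str, str], ticket_id: str) -> str:
    """Acknowledge a submission without echoing any user-supplied text.

    The auto-reply goes to whatever address the submitter typed, so quoting
    the name or message back would deliver the spammer's text from your domain.
    """
    return (
        f"Subject: Request {ticket_id} received\n\n"
        f"Thank you for contacting us. Your request has been registered as {ticket_id} "
        "and will be processed shortly. If you did not submit this request, ignore this message."
    )


# Constructed samples (not taken from the report); the link is a placeholder.
SPAM_SUBMISSION = {
    "name": "VAT refund approved: claim $4200 at https://refund.example.test/claim",
    "email": "victim@example.test",
    "message": "",
}
LEGIT_SUBMISSION = {
    "name": "Jane Doe",
    "email": "jane@example.test",
    "message": "Could you send a quote for 200 units of item 4711?",
}

if __name__ == "__main__":
    for sample in (SPAM_SUBMISSION, LEGIT_SUBMISSION):
        verdict = screen_contact_submission(sample)
        print("accept" if verdict.accept else "reject", verdict.reasons)
    print(build_auto_reply(LEGIT_SUBMISSION, "REQ-0001"))
```

Requiring a login or a CAPTCHA before the form can be submitted, which the report notes the abused sites lacked, removes most of this traffic before the screen runs.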

Most scam messages offer a compensation or prize to the recipient. For example, a spam email targeting Russian users promised an equivalent of $190–4200 in VAT refunds. To get the money, the victim was invited to open the link in the message. This scheme is a classic: a linked web page requests that the user pay a commission of under a dozen dollars, which is insignificant in comparison to the promised refund. We observed many varieties of contact form money scams: from fuel cards to offers to make money on some online platform.

Scammers took advantage of forms on legitimate sites all around the world. Where spam email in Russian typically played on “prizes” or “earning money”, messages in other languages, in addition to offering “prizes”, encouraged users to visit “dating sites” — in fact, populated by bots — where the victims would no doubt be asked to pay for a premium account.

We blocked upward of a million scam emails sent via legitimate forms in 2022.

Blackmail in the name of law enforcement agencies

Extortion spam is nothing new. In such emails, attackers usually claim that the recipient has broken the law and demand money. In 2022, these mailings not only continued, but also evolved. For example, there was virtually no text in the messages: the user was either asked to open an attached PDF file to find out more, or they received threats in the form of an image with text. In addition, the geography of mailings widened in 2022.

The essence of the message, as in similar emails sent earlier, was that a criminal case was going to be opened against the recipient due to allegedly visiting sites containing child pornography.

To avoid serious consequences, the attackers urged the victim to respond as soon as possible to the sender and “settle the matter”. Most likely, the scammers would ask for a certain amount of money to be paid in further correspondence for the victim’s name to be removed from the “criminal case”. In 2022, we blocked over 100,000 blackmail emails in various countries and languages, including French, Spanish, English, German, Russian and Serbian.

Exploiting the news

Spammers constantly use major world events in their fraudulent schemes. The 2022 geopolitical crisis was no exception. Throughout the year, we saw mailings aimed at English-speaking users proposing transferring money, usually to a Bitcoin wallet, to help the victims of the conflict in Ukraine. Scammers often demand the transfer of money to Bitcoin wallets, as it is more difficult to trace the recipient through cryptocurrency transactions than through bank transfers. Blackmail demanding payment in cryptocurrency used to prevail in spam. Now, attackers have started collecting Bitcoin for charity.

The news agenda was also used in other scam mailings. For example, in early July, our solutions blocked 300,000 emails where fraudsters were requesting help on behalf of a Russian millionaire, who allegedly wanted to invest money and avoid sanctions. Another mailing said that the European Commission had decided to give away a fund created by Russian oligarchs, and the email recipient might be lucky to get a piece of this pie.

More and more “business offers” are appearing among spam mailings, and they exploit the current information agenda. Due to economic sanctions in 2022, enterprising businessmen offered replacements for goods and services from suppliers who left the Russian market. For example, spammers actively advertised services of a company transporting people to Russia. The email text emphasized the fact that many transport companies refused to provide such services.

There were also spam mailings where various companies offered to replace popular international software with Russian equivalents or solutions developed in third countries. In addition, there were spam propositions for intermediary services to open a company or bank account in neighboring countries, such as Armenia, as well as offers of assistance in accepting payments from foreign partners.

The shortage of printer paper in Russia in March and April 2022 spawned a wave of related ads offering paper at discount prices.

Spammers in 2022 also actively marketed their promotional mailing services as alternative advertising to unavailable promotion via platforms such as Instagram. For example, in April we blocked around a million such mailings.

Against the backdrop of sanctions and the accompanying disruption of supply chains, there has been an increase in spam offering goods and services from Chinese suppliers. In 2022, our filter blocked more than 3.5 million emails containing such offers, and the number of them was growing, from around 700,000 in the first quarter to more than a million in the fourth.

Spam with malicious attachments

Employees shifting to remote work during the pandemic and the associated growth of online communications spurred the active development of various areas of phishing, both mass and targeted. Attackers have become more active in imitating business correspondence, not only targeting HR specialists and accountants, as before the pandemic, but also employees in other departments. In 2022, we saw an evolution of malicious emails masquerading as business correspondence. Attackers actively used social engineering techniques in their emails, adding signatures with logos and information from specific organizations, creating a context appropriate to the company’s profile, and applying business language. They also actively exploited the current news agenda and mentioned real employees from the company supposedly sending the emails. Spammers faked their messages as internal company correspondence, business correspondence between different organizations, and even as notifications from government agencies.

Masking malicious emails as business correspondence has become a major trend in malicious spam in 2022. Attackers tried to convince the recipient that it was a legitimate email, such as a commercial offer, a request for the supply of equipment, or an invoice for the payment of goods. For example, throughout the year, we encountered the following scheme. Attackers gained access to real business correspondence (most likely by stealing correspondence from previously infected computers) and sent malicious files or links to all of its participants in response to the previous email. This trick makes it harder to keep track of malicious emails, and the victim is more likely to fall for it.

In most cases, either the Qbot Trojan or Emotet was loaded when the malicious document was opened. Both can be used to steal user data, collect information about the corporate network, and spread additional malware, such as ransomware. Qbot also allows attackers to access emails and steal them for further attacks.

Mailings imitating notifications from various ministries and other government organizations have become more frequent in the Runet. Emails were often designed to take into account the specific activities of the organizations they were pretending to be. The sender’s addresses copied the logic of email addresses in the relevant agencies, and the malicious attachment was disguised as some kind of specialized document, such as “key points of the meeting”. For example, malicious code was found in one of these mailings that exploited a vulnerability in the Equation Editor module, the formula editor in Microsoft Office.

The perpetrators did not ignore the news agenda. In particular, the malware was distributed under the guise of a call-up “as part of partial mobilization” or as a “new solution” to safeguard against possible threats on the internet “caused by hostile organizations”.

In the second case, the program installed on the victim’s computer was in fact a crypto-ransomware Trojan.

Two-stage spear phishing using a known phish kit

In 2022, we saw an increase in spear (or targeted) phishing attacks targeting businesses around the world. In addition to typical campaigns consisting of one stage, there were attacks in several stages. In the first email, scammers posing as a potential client asked the victim for information about its products and services. Once the victim responded to this email, the attackers launched the phishing attack proper.

Key facts:

  • Attackers use fake Dropbox pages created using a well-known phishing kit
  • The campaign targets the sales departments of manufacturers and suppliers of goods and services
  • Attackers use SMTP IP addresses and From domains provided by Microsoft Corporation and Google LLC (Gmail)

Statistics

The campaign began in April 2022, with malicious activity peaking in May, and ended by June.

Number of emails related to a two-step targeted campaign detected by Kaspersky solutions

How a phishing campaign unfolds

Attackers send an email in the name of a real trade organization requesting more information about the victim company’s products. The email text looks plausible and has no suspicious elements, such as phishing links or attachments. A sender’s email address from a free domain, like gmail.com, may raise doubts. The email on the screenshot below is sent from an address in this domain, and the company name in the From field is different from its name in the signature.

Example of the first email

It is worth noting that the use of free domains is not typical for spear phishing in the name of organizations, because such domains are rarely used in business. Most often in targeted attacks, attackers either spoof the legitimate domain of the organization they are pretending to be, or register domains similar to the original one. In addition, Google and Microsoft are pretty quick at blocking email addresses spotted sending spam. This is the most likely reason why the attackers used different addresses in the From header (where the email came from) and the Reply-To header (where the reply will go when clicking “Reply” in your email client). This means the victim responds to another address, which may be located in another free domain, such as outlook.com. The address in the Reply-To header is not used for spam, and correspondence with it is initiated by the victim, so it is less likely to be blocked quickly.
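A mail-gateway triage check for the three signals described above (free-mail From, a Reply-To in a different domain, and a From display name that does not match the signature), added here as an example rather than code from the original report. The two sample messages are constructed and use placeholder domains; the free-mail list is an assumption to extend for your environment.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Free-mail domains named in the report plus common ones (assumed list; extend as needed).
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rpartition("@")[2].lower()


def assess_inbound(raw: str) -> list[str]:
    """Return the two-stage-campaign indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    indicators: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)

    # Signal 1: a company writing from a free-mail account.
    if from_dom in FREE_MAIL_DOMAINS:
        indicators.append(f"From is a free-mail address ({from_dom})")

    # Signal 2: replies are steered to a different mailbox than the one that wrote.
    if reply_addr and reply_dom != from_dom:
        note = " (free-mail)" if reply_dom in FREE_MAIL_DOMAINS else ""
        indicators.append(f"Reply-To {reply_addr}{note} differs from From {from_addr}")

    # Signal 3: the company named in From never appears in the body/signature.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if from_name and from_name.lower() not in body.lower():
        indicators.append(f'From display name "{from_name}" not found in body/signature')
    return indicators


def needs_manual_review(raw: str) -> bool:
    """Two or more indicators: hold the thread before anyone replies or follows a link."""
    return len(assess_inbound(raw)) >= 2


# Constructed sample messages (not from the report). The first mirrors the
# pattern described: free-mail From, different free-mail Reply-To, mismatched signature.
SUSPICIOUS_EMAIL = """\
From: "Acme Trading Ltd" <acme.trading.orders@gmail.com>
Reply-To: acme.purchasing@outlook.com
To: sales@supplier.example
Subject: Request for product information
Content-Type: text/plain; charset="utf-8"

Hello,
Please send your current catalogue and price list for bulk orders.

Kind regards,
John Smith, Purchasing Manager
Globex Industrial GmbH
"""

NORMAL_EMAIL = """\
From: "Globex Industrial GmbH" <purchasing@globex-industrial.example>
To: sales@supplier.example
Subject: Request for product information
Content-Type: text/plain; charset="utf-8"

Hello,
Please send your current catalogue and price list for bulk orders.

Kind regards,
John Smith, Purchasing Manager
Globex Industrial GmbH
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("normal", NORMAL_EMAIL)):
        print(label, "-> review" if needs_manual_review(raw) else "-> pass")
        for line in assess_inbound(raw):
            print("   ", line)
```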

After victims respond to a first email, attackers send a new message, asking them to go to a file-sharing site and view a PDF file with a completed order, which can be found via the link.

An email with a phishing link

By clicking the link, the user is taken to a fake site generated by a well-known phishing kit. It is a fairly simple tool that generates phishing pages to steal credentials from specific resources. Our solutions blocked fake WeTransfer and Dropbox pages created with this kit.

A fake WeTransfer page created using the same phish kit as the target campaign sites

In the phishing campaign described above, the phishing site mimics a Dropbox page with static file images and a download button. After clicking any element of the interface, the user is taken to a fake Dropbox login page that requests valid corporate credentials.

A fake Dropbox page

Login page with a phishing form

When victims attempt to log in, their usernames and passwords are sent to https://pbkvklqksxtdrfqkbkhszgkfjntdrf[.]herokuapp[.]com/send-mail.

<form name="loginform">
  <div class="form-group">
    <label for="">Email Address</label>
    <input type="email" id="email" class="form-control" name="email" placeholder="email Address">
    <div class="email-error"></div>
  </div>
  <div class="form-group">
    <label for="">Password</label>
    <input type="password" id="password" class="form-control" name="password" placeholder="Password">
    <div class="password-error"></div>
  </div>
  <div class="form-group btn-area">
    <button class="download-btn" id="db" type="submit">Download</button>
  </div>
</form>
</div>
<script src="https://firebasestorage.googleapis.com/v0/b/linktopage-c7fd6.appspot.com/o/obfuscated.js?alt=media&amp;token=1bb73d28-53c8-4a1e-9b82-1e7d62f3826b"></script>

HTML representation of a phishing form

Victims

We have identified targets for this campaign around the world, including the following countries: Russia, Bosnia and Herzegovina, Singapore, USA, Germany, Egypt, Thailand, Turkey, Serbia, Netherlands, Jordan, Iran, Kazakhstan, Portugal, and Malaysia.

Statistics: spam

Share of spam in mail traffic

In 2022, an average of 48.63% of emails worldwide were spam, representing a 3.07 p.p. increase on 2021. Over the course of the year, however, the share of spam in global email traffic gradually declined, from 51.02% in the first quarter to 46.16% in the fourth.

Share of spam in global email traffic, 2022

The most active month in terms of spam was February 2022, with junk traffic accounting for 52.78% of all email correspondence. June was in second place (51.66%). December was the calmest: only 45.20% of emails that month were spam.

On Runet, the proportion of spam in email traffic is generally higher than worldwide. In 2022, an average of 52.44% of emails were junk mailings. At the same time, the trend for a gradual shift in ratio in favor of legitimate correspondence can also be seen. We saw the largest share of spam in Runet in the first quarter, with 54.72% of all emails, and by the fourth quarter it had dropped to 49.20%.

Proportion of spam in Runet email traffic, 2022

Even though the second quarter (53.96%) was quieter in terms of spam than the first, the most active month in the Russian segment of the internet was June (60.16%). Most likely, the share of spam in June, both in Russia and globally, was influenced by the surge in mailings with offers from Chinese factories that we observed in that month. And the quietest month in Runet was December (47.18%), the same as globally.

Countries and territories — sources of spam

In 2022, the share of spam from Russia continued to grow, from 24.77% to 29.82%. Germany (5.19%) swapped places with mainland China (14.00%), whose share increased by 5.27 percentage points. Third place is still held by the United States (10.71%).

TOP 20 countries and territories — sources of spam, 2022

The Netherlands remained in fifth place (3.70%), although its share decreased compared to 2021. Sixth and seventh places went to Japan (3.25%) and Brazil (3.18%), whose shares rose by 0.89 and 3.77 p.p., respectively. Next come the UK (2.44%), France (2.27%) and India (1.82%).

Malicious mail attachments

In 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments. That’s an increase of 18 million from the previous year. This component caused most triggers in March, May, and June 2022.

Number of Mail Anti-Virus hits, January — December 2022 (download)

The most common malicious email attachments in 2022, as in 2021, were Agensla Trojan stealers (7.14%), whose share decreased slightly. Noon spyware (4.89%) moved up to second place, and Badun Trojans (4.61%), which spread as archived electronic documents, moved down to third. Fourth place went to exploits for CVE-2018-0802 (4.33%), a vulnerability in Microsoft Equation Editor. In 2022, attackers used these significantly more often than exploits for CVE-2017-11882 (1.80%) in the same component; that vulnerability was the more widespread of the two in 2021 and has now dropped to tenth place.

TOP 10 malware families spread by email attachments in 2022 (download)

ISO Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the Guloader downloader family (2.65%), which delivers remotely controlled malware to victims' devices. They are closely followed by the Badur family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous Emotet botnet (2.52%). Law enforcement took the botnet down in early 2021, but by that fall attackers had rebuilt its infrastructure, and it was being actively distributed in 2022. More recently, Emotet has been used to deliver other malware to victims' devices, particularly ransomware. The ninth most popular family was Taskun (2.10%), which creates malicious tasks in the Task Scheduler.

TOP 10 types of malware spread by email attachments in 2022 (download)

The list of the most common malware sent via email usually corresponds to the list of families. As in 2021, attackers mostly distributed the same instances from the TOP 10 families.

Countries and territories targeted by malicious mailings

Spain remains the leader in terms of blocked malicious attachments in 2022 (8.78%), which is a slight decrease compared to 2021 (9.32%). The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%), and fourth place to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.

TOP 20 countries and territories targeted by malicious mailings, 2022 (download)

In Italy, 4.76% of all detected malicious attachments were blocked in 2022. The country is followed by Vietnam (4.43%) and Turkey (4.31%). The percentage of Mail Anti-Virus detections on computers of users from Germany (3.85%) continued to decrease. The share in the United Arab Emirates (3.41%) also decreased slightly, dropping to ninth place, while Malaysia (2.98%) remained in tenth place.

Statistics: phishing

In 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.

Map of phishing attacks

In 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices from Vietnam (17.03%). In 2021, this country was not among the TOP 10 most attacked countries and territories. Macau is in second place (13.88%), also absent from last year’s ranking. Madagascar is in third place (12.04%), which was seventh in 2021. In addition to Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) appeared at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh. Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.

TOP 10 countries and territories by share of attacked users:

Country/territory Share of attacked users*
Vietnam 17.03%
Macau 13.88%
Madagascar 12.04%
Algeria 11.05%
Ecuador 11.05%
Malawi 10.91%
Brunei 10.59%
Brazil 10.57%
Morocco 10.43%
Portugal 10.33%

* Share of users encountering phishing out of the total number of Kaspersky users in that country/territory, 2022

Top-level domains

As in previous years, the largest share of phishing pages was hosted in the COM domain zone, but that share almost halved, from 31.55% to 17.69%. The XYZ zone remained in second place (8.79%), although its share also decreased. The third most popular domain zone among attackers was FUN (7.85%), which had not previously received their attention. The zone is associated with entertainment content, which is perhaps what attracted fraudsters to it.

Most frequent top-level domains for phishing pages in 2022 (download)

The ORG (3.89%) and TOP (1.80%) zones remained in fourth and fifth places, as in 2021. In addition to these, the top ten domain zones in most demand among cybercriminals included RU (1.52%), COM.BR (1.13%), DE (0.98%), CO.UK (0.98%) and SE (0.92%).

Organizations under phishing attacks

The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.

In 2022, pages impersonating delivery services had the highest percentage of clicks on phishing links blocked by our solutions (27.38%). Online stores (15.56%), which were popular with attackers during the pandemic, occupied second place. Payment systems (10.39%) and banks (10.39%) ranked third and fourth, respectively.

Distribution of organizations targeted by phishers, by category, 2022 (download)

The share of global internet portals (8.97%) almost halved, and almost as many phishing resources targeted users of smaller web services (8.24%). Social networks (6.83%), online games (2.84%), messengers (2.02%) and financial services (1.94%) complete the TOP 10 categories of sites of interest to criminals.

Hijacking Telegram accounts

In 2022, our solutions stopped 378,496 phishing links aimed at hijacking Telegram accounts. Apart from a spike in phishing activity throughout June, when the number of blocked links exceeded 37,000, the first three quarters were relatively quiet. However, by the end of the year, the number of phishing attacks on the messenger’s users increased dramatically to 44,700 in October, 83,100 in November and 125,000 in December. This increase is most likely due to several large-scale Telegram account hijacking campaigns that we observed in late 2022 (article in Russian).

Number of clicks on phishing links aimed at hijacking a Telegram account worldwide, and in Russia specifically, January — December 2022 (download)

Notably, the majority of these attacks were aimed at users in Russia. In the first months of 2022 their share was approximately half of all attacks worldwide, but from March onward 70–90% of all attempts to follow Telegram phishing links were made by Russian users.

Phishing in messengers

Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them.

In 2022, our mobile solution blocked 360,185 attempts to click on phishing links from messengers. Of these, 82.71% came from WhatsApp, 14.12% from Telegram and another 3.17% from Viber.

Distribution of links blocked by the Safe Messaging component, by messenger, 2022 (download)

Phishing activity on WhatsApp is down slightly since 2021. On average, the Safe Messaging component blocked 816 clicks on fraudulent links per day. The first half of the year was the most turbulent, and by the third quarter, phishing activity in the messenger had dropped sharply.

Dynamics of phishing activity on WhatsApp in 2022 (weekly number of detected links shown)

The largest number of phishing attempts on WhatsApp, approximately 76,000, was recorded in Brazil. Russia is in second place: over the year, the Safe Messaging component prevented 69,000 attempts to go to fraudulent resources from the messenger there.

TOP 7 countries and territories where users most often clicked phishing links in WhatsApp (download)

Unlike WhatsApp, the number of phishing attacks on Telegram almost tripled in 2022 compared to the previous reporting period. On average, our solutions blocked 140 attempts to follow phishing links in this messenger per day. The peak of activity came at the end of June and beginning of July, when the number of blocked clicks exceeded 1,500 per week. Phishing activity on Telegram also increased sharply at the end of the year.

Dynamics of phishing activity on Telegram in 2022 (weekly number of detected links shown)

In Russia, we recorded the largest number (21,000) of attempts to click a link to fraudulent resources from Telegram. Second place went to Brazil, where 3,800 clicks were blocked.

TOP 7 countries and territories where users most frequently clicked phishing links from Telegram (download)

Conclusion

Times of crisis create the preconditions for crime to flourish, including online. Scams promising compensation and payouts from government agencies, large corporations and banks are likely to remain popular among cybercriminals next year. The unpredictability of the currency market and departure of individual companies from specific countries’ markets will likely affect the number of scams associated with online shopping. At the same time, the COVID-19 topic, popular with cybercriminals in 2020 and 2021, but already beginning to wane in 2022, will finally cease to be relevant and will be replaced by more pressing global issues.

Recently, we’ve seen an increase in targeted phishing attacks where scammers don’t immediately move on to the phishing attack itself, but only after several introductory emails where there is active correspondence with the victim. This trend is likely to continue. New tricks are also likely to emerge in the corporate sector in 2023, with attacks generating significant profits for attackers.

Spam and phishing in 2021 (Securelist, 9 February 2022) https://securelist.com/spam-and-phishing-in-2021/105713/

Figures of the year

In 2021:

  • 45.56% of e-mails were spam
  • 24.77% of spam was sent from Russia with another 14.12% from Germany
  • Our Mail Anti-Virus blocked 148 173 261 malicious attachments sent in e-mails
  • The most common malware family found in attachments were Agensla Trojans
  • Our Anti-Phishing system blocked 253 365 212 phishing links
  • Safe Messaging blocked 341 954 attempts to follow phishing links in messengers

How to make an unprofitable investment with no return

The subject of investments gained significant relevance in 2021, with banks and other organizations actively promoting investment and brokerage accounts. Cybercriminals wanted in on this trend and tried to make their “investment projects” look as alluring as possible. Scammers used the names of successful individuals and well-known companies to attract attention and gain the trust of investors. That’s how cybercriminals posing as Elon Musk or the Russian oil and gas company Gazprom Neft tricked Russian-speaking victims into parting with small sums of money in the hope of landing a pot of gold later. In some cases, they’d invite the “customer” to have a consultation with a specialist in order to come across as legit. The outcome would still be the same: the investor would receive nothing in return for giving their money to the scammers.

Similar schemes targeting English speakers were also intensively deployed online. Scammers encouraged investment in both abstract securities and more clearly outlined projects, such as oil production. In both cases, victims received nothing in return for their money.

Another trick was to pose as a major bank and invite victims to participate in investment projects. In some instances, scammers emphasized stability and the lack of risk involved for the investor, as well as the status of the company they were posing as. In order to make sure the investors didn’t think the process sounded too good to be true, victims were invited to take an online test or fill out an application form which would ostensibly take some time to be “processed”.

Films and events “streamed” on fake sites: not seeing is believing!

Online streaming of hyped film premieres and highly anticipated sports events was repeatedly used to lure users in 2021. Websites offering free streaming of the new Bond movie or the latest Spider-Man film appeared online shortly ahead of the actual release date, continuing to pop up until the eve of the official premiere. Scammers used various ploys to try and win the victim’s trust. They used official advertisements and provided a synopsis of the film on the website.

However, the promised free stream would be interrupted before the film even got going. Visitors to the site would be shown a snippet of a trailer or a title sequence from one of the major film studios, which could have absolutely nothing to do with the film being used as bait. Visitors would then be asked to register on the website in order to continue watching. The same outcome was observed when users tried to download or stream sports events or other content, the only difference was visitors might not be able to watch anything without registering. Either way the registration was no longer free. The registration fee would only be a symbolic figure according to the information provided on the website, but any amount of money could be debited once the user had entered their bank card details, which would immediately fall into the hands of attackers.

A special offer from cybercriminals: try your hand at spamming

More and more often, scam websites posing as large companies that promise huge cash prizes in return for completing a survey have begun setting out stricter criteria for those who want a chance to win. After answering a few basic questions, “prize winners” are required to share information about the prize draw with a set number of their contacts via a messaging app. Only then is the victim invited to pay a small “commission fee” to receive their prize. This means the person who completes the full task not only gives the scammers money, but also recommends the scam to people in their list of contacts. Meanwhile, friends see the ad is from someone they know rather than some unknown number, which could give them a false sense of security, encouraging them to follow the link and part with their money in turn.

Hurry up and lose your account: phishing in the corporate sector

The main objective for scammers in an attack on an organization remained getting hold of corporate account credentials. The messages that cybercriminals sent to corporate e-mail addresses were increasingly disguised as business correspondence or notifications about work documents that required the recipient’s attention. The attackers’ main objective was to trick the victim into following the link to a phishing page for entering login details. That’s why these e-mails would contain a link to a document, file, payment request, etc., where some sort of urgent action supposedly needed to be taken.

The fake notification would often concern some undelivered messages. They needed to be accessed via some sort of “email Portal” or another similar resource.

Another noticeable phishing trend targeting the corporate sector was to exploit popular cloud services as bait. Fake notifications about meetings in Microsoft Teams or a message about important documents sent via SharePoint for salary payment approval aimed to lower the recipient’s guard and prompt them to enter the username and password for their corporate account.

COVID-19

Scams

The subject of COVID-19 which dominated newsfeeds throughout the entire year was exploited by scammers in various schemes. In particular, attackers continued sending out messages about compensation and subsidies related to restrictions imposed to combat the pandemic, as this issue remained top of the agenda. The e-mails contained references to laws, specific measures imposed and the names of governmental organizations to make them sound more convincing. To receive the money, the recipient supposedly just needed to pay a small commission fee to cover the cost of the transfer. In reality, the scammers disappeared after receiving their requested commission along with the victim’s bank card details.

The sale of fake COVID vaccination passes and QR codes became another source of income for cybercriminals. The fraudsters emphasized how quickly they could produce forged documents and personalized QR codes. These transactions are dangerous in that, on the one hand, the consequences can be criminal charges in some countries, and on the other hand, scammers can easily trick the customer. There’s no guarantee that the code they’re selling will work. Another risk is that the buyer needs to reveal sensitive personal information to the dealer peddling the certs in order to make the transaction.

The corporate sector

COVID-19 remained a relevant topic in phishing e-mails targeting the business sector. One of the main objectives in these mailing operations was to convince recipients to click a link leading to a fake login page and enter the username and password for their corporate account. Phishers used various ploys related to COVID-19. In particular, we detected notifications about compensation allocated by the government to employees of certain companies. All they needed to do in order to avail of this promised support was to “confirm” their e-mail address by logging in to their account on the scam website.

Another malicious mailshot utilized e-mails with an attached HTML file called “Covid Test Result”. Recipients who tried to open the file were taken to a scam website where they were prompted to enter the username and password for their Microsoft account.

The “important message about vaccination” which supposedly lay unread in a recipient’s inbox also contained a link to a page belonging to attackers requesting corporate account details.
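The business-correspondence lures described in the corporate-sector section above and the COVID-19 variants in this section share one structure: a brand the recipient trusts (SharePoint, Teams, Microsoft 365), an urgency cue, and a link whose host is not one the brand would use for that notification. The Python below is an added example, not Securelist's code and not a Kaspersky detection: it parses a notification email and flags that combination. The two sample messages (all hosts use the reserved .example domain), the brand-domain allowlist and the keyword lists are constructed assumptions chosen for illustration.

```python
"""Triage a notification email for a corporate credential-phishing lure.

Added example, not Securelist's code. Sample messages, BRAND_DOMAINS,
BRAND_WORDS and URGENCY_WORDS are constructed assumptions.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains a genuine Microsoft 365 notification would link to.
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com", "microsoftonline.com", "office.com",
                  "sharepoint.com", "onedrive.com", "live.com"),
}
# Assumption: words in the subject/body that mark which brand is being imitated.
BRAND_WORDS = {
    "microsoft": ("microsoft", "sharepoint", "teams", "onedrive", "office 365", "outlook"),
}
# Assumption: urgency cues typical of the lures described in the report.
URGENCY_WORDS = ("urgent", "action required", "expire", "within 24 hours",
                 "undelivered", "pending messages", "approve", "approval")


class _Anchors(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join(self._text).strip(), self._href))
            self._href = None


def host_in(host: str, domains) -> bool:
    """True if host equals or is a subdomain of one of the allowlisted domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze(raw_message: str) -> dict:
    """Return the imitated brand, links pointing outside it, urgency cues and a verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    anchors = _Anchors()
    anchors.feed(html)
    text = (str(msg.get("Subject", "")) + " " + html).lower()

    brand = next((b for b, words in BRAND_WORDS.items()
                  if any(w in text for w in words)), None)
    mismatched = []
    if brand:
        for label, href in anchors.links:
            host = (urlsplit(href).hostname or "").lower()
            if host and not host_in(host, BRAND_DOMAINS[brand]):
                mismatched.append((label, href))
    urgency = [w for w in URGENCY_WORDS if w in text]
    verdict = "suspicious" if brand and mismatched else "clean"
    return {"brand": brand, "mismatched_links": mismatched,
            "urgency": urgency, "verdict": verdict}


# Constructed lure in the style described in the report (not a real message).
SAMPLE_EMAIL = """\
From: "SharePoint Online" <no-reply@sharepoint-notify.example>
To: finance@corp.example
Subject: Action required: salary payment approval document shared with you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A document <b>Q3 salary approval.xlsx</b> was shared with you via SharePoint.</p>
<p>This link will expire within 24 hours.</p>
<p><a href="https://docs-share-review.example/login?u=finance">Open in SharePoint</a></p>
</body></html>
"""

# Constructed benign counterpart: same brand, but the link stays on a brand domain.
LEGIT_EMAIL = """\
From: "SharePoint Online" <no-reply@corp.example>
To: finance@corp.example
Subject: Q3 report shared with you
Content-Type: text/html; charset="utf-8"

<html><body><p>Jane shared <a href="https://corp.sharepoint.com/sites/finance/Q3.xlsx">Q3.xlsx</a> with you.</p></body></html>
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
    print(analyze(LEGIT_EMAIL))
```

The check is deliberately on the link host rather than on the sender address, because the lures described here are designed to look like routine notifications and the sender is easy to forge; the credential-harvesting page, by contrast, has to live somewhere the attacker controls.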

Another type of attack deployed e-mails with malicious attachments. Shocking news, such as immediate dismissal from work accompanied by the need to take urgent action and read a “2 months salary receipt” were intended to make the recipient open the attachment with the malicious object as quickly as possible.

COVID-19 vaccination

While authorities in various countries gradually rolled out vaccination programs for their citizens, cybercriminals exploited people’s desire to protect themselves from the virus by getting vaccinated as soon as possible. For instance, some UK residents received an e-mail claiming to be from the country’s National Health Service. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link. In another mailing, scammers emphasized that only people over the age of 65 had the opportunity to get vaccinated.

In both cases, a form had to be filled out with personal data to make a vaccination appointment; and in the former case, the phishers also asked for bank card details. If the victim followed all the instructions on the fake website, they handed their account and personal data over to the attackers.

Another way to gain access to users’ personal data and purse strings was through fake vaccination surveys. Scammers sent out e-mails in the name of large pharmaceutical companies producing COVID-19 vaccines, or posing as certain individuals. The e-mail invited recipients to take part in a small study.

The scammers promised gifts or even monetary rewards to those who filled out the survey. After answering the questions, the victim would be taken to a “prize” page but told to pay a small necessary “commission fee” in order to receive it. The scammers received the money, but the victim got nothing as a result.

We also observed a mailing last year which exploited the subject of vaccination to spread malware. The subject lines of these e-mails were randomly selected from various sources. The attached document contained a macro for running a PowerShell script detected as Trojan.MSOffice.SAgent.gen. SAgent malware is used at the initial stage of an attack to deliver other malware to the victim’s system.

Statistics: spam

Share of spam in mail traffic

On average, 45.56% of global mail traffic was spam in 2021. The figure fluctuated over the course of the year.

Share of spam in global e-mail traffic, 2021 (download)

We observed the largest percentage of spam in the second quarter (46.56%), which peaked in June (48.03%). The fourth quarter was the quietest period (44.54%), with only 43.70% of e-mails detected as spam in November.

Source of spam by country or region

As in 2020, the most spam in 2021 came from Russia (24.77%), whose share rose by 3.5 p.p. Germany, whose share rose 3.15 p.p. to 14.12%, remained in second place. They were followed by the United States (10.46%) and China (8.73%), which also stayed put in third and fourth place. The share of spam sent from the United States barely moved, while China's rose 2.52 p.p. compared to 2020.

Sources of spam by country or region in 2021 (download)

The Netherlands (4.75%) moved up to fifth place, with its share rising by just 0.75 p.p. to overtake France (3.57%), whose share went in the opposite direction. Spain (3.00%) and Brazil (2.41%) also swapped places, and the top ten was rounded out by the same two countries as 2020, Japan (2.36%) and Poland (1.66%). In total, over three quarters of the world's spam was sent from these ten countries.

Malicious mail attachments

Dynamics of Mail Anti-Virus triggerings in 2021 (download)

In 2021, the Kaspersky Mail Anti-Virus blocked 148 173 261 malicious e-mail attachments. May was the quietest month, when just over 10 million attachments were detected, i.e., 7.02% of the annual total. In contrast, October turned out to be the busiest month, when we recorded over 15 million attacks blocked by the Mail Anti-Virus, i.e., 10.24% of the annual total.

Malware families

The attachments most frequently encountered and blocked by the antivirus in 2021 were Trojans from the Agensla family, which steal login credentials stored in browsers as well as credentials from e-mail and FTP clients. Members of this family were found in 8.67% of the malicious files detected, which is 0.97 p.p. up on 2020. Second place was taken by Badun Trojans (6.31%), distributed in archives and disguised as electronic documents. In another 3.95% of cases, our products blocked attacks exploiting the CVE-2017-11882 vulnerability in Microsoft Equation Editor, which remains significant for the fourth year in a row. Almost the same number of attachments belonged to the Taskun (3.93%) family, which creates malicious tasks in Windows Task Scheduler.

TOP 10 malware families spread by e-mail attachments in 2021 (download)

The fifth and tenth most popular forms of malware sent in attachments were Noon spyware Trojans for any version of Windows OS (3.63%) and 32-bit versions (1.90%), respectively. Malicious ISO disk images accounted for 3.21% of all attachments blocked, while SAgent Trojans contributed 2.53%. Eighth place was taken by another exploited vulnerability in Equation Editor called CVE-2018-0802 (2.38%), while in the ninth place were Androm backdoors (1.95%), which are mainly used to deliver different types of malware to an infected system.

TOP 10 types of malware spread by e-mail attachments in 2021 (download)

The ten most common verdicts in 2021 coincided with the TOP 10 families. This means attackers mainly spread one member of each family.

Countries and regions targeted by malicious mailings

In 2021, the Mail Anti-Virus most frequently blocked attacks on devices used in Spain (9.32%), whose share has risen for the second year in a row. Russia rose to second place (6.33%). The third largest number of malicious files were blocked in Italy (5.78%).

Countries and regions targeted by malicious mailshots in 2021 (download)

Germany (4.83%) had been the most frequent target of malicious mailings for several years until 2020. It dropped to fifth place in 2021, giving way to Brazil (4.84%), whose share was just 0.01 p.p. higher than Germany's. They are followed in close succession by Mexico (4.53%), Vietnam (4.50%) and the United Arab Emirates (4.30%), with the same countries as in 2020 rounding out the TOP 10 targets: Turkey (3.37%) and Malaysia (2.62%).

Statistics: phishing

In 2021, our Anti-Phishing system blocked 253 365 212 phishing links. In total, 8.20% of Kaspersky users in different countries and regions around the world have faced at least one phishing attack.

Map of phishing attacks

Geography of phishing attacks in 2021 (download)

Users living in Brazil made the most attempts to follow phishing links, with the Anti-Phishing protection triggered on devices belonging to 12.39% of users in this country. Brazil was also the top phishing target in 2020. France rose to second place (12.21%), while Portugal (11.40%) remained third. It’s worth noting that phishing activity was so rampant in France last year that the country topped the leaderboard of targeted users in the first quarter.

Mongolia (10.98%) found itself in fourth place for the number of users attacked in 2021, making it onto this list for the first time. The countries which followed in close succession were Réunion (10.97%), Brunei (10.89%), Madagascar (10.87%), Andorra (10.79%), Australia (10.74%), and Ecuador (10.73%).

TOP 10 countries by share of users targeted in phishing attacks:

Country Share of attacked users*
Brazil 12.39%
France 12.21%
Portugal 11.40%
Mongolia 10.98%
Réunion 10.97%
Brunei 10.89%
Madagascar 10.87%
Andorra 10.79%
Australia 10.74%
Ecuador 10.73%

* Share of users on whose devices Anti-Phishing was triggered out of all Kaspersky users in the country in 2021

Top-level domains

The largest share of the phishing websites blocked in 2021 used a .com domain name, as in 2020, with the zone's share rising 7.19 p.p. to 31.55%. The second most popular zone among attackers was .xyz (13.71%), where domains are cheap or even free to register. Third place went to the Chinese country-code domain .cn (7.14%). The Russian domain .ru (2.99%) fell to sixth place, although its share grew compared to 2020; it now trails .org (3.13%) and .top (3.08%) and is followed by .net (2.20%), .site (1.82%) and .online (1.56%). The list is rounded out by the low-cost .tk domain (1.17%), the country-code zone of Tokelau, a territory of New Zealand, which attracts attackers for the same reason .xyz does.
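The zone shares here and in the top-level-domain section of the 2022 report are obtained by attributing each blocked page to its domain zone, with second-level zones such as COM.BR and CO.UK counted as zones of their own. The Python below is an added example, not Securelist's code: it does that attribution over a small constructed list of URLs and computes the percentage per zone. The URL list, the short multi-label zone list (standing in for a full public-suffix list) and the rounding are assumptions; the hosts are invented for illustration and are not real phishing sites.

```python
"""Attribute URLs to domain zones and compute per-zone shares.

Added example, not Securelist's code. MULTI_LABEL_ZONES is a hand-picked
stand-in for a public-suffix list; SAMPLE_PHISHING_URLS are constructed.
"""
from collections import Counter
from urllib.parse import urlsplit

# Assumption: second-level zones that the report tabulates as their own category.
MULTI_LABEL_ZONES = {"com.br", "co.uk", "com.au", "co.jp"}


def zone_of(url: str) -> str:
    """Return the zone of a URL, uppercased as in the report (COM, XYZ, CO.UK).

    Normalises case, drops port/userinfo, converts Unicode hosts to punycode
    labels, and separates IPv4-literal hosts as 'IP'. IPv6 literals and
    single-label hosts come back as 'INVALID'.
    """
    parsed = urlsplit(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower().strip(".")
    if not host:
        return "INVALID"
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "INVALID"
    labels = host.split(".")
    if len(labels) == 4 and all(l.isdigit() for l in labels):
        return "IP"
    if len(labels) < 2:
        return "INVALID"
    last2 = ".".join(labels[-2:])
    if last2 in MULTI_LABEL_ZONES and len(labels) >= 3:
        return last2.upper()
    return labels[-1].upper()


def zone_shares(urls) -> dict:
    """Return {zone: percentage} ordered by descending share, rounded to 2 dp."""
    counts = Counter(zone_of(u) for u in urls)
    total = sum(counts.values())
    return {z: round(100.0 * n / total, 2) for z, n in counts.most_common()}


# Constructed inputs covering the edge cases zone_of handles; not real sites.
SAMPLE_PHISHING_URLS = [
    "http://login-secure-update.com/acct",
    "https://premiere-stream.fun/watch?id=1",
    "https://cloud-docs.xyz/s/share",
    "http://banco-atualiza.com.br/cad",        # second-level zone, counted as COM.BR
    "http://parcel-refund.co.uk/track",        # second-level zone, counted as CO.UK
    "https://bänk-login.com/verify",           # Unicode host, converted to punycode
    "https://Promo.Example.COM:8080/x",        # mixed case and explicit port
    "http://192.0.2.10/portal",                # IPv4 literal (RFC 5737 test range)
]

if __name__ == "__main__":
    for zone, share in zone_shares(SAMPLE_PHISHING_URLS).items():
        print(f"{zone:8s} {share:6.2f}%")
```

Without the multi-label step the Brazilian and British entries would be folded into BR and UK, which is why a naive "last label" count cannot reproduce a table that lists COM.BR and CO.UK as separate zones.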

Most frequent top-level domains for phishing pages in 2021 (download)

Organizations mimicked in phishing attacks

The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database.

The demand for online shopping remained high in 2021, which is reflected in phishing trends: phishing pages were most frequently designed to mimic online stores (17.61%). These were closely followed by global Internet portals (17.27%) in second place. Payment systems (13.11%) climbed to third place, rising 4.7 p.p. to overtake banks (11.11%) and social networks (6.34%). Instant messengers (4.36%) and telecom companies (2.09%) stayed in sixth and seventh place, respectively, although their shares both fell. IT companies (2.00%) and financial services (1.90%) also held onto their places in the rating. The TOP 10 was rounded out by online games (1.51%), as attackers went after gamers more frequently than after users of delivery services in 2021.

Distribution of organizations most often mimicked by phishers, by category, 2021 (download)

Phishing in messengers

Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them.

In 2021, Safe Messaging blocked 341 954 attempts to follow phishing links in various messengers. Most of these were links that users tried to follow from WhatsApp (90.00%). Second place was occupied by Telegram (5.04%), with Viber (4.94%) not far behind.

Distribution of links blocked by the Safe Messaging component, by messenger, 2021 (download)

On average, WhatsApp users attempted to follow phishing links 850 times a day. We observed the least phishing activity at the beginning of the year, while in December the weekly number of blocked links exceeded the 10 000 mark. We also observed a spike in phishing activity on WhatsApp in July, when Trojan.AndroidOS.Whatreg.b, which is mainly used to register new WhatsApp accounts, also became more active. We cannot say for sure that there is a connection between Whatreg activity and phishing in this messaging app, but it is a possibility. Another brief surge in phishing activity was observed in the week from October 31 through November 6, 2021.

Dynamics of phishing activity on WhatsApp in 2021 (weekly number of detected links shown)

On average, the Safe Messaging component detected 45 daily attempts to follow phishing links sent via Telegram. Similar to WhatsApp, phishing activity increased towards the end of the year.

Dynamics of phishing activity on Telegram in 2021 (weekly number of detected links shown)

A daily average of 45 links were also detected on Viber, although phishing activity on this messenger dropped off towards the end of the year. However, we observed a peak in August 2021.

Dynamics of phishing activity on Viber in 2021 (weekly number of detected links shown)

Conclusion

As we had expected, the key trends from 2020 continued into 2021. Attackers actively exploited the subject of COVID-19 in spam e-mails, which remained just as relevant as a year earlier. Moreover, baits related to vaccines and QR codes, two of the year's main themes, were added to the bag of pandemic-related tricks. As expected, we continued to observe a variety of schemes devised to hack corporate accounts: to achieve their aims, attackers forged e-mails mimicking notifications from various online collaboration tools, sent out notifications about non-existent documents and used similar business-related baits. There were also some new trends, such as the investment scam, which is gaining momentum.

The key trends in phishing attacks and scams are likely to continue into the coming year. Fresh “investment projects” will replace their forerunners. “Prize draws” will alternate with holiday giveaways when there’s a special occasion to celebrate. Attacks on the corporate sector aren’t going anywhere either. Given remote and hybrid working arrangements are here to stay, the demand for corporate accounts on various platforms is unlikely to wane. The topic of COVID-19 vaccination status will also remain relevant. Due to the intensity of the measures being imposed in different countries to stop the spread of the virus, we’ll more than likely see a surge in the number of forged documents up for sale on the dark web, offering unrestricted access to public places and allowing holders to enjoy all the freedoms of civilization.

Spam and phishing in Q3 2021 (https://securelist.com/spam-and-phishing-in-q3-2021/104741/, published Mon, 01 Nov 2021 12:00:26 +0000)

Quarterly highlights

This summer and early fall saw some major international sporting events. The delayed Euro 2020 soccer tournament was held in June and July, followed by the equally delayed Tokyo Olympics in August. Q3 2021 also featured several F1 Grand Prix races. There was no way that cybercriminals and profiteers could pass up such a golden opportunity. Fans wanting to attend events live encountered fake ticket-selling websites. Some sites made a point of stressing the tickets were “official”, despite charging potential victims several times the real price of a ticket, and some just took the money and disappeared.

Scammers also laid traps for those preferring to watch the action online from the comfort of home. Fraudulent websites popped up offering free live broadcasts. On clicking the link, however, the user was asked to pay for a subscription. If that did not deter them, their money and bank card details went straight to the scammers, with no live or any other kind of broadcast in return. This scheme has been used many times before, only instead of sporting events, victims were offered the hottest movie and TV releases.

Soccer video games always attract a large following. This success has a downside: gaming platforms get attacked by hackers, especially during major soccer events. Accordingly, the Euro 2020 championship was used by scammers as bait to hijack accounts on the major gaming portal belonging to Japanese gaming giant Konami. The cybercriminals offered users big bonuses in connection with the tournament. However, when attempting to claim the bonus, the victim would land on a fake Konami login page. If they entered their credentials, the attackers took over their account and the “bonus” evaporated into thin air.

“Nigerian prince” scammers also had a close eye on Q3’s sporting fixture. The e-mails that came to our attention talked about multi-million-dollar winnings in Olympics-related giveaways. To receive the prize, victims were asked to fill out a form and e-mail it to the cybercriminals.

Some messages anticipated upcoming events in the world of sport. The FIFA World Cup is slated for far-off November — December 2022, yet scammers are already inventing giveaways related to it.

Among other things, we found some rather unusual spam e-mails with an invitation to bid for the supply of products to be sold at airports and hotels during the World Cup. Most likely, the recipients would have been asked to pay a small commission to take part in the bidding or giveaway, with no results ever coming forth.

Scam: get it yourself, share with friends

In Q3 2021, our solutions blocked more than 5.6 million redirects to phishing pages. Anniversaries of well-known brands have become a favorite topic for attackers. According to announcements on fake sites, IKEA, Amazon, Tesco and other companies all held prize draws to celebrate a milestone date. Wannabe participants had to perform a few simple actions, such as taking a survey or a spot-the-hidden-prize contest, or messaging their social network contacts about the promotion, and then were asked to provide card details, including the CVV code, to receive the promised payout. That done, the attackers not only got access to the card, but also requested payment of a small commission to transfer the (non-existent) winnings. Curiously, the scammers came up with fake round dates, for example, the 80th anniversary of IKEA, which in reality will come two years later. It is always advisable to check promotions on official websites, rather than trusting e-mails, which are easy to spoof.

There were also plenty of “holiday deals” supposedly from major Russian brands, with some, it seemed, showing particular generosity in honor of September 1, or Knowledge Day, when all Russian schools and universities go back after the summer break. Those companies allegedly giving away large sums were all related to education in one way or another. At the same time, the fraudulent scheme remained largely the same, with just some minor tinkering round the edges. For example, fake Detsky Mir (Children’s World, a major chain of kids’ stores) websites promised a fairly large sum of money, but on condition that the applicant sends a message about the “promotion” to 20 contacts or 5 groups. And the payment was then delayed, allegedly due to the need to convert dollars into rubles: for this operation, the “lucky ones” had to pay a small fee.

On a fake website holding a giveaway under the Perekrestok brand, after completing the tasks the “winner” was promised as a prize a QR code that could supposedly be used to make purchases in the company’s stores. Note that Perekrestok does indeed issue coupons with QR codes to customers; that is, the cybercriminals tried to make the e-mail look plausible. When trying to retrieve this code, the potential victim would most likely be asked to pay a “commission” before being able to spend the prize money. Note too that QR codes from questionable sources can carry other threats, for example, spreading malware or debiting money in favor of the scammers.

In 2021, there was an increase in the number of fake resources posing as cookie-selling platforms. Users were promised a generous monetary reward (up to $5,000 a day) for selling such data. Those who fell for the tempting offer and followed the link were redirected to a fake page that allegedly “reads cookies from the victim’s device to estimate their market value.” The “valuation” most often landed in the US$700–2,000 range. To receive this money, the user was asked to put the cookies up at a kind of auction, in which different companies were allegedly taking part. The scammers assured that the data would go to the one offering the highest price.

If the victim agreed, they were asked to link their payment details to the account in the system and to top it up by €6, which the scammers promised to return, together with the auction earnings, within a few minutes. To top up the balance, the victim was required to enter their bank card details into an online form. Naturally, they received no payment, and the €6 and payment details remained in the attackers’ possession.

Note that the very idea of selling cookies from your device is risky: these files can store confidential information about your online activity — in particular, login details that let you avoid having to re-enter your credentials on frequently used sites.

Even official mobile app stores sometimes let malware sneak in. This quarter saw a new threat in the shape of fraudulent welfare payment apps that could be downloaded from such platforms. The blurb described them as software that helps find and process government payments the user is entitled to. Due payments (fake, of course) were indeed found, but to receive the money the user was asked to “pay for legal services relating to form registration”. The numerous positive reviews under the app, as well as a design mimicking real government sites, added credibility. We informed the store in question, which removed the fraudulent apps.

Spam support: call now, regret later

E-mails inviting the recipient to contact support continue to be spam regulars. Whereas previously they were dominated by IT topics (problems with Windows, suspicious activity on the computer, etc.), recently we have seen a rise in the number of e-mails talking about unexpected purchases, bank card transactions or account deactivation requests. Most likely, the change of subject matter is an attempt to reach a wider audience: messages about unintentional spending and the risk of losing an account frighten users more than abstract technical problems. However, the essence of the scam remained the same: the recipient, puzzled by the e-mail about a purchase or transfer they did not make, tried to call the support service at the number given in the message. To cancel the alleged transaction or purchase, they were asked to give their login credentials for the site from which the e-mail supposedly came. This confidential information fell straight into the hands of the cybercriminals, giving them access to the victim’s account.

COVID-19

New life was injected into the COVID-19 topic this quarter. In connection with mass vaccination programs worldwide, and the introduction of QR codes and certificates as evidence of vaccination or antibodies, fraudsters began “selling” their own. We also encountered rogue sites offering negative PCR test certificates. The “customer” was asked first to provide personal information: passport, phone, medical policy, insurance numbers and date of birth, and then to enter their card details to pay for the purchase. As a result, all this information went straight to the malefactors.

Spam in the name of generous philanthropists and large organizations offering lockdown compensation is already a standard variant of the “Nigerian prince” scam.

However, “Nigerian prince” scams are not all that might await recipients of such messages. For example, the authors of spam exploiting Argentina’s BBVA name had a different objective. Users were invited to apply for a government subsidy through this bank. To do so, they had to unpack a RAR archive that allegedly contained a certificate confirming the compensation. In reality, the archive harbored malware detected by our solutions as Trojan.Win32.Mucc.pqp.

Cybercriminals also used other common COVID-19 topics to trick recipients into opening malicious attachments. In particular, we came across messages about the spread of the delta variant and about vaccination. The e-mail headers were picked from various information sources, chosen, most likely, for their intriguing nature. The attached document, detected as Trojan.MSOffice.SAgent.gen, contained a macro for running a PowerShell script. SAgent malware is used at the initial stage of the attack to deliver other malware to the victim’s system.

Corporate privacy

A new trend emerged this quarter in spam e-mails aimed at stealing credentials for corporate accounts, whereby cybercriminals asked recipients to make a payment. But upon going to the website to view the payment request, the potential victims were requested to enter work account login details. If they complied, the attackers got hold of the account.

Statistics: spam

Share of spam in mail traffic

In Q3 2021, the share of spam in global mail traffic fell once again, averaging 45.47% — down 1.09 p.p. against Q2 and 0.2 p.p. against Q1.

Share of spam in global mail traffic, April – September 2021 (download)

In July, this indicator fell to its lowest value since the beginning of 2021 (44.95%) — 0.15 p.p. less than in March, the quietest month of H1. The highest share of spam in Q3 was seen in August (45.84%).

Source of spam by country

The top spam-source country is still Russia (24.90%), despite its share dropping slightly in Q3. Germany (14.19%) remains in second place, while China (10.31%) moved into third this quarter, adding 2.53 p.p. Meanwhile, the US (9.15%) shed 2.09 p.p. and fell to fourth place, while the Netherlands held on to fifth (4.96%).

Source of spam by country, Q3 2021 (download)

On the whole, the TOP 10 countries supplying the bulk of spam e-mails remained virtually unchanged from Q2. Sixth position still belongs to France (3.49%). Brazil (2.76%) added 0.49 p.p., overtaking Spain (2.70%) and Japan (2.24%), but the TOP 10 members remained the same. At the foot of the ranking, as in the previous reporting period, is India (1.83%).

Malicious mail attachments

Mail Anti-Virus this quarter blocked more malicious attachments than in Q2. Our solutions detected 35,958,888 pieces of malware, over 1.7 million more than in the previous reporting period.

Dynamics of Mail Anti-Virus triggerings, April – September 2021 (download)

During the quarter, the number of Mail Anti-Virus triggerings grew: the quietest month was July, when our solutions intercepted just over 11 million attempts to open an infected file, while the busiest was September, with 12,680,778 malicious attachments blocked.

Malware families

In Q3 2021, Trojans from the Agensla family (9.74%) were again the most widespread malware in spam. Their share increased by 3.09 p.p. against the last quarter. These Trojans are designed to steal login credentials from the victim’s device. The share of the Badun family, which consists of various malware disguised as electronic documents, decreased slightly, pushing it into second place. Third place was taken by the Noon spyware (5.19%), whose 32-bit relatives (1.71%) moved down to ninth. Meanwhile, the Taskun family, which creates malicious tasks in Task Scheduler, finished fourth this time around, despite its share rising slightly.

TOP 10 malware families in mail traffic, Q3 2021 (download)

The sixth place in TOP 10 common malware families in spam in Q3 was occupied by exploits for the CVE-2018-0802 vulnerability (3.28%), a new addition to the list. This vulnerability affects the Equation Editor component, just like the older but still popular (among cybercriminals) CVE-2017-11882, exploits for which (3.29%) were the fifth most prevalent in Q3. Seventh position went to malicious ISO disk images (2.97%), and eighth to Androm backdoors (1.95%). Loaders from the Agent family again propped up the ranking (1.69%).

The TOP 10 most widespread e-mail malware in Q3 was similar to the families ranking. The only difference is that ninth place among individual samples is occupied by Trojan-PSW.MSIL.Stealer.gen stealers.

TOP 10 malicious attachments in spam, Q3 2021 (download)

Countries targeted by malicious mailings

In Q3, Mail Anti-Virus was most frequently triggered on the computers of users in Spain. This country’s share again grew slightly relative to the previous reporting period, amounting to 9.55%. Russia climbed to second place, accounting for 6.52% of all mail attachments blocked from July to September. Italy (5.47%) rounds out TOP 3, its share continuing to decline in Q3.

Countries targeted by malicious mailings, Q3 2021 (download)

Brazil (5.37%) gained 2.46 p.p. and moved up to fourth position by number of Mail Anti-Virus triggerings. It is followed by Mexico (4.69%), Vietnam (4.25%) and Germany (3.68%). The UAE (3.65%) drops to eighth place. Also among the TOP 10 targets are Turkey (3.27%) and Malaysia (2.78%).

Statistics: phishing

In Q3, the Anti-Phishing system blocked 46,340,156 attempts to open phishing links. A total of 3.56% of Kaspersky users encountered this threat.

Geography of phishing attacks

Brazil had the largest share of affected users (6.63%). The TOP 3 also included Australia (6.41%) and Bangladesh (5.42%), while Israel (5.33%) dropped from second to fifth, making way for Qatar (5.36%).

Geography of phishing attacks, Q3 2021 (download)

Top-level domains

The top-level domain most commonly used for hosting phishing pages in Q3, as before, was COM (29.17%). Reclaiming second place was XYZ (14.17%), whose share increased by 5.66 p.p. compared to the previous quarter. ORG (3.65%) lost 5.14 p.p. and moved down to fifth place, letting both the Chinese domain CN (9.01%) and TOP (3.93%) overtake it.

Top-level domain zones most commonly used for phishing, Q3 2021 (download)

The Russian domain RU (2.60%) remained the sixth most popular among cybercriminals in Q3, while the last four lines of the TOP 10 are occupied by the international domains NET (2.42%), SITE (1.84%), ONLINE (1.40%) and INFO (1.11%).

Organizations under phishing attack

The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.

Global internet portals (20.68%) lead the list of organizations whose brands were most often used by cybercriminals as bait. Online stores (20.63%) are in second place by a whisker. Third place, as in the last quarter, is taken by banks (11.94%), and fourth by payment systems (7.78%). Fifth and sixth positions go to the categories “Social networks and blogs” (6.24%) and “IMs” (5.06%), respectively.

Distribution of organizations whose users were targeted by phishers, by category, Q3 2021 (download)

The seventh line is occupied by online games (2.42%). Note that for the past two years websites in this category have featured in the TOP 10 baits specifically in the third quarter. Financial services (1.81%), IT companies (1.72%) and telecommunication companies (1.45%) round out the ranking.

Phishing in messengers

Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them.

In Q3 2021, Safe Messaging blocked 117,854 attempted redirects via phishing links in various messengers. Of these, 106,359 links (90.25%) were detected and blocked in WhatsApp messages. Viber accounted for 5.68%, Telegram for 3.74% and Google Hangouts for 0.02% of all detected links.

Distribution of links blocked by the Safe Messaging component, by messenger, Q3 2021 (download)

On WhatsApp, Safe Messaging detected an average of 900 phishing links per day during the quarter. There was a surge in scamming activity in this period, though — on July 12–16 the system blocked more than 4,000 links a day. This spike coincided with an increase in detections of the Trojan.AndroidOS.Whatreg.b Trojan, which registers new WhatsApp accounts from infected devices. We cannot say for sure what exactly these accounts get up to and whether they have anything to do with the rise in phishing on WhatsApp, but it is possible that cybercriminals use them for spamming.

Dynamics of phishing activity on WhatsApp, Q3 2021

As for Telegram, phishing activity there increased slightly towards the end of the quarter.

Dynamics of phishing activity on Telegram, Q3 2021

Takeaways

Next quarter, we can expect Christmas- and New Year-themed mailings. Ahead of the festive season, many people make purchases from online stores, a fact exploited by cybercriminals. Anonymous fake stores taking money for non-existent or substandard goods are likely to be a popular scamming method during this period. Also beware of fraudulent copies of big-name trading platforms — such sites traditionally mushroom ahead of the festive frenzy. Corporate users too should remain sharp-eyed — even a congratulatory e-mail seemingly from a partner may be phishing for confidential information.

The COVID-19 topic will still be hot in the next quarter. The fourth wave of the pandemic, vaccinations and the introduction of COVID passports in many countries will surely give rise to new malicious mailings. Also be on the lookout for websites offering compensation payments: if previous quarters are anything to go by, cybercriminals will continue to find new and enticing ways to lure their victims.

Spam and phishing in Q2 2021 (https://securelist.com/spam-and-phishing-in-q2-2021/103548/, published Thu, 05 Aug 2021 10:00:45 +0000)

Quarterly highlights

The corporate sector

In Q2 2021, corporate accounts continued to be one of the most tempting targets for cybercriminals. To add to the credibility of links in emails, scammers imitated mailings from popular cloud services. This technique has been used many times before. A fake notification about a Microsoft Teams meeting or a request to view an important document traditionally takes the victim to a phishing login page asking for corporate account credentials.

Spam and phishing in Q2 2021: scam emails supposedly from Microsoft services and fake login pages

Cybercriminals also faked emails from cloud services in schemes aimed at stealing not accounts but money. We saw, for example, spoofed messages about a comment added to a document stored in the cloud. The document itself most likely did not exist: at the other end of the link was the usual recipe for making a fast buck online by investing in Bitcoin or a similarly tempting offer. Such “offers” usually require the victim to pay a small amount upfront to claim their non-existent reward.

Spam and phishing in Q2 2021: fake document comment with link to fraudulent website

In addition to various cloud-related emails, we blocked messages disguised as business correspondence and containing links to malware. In particular, an email threatening legal action claimed that the victim had not paid for a completed order. To resolve the issue amicably, the recipient was asked to review the documents confirming the order completion and to settle the bill by a certain date. The documents were supposedly available via the link provided and protected by a special code. In fact, the file named “Договор №8883987726 от 10.10.2021.pdf.exe” (Agreement #8883987726 of 10.10.2021.pdf.exe) that the victim was asked to download was a malicious program known as Backdoor.Win32.RWS.a.

Spam and phishing in Q2 2021: malicious spam
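As an added example (not Kaspersky’s code or anything from the report), a small attachment-name screen of the kind a mail gateway can apply to the cases this page describes: the document-name-plus-.exe disguise of the “Договор … .pdf.exe” file above, the RAR archive from the BBVA lure, ISO disk images and macro-capable Office or RTF documents. The extension lists, verdict names and sample file names are constructed for illustration.

```python
import re

# Verdict severity; the highest verdict among a message's attachments wins.
SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}

# Extension groups, constructed for this example (extend to local policy).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "ps1", "hta", "msi"}
DOCUMENT_LIKE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                      "txt", "rtf", "jpg", "jpeg", "png"}
# Legacy Office and RTF: may carry VBA macros or Equation Editor exploits
# (CVE-2017-11882, CVE-2018-0802), both prominent in the rankings above.
MACRO_OR_EXPLOIT_EXTS = {"doc", "dot", "xls", "xlt", "rtf", "docm", "dotm",
                         "xlsm", "xltm", "pptm"}
DISK_IMAGE_EXTS = {"iso", "img", "vhd", "vhdx"}
ARCHIVE_EXTS = {"rar", "zip", "7z", "ace", "cab"}


def classify_attachment(name: str) -> tuple[str, str]:
    """Return (verdict, reason) for one attachment file name."""
    # Drop any path component; keep non-ASCII characters (e.g. Cyrillic) as-is.
    base = re.split(r"[\\/]", name)[-1]
    # Split on dots and strip padding spaces, so "report.pdf      .exe"
    # classifies exactly like "report.pdf.exe". Drop empty trailing parts.
    parts = [p.strip().lower() for p in base.split(".")]
    while parts and not parts[-1]:
        parts.pop()
    if len(parts) < 2:
        return "allow", "no file extension"
    last = parts[-1]
    # The part before the real extension; only meaningful with three or more parts.
    prev = parts[-2] if len(parts) >= 3 else ""
    if last in EXECUTABLE_EXTS:
        if prev in DOCUMENT_LIKE_EXTS:
            return "block", f"executable disguised as a document (.{prev}.{last})"
        return "block", f"executable attachment (.{last})"
    if last in DISK_IMAGE_EXTS:
        return "quarantine", f"disk image (.{last}) can carry executables"
    if last in ARCHIVE_EXTS:
        return "quarantine", f"archive (.{last}) needs content inspection"
    if last in MACRO_OR_EXPLOIT_EXTS:
        return "quarantine", (f"Office/RTF document (.{last}) may carry macros "
                              "or Equation Editor exploits")
    return "allow", f"ordinary .{last} attachment"


def screen_message(attachment_names: list[str]) -> tuple[str, list[tuple[str, str, str]]]:
    """Screen every attachment of one message; return the overall verdict and per-file findings."""
    findings = []
    worst = "allow"
    for name in attachment_names:
        verdict, reason = classify_attachment(name)
        findings.append((name, verdict, reason))
        if SEVERITY[verdict] > SEVERITY[worst]:
            worst = verdict
    return worst, findings


if __name__ == "__main__":
    # Constructed sample message mirroring the cases described in the reports above.
    sample = [
        "Договор №8883987726 от 10.10.2021.pdf.exe",  # backdoor with a document-like double extension
        "subsidy_certificate.rar",                    # archive, as in the BBVA "subsidy" lure
        "delta_variant_update.doc",                   # legacy Office document with a possible macro
        "setup.iso",                                  # disk image attachment
        "agenda.pdf",                                 # ordinary document
    ]
    verdict, findings = screen_message(sample)
    for name, v, why in findings:
        print(f"{v:10} {name}: {why}")
    print("message verdict:", verdict)
```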

COVID-19 compensation fraud

In Q2 2021, scammers continued to exploit the theme of pandemic-related compensation. This time, offers of financial assistance were mostly sent in the name of government agencies. “The UK Government” and “the US Department of the Treasury” were ready to pay out special grants to all-comers. However, attempts to claim the promised handout only led to monetary loss or compromised bank card details. It goes without saying that the grants did not materialize.

Spam and phishing in Q2 2021: pandemic-related compensation fraud

It was bank card details, including CVV codes, that were the target of a gang of cybercriminals who created a fake informational website about social assistance for citizens of Belarus. To make the pages look official, the scammers described in detail the system of payouts depending on the applicant’s line of work and other conditions. The information bulletin issued in the name of the Belarus Ministry of Health clearly spelled out the payment amounts for medical staff. Workers in other fields were invited to calculate their entitled payout by clicking the Get Social Assistance button. This redirected the visitor to a page with a form for entering bank card details.

Spam and phishing in Q2 2021: yet another payout scam

Parcel scam: buy one, get none

Unexpected parcels requiring payment by the recipient remained one of the most common tricks this past quarter. Moreover, cybercriminals became more adept at localizing their notifications: Q2 saw a surge in mass mailings in a range of languages. The reason for the invoice from the “mail company” could be anything from customs duties to shipment costs. When trying to pay for the service, as with compensation fraud, victims were taken to a fake website, where they risked not only losing the amount itself (which could be far higher than specified in the email), but also spilling their bank card details.

Spam and phishing in Q2 2021: fake delivery emails

Mailed items were the focus of one other fraudulent scheme. Websites appeared offering people the chance to buy out others’ parcels that for some reason could not reach the intended recipients. The “service” was positioned as a lottery — the buyer paid only for the weight of the parcel (the bigger it was, the higher the price), and its contents were not disclosed. To find out what was inside, the lucky owner of the abandoned parcel had to wait for it to arrive at the specified address. Which it didn’t. According to the mail company Russian Post, when the storage period expires, registered items (parcels, letters, postcards, EMS items) are sent to the return address at the sender’s expense. If the sender does not collect the returned item within the storage period, it is considered “unclaimed” and stored for a further six months, after which it is destroyed. In other words, ownerless parcels are not sold. Therefore, any offer to buy them is evidently a scam.

Spam and phishing in Q2 2021: unclaimed parcels fraud

New movies: pay for the pleasure of not watching

Late April saw the annual Oscars ceremony in Hollywood. Movies nominated for an Academy award naturally attract public as well as cybercriminal attention. As a consequence, fake websites popped up offering free viewings and even downloads of Oscar contenders. After launching a video, the visitor of the illegal movie theater was shown several clips of the film (usually taken from the official trailer), before being asked to pay a small subscription fee to continue watching. However, after payment of the “subscription” the movie screening did not resume; instead the attackers had a new bank account to play with.

Spam and phishing in Q2 2021: Oscar-nominated movie fraud

In fact, almost any big-budget movie is accompanied by the appearance of fake websites offering video or audio content long before its official release. Kaspersky found fake sites supposedly hosting Friends: The Reunion, a special episode of the popular sitcom. Fans who tried to watch or download the long-awaited continuation were redirected to a Columbia Pictures splash screen. After a few seconds, the broadcast stopped, replaced by a request to pay a nominal fee.

Spam and phishing in Q2 2021: Friends: The Reunion scam

Messenger spam: WhatsApp with that?

In messenger-based spam, we continued to observe common tricks to get users to part with a small amount of money. Victims were asked, for example, to take a short survey about WhatsApp and to send messages to several contacts in order to receive a prize. Another traditional scam aims to persuade the user that they are the lucky winner of a tidy sum. Both scenarios end the same way: the scammers promise a large payout, but only after receiving a small commission.

Spam and phishing in Q2 2021: WhatsApp survey scam

WhatsApp was bought by Facebook in 2014. In early 2021, the two companies’ symbiotic relationship became a hot topic in connection with WhatsApp’s new privacy policy, allowing the messenger to exchange user information with its parent company. Cybercriminals took advantage of the rumor mill about the two companies. They set up fake websites inviting users to a WhatsApp chat with “beautiful strangers”. But when attempting to enter the chat room, the potential victim landed on a fake Facebook login page.

Spam and phishing in Q2 2021: WhatsApp chat scam

Emails with a link pointing to a fake WhatsApp voice message most likely belong to the same category. By following it, the recipient risks not only handing over their personal data to the attackers, but also downloading malware to their computer or phone.

Spam and phishing in Q2 2021: WhatsApp voice message fraud

Investments and public property scams

Offers of quick earnings with minimal effort remain one of the most common types of fraud. In Q2 2021, cybercriminals diversified their easy-money schemes. Email recipients were invited to invest in natural resources (oil, gas, etc.) or in cryptocurrency supposedly secured by these resources. The topic of gas also surfaced in more conventional compensation scams. To make their offers more credible, cybercriminals used the brands of large companies. Having accepted investments, the scammers and their sites quickly disappeared along with the victims’ money.

Spam and phishing in Q2 2021: gas-themed fraud

For more suspicious minds, the cybercriminals set up a fake Gazprom anti-fraud website, where they posed as company employees, promising to compensate victims’ losses. The cybercriminals claimed that those who had paid more than 60,000 rubles were entitled to compensation; however, the attacks were not targeted. Most likely, the scammers were counting on users being curious about whether they could claim compensation. Naturally, the help of the “anti-fraudsters” was not without strings attached, despite the advertised free consultation. “Clients” who filled out the form were asked to pay a small fee for the refund, whereupon the “consultants” vanished without compensating so much as a dime.

Spam and phishing in Q2 2021: victim compensation fraud

Another high-earning scam cited client payouts under VTB Invest, VTB Bank’s digital asset management solution. Using the bank’s logos, the fraudsters offered “active banking users” the opportunity to receive a “payout from investors.” After filling out the application form, indicating name, phone number and email, the potential victim saw a message stating that they were to receive a certain amount of money. Although the cybercriminals assured that no commission was payable, to receive the “payout” the applicant was required to provide bank card details or deposit a small sum, ostensibly to verify the account. In other words, it was the usual scheme in a different wrapper.

Spam and phishing in Q2 2021: VTB Invest payout fraud

Statistics: spam

Proportion of spam in mail traffic

After a prolonged decline, the share of spam in global mail traffic began to grow again in Q2 2021, averaging 46.56%, up 0.89 p.p. against the previous reporting period.

Share of spam in global mail traffic, Q1 and Q2 2021 (download)

A look at the data by month shows that, having troughed in March (45.10%), the share of spam in global mail traffic rose slightly in April (45.29%), with further jumps in May (46.35%) and June (48.03%), which is comparable to Q4 2020.

Source of spam by country

The TOP 10 spam-source countries remained virtually unchanged from the first quarter. Russia (26.07%) is still in first place, its share having increased by 3.6 p.p., followed by Germany (13.97%) and the US (11.24%), whose contribution to the global flow of spam decreased slightly. China (7.78%) remains in fourth position.

Source of spam by country, Q2 2021 (download)

The Netherlands (4.52%), France (3.48%) and Spain (2.98%) held on to fifth, sixth and seventh, respectively. Only the last three positions in the TOP 10 experienced a slight reshuffle: Poland (1.69%) dropped out of the ranking, falling to 11th place, while Japan (2.53%) moved up to eighth. Brazil (2.27%) remained in ninth spot, while the last line in the ranking was claimed by India (1.70%).

Malicious mail attachments

Mail Anti-Virus blocked 34,224,215 malicious attachments in Q2, almost 4 million fewer than in the first three months of 2021.

Number of Mail Anti-Virus triggerings, Q1 and Q2 2021 (download)

Peak malicious activity came in June, when Kaspersky solutions blocked more than 12 million attachments, while May was the quietest with only 10.4 million.

Malware families

In Q2, Trojans from the Badun family (7.09%) were the most common malicious attachments in spam, their share having increased by 1.3 p.p. These malicious programs, disguised as electronic documents, are often distributed in archives. In contrast, Agensla Trojans (6.65%), which specialize in stealing credentials, shed 2.26 p.p. and dropped to second place. The Taskun family (4.25%), which exploits Windows Task Scheduler, rounds out the TOP 3. These Trojans, like Badun, are gaining popularity.

TOP 10 malware families in mail traffic, Q2 2021 (download)

Exploits for CVE-2017-11882 (4.07%), an Equation Editor vulnerability popular with cybercriminals, gave ground and dropped to fourth place. Next come malicious ISO disk images (3.29%). Sixth and eighth places were occupied by Noon spyware Trojans: one variant that infects any version of Windows (2.66%) and another that infects only 32-bit versions (2.47%). Androm backdoors (2.55%) lie in seventh position, while the TOP 10 is rounded out by malicious documents in the SAgent (2.42%) and Agent (2.11%) families.

TOP 10 malicious attachments, Q2 2021

The TOP 10 attachments in spam differs only slightly from the ranking of malware families. The most widespread representative of the Agent family fell short of the TOP 10, but the ranking did find room for a Trojan from the Crypt family (2.06%), which includes heavily obfuscated and encrypted programs.

Countries targeted by malicious mailings

More than anywhere else, Kaspersky solutions blocked malicious attachments on user devices in Spain (9.28%). The share of this country grew slightly against Q1 2021, adding 0.54 p.p. Second place was retained by Italy (6.38%), despite losing 1.21 p.p. Germany (5.26%) and Russia (5.82%) swapped places in Q2, while the UAE (5.36%) remained fourth, its share practically unchanged.

Countries targeted by malicious spam, Q2 2021

Further down in the Top 10 countries by number of users who came across malicious attachments in Q2 2021 are Vietnam (4.71%), Mexico (4.23%), Turkey (3.43%), Brazil (2.91%) and Malaysia (2.53%).

Statistics: phishing

In phishing terms, Q2 2021 was fairly uneventful. The Anti-Phishing system detected and blocked 50,398,193 attempted redirects, with only 3.87% of our users encountering such phishing links.

Geography of phishing attacks

Looking at the share of users by country on whose devices the Anti-Phishing system was triggered, we see that Brazil (6.67%), which lost first place last quarter, is back at the top. It was not far ahead of Israel (6.55%) and France (6.46%), which topped the Q1 list.

Geography of phishing attacks, Q2 2021

Top-level domains

The traditional leader among top-level domain zones used by cybercriminals to post phishing pages is COM (31.67%). The ORG domain (8.79%) moved up to second place, pushing XYZ (8.51%) into third.

Top-level domain zones most commonly used for phishing, Q2 2021

The fourth most popular domain zone among cybercriminals in Q2 was China’s CN (3.77%), followed by NET (3.53%). Russia’s RU (2.98%) dropped to sixth place, and Tokelau’s TK (1.65%) to eighth. Note also the cybercriminals’ preference for international domain zones (six of the ten lines in this quarter’s ranking).

Organizations under attack

The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.

For the first time since the start of the pandemic, online stores (19.54%) vacated the first line in the ranking of organizations most often used by cybercriminals as bait. Global internet portals (20.85%) stepped in as this quarter’s leader. Moreover, the share of both categories increased relative to Q1: by 3.77 and 5.35 p.p., respectively. Third place belongs to banks (13.82%), which gained 3.78 p.p. in Q2.

Distribution of organizations whose users were targeted by phishers, by category, Q2 2021

Overall, the list of the most popular organization categories among cybercriminals remained practically unchanged since the previous quarter, except that the shares of instant messengers (6.27%) and social networks (7.26%) almost drew level, and phishers preferred financial services (2.09%) to IT companies (1.68%).

Conclusion

In Q2, as we expected, cybercriminals continued to hunt for corporate account credentials and exploit the COVID-19 theme. A curious takeaway was the spike in investment-related activity. On the whole, however, the quarter did not deliver any surprises.

As for Q3 forecasts, the share of cyberattacks on the corporate sector is likely to stay the same. This is because remote working has established a firm foothold in the labor market. Also, the COVID-19 topic is unlikely to disappear from spam. And if the current crop of vaccination and compensation scams weren’t enough, fraudsters could start utilizing newly identified strains of the virus to add variety and nowness to their schemes. What’s more, during the vacation season, pandemic or not, we expect an increase in demand for intercity and international travel; as a result, the risk of encountering fake websites when buying tickets or booking accommodation will rise. Lastly, we will likely see waves of tourist-targeted attacks during major sporting occasions, such as the Olympic Games in Japan. Such events are always accompanied by thematic spam.

Spam and phishing in Q1 2021 (https://securelist.com/spam-and-phishing-in-q1-2021/102018/, Mon, 03 May 2021)

Quarterly highlights

Banking phishing: new version of an old scheme

In Q1 2021, new banking scams appeared alongside more traditional ones. Clients of several Dutch banks faced a phishing attack using QR codes. The fraudsters invited the victim to scan a QR code in an email, ostensibly to unblock mobile banking. In actual fact, scanning the code resulted in a data leak or money theft, or in device infection if the code contained a link to a web page with malware.

To lure users to their sites, phishers exploited the COVID-19 topic. In particular, in a newsletter purporting to be from the MKB bank, recipients were asked to catch up on the latest news about the pandemic and measures taken by the bank. The link pointed to a fake Outlook authorization page.

This past year, cybercriminals have actively exploited the topic of government payouts, most often in relation to damage caused by the pandemic. In Q1 2021, scammers imitating bank emails began to focus on compensation. The links in their messages took the victim to well-designed phishing pages with official emblems, business language and references to relevant laws. The attacks were mostly aimed at stealing bank card details and personal data.

However, users of specific banks were also targeted. In this case, the focus was on copying the external attributes of the bank’s website to create a near-indistinguishable phishing version.

Vaccine with cyberthreat

COVID-19 vaccination was one of the hottest global topics, and hence highly attractive to scammers. Cybercriminals took advantage of people’s desire to get vaccinated as quickly as possible. For instance, some UK residents received an email that appeared to come from the country’s National Health Service. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link.

In another mailing, the attackers focused on age — people over 65 were asked to contact a clinic to receive a vaccine.

In both cases, to make a vaccination appointment, a form had to be filled out with personal data; and in the first case, the phishers also wanted bank card details. If the victim followed all the instructions on the fake website, they handed their money and personal data to the attackers.

Another way to gain access to users’ personal data and purse strings was through fake vaccination surveys. Scammers sent out emails in the name of large pharmaceutical companies producing COVID-19 vaccines, or of certain individuals. The message invited the recipient to take part in a short survey.

Participants were promised a gift or cash reward for their help. After answering the questions, the victim was redirected to a page with the “gift.”

Having consented to receive the prize, the user was asked to fill out a detailed form with personal information. In some cases, the attackers also asked for payment of a token amount for delivery. However, if the victim went ahead and entered their bank card details, the amount charged was several times higher. Needless to say, no gift materialized.

The vaccination topic could hardly be ignored by spammers offering services on behalf of Chinese manufacturers. The emails mentioned lots of products related to diagnosis and treatment of the virus, but the emphasis was on the sale of vaccination syringes.

Such offers may look very favorable, but the likelihood of a successful deal is zero. Most if not all of the time, the “business partners” simply vanish into thin air after receiving the agreed prepayment.

Corporate segment: on-the-job fraud

Corporate usernames and passwords remain a coveted prize for scammers. To counter people’s increasingly wary attitude to emails from outside, attackers try to give their mailings a respectable look, disguising them as messages from business tools and services. By blending into the workflow, the scammers calculate that the user will be persuaded to follow the link and enter data on a fake page. For example, a “notification” from Microsoft Planner invited the user to review their tasks for the coming month. The link redirected them to a phishing page requesting their Microsoft account credentials.

In the Runet (Russian internet), we found an email seemingly from the support department of an analytics portal. The messages talked about recent updates and suggested checking the availability of the resource. The link also required entering corporate account credentials.

Old techniques, such as creating a unique fake page using JavaScript, were combined in Q1 with overtly business-themed phishing emails. If previously scammers used common, but not always business-oriented, services as bait, the new batch of emails cited an urgent document awaiting approval or a contract in need of review.

Every little bit helps

Since the end of last year, we have observed fraudulent emails and fake pages urging users to pay a small sum for certain services. The payment indicated in the fake email was often so tiny that the potential victim could ignore the risks. For example, in one of the emails below, the cybercriminals ask for just 1.99 rubles (US$0.027). The calculation was simple: users would be less averse to paying a small amount than a larger one, which means more potential victims willing to enter card details on the bogus site. To make the emails more convincing, they imitated commonly used services. For example, delivery services — messages from which are often faked — led the field. The potential victim was asked to pay for customs clearance or package delivery. However, the scammers did not fake the courier service emails very well: they were readily given away by the address in the From field or by the invalid tracking number indicated in the email.

Besides delivery, scammers found other reasons for mailing out “invoices.” In particular, fake notifications about payment for domain usage or even an expired WhatsApp subscription did the rounds. In the latter case, the very mention of a paid subscription should sound an alarm, since even the business version of WhatsApp is free.

Although the scammers asked for a token payment in the email, in reality, if successful, they siphoned off far more than that from the victims’ account, and swiped their bank card details. This danger is ever-present when entering data on dubious websites.
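The two giveaways named above, a courier brand in the display name with a sender domain that does not belong to it, and a request for a token payment, can be checked mechanically at the mail gateway. The following triage script is an added example, not Securelist's code; the sample messages, the brand-to-domain allowlist and the 5-unit micro-payment threshold are constructed assumptions for the demonstration.

```python
"""Flag courier-themed emails whose From address does not belong to the
brand in the display name, and emails asking for a tiny payment."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample resembling the fake delivery notices described above.
SAMPLE_EML = """\
From: "DHL Express" <notice@dhl-parcel-support.example>
To: victim@example.org
Subject: Parcel on hold: pay 1.99 for customs clearance

Your shipment is awaiting customs clearance. Pay 1.99 at the link below.
"""

# Constructed benign sample for comparison.
LEGIT_EML = """\
From: "DHL Express" <noreply@dhl.com>
To: victim@example.org
Subject: Your shipment has been delivered

Thank you for shipping with DHL.
"""

# Brand -> registrable domains it legitimately mails from.
# Assumption for the example; a real deployment maintains its own allowlist.
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de"},
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
}

# Amounts below this are treated as "token" payments (assumed threshold).
MICRO_PAYMENT_LIMIT = 5.0
AMOUNT_RE = re.compile(r"\b\d{1,3}[.,]\d{2}\b")


def registrable_domain(host):
    """Last two labels of a hostname (naive; real code should use the PSL)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def body_text(msg):
    """Plain-text body of a parsed message, or '' if none."""
    if msg.is_multipart():
        part = msg.get_body(preferencelist=("plain",))
        return part.get_content() if part else ""
    return msg.get_payload()


def spoofed_brand(msg):
    """Return the brand name if From names a courier but the domain is not its own."""
    display, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, legit in BRAND_DOMAINS.items():
        named = re.search(rf"\b{brand}\b", display, re.I) is not None
        if (named or brand in domain) and registrable_domain(domain) not in legit:
            return brand
    return None


def micro_payment_requested(msg):
    """True if subject or body mentions an amount below MICRO_PAYMENT_LIMIT."""
    text = str(msg["Subject"] or "") + "\n" + body_text(msg)
    amounts = [float(a.replace(",", ".")) for a in AMOUNT_RE.findall(text)]
    return any(a < MICRO_PAYMENT_LIMIT for a in amounts)


def analyze(raw):
    """Return a list of finding labels for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    brand = spoofed_brand(msg)
    if brand:
        findings.append(f"brand_domain_mismatch:{brand}")
    if micro_payment_requested(msg):
        findings.append("micro_payment_request")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("legit", LEGIT_EML)):
        print(label, analyze(raw))
```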

Intrigue: emails from strangers

In March, we identified a targeted mailing to the addresses of an educational institution. The email reported a hack of the database of the school’s partner company, which resulted in the intruders getting their hands on the personal data of students and employees. The company refused to pay the ransom, so now the school administration must prepare for the worst: the data might find its way onto the darknet, and from there to even worse criminals, who could use it to enter the school building under the guise of an employee. To convince the school leaders of the reality of the looming threat, the email authors advised clicking the provided link and viewing a portion of the stolen database. The link led to a site in the .onion domain, which can only be opened using the Tor browser. Behind the link was a C&C server that was accessed by malware (various ransomware, including Trojan-Banker.Win32.Danabot). A link to this resource was also contained in ransom messages from the attackers, and in some cases malware was downloaded from it. If a curious employee visited this resource, they risked launching the ransomware in the school’s network or facing a demand to pay the ransom on behalf of the partner company.

Cybercriminals adopted an interesting tactic to attack Facebook users. The potential victim received an email saying that their account had violated the social network’s terms of use. To avoid the account being deleted, the scammers advised the recipient to follow the link and lodge an appeal. At the same time, the window for doing so was very short so as to hurry the victim into acting quickly without scrutinizing the message. The email would have been no different from any other aimed at stealing Facebook credentials, but for one nuance: the link in the message pointed to an actual Facebook page.

Resembling an official notice, the page stated that an erroneous decision to block an account could be disputed by following the link provided. In reality, it was a note in a Facebook user’s profile, which the sharp-eyed user could have discerned from the word “notes” in the address. Clicking the link in the note took the victim straight to a phishing site. The attackers’ calculation was simple: first lull the victim’s vigilance with a legitimate link, then get them to enter their credentials on a fake page.

Statistics: spam

Proportion of spam in mail traffic

In Q1 2021, the share of spam in global mail traffic continued to decline and averaged 45.67%, down 2.11 p.p. against Q4 2020 (47.78%).

Proportion of spam in global email traffic, Q4 2020 and Q1 2021

The highest percentage of junk mail was recorded in January (46.12%). This is 0.71 p.p. less than the lowest figure in 2020 (46.83%). The calmest month was March, in which spam accounted for only 45.10% of all emails.

In the Runet, the average share of spam was also lower than in Q4: 48.56% versus 50.25%. As was generally the case worldwide, the most turbulent month of the reporting period was January (49.76%), and the quietest was March (47.17%). In contrast to the global picture, January’s share of spam in the Runet was 1.30 p.p. higher than December’s (49.76% versus 48.46%).

Proportion of spam in Runet mail traffic, Q4 2020 and Q1 2021

Sources of spam by country

In 2020, Russia and Germany led the pack by volume of outgoing spam. In Q1 2021, they remained out in front: Russia accounted for 22.47% of spam, and Germany’s share was 14.89%. Third place went to the US (12.98%), and fourth to China (7.38%).

Sources of spam by country, Q1 2021

The Netherlands (4.18%) ranked fifth, followed by France (3.69%) and Spain (3.39%). Poland (2.39%), Brazil (2.37%) and Japan (2.23%) round out the Top 10.

Malicious mail attachments

In Q1 2021, Kaspersky solutions detected 38,195,315 malicious mail attachments. This is almost 3 million fewer than in the last three months of 2020. That said, the number of attachments blocked by Mail Anti-Virus grew during the quarter.

Number of Mail Anti-Virus triggerings, Q4 2020 and Q1 2021

Malware families

The most common Trojans detected by our solutions in mail attachments came from the Agensla family (8.91%). These malicious programs specialize in stealing credentials from browsers, as well as from mail and FTP clients. In second place came exploits for the CVE-2017-11882 vulnerability in the Microsoft Equation Editor component, which were detected in 6.38% of cases. Third position this time was taken by Trojans from the Badun family (5.79%). Malicious programs disguised as e-documents are detected with this verdict. Malware from the Badun family most often spreads through archives.

Top 10 malware families in mail traffic, Q1 2021

Fourth place went to SAgent (4.98%) — documents containing a VBA script that runs PowerShell to covertly download other malware. The fifth- and sixth-placed families are Taskun (3.79%) — programs that create malicious tasks in Windows Task Scheduler, and ISO (3.69%) — malicious disk images distributed by email. In seventh place is the Noon spyware (2.41%), which steals passwords from browsers and reads keystrokes. In eighth is the Crypt family (2.16%), which consists of highly obfuscated or encrypted software. The Top 10 is rounded out by Androm backdoors (2.05%) and worms coded in Visual Basic (1.66%).

Top 10 malicious attachments, Q1 2021

The Top 10 most common malicious attachments in Q4 corresponds exactly to the ranking of families. This suggests that each of the above-described families was widespread largely due to one member.

Countries targeted by malicious mailings

Our solutions registered the largest number of attempts to open malicious attachments in Spain (8.74%). This country was the top malicious mailing target throughout 2020, and held on to first place in this reporting quarter. Italy (7.59%) moved up to second place, and third place went to Germany (5.84%).

Countries targeted by malicious mailings, Q1 2021

In fourth position in Q1 was the UAE (5.25%), with Russia (4.88%) closing out the Top 5.

Statistics: phishing

In Q1 2021, our Anti-Phishing system prevented 79,608,185 attempted redirects to fraudulent websites. 5.87% of Kaspersky users encountered phishing, and 695,167 new masks were added to the anti-phishing databases.

Geography of phishing attacks

This quarter, phishing attacks affected a relatively small proportion of our users, both overall and in specific countries. The leader was France, where 9.89% of all users of Kaspersky solutions tried to follow a fraudulent link at least once during the reporting period.

Distribution of phishing attacks by country, Q1 2021

Israel placed second and Hungary third, where 8.45% and 8.27% of users, respectively, encountered phishing pages. Meanwhile, Brazil (7.94%), which topped the rating in 2020, only managed ninth position in Q1.

Top-level domains

As usual, the largest share of phishing sites that users attempted to visit in the period January–March 2021 were located in the .com domain zone (32.80%). The second most popular domain among scammers this time around was .xyz (11.38%). Bronze goes to the .tk domain zone (3.24%), belonging to the Tokelau Islands, a dependent territory of New Zealand, in the Pacific Ocean. Tokelau domains are cheap to rent, and so popular with phishers.

Top-level domain zones most commonly used for phishing, Q1 2021

Also prevalent this quarter were phishing sites that were not assigned domain names (2.78%). Such resources were the fourth most popular. In fifth spot, just 0.01 p.p. behind, was the Russian domain .ru (2.77%).

Organizations under attack

The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.

The Top 10 organizations used by phishers as bait remained practically unchanged in Q1 relative to 2020. Online stores (15.77%) still lead the way, followed by global internet portals (15.50%) and banks (10.04%). Fraudsters’ continued targeting of users of electronic trading platforms is explained by the pandemic-related restrictions that remained in force in many countries this quarter.

Distribution of organizations targeted by phishers, by category, Q1 2021

Conclusion

In Q1 2021, we largely saw a continuation of the 2020 trends. Cybercriminals are still actively using the COVID-19 theme to entice potential victims. And as coronavirus vaccination programs have been rolled out, spammers have adopted it as bait. Corporate account hunters continue to hone their techniques to make their emails as convincing as possible. Meanwhile, phishers who prey on personal accounts are still actively spoofing the websites of online stores, which have risen in popularity due to the pandemic.

Attackers will likely carry on exploiting the COVID-19 vaccination topic in Q2. Moreover, we can expect new fraudulent schemes to emerge. Scams related to compensation for damages caused to individuals and companies worldwide will not go away any time soon either, and Q2 may see an associated rise in the number of fraudulent schemes offering payments from governments or other bodies. As the summer season approaches, an increase in the number of emails related to tourism is possible; however, due to the pandemic, it is likely to be small. On the other hand, cybercriminals will almost certainly continue to actively hunt corporate account credentials, exploiting the fact that many companies are still in remote working mode and communication among employees is predominantly online.

Spam and phishing in 2020 (https://securelist.com/spam-and-phishing-in-2020/100512/, Mon, 15 Feb 2021)

Figures of the year

In 2020:

  • The share of spam in email traffic amounted to 50.37%, down by 6.14 p.p. from 2019.
  • Most spam (21.27%) originated in Russia.
  • Kaspersky solutions detected a total of 184,435,643 malicious attachments.
  • The email antivirus was triggered most frequently by email messages containing members of the Trojan.Win32.Agentb malware family.
  • The Kaspersky Anti-Phishing component blocked 434,898,635 attempts at accessing scam sites.
  • The most frequent targets of phishing attacks were online stores (18.12%).

Contact us to lose your money or account!

In their email campaigns, scammers who imitated major companies, such as Amazon, PayPal, Microsoft, etc., increasingly tried to get users to contact them. Various pretexts were given for requesting the user to get in touch with “support”: order confirmation, resolving technical issues, cancellation of a suspicious transaction, etc. All of these messages had one thing in common: the user was requested to call a support number stated in the email. Most legitimate messages give recipients constant warnings of the dangers of opening links that arrive by email. An offer to call back was supposed to put the addressees off their guard. Toll-free numbers were intended to add further credibility, as the support services of large companies often use these. The scammers likely expected their targets to use the provided phone number to get help instantly in a critical situation, rather than to look for a contact number or wait for a written response from support.

The contact phone trick was heavily used both in email messages and on phishing pages. The scammers were simply betting on the visitor to turn their attention to the number and unsettling warning message against the red background, rather than the address bar of the fake website.

We assume that those who called the numbers were asked to provide the login and password for the service that the scammers were imitating, or to pay for some diagnostics and troubleshooting services.

Reputation, bitcoins or your life?

In 2020, Bitcoin blackmailers stuck to their old scheme, demanding that their victims transfer money to a certain account and threatening adversity for failure to meet their demands. Threats made by extortionists grew in diversity. In most cases, scammers, as before, claimed to have used spyware to film the blackmail victim watching adult videos. In a reflection of the current trends for online videoconferencing, some email campaigns claimed to have spied on their victims with the help of Zoom. This year, too, blackmailers began to take advantage of news sensations to add substance to their threats. This is very similar to the techniques of “Nigerian” scammers, who pose as real political figures or their relatives, offering tons of money, or otherwise link their messages with concurrent global events. In the case of bitcoin blackmail, the media component was supposed to be a strong argument in the eyes of the victim for paying the ransom without delay, so cybercriminals cited the example of media personalities whose reputation suffered because of an explicit video being published.

This year, we have seen threats made against companies, too. A company was told to transfer a certain amount to a Bitcoin wallet to prevent a DDoS attack that the cybercriminals threatened to unleash upon it. They promised to provide a demonstration to prove that their threats were real: no one would be able to use the services, websites or email of the company under attack for thirty minutes. Interestingly, the cybercriminals did not limit their threats to DDoS. As with blackmail aimed at individuals, they promised to damage the company’s reputation even more, should it fail to pay up, by stealing confidential information, specifically, its business data. The attackers introduced themselves as well-known APT groups to add weight to their threats. For example, in the screenshot below, they call themselves Venomous Bear, also known as Waterbug or Turla.

The senders of an email that talked about a bomb planted in a company’s offices went much further with their threats. The amount demanded by the blackmailers was much larger than in previous messages: $20,000. To make their threats sound convincing enough, the cybercriminals provided details of the “attack”: an intention to detonate the bomb if the police intervened, the substance used, the explosive yield and plans to threaten other blackmail victims with the explosion.

Attacks on the corporate sector

Theft of work accounts and infection of office computers with malware in targeted attacks were the main risks that companies faced this year. Messages that imitated business email or notifications from major services offered to view a linked document or attached HTML page. Viewing the file required entering the password to the recipient’s corporate email account.

Reasons given for asking users to open a link or attachment could be varied: a need to install an update, unread mail, quarantined mail or unread chat messages. The cybercriminals created web pages that were designed to look like they belonged to the company under attack. URL parameters including the corporate email address were pushed to the fake page with the help of JavaScript. This resulted in the user seeing a unique page with a pre-entered email address and a design generated to imitate the company’s corporate style. The appearance of that page could lull the potential victim into a false sense of security, as all they needed to do was enter their password.
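A link that carries the recipient's own corporate address in its query string or fragment, whether plain, URL-encoded or base64-encoded, is a useful gateway signal for the pre-filled pages described above. The following scanner is an added example and not Securelist's code; the sample links and the organization domain corp.example are constructed for the demonstration.

```python
"""Find links whose query string or fragment embeds an email address
belonging to the organization, the way pre-filled phishing pages take it."""
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample links; the second fragment is base64("j.doe@corp.example").
SAMPLE_LINKS = [
    "https://docs-review.example/login.php?user=j.doe%40corp.example",
    "https://secure-mail.example/#ai5kb2VAY29ycC5leGFtcGxl",
    "https://www.example.org/about",
]


def maybe_base64(text):
    """Decode text as base64 if it is valid base64 UTF-8; otherwise None."""
    if not text:
        return None
    try:
        padded = text + "=" * (-len(text) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def embedded_emails(url):
    """Return sorted, lower-cased email addresses found in query or fragment."""
    parts = urlsplit(url)
    candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    fragment = unquote(parts.fragment)
    candidates.append(fragment)  # whole fragment, e.g. "#<base64>"
    candidates.extend(v for _, v in parse_qsl(fragment, keep_blank_values=True))
    found = set()
    for cand in candidates:
        for text in (cand, maybe_base64(cand)):
            if text:
                found.update(m.lower() for m in EMAIL_RE.findall(text))
    return sorted(found)


def triage_links(urls, org_domain):
    """Return (url, [addresses]) for links carrying an org_domain address."""
    suffix = "@" + org_domain.lower()
    hits = []
    for url in urls:
        addresses = [e for e in embedded_emails(url) if e.endswith(suffix)]
        if addresses:
            hits.append((url, addresses))
    return hits


if __name__ == "__main__":
    for url, addresses in triage_links(SAMPLE_LINKS, "corp.example"):
        print("suspicious link:", url, "carries", addresses)
```

Links whose host is not in the organization's own domains and that still carry one of its addresses are the ones worth holding for review; a benign link to an internal portal may legitimately include the user's address.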

During this type of attack, scammers began to make broader use of “voice messaging”. The appearance of the messages imitated business email.

The link could lead directly to a phishing site, but there also was a more complex scenario, in which the linked page looked like an audio player. When the recipient tried playing the file, they were asked to enter the credentials for their corporate mailbox.

Demand for online videoconferencing amid remote work led to a surge in fake online meeting invitations. A significant distinctive feature, which should have alarmed the recipients of the fake invitations, was the details that the page was asking them to enter in order to join the meeting. To access a real Zoom meeting, you need to know the meeting ID and password. The fake videoconference links opened fake Microsoft and WeTransfer pages, which contained fields for entering the login and password for a work account.

Messengers targeted

Scammers who were spreading their chain mail via social networks and instant messaging applications began to favor the latter. Message recipients, mostly in WhatsApp, were promised a discount or prize if they opened a link sent to them. The phishing web page contained a tempting message about a money prize, award or other, equally desirable, surprises.

The recipient had to fulfill two conditions: answer a few simple questions or fill out a questionnaire, and forward the message to a certain number of their contacts. Thus, the victim turned into a link in the spam chain, while subsequent messages were sent from a trusted address, thus avoiding anti-spam filters.

Besides that, a message from someone that the recipient knew would have much more credibility. Thus, the chain continued to grow, and the scammers went on enriching themselves. After all, even if the victim did fulfill the conditions, getting that promised prize proved not so simple, as the “lucky” recipient was urged to pay bank commission.

COVID-19

“Public relief” by spammers

Many governments did their best to help citizens during the pandemic. That initiative, together with the fact that people on the whole were willing to get payouts, became a theme for spam campaigns. Both individuals and companies were exposed to the risk of being affected by cybercriminals’ schemes.

Messages offering financial aid to businesses hurt by the pandemic or to underprivileged groups could crop up in social media feeds or arrive through instant messaging networks. The main requirement for getting the funds was filling out a detailed personal questionnaire. Those who took the step found that a small commission was required as well. Real government payouts these days are made through public portals that also serve other purposes and do not require additional registration, questionnaires or commissions.

Cybercriminals who offered tax deductions to companies employed a similar scheme. As in the examples above, the reason provided for the easing of tax policy was the pandemic, and in particular, anticipation of a second wave of COVID-19.

However, offers of tax deductions and compensations were hiding not just the danger of losing money but losing one’s account to the scammers, too, as many of the messages contained phishing links.

Email campaigns that promised compensation could also threaten computer security. Messages in Turkish, just as those mentioned earlier, offered a payout from Turkey’s Ministry of Health – not always mentioned by name – but getting the money required downloading and installing an APK file on the recipient’s smartphone. The attack was targeting Android users, and the downloadable application contained a copy of the Trojan-Dropper.AndroidOS.Hqwar.cf.

A fear of being infected with a new virus and a desire to know as much as possible about it could prompt recipients to review the email and open the links that it contained, as long as the message had been sent by a well-known organization. Fake letters from the WHO purporting to contain the latest safety advice were distributed in a variety of languages. The attachment contained files with various extensions. When the recipient tried to open these, malware was loaded onto the computer. In the message written in English, the attackers spread the Backdoor.Win32.Androm.tvmf, and in the one written in Italian, the Trojan-Downloader.MSOffice.Agent.gen.

Viral postal services

COVID-19 was also mentioned in fake email messages that mimicked notifications from delivery services. The sender said that there was a problem with delivering an order due to the pandemic, so the recipient needed to print out the attachment and take it to the nearest DHL office. The attached file contained a copy of the HEUR:Trojan.Java.Agent.gen.

The corporate sector

Spam that targeted companies also exploited the COVID-19 theme, but the cybercriminals occasionally relied on different kinds of tricks. For example, one of the emails stated that technical support had created a special alert system to minimize the risk of a new virus infection. All employees were required to log in to this system using their corporate account credentials and review their schedules and tasks. The link opened a phishing page disguised as the Outlook web interface.

In another instance, scammers were sending copies of HEUR:Trojan-PSW.MSIL.Agensla.gen as an email attachment. The scammers explained that the recipient needed to open the attached file because the previous employee, who was supposed to send the “documentation”, had quit over COVID-19, and the papers had to be processed within three days.

“Nigerian” crooks making money from the pandemic

Email from “Nigerian” scammers and fake notifications of surprise lottery winnings regularly tapped the pandemic theme. The message in Korean shown below says that the recipient’s email address had been selected randomly by some center in Istanbul for a coronavirus-related emergency payout. Such surprise notices of winnings and compensations were generally sent out in a variety of languages. Messages from some lucky individuals who had won a huge sum and wished to support their fellow creatures in the difficult times of the pandemic were another variation on the “Nigerian” scam.

Where messages were signed as being from a lawyer trying to find a new owner for no-man’s capital, the sender emphasized that the late owner of the fortune had died of COVID-19.

An unusual turn of events

Regular “Nigerian” scam email is easy to recognize: it talks about millionaires or their relatives trying to inherit a huge fortune or bequeath it to someone who bears the same last name. The public seems to have become so accustomed to that type of junk mail that it has ceased to react, so cybercriminals have come up with a new cover story. To avoid being found out right away, they refrain from mentioning astronomical sums of money, instead posing as a mother from Russia who is asking for help with her daughter’s effort to collect postcards from around the world. The key point of these messages is to get the potential victim to reply: the “mother’s” request sounds absolutely innocent and easy to fulfil, so it can resonate with recipients. If the victim agrees to send a postcard, they are in for a lengthy email exchange with the scammers, who will offer them a share of a large sum of money in return for a small upfront fee.

“Nigerian” scammers are not the only ones that have been getting creative. Spammers who sent out their messages through website feedback forms employed yet another unusual trick. The messages were signed as being from an outraged graphic artist or photographer, their names changing with each new message. The sender insisted that the website contained their works and thus violated their copyright, and demanded that the content be taken down immediately, threatening legal action.

The deadline for meeting the demand was quite tight, as the scammers needed the victim to open the link as soon as possible, while pondering the consequences of that action as little as possible. A law-abiding site owner was likely to do just that. This is confirmed by related discussions in various blogs, with users reporting that they immediately tried checking what photographs they had “stolen”. The links were not functional at the time the “complaints” were discovered, but in all likelihood, they had previously led to malicious files or phishing programs.

Statistics: spam

Proportion of spam in email traffic

The share of spam in global email traffic in 2020 was down by 6.14 p.p. when compared to the previous reporting period, averaging 50.37%.

[Figure: Proportion of spam in global email traffic, 2020]

The percentage of junk mail gradually decreased over the year, with the highest figure (55.76%) recorded in January and the lowest (46.83%), in December. This may be due to the universal transition to remote work and a resulting increase in legitimate email traffic.

Sources of spam by country

The group of ten countries where the largest volumes of spam originated changed noticeably in 2020. The United States and China, which had occupied first and second places (10.47% and 6.21%, respectively) for the previous three years, dropped to third and fourth. The “leader” was Russia, which was the source of 21.27% of all spam email in 2020. It was followed by Germany (10.97%), which was just 0.5 percentage points ahead of the United States.

[Figure: Sources of spam by country in 2020]

France gained 2.97 p.p. compared to 2019, remaining fifth with 5.97%, while Brazil lost 1.76 p.p. and sank to seventh place with 3.26%. The other countries in last year’s “top ten” (India, Vietnam, Turkey and Singapore) dropped out, giving way to the Netherlands (4.00%), which jumped to sixth place, Spain (2.66%), Japan (2.14%) and Poland (2.05%).

Malicious email attachments

[Figure: Attacks blocked by the email antivirus in 2020]

In 2020, our solutions detected 184,435,643 dangerous email attachments. The peak in malicious activity, 18,846,878 email attacks blocked, fell on March, while December was the quietest month, with 11,971,944 malicious attachments, as it was in 2019.

Malware families

[Figure: TOP 10 malware families in 2020]

Members of the Trojan.Win32.Agentb family were the most frequent (7.75%) malware spread by spammers. The family includes backdoors, capable of disrupting the functioning of a computer, and copying, modifying, locking or deleting data. The Trojan-PSW.MSIL.Agensla family was second with 7.70%. It includes malware that steals data stored by the browser, as well as credentials for FTP and email accounts.

Equation Editor vulnerability exploits, Exploit.MSOffice.CVE-2017-11882, dropped to third place with 6.55 percent. This family had topped the ranking of malware spread through spam in the previous two years.

Trojan.MSOffice.SAgent malicious documents dropped from second to fourth place with 3.41%. These contain a VBA script, which runs PowerShell to download other malware secretly.

In fifth place, with 2.66%, were Backdoor.Win32.Androm modular backdoors, which, too, are frequently utilized for delivering other malware to an infected system. These were followed by the Trojan.Win32.Badun family, with 2.34%. The Worm.Win32.WBVB worms, with 2.16%, were seventh. Two families, in eighth and ninth place, contain malware that carefully evades detection and analysis: Trojan.Win32.Kryptik trojans, with 2.02%, use obfuscation, anti-emulation and anti-debugging techniques, while Trojan.MSIL.Crypt trojans, with 1.91%, are heavily obfuscated or encrypted. The Trojan.Win32.ISO family, with 1.53%, rounds out the rankings.

[Figure: TOP 10 malicious email attachments in 2020]

The rankings of malicious attachments largely resemble those of malware families, but there are several subtle differences. Thus, our solutions detected the exploit that targeted the CVE-2017-11882 vulnerability more frequently (6.53%) than the most common member of the Agensla family (6.47%). The WBVB worm, with 1.93%, and the Kryptik trojan, with 1.97%, switched positions, too. Androm-family backdoors missed the “top ten” entirely, but the Trojan-Spy.MSIL.Noon.gen, with 1.36%, which was not represented in the families rankings, was tenth.

Countries targeted by malicious mailshots

Spain was the main target for malicious email campaigns in 2020, its share increasing by 5.03 p.p. to reach 8.48%. As a result of this, Germany, which had topped the rankings since 2015, dropped to second place with 7.28% and Russia, with 6.29%, to third.

[Figure: Countries targeted by malicious mailshots in 2020]

Italy’s share (5.45%) fell slightly, but that country remained in fourth place. Vietnam, which had previously rounded out the top three, dropped to fifth place with 5.20%, and the United Arab Emirates, with 4.46%, to sixth. Mexico, with 3.34%, rose from ninth to seventh place, followed by Brazil, with 3.33%. Turkey, with 2.91%, and Malaysia, with 2.46%, rounded out the rankings, while India, 2.34%, landed in eleventh place last year.

Statistics: phishing

In 2020, Anti-Phishing was able to block 434,898,635 attempts at redirecting users to phishing web pages. That is 32,289,484 fewer attempts than in 2019. A total of 13.21% of Kaspersky users were attacked worldwide, with 6,700,797 masks describing new phishing websites added to the system database.

Attack geography

In 2020, Brazil regained its leadership by number of Anti-Phishing detections, with 19.94% of users trying to open phishing links at least once.

[Figure: Geography of phishing attacks in 2020]

TOP 10 countries by number of attacked users

The countries with the largest numbers of attempts at opening phishing websites in 2018 “topped the rankings” again in 2020: Brazil, with 19.94%, in first place, and Portugal, with 19.73%, in second place. Both countries’ indicators dropped remarkably from 2019, Brazil “losing” 10.32 p.p. and Portugal, 5.9 p.p. France, which had not been seen among the ten “leaders” since 2015, was in third place with 17.90%.

Venezuela, last year’s “leader”, had the largest numbers in the first two quarters of 2020, but came out eighth overall, the share of attacked users in that country decreasing by 14.32 p.p. to 16.84%.

Country          Share of attacked users (%)*
Brazil           19.94
Portugal         19.73
France           17.90
Tunisia          17.62
French Guiana    17.60
Qatar            17.35
Cameroon         17.32
Venezuela        16.84
Nepal            16.72
Australia        16.59

* Share of users on whose devices Anti-Phishing was triggered out of all Kaspersky users in the country in 2020

Top-level domains

Most scam websites, 24.36% of the total number, had a .com domain name extension last year. Websites with a .ru extension were 22.24 p.p. behind with 2.12%. All other top-level domains in the “top ten” are various country-code TLDs: the Brazilian .com.br with 1.31% in third place, with Germany’s .de (1.23%) and Great Britain’s .co.uk (1.20%) in fourth and fifth places, respectively. In sixth place was the Indian domain extension .in, with 1.10%, followed by France’s .fr with 1.08%, and Italy’s .it with 1.06%. Rounding out the rankings were the Dutch .nl, with 1.03%, and the Australian .com.au, with 1.02%.

[Figure: Most frequent top-level domains for phishing pages in 2020]

Organizations under attack

The rating of attacks by phishers on different organizations is based on detections by Kaspersky Lab’s Anti-Phishing deterministic component. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.

Last year’s events affected the distribution of phishing attacks across the categories of targeted organizations. The three largest categories had remained unchanged for several years: banks, payment systems and global Internet portals. The year 2020 brought change. Online stores became the largest category with 18.12%, which may be linked to a growth in online orders due to pandemic-related restrictions. Global Internet portals remained the second-largest category at 15.94%, but their share dropped by 5.18 p.p. as compared to 2019, and banks were third with a “modest” 10.72%.

Online games and government and taxes dropped out of the “top ten” in 2020. They were replaced by delivery companies and financial services.

[Figure: Distribution of organizations targeted by phishers, by category, in 2020]

Conclusion

With its pandemic and mass transition to remote work and online communication, last year was an unusual one, which was reflected in spam statistics. Attackers exploited the COVID-19 theme, invited victims to non-existent video conferences and insisted that their targets register with “new corporate services”. Given that the fight against the pandemic is not over yet, we can assume that the main trends of 2020 will stay relevant into the near future.

The general growing trend of targeted attacks on the corporate sector will continue into next year, all the more so because the remote work mode, increasingly popular, makes employees more vulnerable. Users of instant messaging networks should raise their guard, as the amount of spam and phishing messages received by their mobile devices is likely to grow as well. Besides, the number of email messages and schemes exploiting the COVID-19 theme one way or another has a high likelihood of rising.

Spam and phishing in Q3 2020 (https://securelist.com/spam-and-phishing-in-q3-2020/99325/, Thu, 12 Nov 2020 10:00:54 +0000)

Quarterly highlights

Worming their way in: cybercriminal tricks of the trade

These days, many companies distribute marketing newsletters via online platforms. In terms of capabilities, such platforms are quite diverse: they send out advertising and informational messages, harvest statistics (for example, about clicked links in emails), and the like. At the same time, such services attract both spammers, who use them to send their own mailings, and cybercriminals, who try to gain access to user accounts, usually through phishing. As a result, attackers also get their hands on user-created mailing lists, which allows them to disseminate mass advertising or phishing messages that filtering systems sometimes let through.

Accordingly, in Q3 we registered an increase in the number of messages sent using the Sendgrid platform. A significant portion of them were phishing attacks aimed at stealing login credentials for major resources. The emails were no different from traditional phishing, save for the legitimate headers and link to Sendgrid, which redirected the recipient to a phishing site. To the observant eye, the address bar and From field would reveal the messages to be fake.

Call me!

In our previous quarterly report, we talked about an increasingly common scam whereby fraudsters send emails purportedly from large companies with a request to urgently contact support at the given phone number. Users who contacted the operator were then asked for information, such as bank card details, which could then be used to empty their account. The most commonly used toll-free numbers have specific three-digit prefixes after the country code (for example: 800, 888, 844).

In Q3 2020, we observed new versions of such schemes warning not only about unauthorized account access, but about money transactions supposedly made by the user. The attackers’ calculation is that, on seeing a message about a financial transaction, the client will grab their phone and dial the support number highlighted in bold. Such emails do not contain links, and the message itself is an image, which makes it harder to detect.

Scammers like such schemes, because sending spam is much cheaper and easier than calling potential victims. To avoid swallowing the bait, either call the support service using the number on the organization’s official website (not the one in the email), or use an app that protects against telephone fraud by checking outgoing call numbers.
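Two of the indicators described in this section and the previous one can be checked mechanically on the receiving side: a bulk-mailing platform's tracking link whose domain has nothing to do with the claimed sender, and a "call support" message that is essentially an image with no text, or that quotes a toll-free callback number with one of the prefixes named above. The following Python is an added example, not code from Securelist or Kaspersky; every sender address, domain, link and phone number in it is constructed, and registrable_domain() is a deliberately simple stand-in for public-suffix handling.

```python
"""Header and body heuristics for two patterns described in the report:
(1) a bulk-mailing platform's tracking link pointing to a domain unrelated
    to the claimed sender, and (2) "call support" scams that ship as an
    image with little or no text, or that quote a toll-free callback number.
All sample messages below are constructed for this example."""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Toll-free prefixes named in the report (after the +1 country code).
TOLL_FREE_PREFIXES = {"800", "888", "844"}
# Matches forms such as 1-888-555-0100, +1 (800) 555 0100, 844.555.0100.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(8\d\d)\)?[\s.-]?\d{3}[\s.-]?\d{4}")
HREF_RE = re.compile(r"""href\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)


def registrable_domain(host):
    """Last two labels of a host ('u1.bulkmailer.example' -> 'bulkmailer.example').
    A crude stand-in for public-suffix handling; sufficient for the samples."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def analyse(msg):
    """Return the indicators found in one message plus an overall verdict."""
    _, addr = parseaddr(msg["From"])
    from_domain = registrable_domain(addr.rpartition("@")[2])
    text, links, images = [], [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text.append(part.get_content())
        elif ctype == "text/html":
            html = part.get_content()
            links.extend(HREF_RE.findall(html))
            text.append(re.sub(r"<[^>]+>", " ", html))  # strip tags before phone matching
        elif part.get_content_maintype() == "image":
            images += 1
    body = " ".join(text)
    link_domains = {registrable_domain(urlparse(u).hostname) for u in links}
    foreign = sorted(d for d in link_domains if d and d != from_domain)
    numbers = [m.group(0) for m in PHONE_RE.finditer(body)
               if m.group(1) in TOLL_FREE_PREFIXES]
    # An image with (almost) no words: the scam text lives inside the picture.
    image_only = images > 0 and len(body.split()) < 10
    return {
        "from_domain": from_domain,
        "foreign_link_domains": foreign,
        "toll_free_numbers": numbers,
        "image_only": image_only,
        "suspicious": bool(foreign or numbers or image_only),
    }


def build_sample(sender, text="", html=None, image=False):
    """Assemble a constructed test message (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "customer@example.com"
    msg["Subject"] = "Account notice"
    msg.set_content(text)
    if html:
        msg.add_alternative(html, subtype="html")
    if image:
        png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # placeholder PNG header
        msg.add_attachment(png, maintype="image", subtype="png",
                           filename="notice.png", disposition="inline")
    return msg


SAMPLES = {
    "tracking_link": build_sample(
        "Big Bank <alerts@bigbank.example>",
        html='<p>Confirm your login <a href="https://u1234.bulkmailer.example/ls/click?id=abc">here</a></p>'),
    "image_only": build_sample("Online Store <security@webshop.example>", image=True),
    "callback_number": build_sample(
        "Online Store <security@webshop.example>",
        text="A transaction of $499.99 was charged to your account. "
             "If you did not authorize it, call support at 1-888-555-0100 now."),
    "legitimate": build_sample(
        "Online Store <news@webshop.example>",
        html='<p>Our sale is live: <a href="https://www.webshop.example/sale">see offers</a></p>'),
}


def run_samples():
    return {name: analyse(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

The image-only flag says nothing about what the picture contains; it only marks the message for a closer look (OCR would be the next step). Likewise a link domain that differs from the From domain is common in legitimate newsletters, so in practice this heuristic is combined with the other signals rather than used alone.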

COVID-19 and spam topics

Facebook grants

In Q3 2020, many users of social networks and messengers saw a screenshot with some interesting news: CNBC, it said (in broken English — always a red flag), had reported that Facebook was paying out compensation to victims of COVID-19. To get yours, all you had to do was follow the link and fill out a number of documents.

The link had nothing to do with Facebook and led to a fake page resembling the website of Mercy Corps, an organization dedicated to helping victims of natural disasters and armed conflict. To apply, you had to enter your Facebook username and password, then verify your identity by providing personal information, including SSN (social security number, issued to US citizens). This last detail suggests that the attack was aimed at US residents. Users that entered all the requested data gave the cybercriminals not only access to their social network account, but also personal information that could then be used for identity theft or bank card fraud.

It should be noted that the scheme was based on official news that Facebook was indeed ready to provide support to victims of COVID-19. But it only concerned grants for companies, not individuals.

Tourist phishing

The coronavirus pandemic — which has decimated the tourist trade — has also had an effect on scammers: this quarter saw fewer emails offering attractive summer breaks than usual. However, the pandemic did not stop scammers, only redirected their attention.

In Q3, Airbnb and Expedia Group users were the most frequent targets of phishing attacks. Fake pages hungry for user credentials were very faithful to the design of the official websites, distinguishable only by looking closely at the address bar, where most often the domain was unrelated to the target company or belonged to a free hosting service.

So as not to reveal their cards too soon, scammers use URL-shortening services and distribute messages in social networks and messengers where shortened links look organic. In their messages, scammers offer cheap tickets or bargain hotel deals. And it is impossible to know where such links lead before clicking them, which is what attackers play upon. Accounts stolen in this way can be used, for example, for money laundering.

Phishers also forged pages with rental offers: visitors could view photos of apartments and read detailed information about the alleged terms and conditions. Lower down the page were rave reviews from past clients intended to lull the victim into a false sense of security.

The “landlord” in each case agreed to rent out the apartment, but asked for an advance payment. And then disappeared as soon as the money was deposited, together with the fake page. In this instance, the cybercriminals also banked on the fact that the juicy offer (low price, big discount) would distract the victim from looking at the URL and checking the information on the site.

Attacks on the corporate sector

Malicious mail

We have already written about the distribution of malicious files disguised as notifications from delivery services. These continued this quarter as well: we uncovered a mailing targeting employees connected to sales in some capacity. The scammers persuaded recipients to open the attached documents supposedly to pay customs duties for the import of goods. Instead of documents, the attachment contained Backdoor.MSIL.Crysan.gen.

Malicious mailings with “reminders” about online meetups are worth a separate mention. For example, one of them asked the recipient to join a Zoom conference by clicking the attached link. Instead of a meeting, the user ended up on a WeTransfer phishing page. If the user fell for the trap and entered their WeTransfer credentials, the attackers gained access to the company’s files stored in this cloud.

Another mailing informed users that a Microsoft SharePoint document had been shared with them. After clicking the link, the victim was taken to a fake Microsoft login page that helped cybercriminals steal account usernames and passwords.

Far more dangerous were meeting notifications containing malicious files. For example, the at-first-glance harmless message below contained HEUR:Trojan-Downloader.Script.Generic.

And Trojan-Banker.Win32.ClipBanker, downloaded via the link in the email below, is used to steal financial (including cryptocurrency-related) information.

Mail scanner

To gain access to corporate accounts, cybercriminals distributed messages stating that a virus had been found in the recipient’s mailbox, and advising an urgent scan, otherwise the account would be disabled. The messages, disguised as notifications from infosec companies, were sent from a free mail address and employed neutral names like Email Security Team to avoid unnecessary specifics.

The cybercriminals reckoned on the combined threat of a computer virus and a deactivated work email account forcing the recipient to ignore some of the oddities of the message. For example, such emails could be from the company’s IT or security department, but not a third party. The page that opened on clicking the link did not resemble a corporate resource by either its address or layout. Plus, for added believability, the cybervillains placed on it the logos of all major infosec companies.

To start a “virus scan”, the user was asked to enter the username and password for their corporate mailbox. That said, the “scan” started even if arbitrary credentials were entered in the fields:

Statistics: spam

Proportion of spam in mail traffic

[Figure: Proportion of spam in global mail traffic, Q2 2020 – Q3 2020]

In Q3 2020, the largest share of spam was recorded in August (50.07%). The average share of spam in global mail traffic was 48.91%, down 1.27 p.p. against the previous reporting period.

Sources of spam by country

[Figure: Sources of spam by country, Q3 2020]

The Top 5 countries by amount of outgoing spam remained the same as in the previous quarter; only their shares changed. The biggest increase came from Russia, which ranked first, jumping by 5 p.p. to 23.52%. The shares of the remaining top-fivers did not fluctuate by more than one percentage point: Germany in second place accounted for 11.01%, the US in third for 10.85%, France for 6.69%, and China in fifth for 6.33%.

The bottom half of the Top 10 changed more significantly. For instance, it said goodbye to Turkey, which this time took 11th place (1.73%). Sixth place was taken by the Netherlands (3.89%), seventh by Brazil (3.26%), eighth by Spain (2.52%), ninth by Japan (2.30%), and Poland (1.80%) rounded out the Top 10, up one position on last quarter.

Spam email size

[Figure: Spam email size, Q2 2020 – Q3 2020]

The downward trend in the number of very small emails continued in Q3 2020; their share decreased significantly — by 13.21 p.p. to 38.09%. The share of emails sized 20–50 KB grew by 12.45 p.p. to 28.20% of the total number of registered spam emails. But the number of emails 10–20 KB in size fell to 8.31% (–2.78 p.p.). Also lower was the share of spam messages sized 100–200 KB; this time their share was 1.57%.

Malicious attachments: malware families

[Figure: Number of Mail Anti-Virus triggerings, Q2 2020 – Q3 2020]

Throughout Q3 2020, our security solutions detected a total of 51,025,889 malicious email attachments, which is almost 8 million more than in the previous reporting period.

[Figure: Top 10 malicious attachments in mail traffic, Q3 2020]

The most widespread malware in Q3 mail traffic was assigned the verdict Trojan-PSW.MSIL.Agensla.gen (8.44%). In second place was Exploit.MSOffice.CVE-2017-11882.gen (5.67%), while Trojan.MSOffice.SAgent.gen (4.85%) came third.

[Figure: Top 10 malware families in mail traffic, Q3 2020]

This quarter’s most widespread malware family was Trojan-PSW.MSIL.Agensla (12.67%), which had ranked second in the previous reporting period, while last quarter’s leader, Trojan.Win32.Agentb, finished second (8.78%). Third place, as in the previous quarter, went to Exploit.MSOffice.CVE-2017-11882 (8.03%).

Countries targeted by malicious mailshots

[Figure: Distribution of Mail Anti-Virus triggerings by country, Q3 2020]

Since the beginning of the year, Spain has led the way by number of Mail Anti-Virus triggerings. In Q3, users in this country accounted for 7.76% of attacks. In second place this time was Germany (7.05%), knocking Russia (5.87%) into third.

Statistics: phishing

In Q3 2020, the Anti-Phishing system prevented 103,060,725 attempts to redirect users to fake pages, which is almost 3.2 million fewer than in Q2. The share of unique attacked users amounted to 7.67% of the total number of users of Kaspersky products.

Attack geography

This time, the country with the largest proportion of users attacked by phishers was Mongolia (15.54%).

[Figure: Geography of phishing attacks, Q3 2020]

Israel (15.24%) lies close behind in second place, with France (12.57%) this time in third.

Top-level domains

The most popular top-level domain with phishers this quarter, as before, was COM (40.09% of the total number of top-level domains used in attacks). Silver went to XYZ (5.84%), and bronze to NET (3.00%). RU finished in fourth place (2.93%), and BUZZ in fifth (2.57%).

[Figure: Top-level domains most popular with phishers, Q3 2020]

Organizations under attack

The rating of attacks by phishers on different categories of organizations is based on detections by the Kaspersky Anti-Phishing component. This component detects pages with phishing content that the user tried to access by following email or web links, regardless of how the user got to the page: by clicking a link in a phishing email or in a message on a social network, or after being redirected by a malicious program. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

As before, the Online Stores category absorbed the most phishing attacks, despite its share dropping slightly against Q2 2020 (by 0.20 p.p.) to 19.22%. Global Web Portals (14.48%) in second position and Banks (10.89%) in third were also non-movers.

[Figure: Distribution of organizations subjected to phishing attacks by category, Q3 2020]

Conclusion

The COVID-19 topic, which appeared in Q1 this year, is still in play for spammers and phishers. In our view, the so-called second wave could lead to a surge in mailings offering various coronavirus-related treatments. Moreover, against the backdrop of the worsening economic situation, we could see a rise in the number of scam mailings promising a big payout in exchange for a small upfront sum.

The average share of spam in global mail traffic (48.91%) this quarter decreased by 1.27 p.p. against the previous reporting period, while the number of attempted redirects totaled nearly 103 million.

First place in the list of spam-source countries in Q3 again went to Russia, with a share of 23.52%. Our security solutions blocked 51,025,889 malicious attachments; the most popular malware family in spam mailings was Trojan-PSW.MSIL.Agensla, with a 12.67% share of mail traffic.

Spam and phishing in Q2 2020 (https://securelist.com/spam-and-phishing-in-q2-2020/97987/, Fri, 07 Aug 2020 10:00:07 +0000)

Quarterly highlights

Targeted attacks

The second quarter often saw phishers resort to targeted attacks, especially against fairly small companies. To attract attention, scammers imitated email messages and websites of companies whose products or services their potential victims could be using.

The scammers did not try to make any of the website elements appear credible as they created the fake. The login form is the only exception. One of the phishing websites we discovered even used a real captcha on that form.

The main pretext that scammers use to prompt the target to enter their information is offering an online catalog that purportedly only becomes available once the target provides the login and password to their email account.

In one instance, phishers used Microsoft Sway, the service for creating and sharing presentations, to hunt for logins and passwords for corporate accounts. The user was invited to view presentations belonging to another company in the same industry by following a link and entering the login and password for their work email account.

A fake website can be recognized by its design. The workmanship is often rough, and the chunks of information on the various pages are disjointed due to being pulled from diverse sources. Besides, pages like that are created on free hosting websites, as cybercriminals are not prepared to invest too much money in the fakes.

A targeted phishing attack may lead to serious consequences: after gaining access to an employee’s mailbox, cybercriminals can use it for further attacks on the company itself, or its employees or partners.

Waiting for your package: keeping your data secure and your computer clean

As the pandemic reached its peak, mail service between countries became complicated and delivery times noticeably increased. Organizations responsible for delivery of letters and parcels rushed to notify recipients about all kinds of possible delays and hiccups. This is exactly the type of email message that scammers started to imitate: the target was asked to open the attachment to find out the address of the warehouse holding the package that had failed to reach them.

Another, relatively original, trick employed by cybercriminals was a message containing a miniature image of a postal receipt. The scammers expected the curious recipient to take the attachment, which was an ACE archive despite its name containing “jpg”, for the real thing and open it. The mailshots we detected used this as a method of spreading the Noon spyware. The scam can only be detected if the email client displays the full names of attachments.
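The disguise described above, an ACE archive under a name that hints at a picture, is exactly the kind of thing a mail gateway can catch by comparing an attachment's full file name with its magic bytes rather than trusting the name the client shows. The Python below is an added example, not Securelist's or Kaspersky's code; it generalises beyond ACE to a few other archive and executable signatures, and every message and file body in it is constructed (the ACE sample is just the "**ACE**" marker placed at the offset where the format keeps it, not a real archive).

```python
"""Attachment checks for the disguise described above: an archive or executable
delivered under a file name that suggests an image. Signatures beyond ACE are
included so the check generalises; all file contents and messages are
constructed for this example, not real samples."""
from email.message import EmailMessage

# (offset, magic bytes, kind, extensions that legitimately carry this content)
SIGNATURES = [
    (0, b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (0, b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (0, b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx"}),
    (0, b"Rar!\x1a\x07", "rar", {"rar"}),
    (7, b"**ACE**", "ace", {"ace"}),   # ACE archives keep their marker at offset 7
    (0, b"MZ", "pe", {"exe", "dll", "scr"}),
]


def sniff(data):
    """Identify the real content kind from magic bytes: (kind, allowed_exts)."""
    for offset, magic, kind, allowed in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind, allowed
    return None, set()


def check_attachment(filename, data):
    """Return a list of findings for one attachment (empty list: nothing odd)."""
    name = filename.lower()
    exts = name.split(".")[1:]            # "receipt.jpg.ace" -> ["jpg", "ace"]
    claimed = exts[-1] if exts else ""
    kind, allowed = sniff(data)
    findings = []
    if len(exts) > 1:
        findings.append("double extension: ." + ".".join(exts))
    if kind and claimed not in allowed:
        findings.append(f"content is {kind} but the name claims .{claimed}")
    elif kind and kind != "jpeg" and "jpg" in name:
        # The report's case: the name hints at a picture, the bytes say otherwise.
        findings.append(f'name contains "jpg" but content is {kind}')
    return findings


def scan_message(msg):
    """Map each attachment's full file name to its findings."""
    return {
        part.get_filename() or "(unnamed)":
            check_attachment(part.get_filename() or "", part.get_payload(decode=True))
        for part in msg.iter_attachments()
    }


def build_sample():
    """Constructed message with three attachments: the disguised ACE archive,
    a genuine JPEG, and a Windows executable declared as a JPEG."""
    msg = EmailMessage()
    msg["From"] = "Parcel Desk <notice@courier.example>"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Your postal receipt"
    msg.set_content("Please find your receipt attached.")
    ace_bytes = b"\x00" * 7 + b"**ACE**" + b"\x00" * 16    # minimal ACE-looking header
    msg.add_attachment(ace_bytes, maintype="application", subtype="octet-stream",
                       filename="receipt.jpg.ace")
    jpeg_bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 16          # genuine JPEG header
    msg.add_attachment(jpeg_bytes, maintype="image", subtype="jpeg",
                       filename="receipt.jpg")
    pe_bytes = b"MZ\x90\x00" + b"\x00" * 16                  # Windows executable header
    msg.add_attachment(pe_bytes, maintype="image", subtype="jpeg",
                       filename="holiday_photo.jpg")
    return msg


if __name__ == "__main__":
    for name, findings in scan_message(build_sample()).items():
        print(name, "->", findings or "ok")
```

The check deliberately ignores the declared Content-Type: the sender controls that header just as much as the file name, so only the bytes are trusted. A gateway would normally quarantine anything flagged here rather than rely on the user noticing a truncated name.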

In another fraudulent scheme, the target was told that their order could not be dispatched due to a restriction on mailing certain types of goods, but that processing of the package would resume once the restrictions were lifted. All required documents and a new tracking number could purportedly be found in the attached archive. In reality, the attachment contained a copy of the Androm backdoor, which opened remote access to the victim’s computer.

Scammers posing as courier service employees sent out emails warning that packages could not be delivered due to failure to pay for the shipping. The “couriers” accepted codes for prepaid cards issued by Paysafecard as payment. These cards range from €10 to €100 and can be used in stores that accept this payment method. The victim was asked to email a €50 card code – incidentally, an activity that the payment system’s rules explicitly forbid. The cybercriminals chose this payment method for a reason: blocking or revoking a Paysafecard payment is next to impossible.

Banking phishing amid a pandemic

Banking phishing attacks in the second quarter of the year often employed emails that offered borrowers various pandemic-related discounts and bonuses. Accessing the benefits involved downloading a file with a manual or following a link. As a result, the scammers could access the user’s computer, personal data or credentials for various services, depending on the scheme.

The COVID-19 theme was present, too, in the widely known fake bank emails informing customers that their accounts had been blocked, and that they needed to enter their login and password on a special page to get back their access.

The pandemic saw the revival of a more-than-a-decade-old scheme, in which scammers sent victims emails offering to open the attachment to get the details of a low-rate loan. This time, the rate reduction was linked to the pandemic.

Taxes and exemptions

The beginning of the second quarter is the time for submitting tax forms in many countries. This year, tax authorities in some countries reduced the tax burden or exempted citizens from paying taxes. Scammers naturally grabbed the opportunity: mailshots we detected reported that the government had approved a compensation payout, and claiming it involved following a link to the tax agency’s website, which, unsurprisingly, proved to be fake. Some of the email messages were not too well crafted, and looking closely at the From field was all it took to detect a fake.

More ingenious scammers made up a whole legend: in an email presented as being from the IRS (United States Internal Revenue Service), they said there was a $500,000 “pandemic payment”, authorized jointly by the UN and the World Bank, that could have been transferred to the recipient had it not been for a woman named Annie Morton. The lady, the email said, had shown up at an IRS office carrying a warrant for the payment. She purportedly said that the intended recipient had succumbed to COVID-19, and she was the one to receive the $500,000. The message insisted that the victim contact a certain IRS employee – and not any other, so as to avoid a mistake – to prove that they were alive.

Subsequent steps would most likely be identical to the well-known inheritance scam, where the victim is asked to pay for the services of a lawyer, who then disappears with the advance money. One might guess that instead of the advance, the scammers would ask for a fee for executing papers that would prove the victim was still alive.

Getting refunded and losing it all

Tax refunds are not the only type of aid that states have been providing to individuals and companies distressed by the pandemic. And not the only type the scammers have been using. Thus, Brazilians were “allowed” not to pay their energy bills, and all they had to do was register on a website by following a link in an “email from the government”. The hyperlink had an appearance designed to trick the user into thinking that they were being redirected to a government portal, whereas in reality, the victim had a trojan installed on their computer, which downloaded and then ran another trojan, Sneaky.

Personal information leakage is another hazard faced by those who risk registering for “compensation” on a suspicious website. For example, one mailshot invited individuals aged over seventy to go to a website and fill out a form, which contained fields for the last name, first name, gender, mailing address and SSN (social security number, for US citizens).

Identifying a fake email is easy. One just needs to take a closer look at the From field and the subject, which appears odd for an official email.
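Added example, not part of the report: a small Python check of the From field along the lines recommended above, comparing the organization claimed in the display name with the domain of the actual address. The sender list and all domains are constructed placeholders.

```python
"""Constructed example, not part of the Securelist report: a check of the From
header along the lines the report recommends (compare the claimed sender with
the actual address domain). Sender brands and domains are placeholders."""
import re
from email.utils import parseaddr

# Constructed allow-list of senders impersonated in the report's examples.
# The domains are placeholders (.example), not the organizations' real ones.
KNOWN_SENDERS = {
    "irs": {"irs.example"},
    "department of labor": {"dol.example"},
    "imf": {"imf.example"},
}


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the actual address in a From header ('' if none)."""
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def _domain_matches(domain: str, allowed: set) -> bool:
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_from(from_header: str) -> list:
    """Return a list of findings for a From header; an empty list is clean."""
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    findings = []
    if not domain:
        return ["no parsable sender address"]
    lname = name.lower()
    for brand, allowed in KNOWN_SENDERS.items():
        # Whole-word match so that e.g. "First" does not match "irs".
        if re.search(r"\b" + re.escape(brand) + r"\b", lname) and not _domain_matches(domain, allowed):
            findings.append(f"display name claims '{brand}' but address domain is {domain}")
    # A display name that itself looks like an address hides the real sender
    # in mail clients that show only the name.
    if re.search(r"@[\w.-]+\.\w+", name):
        findings.append("display name contains an e-mail address")
    return findings


if __name__ == "__main__":
    # Constructed sample headers modelled on the lures described in the report.
    for hdr in (
        "IRS Notices <noreply@notices.irs.example>",
        "IRS Pandemic Payment <annie.morton@mail-refund.example>",
        '"refund@irs.example" <noreply@random-host.example>',
    ):
        print(hdr, "->", check_from(hdr) or "ok")
```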

Once the target filled out the entire form, they were redirected to the official Web page of the World Health Organization’s COVID-19 Solidarity Response Fund, a real organization, to give a donation. This helped the scammers to create an illusion that the questionnaire was official and to build a vast database containing the details of individuals over seventy years of age.

Fake emails promising government compensations carried one more threat: instead of getting paid, the victim risked losing their own money to the cybercriminals. Thus, a fake email from the International Monetary Fund announced that the recipient and sixty-four other “lucky” individuals had been selected to receive compensations from a five-hundred-million-dollar fund set up by the IMF, China and the European Union for supporting victims of the pandemic. Getting €950,000 was a matter of contacting the IMF office at the address stated in the message. Subsequent events followed the lottery-scam script: getting the money required paying a commission first.

Fake HR: getting dismissed by professional spammers

The pandemic-related economic downturns in several countries caused a surge in unemployment, an opportunity that cybercriminals were quick to take advantage of. One mailshot, sent in the name of the US Department of Labor, offered a look at the latest changes to the parental leave and sick leave laws. The sender said these laws had been amended following the adoption of the coronavirus relief act, and all details on the amendments were available in the attachment. What the attachment really contained was Trojan-Downloader.MSOffice.SLoad.gen, a trojan mostly used for downloading and installing ransomware.

Another way scammers “surprised” potential victims was dismissal notices. The employee was informed that the company had been forced to discharge them due to the pandemic-induced recession. The dismissal “followed the book”, in that the attachment, according to the author of the email, contained a request form for two months’ worth of pay. Needless to say, the victim only found malware attached.

Your data wanted, now

The share of voice phishing in email traffic rose noticeably at the end of Q2 2020. One mailshot warned of a suspicious attempt at logging in to the target’s Microsoft account, originating in another country, and recommended that the target contact support by phone at the supplied number. This spared the scammers the need to create a large number of fake pages, as they tried to get all the information they needed over the phone.

An even less conventional way of obtaining personal data could be found in emails that offered subscription to COVID-19 updates, where the target only needed to verify their email address. Besides personal data theft, forms like this can be used for collecting mailbox usage statistics.

Statistics: spam

Proportion of spam in email traffic

Proportion of spam in global email traffic, Q1 2020 – Q2 2020

In Q2 2020, the largest share of spam (51.45 percent) was recorded in April. The average percentage of spam in global email traffic was 50.18 percent, down by 4.43 percentage points from the previous reporting period.

Proportion of spam in Runet email traffic, Q1 2020 – Q2 2020

The Russian segment of the World Wide Web presents the opposite picture, with the end of the quarter accounting for the larger share of spam: spam peaked in June as it reached 51.23 percent. The quarterly average was 50.35 percent, 1.06 p.p. lower than the first quarter’s average.

Sources of spam by country

Countries where spam originated in Q2 2020

The composition of the top five Q1 2020 spam leaders remained unchanged in the second quarter. Russia kept the lead with 18.52 percent, followed by Germany with 11.94 percent, which had overtaken the US, now third with 10.65 percent. France (7.06 percent) and China (7.02 percent) remained fourth and fifth, respectively.

Sixth was the Netherlands (4.21 percent), closely followed by Brazil (2.91 percent), Turkey (2.89 percent), Spain (2.83 percent) and lastly, Japan (2.42 percent).

Spam email size

Spam email size, Q1 – Q2 2020

The share of extra small emails kept going down, dropping by 8.6 p.p. to 51.30 percent in Q2 2020. Emails between 5 KB and 10 KB decreased slightly (by 0.66 p.p.) compared to the previous quarter, to 4.90 percent. Meanwhile, the share of spam messages within the range of 10 KB to 20 KB rose by 4.73 p.p. to 11.09 percent. The share of larger messages between 100 KB and 200 KB in the second quarter fell by 1.99 p.p. to 2.51 percent compared to Q1 2020.

Malicious attachments: malware families

Number of Mail Anti-Virus triggerings, Q1 2020 – Q2 2020

Our security solutions detected a total of 43,028,445 malicious email attachments in Q2 2020, an increase of six and a half million year-on-year.

TOP 10 malicious attachments in mail traffic, Q2 2020

Trojan.Win32.Agentb.gen (13.27 percent) was the most widespread malware in email attachments in the second quarter of the year, followed by Trojan-PSW.MSIL.Agensla.gen (7.86 percent) in second place and Exploit.MSOffice.CVE-2017-11882.gen (7.64 percent) in third place.

TOP 10 malware families in mail traffic, Q2 2020

The most widespread malware family in the second quarter, as in the previous one, was Trojan.Win32.Agentb (13.33 percent), followed by Trojan-PSW.MSIL.Agensla (9.40 percent) and Exploit.MSOffice.CVE-2017-11882 (7.66 percent).

Countries targeted by malicious mailshots

Distribution of Mail Anti-Virus triggerings by country, Q2 2020

Spain (8.38%) took the lead in Mail Anti-Virus triggerings in Q2 2020, just as in Q1 2020. Second came Russia with 7.37 percent of attacks, and third came Germany with 7.00 percent.

Statistics: phishing

Kaspersky Anti-Phishing helped to prevent 106,337,531 attempts at redirecting users to phishing Web pages in Q2 2020, a figure that is almost thirteen million lower than that for the first quarter. The share of unique attacked users accounted for 8.26 percent of the total Kaspersky users in the world, with 1,694,705 phishing wildcards added to the system database.

Attack geography

Venezuela was, as is traditionally the case, the country with the largest share of users attacked by phishers (17.56 percent).

Geography of phishing attacks, Q2 2020

Portugal was 4.05 p.p. behind with 13.51 percent, closely followed by Tunisia with 13.12 percent.

Country %*
Venezuela 17.56%
Portugal 13.51%
Tunisia 13.12%
France 13.08%
Brazil 12.91%
Qatar 11.94%
Bahrain 11.88%
Guadeloupe 11.73%
Belgium 11.56%
Martinique 11.34%

*Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky users in the country

Top-level domains

Starting with this quarter, we have decided to maintain statistics on top-level domains used in phishing attacks. Quite predictably, COM led by a huge margin, with 43.56 percent of the total number of top-level domain names employed in attacks. It was followed by NET (3.96 percent) and TOP (3.26 percent). The Russia-specific RU domain took fourth place with 2.91 percent, followed by ORG with 2.55 percent.

Top-level domains most popular with phishers, Q2 2020

Organizations under attack

The rating of attacks by phishers on different categories of organizations is based on detections by the Kaspersky Anti-Phishing component. This component detects pages with phishing content that the user tried to access, regardless of how the user got to the page: by clicking a link in a phishing email or in a message on a social network, or after being redirected by a malicious program. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

As in the first quarter, the Online Stores category accounted for the largest share of phishing attacks, its share increasing by 1.3 p.p. to 19.42 percent. Global Web Portals again received the second-largest share of attacks, virtually unchanged at 16.22 percent. Banks (11.61 percent) returned to third place, pushing Social Networks (10.08 percent) to fourth place.

Distribution of organizations subjected to phishing attacks by category, Q2 2020

Conclusion

In our summary of the first quarter, we hypothesized that COVID-19 would remain spammers’ and phishers’ key theme in the future. That is exactly what happened: seldom did a mailshot fail to mention the pandemic as phishers added relevance to their tried and tested schemes and came up with brand-new ones.

The average share of spam in global email traffic in Q2 2020 dropped by 4.43 p.p. to 50.18 percent compared to the previous reporting period, and attempts to access phishing pages amounted to 106 million.

First place in the list of spam sources in Q2 went to Russia with a share of 18.52 percent. Our security solutions blocked a total of 43,028,445 malicious email attachments, with the most widespread “email-specific” malware family being Trojan.Win32.Agentb.gen, which infected 13.33 percent of the total email traffic.

Spam and phishing in Q1 2020 (https://securelist.com/spam-and-phishing-in-q1-2020/97091/, Tue, 26 May 2020 10:00:50 +0000)

Quarterly highlights

Don’t get burned

Burning Man is one of the most eagerly awaited events among fans of spectacular performance and installation art. The main obstacle to attending is the price of admission: a standard ticket will set you back $475, the number of tickets is limited, and the buying process is a challenge all by itself (there are several stages, registration data must be entered at a specific time, and if something goes wrong you might not get a second chance). Therefore, half-price fake tickets make for excellent bait.

Scammers tried to make their website as close as possible to the original — even the page with the ticket description looked genuine.

There were just three major differences from the original: only the main page and the ticket purchase section were actually operational, tickets were “sold” without prior registration, and the price was a steal ($225 versus $475).

Oscar-winning scammers

February 2020 saw the 92nd Academy Awards ceremony. Even before the big night, websites were popping up offering free viewings of all the nominated films. Fraudsters targeted users eager to see the short-listed movies before the presentation of the awards.

To promote these sites, Twitter accounts were created — one for each nominated film.

Curious users were invited to visit the resource, where they were shown the first few minutes before being asked to register to continue watching.

During registration, the victim was prompted to enter their bank card details, allegedly to confirm their region of residence. Unsurprisingly, a short while later a certain amount of money disappeared from their account, and the movie did not resume.

Users should be alert to the use of short links in posts on social networks. Scammers often use them because it’s impossible to see where a shortened URL points without actually following it.

There are special services that let you check what lies behind such links, often with an additional bonus in the form of a verdict on the safety of the website content. It is important to do a proper check on links from untrusted sources.

ID for hire

US companies that leak customer data can be heavily fined by the Federal Trade Commission (FTC). For example, in 2019 Facebook was slapped with a $5 billion penalty; however, users whose data got stolen do not receive any compensation. This is what scammers decided to exploit by sending a fake e-mail offering compensation from the non-existent Personal Data Protection Fund, created by the equally fictitious US Trading Commission.

Inspired by the idea of services for checking accounts for leaks, the cybercriminals decided to create their own. Visitors were invited to check whether their account details had been stolen, and if so (the answer was “yes” even if the input was gibberish), they were promised compensation “for the leakage of personal data.”

To receive “compensation,” the victim’s citizenship was of no consequence — what mattered was their first name, last name, phone number, and social network accounts. For extra authenticity, a warning message about the serious consequences of using other people’s data to claim compensation popped up obsessively on the page.

To receive the payment, US citizens were asked to enter their Social Security Number (SSN). Everyone else had to check the box next to the words “I’am don’t have SSN” (the mistakes are a good indicator of a fake), whereupon they were invited to “rent” an SSN for $9. Interestingly, even if the user already had an SSN, they were still pestered to get another one.

After that, the potential victim was redirected to a payment page with the amount and currency based on the user’s location. For instance, users in Russia were asked to pay in rubles.

The scam deployed the conventional scheme (especially common in the Runet) of asking the victim to pay a small commission or down payment for the promise of something much bigger. In Q1, 14,725,643 attempts to redirect users to such websites were blocked.

Disaster and pandemic

Fires in Australia

The natural disaster that hit the Australian continent was another get-rich opportunity for scammers. For example, one “Nigerian prince”-style e-mail scam reported that a millionaire dying of cancer was ready to donate her money to save the Australian forests. The victim was asked to help withdraw the funds from the dying woman’s account by paying a fee or making a small contribution to pay for the services of a lawyer, for which they would be rewarded handsomely at a later date.

Besides the fictional millionaire, other “nature lovers” were keen to help out — their e-mails were more concise, but the scheme was essentially the same.

COVID-19

“Nigerian prince” scheme

COVID-19 was (and continues to be) a boon to scammers: non-existent philanthropists and dying millionaires are popping up everywhere offering rewards for help to withdraw funds supposedly for humanitarian purposes. Some recipients were even invited to help finance the production of a miracle vaccine, or take part in a charity lottery, the proceeds of which, it was said, would be distributed to poor people affected by the pandemic.

Bitcoin for coronavirus

Having introduced themselves as members of a healthcare organization, the scammers appealed to the victim to transfer a certain sum to the Bitcoin wallet specified in the message. The donation would allegedly go toward fighting the coronavirus outbreak and developing a vaccine, as well as helping victims of the pandemic.

In one e-mail, the attackers played on people’s fear of contracting COVID-19: the message was from an unnamed “neighbor” claiming to be dying from the virus and threatening to infect the recipient unless the latter paid a ransom (which, it was said, would help provide a comfortable old age for the ransomer’s parents).

Dangerous advice from the WHO

One fraudulent mailing disguised as a WHO newsletter offered tips about staying safe from COVID-19.

To get the information, the recipient had to click a link pointing to a fake WHO website. The design was so close to the original that only the URL gave away the scam. The cybercriminals were after login credentials for accounts on the official WHO site. Whereas in the first mailings only a username and password were asked for, in later ones a phone number was also requested.

In addition, we detected several e-mails supposedly from the WHO containing documents with malware. The recipient was asked to open the attachment (in DOC or PDF format), which allegedly offered coronavirus prevention advice. For example, this message contained Backdoor.Win32.Androm.tvmf:

There were other, less elaborate mailings with harmful attachments, including ones containing Trojan-Spy.Win32.Noon.gen:

Corporate segment

The coronavirus topic was also exploited in attacks on the corporate sector. For example, COVID-19 was cited in fraudulent e-mails as a reason for delayed shipments or the need to reorder. The authors marked the e-mails as urgent and demanded that the attached files be checked immediately.

Another mailing prompted recipients to check whether their company was in a list of firms whose activities were suspended due to the pandemic, after which it asked for a form to be filled out, otherwise the company could be shut down. Both the list of companies and the form were allegedly in the archives attached to the message. In actual fact, the attachments contained Trojan-PSW.MSIL.Agensla.a:

We also registered a phishing attack on corporate users. On a fake page, visitors were invited to monitor the coronavirus situation across the world using a special resource, for which the username and password of the victim’s corporate mail account were required.

Government compensation

The introduction of measures to counter the pandemic put many people in a difficult financial situation. Forced downtime in many industries has had a negative impact on financial well-being. In this climate, websites offering compensation from the government pose a particular danger.

One such popular scheme was highlighted by a colleague of ours from Brazil. WhatsApp messages about financial or food assistance were sent that appeared to come from a supermarket, bank, or government department. To receive the aid, the victim had to fill out the attached form and share the message with a certain number of contacts. After the form was filled out, the data was sent to the cybercriminals, while the victim got redirected to a page with advertising, a phishing site, a site offering a paid SMS subscription, or similar.

Given that the number of fake sites offering government handouts seems likely only to increase, we urge caution when it comes to promises of compensation or material assistance.

Anti-coronavirus protection with home delivery

Due to the pandemic, demand for antiseptics and antiviral agents has spiked. We registered a large number of mailings with offers to buy antibacterial masks.

In Latin America, WhatsApp mass messages were used to invite people to take part in a prize draw for hand sanitizer products from the brewing company Ambev. The company has indeed started making antiseptics and hand gel, but exclusively for public hospitals, so the giveaway was evidently the work of fraudsters.

The number of fake sites offering folk remedies for the treatment of coronavirus, drugs to strengthen the immune system, and non-contact thermometers and test kits has also risen sharply. Most of the products on offer have no kind of certification whatsoever.

On average, the daily share of e-mails mentioning COVID-19 in Q1 amounted to around 6% of all junk traffic. More than 50% of coronavirus-related spam was in the English language. We anticipate that the number of phishing sites and pandemic-related scams will only increase, and that cybercriminals will use new attack schemes and strategies.

Statistics: spam

Proportion of spam in mail traffic

Proportion of spam in global mail traffic, Q4 2019 – Q1 2020

In Q1 2020, the largest share of spam was recorded in January (55.76%). The average percentage of spam in global mail traffic was 54.61%, down 1.58 p.p. against the previous reporting period.

Proportion of spam in Runet mail traffic, Q4 2019 – Q1 2020

In Q1, the share of spam in Runet traffic (the Russian segment of the Internet) likewise peaked in January (52.08%). At the same time, the average indicator, as in Q4 2019, remains slightly lower than the global average (by 3.20 p.p.).

Sources of spam by country

Sources of spam by country, Q1 2020

In Q1 2020, Russia led the TOP 5 countries by amount of outgoing spam. It accounted for 20.74% of all junk traffic. In second place came the US (9.64%), followed by Germany (9.41%) just 0.23 p.p. behind. Fourth place went to France (6.29%) and fifth to China (5.22%), which is usually a TOP 3 spam source.

Brazil (3.56%) and the Netherlands (3.38%) took sixth and seventh positions, respectively, followed by Vietnam (2.55%), with Spain (2.34%) and Poland (2.21%) close on its heels in ninth and tenth.

Spam e-mail size

Spam e-mail size, Q4 2019 – Q1 2020

Compared to Q4 2019, the share of very small e-mails (up to 2 KB) in Q1 2020 fell by more than 6 p.p. and amounted to 59.90%. The proportion of e-mails sized 5-10 KB grew slightly (by 0.72 p.p.) against the previous quarter to 5.56%.

Meanwhile, the share of 10-20 KB e-mails climbed by 3.32 p.p. to 6.36%. The number of large e-mails (100–200 KB) also posted growth (+2.70 p.p.). Their share in Q1 2020 was 4.50%.

Malicious attachments in e-mail

Number of Mail Anti-Virus triggerings, Q4 2019 – Q1 2020

In Q1 2020, our security solutions detected a total of 49,562,670 malicious e-mail attachments, which is almost identical to the figure for the last reporting period (there were just 314,862 more malicious attachments detected in Q4 2019).

TOP 10 malicious attachments in mail traffic, Q1 2020

In Q1, first place in terms of prevalence in mail traffic went to Trojan.Win32.Agentb.gen (12.35%), followed by Exploit.MSOffice.CVE-2017-11882.gen (7.94%) in second and Worm.Win32.WBVB.vam (4.19%) in third.

TOP 10 malicious families in mail traffic, Q1 2020

As regards malware families, the most widespread this quarter was Trojan.Win32.Agentb (12.51%), with Exploit.MSOffice.CVE-2017-11882 (7.98%), whose members exploit a vulnerability in Microsoft Equation Editor, in second place and Worm.Win32.wbvb (4.65%) in third.

Countries targeted by malicious mailshots

Distribution of Mail Anti-Virus triggerings by country, Q1 2020

First place by number of Mail Anti-Virus triggerings in Q1 2020 was claimed by Spain. This country accounted for 9.66% of all users of Kaspersky security solutions who encountered e-mail malware worldwide. Second place went to Germany (8.53%), and Russia (6.26%) took bronze.

Statistics: phishing

In Q1 2020, the Anti-Phishing system prevented 119,115,577 attempts to redirect users to scam websites. The percentage of unique attacked users was 8.80% of the total number of users of Kaspersky products in the world.

Attack geography

The country with the largest proportion of users attacked by phishers, not for the first time, was Venezuela (20.53%).

Geography of phishing attacks, Q1 2020

In second place, by a margin of 5.58 p.p., was Brazil (14.95%), another country that is no stranger to the TOP 3. Next came Australia (13.71%), trailing by just 1.24 p.p.

Country %*
Venezuela 20.53%
Brazil 14.95%
Australia 13.71%
Portugal 12.98%
Algeria 12.12%
France 11.71%
Honduras 11.62%
Greece 11.58%
Myanmar 11.54%
Tunisia 11.53%

* Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky users in the country

Organizations under attack

The rating of attacks by phishers on different categories of organizations is based on detections by the Anti-Phishing component of Kaspersky products. This component detects pages with phishing content that the user gets redirected to. It does not matter whether the redirect is the result of clicking a link in a phishing e-mail or in a message on a social network, or the result of malicious program activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

The largest share of phishing attacks in Q1 2020 fell to the Online Stores category (18.12%). Second place went to Global Internet Portals (16.44%), while Social Networks (13.07%) came in third.

Distribution of organizations affected by phishing attacks by category, Q1 2020

As for the Banks category, a TOP 3 veteran, this time it placed fourth with 10.95%.

Conclusion

Glancing at the results of Q1 2020, we anticipate that the COVID-19 topic will continue to be actively used by cybercriminals for the foreseeable future. To attract potential victims, the pandemic will be mentioned even on “standard” fake pages and in spam mailings.

The topic is also used extensively in fraudulent schemes offering compensation and material assistance.

It is highly likely that this type of fraud will become more frequent.

The average share of spam in global mail traffic (54.61%) this quarter decreased by 1.58 p.p. against the previous reporting period, while the number of attempted redirects totaled nearly 120 million.

Top of this quarter’s list of spam-source countries is Russia, with a share of 20.74%. Our security solutions blocked 49,562,670 malicious mail attachments, while the most common mail-based malware family, with a 12.35% share of mail traffic, was Trojan.Win32.Agentb.gen.

Spam and phishing in 2019 (https://securelist.com/spam-report-2019/96527/, Wed, 08 Apr 2020 10:00:10 +0000)

Figures of the year

  • The share of spam in mail traffic was 56.51%, which is 4.03 p.p. more than in 2018.
  • The biggest source of spam this year was China (21.26%).
  • 78.44% of spam e-mails were less than 2 KB in size.
  • Malicious spam was detected most commonly with the Exploit.MSOffice.CVE-2017-11882 verdict.
  • The Anti-Phishing system was triggered 467,188,119 times.
  • 15.17% of unique users encountered phishing.

Beware of novelties

In 2019, attackers were more active than usual in their exploitation of major sports and movie events to gain access to users’ financial or personal data. Premieres of TV shows and films, and sports broadcasts were used as bait for those looking to save money by watching on “unofficial” resources.

A search for “Watch latest X for free” (where X = Avengers movie, Game of Thrones season, Stanley Cup game, US Open, etc.) returned links to sites offering the opportunity to do precisely that. On clicking through to these resources, the broadcast really did begin, only to stop after a couple of minutes. To continue viewing, the user was prompted to create a free account (only an e-mail address and password were required). However, when the Continue button was clicked, the site asked for additional confirmation.

And not just any old information, but bank card details, including the three-digit security code (CVV) on the reverse side. The site administrators assured visitors that funds would not be debited from the card, and that this data was needed only to confirm the user’s location (and hence right to view the content). However, instead of continuing the broadcast, the scammers simply pocketed the details.

New gadgets were also deployed as bait. Cybercriminals created fake pages mimicking official Apple services. The number of fake sites rose sharply after the company unveiled its new products. And while Apple was only just preparing to release the next gadget, fraudsters were offering to “sell” it to those with itchy hands. All the victim had to do was follow a link and enter their Apple ID credentials — the attackers’ objective.

In 2019, scammers found new ways to exploit popular resources and social networks to spread spam and sell non-existent goods and services. They actively used YouTube and Instagram comments to place ads and links to potentially malicious pages, and created numerous social media accounts that they promoted by commenting on the posts of popular bloggers.

For added credibility, they left many fake comments on posts about hot topics. As the account gained a following, it began to post messages about promotions. For example, a sale of branded goods at knock-down prices. Victims either received a cheap imitation or simply lost their cash.

A similar scheme was used to promote get-rich-quick-online videos, coupled with gushing reviews from “newly flush” clients.

Another scam involved fake celebrity Instagram accounts. The “stars” asked fans to take a survey and get a cash payout or the chance to participate in a prize draw. Naturally, a small upfront fee was payable for this unmissable opportunity… After the cybercriminals received the money, the account simply disappeared.

Besides distributing links through comments on social networks, scammers utilized yet another delivery method in the shape of Google services: invitations to meetings sent via Google Calendar or notifications from Google Photos that someone just shared a picture were accompanied by a comment from the attackers with links to fake promotions, surveys, and prize giveaways.

Other Google services were also used: links to files in Google Drive and Google Storage were sent inside fraudulent e-mails, which spam filters are not always able to spot. Clicking such a link usually opened a file with adware (for example, fake pharmaceutical products) or another link leading to a phishing site or a form for collecting personal data.

Although Google and others are constantly working to protect users from scammers, the latter are forever finding new loopholes. Therefore, the main protection against such schemes is to pay careful attention to messages from unfamiliar senders.

Malicious transactions

In Q1, users of the Automated Clearing House (ACH), an electronic funds-transfer system that facilitates payments in the US, fell victim to fraudsters: we registered mailings of fake ACH notifications about the status of a payment or debt. By clicking the link or opening the attachment, the user risked infecting the computer with malware.

Anyone order bitcoin?

Cryptocurrency continues to be of interest to scammers. Alongside the standard fakes of well-known cryptocurrency exchanges, cybercriminals have started creating their own: such resources promise lucrative exchange rates, but steal either personal data or money.

Cryptocurrencies and blackmail

Whereas in 2018 cybercriminals tried to blackmail users by claiming to have malware-obtained compromising material on them, in 2019 e-mails began arriving from a “CIA agent” (the name varied) supposedly dealing with a case opened against the message recipient pertaining to the storage and distribution of pornographic images of minors.

The case, the e-mail alleged, was part of an international operation to arrest more than 2,000 pedophilia suspects in 27 countries worldwide. However, the “agent” happened to know that the recipient was a well-heeled individual with a reputation to protect, and for $10,000 in bitcoin would be willing to alter or destroy the dossier (all information about the victim to add credence to the e-mail was harvested in advance from social networks and forums). For someone genuinely afraid of the potential consequences, this would be a small price to pay.

Legal entities found themselves in an even more desperate situation when faced with similar threats. However, for them it was not about sextortion, but spamming. The blackmailers sent a message to the company using its public e-mail address or online feedback form in which they demanded a ransom in bitcoin. If refused, the attackers threatened to send millions of spam e-mails in the company’s name. This, the cybercriminals assured, would prompt the Spamhaus Project to recognize the resource as a spammer and block it forever.

Corporate sector in the crosshairs

The growing trend for attacks on the corporate sector is reflected not only in the attempts to cyber-blackmail companies. The reputation of many firms has been compromised by spam mailings through feedback forms. Having previously used such forms to attack the mailboxes of company employees, in 2019 cybercriminals evolved their methods.

As a result, messages about successful registration on a particular website were received by people who had never even heard of it. After finding a security hole in the site, spammers used a script to bypass the CAPTCHA system and mass-register users via the feedback form. In the Username field, the attackers inserted message text or a link. Consequently, the victim whose e-mail address was used received a registration confirmation e-mail from a legitimate sender, but containing a message from the scammers. Moreover, the company itself had no idea that this was going on.
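One defensive control for the registration-form abuse described above, added here as an example and not taken from the report or any vendor's code: a validator for the Username field that refuses message text and link-like values before a confirmation e-mail is generated. The function names, the character policy and the short TLD list are assumptions for illustration.

```python
import re

# Added example, not code from the Securelist report: server-side validation
# for a registration form's "Username" field, so the confirmation e-mail that
# echoes the username back can never carry attacker-supplied text or links.

MAX_USERNAME_LEN = 32
# Conservative character set: letters, digits, dot, underscore, hyphen.
ALLOWED = re.compile(r"^[A-Za-z0-9._-]+$")
# Hypothetical short list of TLDs used to catch bare domains such as "deal.xyz".
COMMON_TLDS = {"com", "net", "org", "info", "biz", "xyz", "ru", "cn", "io", "top"}


def validate_username(raw: str) -> tuple[bool, str]:
    """Return (ok, reason); ok is False for anything that reads as a message or link."""
    if not raw or raw != raw.strip():
        return False, "empty or padded with whitespace"
    if len(raw) > MAX_USERNAME_LEN:
        return False, "too long"
    if any(ch.isspace() for ch in raw):
        return False, "contains whitespace (looks like message text)"
    if not ALLOWED.match(raw):  # rejects "://", "@", "/", "?" and similar
        return False, "disallowed characters"
    labels = raw.lower().split(".")
    if len(labels) > 1 and labels[-1] in COMMON_TLDS:
        return False, "looks like a bare domain name"
    return True, "ok"


def confirmation_body(raw_username: str) -> str:
    """Compose the registration e-mail; never echo an unvalidated username."""
    ok, _ = validate_username(raw_username)
    name = raw_username if ok else "your new account"
    return f"Registration confirmed for {name}. If this wasn't you, ignore this e-mail."


if __name__ == "__main__":
    # Constructed sample inputs modelled on the abuse described in the report.
    for sample in ["john.doe", "WIN A PRIZE! visit http://promo.example",
                   "free-gift.xyz", "a" * 40]:
        print(f"{sample!r:50} -> {validate_username(sample)}")
```

Validation alone does not replace CAPTCHA hardening or rate limiting on the form; it only closes the channel that turns a legitimate confirmation e-mail into a spam carrier.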

A far more serious threat came from mailings masked as automatic notifications from services used to compile legitimate mailing lists: the scammers’ messages were carefully disguised as notifications about new voice messages (some business products have a feature for exchanging voice messages) or about incoming e-mails stuck in the delivery queue. To access them, the employee had to go through an authentication process, whereupon the corporate account credentials ended up in the hands of the attackers.

Scammers devised new methods to coax confidential data out of unsuspecting company employees, for example by sending e-mails requesting urgent confirmation of corporate account details or payment information, with a link conveniently supplied. If the user swallowed the bait, the authentication data for their account went straight to the cybercriminals.

Another attack aimed at the corporate sector employed a more complex scheme: the attackers tried to dupe e-mail recipients into thinking that the company management was offering a pay rise in exchange for taking a performance review.

The message appeared to come from HR and contained detailed instructions and a link to a bogus appraisal form. But before going through the procedure, the recipient had to enter a few details (in most cases it was specified that the e-mail address had to be a corporate one). After clicking the Sign in or Appraisal button, the entered credentials were duly forwarded to the attackers, granting them access to business correspondence, personal data, and probably confidential information too, which could later be used for blackmail or sold to competitors.

A simpler scheme involved sending phishing e-mails supposedly from services used by the company. The most common were fake notifications from HR recruiting platforms.

Statistics: spam

Proportion of spam in mail traffic

The share of spam in mail traffic in 2019 increased by 4.03 p.p. to 56.51%.

Proportion of spam in global mail traffic, 2019

The lowest figure was recorded in September (54.68%), and the highest in May (58.71%).

Sources of spam by country

In 2019, as in the year before, China retained its crown as the top spam-originating country. Its share grew significantly from the previous year (up 9.57 p.p.) to 21.26%. It remains ahead of the US (14.39%), whose share increased by 5.35 p.p. In third place was Russia (5.21%).

Fourth position went to Brazil (5.02%), despite shedding 1.07 p.p. Fifth place in 2019 was claimed by France (3.00%), and sixth by India (2.84%), which ranked the same as the year before. Vietnam (2.62%), fourth in the previous reporting period, moved down to seventh.

The TOP 10 is rounded out by Germany, dropping from third to eighth (2.61%, down by 4.56 p.p.), Turkey (2.15%), and Singapore (1.72%).

Sources of spam by country, 2019

Spam e-mail size

In 2019, the share of very small e-mails continued to grow, but less dramatically than the year before — by just 4.29 p.p. to 78.44%. Meanwhile, the share of e-mails sized 2–5 KB decreased against 2018 by 4.22 p.p. to 6.42%.

Spam e-mails by size, 2019

The share of larger e-mails (10–20 KB) changed insignificantly, down by 0.84 p.p. But there was more junk mail sized 20–50 KB: such messages accounted for 4.50% (+1.68 p.p.). In addition, the share of 50–100 KB e-mails rose by almost 1 p.p., amounting to 1.81%.

Malicious mail attachments

Malware families

Number of Mail Anti-Virus triggerings, 2019

In 2019, our security solutions detected a total of 186,005,096 malicious email attachments. November was the most active month with 19 million Mail Anti-Virus triggerings, while December was the “calmest” — with 7 million fewer.

TOP 10 malware families, 2019

In 2019, like the year before it, Exploit.Win32.CVE-2017-11882 malicious objects were the most commonly encountered malware (7.24%). They exploited a vulnerability in Microsoft Office that allowed arbitrary code to be executed without the user’s knowledge.

In second place is the Trojan.MSOffice.SAgent family (3.59%), whose members also attack Microsoft Office users. This type of malware consists of a document with a built-in VBA script that secretly loads other malware using PowerShell when the document is opened.

The Worm.Win32.WBVB family (3.11%), which includes executable files written in Visual Basic 6 and classed as untrusted by KSN, rose from fourth place in the rating to third.

Backdoor.Win32.Androm.gen (1.64%), which ranked second in the previous reporting period, dropped to fourth position. This modular backdoor is most often used to download malware onto the victim’s machine.

Fifth place in 2019 was taken by the Trojan.Win32.Kryptik family (1.53%). This verdict is assigned to Trojans that use anti-emulation, anti-debugging, and code obfuscation to make them difficult to analyze.

Trojan.MSIL.Crypt.gen (1.26%) took sixth place, while Trojan.PDF.Badur (1.14%) — a PDF that directs the user to a potentially dangerous site — climbed to seventh.

Eighth position fell to another malicious DOC/DOCX document with a malicious VBA script inside — Trojan-Downloader.MSOffice.SLoad.gen (1.14%), which, when opened, may download ransomware onto the victim’s computer.

In ninth place is Backdoor.Win32.Androm, and propping up the table is Trojan.Win32.Agent (0.92%).


Countries targeted by malicious mailings

As in the previous year, Germany took first place in 2019. Its share remained virtually unchanged: 11.86% of all attacks (+0.35 p.p.). Second place was claimed jointly by Russia and Vietnam (5.77% each) — Russia held this position in the previous reporting period, while Vietnam’s rise to the TOP 3 came from sixth position.

Countries targeted by malicious mailings, 2019

Lagging behind by just 0.2 p.p. is Italy (5.57%), while the UAE is in fifth place (4.74%), Brazil in sixth (3.88%), and Spain in seventh (3.45%). The TOP 10 is rounded out by the practically neck-and-neck India (2.67%), Mexico (2.63%), and Malaysia (2.39%).

Statistics: phishing

In 2019, the Anti-Phishing system was triggered 467,188,119 times on Kaspersky user computers as a result of phishing redirection attempts (15,277,092 fewer than in 2018). In total, 15.17% of our users were attacked.

Organizations under attack

The rating of organizations targeted by phishing attacks is based on the triggering of the heuristic component in the Anti-Phishing system on user computers. This component detects all instances when the user tries to follow a link in an e-mail or on the Internet to a phishing page in cases where that link has yet to be added to Kaspersky’s databases.

Rating of categories of organizations attacked by phishers

In contrast to 2018, in this reporting period the largest share of heuristic component triggers fell to the Banks category. Its share increased by 5.46 p.p. to 27.16%. Last year’s leader, the Global Internet Portals category, moved down a rung to second. Against last year, its share decreased by 3.60 p.p. (21.12%). The Payment Systems category remained in third place, its share in 2019 amounting to 16.67% (-2.65 p.p.).

Distribution of organizations subject to phishing attacks by category, 2019

Attack geography

Countries by share of attacked users

This period’s leader by percentage of attacked unique users out of the total number of users was Venezuela (31.16%).

Percentage of users on whose computers the Anti-Phishing system was triggered out of all Kaspersky users in the country, 2019


TOP 10 countries by share of attacked users

Country          Share of attacked users, %
Venezuela        31.16
Brazil           30.26
Greece           25.96
Portugal         25.63
Australia        25.24
Algeria          23.93
Chile            23.84
Réunion          23.82
Ecuador          23.53
French Guiana    22.94


Last year’s leader, Brazil (30.26%), this year found itself in second place, shedding 1.98 p.p. and ceding top spot to Venezuela (31.16%), which moved up from ninth position, gaining 11.27 p.p. In third place was TOP 10 newcomer Greece (25.96%).

Wrap-up

TV premieres, high-profile sporting events, and the release of new gadgets were exploited by scammers to steal users’ personal data or money.

In the search for new ways to bypass spam filters, attackers are developing new methods of delivering their messages. This year, they made active use of various Google services, as well as popular social networks (Instagram) and video hosting sites (YouTube).

Cybercriminals continue to use the topic of finance in schemes aimed at gaining access to users’ personal data, infecting computers with malware, or stealing funds from victims’ accounts.

The main trend of 2019 was the rise in the number of attacks on the corporate sector. Fraudulent schemes previously used to repeatedly attack ordinary users changed direction, adding new intricacies to cybercriminal tactics.
