Roman Dedenok – Securelist
https://securelist.com

Email crypto phishing scams: stealing from hot and cold crypto wallets
https://securelist.com/hot-and-cold-cryptowallet-phishing/110136/
Wed, 05 Jul 2023 10:00:09 +0000

As cryptocurrencies grow in popularity and new ways of storing them appear, the arsenal of tools used by malicious actors after digital money grows with them. Scammers tailor the complexity of the technology they use, and how carefully they imitate legitimate websites, to how well the target is protected and how much they stand to steal if successful. This story covers two fundamentally different email attacks on the two most popular ways of storing cryptocurrency: hot and cold wallets.

Hot wallets and attempts at hacking them

A hot wallet is a cryptocurrency wallet with permanent access to the internet. This is essentially any online service that provides cryptocurrency storage, ranging from crypto exchanges to specialized apps.

Hot wallets are a highly popular crypto storage option. This can be explained by the simplicity of creating one (registering with a wallet service is all you need to do) and the ease of withdrawing and converting funds. The popularity and simplicity of hot wallets make them cybercriminals’ main target. However, for this reason, and because hot wallets are always online, they are rarely used for storing large amounts. Hence, cybercriminals have little motivation to invest heavily in phishing campaigns, and the techniques used in email attacks on hot wallets are hardly ever original or complex. In fact, they look rather primitive and target mostly unsophisticated users.

A typical phishing scam aimed at a hot wallet user works as follows: the attackers send emails purporting to come from a well-known crypto exchange and asking the user to confirm a transaction or verify their wallet again.

Sample phishing email that targets Coinbase users

After the user clicks the link, they are redirected to a page where they are asked to enter their seed phrase. A seed phrase (recovery phrase) is a sequence of 12 (less commonly 24) words for recovering access to a crypto wallet. This is essentially the main password for the wallet. The seed phrase can be used for gaining or recovering access to the user’s account and making any transactions. The seed phrase cannot be changed or recovered: by misplacing it, the user risks losing access to their wallet for good, and by giving it to scammers, permanently compromising their account.

Seed phrase entry page

If the user enters the seed phrase on a fake web page, scammers get full access to the wallet and the ability to siphon all of the funds to their own addresses.

Fairly simple and devoid of software or social engineering tricks, scams like these typically target non-technical users. A seed phrase entry form usually has a stripped-down look: just an input field and a crypto exchange logo.

Phishing scams that target cold wallets

A cold wallet (cold storage) is a wallet without a permanent connection to the internet, such as a dedicated device or even just a private key written on a slip of paper. Hardware wallets are the most common type of cold storage. As these devices are offline most of the time and cannot be accessed remotely, users tend to store significantly larger amounts on them. That said, it would be a mistake to believe that a hardware wallet cannot be compromised without stealing it, or at least gaining physical access to it. As with hot wallets, scammers use social engineering techniques to get at users’ funds. We recently spotted an email campaign specifically aimed at the owners of hardware cold wallets.

This type of attack starts as a crypto email campaign: the user gets an email purporting to be from the Ripple cryptocurrency exchange and offering to join a giveaway of XRP tokens, the platform’s internal cryptocurrency.

Phishing email pretending to be from the Ripple cryptocurrency exchange

If the user clicks the link, they are presented with a blog page featuring a post that explains the rules of the “giveaway”. The post contains a direct link to “registration”.

Fake Ripple blog

Already at this point, the scam differs in a few ways from mass attacks on hot wallets: instead of sending the user a link straight to a phishing page, the scammers used a more sophisticated immersion trick with a blog post. They also went so far as to meticulously copy the design of the Ripple website and register a domain name that was nearly identical to the exchange’s official domain. This is called a Punycode phishing attack. At first glance, the second-level domain is identical to the original one, but a closer look reveals that the letter “r” has been replaced with a Unicode character, “ŗ” (r with a cedilla):

https://app[.]xn--ipple-4bb[.]net -> https://app[.]ŗipple[.]net/

Also, the scam site is hosted in the .net top-level domain, rather than .com, where the official Ripple website is located. This may not raise any red flags with the victim, though, as both domains are widely used by legitimate organizations.
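A defender-side look-alike check for the Punycode trick just described, as an added example and not code from the article: it decodes each xn-- label of a hostname, lists the non-ASCII characters in the second-level label, and strips diacritics to see whether the label collapses onto a protected brand name. The protected brand list is a constructed assumption for this example.

```python
import unicodedata

# Brand names the checker protects; constructed for this example. "ripple" is
# the brand impersonated by app.xn--ipple-4bb.net in the campaign above.
PROTECTED_BRANDS = {"ripple", "trezor", "ledger", "coinbase"}


def decode_hostname(hostname: str) -> str:
    """Turn every Punycode (xn--) label of a hostname into its Unicode form."""
    labels = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            # Python's punycode codec implements RFC 3492; "xn--" is the IDNA prefix.
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Strip diacritics so look-alike letters collapse onto their ASCII base.

    NFKD splits U+0157 "ŗ" into "r" followed by a combining cedilla; dropping
    the combining marks leaves a plain "r".
    """
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def suspicious_chars(label: str) -> list:
    """Non-ASCII characters in a label together with their Unicode names."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in label if ord(ch) > 127]


def check_hostname(hostname: str) -> dict:
    """Report whether the second-level label is a look-alike of a protected brand."""
    decoded = decode_hostname(hostname)
    labels = decoded.split(".")
    # Second-level label, e.g. "ŗipple" in "app.ŗipple.net"; the TLD is the last label.
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    sk = skeleton(sld)
    # A label that only *becomes* a brand name after stripping diacritics is a homograph.
    lookalike = sk if (sk in PROTECTED_BRANDS and sk != sld) else None
    return {
        "decoded": decoded,
        "non_ascii": suspicious_chars(sld),
        "skeleton": sk,
        "lookalike_of": lookalike,
        "verdict": "HOMOGRAPH" if lookalike else "ok",
    }


if __name__ == "__main__":
    # The scam domain from the article next to the brand's real .com domain.
    for host in ("app.xn--ipple-4bb.net", "ripple.com"):
        print(host, "->", check_hostname(host))
```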

After the user follows the link from the “blog” to the fake Ripple page, they are prompted to connect to the WebSocket address wss://s2.ripple.com.

Connection to the WebSocket address

Next, the user is prompted to enter the address of their XRP account.

Entering XRP account address

The website then prompts the user to choose an authentication method for receiving the bonus tokens.

Choosing an authentication method

As you can see, hardware wallets are at the top of the list, which is exactly what the scammers want. Selecting Trezor redirects the user to the official website trezor.io, which lets devices be connected to web apps via the Trezor Connect API. The API is used to simplify transactions made with a hardware wallet. The scammers want the victim to connect to their website so that they can withdraw the funds from the victim’s account.

When the user attempts to connect to the third-party website, Trezor Connect asks them to consent to anonymous data collection and to confirm that they want to connect to the website. The address of the scam site is displayed in Punycode form as https://app[.]xn--ipple-4bb[.]net. The scammers hope that the user overlooks the address, which is shown in small print on the side of the page.

Trezor Connect: confirming the connection to the scam site

Connecting via Ledger works much like Trezor, except that it uses the WebHID interface; the other steps are unchanged.

What happens after the user connects their hardware wallet? We had to look at the code of the phishing site a little to answer that question. The website is powered by an application written in Node.js that uses two APIs:

  • wss://s2.ripple.com, the official WebSocket address for Ripple transactions
  • The phishing site API, for example: app[.]xn--ipple-4bb[.]net/api/v1/action

The scammers use these two APIs to interact with the victim’s XRP account. The phishing site’s API talks to the WebSocket address, verifies account details, and requests funds. For this purpose, the scammers spin up one-off intermediate wallets.

Withdrawal request:

    {
      "command": "get_payment",
      "account": victim_address,
      "transactionType": "Payment"
    }

Response and description:

    {
      "success": true,
      "data": {
        "TransactionType": "Payment",
        "Account": victim_address,
        "Fee": "10",
        "Sequence": 391,
        "Destination": "rU53pnJzEv2mrtck…"*,
        "Flags": 2147483648,
        "Amount": "xxx",
        "LastLedgerSequence": 79548458
      }
    }

    * The scammers generate a new address every time

The intermediate account is used for just two things: to receive the victim’s funds and to forward these to the scammers’ permanent account. This helps to hide the final destination.
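The Payment above leaves the victim’s own account, which is the opposite of what a “giveaway” should do. As an added example (not the article’s or any wallet vendor’s code), here is a pre-signing sanity check for a Payment that a web app hands to a wallet, shaped like that response; the field names are the real XRPL Payment fields, while the addresses, amount and balance are constructed placeholders.

```python
# Added example: a first-pass review of an XRPL Payment before it is signed.
DROPS_PER_XRP = 1_000_000            # on-ledger XRP amounts are integer "drops"
TF_FULLY_CANONICAL_SIG = 0x80000000  # 2147483648, the only flag set in the sample
MAX_BALANCE_SHARE = 0.5              # warn when a payment moves more than half the balance


def drops_to_xrp(drops: str) -> float:
    """Convert a drop-count string such as "10" to XRP (0.00001)."""
    return int(drops) / DROPS_PER_XRP


def review_payment(tx: dict, own_account: str, known_destinations: set,
                   balance_drops: int) -> list:
    """Return human-readable warnings for a proposed Payment; [] means none.

    This is only a first filter: the hardware wallet's screen remains the
    authority on what is actually being signed.
    """
    warnings = []
    if tx.get("TransactionType") != "Payment":
        warnings.append(f"unexpected TransactionType {tx.get('TransactionType')!r}")
    if tx.get("Account") != own_account:
        warnings.append("Account does not match this wallet")
    destination = tx.get("Destination")
    if destination not in known_destinations:
        # The scammers mint a fresh destination per victim, so it is never a known one.
        warnings.append(f"Destination {destination!r} is not a known address")
    amount = tx.get("Amount")
    if not isinstance(amount, str) or not amount.isdigit():
        warnings.append(f"Amount {amount!r} is not a plain XRP drop count")
    elif balance_drops > 0:
        share = int(amount) / balance_drops
        if share > MAX_BALANCE_SHARE:
            warnings.append(
                f"Amount {drops_to_xrp(amount):.6f} XRP is {share:.0%} of the balance")
    # Any flag bit other than tfFullyCanonicalSig deserves a second look.
    extra_flags = int(tx.get("Flags", 0)) & ~TF_FULLY_CANONICAL_SIG
    if extra_flags:
        warnings.append(f"unexpected flag bits 0x{extra_flags:08x}")
    return warnings


# Constructed sample shaped like the article's response; the two addresses are
# placeholders, not real XRPL accounts, and the amount is made up.
OWN_ACCOUNT = "rVICTIMACCOUNTPLACEHOLDER"
SAMPLE_TX = {
    "TransactionType": "Payment",
    "Account": OWN_ACCOUNT,
    "Fee": "10",
    "Sequence": 391,
    "Destination": "rONEOFFSCAMDESTPLACEHOLDER",
    "Flags": 2147483648,
    "Amount": "2499990000",          # 2,499.99 XRP in drops (constructed)
    "LastLedgerSequence": 79548458,
}
SAMPLE_BALANCE_DROPS = 2_500_000_000  # 2,500 XRP (constructed)

if __name__ == "__main__":
    for warning in review_payment(SAMPLE_TX, OWN_ACCOUNT, set(), SAMPLE_BALANCE_DROPS):
        print("WARNING:", warning)
```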

Statistics

In the spring of 2023, Kaspersky antispam solutions detected and blocked 85,362 scam emails targeting cryptocurrency users. Scam email campaigns peaked in March, with 34,644 messages. We blocked 19,902 emails in April and 30,816 in May.

Number of detected phishing emails targeting cryptocurrency users in March–May 2023

Conclusion

Scammers understand one thing just fine: the harder it is to get to the loot, the bigger it is likely to be. Therefore, attacks on hardware wallets, which many consider bullet-proof, use far more sophisticated tactics than those employed against the users of online crypto storage services. Although hardware wallets are indeed more secure than hot wallets, users should not lower their guard. Check every detail carefully before giving any website access to your wallet, and refuse to connect if anything smells fishy.

How scammers employ IPFS for email phishing
https://securelist.com/ipfs-phishing/109158/
Mon, 27 Mar 2023 08:00:48 +0000

The idea of creating Web 3.0 has been around since the end of the 2000s. The new version of the world wide web is meant to fix the weak points of Web 2.0, among them featureless content, the prevalence of proprietary solutions, and the lack of safety in centralized user data storage, where a massive leak is likely if just one server is compromised. Web 3.0 is described as a decentralized and open internet; some of its features are already implemented in today’s digital world.

Unfortunately, the “new internet” will remain a playground for criminals, who will employ cutting-edge technologies for their old sport of data theft, financial fraud and the like. In this article, I will describe how they use one of the Web 3.0 technologies, the distributed file system IPFS, for email phishing attacks.

What is IPFS?

IPFS (InterPlanetary File System) is a peer-to-peer distributed file system that enables users around the world to exchange files. Unlike centralized systems, IPFS addresses content by unique content identifiers (CIDs) rather than by file paths. A CID is derived from the file’s hash value and recorded in a distributed hash table, which also contains information on the file’s owner. The file itself remains on the computer of the user who “uploaded” it to IPFS and is downloaded directly from that computer. The structure of IPFS is somewhat similar to the BitTorrent protocol, which is also a distributed network where files are exchanged directly between users’ devices.

By default, uploading a file to IPFS or downloading one from it requires special software (an IPFS client). So that users can view files residing in IPFS without installing any software, so-called gateways are provided. A gateway is simply a server with access to IPFS. To open a file via a gateway, a URL is needed that normally contains the gateway address, a reference to IPFS, and the file’s CID. URL formats can differ, for example:

  • https://gateway_address/ipfs/CID
  • https://CID.ipfs.gateway_address

Phishing and IPFS

In 2022, scammers began actively using IPFS for email phishing attacks. They would place HTML files containing a phishing form in IPFS and use gateways as proxies, so that victims could open the file whether or not they had an IPFS client on their device. The scammers would include gateway links to the file in phishing emails sent to would-be victims.

Using a distributed file system lets attackers cut phishing page hosting costs. Besides, files uploaded by third parties cannot be deleted from IPFS by anyone else. If somebody wants a file to disappear from the system completely, all they can do is urge its owners to delete it, a method that will probably never work with cybercriminals.

IPFS gateway providers attempt to combat IPFS phishing by regularly deleting links to fraudulent files.

Phishing page deletion notification

Yet detection and deletion of links at the gateway level does not always happen as quickly as the blocking of a phishing website, cloud form, or document. We have observed URLs of IPFS files that first appeared in October 2022 and remain operational at the time of this writing.

Phishing emails containing IPFS links are rarely original: they carry the typical phishing content whose purpose is to obtain the victim’s account login and password.

Phishing email with an IPFS link

It is a bit more interesting to examine the HTML pages the links lead to.

HTML page used for phishing

As can be seen in the screenshot above, the URL parameter contains the recipient’s email address. If it is modified, the page content changes too: the corporate logo above the phishing form and the email address pre-filled in the login field. In this way, one link can be used in several phishing campaigns targeting different users, sometimes even in dozens of campaigns.

Phishing page modification

The logo replacement is achieved with a simple piece of JavaScript. The script extracts the domain from the page’s URL parameter and substitutes it into the URL of a Google resource, from which a logo icon is then fetched.

Company logo substitution
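A mail-filter style detector for the two gateway URL shapes listed in the IPFS section and for the recipient-address parameter just described, as an added example and not code from the article. The gateway names, CIDs and address in the sample message are constructed, and the CID shape rules used to cut false positives (CIDv0 is “Qm” plus 44 base58 characters; a base32 CIDv1 starts with “b”) are my assumption, not something the article states.

```python
import re
from urllib.parse import urlparse, parse_qs

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# The two gateway shapes from the article: https://gateway/ipfs/CID and https://CID.ipfs.gateway
PATH_RE = re.compile(r"^/ipfs/([A-Za-z0-9]+)")
SUBDOMAIN_RE = re.compile(r"^([A-Za-z0-9]+)\.ipfs\.(.+)$")
# CID shapes (assumption, not from the article): CIDv0 = "Qm" + 44 base58 chars,
# CIDv1 in base32 starts with the multibase prefix "b".
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{20,})$")
EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[A-Za-z]{2,}$")


def parse_gateway_url(url: str):
    """Return (cid, gateway_host, style) for an IPFS gateway URL, else None."""
    p = urlparse(url)
    # Keep the host's case (base58 is case-sensitive); drop userinfo and port.
    host = p.netloc.rsplit("@", 1)[-1].split(":")[0]
    m = SUBDOMAIN_RE.match(host)
    if m and CID_RE.match(m.group(1)):
        return m.group(1), m.group(2), "subdomain"
    m = PATH_RE.match(p.path)
    if m and CID_RE.match(m.group(1)):
        return m.group(1), host, "path"
    return None


def personalization(url: str) -> dict:
    """Email addresses carried in query parameters, as on the page above, or in the fragment."""
    p = urlparse(url)
    found = {}
    for key, values in parse_qs(p.query).items():
        for value in values:
            if EMAIL_RE.match(value):
                found[key] = value
    if EMAIL_RE.match(p.fragment):
        found["#fragment"] = p.fragment
    return found


def scan_message(text: str) -> list:
    """Find IPFS gateway links in a message body and describe each one."""
    hits = []
    for url in URL_RE.findall(text):
        parsed = parse_gateway_url(url)
        if parsed is None:
            continue
        cid, gateway, style = parsed
        hits.append({
            "url": url,
            "cid": cid,
            "gateway": gateway,
            "style": style,
            "personalized": personalization(url),
        })
    return hits


# Constructed sample message: gateway names, CIDs and the address are placeholders.
SAMPLE_MESSAGE = """\
Your mailbox password expires today. Keep the same password here:
https://gw.example/ipfs/QmXyZ1234567ABCDEFGHJKMNPQRSTUVWXYZabcdefghijk/index.html?email=jane.doe@victim.example
Newsletter archive: https://www.example.org/news/
Alternate link: https://bafybeiconstructedsamplecidexample.ipfs.gw.example/
"""

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_MESSAGE):
        print(hit)
```

A hit whose "personalized" dictionary is non-empty is one template serving many recipients, which is worth a stronger verdict than the bare presence of a gateway link.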

Use of IPFS in targeted phishing attacks

The use of IPFS is not limited to mass mailing campaigns: it is used in complex targeted attacks too. Unlike ordinary ones, targeted phishing campaigns are much better prepared and normally focus on specific people within a company rather than random users.

Targeted phishing with an IPFS link

In the two examples above, the attacks were aimed at corporate procurement departments, with the emails purporting to come from sales managers of real organizations. The phishing page itself is unoriginal.

Phishing page used in a targeted attack

Statistics

In late 2022, we observed 2,000–15,000 IPFS phishing emails a day most of the time. But there were quieter days too: our systems registered only 637 such emails on December 1, and 937 on December 23. Starting this year, IPFS phishing began to grow in scale. We observed several upsurges in January and February with over 24,000 emails a day, with peaks reaching 34,000–37,000 a day. However, the flurry had gradually died down by mid-February, with the number of attacks mostly returning to November and December levels.

Dynamics of the number of IPFS phishing attacks, November 2022 – February 2023

Yet it is worth noting that February turned out to be the busiest month in terms of IPFS phishing activity. In that month alone, we observed almost 400,000 emails, more than 20,000 above the January figure and over 100,000 more than in November and December 2022.

IPFS phishing emails distribution by month, November 2022 – February 2023

Conclusion

Attackers have used and will continue to use cutting-edge technologies to reap profits. Of late, we have observed an increase in the number of IPFS phishing attacks, both mass and targeted. The distributed file system allows scammers to save money on domain purchases, and it is not easy to delete a file completely, although there are attempts to combat fraud at the IPFS gateway level. The good news is that anti-spam solutions detect and block links to phishing files in IPFS just like any other phishing links. In particular, Kaspersky products employ a number of heuristics to detect IPFS phishing.

Spam and phishing in 2022
https://securelist.com/spam-phishing-scam-report-2022/108692/
Thu, 16 Feb 2023 08:00:07 +0000

Figures of the year

In 2022:

  • 48.63% of all emails around the world and 52.78% of all emails in the Russian segment of the internet were spam
  • As much as 29.82% of all spam emails originated in Russia
  • Kaspersky Mail Anti-Virus blocked 166,187,118 malicious email attachments
  • Our Anti-Phishing system thwarted 507,851,735 attempts to follow phishing links
  • 378,496 attempts to follow phishing links were associated with Telegram account hijacking

Phishing in 2022

Last year’s high-profile global events

The year 2022 saw cybercrooks try to profit from new film releases and premieres, just as they always have. The bait included the most eagerly awaited and talked-about releases: the new season of Stranger Things, the new Batman movie, and the Oscar nominees. Short-lived phishing sites often offered a chance to watch premieres before the movie or television show was scheduled to hit the screen. Those who just could not wait were in for a disappointment and a waste of cash. The promises of completely free access to the new content were never true. By clicking what appeared to be a link to the movie, the visitor got to view the official trailer or a film studio logo. Several seconds into the “preview”, the stream was interrupted by an offer to buy an inexpensive subscription right there on the website to continue watching. If the movie lover entered their bank card details on the fake site, they risked paying more than the displayed amount for content that did not exist and sharing their card details with the scammers.

Some websites that offered soccer fans free broadcasts of the FIFA World Cup in Qatar employed a similar scheme, but the variety of hoaxes aimed at soccer fans proved to be wider than that used by scammers who attacked film lovers. Thus, during the World Cup a brand-new scam appeared: it offered users a chance to win a newly released iPhone 14 for predicting match outcomes. After answering every question, the victim was told that they were almost there, but there was a small commission to be paid before they could get their gadget. Of course, no prize ensued after the fee was paid.

Soccer fans chasing merchandise risked compromising their bank cards or just losing some money. Scammers created websites that offered souvenirs at low prices, including rare items that were out of stock in legitimate online stores. Those who chose to spend their money on a shady website risked never getting what they ordered.

Websites that offered tickets to the finals were another type of soccer-flavored bait. Scammers were betting on the finals typically being the most popular stage of the competition, tickets to which are often hard to get. Unlike legitimate ticket stores, the fake resellers were showing available seats in every sector even when the World Cup was almost over. The vast selection of available seats should have alarmed visitors: real tickets would have been largely gone by then.

Fake donation sites started popping up after the Ukraine crisis broke out in 2022, pretending to accept money as aid to Ukraine. These sites referenced public figures and humanitarian groups, offering to accept cash in cryptocurrency, something that should have raised a red flag in itself.

The pandemic

The COVID-19 theme had lost relevance by late 2022 as the pandemic restrictions had been lifted in most countries. At the beginning of that year, we still observed phishing attacks that used the themes of infection and prevention as the bait. For example, one website offered users a COVID vaccination certificate in exchange for entering their British National Health Service (NHS) account credentials. Others offered the coveted Green Pass without vaccination.

Scammers abused legitimate survey services by creating polls in the name of various organizations to profit from victims’ personal, including sensitive, data. In another COVID-themed scheme, the con artists introduced themselves as the Direct Relief charity, which helps to improve the quality of life and healthcare in poorer regions. Visitors were invited to fill out a form to be eligible for $750 per week in aid for twenty-six weeks. The survey page said the “charity” had found the victim’s telephone number in a database of individuals affected by COVID-19. Those who wished to receive the “aid” were asked to state their full name, contact details, date of birth, social security and driver’s license numbers, gender, and current employer, attaching a scanned copy of their driver’s license. To lend an air of authenticity and to motivate the victim to enter valid information, the swindlers warned that the victim could be prosecuted for providing false information. The scheme likely aimed at identity theft: the illegal use of others’ personal details for profit. The cybercrooks might also use the data to contact their victims later, staging a more convincing swindle.

Crypto phishing and crypto scams

The unabated popularity of cryptocurrency saw crypto scammers’ interest in wallet owners’ accounts growing, despite the fact that rates continued to drop throughout the year. Cybercriminals chased seed phrases, used for recovering access to virtual funds. By getting the user’s secret phrase, cybercriminals could get access to their cryptocurrency balance.

In a typical internet hoax manner, crypto scam sites offered visitors a chance to get rich quick by paying a small fee. Unlike common easy-money scams, these websites asked for payments in cryptocurrency, which they promised to give away and which they were actually trying to steal. The “giveaways” were timed to coincide with events that were directly or indirectly associated with cryptocurrency. Thus, one of the fake sites promised prizes on the occasion of Nvidia’s thirtieth anniversary (the company is a major vendor of graphics processing units, which are sometimes used for crypto mining). Promotion of cryptocurrency use was another pretext for the “giveaways”. Users were invited to deposit up to 100 cryptocurrency units for a promise to refund twice that amount, purportedly to speed up digital currency adoption. In reality, the scheme worked the way any other internet hoax would: the self-professed altruists went off the radar once they received the deposit.

Compensation, bonus, and paid survey scams

Bonuses and compensations are hard to deny in times of crisis and instability, but it is worth keeping in mind that “financial assistance” is frequently promised by con artists to swindle you out of your money.

“Promotional campaigns by major banks” were a popular bait in 2022. Visitors to a fraudulent web page were offered a one-time payment or a fee for taking a service quality survey. Unlike the prizes offered in the aforementioned crypto schemes, these fees were smaller: an equivalent of $30–40. The cybercriminals used an array of techniques to lull victims’ vigilance: company logos, assurances that the campaigns were legit, as well as detailed, lifelike descriptions of the offer. Similar “campaigns” were staged in the name of other types of organizations, for example, the Polish finance ministry.

Aid distributed by various governmental and nongovernmental organizations remained a popular fraud theme in 2022. For example, in Muslim countries, scammers promised to send charity packages, purportedly under a “Ramadan Relief” program aimed at helping low-income families during the Ramadan fast. The fasting period typically sees higher prices for food and household products, while those observing the fast buy more than they normally do and may be faced with a shortage of money. Legitimate charities, such as WF-AID, do operate Ramadan relief programs, and judging by the screenshot below, the fraudsters were pretending to represent that organization. An eye-catching picture of the organization’s logo and huge boxes was accompanied by a list of foodstuffs included in the aid package, with positive “recipient feedback” posted below the message. The victim was asked to make sure that their name was on the list of recipients so they could get a package. This required providing personal data on the website and sending a link to the scam site to instant messaging contacts, nothing extraordinary for hoaxes like this. This way, the scammers both populate their databases and have victims spread links to their malicious resources for them. In addition, they might ask the victim to cover the “shipping costs”.

Growing utility rates and an increase in the price of natural resources have prompted several governments to start discussing compensation for the population. Payout notices could arrive by mail, email, or as a text message. Cybercriminals attempted to take advantage of the situation by creating web pages that mimicked government websites, promising cash for covering utility payments or compensation of utility expenses. Visitors were occasionally asked to provide personal details under the pretext of checking that they were eligible, or simply to fill out a questionnaire. In Britain, con artists posing as a government authority promised to compensate electricity costs. The description of the one-time payout was copied from the official website of the authority, which did offer that type of compensation. After completing the questionnaire, the victim was asked to specify the electric utility whose services they were using and enter the details of the bank card linked to their account with the utility. The promise of £400 was supposed to make the victim drop their guard and share their personal information.

In Singapore, scammers offered a refund of water supply costs, purportedly because of double billing. An energy or resource crisis was not used as a pretext in this particular case, but refunds were still offered in the name of the water supply authority.

Fake online stores and large vendor phishing

We see fake websites that imitate large online stores and marketplaces year after year, and 2022 was no exception. Phishing attacks targeted both the customers of globally known retailers and regional players. An attack often started with the victim receiving a link to a certain product supposedly offered at an attractive price, by email, in an instant messaging app, or on a social network. Those who fell for the trick could lose access to their accounts, have their bank card details stolen, or waste the money they wanted to spend on the dirt-cheap item.

“Insider information” about “private sales” was also used as a lure. Thus, a web page that copied the appearance of a Russian marketplace promised discounts of up to 90% on all items listed on it. The page design did look credible, with the only potential red flags being the really low prices and the URL in the address bar not matching the official one.

Many large vendors, notably in the home appliances segment, announced in early spring that they would be pulling out of Russia, which caused a spike in demand. This was reflected in the threat landscape, with fake online stores offering home appliances popping up all over the Russian segment of the internet (also called Runet). Large retailers being out of stock, combined with unbelievably low prices, made these offers especially appealing. The risk associated with making a purchase was to lose a substantial amount of money and never to receive what was ordered.

Hijacking of social media accounts

Users of social media have increasingly focused on privacy lately. That said, curiosity is hard to contain: people want to check out who has been following them, but do so without the other party knowing. Cybercriminals who were after their account credentials offered victims a way to have their cake and eat it too, by using some new social media capability. A fake Facebook Messenger page promised to install an update that could change the user’s appearance and voice during video calls, and track who has been viewing their profile, among other features. To get the “update”, the victim was asked to enter their account credentials, which the scammers immediately took over.

Many Instagram users dream about the Blue Badge, which stands for verified account and is typically reserved for large companies or media personalities. Cybercriminals decided to take advantage of that exclusivity, creating phishing pages that assured visitors their verified status had been approved and all they needed to do was to enter their account logins and passwords.

Russia blocked access to both Facebook and Instagram in March 2022, which led to the popularity of Russian social networks and Telegram skyrocketing. This increased usage meant the users’ risk of losing personal data was now higher, too. “Well-wishers” who operated scam sites offered to check whether Russian social media contained any embarrassing materials on the victim. The scam operators told users it was possible to find damaging information about every third user of a social network by running a search. If the user agreed to have a search run for them, they were told that a certain amount of dirty linen had indeed been found. In reality, there was no search: the scammers simply stole the credentials they requested for the check.

One of the added risks of social media phishing is scammers getting access to both the social media account itself and any linked services.

The Telegram Premium status provides a range of benefits, from an ad-free experience to an ability to block incoming voice messages, but the subscription costs money. Scammers offered to “test” a Premium subscription free of charge or simply promised to give one for free if the victim entered their Telegram user name and password or a verification code sent by the service, which was exactly what the cybercrooks were after.

One more phishing campaign targeting Telegram users was arranged to coincide with the New Year’s celebration. Scammers created a page on the telegra.ph blogging platform that posted a gallery of children’s drawings, encouraging users to vote for their favorites. Scammers sent a link to that page from hacked accounts, asking users to vote for their friends’ kids’ works. Those who took the bait were directed to a fake page with a login form on it. The cybercriminals were betting on users going straight to voting without checking the authenticity of the drawings, which had been copied from various past years’ competition pages, as requests to vote for one’s friends’ kids are common before public holidays.

The Telegram auction platform named Fragment went live in October 2022, selling unique usernames. You can become a user by linking your Telegram account or TON wallet. Scammers who were after those account details sent out links to fake Fragment pages. A visitor who tried to buy a username from the fake website was requested to log in. If the victim entered their credentials, the scam operators immediately grabbed them.

Spam in 2022

The pandemic

Unlike phishing, COVID-themed spam is still a thing. Most of that is “Nigerian-type” scams: millionaires dying from COVID bequeathing their money to treatment and prevention efforts, and to improve the lives of those who have recovered, or Mark Zuckerberg running a special COVID lottery where one can win a million euros even if they are not a Facebook user. Recipients are told that they could claim some IMF money left unallocated because of the pandemic. Others are offered hefty amounts under an anti-recession assistance program.

The volume of spam exploiting the coronavirus theme in some way dropped noticeably during 2022: at the beginning of the year, we were blocking a million of these emails per month, but by year-end the figure had shrunk threefold.

Contact form spam

The year 2022 saw cybercriminals abuse contact forms for spam more frequently. In a typical scheme of this kind, scammers find websites that offer registration, contact, or support request forms that do not require the user to be logged in to submit, and do not check the data entered. In some cases, they insert a scam message with a hyperlink in the login or name fields, and in others, add a longer text with images to the message field. Then the attackers add victims’ email addresses to the contact fields and submit. When getting a message via a registration or contact form, most websites reply to the user’s email address that their request was received and is being processed, their account has been created, and so on. As a result, the person gets an automated reply from an official address of a legitimate organization, containing unsolicited advertisements or a scam link.
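As an added illustration of the abuse described above (not code from the report), the following Python sketch screens a contact-form submission for the tell-tale signs of this scheme and contrasts an auto-reply that echoes user-supplied fields with one that does not; the field names, lure keyword list and sample submissions are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches anything that looks like a link a scammer wants echoed back to the
# victim: explicit URLs, bare www hosts, or a domain with a common TLD.
URL_RE = re.compile(
    r"https?://\S+|www\.\S+|\b[a-z0-9-]+\.(?:com|net|org|ru|xyz|top|fun)\b",
    re.IGNORECASE,
)
# Constructed lure vocabulary (assumption); extend it from your own samples.
LURE_WORDS = ("refund", "compensation", "prize", "payout", "vat", "bonus")


@dataclass
class Submission:
    name: str
    email: str      # the address the site will auto-reply to
    message: str


def contact_form_risk(sub: Submission, max_name_len: int = 64) -> List[str]:
    """Return the reasons a submission looks like contact-form spam.

    An empty list means nothing suspicious was found. The checks target the
    trick described in the report: scam text placed in a field the site will
    echo back to whatever address was typed into the email field.
    """
    reasons = []
    if URL_RE.search(sub.name):
        reasons.append("url_in_name")
    if len(sub.name) > max_name_len or "\n" in sub.name:
        reasons.append("name_not_a_name")
    body = sub.message.lower()
    if URL_RE.search(sub.message) and any(w in body for w in LURE_WORDS):
        reasons.append("lure_with_link_in_message")
    return reasons


def auto_reply_unsafe(sub: Submission) -> str:
    """The pattern the scammers rely on: user-supplied fields echoed verbatim."""
    return (f"Dear {sub.name},\n\nWe received your message:\n\n{sub.message}\n\n"
            "Our team will get back to you shortly.")


def auto_reply_safe(sub: Submission, ticket_id: str) -> str:
    """Acknowledge receipt without repeating anything the submitter typed."""
    return (f"Your request has been received and assigned ticket {ticket_id}. "
            "Our team will get back to you shortly.")


def handle_submission(sub: Submission, ticket_id: str) -> Optional[str]:
    """Return the reply to send, or None if no e-mail should be generated."""
    if contact_form_risk(sub):
        return None   # never mail the supplied address for a suspicious entry
    return auto_reply_safe(sub, ticket_id)


# Constructed samples: one genuine enquiry, one contact-form scam.
LEGIT = Submission("Anna Weber", "anna@example.com",
                   "Hello, I would like a quote for 200 units of part A-17.")
SCAM = Submission(
    name="You are owed a VAT refund of 4200 USD. Claim at http://refund-now.example/x",
    email="victim@example.net",   # the victim's address, not the scammer's
    message="VAT compensation pending, claim here: http://refund-now.example/x",
)

if __name__ == "__main__":
    for label, sub in (("legit", LEGIT), ("scam", SCAM)):
        print(label, contact_form_risk(sub))
    print(handle_submission(LEGIT, "T-1001"))
    print(handle_submission(SCAM, "T-1002"))
```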

Most scam messages offer compensation or a prize to the recipient. For example, a spam email targeting Russian users promised the equivalent of $190–4200 in VAT refunds. To get the money, the victim was told to open the link in the message. The scheme is a classic: the linked web page asks the user to pay a commission of under a dozen dollars, which is insignificant compared to the promised refund. We observed many varieties of the contact form money scam, from fuel cards to offers to make money on some online platform.

Scammers took advantage of forms on legitimate sites all around the world. Where spam email in Russian typically played on “prizes” or “earning money”, messages in other languages, in addition to offering “prizes”, encouraged users to visit “dating sites” — in fact, populated by bots — where the victims would no doubt be asked to pay for a premium account.

We blocked upward of a million scam emails sent via legitimate forms in 2022.

Blackmail in the name of law enforcement agencies

Extortion spam is nothing new. In such emails, attackers usually claim that the recipient has broken the law and demand money. In 2022, these mailings not only continued, but also evolved. For example, there was virtually no text in the messages: the user was either asked to open an attached PDF file to find out more, or they received threats in the form of an image with text. In addition, the geography of mailings widened in 2022.

The essence of the message, as in similar emails sent earlier, was that a criminal case was going to be opened against the recipient due to allegedly visiting sites containing child pornography.

To avoid serious consequences, the attackers urged the victim to respond as soon as possible to the sender and “settle the matter”. Most likely, the scammers would ask for a certain amount of money to be paid in further correspondence for the victim’s name to be removed from the “criminal case”. In 2022, we blocked over 100,000 blackmail emails in various countries and languages, including French, Spanish, English, German, Russian and Serbian.

Exploiting the news

Spammers constantly use major world events in their fraudulent schemes. The 2022 geopolitical crisis was no exception. Throughout the year, we saw mailings aimed at English-speaking users proposing transferring money, usually to a Bitcoin wallet, to help the victims of the conflict in Ukraine. Scammers often demand the transfer of money to Bitcoin wallets, as it is more difficult to trace the recipient through cryptocurrency transactions than through bank transfers. Blackmail demanding payment in cryptocurrency used to prevail in spam. Now, attackers have started collecting Bitcoin for charity.

The news agenda was also used in other scam mailings. For example, in early July, our solutions blocked 300,000 emails where fraudsters were requesting help on behalf of a Russian millionaire, who allegedly wanted to invest money and avoid sanctions. Another mailing said that the European Commission had decided to give away a fund created by Russian oligarchs, and the email recipient might be lucky to get a piece of this pie.

More and more “business offers” are appearing among spam mailings, and they exploit the current information agenda. Due to economic sanctions in 2022, enterprising businessmen offered replacements for goods and services from suppliers who left the Russian market. For example, spammers actively advertised services of a company transporting people to Russia. The email text emphasized the fact that many transport companies refused to provide such services.

There were also spam mailings where various companies offered to replace popular international software with Russian equivalents or solutions developed in third countries. In addition, there were spam propositions for intermediary services to open a company or bank account in neighboring countries, such as Armenia, as well as offers of assistance in accepting payments from foreign partners.

The shortage of printer paper in Russia in March and April 2022 spawned a wave of related ads offering paper at discount prices.

Spammers in 2022 also actively marketed their promotional mailing services as alternative advertising to unavailable promotion via platforms such as Instagram. For example, in April we blocked around a million such mailings.

Against the backdrop of sanctions and the accompanying disruption of supply chains, there has been an increase in spam offering goods and services from Chinese suppliers. In 2022, our filter blocked more than 3.5 million emails containing such offers, and the number of them was growing, from around 700,000 in the first quarter to more than a million in the fourth.

Spam with malicious attachments

Employees shifting to remote work during the pandemic and the associated growth of online communications spurred the active development of various areas of phishing, both mass and targeted. Attackers have become more active in imitating business correspondence, not only targeting HR specialists and accountants, as before the pandemic, but also employees in other departments. In 2022, we saw an evolution of malicious emails masquerading as business correspondence. Attackers actively used social engineering techniques in their emails, adding signatures with logos and information from specific organizations, creating a context appropriate to the company’s profile, and applying business language. They also actively exploited the current news agenda and mentioned real employees from the company supposedly sending the emails. Spammers faked their messages as internal company correspondence, business correspondence between different organizations, and even as notifications from government agencies.

Masking malicious emails as business correspondence has become a major trend in malicious spam in 2022. Attackers tried to convince the recipient that it was a legitimate email, such as a commercial offer, a request for the supply of equipment, or an invoice for the payment of goods. For example, throughout the year, we encountered the following scheme. Attackers gained access to real business correspondence (most likely by stealing correspondence from previously infected computers) and sent malicious files or links to all of its participants in response to the previous email. This trick makes it harder to keep track of malicious emails, and the victim is more likely to fall for it.

In most cases, either the Qbot Trojan or Emotet was loaded when the malicious document was opened. Both can be used to steal user data, collect information about the corporate network, and spread additional malware, such as ransomware. Qbot also lets attackers access the victim’s emails and steal them for use in further attacks.

Mailings imitating notifications from various ministries and other government organizations have become more frequent in the Runet. Emails were often designed to take into account the specific activities of the organizations they were pretending to be. The sender’s addresses copied the logic of email addresses in the relevant agencies, and the malicious attachment was disguised as some kind of specialized document, such as “key points of the meeting”. For example, malicious code was found in one of these mailings that exploited a vulnerability in the Equation Editor module, the formula editor in Microsoft Office.

The perpetrators did not ignore the news agenda. In particular, the malware was distributed under the guise of call-up “as part of partial mobilization” or as a “new solution” to safeguard against possible threats on the internet “caused by hostile organizations”.

In the second case, the program installed on the victim’s computer was in fact a crypto-ransomware Trojan.

Two-stage spear phishing using a known phish kit

In 2022, we saw an increase in spear (or targeted) phishing attacks targeting businesses around the world. In addition to typical campaigns consisting of one stage, there were attacks in several stages. In the first email, scammers in the name of a potential client asked the victim to specify information about its products and services. After the victim responds to this email, the attackers start a phishing attack.

Key facts:

  • Attackers use fake Dropbox pages created using a well-known phishing kit
  • The campaign targets the sales departments of manufacturers and suppliers of goods and services
  • Attackers use SMTP IP addresses and From domains provided by Microsoft Corporation and Google LLC (Gmail)

Statistics

The campaign began in April 2022, with malicious activity peaking in May, and ended by June.

Number of emails related to a two-step targeted campaign detected by Kaspersky solutions (download)

How a phishing campaign unfolds

Attackers send an email in the name of a real trade organization requesting more information about the victim company’s products. The email text looks plausible and has no suspicious elements, such as phishing links or attachments. A sender’s email address from a free domain, like gmail.com, may raise doubts. The email in the screenshot below is sent from an address in this domain, and the company name in the From field differs from the name in the signature.

Example of the first email


It is worth noting that the use of free domains is not typical for spear phishing in the name of organizations, because such domains are rarely used in business. Most often in targeted attacks, attackers either spoof the legitimate domain of the organization they are pretending to be, or register domains similar to the original one. In addition, Google and Microsoft are pretty quick to block email addresses spotted sending spam. This is the most likely reason why the attackers used different addresses in the From header (where the email came from) and the Reply-To header (where the reply goes when you click “Reply” in your email client). As a result, the victim responds to another address, which may be located in another free domain, such as outlook.com. The address in the Reply-To header is not used for sending spam, and correspondence with it is initiated by the victim, so it is less likely to be blocked quickly.
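The header tricks described above can be checked mechanically. The following Python example (added here, not from the report) parses a constructed first-stage email and flags a free-mail From domain, a Reply-To domain that differs from it, and a From display name that does not match the company named in the signature; the organization names, addresses, free-mail list and signature heuristic are all assumptions.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import List

# Assumed list of free webmail domains; extend as needed.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Heuristic: a signature line naming a company usually ends in a legal suffix.
ORG_SUFFIX_RE = re.compile(r"\b(?:ltd|llc|inc|gmbh|corp|plc|ag)\b\.?", re.IGNORECASE)

# Constructed sample modelled on the first-stage email described above
# (the organization, people and addresses are invented).
SAMPLE_EMAIL = b"""\
From: "Northwind Trading" <northwind.purchasing@gmail.com>
Reply-To: "Northwind Trading" <nw.purchase.dept@outlook.com>
To: sales@example-supplier.test
Subject: Request for product information
Content-Type: text/plain; charset=utf-8

Hello,

We are interested in your product range. Could you send your catalogue
and price list?

Best regards,
John Smith
Purchasing Manager
Contoso Industrial Supplies Ltd.
"""

# Constructed legitimate enquiry for comparison: company domain, no Reply-To,
# display name matching the signature.
CLEAN_EMAIL = b"""\
From: "Contoso Industrial Supplies" <purchasing@contoso-supplies.test>
To: sales@example-supplier.test
Subject: Request for product information
Content-Type: text/plain; charset=utf-8

Hello,

Could you send your catalogue and price list?

Best regards,
John Smith
Contoso Industrial Supplies Ltd.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def signature_org(body: str) -> str:
    """Last body line that looks like a company name (heuristic)."""
    for line in reversed(body.strip().splitlines()):
        if ORG_SUFFIX_RE.search(line):
            return line.strip()
    return ""


def same_org(display_name: str, org_line: str) -> bool:
    """True if a distinctive word of the From display name appears in the signature."""
    words = {w.lower() for w in re.findall(r"[A-Za-z]{4,}", display_name)}
    return any(w in org_line.lower() for w in words)


def first_stage_indicators(raw: bytes) -> List[str]:
    """Return the suspicious traits found in a candidate first-stage email."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    indicators = []
    if from_dom in FREE_MAIL_DOMAINS:
        indicators.append("from_free_mail_domain")
    if reply_addr and reply_dom != from_dom:
        indicators.append("reply_to_domain_differs")
        if reply_dom in FREE_MAIL_DOMAINS:
            indicators.append("reply_to_free_mail_domain")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    org = signature_org(body)
    if from_name and org and not same_org(from_name, org):
        indicators.append("sender_name_differs_from_signature")
    return indicators


if __name__ == "__main__":
    print("sample:", first_stage_indicators(SAMPLE_EMAIL))
    print("clean:", first_stage_indicators(CLEAN_EMAIL))
```

None of these traits alone proves anything; together they are a reasonable trigger for closer review before a sales team replies with internal details.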

After victims respond to the first email, attackers send a new message asking them to go to a file-sharing site and view a PDF file with a completed order, which is available via the link.

An email with a phishing link


By clicking the link, the user is taken to a fake site generated by a well-known phishing kit. It is a fairly simple tool that generates phishing pages to steal credentials from specific resources. Our solutions blocked fake WeTransfer and Dropbox pages created with this kit.

A fake WeTransfer page created using the same phish kit as the target campaign sites


In the phishing campaign described above, the phishing site mimics a Dropbox page with static file images and a download button. After clicking any element of the interface, the user is taken to a fake Dropbox login page that requests valid corporate credentials.

A fake Dropbox page


Login page with a phishing form


When victims attempt to log in, their usernames and passwords are sent to https://pbkvklqksxtdrfqkbkhszgkfjntdrf[.]herokuapp[.]com/send-mail.

<form name="loginform">
  <div class="form-group">
    <label for="">Email Address</label>
    <input type="email" id="email" class="form-control" name="email" placeholder="email Address">
    <div class="email-error"></div>
  </div>
  <div class="form-group">
    <label for="">Password</label>
    <input type="password" id="password" class="form-control" name="password" placeholder="Password">
    <div class="password-error"></div>
  </div>
  <div class="form-group btn-area">
    <button class="download-btn" id="db" type="submit">Download</button>
  </div>
</form>
</div>
<script src="https://firebasestorage.googleapis.com/v0/b/linktopage-c7fd6.appspot.com/o/obfuscated.js?alt=media&amp;token=1bb73d28-53c8-4a1e-9b82-1e7d62f3826b"></script>

HTML representation of a phishing form

Victims

We have identified targets for this campaign around the world, including the following countries: Russia, Bosnia and Herzegovina, Singapore, USA, Germany, Egypt, Thailand, Turkey, Serbia, Netherlands, Jordan, Iran, Kazakhstan, Portugal, and Malaysia.

Statistics: spam

Share of spam in mail traffic

In 2022, an average of 48.63% of emails worldwide were spam, representing a 3.07 p.p. increase on 2021. Over the course of the year, however, the share of spam in global email traffic gradually declined, from 51.02% in the first quarter to 46.16% in the fourth.

Share of spam in global email traffic, 2022 (download)

The most active month in terms of spam was February 2022, with junk traffic accounting for 52.78% of all email correspondence. June was in second place (51.66%). December was the calmest: only 45.20% of emails that month were spam.

On Runet, the proportion of spam in email traffic is generally higher than worldwide. In 2022, an average of 52.44% of emails were junk mailings. At the same time, the trend for a gradual shift in ratio in favor of legitimate correspondence can also be seen. We saw the largest share of spam in Runet in the first quarter, with 54.72% of all emails, and by the fourth quarter it had dropped to 49.20%.

Proportion of spam in Runet email traffic, 2022 (download)

Even though the second quarter (53.96%) was quieter in terms of spam than the first, the most active month in the Russian segment of the internet was June (60.16%). Most likely, the share of spam in June, both in Russia and globally, was influenced by the surge in mailings with offers from Chinese factories that we observed in that month. And the quietest month in Runet was December (47.18%), the same as globally.

Countries and territories — sources of spam

In 2022, the share of spam from Russia continued to grow, from 24.77% to 29.82%. Germany (5.19%) swapped places with mainland China (14.00%), whose share increased by 5.27 percentage points. Third place is still held by the United States (10.71%).

TOP 20 countries and territories — sources of spam, 2022 (download)

The Netherlands remained in fifth place (3.70%), although its share decreased compared to 2021. Sixth and seventh places went to Japan (3.25%) and Brazil (3.18%), whose shares rose by 0.89 and 3.77 p.p., respectively. Next come the UK (2.44%), France (2.27%) and India (1.82%).

Malicious mail attachments

In 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments. That’s an increase of 18 million from the previous year. This component caused most triggers in March, May, and June 2022.

Number of Mail Anti-Virus hits, January — December 2022 (download)

The most common malicious email attachments in 2022, as in 2021, were Agensla Trojan stealers (7.14%), whose share decreased slightly. Noon spyware (4.89%) moved up to second place, and Badun Trojans (4.61%), spread as archived electronic documents, moved down to third place. Fourth place went to exploits for CVE-2018-0802 (4.33%) in Microsoft Equation Editor. In 2022, attackers used them significantly more often than exploits for CVE-2017-11882 (1.80%) in the same component; the latter vulnerability was more widespread in 2021 and has now dropped to tenth place.

TOP 10 malware families spread by email attachments in 2022 (download)

ISO Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the Guloader downloader family (2.65%), which delivers remotely controlled malware to victims’ devices. They are closely followed by the Badur family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous Emotet botnet (2.52%). Law enforcement shut this down in early 2021, but by fall, attackers had restored the infrastructure and were actively distributing it in 2022. More recently, Emotet has been used to deliver other malware to victims’ devices, particularly ransomware. The ninth most popular family was Taskun (2.10%), which creates malicious tasks in the task scheduler.

TOP 10 types of malware spread by email attachments in 2022 (download)

The list of the most common malware sent via email usually corresponds to the list of families. As in 2021, attackers mostly distributed the same instances from the TOP 10 families.

Countries and territories targeted by malicious mailings

Spain remains the leader in terms of blocked malicious attachments in 2022 (8.78%), which is a slight decrease compared to 2021 (9.32%). The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%), and fourth place to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.

TOP 20 countries and territories targeted by malicious mailings, 2022 (download)

In Italy, 4.76% of all detected malicious attachments were blocked in 2022. The country is followed by Vietnam (4.43%) and Turkey (4.31%). The percentage of Mail Anti-Virus detections on computers of users from Germany (3.85%) continued to decrease. The share in the United Arab Emirates (3.41%) also decreased slightly, dropping to ninth place, while Malaysia (2.98%) remained in tenth place.

Statistics: phishing

In 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.

Map of phishing attacks

In 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices from Vietnam (17.03%). In 2021, this country was not among the TOP 10 most attacked countries and territories. Macau is in second place (13.88%), also absent from last year’s ranking. Madagascar is in third place (12.04%), which was seventh in 2021. In addition to Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) appeared at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh. Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.

TOP 10 countries and territories by share of attacked users:

Country/territory Share of attacked users*
Vietnam 17.03%
Macau 13.88%
Madagascar 12.04%
Algeria 11.05%
Ecuador 11.05%
Malawi 10.91%
Brunei 10.59%
Brazil 10.57%
Morocco 10.43%
Portugal 10.33%

* Share of users encountering phishing out of the total number of Kaspersky users in that country/territory, 2022

Top-level domains

As in previous years, the majority of phishing pages were hosted in the COM domain zone, but its share almost halved, from 31.55% to 17.69%. Zone XYZ remained in second place (8.79%), whose share also decreased. The third most popular domain among attackers was FUN (7.85%), which had not previously received their attention. The domain is associated with entertainment content, which is perhaps what attracted fraudsters to it.

Most frequent top-level domains for phishing pages in 2022 (download)

Domains ORG (3.89%) and TOP (1.80%) swapped places relative to 2021 but remained in fourth and fifth places. In addition to this, the top ten domain zones in most demand among cybercriminals included: RU (1.52%), COM.BR (1.13%), DE (0.98%), CO.UK (0.98%) and SE (0.92%).

Organizations under phishing attacks

The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.

In 2022, pages impersonating delivery services had the highest percentage of clicks on phishing links blocked by our solutions (27.38%). Online stores (15.56%), which were popular with attackers during the pandemic, occupied second place. Payment systems (10.39%) and banks (10.39%) ranked third and fourth, respectively.

Distribution of organizations targeted by phishers, by category, 2022 (download)

The share of global internet portals (8.97%) almost halved, with almost as many phishing resources targeting users of smaller web services (8.24%). Social networks (6.83%), online games (2.84%), messengers (2.02%) and financial services (1.94%) complete the TOP 10 categories of sites of interest to criminals.

Hijacking Telegram accounts

In 2022, our solutions stopped 378,496 phishing links aimed at hijacking Telegram accounts. Apart from a spike in phishing activity throughout June, when the number of blocked links exceeded 37,000, the first three quarters were relatively quiet. However, by the end of the year, the number of phishing attacks on the messenger’s users increased dramatically to 44,700 in October, 83,100 in November and 125,000 in December. This increase is most likely due to several large-scale Telegram account hijacking campaigns that we observed in late 2022 (article in Russian).

Number of clicks on phishing links aimed at hijacking a Telegram account worldwide, and in Russia specifically, January — December 2022 (download)

It is of note that the majority of phishing attacks were aimed at users from Russia. While in the first months of 2022 their share was approximately half of the total number of attacks worldwide, from March onward 70–90% of all attempts to follow phishing links by Telegram users were made by Russian users.

Phishing in messengers

Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them.

In 2022, our mobile solution blocked 360,185 attempts to click on phishing links from messengers. Of these, 82.71% came from WhatsApp, 14.12% from Telegram and another 3.17% from Viber.

Distribution of links blocked by the Safe Messaging component, by messenger, 2022 (download)

Phishing activity on WhatsApp is down slightly since 2021. On average, the Safe Messaging component blocked 816 clicks on fraudulent links per day. The first half of the year was the most turbulent, and by the third quarter, phishing activity in the messenger had dropped sharply.

Dynamics of phishing activity on WhatsApp in 2022 (weekly number of detected links shown)


The largest number of phishing attempts on WhatsApp, approximately 76,000, was recorded in Brazil. Russia is in second place, where over the year, the Chat Protection component prevented 69,000 attempts to go to fraudulent resources from the messenger.

TOP 7 countries and territories where users most often clicked phishing links in WhatsApp (download)

Unlike WhatsApp, Telegram saw the number of phishing attacks almost triple in 2022 compared to the previous reporting period. On average, our solutions blocked 140 attempts to follow phishing links in this messenger per day. The peak of activity came at the end of June and beginning of July, when the number of blocked clicks exceeded 1,500 per week. Phishing activity on Telegram also increased sharply at the end of the year.

Dynamics of phishing activity on Telegram in 2022 (weekly number of detected links shown)


In Russia, we recorded the largest number (21,000) of attempts to click a link to fraudulent resources from Telegram. Second place went to Brazil, where 3,800 clicks were blocked.

TOP 7 countries and territories where users most frequently clicked phishing links from Telegram (download)

Conclusion

Times of crisis create the preconditions for crime to flourish, including online. Scams promising compensation and payouts from government agencies, large corporations and banks are likely to remain popular among cybercriminals next year. The unpredictability of the currency market and departure of individual companies from specific countries’ markets will likely affect the number of scams associated with online shopping. At the same time, the COVID-19 topic, popular with cybercriminals in 2020 and 2021, but already beginning to wane in 2022, will finally cease to be relevant and will be replaced by more pressing global issues.

Recently, we’ve seen an increase in targeted phishing attacks where scammers don’t immediately move on to the phishing attack itself, but only after several introductory emails where there is active correspondence with the victim. This trend is likely to continue. New tricks are also likely to emerge in the corporate sector in 2023, with attacks generating significant profits for attackers.

Web beacons on websites and in e-mail https://securelist.com/web-beacons-on-websites-and-in-email/108632/ https://securelist.com/web-beacons-on-websites-and-in-email/108632/#respond Tue, 07 Feb 2023 08:00:09 +0000 https://kasperskycontenthub.com/securelist/?p=108632

There is a vast number of trackers gathering information about users’ online activities. For all intents and purposes, we have grown accustomed to online service providers, marketing agencies, and analytics companies tracking our every mouse click, our social posts, and our browser and streaming history. The collected data can be used to improve user interfaces or the overall user experience, or to personalize ads.

There exist various types of trackers meant for collecting different types of information: advertising (AdAgency) trackers, analytics (WebAnalytics) trackers, and so on. Most of these are largely used on websites and inside applications. There are more versatile trackers too, used on websites, inside applications, and even in e-mail. This article describes one of these tracker types: web beacons. We demonstrate what tracking systems’ and companies’ web beacons our security products (anti-tracking browser extensions and antispam technology) detect most often.

What web beacons are

Web beacons, or web bugs, also known as tracker pixels or spy pixels, among other names, are tracking elements used on web pages, inside applications and in e-mail for checking that the user has accessed certain content (opened an e-mail or visited a web page). Their main purpose is to collect statistics and build analytical reports on the user’s activities.

Web beacons on websites track visitors. Analytical marketing agencies or website owners themselves can use these to measure how well certain content or promotional campaigns performed, or how their audiences responded. Some websites use tracker pixels as watermarks for their content, for example, to track down illegal copies.

The main purpose of web beacons in e-mail, just as those on websites, is to count users who interact with the content. For example, tracker pixels can be used to make a report on e-mail open rates. These help companies to find out which e-mail campaigns their users find interesting and which they do not. For example, if an e-mail campaign sees declining open rates, the company may choose to either replace the subject with something more eye-catching or clickbaity, or on the contrary, make it more matter-of-fact and informative.

How web beacons work

A beacon on a web page is typically an image that loads from an external source. The size is usually one or even zero pixels, so it is invisible to the human eye; hence the name “spy pixel”. Additionally, the CSS display property can be set to “none” (do not display) to hide the image. Less common are JavaScript beacon implementations, such as the Beacon API: an interface for sending requests to a server without expecting a response.

Example of web beacon location in the HTML code of a website


E-mail web beacons are implemented in a similar way: invisible images are placed within the e-mail body, or JavaScript code is added in an HTML attachment.

Example of web beacon location in the HTML part of an e-mail


When the web page or e-mail is opened, a request is sent to the web beacon server. If the web beacon is an image, the request is to load that image; otherwise it is the request specified in the JavaScript code, usually one that does not require a response. The following information is typically communicated to the server:

  • Date and time of opening the web page or e-mail
  • Operating system version
  • Browser or e-mail client type and version
  • Screen resolution
  • IP address

Example of user data transmission


The most common website and e-mail beacons

We have analyzed the web beacons detected by our systems in December 2022, and ranked twenty companies whose beacons interacted with our users while browsing websites or opening e-mail messages most often.

Twenty most common beacons on websites

This section uses anonymous statistics collected from December 1 through 31, 2022 by the Do Not Track (DNT) component, which blocks loading of website trackers. DNT, which is disabled by default, is part of Kaspersky Internet Security, Kaspersky Total Security, and Kaspersky Security Cloud. The statistics consist of anonymized data shared by users with their consent. We have compiled a list of twenty companies whose content DNT detected around the world the most frequently. One hundred percent represents the total number of DNT detections triggered by these twenty systems.

Most of the twenty companies according to DNT have at least some connection to digital advertising and marketing. For example, Aniview, in sixth place with 2.68%, specializes in video advertising. OpenX (2.19%), Taboola (1.63%), Smart AdServer (1.55%), and many others are advertising or marketing agencies.

Even tech giants, such as Google (32.53%), Microsoft (21.81%), Amazon (13.15%) and Oracle (2.86%), who lead in our rankings, operate marketing and advertising subsidiaries, and product enhancement is by far not the only reason why they use web beacons.

Twenty most common website beacons in December 2022

Twenty most common beacons in e-mail

This section presents anonymized Anti-Spam detection data from Kaspersky users’ devices. The Anti-Spam component is part of Kaspersky Security for Linux Mail Server, Kaspersky Security for Microsoft Exchange Server, Kaspersky Secure Mail Gateway, and Kaspersky Security for Microsoft Office 365.

Unlike the website beacons rankings, the list of the most common e-mail beacons is not dominated by the big tech: Adobe Analytics (4.49%) is eighth, and Google (3.86%) and Microsoft (3.18%) have even humbler shares. The fact that there is a fairly large number of companies specializing in e-mail marketing could explain that. These companies can be broken down into two categories:

  • Email service providers (ESP): companies that manage and maintain e-mail campaigns for their clients.
  • Customer relationship management (CRM): companies that specialize in building platforms for managing every type of customer communications at various stages in the sales process.

The tech giants own major advertising networks that are used by most websites, and hence their trackers dominate these websites, whereas ESP and CRM companies manage most e-mail campaigns, and so their trackers dominate e-mail. ESP and CRM beacons collect user data to track their responses to e-mail campaigns: the percentage of users who open the messages, how the open rate changes from region to region, and so on. Most of the beacons we detected in e-mail traffic were by Mailchimp (21.74%) and SendGrid (19.88%), two major American e-mail marketing players.

Besides ESP and CRM, our e-mail beacon rankings included the large Japanese online retailer Rakuten (5.97%), the business networking website LinkedIn (4.77%), the ride-hailing platform Uber (1.49%), and Booking.com (0.56%), a major accommodation booking service. These companies share their reasons for using web beacons with the ESP and CRM players: to evaluate e-mail campaign impact and collect aggregate user statistics.

Twenty most common web beacons in e-mail, December 2022

Conclusion

Companies strive to collect as much data on their users as they can, to add as much detail to each user profile as possible, so that they can personalize their offerings, and sell their goods and services more efficiently. Various tracking systems enable companies to track users on websites, inside applications, and in e-mail.

Rather than outsourcing these services, many large companies are able to set up advertising subsidiaries of their own, selling the same services as advertising specialists do. They often merge their information about users obtained from diverse sources to enrich and extend each user profile that they already have. Meanwhile, others use the services of the Internet giants, marketing agencies, ESP and CRM companies, helping these to amass even more data.

Users would find it quite difficult, if not impossible, to track down where their data ends up. Worse, you may not even notice that the data is being collected. Beacons on websites and in e-mail are invisible to the user, and, unlike cookies, the companies that place them give no warning. The beacons, meanwhile, allow the companies to find out how many times users visited the website, where they came from, and who opened the e-mail, when and where. By gathering all that information on a regular basis, one can get an idea not just of the user’s reaction to specific e-mail messages or landing pages, but also of the user’s habits, such as when they typically go online.

If cybercriminals were to obtain that information, for example, as a result of a leak, they could use it for their own purposes. In particular, they could try hacking your online accounts or send fake e-mail in your name if they knew your usual offline hours. Moreover, attackers use web beacon technology too. It is worth adopting at least minimal anti-tracking measures to protect yourself from unwanted attention by companies, let alone cybercrooks. You can install a browser extension that prevents trackers from loading on web pages and configure your browser for increased privacy. Many VPN services offer tracker blocking as an added feature. When it comes to e-mail, you can prevent images from loading automatically. Even if you do open an e-mail that contains a spy pixel, it will not function, because no images — and a web beacon is an image too — will load unless you explicitly permit it. As for the more advanced JavaScript beacons, these are located in the attachment and only run once you open that.

Consumer cyberthreats: predictions for 2023
https://securelist.com/consumer-threats-2023/108112/
Mon, 28 Nov 2022 08:00:24 +0000

The consumer threat landscape is constantly changing. Although the main types of threats (phishing, scams, malware, etc.) remain the same, the lures that fraudsters use vary greatly depending on the time of year, current major events, news, etc. This year, we have seen spikes in cybercriminal activity aimed at users during the shopping and back-to-school seasons, around big pop culture events, such as the Grammys and the Oscars, movie premieres, new smartphone announcements, game releases, etc. The list goes on, as cybercriminals are quick to adapt to new social, political, economic, and cultural trends, coming up with new fraudulent schemes to profit from the situation.

Below, we present a number of key ideas about what the consumer-oriented threat landscape will look like in 2023, and describe how users could be lured into cybertraps with fake content and third-party apps.

Games and streaming services

Users will face more gaming subscription fraud. Sony’s PlayStation Plus is starting to compete with Microsoft’s subscription service, Game Pass, and, to increase its market share, now offers subscription games not only on consoles but also on PC. The larger the subscription base, the greater the number of fraudulent key-selling schemes and account theft attempts. These schemes can be very similar to the streaming scams we have been observing for the past several years.

Gaming console shortage to be exploited. The console shortage, which eased slightly in 2022, could worsen again as early as 2023, spurred by Sony’s release of the PS VR 2. The headset, which requires a PS5 to function, will be a convincing reason for many to buy the console. A further factor is expected to be the release of “pro” console versions, rumors about which began to circulate in mid-2022 and which may trigger more demand than can be satisfied. Fake presale offers, generous “giveaways” and “discounts”, and online store clones selling hard-to-find consoles—we expect all these types of fraud to exploit the console shortage.

In-game virtual currencies will be in demand among cybercriminals. Most modern games have introduced monetization: the sale of in-game items and boosters, as well as the use of in-game currencies. Games that include these features are cybercriminals’ primary targets, as they process money directly. In-game items and money are among the prime goals of attackers stealing players’ accounts. This summer, for instance, cyberthieves stole 2 million dollars’ worth of items from an account that they hacked. To get hold of in-game valuables, scammers may also trick their victims into a fraudulent in-game deal. In the coming year, we expect new schemes relating to the resale or theft of virtual currencies and items to emerge.

Cybercriminals will capitalize on long-awaited titles. This year, we have already seen an attacker claim to leak several dozen gameplay videos from GTA 6. Chances are that in 2023, we will see more attacks relating to games slated for release in that year: Diablo IV, Alan Wake 2, and Stalker 2. Besides possible leaks, we expect to see an increase in scams that target these games, as well as in Trojans disguised as them.

Streaming will remain cybercriminals’ bottomless source of income. Every year, streaming services produce more and more exclusive content that gets released on select platforms. A growing number of TV shows are becoming not just a source of entertainment, but a cultural phenomenon that influences fashion and trends in general. 2023 promises a wealth of new releases. We expect cybercriminals to use these anticipated titles along with streaming service names when distributing Trojans, creating phishing pages and implementing scams.

The talked-about movies and shows that could be exploited by cybercriminals include the new seasons of Euphoria and The Mandalorian; the long-awaited show starring Lily Rose Depp and The Weeknd, “The Idol”; the Barbie movie; and the post-apocalyptic drama series based on the video game “The Last of Us”. The list of potential bait films to be exploited can go on and on, since fraudsters are quick to adapt to consumer tastes. If they see that users are looking for the latest episode of a popular show, they will simply find their way to benefit from that interest.

Social media and the metaverse

New social media will bring more privacy risks. We would like to believe that the near future will see a new revolutionary phenomenon in the world of social networks. Perhaps this will happen not in VR just yet, but in AR. As soon as a new trendy app appears, so do risks for its users. Cybercriminals can start distributing fake, trojanized applications to infect victims’ phones for further malicious purposes. Further dangers are data and money theft, as well as phishing pages aimed at hijacking accounts on the new social media. Privacy will most probably be a major concern too, as many startups neglect to configure their applications in accordance with privacy protection best practices. This may lead to a high risk of personal data compromise and cyberbullying on the new social media, however trendy and convenient it may be.

Exploitation of the metaverse. Right now, we are only taking the first steps toward complete immersion in virtual reality, already using metaverses for entertainment while testing industrial and business applications of this new technology. Although there are only a few metaverse platforms so far, they have already revealed the risks that future users will face. As the metaverse experience is universal and does not obey regional data protection laws, such as GDPR, this might create complex conflicts between the requirements of the regulations regarding data breach notification.

Virtual abuse and sexual assault will spill over into metaverses. We have already seen cases of avatar rape and abuse, despite efforts to build protection mechanisms into metaverses. As there are no specific regulations or moderation rules, this scary trend is likely to follow us into 2023.

New source of sensitive personal data for cybercriminals

Data from mental health apps will be used in accurately targeted social engineering attacks. Taking care of your mental health is no longer just a whim or a trend, but an absolutely necessary activity. And while we have grown accustomed to the fact that the Internet knows almost everything about us, we have yet to realize that our virtual portrait can now be enriched with sensitive data about our mental state. As usage of mental health apps increases, so will the risk of this sensitive data being accidentally leaked or obtained by a third party through a hacked account. Armed with details of the victim’s mental state, the attacker is likely to launch an extremely precise social engineering attack. Now, imagine that the target is a key employee of a company. We are likely to see stories of targeted attacks involving data on the mental health of corporate executives. And if you add the data that sensors in VR headsets collect, such as facial expressions and eye movement, a leak of that data may prove disastrous.

Education platforms and the learning process

Online education platforms will attract more cybercrime. In the post-pandemic period, online education has proven to be no less efficient than offline classes, so we expect investment in online education platforms and learning management systems (LMS) to increase significantly. The trend is not new, but the relevance of the accompanying threats will grow along with digitalization: trojanized files and phishing pages mimicking online educational platforms and videoconferencing services, as well as LMS credential theft, are all set to grow in 2023.

A greater number of innovative technologies embedded in the learning process. These can be the use of virtual and augmented reality, voice interfaces, process automation (including robotization of communication), machine analysis of user actions, and AI-assisted testing and grading.

Gamification of education. In 2023, we will see greater use of gamification technologies in online learning to achieve functional goals: user acquisition and engagement, holding attention, personalized learning, inclusivity, and reducing resistance to learning. This will expose students to additional risks, the likes of which have plagued the gaming industry, among them trolls, phishing, and bullying, on platforms built for communication, competition, and teamwork.

Mass email campaign with a pinch of targeted spam
https://securelist.com/agent-tesla-malicious-spam-campaign/107478/
Fri, 23 Sep 2022 08:00:13 +0000

Most mass malicious mailing campaigns are very primitive and hardly diverse, with the content limited to a few sentences inviting the user to download archives that supposedly contain urgent bills or unpaid fines. The email messages may contain no signatures or logos, and typos and other errors are fairly common. These mailings may target individual users or large corporations, with no significant differences in message content.

Example of a mass malicious mailing message


Things have started to change recently, though, as spammers began employing techniques that are typical of targeted attacks. In particular, they have been sending emails in the name of real companies, copying the senders’ writing style and signatures.

Customer email with an Easter egg inside

We recently discovered a noteworthy email message. In it, someone posing as a Malaysian prospect, writing in a fairly odd variety of English, asks the recipient to review some customer requirements and get back with the requested documents. The general format complies with corporate correspondence standards: there is a logo belonging to a real company and a signature with sender details. Overall, the request looks legit, while the linguistic errors can easily be attributed to the sender being a non-native speaker.


The email from the “Malaysian prospect,” with a malicious attachment

The only thing about the email that smells fishy is the sender’s address (newsletter@trade***.com), as “newsletter” is typically used for news, not procurement. Besides, the sender’s domain name is different from the company name in the logo.

In another email, a purported Bulgarian customer inquires about the availability of some products and offers to discuss the details of a deal. The requested products list is said to be in the attachment, as in the previous specimen. The sender’s address, similarly suspicious, belongs to a Greek, not Bulgarian, domain, which apparently has no relation to the company whose name is used by the spammers.


The email from the “Bulgarian customer,” with a malicious attachment

What these two messages have in common is both the mailing scenario and the fact that neither looks machine-generated. Looking closely at the message headers, we noticed that they shared a structure: the sequence of headers, the MSGID format and the email client were the same. Besides, the messages originated from a limited range of IP addresses. This suggested that they were part of one massive email campaign.

Comparing the message headers of two malicious emails


Unlike the IP addresses and headers, the content varies. The spammers have been sending malicious archives in the name of a large number of companies, with the “request” text changing as well. This suggests that the operators invested quite some effort into preparations, which is uncharacteristic of this kind of campaign.
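The header comparison described above can be turned into a structural fingerprint that groups messages with different senders and bodies into one campaign. The following is an added example, not the article's own analysis tooling: it extracts the header order, the shape of the Message-ID, the X-Mailer value and the /24 network of the originating IP from the first Received header, then compares two messages on those fields only. The three raw messages, their domains (.test TLD) and the IP addresses (documentation range 203.0.113.0/24) are constructed for the example.

```python
"""Cluster e-mails by header structure rather than by sender or content.
Example code added for illustration; not from the original article."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Two constructed messages: different senders, subjects and bodies, but the same
# header skeleton, the same mailer and an origin IP in the same /24.
MSG_A = """\
Received: from mail.example-a.test ([203.0.113.17]) by mx.victim.test
From: "Procurement" <newsletter@example-a.test>
To: sales@victim.test
Subject: Customer requirements
Date: Mon, 06 Jun 2022 09:12:44 +0000
Message-ID: <20220606091244.8123.3f7a@example-a.test>
X-Mailer: Mailer/4.2
MIME-Version: 1.0
Content-Type: text/plain

Please review the attached requirements.
"""

MSG_B = """\
Received: from relay.example-b.test ([203.0.113.88]) by mx.victim.test
From: "Orders" <newsletter@example-b.test>
To: info@victim.test
Subject: Product availability
Date: Tue, 07 Jun 2022 14:03:01 +0000
Message-ID: <20220607140301.4471.9c02@example-b.test>
X-Mailer: Mailer/4.2
MIME-Version: 1.0
Content-Type: text/plain

Kindly confirm availability of the items in the attachment.
"""

# A constructed benign message with a different header skeleton and Message-ID shape.
MSG_C = """\
From: partner@example-c.test
To: info@victim.test
Date: Tue, 07 Jun 2022 15:00:00 +0000
Subject: Meeting
Message-ID: <CAK7=abc_xyz@mail.example-c.test>
MIME-Version: 1.0
Content-Type: text/plain

See you tomorrow.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def msgid_shape(msgid):
    """Reduce the local part of a Message-ID to its shape: hex characters become
    'H', other letters 'L', punctuation is kept. Different mailers produce
    recognisably different shapes."""
    local = msgid.strip("<> ").split("@")[0]
    shaped = re.sub(r"[g-zG-Z]", "L", local)      # non-hex letters first
    return re.sub(r"[0-9a-fA-F]", "H", shaped)    # then digits and hex letters


def fingerprint(raw):
    """Structural fingerprint of one message."""
    msg = message_from_string(raw)
    received = msg.get("Received", "")
    match = IP_RE.search(received)
    origin_net = (
        str(ipaddress.ip_network(match.group(1) + "/24", strict=False)) if match else None
    )
    return {
        "header_order": tuple(k.lower() for k in msg.keys()),
        "msgid_shape": msgid_shape(msg.get("Message-ID", "")),
        "mailer": msg.get("X-Mailer"),
        "origin_net": origin_net,
        "sender_domain": parseaddr(msg.get("From", ""))[1].split("@")[-1],
    }


def same_campaign(raw1, raw2):
    """True when two messages share header order, Message-ID shape, mailer and
    origin /24, regardless of sender domain, subject or body."""
    f1, f2 = fingerprint(raw1), fingerprint(raw2)
    return all(f1[k] == f2[k] for k in ("header_order", "msgid_shape", "mailer", "origin_net"))


if __name__ == "__main__":
    print("A and B same campaign:", same_campaign(MSG_A, MSG_B))
    print("A and C same campaign:", same_campaign(MSG_A, MSG_C))
```

In a mail gateway this fingerprint is a useful clustering key: once one sample from the cluster is confirmed malicious, every message with the same fingerprint can be quarantined even though its sender, logo and wording are new.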

Statistics

From April till August, our systems detected 739,749 messages attributed to the campaign. The email activity peaked in June, with 194,100 detected messages, dropping to 178,510 in July and to 104,991 in August.

Malicious email dynamics, April through August 2022

Payload: Agent Tesla malware

We studied the contents of the archives attached to the emails and found them to contain one of two unique files belonging to the same family: the widespread Agent Tesla malware, written in .NET and known since 2014. Its main objective is to fetch passwords stored in browsers and other applications and forward them to the operator. While Agent Tesla most frequently forwards data via email, there are versions that drop the stolen data into a Telegram secret chat, onto a website operated by the attackers or onto an FTP server. The Agent Tesla version being spread by the campaign at hand is one of the latest, capable of extracting passwords from the following applications.

  • Browsers: Chrome, Edge, Firefox, Opera, 360 Browser, 7Star, Amigo, Brave, CentBrowser, Chedot, Chromium, Citrio, Cốc Cốc, Comodo Dragon, CoolNovo, Coowon, Elements Browser, Epic Privacy, Iridium Browser, Kometa, Liebao Browser, Orbitum, QIP Surf, Sleipnir 6, Sputnik, Torch Browser, Uran, Vivaldi, Yandex.Browser, QQ Browser, Cyberfox, IceDragon, Pale Moon, SeaMonkey, Waterfox, IceCat, K-Meleon.
  • Email clients: Becky!, Opera Mail, Foxmail, Thunderbird, Claws, Outlook, The Bat!, eM Client, Mailbird, IncrediMail, Postbox, Pocomail
  • FTP/SCP clients: WinSCP, WS_FTP, FTPGetter, SmartFTP, FTP Navigator, Core FTP
  • Databases: MySQL Workbench
  • Virtual network computing clients: RealVNC, TightVNC, TigerVNC, UltraVNC, Windows RDP, cFTP
  • VPN clients: NordVPN, OpenVPN
  • Instant messaging programs: Psi/Psi+, Trillian

Agent Tesla is also capable of taking screenshots, intercepting clipboard contents and logging keystrokes.

Agent Tesla attack geography

Agent Tesla targets users around the world. According to our observations, the malware’s activity from May till August 2022 was the highest in Europe, Asia and Latin America. The largest number of victims (20,941) was recorded in Mexico. It was followed by Spain, with 18,090 users’ devices registering infection attempts, and Germany, where 14,880 users were affected.

Ten most-attacked countries by number of affected users:

Country/territory       Users affected
Mexico                  20,941
Spain                   18,090
Germany                 14,880
Turkey                  13,326
Russian Federation      12,739
Italy                   12,480
Malaysia                10,092
Vietnam                  9,760
Brazil                   8,851
Portugal                 8,739

Conclusion

The spam campaign we discovered is clear proof that cybercriminals can invest significant effort even in mass attacks. The email messages we studied appear to be high-quality imitations of business inquiries by real companies, only given away by the inappropriate sender addresses. In all likelihood, these emails were composed and sent out manually. That said, our systems were detecting more than a hundred thousand of these emails each month, which targeted organizations all around the world.

The payload spread by the attackers is capable of stealing login data from an imposing number of applications. The data may be offered for sale on darkweb forums or used in targeted attacks against organizations. Agent Tesla is notably a long-known stealer, detected by most cybersecurity products. It is assigned the verdict Trojan-PSW.MSIL.Agensla by Kaspersky products.

Indicators of compromise

MD5 hashes of attached archives:

ddc607bb993b94c543c63808bebf682a
862adb87b0b894d450f8914a353e3e9c
a1ae8b0d794af648908e0345204ea192
9d0364e1f625edb286b0d5541bb15357
eee70de3ac0dc902b99ed33408e646c9

MD5 hashes of the executables and details of attackers’ email accounts used for sending and receiving data stolen by the sample:

64011a7871abb873c822b8b99082e8ab
Mail from: info(a)essentialapparatus.co.ke
Password: Info@2018
Mail to: sales1.nuozhongsteel(a)gmail.com
Mail server: mail.essentialapparatus.co.ke:587

b012cb8cfee0062632817d12d43f98b4
Mail from: quality(a)keeprojects.in
Password: quality#@!
Mail to: quality(a)keeprojects.in
Mail server: mail.keeprojects.in:587

Text-based fraud: from 419 scams to vishing
https://securelist.com/mail-text-scam/106926/
Mon, 11 Jul 2022 08:00:53 +0000

E-mail scammers typically combine social engineering with technical skills to bypass spam filters and persuade the recipient to reply. But there is a specific class of attacks that is technically stuck somewhere in the late 90s/early 00s, in the era of CRT monitors and sluggish internet: we are talking about text-based fraud. Attackers of this kind do not carefully imitate the appearance of e-mails from major companies, do not redirect the victim to a fake site, do not obfuscate links and do not even use them. Their main tool and method of persuasion is old-fashioned text. And it works surprisingly often.

Types of text-based fraud

In terms of topics and techniques, text-based fraud can be divided into several types:

  • Dating scams
  • 419 scams
  • Blackmailing and extortion
  • Vishing

Let’s take a look at these types of scams and see why they work.

Dating scams

This category includes messages seemingly from attractive women (more rarely men) looking for a “serious relationship.” For extra plausibility, scammers add biographical details and/or photographs of their bait, including immodest ones. The latter are usually downloaded from open sources.

Example of a dating scam e-mail


Attackers can also create fake profiles in social networks and instant messengers to make the scheme more persuasive. If the potential victim responds, they are added as friends and start to receive individual treatment. The interaction can last from several days to several months, and includes not only messages, but also phone and even video calls.

Fraudsters can monetize their lonely-heart character in several ways. For instance, early on in the communication, they might ask for small amounts of money or gifts as a sign of commitment. Another variant is, after a long virtual communication, to ask for a large sum to visit the victim, have an urgent surgery, etc. One more scheme, quite common lately, is when the “partner” promises to send the victim an expensive gift or cash by courier from abroad. After some time, the “courier” gets in touch and asks the victim to pay for shipping, customs duties, etc.

Note that scammers get acquainted with victims not only by e-mail. These schemes are utilized on dating sites, social networks and instant messengers. Moreover, the latter two are often the main channel for communicating with the victim, regardless of how contact was initially made. But mass mailings are still more convenient to send out by e-mail, since accounts in social networks, messengers, etc., are quickly blocked due to spam.

Statistics

Dating scams are the least common type of message-based fraud. From March to June 2022, we found 49,536 messages from people “looking for a relationship,” dropping to 1,998 e-mails for the whole of June. This may be because scammers actively use other communication channels to get to know their victims and establish a trusting relationship.

Number of detected messages offering to date, March–June 2022

419 scams: “rich uncles” and Covid payments

419 scams are one of the oldest types of text-based fraud. In the classic 419 letter, the recipient is informed by a “lawyer” or other “official” that a deceased relative or dying benefactor has bequeathed a huge fortune to them. All the victim needs to do is fill out a short questionnaire, pay a fee for administration and other formalities, and claim their millions. Often, the scammers do not mention the fee straight up but invite the victim to make contact by replying to the e-mail to find out more about their “inheritance.” In any case, once the fee is paid, they vanish.

419 e-mails are often crawling with grammar and spelling mistakes. This may be to mask words and expressions that could activate spam filters, or it could be that the attackers have a poor grasp of the victim’s language.

Classical 419 scam with inheritance


419 letters are still popular with attackers, who send them regularly and in large numbers: our solutions detect hundreds of thousands of such messages every month. Often, instead of deceased rich relatives, they exploit more topical themes. For example, alongside the increased attention to the Syrian war, cybercriminals were sending e-mails supposedly from people inside the country wanting to transfer large sums abroad.

419 scam with transactions


Lately, unexpected transactions have been doing the rounds, as well as payments to victims — of Covid, the Ukraine crisis and, ironically, frauds.

419 scam with compensation


Another subspecies of the 419 scam is lottery winnings in which the “winner” did not participate. To make the scheme more credible, scammers usually claim that, say, a giveaway was held for taxpayers in a particular region or country, for owners of a particular e-mail domain, etc. Unlike Covid-19 compensation, such mailings are not new but they never lose popularity.

Lottery fraud


From a technical standpoint, not much has changed in the 419 scam — for the most part, messages are sent from free webmail accounts (Google Mail, Yahoo Mail, etc.).

To request details, send a form, etc., attackers usually encourage victims to contact them by e-mail. Because mail services can block addresses known as spam sources, they often give a different address for replies, one that is not flagged.

Statistics

From February to June, our solutions detected 1.8 million 419 scam e-mails. Their number began to rise in late February, peaking at 657,014 in March. In April, on the contrary, spammer activity decreased by more than half.

Number of 419 e-mails detected, February–June 2022

Blackmail scam

Whereas scammers use the above methods to exploit victims’ greed, blackmailers play on their fear. Typically, cybercriminals claim that they have come into possession of the target’s personal information, which, for a modest payment, they promise not to send to family members or post online. As a rule, they do not provide any actual evidence of data theft, since they did not in fact steal anything — this is how scammers differ from ransomware groups, which do indeed steal or encrypt files using malware.

Blackmail scams really came into their own with the popularization of cryptocurrencies: the blockchain’s anonymity eliminates the need for complex money-laundering chains.


Extortion e-mail: the scammer claims to have hacked into the recipient’s mailbox

Extortionists attack both individuals and companies but employ different approaches. Individuals are most often threatened with publication of personal data allegedly stolen by hacking into their computer or mailbox. Scammers might also mention intimate photos or videos that they claim to have recorded through the device’s webcam. It’s quite possible they pinched this idea from an episode of Black Mirror.


Extortion e-mail threatening to post “intimate” content allegedly stolen from the user and containing their e-mail address in the From header

From a technical point of view, this type of fraud typically features e-mail address spoofing. Attackers substitute the recipient’s address in the From header, seemingly confirming mailbox hacking.
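The spoofing trick just described leaves traces a mail filter can check: the From address equals the recipient's own, while the envelope sender and the receiving server's authentication results point elsewhere. The following is an added example, not code from the original article or from Kaspersky's products. It parses the headers of a message and reports those indicators; the two raw messages, the domains (.test TLD) and the Authentication-Results lines are constructed for the example, with a genuine note-to-self included to show why the From/To match alone is not enough.

```python
"""Detect extortion e-mails that spoof the recipient's address in the From header.
Example code added for illustration; not from the original article."""
from email import message_from_string
from email.utils import parseaddr

# Constructed extortion message: From and To are the same mailbox, but the
# envelope sender (Return-Path) is a third-party domain and SPF failed.
SPOOFED = """\
Return-Path: <bounce@mailer-7.example-spam.test>
Authentication-Results: mx.victim.test; spf=fail smtp.mailfrom=mailer-7.example-spam.test; dkim=none
From: victim@victim.test
To: victim@victim.test
Subject: Your account has been hacked
Message-ID: <a1@mailer-7.example-spam.test>

I have full access to your device...
"""

# Constructed legitimate note-to-self: same From/To, but the envelope matches
# and the message passed SPF and DKIM at the receiving server.
SELF_NOTE = """\
Return-Path: <victim@victim.test>
Authentication-Results: mx.victim.test; spf=pass smtp.mailfrom=victim.test; dkim=pass header.d=victim.test
From: victim@victim.test
To: victim@victim.test
Subject: reminder

Buy milk.
"""


def _addr(msg, header):
    """Lower-cased address part of a header such as From, To or Return-Path."""
    return parseaddr(msg.get(header, ""))[1].lower()


def spoof_indicators(raw):
    """Return the list of indicators found; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    from_addr, to_addr = _addr(msg, "From"), _addr(msg, "To")
    indicators = []
    if from_addr and from_addr == to_addr:
        indicators.append("from_equals_to")
    return_path = _addr(msg, "Return-Path")
    if return_path and from_addr and return_path.split("@")[-1] != from_addr.split("@")[-1]:
        indicators.append("return_path_domain_mismatch")
    # Authentication-Results is written by the receiving MTA, not by the sender,
    # so it is trustworthy inside the organisation's own mail flow.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        indicators.append("spf_fail")
    if "dkim=pass" not in auth:
        indicators.append("no_dkim_pass")
    return indicators


def is_self_spoof(raw):
    """A message claiming to come from its own recipient while failing authentication."""
    found = spoof_indicators(raw)
    return "from_equals_to" in found and (
        "spf_fail" in found or "return_path_domain_mismatch" in found
    )


if __name__ == "__main__":
    print("extortion sample:", spoof_indicators(SPOOFED), is_self_spoof(SPOOFED))
    print("note-to-self:", spoof_indicators(SELF_NOTE), is_self_spoof(SELF_NOTE))
```

Enforcing a DMARC policy for the organisation's own domain makes the same decision at the gateway for every message, since mail that claims an internal From address but fails SPF and DKIM alignment is rejected before the user sees it.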

E-mails targeting individuals may also threaten administrative or criminal penalties, although such messages are far less common than ones about hacking.

Companies, meanwhile, can be threatened with bomb scare messages. In 2020 and 2021, extortionists actively sent out e-mails in the name of renowned APT and ransomware groups, promising to carry out an attack unless payment was made forthwith. Unlike most such promises, attackers sometimes follow through on this one.

Statistics

There are significantly more extortion e-mails in mail traffic than other forms of text-based scam. For instance, from March to June, we detected more than 12 million blackmail messages.

Number of extortionate e-mails detected, March–June 2022

Vishing: scammers’ hotline

Vishing is short for voice phishing. As you might guess from the name, this is when attackers make contact with the potential victim via voice communication. How does this relate to text-based scams? In the past few years, vishers have been sending out mass e-mails asking the recipient to call back on their phone number, that is, spamming is the first step of the operation.

Vishing can target both individuals and companies. From the former, scammers try to extract confidential data, persuade them to install software for remote access, or to transfer money to the scammers’ account. And as for the target company employee, attackers can convince them to transfer money to a specific bank account or grant access to a corporate account.


Fake PayPal notification about a large purchase. To cancel the order, the victim is asked to urgently write or call the support service

Most often, vishing e-mails masquerade as notifications from some service: this can be a large online store, a payment system, or, for example, subscription-based software.


Fake Geek Squad notification. For more information, the victim is asked to call the specified number

Typically, the e-mails are composed so as to create the impression of being generated automatically. Most likely, this is so that the victim does not try to reply to the message but uses the vishers’ contact details.

To find out exactly how attackers achieve their goal, that is, to fish (or vish) out data or money, I called a couple of numbers provided in such e-mails. In both cases, after a short introductory dialog, a confident voice at the other end asked me to open a browser window and spelled out a URL (anydesk.com) for me to download the Anydesk remote access program. In response to my question about such a long unsubscribing process, the first scammer, absolutely unfazed, replied that they needed to log in to my bank account to confirm and then cancel the transaction. When I replied that I did not use online banking, the scammer hung up. The second turned out to be less talkative and did not give any interesting details.

On the one hand, this scheme seems too clunky to be widely used. On the other, communication via various channels and the attackers’ imitation of expertise can inspire more trust in the user than just an e-mail with a phishing link.

Statistics

From March to June 2022, we found 347,141 e-mails prompting the recipient to call the scammers back by phone. We saw a slight drop in this type of scam in April, after which the number of e-mails began to grow again.

Number of detected vishing e-mails, March–June 2022

Conclusion

Despite the existence of instant messengers, social networks and video chats, cybercriminals continue to use e-mail as the first point of contact with the victim, even if they switch to other channels afterwards. It is mainly the topics of the e-mails that change: attackers actively exploit current events to attract the potential victims’ attention. This suggests that despite users’ general awareness of cybercriminals’ basic methods, techniques such as intimidation and the promise of a free lunch, coupled with a willingness to spend time building trust, continue to reap rewards. The aim of these e-mails is to knock the user off balance and get them to act without thinking. Therefore, it is important not only to be aware of intruders’ techniques, but to make it a habit to respond to e-mails in a calm state of mind — or not to respond at all.

On the ISP side, solutions that employ machine learning and heuristics to recognize fraudulent e-mails can help filter out such spam.

HTML attachments in phishing e-mails (https://securelist.com/html-attachments-in-phishing-e-mails/106481/), Mon, 16 May 2022 08:00:08 +0000

The use of embedded HTML documents in phishing e-mails is a standard technique employed by cybercriminals. It does away with the need to put links in the e-mail body, which antispam engines and e-mail antiviruses usually detect with ease. HTML offers more possibilities than e-mail for camouflaging phishing content.

There are two main types of HTML attachments that cybercriminals use: HTML files with a link to a fake website or a full-fledged phishing page. In the first case, the attackers can not only hide a link in the file, but also automatically redirect the user to the fraudulent site when they open this file. The second type of HTML attachment makes it possible to skip creating the website altogether and save on hosting costs: the phishing form and the script that harvests the data are embedded directly in the attachment. In addition, an HTML file, like an e-mail, can be modified according to the intended victim and attack vector, allowing for more personalized phishing content.

Fig.1. Example e-mail with an HTML attachment

Structure of phishing HTML attachments

Phishing elements in HTML attachments are usually implemented using JavaScript, which handles redirecting the user to a phishing site or collecting and sending credentials to scammers.

Fig. 2. Phishing HTML page and its source code

Typically, the HTML page sends data to a malicious URL specified in the script. Some attachments consist entirely (or mostly) of a JS script.

In the e-mail source code, the HTML attachment looks like plain text, usually Base64-encoded.

Fig. 3. HTML attachment in e-mail source code

If a file contains malicious scripts or links in plaintext, the security software can quickly parse and block it. To avoid this, cybercriminals resort to various tricks.

JavaScript obfuscation

JavaScript obfuscation is one of the most common techniques used to disguise HTML attachments. To prevent the URL in the file from being quickly spotted and blocked, phishers obfuscate either the phishing link itself or the entire script, and sometimes the whole HTML file. In some cases, cybercriminals obfuscate the code manually, but often they use ready-made tools, of which many are freely available, such as JavaScript Obfuscator.

For example, opening the HTML attachment in the phishing e-mail supposedly from HSBC Bank (see Fig. 1) in a text editor, we see some pretty confusing JS code, which, it would seem, hints neither at opening a link nor at any other meaningful action.

Fig. 4. Example of obfuscation in an HTML attachment

However, it actually is an obfuscated script that redirects the user to a phishing site. To disguise the phishing link, the attackers used a ready-made tool, allowing us to easily deobfuscate the script.

Fig. 5. Deobfuscated script from an attachment in an e-mail seemingly from HSBC Bank: link for redirecting the user

If a script, link, or HTML page is obfuscated manually, it is much harder to restore the original code. To detect phishing content in such a file, dynamic analysis may be required, which involves running and debugging the code.

Encoding

Sometimes attackers use more interesting methods. In one phishing e-mail, for instance, we found an unusual HTML attachment. As in the example above, it contained JavaScript. Because the code was so compact, one might think it was doing the same as the code in the fake HSBC e-mail — that is, redirecting the user to a phishing site. But upon running it, we found a full-fledged phishing page encoded in this small script.

Fig. 6. HTML file using the unescape() method — the source code of the file contains only five lines, one of which is empty

Fig. 7. Phishing page in the HTML attachment

The cybercriminals used an interesting trick that involves the deprecated JS method unescape(). This method substitutes the “%xx” character sequences with their ASCII equivalents in the string that is passed to it. Running the script and viewing the source code of the resulting page, we see plain HTML.

Fig. 8. The resulting HTML file

Instead of unescape(), JavaScript now uses the decodeURI() and decodeURIComponent() methods, yet most modern browsers still support unescape(). We cannot say for sure why the attackers chose a deprecated method, but it could be because modern methods are more likely to be interpreted and detected by antispam engines.
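The unescape() trick described above can be undone statically, without running the script. The following added example (not code from the article or from Kaspersky) pulls the Base64-encoded HTML attachment out of a constructed sample e-mail, replays the %XX/%uXXXX decoding in pure Python, and then looks at every decoding layer for a credential form, a password field or a redirect; the sender, recipient and phishing host names are made up.

```python
import base64
import email
import re
from email import policy

# Constructed sample (not an attachment from the article): a phishing form hidden
# behind the deprecated unescape() trick, delivered as a Base64 HTML attachment.
HIDDEN_PAGE = ('<form action="http://phish.example/login">'
               '<input name="password" type="password"></form>')
ESCAPED = "".join("%%%02X" % b for b in HIDDEN_PAGE.encode())
ATTACHMENT = "<script>document.write(unescape('%s'))</script>" % ESCAPED

RAW_EMAIL = (
    "From: notice@bank.example\r\n"
    "To: victim@corp.example\r\n"
    "Subject: Payment advice\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n--b1\r\n"
    "Content-Type: text/plain\r\n\r\nSee the attached advice.\r\n"
    "--b1\r\n"
    'Content-Type: text/html; name="advice.html"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="advice.html"\r\n\r\n'
    + base64.b64encode(ATTACHMENT.encode()).decode() + "\r\n"
    "--b1--\r\n"
)

UNESCAPE_CALL = re.compile(r"""unescape\(\s*['"]([^'"]*)['"]\s*\)""")

# What to look for at every decoding layer: a form posting to a remote host,
# a password field, a script redirect, or yet another decoding layer.
RULES = [
    ("form posting to remote URL", re.compile(r"<form[^>]+action\s*=\s*['\"]?https?://", re.I)),
    ("password field", re.compile(r"type\s*=\s*['\"]?password", re.I)),
    ("script redirect", re.compile(r"location(?:\.href)?\s*=\s*['\"]https?://", re.I)),
    ("unescape() decoding layer", UNESCAPE_CALL),
]


def js_unescape(s):
    """Pure-Python equivalent of the deprecated JS unescape(): %XX and %uXXXX."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decoding_layers(text, max_rounds=5):
    """Statically replay nested unescape() calls without executing any JavaScript.
    Returns [original text, first decoded layer, ...]."""
    layers = [text]
    for _ in range(max_rounds):
        calls = UNESCAPE_CALL.findall(layers[-1])
        if not calls:
            break
        layers.append("".join(js_unescape(c) for c in calls))
    return layers


def html_attachments(raw_message):
    """Yield (filename, html_text) for each HTML attachment, Base64 already undone."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        if part.get_content_disposition() != "attachment":
            continue  # the HTML body of an ordinary message is not an attachment
        text = part.get_payload(decode=True).decode("utf-8", "replace")
        yield part.get_filename() or "(unnamed)", text


def scan_email(raw_message):
    """Map attachment name -> [(layer_depth, rule_name), ...] of suspicious content."""
    report = {}
    for name, html in html_attachments(raw_message):
        findings = []
        for depth, layer in enumerate(decoding_layers(html)):
            for rule_name, pattern in RULES:
                if pattern.search(layer):
                    findings.append((depth, rule_name))
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in scan_email(RAW_EMAIL).items():
        print(name)
        for depth, rule_name in findings:
            print(f"  layer {depth}: {rule_name}")
```

Layer 0 (the file as attached) only reveals the unescape() call; the form and the password field appear at layer 1, which is why scanning the raw attachment text alone misses this kind of page.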

Statistics

In the first four months of 2022, Kaspersky security solutions detected nearly 2 million e-mails containing malicious HTML attachments. Nearly half of them (851,328) were detected and blocked in March. January was the calmest month, with our antispam solutions detecting 299,859 e-mails with phishing HTML attachments.

Number of detected e-mails with malicious HTML attachments, January–April 2022

Conclusion

Phishers deploy a variety of tricks to bypass e-mail blocking and lure as many users as possible to their fraudulent sites. A common technique is HTML attachments with partially or fully obfuscated code. HTML files allow attackers to use scripts, obfuscate malicious content to make it harder to detect, and send phishing pages as attachments instead of links.

Kaspersky security solutions detect HTML attachments containing scripts regardless of obfuscation.

Email spoofing: how attackers impersonate legitimate senders (https://securelist.com/email-spoofing-types/102703/), Thu, 03 Jun 2021 10:00:26 +0000

Introduction

In a nutshell, email spoofing is the creation of fake emails that seem legitimate. This article analyzes the spoofing of email addresses through changing the From header, which provides information about the sender’s name and address.

SMTP (Simple Mail Transfer Protocol, the main email transmission protocol in TCP/IP networks) offers no protection against spoofing, so it is fairly easy to spoof the sender’s address. In fact, all the would-be attacker needs is a tool for choosing in whose name the message will arrive. That can be another mail client or a special utility or script, of which there is no shortage online.

Email spoofing is used in both fraudulent schemes and targeted attacks against organizations. Cybercriminals use this technique to convince victims that a message came from a trusted sender and nudge them into performing a specific action, such as clicking a phishing link, transferring money, downloading a malicious file, etc. For added credibility, attackers can copy the design and style of a particular sender’s emails, stress the urgency of the task, and employ other social engineering techniques.

In some cases, fake emails form part of a multistage attack, the first phase of which requires no suspicious actions on the part of the victim. For examples of such attacks, see our article on corporate doxing.

Legitimate Domain Spoofing

The simplest form of the technique is legitimate domain spoofing. This involves inserting the domain of the organization being spoofed into the From header, making it extremely difficult for the user to distinguish a fake email from a real one.

To combat spoofing, several mail authentication methods have been created that enhance and complement each other: SPF, DKIM and DMARC. By various means, these mechanisms verify that the message was actually sent from the stated address.

  • The SPF (Sender Policy Framework) standard allows a mail domain owner to restrict the set of IP addresses that can send messages from this domain, and lets the mail server check that the sender’s IP address is authorized by the domain owner. However, SPF checks not the From header, but the sender’s domain specified in the SMTP envelope, which is used to transmit information about the email’s route between the mail client and the server, and is not shown to the recipient.
  • DKIM solves the problem of sender authentication by means of a digital signature generated on the basis of a private key stored on the sender’s server. The public key for authenticating the signature is placed on the DNS server responsible for the sender’s domain. If in reality the message was sent from a different domain, the signature will be invalid. However, this technology has a weakness: an attacker can send a fake email without a DKIM signature, and the message will be impossible to authenticate.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) is used to check the domain in the From header against a DKIM/SPF-validated domain. With DMARC, a message with a spoofed legitimate domain fails authentication. However, if the policy is strict, DMARC can also block wanted emails (see here for how our solutions augment this technology and minimize false positives).

Naturally, with the widespread implementation of the above-described technologies, attackers faced a tough choice: to hope that the company they are impersonating did not configure mail authentication properly (still common, sadly), or to use From-header spoofing methods that bypass authentication.
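The interplay of the three mechanisms is easiest to see in code. The following added example (not code from the article or from Kaspersky) implements the DMARC alignment step: it takes the SPF result for the envelope sender and the DKIM result for the d= domain as inputs, checks whether either authenticated identifier aligns with the From header domain, and otherwise returns the domain owner's policy. The organizational-domain rule is approximated as the last two labels (an assumption; real validators consult the Public Suffix List), and all domains and addresses are constructed.

```python
from email.utils import parseaddr


def from_domain(from_header):
    """Domain of the address in the From header: the identifier DMARC aligns against."""
    _display_name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def org_domain(domain):
    """Organizational domain, approximated here as the last two labels.
    Assumption for this example; real validators consult the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, header_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_domain
    return org_domain(auth_domain) == org_domain(header_domain)


def dmarc_evaluate(from_header, envelope_from, spf_result,
                   dkim_d=None, dkim_result="none",
                   policy="reject", aspf="r", adkim="r"):
    """Combine SPF and DKIM outcomes the way a DMARC check does.

    spf_result is the SPF outcome for the envelope (MAIL FROM) domain and
    dkim_result the signature outcome for the DKIM d= domain; both are inputs
    here because they come from the SPF/DKIM checks that run before DMARC.
    Returns (verdict, spf_aligned, dkim_aligned): verdict is "pass" when at
    least one authenticated identifier aligns with the From domain, otherwise
    the domain owner's policy ("none", "quarantine" or "reject").
    """
    header_dom = from_domain(from_header)
    envelope_dom = envelope_from.rpartition("@")[2].lower()
    spf_aligned = spf_result == "pass" and aligned(envelope_dom, header_dom, aspf)
    dkim_aligned = (dkim_result == "pass" and bool(dkim_d)
                    and aligned(dkim_d, header_dom, adkim))
    verdict = "pass" if (spf_aligned or dkim_aligned) else policy
    return verdict, spf_aligned, dkim_aligned


# Constructed cases mirroring the situations described in the article.
CASES = {
    # Legitimate domain spoofing: the From header carries the target's own
    # domain, but the envelope sender that SPF checks belongs to someone else.
    "legit_domain_spoof": dmarc_evaluate(
        "CEO <ceo@corp.example>", "bounce@other.example", "pass"),
    # Ghost spoofing: the target's address appears only in the display name;
    # the real address authenticates and aligns, so DMARC passes.
    "ghost_spoof": dmarc_evaluate(
        '"CEO ceo@corp.example" <ceo@mailer.example>', "ceo@mailer.example", "pass"),
    # Genuine mail: envelope on a subdomain, DKIM signed with d=corp.example.
    "genuine_relaxed": dmarc_evaluate(
        "News <news@corp.example>", "b@mta.corp.example", "pass",
        dkim_d="corp.example", dkim_result="pass"),
    # Same mail with strict SPF alignment: SPF no longer aligns, DKIM carries it.
    "genuine_strict_spf": dmarc_evaluate(
        "News <news@corp.example>", "b@mta.corp.example", "pass",
        dkim_d="corp.example", dkim_result="pass", aspf="s"),
    # Unauthenticated mail under a monitoring-only policy is still let through.
    "monitor_only": dmarc_evaluate(
        "CEO <ceo@corp.example>", "x@other.example", "fail", policy="none"),
}

if __name__ == "__main__":
    for name, (verdict, spf_ok, dkim_ok) in CASES.items():
        print(f"{name:20} verdict={verdict:8} spf_aligned={spf_ok} dkim_aligned={dkim_ok}")
```

The ghost_spoof case is the one to note: every check passes, because the spoofed address never appears where SPF, DKIM or DMARC look.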

Display Name Spoofing

The display name is the name of the sender that gets shown in the From header before the email address. In the case of corporate mail, it is usually the real name of the relevant individual or department.

Example of a display name

To make the email less cluttered for the recipient, many mail clients hide the sender’s address and show only the display name. This allows cybercriminals to substitute the name, but leave their real address in the From header. And this address is often protected by a DKIM signature and SPF, so the authentication mechanisms see the message as legitimate.

Ghost Spoofing

The most common form of the above method is known as ghost spoofing. Here, the attacker specifies as the name not only the name of the person or company being spoofed, but also the address of the supposed sender, as in the example in the screenshot below.

Example of ghost spoofing

In actual fact, the message comes from a completely different address.

Real sender address in ghost spoofing, and mail authentication.

AD Spoofing

AD (Active Directory) spoofing is another form of display name spoofing, but unlike the ghost version, it does not involve specifying the spoofed address as part of the name. What’s more, the address from which the cybercriminals send messages features the name of the person being imitated.

Example of AD spoofing

This method looks more primitive than ghost spoofing, but some scammers prefer it for several reasons. First, if the recipient’s mail agent does display the contents of the From header in its entirety, the double sender address will make the user more suspicious than the address on the public domain. Second, ghost spoofing is technically easier to block with spam filters: it is enough to consign to the spam folder emails where the displayed sender name contains the email address. It is not generally feasible to block all incoming emails sent from addresses with the same names as colleagues and contractors.

Lookalike Domain Spoofing

More sophisticated attacks use specially registered domains, similar to the domain of the target organization. This requires a bit more effort, since finding and buying a specific domain, then setting up mail, DKIM/SPF signatures and DMARC authentication on it, is rather more difficult than simply modifying the From header slightly. But it also complicates the task of recognizing a fake.

Primary Lookalike

A lookalike domain is a domain name that looks similar to that of the organization being spoofed, but with a couple of alterations. We discussed such domains in detail in our article Lookalike domains and how to outfox them. For example, the email in the screenshot below came from the domain deutschepots.de, which can easily be confused with the domain of the German mail company Deutsche Post (deutschepost.de). If you follow the link in such an email and try to pay for delivery of a parcel, you will not only lose 3 euros, but also hand your card details to the fraudsters.

Example of a message from a lookalike domain

However, with the right level of vigilance, it is possible to spot misspelled domains. But in other cases, simple attentiveness is no longer sufficient.

Unicode Spoofing

Unicode spoofing is a type of spoofing in which an ASCII character in the domain name is replaced with a physically similar character from the Unicode set. Understanding this technique requires knowledge of how domains that use non-Latin characters (for example, Cyrillic or umlauts) are encoded. To use them, Punycode was created — a method that converts Unicode characters to an ASCII Compatible Encoding (ACE) representation, consisting of letters of the Latin alphabet, hyphens and numbers from 0 to 9. At the same time, many browsers and mail clients display the Unicode version of the domain. For example, this Russian domain:

касперский.рф

is converted to:

xn--80akjebc7ajgd.xn--p1ai

However, in the browser you will most likely see that same касперский.рф. Since this technology provides for partial encoding (individual characters are encoded, not the whole string), the domain can contain both ASCII and Unicode characters, which cybercriminals actively utilize.

Example of an email with Unicode spoofing

In the screenshot above, we see a message supposedly sent from the domain apple.com. It looks legitimate, and the email passed mail authentication. The email design is unusual, but since the average user rarely receives messages about blocking, there is little by way of comparison. If an unsuspecting user clicks the link, they are taken to a fake site that asks for their account details.

A look at the message headers (which can be done in most mail clients for PC and web versions of mail services) shows a completely different picture:

Punycode domain record

The fact is that the apple.com domain we saw above would look very different in Punycode, since the first three characters are in fact the Cyrillic letters “а” and “р”. But the mail client that opened the email converted that Punycode representation into Unicode for the convenience of the user, and the message displayed “apple.com”.

It should be noted that some mail clients warn the user about non-standard characters used in the domain name, or even display Punycode in the From header. However, such protection mechanisms are not universal, which plays into the hands of fraudsters.
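The display-name and lookalike-domain tricks from the sections above can be screened for on the receiving side. The following added example (not code from the article or from Kaspersky) inspects a From header for an address smuggled into the display name (ghost spoofing), converts Punycode back to Unicode the way a mail client would, flags labels that mix scripts, maps a handful of Cyrillic confusables onto their Latin lookalikes and checks the result, plus a small edit distance, against a constructed list of protected domains. The confusables map and the protected list are assumptions; a production filter would use the full Unicode TR39 table.

```python
import re
import unicodedata
from email.utils import parseaddr

# Domains this organisation wants protected from imitation (constructed list).
PROTECTED = {"corp.example", "apple.com", "deutschepost.de"}

# Cyrillic letters that render like Latin ones. Assumption: enough for this
# example; production code should use the full Unicode TR39 confusables table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j"}

# A lookalike of apple.com whose first three letters are Cyrillic а, р, р,
# in the Punycode form that appears in the raw message headers.
PUNYCODE_APPLE = "\u0430\u0440\u0440le.com".encode("idna").decode("ascii")


def to_unicode_domain(domain):
    """Render a domain the way a mail client does: Punycode labels become Unicode."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already contains non-ASCII characters


def label_scripts(label):
    """Scripts of the letters in one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(domain):
    """Replace confusable Cyrillic letters with the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-style lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from(from_header, protected=PROTECTED):
    """Return a list of findings for one From header; an empty list means clean."""
    findings = []
    display_name, addr = parseaddr(from_header)
    # Ghost spoofing: an e-mail address smuggled into the display name.
    if re.search(r"[^\s<>\"]+@[^\s<>\"]+", display_name):
        findings.append("ghost spoofing: display name contains an e-mail address")
    raw_domain = addr.rpartition("@")[2].lower()
    domain = to_unicode_domain(raw_domain)
    if domain != raw_domain:
        findings.append(f"punycode domain: {raw_domain} displays as {domain}")
    for label in domain.split("."):
        if len(label_scripts(label)) > 1:
            findings.append(f"mixed-script label: {label}")
    if domain and domain not in protected:
        twin = skeleton(domain)
        if twin in protected:
            findings.append(f"unicode lookalike of {twin}")
        for brand in sorted(protected):
            if 0 < edit_distance(domain, brand) <= 2:
                findings.append(f"lookalike domain: {domain} resembles {brand}")
    return findings


if __name__ == "__main__":
    for header in ("Ivan Petrov <ivan.petrov@corp.example>",
                   '"Ivan Petrov ivan.petrov@corp.example" <ivan@mailer.example>',
                   "Deutsche Post <service@deutschepots.de>",
                   f"Apple Support <no-reply@{PUNYCODE_APPLE}>"):
        print(header, "->", check_from(header) or ["clean"])
```

Note that the Punycode form is what the raw headers contain; the mail client's conversion to Unicode is exactly what makes the last case look like apple.com on screen.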

Conclusion

There are various ways to convince the recipient of an email that it came from a trusted sender. Some of them seem primitive, yet they enable cybercriminals to successfully bypass mail authentication. At the same time, the technique of spoofing is used to carry out various types of attacks, from standard phishing to advanced BEC. They, in turn, can be just one step in a more sophisticated targeted attack. Accordingly, the damage from spoofing, even if restricted to a single attack, can range from identity theft to business downtime, loss of reputation and multi-million dollar losses.

There is also a variety of anti-spoofing protection methods, from simple (but not very reliable) vigilance to special components in business solutions. Kaspersky solutions for mail servers running on Microsoft Exchange, and Linux and in virtual environments contain such a module, plus we offer a standalone product for Microsoft Office 365.

Doxing in the corporate sector (https://securelist.com/corporate-doxing/101513/), Mon, 29 Mar 2021 10:00:01 +0000

Introduction

Doxing refers to the collection of confidential information about a person without their consent for the purpose of inflicting harm on that person or to otherwise gain some benefit from gathering or disclosing such information. Normally, doxing involves a threat to specific people, such as media personalities or participants of online discussions. However, any organization can also become a victim of doxing. Confidential corporate information is no less sensitive than the personal data of an individual, and the sheer scale of financial and reputational risks from potential blackmail or disclosure of such information can have a colossal impact.

In the article titled “Dox, steal, reveal. Where does your personal data end up?”, we mentioned that a cybercriminal could attack their victim by using targeted phishing e-mails to obtain access to the victim’s data. But this probably would be an expensive undertaking. However, when doxing is aimed at the corporate sector, cybercriminals are less hindered by the cost of an attack because the potential monetary rewards are much larger. To gather as much confidential corporate information as possible, cybercriminals are employing much more diverse methods than they normally would in their attacks against individual users. We will discuss those methods in this article.

Collecting information about a company from public sources

The first and simplest step that can be taken by cybercriminals is to gather data from publicly accessible sources. The Internet can provide doxers with all kinds of helpful information, such as the names and positions of employees, including those who occupy key positions in the company. Such key positions include the CEO, HR department director, and chief accountant.

For example, if LinkedIn shows that the CEO of a company is “friends” with the chief accountant or head of the HR department, and these persons are also friends with their direct subordinates, a cybercriminal only needs to know their individual names to easily figure out the company’s hierarchy and use this information for subsequent attacks.

In less professionally-oriented social networks such as Facebook, many users indicate their workplace and also publish a large amount of personal information, including recreational photos and the specific restaurants and gyms that they visit. You might think that this kind of information would be useless for an attack on a company because this personal info is not actually related to the company and contains no data that could actually compromise the company or the account owner. However, you would be surprised at how useful this information really could be to a cybercriminal.

Attacks using publicly accessible data: BEC

Information from personal profiles of employees can actually be used to set up BEC attacks. A BEC (Business E-mail Compromise) is a targeted attack on the corporate sector in which a cybercriminal initiates e-mail correspondence with an employee of an organization by posing as a different employee (including their superior) or as a representative of a partner company. The attacker does this to gain the trust of the victim before ultimately persuading the victim to perform certain actions, such as sending confidential data or transferring funds to an account controlled by the attacker. We registered 1,646 unique BEC attacks during February of 2021 alone. Let’s examine a scenario in which information from personal profiles of employees can help cybercriminals achieve their ultimate goals.

On his own page on a social network, an employee of a large company publishes an innocent photo with an ocean view and a comment stating that he still has three more weeks of vacation. A few days later, the company account department’s mailbox receives an e-mail from the vacationing employee requesting his pay to be deposited to a card in a different bank. The e-mail sender requests that they take care of this as quickly as possible, and explains that he can’t take any calls because he got sick and is not able to speak over the phone.

Example BEC attack with switched bank details

The unsuspecting accountant asks the employee to send his new bank details. After receiving this new banking information, the accountant changes the employee’s data in the system, and payment is sent to the new bank account some time later. However, a few weeks later, the clueless employee returns from vacation without a penny to his name and is dying to know why the accountant never sent his money.

After a little investigation, they determine that the e-mail regarding payment had been sent by cybercriminals who found out from the employee’s social network post that he was on vacation and temporarily unreachable. Although they used the real first and last name of the employee, the fraudulent message had been sent from a spoofed domain that was very similar to the domain of the organization (more details about this technique can be found in this article).

BEC attacks as a means to collect data

In the example above, the goal of the cybercriminals was a one-time financial profit. However, as we mentioned earlier, BEC attacks can also be aimed at obtaining confidential information. Depending on the position of the employee or the importance of the partner being impersonated by the cybercriminals, they could obtain access to fairly sensitive documents such as contracts or customer databases. In addition, cybercriminals may not limit themselves to just one attack, but could use any acquired information to pursue a larger goal.

Leaked data

Confidential documents that end up in the public domain either by carelessness or from malicious intent can also help cybercriminals to complete a dossier on a company. Over the past few years, there has been a notable increase in data breaches related to data stored in the cloud. Most of these breaches occur with Amazon AWS Simple Cloud Storage (AWS S3) due to the widespread popularity of this system as well as the apparent simplicity of its configuration, which does not require any special knowledge of information security. This simplicity is what ultimately poses a danger to the owners of file repositories in AWS known as “buckets”, which are most often breached due to an incorrect system configuration. For example, in July of 2017, the data of 14 million Verizon users was breached due to incorrectly configured buckets.

Tracking pixel

Cybercriminals may resort to various technical tricks to obtain information relevant to their particular goals. One of these tricks is to distribute e-mail messages containing a tracking pixel, often disguised as some type of “test” message. This technique enables attackers to obtain data such as the time the e-mail was opened, the specific version of the recipient’s mail client, and the IP address, which could help find out the approximate location of the recipient. Using this information, cybercriminals can build a profile on a specific person whom they can then impersonate in subsequent attacks. Specifically, if scammers know the daily schedule and time zone of an employee, they can choose the ideal time to conduct an attack.

Here’s one example of doxing through the use of a tracking pixel, in which the CEO of a large company receives so-called “test messages” whose contents may slightly vary.

Example test message containing a tracking pixel

Messages arrive from different domains and at different times. Some come at the peak of the workday, and some come late at night. The latter are opened by the company CEO almost immediately after arriving at work. Those “test messages” continue to arrive for approximately a week, and then abruptly stop. The CEO thinks the incident is some kind of joke and quickly forgets about it. However, it soon turns out that the company has transferred a few million dollars to the address of an outside company. An investigation reveals that someone claiming to be the CEO had sent several e-mails demanding that the company accountants immediately pay for services rendered by the outside company. This scenario matches one variant of a BEC attack known as a CEO fraud attack, in which cybercriminals pose as top managers of organizations.

Example e-mail used to initiate a CEO fraud attack

In this scenario, cybercriminals found out the work schedule of their targets by using “test messages” containing a tracking pixel that they sent not only to the CEO but also to specific accounting employees. They were then able to request the transfer of a large sum of money supposedly on behalf of the CEO at an ideal time when the CEO was unreachable, but the accounting department was already online.
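A tracking pixel only works if the mail client fetches a remote image, so the defensive counterpart is to block remote image loading or to flag the images that look like beacons. The following added example (not code from the article or from Kaspersky) parses the HTML body of a constructed "test message" and reports remote images that are 1x1, hidden by style, or carry a unique token in their URL; the host names and token are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a "test message" body: a visible logo plus a remote 1x1
# image whose URL carries a per-recipient token (not a message from the article).
TEST_MESSAGE_HTML = """
<html><body>
<p>Test message, please ignore.</p>
<img src="https://cdn.example/logo.png" width="200" height="50" alt="logo">
<img src="https://track.example/o/9f1c2b3a4d5e6f708192a3b4.gif?r=ceo"
     width="1" height="1" style="display:none">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for a width/height of 0 or 1, with or without a 'px' suffix."""
    return re.fullmatch(r"\s*[01]\s*(px)?\s*", value, re.I) is not None


def find_tracking_pixels(html):
    """Return [(src, [reasons])] for remote images that behave like tracking pixels."""
    parser = ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images are embedded and cannot report an open
        reasons = []
        if _tiny(img.get("width", "")) and _tiny(img.get("height", "")):
            reasons.append("1x1 size")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        # A long opaque path segment or query ties the fetch to one recipient.
        if len(url.query) >= 16 or re.search(r"/[A-Za-z0-9_-]{16,}", url.path):
            reasons.append("unique token in URL")
        if reasons:
            hits.append((src, reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(TEST_MESSAGE_HTML):
        print(src, "->", ", ".join(reasons))
```

Each fetch of the flagged URL hands the sender the open time, the client's User-Agent and the connecting IP address, which is exactly the data the passage above describes.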

Phishing

Despite their seemingly primitive simplicity, e-mail phishing and other malicious attacks still serve as some of the main tools used by cybercriminals to gather corporate data. These attacks usually follow a standard scenario.

Corporate e-mail addresses of employees receive messages that imitate typical notifications coming from business platforms such as SharePoint. These messages urgently ask the employees to follow a link to either read an important document or perform some other important action. If employees actually follow the recommendations of this e-mail, they will end up on a spoofed website containing a fraudulent form for entering their corporate account credentials. If an employee attempts to log in to this fake resource, this login information will end up in the hands of the phishing scammers. If a business platform is accessible not only from within the corporate network but also from outside of it, the cybercriminals could then log in to the resource using the employee’s account and collect the information they need.

Example phishing e-mail. An employee is asked to follow a link to read a fax message

The first wave of an attack launched against an organization may also be a phishing ploy aimed at hijacking the personal accounts of employees. Many users are “friends” with their colleagues on social networks and correspond with them in popular messengers, which may include discussions about work-related issues. By gaining access to an employee’s account, cybercriminals can skillfully coax the employee’s contacts into disclosing corporate information.

Luckily, simple mass e-mail phishing is promptly detected by most security products, and more and more users are becoming aware of these types of attacks. However, cybercriminals are resorting to more advanced types of attacks, such as phishing for data over the phone.

Phone phishing

The main difference between phone phishing and typical phishing attacks is that cybercriminals persuade their victim to give them confidential information over the phone instead of via a phishing web page. They also may use various methods to establish contact with their victim. For example, they can directly call specific employees or call around the entire company — if the database of employee contacts ended up in their hands, or they can distribute e-mail messages requesting that the employees call a specific number. The latter example is more interesting, so we will discuss this method in detail.

Let’s examine a potential scenario for such an attack. A company employee receives a phishing e-mail that is specially stylized as an official message from a large service provider such as Microsoft. The message contains information that requires the victim to make a quick decision. Cybercriminals may also try to intimidate the recipient. The example below states that child pornography was accessed from the victim’s computer. To resolve the issue, the cybercriminals request that the employee contact technical support at a specific number. If the victim actually calls the specific number, the cybercriminals could pose as Microsoft technical support personnel and dupe the victim into revealing their username and password for accessing the company’s internal systems.

Example e-mail message initiating a phone phishing attack

Cybercriminals often pose as technical support personnel or as representatives of the company’s IT department to gain the trust of its employees. This was exactly the technique used for the Twitter hack in the summer of 2020.

Message from Twitter Support regarding the incident

Twitter employees with access to internal systems of the company received phone calls supposedly from the IT department. During these conversations, cybercriminals employed social engineering techniques to gain access not only to the internal network of the company, but also to tools that enabled them to manage Twitter user accounts. As a result, the pages of many famous people showed fraudulent messages promising their readers that they would receive double any amount that they transferred to a specific bitcoin wallet. More details about this incident can be found in the Twitter company blog.

Examples of scam messages on Twitter

The victims of this incident included the company itself, which incurred reputational losses, and many Twitter users who were duped by the messages from the spoofed posts and actually transferred more than $110,000 in bitcoin. This perfectly illustrates the fact that the initially attacked company is not always the ultimate victim of corporate doxing, but it could be just an unknowing intermediary within a much larger cybercriminal campaign aimed at the company’s customers or partners. Ultimately, the reputation of all involved parties will be damaged.

Doxing of individual employees

Traditional doxing involving the collection of data on specific people could also be used in a larger attack against an organization. As we mentioned earlier, cybercriminals can employ BEC attacks based on specific information acquired from publicly accessible posts on social networks. However, this is not the only potential consequence of doxing, especially for cases of targeted data collection in which the attackers do not limit themselves to publicly available data sources but actually hack the accounts of a victim for the purpose of obtaining access to private content.

Identity theft

One possible result of doxing aimed at an individual employee is theft of their identity. Under a stolen identity, cybercriminals can circulate false statements that damage the company's reputation and sometimes cause financial losses, especially when the statements are attributed to a senior employee whose words are capable of provoking a serious scandal.

Consider one potential attack scenario involving identity theft. The attackers create a fake account for a senior manager of the target company on a social network where the manager has not yet registered, such as Clubhouse. The account joins discussions with a large audience and repeatedly makes provocative statements, which the media eventually report. As a result, the company's share price may fall and prospective customers may drift toward competitors. Notably, cases of identity theft have already been observed on Clubhouse, albeit relatively minor ones so far.

Cybercriminals may also impersonate an employee for direct fraud. If an attacker has collected audio and video of the victim, for example from conference presentations, broadcasts, or their Instagram stories, that material can be used to produce a “deepfake”. There have already been cases in which scammers convincingly imitated the voice of the CEO of an international company and persuaded the management of one of its branches to transfer a large sum of money to the scammers.

Conclusion

Corporate doxing poses a serious threat to the confidential data of a company. This article provided examples showing how information that is publicly accessible and generally non-threatening to a company could actually lead to an attack that results in significant financial and reputational losses if such information falls into the hands of professional cybercriminals. The more sensitive the data accessed by cybercriminals, the more damage they are capable of inflicting. They could demand ransom for the confidential information, sell it on the dark web, or use it for subsequent attacks on customers, partners, and company departments responsible for financial transactions.

How to protect yourself

To prevent a successful attack on your company, or to minimize its impact, first accept that skimping on security tools is never a good idea, especially given the steady stream of new technologies that cybercriminals can turn to their advantage. To lower the likelihood of confidential data theft:

  • Establish a firm rule that work-related matters are discussed only in the official corporate messengers, never in external ones, and train your employees to follow it.
  • Help your employees become more knowledgeable and aware of cybersecurity issues. This is the only way to effectively counteract the social engineering techniques that are aggressively used by cybercriminals. To do so, you could use an online training platform such as Kaspersky Automated Security Awareness Platform.
  • An employee who is well versed in cybersecurity issues is able to thwart an attack. For instance, on receiving an e-mail from a colleague requesting information, they will know to first call the colleague to confirm that the message is genuine, using a phone number from the corporate directory rather than one supplied in the message itself.
  • Utilize anti-spam and anti-phishing technologies. Kaspersky provides several of these types of solutions, which are included in the following business-oriented products: Kaspersky Security for Microsoft Exchange Servers, Kaspersky Security for Linux Mail Server, Kaspersky Secure Mail Gateway, and the standalone product Kaspersky Security for Microsoft Office 365.
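The following Python script is an added example, not code from this article and not the logic of any Kaspersky product. It applies three header-level checks that correspond to the BEC scenario described above: a display name that matches a known employee but an address outside the corporate domain, a Reply-To header that diverts replies to a different mailbox, and a sender domain that is a near-copy of the corporate domain. The corporate domain, the employee directory and both sample messages are constructed for illustration.

```python
"""Heuristic checks for BEC-style impersonation in e-mail headers.

Added example, not code from the Securelist article or from any Kaspersky
product. The corporate domain, the employee directory and the sample
messages below are all constructed for illustration.
"""
from __future__ import annotations

from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # assumption: the company's real mail domain
# assumption: a small directory mapping display names to real addresses
EMPLOYEES = {
    "jane doe": "jane.doe@example.com",
    "bob smith": "bob.smith@example.com",
}

# Constructed message impersonating a known manager from a lookalike domain
# ("examp1e" with the digit one), with replies diverted to a third party.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: accounts-payable@mail-relay.net
To: bob.smith@example.com
Subject: Urgent: vendor bank details update

Bob, please update the wire details for our supplier before 5pm. Jane
"""

# Constructed benign message sent from the real corporate address.
SAMPLE_OK = """\
From: Jane Doe <jane.doe@example.com>
To: bob.smith@example.com
Subject: Q3 planning

Bob, can you send me the draft budget when you have a moment? Jane
"""


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain: str, reference: str = CORP_DOMAIN) -> bool:
    """True if domain is close to, but not identical to, the corporate domain."""
    if not domain or domain == reference:
        return False
    # Ratio of matching characters; 0.8 is an assumed threshold, tune per site.
    return SequenceMatcher(None, domain, reference).ratio() >= 0.8


def analyze(raw_message: str) -> list[str]:
    """Return findings for one RFC 5322 message (empty list if nothing found)."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(address)
    findings: list[str] = []

    # 1. Display name belongs to a known employee, but the address differs.
    known = EMPLOYEES.get(name.strip().lower())
    if known and address.lower() != known:
        findings.append("display-name-impersonation")

    # 2. Replies are silently redirected to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address.lower():
        findings.append("reply-to-mismatch")

    # 3. Sender domain is a near-duplicate of the corporate domain.
    if is_lookalike(sender_domain):
        findings.append("lookalike-domain")

    return findings


if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("OK", SAMPLE_OK)):
        print(label, analyze(sample) or "no findings")
```

These are heuristics, not verdicts: mailing lists legitimately set Reply-To, and a colleague may occasionally write from a personal mailbox. A finding should trigger the out-of-band confirmation call recommended above rather than replace it, and checks of this kind belong at the mail gateway, where they complement the anti-phishing products listed, not in place of them.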