Group-IB specialists presented a report dedicated to the main trends in computer crime during the COVID-19 pandemic. The report was presented at the international forum of the Academy of Management of the Ministry of Internal Affairs of the Russian Federation, "Strategic development of the system of the Ministry of Internal Affairs of Russia: state, trends, prospects".
The consequences of the coronavirus pandemic, the transfer of employees to remote work, staff reductions and the financial crisis have caused a rapid increase in computer crime. According to Group-IB analysts, the number of financial frauds using social engineering methods has grown most of all. For the period from January to June 2020, according to the Ministry of Internal Affairs, cybercrime increased by 91.7% compared to the same period of the previous year. At the same time, the number of "classic crimes" decreased: street robberies fell by 23.6%, robberies by 20.7%, thefts by 19.6% and car thefts by 28.7%.
The Ministry of Internal Affairs names as one of the main trends the development of remote methods of committing crimes, in which there is no physical contact between attackers and their victims: crime has moved from offline to online. For example, whereas until 2014 drugs were sold mainly "from hand to hand", drug traffickers now use electronic trading platforms on the darknet almost exclusively, accepting payment in cryptocurrency.
Almost 70% of registered crimes related to illegal arms trafficking in 2020 were also committed using the Internet, remotely and anonymously. The same applies to the illegal sale of counterfeit money, securities and documents.
Throughout 2020, Group-IB analysts recorded an increase in the number of financial frauds using social engineering (vishing and phishing), most of which targeted bank customers. In total, in the first nine months of 2020, CERT-GIB blocked 14,802 phishing resources aimed at stealing money and the personal information of site visitors (logins, passwords for accounts and online banking, bank card data). This is more than in the previous year, when 14,093 such web resources were blocked.
The Academy of Management of the Ministry of Internal Affairs notes that the most common mechanism of remote fraud remains the now-traditional call from the "bank security service", allegedly about an unauthorized transaction or a compromised personal account. At the same time, telephone scammers actively used caller-ID spoofing and SIP telephony. When anonymizers are used, it is very difficult to establish the real IP address of an attacker.
In addition, many services have recently appeared for "looking up" information on bank clients, built on a combination of OSINT methods and insider access to various databases. These have increased the amount of information about potential victims available to attackers and led to an increase in the number of attacks.
At the same time, the fraud schemes themselves have not really changed. The main motive of cybercriminals is the same, the theft of money or of information that can be sold, but the schemes have acquired new "packaging" adapted to the current agenda: the sale of fake digital passes, messages about fines for violating quarantine, fake courier-service sites, and fraudulent mailings on behalf of the Zoom video conferencing service.
“Throughout 2020, Group-IB has seen active recruitment into criminal fraudulent communities. The entry threshold has dropped significantly: new members are attracted through Telegram channels and hacker forums with subsequent training and introductory bonuses. The “gray zone” also quickly adjusted to market demands, so the “ticket mafia” reoriented its resources to deliver food and medicine at inflated prices,” says Andrey Kolmakov, head of the information security incident investigation department at Group-IB.
According to the expert, the cybercrime-as-a-service market was actively developing, offering the leasing of computer networks infected with malware (botnets) that are used, for example, to organize DDoS attacks, send phishing emails and provide proxy servers. … As well as offers to hack messengers and social networks, these services are advertised on Telegram and on hacker forums.
The report states that during the pandemic, email remained one of the main attack vectors.
“The cybercriminals targeted employees who had been moved to remote work, infecting their computers with malicious programs through which they then gained access to the corporate network. Most often, the intercepted malicious mailings disguised as COVID-19 messages carried attachments with spyware, or download links, backdoors and downloaders on board, which were subsequently used to install other malware, including banking Trojans or ransomware,” says Valery Baulin, head of the Group-IB Computer Forensics Laboratory.
The popularity of the latter is not accidental, the experts write. In 2020, the overwhelming majority of criminal groups switched to working with ransomware: the attackers realized that with it they could earn no less than from a successful attack on a bank, while the technical execution is much easier.
This year has given rise to even more groups and affiliate programs, as well as new collaborations. Thus, the operators of the banking Trojan QakBot joined Big Game Hunting (attacks on large companies with the aim of obtaining a significant ransom) using the ProLock ransomware, and more recently the FIN7 group, which actively attacked banks and hotels, joined the REvil ransomware affiliate …
The size of the ransom demanded in such attacks has also increased significantly: ransomware operators often demand several million dollars from victims, and sometimes tens of millions.