Group-IB analysts reported that in 2019 the company blocked more than 14,000 phishing resources, three times more than a year earlier. Among the key trends of the year, CERT-GIB experts noted a shift in the focus of attacks toward cloud storage users in both the B2C and B2B segments, as well as a transition by phishers from creating single fraudulent pages to entire "networks" of sites impersonating particular brands, which keeps their campaigns running and makes them resistant to blocking.
In the second half of 2019, CERT-GIB blocked 8,506 phishing resources, compared with 2,567 a year earlier. In total, 14,093 phishing pages were blocked in 2019, against 4,494 the year before.
The sharp increase in the number of blocks is explained not only by more effective detection of criminal schemes, but also by a change in phishing tactics that lengthened phishing campaigns: in previous years, attackers for the most part stopped a campaign once its fraudulent web resources were blocked and quickly switched to other brands. Now they keep going, creating new pages to replace the blocked ones. As a result, another trend of the year was the growing complexity and size of the infrastructure built to run a phishing attack.
According to Group-IB, last year the largest number of phishing pages was aimed at online services (29.3%), cloud storage (25.4%) and financial institutions (17.6%).
Researchers also say that last year attackers revised the "pool" of their victims: the number of phishing attacks disguised as cloud storage services almost doubled, and the number of fraudulent pages targeting users of Internet providers tripled.
The value of access to a user's cloud storage or personal account on a provider's website is clear: the "hunt", as always, is for the personal or payment data that may be stored there. The growing interest in attacks on cloud storage and Internet providers was accompanied by a decline in phishing against email services, whose share of all phishing resources fell from 19.9% to 5.9%, and against cryptocurrency projects.
Interestingly, 2019 saw a change in the leading country for hosting phishing resources: the United States (27%), which had held the lead for the past few years, gave way to Russia (34%). The holder of third place was unchanged: Panama kept the "bronze", accounting for 8% of blocked resources.
Besides the three leaders, last year's ranking also included Germany, South Africa, the United Kingdom, the Netherlands, Canada, Malaysia and France.
The second half of 2019 brought no change to the trend of recent years: email remained the main delivery channel for malware (ransomware, banking Trojans, backdoors) and was used by attackers in 94% of the cases studied.
In most cases (98%), malware was hidden in attachments, and only 2% of phishing emails contained links leading to the download of malicious objects. For comparison, in the first half of 2019, 23% of phishing emails contained links. Such statistics may indicate that emails with attachments are more effective for attackers.
To evade corporate security controls, attackers continued to archive malicious attachments. In the second half of 2019, about 70% of all malicious objects were delivered inside archives, mainly in the .rar (29%) and .zip (16%) formats. The attackers supplied the password for decrypting the contents in the email carrying the malicious attachment, in the subject line or in the name of the archive, or during further correspondence with the victim.
Ransomware remained the most common payload of phishing emails in the second half of last year, accounting for 47% of all malicious attachments.
Banking Trojans continued to lose popularity and were detected in only 9% of malicious campaigns, giving way to spyware and backdoors (35%). This shift may be due to the growing functionality of backdoors, which can also be used to steal financial information.
The top 10 tools used by cybercriminals in attacks recorded by CERT-GIB in the second half of 2019 were the Troldesh ransomware (55%); the backdoors Pony (11%), Formbook (5%), Nanocore (4%) and Netwire (1%); the banking Trojans RTM (6%) and Emotet (5%); and the spyware AgentTesla (3%), Hawkeye (2%) and Azorult (1%). AgentTesla, Netwire and Azorult were new threats in the observed period.
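The pattern described above, an archive attachment whose password is handed over in the subject line, the archive name or the message body, is something a mail gateway can flag on its own. The following Python example is added here for illustration and is not code from Group-IB or CERT-GIB: it builds a constructed sample email with a ZIP attachment, marks the ZIP as password-protected by setting the encryption bit in its headers (standard ZIP general-purpose flag bit 0), and then runs a triage function that reports archive attachments, encrypted ZIPs and password hints. Addresses, file names and the password-hint regex are assumptions chosen for the demonstration.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions treated as archives; .rar and .zip are the formats named in the report.
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")
# Assumed heuristic: a "password"-like keyword followed by a token of 3+ chars.
PASSWORD_HINT = re.compile(r"(password|passcode|pwd|pass\s*word)\s*[:=-]?\s*\S{3,}", re.IGNORECASE)


def make_zip(encrypted: bool) -> bytes:
    """Build a small in-memory ZIP with constructed sample content.
    With encrypted=True, set bit 0 of the general-purpose flag in the local
    file header (offset 6) and the central directory entry (offset 8) so the
    archive is reported as password-protected, as a real encrypted ZIP would be."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.doc", b"constructed sample payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        local = data.find(b"PK\x03\x04")
        data[local + 6] |= 0x01
        central = data.find(b"PK\x01\x02")
        data[central + 8] |= 0x01
    return bytes(data)


def make_message(subject: str, body: str, attachment_name: str, attachment: bytes) -> bytes:
    """Assemble a constructed sample email (RFC 5322 bytes) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "recipient@example.invalid"     # constructed address
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


def zip_is_encrypted(blob: bytes) -> bool:
    """True if any entry in the ZIP has the encryption flag (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(zi.flag_bits & 0x01 for zi in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> dict:
    """Inspect a raw email and report indicators of the password-in-mail
    archive delivery pattern. 'suspicious' is True only when an encrypted ZIP
    is present together with a password hint somewhere in the message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(ARCHIVE_EXTENSIONS):
            continue
        findings.append(f"archive attachment: {name}")
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") and zip_is_encrypted(payload):
            findings.append(f"encrypted zip: {name}")
        if PASSWORD_HINT.search(name):
            findings.append(f"password hint in attachment name: {name}")
    for label, text in (("subject", subject), ("body", body)):
        if PASSWORD_HINT.search(text):
            findings.append(f"password hint in {label}")
    encrypted = any(f.startswith("encrypted zip") for f in findings)
    hinted = any("password hint" in f for f in findings)
    return {"findings": findings, "suspicious": encrypted and hinted}


if __name__ == "__main__":
    sample = make_message("Invoice 0042, archive password: Qwerty1",
                          "Please review the attached documents.",
                          "invoice.zip", make_zip(encrypted=True))
    for line in triage(sample)["findings"]:
        print(line)
```

The encryption bit alone is a weak signal (legitimate senders also password-protect archives), so the function only raises `suspicious` when the archive is encrypted and the message itself carries the password, which is the combination the report describes. A production gateway would add the other hint locations the report mentions, such as a follow-up message in the same thread, and would handle RAR and 7z headers as well.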
"In the second half of 2019, we observed an increase in the duration of phishing attacks – attackers changed the approach to launching their malicious campaigns, increasing their resource base. Cloud storage and online services will remain the main targets of phishing attack operators due to the large amount of personal information stored there. Such targets allow attackers to first download sensitive data, and then blackmail their victims, demanding a ransom from them," summarizes Yaroslav Kargalev, Deputy Head of CERT Group-IB.