Group-IB, a Singapore-based cybersecurity company, observed a growing lifespan of phishing attacks in the second half of 2019. This trend, revealed by Group-IB’s Computer Emergency Response Team (CERT-GIB), resulted in a tremendous increase in the number of phishing website blockages over the period: it rose by over 230 percent year-on-year. In 2019 in general, web phishers slightly changed their preferences: email service providers gave way to cloud storages in the Top 3 of phishers’ targets, which comes as no surprise given that cloud storages keep a record of literally every aspect of personal and sometimes corporate lives, holding gigabytes of sensitive data. Online services and financial organizations fill the other two spots in the top and seem likely to stay among the most frequent victims for a long time.
In H2 2019, as part of its work to detect and prevent threats distributed online, Group-IB’s Computer Emergency Response Team (CERT-GIB) blocked a total of 8,506 phishing web resources, while in H2 2018 the figure stood at 2,567. This sharp upsurge in the number of blockages stems from the growing duration of phishing attacks: cybercriminals used to stop a fraudulent campaign as soon as its web pages were blocked, quickly mobilizing efforts for attacks on other brands. Today, they no longer give up and keep replacing removed pages with new ones. A related trend is the rising number of resources accumulated for a single attack.
The distribution of web-phishing among target categories
According to the figures for the past year, the Top 3 of web phishers’ targets were online services (namely client software, online streaming services, e-commerce, delivery services, etc.) (29.3%), cloud storages (25.4%), and financial organizations (17.6%). It should be noted that some tech companies provide a wide range of Internet-related services, and some of those services, like cloud storages and email services, form separate categories. CERT-GIB’s findings indicate that phishing attack perpetrators have revised their so-called target pool. Thus, the number of phishing attacks on cloud storages nearly doubled last year, while Internet providers have seen a three-fold increase in the number of phishing scams targeting them. Access to users’ cloud storages and to their accounts with an internet service provider both enable attackers to obtain a great deal of sensitive information, such as personal and payment data.
This was accompanied by lower interest in email service providers (the share of attacks on them decreased from 19.9 percent to 5.9 percent) and in cryptocurrency projects, which became less attractive to cybercriminals as the hype surrounding them started fading away.
Balance of power
The map of major web phishing-hosting countries
The pedestal of web phishing-hosting countries, according to CERT-GIB’s data, had its leader changed last year: the United States (27%), which had been the undisputed leader in hosting phishing for the past several years, yielded to Russia (34%) and took second place, while Panama, well behind its two predecessors, remained third (8%), just as the year before.
Other countries hosting the majority of phishing pages in 2019 were Germany, South Africa, the United Kingdom, the Netherlands, Canada, Malaysia, and France.
Malware delivery: what’s on the menu?
H2 2019 confirmed the trend of the past several years: email remains the main method of delivering ransomware, spyware, backdoors and other malware, being used by cyber crooks in 94 percent of cases. In the majority of cases (98 percent) malicious items were delivered as attachments, while only 2 percent of phishing emails contained links by which a user could download malware. For comparison, according to CERT-GIB, in H1 2019, 23 percent of phishing emails had a link in them, which might mean that malicious attachments proved to have a greater “ROI” for scammers.
To bypass corporate security systems in H2 2019, cybercriminals continued to archive their malicious attachments. About 70% of all malicious objects detected by CERT-GIB were delivered in archive files, mainly in .rar (29%) and .zip (16%) formats. Threat actors included the passwords for accessing the archives’ contents in the subject of the email, in the name of the archive, or in their subsequent correspondence with the victim.
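A mail-gateway check for the delivery pattern described above (an encrypted archive attachment whose password is handed over in the subject line), written as an added example for this page rather than code from Group-IB or CERT-GIB. The sample message and its ZIP are constructed inline; the function names and the password regex are this example's own assumptions.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Archive formats the report says carried most malicious attachments.
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
# Assumed pattern for a password handed over in the subject line.
PASSWORD_RE = re.compile(r"\b(?:password|pass|pwd)\b\s*[:=]?\s*\S+", re.I)

def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag marks an encrypted ZIP entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(zi.flag_bits & 0x1 for zi in zf.infolist())
    except zipfile.BadZipFile:
        return False

def inspect_message(raw: bytes) -> dict:
    """Inspect one raw RFC 822 message: archive attachments, encryption, password hint."""
    msg = email.message_from_bytes(raw)
    subject = str(msg.get("Subject", ""))
    findings = {"archives": [], "encrypted": [],
                "password_in_subject": bool(PASSWORD_RE.search(subject))}
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_EXTS):
            findings["archives"].append(name)
            payload = part.get_payload(decode=True) or b""
            # Only ZIP is parsed here; RAR/7z would need a dedicated library.
            if name.endswith(".zip") and zip_is_encrypted(payload):
                findings["encrypted"].append(name)
    findings["suspicious"] = bool(findings["encrypted"]) and findings["password_in_subject"]
    return findings

def _constructed_encrypted_zip() -> bytes:
    """Constructed sample: a harmless ZIP with the encryption flag bit forced on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"placeholder, not an executable")
    data = bytearray(buf.getvalue())
    data[6] |= 0x1                       # local file header: flags at offset 6
    cd = data.find(b"PK\x01\x02")        # central directory header
    data[cd + 8] |= 0x1                  # flags at offset 8 from its signature
    return bytes(data)

def constructed_sample() -> bytes:
    """Constructed phishing-style message carrying the archive and its password."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice 4471, password: 2019"
    msg["From"] = "billing@example.invalid"
    msg.set_content("See attached archive.")
    msg.add_attachment(_constructed_encrypted_zip(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

The `suspicious` flag fires only when both signals coincide, so a legitimately encrypted archive without a password in the subject is merely recorded, not flagged.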
Top-10 threats hiding in malicious emails in H2 2019 and extension of attached malicious files
In the second half of 2019, ransomware remained the most frequent “stuffing” of phishing emails, accounting for 47 percent of the total number of malicious attachments. Banking Trojans, as Group-IB forecasted in its Hi-Tech Crime Trends Report 2019/2020, continued losing popularity and represented only 9 percent of malicious attachments. This let spyware and backdoors move ahead and become the second most popular malware category with a 35-percent share. The reason might be the expanding functionality of backdoors, which also enables them to steal financial data and to replace tools designed for harvesting banking data only, like banking Trojans.
The Top-10 tools used in attacks tracked by CERT-GIB in the second half of 2019 were the ransomware Troldesh (55%), which Group-IB has been tracking for several years already; the backdoors Pony (11%), Formbook (5%), Nanocore (4%) and Netwire (1%); the banking Trojans RTM (6%) and Emotet (5%); and the spyware AgentTesla (3%), Hawkeye (2%), and Azorult (1%). AgentTesla, Netwire and Azorult appeared among attackers’ preferred instruments for the first time.
CERT-GIB deputy head