Viry a Červi

Microsoft: Another Chinese cyberspy crew targeting US critical orgs 'as of yesterday'

The Register - Anti-Virus - 6 Prosinec, 2024 - 02:03
Redmond threat intel maven talks explains this persistent pain to The Reg

A Chinese government-linked group that Microsoft tracks as Storm-2077 has been actively targeting critical organizations and US government agencies as of yesterday, according to Redmond's threat intel team.…

Kategorie: Viry a Červi

Solana blockchain's popular web3.js npm package backdoored to steal keys, funds

The Register - Anti-Virus - 6 Prosinec, 2024 - 00:13
Damage likely limited to those running bots with private PKI access

Malware-poisoned versions of the widely used JavaScript library @solana/web3.js were distributed via the npm package registry, according to an advisory issued Wednesday by project maintainer Steven Luscher.…

Kategorie: Viry a Červi

Explore strategies for effective endpoint control

The Register - Anti-Virus - 5 Prosinec, 2024 - 19:43
Discover how automation can simplify endpoint management in this webinar

Webinar  Managing endpoints in today's dynamic IT environments is becoming increasingly complex.…

Kategorie: Viry a Červi

British hospitals hit by cyberattacks still battling to get systems back online

The Register - Anti-Virus - 5 Prosinec, 2024 - 13:25
Children's hospital and cardiac unit say criminals broke in via shared 'digital gateway service'

Updated  Both National Health Service trusts that oversee the various hospitals hit by separate cyberattacks last week have confirmed they're still in the process of restoring systems.…

Kategorie: Viry a Červi

BT Group confirms attackers tried to break into Conferencing division

The Register - Anti-Virus - 5 Prosinec, 2024 - 12:03
Sensitive data allegedly stolen from US subsidiary following Black Basta post

BT Group confirmed it is dealing with an attempted attack on one of its legacy business units after the Black Basta ransomware group claimed they broke in.…

Kategorie: Viry a Červi

Shape the future of UK cyber security

The Register - Anti-Virus - 5 Prosinec, 2024 - 10:03
Support the industry by sponsoring the UK Cyber Team Competition

Partner Content  The opportunity to identify, foster and nurture talented young people towards a cyber security career should always be grabbed with both hands.…

Kategorie: Viry a Červi

Ransomware hangover, Putin grudge blamed for vodka maker's bankruptcy

The Register - Anti-Virus - 5 Prosinec, 2024 - 09:30
Stoli Group on the rocks in the US

Two US subsidiaries of alcohol giant Stoli Group filed for bankruptcy protection this week over financial difficulties exacerbated by an August ransomware attack.…

Kategorie: Viry a Červi

T-Mobile US CSO: Spies jumped from one telco to another in a way 'I've not seen in my career'

The Register - Anti-Virus - 5 Prosinec, 2024 - 01:52
Security chief talks to El Reg as Feds urge everyone to use encrypted chat

Interview  While Chinese-government-backed spies maintained access to US telecommunications providers' networks for months – and in some cases still haven't been booted out – T-Mobile US thwarted successful attacks on its systems "within a single-digit number of days," according to the carrier's security boss Jeff Simon.…

Kategorie: Viry a Červi

Cops arrest suspected admin of German-language crime bazaar

The Register - Anti-Virus - 4 Prosinec, 2024 - 16:30
Drugs, botnets, forged docs, and more generated fortune for platform sellers

German authorities say they have again shut down the perhaps unwisely named Crimenetwork platform and arrested a suspected admin.…

Kategorie: Viry a Červi

Microsoft says premature patch could make Windows Recall forget how to work

The Register - Anti-Virus - 4 Prosinec, 2024 - 15:03
Installed the final non-security preview update of 2024? Best not hop onto the Dev Channel

Microsoft has pinned down why some eager Windows Insiders could not persuade the Recall preview to save any snapshots. It's all down to a pesky non-security preview.…

Kategorie: Viry a Červi

Eurocops take down 'secure' criminal chat system known as Matrix

The Register - Anti-Virus - 4 Prosinec, 2024 - 09:32
They took the red pill

Updated  French and Dutch police have taken down the Matrix chat app, which was designed by criminals for criminals to be a secure encrypted messaging tool.…

Kategorie: Viry a Červi

FTC scolds two data brokers for allegedly selling your location to the meter

The Register - Anti-Virus - 4 Prosinec, 2024 - 03:29
'Where we go is who we are' totally isn't a creepy ad slogan at all

The FTC has reached a settlement with two data brokerages over allegations they harvested precise location data that shows when people entered hospitals, places of worship, and even attended protests supporting the late George Floyd.…

Kategorie: Viry a Červi

Perfect 10 directory traversal vuln hits SailPoint's IAM solution

The Register - Anti-Virus - 4 Prosinec, 2024 - 00:45
20-year-old info disclosure class bug still pervades security software

Updated  It's time to rev up those patch engines after SailPoint disclosed a perfect 10/10 severity vulnerability in its identity and access management (IAM) platform IdentityIQ.…

Kategorie: Viry a Červi

Major energy contractor reports 'limited' access to IT after ransomware locks files

The Register - Anti-Virus - 3 Prosinec, 2024 - 21:00
ENGlobal customers include the Pentagon as well as major oil and gas producers

American energy contractor ENGlobal disclosed that access to its IT systems remains limited following a ransomware infection in late November.…

Kategorie: Viry a Červi

Severity of the risk facing the UK is widely underestimated, NCSC annual review warns

The Register - Anti-Virus - 3 Prosinec, 2024 - 12:45
National cyber emergencies increased threefold this year

The number of security threats in the UK that hit the country's National Cyber Security Centre's (NCSC) maximum severity threshold has tripled compared to the previous 12 months.…

Kategorie: Viry a Červi

Russia gives life sentence to Hydra dark web kingpin after seizing a ton of drugs

The Register - Anti-Virus - 3 Prosinec, 2024 - 08:29
No exaggeration – literally a ton. Plus, 15 co-conspirators also put behind bars

A Russian court has handed a life sentence to the head of the infamous online drugs souk Hydra, and 15 of his co-conspirators will also spend many years behind bars.…

Kategorie: Viry a Červi

Data on 760K workers from Xerox, Nokia, BofA, Morgan Stanley and more dumped online

The Register - Anti-Virus - 3 Prosinec, 2024 - 03:57
Yet another result of the MOVEit mess

Hundreds of thousands of employees from major corporations including Xerox, Nokia, Koch, Bank of America, Morgan Stanley and others appear to be the latest victims in a massive data breach linked to last year's attacks on file transfer tool MOVEit.…

Kategorie: Viry a Červi

AWS unveils cloud security IR service for a mere $7K a month

The Register - Anti-Virus - 3 Prosinec, 2024 - 02:30
Tap into the infinite scalability... of pricing

Re:Invent  Amazon Web Services has a new incident response service that combines automation and people to protect customers' AWS accounts - at a hefty price.…

Kategorie: Viry a Červi

Mandrake spyware sneaks onto Google Play again, flying under the radar for two years

Kaspersky Securelist - 29 Červenec, 2024 - 11:00

Introduction

In May 2020, Bitdefender released a white paper containing a detailed analysis of Mandrake, a sophisticated Android cyber-espionage platform, which had been active in the wild for at least four years.

In April 2024, we discovered a suspicious sample that appeared to be a new version of Mandrake. Ensuing analysis revealed as many as five Mandrake applications, which had been available on Google Play from 2022 to 2024 with more than 32,000 installs in total, while staying undetected by any other vendor. The new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment.

Our findings, in a nutshell, were as follows.

  • After a two-year break, the Mandrake Android spyware returned to Google Play and lay low for two years.
  • The threat actors have moved the core malicious functionality to native libraries obfuscated with OLLVM.
  • Communication with command-and-control servers (C2) uses certificate pinning to prevent capture of SSL traffic.
  • Mandrake is equipped with a diverse arsenal of sandbox evasion and anti-analysis techniques.

Kaspersky products detect this threat as HEUR:Trojan-Spy.AndroidOS.Mandrake.*.

Technical details Background

The original Mandrake campaign with its two major infection waves, in 2016–2017 and 2018–2020, was analyzed by Bitdefender in May 2020. After the Bitdefender report was published, we discovered one more sample associated with the campaign, which was still available on Google Play.

The Mandrake application from the previous campaign on Google Play

In April 2024, we found a suspicious sample that turned out to be a new version of Mandrake. The main distinguishing feature of the new Mandrake variant was layers of obfuscation designed to bypass Google Play checks and hamper analysis. We discovered five applications containing Mandrake, with more than 32,000 total downloads. All these were published on Google Play in 2022 and remained available for at least a year. The newest app was last updated on March 15, 2024 and removed from Google Play later that month. As at July 2024, none of the apps had been detected as malware by any vendor, according to VirusTotal.

Mandrake samples on VirusTotal

Applications Package name App name MD5 Developer Released Last updated on Google Play Downloads com.airft.ftrnsfr AirFS 33fdfbb1acdc226eb177eb42f3d22db4 it9042 Apr 28,
2022 Mar 15,
2024 30,305 com.astro.dscvr Astro Explorer 31ae39a7abeea3901a681f847199ed88 shevabad May 30,
2022 Jun 06,
2023 718 com.shrp.sght Amber b4acfaeada60f41f6925628c824bb35e kodaslda Feb 27,
2022 Aug 19,
2023 19 com.cryptopulsing.browser CryptoPulsing e165cda25ef49c02ed94ab524fafa938 shevabad Nov 02,
2022 Jun 06,
2023 790 com.brnmth.mtrx Brain Matrix – kodaslda Apr 27,
2022 Jun 06,
2023 259

Mandrake applications on Google Play

We were not able to get the APK file for com.brnmth.mtrx, but given the developer and publication date, we assume with high confidence that it contained Mandrake spyware.

Application icons

Malware implant

The focus of this report is an application named AirFS, which was offered on Google Play for two years and last updated on March 15, 2024. It had the biggest number of downloads: more than 30,000. The malware was disguised as a file sharing app.

AirFS on Google Play

According to reviews, several users noticed that the app did not work or stole data from their devices.

Application reviews

Infection chain

Like the previous versions of Mandrake described by Bitdefender, applications in the latest campaign work in stages: dropper, loader and core. Unlike the previous campaign where the malicious logic of the first stage (dropper) was found in the application DEX file, the new versions hide all the first-stage malicious activity inside the native library libopencv_dnn.so, which is harder to analyze and detect than DEX files. This library exports functions to decrypt the next stage (loader) from the assets/raw folder.

Contents of the main APK file

Interestingly, the sample com.shrp.sght has only two stages, where the loader and core capabilities are combined into one APK file, which the dropper decrypts from its assets.

While in the past Mandrake campaigns we saw different branches (“oxide”, “briar”, “ricinus”, “darkmatter”), the current campaign is related to the “ricinus” branch. The second- and third-stage files are named “ricinus_airfs_3.4.0.9.apk”, “ricinus_dropper_core_airfs_3.4.1.9.apk”, “ricinus_amber_3.3.8.2.apk” and so on.

When the application starts, it loads the native library:

Loading the native library

To make detection harder, the first-stage native library is heavily obfuscated with the OLLVM obfuscator. Its main goal is to decrypt and load the second stage, named “loader“. After unpacking, decrypting and loading into memory the second-stage DEX file, the code calls the method dex_load and executes the second stage. In this method, the second-stage native library path is added to the class loader, and the second-stage main activity and service start. The application then shows a notification that asks for permission to draw overlays.

When the main service starts, the second-stage native library libopencv_java3.so is loaded, and the certificate for C2 communications, which is placed in the second-stage assets folder, is decrypted. The treat actors used an IP address for C2 communications, and if the connection could not be established, the malware tried to connect to more domains. After successfully connecting, the app sends information about the device, including the installed applications, mobile network, IP address and unique device ID, to the C2. If the threat actors find their target relevant on the strength of that data, they respond with a command to download and run the “core” component of Mandrake. The app then downloads, decrypts and executes the third stage (core), which contains the main malware functionality.

Second-stage commands: Command Description start Start activity cup Set wakelock, enable Wi-Fi, and start main parent service cdn Start main service stat Collect information about connectivity status, battery optimization, “draw overlays” permission, adb state, external IP, Google Play version apps Report installed applications accounts Report user accounts battery Report battery percentage home Start launcher app hide Hide launcher icon unload Restore launcher icon core Start core loading clean Remove downloaded core over Request “draw overlays” permission opt Grant the app permission to run in the background Third stage commands: Command Description start Start activity duid Change UID cup Set wakelock, enable Wi-Fi, and start main parent service cdn Start main service stat Collect information about connectivity status, battery optimization, “draw overlays” permission, adb state, external IP, Google Play version apps Report installed applications accounts Report user accounts battery Report battery percentage home Start launcher app hide Hide launcher icon unload Restore launcher icon restart Restart application apk Show application install notification start_v Load an interactive webview overlay with a custom implementation of screen sharing with remote access, commonly referred to by the malware developers “VNC” start_a Load webview overlay with automation stop_v Unload webview overlay start_i, start_d Load webview overlay with screen record stop_i Stop webview overlay upload_i, upload_d Upload screen record over Request “draw overlays” permission opt Grant the app permission to run in the background

When Mandrake receives a start_v command, the service starts and loads the specified URL in an application-owned webview with a custom JavaScript interface, which the application uses to manipulate the web page it loads.

While the page is loading, the application establishes a websocket connection and starts taking screenshots of the page at regular intervals, while encoding them to base64 strings and sending these to the C2 server. The attackers can use additional commands to adjust the frame rate and quality. The threat actors call this “vnc_stream”.  At the same time, the C2 server can send back control commands that make application execute actions, such as swipe to a given coordinate, change the webview size and resolution, switch between the desktop and mobile page display modes, enable or disable JavaScript execution, change the User Agent, import or export cookies, go back and forward, refresh the loaded page, zoom the loaded page and so on.

When Mandrake receives a start_i command, it loads a URL in a webview, but instead of initiating a “VNC” stream, the C2 server starts recording the screen and saving the record to a file. The recording process is similar to the “VNC” scenario, but screenshots are saved to a video file. Also in this mode, the application waits until the user enters their credentials on the web page and then collects cookies from the webview.

The start_a command allows running automated actions in the context of the current page, such as swipe, click, etc. If this is the case, Mandrake downloads automation scenarios from the URL specified in the command options. In this mode, the screen is also recorded.

Screen recordings can be uploaded to the C2 with the upload_i or upload_d commands.

The main goals of Mandrake are to steal the user’s credentials, and download and execute next-stage malicious applications.

Data decryption methods

Data encryption and decryption logic is similar across different Mandrake stages. In this section, we will describe the second-stage data decryption methods.

The second-stage native library libopencv_java3.so contains AES-encrypted C2 domains, and keys for configuration data and payload decryption. Encrypted strings are mixed with plain text strings.

To get the length of the string, Mandrake XORs the first three bytes of the encrypted array, then uses the first two bytes of the array as keys for custom XOR encoding.

Strings decryption algorithm

The key and IV for decrypting AES-encrypted data are encoded in the same way, with part of the data additionally XORed with constants.

AES key decryption

Mandrake uses the OpenSSL library for AES decryption, albeit in quite a strange way. The encrypted file is divided into 16-byte blocks, each of these decrypted with AES-CFB128.

The encrypted certificate for C2 communication is located in the assets/raw folder of the second stage as a file named cart.raw, which is decrypted using the same algorithm.

Installing next-stage applications

When Mandrake gets an apk command from the C2, it downloads a new separate APK file with an additional module and shows the user a notification that looks like something they would receive from Google Play. The user clicking the notification initiates the installation process.

Android 13 introduced the “Restricted Settings” feature, which prohibits sideloaded applications from directly requesting dangerous permissions. To bypass this feature, Mandrake processes the installation with a “session-based” package installer.

Installing additional applications

Sandbox evasion techniques and environment checks

While the main goal of Mandrake remains unchanged from past campaigns, the code complexity and quantity of the emulation checks have significantly increased in recent versions to prevent the code from being executed in environments operated by malware analysts. However, we were able to bypass these restrictions and discovered the changes described below.

The versions of the malware discovered earlier contained only a basic emulation check routine.

Emulator checks in an older Mandrake version

In the new version, we discovered more checks.

To start with, the threat actors added Frida detection. When the application starts, it loads the first-stage native library libopencv_dnn.so. The init_array section of this library contains the Frida detector function call. The threat actors used the DetectFrida method. First, it computes the CRC of all libraries, then it starts a Frida detect thread. Every five seconds, it checks that libraries in memory have not been changed. Additionally, it checks for Frida presence by looking for specific thread and pipe names used by Frida. So, when an analyst tries to use Frida against the application, execution is terminated. Even if you use a custom build of Frida and try to hook a function in the native library, the app detects the code change and terminates.

Next, after collecting device information to make a request for the next stage, the application checks the environment to find out if the device is rooted and if there are analyst tools installed. Unlike some other threat actors who seek to take advantage of root access, Mandrake developers consider a rooted device dangerous, as average users, their targets, do not typically root their phones. First, Mandrake tries to find a su binary, a SuperUser.apk, Busybox or Xposed framework, and Magisk and Saurik Substrate files. Then it checks if the system partition is mounted as read-only. Next, it checks if development settings and ADB are enabled. And finally, it checks for the presence of a Google account and Google Play application on the device.

C2 communication

All C2 communications are maintained via the native part of the applications, using an OpenSSL static compiled library.

To prevent network traffic sniffing, Mandrake uses an encrypted certificate, decrypted from the assets/raw folder, to secure C2 communications. The client needs to be verified by this certificate, so an attempt to capture SSL traffic results in a handshake failure and a breakdown in communications. Still, any packets sent to the C2 are saved locally for additional AES encryption, so we are able to look at message content. Mandrake uses a custom JSON-like serialization format, the same as in previous campaigns.

Example of a C2 request:

node #1 { uid "a1c445f10336076b"; request "1000"; data_1 "32|3.1.1|HWLYO-L6735|26202|de||ricinus_airfs_3.4.0.9|0|0|0||0|0|0|0|Europe/Berlin||180|2|1|41|115|0|0|0|0|loader|0|0|secure_environment||0|0|1|0||0|85.214.132.126|0|1|38.6.10-21 [0] [PR] 585796312|0|0|0|0|0|"; data_2 "loader"; dt 1715178379; next #2; } node #2 { uid "a1c445f10336076b"; request "1010"; data_1 "ricinus_airfs_3.4.0.9"; data_2 ""; dt 1715178377; next #3; } node #3 { uid "a1c445f10336076b"; request "1003"; data_1 "com.airft.ftrnsfr\n\ncom.android.calendar\n\[redacted]\ncom.android.stk\n\n"; data_2 ""; dt 1715178378; next NULL; }

Example of a C2 response:

node #1 { response "a1c445f10336076b"; command "1035"; data_1 ""; data_2 ""; dt "0"; next #2; } node #2 { response "a1c445f10336076b"; command "1022"; data_1 "20"; data_2 "1"; dt "0"; next #3; } node #3 { response "a1c445f10336076b"; command "1027"; data_1 "1"; data_2 ""; dt "0"; next #4; } node #4 { response "a1c445f10336076b"; command "1010"; data_1 "ricinus_dropper_core_airfs_3.4.1.9.apk"; data_2 "60"; dt "0"; next NULL; }

Mandrake uses opcodes from 1000 to 1058. The same opcode can represent different actions depending on whether it is used for a request or a response. See below for examples of this.

  • Request opcode 1000: send device information;
  • Request opcode 1003: send list of installed applications;
  • Request opcode 1010: send information about the component;
  • Response opcode 1002: set contact rate (client-server communication);
  • Response opcode 1010: install next-stage APK;
  • Response opcode 1011: abort next-stage install;
  • Response opcode 1022: request user to allow app to run in background;
  • Response opcode 1023: abort request to allow app to run in background;
  • Response opcode 1027: change application icon to default or Wi-Fi service icon.
Attribution

Considering the similarities between the current campaign and the previous one, and the fact that the C2 domains are registered in Russia, we assume with high confidence that the threat actor is the same as stated in the Bitdefender’s report.

Victims

The malicious applications on Google Play were available in a wide range of countries. Most of the downloads were from Canada, Germany, Italy, Mexico, Spain, Peru and the UK.

Conclusions

The Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion and bypassing new defense mechanisms. After the applications of the first campaign stayed undetected for four years, the current campaign lurked in the shadows for two years, while still available for download on Google Play. This highlights the threat actors’ formidable skills, and also that stricter controls for applications before being published in the markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces.

Indicators of Compromise

File Hashes
141f09c5d8a7af85dde2b7bfe2c89477
1b579842077e0ec75346685ffd689d6e
202b5c0591e1ae09f9021e6aaf5e8a8b
31ae39a7abeea3901a681f847199ed88
33fdfbb1acdc226eb177eb42f3d22db4
3837a06039682ced414a9a7bec7de1ef
3c2c9c6ca906ea6c6d993efd0f2dc40e
494687795592106574edfcdcef27729e
5d77f2f59aade2d1656eb7506bd02cc9
79f8be1e5c050446927d4e4facff279c
7f1805ec0187ddb54a55eabe3e2396f5
8523262a411e4d8db2079ddac8424a98
8dcbed733f5abf9bc5a574de71a3ad53
95d3e26071506c6695a3760b97c91d75
984b336454282e7a0fb62d55edfb890a
a18a0457d0d4833add2dc6eac1b0b323
b4acfaeada60f41f6925628c824bb35e
cb302167c8458e395337771c81d5be62
da1108674eb3f77df2fee10d116cc685
e165cda25ef49c02ed94ab524fafa938
eb595fbcf24f94c329ac0e6ba63fe984
f0ae0c43aca3a474098bd5ca403c3fca

Domains and IPs
45.142.122[.]12
ricinus[.]ru
ricinus-ca[.]ru
ricinus-cb[.]ru
ricinus-cc[.]ru
ricinus[.]su
toxicodendron[.]ru

When spear phishing met mass phishing

Kaspersky Securelist - 11 Červenec, 2024 - 11:00

Introduction

Bulk phishing email campaigns tend to target large audiences. They use catch-all wordings and simplistic formatting, and typos are not uncommon. Targeted attacks take greater effort, with attackers sending personalized messages that include personal details and might look more like something you’d get from your employer or a customer. Adopting that approach on a larger scale is a pricey endeavor. Yet, certain elements of spear phishing recently started to be used in regular mass phishing campaigns. This story looks at some real-life examples that illustrate the trend.

Spear phishing vs. mass phishing

Spear phishing is a type of attack that targets a specific individual or small group. Phishing emails like that feature information about the victim, and they tend to copy, both textually and visually, the style used by the company that they pretend to be from. They’re not easy to see for what they are: the attackers avoid errors in technical headers and don’t use email tools that could get them blocked, such as open email relays or bulletproof hosting services included in blocklists, such as DNS-based blocklist (DNSBL).

By contrast, mass phishing campaigns are designed for a large number of recipients: the messages are generalized in nature, they are not addressed to a specific user and do not feature the name of the addressee’s company or any other personalized details. Typos, mistakes and poor design are all common. Today’s AI-powered editing tools help attackers write better, but the text and formatting found in bulk email is still occasionally substandard. There is no structure to who gets targeted: attackers run their campaigns across entire databases of email addresses available to them. It’s a one-size-fits-all message inside: corporate discounts, security alerts from popular services, issues with signing in and the like.

Attacks evolving: real-life examples

Unlike other types of email phishing, spear phishing was never a tool for mass attacks. However, as we researched user requests in late 2023, we spotted an anomaly in how detections were distributed statistically. A lot of the emails that we found were impossible to pigeonhole as either targeted or mass-oriented. They boasted a quality design, personalized details of the targeted company and styling that imitated HR notifications. Still the campaigns were too aggressive and sent on too mass a scale to qualify as spear phishing.

An HR phishing email message: the body references the company, the recipient is addressed by their name, and the content is specialized enough so as to feel normal to a vigilant user

Besides, the message linked to a typical fake Outlook sign-in form. The form was not customized to reflect the target company’s style – a sure sign of bulk phishing.

The phishing sign-in form that opened when the user clicked the link in the email

Another similar campaign uses so-called ghost spoofing, a type of spoofing that adds a real corporate email address to the sender’s name, but does not hide or modify the actual domain. The technique sees increasing use in targeted attacks, but it’s overkill for mass phishing.

An HR phishing email message that uses ghost spoofing: the sender’s name contains the HR team’s email address, lending an air of authenticity to the email

As in the previous example, the phishing link in the email doesn’t have any unique features that a spear phishing link would. The sign-in form that opens contains no personalized details, while the design looks exactly like many other forms of this kind. It is hosted on an IPFS service like those often used in mass attacks.

The IPFS phishing sign-in form

Statistics

The number of mixed phishing emails, March-May, 2024 (download)

We detected a substantial increase in the number of those mixed attacks in March through May 2024. First and foremost, this is a sign that tools used by attackers are growing in complexity and sophistication. Today’s technology lowers the cost of launching personalized attacks at scale. AI-powered tools can style the email body as an official HR request, fix typos and create a clean design. We have also observed a proliferation of third-party spear phishing services. This calls for increased vigilance on the part of users and more robust corporate security infrastructure.

Takeaways

Attackers are increasingly adopting spear phishing methods and technology in their bulk phishing campaigns: emails they send are growing more personalized, and the range of their spoofing technologies and tactics is expanding. These are still mass email campaigns and as such present a potential threat. This calls for safeguards that keep up with the pace of advances in technology while combining sets of methods and services to combat each type of phishing.

To fend off email attacks that combine spear and mass phishing elements:

  • Pay attention to the sender’s address and the actual email domain: in an official corporate email, these must match.
  • If something smells phishy, ask the sender to clarify, but don’t just reply to the email: use a different communication channel.
  • Hold regular awareness sessions for your team to educate them about email phishing.
  • Use advanced security solutions that incorporate anti-spam filtering and protection.
Syndikovat obsah