Man
Professional
This year, hackers have almost completely abandoned the use of links in phishing emails in favor of virus-infected attachments. According to F.A.C.C.T., the Formbook stealer has taken first place among the malicious payloads of phishing emails: its share in mailings has quadrupled. AgentTesla, which previously held the leading position, dropped straight to third place, and the little-known DarkGate malware took second place.
Cybercriminals have all but abandoned the use of links to deliver malicious software (malware): the share of phishing emails with attachments increased from 97.3% in the second quarter to 99.1% in the third quarter of this year. According to F.A.C.C.T. analysts, the trend is due to the fact that this delivery technique no longer justifies the cost of mass mailings. The attacker's main task is to motivate a potential victim to click on the link in the email, and this runs into problems because information security (IS) departments have been warning everyone about this method of cyberattack for several years. Attachments, as a familiar element of email communication, are less likely to arouse suspicion, which is what hackers are trying to take advantage of. A common quirk of human psychology works here: if an information security specialist or IT department employee said not to click on links, they said nothing about downloading a file or opening it, at least for a cursory look. Even if the IT department warned about files in .jpg format, it said nothing about the .xls format, or the potential victim happens to be expecting a file for a task at that very moment, and so on.
In 82% of malicious emails, recipients will find an archive in the attachment. In six out of ten cases this is .zip or .rar, with a number of other formats (.7z, .z, .gz) making up the rest. Office documents with .pdf and .docx extensions also continue to be used as a delivery vehicle for malware; their share in mailings increased slightly compared to the previous quarter, to 8.8% (+2.4%). F.A.C.C.T. researchers note that hackers are changing tactics and abandoning Excel spreadsheets (.xls) in favor of .pdf and .docx for packaging malware.
Cybercriminals continue to experiment not only with the delivery of phishing emails but also with their payload. Over the past few years, including the first half of this year, AgentTesla has been the leader among malware. This modular espionage software was found in at least every second malicious email. In the third quarter, AgentTesla's share among malware in phishing emails decreased fourfold, from 56.1% to 13.4%. Formbook, a formgrabber used to steal accounts and personal data, has taken the lead. The DarkGate loader is modular malware with a wide range of functionality: a stealer, a remote control tool and, depending on the appetite and impudence of the attackers, even a miner built into the software.
Formbook, which was previously among the top 3 threats, has almost quadrupled to 40%. The DarkGate loader was detected by F.A.C.C.T. cyber intelligence last year, and at the end of the third quarter of this year, its share was 15%.
Information security experts attribute the sharp drop in AgentTesla's share in mailings to the liquidation of information
The time-tested Formbook stealer was chosen by many as a replacement for AgentTesla, which is why this tool is growing in popularity.
Analyzing the functionality of the malware, F.A.C.C.T. experts note that the most popular type of software is currently spyware, whose families are distributed under the Malware-as-a-Service (MaaS) model. At the same time, there was a slight decrease in the share of malicious mailings carrying spyware and a twofold increase in the share of downloaders that can install any other malware on the user's device. Backdoors as a primary malicious payload have become less common, accounting for 8%.
Most often, mailings in the third quarter were carried out in the middle of the working week (Wednesday, 22%), whereas in the second quarter of this year Thursday led. A consistently large number of phishing emails, more than 20%, are sent on Mondays and Tuesdays; the fewest, only 1%, on Sunday.
F.A.C.C.T. information security experts note a decrease in the share of mailings sent from free email services, a trend that has continued since the beginning of this year. More than 97% of emails carrying malware are sent from dedicated domains. For these cyber operations, hackers use both custom-registered domains and compromised mailboxes and domains. The most common domain names in this context are in the .com zone (64%), .ru (5.4%), .net (3%), as well as .jp and .org. Hackers often use spoofing, in which an attacker impersonates another person, company or entity in order to gain the user's trust. As a rule, the main goal is to gain access to IT systems, steal data or money, or distribute malware.
IT attack with fake invoices
Hackers have begun to use APIs to send fake invoices that look like real ones. DocuSign, a large American company, has already found itself at the center of a new type of cyberattack.
DocuSign provides a service that allows you to upload, send for signing, view, sign, and track the status of various electronic documents.
Criminals create paid accounts on DocuSign, where they set up templates with simulated invoices from well-known brands such as Norton Antivirus. The invoices include realistic details and often contain additional fees, such as a $50 "activation fee," which makes the fakes even more believable. By signing such an invoice, the user is actually authorizing a payment, which the attackers can use to transfer money to their accounts. Such invoices are difficult to trace: they come directly through the DocuSign platform, without malicious links or attachments, so email filters let them through.
The scheme is now skyrocketing in popularity in cybercrime overseas, with attackers successfully embedding their operations into trusted IT platforms, making them harder to detect.
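An added example, not taken from the post or from F.A.C.C.T., showing the defender-side checks the attachment and spoofing figures above suggest: it parses a constructed sample message with the Python standard library, lists every attachment, flags the archive and office-document families named in the report, checks whether each file's leading bytes match its declared extension, and reads the Authentication-Results header to spot a From: domain that no passing SPF or DKIM result covers. The extension lists, magic-byte table and sample message are assumptions constructed for this example.

```python
"""Triage an inbound e-mail for risky attachments and an unaligned sender (example code)."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment families from the report. The magic-byte table is a constructed
# subset; OOXML (.docx/.xlsx) is a ZIP container, .xls/.doc are OLE files.
ARCHIVE_EXT = {"zip", "rar", "7z", "z", "gz"}
OFFICE_EXT = {"pdf", "docx", "xls", "xlsx", "doc"}
MAGIC = {
    "zip": b"PK\x03\x04", "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04",
    "rar": b"Rar!\x1a\x07", "7z": b"7z\xbc\xaf\x27\x1c", "gz": b"\x1f\x8b",
    "pdf": b"%PDF", "xls": b"\xd0\xcf\x11\xe0", "doc": b"\xd0\xcf\x11\xe0",
}


def extension_of(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def triage_attachment(filename, data):
    """Return a list of findings for one attachment (empty list = nothing notable)."""
    ext = extension_of(filename)
    findings = []
    if ext in ARCHIVE_EXT:
        findings.append("archive")
    elif ext in OFFICE_EXT:
        findings.append("office-document")
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        findings.append("magic-mismatch")       # content does not match the claimed type
    if len(filename.split(".")) > 2:            # e.g. invoice.pdf.exe
        findings.append("double-extension")
    return findings


def check_sender_alignment(msg):
    """True when the From: domain matches a passing SPF (mailfrom) or DKIM (header.d) result."""
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=pass[^;]*smtp\.mailfrom=(?:[^@;\s]+@)?([\w.-]+)", auth)
    dkim = re.search(r"dkim=pass[^;]*header\.d=([\w.-]+)", auth)
    return any(m and m.group(1).lower() == from_domain for m in (spf, dkim))


def triage_message(raw):
    """Parse raw RFC 5322 bytes and return a dict of findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"spoof_suspect": not check_sender_alignment(msg), "attachments": {}}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        report["attachments"][name] = triage_attachment(name, part.get_payload(decode=True))
    return report


def build_sample():
    """Constructed sample: a 'zip' that is really a PE file, a genuine-looking PDF,
    and a From: domain that the SPF pass does not cover."""
    msg = EmailMessage()
    msg["From"] = "Accounts <billing@example-vendor.com>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Invoice"
    msg["Authentication-Results"] = (
        "mx.example.org; spf=pass smtp.mailfrom=bulk-sender.example.net; dkim=none")
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.7\n%constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample()))
```

For the sample message the report marks the sender as a spoof suspect and the "invoice.zip" as both an archive and a magic-byte mismatch, while the PDF is only noted as an office document. In a real pipeline the same function would run over messages pulled from a mailbox or gateway quarantine, and "magic-mismatch" or "double-extension" is the finding worth alerting on first.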