
Microsoft warns of malspam campaigns that target organizations with malware-laced ISO and IMG files designed to deploy remote access Trojans.

Microsoft's threat detection models have detected multiple spam campaigns that spread malware inside ISO attachments.

Last week, Microsoft experts discovered a COVID-19-themed spam campaign whose messages entice users into downloading and opening ISO or IMG attachments. The lure inside the ISO or IMG files is laced with a strain of the Remcos Remote Access Trojan (RAT).

The campaigns were sector-specific and used COVID-19-themed lures; the Remcos campaigns appear to be kept small and short-lived in order to stay undetected.

For example, we found a Remcos campaign targeting small businesses looking to get a disaster recovery loan. An e-mail posing as a message from the U.S. Small Business Administration contains a malicious IMG (disk image) attachment that leads to the infamous Remcos RAT. pic.twitter.com/EbI8kxICQG

– Microsoft Security Intelligence (@MsftSecIntel), May 2020

We also saw a campaign aimed at manufacturing companies in South Korea. The attackers sent the target organization an e-mail posing as the CDC's Health Alert Network (HAN) that carried malicious ISO file attachments. The ISO file contains a malicious SCR file – Remcos.

A recent Remcos campaign targeted accountants in the United States with e-mails claiming to contain COVID-19 updates for members of the American Institute of Accountants. The attachment is a ZIP archive containing an ISO file, which in turn contains a malicious SCR file with a deceptive icon. pic.twitter.com/o1FbMUbTBs

– Microsoft Security Intelligence (@MsftSecIntel), May 2020

Among the larger spam campaigns monitored by Microsoft are attacks on small businesses in the United States, manufacturing companies in South Korea and accountants in the United States.

In the campaign against small businesses in the US, messages carrying a malicious IMG (disk image) attachment purported to come from the US Small Business Administration (SBA). The IMG file contained an executable with a misleading PDF icon that leads to a Remcos RAT infection.

In the campaign aimed at South Korean manufacturing companies, the threat actors impersonate the Health Alert Network (HAN) run by the CDC. The attacks used ISO attachments containing a malicious SCR file that installs Remcos RAT.

The third campaign observed by Microsoft targeted accountants in the United States, again using COVID-19 as bait. The messages claim to provide updated COVID-19 information to members of the US CPA Institute. In this case the attackers used a ZIP archive holding an ISO file, which contains a malicious SCR file with a misleading icon.
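A detection-side illustration of the delivery chains described above (IMG with a disguised executable, ISO with an SCR, ZIP wrapping an ISO), added here as an example; it is not Microsoft's or Security Affairs' code. It walks a mail attachment, recursing into ZIP archives, and flags disk images (by extension or by the ISO 9660 "CD001" signature at offset 0x8001), executables (by extension or by the PE "MZ" header, including executables whose name claims to be a document), and, as a heuristic, a PE DOS stub string inside an image. The extension lists are the analyst's choice, and every attachment, including the fake ISO image, is constructed inside the block; walking a real ISO 9660 directory tree would need a third-party library.

```python
import io
import posixpath
import zipfile

# Container and executable types seen in the campaigns above (assumption:
# this list is the analyst's choice, not a Microsoft-published one).
DISK_IMAGE_EXTS = {".iso", ".img"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}

ISO9660_MAGIC_OFFSET = 0x8001      # "CD001" sits at sector 16, byte 1
ISO9660_MAGIC = b"CD001"
PE_MAGIC = b"MZ"                   # DOS header of every Windows PE file
DOS_STUB = b"This program cannot be run in DOS mode"
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate huge archive members


def _ext(name):
    return posixpath.splitext(name.lower())[1]


def _is_iso9660(data):
    end = ISO9660_MAGIC_OFFSET + len(ISO9660_MAGIC)
    return len(data) >= end and data[ISO9660_MAGIC_OFFSET:end] == ISO9660_MAGIC


def inspect_attachment(name, data, path=(), depth=0, max_depth=3):
    """Return [(path_tuple, reason), ...] for one attachment, recursing into ZIPs."""
    here = path + (name,)
    ext = _ext(name)
    findings = []

    if data[:2] == PE_MAGIC or ext in EXECUTABLE_EXTS:
        findings.append((here, "executable"))
        if data[:2] == PE_MAGIC and ext not in EXECUTABLE_EXTS:
            # The "misleading icon" trick: a PE file posing as a document.
            findings.append((here, "executable with non-executable name"))

    if _is_iso9660(data) or ext in DISK_IMAGE_EXTS:
        findings.append((here, "disk image"))
        # The standard library cannot walk ISO 9660; a DOS stub string inside
        # the image is a cheap heuristic for an embedded PE file.
        if DOS_STUB in data:
            findings.append((here, "disk image embeds a PE executable (heuristic)"))

    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((here + (info.filename,), "oversized member, not expanded"))
                    continue
                findings.extend(inspect_attachment(
                    info.filename, zf.read(info), here, depth + 1, max_depth))
    return findings


def triage(attachments):
    """attachments: iterable of (filename, bytes). Returns {filename: [finding, ...]}."""
    report = {}
    for name, data in attachments:
        hits = inspect_attachment(name, data)
        if hits:
            report[name] = ["/".join(p) + ": " + why for p, why in hits]
    return report


# --- constructed samples (not real malware) ----------------------------------
def _fake_iso(inner_name, inner_bytes):
    """Stand-in for an ISO 9660 image: correct signature, member bytes appended raw."""
    img = bytearray(ISO9660_MAGIC_OFFSET) + ISO9660_MAGIC + b"\x00" * 64
    img += inner_name.encode() + b"\x00" + inner_bytes
    return bytes(img)


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, member_bytes in members:
            zf.writestr(member_name, member_bytes)
    return buf.getvalue()


FAKE_PE = PE_MAGIC + b"\x90\x00" + b"\x00" * 60 + DOS_STUB + b"\x00" * 16

SAMPLE_ATTACHMENTS = [
    ("Q1_notes.txt", b"plain text, nothing to see here"),
    ("SBA_loan_form.img", _fake_iso("SBA_loan_form.exe", FAKE_PE)),
    ("AICPA_COVID19_update.zip",
     _zip_bytes([("AICPA_COVID19_update.iso", _fake_iso("update.scr", FAKE_PE))])),
    ("invoice.pdf", FAKE_PE),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS).items():
        print(name, "->", reasons)
```

The path tuple in each finding survives nesting, so a ZIP-inside-ZIP-inside-ISO chain still tells the analyst exactly where the image sat. The member size guard is there because an attachment scanner that inflates every archive member is itself a decompression-bomb target.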

COVID-19 malspam

At the time, the ultimate goal of the malspam campaigns was not clear beyond what was observed: a specific type of payload combined with the use of COVID-19 as malspam bait.


Pierluigi Paganini

(SecurityAffairs – COVID-19, malspam)

It was a great week for the victims of Shade Ransomware, also known as Troldesh, as the ransomware's operators released more than 750,000 decryption keys for their victims.

The Shade operators said they had stopped their operation at the end of 2019 and decided to release all master keys and individual decryption keys so that victims could recover their files for free.

Kaspersky used these keys to update its ShadeDecryptor, which can now decrypt the files of any user encrypted by Shade ransomware in the past.

Also in this week's news is the pharmaceutical company ExecuPharm, which filed a data breach notification after the operators of Clop Ransomware leaked stolen data.

Otherwise, there were only new variants of existing ransomware.

Contributors and those who provided new ransomware information and stories this week include Daniel Gallagher, @demonslay335, @malwrhunterteam, @struppigel, @FourOctets, @fwosar, @BleepinComputer, @serghei, @jorntvdw, @Ionut_Ilascu, @VK_Intel, @Seifreed, @LawrenceAbrams, @malwareforme, @PolarToffee, @emsoft, @ValthekOn, @John_Fokker, @fbgwls245, @Lawveware, @James_inthe_box and @Amigo_A_.

April 25, 2020

New COVID-19 themed Android ransomware

MalwareHunterTeam discovered a COVID-19 themed Android ransomware that appends the .encrypted extension to encrypted files.

April 26, 2020

New Qewe STOP ransomware variant

dnwls0719 found a new STOP ransomware variant that appends the .qewe extension to encrypted files.

April 27, 2020

Shade Ransomware shuts down, releases 750K decryption keys

The operators behind Shade Ransomware (Troldesh) have shut down, released more than 750,000 decryption keys and apologized for the harm they caused their victims.

April 29, 2020

Coveware Q1 Ransomware Report

Coveware's quarterly ransomware report gives an overview of trends in corporate ransomware incidents in the first quarter of 2020. In Q1 2020, ransomware threat actors took advantage of the economic and production disruption caused by the emergence of COVID-19. The frequency of outbreak-related spam attacks increased, and rarely used network configurations led to an increase in ransomware attacks on networks. Some threat actor groups continued to attack healthcare organisations, while others refused to. The report presents victim demographics and resolution rates based on actual ransomware cases handled by Coveware's incident response team.

April 30, 2020

Clop ransomware leaks ExecuPharm files after failed negotiations

Clop ransomware leaked files stolen from the U.S. pharmaceutical company ExecuPharm after ransom negotiations allegedly failed.

Shade Ransomware decryptor can now decrypt the files of more than 750K victims

Kaspersky has released an update to its decryptor for Shade Ransomware (Troldesh), allowing all victims with encrypted files to recover them for free.

Tales from the Trenches: a LockBit ransomware story

We believe there is a real opportunity to learn from examples of past incident responses and attacks, hence the name of this blog, Tales from the Trenches. In collaboration with Northwave, this article describes a real case of a targeted ransomware attack. In a recent incident, Northwave came across a relatively new ransomware family called LockBit, carrying out a targeted attack.

May 1, 2020

New phishing campaign packs an info-stealer and ransomware punch

The new phishing campaign delivers a double dose of malware: the LokiBot information stealer and a second payload known as Jigsaw Ransomware.

Jigsaw

Emsisoft releases an update to the Jigsaw Ransomware decryptor

Emsisoft has released an update to its decryptor that supports the .zemblax extension described in the previous article.

New Mpal STOP ransomware variant

Michael Gillespie has found a new variant of the STOP ransomware that appends the .mpal extension to encrypted files.

That's it for this week! I hope everyone has a great weekend!

On July 11th, 2019 I found myself in New York City with about 10,000 other cloud enthusiasts. This was my first big cloud conference with Linux Academy and it was overwhelming, to say the least. As a newcomer, I was armed with the knowledge of my company and our awesome platform, but I didn’t know much about the other vendors throughout the venue—except one. A Cloud Guru was our fiercest competitor and if there was anything I was well aware of, it was their team and offerings. We even shared the same level of sponsorship for the event and so our booths were the exact same size, with similar locations. In every industry, it’s important to understand your rivals. Just as my team knew ACG’s strengths and weaknesses, I’m sure they knew ours.

Mutual Love & Mutual Goals

Linux Academy always approached the differentiation among platforms with respect, and I’m sure ACG did as well. Because when the customer that we love, mentions using multiple tools to reach success, it doesn’t diminish the success itself. Learners would sheepishly approach our booth with ACG swag and say “I love you guys! But I also like ACG.” Our response was always “That’s okay!” Or if a learner mentioned certification we always emphasized the achievement over the method. “That’s awesome! We’re so proud of you!” Of course, we wanted our learners to love our content. But we also recognized that learning is agile and our learners don’t operate in a land of absolutes.

Our learners benefitted from multiple methods, and who were we to discourage them? This entire industry was built on finding unique solutions to complex problems, after all. Changing requirements and changing learner demographics demanded that technology training evolve. We could support changing needs, but did we really need to own the entire effort? After all, “the cloud is big enough for everyone.” I know, because the ACG instructor I ate lunch with during the AWS Summit said so.

That’s right. Before the acquisition was even a whisper in the mind of either company’s founders, I was seated at a lunch table with an ACG instructor. The worst part about that lunch? He was a great guy. He was smart and friendly and held no animosity for me or my teammate sitting beside him. But to understand why this moment was so unique, you have to understand how we got here. So let’s look back at the events that led to this very moment, as well as the greatest cloud duo of all time.

November 2012: Linux Academy is Founded by Anthony James

What began as a humble blog in 2011, quickly transformed into a community of learners sharing resources. The company scaled quickly and evolved into the full course platform you see today.

August 2013: Live! Labs

The precursor to the Hands-On Labs our learners have come to know and love so deeply. Live! Labs were the infancy release of this innovative tool.

Aug 11, 2014: First AWS Live!Lab

The first AWS labs went live and became a staple for preparing for exams, but more importantly, preparing for real-world scenarios.

January 2015: A Cloud Guru Launches

In January of 2015, Sam and Ryan Kroonenburg, brothers from the countryside of Australia, launched the very first version of A Cloud Guru, and it went crazy.

February 2016: LA for Mobile

The introduction of mobile app training allowed learners to take their courses on the go, and make the most of their free time.

November 2017: ACG Launches Memberships & Original Series

Mere weeks before re:Invent 2017, ACG released a subscription option for members, as well as its popular YouTube series.

November 2018: ACG for Business Officially Released

Another surprise, ready just in time for re:Invent, was the business platform rollout. Now, organizations had their own unique dashboard for becoming cloud gurus.

February 2019: LA launches instant Hands-On Labs

In a continuation of the innovative Hands-On Labs technology, LA introduced instant, fully loaded resources for scenario-based training.

July 2019: ACG Instructor Shares His Brownie at AWS Summit

While this might seem unimportant to some, it set the stage for what would happen only five months later. This act of kindness, followed by the sentiment that the cloud is “big enough for everyone” sets the stage for a beautiful relationship to come.

October 2019: ACG Announces 1 Million Learner Mark

This epic accomplishment made even the team at LA tip their hats. It also made all of us say “Wait, what number are we at?”

December 2019: AWS re:Invent

On Sunday, December 1st, 2019 ACG and LA simultaneously prepared for AWS re:Invent in Las Vegas, Nevada. Two sets of teams were carefully packing up audio and recording equipment. Event managers from each organization carefully reviewed their assets and schedules for the event. Both teams took flights to hotels that were within a mile of one another. And while sharing the same air at conferences is common for ACG and LA (usually operating booths within a few strides of one another), this year was different. While both teams were on the same side of the conference itself, the actual booths weren’t even within eyesight of one another. This is also why the LA team had no idea that as they were interviewing learners, so was ACG.

December 16, 2019: The Acquisition Announcement

A Cloud Guru and Linux Academy announced their alliance; signaling an end to years of competing as cloud training titans. Learners of both platforms rejoiced, cried, danced, tweeted, and picked their jaws up off the floor as the day went on. No, this was not a dream, although some have referred to this epic pairing as such. In the words of Anthony James:

“I’m thrilled for our students. They are the true winners in this combination of two best-in-class cloud training providers. Our student-first missions are completely aligned, and we truly are better together.”

Finding Common Ground

Whether you’re here as an original Linux Academy learner, or you started your coursework with A Cloud Guru, we’re just glad you’re here. When we put our two journeys side-by-side, it’s easy to see that the end goal was always the same. Both organizations wanted, and still want, to promote learning through updated content, awesome instructors, and innovative tools. While both teams were working tirelessly to improve their product, they were actually working toward something much bigger. While Linux Academy focused on optimizing our Hands-On Labs and Cloud Playground, ACG was perfecting eloquent, cutting-edge video content with instructors as witty as they are intelligent. Many learners often compared our offerings, and we understood why. But just because LA is older, doesn’t make it better. And just because ACG is known for its fun, light-hearted, engaging content doesn’t make it better. Apart, neither platform was truly “better”. We were merely chasing one another’s shadows in an infinite game of tag.

It’s reminiscent of the moment when Batman realized he was wrong about Superman in “Batman v Superman: Dawn of Justice”.

Batman V Superman

And much like the ACG-LA acquisition, many die-hard fans were left in a state of shock after this moment. When Batman finds out that Superman’s mother shares the same name as his own mother, he realizes they aren’t as different as he once thought. In fact, they have experienced a lot of the same triumphs and discouragement in their lives. And when we look back at where we were separately, and where we want to go together, it’s clear.

We are simply, better together.

The first of many shared innovations is now LIVE on ACG’s business platform. LA technology has been embedded into ACG with the launch of Cloud Playground. We can’t wait to see what we’ll accomplish in the future, bringing together the very strengths that used to separate us.

Streamlink VLC

Streamlink 1.4.0 has been released with support for low latency streaming on Twitch, fixed YouTube plugin, and more.

Streamlink is a free and open source command line utility which pipes live video streams to players like VLC, mpv, MPlayer, OMXPlayer or MPC-HC, with the purpose of avoiding resource-heavy websites (and on Linux, to use hardware-accelerated video playback). It was forked over 3 years ago from Livestreamer, which is no longer maintained, and runs on Windows, macOS, and Linux.

The tool uses a plugin system which allows easy addition of new streaming services, and it supports more than 300 streaming websites, including Twitch, YouTube, Livestream, DLive, Mixer, Dailymotion, BBC iPlayer, ITV Player, NBC, Periscope, Vimeo, VK.com, and many more.

The new Streamlink 1.4.0 adds low latency streaming on Twitch.tv. To use this, add the --twitch-low-latency command line option when piping the livestream to a video player. There’s also a new --hls-segment-stream-data option, which makes Streamlink write the HLS segments to the output buffer while they are being downloaded (this is used implicitly when using the low latency option).

With this, the pull request message notes that Streamlink with mpv (without additional player cache) is able to “beat Twitch’s web player by 0-2 seconds”.

This Streamlink release also fixes the YouTube plugin, which stopped working due to YouTube VOD API changes.

There’s also a new option to always show a download progress, by using --force-progress. By default, Streamlink only shows a download progress when running in a terminal, and this new option enables showing the progress if it runs in e.g. a subprocess.

It’s also worth noting that with Streamlink 1.4.0, logging in to Twitch has been disabled, since it was no longer working anyway.

More changes:

  • Fix Twitch clips showing “410 Gone” error
  • Add support for Invintus Media live streams and VOD
  • Add support for radiko.jp
  • Add Kugou Fanxing live plugin
  • Add support for GALATASARAY SK TV
  • Add support for ATV and ATVMas
  • Add support for Clan RTVE, children’s channel of RTVE
  • New plugin for WASD.TV
  • New plugin for Niconico Live
  • New plugin for rotana.net
  • New plugin for Zeenews Live TV
  • Support for Abema overseas version
  • TF1 plugin: use new API to retrieve DASH streams
  • Fixes for the following plugins: Crunchyroll, Pixiv, TVplayer, Zattoo, Piczel
  • Use Firefox as default User-Agent instead of python-requests

This is the last Streamlink release to support Python 2, which has reached end of life at the beginning of 2020.

Related: Video Livestream Wallpaper For Your GNOME, Xfce Or bspwm Desktop

Download Streamlink

Streamlink is available for Windows, macOS and Linux.

On Linux it’s available in the repositories for most Linux distributions, as shown on its installation page, although it may not be up to date.

The easiest way to install the latest version is to install Streamlink using its PyPI package. In case you go with the PyPI package, remove the version installed from the repositories, and make sure you have FFmpeg installed on your system.

Also note here that the Streamlink PyPI installation instructions mention using “pip”, which is for Python 2 on Ubuntu and Linux Mint, so in case you use an Ubuntu-based Linux distribution, use pip3 to install the Python 3 version instead (and don’t run pip with sudo, it’s not only bad for security but it can also mess up your system Python).

New to Streamlink? This is how to use it

Play a Twitch stream using the “best” quality (I picked a random Twitch streamer for these examples):

streamlink twitch.tv/anomaly best

If VLC is installed on your system, it will be used by default to play the stream.

You may also specify the VLC path, or use a different video player. For example, to use Streamlink to stream the same Twitch link in the “best” quality using mpv:

streamlink -p mpv twitch.tv/anomaly best

For best results, the Streamlink documentation recommends using VLC or mpv.

To show all available stream qualities, run Streamlink followed by the URL, without specifying any quality, e.g.:

streamlink twitch.tv/anomaly

Which should output something like this:

[cli][info] Found matching plugin twitch for URL https://www.twitch.tv/anomaly
Available streams: audio_only, 160p (worst), 360p, 480p, 720p, 720p60, 1080p60 (best)

For more Streamlink options, check out its help (streamlink --help) and documentation.

Simple Screen Recorder 0.4.1

SimpleScreenRecorder is a Qt application for Linux that can record the desktop (Xorg only) and OpenGL applications directly. It had a major new release (0.4.0) about 3 weeks ago, but because I was waiting for its changelog to be updated (which didn’t happen until today), I forgot about it until the bug-fix 0.4.1 version was released today.

The latest SimpleScreenRecorder 0.4.0 / 0.4.1 brings high-DPI monitor support, a recording schedule, command-line control over stdin, and other improvements.

But first let me tell you a bit about SimpleScreenRecorder. The application uses libav/ffmpeg for encoding and it can record (with optional sound) OpenGL applications directly, the entire screen, a rectangle you draw on the screen or a window, with properly synchronized audio and video, which is a common issue for other such tools. The recording can be paused and resumed at any time, either with a click or with a keyboard shortcut. It also supports live streaming, though this feature is experimental.

Other SSR features:

  • good defaults
  • fully multithreaded, so its various components don’t block the others, resulting in a smooth video recording
  • shows a preview during recording
  • reduces the video frame rate if your computer is too slow
  • shows statistics during recording, like the file size, bit rate, recording time, etc.
  • tooltips for everything so you can fully understand what everything does

The new SimpleScreenRecorder 0.4.0 / 0.4.1 brings high-DPI monitor support. I don’t own such a monitor, so I can’t tell you how well it behaves with high-DPI monitors though. You’ll have to give it a try and see for yourself.

The latest SimpleScreenRecorder also includes an important new feature: recording schedule. Using this recording schedule, you can set the application to start and pause the recording at a given date and time, so it can capture the screen without any later input from the user. This is great to record some TV show (in conjunction with a TV tuner) for example.

SimpleScreenRecorder recording schedule

The Recording schedule can be found on the last screen (from where you can start the recording). To use it click Edit schedule, then Add to add some date/times to start or pause recordings. Choose the Start or Pause action for each date/time, and you’re set. Now all you need to do is click on Activate schedule.

Yet another change is the addition of command-line control over stdin, with the following possible commands: record-start, record-pause, record-cancel, record-save, schedule-activate, schedule-deactivate, window-show, window-hide and quit. This is useful for usage in scripts. See this for details and how to use this with an already running instance.

More changes in SimpleScreenRecorder 0.4.0 / 0.4.1:

  • Increased maximum video size to 20000×20000
  • Add option to skip the welcome screen
  • Add more command-line options (it already supported options to not show the system tray and to start hidden, among others):
    • --settingsfile=FILE: Load and save program settings to FILE. If omitted, ~/.ssr/settings.conf is used
    • --start-recording: Start recording immediately
    • --activate-schedule: Activate the recording schedule immediately
    • --syncdiagram: Show synchronization diagram (for debugging)
    • --benchmark: Run the internal benchmark
  • Add warning for Wayland users – SimpleScreenRecorder still does not support Wayland screen recording
  • Many bug fixes

Related: 4 Tools To Record Your Linux Desktop (Screencast) In 2020

Download SimpleScreenRecorder

On the SimpleScreenRecorder download section linked above, you’ll find installation instructions either from your Linux distribution’s repositories (it has been updated to 0.4.1 for Arch Linux for example, but some Linux distributions still have the old 0.3.11 version, like Debian and Ubuntu), or from a third-party source, like a PPA for Ubuntu / Linux Mint which was updated today with SimpleScreenRecorder 0.4.1 (previously it had 0.3.11).

It’s worth noting that you won’t be able to install the 32-bit simplescreenrecorder-lib on Ubuntu 20.04, because the PPA only builds 64-bit packages. This was useful for recording 32-bit OpenGL applications on 64-bit systems.

Gzip compression helps the server deliver websites faster.

It is therefore customary to enable gzip compression on web servers.

As a result, we regularly receive requests from our customers to enable gzip compression on the server as part of our server management services.

Today we will see how our support engineers help customers enable gzip compression on Plesk and fix typical errors.

Why do we need gzip compression?

First, let’s see why we need gzip compression.

Gzip (GNU zip) is free and open source file compression software. It is a method of compressing files for faster transmission over the network.

It is usually used to compress web pages on the server side, which gives the following advantages:

  • Reduces the data size.
  • Saves storage space.
  • Increases the speed of data transmission.
  • Compresses streaming media on the Internet (video and audio content).

That’s why our engineers always enable compression as part of website performance tuning.

How does gzip compression work?

Let’s see how compression works when you request a file. There are five important steps in this process.

1. When the server receives a request for a web page, it checks whether the browser supports gzip.

2. If it does, the server generates the page markup before applying gzip.

3. Gzip converts the markup into a compressed data stream, which is then delivered to the user.

4. When the user receives the compressed data, the browser decompresses it.

5. The user can now view the requested file without delay.

Now it’s time to discuss how we can make the gzip compression under Plesk possible.

Steps to enable gzip compression

Let’s start with how our support engineers enable gzip compression for a domain on the Plesk server.

1. In Plesk, go to Domains > Yourdomain.com > Apache & Nginx Settings.

2. In the Additional nginx directives field, add the gzip directives (the original post shows them in a screenshot).

3. Click OK.

We can now see the change on the domain’s phpinfo() page, where the gzip module section is also displayed.

What does not work with Plesk gzip compression

However, when dealing with Plesk servers, our technical team often comes across errors related to gzip.

Although gzip compression is enabled in Plesk, we sometimes still get a gzip error. Let’s see what steps we take to deal with this.

1. Configuration error

1. First, we make sure the Plesk server supports the gzip module. On web servers such as nginx, gzip compression is automatically enabled after installation with default settings.

2. Then we check the contents of the configuration file.

Here is the content of the /etc/nginx/conf.d/gzip.conf file on the server that was experiencing problems:

gzip off;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
gzip_proxied any;
gzip_types text/css text/plain application/x-javascript application/xml+rss application/javascript text/javascript image/x-icon image/bmp image/svg+xml application/x-httpd-php;
gzip_vary on;

2. From this we can see that gzip is turned off. So to fix it, we turned it on (gzip on;).

3. In addition, our engineers test the nginx syntax (nginx -t) before restarting the web server. If everything is fine, the output looks like this:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

After the restart, the compression of the site started to work normally.
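The five-step negotiation described earlier and the gzip off/on fix above, brought together in one added example written in Python; it is not Plesk's code nor the support team's. It parses the gzip directives from an nginx-style conf fragment, decides per request whether to compress (gzip on, the client's Accept-Encoding, the gzip_disable user-agent pattern, gzip_types, gzip_min_length with nginx's default of 20 bytes), emits the Content-Encoding and Vary headers, and lets the client side decompress. The conf text is a constructed, shortened copy of the gzip.conf above (the only difference between the broken and fixed copies is gzip off versus gzip on); the request headers and the CSS payload are constructed too.

```python
import gzip
import re
import shlex

# Constructed copies of the gzip.conf from the troubleshooting section:
# the broken one has gzip switched off, the fixed one turns it on.
BROKEN_CONF = r"""
gzip off;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
gzip_proxied any;
gzip_types text/css text/plain application/javascript image/svg+xml;
gzip_vary on;
"""
FIXED_CONF = BROKEN_CONF.replace("gzip off;", "gzip on;")


def parse_gzip_conf(text):
    """Map each `name arg ...;` line to {name: [args]}; '#' comments are dropped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        parts = shlex.split(line[:-1])    # keeps the quoted gzip_disable regex intact
        if parts:
            conf[parts[0]] = parts[1:]
    return conf


def _client_accepts_gzip(headers):
    # Step 1: the browser advertises support via Accept-Encoding.
    tokens = headers.get("Accept-Encoding", "").split(",")
    return "gzip" in {t.strip().split(";")[0] for t in tokens}


def _type_allowed(conf, content_type):
    # nginx always compresses text/html; gzip_types lists the rest.
    types = conf.get("gzip_types", [])
    return content_type == "text/html" or "*" in types or content_type in types


def build_response(conf, request_headers, body, content_type):
    """Steps 1-3 on the server: decide, compress, label the response."""
    headers = {"Content-Type": content_type}
    enabled = conf.get("gzip", ["off"]) == ["on"]
    if enabled and conf.get("gzip_vary") == ["on"]:
        # Caches must key on Accept-Encoding, or a compressed copy could be
        # served to a client that cannot decode it.
        headers["Vary"] = "Accept-Encoding"
    min_length = int(conf.get("gzip_min_length", ["20"])[0])   # nginx default
    user_agent = request_headers.get("User-Agent", "")
    blocked_ua = any(re.search(p, user_agent) for p in conf.get("gzip_disable", []))
    if (enabled and _client_accepts_gzip(request_headers) and not blocked_ua
            and _type_allowed(conf, content_type) and len(body) >= min_length):
        headers["Content-Encoding"] = "gzip"
        return headers, gzip.compress(body)
    return headers, body


def client_receive(headers, payload):
    """Steps 4-5: the browser transparently inflates a gzip-encoded body."""
    if headers.get("Content-Encoding") == "gzip":
        return gzip.decompress(payload)
    return payload


def demo(conf_text, user_agent="Mozilla/5.0", accept="gzip, deflate",
         content_type="text/css"):
    """Run one request through the pipeline and report what happened."""
    conf = parse_gzip_conf(conf_text)
    body = b"body { margin: 0; padding: 0 }\n" * 40     # constructed CSS payload
    request = {"Accept-Encoding": accept, "User-Agent": user_agent}
    headers, payload = build_response(conf, request, body, content_type)
    return {
        "headers": headers,
        "original_bytes": len(body),
        "wire_bytes": len(payload),
        "roundtrip_ok": client_receive(headers, payload) == body,
    }


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, demo(conf))
```

Running the broken conf through demo() shows the symptom from the case above: the response goes out uncompressed and without a Vary header, even though the client asked for gzip. With the fixed conf the same request comes back compressed, and a legacy MSIE 6 user agent without the SV1 token is still served uncompressed because the gzip_disable pattern matches it.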

2. Gzip settings for static files

1. The second problem reported by a client: gzip did not work for static files on Plesk Onyx versions.

2. To solve the problem on Plesk Onyx, we added further parameters to the Additional nginx directives for their domain (the original post shows them in a screenshot).

3. This solved the problem and the client’s gzip compression worked fine.

We can enable gzip compression to make websites faster.

Conclusion

In short, as the demand for information increases, methods of delivering large amounts of data quickly and efficiently become ever more relevant. Gzip compression can give any web service a cost-effective speed boost. Today we saw how our support engineers enable gzip compression on Plesk and fix some common errors.

Figures for the year

  • The share of spam in mail traffic was 56.51%, which is 4.03 p.p. more than in 2018.
  • The largest source of spam this year was China (21.26%).
  • 44% of spam e-mails were less than 2 KB.
  • Malicious spam was most commonly detected with the Exploit.MSOffice.CVE-2017-11882 verdict.
  • The Anti-Phishing system was activated 467,188,119 times.
  • 17% of unique users encountered phishing.

Trends of the year

Beware of novelties

In 2019, attackers were more active than usual in exploiting major sports and film events to gain access to users’ financial or personal data. Premieres of TV shows and movies, and sports broadcasts, were used as bait for those who wanted to save money by watching through unofficial means.

A search for “Watch latest X for free” (where X = Avengers movie, Game of Thrones season, Stanley Cup game, US Open, etc.) returned links to sites offering exactly that. Clicking through to these sources really did start the broadcast, only for it to stop after a few minutes. To continue watching, the user was asked to create a free account (only an e-mail address and password were required). However, when the Continue button was clicked, the site asked for additional confirmation.

And not just any information, but bank card details, including the three-digit security code (CVV) on the back. The site administrators assured that no money would be debited from the card and that this information was only needed to confirm the user’s location (and therefore the right to view the content). But instead of continuing the broadcast, the crooks simply pocketed the details.


New gadgets were also used as bait. Cybercriminals created fake pages that mimic Apple’s official services. The number of bogus sites increased sharply after the unveiling of the company’s new products. And while Apple was still preparing to release its next gadget, fraudsters were already offering to sell it to eager buyers. All the victim had to do was follow a link and enter their Apple ID credentials, which is what the attackers were after.

The price of fame: attackers exploit popular resources

In 2019, scammers found new ways to exploit popular resources and social networks to spread spam and sell non-existent goods and services. They actively used YouTube and Instagram comments to post ads and links to potentially harmful pages, and created numerous social media accounts which they promoted by commenting on popular bloggers’ posts.

For extra credibility, they left a lot of false comments on posts on topical subjects. As the account became more widely known, it started posting messages about promotions. For example, a sale of branded goods at knock-down prices. Victims got a cheap imitation or just lost their money.

A similar scheme was used to promote videos quickly, padded out with fake reviews from freshly created accounts.

Another scam involved fake Instagram accounts of celebrities. The "star" asked fans to fill out a survey in return for a cash payout or entry into a prize draw. For this not-to-be-missed opportunity, of course, a small fee was due in advance. Once the cybercriminals had received the money, the account simply disappeared.

In addition to distributing links via comments on social networks, scammers used Google services as another delivery channel: meeting invitations sent via Google Calendar, or Google Photos notifications that someone had just shared a photo, arrived with a comment from the attackers containing links to fake promotions, surveys and prize draws.

Other Google services were used too: fraudulent e-mails carried links to files in Google Drive and Google Cloud Storage, which spam filters cannot always recognise as malicious. Clicking such a link usually opened a file containing advertising spam (e.g. for fake pharmaceuticals) or a further link leading to a phishing site or a personal-data collection form.

Although Google and other providers are constantly working to protect users from scammers, the latter keep finding new loopholes. Invitations and sharing notifications of this kind are generated and sent by Google's own infrastructure, so they pass SPF, DKIM and DMARC checks; a filter has to judge the comment text and the embedded links, not the sender. The most important protection against such schemes is therefore to treat messages from unknown people with care, even when they arrive through a well-authenticated service.

Malicious transactions

In Q1, users of the Automated Clearing House (ACH), an electronic payment system that facilitates payments in the US, became victims of fraudsters: we recorded mailings of fake ACH notifications about the status of a payment or a debt. By clicking on the link or opening the attachment, the user risks infecting the computer with malware.

Anyone order bitcoin?

Cryptocurrency continues to interest crooks. In addition to the standard forgeries of well-known cryptocurrency exchanges, cybercriminals began creating sites of their own: these promise lucrative exchange rates but steal either personal data or money.

Cryptocurrency and blackmail

Whereas in 2018 cybercriminals blackmailed users by claiming to have infected their devices with malware, in 2019 e-mails arrived from a "CIA agent" (the name varies) who was allegedly handling an open case against the recipient concerning the storage and distribution of pornographic images of minors.

According to the e-mail, the case was part of an international operation to arrest more than 2,000 suspected paedophiles in 27 countries. The agent, however, could see that the recipient was a well-intentioned person with a reputation to protect, and for $10,000 in Bitcoin he would be willing to alter or destroy the file (any personal details used to make the e-mail credible had been collected in advance from social networks and forums). For someone genuinely afraid of the possible consequences, that would seem a small price to pay.

Companies faced a similar threat, although in their case it was not sextortion but spam blackmail. The blackmailers contacted the company through its public e-mail address or online feedback form with a demand for a ransom in Bitcoin. If the company refused, the attackers threatened to send millions of spam e-mails in its name; this, they assured, would lead the Spamhaus project to classify the company as a spammer and block it for good. The threat is weaker than it sounds: spam with a forged sender address originates from the attackers' infrastructure, not the company's mail servers, and a published DMARC policy lets receiving servers reject mail that merely claims to come from the company.

Business in focus

The growing trend of attacks on business is not reflected only in attempts to blackmail companies. The reputation of many companies was tarnished by spam sent through their own feedback forms. Having previously used such forms to attack the mailboxes of the company's employees, cybercriminals refined their methods in 2019.

For example, people who had never heard of a certain website received messages about their successful registration on it. Having found a weakness in the site's registration form, spammers used a script to bypass the CAPTCHA and register users en masse. In the Username field they inserted the message text or a link. As a result, the victim, whose e-mail address had been entered in the form, received a registration confirmation from a legitimate sender, with the scammers' message embedded in it. The company itself, moreover, had no idea what was going on.
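The abuse described above works because the form trusts two things it should not: that a CAPTCHA alone limits how often the form can be submitted, and that whatever is typed into the Username field can be echoed verbatim into an e-mail sent from the company's own domain. The following Python is an added example, not code from the report or from any affected site; it shows the two server-side checks that close the hole, a per-IP sliding-window limit on registration attempts and a validator that refuses names carrying links or message text, and it only echoes a name into the confirmation mail once the name has passed validation. The IP addresses, names and the example.test domain are constructed sample data.

```python
import re
import secrets
from collections import defaultdict, deque

MAX_NAME_LEN = 64
# A person's name has no business containing a URL, a bare domain or a "www." prefix.
LINK_RE = re.compile(
    r"(?i)(https?://|www\.|\b[a-z0-9-]+\.(?:com|net|org|ru|info|xyz|top|site|online)\b)"
)
# Newlines or other control characters would let the attacker break out of the greeting line.
CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")


def validate_display_name(name):
    """Return (ok, reason). Rejects anything that could smuggle spam into a confirmation mail."""
    if not name or len(name) > MAX_NAME_LEN:
        return False, "name empty or too long"
    if CTRL_RE.search(name):
        return False, "control characters in name"
    if LINK_RE.search(name):
        return False, "name contains a link or domain"
    if len(name.split()) > 4:
        return False, "too many words for a name"
    return True, ""


class RegistrationLimiter:
    """Sliding-window limit on registration attempts per source IP.

    A scripted CAPTCHA bypass still has to get past this; the window is kept
    in memory here, a real deployment would keep it in a shared store.
    """

    def __init__(self, limit=5, window_s=3600):
        self.limit = limit
        self.window = window_s
        self.hits = defaultdict(deque)

    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def render_confirmation(email_addr, name, token):
    """Build the double opt-in mail; the greeting is the only place user input appears."""
    ok, _ = validate_display_name(name)
    greeting = f"Hello {name}," if ok else "Hello,"
    return (
        f"To: {email_addr}\n"
        f"Subject: Confirm your registration\n\n"
        f"{greeting}\n"
        f"If you did not register on our site, ignore this message.\n"
        f"To confirm, open: https://example.test/confirm?token={token}\n"
    )


def handle_registration(limiter, ip, email_addr, name, now):
    """Return ('rejected', reason) or ('sent', mail_text). Every attempt counts against the limit."""
    if not limiter.allow(ip, now):
        return "rejected", "rate limit"
    ok, why = validate_display_name(name)
    if not ok:
        return "rejected", why
    token = secrets.token_urlsafe(24)
    return "sent", render_confirmation(email_addr, name, token)


if __name__ == "__main__":
    # Constructed sample: one spam bot and one ordinary user from the same source address.
    lim = RegistrationLimiter(limit=3, window_s=3600)
    print(handle_registration(lim, "203.0.113.7", "victim@example.test",
                              "Earn $5000/day at http://promo.example", now=0))
    print(handle_registration(lim, "203.0.113.7", "maria@example.test", "Maria Lopez", now=1)[0])
```

The order of the checks matters: the limiter runs first so that rejected spam submissions still consume the attacker's quota, and the validator is consulted again inside `render_confirmation` so that no other caller can put an unvalidated string into outgoing mail.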

A much more serious threat came from mailings disguised as automatic notifications from legitimate e-mail marketing services: the scammers' messages were carefully styled as alerts about new voicemail messages (some commercial products include a voicemail function) or about incoming e-mails stuck in the delivery queue. To "gain access", the employee had to go through a sign-in procedure, after which the company account credentials ended up in the attackers' hands.

The scammers also developed new methods of extracting confidential data from unsuspecting employees, for example e-mails requesting urgent confirmation of the company's account details or payment information via a conveniently provided link. If the user took the bait, the credentials for their account went straight to the cybercriminals.

Another attack on business used a more elaborate scheme: the attackers tried to convince recipients that the company's management was offering a pay rise in exchange for completing a performance appraisal.

The message purported to come from HR and contained detailed instructions and a link to a fake evaluation form. Before starting the procedure, however, the recipient had to enter some data (in most cases the form stated that the e-mail address had to be a company one). Once the "Sign in" or "Evaluate" button was clicked, the credentials were duly transmitted to the attackers, giving them access to business correspondence, personal data and probably confidential information, which could later be used for blackmail or sold to competitors. Two checks blunt this attack: comparing the domain of the link the browser actually opens against the company's own, and enforcing multi-factor authentication so that a harvested password alone does not open the mailbox.

A simpler scheme consisted of sending phishing e-mails that supposedly came from services used by the company. The most common were fake notifications from HR recruitment platforms.

Statistics: spam

Share of spam in mail traffic

The share of spam in mail traffic rose by 4.03 p.p. to 56.51% in 2019.

Share of spam in global mail traffic, 2019

The lowest figure was recorded in September (54.68%) and the highest in May (58.71%).

Spam sources by country

In 2019, as in the previous year, China retained its crown as the country emitting the most spam. Its share grew considerably compared to the previous year (+9.57 p.p.) to 21.26%. It remains ahead of the United States (14.39%), whose share increased by 5.35 p.p. Russia ranks third (5.21%).

Fourth place went to Brazil (5.02%), despite a loss of 1.07 p.p. Fifth place in 2019 was claimed by France (3.00%) and sixth by India (2.84%). Vietnam (2.62%), fourth in the previous period, dropped to seventh.

The TOP 10 is completed by Germany, which fell from third to eighth place (2.61%, down 4.56 p.p.), Turkey (2.15%) and Singapore (1.72%).

Spam sources by country, 2019

Size of spam mail

In 2019, the share of very small e-mails (up to 2 KB) continued to rise, but less dramatically than the year before: by 4.29 p.p. to 78.44%. At the same time, the share of e-mails between 2 and 5 KB fell by 4.22 p.p. compared to 2018, to 6.42%.

Spam e-mails by size, 2019

The share of larger e-mails (10-20 KB) changed little, down 0.84 p.p. There was more spam in the 20-50 KB range, however: these messages accounted for 4.50% (+1.68 p.p.). The share of e-mails between 50 and 100 KB also rose by almost 1 p.p., to 1.81%.

Malicious mail attachments

Malware families

TOP 10 malware families, 2019

In 2019, as in the previous year, Exploit.Win32.CVE-2017-11882 was the most common malware family (7.24%). It exploits a vulnerability in the Microsoft Office Equation Editor component that allows arbitrary code to be executed without the user's knowledge when a crafted document is opened.

In second place is the Trojan.MSOffice.SAgent family (3.59%), whose members also target Microsoft Office users. This type of malware is a document with an embedded VBA script that silently downloads other malware via PowerShell when the document is opened.

The Worm.Win32.WBVB family (3.11%), which covers executables written in Visual Basic 6 that KSN classifies as untrusted, moved up from fourth to third place.

Backdoor.Win32.Androm.gen (1.64%), second in the previous period, fell to fourth. This modular backdoor is most often used to download further malware onto the victim's computer.

Fifth place in 2019 went to the Trojan.Win32.Cryptic family (1.53%). This verdict covers Trojans that use anti-emulation, anti-debugging and code obfuscation to hinder analysis.

Trojan.MSIL.Crypt.gen (1.26%) came sixth, while Trojan.PDF.Badur (1.14%), a PDF that leads the user to a potentially dangerous site, climbed to seventh.

Eighth place went to another DOC/DOCX document with a malicious VBA script, Trojan-Downloader.MSOffice.SLoad.gen (1.14%), which once opened can download ransomware onto the victim's computer.

Ninth place went to Backdoor.Win32.Androm, and tenth to Trojan.Win32.Agent (0.92%).
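Four of the ten families above arrive as mail attachments with surface features a gateway can check before any document is opened: the Equation Editor exploit lives in a legacy OLE file that embeds an Equation.3 object, SAgent and SLoad are Office documents carrying a VBA project, and Badur is a PDF whose only job is to send the reader to a URL. The following Python is an added example and not Kaspersky's detection logic or the verdict criteria behind the ranking; it parses a constructed message with the standard library and applies those heuristics to each attachment. The extension list, the byte patterns and the sample attachments are the author's assumptions: the Equation Editor check looks for the class identifier {0002CE02-0000-0000-C000-000000000046} in its on-disk little-endian form, or the string "Equation.3", which a benign document with a genuine formula would also contain, so the output is a triage signal, not a verdict.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions that execute directly or, for ISO/IMG, mount as a volume on double-click.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
            "wsf", "hta", "jar", "lnk", "iso", "img"}
# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as written little-endian
# into OLE streams; an embedded Equation object is the carrier for CVE-2017-11882 exploits.
EQNEDT_CLSID = bytes.fromhex("02CE02000000000000C000000000000046")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_blob(name, data):
    """Return the reasons this attachment deserves a second look (empty list = nothing found)."""
    reasons = []
    ext = _ext(name)
    if ext in EXEC_EXT:
        reasons.append(f"executable or mountable extension .{ext}")
        if name.count(".") >= 2:
            reasons.append("double extension (document-looking name with executable suffix)")
    if data.startswith(b"PK\x03\x04"):  # OOXML documents and plain archives are both ZIP
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            names = []
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("Office document with VBA macro project")
        for inner in names:
            if _ext(inner) in EXEC_EXT:
                reasons.append(f"archive contains executable {inner}")
    if data.startswith(OLE_MAGIC):
        reasons.append("legacy OLE document")
        if EQNEDT_CLSID in data or b"Equation.3" in data:
            reasons.append("embedded Equation Editor object (CVE-2017-11882 indicator)")
    if data.startswith(b"%PDF"):
        for tag in (b"/JavaScript", b"/Launch", b"/URI"):
            if tag in data:
                reasons.append(f"PDF with {tag.decode()} action")
    return reasons


def triage_message(raw):
    """Map each attachment filename in an RFC 822 message to its list of reasons."""
    msg = message_from_bytes(raw)
    findings = {}
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue  # multipart containers and the text body carry no filename
        findings[fname] = inspect_blob(fname, part.get_payload(decode=True) or b"")
    return findings


def build_sample():
    """Constructed sample message (not a real campaign) with one attachment per heuristic."""
    macro_doc = io.BytesIO()
    with zipfile.ZipFile(macro_doc, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    ole_doc = OLE_MAGIC + b"\x00" * 24 + b"Equation.3" + EQNEDT_CLSID
    bad_pdf = b"%PDF-1.4\n1 0 obj << /S /URI /URI (http://phish.example/login) >> endobj\n%%EOF\n"
    zipped_scr = io.BytesIO()
    with zipfile.ZipFile(zipped_scr, "w") as z:
        z.writestr("COVID-19_update.pdf.scr", b"MZ" + b"\x00" * 8)

    msg = EmailMessage()
    msg["Subject"] = "Payment status"
    msg["From"] = "notify@example.test"
    msg["To"] = "user@example.test"
    msg.set_content("See attached.")
    msg.add_attachment(macro_doc.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="report.docm")
    msg.add_attachment(ole_doc, maintype="application", subtype="msword", filename="invoice.doc")
    msg.add_attachment(bad_pdf, maintype="application", subtype="pdf", filename="statement.pdf")
    msg.add_attachment(zipped_scr.getvalue(), maintype="application", subtype="zip",
                       filename="update.zip")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample()).items():
        print(f"{name}: {reasons or ['nothing found']}")
```

The checks are deliberately content-based rather than name-based where they can be: a renamed `.scr` inside a ZIP, or a `.doc` that is really an OOXML file with a VBA project, is still caught, while a `.txt` attachment passes untouched. In production the same function would run on the decoded payload of every part, with the ISO/IMG case handled by opening the image and applying `inspect_blob` to the files inside it.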

Countries targeted by malicious mailings

As in the previous year, Germany took first place in 2019. Its share remained virtually unchanged at 11.86% of all attacks (+0.35 p.p.). Second and third place were shared by Russia and Vietnam (5.77% each): Russia held second place in the previous reporting period, while Vietnam rose from sixth.

Countries targeted by malicious mailings, 2019

Italy (5.57%) is only 0.2 p.p. behind, followed by the United Arab Emirates in fifth (4.74%), Brazil sixth (3.88%) and Spain seventh (3.45%). The TOP 10 is completed by India (2.67%), Mexico (2.63%) and Malaysia (2.39%), which are practically neck and neck.

Statistics: Phishing

In 2019, the anti-phishing system was triggered 467,188,119 times on Kaspersky users' computers by attempts to redirect them to phishing pages (15,277,092 fewer than in 2018). In total, 15.17% of our users were attacked.

Organisations under fire

The ranking of organisations targeted by phishing attacks is based on triggers of the heuristic component of the anti-phishing system on users' computers. This component detects cases where the user attempts to follow a link, in an e-mail or on the Internet, to a phishing page that has not yet been added to the Kaspersky databases.

Categories of organisations attacked by phishers

Unlike in 2018, most heuristic-component triggers in this period fell into the banking category, whose share rose by 5.46 p.p. to 27.16%. Last year's leader, global Internet portals, dropped one place to second, its share falling by 3.60 p.p. to 21.12%. The payment systems category remained third, with a share of 16.67% (-2.65 p.p.) in 2019.

Breakdown of organisations subjected to phishing attacks by category, 2019

Geography of the attack

Countries by proportion of users attacked

The leader in this period by percentage of unique users attacked out of all users in the country was Venezuela (31.16%).

Percentage of users whose computers triggered the anti-phishing system, out of all Kaspersky users in the country, 2019

TOP 10 countries by share of attacked users

Country          %
Venezuela        31.16
Brazil           30.26
Greece           25.96
Portugal         25.63
Australia        25.24
Algeria          23.93
Chile            23.84
Réunion          23.82
Ecuador          23.53
French Guiana    22.94

Last year's leader, Brazil (30.26%), dropped to second with a loss of 1.98 p.p., while Venezuela (31.16%) climbed from ninth place to first, gaining 11.27 p.p. Third place went to a newcomer to the TOP 10, Greece (25.96%).

Summary

Television premieres, major sporting events and the release of new gadgets were all abused by crooks to steal users' personal information or money.

Looking for new ways to bypass spam filters, attackers kept developing new delivery methods for their messages. This year they made active use of various Google services, as well as popular social networks (Instagram) and video hosting sites (YouTube).

Cybercriminals continue to use cryptocurrency in schemes to obtain users' personal data, infect computers with malware or steal money from victims' accounts.

The main trend of 2019 is the increase in the number of attacks on businesses. Fraudulent schemes previously used to attack ordinary users have changed direction, adding new subtleties to cybercriminal tactics.