Bait Boost: Phishers Delivering Increasingly Convincing Lures

An intense hunt for corporate account credentials will continue into next quarter, researchers predict.

Innovative twists on banking scams and corporate-account hunters wielding increasingly clever lures, including those with COVID-19 vaccine promises, are likely to dominate the spam and phishing landscape throughout Q2 2021, according to researchers.

And although no new wild trends have emerged, Kaspersky researchers, who just released their report for Q1 2021, said that the spear-phishing tactics attackers are using against victims are getting better.

Bank-Scam, QR-Code Phishing Lures

For instance, mobile banking scams aren’t anything new; however, attackers have developed a couple of new approaches.


In one example from Q1 2020, Kaspersky reported that clients of several Dutch banks received a fraudulent email which prompted them to scan a QR code to “unlock” mobile banking. Instead, they were directed to a web page loaded with malware.

QR codes are an increasingly popular tool for threat actors, especially since the pandemic. They have been used to access menus, check in for vaccines and get public information.

Another banking scam observed by Kaspersky researchers delivered a fake newsletter posing as legitimate correspondence from MKB bank with updates on COVID-19, but instead delivered a scam Outlook sign-in page, attempting to harvest credentials.

Other phishing lures observed last quarter by Kaspersky included offers of government payouts, intended to steal credit-card information and personal data.

COVID-19 Vaccine Lures

COVID-19 vaccines are the most important topic around the world at the moment, and malicious actors have capitalized on this over the past several weeks.

A scam COVID-19 vaccination lure. Source: Kaspersky.

“Cybercriminals took advantage of people’s desire to get vaccinated as quickly as possible,” according to the report. “For instance, some U.K. residents received an email that appeared to come from the country’s National Health Service. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link.”

Another particularly despicable COVID scam email specifically targeted people over 65 seeking a vaccine, the researchers added.

“In both cases, to make a vaccination appointment, a form had to be filled out with personal data; and in the first case, the phishers also wanted bank-card details,” the report explained. “If the victim followed all the instructions on the fake website, they handed their money and personal data to the attackers.”

Fraudsters also blasted out scam vaccination surveys, which were emails doctored up to look like they were from pharmaceutical companies making vaccines, asking for input.

“Participants were promised a gift or cash reward for their help,” the report added. “After answering the questions, the victim was redirected to a page with the ‘gift.’”

The victim was then asked for personal information, or in some cases, even payment information to pay for delivery of the “prize.”

Scammers also sent emails convincingly disguised to look like they were sent from Chinese vaccine-makers.

Hunt for Corporate Credentials Is On

A bogus mobile QR-code lure. Source: Kaspersky.

Because consumers are getting better at spotting scams, attackers are getting expert at making their communications seem real. This is especially important in trying to score what Kaspersky calls “a coveted prize for scammers:” corporate usernames and passwords.

“To counter people’s increasingly wary attitude to emails from outside, attackers try to give their mailings a respectable look, disguising them as messages from business tools and services,” Kaspersky said. “By blending into the workflow, the scammers calculate that the user will be persuaded to follow the link and enter data on a fake page.”

The team observed a malicious link being delivered through Microsoft Planner, and in Russia, they discovered an email posing as a message from an analytics portal support team. Both asked for corporate-account credentials.

“Old techniques, such as creating a unique fake page using JavaScript, were combined in Q1 with overtly business-themed phishing emails,” the report said. “If previously scammers used common, but not always business-oriented, services as bait, the new batch of emails cited an urgent document awaiting approval or contract in need of review.”

The ‘Less is More’ Lure

Another interesting lure type highlighted by the Kaspersky report asks for just a tiny amount of money to complete the scam transaction. In one example the team gives, the criminals asked for only 1.99 rubles ($0.27).

“The calculation was simple: Users would be less averse to paying a small amount than a larger one, which means more potential victims willing to enter card details on the bogus site,” the report explained. The emails usually had themes around everyday services like deliveries, fake “invoices” for domain usage or a WhatsApp subscription.

Facebook users were targeted last quarter by a scam lure saying their accounts were in violation of the platform’s terms of use, Kaspersky said. The first link went to a legitimate Facebook page to reassure the victim that it was real. But the second link went to a phishing site.

“The attackers’ calculation was simple: First lull the victim’s vigilance with a legitimate link, then get them to enter their credentials on a fake page,” the report explained.
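The “legitimate link first, phishing link second” pattern described above is something a mail filter can look for directly: if a message that talks about one brand contains links both to that brand’s real domain and to somewhere else, the mix itself is a signal. The following is an added example written for this article, not code from Threatpost or Kaspersky. It uses only the Python standard library; the brand allow-list and the sample email body are constructed for illustration, and the domain extraction is a simplified two-label heuristic rather than a public-suffix-list lookup.

```python
"""Added example (not from the article or Kaspersky's report): flag emails that
mix links to an impersonated brand's real domain with links elsewhere."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of domains the brand actually uses (constructed for
# this example; a real deployment would load it from policy or threat intel).
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Only text inside an open <a> belongs to the link's display text.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(url):
    """Return the last two labels of the URL's host (simplified heuristic;
    production code should consult the public suffix list instead)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze(html_body, brand):
    """Split a message's links into brand-legitimate and suspect, and return a
    verdict: 'clean', 'suspect', or 'mixed-links' (the lure pattern above)."""
    allowed = BRAND_DOMAINS[brand]
    parser = LinkExtractor()
    parser.feed(html_body)
    legit, suspect = [], []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        dom = registrable_domain(href)
        if dom in allowed:
            legit.append(href)
        else:
            suspect.append({
                "href": href,
                "text": text,
                "domain": dom,
                # Brand name embedded in a non-brand host is a classic lookalike.
                "brand_in_host": brand in host,
            })
    if legit and suspect:
        verdict = "mixed-links"
    elif suspect:
        verdict = "suspect"
    else:
        verdict = "clean"
    return {"verdict": verdict, "legitimate": legit, "suspect": suspect}


# Constructed sample modelled on the lure described in the article:
# a real Facebook policy link followed by a link to a lookalike host.
SAMPLE_EMAIL = """
<p>Your account violates our terms of use.</p>
<p>Read the policy: <a href="https://www.facebook.com/policies">Community Standards</a></p>
<p>To keep your account, <a href="https://facebook-security-check.example.net/appeal">appeal here</a>.</p>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EMAIL, "facebook"), indent=2))
```

Run against the constructed sample, `analyze` reports `mixed-links`, with the policy link in the legitimate list and the `example.net` link in the suspect list (flagged for carrying the brand name in its host). A single legitimate link should not whitelist the whole message, which is exactly why the verdict is computed over the set of links rather than the first one.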

Overall, spam traffic was down a bit (by 2.1 percent) in Q1. The Russian-language internet (“Runet”) also saw a small drop in spam of less than 2 percent, the report added. Russia accounted for the largest share of outgoing spam with 22.47 percent, followed by Germany with 14.89 percent, Kaspersky found. The U.S. and China followed with 12.98 percent and 7.38 percent of the world’s spam traffic, respectively.

Malicious email attachments detected were also down, but Kaspersky points out that this is primarily due to a boost in the number of attachments blocked by mail antivirus.

Malware Families on the Rise

The most common malicious attachments in spam emails during the quarter belonged to the Agensla malware family, according to Kaspersky, with an 8.91 percent share of malicious attachments detected; these were followed by exploits for CVE-2017-11882, a Microsoft Equation Editor vulnerability. The Badun family was third with 5.79 percent.

“The Top 10 most common malicious attachments in Q4 corresponds exactly to the ranking of families,” the report explained. “This suggests that each of the above-described families was widespread largely due to one member.”

Online stores remain the most popular impersonation targets for phishing pages, accounting for 15.77 percent of those observed, Kaspersky said. Global internet portals (15.5 percent) and banks (10.04 percent) were close behind.

Finally, Kaspersky warns about a potential slight uptick in tourism-related bait around the corner.

“And as the summer season approaches, an increase in the number of emails related to tourism is possible; however, due to the pandemic, it is likely to be small,” the report said. “On the other hand, cybercriminals will almost certainly continue to actively hunt corporate-account credentials, exploiting the fact that many companies are still in remote-working mode and communication among employees is predominantly online.”
