‘Friends’ Reunion Anchors Video Swindle

Spam was on the rise in Q2, with video fraud and COVID-19-related efforts in the mix.

The second quarter saw a rise in entertainment lures for fraud and phishing, including one campaign capitalizing on the buzz around “Friends: The Reunion.”

Researchers at Kaspersky found fake sites supposedly hosting video for the much-anticipated special episode of the popular sitcom, according to the firm’s analysis of second-quarter trends, released last week. Fans who tried to watch or download the episode were redirected to a Columbia Pictures splash screen. After a few seconds, the broadcast stopped, replaced by a request to pay a nominal fee.

Variations on the gambit had cropped up in late April, too, timed around the Academy Awards. Oscar-nominated movies were graced with fake websites offering “free viewings” of the contenders.

“After launching a video, the visitor of the illegal movie theater was shown several clips of the film (usually taken from the official trailer), before being asked to pay a small subscription fee to continue watching,” according to the report. “However, after payment of the ‘subscription,’ the movie screening did not resume; instead the attackers had a new bank account to play with.”

It added, “almost any big-budget movie is accompanied by the appearance of fake websites offering video or audio content long before its official release.”

Q2 Phishing and the Cloud

The quarter also saw the return of cloud-related phishing lures, Kaspersky found – likely driven by the continued remote working phenomenon in the face of the COVID-19 pandemic.

For instance, when targeting corporate accounts, scammers imitated mailings from popular cloud services.

“A fake notification about a Microsoft Teams meeting or a request to view an important document traditionally takes the victim to a phishing login page asking for corporate account credentials,” according to the report.

Some of the schemes were aimed at stealing funds or installing malware, not taking over accounts, Kaspersky found.

Some were “spoofed messages about a comment added to a document stored in the cloud,” the analysis explained. “The document itself most likely did not exist; at the other end of the link was the usual recipe for making a fast buck online by investing in Bitcoin or a similarly tempting offer. Such ‘offers’ usually require the victim to pay a small amount upfront to claim their non-existent reward.”

Another email threatened legal action, and asked the target to “review documents” about the issue. Clicking on the link, however, eventually led to the download of a backdoor.

Other lures in circulation during the quarter included offers of financial pandemic assistance sent in the name of government agencies, notices of unexpected parcels requiring payment by the recipient, notifications about being the lucky winner of a tidy sum and romance-themed efforts.

Spam on the Rise

Kaspersky also found that after a prolonged decline, the share of spam in global mail traffic began to grow again in the second quarter, making up 46.56 percent of the volume.

“A look at the data by month shows that, having troughed in March (45.10 percent), the share of spam in global mail traffic rose slightly in April (45.29 percent), with further jumps in May (46.35 percent) and June (48.03 percent), which is comparable to Q4 2020,” according to the report.

As for the source of spam, Russia (26.07 percent) remains in first place, followed by Germany (13.97 percent) and the U.S. (11.24 percent).

As for targets, Spain had the most recipients (9.28 percent), followed by Italy (6.38 percent) and Germany (5.26 percent).

“In Q2, as we expected, cybercriminals continued to hunt for corporate account credentials and exploit the COVID-19 theme,” the report concluded. “As for Q3 forecasts, the share of cyberattacks on the corporate sector is likely to stay the same. This is because remote working has established a firm foothold in the labor market. Also, the COVID-19 topic is unlikely to disappear from spam. And if the current crop of vaccination and compensation scams weren’t enough, fraudsters could start utilizing newly identified strains of the virus to add variety and nowness to their schemes.”
