Ksenia Rysaeva: ‘The main thing is to be attentive to incoming messages not to become a victim of phishing’

The head of the Analytics group of the Cyber Threat Prevention Centre CyberART at Innostage Group — about new online fraud schemes and security measures

The number of cyberattacks has increased, including cases of phishing, in Russia. In social networks and messengers, Tatarstan citizens receive various messages from well-known brands with an offer to participate in the competition, receive a prize, and buy goods at a bargain price. How to recognise a trap, what a click on a fake link can lead to, and what new tricks scammers resort to — Ksenia Rysaeva, the head of the analytics group at the CyberART Cyber Threat Prevention Centre of Innostage Group, tells more about this in the author's column for Realnoe Vremya.

What are the goals of phishing

Attacks using social engineering tools (that is, a method of obtaining the necessary access to information based on the peculiarities of human psychology) occupy the leading position among other methods of online fraud. In particular, attackers use phishing mailings. Their danger lies in the fact that, firstly, they are aimed at ordinary users who, as a rule, are not concerned about information security issues. Secondly, they are quite difficult to identify. The main purpose of phishing is to obtain user identification data. This includes the theft of usernames and passwords, credit card numbers, bank accounts and other confidential information.

According to the method of distribution , phishing can be divided into two categories:

  • phishing mailings, e-mail, SMS, messages in social networks;
  • phishing sites that copy the victim's original resource (banks, airlines, online stores, businesses, government agencies, and so on).

If there are a lot of recommendations for safe work with mail and messengers, then things are worse with websites.

Attackers use whale phishing whales, or phishing kits

One of the common techniques of phishers is to create copies of legitimate pages of well-known brands or companies. As a rule, attackers borrow design elements of a real site, so it can be difficult for the user to distinguish the pages they created from the original. The web address of a fake site can often be mistaken for a legitimate one, since scammers include in the URL the name of the company or service that they are trying to fake.

Since a phishing site can be promptly blocked or added to anti-phishing databases, attackers are interested in generating such pages quickly and in large quantities. It takes a long time to create them manually every time, besides, not all scammers have the skills of web development and site administration. Therefore, fish whales, or phishing kits, are popular among attackers — a kind of constructors consisting of ready-made templates and scripts with which you can quickly and massively create phishing pages. Fish whales are quite easy to use, so they can also be acquired by inexperienced fishers who do not have special technical skills.

From March 23, messages have been sent to the e-mail of Russian users allegedly on behalf of representatives of the Ministry of Finance and Roskomnadzor. The letters contained a warning about the illegality of using websites, social networks, messengers and VPN services banned in Russia to bypass their blocking. The message was accompanied by an RTF file with a list of prohibited resources. Experts found out that when opening a document on a smartphone, PC or any other user device, an HTML file is downloaded, which activates a script that allows fraudsters to gain remote access to these devices. The mailing of phishing emails was configured primarily to the addresses of electronic mailboxes with domains mail.ru, yandex.ru , mvd.ru, cap.ru and minobr-altai.ru .

On April 19, Kaspersky Lab informed about malicious mailings using the names of well-known universities. For example, Kaspersky has recorded the illegal use of names such as Moscow State University named after M.V. Lomonosov, University of Bucharest, Rhenish-Westphalian Technical University in Aachen, Aristotle University in Thessaloniki, Ankara University, Autonomous University of Nuevo Leon (Mexico), Catholic University of Bolivia. The letters were designed as a business offer, which the recipient was invited to familiarise himself with by opening an attached archive or an office document with a macro that used the vulnerability of outdated versions of Microsoft Office programmes.

Since July 1, analysts at the CyberART Cyber Threat Prevention Centre of Innostage Group have been recording the spread of malicious load on the hosts of users of websites running CMS Bitrix. On infected sites, a malicious script appeared in the page code that redirects users to one of the phishing pages. In fact, hackers can use sites on Bitrix to steal user accounts and payment card data. The addresses change, but in some cases phishing is disguised as Sberbank's personal account, Ozon stores or DNS.

Redirects to phishing sites ozon[.]ru[.]wb[.]org[.]ruada-rus[.]ru, ozon[.]ru[.]premium[.]pp[.]ru) were recorded .

One of the latest phishing campaigns in the global community was a WhatsApp newsletter from Heineken. The phishing message in WhatsApp was attached with an image with a beer cooler and a link to the fake website of the company's contest. The fake page requires personal data (names, email addresses and phone numbers) of those wishing to participate in the booze draw.

How not to become a victim of phishing

The most important thing is to be attentive to incoming messages.

  1. Pay attention to visual deviations in the letter, this is one of the criteria for a phishing message.
  2. Be critical of links received in letters and messages from strangers, as well as in “viral” messages with a request to forward them to a certain number of contacts. Check URLs to see if they are redirecting to an unknown and/or suspicious website. Also, the letter should not contain grammatical and spelling errors.
  3. Use a security solution that blocks phishing resources.
  4. To protect themselves from phishing attacks, users should avoid answering calls from unknown phone numbers and not provide personal information by phone.

There are also several recommendations for companies and their employees:

  1. If you notice suspicious computer behaviour or a suspicious letter in the mail, immediately report it to the information security service of your organisation. The sooner you report it, the faster they will be able to respond.
  2. If you receive an email with an attached document or link that you absolutely do not expect from the sender, before opening the attachments or clicking on the link, call the sender and clarify whether he really sent this email.
  3. Observe digital hygiene:a) do not store usernames, passwords and other important information in the mail; b) do not save the password from the web-based login form in the mail in the browser.

  4. Never enter your corporate password on third-party resources, and if you are asked to do this, check this point with your organisation's information security service. Believe me, they will be glad that you asked them now, and did not come to them when you were “hacked”.
  5. Never share passwords over the phone, even if the caller appears to be an employee of your IT or security service. Contact the security service yourself and ask why they are asking for your personal password on the phone.
  6. Watch out for the appearance of fish whales targeting users or employees.
  7. Increase the digital literacy of employees, for example, through basic training of employees in the basics of information security.
  8. Apply comprehensive security solutions that will allow you to build a flexible and effective information security system.
Ksenia Rysaeva

The author's opinion may not coincide with the position of the editorial board of Realnoe Vremya.