Tech support scams using pop-up messages with fake warnings of computer problems are increasingly being used to take advantage of employees working from home, according to customer data gathered by Fortinet.
Malvertising and scareware were detected by one in four organizations running Fortinet devices in the first half of the year, the company said Monday in its semi-annual global threat landscape report. It was a figure that surprised some in the company.
“That’s a pretty high number,” Derek Manky, Vancouver-based chief of security insights and global threat alliances at FortiGuard Labs, said in an interview. “This is something we haven’t seen for about 10 years.”
“These are web-borne threats now targeting the work-from-home environment. But they’re very much trying to double down, instead of just doing social engineering through social media campaigns, by using websites that are impersonating tech support departments.”
One of the most popular malware families recently seen, says the report, is dubbed Cryxos. These are trojans that display messages saying a user’s computer or web browser has been blocked by a virus and personal data is being stolen. The message tells the user to phone a number to help remove the infection. A threat actor may prepare for the attack by compromising a legitimate web page, or setting up a malicious one, so the pop-up appears when anyone visits the page.
Other tactics include phishing email messages with COVID-19 related attachments that either inject code into a victim’s computer or direct them to malicious sites. “Such techniques have risen in popularity of late as a way to exploit peoples’ craving for news/information during the COVID-19 pandemic and the concurrent transition to working from home outside corporate web filters,” the report says.
Other patterns detected in the first half of the year included:
– the well-documented rise of ransomware. The average weekly ransomware activity in June was more than 10 times higher than levels from one year ago.
The report also notes some ransomware operators shifted their strategy away from email-initiated payloads to focusing on gaining and selling initial access into corporate networks. That, the report says, is part of the continuing evolution of ransomware-as-a-service (RaaS) fueling cybercrime;
– botnets continue to be a threat. At the beginning of the year, 35 per cent of Fortinet customers detected botnet activity of one sort or another; six months later it was 51 per cent.
A large bump in TrickBot activity was responsible for the overall spike in botnet activity during June, the report notes. Partly crippled by attacks last fall, TrickBot has shown a resurgence, moving from a banking trojan into what the report says is a “sophisticated and multi-stage toolkit supporting a range of illicit activities.” The Mirai botnet is still the most prevalent;
– operational technology (OT) networks are increasingly being targeted. While IT-related exploits are clearly more numerous and exhibit greater prevalence and volume, the report says the “relatively high level of exploitation targeting OT may surprise many.” The data Fortinet gathered, the report says, “shatters the perception that ICS (industrial control system) exploits are an obscure niche of the cyber threat landscape.”
– it’s not all bad news. Several events in 2021 show positive developments specifically for defenders, says the report. The original developer of TrickBot was arraigned on multiple charges in June. Also, the co-ordinated takedown of Emotet, described by the report as “one of the most prolific malware operations in recent history,” as well as actions to disrupt the Egregor, NetWalker, and Cl0p ransomware operations were significant.
The level of attention that some attacks garnered spooked a few ransomware operators (Ryuk, Darkside) to announce they were ceasing operations, the report adds.
In the interview Manky emphasized there are a lot of relatively simple ways CISOs can reduce risk in their organizations, including using intrusion prevention software, watching for evidence that anti-virus and other defences are being evaded, and watching for signs of unexpected privilege escalation.
“It’s all about making it more expensive for cyber criminals,” he said.