Experts address key cybercrime developments during the pandemic

Monday, October 26, 2020, 15:11 GMT

A study of the key developments in cybercrime during the COVID-19 pandemic was published by Group-IB experts. The study was presented at the international forum "Strategic development of the system of the Ministry of Internal Affairs of Russia: state, trends, prospects" held by the Management Academy of the Ministry of Internal Affairs of the Russian Federation.

The effects of the coronavirus pandemic, the shift to remote work, job losses and the financial crisis have triggered a rapid rise in cyber fraud. Above all, the number of financial frauds using social engineering techniques has grown, according to Group-IB researchers. According to the Ministry of Internal Affairs, cybercrime rose by 91.7% between January and June 2020 compared with the same period of the previous year. Over the same period the number of "classic" offences fell: street robberies declined by 23.6%, robberies by 20.7%, thefts by 19.6% and car thefts by 28.7%.

The emergence of remote methods of committing offences, with no direct contact between attackers and their victims, is one of the key trends noted by the Ministry of Internal Affairs. For example, whereas until 2014 drug deals were mostly carried out hand to hand, today dealers use only electronic trading channels on the darknet and take payment in cryptocurrency.

Nearly 70% of the crimes involving illegal arms trafficking reported in 2020 were likewise committed via the Internet, remotely and covertly. The same applies to illegal trade in counterfeit currency, securities and documents.

Group-IB researchers reported a spike in 2020 in the number of financial frauds using social engineering (vishing and phishing), aimed mainly at bank customers. In total, CERT-GIB blocked 14,802 phishing resources in the first nine months of 2020 that were designed to steal money and the personal data of website visitors (logins, account and online-banking credentials, bank card data). This is already more than in 2019, when it blocked 14,093 such resources.

The Management Academy of the Ministry of Internal Affairs states that the most common remote fraud method is the familiar "bank security service" call, supposedly about a suspicious transaction or a hacked personal account. At the same time, telephone scammers have been deliberately using caller-ID (number) spoofing and SIP telephony, and the anonymizers they route through make it very hard to determine an attacker's real IP address.

Many services for "profiling" bank customers have also appeared recently, combining OSINT techniques with insider access to various accounts. This has expanded the amount of information available to attackers about potential victims and contributed to a rise in the number of attacks.

At the same time, the fraud schemes themselves have changed little. The criminals' main goal is unchanged, the theft of money or of information that can be sold, but they have acquired a new "kit" tailored to the current news agenda: the sale of fake digital passes, letters with fines for breaking quarantine, fake courier-service pages, and fraudulent mailings on behalf of the video-conferencing service Zoom.

Group-IB also observed aggressive recruitment into fraudulent criminal communities during 2020. The entry threshold has dropped significantly: prospective members are drawn in via Telegram channels and hacker forums, with training and sign-up incentives to follow. Andrey Kolmakov, head of the information security incident investigation department at Group-IB, says that the "grey zone" adapted quickly to the new conditions, so that the "ticket mafia", for example, redirected its money into supplying food and medicines at inflated prices.

According to the specialist, the cybercrime-as-a-service industry has also been growing aggressively: it rents out networks of malware-infected computers (botnets), which are used, for example, to coordinate DDoS attacks, send phishing emails and provide proxy servers. … These services are advertised on Telegram and on hacker forums, alongside guides for hacking messengers and social networks.

The study reports that email remains one of the principal attack vectors throughout the pandemic.

"The cybercriminals attacked employees who had moved to remote work, infecting their machines with ransomware and gaining access to the corporate network through them. Most often, malicious mailings disguised as COVID-19 communications carried attachments with spyware or download links, backdoors and downloaders, which were later used to install other malware, including banking Trojans or ransomware," says Valery Baulin, head of the Network Forensics Laboratory at Group-IB.
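As an added example of what that mail-borne chain looks like from the defender's side (this is not code from Group-IB or the article), the Python below triages messages for a pandemic-themed lure combined with a delivery vector: an attachment of a type commonly used for downloaders and macro droppers, or a link whose host lies outside the sender's own domain. The keyword list, the file-type list, the addresses and the two sample messages are all assumptions constructed for the illustration.

```python
"""Triage mail for pandemic-themed lures carrying a risky attachment or an off-domain link.

Added illustration: keyword list, extension list and sample messages are assumptions,
not data from Group-IB or the article.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from typing import List

# Assumed lure vocabulary, drawn from the themes the article mentions.
LURE_KEYWORDS = ("covid", "coronavirus", "quarantine", "pandemic")
# Assumed set of attachment types typically used to deliver downloaders and backdoors.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".lnk", ".zip", ".rar")
URL_HOST_RE = re.compile(r"https?://([^/\s>\"']+)", re.IGNORECASE)


def sender_domain(msg: EmailMessage) -> str:
    """Domain part of the From header, lower-cased ('' if missing or unparsable)."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def lure_indicators(msg: EmailMessage) -> List[str]:
    """Return the reasons this message looks like a pandemic-themed malware lure."""
    reasons: List[str] = []
    subject = (msg.get("Subject") or "").lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    if any(k in subject + " " + body for k in LURE_KEYWORDS):
        reasons.append("themed lure")
    # Downloaders and backdoors arrive as scripts, macro documents or archive containers.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append("risky attachment: " + name)
    # A download link pointing outside the sender's own domain is the usual giveaway.
    own = sender_domain(msg)
    for host in URL_HOST_RE.findall(body):
        host = host.lower().split(":")[0]
        if host != own and not host.endswith("." + own):
            reasons.append("off-domain link: " + host)
    return reasons


def verdict(msg: EmailMessage) -> str:
    """quarantine = lure + delivery vector; review = vector only; allow = nothing suspicious."""
    reasons = lure_indicators(msg)
    themed = "themed lure" in reasons
    vector = any(r.startswith(("risky attachment", "off-domain link")) for r in reasons)
    if themed and vector:
        return "quarantine"
    if vector:
        return "review"
    return "allow"


def verdict_from_raw(raw: str) -> str:
    """Same check on an RFC 5322 message as it would arrive off the wire."""
    return verdict(email.message_from_string(raw, policy=policy.default))


def build_message(sender: str, subject: str, body: str, attachment: str = "") -> EmailMessage:
    """Construct a sample message (constructed test data, not a real capture)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = "employee@corp.example"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        # Payload bytes are a placeholder; only the file name matters for this check.
        msg.add_attachment(b"PLACEHOLDER", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


# Constructed samples in the style the article describes (assumed addresses and hosts).
LURE = build_message(
    "Quarantine Office <fines@city-notice.example>",
    "COVID-19: fine for violating quarantine",
    "Your fine is attached. Pay within 3 days at http://pay-fine.example/invoice\n",
    "fine_notice.docm",
)
NEWSLETTER = build_message(
    "IT Department <it@corp.example>",
    "Coronavirus remote-work guidelines",
    "See the updated VPN guide at https://intranet.corp.example/vpn\n",
)

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("newsletter", NEWSLETTER)):
        print(label, verdict(sample), lure_indicators(sample))
```

The theme alone is deliberately not enough to block: an internal coronavirus newsletter with an intranet link comes out as "allow", while the fake fine notice is quarantined because the lure coincides with a macro document and a link to a third-party host. In production the same three signals would feed a mail gateway or SIEM rule rather than a script.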

The success of ransomware is no accident, experts say. In 2020 the vast majority of criminal groups switched to working with ransomware operators: the attackers found that they could earn no less this way than from a successful attack on a bank, while the technical execution is far simpler.

Besides new partnerships, this year has also produced many new alliances and affiliate programs. Thus the operators of the QakBot banking Trojan joined Big Game Hunting (attacks on large corporations to extort a substantial ransom) using the ProLock ransomware, and more recently the FIN7 group joined the REvil ransomware affiliate program, having systematically targeted banks and hotels …

The size of the ransom demanded in such attacks has also grown significantly: ransomware operators sometimes demand several million dollars from victims, and even tens of millions.