phishing – Kaspersky official blog https://www.kaspersky.com/blog The Official Blog from Kaspersky covers information to help protect you against viruses, spyware, hackers, spam & other forms of malware. Thu, 22 Feb 2024 14:36:48 +0000

Credential phishing targets ESPs through ESPs https://www.kaspersky.com/blog/sendgrid-credentials-phishing/50662/ Thu, 22 Feb 2024 10:00:06 +0000

Mailing lists that companies use to contact customers have always been an interesting target for cyberattacks. They can be used for spamming, phishing, and even more sophisticated scams. If, besides the databases, the attackers can gain access to a legitimate tool for sending bulk emails, this significantly increases the chances of success of any attack. After all, users who have agreed to receive emails and are accustomed to consuming information in this way are more likely to open a familiar newsletter than some unexpected missive. That’s why attackers regularly attempt to seize access to companies’ accounts held with email service providers (ESPs). In the latest phishing campaign we’ve uncovered, the attack method has been refined to target credentials on the website of the ESP SendGrid by sending phishing emails directly through the ESP itself.

Why is phishing through SendGrid more dangerous in this case?

Among the tips we usually give in phishing-related posts, we most often recommend taking a close look at the domain of the site in the button or text hyperlink that you’re invited to click or tap. ESPs, as a rule, don’t allow direct links to client websites to be inserted in an email, but rather serve as a kind of redirect — inside the link the email recipient sees the domain of the ESP, which then redirects them to the site specified by the mail authors when setting up the mailing campaign. Among other things, this is done to collect accurate analytics.

In this case, the phishing email appears to come from the ESP SendGrid, expressing concern about the customer’s security and highlighting the need to enable two-factor authentication (2FA) to prevent outsiders from taking control of their account. The email explains the benefits of 2FA and provides a link to update the security settings. This leads, as you’ve probably already guessed, to some address in the SendGrid domain (where the settings page would likely be located if the email really was from SendGrid).

To email scanners, the phishing message looks like a perfectly legitimate email sent from SendGrid’s servers with valid links pointing to the SendGrid domain. The only thing that might alert the recipient is the sender’s address, because ESPs put the real customer’s domain and mailing ID there. Most often, phishers make use of hijacked accounts (ESPs subject new customers to rigorous checks, while old ones who’ve already sent some bulk emails are considered reliable).

An email seemingly from SendGrid sent through SendGrid to phish a SendGrid account.

Phishing site

This is where the attackers’ originality comes to an end. SendGrid redirects the link-clicking victim to a regular phishing site mimicking an account login page. The site domain is “sendgreds”, which at first glance looks very similar to “sendgrid”.

A site mimicking the SendGrid login page. Note the domain in the address bar.

How to stay safe

Since the email is sent through a legitimate service and shows no typical phishing signs, it may slip through the net of automatic filters. Therefore, to protect company users, we always recommend deploying solutions with advanced anti-phishing technology not only at the mail gateway level but on all devices that have access to the internet. This will block any attempted redirects to phishing sites.
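The check that the redirect trick above defeats is "look at the domain in the link"; what a gateway or endpoint filter must judge instead is the domain the redirect finally lands on. The following is an added example (not Kaspersky's code, and not SendGrid's): it follows a constructed redirect table in place of live HTTP hops, takes the registrable domain of the landing page, and flags it as a lookalike of the expected brand domain by edit distance. The ESP tracking host, the landing URLs and the brand domain `sendgrid.com` are assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed redirect table standing in for the live HTTP hops of an ESP click-tracking
# link. The hosts are placeholders; a real check resolves each hop with HEAD requests and
# never executes the landing page.
REDIRECTS = {
    "https://click.esp.example/track?id=1": "https://sendgreds.example/login",
    "https://click.esp.example/track?id=2": "https://sendgrid.com/account/security",
}


def follow_redirects(url, table, max_hops=10):
    """Return the full hop chain from the visible link to the final landing URL."""
    chain = [url]
    seen = {url}
    while chain[-1] in table:
        nxt = table[chain[-1]]
        if nxt in seen or len(chain) >= max_hops:
            raise ValueError("redirect loop or too many hops")
        chain.append(nxt)
        seen.add(nxt)
    return chain


def registrable_domain(host):
    """Simplification: the last two labels. Production code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to spot lookalike labels such as 'sendgreds' vs 'sendgrid'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, brand_domain, table, max_distance=2):
    """Judge the landing domain, not the ESP domain shown in the email."""
    chain = follow_redirects(url, table)
    final_host = urlparse(chain[-1]).hostname or ""
    landing = registrable_domain(final_host)
    brand = brand_domain.lower()
    if landing == brand:
        verdict = "ok"
    elif levenshtein(landing.split(".")[0], brand.split(".")[0]) <= max_distance:
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {"verdict": verdict, "final_host": final_host, "chain": chain}
```

A "lookalike" or "unrelated" verdict on a link that claims to be a security-settings page is the signal to block the redirect rather than show the page.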

And yes, for once it’s worth heeding the attackers’ advice and enabling 2FA. But do it not through a link in a suspicious email, but in the account settings on the ESP’s website.

Update. We contacted Twilio and received the following statement from their spokesperson:

Impersonating a site administrator, or other critical function, has proven an effective means of phishing across the industry, and Twilio SendGrid takes abuse of its platform and services very seriously. Twilio detected that bad actors obtained customer account credentials and used our platform to launch phishing attacks; our fraud, compliance and cyber security teams immediately shut down accounts identified and associated with the phishing campaign. We encourage all end users to take a multi-pronged approach to combat phishing attacks, including two-factor authentication, IP access management, and using domain-based messaging.

Cyberthreats to marketing | Kaspersky official blog https://www.kaspersky.com/blog/cyberattacks-on-your-marketing/50571/ Tue, 13 Feb 2024 19:12:22 +0000

When it comes to attacks on businesses, the focus is usually on four aspects: finance, intellectual property, personal data, and IT infrastructure. However, we mustn’t forget that cybercriminals can also target company assets managed by PR and marketing — including e-mailouts, advertising platforms, social media channels, and promotional sites. At first glance, these may seem unattractive to the bad guys (“where’s the revenue?”), but in practice each can serve cybercriminals in their own “marketing activities”.

Malvertising

To the great surprise of many (even InfoSec experts), cybercriminals have been making active use of legitimate paid advertising for a number of years now. In one way or another they pay for banner ads and search placements, and employ corporate promotion tools. There are many examples of this phenomenon, which goes by the name of malvertising (malicious advertising). Usually, cybercriminals advertise fake pages of popular apps, fake promo campaigns of famous brands, and other fraudulent schemes aimed at a wide audience. Sometimes threat actors create an advertising account of their own and pay for advertising, but this method leaves too much of a trail (such as payment details). So a different method is more attractive to them: stealing login credentials and hacking the advertising account of a straight-arrow company, then promoting their sites through it. This has a double payoff for the cybercriminals: they get to spend others’ money without leaving excess traces. But the victim company, besides a gutted advertising account, gets one problem after another — including potentially being blocked by the advertising platform for distributing malicious content.

Downvoted and unfollowed

A variation of the above scheme is a takeover of social networks’ paid advertising accounts. The specifics of social media platforms create additional troubles for the target company.

First, access to corporate social media accounts is usually tied to employees’ personal accounts. It’s often enough for attackers to compromise an advertiser’s personal computer or steal their social network password to gain access not only to likes and cat pics but to the scope of action granted by the company they work for. That includes posting on the company’s social network page, sending emails to customers through the built-in communication mechanism, and placing paid advertising. Revoking these functions from a compromised employee is easy as long as they aren’t the main administrator of the corporate page — in which case, restoring access will be labor-intensive in the extreme.

Second, most advertising on social networks takes the form of “promoted posts” created on behalf of a particular company. If an attacker posts and promotes a fraudulent offer, the audience immediately sees who published it and can voice their complaints directly under the post. In this case, the company will suffer not just financial but visible reputational damage.

Third, on social networks many companies save “custom audiences” — ready-made collections of customers interested in various products and services or who have previously visited the company’s website. Although these usually can’t be pulled (that is, stolen) from a social network, unfortunately it’s possible to create malvertising on their basis that’s adapted to a specific audience and is thus more effective.

Unscheduled circular

Another effective way for cybercriminals to get free advertising is to hijack an account on an email service provider. If the attacked company is large enough, it may have millions of subscribers in its mailing list.

This access can be exploited in a number of ways: by mailing an irresistible fake offer to email addresses in the subscriber database; by covertly substituting links in planned advertising emails; or by simply downloading the subscriber database in order to send them phishing emails in other ways later on.

Again, the damage suffered is financial, reputational, and technical. By “technical” we mean the blocking of the company’s future messages by recipient mail servers. In other words, after the malicious mailouts, the victim company will have to resolve matters not only with the mailing platform but also potentially with specific email providers that have blocked it as a source of fraudulent correspondence.

A very nasty side effect of such an attack is the leakage of customers’ personal data. This is an incident in its own right — capable of inflicting not only reputational damage but also landing you with a fine from data protection regulators.

Fifty shades of website

A website hack can go unnoticed for a long time — especially for a small company that does business primarily through social networks or offline. From the cybercriminals’ point of view, the goals of a website hack vary depending on the type of site and the nature of the company’s business. Leaving aside cases when website compromise is part of a more sophisticated cyberattack, we can generally delineate the following varieties.

First, threat actors can install a web skimmer on an e-commerce site. This is a small, well-disguised piece of JavaScript embedded directly in the website code that steals card details when customers pay for a purchase. The customer doesn’t need to download or run anything — they simply pay for goods or services on the site, and the attackers skim off the money.

Second, attackers can create hidden subsections on the site and fill them with malicious content of their choosing. Such pages can be used for a wide variety of criminal activity, be it fake giveaways, fake sales, or distributing Trojanized software. Using a legitimate website for these purposes is ideal, just as long as the owners don’t notice that they have “guests”. There is, in fact, a whole industry centered around this practice. Especially popular are unattended sites created for some marketing campaign or one-time event and then forgotten about.

The damage to a company from a website hack is broad-ranging, and includes: increased site-related costs due to malicious traffic; a decrease in the number of real visitors due to a drop in the site’s SEO ranking; potential wrangles with customers or law enforcement over unexpected charges to customers’ cards.

Hotwired web forms

Even without hacking a company’s website, threat actors can use it for their own purposes. All they need is a website function that generates a confirmation email: a feedback form, an appointment form, and so on. Cybercriminals use automated systems to exploit such forms for spamming or phishing.

The mechanics are straightforward: the target’s address is entered into the form as a contact email, while the text of the fraudulent email itself goes in the Name or Subject field, for example, “Your money transfer is ready for issue (link)”. As a result, the victim receives a malicious email that reads something like: “Dear XXX, your money transfer is ready for issue (link). Thank you for contacting us. We’ll be in touch shortly”. Naturally, the anti-spam platforms eventually stop letting such emails through, and the victim company’s form loses some of its functionality. In addition, all recipients of such mail think less of the company, equating it with a spammer.

How to protect PR and marketing assets from cyberattacks

Since the described attacks are quite diverse, in-depth protection is called for. Here are the steps to take:

  • Conduct cybersecurity awareness training across the entire marketing department. Repeat it regularly;
  • Make sure that all employees adhere to password best practices: long, unique passwords for each platform and mandatory use of two-factor authentication — especially for social networks, mailing tools, and ad management platforms;
  • Eliminate the practice of using one password for all employees who need access to a corporate social network or other online tool;
  • Instruct employees to access mailing/advertising tools and the website admin panel only from work devices equipped with full protection in line with company standards (EDR or internet security, EMM/UEM, VPN);
  • Urge employees to install comprehensive protection on their personal computers and smartphones;
  • Introduce the practice of mandatory logout from mailing/advertising platforms and other similar accounts when not in use;
  • Remember to revoke access to social networks, mailing/advertising platforms, and website admin immediately after an employee departs the company;
  • Regularly review email lists sent out and ads currently running, together with detailed website traffic analytics so as to spot anomalies in good time;
  • Make sure that all software used on your websites (content management system, its extensions) and on work computers (such as OS, browser, and Office), is regularly and systematically updated to the very latest versions;
  • Work with your website support contractor to implement form validation and sanitization; in particular, to ensure that links can’t be inserted into fields that aren’t intended for such a purpose. Also set a “rate limit” to prevent the same actor from making hundreds of requests a day, plus a smart captcha to guard against bots.
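The last step above, validation of web-form fields plus a rate limit, as an added example (not Kaspersky's code): link detection for fields that should never contain one, and a sliding-window limiter keyed by client, combined so that only an accepted submission triggers the confirmation email. Field names, length limits and the TLD list in the pattern are assumptions; the captcha the post also recommends is out of scope here.

```python
import re
import time
from collections import defaultdict, deque

# Fields that should carry a short human-entered value and never a link. The field names
# and limits are assumptions for this example, not a specific site's form.
MAX_LEN = {"name": 80, "subject": 120, "phone": 32}
URL_PATTERN = re.compile(
    r"(https?://|hxxps?://|www\.|\b[a-z0-9-]+\.(?:com|net|org|io|info|xyz|ru)\b)",
    re.IGNORECASE)
EMAIL_PATTERN = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def validate_form(fields):
    """Return a list of validation errors; an empty list means the submission is acceptable."""
    errors = []
    for key, limit in MAX_LEN.items():
        value = fields.get(key, "")
        if len(value) > limit:
            errors.append(f"{key}: longer than {limit} characters")
        if URL_PATTERN.search(value):
            errors.append(f"{key}: links are not allowed in this field")
    if not EMAIL_PATTERN.fullmatch(fields.get("email", "")):
        errors.append("email: not a valid address")
    return errors


class RateLimiter:
    """Sliding-window limiter keyed by client (e.g. source IP): at most `limit` hits per `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock          # injectable so tests can advance time deterministically
        self.hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()             # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_submission(fields, client_key, limiter):
    """Combine both checks; only an accepted submission should trigger the confirmation email."""
    if not limiter.allow(client_key):
        return {"accepted": False, "errors": ["rate limit exceeded"]}
    errors = validate_form(fields)
    return {"accepted": not errors, "errors": errors}
```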


One-time passwords and 2FA codes — what to do if you receive one without requesting it | Kaspersky official blog https://www.kaspersky.com/blog/unexpected-login-codes-otp-2fa/50526/ Thu, 08 Feb 2024 12:42:25 +0000

Over the past few years, we’ve become accustomed to logging into important websites and apps, such as online banking ones, using both a password and one other verification method. This could be a one-time password (OTP) sent via a text message, email or push notification; a code from an authenticator app; or even a special USB device (“token”). This method of logging in is called two-factor authentication (2FA), and it makes hacking much more difficult: stealing or guessing a password alone is no longer sufficient to hijack an account. But what should you do if you haven’t tried to log in anywhere yet suddenly receive a one-time code or a request to enter it?

There are three reasons why this situation might occur:

  1. A hacking attempt. Hackers have somehow learned, guessed, or stolen your password and are now trying to use it to access your account. You’ve received a legitimate message from the service they are trying to access.
  2. Preparation for a hack. Hackers have either learned your password or are trying to trick you into revealing it, in which case the OTP message is a form of phishing. The message is fake, although it may look very similar to a genuine one.
  3. Just a mistake. Sometimes online services are set up to first request a confirmation code from a text message, and then a password, or authenticate with just one code. In this case, another user could have made a typo and entered your phone/email instead of theirs — and you receive the code.

As you can see, there may be a malicious intent behind this message. But the good news is that at this stage, there has been no irreparable damage, and by taking the right action you can avoid any trouble.

What to do when you receive a code request

Most importantly, don’t click the confirmation button if the message is in the “Yes/No” form, don’t log in anywhere, and don’t share any received codes with anyone.

If the code request message contains links, don’t follow them.

These are the most essential rules to follow. As long as you don’t confirm your login, your account is safe. However, it’s highly likely that your account’s password is known to attackers. Therefore, the next thing to do is change the password for this account. Go to the relevant service by entering its web address manually — not by following a link. Enter your password, get a new (this is important!) confirmation code, and enter it. Then find the password settings and set a new, strong password. If you use the same password for other accounts, you’ll need to change it for them too, making sure to create a unique password for each account. We understand that it’s difficult to remember so many passwords, so we highly recommend storing them in a dedicated password manager.

This stage — changing your passwords — is not so urgent. There’s no need to do it in a rush, but also don’t postpone it. For valuable accounts (like banking), attackers may try to intercept the OTP if it’s sent via text. This is done through SIM swapping (registering a new SIM card to your number) or launching an attack via the operator’s service network utilizing a flaw in the SS7 communications protocol. Therefore, it’s important to change the password before the bad guys attempt such an attack. In general, one-time codes sent by text are less reliable than authenticator apps and USB tokens. We recommend always using the most secure 2FA method available; a review of different two-factor authentication methods can be found here.

What to do if you’re receiving a lot of OTP requests

In an attempt to make you confirm a login, hackers may bombard you with codes. They try to log in to the account again and again, hoping that you’ll either make a mistake and click “Confirm”, or go to the service and disable 2FA out of annoyance. It’s important to keep cool and do neither. The best thing to do is go to the service’s site as described above (open the site manually, not through a link) and quickly change the password; but for this, you’ll need to receive and enter your own, legitimate OTP. Some authentication requests (for example, warnings about logging into Google services) have a separate “No, it’s not me” button — usually, this button causes automated systems on the service side to automatically block the attacker and any new 2FA requests. Another option, albeit not the most convenient one, would be to switch the phone to silent or even airplane mode for half an hour or so until the wave of codes subsides.

What to do if you accidentally confirm a stranger’s login

This is the worst-case scenario, as you’ve likely allowed an attacker into your account. Attackers act quickly in changing settings and passwords, so you’ll have to play catch-up and deal with the consequences of the hack. We’ve provided advice for this scenario here.

How to protect yourself?

The best method of defense in this case is to stay one step ahead of the criminals: si vis pacem, para bellum. This is where our security solution comes in handy. It tracks leaks of your accounts linked to both email addresses and phone numbers, including on the dark web. You can add the phone numbers and email addresses of all your family members, and if any account data becomes public or is discovered in leaked databases, Kaspersky Premium will alert you and give advice on what to do.

Included in the subscription, Kaspersky Password Manager will warn you about compromised passwords and help you change them, generating new uncrackable passwords for you. You can also add two-factor authentication tokens to it or easily transfer them from Google Authenticator in a few clicks. Secure storage for your personal documents will safeguard your most important documents and files, such as passport scans or personal photos, in encrypted form so that only you can access them.

Moreover, your logins, passwords, authentication codes and saved documents will be available from any of your devices — computer, smartphone or tablet — so even if you somehow lose your phone, you’ll lose neither your data nor access, and you’ll be able to easily restore them on a new device. And to access all your data, you only need to remember one password — the main one — which isn’t stored anywhere except in your head and is used for banking-standard AES data encryption.

With the “zero disclosure principle”, no one can access your passwords or data — not even Kaspersky employees. The reliability and effectiveness of our security solutions have been confirmed by numerous independent tests, with one recent example being our home protection solutions having received the highest award — Product of the Year 2023 — in tests run by the independent European laboratory AV-Comparatives.

Crypto wallet drainer: what it is and how to defend against it | Kaspersky official blog https://www.kaspersky.com/blog/what-is-a-crypto-wallet-drainer/50490/ Tue, 06 Feb 2024 15:36:03 +0000

A new category of malicious tools has been gaining popularity with crypto scammers lately: crypto wallet drainers. This post will explain what crypto drainers are, how they work, what makes them dangerous — even for experienced users — and how to defend against them.

What a crypto (wallet) drainer is

A crypto drainer — or crypto wallet drainer — is a type of malware that’s been targeting crypto owners since it first appeared just over a year ago. A crypto drainer is designed to (quickly) empty crypto wallets automatically by siphoning off either all or just the most valuable assets they contain, and placing them into the drainer operators’ wallets.

As an example of this kind of theft, let us review the theft of 14 Bored Ape NFTs with a total value of over $1 million, which occurred on December 17, 2022. The scammers set up a fake website for the real Los Angeles-based movie studio Forte Pictures, and contacted a certain NFT collector on behalf of the company. They told the collector that they were making a film about NFTs. Next, they asked the collector if they wanted to license the intellectual property (IP) rights to one of their Bored Ape NFTs so it could be used in the movie.

According to the scammers, this required signing a contract on “Unemployd”, ostensibly a blockchain platform for licensing NFT-related intellectual property. However, after the victim approved the transaction, it turned out that all 14 Bored Ape NFTs belonging to them were sent to the malicious actor for a paltry 0.00000001 ETH (about US¢0.001 at the time).

What the request to sign the “contract” looked like (left), and what actually happened after the transaction was approved (right).

The scheme relied to a large extent on social engineering: the scammers courted the victim for more than a month with email messages, calls, fake legal documents, and so on. However, the centerpiece of this theft was the transaction that transferred the crypto assets into the scammers’ ownership, which they undertook at an opportune time. Such a transaction is what drainers rely on.

How crypto drainers work

Today’s drainers can automate most of the work of emptying victims’ crypto wallets. First, they can help to find out the approximate value of crypto assets in a wallet and identify the most valuable ones. Second, they can create transactions and smart contracts to siphon off assets quickly and efficiently. And finally, they obfuscate fraudulent transactions, making them as vague as possible, so that it’s difficult to understand what exactly happens once the transaction is authorized.

Armed with a drainer, malicious actors create fake web pages posing as websites for cryptocurrency projects of some sort. They often register lookalike domain names, taking advantage of the fact that these projects tend to use currently popular domain extensions that resemble one another.

Then the scammers use a technique to lure the victim to these sites. Frequent pretexts are an airdrop or NFT minting: these models of rewarding user activity are popular in the crypto world, and scammers don’t hesitate to take advantage of that.

These X (Twitter) ads promoted NFT airdrops and new token launches on sites that contain the drainer.

Also commonplace are some totally unlikely schemes: to draw users to a fake website, malicious actors recently used a hacked Twitter account that belonged to a… blockchain security company!

X (Twitter) ads for a supposedly limited-edition NFT collection on scam websites.

Scammers have also been known to place ads on social media and search engines to lure victims to their forged websites. In the latter case, it helps them intercept customers of real crypto projects as they search for a link to a website they’re interested in. Without looking too closely, users click on the “sponsored” scam link, which is always displayed above organic search results, and end up on the fake website.

Google search ads with links to scam websites containing crypto drainers.

Then, the unsuspecting crypto owners are handed a transaction generated by the crypto drainer to sign. This can result in a direct transfer of funds to the scammers’ wallets, or more sophisticated scenarios such as transferring the rights to manage assets in the victim’s wallet to a smart contract. One way or another, once the malicious transaction is approved, all the valuable assets get siphoned off to the scammers’ wallets as quickly as possible.

How dangerous crypto drainers are

The popularity of drainers among crypto scammers is growing rapidly. According to a recent study on crypto drainer scams, more than 320,000 users were affected in 2023, with total damage of just under $300 million. The fraudulent transactions recorded by the researchers included around a dozen — worth more than a million dollars each. The largest value of loot taken in a single transaction amounted to a little over $24 million!

Curiously, experienced cryptocurrency users fall prey to scams like this just as newbies do. For example, the founder of the startup behind Nest Wallet was recently robbed of $125,000 worth of stETH by scammers who used a fake website promising an airdrop.

How to protect against crypto drainers

  • Don’t put all your eggs in one basket: try to keep only a portion of your funds that you need for day-to-day management of your projects in hot crypto wallets, and store the bulk of your crypto assets in cold wallets.
  • To be on the safe side, use multiple hot wallets: use one for your Web3 activities — such as drop hunting, use another to keep operating funds for these activities, and transfer your profits to cold wallets. You’ll have to pay extra commission for transfers between the wallets, but malicious actors would hardly be able to steal anything from the empty wallet used for airdrops.
  • Keep checking the websites you visit time and time again. Any suspicious detail is a reason to stop and double-check it all again.
  • Don’t click on sponsored links in search results: only use links in organic search results – that is, those that aren’t marked “sponsored”.
  • Review every transaction detail carefully.
  • Use companion browser extensions to verify transactions. These help identify fraudulent transactions and highlight what exactly will happen as a result of the transaction.
  • Finally, be sure to install reliable security on all devices you use to manage crypto assets.
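The "rights to manage assets" grant described in the drainer mechanics above, and the advice in the list to review every transaction and use tools that show what it will actually do, as an added example (not Kaspersky's code, nor any wallet extension's): a small decoder that reads the calldata a wallet is asked to sign and flags unlimited allowances or operator grants to an address the user has not marked as trusted. The four selectors are the standard ERC-20/ERC-721 ones; the addresses and calldata samples are constructed placeholders.

```python
# Well-known 4-byte selectors of the ERC-20/ERC-721 functions a drainer transaction
# typically relies on (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
}
MAX_UINT256 = 2**256 - 1


def decode_calldata(data):
    """Split calldata into a function name and its decoded static arguments."""
    hexdata = data[2:] if data.startswith("0x") else data
    if len(hexdata) < 8:
        raise ValueError("calldata too short to contain a selector")
    selector, body = hexdata[:8].lower(), hexdata[8:]
    if selector not in SELECTORS:
        return "unknown:" + selector, []
    name, types = SELECTORS[selector]
    if len(body) < 64 * len(types):
        raise ValueError("calldata shorter than the declared arguments")
    args = []
    for i, typ in enumerate(types):
        word = body[i * 64:(i + 1) * 64]          # each static argument is one 32-byte word
        if typ == "address":
            args.append("0x" + word[-40:])        # address is right-aligned in the word
        elif typ == "uint256":
            args.append(int(word, 16))
        else:                                     # bool
            args.append(int(word, 16) != 0)
    return name, args


def assess_transaction(data, trusted_spenders=frozenset()):
    """Classify what signing this calldata would let the counterparty do with the wallet."""
    trusted = {s.lower() for s in trusted_spenders}
    name, args = decode_calldata(data)
    result = {"function": name, "args": args}
    if name.startswith("unknown:"):
        result.update(risk="unknown", reason="unrecognised function; do not sign what you cannot decode")
    elif name == "setApprovalForAll":
        if not args[1]:
            result.update(risk="low", reason=f"revokes {args[0]} as operator")
        else:
            result.update(risk="low" if args[0].lower() in trusted else "high",
                          reason=f"grants {args[0]} control over every token in this collection")
    elif name == "approve":
        unlimited = args[1] == MAX_UINT256
        if args[0].lower() in trusted or args[1] == 0:
            risk = "low"
        else:
            risk = "high" if unlimited else "medium"
        result.update(risk=risk, reason=("unlimited" if unlimited else "limited") + f" allowance for {args[0]}")
    else:                                         # transfer / transferFrom: assets move right now
        recipient = args[0] if name == "transfer" else args[1]
        result.update(risk="medium", reason=f"moves assets now to {recipient}; check that you know this address")
    return result


# Constructed sample calldata (addresses are placeholders, not real accounts).
OPERATOR = "1" * 40
SAMPLE_SET_APPROVAL_FOR_ALL = "0x" + "a22cb465" + "0" * 24 + OPERATOR + "0" * 63 + "1"
SAMPLE_UNLIMITED_APPROVE = "0x" + "095ea7b3" + "0" * 24 + "2" * 40 + "f" * 64
SAMPLE_SMALL_TRANSFER = "0x" + "a9059cbb" + "0" * 24 + "3" * 40 + "0" * 63 + "a"
```

A "high" verdict is exactly the case in the Bored Ape story: one signature that hands an unknown address the right to move everything, dressed up as a harmless "contract".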

How protection from crypto threats works in Kaspersky solutions

By the way, Kaspersky solutions offer multi-layered protection against crypto threats. Be sure to use comprehensive security on all your devices: phones, tablets, and computers. Kaspersky Premium is a good cross-platform solution. Check that all basic and advanced security features are enabled and read our detailed instructions on protecting both hot and cold crypto wallets.

The cybersecurity threats to kids that parents should be aware of in 2024 | Kaspersky official blog https://www.kaspersky.com/blog/cybersecurity-threats-for-kids-2024/50188/ Wed, 17 Jan 2024 08:00:43 +0000

In the era of modern technology, the age at which children are introduced to the digital world and technology is increasingly lower. This digital experience, however, can be marred by potential risks lurking online. As technology continues to advance, the tactics and strategies used by cybercriminals to target and exploit young internet users are also evolving.

Therefore, it’s crucial for parents to stay informed about the latest cybersecurity threats targeting kids to better protect them from potential harm. In this post, my colleague, Anna Larkina, and I explore some of the key cybersecurity trends that parents should be aware of and provide tips on how to safeguard their children’s online activities.

AI threats

AI is continuing to revolutionize various industries, and its daily use ranges from chatbots and AI wearables to personalized online shopping recommendations — among many other common uses. And of course, such global trends pique the interest and curiosity of children, who can use AI tools to do their homework or simply chat with AI-enabled chatbots. According to a UN study, about 80 percent of youths that took part in its survey claimed that they interact with AI multiple times a day. However, AI applications can pose numerous risks to young users involving data privacy loss, cyberthreats, and inappropriate content.

With the development of AI, numerous little-known applications have emerged with seemingly harmless features such as uploading a photo to receive a modified version — whether it be an anime-style image or simple retouching. However, when adults, let alone children, upload their images to such applications, they never know in which databases their photos will ultimately remain, or whether they’ll be used further. Even if your child decides to play with such an application, it’s essential to use it extremely cautiously and ensure the photo contains no personal information that could reveal the child’s identity, such as a name combined with an address or similar sensitive details in the background, or consider avoiding such applications altogether.

Moreover, AI apps – chatbots in particular – can easily provide age-inappropriate content when prompted. This poses a heightened risk as teenagers might feel more comfortable sharing personal information with the chatbot than with their real-life acquaintances, as evidenced by instances where the chatbot gave advice on masking the smell of alcohol and pot to a user claiming to be 15. On an even more inappropriate level, there are a multitude of AI chatbots that are specifically designed to provide an “erotic” experience. Although some require a form of age verification, this is a dangerous trend as some children might opt to lie about their age, while checks of real age are lacking.

It is estimated that on Facebook Messenger alone, there are over 300,000 chatbots in operation. However, not all of them are safe, and they may carry various risks, like the ones mentioned earlier. Therefore, it is extremely important to discuss with children the importance of privacy and the dangers of oversharing, as well as to talk to them about their online experiences regularly. This also reiterates the significance of establishing trusting relationships with one’s children, which will ensure that they feel comfortable asking their parents for advice rather than turning to a chatbot for guidance.

Young gamers under attack

According to statistics, 91 percent of children in the UK aged 3-15 play digital games on devices. The vast world of gaming is open to them — which also makes them vulnerable to cybercriminals’ attacks. For instance, in 2022, our security solutions detected more than seven million attacks relating to popular children’s games, a 57 percent increase in attempted attacks compared to the previous year. The top children’s games by the number of users targeted even included games for the youngest children — Poppy Playtime and Toca Life World — which are designed for children aged 3-8.

What raises even more concern is that children sometimes prefer to communicate with strangers on gaming platforms rather than on social media. In some games, unmoderated voice and text chats form a significant part of the experience. As more young people come online, criminals can build trust virtually in the same way they would entice someone in person: by offering gifts or promises of friendship. Once they have gained a young victim’s trust, cybercriminals can obtain their personal information, persuade them to click on a phishing link or download a malicious file disguised as a game mod for Minecraft or Fortnite onto their device, or even groom them for more nefarious purposes. This can be seen in the documentary series “hacker:HUNTER”, co-produced by Kaspersky, one episode of which revealed how cybercriminals identify skilled children through online games and then groom them to carry out hacking tasks.

The number of ways to interact within the gaming world is increasing, and now includes voice chats as well as AR and VR games. Both cybersecurity and social-related threats remain particular problems in children’s gaming. Parents must remain vigilant regarding their children’s behavior and maintain open communication to address any potential threats. Identifying a threat involves observing changes, such as sudden shifts in gaming habits that may indicate a cause for concern. To keep your child safe by stopping them downloading malicious files during their gaming experience, we advise installing a trusted security solution on all their devices.

Fintech for kids: the phantom menace

An increasing number of banks are providing specialized products and services designed for children — including bank cards for kids as young as 12. This gives parents helpful capabilities such as monitoring their child’s expenditures, establishing daily spending limits, or remotely transferring funds for the child’s pocket money.

Yet once children have bank cards, they can become susceptible to financially motivated threat actors and vulnerable to conventional scams, such as promises of a free PlayStation 5 or another similarly valuable device after entering card details on a phishing site. Using social engineering techniques, cybercriminals might exploit children’s trust by posing as their peers and requesting card details or money transfers to their accounts.

As the fintech industry for children continues to evolve, it’s crucial to educate children not only about financial literacy but also the basics of cybersecurity. To achieve this, you can read Kaspersky Cybersecurity Alphabet together with your child. It’s specifically designed to explain key online safety rules in a language easily comprehensible for children.

To avoid concerns about a child losing their card or sharing banking details, we recommend installing a digital NFC card on their phone instead of giving them a physical plastic card. Establish transaction confirmation with the parent if the bank allows it. And, of course, the use of any technical solutions must be accompanied by an explanation of how to use them safely.

Smart home threats for kids

In our interconnected world, an increasing number of devices — even everyday items like pet feeders — are becoming “smart” by connecting to the internet. However, as these devices become more sophisticated, they also become more susceptible to cyberattacks. This year, our researchers conducted a vulnerability study on a popular model of smart pet feeder. The findings revealed a number of serious security issues that could allow attackers to gain unauthorized access to the device and steal sensitive information such as video footage — potentially turning the feeder into a surveillance tool.

Despite the increasing number of threats, manufacturers are not rushing to create cyber-immune devices that preemptively prevent potential exploits of vulnerabilities. Meanwhile, the variety of different IoT devices purchased in households continues to grow. These devices are becoming the norm for children, which also means that children can become tools for cybercriminals in an attack. For instance, if a smart device becomes a fully functional surveillance tool and a child is home alone, cybercriminals could contact them through the device and request sensitive information such as their name, address, or even their parents’ credit card number and times when their parents are not at home. In a scenario such as this one, beyond just hacking the device, there is a risk of financial data loss or even a physical attack.

As we cannot restrict children from using smart home devices, our responsibility as parents is to maximize the security of these devices. This includes at least adjusting default security settings, setting new passwords, and explaining basic cybersecurity rules to children who use IoT devices.

I need my space!

As kids mature, they develop greater self-awareness, including an understanding of their personal space, privacy, and sensitive data, both offline and in their online activities. The increasing accessibility of the internet means more children are likely to become aware of this. Consequently, when a parent firmly communicates the intent to install a parenting digital app on their child’s devices, not all children will take it calmly.

This is why parents now need the skill to discuss their child’s online experience and the importance of parenting digital apps for online safety while respecting the child’s personal space. This involves establishing clear boundaries and expectations, and discussing the reasons for using the app with the child. Regular check-ins are also vital, and the restrictions should be adjusted as the child matures and develops a sense of responsibility. Learn more in our guide on kids’ first gadgets, where, together with experienced child psychologist Saliha Afridi, our privacy experts analyze a series of important milestones to understand how to introduce such apps into a child’s life properly and establish a meaningful dialogue about cybersecurity online.

Forbidden fruit can be… malicious

If an app is unavailable in one’s home region, a child may start looking for an alternative, but this alternative is often only a malicious copy. Even if they turn to official app stores like Google Play, they still run the risk of falling prey to cybercriminals. From 2020 to 2022, our researchers found more than 190 apps infected with the Harly Trojan on Google Play, which signed users up for paid services without their knowledge. A conservative estimate of the number of downloads of these apps is 4.8 million, while the actual figure of victims may be even higher.

Children are not the only ones following this trend; adults are as well, which was highlighted in our latest consumer cyberthreats predictions report as a part of the annual Kaspersky Security Bulletin. That’s why it’s crucial for kids and their parents to understand the fundamentals of cybersecurity. For instance, it’s important to pay attention to the permissions that an app requests when installing it: a simple calculator, for instance, shouldn’t need access to your location or contact list.

How to keep kids safe?

As we can see, many of the trends that are playing out in society today are also affecting children, making them potential targets for attackers. This includes both the development and popularity of AI and smart homes, as well as the expansion of the world of gaming and the fintech industry. Our experts are convinced that protecting children from cybersecurity threats in 2024 requires proactive measures from parents:

  • By staying informed about the latest threats and actively monitoring their children’s online activities, parents can create a safer online environment for their kids.
  • It’s crucial for parents to have open communication with their children about the potential risks they may encounter online and to enforce strict guidelines to ensure their safety.
  • With the right tools such as Kaspersky Safe Kids, parents can effectively safeguard their children against cyberthreats in the digital age.
  • To help parents introduce their children to cybersecurity amid the evolving threat landscape, our experts have developed the above-mentioned Kaspersky Cybersecurity Alphabet, with key concepts from the cybersecurity industry. In this book, your child can get to know about new technologies, learn the main cyber hygiene rules, find out how to avoid online threats, and recognize fraudsters’ tricks. After reading this book together, you’ll be sure that your offspring knows how to recognize a phishing website, how VPNs and QR codes work, and even what encryption and honeypots are and what role they play in modern cybersecurity. You can download the PDF version of the book and also the Kaspersky Cybersecurity Alphabet poster for free.
Scamming Booking.com clients through hotel accounts | Kaspersky official blog
https://www.kaspersky.com/blog/booking-com-hacked-hotel-accounts-scam-customers/50109/ Fri, 22 Dec 2023 15:13:25 +0000 https://www.kaspersky.com/blog/?p=50109

This season, a new attack scheme is proving very popular with cybercriminals: scamming Booking.com clients through the service’s internal messaging system. To do this, they use compromised hotel accounts on admin.booking.com. Over the past few months, various companies have released studies on incidents of this nature. Here’s a detailed breakdown of how this attack works, and tips on how hotel owners and staff can protect themselves (and their clients).

Infecting hotel staff computers with a password stealer

What we’re dealing with here is a multi-stage attack — B2B2C, if you will. It all starts with infecting hotel computers, but the immediate threat isn’t to the hotel itself — it’s to the clients.

To hijack accounts on admin.booking.com, attackers use specialized malware known as password stealers. Typically, these stealers collect any passwords found on an infected computer. But in this case it seems that Booking.com accounts are what the cybercriminals are specifically interested in.

In particular, one of the abovementioned studies describes a targeted email attack on hotel staff. This attack starts with an innocuous email in which someone poses as a recent guest and asks the hotel staff for help in finding lost documents.

Email from attackers to one of the attacked hotels

The first email from the attackers to the targeted hotel. Source

In the next email, the “guest” claims to have searched everywhere for the lost passport or whatever to no avail, suggesting the hotel is the only possible place where it might be. So, they ask the hotel staff to look for it and, to help the search, provide a link supposedly containing photos of the lost passport.

Second email from attackers to the targeted hotel

The next email from the attackers, containing a link to an infected archive with a password stealer. Source

As you might suspect, this archive contains not the photos of the passport, but the password stealer. After the user clicks on the dangerous file, the stealer searches the system for saved login credentials for the hotel’s account on admin.booking.com, and sends them to the attackers.

Cybercriminals are after hotel usernames and passwords on admin.booking.com

Using a stolen login and password, the cybercriminals gain access to the hotel’s account on admin.booking.com.

Another study on the Booking.com account theft epidemic describes an alternative method of infecting hotel staff computers. In this attack, criminals create reservations using guest accounts (in some cases, probably stolen accounts). They then contact the hotel using Booking.com’s internal messaging system and, under one pretext or another, slip in a link to a malware-infected file — with the exact same outcome as in the previous case.

Stealing hotel accounts on Booking.com and emailing clients

At the next stage, the attackers proceed to directly use the accounts stolen from the infected hotel computers. Everything is made a lot simpler by the fact that Booking.com’s service doesn’t provide two-factor authentication, so accessing an account only requires a login and password.

Upon entering the hotel’s account on admin.booking.com, the criminals study current bookings and begin sending messages to future guests using Booking.com’s internal messaging system. These messages generally revolve around an error in verifying the guest’s payment card information provided during the booking. The “hotel” thus asks the guest to re-enter their card details; otherwise, the reservation will be canceled.

Of course, the messages include links that at first glance appear to resemble genuine links to Booking.com’s booking pages. They contain the word “booking” itself, something resembling a booking number, and in some cases, additional words like “reservation”, “approve”, “confirmation”, and so on.

Of course, upon closer inspection, it’s easy to see that these links don’t lead to Booking.com at all. However, the aim here is to target hasty individuals who, unexpectedly discovering that their planned trip could be ruined, rush to rectify the situation.

Fraud in Booking.com's internal messaging system

Through Booking.com’s internal messaging system, scammers send hotel clients links to fake booking pages. Source 1, source 2, source 3, source 4

The messages are written in a professional tone and appear quite plausible. It should also be noted that the text of such messages varies considerably from one described incident to another. Apparently, a number of criminals are using this scheme independently of each other.

Fake copies of Booking.com and stealing bank card data

The final stage of the attack ensues. By clicking on the link in the message, the hotel’s client lands on a fake page — a meticulous copy of Booking.com. These pages even display the correct guest name, information about the hotel where the victim intends to stay, dates, and price — all of which the scammers know because they have access to all the booking data.

The only thing that gives it away is the link in the address bar. However, the scammers distract the victim from paying attention to such minor details by rushing them: the page claims that these dates are in high demand, so “10 four-star hotels similar to this one are already unavailable”. The implication, of course, is that if this booking fails, finding alternative accommodation won’t be easy.

Fake Booking.com booking page

On the fake Booking.com page, the client of the hacked hotel is asked to enter their card number to reconfirm the reservation. Source

The victims are urged once again to confirm the booking as quickly as possible. Moreover, it’s easy to do: just re-enter the payment information. Obviously, the card details then fall into the hands of the criminals — mission accomplished.

Selling hotel logins and passwords for Booking.com

It’s worth mentioning that here, as in almost any other cybercriminal scheme, we see a tendency for narrow specialization. Apparently, some criminals collect hacked Booking.com accounts, while others exploit these accounts to deceive hotel clients. In any case, advertisements offering substantial sums for logins and passwords from admin.booking.com accounts can be found on hacker forums.

Offer for the purchase of hacked Booking.com accounts

Listing on an underground forum, where the authors are willing to pay generously for hacked Booking.com hotel accounts. Source

Another offer for the purchase of hacked Booking.com accounts

Another listing offering decent money for hacked admin.booking.com accounts. Source

Yet another group of criminals, which provides subscription-based services for searching stolen credentials in stealer malware databases, has recently added admin.booking.com to its list of searchable data.

Announcement of the addition of admin.booking.com to the list of supported services

One of the services offering paid searches across databases of stolen passwords has learned to function with admin.booking.com accounts. Source

All of this suggests that the popularity of this criminal scheme is only growing; therefore, there’ll likely be more hacks of hotel accounts on Booking.com and more affected clients in the future.

How to protect against theft of admin.booking.com accounts

Even though these attacks directly threaten hotel clients rather than the hotels themselves, the hotels still have to deal with the backlash and somehow compensate the affected parties to avoid any reputational damage. And in general, hotel computers getting infected is bad news — today, cybercriminals are hijacking Booking.com accounts; tomorrow they’ll come up with another way to monetize this infection. Therefore, it’s absolutely necessary to protect against this threat. Here’s what to keep in mind:

  • Storing passwords in your browser is not safe — that’s where stealer malware always looks for them.
  • To store passwords well, use a specialized application — a password manager — that will take care of their security.
  • It’s essential to install reliable protection on all your devices used for business.
  • And take particular care of the security of those computers that employees might use to communicate with strangers — they’re the ones more likely to become the target of an attack.
How criminals disguise URLs | Kaspersky official blog
https://www.kaspersky.com/blog/malicious-redirect-methods/50045/ Tue, 12 Dec 2023 17:45:40 +0000 https://www.kaspersky.com/blog/?p=50045

Corporate information security specialists usually know quite a few confident employees who say that they don’t click on dangerous links and are therefore not susceptible to cyberthreats. Sometimes those employees use this argument when asking to have corporate security measures that somehow interfere with their work turned off. But attackers often disguise malicious and phishing links in an attempt to confuse both mail filters and human observers. What they want is to make victims (even those who examine URLs, as we repeatedly advise) click on an address that actually takes them to a different one. Here are the most common methods cybercriminals use to hide malicious or phishing URLs.

An @ symbol in the address

The simplest way to hide the real domain in the address is to use the @ symbol in the URL. This is a completely legitimate symbol that can be used to embed a login and a password in the website address: HTTP allows credentials to be passed to the web server via the URL simply by using the login:password@domain.com format. If the data before the @ symbol is incorrect and not suitable for authentication, the browser simply discards it and takes the user to the address located after the @ symbol. So cybercriminals exploit this: they come up with a convincing page name that includes the name of a legitimate site, and place the real address after the @ symbol. For example, look at our blog’s address disguised in this way:

It looks like a page with many words in the name hosted somewhere on the Google domain, but the browser will take you to http://kaspersky.com/blog/.

Numbers instead of the IP address

In the previous method, attackers often try to confuse the user with a long page name in order to distract them from the real address, because it still remains in the URL. But there’s a way to hide it completely: by converting the site’s IP address into an integer. As you may know, dotted IP addresses are not very convenient to store in databases, so at some point a mechanism was devised to convert IP addresses into integers (which are much more convenient to store) and back again. Modern browsers also accept such a number in a URL and automatically convert it into an IP address. In combination with the same @ symbol, this effectively hides the real domain. This is what a link to our corporate website can look like:

In using this trick, cybercriminals try to focus attention on the domain before the @ symbol, and make everything else look like some kind of parameter — various marketing tools often insert all sorts of alphanumeric tags into web links.

URL shortener services

Another fairly simple way to hide the real URL is to use one of the legitimate link shortening services. You can include absolutely anything inside a short link — and it’s impossible to check what hides there without clicking.

Google Accelerated Mobile Pages

Several years ago, Google and some partners created the Google AMP framework — a service that was intended to help webpages load faster on mobile devices. In 2017, Google claimed that AMPed pages load in less than a second and use 10 times less data than the same pages without AMP. Now attackers have learned how to use this mechanism for phishing. An email contains a link starting with “google.com/amp/s/”, but if the user clicks it, they’ll be redirected to a site that doesn’t belong to Google. Even some anti-phishing filters often fall for this trick: due to Google’s reputation, they consider such a link to be sufficiently reliable.
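Reversing the disguises from the @ symbol, integer IP address and Google AMP sections above, as an added example (not code from the Kaspersky post or any Kaspersky product): a Python checker that strips the text before the @ symbol, turns an integer host back into a dotted IPv4 address, and unwraps the google.com/amp/s/ viewer prefix, so a mail filter or an analyst sees the real destination of a link. The domains example.com and example.net and the loopback address 127.0.0.1 (integer 2130706433) are constructed placeholders.

```python
"""Reveal where a disguised link really goes.

Added example, not from the Kaspersky post or any Kaspersky product. It
applies three of the tricks the article describes in reverse: userinfo
before '@' (discarded by the browser), a bare integer instead of a dotted
IPv4 host, and the Google AMP viewer prefix. All URLs in the demo are
constructed; example.com/example.net and 127.0.0.1 are placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class LinkReport:
    original: str
    real_url: str                      # what the browser will actually fetch
    findings: List[str] = field(default_factory=list)


def decode_numeric_host(host: str) -> Optional[str]:
    """Return dotted IPv4 for a host written as one integer, else None.

    Browsers accept decimal (2130706433) and hex (0x7f000001) forms; both
    map to 127.0.0.1. Dotted or named hosts return None.
    """
    try:
        if host.lower().startswith("0x"):
            value = int(host, 16)
        elif host.isdigit():
            value = int(host, 10)
        else:
            return None
    except ValueError:
        return None
    if 0 <= value <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(value))
    return None


def analyze_link(url: str) -> LinkReport:
    """Peel off the disguises the article lists and report the real target."""
    findings: List[str] = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    # Trick 1: "anything@host". urlsplit keeps the part before the last '@'
    # as userinfo and reports only the real host in .hostname.
    if "@" in parts.netloc:
        userinfo = parts.netloc.rpartition("@")[0]
        findings.append(
            f"text before '@' ({userinfo!r}) is userinfo; "
            f"the browser connects to {host!r}"
        )

    # Trick 2: the host is an integer, e.g. 2130706433 instead of 127.0.0.1.
    dotted = decode_numeric_host(host)
    if dotted is not None:
        findings.append(f"numeric host {host} is IPv4 address {dotted}")
        host = dotted

    # Rebuild the URL the browser will actually request (port kept if any).
    port = f":{parts.port}" if parts.port else ""
    real_url = f"{parts.scheme}://{host}{port}{parts.path or '/'}"
    if parts.query:
        real_url += "?" + parts.query

    # Trick 3: Google AMP viewer. The site after /amp/s/ (https) or /amp/
    # (http) is what really loads, not google.com.
    if host == "google.com" or host.endswith(".google.com"):
        for prefix, scheme in (("/amp/s/", "https"), ("/amp/", "http")):
            if parts.path.startswith(prefix):
                target = parts.path[len(prefix):]
                real_url = f"{scheme}://{target}"
                findings.append(f"AMP viewer link; real site is {target.split('/')[0]}")
                break

    return LinkReport(original=url, real_url=real_url, findings=findings)


if __name__ == "__main__":
    # Constructed samples of the three disguises, plus one plain link.
    samples = [
        "http://accounts.example.com-secure-login-page-verify@example.net/login",
        "http://example.com-order-confirmation@2130706433/blog/",
        "https://www.google.com/amp/s/example.net/reset-password",
        "https://example.com/plain/",
    ]
    for sample in samples:
        report = analyze_link(sample)
        print(report.original, "->", report.real_url)
        for finding in report.findings:
            print("   !", finding)
```

Note that the @ trick only works when no slash precedes the symbol, which is why the disguised "page name" in such links is a long dash-separated string rather than a path.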

Email service providers

Another way to hide your page behind someone else’s URL is to use an ESP, that is, a service for creating legitimate newsletters and other mailouts. We’ve already written in detail about this method in one of our previous posts. In short, criminals sign up with one of these services, create a mailing campaign, input a phishing URL, and as a result get a ready-made clean address that carries the reputation of an ESP company. ESP companies of course try to fight such misuse of their service, but it doesn’t always work out.

Redirect via Baidu

The Chinese search engine Baidu has quite an interesting approach to showing search results. Unlike Google, it doesn’t give you links to the sites themselves, but instead links to itself with a redirect to the site searched for. That is, in order to disguise a malicious URL as Baidu, all cybercriminals need to do is search for the page (which is quite simple if you enter the exact address), copy the link, and paste it into the phishing email.

And by and large, we don’t know just how many other services there are that can redirect URLs or even cache pages on their side (be it for their own needs or in the name of convenience of content delivery).

Practical takeaways

No matter how confident your employees are, we doubt that they can really tell whether a link is dangerous or not. We therefore recommend backing them up with protective solutions. Moreover, we recommend using such solutions both at the corporate mail server level and at the level of internet-enabled working devices.

Kaspersky multi-layered protection for your online finances | Kaspersky official blog
https://www.kaspersky.com/blog/kaspersky-protection-for-financial-security/49616/ Mon, 13 Nov 2023 12:12:13 +0000 https://www.kaspersky.com/blog/?p=49616

Much of our financial life has long since shifted from the physical world to the digital. Banking apps, digital wallets, online payments, and cryptocurrencies are all 21st-century innovations that make financial transactions faster and more accessible than ever before, opening up all kinds of hitherto unimaginable opportunities.

But this convenience has a downside: our digital finances are vulnerable to digital crimes. Then again, that’s only true if you neglect protecting your online finances from cybercriminals. This post takes a look at how Kaspersky technologies and products secure your digital money, and thus your financial well-being.

1. Password Manager

The backbone of all account security — and financial services are no exception — is, of course, your password. The weaker it is, the greater the chances of a successful hack on your account in some online store or payment system where you enter card details.

It’s just as dangerous to use the same password for different online services. If you do, then if there’s a password leak on one of them (all too common, sadly), your accounts with other services will be compromised as well. Hackers are well aware that many people use the same character combinations on multiple sites, so they often use leaked passwords to try to log in to other resources, a technique known as credential stuffing. And naturally, their focus tends to be on money-related services.

Using Kaspersky Password Manager radically improves password security and helps keep your financial accounts safe. Our app generates unique, maximum-security passwords for every service you use, stores them safely so there’s no need to remember them, and even warns you about leaks. Incidentally, the latest update of Kaspersky Password Manager has added the ability to generate one-time codes for two-factor authentication. And you get it for free with Kaspersky Plus and Kaspersky Premium subscriptions.

2. Safe Money

Safe Money was designed specifically for enabling secure financial transactions and online purchases. To protect important payment data entered on the websites of banks, payment systems, and online stores — including bank card numbers and passwords — our solution prompts you to open such sites in our Protected Browser.

In this special mode, your confidential data is protected to the max. And if a site seems fishy in any way at all, Protected Browser warns you with a notification and a change of the frame color from safe green to yellow.

With Safe Money, you can do online shopping and banking safely in the knowledge that both your money and personal data are fully protected. This feature is included in all our paid subscriptions: Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium.

3. File Anti-Virus

Of course, one of the central components of our multi-layered financial protection is good old Anti-Virus. This is what protects your money from the most dangerous threat: malware, in particular, so-called stealers, which, after infecting the target device, look for passwords and private keys to cryptocurrency wallets stored on it, then send them straight to the cyberthieves.

Another common threat directly related to finances that File Anti-Virus guards against is banking Trojans. These are malicious programs that overlay a banking app’s interface with their own and can not only steal passwords but also intercept one-time confirmation codes, as well as substitute the details and amounts of transfers and payments, allowing cybercriminals to siphon off money.

These two threats alone are reason enough for you to install reliable protection on all devices you use for financial transactions. There are plenty of other dangers that Anti-Virus also protects against, such as ransomware Trojans and spyware to name just a couple.

4. Safe Browsing

Note that it might not be your computer or smartphone that’s infected with malware, but the server you’re interacting with. The first threat to worry about in this scenario would be online skimmers — malware that scammers install on hacked online stores in order to harvest customers’ bank card details.

Web skimmers have become very popular with cybercriminals of late — every year, tens of thousands of online stores are found to be infected with malware of this kind. Often, the owners of compromised stores are either unaware of the infection or take no action to neutralize the threat, so a web skimmer might remain active on an infected site for months. In practical terms, this means that even if you personally have been careful and your devices are all clean, you can still fall victim to cybercriminals simply by interacting with an infected website.

Fortunately, we also have a solution to protect you from web skimmers and other threats: Safe Browsing scans the pages loaded by your browser for malicious code and, if detected, warns you that the site is unsafe.

5. Anti-Phishing and Fraud Prevention

There’s no way we can skip over fake and fraudulent websites, which affect a huge number of internet users every year. These can be cloned sites mimicking banks, payment systems, crypto exchanges, or other financial services that trick visitors out of their credentials and then hijack their accounts.

They can also be online scams promising large payouts in exchange for a small commission, fake online stores with tempting prices that never deliver your purchase, or other types of online fraud.

The problem is that sites of this kind usually don’t directly contain any malicious code. To effectively protect against such threats, our experts work day and night to keep our database of phishing and fraudulent sites up to date. As a result, our solutions give you a heads-up in good time whenever danger is near.

Why you shouldn’t scan QR codes in emails | Kaspersky official blog
https://www.kaspersky.com/blog/qr-codes-in-phishing-emails/49388/ Fri, 20 Oct 2023 13:00:08 +0000 https://www.kaspersky.com/blog/?p=49388

There’ve been more and more cases of users receiving emails, seemingly from large internet companies (for example, Microsoft or its cloud service Office 365), containing QR codes. The body of these emails has a call to action: in a nutshell, scan the QR code to maintain access to your account. This post examines whether it’s worth reacting to such messages.

Scan the QR code, or face the inevitable

A typical email of this kind contains a notification saying your account password is about to expire, after which you’ll lose access to your mailbox, so the password must be changed; to do so, you need to scan the QR code in the email and follow the instructions.

Example of a phishing email with a QR code

The password must be reset by scanning the QR code

Another email could warn the recipient that their “authenticator session has expired today”. To avoid this, the user is advised to “quickly scan the QR Code below with your smartphone to re-authenticate your password security”. Otherwise access to the mailbox could be lost.

Example of a phishing email with a QR code

“Authenticator session has expired” — for a quick fix, scan the QR code

A further example: the message kindly informs the reader: “This email is from a trusted source” — we’ve already talked about why emails stamped “verified” should be treated with caution. The thrust of the message is that “3 important emails” supposedly cannot be delivered to the user due to lack of some kind of validation. Of course, scanning the QR code below will “fix” the issue.

Example of a phishing email with a QR code

Important emails can be delivered only by scanning the QR code for “validation”

Clearly, the authors of these emails want to intimidate inexperienced users with high-sounding words.

They’re also likely hoping that the recipient has heard something about authenticator apps — which do indeed use QR codes — so that their mere mention may stir some vague associations in their mind.

What happens if you scan the QR code in the email

The link in the QR code takes you to a rather convincing replica of a Microsoft login page.

[Image: scanning the QR code opens a phishing site. Caption: Scanning the QR code takes you to a phishing site that steals entered credentials]

Of course, all credentials entered on such phishing pages end up in cybercriminal hands. And this jeopardizes the accounts of users who fall for such tricks.

An interesting detail is that some phishing links in QR codes lead to IPFS resources. IPFS (InterPlanetary File System) is a communication protocol for sharing files that has much in common with torrents. It allows you to publish any files on the internet without domain registration, hosting, or other complications.

In other words, the phishing page is located directly on the phisher’s computer and is reached through a link to a special IPFS gateway. Phishers use the IPFS protocol because it’s much easier to publish a phishing page this way, and much harder to remove one, than it is to block a “regular” malicious website. As such, the links live longer.
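As an added example (not code from the original post), the following Python sketch shows how a mail-filtering step could triage the URL decoded from an emailed QR code: it recognizes both IPFS gateway URL styles described above and flags sign-in pages that are not on the host the brand actually uses. The legitimate-host set, gateway names and CIDs below are constructed assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Sign-in hosts assumed legitimate for the impersonated brand (Microsoft /
# Office 365 in the post). This set is an assumption made for the example.
LEGIT_SIGNIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# CIDv0 (base58, "Qm" + 44 chars) or a CIDv1 in base32 ("b" + 58 chars).
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58})$")


def ipfs_reference(url: str):
    """Return (gateway_host, cid) when the URL fetches content through an
    IPFS gateway, in either the path style <gw>/ipfs/<cid> or the subdomain
    style <cid>.ipfs.<gw>; return None for an ordinary web URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    parts = parsed.path.split("/")            # "/ipfs/<cid>/..." -> ["", "ipfs", cid, ...]
    if len(parts) > 2 and parts[1] == "ipfs" and CID_RE.match(parts[2]):
        return host, parts[2]
    labels = host.split(".")                  # "<cid>.ipfs.<gw>" -> [cid, "ipfs", gw...]
    if len(labels) > 2 and labels[1] == "ipfs" and CID_RE.match(labels[0]):
        return ".".join(labels[2:]), labels[0]
    return None


def triage_qr_target(url: str) -> str:
    """Classify a URL decoded from an emailed QR code that asks you to sign in."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme == "ipfs":               # native ipfs://<cid> URI
        return "ipfs-hosted"
    if parsed.scheme not in ("http", "https") or not host:
        return "malformed"
    if ipfs_reference(url):
        return "ipfs-hosted"                  # served from a peer, not the brand's site
    if host in LEGIT_SIGNIN_HOSTS:
        return "expected-host"
    return "unexpected-host"                  # lookalike or unrelated domain


if __name__ == "__main__":
    # Constructed sample targets, as a QR decoder might return them.
    samples = [
        "https://gateway.example/ipfs/" + "Qm" + "a" * 44 + "/login.html",
        "https://" + "bafybei" + "a" * 52 + ".ipfs.gateway.example/",
        "https://login.microsoftonline.com/",
        "https://login.micros0ftonline.example/",
    ]
    for s in samples:
        print(triage_qr_target(s), s)
```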

How to guard against phishing QR codes

No decent authentication system will suggest scanning a QR code as your only option. Therefore, if you receive an email asking you to, say, confirm something, or sign in to your account again, or reset your password, or perform some similar action, and this email only contains a QR code, you’re probably dealing with phishing. You can safely ignore and delete such an email.

And for those times when you need to scan a QR code of an unknown source, we recommend our security solution with its secure QR code scanner function. It will check the contents of QR codes and warn you if there’s anything bogus inside.

What to do if you’ve clicked on a phishing link or talked to scammers | Kaspersky official blog https://www.kaspersky.com/blog/what-to-do-if-someone-tries-to-hack-you/49175/ Tue, 10 Oct 2023 10:29:50 +0000 https://www.kaspersky.com/blog/?p=49175

We often write about how to prevent cybersecurity hazards and have given advice on more than one occasion about what to do if your account is hacked or your mobile phone is stolen. Today, let’s tackle a more complex situation: someone is trying to hack or deceive you, but you’re unsure about the extent of the problem. For example:

  • You clicked a website link in an email or ad, but then had second thoughts and became suspicious about said link.
  • Someone claiming to be from Microsoft called to remove a virus from your computer.
  • You received an erroneous bill, called customer support, and they sent you a helpful link to solve the problem and avoid overpayment.

What should you do to prevent hacking?

Don’t give any more information

This is the first and most fundamental rule that you can apply without hesitation. If you get bad vibes from a website asking for your name, email, phone… or bank card information — close it immediately.

If you’re talking to someone on the phone — even if they claim to be from your bank or tech support — and the conversation seems even just a little strange, hang up immediately and don’t answer if they call back. Scammers often employ elaborate schemes; they might call from a different number or contact you through an instant messenger — perhaps pretending to be someone else or from a different organization. Ignore them.

If you’re communicating through video conferencing tools like Zoom, end the meeting and close the application.

Disconnect your device from the internet

This is an essential point if you’ve installed any applications at someone’s request, or someone’s done something on your computer using remote control tools — including Zoom, Skype, MS Teams, or Google Meet. If this is the case, there’s a high probability that malware has been installed on your computer or smartphone. To prevent the criminals from controlling your device remotely, immediately disconnect your computer/phone from the internet by turning off Wi-Fi and cellular data. The simplest and fastest way to do this is to activate Airplane Mode on your phone, or unplug the Ethernet cable if your computer is connected to the net via one.

Think about what the hackers might have learned

If you’ve visited a suspicious website or talked on the phone, try to remember any information you entered on the site or shared with the caller. Address and name? Phone number? Bank card number? Password?

If you only shared your name, address, and phone number, no further action is required, but stay on your guard — most likely the scammers will try to attack again based on your data, possibly using a different scam.

The situation is worse if you’ve shared more sensitive information, such as passwords, photos of personal documents, or banking information: in this case, follow the advice in the next two sections.

Change your passwords

Quickly log in to all services where the compromised password was used and change it to a new one — unique for each service. If you disconnected your device from the internet, use another device rather than plugging in the potentially infected one. Don’t hesitate to ask your neighbors or co-workers for help if you don’t have another device. Time is of the essence here — every minute counts. When accessing any services, enter the site address manually or open it through your browser bookmarks rather than clicking on links in recent emails.

If the password you entered was for an online banking platform, a payment system, or any account containing money, simply changing the password is not enough — take the following steps to save your funds.

Contact your bank, credit bureau, or service provider

If you provided bank card numbers or other financial information, contact the bank immediately. You can usually block cards through a dedicated hotline, as well as through the mobile application and your personal account on the website. For other types of data, such as bank account details, consult with specialists from the bank or online service about protective measures to take. Don’t wait for a call from the bank – they could be scammers; call the number listed on the bank’s website or mobile application yourself.

If you’ve shared extensive personal information or photographs of documents, malicious actors may use this data fraudulently, such as to apply for loans. To prevent this from happening, contact the credit bureau and inquire about available protective measures you can take. These measures vary from country to country — see these examples for the U.S.A., Germany, and Russia — but typically include setting up notifications for any inquiries about your credit history (checking your credit history is the first step in applying for a loan), blocking new inquiries, or self-banning credit issuance — making it impossible to obtain a loan in your name.

Check your computer

If you followed our advice and disconnected your computer from the internet due to potential infection, thoroughly check it for malware or potentially unsafe software before reconnecting to the network. If you already have a comprehensive protection system installed, such as Kaspersky Premium, ensure that the protection databases have been updated recently and all protection and scanning technologies are enabled, and then run a full scan. It’s crucial to run the deepest possible scan, applying settings that can detect not only malware but also potentially dangerous software such as remote control tools. Remove any detected malware according to the instructions of the security application.

What should you do if your computer lacks protection or if the protection databases are outdated? Use another computer to download protection from the manufacturer’s official website, then transfer the installation files across using a USB flash drive.

Check for any suspicious activity

After taking all the steps described above, make sure that the attackers haven’t managed to do anything harmful with the potentially compromised accounts. If these are online store or bank accounts, check your recent purchases. If you see any purchases you didn’t make, try to cancel them by contacting the online store/bank.

On social networks, check recent posts, new friends, photo album content, and so on. In messaging apps, check your recent chats to make sure no fraudulent messages were sent from your account.

For all accounts, verify your contact information, name, profile picture, address, and payment information. If you notice any changes, it means the account has been compromised; change your password and, if possible, secure the account with two-factor authentication.

Be sure to check the information about which devices are linked to your accounts with online services, social networks, and messaging apps. Having hacked an account, attackers try to maintain access to it — for example, by linking their device to it. Depending on the service, this connection might persist even after you change your password. Therefore, it’s crucial to ensure that you recognize all devices and active sessions listed in the “Security” section (this section might be called “Devices”, “Connected devices”, “Recent sessions”, and so on, depending on the specific service). Next to the name of the connected device, there’s usually a button to “Disconnect device” or “End session”, allowing you to kick out any strangers. If you cannot identify any devices and/or sessions listed, disconnect them after making sure you remember your updated password. You’ll have to log back in to your accounts with the new password (you changed the password, didn’t you?) — but now the attackers won’t have access.

The hardest thing to deal with is the consequences of an email hack. Firstly, besides all the above, you’ll have to check the mail forwarding rules. Make sure that neither your mailbox settings nor your message processing rules have forwarding of your emails to third-party addresses enabled. Secondly, if any other service accounts are linked to your email, attackers can hack into most of them. If you find any signs that your email has been tampered with, you’ll need to check for suspicious activity and change the password on all services linked to that email address.

Prevention is better than cure

Following the advice above requires a significant amount of time, effort, and patience. To minimize the risks of fraud as much as possible, it’s best to take precautionary measures in advance.
