Ampyx Cyber

Attackers launch new wave of malicious emails during war

BY KERRY TOMLINSON, AMPERE NEWS

MARCH 3, 2022

As war rages in Ukraine, attackers are sending out a blitz of poisoned emails to our computers.

Researchers with cybersecurity company Avanan report an 800% increase in attack emails originating from Russia starting on February 27. Russia invaded Ukraine on February 24.

What kind of emails are they, and what can you do to protect yourself?


What do the attackers want?

The attackers are looking for passwords and email accounts, said researchers with Avanan, which was purchased by Check Point last year.

The number of these kinds of emails originating from Russia jumped 8-fold on February 27, according to researchers. They don't know exactly who is behind the emails.

The targets are companies in the U.S. and Europe with a focus on shipping companies and car makers, as well as more random-seeming targets.

One email claims the sender is sharing a folder with you about bonus payments in 2021. You might notice some discrepancies in the message. It says, "Please upload your documents in the bonus folder for 2020," but shows a folder labeled 2021.

A phishing email from the February 27 malicious email campaign. Image: Avanan/Check Point

What WILL they do?

Attackers can use your account to carry out more crimes.

Last week, Ukraine's Computer Emergency Response Team warned that attackers were sending out a round of phishing emails to Ukrainian soldiers telling them they needed to verify their accounts or lose access. The phishers then take over the account and use the contacts to send more malicious emails, Ukraine's CERT said.

This week, security company Proofpoint reported that attackers are using a Ukraine military member's account to target others. The targets appear to be European government workers involved in helping people escape the war in Ukraine.

The email subject is "IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022." It contained a file called “list of persons.xlsx.”

This is likely the work of a nation-state, Proofpoint said.

Unusual Sign-In?

Another round of fake emails pretends to be from Microsoft with a warning that someone has accessed your account from Moscow, Russia. "If this wasn't you, please report the user," the email reads, according to security company Malwarebytes.

This email campaign may not be related to the events in Ukraine, Malwarebytes' Christopher Boyd said.

"But, given current world events, seeing 'unusual sign-in activity from Russia' is going to make most people do a double take, and it’s perfect spam bait material for that very reason," Boyd said in a post.

Phishing email falsely claiming that someone in Russia has signed into your account. Image: Malwarebytes

Money Grab

Reports show multiple cases of phony emails asking you to donate to help Ukraine.

One example from security company Trustwave says, "A little show of kindness will help save a Ukrainian life," posing as a Ukrainian human rights charity looking for donations in cryptocurrency, or digital money.

"Ukraine Survival Fund" proclaims another example from Avanan’s parent company, Check Point. Errors in the text may give it away, such as "Let's reachout to Ukraine as no Support is little."

If you want to donate safely to this or other causes, Check Point recommends you:

- Watch for fake web site names
- Be wary of unusual attachments
- Look for incorrect grammar or tone

Phishing email asking for donations to support Ukraine. Image: Avanan

Deeper Threats

Attackers may use phishing for other devious deeds such as ransomware, according to Julia O'Toole, CEO of password security company MyCena.

They may steal your passwords for their own attacks or to sell on the dark web. And if you reuse passwords for your email, work, or money accounts, you may have given attackers the keys to your world. They can simply try your password on multiple accounts until they get in.

"They would go and pillage," O'Toole said. "Imagine if this key is the same in the office, in the bank, and in the house. They get one, and they go on to steal whatever they can."

What to do

Look for spelling errors and fake website names, hover over links, and verify links directly with websites instead of clicking, experts recommend.

In addition, use two-factor authentication (also known as multi-factor authentication) to protect your accounts, said Tony Anscombe with ESET.

That adds an extra step, like a code sent to your phone, to log in. You might think of it like an ATM card, he explained. If the card is your password, you need another step, the PIN, to get into your account.

One study shows that using multi-factor authentication can prevent 99% of general phishing attacks, and 66% of targeted phishing attacks.

"Two-factor authentication. I can't say this enough," Anscombe said. "It's one of those things that we don't implement on accounts because it's that extra step when you log in. However, it's one of the most key things in keeping actually, as consumers, our data and our identity safe. So, that's super important."

RETURN TO SENDER

Could the phishers be cyber criminals out to make money from world upheaval, or perhaps a government trying to raise money for war or any other criminal purposes? Security experts say it can be very hard to determine who is responsible.

But if a nation-state tries to hit other countries with ransomware or other attacks, it will likely come in the form of an email, said Rob Lee with the SANS Institute. He warns you to look out for messages and links that ask for your password, as well as random updates to software.
