The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month.
Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 150 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discover 400+ new threats each minute and validate 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time view of the evolving threat landscape.
Highlight of the month: Introducing homograph report
Homograph (also known as homoglyph) phishing attacks are based on the idea of using similar characters to pretend to be another site. The most basic homograph attack is substituting „o“ for „0“ (
g00gle.com). Even though this approach seems simple, it is still a very successful method of cyberthreat attacks.
Homograph attacks that tend to be more complex use international domain names (IDN). Threat actors create an international domain name that resembles a target domain name. An example of this type of attack is a spear phishing attack using domain
https://www.bițdefender.com – crafted using latin-based Romanian alphabet, but letter „t“ is replaced with similar character „ț“.
Our following report is focused on these IDN homograph attacks. They are not common, because they require high-level skills, careful planning, and precise execution. That makes them better candidates for analysis, because they are typically reserved for high-value targets or more professional threat actors. Typical use cases include spear phishing for large ransomware campaigns or lucrative targets such as cryptocurrencies.
Bitdefender Labs designed an advanced machine learning model that detects spoofed domains and identifies the legitimate domain they are trying to pose as. This gives us visibility into domains that are most likely to be targeted by threat actors.
Homograph Phishing Report
For our initial report, we analyzed a larger data sample and covering data from January 1, 2021, to October 25, 2021. In the following sections, you will see which domains are most targeted and “top 10” lists for interesting categories (all, cryptocurrencies, and social media).
When we talk about “target” of IDN homograph phishing attacks, we refer to the domain that threat actors are trying to impersonate. For example,
google.com is the target for domains
goggle.com. Targets of IDN homograph attacks didn’t neglect any security – their brand names are just globally recognized and trustworthy, making them a perfect target for impersonation.
When we categorize targets of spoofing attacks, three categories stand out from the rest:
- Cryptocurrencies (35%)
- Banks (24.5%)
- Social Networks (12%)
These three categories combined are making over 70% of the detected spoofing attacks.
Almost 1 in 10 (9.37%) of fake domains are using HTTPS encryption. This technique helps threat actors avoid detection with network-based security controls, but more importantly, they appear as legitimate sites (green padlock). Educating end users (workers, friends and family) to make sure they understand the secure connection symbol does not necessarily mean that site is legitimate.
Below is the list of the top 10 most common targets for phishing sites.
Top 10 spoofed domains – Cryptocurrencies and Banks
Cryptocurrency markets and regular banks represents almost 60% of the phishing domains in our data sample. Threat actors use harvested credentials to steal funds from accounts – this method represents the most direct way to monetize the attack, so it is not surprising to see it at the top of the list. If you want to learn more about this kind of phishing operation, you can read our previous research New Homograph Phishing Attack Impersonates Bank of Valletta, Leverages Valid TLS Certificate.
Top 10 spoofed domains – social media and others
Social media and other domains (Gmail, Hotmail, PayPal, Amazon etc.) are useful for spoofing to harvest credentials. Threat actors collect and save logon credentials and either use them to launch another attack (for example to reset password for a more sensitive site) or sell it on the dark web.
Spear phishing attacks are often used as an initial attack vector. Ransomware infection is often the final stage of the same kill chain. For this report, we analyzed malware detections collected in September 2021 from our static anti-malware engines. We are only counting total cases, not considering how significant the impact of infection is. Opportunistic adversaries and Ransomware-as-a-Serice (RaaS) groups will represent a higher percentage compared to groups that are more selective about their targets, since they prefer more volume instead of higher value.
When looking at this data, remember that these are ransomware detections, not infections. Technology companies are ranking at the top of our list with the most detections, while non-profit organizations are trailing at the end. Detection rates vary based on technologies in place and security maturity.
Top 10 Ransomware Families
For this report, we analyzed 12.7 million malware detections from September 1st to September 30th. In total, we identified 220 ransomware families. Number of detected ransomware families can vary each month, depending on the current ransomware campaigns in different countries.
Top 10 Countries
In total, we detected ransomware from 173 countries in our dataset this month. Ransomware continues to be a global threat that touches almost the entire world. Below is a list of the top 10 countries most impacted by ransomware. Most ransomware attacks continue to be opportunistic, and the size of population is correlated to the number of detections.
Top 10 Industries
For our data set, we have been able to assign almost 40% of detections to specific industries. Telecommunications services are particularly high as their customers are included within the detections.
In this BDTD edition, we added new report on phishing sites using IDN homograph attacks. Analyzing these attacks helps identify high-value targets threat actors are most interested in and where users need to be more vigilant when accessing sites. Our data shows a clear preference for targeting cryptocurrencies or financial institutions.
We hope you have found this BDTD report interesting. Leave us a comment and let us know what you think.