Google’s phishing and malware warnings are outnumbering 2020’s alerts by a significant percent. The tech giant advises the use of multi-factor authentication to prevent costly breaches.
Google Sent Out 50,000 Phishing And Malware Attacks Warnings So Far This Year
Google is putting its policy to alert Google Accounts users that alleged state-sponsored threat actors are targeting them to heavy use in 2021. Representatives said that the tech giant has already sent out more than 50,000 warnings for potential phishing and malware attacks to users, 33% more than the same period in 2020.
“So far in 2021, we’ve sent over 50,000 warnings, a nearly 33% increase from this time in 2020. This spike is largely due to blocking an unusually large campaign from a Russian actor known as APT28 or Fancy Bear,” Google security engineer and Threat Analysis Group (TAG) team member Ajax Bash writes in a recent post.
TAG’s Shane Huntley tweeted on October 7 that the group had sent an “above average batch of government-backed security warnings yesterday.” TAG sends alerts over phishing scams and malware attacks.
58% Of Cyberattacks Come From Russia
Google’s suggestion that Kremlin-sponsored cybercriminals are a big issue aligns with Microsoft’s findings revealing that 58% of nation-state cyberattacks originated from Russia over the past year.
In July, the US National Security Agency revealed that APT28 had operated a vast password-cracking campaign targeting US and EU organizations over the past two years.
APT28 is one of many state-sponsored groups launching password-based attacks and exploiting the Microsoft Exchange server vulnerabilities CVE-2020-0688 and CVE-2020-17144.
Google noted that it sends the phishing and malware attacks alerts in batches to all users who are at risk so as not to give away their defense strategies to attackers.
TAG Tracks Over 270 Targeted And State-Sponsored Cybercriminal Groups Everyday
“On any given day, TAG is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries. This means that there is typically more than one threat actor behind the warnings,” says Bash.
TAG is also closely watching the Iranian group known as APT35, which launches phishing attacks against high-profile targets in government and defense departments.
The cybercriminal group is also known as Charming Kitten, or Phosphorus, and has directed their attacks toward victims from the Persian Gulf, Europe, and the US. The group has been actively targeting the US defense sector for several years, and Google managed to disrupt their attempts to phish campaign staffers of Joe Biden and Donald Trump in 2020.
This week, Microsoft warned that 250 Office 365 users in the US and Israeli defense technology industry were hit with a password-spraying campaign conducted by a separate emerging Iranian group.
“In early 2021, APT35 compromised a website affiliated with a UK university to host a phishing kit,” notes Google’s Bash.
“Attackers sent email messages with links to this website to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo. Users were instructed to activate an invitation to a (fake) webinar by logging in. The phishing kit will also ask for second-factor authentication codes sent to devices.”
APT35 hasn’t changed its methods since 2017 to target government, education, journalism, NGOs, foreign policy, and national security.
The hacking group uploaded a fake VPN app to Play Store last May to collect data from Android devices. Google said it had removed the malicious app before any users could download it.
Video meetings have become the norm during the pandemic, and APT35 has tweaked its strategies to suit it, according to Google.
“Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first contact email messages to get users to respond. When they did, attackers sent them phishing links in follow-on correspondence,” Bash noted.
The poisoned links often included link shorteners and click trackers, embedded in PDF files. The attacks exploited Google Drive, Google Site pages, Dropbox, Microsoft services, and Telegram.
Google And Microsoft Urge Users To Use TFA
Both Google and Microsoft encourage Workspace administrators and general customers to enable two-factor authentication.
“Workspace administrators are also notified regarding targeted accounts in their domain. Users are encouraged to take these warnings seriously and consider enrolling in the Advanced Protection Program or enabling two-factor authentication if they haven’t already,” notes Bash.
Google TAG Countering threats from Iran