“Malicious domain activity and phishing toolkit reuse increased in Q2 2022,” Akamai report

A recent study by cybersecurity firm Akamai found that 12.3% of monitored devices communicated with a domain associated with malware or ransomware at least once during the second quarter of 2022, a 3% increase over the first quarter of 2022. Akamai also said that phishing toolkits play a key role in malicious domain activity. The findings are based on DNS data and Akamai’s analysis of carrier and enterprise traffic across a variety of industries and geographic regions.

Malware, phishing and C2 domain activity all rose in Q2 2022

In a blog post detailing the investigation, Akamai noted that, in addition to the devices seen communicating with malware- or ransomware-related domains, 6.2% of devices accessed phishing domains and 0.8% accessed C2-related domains (all slightly up from Q1 2022). Akamai said, “The numbers may seem insignificant, but at scale they represent millions of devices. This is a very important issue considering that C2 is the most malicious threat.”

Akamai found that, across the potentially compromised devices and the various threat categories, 63% of those devices were exposed to threats related to malware activity, 32% to phishing, and 5% to C2. “While this does not necessarily mean the devices are compromised, these findings provide a strong indication of an increased potential risk if the threat is not adequately mitigated. On the other hand, access to a C2-related domain indicates that the device has been compromised and is very likely communicating with the C2 server. This may explain why the observed frequency of C2 is low compared to that of malware in many cases.”

High-tech and financial brands are the most frequent targets

According to Akamai, high-tech and financial brands were the most targeted, abused and imitated by malicious domain activity in the second quarter of 2022. By target, most campaigns (80.7%) went after consumers, but Akamai warned that the 19.3% of attacks aimed at corporate accounts should not be taken lightly.

“In general, these types of attacks target those who are more likely to inflict serious damage,” Akamai’s team said. “Attacks that target business accounts can lead to the compromise of a company’s network with malware or ransomware, or the disclosure of confidential information. An attack initiated by an employee clicking on a link in a phishing email can result in significant financial and reputational damage to a business.”

Phishing kits drive the increase in malicious domain activity

Phishing kits appeared to play a key role in the malicious domain activity Akamai analyzed. Akamai tracked 290 phishing toolkits in use in the second quarter of 2022, of which 1.9% were reused on at least 72 distinct days. Akamai also found that “49.6% of kits were reused for at least five days, and across all traceable kits the number of days of reuse during Q2 was more than three.”

The driving force behind kit reuse is the creation and sale/sharing of industrialized phishing kits that imitate famous brands. “Kit development and deployment is getting easier, and the web is overflowing with abandoned websites, vulnerable servers and services that can be immediately exploited,” Akamai said. “The clear separation between creators and users as phishing kit development and sales are industrialized, with new kits being developed and released within hours, means that this trend will not disappear easily.”

The most frequently used toolkit in Q2 2022 was Kr3pto, seen on more than 500 domains. Akamai believes Kr3pto was first created more than three years ago but remains very active and effective. The next most frequently used phishing toolkits were Webmail_423, Microsoft_530, and sfexpress_93.

Malicious domains are a big threat to businesses

Alex Applegate, senior threat researcher at DNSFilter, said malicious domains expose businesses to threats, and security teams must consider how to deal with these risks. “The key to most malicious activity is the execution of some sort of code on the victim’s system, for example installing malicious executables or running scripts on websites to perform malicious actions on victim systems.”

“Once successfully installed, the capabilities of the malware are virtually unlimited, and the risk of theft or compromise of sensitive corporate information increases,” Applegate said. “The victim system can be used to move laterally in the network or as an intermediate point to gain access to a more secure resource (for example, compromising an external contractor’s system to obtain access to a Fortune 500 network).”

To lower the risk from malicious domains, security teams must first establish secure web connections and effectively educate end users about the threats posed by clicking on links or visiting URLs from untrusted or otherwise unexpected sources. Applegate also said, “Some external services automatically check well-known domains for typos, character substitutions and other homoglyphs, and cyber threat intelligence services, available in a variety of both open source and commercial forms, distribute lists of websites used for phishing, business email compromise and other malicious activities.”

In addition, Applegate said that a solid network and endpoint monitoring plan, not just checks on the URL itself, can detect many of the major threats. “You should make sure to back up files, and always maintain and verify full offsite backups of all important data.”
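As an added illustration (not code from Akamai, DNSFilter or the article), the script below puts the two measurements discussed on this page into working form: the headline metric of the report, the share of monitored devices that queried at least one domain in each threat category, computed from DNS query logs against a categorised domain feed; and a homoglyph/typosquat check for protected brand domains of the kind Applegate describes. Every domain, feed entry and log line in it is constructed for the example and is not a real indicator; the confusable table is a small subset, and the two-label registrable-domain rule is a simplification that a real deployment would replace with a public-suffix-list lookup.

```python
"""Score DNS query logs against a categorised domain feed and a lookalike check.

Added illustration only: not Akamai's, DNSFilter's or the article's code.
All domains, feed entries and log lines are constructed and are not real IOCs.
"""
from collections import defaultdict

# Constructed threat-intel feed (hypothetical .test domains): domain -> category
FEED = {
    "update-check.example-malware.test": "malware",
    "login-secure.example-phish.test": "phishing",
    "beacon.example-c2.test": "c2",
}

# Brand domains to raise lookalike alerts for (hypothetical)
PROTECTED = ["examplebank.com", "exampletech.com"]

# Small confusable map; a real deployment uses a full Unicode confusables table.
# Folding "rn" -> "m" would also fold a legitimate "modern" to "modem", which is
# why lookalike() checks the raw registrable domain against the brands first.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "\u0430": "a"}


def normalize(domain):
    """Lowercase, strip a trailing dot, and fold common homoglyphs/typos."""
    d = domain.lower().rstrip(".")
    for glyph, plain in CONFUSABLES.items():
        d = d.replace(glyph, plain)
    return d


def registrable(domain):
    """Last two labels: 'a.b.examplebank.com' -> 'examplebank.com' (simplified)."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (classic O(len(a)*len(b)) DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, protected=PROTECTED, max_dist=1):
    """Return the protected brand `domain` imitates, or None.

    Genuine brand traffic is excluded on the raw name; the homoglyph-folded
    registrable domain is then compared by edit distance, catching
    examp1ebank.com (digit 1), exarnplebank.com (rn -> m), exampletech.co."""
    raw = registrable(domain.lower().rstrip("."))
    if raw in protected:
        return None
    folded = registrable(normalize(domain))
    for brand in protected:
        if levenshtein(folded, brand) <= max_dist:
            return brand
    return None


def classify(domain):
    """Feed category ('malware', 'phishing', 'c2'), 'lookalike', or None.
    The feed is checked for the name and each parent, so a query for
    sub.beacon.example-c2.test still matches beacon.example-c2.test."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        name = ".".join(labels[i:])
        if name in FEED:
            return FEED[name]
    return "lookalike" if lookalike(".".join(labels)) else None


def summarize(log_lines):
    """Percentage of distinct client devices that queried at least one domain
    in each category, from 'timestamp client qtype qname' lines; this is the
    report's headline metric (e.g. 12.3% of devices hit a malware domain)."""
    devices = set()
    hits = defaultdict(set)  # category -> client IPs
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue
        _ts, client, _qtype, qname = line.split()[:4]
        devices.add(client)
        cat = classify(qname)
        if cat:
            hits[cat].add(client)
    result = {"devices": len(devices)}
    for cat, clients in hits.items():
        result[cat] = round(100.0 * len(clients) / len(devices), 1)
    return result


# Constructed sample log: nine client devices, none of this is real traffic
SAMPLE_LOG = """\
# timestamp            client    qtype qname
2022-06-01T09:00:01Z 10.0.0.11 A www.examplebank.com
2022-06-01T09:00:02Z 10.0.0.12 A update-check.example-malware.test
2022-06-01T09:00:03Z 10.0.0.13 A login-secure.example-phish.test
2022-06-01T09:00:04Z 10.0.0.14 A examp1ebank.com
2022-06-01T09:00:05Z 10.0.0.15 A sub.beacon.example-c2.test
2022-06-01T09:00:06Z 10.0.0.16 A exampletech.com
2022-06-01T09:00:07Z 10.0.0.17 A cdn.example.org
2022-06-01T09:00:08Z 10.0.0.18 A exarnplebank.com
2022-06-01T09:00:09Z 10.0.0.12 A beacon.example-c2.test
2022-06-01T09:00:10Z 10.0.0.19 A exampletech.co
"""

if __name__ == "__main__":
    for cat, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{cat:>10}: {value}")
```

On the constructed log the script reports one device in nine (11.1%) for malware and for phishing, two in nine (22.2%) for C2 because device 10.0.0.12 queried both a malware and a C2 domain, and three in nine (33.3%) for brand lookalikes. Note that a lookalike hit and a feed hit are indicators of exposure, not proof of compromise, which is the same caveat Akamai attaches to its malware and phishing figures; only the C2 category carries the stronger implication.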

Akamai chief security researcher Or Katz said that to combat phishing toolkit reuse, “continuous threat intelligence on IP addresses, ASN reputation, and newly registered or randomly observed domains is needed to track down and eliminate new campaigns faster and more effectively.”

Source: ITWorld Korea by www.itworld.co.kr.
