Cybercriminals are increasingly using malicious domains as an attack vector. Our Internet Security Report Q1 2021 already detected a 281% increase in the number of domains blocked by DNSWatch over the previous quarter, and there has been significant activity in the past year with such links exploiting the interest in COVID-19.
Espionage, web files, banks and social media
A few days ago, Microsoft announced that it had disabled 42 malicious domains created by the Chinese APT-15 cyber-espionage group. The group tricked members of public and private organizations, think tanks and NGOs related to human rights through links that let malware in when unsuspecting users clicked on them, enabling the group to access servers and obtain privileged information about Chinese industrial and geopolitical interests. Analysts believe that this was part of a massive cyber-espionage campaign by China.
Other major domain incidents this year have involved legitimate and well-known websites being compromised. For example, in July it was discovered that the archive.org portal (known for the "Way Back Machine" search engine for old websites) had a malicious PowerShell script inserted into one of its pages with a loader containing the AgentTesla malware from Aggah, which is linked to the Pakistani APT group Gorgon. Researchers speculate that the portal pages were used as hosts for the malware and then used in subsequent cyberattacks.
Phishing is another of the techniques commonly used by these links and the banking industry is usually among the most affected because the gains to be made are very high if cyberattackers manage to get hold of customer passwords. Several customers of Chase Personal Banking were victims of a campaign of this type: they received a fake email with the message "Your credit card statement is now available" and a link that led to a fake landing page asking for their bank details. This incident stands out as the email with these bogus links managed to bypass the spam filters of Microsoft Exchange Online Protection and Microsoft Defender for Office 365.
Facebook has also been a channel for the use of malicious domains in recent months. In this case, hackers used professional Facebook accounts to place ads that led to domains that served as loaders for the CopperStealer malware. Once injected, the malware steals the credentials of its victims and cybercriminals, then uses their systems as a source for further cyberattacks.
Best Practices and Firewalls
All the above examples related to malicious domains demonstrate that cyberattackers are using increasingly sophisticated social engineering techniques: not only do they trick users, but also, as the Chase personal banking phishing scam showed, they sometimes manage to circumvent widely deployed cybersecurity solutions, such as those provided by Microsoft.
For these reasons, for next year MSPs should implement advanced network protection solutions for their customers that incorporate next-generation firewalls. Equipped with these solutions, they will be able to block suspicious links in an automated way and even detect encrypted malware that may circulate on their networks, all managed very easily in a centralized system.
Using these tools, it’s good practice for MSPs and IT teams to generate lists of trusted websites and categorize topics that are more likely to have dangerous links and that are not usually related to the professional activity of the company (for example: gambling houses or cryptocurrencies).
In addition, employees should receive basic cybersecurity instruction on web browsing and emails, such as not opening unknown links or knowing how to identify potentially suspicious links.
If you would like to learn about other cybersecurity trends, check out our Cybersecurity Predictions for 2022.