phishing attack Copyright (c) 2015 wk1003mike/Shutterstock. No use without permission.

phishing attack Copyright (c) 2015 wk1003mike/Shutterstock. No use without permission.

Over the last quarter of 2021, phishing and other forms of cyber-attacks have increased by 40%, according to the latest report by Post’s Cyberforce.

Out of the 183 attacks recorded in Q4 of 2021, the majority were phishing attempts (74%), followed by spam (11%), wangiri--or one-time missed phone calls--(7%), DDos (2%) and malicious code (1%). The remaining causes (5%) included masquerading--when a scammer creates a fake profile for a famous brand and copies its content. This occurs sometimes in the context of online contests.

Phishing attempts have mainly targeted Post’s @pt.lu e-mail addresses, according to Cyberforce. In some instances, the scam involved a spoofed webmail interface for a Post Login or a LuxTrust certificate reactivation. Other techniques targeting e-mails include HTML files linked in an e-mail.

Fake LuxTrust reactivation certificate links are sent to users. Cyberforce Post

Fake LuxTrust reactivation certificate links are sent to users. Cyberforce Post

1 / 2
Fake LuxTrust reactivation certificate links are sent to users. Cyberforce Post
The Webmail Login page for @pt.lu pages is another trap for phishing victims. Cyberforce Post

Circumventing spam folders by attacking phone numbers

The Cyberforce report also warns of demands linked to fictitious package deliveries. This will either occur through e-mail or by text message. The latter include URL which the user is invited to select to access to more information regarding a delivery. Clicking the link allows malware--like Flubot or Medusa in the case of Android phones--to download an .apk file onto the phone. This type of file can harvest crucial information such as bank details, passwords or phone numbers.

Aside from wangiri--where a scammer leaves a missed call on a victim’s phone, inciting the latter to call back--, call-based phishing has also seen an increase over the final months of 2021. Using usurped numbers that the recipient’s phone will identify as the police, for instance, the offender will inform the user of illegal activities linked to the phone number. The victim is then invited to call a U.S.-based phone number to address the fictitious issue.

These methods are used to go around the spam filter of e-mail inboxes.

Major vulnerability uncovered

In December 2021, the zero-day Log4Shell vulnerability was revealed, which according to Cyberforce had “an unprecedented impact on the world of cybersecurity.” Log4j is an open source logging library which allows operations on applications to be tracked. The issue is that Log4j found in a vast number of solutions added to a vast attack surface, rendering the weakness in Log4shell important, as the vulnerability allows hackers to execute arbitrary remote code without authentication.

Cyberforce in its report also listed the main hosts for phishing initiatives. Google LLC. Namecheap Inc. and Bitly Inc ruled the top spots of the chart.