Threats increased during the second half of 2021. This year showed us that COVID-19 is not going away, as it showed a resurgence just when we thought things were getting better. Work from home has become the new normal, raising risks to corporate data on people's home networks.
The second half of the year saw Allot Secure blocking 300% more malicious URLs than the first half of the year due to the rise of malicious adware. The end of the year saw an increase in attacks around the holiday season, including Black Friday, Christmas shopping, and lotto scams.
The threat landscape is changing. H2 saw a decline in Flubot attacks (though it is still raging), but an increase in other culprits.
H2 could be called the period of adware. 75% of all URLs blocked were related to adware.
Allot is dedicated to protecting CSPs and their customers from all types of attacks including malware, ransomware, phishing, trojans and more. This H2 2021 Cyber Threat Report shows how European communication service providers that partner with Allot Secure were able to block all types of cyberthreats and keep their consumer subscribers safe all year long.
This report covers July-November 2021. Details from December 2021 will be released in Allot’s next Cyber Threat Report.
H2 2021 Cyber Threat Report: Key Takeaways
Adware emerged as the primary threat to European consumers
- 75% of all blocks were adware.
- September saw a 200% increase in total blocks due to the appearance of omnatuor.com, a browser hijacker.
- Adware is not just a nuisance. It can lead to downloading additional malware.
Flubot is not dead yet
- Flubot was blocked 421,905,856 times during H2 2022.
- Even though the blocks are declining each month, Flubot is not going away. It has been a very profitable threat, and the cybercriminals will keep adapting their methods to surprise their victims.
Special events are also special for cybercriminals
- During holidays and other special events, we cannot lower our guard. Cybercriminals will take the opportunity by using social engineering tactics, such as offering crazy discounts or free products related to the events.
- In H2 2022 the cybercriminals used Black Friday, Christmas, and the lottery as bait to trick their victims.
- Fortunately, Allot protected against these “special events” threats.
Main consumer messages
- Allot NetworkSecure blocked cyberthreats from harming European subscribers 2.97 billion times in H2 2021.
- Of those blocks, only 647,000 were viruses, making up less than 1% of total blocks.
- H2 could be called the period of adware. 75% of all URLs blocked were related to adware.
- Infections and trojans represented 64% of all virus blocks.
- The average percentage of customers experiencing protection events was 4% in June and then slowly rising to hit 17% in November. The average for the entire period was 8%.
- Flubot has not gone away. The two most common blocks were Flubot C&C URLs and omnatuor.com.
Percent of Customers Protected
Before exploring which categories were the most blocked during this period it is important to appreciate the percentage of customers who were protected by NetworkSecure blocking events during the second half of 2021.
On average, 8% of customers were protected during the second half of 2021, a decline from 14% in H1. However, protection events significantly increased in November, jumping from 5% to 17%.
Even though the number of blocks is higher than in H1, the ratio of customers protected is lower. The threats, especially those accumulating the largest numbers, were targeting certain countries and were not affecting customers worldwide. This is one of the reasons that, even though we had more blocking events during H2, fewer customers were victims.
November's spike was caused by more unique customers being affected by omnatuor.com.
Categories in Pre-Blocked URLs
“Pre-blocks” is the name assigned to the blocks that occur before a customer loads a malicious website.
Due to the difference between the most blocked categories and the rest, we split the graphs into two:
Adware and malicious downloads dominate the other categories, representing more than 90% of the pre-blocks.
Adware grew from 10% to 73% in just one month because omnatuor.com appeared in September. The growth during July and August was due to multiple websites acting as adware, but those websites were then shut down. In H2, omnatuor.com emerged, maintaining the ratio of blocks related to adware until the end of the year.
The period has two main protagonists: Flubot C&C blocks and the aggressive adware omnatuor.com. Omnatuor.com displays fake error messages that trick users into subscribing to its browser notifications. Once subscribed, it displays ad notifications for adult sites, online web games, fake software updates, and unwanted programs.
Looking at the categories with less than 15% representation, we see one thing that is surprising: phishing only represented an average of 2.3% of total blocks.
The graph shows that spyware increased between August and October, but then went down in November to the levels seen in July. In parallel, there was a decline in porn adware during those same months, before returning in November to the levels seen in July.
The cybercriminals clearly changed their methodology during H2 2022, as phishing had usually been their most profitable activity. But even with these low numbers, we were able to protect our customers from dangerous phishing campaigns, which are explained further in this document.
H2 saw a significant increase in adware. While adware made up 22% of all pre-blocks in H1, in H2 adware made up 75% of all blocks.
In H1, malicious downloads represented 45% of all pre-blocks; in H2 they made up 18.2%, primarily Flubot, which continued to prevail in the second half of the year, although less than we saw in H1 2021.
Phishing made up 2.1% of pre-blocks in H2, compared to 13% in the first half of the year.
Allot blocked 2.97 billion connections to a malicious website in the second half of the year.
Categories in Download Blocks
Download blocks are the blocks performed when a user attempts (intentionally or not) to download a malicious file.
Due to the differences between the most blocked categories, the table was split into two: one showing virus categories that accounted for more than 15% of blocks and the other showing those that accounted for less than 15%.
We again see that adware and trojans are the most blocked categories, representing more than 90% of the total blocks monthly. This is usually because one threat feeds the other. Once a trojan infects a user's device, it usually tries to download additional malware to the device. That malware is frequently adware.
Adware then shows ads that often lead the victim to download a trojan or other adware, continuing the vicious cycle.
The graph shows that trojans rose from 60% in July and skyrocketed in September and October to 77% and 76%, respectively, before falling to 49% in November.
Adware infections, by contrast, rose from 26% in July to 47% in November, after dipping in September and October to 17% and 16%, respectively.
The NetworkSecure Antivirus engine detects the malicious files and blocks them from download before they can pose any danger to the user. Most download blocks remained adware and trojans.
Adware (26%) and trojans (72%) make up the bulk of blocks – totaling a whopping 98% of all blocks.
In H2 2021, NetworkSecure protected European Internet users from downloading malicious files 647,530 times. This number is much smaller than the pre-blocks, but the potential damage from each infected file is much greater, and many malicious files are pre-blocked before the download even begins and are therefore counted as pre-block events.
Blocks Over Time
Flubot, although it has been decreasing since its July peak, is still being blocked more than 20 million times.
Omnatuor.com erupted in September with more than 400 million blocks. It keeps increasing month after month.
Amazon Black Friday phishing
Scammers frequently pretend to be from Amazon. One such attack was recently seen by Allot security researchers. It took place between November 16 and November 30. It was spread through WhatsApp and SMS text messages. The target was asked to fill out a survey in exchange for a gift from Amazon. After completing the survey, the target was asked to fill in their credit card information.
Compromising credit card data was not the only consequence of the attack. After the user entered credit card details, another pop-up appeared prompting them to click on "Allow." Subsequently, the device was infected with adware.
In November 2021, Allot Secure blocked 1.7 million instances of this attack.
Increase in lottery scams
Since 2021, there has been an increase in sweepstakes and lotto scams.
These scams target unsuspecting victims by telephone, email, or SMS. They tell them that they have won a prize: the lotto, a sweepstakes, even a new cell phone or iPad. They ask for money or for account information to claim the prize. But when the victim pays, they find out that their money is gone and there is no prize.
Allot Secure was able to block these attacks from reaching subscribers.
Holiday gift scam
Thousands of subscribers of one of Allot’s telco customers were attacked during December. The site claimed to be a holiday gift site. The phishing attack attempted to steal subscribers’ credit card data and use it for fraudulent purchases.
“Allot’s cybersecurity platform provides a flexible solution to protect our customers from both existing and emerging threats.”
Mikkel Noesgaard, Board Member and Chief Marketing Officer at Play