{"id":31981,"date":"2020-01-27T06:40:31","date_gmt":"2020-01-27T11:40:31","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?post_type=emagazine&#038;p=31981"},"modified":"2022-10-10T10:03:04","modified_gmt":"2022-10-10T14:03:04","slug":"worlds-most-phished-country","status":"publish","type":"emagazine","link":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/worlds-most-phished-country\/31981\/","title":{"rendered":"Shoot first, ask later: Strategies for protecting the most phished country in the world"},"content":{"rendered":"<p>Cybercriminals always take the path of least resistance when attacking. Vulnerabilities in technology, while undoubtedly presenting serious problems, usually <em>aren\u2019t<\/em> those paths. When you have up-to-date <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\" target=\"_blank\" rel=\"noopener nofollow\">anti-malware software<\/a> installed on all your computers, and you have network firewalls running around the clock, it\u2019s pretty challenging to break in. Add encryption, heuristic scanning and multifactor authentication (MFA) into the mix, and you\u2019ve got a veritable fortress protecting your digital assets.<\/p>\n<p>At least, you might think so.<\/p>\n<p>The problem? Most cybercriminals don\u2019t follow the hacker stereotype. Instead, they exploit the weakest link \u2013 humans. After all, why try to break encryption or hack a password when you can dupe an unsuspecting victim into giving this information away freely? If the email address and domain look authentic, as though they belong to an organization you do business with, you would probably click that link and think nothing of it. And often, there\u2019s nothing your anti-malware can do about it.<\/p>\n<p>That\u2019s one of the underlying reasons why phishing scams are on the rise. 
They jumped <a href=\"https:\/\/www.techrepublic.com\/article\/phishing-attacks-jump-by-21-in-latest-quarter-says-kaspersky\/\" target=\"_blank\" rel=\"noopener nofollow\">21 percent in the second quarter of 2019<\/a>.<\/p>\n<p>In my country, Brazil, which has the unfortunate distinction of being the <a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/2019_phishing-attacks-more-than-doubled-in-2018\" target=\"_blank\" rel=\"noopener nofollow\">most phished country in the world<\/a>, 29 percent of people have been attacked. Kaspersky has been tracking this worrying trend for the past few years and decided it was time to take a radically new approach towards dealing with the threat. Our Global Research and Analysis Team blocked almost 37 million attacks in 2017 and just over 40 million in 2018 \u2013 and that\u2019s just in Brazil.<\/p>\n<p>So, what are the strategies for blocking phishing attempts from the very outset?<\/p>\n<h2>Understanding the phishing attack vectors<\/h2>\n<p>Although phishing attacks conducted via email get the lion\u2019s share of the attention, social engineering attacks can take many forms. This includes SMS, telephone calls, malicious ads and fake profiles on social media. What most phishing scams have in common, however, is that they include compromised websites masquerading as those belonging to legitimate organizations. They use the same branding and wording. Sometimes they\u2019re complete clones of the real thing. The issue: as soon as you enter confidential information, such as usernames and passwords, it ends up dropping straight into the hands of the attackers.<\/p>\n<p>Banks and other financial institutions are among the most popular subjects to impersonate \u2013 not just in Brazil, but all over the world. But it\u2019s important to remember that any organization or individual can be imitated. 
Phishing is a global epidemic that affects everyone.<\/p>\n<p>Around <a href=\"https:\/\/www.thesslstore.com\/blog\/1-4-million-new-phishing-websites-created-every-month\/\" target=\"_blank\" rel=\"noopener nofollow\">20 million new phishing websites launch every year<\/a>. Granted, most of them get blocked and taken down pretty quickly, but that\u2019s not the point. Scammers often still have more than enough time to launch their attacks before that happens. In Brazil, as well as many other jurisdictions, local legislation gives everyone the right to register a domain name. The only legal way to get a malicious domain taken down is for a company to file a trademark infringement claim against the owner of the domain, in cases where an unauthorized party is using its brand name. That doesn\u2019t exactly happen overnight.<\/p>\n<p>Online fraud is everywhere in Brazil. Scammers exploit virtually every customer loyalty program. Government websites are impersonated to defraud critical public services like healthcare. Attackers have masqueraded as data brokers to manipulate credit scores. In one attack, the Government Environment and Nature Institute (IBAMA) was targeted by a phishing scam, resulting in 23 companies, which had been blacklisted for environmental crimes, being allowed to resume activities. In the 10 days that followed, these companies managed to extract $11 million from illegally harvested wood from the Amazon rainforest \u2013 enough to fill 1,400 trucks. Some bounty. Everything that\u2019s online in Brazil is getting phished, fast.<\/p>\n<h2>It starts with domain registration<\/h2>\n<p>Most phishing attacks involve duping victims into visiting a malicious domain. That\u2019s why Kaspersky\u2019s research team wanted to get right to the root of the problem. 
This meant targeting the window of opportunity between when a suspicious domain is registered and when it\u2019s used in an attack.<\/p>\n<p>We started this project in 2014 by monitoring all new domain registrations that included the names of financial institutions operating in Brazil, and then checking their WHOIS data. The WHOIS lookup allowed us to find some basic information about who registered the domain, which company provided the service and when it was registered. But that wasn\u2019t going to be enough by itself, especially with domain privacy services and <a href=\"http:\/\/www.kaspersky.com\/GDPR\" target=\"_blank\" rel=\"noopener nofollow\">GDPR<\/a> masking a lot of the information. We needed to apply specialized methods to monitor domain reputation and proactively identify suspicious registrations.<\/p>\n<h2>Homing in on the phisher\u2019s favorite exploits<\/h2>\n<div id=\"attachment_32262\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" aria-describedby=\"caption-attachment-32262\" class=\"size-large wp-image-32262\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/01\/28025404\/worlds_most_phished_country_Inline-1024x411.jpg\" alt=\"worlds most phished country Brasil\" width=\"1024\" height=\"411\"><p id=\"caption-attachment-32262\" class=\"wp-caption-text\">Credit: Getty Images<\/p><\/div>\n<p>Would-be victims of phishing attacks wouldn\u2019t deliberately visit an unfamiliar website to log into their online bank account or any other platform, so attackers have to find different ways to reach them.<\/p>\n<p>One of the most common tactics used is typosquatting. It\u2019s a form of cybersquatting which involves registering domain names under someone else\u2019s name or brand. It\u2019s a simple way to mimic a real company\u2019s website: the attacker waits for someone to enter the domain name incorrectly and land on a compromised site. 
That\u2019s why many organizations deliberately register commonly misspelled versions of their domain names. For example, entering gooogle.com instead of google.com will automatically redirect you to the correct address, but that\u2019s only because Google registered it. However, because there are so many possible misspellings of popular brand names, it\u2019s usually impractical to register all of them. To get around this, we used a method based on Levenshtein distance, a domain name matching algorithm that helps us automatically detect cases of typosquatting and block the offending domains.<\/p>\n<p>A lesser-known but increasingly common exploit involves internationalized domain names (IDNs), which use characters that aren\u2019t in the Latin alphabet. Traditionally, all web addresses were in ASCII text, but for the last decade it has been possible to register web addresses in Unicode to support writing systems like Cyrillic, Greek and Chinese.<\/p>\n<p>The problem here is that some writing systems use letters that look the same but are different as far as computers are concerned. For example, the letter \u2018B\u2019 in English looks precisely the same as the Russian letter \u2018B,\u2019 even though the letters are different. A domain name like caixa.gov.br, which belongs to one of the biggest banks in Brazil, would look the same if the letter \u2018c\u2019 were replaced with its Cyrillic lookalike. Only a computer can tell the difference because each variant is encoded differently.<\/p>\n<p>Other exploits using the IDN system are a little less subtle. Some add accents to characters, or use letters from one language that look similar to those of another, in the hope that the victim won\u2019t notice. Compare the Russian \u041a with the English K, for example. 
The slightly different shape of the former might go unnoticed by an unsuspecting user.<\/p>\n<h2>Protecting the most phished country in the world \u2013 what does the future hold?<\/h2>\n<p>We\u2019ve come a long way since 2014. While GDPR presented a hurdle because it masks domain name registration information, we\u2019ve found other ways to determine domain authenticity. Even so, there are cases where local human expertise still plays a central role, and some cases need human approval. For example, \u2018caixa\u2019 means \u2018box\u2019 in Portuguese, but it\u2019s also the name of a big government bank operating in Brazil. Since we don\u2019t want to blacklist an innocent packaging or logistics company just for using the word \u2018box\u2019 in their domain name, we need a more specialized approach. In a similar case, Santander isn\u2019t only a major bank; it\u2019s also the name of a Spanish city, a province in the Philippines and a state in Colombia.<\/p>\n<p>In conclusion, our proactive approach has grown out of necessity. The traditional, reactive security methods are no longer sufficient to keep up in the race against cybercrime. 
We hope that our efforts will help the organizations and people of Brazil, and the rest of the world, keep one step ahead of cybercriminals.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In Brazil, the most phished country in the world, shooting first and asking questions later is the only way to turn the tide in the fight against cybercrime.<\/p>\n","protected":false},"author":2554,"featured_media":32254,"template":"","coauthors":[3614],"class_list":{"0":"post-31981","1":"emagazine","2":"type-emagazine","3":"status-publish","4":"has-post-thumbnail","6":"emagazine-category-endpoint-security","7":"emagazine-category-opinions","8":"emagazine-category-trends","9":"emagazine-tag-phishing"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/worlds-most-phished-country\/31981\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/secure-futures-magazine\/worlds-most-phished-country\/20095\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/secure-futures-magazine\/worlds-most-phished-country\/16360\/"}],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine\/31981","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/emagazine"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2554"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/32254"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=31981"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/coauthors?post=31981"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}