User-targeted hacking attempts increased by 33% - Google

Google's anti-hacker team noted that threat actors hijack websites and offer spyware-infested apps, using Telegram bots to monitor the attacks in real time.

The company's Threat Analysis Group (TAG) announced yesterday that in 2021 it sent over 50,000 warnings to targeted users. Compared to last year, attempts to target high-value accounts grew by 33%, TAG claims.

The spike, however, is attributed to an unusually large campaign from Fancy Bear, also known as APT28, a Russian actor with alleged links to state government. CyberNews researchers have listed Fancy Bear as one of the world's most dangerous state-sponsored hacker groups.

According to the statement, at any given time TAG is tracking 270 state-sponsored groups in over 50 countries. Recently an Iranian group, Charming Kitten (APT35), stood out in its attempts to compromise high-value accounts in government, academia, NGOs, national security, and journalism.

TAG claims that the group compromised a website belonging to a UK-based university in order to host a phishing kit. Malicious actors send their victims invitations to bogus webinars. Upon receiving the email, the target is asked to activate an account using their credentials. The technique shows that APT35 is not shy of going the extra mile to trick users into giving away their personal data.

TAG also discovered that the Iranian group attempted to upload spyware to the Google Play Store, masquerading it as VPN software. If installed, the app could steal call logs, text messages, contacts, and location data from devices. However, Google claims to have removed the malware before anyone could download it.

Other phishing tactics involve impersonating conference emails. APT35 sent their targets non-malicious emails pretending to represent Munich Security and the Think-20 (T20) Italy conferences. Once threat actors established initial contact, the targets would receive follow-up emails containing phishing links.

[Image: Public Telegram channel used by APT35 for attacker notifications.]

According to TAG, Charming Kitten employed Telegram for real-time operation monitoring. JavaScript embedded in a phishing site would notify the attacker once a victim loaded the page, sending a notification to a public channel.

The bot allowed the attacker to see the victim's IP address, user agent, and location. Google claims to have notified Telegram, which in turn took action to remove the bots.

Earlier this week, the US tech giant announced it is establishing the Google Cybersecurity Action Team amidst growing cybersecurity concerns. The new team will focus on cloud transition safety, threat intelligence, and advisory services.

Phishing attacks saw a staggering 34.4% increase in activity in 2020 compared to the previous year. Between January and February 2020 alone, the proportion of phishing attacks rose 510%.

Throughout 2020, the top five targets for phishing attacks were eBay, Apple, Microsoft, Facebook, and Google – household names to users and therefore most likely to garner the attention of potential victims.

The European Union Agency for Cybersecurity (ENISA) reported that malicious business email compromises (BEC) cost businesses over €26 billion last year. The FBI said that complaints on BEC and other email compromises cost $1.8 billion in 2020.
