Allot is dedicated to protecting networks and their users from all types of attacks including malware, ransomware, phishing attacks, cryptojacking and more. This report is meant to be a knowledge tool in your arsenal against the cybercriminals whose goal is to disrupt your business and take advantage of your customers.

All threats presented in this report were stopped by the Allot solutions that are implemented across Europe

The data presented in this report is based on malware and other types of attacks that Allot NetworkSecure detected and blocked over the second three months of the year (Q2 2020). It is notable that all of the events presented in this report were, in fact, stopped by the Allot solutions that are implemented amongst a considerable number of communication service providers in Europe of various sizes from local to multi-national tier one players. In
a time when businesses are experiencing radical interruptions resulting from the Coronavirus pandemic, cybercriminals have been ramping up their attacks, targeting people when they are more vulnerable to scams and other crimes. We have added an additional section to this report that describes these new threats.

KEY HIGHLIGHTS

  • On average, among security subscribers across Europe, 30% needed to have cyberattacks prevented. 41% in April, then down to 18% in June. The reduction may reflect “getting back to normal” as Europe adjusts the new COVID-19 reality.
  • Total Pre-blocks* in Europe: 496,690,584
  • Main Pre-blocked* URLs across Europe: Phishing reached over 60% in June, up from 23% in Q1. Adware Only declined from 31% to 28% in Q2.
  • Blocked downloads: Adware Only and Infection Only remain constant during the whole period.
  • The main blocked download categories during the Q2 were Adware Only (51%) and Infection Only (42%). Together representing more than 93% of the blocking events during this period.
  • The coronavirus outbreak has introduced new types of threats. The
    confinement has caused us all to spend more time online, therefore also
    increasing exposure to all threats and increased likelihood of cyberattack.
  • In addition to threats related to Coronavirus, multiple new threats
    emerged during this period. These threats may seem harmless (Adware
    Only) or have a “short lifespan (Phishing), but this could change in the
    future.

MAIN TAKE-AWAYS

WHAT ARE THE KEY MESSAGES THAT CAN BE COMMUNICATED TO CUSTOMERS?

PHISHING is the predominant type of website attack in Europe

  • Increased from 23% in Q1 to 55% in Q2.
  • A longtime favorite of cybercriminals – as Europe was hit by Coronavirus, they further increased these types of threats.
  • Phishing can result in monetary loss, and stolen personal data and
    account credentials. Phishing websites often look exactly like real
    website and can be very difficult to detect.

ADWARE is the second most important type of threat, estimated around 30% of total threats blocked in Europe

  • More advertisements may seem like just a nuisance, but adware also damages sense of privacy and quality of experience due to slow browsing.
  • Adware can include redirects to infected pages that contain downloaders, malware or phishing.

Coronavirus threats are here to stay

  • Cybercriminals will use anything to bypass the security awareness of their potential victims. The virus didn’t disappear so neither did the threats related with it. Is important to only trust official sources of information

Don’t let your guard down!

  • The Coronavirus situation increased the number of threats and cybercriminal activities. Even if the numbers drop, users should not think its ok to be less vigilant. The summer holiday period also used by cybercriminals use to trick user out of their money, so it is important to stay alert.
  • The Champions League (football competition) is around the corner.
    It is a major event; therefore it will be used by cybercriminals to
    disguise their threats (mostly Phishing and download of virus).

% OF CUSTOMERS PROTECTED

Before digging into which categories were the most blocked during this period it is important to take a look into the % of customers protected by Allot services during the second quarter of 2020.

European Clients Protected Monthly Chart

Allot customers in Europe can be counted in the tens of millions. The graphs shows, in Q2 the average clients protected doubled from 15% in Q1 to 30% in Q2.

It is important to highlight that this percentage is calculated using the security subscribers and not the customer base of the CSPs.

April was the most active month for the cybercriminals. The Coronavirus situation was at its peak during April and practically all of Europe was confined to their homes. This increased the overall time spent online. Therefore the chance of visiting a malicious URL or downloading a virus also increased

After April, the % of customers protected returned to levels observed during Q1. As we mentioned in the previous report, the Coronavirus crisis had a significant impact in terms of threats blocked. The situation is not over yet so this number could increase again in Q3.

CATEGORIES IN PRE-BLOCKED URLs

A “Pre-blocked” URL is the name assigned to the blocks that occur before a customer loads a malicious website. Based on Allot’s European data, the distribution per preblock category (in percentage terms) during the second
quarter of 2020 was the following:

Pre Blocked URL Categories

In the previous quarterly report Allot saw that Phishing accounted for approximately 35% of pre-blocked URLs, but due to the increased time spent online during the coronavirus confinement, Phishing increased to around 67%.

The other main category during this quarter was Adware Only, which had similar percentages as in the previous report (29%).

These are the same categories that were the most blocked during March, at the very moment that the Coronavirus situation started, so its expected that Adware Only and Phishing will be the top categories.

The rest of the categories are between 1% and 7% each.

Total Pre Blocked URLs Q2 2020

Phishing was the most blocked category among Allot’s European customers. It represented 55% of total blocks during Q2. It doubled its numbers compared to the Q1 where it represented 23%.

Adware only is the second most blocked category with a 28% of total blocks.

As people spent most or all of their time at home due to the confinement situation, they had more
time to use the internet and, therefore, these two threats (which are the most common) increased significantly.

Two of the most important URLs related to Phishing were trk.appittech.com and bretterichardson.com. These URLs are activated dynamically and during periods of activation are known to cause redirects that trigger a high amount of blocks.

The cause of the amount of blocks in the Adware Only category is due to multiple URLs categorized as Adware.

Downloaders remain the third most blocked category in terms of Pre-blocked URLs but its percentage decreased from 18% to 6%.

CATEGORIES IN DOWNLOAD BLOCKS

Download blocks are the blocks performed when the victim downloads (intentionally or not) a malicious file. This detection is heuristic and done through different antivirus tools.

The following graph represents (in percentage terms) the most blocked categories for Allot’s European customers during the second quarter of this year.

Similar to pre-blocked URLs, download blocks are also dominated by Adware Only, continuing the trend from Q1.

The second most blocked category for Q2 was Infection only, remaining constant during the whole period. The “infection only” category includes Trojan viruses.

Download Blocks Categories Chart

Other Malware and Root privileges were the next most prevalent download
block categories. At the beginning of Q2 Spyware levels were high but
decreased over time to 1% of blocks.

TOTAL DOWNLOAD BLOCKS DURING Q2 2020

There is a significant difference between the most blocked categories and the
rest. The top two categories represent more than 90% of blocks.

Total Download Blocks Q2 2020 Pie Chart

The most blocked category during the first quarter of this year was Adware Only, representing 51% of events registered across Europe during that period-continuing the trend seen at the end of the previous quarter. This is due to the multiple Adware viruses Allot blocked in Q1 2020 that remained active
during Q2 and a surge of new ones. Again, increased time spent online increased the likelihood of being redirected to websites hosting this type of virus.

Usually, Adware software is bundled with free programs downloaded from the internet or even pre-installed in certain apps. This makes Adware one of the easiest types of viruses to spread.

The second most blocked category is Infection Only. Rates of occurrence remained similar to the previous quarter because of the significant number of Trojan viruses detected during this period.

CORONAVIRUS RELATED BLOCKS

The use of Coronavirus as bait to trick victims started In March 2020 and has continued affecting customers online. One of the latest (and most dangerous) Trojans is the Ginp banking Trojan. Its main target are Spanish customers.

This Trojan imitates the Spanish government page. After installation, it requests activation of accessibility services, then sends info about all launched apps to the attacker’s server. Ginp is a banking Trojan. So as soon as the virus detects that the victim is using a banking app, it will use an overlay attack to trick the victim into providing personal information and capture
two-factor authentication details.

Once the app is installed in the terminal it needs to contact the following domain to download the malicious instructions:

Declinebeauty.top – 1,123,865 blocks

IMPORTANT BLOCKS

In addition to the Ginp Trojan, these important threats were blocked during this quarter:

THREAT - 217.8.117.15

Disguised as a Google update. This Banking Trojan steals bank account information

BLOCKS - 733,455

THREAT - mnexuscdn.com

Hosts a dangerous Clicker Trojan. Once inside the device, it will click on ads and subscribe to premium services

BLOCKS - 809,557

THREAT - bretterichardson.com

Phishing page that was the result of redirects due to a previous infection in the device or by another website

BLOCKS - 38,556,073

 

"...Cybercriminals are using the fear created by the Coronavirus crisis to decrease the security awareness of victims."

Juan Antonio Latasa,
Security Marketing Director, Allot