INTRODUCTION

As the first half of 2021 is now behind us, the world has recovered from the initial shock of Covid-19 and people, governments and businesses have come to terms with the idea that this will be a long-haul battle. Many of the adjustments we thought were temporary a year ago are here to stay. Sixteen months ago, ‘work form home’ was a hot new buzz word. Now it is the norm.

As in-store shopping became dangerous or impossible, the deliveries market surged. Trapped inside our homes, the bulk of commercial activity shifted to ordering online and receiving ‘no contact’ deliveries. During the first year of the pandemic Amazon sales grew 38% (Amazon quarterly earnings reports). People became dependent on deliveries for everything from food and medicine, to clothing, houseware and electronic equipment. High consumer demand for deliveries continues, even during periods when in-store shopping is again available.

The cybercriminals behind the Flubot Banker Trojan quickly exploited the increased prevalence of deliveries to sneak onto mobile phones and into bank accounts of millions of users across Europe. First appearing in March 2021, the cleverly designed and localized SMS messages perfectly mimicked legitimate messages from well-established delivery brands like FedEx, DHL and Amazon, and millions of consumers clicked. Flubot has been the main antagonist of consumer focused cyberthreats in the first half of 2021.

And unfortunately, its success has inspired more criminals to copy and tweak its tactics, so we expect to see more attacks of this type in H2.

Allot is dedicated to protecting CSPs and their customers from all types of attacks including malware, ransomware, Phishing, Trojans and more. This H1 2021 Cyber Threat Report shows how European communication service providers that partner with Allot Secure were able to block all types of cyberthreats and keep their consumer subscribers safe all year long.

KEY TAKEAWAYS

DOWNLOADERS EMERGED AS THE PREDOMINANT THREAT TO EUROPEAN CONSUMERS

  • 45% of all pre-blocks in H1 2021 were Downloaders.
  • Most of the blocks were triggered by Flubot related command and control (C&C) connection attempts.
  • Damage includes monetary loss and losing access to bank and financial accounts.

ADWARE COMPRISED 52% OF ALL DOWNLOAD BLOCKS

  • Adware infection is the cause of bothersome pop-up ads and can also slow browsing speed.
  • Can be as dangerous as other malware by redirecting users to infected pages containing downloaders or Phishing pages.

THE RISE OF C&CS

  • Since the appearance of Flubot, C&C (command and control) URLs have been on the rise for all types of malware.
  • If communication with the C&C is blocked, the malware infection is rendered harmless and isolated in the terminal.

DGA – DOMAIN GENERATION ALGORITHMS

  • Cybercriminals increasingly use domain generation algorithms to automate high-volume, high-velocity creation of new URLs to avoid detection by antivirus solutions.
  • Allot Secure proprietary DGA tool detects DGA-created domains before the first connection is made, therefore completely protecting consumer and SMB customers from damage caused by malware using this tactic.

MAIN CONSUMER MESSAGES

Allot NetworkSecure blocked cyberthreats from harming European subscribers 653,996,978 times in H1 2021.

The average percentage of customers experiencing protection events was 19% in January, then dipped slightly for most of the six-month period and began climbing again in June. The overall average for the entire period was 14%.

99% of NetworkSecure protections were via pre-blocking visits to malicious websites.

Since the appearance of Flubot during April, Downloaders increased 273% to become the most prevalent pre-blocked threat.

Adware and Trojans, together continued to accounted for 97% of total Download blocks.

% OF CUSTOMERS PROTECTED

Before digging into which categories were the most blocked during this period it is important to appreciate the percentage of customers who were protected by NetworkSecure blocking events during the first half of 2021.

On average, 14% of customers were protected each month by a blocking event in H1 2021.

January started the year off with 19% of subscribers protected from at least one cyberthreat, likely due to the holiday season and users spending more free time online. The percentages corrected by a few points for a few months, and began climbing again as the summer holiday approached.

CATEGORIES IN PRE-BLOCKED URLs

“Pre-blocks” is the name assigned to the blocks that occur before a customer loads a malicious website.

The graph shows the rise in Downloaders coincided with the appearance of Flubot malware. The most prevalent threats in this category are different C&C created using DGA to avoid being blocked. This will be explained later in the document. On average, Downloaders represented 45% of the blocks during 2021. Most of the blocks in this category were Flubot C&C connection attempts.

Flubot was the dominant threat of H1 2021. Adware maintained its high instances but nevertheless was pushed to second place, falling from 28% in 2020 to 22% in H1 2021.

Phishing, went from 51% last year to 13% in the first half of this year.

There were 653,302,981 pre-blocking events in H1. Of those, 295,673,308 blocks were Downloaders.

The majority of the Downloader category were the C&C URLs related to Flubot. These domains establish a connection between the malware and the cybercriminal, sending and receiving instructions needed to carry out all the stages of the attack.

By blocking this connection, even if the malware has infected the customer’s device, it will be rendered harmless as the malware won’t be able to carry out the additional stages of the attack.

CATEGORIES IN DOWNLOAD BLOCKS

Download blocks are the blocks performed when a user attempts (intentionally or not) to download a malicious file.

The NetworkSecure Antivirus engine detects the malicious files and blocks them from download before they can pose any danger to the user. The bulk of download blocks remained Adware and Trojans, though even they declined during the first half of 2021. Adware and Trojans rise and fall together because they work in tandem. Once a Trojan infects a user’s device it usually tries to download additional malware, usually Adware. The Adware then shows ads that can lead the victim to download yet another Trojan or Adware, continuing the vicious cycle. The rest of threats are each only single digit percentages for all malicious downloads. In this range, the most blocked threat was Malware and Spyware.

Adware (52%) and Trojans (45%) together triggered 97% of download blocks in Europe during the first half of the year.

This comes as no surprise, as most Trojans remain undetected and continue to download additional malware, mostly Adware and more Trojans, which in turn trigger more and more blocks for each additional attempt.

In H1 2021, NetworkSecure protected European Internet users from downloading malicious files 693,997 times. This number is much smaller than the pre-blocks, but the potential damage from each infected file is much greater, and many malicious files are pre-blocked before the download even begins and are therefore counted as pre-block events.

BLOCKS OVER TIME

From beginning to end, Flubot relies on numerous connections to servers controlled by the cybercriminals. The link in the initial infection SMS message is the first connection. Once downloaded onto the user device, Flubot needs to send information it finds about user payment and banking apps to an external server. When the user opens or tries to login to one of these apps, the matching overlay is sent from the server to the device to stealthily intercept the login details, which are then sent out to the cybercriminals’ server. Allot NetworkSecure blocks every connection attempt made as part of the Flubot attack. During the first three months that Flubot spread across Europe, Allot NetworkSecure blocked connection attempts associated with Flubot 261M times.

IMPORTANT BLOCKS

Flubot was by far the most widespread threat to consumers in Europe over the past few months. A Trojan is malware that disguises itself as a legitimate program to trick users into downloading it. A Banker Trojan is a special type of Trojan designed to steal money.

Flubot was spread primarily via SMS messages appearing to be from well-known shipping companies (FedEx, DHL, Amazon, etc.) The message included a link to track or coordinate delivery. This human engineering strategy took advantage of the fact that receiving packages has become such a commonplace occurrence during Covid-19 that consumers would quickly click the link on ‘auto-pilot’ without closely inspecting or carefully considering the legitimacy of the message. The app itself was also a perfect replica of legitimate company apps, so as to not raise any suspicions.

For a printer-ready version of the report, click here.