The first quarter of 2022 saw Allot Secure blocking 618% more malicious URLs than the first quarter of 2021.

The threat landscape is constantly changing and while there may be fluctuations in types of threats, the long-term trend is that threats are increasing.

The beginning of the year saw a rise in banking trojans.  A banker trojan is a malicious computer program designed to gain access to privileged information from an online banking system.  We also saw malware, a fake cryptocurrency trading scam, adware, and browser hijackers.

"AllotSecure blocked 618% more malicious URLs in the first quarter of 2022 than the same period in 2021.”

Allot is dedicated to protecting CSPs and their customers from cyberattacks across their network and endpoints, providing a complete 360-degree approach. This Q1 2022 Cyber Threat Report shows how European communication service providers that partner with Allot were able to block all types of cyber threats and keep their consumer subscribers safe all year long.

This report covers January 2022 – March 2022, and reviews data in 2021, covered in our previous two reports. This report also explores how attacks have changed over the past year.

Key takeaways

Threats are on the rise

  • CSPs running Allot Secure blocked 618% more blocks in Q1 2022 than the same period in 2021.
  • In Q1 2022, CSPs running Allot Secure blocked malicious URLs 2.33 billion times and viruses 2.05 million times.
  • 2021 was the year of adware, with a significant increase in threats.

Changing threat landscape

  • Phishing blocks increased by 37% (47 million in Q1 2021 vs 64 million in Q1 2022).
  • There was a rise in banking trojans.
  • There was a decline in Q1 2022 of Flubot and Omnatuor.

Crypto scams are back!

  • In 2017, there was an explosion of crypto miners but then silence.
  • Bitcoin trojans blocks increased by 600% in Q1 2022 compared to Q1 2021
  • Crypto threats are not only focused on malware using your resources to mine cryptocurrency. Phishing pages disguised as crypto wallets or mining pools are on the rise!

Main consumer messages

  • Allot NetworkSecure blocked cyberthreats from harming European subscribers 2.3 billion times in Q1 2022, compared to 326 million times in Q1 2021.
  • Of those blocks, only 2,054,656 were viruses, making up less than 0.09% of total blocks.
  • Infections and trojans represented 98% of all virus blocks.
  • The average percentage of customers experiencing protection events was 15% in Q1 2022.

A comparative perspective

While it is easy to get distracted by minor fluctuations month over month, it is important to look at the big picture and identify key patterns.

And whoa, blocks skyrocketed when comparing early 2021 to early 2022. CSPs running Allot Secure blocked 618% more blocks in Q1 (January to March) 2022 than the same period in 2021.

 

If the second half of 2021 was the time of Flubot and Omnatuor, the first quarter of 2022 saw a decline. Could this be the end of this threat?

During Q4 2021, Omnatuor was blocked 2,497,754,516 times while during Q1 2022 It was blocked 1,648,525,881 times – this is a decline of 52%. However, this isn’t an excuse to get complacent as Omnatuor is still a frequently-occurring threat.

Flubot is also decreasing. During Q4, Flubot C&C-related domains were blocked 163,272,554 times while during Q1 2022, that number decreased by 257%, reaching 45,674,732 blocks.

Percent of customers protected

Before exploring which categories were most blocked during this period, let’s look at the percentage of customers who were protected by NetworkSecure blocking events during Q1 2022, and see how it compares to the same period over the previous year.

Pre-blocks by category

“Pre-blocks” is the name of the category assigned to the blocks that occur before a customer loads a malicious website. Pre-blocks have remained relatively stable over the past year, with some fluctuations over the past summer.

The most prevalent threat is adware, representing close to 75% of the pre-blocks.

Adware (in millions)

Adware (in millions)

While adware is often thought of as a nuisance, it poses a significant risk to users.

Adware can be easily disguised and even operate in the background, unnoted to infected users. As Wired noted, “Campaigns like adware and cryptojacker distribution can often function on legitimate infrastructure platforms like AWS, because it's difficult to distinguish their malicious activity from legitimate operations. In other recent adware campaigns, researchers have found innovations like malware that takes advantage of smartphone display and accessibility settings to overlay invisible ads that give them credit with ad networks without users even seeing anything.”

Adware opens the door for attackers to add other malicious functionality that can endanger users’ data or accounts. It is also sometimes bundled with other malicious threats. Other types of threats, such as malware, phishing, and hacking, while less frequent, also are risky. These risks may both be to users’ networks as well as their employers’ resources since individuals use their personal devices and home network to access corporate-owned resources.

After a Q4 2021 with impressive numbers, mostly due to Omnatuor, during Q1 2022 we start to see a decline.

Compared to Q1 2021, phishing blocks increased 37% (47,121,853 in Q1 2021 vs 64,384,431 in Q1 2022).

Adware and trojans remained the most blocked categories.

 

Download blocks by category

Allot Secure detects malicious files and blocks them from being downloaded before they pose any danger to the user.

Download blocks are the blocks performed when a user attempts (intentionally or not) to download a malicious file.

We again see that adware and trojans are the most blocked categories, representing more than 90% of the total monthly blocks. This is usually because one threat feeds the other. Once a trojan infects a user’s device it usually tries to download additional malware -- frequently adware.  Adware then shows ads that often lead the victim to download a trojan or another infected file.

In January 2022, Allot security researchers detected a rise in banker trojans.  A banker trojan is a malicious computer program designed to gain access to privileged information from an online banking system.

This is reflected in an increase of URLs blocked acting as a C&C of different banking trojans, such as Emotet, Trickbot, Cerberus, Joker, and Medusa. This causes the “malicious downloads” category to remain stable even if the frequency of Flubot declines.

Virus Types

In January, there was an increase in malicious downloads due to the rise in banker trojans and their usage of C&C servers.

Malicious download

In February there was an increase of 47% in C&C blocks compared to January. This is a 550% increase in March.

 

% of blocks

In Q1 2022, Allot Secure protected European Internet users from downloading viruses 2.05 million times

 

Notable attacks

Blooming of banking trojans

Beating Bian

The Bian Banking Trojan was first discovered in 2019 and then went silent for a while. However, Allot security researchers have identified a rise in this trojan, with a resurgence in November 2021 and increasing since then. The Times of India even ranked this trojan as one of the 10 most dangerous mobile banking trojans of 2021.

Bian is difficult to detect because instead of placing an overlay when detecting a banking app, it obtains the banking credentials by recording the user’s screen while avoiding direct communication with the C&C server. The criminals can decide when to retrieve the video with the banking information.

In addition to Bian, subscribers to CSPs using Allot Secure were also protected from other banking trojans.

Coper on the rise

Allot researchers identified several hundred thousand blocks of the Coper banking trojan. The Coper banking trojan was first discovered in Columbia, but it has spread to other parts of Latin America and has also been identified in Europe. Allot researchers identified thousands of cases among customers in Brazil. According to Dr. Web, Android.BankBot.Coper is spread by impersonating the official Bancolombia financial institution app using similar iconography and branding. Unsuspecting users then install the decoy app. Once the app is launched, the device is infected and, if permissions are granted, the app will then be able to take control of messages, install a keylogger, and much more.

Resurgence of Emotet

Allot researchers have also identified and blocked the Emotet malware. Emotet was described by EUROPOL, the European Union’s law enforcement agency, as the world’s most dangerous malware. They had announced that they disrupted the Emotet botnet in early January 2021.

However, Allot researchers have recently identified a resurgence in Emotet. Beginning in late 2021, the botnet has seen a resurgence. Bleeping Computer previously reported that the Conti ransomware gang is behind their revival and the Emotet botnet started to slowly recreate itself in November, seeing far greater distribution via phishing campaigns beginning in January 2022. Researchers at Check Point announced similar findings, stating that Emotet was the most prevalent malware in February 2022.

The fake cryptocurrency trading scam

Website spoofing is the act of creating a fake website to mislead visitors that the website is a different one. The website usually has a similar design as the real website.

For example, subscribers of CSPs using Allot Secure were protected from website spoofing from a popular cryptocurrency trading site, Gate.io. According to Forbes Advisor, Gate.io “supports just about the biggest selection of crypto assets of any cryptocurrency exchange” and received 4.5 stars.

The real gate.io site

The site’s popularity made it a target for a look-alike site so criminals can trick users into giving up their credentials.

The spoofed impersonated site

Allot Secure blocked millions of users from accessing the spoofed site.

The explosion of adware

This past quarter also saw a rise in adware. We saw many cases of Fyben, a type of adware, targeting devices running Android.

While Fyben is not a new threat, Allot security researchers identified that Fyben blocks increased 278% from November 2021 to January 2022.

Blocks October 2021 - February 2022

It is hard to know the origin of this increase but as it is related to gaming applications and December and January are months on which multiple games are launched, cybercriminals could use this opportunity to take those games and “inject” the malware into them. Therefore, people trying to download these games end up on a third-party store downloading the malware instead of the original game that they intended to get.

The NGINX Virus

NGINX is an open-source web server that can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. It is the most popular web server in the world, and about a third of all websites use NGINX, while over 67% of the top 10,000 websites use NGINX.

The NGINX virus is part of an online scam designed to redirect internet users to websites containing advertising content to profit from advertising revenue illicitly.  The infection originates from malware downloaded by subscribers, disguised as legitimate software.

The NGINX Virus gets its name because victims are directed to web pages containing an error message from NGINX. While this message is legitimate if you are trying to load an NGINX-based website, many users have been directed to these pages without authorization because they have been infected.

The virus directs users to websites without their permission and also changes web browser settings such as the home page and security settings. This is designed to redirect unsuspecting users to sites containing advertising, so the malicious actors can profit.

The virus can be many types of browser hijackers, ranging from browser hijackers with little effect on your browser settings all the way to extremely severe rootkit infections involving various trojans.

Allot was able to block the virus over 2 million times during Q1 2022.

The ever-changing threat landscape

While short term analysis can provide early warning for new and emerging threats, it is critical to explore long term trends. There will always be peaks and valleys in any threat landscape, and it is important to be vigilant and ready for any threat that may appear. However, comprehensive understanding comes in understanding the long-term trends, as well as how the threats behave in the wild.

As this report showed, over the past year, threats skyrocketed! CSPs running Allot Secure blocked 618% more blocks in Q1 2022 than the same period in 2021. In Q1 2022, CSPs running Allot Secure blocked malicious URLs 7.10 billion times and viruses 3.75 million times.

While it’s common for end-users to speak of “viruses” and “anti-virus solutions”, it’s clear that viruses make up only a miniscule number of threats. Viruses made up less than 0.09% of total blocks. Other threats are far more significant and damaging. For example, phishing blocks increased by 37% from Q1 2021 to Q1 2022. And, with the explosion in cryptocurrency, Bitcoin trojans blocks increased by 600% in Q1 2022 compared to Q1 2021. Crypto threats are not only focused on malware using your resources to mine cryptocurrency. Phishing pages disguised as crypto wallets or mining pools are also on the rise!

So, what’s the takeaway? Stay vigilant and stay protected.

By using a service such as Allot Secure, CSPs can keep their subscribers protected from the changing threat landscape, ensure that subscribers are protected from the latest threats, and ensure that all of their devices across their home, business, and mobile network are protected – not simply on endpoints that an app is installed – while also protecting them anywhere they are, even if they are on the go on someone else’s network.