Exploiting the Ukraine crisis – Donation scams and malspam

Cybercriminals have been exploiting our anxieties and insecurities to deceive, defraud and dupe since the early days of the pandemic, and the Russia-Ukraine conflict is the latest crisis to be turned into bait. In Singapore, for instance, scammers built false narratives around vaccinations during last year's vaccine rollout to trick consumers into clicking dubious links and visiting fake pages that harvest personal data.

People remain the weakest link inside organisations, and social engineering has been part of the cybercrime playbook for a long time. Cybercrime now accounts for almost half of all crime in Singapore, and online scams have grown exponentially. Recent incidents such as the SMS phishing campaigns targeting bank customers in Singapore show that fraudsters will exploit any situation to deceive and steal.

The following are some of the ways we’ve observed cybercriminals take advantage of compassionate people to harvest money and credentials.

No trap for these RATs

Malspam was among the first campaigns to use the crisis as clickbait. Disguised as urgent emails about supply chain disruption, these campaigns lured targets into opening attachments that installed Agent Tesla, a remote access trojan (RAT) sold on a malware-as-a-service basis.

RATs are insidious because they do more than steal or alter data: once a device is compromised, the operator can control it remotely. Agent Tesla in particular logs keystrokes, captures screenshots and harvests saved credentials from browsers and email clients, then exfiltrates them to the attacker. Because victims are unaware of its presence, locating and removing it can be difficult, even with antivirus software. Agent Tesla samples are also continually repacked and obfuscated, so signature-based detection often lags behind new variants, making it a danger to organisations both large and small.

These campaigns lean on urgency; other social engineering lures work on fear or curiosity instead. Whether on work or personal devices, individuals should be wary of unfamiliar or unsolicited emails and should inspect unusual attachments (file type, sender, whether the message was expected) before downloading or opening them. At the corporate level, because over 90% of malware must touch DNS to enter or leave a network, DNS query logs are one of the richest places to hunt: newly seen, lookalike or algorithmically generated domains stand out there long before a payload is identified, so DNS security can help security teams accelerate threat hunting.

Cryptic Ukrainian support 

When the crisis erupted in late February, a wave of public sympathy turned towards Ukraine. A flurry of sites emerged soliciting donations for Ukraine, and the Ukrainian government itself requested donations in cryptocurrency on Twitter.

Seeing this support and concern, cybercriminals immediately pivoted to fraudulent relief campaigns. These social-engineering campaigns exploit the crisis for personal gain, siphoning well-meaning donations into the scammers' own pockets.

Further complicating matters is the emergence of decentralised autonomous organisations (DAOs), which use a blockchain for transparency and record-keeping. Many such DAOs are legitimate, such as UkraineDAO (LOVE), which raised over US$8 million in a month for Ukraine. However, ongoing domain analysis has uncovered fake DAOs whose names and sites look remarkably like those of valid relief campaigns. These DAOs have no credible ties to any relief effort and exist only to pilfer cryptocurrency, benefiting from the fact that a cryptocurrency donation is irreversible and the recipient is pseudonymous.
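The DNS threat-hunting point made earlier and the domain analysis that surfaced the fake DAOs come down to the same check: which of the names your users resolved are near-copies of a domain you trust? The following is an added example, not code from the original article or from any vendor: a small triage script that parses constructed DNS query log lines, normalises confusable characters (1 for l, 0 for o, rn for m, dropped hyphens), and flags names that are within a small edit distance of a vetted donation domain, embed a trusted brand in a longer name, or are punycode (IDN) labels. The allowlist, the `.example` domains, the log format and the thresholds are all hypothetical; real code would use the Public Suffix List rather than "last two labels" to find the registered domain.

```python
"""Lookalike-domain triage over DNS query logs (added example; all data constructed)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical allowlist of donation domains the organisation has vetted (not real domains).
KNOWN_GOOD = {"ukrainerelief.example", "donate-ukraine.example", "helpukraine.example"}

# Characters scammers swap for visually similar ones; normalised away before comparing.
SINGLE_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))
DISTANCE_THRESHOLD = 2  # assumed: edits at or below this count as a lookalike

# Assumed log format: "<timestamp> <client-ip> <qtype> <qname>" (not a specific vendor's format).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")

# Constructed sample queries, including a 1-for-l swap, a dropped hyphen, a transposition,
# a brand embedded in a longer name, a punycode label and an unrelated name.
SAMPLE_LOG = [
    "2022-03-01T09:14:02Z 10.0.0.21 A ukrainerelief.example",
    "2022-03-01T09:14:30Z 10.0.0.21 A ukrainere1ief.example",
    "2022-03-01T09:15:11Z 10.0.0.34 A donateukraine.example",
    "2022-03-01T09:15:40Z 10.0.0.34 A ukrainereleif.example",
    "2022-03-01T09:17:00Z 10.0.0.50 A www.helpukrainenow.example",
    "2022-03-01T09:18:12Z 10.0.0.50 A xn--ukrainerelief-abc.example",
    "2022-03-01T09:19:05Z 10.0.0.77 A cdn.example-news.example",
]


@dataclass
class Finding:
    ts: str
    client: str
    qname: str
    verdict: str            # known_good | punycode | lookalike | unrelated
    closest: Optional[str]  # nearest allowlisted domain, when one applies
    distance: Optional[int]


def registered_domain(qname: str) -> str:
    """Last two labels of the name (simplification; use the Public Suffix List in practice)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def normalise(domain: str) -> str:
    """Collapse confusable characters and hyphens so visually similar names compare equal."""
    d = domain.lower().translate(SINGLE_CONFUSABLES).replace("-", "")
    for pattern, repl in MULTI_CONFUSABLES:
        d = d.replace(pattern, repl)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) by the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(qname: str) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (verdict, closest allowlisted domain, normalised edit distance) for one query name."""
    if any(label.startswith("xn--") for label in qname.lower().split(".")):
        return "punycode", None, None  # IDN label: render and inspect before trusting it
    reg = registered_domain(qname)
    if reg in KNOWN_GOOD:
        return "known_good", reg, 0
    norm = normalise(reg)
    candidates = []
    for good in KNOWN_GOOD:
        good_norm = normalise(good)
        dist = levenshtein(norm, good_norm)
        # Either nearly identical after normalisation, or the trusted brand is embedded
        # inside a longer second-level label (helpukraine -> helpukrainenow).
        embedded = good_norm.split(".")[0] in norm.split(".")[0]
        if dist <= DISTANCE_THRESHOLD or embedded:
            candidates.append((dist, good))
    if candidates:
        dist, good = min(candidates)
        return "lookalike", good, dist
    return "unrelated", None, None


def triage(lines: List[str]) -> List[Finding]:
    """Parse log lines and classify each query; malformed lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        verdict, closest, dist = classify(rec["qname"])
        findings.append(Finding(rec["ts"], rec["client"], rec["qname"], verdict, closest, dist))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        if f.verdict != "known_good":
            print(f"{f.ts} {f.client} {f.qname}: {f.verdict}"
                  + (f" (closest {f.closest}, distance {f.distance})" if f.closest else ""))
```

Two things to note when adapting this: a distance of 0 after normalisation against a name that is not on the allowlist (the 1-for-l and dropped-hyphen cases above) is the strongest signal and deserves a block or an alert of its own, and the brand-embedding rule will also catch legitimate partner or regional sites, so treat it as a hunting lead to be reviewed rather than an automatic block.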

These campaigns show how hard it can be for the average consumer to tell legitimate activity from malicious activity. Beyond absconding with the donations, cybercriminals can harvest personal information and credit card details from the fake donation form, or use the page to deliver malware.

Prevention is better than cure 

Cybercriminals will always adapt their tactics to stay a step ahead of precautions, so healthy suspicion is warranted whenever an unexpected email or text message arrives, and when browsing. Organisations should also step up awareness training for employees to keep their networks, browsers and devices malware-free.

When it comes to donating, individuals should think twice before sharing sensitive payment information. Be on guard for unfamiliar payment services and for redirects to unknown third-party websites, and for cryptocurrency donations take the wallet address from the charity's official channels rather than from a link or QR code in a message, since a transfer to the wrong address cannot be reversed.

The volatility of today's geopolitics and the long-drawn pandemic have exposed weaknesses that cybercriminals are eager to exploit. Practising good cyber hygiene will be key to limiting losses in this modern cat-and-mouse game.