New research from cybersecurity vendor Akamai has revealed that 12.3% of monitored devices communicated with domains associated with malware or ransomware at least once during the second quarter of 2022. This represented a 3% increase compared to Q1 2022, the firm stated, with phishing toolkits playing a key role in malicious domain-related activity. The findings are based on DNS data and Akamai’s visibility into carrier and enterprise traffic across different industries and geographies.
Increased malware, phishing, C2 domain activity detected in Q2 2022
In a blog post detailing its research, Akamai stated that, in addition to the devices it detected communicating with domains associated with malware/ransomware, a further 6.2% of devices accessed phishing domains with 0.8% accessing command-and-control (C2)-associated domains (both small increases on Q1 2022). “While this number might seem insignificant, the scale here is in the millions of devices,” the firm wrote. “When this is considered, with C2 being the most malignant of threats, this is not only significant, it’s cardinal.”
Of the potentially compromised devices and different threat categories, 63% of devices were exposed to threats associated with malware activity, 32% with phishing, and 5% with C2, Akamai added. “Access to malware-associated domains does not guarantee that these devices were actually compromised but provides a strong indication of increased potential risk if the threat wasn’t properly mitigated. On the other hand, access to C2-associated domains indicates that the device is most likely compromised and is communicating with the C2 server. This can often explain why the incidence of C2 is lower when compared with malware numbers.”
High tech, financial brands most targeted, mimicked by malicious domain activity
Akamai said that high tech and financial brands were the most targeted, abused and mimicked by malicious domain activity during Q2 2022. As for attack categorization, while the vast majority (80.7%) of campaigns were aimed at consumers, Akamai warned that the 19.3% of attacks against business accounts should not be considered marginal.
“These kinds of attacks are usually more targeted with greater potential for significant damage,” the researchers wrote. “Attacks that target business accounts might lead to a company’s network being compromised with malware or ransomware, or confidential information being leaked. An attack that begins with an employee clicking a link in a phishing email can end up with the business suffering significant financial and reputational damages.”
Phishing kits influential in increased malicious domain activity
Akamai’s research highlighted phishing kits as playing a key role in the malicious domain activity it analyzed. It tracked 290 different phishing toolkits being used in the wild in Q2 2022, with 1.9% reused on at least 72 distinct days. “Further, 49.6% of the kits were reused for at least five days, and when looking into all the tracked kits, we can see that all of them were reused no fewer than three distinct days over Q2,” the firm wrote.
The industrial creation and selling/sharing of phishing kits that mimic known brands is a driving force behind kit reuse, Akamai said. “Kits are becoming easier to develop and deploy, and the web is full of abandoned websites ready to be abused, as well as vulnerable servers and services. The growing industrial nature of phishing kit development and sales, where new kits are developed and released within hours, and the clear split between creators and users, means this threat isn’t going anywhere anytime soon.”
The Kr3pto toolkit was identified as the one most frequently used during Q2 2022, associated with more than 500 domains. Though estimated to have been created more than three years ago, Kr3pto is still highly active and effective, Akamai stated. Webmail_423, Microsoft_530, and sfexpress_93 were the next most frequently used phishing toolkits.
Malicious domains pose significant threats to businesses
Malicious domains expose businesses to threats, and security teams should consider options to help address the associated risks, Alex Applegate, senior threat researcher at DNSFilter, tells CSO. “By opening a malicious website, a user can initiate a wide range of malicious activities. Most of that malicious activity is often centered around executing some sort of code on the victim’s machine, including the installation of a malicious executable or the initiation of a script on the website that takes malicious actions against the victim machine,” he says.
Once that malicious code is successfully installed, its capabilities are limitless, putting sensitive information at risk of being stolen or damaged, he adds. “The victim machine could then be used as a waypoint to move laterally from within the network or to gain access to more secure resources (for example, compromising an external contractor’s system to gain access to the network of a Fortune 500 company),” Applegate says.
To mitigate malicious domain risks, security teams should first ensure that secure web connections are in place, along with effective end-user education about the threats of clicking any link or visiting any URL that comes from an untrusted source or was otherwise unsolicited. “Additionally, there are several well-known domains managed by third-party companies that can automatically check for misspellings, character substitutions, and other homoglyphs, as well as cyber threat intelligence services, both open-source and commercial, that distribute lists of websites used for phishing, business email compromises, and other malicious activity,” says Applegate.
Beyond the URL itself, a healthy network and endpoint monitoring plan can detect many of the most troublesome threats, Applegate says. “It is important that checking for process injection, permissions escalation, opening network ports, writing to system files, exfiltration of large files, and unexpected copying of files to multiple systems are all captured and audited – and of course, always maintain and verify full off-site backups of all critical data.”
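Two of the ideas above, Akamai's split of device exposure into malware, phishing and C2 domain categories (with C2 contact treated as a much stronger compromise signal than malware-domain contact) and Applegate's advice to check queried domains for misspellings and homoglyphs and against threat-intelligence blocklists, can be combined into a small DNS-log triage routine. The following is an added example written for this article, not code from Akamai, DNSFilter or CSO; the threat feed, the protected-brand list, the confusable-character table and the log lines are all constructed for illustration, and the "registrable label" logic simply takes the label left of the last one rather than consulting a public-suffix list.

```python
"""DNS-log triage (added example, not Akamai's or DNSFilter's code).

Reads DNS query log lines, matches each queried name against categorized
threat-intel lists (malware / phishing / C2), flags look-alike domains of
protected brands (homoglyph and typosquat checks), and rates each device.
Every domain, list and log line below is constructed for illustration.
"""
from collections import defaultdict

# Constructed threat-intel feed; the .example TLD is reserved and never resolves.
THREAT_FEED = {
    "malware": {"update-cdn.example", "dl-files.example"},
    "phishing": {"secure-login.example", "mail-verify.example"},
    "c2": {"beacon.example"},
}

# Hypothetical protected brands and the domains they legitimately own.
LEGIT_DOMAINS = {"paypal.com", "microsoft.com", "akamai.com"}
BRANDS = {d.split(".")[0] for d in LEGIT_DOMAINS}

# Characters commonly swapped in for Latin letters (digits and Cyrillic
# look-alikes), mapped back to the letter they imitate.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def registrable_domain(qname):
    """Last two labels, lower-cased (simplification: no public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def registrable_label(qname):
    """Label left of the TLD, with punycode (xn--) labels decoded to Unicode."""
    label = registrable_domain(qname).split(".")[0]
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")
    return label


def normalize(label):
    """Map confusable characters back to the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(qname):
    """Return the brand a domain imitates (after normalization and a one-edit
    tolerance), or None if it is a legitimate brand domain or no match."""
    if registrable_domain(qname) in LEGIT_DOMAINS:
        return None
    label = normalize(registrable_label(qname))
    for brand in BRANDS:
        if edit_distance(label, brand) <= 1:
            return brand
    return None


def classify(qname):
    """Set of threat categories a queried name triggers (may be empty)."""
    domain = registrable_domain(qname)
    hits = {cat for cat, domains in THREAT_FEED.items() if domain in domains}
    if lookalike_brand(qname):
        hits.add("lookalike")
    return hits


def triage(log_lines):
    """Per-device verdict plus the share of devices touching each category.
    Log format (constructed): '<timestamp> <client_ip> <queried_name>'."""
    per_device = defaultdict(set)
    for line in log_lines:
        _ts, client, qname = line.split()
        per_device[client] |= classify(qname)
    verdicts = {}
    for client, cats in per_device.items():
        if "c2" in cats:
            verdicts[client] = "likely compromised"  # talking to a C2 server
        elif cats:
            verdicts[client] = "at risk"             # exposure, not proof of compromise
        else:
            verdicts[client] = "clean"
    total = max(len(per_device), 1)
    share = {cat: sum(cat in c for c in per_device.values()) / total
             for cat in ("malware", "phishing", "c2", "lookalike")}
    return verdicts, share


# Constructed sample log; the last line queries a Cyrillic-o "microsoft" in
# punycode form, as a resolver would log an IDN query.
SAMPLE_LOG = [
    "2022-06-01T10:00:00Z 10.0.0.5 update-cdn.example",
    "2022-06-01T10:00:03Z 10.0.0.5 www.paypal.com",
    "2022-06-01T10:01:00Z 10.0.0.7 paypa1.com",
    "2022-06-01T10:02:00Z 10.0.0.8 beacon.example",
    "2022-06-01T10:02:30Z 10.0.0.8 dl-files.example",
    "2022-06-01T10:03:00Z 10.0.0.9 www.microsoft.com",
    "2022-06-01T10:04:00Z 10.0.0.10 mail-verify.example",
    "2022-06-01T10:05:00Z 10.0.0.11 " + "micr\u043esoft.com".encode("idna").decode("ascii"),
]

if __name__ == "__main__":
    verdicts, share = triage(SAMPLE_LOG)
    for client, verdict in sorted(verdicts.items()):
        print(f"{client:<12} {verdict}")
    print({cat: f"{pct:.1%}" for cat, pct in share.items()})
```

The verdict logic mirrors the article's reading of the numbers: a hit on a C2 domain is treated as a probable compromise, while a hit on a malware or phishing domain, or on a brand look-alike, only raises the device's risk. In production the constructed feed would be replaced by a commercial or open-source blocklist, the look-alike check would use a public-suffix list and a fuller confusables table, and verdicts would feed the endpoint checks Applegate lists (process injection, privilege escalation, new listening ports) rather than stand alone.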
As for addressing the phishing toolkit reuse highlighted in Akamai’s research, Or Katz, principal lead security researcher at Akamai, tells CSO that more action is needed to better track emerging campaigns and eliminate them quickly and effectively, “using ongoing threat intelligence associated to IP addresses or ASN reputation, new domains being registered, or seen in the wild.”