India third most targeted country by phishing campaign: Report
Mumbai: India ranked third globally and first in the Asia-Pacific region in the list of 111 countries affected by a world-wide cyberattack involving a syndicate of cybercriminals stealing passwords through a concerted phishing campaign, according to a recent report.
The research was conducted by Group-IB, a cybersecurity research firm based in Singapore. Group-IB’s researchers said that 34 Russian-speaking cybercriminals have been distributing info-stealing malware via Telegram. They steal passwords, debit and credit card details, crypto wallet data and cookie files.
An info stealer is a type of malware that collects credentials stored in browsers, including gaming accounts, email services, and social media, bank card details and crypto wallet information from infected computers, and then sends the data to the operator. After a successful attack, the scammers either obtain money using the stolen data or they sell the information on dark web markets.
The data, shared exclusively with HT, revealed that in the last two years the syndicate had stolen over 11 crore cookie files—temporary files saved by browsers—which let hackers open users' social media or banking accounts without needing their passwords.
Apart from cookie files, the cybercriminals also stole lakhs of passwords and thousands of financial login data sets from Indian users over the last two years. Over 50 million passwords were stolen in the first seven months of 2022 alone. Researchers said that the value of the stolen data and compromised card details was around USD 5.8 million in the underground market.
India saw the highest number of infected devices in the Asia-Pacific, closely followed by Indonesia, the Philippines and Vietnam. Globally, the five most frequently attacked countries in 2022 were the United States, Brazil, India, Germany and Indonesia, the report said.
“According to the analysis of Telegram groups, the stealer malware infected 19,249 devices in the last 10 months of 2021 in India, while the number grew to 53,988 in the first seven months of 2022. The hackers were able to retrieve 117,645,558 cookie files, 4,547,020 passwords, details of 4,657 bank cards and 4,428 sets of crypto wallet information,” said Ilia Rozhnov, head of the digital risk protection team in the Asia-Pacific, Group-IB.
Rozhnov added that in India, the credentials the cybercriminals collected most frequently in the last 10 months of 2021 were Amazon passwords, which made up 32% of the stolen passwords, followed by PayPal at 17%. In the first seven months of 2022, the most frequently obtained credentials were the same: Amazon at 29% and PayPal at 11%.
Calling it a ‘world tour’, Group-IB estimated that between March 1 and December 31, 2021, the cybercriminals compromised 538,000 devices globally. In the first seven months of 2022, the stealers were found to be almost twice as active, infecting over 890,000 devices in 111 countries.
Group-IB’s research showed that the campaign works on a stealer-as-a-service model, in which the malware is rented out to whoever needs it. Effectively, this means cybercriminals no longer have to create their own malware; they can simply lease it.
“Cybercriminals embed links for downloading stealers into video reviews of popular games on YouTube, into crypto mining software or NFT files on specialised forums and lotteries on social media,” Group-IB’s report said.
Globally, the cybercriminals collected 27,875,879 passwords, 1,215,532,572 cookie files, 56,779 payment records and data of 35,791 crypto wallets in the last 10 months of 2021. In the first 7 months of 2022, they stole 50,352,518 passwords, 2,117,626,523 cookie files, details of 103,150 bank cards and data of 113,204 crypto wallets.
“The popularity of schemes involving stealers can be explained by the low barrier to entry. Beginners do not need to have advanced technical knowledge as the process is fully automated and the worker’s only task is to create a file with a stealer in the Telegram bot and drive traffic to it. For victims whose computers get infected, however, the consequences can be disastrous,” said Rozhnov.