On the International Safer Internet Day we could not fail to mention one of the most common practices of cybercriminals. There are countless phishing campaigns that come to light every day. Module 6 of C1b3rWall Academy is packed with interesting lectures, such as the one given by Nuria Prieto, Security Analyst at the CERT of the University Carlos III of Madrid. Her lecture entitled “Los #malosmalotes no descansan” aims to illustrate some of the phishing campaigns that have taken place in recent years.

Phishing is the main entry vector, as humans cannot hide themselves. We must think that the attackers are there and always be on guard.

If analyzing phishing URLs, it is important to know what we are doing. It is advisable to do it on virtual machines (or an old computer), protected environments, never use our service provider as an exit, etc. The best way to hide is to use the TOR network and a VPN is never a bad idea.

Analyzing phishing campaigns

Multanopagada and saludcastillayleons were some of the analyzed URLs, (Multanopagada) received on March 14, 2021. The worrying thing is that they were Spanish domains, and to register a domain in Spain, the Tax ID must be provided. The site from which the malware has been downloaded was also Spanish. The corresponding bodies were notified.

As of April 5, the domains were still online. The attackers were not very careful as they did not even camouflage the URL. They used either purchased (VPS) or Azure (free) machines. The URL came encoded in base 64, which usually includes the victim’s email address. If the victim wishes to access it, they can decode it, view the information, modify it and re-encode it. However, never do this by yourself as your data would stay there.

Paypal

Another campaign was a very good copy of Paypal in which the attackers told the victims that there was a problem with their account and asked us for credit card, address, phone number and even a photo of their ID card. They collected this data for future campaigns. Luckily, the FBI was investigating this case.

FarmaUtils

It distributed malware files looking for vulnerable data, such as the victims’ medical history or social security number. The domain was registered with sedoparking. This means that attackers show interest in some domains that are gaining good fame and reputation, and if they ever become free, sedoparking notifies them if they have shown interest. They acquire the domain and use it for other purposes.

As Nuria says, cybercriminals do not take breaks, and they need little investment and minimal effort to commit their crimes. Although they are difficult to prosecute, we can make it more difficult for them by using our knowledge and taking timely actions.

These are some of the most known cases. You can learn about other cases from Nuria’s conference, here is the link to it. You can also read the full article on News 365.

Posted by Juan M. Corchado

Juan Manuel Corchado (15 de Mayo de 1971, Salamanca, España) Catedrático en la Universidad de Salamanca. Ha sido Vicerrector de Investigación desde el 2013 hasta el 2017 y Director del Parque Científico de la Universidad de Salamanca. Elegido dos veces como Decano de la Facultad de Ciencias, es Doctor en Ciencias de la Computación por la Universidad de Salamanca y, además, es Doctor en Inteligencia Artificial por la University of the West of Scotland. Dirige el Grupo de Investigación Reconocido BISITE (Bioinformática, Sistemas Inteligentes y Tecnología Educativa), creado en el año 2000. Director del IOT Digital Innovation Hub y presidente del AIR Institute, J. M. Corchado también es Profesor Visitante en el Instituto Tecnológico de Osaka desde enero de 2015, Profesor visitante en la Universiti Malaysia Kelantan y Miembro del Advisory Group on Online Terrorist Propaganda of the European Counter Terrorism Centre (EUROPOL). J. M. Corchado ha sido presidente de la asociación IEEE Systems, Man and Cybernetics, y coordinador académico del Instituto Universitario de Investigación en Arte y Tecnología de la Animación de la Universidad de Salamanca e investigador en las Universidades de Paisley (UK), Vigo (Spain) y en el Plymouth Marine Laboratory (UK). En la actualidad compagina toda su actividad con la dirección de los programas de Máster en Seguridad, Animación Digital, Telefonía Movil, Dirección de Sistemas de Información, Internet de las Cosas, Social Media, Diseño e Impresión 3D, Blockchain, Z System, Industria 4.0, Gestión de Proyectos Ágiles y Smart Cities & Intelligent Buildings​, en la Universidad de Salamanca y su trabajo como editor jefe de las revistas ADCAIJ (Advances in Distributed Computing and Artificial Intelligence Journal), OJCST (Oriental Journal of Computer Science and Technology) o Electronics MDPI (Computer Science & Engineering section). J. M. Corchado desarrolla principalmente trabajos en proyectos relacionados con Inteligencia Artificial, Machine Learning, Blockchain, IoT, Fog Computing, Edge Computing, Smart Cities, Smart Grids y Análisis de sentimiento.