TEMPE, Ariz. and PRAGUE, Feb. 9, 2023 — Avast, a leader in digital security and privacy, and a brand of Gen™ (NASDAQ: GEN), saw an increase in threats using social engineering to steal money, such as refund and invoice fraud and tech support scams, during Q4 of the calendar year 2022. Cybercriminals also remained active in spying and information stealing, with lottery-themed adware campaigns used as a tactic to obtain people’s contact details. Avast threat researchers also discovered zero-day exploits in Google Chrome and Windows. These vulnerabilities have since been patched. These insights are covered in the Avast Q4/2022 Threat Report. Monthly threats increased by 70.1% in Q4 compared to Q3 in the United States.
“At the end of 2022, we have seen an increase in human-centered threats, such as scams tricking people into thinking their computer is infected, or that they have been charged for goods they didn’t order. It’s human nature to react to urgency, fear and try to regain control of issues, and that’s where cybercriminals succeed,” said Jakub Kroustek, Avast Malware Research Director. “When people face surprising pop-up messages or emails, we recommend they stay calm and take a moment to think before they act. Threats are so ubiquitous today that it’s hard for consumers to keep up. It is our mission to help protect people by detecting threats and alerting users before they can do any harm, using the latest AI-based technology.”
Growth in refund and invoice fraud, and tech support scams
The Avast threat labs also saw an increase in tech support scam activity. Top affected countries include the United States, Brazil, Japan, Canada, and France. These scams often start with a pop-up window that alerts people of an alleged malware infection and urges them to call a helpline to resolve the issue. Scammers will convince the caller to set up a remote connection to their computer, opening the door to theft of personal information and money, as the criminals try to access people’s bank accounts or crypto wallets, and ask for a payment for their services.
“We recommend people ignore such pop-up messages and close the window with the escape key, or if that’s not possible, restart their computer,” advises Kroustek. “Also, never give remote access to your computer to somebody you don’t know.”
The Avast threat labs also saw an uptick in refund and invoice fraud of 14% from October to November 2022, and another increase of 22% in December. Refund fraud works in a comparable way to tech support scams, and often comes in the form of an email that looks like it was sent from a trusted company. People will receive an email including a fake receipt making them believe they were charged for a purchase they didn’t make. People are then tricked into calling a phone number, where an agent asks them to create a remote connection to their computer and open their banking account, so the person can see how the refund is done. The goal of the attacker is to steal the person’s money. In the case of invoice fraud, people, and more often businesses, receive bills for goods or services the business never ordered or received.
“To avoid invoice fraud, people need to pay close attention to invoices they receive. Fraudulent invoices often look legitimate, and people need to verify whether an order really was made, the service received, and whether the sender is truly who they pretend to be ,” said Kroustek.
Information stealing adware, remote access trojans and bots
Web-based adware was also prevalent in the quarter, not only annoying people with intrusive ads, but also trying to steal their personal data. For example, people are asked to take part in a lottery, spinning a roulette wheel to win, and are then asked to enter their contact information and pay a “handling fee” using their credit card or Google Pay or Apple Pay account. Avast researchers also saw a flood of DealPly adware, which comes as a Google Chrome extension and sends statistical and search information to the attackers. The risk to get infected by DealPly increased around the world, most significantly in the Americas, in Europe, and South and Southeast Asia.
Avast researchers saw a significant increase of 400% of the Arkei information stealer in the United States, which is known for stealing data from browsers’ autofill forms, passwords and other sources. There was also a 57% increase in people and businesses protected against AgentTesla, a strain of malware that often spreads through phishing emails to businesses and designed to steal credentials, as well as a 37% increase in RedLine stealer, which often spreads in cracked games and services, stealing information from browsers and cryptowallets.
Avast telemetry also shows that the spread of LimeRAT in the United States increased by 30% in Q4. LimeRAT is a remote access trojan capable of stealing passwords, cryptocurrencies, driving Distributed Denial of Service (DDoS) attacks and installing ransomware on a victim’s computer. It was mostly active in South and Southeast Asia and Latin America. The Emotet botnet, also a malware distributor with a wide variety of capabilities to steal information and spread malware, has evolved its technique of evading detection by antivirus software in the past few months through the use of timers to incrementally continue the payload’s execution. The Qakbot information stealer botnet has also evolved further and started using “HTML smuggling” to hide an encoded malicious script within an email attachment. For example, the threat actors have started abusing SVG images to hide malicious payloads and the code used for its reassembly.
Zero-day exploits in the wild
Two sophisticated zero-day exploits were also discovered by Avast researchers in the quarter. Avast protected its users as both were exploited in the wild. The first, CVE-2022-3723, was a type confusion in V8 and used to do a ‘get Remote Code Execution’ (RCE) against Google Chrome. Avast reported this vulnerability to Google who quickly rolled out a patch in just two days, on October 27, 2022. The second zero-day CVE-2023-21674, was an LPE vulnerability in ALPC that allowed attackers to get from the browser sandbox all the way into the Windows kernel. Microsoft patched this exploit in the January 2023 Patch Tuesday update.
In addition, the Avast Q4/2022 Threat Report from the Avast Threat Labs shares insights into spyware, and the latest in mobile banking Trojans and Trojan SMS. Avast helps protect its users from all threats covered in the report.
The Avast Q4/2022 Threat Report can be found on the Decoded blog: https://decoded.avast.io/threatresearch/avast-q4-2022-threat-report