Based on the data from cybersecurity solutions firm Kaspersky, 24% of email users in the Asia Pacific received malicious spam mail, which the company blocked. Other findings on spam mail landscape were presented during Kaspersky’s cybersecurity weekend held recently.
Malicious spam is not a technologically complex attack, but when done with sophisticated social engineering techniques, it poses a severe threat to individuals and enterprises alike. These junk mails are sent out in mass quantities by spammers and cybercriminals who are looking to do one or more of the following:
- Make money from the small percentage of recipients that actually respond to the message
- Run phishing scams – in order to obtain passwords, credit card numbers, bank account details, and more
- Spread malicious code onto recipients’ computers
According to Noushin Shababa, one of the senior researchers at Kaspersky, in 2022, more than half (61.1%) of the malicious spam detected in the region targeted Kaspersky users from Vietnam, Malaysia, Japan, Indonesia, and Taiwan.
Shabab cited three main factors which cause the bulk of spam emails targeting APAC: its population, the high adoption of e-services, and the pandemic lockdowns.
The APAC region has almost 60% of the world’s population which means that there are more potential victims of scammers here compared to other parts of the world. The extensive use of online services such as online shopping and other online platforms for day-to-day activities here also makes individuals more susceptible to falling victim to scams. There is also the lingering pandemic aftermath which led to lockdowns and work-from-home set up in the region where people took their work computers home. Home networks are usually less protected from cyberattacks.
“Since 2018, the number of malicious spam mails detected by our solutions has seen a gradual decline after its peak in 2019,” Shabab said. “This, however, does not equate to our mailboxes being cleaner and safer. Our constant monitoring of the current and new Advanced Persistent Threats (APTs) operating in Asia Pacific showed that majority of these notorious threat actors use targeted phishing called spear phishing to crack into an organization’s systems.”
The most recent example of an APT targeting key entities in APAC through sophisticated malicious mails is the “Sidewinder” threat actor. Since October 2021, the Sidewinder threat actor has been using new malicious JS code with recently created C2 server domains. The attacker, also known as Rattlesnake or T-APT4, targets victims with spear-phishing emails containing malicious RTF and OOXML files.
Known for targeting military, defense, and law enforcement agencies, foreign affairs, IT, and aviation entities in Central and South Asia, Sidewinder is considered one of the most prolific threat actors monitored in the APAC region. Kaspersky experts also recently found spear-phishing documents that appear to be aimed at future targets in Singapore.
Some of the main characteristics of this threat actor that make it stand out are the sheer number, high frequency, and persistence of their attacks, and the large collection of encrypted and obfuscated malicious components used in their operations. Kaspersky experts, who have been monitoring Sidewinder since 2012, have detected over a thousand spear phishing attacks by this APT actor since October 2020.
“There are many more well-oiled APT groups like Sidewinder who are constantly upgrading their tools and tactics to target high-profile victims in APAC through believable spam and phishing emails,” Shabab said. “The implication for enterprises and government organizations here is that a single malicious email when clicked can crumble your most sophisticated defenses, and usually, APTs like Sidewinder just need one door to open, one machine to infect, and then it can hide and stay undetected for long.”
APTs target any sensitive data; one doesn’t need to be a government agency, major financial institution, or energy company to become a victim.
The major danger of APT attacks is that even when they are discovered and the immediate threat appears to be gone, the hackers may have left multiple backdoors open that allow them to return when they choose. This increases the importance of guarding mailboxes – an entry point they usually exploit to get a foothold of an organization’s networks.