A KnowBe4 Threat Lab publication
Authors: Martin Kraemer, Jeewan Singh Jalal, Anand Bodke, and James Dyer
EXECUTIVE SUMMARY: We observed a 98% rise in phishing campaigns hosted on Russian (.ru) top-level domains (TLDs) from December 2024 to January 2025, primarily used for credential harvesting.
These .ru domains are hosted by so-called “bullet-proof” hosting providers, which are known to keep malicious domains online and to ignore abuse reports, making them ideal for cybercriminals.
Many of the phishing emails that we identified and investigated had passed through one or more security products, including Exchange Online Protection, Barracuda Email Security Gateway, Mimecast and Cisco IronPort, before reaching the inbox.
KEY FINDINGS
- 98% increase in phishing sites using .ru TLDs from December 2024 to January 2025
- 1,500 unique .ru domains identified as part of the campaign
- 377 new domains registered with the “bulletproof” registrar R01-RU
- More than 13,000 malicious emails referencing these domains were reported
- 2.2% of observed emails from .ru domains were phishing emails
- 7.4 days average age of a .ru domain at the time it was used
.ru Phishing Attack Example:
The main goal of the attackers appears to be credential harvesting: they use QR codes, automatic redirects and multi-level embedded attachments to lead potential victims to phishing websites.
In the example below you can see the attacker using social engineering tactics, such as presenting the email as coming from Accounting about remittance details, to entice the recipient to click the link inside the attachment. Embedding the malicious link in the attachment rather than in the message body makes it harder for legacy technologies (such as SEGs that rely heavily on signature-based detection of URLs in the body) to identify the link.
Screenshot of a phishing email that includes a malicious link embedded within an attachment
If the recipient clicks the link, they are taken to a spoofed Microsoft landing page used for credential harvesting. The URL shows that the page is hosted on a Russian TLD, which is explained in more detail below.
Screenshot of a credential harvesting page hosted on a .ru domain
We observed the increased use of .ru domains across multiple industries, with attackers primarily targeting these five: Business and Economy (36.09%), Financial Services (12.44%), News & Media (8.27%), Health and Medicine (5.6%), and Government (4.51%). We expect this trend to continue through Q1 2025, with possible escalation in both the sophistication and the volume of attacks.
“BULLET-PROOF” HOSTING ON RUSSIAN DOMAINS
In this campaign, cybercriminals have used “bullet-proof” hosting providers, a term for services that deliberately ignore abuse reports, operate in jurisdictions with little to no international law enforcement cooperation, and offer customers a high level of anonymity. In these regions cybercrime laws are often weak, enforcement is lacking, or political barriers prevent takedown operations. This allows attackers to run large-scale campaigns with minimal risk.
A notable trend we have recently observed is the shift to Russia-based top-level domains (.ru, .su, .рф), which offer these qualities. Many Russian domain registrars have lax registration policies, allowing attackers to use fake identities or proxy registration services to hide ownership details. The domains are often combined with fast-flux DNS techniques: the A records behind a name change IP address frequently and carry short TTLs, so IP-based blocklists go stale almost as soon as they are published.
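The fast-flux behaviour described above shows up in passive DNS as a name that answers with many distinct addresses, spread across many network prefixes, at short TTLs. The following is an added example, not KnowBe4 code or campaign telemetry: it scores constructed DNS observations with that three-part heuristic. The host names, addresses (private 10.x space standing in for public addresses) and thresholds are all made up for illustration.

```python
"""Fast-flux heuristic over passive-DNS observations (constructed data, not campaign telemetry)."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsObservation:
    ts: int      # Unix time of the resolution
    name: str    # queried FQDN
    ip: str      # A record returned
    ttl: int     # TTL advertised with the answer


# Constructed observations. The stable host keeps one address for an hour; the flux host
# answers with a new address in a new /24 every five minutes at a 120-second TTL.
# Private 10.x addresses stand in for the public addresses real passive DNS would hold.
OBSERVATIONS = [
    DnsObservation(0, "www.stable.example", "192.0.2.10", 3600),
    DnsObservation(1800, "www.stable.example", "192.0.2.10", 3600),
    DnsObservation(3600, "www.stable.example", "192.0.2.11", 3600),
] + [DnsObservation(i * 300, "login.flux.example", f"10.{i}.0.1", 120) for i in range(12)]


def flux_features(name: str, observations: list[DnsObservation], window: int = 3600) -> dict:
    """Fast-flux indicators for `name` over the busiest `window`-second span: number of distinct
    A records, number of distinct /24 prefixes they fall in, and the smallest TTL seen."""
    obs = sorted((o for o in observations if o.name == name), key=lambda o: o.ts)
    if not obs:
        raise ValueError(f"no observations for {name}")
    best = {"distinct_ips": 0, "distinct_prefixes": 0, "min_ttl": None}
    for i, first in enumerate(obs):
        span = [o for o in obs[i:] if o.ts - first.ts <= window]
        ips = {o.ip for o in span}
        if len(ips) > best["distinct_ips"]:
            best = {
                "distinct_ips": len(ips),
                "distinct_prefixes": len({ip_network(f"{o.ip}/24", strict=False) for o in span}),
                "min_ttl": min(o.ttl for o in span),
            }
    return best


def is_fast_flux(features: dict, min_ips: int = 5, min_prefixes: int = 3, max_ttl: int = 300) -> bool:
    """All three indicators must fire. Thresholds are illustrative; a large CDN or a DNS round-robin
    pool can legitimately show many addresses, so treat a hit as an enrichment signal, not a verdict."""
    return (features["distinct_ips"] >= min_ips
            and features["distinct_prefixes"] >= min_prefixes
            and features["min_ttl"] is not None and features["min_ttl"] <= max_ttl)


if __name__ == "__main__":
    for host in ("www.stable.example", "login.flux.example"):
        f = flux_features(host, OBSERVATIONS)
        print(host, f, "FAST-FLUX" if is_fast_flux(f) else "stable")
```

The practical consequence for defenders is the one the article draws: block and monitor on the domain name, not on the IP addresses it resolved to yesterday.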
These emails have successfully evaded detection by native and legacy email security tools using various techniques, including:
- Embedding redirect links that exploit the reputation of legitimate websites, so the URL visible to the gateway belongs to a trusted domain
- Using QR codes within attachments to bypass secure email gateways (SEGs), since the destination URL exists only as an image
- Employing multi-layered HTML attachments with embedded redirects (meta refresh or JavaScript) rather than a visible link in the message body
- Leveraging polymorphic URLs, which are difficult for rule-based systems to detect
- Using dynamically generated URLs that constantly change, making detection even more challenging
MITIGATION RECOMMENDATIONS:
Organizational Measures:
- Improve user awareness of .ru domain-based phishing through personalized training for highly targeted users (identified via threat trends and risk scores).
- Leverage intelligent anti-phishing technology that is able to detect advanced threats.
- Review and update incident response procedures.
- Implement additional verification for high-risk transactions.
Manual Security Policies:
- Consider blocking all .ru TLD access unless business-critical; note that this does not stop a lure whose first hop is a legitimate redirector, so pair it with URL-following inspection
- Implement strict DMARC/SPF/DKIM policies (an enforcing DMARC policy of p=reject or p=quarantine, not monitor-only p=none)
- Enhance monitoring of interactions with .ru domains
- Implement enhanced email filtering for .ru domains
- Update blocklists to include newly identified malicious domains
Technology Requirements:
- Contextual analysis (the example above has an empty body, carries an attachment and originates from an external domain, a combination that should be treated as suspicious)
- Linguistic analysis for attacks containing text, to detect the linguistic markers of phishing
- Time-of-click analysis of the link, to catch URLs that are weaponized only after delivery
- Metadata inspection, identifying that the sender email address does not match the display name
- Holistically “putting all this together” to identify a sophisticated phishing email
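The detection points in the lists above (a redirect hidden in an HTML attachment, a destination nested behind a reputable redirector, a Russian TLD, an empty body plus an attachment from an external sender, a display name that does not match the sender address, a very young domain, and a .ru block with a business-critical allowlist) can be combined in one triage pass over the raw message. The following is an added example and not KnowBe4 code: the .eml, the domains, the registration date and the 30-day age threshold are constructed, and REGISTRATION_DATES stands in for a WHOIS/RDAP lookup. QR-code lures are out of scope here because decoding them needs an image library.

```python
"""Triage an email whose phishing link is hidden in an HTML attachment (constructed sample)."""
import re
from datetime import date
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed message in the shape the article describes: blank body, an HTML attachment
# that redirects to a credential page on a .ru host. All domains are placeholders.
SAMPLE_EML = """\
From: "Accounting <accounting@victim.example>" <invoice@mailer-example.com>
To: finance@victim.example
Subject: Remittance details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

--B
Content-Type: text/html; name="remittance.html"
Content-Disposition: attachment; filename="remittance.html"

<html><head>
<meta http-equiv="refresh" content="0;url=https://sso-login-example.ru/auth">
<script>window.location='https://sso-login-example.ru/auth';</script>
</head><body>
<a href="https://legit-redirector.example/r?u=https%3A%2F%2Fsso-login-example.ru/">view</a>
</body></html>
--B--
"""
REGISTRATION_DATES = {"sso-login-example.ru": date(2025, 1, 20)}  # stand-in for WHOIS/RDAP (constructed)
RUSSIAN_TLDS = {"ru", "su", "xn--p1ai"}  # xn--p1ai is the punycode form of .рф


class LinkExtractor(HTMLParser):
    """Collect every navigation target: anchors, meta refresh, and JavaScript location writes."""
    META_REFRESH = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)
    JS_REDIRECT = re.compile(r"(?:window\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "area") and a.get("href"):
            self.urls.append(a["href"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = self.META_REFRESH.search(a.get("content") or "")
            if m:
                self.urls.append(m.group(1))

    def handle_data(self, data):
        self.urls.extend(self.JS_REDIRECT.findall(data))  # <script> bodies arrive here


def unwrap_redirects(urls):
    """Yield each URL plus any URL smuggled inside its query string (open-redirector pattern)."""
    for u in urls:
        yield u
        for values in parse_qs(urlparse(u).query).values():
            yield from (v for v in values if v.lower().startswith(("http://", "https://")))


def host_and_tld(url):
    host = (urlparse(url).hostname or "").encode("idna").decode("ascii")  # .рф -> xn--p1ai
    return host, host.rsplit(".", 1)[-1]


def domain_age_days(host, today):
    """Days since registration, or None if unknown. Simplification: the last two labels are
    taken as the registrable domain; production code should use the Public Suffix List."""
    created = REGISTRATION_DATES.get(".".join(host.split(".")[-2:]))
    return (today - created).days if created else None


def triage(raw, org_domain, today, allowlist=frozenset()):
    """Return human-readable findings for one message; an empty list means nothing fired."""
    msg = message_from_string(raw, policy=policy.default)
    display, sender = parseaddr(str(msg["From"]))
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""
    attachments = list(msg.iter_attachments())
    if sender.rpartition("@")[2].lower() != org_domain and attachments and not body_text:
        findings.append("blank body with attachment from external sender")
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)  # address-looking display name
    if shown and shown.group(0).lower() != sender.lower():
        findings.append(f"display name shows {shown.group(0)} but sender is {sender}")
    urls = []
    for part in attachments:
        if part.get_content_type() == "text/html":
            ex = LinkExtractor()
            ex.feed(part.get_content())
            urls += ex.urls
    seen = set()
    for url in unwrap_redirects(urls):
        host, tld = host_and_tld(url)
        if tld in RUSSIAN_TLDS and host not in allowlist and host not in seen:
            seen.add(host)
            findings.append(f"link to Russian-TLD host {host}")
            age = domain_age_days(host, today)
            if age is not None and age < 30:
                findings.append(f"{host} was registered only {age} days ago")
    return findings


def run_sample(allowlist=frozenset()):
    return triage(SAMPLE_EML, org_domain="victim.example", today=date(2025, 1, 27), allowlist=allowlist)


if __name__ == "__main__":
    for finding in run_sample():
        print("-", finding)
```

Note what the body-only view of this message would give a signature-based gateway: an empty text part and an attachment. The destination only appears once the attachment is parsed as HTML and the redirector's query string is unwrapped; the Russian TLD and the seven-day domain age are then enough to hold the message even without a blocklist match.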
About the Threat Lab
KnowBe4 Threat Labs focuses on researching and mitigating email threats and phishing attacks, employing a combination of expert analysis and crowdsourced intelligence. The team of seasoned cybersecurity professionals investigates the latest phishing techniques and develops strategies to preemptively combat these threats.
By harnessing insights from a global network of participating customers, KnowBe4 Threat Labs delivers comprehensive recommendations and timely updates, empowering organizations to protect against and respond to sophisticated email-based attacks. The Threat Labs are KnowBe4’s commitment to innovation and expertise, ensuring robust defenses against the ever-evolving landscape of cyber threats.