A KnowBe4 Threat Lab publication
Authors: Martin Kraemer, Jeewan Singh Jalal, Anand Bodke, and James Dyer
EXECUTIVE SUMMARY: We observed a 98% rise in phishing campaigns hosted on Russian (.ru) top-level domains (TLDs) from December 2024 to January 2025, primarily used for credential harvesting.
These Russian .ru domains are run by so-called “bullet-proof” hosting providers, which are known to keep malicious domains online and to ignore abuse reports, a combination that suits cybercriminals well.
Most of the phishing emails that we identified and investigated had passed through several security products, including Exchange Online Protection, Barracuda Email Security Gateway, Mimecast and Cisco IronPort.
KEY FINDINGS
- 98% increase in phishing sites using .ru TLDs from December 2024 to January 2025
- 1,500 unique .ru domains identified as part of the campaign
- 377 new domains registered with “bulletproof” registrar R01-RU
- More than 13,000 malicious emails using these domains were reported
- 2.2% of observed emails from .ru domains were phishing emails
- 7.4 days average age of a .ru domain
.ru Phishing Attack Example:
The primary goal of the attackers appears to be credential harvesting, as they use QR codes, auto-redirects and multi-level embedded attachments to direct potential victims to phishing websites.
In the example below you can see the attacker leverage social engineering tactics, such as suggesting the email is from Accounting and refers to remittance details, to entice the recipient to click on the link within the attachment. Embedding the malicious link within the attachment makes it harder for legacy technologies (such as SEGs that rely heavily on signature-based detection) to identify the malicious link.
Screenshot of a phishing email that includes a malicious link embedded within an attachment
If the recipient were to click on the link, they are directed to a spoofed Microsoft landing page used for credential harvesting. You can see in the URL that this is hosted on a Russian TLD, which is explained in more detail below.
Screenshot of a credential harvesting page hosted on a .ru domain
We observed the increased use of .ru domains across a number of industries, with attackers primarily targeting these five: Business and Economy (36.09%), Financial Services (12.44%), News & Media (8.27%), Health and Medicine (5.6%), and Government (4.51%). We expect this trend to continue through Q1 2025, with potential escalation in both the sophistication and the volume of attacks.
“BULLET-PROOF” HOSTING ON RUSSIAN DOMAINS
In this campaign, cybercriminals have used “bullet-proof” hosting providers – a term used to describe services that deliberately ignore abuse reports, operate in jurisdictions with little-to-no international law enforcement cooperation, and offer a high level of anonymity to customers. In these regions cybercrime laws are often weak, enforcement is lacking, or political barriers prevent takedown operations. This allows attackers to execute large-scale campaigns with minimal risk.
A notable trend we have recently observed is the shift to Russia-based top-level domains (.ru, .su, .рф), which offer these qualities. Many Russian domain registrars have lax registration policies, allowing attackers to use fake identities or proxy registration services to hide ownership details. The domains are often used in combination with fast-flux DNS techniques, which evade blocking mechanisms through frequent IP address changes.
These emails have successfully evaded detection by native and legacy email security tools using various techniques, including:
- Embedding redirect links that exploit the reputation of legitimate websites
- Using QR codes within attachments to bypass secure email gateways (SEGs)
- Using multi-layered HTML attachments with embedded redirects
- Leveraging polymorphic URLs, which are difficult for rule-based systems to detect
- Using dynamically generated URLs that constantly change, making detection even more challenging
MITIGATION RECOMMENDATIONS:
Organizational Measures:
- Increase user awareness of .ru domain-based phishing through personalized training for highly targeted users (identified via threat characteristics and risk scores).
- Leverage intelligent anti-phishing technology that is able to detect advanced threats.
- Review and update incident response procedures.
- Implement additional verification for high-risk transactions.
Manual Security Policies:
- Consider blocking all .ru TLD access unless business-critical
- Implement strict DMARC/SPF/DKIM policies
- Enhance monitoring of .ru domain interactions
- Implement enhanced email filtering for .ru domains
- Update blocklists to include newly identified malicious domains
Technology Requirements:
- Contextual analysis (the example above has a blank body with an attachment and originates from an external domain, so we know this could be suspicious)
- Linguistic analysis for attacks containing text, to detect linguistic indicators of phishing.
- Time-of-click analysis of the link, to catch post-delivery weaponization.
- Metadata examination – identifying that the sender email address differs from the display name
- Holistically “putting all this together” to identify a sophisticated phishing email
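The following is an added example, not code from the report or from KnowBe4: it scores a constructed message against the contextual and metadata checks listed above (external sender, blank body with an attachment, link to a Russia-based TLD hidden in an attachment, display name showing a different address). The internal domain, the addresses and the hosts in the sample are assumed placeholders.

```python
# Added example, not from the KnowBe4 report: scores a message against the checks listed
# above. The internal domain, addresses and hosts are placeholders, not the report's data.
import email
import re
from email import policy

RUSSIA_TLDS = (".ru", ".su", ".xn--p1ai")  # .xn--p1ai is the IDNA form of .рф
INTERNAL_DOMAIN = "example.com"            # assumed: the defender's own domain
URL_RE = re.compile(r"https?://([^\s/:\"'<>]+)")

# Constructed sample: blank body, link hidden in an HTML attachment, external sender.
SAMPLE_EML = b"""From: "accounting@example.com" <remit@invoice-notice.test>
Subject: Remittance details
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

--XYZ
Content-Type: text/html; charset="utf-8"; name="remittance.html"
Content-Disposition: attachment; filename="remittance.html"

<html><body><a href="https://login-check.phish-sample.ru/auth">Open</a></body></html>
--XYZ--
"""

def link_hosts(msg):
    # Hosts of every URL in the body and in each attachment, IDNA-normalized (Cyrillic .рф -> xn--p1ai).
    hosts = []
    for part in msg.walk():
        if part.get_content_maintype() != "multipart":
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "ignore")
            for host in URL_RE.findall(text):
                hosts.append(host.lower().rstrip(".").encode("idna").decode("ascii"))
    return hosts

def score_message(raw):
    # Returns each finding, a score and a verdict for one raw RFC 5322 message.
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    shown = re.search(r"@([^\s>]+)", sender.display_name)  # address written into the display name
    body = next((p for p in msg.walk() if p.get_content_maintype() == "text" and not p.is_attachment()), None)
    findings = {
        "external_sender": sender.domain.lower() != INTERNAL_DOMAIN,
        "blank_body_with_attachment": any(p.is_attachment() for p in msg.walk()) and not (body and (body.get_payload(decode=True) or b"").strip()),
        "russia_tld_link": any(h.endswith(RUSSIA_TLDS) for h in link_hosts(msg)),
        "display_name_mismatch": bool(shown) and shown.group(1).lower() != sender.domain.lower(),
    }
    score = sum(findings.values())  # threshold of 2 is an assumed tuning value
    return {"findings": findings, "score": score, "verdict": "suspicious" if score >= 2 else "ok"}
```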
About the Threat Lab
KnowBe4 Threat Labs focuses on researching and mitigating email threats and phishing attacks, using a combination of expert analysis and crowdsourced intelligence. The team of seasoned cybersecurity professionals investigates the latest phishing techniques and develops strategies to preemptively combat these threats.
By harnessing insights from a global network of participating customers, KnowBe4 Threat Labs delivers comprehensive recommendations and timely updates, empowering organizations to protect against and respond to sophisticated email-based attacks. The Threat Labs are KnowBe4’s commitment to innovation and expertise, ensuring robust defenses against the ever-evolving landscape of cyber threats.