Cybercriminals are increasingly exploiting users’ trust in popular apps like Microsoft OneNote and Adobe Acrobat Sign to snare victims in phishing attacks, Avast said in a recent report.
In the Avast Q1 2023 Threat Report, published on May 4, the Czech-based cybersecurity company revealed that most of the threats (two-thirds) people encounter online today depend on social engineering techniques like phishing and SMS-phishing (smishing) – which grew by 40 percent compared to 2022.
“Unfortunately, scammers have made it nearly impossible to take any messages at face value – all communications, whether seemingly from a friend, boss, or household brand, have potential to be fraudulent,” Avast Malware Research Director Jakub Kroustek said.
Avast’s report also highlights some notable desktop and mobile-related cyber threats, including scams, malware, and phishing attacks aimed at swiping consumers’ passwords, Social Security numbers, and other personal information.
The malware used in these attacks includes RATs, rootkits, stealers, and banking trojans. Cybercriminals also exploited software vulnerabilities or “zero-days” to compromise targeted devices. According to Avast, some vulnerabilities reported in its Q4 2022 Threat Report “have been increasingly exploited for the delivery of ransomware and spyware, both on desktop and mobile devices.”
Popular Apps Used to Spread Malware
Notorious malware development groups like Qakbot, IcedID, Redline, and Emotet have been increasingly lacing Microsoft OneNote docs with malware and leveraging the Adobe Acrobat Sign cloud service to infect users with password and crypto wallet stealers like Redline, Avast said.
The scammers send malware-laced Microsoft OneNote files to their targets or add malicious links to documents sent from legitimate Adobe email addresses.
“My advice is to take extra caution with any email asking you to download files or click on a link, even those that appear to be from reputable brands,” Kroustek said.
Cybercriminals often pose as trusted brands or individuals to lure victims in phishing attacks. However, they’re doing this with increasing sophistication.
In January, Cyble revealed that cybercriminals are using Google Ads to lead unsuspecting victims to “convincing” phishing sites that spoof the sites of popular brands like Zoom, AnyDesk, and Notepad++.
In March, Cofense’s State of Email Security Report revealed that phishing emails increased by nearly 600 percent in 2022.
Mobile Text Message Scams on the Rise
SMS-phishing scams, also known as smishing, contributed to the rise in phishing attacks in the first quarter of this year. Smishing “is becoming increasingly popular among cybercriminals due to its high open rate and the sense of trust that people place in text messages from seemingly reliable sources, like banks or government agencies,” Avast said.
As with other phishing messages, cybercriminals use smishing scams to get their targets to click a malicious link. Some common themes of smishing messages include fake financial alerts, package delivery notifications, text alerts, or charity and lottery-related messages.
In September 2022, the U.S. Internal Revenue Service (IRS) warned of a “significant” rise in phishing scams. The IRS said scammers were impersonating the agency to lure victims with messages about COVID relief and tax credits.
While there has been a drop in tech support scams this year, Avast noted a spike in other forms of online fraud, like invoice and refund scams.
How to Stop Social Engineering Attacks
The best way to avoid falling victim to a phishing scam is to learn how to identify a phishing message. Always verify the authenticity of emails and text messages before clicking any links they contain or complying with their demands.
And, to avoid downloading malicious apps, only download apps from a company’s official website or Google’s Play Store and Apple’s App Store. Furthermore, use a reliable password manager to create and store secure passwords and avoid oversharing online.
