San Francisco: Google said that so far in 2021 it has sent more than 50,000 warnings to users whose accounts have been the target of government-backed phishing or malware attempts, an increase of nearly 33% compared to the same point in 2020.
The company said it intentionally sends these warnings in batches to all users who may be at risk, rather than at the moment it detects each threat, so that attackers cannot infer its defensive strategies from the timing.
"Every day, TAG tracks more than 270 targeted or government-backed attacker groups in more than 50 countries. This means that there is typically more than one threat actor behind the warnings," the company said in a blog post.
The blog post noted that some of the more notable campaigns the company halted this year came from another government-backed attacker, APT35, an Iranian group that regularly conducts phishing campaigns targeting high-risk users.
For years, this group has hijacked accounts, deployed malware and used new techniques to carry out espionage activities aligned with the interests of the Iranian government, the company said.
In early 2021, APT35 compromised a website affiliated with a UK university to host a phishing kit. The attackers sent emails containing links to this website to collect credentials for platforms such as Gmail, Hotmail, and Yahoo.
Users were prompted to activate a (fake) webinar invitation by logging in. The phishing kit would also request the second-factor authentication codes sent to the victims' devices.
APT35 has been building on this technique since 2017 – targeting high value accounts in government, academia, journalism, NGOs, foreign policy and national security.
The phishing of credentials through a compromised website demonstrates that these attackers will go to great lengths to appear legitimate because they know that it is difficult for users to detect this type of attack.
In May of last year, Google discovered that APT35 had attempted to distribute spyware through the Google Play Store.
The app was disguised as VPN software which, if installed, could steal sensitive information such as call logs, text messages, contacts, and device location data.
Google quickly detected the app and removed it from the Play Store before users had a chance to install it.