IM Platforms Increasingly Used by Threat Actors in Place of Dark Web Marketplaces – Disposable mail news

Researchers at IntSight have discovered that IM platforms such as WhatsApp, Telegram, Discord, IRC, and Jabber are being used by cybercriminals for advertising and putting their goods and services on sale. One of the major reason as to why cybercriminals are switching to these IM platforms from the conventional ones is ‘law enforcement practices’; law enforcement operations have been targeting online darknet markets one after another. Earlier in 2017, the world’s largest dark web market, AlphaBay was taken offline, sending darknet users into chaos. Immediately after, the cyberspace witnesses the shut down of Hansa, another major darknet market. As more and more major dark web markets went offline due to the law enforcement penetrations, cybercriminals are wisely migrating to new platforms.

Although threat actors are loving IM platforms, the regular cybercrime sources such as dark web markets, credit card shops, and forums are still witnessing their web usual traffic. These platforms have more advantages such as chatbots, fewer rules, and automated replies due to their core nature, unlike IM platforms that are majorly meant for communication.

While giving insights, Etay Maor, IntSights CSO, said,
“Telegram appears to be experiencing the most growth, with more than 56,800 Telegram invite links shared across cybercrime forums and over 223,000 general mentions of the application across forums. Telegram is also the platform most often discussed in foreign language forums.”

“Financial threat actors and fraudsters exchange stolen carding information, selling or trading all kinds of credit card dumps, and publishing methods or techniques relevant for the fraud community. In addition, there is also a trade of physical items stolen or counterfeited from organizations in the retail industry.” He added.

“While the data itself is fully encrypted and law enforcement needs sophisticated algorithms in order to decrypt it, some countries have authorized law enforcement agencies to access the private information of their citizens if sanctioned by courts or other judicial authorities – including information that lives in IM platforms. Threat actors are worried about the cooperation between technology companies and law enforcement agencies, especially in the United States.” Maor further explained.

Temp Mails ( is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

IT threat evolution Q1 2020. Statistics – 10 minute mail

These statistics are based on detection verdicts for Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network,

  • Kaspersky solutions blocked 726,536,269 attacks launched from online resources in 203 countries across the globe.
  • A total of 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 249,748 unique users.
  • Ransomware attacks were defeated on the computers of 178,922 unique users.
  • Our File Anti-Virus detected 164,653,290 unique malicious and potentially unwanted objects.
  • Kaspersky products for mobile devices detected:
    • 1,152,662 malicious installation packages
    • 42,115 installation packages for mobile banking trojans
    • 4339 installation packages for mobile ransomware trojans

Mobile threats

Quarter events

Q1 2020 will be remembered primarily for the coronavirus pandemic and cybercriminals’ exploitation of the topic. In particular, the creators of a new modification of the Ginp banking trojan renamed their malware Coronavirus Finder and then began offering it for €0.75 disguised as an app supposedly capable of detecting nearby people infected with COVID-19. Thus, the cybercriminals tried not only to scam users by exploiting hot topics, but to gain access to their bank card details. And, because the trojan remains on the device after stealing this data, the cybercriminals could intercept text messages containing two-factor authorization codes and use the stolen data without the victim’s knowledge.

Another interesting find this quarter was Cookiethief, a trojan designed to steal cookies from mobile browsers and the Facebook app. In the event of a successful attack, the malware provided its handler with access to the victim’s account, including the ability to perform various actions in their name, such as liking, reposting, etc. To prevent the service from spotting any abnormal activity in the hijacked profile, the trojan contains a proxy module through which the attackers issue commands.

The third piece of malware that caught our attention this reporting quarter was trojan-Dropper.AndroidOS.Shopper.a. It is designed to help cybercriminals to leave fake reviews and drive up ratings on Google Play. The attackers’ goals here are obvious: to increase the changes of their apps getting published and recommended, and to lull the vigilance of potential victims. Note that to rate apps and write reviews, the trojan uses Accessibility Services to gain full control over the other app: in this case, the official Google Play client.

Mobile threat statistics

In Q1 2020, Kaspersky’s mobile products and technologies detected 1,152,662 malicious installation packages, or 171,669 more than in the previous quarter.

Number of malicious installation packages detected, Q1 2019 – Q1 2020 (download)

Starting in Q2 2019, we have seen a steady rise in the number of mobile threats detected. Although it is too early to sound the alarm (2019 saw the lowest number of new threats in recent years), the trend is concerning.

Distribution of detected mobile apps by type

Distribution of newly detected mobile programs by type, Q1 2020 and Q4 2019 (download)

Of all the threats detected in Q1, half were unwanted adware apps (49.9%), their share having increased by 19 p.p. compared to the previous quarter. Most often, we detected members of the HiddenAd and Ewind families, with a combined slice of 40% of all detected adware threats, as well as the FakeAdBlocker family (12%).

Potentially unwanted RiskTool apps (28.24%) took second place; the share of this type of threat remained almost unchanged. The Smsreg (49% of all detected threats of this class), Agent (17%) and Dnotua (11%) families were the biggest contributors. Note that in Q1, the number of detected members of the Smsreg family increased by more than 50 percent.

In third place were Trojan-Dropper-type threats (9.72%). Although their share decreased by 7.63 p.p. against the previous quarter, droppers remain one of the most common classes of mobile threats. Ingopack emerged as Q1’s leading family with a massive 71% of all Trojan-Dropper threats, followed by Waponor (12%) and Hqwar (8%) far behind.

It is worth noting that mobile droppers are most often used for installing financial malware, although some financial threats can spread without their help. The share of these self-sufficient threats is quite substantial: in particular, the share of Trojan-Banker in Q1 increased by 2.1 p.p. to 3.65%.

Top 20 mobile malware programs

Note that this malware rankings do not include potentially dangerous or unwanted programs such as RiskTool or adware.

Verdict %*
1 DangerousObject.Multi.Generic 44.89
2 Trojan.AndroidOS.Boogr.gsh 9.09
3 DangerousObject.AndroidOS.GenericML 7.08
4 Trojan-Downloader.AndroidOS.Necro.d 4.52
5 2.73
6 Trojan-Downloader.AndroidOS.Helper.a 2.45
7 Trojan.AndroidOS.Handda.san 2.31
8 Trojan-Dropper.AndroidOS.Necro.z 2.30
9 Trojan.AndroidOS.Necro.a 2.19
10 Trojan-Downloader.AndroidOS.Necro.b 1.94
11 Trojan-Dropper.AndroidOS.Hqwar.gen 1.82
12 Trojan-Dropper.AndroidOS.Helper.l 1.50
13 1.46
14 Trojan-Dropper.AndroidOS.Lezok.p 1.46
15 Trojan-Banker.AndroidOS.Rotexy.e 1.43
16 Trojan-Dropper.AndroidOS.Penguin.e 1.42
17 Trojan-SMS.AndroidOS.Prizmes.a 1.39
18 Trojan.AndroidOS.Dvmap.a 1.24
19 Trojan.AndroidOS.Agent.rt 1.21
20 Trojan.AndroidOS.Vdloader.a 1.18

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products that were attacked.

First place in our Top 20 as ever went to DangerousObject.Multi.Generic (44.89%), the verdict we use for malware detected using cloud technology. They are triggered when the antivirus databases still lack the data for detecting a malicious program, but the Kaspersky Security Network cloud already contains information about the object. This is basically how the latest malware is detected.

Second and third places were claimed by Trojan.AndroidOS.Boogr.gsh (9.09%) and DangerousObject.AndroidOS.GenericML (7,08%) respectively. These verdicts are assigned to files that are recognized as malicious by our machine-learning systems.

In fourth (Trojan-Downloader.AndroidOS.Necro.d, 4.52%) and tenth (Trojan-Downloader.AndroidOS.Necro.b, 1.94%) places are members of the Necro family, whose main task is to download and install modules from cybercriminal servers. Eighth-placed Trojan-Dropper.AndroidOS.Necro.z (2.30%) acts in a similar way, extracting from itself only those modules that it needs. As for Trojan.AndroidOS.Necro.a, which took ninth place (2.19%), cybercriminals assigned it a different task: the trojan follows advertising links and clicks banner ads in the victim’s name. (2.73%) claimed fifth spot. As soon as it runs, the malware hides its icon on the list of apps and continues to operate in the background. The trojan’s payload can be other trojan programs or adware apps.

Sixth place went to Trojan-Downloader.AndroidOS.Helper.a (2.45%), which is what Trojan-Downloader.AndroidOS.Necro usually delivers. Helper.a is tasked with downloading arbitrary code from the cybercriminals’ server and running it.

The verdict Trojan.AndroidOS.Handda.san (2.31%) in seventh place is a group of diverse trojans that hide their icons, gain Device Admin rights on the device, and use packers to evade detection.

Trojan-Banker.AndroidOS.Rotexy.e (1.43%) and Trojan-Dropper.AndroidOS.Penguin.e (1.42%) warrant a special mention. The former is the only banking trojan in the top 20 this past quarter. The Rotexy family is all of six years old, and its members have the functionality to steal bank card details and intercept two-factor payment authorization messages. In turn, the first member of the Penguin dropper family was only detected last July and had gained significant popularity by Q1 2020.

Geography of mobile threats


Map of infection attempts by mobile malware, Q1 2020 (download)

Top 10 countries by share of users attacked by mobile threats

Country* %**
1 Iran 39.56
2 Algeria 21.44
3 Bangladesh 18.58
4 Nigeria 15.58
5 Lebanon 15.28
6 Tunisia 14.94
7 Pakistan 13.99
8 Kuwait 13.91
9 Indonesia 13.81
10 Cuba 13.62

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky mobile products in the country.

In Q1 2020, the leader by share of attacked users was Iran (39.56%). Inhabitants of this country most frequently encountered adware apps from the Notifyer family, as well as Telegram clone apps. In second place was Algeria (21.44%), where adware apps were also distributed, but this time it was the HiddenAd and FakeAdBlocker families. Third place was taken by Bangladesh (18.58%), where half of the top 10 mobile threats consisted of adware in the HiddenAd family.

Mobile banking trojans

During the reporting period, we detected 42,115 installation packages of mobile banking trojans. This is the highest value in the past 18 months, and more than 2.5 times higher than in Q4 2019. The largest contributions to the statistics came from the Trojan-Banker.AndroidOS.Agent (42.79% of all installation packages detected), Trojan-Banker.AndroidOS.Wroba (16.61%), and Trojan-Banker.AndroidOS.Svpeng (13.66%) families.

Number of installation packages of mobile banking trojans detected by Kaspersky, Q1 2019 – Q1 2020 (download)

Top 10 mobile banking trojans

  Verdict %*
1 Trojan-Banker.AndroidOS.Rotexy.e 13.11
2 Trojan-Banker.AndroidOS.Svpeng.q 10.25
3 Trojan-Banker.AndroidOS.Asacub.snt 7.64
4 Trojan-Banker.AndroidOS.Asacub.ce 6.31
5 Trojan-Banker.AndroidOS.Agent.eq 5.70
6 Trojan-Banker.AndroidOS.Anubis.san 4.68
7 Trojan-Banker.AndroidOS.Agent.ep 3.65
8 Trojan-Banker.AndroidOS.Asacub.a 3.50
9 3.00
10 2.70

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by banking threats.

First and second places in our top 10 were claimed by trojans targeted at Russian-speaking mobile users: Trojan-Banker.AndroidOS.Rotexy.e (13.11%) and Trojan-Banker.AndroidOS.Svpeng.q (10.25%).

Third, fourth, eighth, and ninth positions in the top 10 mobile banking threats went to members of the Asacub family. The cybercriminals behind this trojan stopped creating new samples, but its distribution channels were still active in Q1.

Geography of mobile banking threats, Q1 2020 (download)

Top 10 countries by share of users attacked by mobile banking trojans

Country* %**
1 Japan 0.57
2 Spain 0.48
3 Italy 0.26
4 Bolivia 0.18
5 Russia 0.17
6 Turkey 0.13
7 Tajikistan 0.13
8 Brazil 0.11
9 Cuba 0.11
10 China 0.10

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked by mobile banking trojans as a percentage of all users of Kaspersky mobile products in the country.

In Q1 2020, Japan (0.57%) had the largest share of users attacked by mobile bankers; the vast majority of cases involved Trojan-Banker.AndroidOS.Agent.eq.

In second place came Spain (0.48%), where in more than half of all cases, we detected malware from the Trojan-Banker.AndroidOS.Cebruser family, and another quarter of detections were members of the Trojan-Banker.AndroidOS.Ginp family.

Third place belonged to Italy (0.26%), where, as in Spain, the Trojan-Banker.AndroidOS.Cebruser family was the most widespread with almost two-thirds of detections.

It is worth saying a bit more about the Cebruser family. Its creators were among the first to exploit the coronavirus topic to spread the malware.

When it runs, the trojan immediately gets down to business: it requests access to Accessibility Services to obtain Device Admin permissions, and then tries to get hold of card details.

The malware is distributed under the Malware-as-a-Service model; its set of functions is standard for such threats, but with one interesting detail — the use of a step-counter for activation so as to bypass dynamic analysis tools (sandbox). Cebruser targets the mobile apps of banks in various countries and popular non-financial apps; its main weapons are phishing windows and interception of two-factor authorization. In addition, the malware can block the screen using a ransomware tool and intercept keystrokes on the virtual keyboard.

Mobile ransomware trojans

In Q2 2020, we detected 4,339 installation packages of mobile trojan ransomware, 1,067 fewer than in the previous quarter.

Number of installation packages of mobile ransomware trojans detected by Kaspersky, Q1 2019 – Q1 2020 (download)

Top 10 mobile ransomware trojans

Verdict %*
1 Trojan-Ransom.AndroidOS.Svpeng.aj 17.08
2 Trojan-Ransom.AndroidOS.Congur.e 12.70
3 11.41
4 Trojan-Ransom.AndroidOS.Rkor.k 9.88
5 7.32
6 Trojan-Ransom.AndroidOS.Small.o 4.79
7 Trojan-Ransom.AndroidOS.Svpeng.aj 3.62
8 Trojan-Ransom.AndroidOS.Svpeng.ah 3.55
9 Trojan-Ransom.AndroidOS.Congur.e 3.32
10 Trojan-Ransom.AndroidOS.Fusob.h 3.17

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by ransomware trojans.

Over the past few quarters, the number of ransomware trojans detected has been gradually decreasing; all the same, we continue to detect quite a few infection attempts by this class of threats. The main contributors to the statistics were the Svpeng, Congur, and Small ransomware families.

Geography of mobile ransomware trojans, Q1 2020 (download)

Top 10 countries by share of users attacked by mobile ransomware trojans:

Country* %**
1 USA 0.26
2 Kazakhstan 0.25
3 Iran 0.16
4 China 0.09
5 Saudi Arabia 0.08
6 Italy 0.03
7 Mexico 0.03
8 Canada 0.03
9 Indonesia 0.03
10 Switzerland 0.03

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked by mobile ransomware trojans as a percentage of all users of Kaspersky mobile products in the country.

The leaders by number of users attacked by mobile ransomware trojans are Syria (0.28%), the United States (0.26%) and Kazakhstan (0.25%)

Attacks on Apple macOS

In Q1 2020, we detected not only new versions of common threats, but one new backdoor family, whose first member was Backdoor.OSX.Capip.a. The malware’s operating principle is simple: it calls the C&C for a shell script, which it then downloads and executes.

Top 20 threats to macOS

Verdict %*
1 Trojan-Downloader.OSX.Shlayer.a 19.27
2 AdWare.OSX.Pirrit.j 10.34
3 AdWare.OSX.Cimpli.k 6.69
4 AdWare.OSX.Ketin.h 6.27
5 AdWare.OSX.Pirrit.aa 5.75
6 AdWare.OSX.Pirrit.o 5.74
7 AdWare.OSX.Pirrit.x 5.18
8 AdWare.OSX.Spc.a 4.56
9 AdWare.OSX.Cimpli.f 4.25
10 AdWare.OSX.Bnodlero.t 4.08
11 AdWare.OSX.Bnodlero.x 3.74
12 Hoax.OSX.SuperClean.gen 3.71
13 AdWare.OSX.Cimpli.h 3.37
14 AdWare.OSX.Pirrit.v 3.30
15 AdWare.OSX.Amc.c 2.98
16 AdWare.OSX.MacSearch.d 2.85
17 RiskTool.OSX.Spigot.a 2.84
18 AdWare.OSX.Pirrit.s 2.80
19 AdWare.OSX.Ketin.d 2.76
20 2.70

* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked

The top 20 threats for macOS did not undergo any major changes in Q1 2020. The adware trojan Shlayer.a (19.27%) still tops the leaderboard, followed by objects that Shlayer itself loads into the infected system, in particular, numerous adware apps from the Pirrit family.

Interestingly, the unwanted program Hoax.OSX.SuperClean.gen landed in 12th place on the list. Like other Hoax-type programs, it is distributed under the guise of a system cleanup app, and immediately after installation, scares the user with problems purportedly found in the system, such as gigabytes of trash on the hard drive.

Threat geography

Country* %**
1 Spain 7.14
2 France 6.94
3 Italy 5.94
4 Canada 5.58
5 USA 5.49
6 Russia 5.10
7 India 4.88
8 Mexico 4.78
9 Brazil 4.65
10 Belgium 4.65

* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 5,000)
** Unique users who encountered macOS threats as a percentage of all users of Kaspersky security solutions for macOS in the country.

The leading countries, as in previous quarters, were Spain (7.14%), France (6.94%) and Italy (5.94%). The main contributors to the number of detections in these countries were the familiar Shlayer trojan and adware apps from the Pirrit family.

IoT attacks

IoT threat statistics

In Q1 2020, the share of IP addresses from which attempts were made to attack Kaspersky telnet traps increased significantly. Their share amounted to 81.1% of all IP addresses from which attacks were carried out, while SSH traps accounted for slightly less than 19%.

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2020

It was a similar situation with control sessions: attackers often controlled infected traps via telnet.

Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2020

Telnet-based attacks


Geography of device IP addresses where attacks at Kaspersky telnet traps originated, Q1 2020 (download)

Top 10 countries by location of devices from which attacks were carried out on Kaspersky telnet traps.

Country* %
China 13.04
Egypt 11.65
Brazil 11.33
Vietnam 7.38
Taiwan 6.18
Russia 4.38
Iran 3.96
India 3.14
Turkey 3.00
USA 2.57

For several quarters in a row, the leading country by number of attacking bots has been China: in Q1 2020 its share stood at 13.04%. As before, it is followed by Egypt (11.65%) and Brazil (11.33%).

SSH-based attacks


Geography of device IP addresses where attacks at Kaspersky SSH traps originated, Q1 2020 (download)

Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps.

Country* %
China 14.87
Vietnam 11.58
USA 7.03
Egypt 6.82
Brazil 5.79
Russia 4.66
India 4.16
Germany 3.64
Thailand 3.44
France 2.83

In Q1 2020, China (14.87%), Vietnam (11.58%) and the US (7.03%) made up the top three countries by number of unique IPs from which attacks on SSH traps originated.

Threats loaded into honeypots

Verdict %*
Trojan-Downloader.Linux.NyaDrop.b 64.35
Backdoor.Linux.Mirai.b 16.75 6.47
Backdoor.Linux.Gafgyt.a 4.36 1.30
Trojan-Downloader.Shell.Agent.p 0.68
Backdoor.Linux.Mirai.c 0.64
Backdoor.Linux.Hajime.b 0.46
Backdoor.Linux.Mirai.h 0.40
Backdoor.Linux.Gafgyt.av 0.35

* Share of malware type in the total amount of malware downloaded to IoT devices following a successful attack.

In Q1 2020, attackers most often downloaded the minimalistic trojan loader NyaDrop (64.35%), whose executable file does not exceed 500 KB. Threats from the Mirai family traditionally dominated: its members claimed four places in our top 10. These malicious programs will continue to rule the world of IoT threats for a long time to come, at least until the appearance of a more advanced (and publicly available) DDoS bot.

Financial threats

Financial threat statistics

In Q1 2020, Kaspersky solutions blocked attempts to launch one or several types of malware designed to steal money from bank accounts on the computers of 249,748 users.

Number of unique users attacked by financial malware, Q1 2020 (download)

Attack geography

To assess and compare the risk of being infected by banking trojans and ATM/POS malware in various countries, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

Geography of banking malware attacks, Q1 2020 (download)

Top 10 countries by share of attacked users

Country* %**
1 Uzbekistan 10.5
2 Tajikistan 6.9
3 Turkmenistan 5.5
4 Afghanistan 5.1
5 Yemen 3.1
6 Kazakhstan 3.0
7 Guatemala 2.8
8 Syria 2.4
9 Sudan 2.1
10 Kyrgyzstan 2.1

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

Top 10 banking malware families

Name Verdicts %*
1 Emotet Backdoor.Win32.Emotet 21.3
2 Zbot Trojan.Win32.Zbot 20.8
3 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 17.2
4 RTM Trojan-Banker.Win32.RTM 12.3
5 Nimnul Virus.Win32.Nimnul 3.6
6 Trickster Trojan.Win32.Trickster 3.6
7 Neurevt Trojan.Win32.Neurevt 3.3
8 SpyEye Trojan-Spy.Win32.SpyEye 2.3
9 Danabot Trojan-Banker.Win32.Danabot 2.0
10 Nymaim Trojan.Win32.Nymaim 1.9

** Unique users attacked by this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

Quarterly highlights

Ransomware attacks on organizations, as well as on city and municipal networks, did not ease off. Given how lucrative they are for cybercriminals, there is no reason why this trend of several years should cease.

More and more ransomware is starting to supplement encryption with data theft. To date, this tactic has been adopted by distributors of ransomware families, including Maze, REvil/Sodinokibi, DoppelPaymer and JSWorm/Nemty/Nefilim. If the victim refuses to pay the ransom for decryption (because, say, the data was recovered from a backup copy), the attackers threaten to put the stolen confidential information in the public domain. Such threats are sometimes empty, but not always: the authors of several ransomware programs have set up websites that do indeed publish the data of victim organizations.

Number of new modifications

In Q1 2020, we detected five new ransomware families and 5,225 new modifications of these malware programs.

Number of new ransomware modifications detected, Q1 2019 – Q1 2020 (download)

Number of users attacked by ransomware trojans

In Q1 2020, Kaspersky products and technologies protected 178,922 users from ransomware attacks.

Number of unique users attacked by ransomware trojans, Q1 2020 (download)

Attack geography


Geography of attacks by ransomware trojans, Q1 2020 (download)

Top 10 countries attacked by ransomware trojans

Country* %**
1 Bangladesh 6.64
2 Uzbekistan 1.98
3 Mozambique 1.77
4 Ethiopia 1.67
5 Nepal 1.34
6 Afghanistan 1.31
7 Egypt 1.21
8 Ghana 0.83
9 Azerbaijan 0.81
10 Serbia 0.74

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware trojans as a percentage of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware trojans

Name Verdicts %*
1 WannaCry Trojan-Ransom.Win32.Wanna 19.03
2 (generic verdict) Trojan-Ransom.Win32.Gen 16.71
3 (generic verdict) Trojan-Ransom.Win32.Phny 16.22
4 GandCrab Trojan-Ransom.Win32.GandCrypt 7.73
5 Stop Trojan-Ransom.Win32.Stop 6.62
6 (generic verdict) Trojan-Ransom.Win32.Encoder 4.28
7 (generic verdict) Trojan-Ransom.Win32.Crypren 4.15
8 PolyRansom/VirLock Virus.Win32.PolyRansom,


9 Crysis/Dharma Trojan-Ransom.Win32.Crusis 2.02
10 (generic verdict) Trojan-Ransom.Win32.Generic 1.56

* Unique Kaspersky users attacked by the specified family of ransomware trojans as a percentage of all users attacked by ransomware trojans.


Number of new modifications

In Q1 2020, Kaspersky solutions detected 192,036 new miner modifications.

Number of new miner modifications, Q1 2020 (download)

Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 518,857 unique users of Kaspersky Lab products worldwide.

Number of unique users attacked by miners, Q1 2020 (download)

Attack geography


Geography of miner attacks, Q1 2020 (download)

Top 10 countries attacked by miners

Country* %**
1 Afghanistan 6.72
2 Ethiopia 4.90
3 Tanzania 3.26
4 Sri Lanka 3.22
5 Uzbekistan 3.10
6 Rwanda 2.56
7 Vietnam 2.54
8 Kazakhstan 2.45
9 Mozambique 1.96
10 Pakistan 1.67

* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyberattacks

We already noted that Microsoft Office vulnerabilities are the most common ones. Q1 2020 was no exception: the share of exploits for these vulnerabilities grew to 74.83%. The most popular vulnerability in Microsoft Office was CVE-2017-11882, which is related to a stack overflow error in the Equation Editor component. Hard on its heels was CVE-2017-8570, which is used to embed a malicious script in an OLE object inside an Office document. Several other vulnerabilities, such as CVE-2018-0802 and CVE-2017-8759, were also popular with attackers. In the absence of security updates for Microsoft Office, these vulnerabilities are successfully exploited and the user’s system becomes infected.

In second place were exploits for vulnerabilities in Internet browsers (11.06%). In Q1, cybercriminals attacked a whole host of browsers, including Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox. What’s more, some of the vulnerabilities were used in APT attacks, such as CVE-2020-0674, which is associated with the incorrect handling of objects in memory in an outdated version of the JScript scripting engine in Internet Explorer, leading to code execution. Another example is the previously identified CVE-2019-17026, a data type mismatch vulnerability in Mozilla Firefox’s JIT compiler, which also leads to remote code execution. In the event of a successful attack, both browser exploits cause a malware infection. The researchers also detected a targeted attack against Google Chrome exploiting the RCE vulnerability CVE-2020-6418 in the JavaScript engine; in addition, the dangerous RCE vulnerability CVE-2020-0767 was detected in a component of the ChakraCore scripting engine used by Microsoft Edge. Although modern browsers have their own protection mechanisms, cybercriminals are forever finding ways around them, very often using chains of exploits to do so. Therefore, it is vital to keep the operating system and software up to date at all times.

Distribution of exploits used in attacks by type of application attacked, Q1 2020 (download)

This quarter, a wide range of critical vulnerabilities were detected in operating systems and their components.

  • CVE-2020-0601 is a vulnerability that exploits an error in the core cryptographic library of Windows, in a certificate validation algorithm that uses elliptic curves. This vulnerability enables the use of fake certificates that the system recognizes as legitimate.
  • CVE-2020-0729 is a vulnerability in processing LNK files in Windows, which allows remote code execution if the user opens a malicious shortcut.
  • CVE-2020-0688 is the result of a default configuration error in Microsoft Exchange Server, whereby the same cryptographic keys are used to sign and encrypt serialized ASP.NET ViewState data, enabling attackers to execute their own code on the server side with system rights.

Various network attacks on system services and network protocols were as popular as ever with attackers. We continue to detect attempts at exploiting vulnerabilities in the SMB protocol using EternalBlue, EternalRomance and similar sets of exploits. In Q1 2020, the new vulnerability CVE-2020-0796 (SMBGhost) was detected in the SMBv3 network protocol, leading to remote code execution, in which regard the attacker does not even need to know the username/password combination (since the error occurs before the authentication stage); however, it is present only in Windows 10. In Remote Desktop Gateway there were found two critical vulnerabilities (CVE-2020-0609 and CVE-2020-0610) enabling an unauthorized user to execute remote code in the target system. In addition, there were more frequent attempts to brute-force passwords to Remote Desktop Services and Microsoft SQL Server via the SMB protocol as well.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks: Top 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2020, Kaspersky solutions defeated 726,536,269 attacks launched from online resources located in 203 countries worldwide. As many as 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web-based attack sources by country, Q1 2020 (download)

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users**
1 Bulgaria 13.89
2 Tunisia 13.63
3 Algeria 13.15
4 Libya 12.05
5 Bangladesh 9.79
6 Greece 9.66
7 Latvia 9.64
8 Somalia 9.20
9 Philippines 9.11
10 Morocco 9.10
11 Albania 9.09
12 Taiwan, Province of China 9.04
13 Mongolia 9.02
14 Nepal 8.69
15 Indonesia 8.62
16 Egypt 8.61
17 Georgia 8.47
18 France 8.44
19 Palestine 8.34
20 Qatar 8.30

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to providing statistical data.

On average, 6.56% of Internet user’ computers worldwide experienced at least one Malware-class attack.

Geography of malicious web-based attacks, Q1 2020 (download)

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to computers (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q1 2020, our File Anti-Virus registered 164,653,290 malicious and potentially unwanted objects. 

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal-computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users**
1 Afghanistan 52.20
2 Tajikistan 47.14
3 Uzbekistan 45.16
4 Ethiopia 45.06
5 Myanmar 43.14
6 Bangladesh 42.14
7 Kyrgyzstan 41.52
8 Yemen 40.88
9 China 40.67
10 Benin 40.21
11 Mongolia 39.58
12 Algeria 39.55
13 Laos 39.21
14 Burkina Faso 39.09
15 Malawi 38.42
16 Sudan 38.34
17 Rwanda 37.84
18 Iraq 37.82
19 Vietnam 37.42
20 Mauritania 37.26

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked as a percentage of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q1 2020 (download)

Overall, 19.16% of user computers globally faced at least one Malware-class local threat during Q1.

Temp Mails ( is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

IT threat evolution Q1 2020 – 10 minute mail

Targeted attacks and malware campaigns

Operation AppleJeus: the sequel

In 2018, we published a report on Operation AppleJeus, one of the more notable campaigns of the threat actor Lazarus, currently one of the most active and prolific APT groups. One notable feature of this campaign was that it marked the first time Lazarus had targeted macOS targets, with the group inventing a fake company in order to deliver its manipulated application and exploit the high level of trust among potential victims.

Our follow-up research revealed significant changes to the group’s attack methodology. To attack macOS victims, Lazarus has developed homemade macOS malware and added an authentication mechanism to deliver the next stage payload very carefully, as well as loading the next-stage payload without touching the disk. In addition, to attack Windows victims, the group has elaborated a multi-stage infection procedure and made significant changes to the final payload. We believe Lazarus has been more careful in its attacks since the release of Operation AppleJeus and has employed a number of methods to avoid detection.

We identified several victims as part of our ongoing research, in the UK, Poland, Russia and China. Moreover, we were able to confirm that several of the victims are linked to cryptocurrency business organizations.

Roaming Mantis turns to SMiShing and enhances anti-researcher techniques

Kaspersky continues to track the Roaming Mantis campaign. This threat actor was first reported in 2017, when it used SMS to distribute its malware to Android devices in just one country – South Korea. Since then, the scope of the group’s activities has widened considerably. Roaming Mantis now supports 27 languages, targets iOS as well as Android and includes cryptocurrency mining for PCs in its arsenal.

Roaming Mantis is strongly motivated by financial gain and is continuously looking for new targets. The group has also put a lot of effort into evading tracking by researchers, including implementing obfuscation techniques and using whitelisting to avoid infecting researchers who navigate to the malicious landing page. While the group is currently applying whitelisting only to Korean pages, we think it is only a matter of time before Roaming Mantis implements this for other languages.

Roaming Mantis has also added new malware families, including Fakecop and Wroba.j. The actor is still very active in using ‘SMiShing‘ for Android malware distribution. This is particularly alarming, because it means that the attackers could combine infected mobile devices into a botnet for malware delivery, SMiShing, and so on. In one of the more recent methods used by the group, a downloaded malicious APK file contains an icon that impersonates a major courier company brand: the spoofed brand icon is customized for the country it targets – for example, Sagawa Express for Japan, Yamato Transport and FedEx for Taiwan, CJ Logistics for South Korea and Econt Express for Russia.

WildPressure on industrial networks in the Middle East

In March, we reported a targeted campaign to distribute Milum, a Trojan designed to gain remote control of devices in target organizations, some of which operate in the industrial sector. We detected the first signs of this operation, which we have dubbed WildPressure, in August 2019; and the campaign remains active.

The Milum samples that we have seen so far do not share any code similarities with any known APT campaigns. All of them allow the attackers to control infected devices remotely: letting them download and execute commands, collect information from the compromised computer and send it to the C2 server and install upgrades to the malware.

Attacks on industrial targets can be particularly devastating. So far, we haven’t seen evidence that the threat actor behind WildPressure is trying to do anything beyond gathering data from infected networks. However, the campaign is still in development, so we don’t yet know what other functionality might be added.

To avoid becoming a victim of this and other targeted attacks, organizations should do the following.

  • Update all software regularly, especially when a new patch becomes available.
  • Deploy a security solution with a proven track record, such as Kaspersky Endpoint Security, that is equipped with behavior-based protection against known and unknown threats, including exploits.
  • On top of endpoint protection, implement a corporate-grade security solution designed to detect advanced threats against the network, such as Kaspersky Anti Targeted Attack Platform.
  • Ensure staff understand social engineering and other methods used by attackers and develop a security culture within in the organization.
  • Provide your security team with access to comprehensive cyberthreat intelligence, such as Kaspersky APT Intelligence Reporting.

TwoSail Junk

On January 10, we discovered a watering-hole attack that utilized a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. Judging by the content of the landing page, the site appears to have been designed to target users in Hong Kong.

Since then, we have released two private reports on LightSpy, available to customers of Kaspersky Intelligence Reporting (please contact [email protected] for further information).

We are temporarily calling the APT group behind this implant TwoSail Junk. Currently, we have hints from known backdoor callbacks to infrastructure about clustering this campaign with previous activity. We are also working with fellow researchers to tie LightSpy to prior activity from a well-established Chinese-speaking APT group, previously reported (here and here) as Spring Dragon (aka Lotus Blossom and Billburg(Thrip)), known for its Lotus Elise and Evora backdoors.

As this LightSpy activity was disclosed publicly by fellow researchers from Trend Micro, we wanted to contribute missing information to the story without duplicating content. In addition, in our quest to secure technologies for a better future, we have reported this malware and activity to Apple and other relevant companies.

Our report includes information about the Android implant, including its deployment, spread and support infrastructure.

A sprinkling of Holy Water in Asia

In December, we discovered watering-hole websites that were compromised to selectively trigger a drive-by download attack with fake Adobe Flash update warnings.

This campaign, which has been active since at least May 2019, targets an Asian religious and ethnic group. The threat actor’s unsophisticated but creative toolset, which has evolved greatly and may still be in development, makes use of Sojson obfuscation, NSIS installer, Python, open-source code, GitHub distribution, Go language and Google Drive-based C2 channels.

The threat actor’s operational target is unclear because we haven’t been able to observe many live operations. We have also been unable to identify any overlap with known APT groups.

Threat hunting with Bitscout

In February, Vitaly Kamluk, from the Global Research and Analysis Team at Kaspersky, reported on a new version of Bitscout, based on the upcoming release of Ubuntu 20.04 (scheduled for release in April 2020).

Bitscout is a remote digital forensics tool that we open-sourced about two and a half years ago, when Vitaly was located in the Digital Forensics Lab at INTERPOL. Bitscout has helped us in many cyber-investigations. Based on the widely popular Ubuntu Linux distribution, it incorporates forensics and malware analysis tools created by a large number of excellent developers around the world.

Here’s a summary of the approach we use in Bitscout

  • Bitscout is completely FREE, thereby reducing your forensics budget.
  • It is designed to work remotely, saving time and money that would otherwise be spent on travel. Of course, you can use the same techniques locally.
  • The true value lies not in the toolkit itself, but in the power of all the forensic tools that are included.
  • There’s a steep learning curve involved in mastering Bitscout, which ultimately reinforces the technical foundations of your experts.
  • Bitscout records remote forensics sessions internally, making it perfect for replaying and learning from more experienced practitioners or using as evidential proof of discovery.
  • It is fully open source, so you don’t need to wait for the vendor to implement a patch or feature for you: you are free to reverse-engineer and modify any part of it.

We have launched a project website,, as the go-to destination for those looking for tips and tricks on remote forensics using Bitscout.

Hunting APTs with YARA

In recent years, we have shared our knowledge and experience of using YARA as a threat hunting tool, mainly through our training course, ‘Hunting APTs with YARA like a GReAT ninja’, delivered during our Security Analyst Summit. However, the COVID-19 pandemic has forced us to postpone the forthcoming SAS.

Meanwhile, we have received many requests to make our YARA hands-on training available to more people. This is something we are working on and hope to be able to provide soon as an online training experience. Look out for updates on this by following us on Twitter – @craiu, @kaspersky.

With so many people working from home, and spending even more time online, it is also likely the number of threats and attacks will increase. Therefore, we decided to share some of the YARA experience we have accumulated in recent years, in the hope that all of you will find it useful for keeping threats at bay.

If you weren’t able to join the live presentation, on March 31, you can find the recording here.

We track the activities of hundreds of APT threat actors and regularly highlight the more interesting findings here. However, if you want to know more, please reach out to us at [email protected]

Other security news

Shlayer Trojan attacks macOS users

Although many people consider macOS to be safe, there are cybercriminals who seek to exploit those who use this operating system. One malicious program stands out – the Shlayer Trojan. In 2019, Kaspersky macOS products blocked this Trojan on every tenth device, making this the most widespread threat to people who use macOS.

Shlayer is a smart malware distribution system that spreads via a partner network, entertainment websites and even Wikipedia. This Trojan specializes in the installation of adware – programs that feed victims illicit ads, intercepting and gathering their browser queries and modifying search results to distribute even more advertising messages.

Shlayer accounted for almost one-third of all attacks on macOS devices registered by Kaspersky products between January and November last year – and nearly all other top 10 macOS threats were adware programs that Shlayer installs.

The infection starts with an unwitting victim downloading the malicious program. The criminals behind Shlayer set up a malware distribution system with a number of channels leading their victims to download the malware. Shlayer is offered as a way to monetize websites in a number of file partner programs, with relatively high payment for each malware installation made by users in the US, prompting over 1,000 ‘partner sites’ to distribute Shlayer. This scheme works as follows: a user looks for a TV series episode or a football match, and advertising landing pages redirect them to fake Flash Player update pages. From here, the victim downloads the malware; and for each installation, the partner who distributed links to the malware receives a pay-per-install payment.

Other schemes that we saw led to a fake Adobe Flash update page that redirected victims from various large online services with multi-million audiences, including YouTube, where links to the malicious website were included in video descriptions, and Wikipedia, where such links were hidden in article references. People that clicked on these links would also be redirected to the Shlayer download landing pages. Kaspersky researchers found 700 domains containing malicious content, with links to them on a variety of legitimate websites.

Almost all the websites that led to a fake Flash Player contained content in English. This corresponds to the countries where we have seen most infections – the US (31%), Germany (14%), France (10%) and the UK (10%).

Blast from the past

Although many people still use the term “virus” to mean any malicious program, it actually refers specifically to self-replicating code, i.e., malicious code that copies itself from file to file on the same computer. Viruses, which used to dominate the threat landscape, are now rare. However, there are some interesting exceptions to this trend and we came across one recently – the first real virus we’ve seen in the wild for some time.

The virus, called KBOT, infects the victim’s computer via the internet, a local network, or infected external media. After the infected file is launched, the malware gains a foothold in the system, writing itself to Startup and the Task Scheduler, and then deploys web injects to try to steal the victim’s bank and personal data. KBOT can also download additional stealer modules that harvest and send to the Command-and-Control (C2) server comprehensive information about the victim, including passwords/logins, crypto-wallet data, lists of files and installed applications, and so on. The malware stores all its files and stolen data in a virtual file system, encrypted using the RC6 algorithm, making it hard to detect.

Cybercriminals exploiting fears about data breaches

Phishers are always on the lookout for hot topics that they can use to hook their victims, including sport, politics, romance, shopping, banking, natural disasters and anything else that might entice someone into clicking on a link or malicious file attachment.

Recently, cybercriminals have exploited the theme of data leaks to try to defraud people. Data breaches, and the fines imposed for failing to safeguard data, are now a staple feature of the news. The scammers posed as an organization called the “Personal Data Protection Fund” and claim that the “US Trading Commission” had set up a fund to compensate people whose personal data had been exposed.

However, in order to get the compensation, the victims are asked to provide a social security number. The scammers offer to sell a temporary SSN to those who don’t have one.

Even if the potential victim enters a valid SSN, they are still directed to a page asking them to purchase a temporary SSN.

You can read the full story here.

… and coronavirus

The bigger the hook, the bigger the pool of potential victims. So it’s no surprise that cybercriminals are exploiting the COVID-19 pandemic. We have found malicious PDF, MP4 and DOCX files disguised as information about the coronavirus. The names of the files suggest they contain video instructions on how to protect yourself, updates on the threat and even virus detection procedures. In fact, these files are capable of destroying, blocking, modifying or copying data, as well as interfering with the operation of the computer.

The cybercriminals behind the Ginp banking Trojan recently developed a new campaign related to COVID-19. After receiving a special command, the Trojan opens a web page called Coronavirus Finder. This provides a simple interface that claims to show the number of people nearby who are infected with the virus and asks you to pay a small sum to see their location.

The Trojan then provides a payment form.

Then … nothing else happens – apart from the criminals taking your money. Data from the Kaspersky Security Network suggests that most users who have encountered Ginp are located in Spain. However, this is a new version of Ginp that is tagged “flash-2”, while previous versions were tagged “flash-es12”. So perhaps the lack of “es” in the tag of the newer version means the cybercriminals are planning to expand their campaign beyond Spain.

We have also seen a number of phishing scams where cybercriminals pose as bona fide organizations to trick people into clicking on links to fake sites where the scammers capture their personal information, or even ask them to donate money.

If you’ve ever wanted to know why it’s so easy for phishers to create spoof emails, and what efforts have been made to make it harder for them, you can find a good overview of the problems and potential solutions here.

Cybercriminals are also taking the opportunity to attack the information infrastructure of medical facilities, clearly hoping that the overload on IT services will provide them with an opportunity to break into hospital networks, or are attempting to extort money from clinical research companies. In an effort to ensure that IT security isn’t something that medical teams have to worry about, we’re offering medical institutions free six-month licenses for our core solutions.

In February, we reported an unusual malware campaign in which cybercriminals were spreading the AZORult Trojan as a fake installer for ProtonVPN.

The aim of the campaign is to steal personal information and crypto-currency from the victims.

The attackers created a spoof copy a VPN service’s website, which looks like the original but has a different domain name. The criminals spread links to the domain through advertisements using different banner networks – a practice known as malvertizing. When someone visits a phishing website, they are prompted to download a free VPN installer for Windows. Once launched, this drops a copy of the AZORult botnet implant. This collects the infected device’s environment information and reports it to the server. Finally, the attackers steal crypto-currency from locally available wallets (Electrum, Bitcoin, Etherium and others), FTP logins, and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials from WinSCP, Pidgin messenger and others.

AZORult is one of the most commonly bought and sold stealers on Russian forums due to its wide range of capabilities. The Trojan is able to harvest a good deal of data, including browser history, login credentials, cookies, files and crypto-wallet files; and can also be used as a loader to download other malware.

Distributing malware under the guise of security certificates

Distributing malware under the guise of legitimate software updates is not new. Typically, cybercriminals invite potential victims to install a new version of a browser or Adobe Flash Player. However, we recently discovered a new approach: visitors to infected sites were informed that some kind of security certificate had expired.

They were offered an update that infected them with malware – specifically the Buerak downloader and Mokes backdoor.

We detected the infection on variously themed websites – from a zoo to a store selling auto parts. The earliest infections that we found date back to January 16.

Mobile malware sending offensive messages

We have seen many mobile malware apps re-invent themselves, adding new layers of functionality over time. The Faketoken Trojan offers a good example of this. Over the last six years, it has developed from an app designed to capture one-time passcodes, to a fully-fledged mobile banking Trojan, to ransomware. By 2017, Faketoken was able to mimic many different apps, including mobile banking apps, e-wallets, taxi service apps and apps used to pay fines and penalties – all in order to steal bank account data.

Recently, we observed 5,000 Android smartphones infected by Faketoken sending offensive text messages. SMS capability is a standard feature of many mobile malware apps, many of which spread by sending links to their victims’ contacts; and banking Trojans typically try to make themselves the default SMS application, in order to intercept one-time passcodes. However, we had not seen one become a mass texting tool.

The messages sent by Faketoken are charged to the owner of the device; and since many of the infected smartphones we saw were texting a foreign number, the cost was quite high. Before sending any messages, the Trojan checks to see if there are sufficient funds in the victim’s bank account. If there are, Faketoken tops up the mobile account sending any messages.

We don’t yet know whether this is a one-off campaign or the start of a trend. To avoid becoming a victim of Faketoken, download apps only from Google Play, disable the downloading of apps from other sources, don’t follow links from messages and protect your device with a reputable mobile security product.

The use and abuse of the Android AccessibilityService

In January, we reported that cybercriminals were using malware to boost the rating of specific apps, to increase the number of installations.

The Shopper.a Trojan also displays advertising messages on infected devices, creates shortcuts to advertising sites and more.

The Trojan opens Google Play (or other app store), installs several programs and writes fake user reviews about them. To prevent the victim noticing, the Trojan conceals the installation window behind an ‘invisible’ window. Shopper.a gives itself the necessary permissions using the Android AccessibilityService. This service is intended to help people with disabilities use a smartphone, but if a malicious app obtains permission to use it, the malware has almost limitless possibilities for interacting with the system interface and apps – including intercepting data displayed on the screen, clicking buttons and emulating user gestures.

Shopper.a was most widespread in Russia, Brazil and India.

You should be wary if an app requests access to the AccessibilityService but doesn’t need it. Even if the only danger posed by such apps comes from automatically written reviews, there is no guarantee that its creators will not change the payload later.

Everyone loves cookies – including cybercriminals

We recently discovered a new malicious Android Trojan, dubbed Cookiethief, designed to acquire root permissions on the victim’s device and transfer cookies used by the browser and the Facebook app to the cybercriminals’ C2 server. Using the stolen cookies, the criminals can gain access to the unique session IDs that websites and online services use to identify someone, thereby allowing the criminals to assume someone’s identity and gain access to online accounts without the need for a login and password.

On the C2 server, we found a page advertising services for distributing spam on social networks and messengers, which we think is the underlying motive in stealing cookies.

From the C2 server addresses and encryption keys used, we were able to link Cookiethief to widespread Trojans such as Sivu, Triada, and Ztorg. Usually, such malware is either planted in the device firmware before purchase, or it gets into system folders through vulnerabilities in the operating system and then downloads various applications onto the system.

Stalkerware: no place to hide

We recently discovered a new sample of stalkerware – commercial software typically used by those who want to monitor a partner, colleague or others – that contains functionality beyond anything we have seen before. You can find more information on stalkerware here and here.

MonitorMinor, goes beyond other stalkerware programs. Primitive stalkerware uses geo-fencing technology, enabling the operator to track the victim’s location, and in most cases intercept SMS and call data. MonitorMinor goes a few steps further: recognizing the importance of messengers as a means of data collection, this app aims to get access to data from all the popular modern communication tools.

Normally, the Android sandbox prevents direct communication between apps. However, if a superuser app has been installed, which grants root access to the system, it overrides the security mechanisms of the device. The developers of MonitorMinor use this to enable full access to data on a variety of popular social media and messaging applications, including Hangouts, Instagram, Skype and Snapchat. They also use root privileges to access screen unlock patterns, enabling the stalkerware operator to unlock the device when it is nearby or when they next have physical access to the device. Kaspersky has not previously seen this feature in any other mobile threat.

Even without root access, the stalkerware can operate effectively by abusing the AccessibilityService API, which is designed to make devices friendly for users with disabilities. Using this API, the stalkerware is able to intercept any events in the applications and broadcast live audio.

Our telemetry indicates that the countries with the largest share of installations of MonitorMinor are India, Mexico, Germany, Saudi Arabia and the UK.

We recommend the following tips to reduce the risk of falling victim to a stalker:

  • Block the installation of apps from unknown sources in your smartphone settings.
  • Never disclose the password or passcode to your mobile device, even with someone you trust.
  • If you are ending a relationship, change security settings on your mobile device, such as passwords and app location access settings.
  • Keep a check on the apps installed on your device, to see if any suspicious apps have been installed without your consent
  • Use a reliable security solution that notifies you about the presence of commercial spyware programs aimed at invading your privacy, such as Kaspersky Internet Security.
  • If you think you are being stalked, reach out to a professional organization for advice.
  • For further guidance, contact the Coalition against Stalkerware
  • There are resources that can assist victims of domestic violence, dating violence, stalking and sexual violence. If you need further help, please contact the Coalition against Stalkerware.

Temp Mails ( is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Microsoft rolls out a new threat intelligence against COVID-19 attacks – Disposable mail news

COVID-19 has become a hotspot of cyber attacks and spams as the majority of employees are working from home. These growing numbers of attacks have made security firms and tech industries quite concerned. But Microsoft has come to the rescue, rolling out a new COVID-19 threat intelligence.

Microsoft announced on its blog a new move that will improve security and can be availed easily. The company has introduced a COVID-19 threat intelligence made available from May 14, sharing feeds for Azure Sentinel customers and publicly available for everyone on GitHub.

So, even if you are not a Microsoft customer worry not, you can still protect yourself from these COVID-19 based attacks. This data is only available for a limited period only until the pandemic threat looms over our heads.

“Microsoft processes trillions of signals each day across identities, endpoints, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack,” Microsoft stated in their blog.
“Today, we take our COVID-19 threat intelligence sharing a step further by making some of our own indicators available publicly for those that are not already protected by our solutions.”

Users with Microsoft Threat Protection need not go through this, they are already protected with Microsoft Defender Advanced Threat Protection (ATP) and email with Office 365 ATP.

These COVID-19 threat intelligence indicators are available on the Azure Sentinel GitHub via Microsoft Graph Security API.

Best Protection from COVID-19 Threats 

Hackers and Cybercriminals have been using an array of malicious ways from malware to phishing emails for their own gain. This move by Microsoft will shift the balance and go a long way to protect and defend from such threats.

Security researcher Sean Wright says, “Microsoft certainly deserves credit for this. It will be especially useful for those who are struggling at the moment and don’t necessarily have the funds to afford services that organizations would normally have to pay for.”

“This information is going to be very useful to enable many volunteers in the community to help organizations and others. It is the correlation of data—especially threat intelligence—that will go a long way to help stop the threat actors out there who are actively targeting organizations and individuals.”

Some are critical of this announcement by the tech giant pointing out that it is “too little, too late”.

 “I’m not saying it’s not welcome but where was this support nine weeks ago?” says Ian Thornton-Trump. 

Ian Thornton-Trump, CISO at Cyjax points out “It’s clever marketing and has some value—although most, if not all, those indicators of compromise (IOCs) will be available from a multitude of cyber threat intelligence sources, feeds and vendors already.”

Temp Mails ( is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

WannaCryptor remains a global threat three years on – 10 minute mail

WannaCryptor is still alive and kicking, so much so that it sits atop the list of the most commonly detected ransomware families

On May 12th, 2017, WannaCryptor (also known as WannaCry and WCrypt) wrought havoc on computer systems across the globe to a degree never seen previously. The cryptoworm propagated through an exploit called EternalBlue that targeted a critical vulnerability in an outdated version of Microsoft’s implementation of the Server Message Block (SMB) protocol, via port 445, which is mainly used for file- and printer-sharing in enterprise networks. During such an attack, a cybercriminal scans the internet for machines with an exposed SMB port, and launches the exploit code against any vulnerable machines that are found. If the exploit succeeds, the blackhat will run a payload of their choice; in this case, it was the WannaCryptor.D ransomware.

Fast forward to 2020

Three years later, WannaCryptor is still a strong player on the ransomware field. According to the ESET Threat Report for the first quarter of 2020, WannaCryptor still dominates the ransomware family rankings, accounting for 40.5% of ransomware detections. Its dominance at the top of the table didn’t stop in April either, although it did drop by less than one percentage point compared to the previous month. This is quite disconcerting, considering that it had been almost three years since the largest recorded outbreak in May 2017. For most of the first quarter of 2020, WannaCryptor detections were attributed to widely recognized samples that spread in regions with potentially high numbers of unpatched machines, such as Turkey, Thailand, and Indonesia.

Figure 1. Top 10 ransomware families (% of ransomware detections), January to April 2020

Let’s now focus on the exploit that facilitated the whole WannaCryptor crisis: EternalBlue. Attempted attacks using the infamous exploit were on the decline throughout Q1. In fact, by the end of the first quarter of 2020 it was at half of the historical high it reached in the second quarter of 2019. Although the statistics may seem encouraging: three years on, EternalBlue remains a relevant threat with hundreds of thousands of attack attempts taking place daily.

According to Shodan, meanwhile, there are still about one million Windows machines with the SMBv1 protocol exposed to the internet (Figure 2). That means that there are potentially one million machines that are susceptible to attacks using the EternalBlue exploit.

Figure 2. Data from Shodan (as of May 4th, 2020)

Compared with last year, there was a reshuffle of where most of the affected devices are located. While the United States still leads the pack with the greatest number of vulnerable devices, Russia has overtaken Japan for second place. South Africa is a noteworthy addition since last year it wasn’t even on the list and now it has taken fourth place.

It’s worth noting that although EternalBlue gained infamy for enabling WannaCryptor, that is not by any means the only high-profile attack that leveraged it. Both the Diskcoder.C (aka Petya, NotPetya and ExPetya) and BadRabbit ransomware campaigns are attributed to the exploit, dumped online by the Shadow Brokers group after allegedly being purloined from the US National Security Agency (NSA).

Lessons learned?

Looking back, it’s safe to say that the outbreak was avoidable and could have been stopped dead in its tracks if users worldwide had taken the necessary steps. The vulnerability was disclosed to Microsoft and a critical security update was released as part of a typical “Patch Tuesday” update a full 59 days before the global outbreak began.

Furthermore, the Redmond giant deemed the first version of SMBv1 protocol – which is now over thirty years old and contained the EternalBlue vulnerability – deprecated in 2013, indicating then that it should have been considered obsolete and not used anymore. And even if a patch wasn’t installed, then some basic security configurations could have prevented WannaCryptor from infecting devices altogether. So has the cyberworld learned anything from one of the worst ransomware outbreaks in history?

Although you would think that the EternalBlue-enabled WannaCryptor crisis instilled a valuable lesson in netizens, unfortunately, that doesn’t seem to be the case. To quote the Spanish philosopher George Santayana: “Those who cannot remember the past are condemned to repeat it.”

Those words especially ring true, since starting in the middle of last year, cybersecurity experts started sounding the alarm about BlueKeep, a Remote Code Execution (RCE) vulnerability found in Remote Desktop Services (RDP) that every enterprise administrator should have patched ASAP. Yet, the first attacks were recorded months later. [ESET released a free utility last year to check if a Windows computer is vulnerable to attacks exploiting BlueKeep.]

Final thoughts

The major takeaway remains that three years on, many people still underestimate the value of patching their computer systems as soon as a patch is available, and apparently they do not adhere to best security practices. Keep your software patched and up to date, and combine that practice with a reputable multi-layered endpoint security product. This will go a long way toward protecting you against ransomware … and all kinds of other malicious attacks.

Amer Owaida

Temp Mails ( is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

All you need to know about the new threat “Fleeceware” and how to protect yourself!

SophosLabs, a cybersecurity firm has discovered a range of apps on Google Play Store and Apple’s iOS App Store whose sole purpose is to charge huge subscriptions and other fees to clients for the features and services they could avail for free.

These apps though tricks the user they however neither steal your data nor do they run any malicious code hence fundamentally they are not malwares. Sophos calls them fleecewear, malicious apps hiding in sheep’s clothing. “Because these apps exist in a categorical grey area that isn’t overtly malware, and isn’t a potentially unwanted app (PUA), we’ve coined the term fleeceware, because their defining characteristic is that they overcharge users for functionality that’s widely available in free or low-cost apps.” writes Sophos Labs.

They found 25 such Android apps on Google Play store in January and 30 apps on the iOS App Store that could be fleeceware.

“In our capitalistic society, you can look at fleeceware apps and say if somebody wants to waste $500 per year on a flashlight app that’s up to them,” says John Shier, Sophos senior security adviser. “But it’s just the exorbitant price that you’re being charged, and it’s not done aboveboard. That, to me, is not ethical.”

You have to be careful while paying for in-app purchases and especially subscription. These apps will offer a trial period but will demand payment the first time you open the app. Or they could ask high payment for simple basic features like photo filter for 9$ per week or 30$ per month.

Fleeceware apps exploit the marketing model of play store and App Store, finding loopholes to charge their skyrocketing prices. But Google is tightening the leash. It announced last week that developers will be required to make details of subscriptions, free trials, and introductory offers more precise and clear by June 16.

“Part of improving the subscription user experience comes from fostering a trustworthy platform for subscribers; making sure they feel fully informed when they purchase in-app subscriptions,” Angela Ying, Google product manager wrote in a blog.

How to avoid fleeceware?

Through some simple steps you can avoid falling into the traps set by this fleeceware:

  1. Install apps developed by prominent developers. Big companies and their apps offer features like emojis, selfie filters, and QR code scanners for free.
  2. If you found something exclusive that the app is providing, it’s better to compare prices by doing a quick search.
  3. If you think, you’re subscriptions are getting a bit out of hand and want to check which apps you have subscribed to and the ones you’d like to cancel – Play Store and iOS App Store both offer the option where you can see all your subscriptions.

“On iOS, open Settings, tap your name, and then Subscriptions to view and manage everything. Or you can open the App Store, insert your initials in the upper right corner, and tap Subscriptions. On Android, open the Play Store, tap the hamburger menu icon in the upper right, and choose Subscriptions to view and manage your signups.”

Temp Mails ( is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

It’s no time to let your guard down as coronavirus fraud remains a threat – 10 minute mail

Scammers rehash old campaigns, create credit card-stealing websites and repurpose information channels to milk the COVID-19 crisis for all it’s worth

Another week of the COVID-19 pandemic is almost behind us, with countries charting out paths to recovery and in many cases moving to shake off some of the lockdown restrictions.

Meanwhile, the crisis has brought out the worst in con artists, who have been exploiting every trick in their playbooks of scams to defraud people. Indeed, for weeks they have been hard at work impersonating legitimate sources of information on the pandemic and launching new fraudulent online marketplaces offering deals on products that are in short supply, such as respirators and hand sanitizers.

In part four of our series on COVID-19-related scams, we share a few examples of recent campaigns targeting your money and personal data. More examples of scams that seize on concerns surrounding the pandemic are available in these three articles.

Mapping out a scam

The most popular COVID-19 map was developed at the Johns Hopkins University by Professor Lauren Gardner, a civil and systems engineering professor, and her graduate student Ensheng Dong. It allows researchers, public health authorities and the public to track the pandemic’s progression and provides useful statistics. Since everyone is trying to be up to date on the latest developments, that makes the organization an ideal target for scammers to impersonate.

In the example below, you can see an example of a fraudulent map impersonating the Johns Hopkins map, with some extra features such as pop-up ads and a chat window. If you click on any part of the map, it will try to redirect you to a phishing website, which will try to scam you out of your personal data or attempt to steal your login credentials or even download malware to your computer.

WHO let the app out?

As individuals struggle to remain on top of the influx of daily information, they usually rely on the media and their local and international health authorities. The World Health Organization (WHO) remains one of the best and foremost sources of information on the COVID-19 pandemic, and so it probably comes as no surprise that it is one of the authorities most impersonated by fraudsters.

In recent campaigns, scammers have pretended to be WHO officials, while emailing victims with bogus information. These emails included either a link or an attachment, which then lead to malware making its way to your computer. But now the bad actors have upped their game by creating a website impersonating the WHO, as demonstrated in the example below.

The website tries to trick the victims into downloading a fraudulent application claiming to have COVID-19 information and instructions. Once they click on the download button, it instead downloads malware to the computer. Depending on the victim computer’s location, and other factors, different payloads, varying from information stealers to ransomware, are downloaded to the computer,

A fake one-stop-shop for your pandemic needs

Due to a shortage of personal protective equipment and hygienic products such as hand sanitizers, fake online stores have proven to be a popular way for scammers to defraud victims. Especially face masks are the search term du jour.

In fact, they are so popular that in the next example the scammers are offering them on a website that sells smartphones and apparel as well – a one-stop-shop for all your quarantine needs. As many of these online shops are clearly fake, it seems likely that your credit card data will be siphoned off if you attempt to go through with purchases on these sites, especially if the prices seem unusually good.

Philanthropic spirit of sharing the wealth

Another scam that has remained popular with fraudsters is preying on people who have fallen into financial difficulties or can be cajoled into thinking that they can make easy money. In the example below, someone posing as a wealthy businessman claims to be diagnosed with COVID-19 and, in an attempt to redeem his soul, wants to share his vast wealth with charity organizations. He just needs your help to do it and for that, he will pay handsomely. Although the request sounds charitable, it is a scam. Once the victim engages in communication, the scammer will try to bilk the victim out of increasingly greater amounts of money with false claims of fees, unforeseen costs and bribes needed to finally release the ensuing fortune.

It is safe to say no businessman worth his salt would be careless enough to rely on the goodwill of strangers to access their wealth.

Beyond the subject line

Dating and romance scams are quite widespread and have defrauded victims out of millions of dollars over the years. In the example below aimed at German speakers, the scammers apparently thought the phrase “sex sells” applies to a pandemic as well, even if many countries are advising social and physical distancing and limiting travel. The email itself offers access to a dating service that apparently doesn’t concern itself with the age of the customer, which should already be cause for alarm.

The body of the message translates as follows: “It doesn’t matter how old you are. Our hookup dating site has been created so that you can communicate anonymously with various girls. Have sex now. The girls themselves get in touch first and want sex. We guarantee the protection of your personal data. Here is this site: HappySweetDating. Click and go through the quick registration process.”

Astonishingly enough, the only link to the pandemic is the subject of the email that states “stop the spread of COVID-1 (sic)”, which makes no sense since it goes against the advice and directives of governments worldwide to limit physical interaction.

In conclusion

These are by far not all of the tricks scammers have hidden up their sleeves, but it goes to show how low they’ll sink by playing on the confusion and fears surrounding the crisis.

So, it’s best to remain alert and keep out of harm’s way, both in real life and on the internet. Here are some pointers that should help you stay safe:

  • Do not click on any link nor download any files in an email if you cannot verify the source independently. And even if the email comes from a source you trust, doublecheck with them if they really sent it. Don’t forget to scan the attachment with an endpoint software to see if it’s safe to open
  • If you want to have up-to-date information, rely on trusted sources like the official websites of health organizations or the news. Visit only reputable sites like WHO ( and Johns Hopkins ( Due to high demand, load times may be slow. It’s worth the wait
  • Scrutinize offers that seem too good to be true or suspicious, and never purchase anything from an unverified vendor. If you’re in doubt, even in the slightest, do not purchase anything from the vendor under any circumstances. Neither click on links nor open attachments for that matter. Always look for reviews about the vendor and evaluate them
  • Don’t reply to unsolicited emails from strangers and especially if they ask you to provide any kind of personal information
  • Always use a reputable security endpoint solution that can protect you from malware, phishing and other kinds of cyberthreats

Related reading

Beware scams exploiting coronavirus fears
Coronavirus con artists continue to spread infections of their own
Scams, lies, and coronavirus

ESET has been here for you for over 30 years. We want to assure you that we will be here in order to protect your online activities during these uncertain times, too.
Protect yourself from threats to your security online with an extended trial of our award-winning software.
Try our extended 90-day trial for free.

Amer Owaida

Temp Mails ( is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

ESET Threat Report | WeLiveSecurity – 10 minute mail

A view of the Q1 2020 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts

The first quarter of 2020 was, without a doubt, defined by the outbreak of COVID-19 – now a pandemic that has put much of the world under lockdown, disrupting people’s lives in unprecedented ways.

In the face of these developments, many businesses were forced to swiftly adopt work-from-home policies, thereby facing numerous new challenges. The soaring demand for remote access and videoconferencing applications has attracted cybercriminals who quickly adjusted their attack strategies to profit from the shift.

Cybercriminals also haven’t hesitated to exploit public concerns surrounding the pandemic. In March 2020, we saw a surge in scam and malware campaigns using the coronavirus pandemic as a lure, trying to capitalize on people’s fears and hunger for information.

Even under lockdown, our analysts, detection engineers and security specialists continued to keep a close eye on this quarter’s developments. Some threat types – such as cryptominers or Android malware – saw a decrease in detections when compared with the previous quarter; others – such as web threats or stalkerware – were on the rise. Web threats in particular have seen the largest increase in terms of overall numbers of detections, a possible side effect of coronavirus lockdowns.

The researchers in ESET’s Research Labs also did not stop investigating threats – Q1 saw them dissect obfuscation techniques in Stantinko’s new cryptomining module; detail the workings of advanced Brazil-targeting banking trojan Guildma; uncover new campaigns by the infamous Winnti Group and Turla; and uncover Kr00k, a previously unknown vulnerability affecting the encryption of over a billion Wi‑Fi devices.

Before lockdowns became the new normal, experts from ESET Research Labs were sharing their insights at security conferences and events around the world. In February, they unveiled the Kr00k vulnerability research and led a workshop for hunting Linux malware at RSA Conference 2020, and presented two talks at BlueHat IL.

Follow ESET research on Twitter for regular updates on key trends and top threats.

Roman Kovac

Temp Mails ( is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Apple Says Recently Discovered iOS Mail Vulnerabilities Pose No Immediate Threat, But a Patch Is in the Works

Apple has responded to a recent report on vulnerabilities discovered in its iOS Mail app, claiming the issues do not pose an immediate risk to users.

Earlier this week, San Francisco-based cybersecurity company ZecOps said it had uncovered two zero-day security vulnerabilities affecting Apple’s stock Mail app for iPhones and iPads.

One of the vulnerabilities was said to enable an attacker to remotely infect an iOS device by sending emails that consume a large amount of memory. Another could allow remote code execution capabilities. Successful exploitation of the vulnerabilities could potentially allow an attacker to leak, modify, or delete a user’s emails, claimed ZecOps.

However, Apple has downplayed the severity of the issues in the following statement, which was given to several media outlets.

“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”

The vulnerabilities are said to impact all software versions between iOS 6 and iOS 13.4.1. ZecOps said that Apple has patched the vulnerabilities in the latest beta of iOS 13.4.5, which should be publicly released within the coming weeks. Until then, ZecOps recommends using a third-party email app like Gmail or Outlook, which are apparently not impacted.

Temp Mails ( is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

The Russian Foreign Ministry has warned of the threat of cyber pandemic to humanity – Disposable mail news

Director of the Department of International Information Security of the Russian Foreign Ministry Andrei Krutskikh said on Tuesday during the online discussion “Information Security and the Digitalization Process: Between Development and Fears” that in addition to the coronavirus pandemic, humanity today is threatened by cyber pandemic provoked by the negative development of digital technologies, which could lead to military confrontation.

“We are dealing with two pandemics. One is a bio pandemic associated with the spread of coronavirus, people are dying, and now this is a priority topic. But in parallel with it, another global problem is also deepening, and it is probably human made – this is what I would call a cyber pandemic. Under cyberpandemic I understand the possibility of the involvement of humanity in cyber confrontation and even cyberwar,” said Mr. Krutskikh.

He explained that the manifestations of cyberpandemic are hacking, cyberterrorism, cyber interference in private life and the development of states. “This is all a consequence of the development of negative trends in improving cyber technologies,” added the diplomat.
“I also refer to the fact that a number of states proclaim doctrines of the right to launch preemptive cyberattacks even against a potential enemy when no one’s guilt has yet been proven,” added Mr. Krutskikh.

At the same time, he stressed that the forced transfer of many areas of life “to online” in the context of the coronavirus pandemic clearly shows the need to ensure international information security and develop common measures to combat cyber threats.

“We must develop not only a common language terminologically, not only a common understanding but also common security standards. We must not be late in finding solutions before the next cyber crisis,” warned Mr. Krutskikh.

On Tuesday, the Bank of Russia announced new fraudulent schemes to steal money from bank accounts using social engineering; criminals are actively using the theme of coronavirus infection.

Temp Mails ( is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.