Cybercriminals are using the war in Ukraine to enrich themselves by defrauding people trying to help the embattled country.
Their techniques include malware, phishing attacks and straight-up scams. Emails that purport to come from Ukrainian government agencies deliver malware designed to let an attacker control the recipient’s computer. When Ukraine started soliciting donations in cryptocurrency, criminals created and marketed fake coins. And some are attempting to trick inexperienced volunteers for Ukraine’s “IT Army” into downloading malware disguised as distributed denial of service (DDoS) software to fight Russian interests online.
The fact that regular people far from Ukraine are getting involved in DDoS attacks and donating cryptocurrencies is a sign that the “baseline technological knowledge for the majority of people is much higher than it ever has been,” said threat researcher Nick Biasini, head of outreach at security firm Cisco Talos. But a little knowledge can be a dangerous thing: It’s also given cybercriminals a way to capitalize on their efforts and prey on the public’s best intentions, especially those of the well-meaning amateur hackers joining in Ukraine’s cyber defense.
“Broadly speaking, cybercriminals take advantage of whatever situation is out there and whatever situation is in the news,” said Allan Liska, an intelligence analyst at the security firm Recorded Future, which tracks ransomware attacks.
The current situation echoes the early 2000s, when “hacktivism” was popular. Hackers would release legitimate tools that people could use to launch a DDoS attack against targets like banks, and cybercriminals would follow by putting out similar-sounding tools that were actually malware.
“History doesn’t repeat itself, but it often rhymes,” Liska said, invoking a Mark Twain-attributed quote. “We have seen similar kinds of activity in the past even as it relates to activism, but not in a war setting.”
Scams surge as global concern rises
Since Feb. 1, network intelligence and cybersecurity provider Cujo AI has identified about 1,500 unique internet domains that are related to helping Ukraine. About 5 percent of them are scam sites, said Leonardas Marozas, head of Cujo’s security research lab. That’s notable but smaller in scale than the flood of new domains related to covid in early 2020, he said.
“At the start of the pandemic, there were hundreds of thousands of new domains being registered and put into use,” said Marozas. “We do not see this trend with the start of the Ukraine-Russia war.”
But the Ukraine crisis has pushed cybercriminals to new and even more brazen heights, according to a report Cisco Talos released this month. It described how criminals are peddling malware disguised as pro-Ukraine DDoS software, with the aim of stealing people’s personal information.
“We are happy to remind you about the software we use to attack Russian sites!” said a Telegram message promoting the software. “It will automatically fetch the attack targets from the server.”
The channel in which the message appeared has thousands of subscribers, the Talos report said.
“They were just like ‘Here, run this [program],’ but it was an infostealer that basically steals a whole bunch of information related to cryptocurrency stuff, credentials,” Biasini said. “Whatever it can find on that system, it’s going to take and steal.”
The people behind the software were distributing infostealers as early as November 2021, Talos found — lending weight to the idea that experienced criminals are trying to capitalize on the existing conflict in Ukraine.
The example illustrates the danger of inexperienced cyber volunteers wading into the conflict, Biasini said. “The best-case scenario is you may accidentally be committing a crime,” he said. “Worst-case scenario, you’re likely downloading something that is inherently malicious.”
Cryptocurrency takes center stage
Criminals are also turning humanitarian interest in helping Ukrainians into phishing attacks. These trick people into clicking on malicious links that install malware, or start conversations in which scammers extract money or a person's financial information. Known Ukraine-related phishing scams include an email purporting to seek donations for a humanitarian organization and another in which the sender posed as a displaced Ukrainian.
Phishing emails often include requests for cryptocurrency as a means of support. In this case, they’re taking advantage of the fact that the Ukrainian government has taken in extensive cryptocurrency donations, to the tune of more than $50 million as of March 15.
In early March, the government announced a cryptocurrency “air drop,” which traditionally involves a group giving out free tokens to attract users and improve engagement. Details on the government plan were scarce but seemed to involve the Ukrainians “air dropping” a token of some sort to people who donated to the country. A surge of donations followed.
The Ukrainian government canceled the airdrop plan about 24 hours after it first revealed it, without giving a reason. But scammers had already introduced a fake token.
Experts predict that scammers will only intensify their efforts to profit from the Ukraine crisis as the conflict continues and more cybercriminal groups have the time to tailor their efforts to the nuances of the war.
“There is no downward boundary for these bastards,” Liska said. “They will prey on people’s good intentions. They will take advantage of anything and everything they can in order to rip people off.”