The pandemic has definitely made adjustments in many, if not all, areas of human activity. Coronavirus and scammers did not get around. In the media, you can often find the phrase "wave of fraud". And indeed it is. I took an array of registered domains in the RU zone over the past year and analyzed them in the context of news events that resonated in society. Under the cut you will find charts, descriptions of popular and piecemeal techniques used by scammers, as well as tips for users on how to avoid becoming a victim.
Methodology
First, a few words about the technique. An archive of registered domains in the RU domain zone was uploaded. Then the archive was analyzed according to the list of "roots". The list was compiled in advance on the basis of high-profile publications in the media. The site was considered unambiguously suspicious in 2 cases:
if there were obvious signs in the name itself (for example, VVWW-HTTTPS-AVITO [.] RU);
if it has been flagged as fraudulent by the browser.
The goal was not to find all possible domains and unambiguously confirm their maliciousness. It's no secret that the effective lifetime of a fraudulent resource is hours or days. Therefore, ideally, such research should be carried out almost in real time. The appearance of a surge of public interest in a particular topic affects the growth of the interest of fraudsters. Those. the number of domain registrations on a specific topic is directly proportional to the number of phishing domain registrations.
Therefore, the goal was to study trends, see the basic techniques that scammers used in 2020, and then clearly show and describe all this.
Coronavirus
This is an overarching theme that has set the tone for the entire year. Therefore, it was decided to take it to a separate point, so as not to return to it in each subsequent one.
, – . covid 1200%, corona – 600%. , .
: , , «covid» , «corona». .
, , . , 2020- ( - «informer», «radar», «bulletin» ..).
– . «»-: posobie16.gosuslugi[.]ru. gosuslugi, posobie, vyplaty ..
«»:
«» , – . 1 14 RU 66 COVID-19. 28 – . 22 -4 , – 11 ( « V» ).
,
-. , . 3 : , .
. , . , (. ). .
zoom , . zoom- 4, 28, – 49.
: Zoom, US, «» COM.
.
2020og[.]ru «0», «-» .
: , , . - « », 2 , , . « » (!) . -. ( ag-vmeste[.]ru), . , .
, , . , , , «» ( BONUS-CARD-LUCOIL[.]ru, BONUSI-LUKOIL[.]ru), , -, , , BelkaCar, , -, .
, . . , . « ». «-off».
-. . - : Boxberry, Wildberries, Cdek, Avito, Youla.
, , «» , 5-10 . e-commerce , . .
( «» order), («» delivery) («» pay). , «delivery» 53. 288. .
: 3 . , – . – . , 0 , – « ».
– . , , , «». , , , . « » .
. , . 2020, 10 -, sber . «-» , «» . sber-car, sber-burger, sber-maps, sber-disk, sber-book, sber-mobil . «SBER» - Bluetooth (« Bluetooth» ©TBBT S2E18). , .
, - , - : AVITO-SBERPAY-WALLET[.]RU ..
, , .
. , . VV W, 0 O, rn m . , . , : gosuslugie[.]ru, gosuslugis[.]ru
– .
VVWW-AVITO[.]ru
VWW-AVITO[.]ru
WWV-AVITO[.]ru
WWWSBERBANK[.]ru
: , «» ?
– - .
:
MY
MOI
LK
:
DELIVERY
DOSTAVKA
TRACK
CHECK
:
PAY
SECUREPAY
OPLATA
3DS
KASSA
SAFEDEAL
PROCESSING
:
HTTP-WWW-AVITO[.]ru
WWW-HTTPS-CDEK[.]ru
HTTPS-WWW-CDEK[.]ru
CDEK-RU-ORDER-WEBSITE-PAYMENT[.]ru
, , , . , .
AVITO-RU-ID83676894500-ORDER[.]ru
YOULA-RU-ID872798654490-ORDER[.]ru
AVITO-ORDER74916392[.]ru
AVITOPAY-ID7191392[.]ru
AVITOPAY-ID7491392[.]ru
AVITOPAY-ID74916392[.]ru
YOULA-ID74916392[.]ru
YOULA-ID74916396[.]ru
YOULA-ID74971392[.]ru
YOULA-ID749911392[.]ru
: , . «L-WWW-companyname.RU», «companyname-3DS.RU», «companyname-C2C.RU» .., .
– , , «» ( -, «» ..).
«» .
, , 2-3 . . , – .
«» . «» , . .
.
, . , , , . - , – . – , .
. 2 – «». .
. , Avito , .. - .
, , .
-
. , (https://www.sberbank.ru/promo/antifraud/check.html), , , . – .