Q2 2022 Phishing and Malware Report: Malware Volumes Increase 21% in Q2

After a drastic increase in malware emails in March 2022, malware leveled off in April and then rebounded in both May and June. Phishing, which historically sees much higher volumes than malware, saw month-over-month (MoM) increases throughout Q2, with a significant increase in June that pushed phishing emails back to the alarming volumes not seen since January 2022.

Malware rises and falls and rises again

After a 201% MoM increase in March 2022, malware emails decreased 48%, down from 32.9 million in March to 17 million in April. Malware rebounded 31% in May, with 22.4 million malware-weaponized emails detected. June saw even higher malware volumes (28.9 million), a 29% increase from the previous month.

Q2 Report

Phishing emails followed a different pattern, increasing each month in Q2. In April, phishing emails increased 23%, (36.6 million) followed by a 12% increase in May (41 million), and an 88% increase in June (77 million).

Q2 Report 1

Both phishing and malware email volumes topped nine figures in the first half of 2022. In H1, Vade detected 125,005,545 malware emails and 315,846,480 phishing emails. Notably, in all of 2021, Vade detected 241,900,915 malware emails. Barring a significant slowdown in H2, malware volumes in 2022 could outpace those of 2021.

Phishers continue to exploit trusted brands

The hallmark of phishing, brand impersonation is the primary tool with which phishers manipulate users into clicking on phishing emails. In Q2, phishers impersonated Facebook more than any other brand. Japanese telecommunications company, Au, was the second most impersonated brand in Q2, followed by Microsoft, Credit Agricole, and WhatsApp. Microsoft and Facebook alternate between the top spot quarter after quarter. Microsoft was the most impersonated brand in Q1 and in H1.

Q2 Report  2Top 10 impersonated brands in phishing in Q2 2022, based on unique phishing URLs

The financial services industry was the most impersonated in Q2, representing 31% of all unique phishing URLs detected by Vade, followed by social media (23%), Internet/Telco (20%), and cloud (17%).

Q2 Report 3

Financial services had nine brands in the top 25, more than any other industry on the list. Only Internet/telco brands came close, with five brands in the top 25, followed by eCommerce/logistics and cloud, each with four brands in the top 25.

Q2 Report 4

Phishing and malware trends: Exploiting global unrest and economic strain

Hackers of all types closely follow the news cycle. From inflation to fluctuating stocks to the decline of crypto, global unrest and economic strain were top motivators for hackers in Q2.

Emotet continues to haunt

The malware that came back to life after a short reprieve in 2021 continued to put businesses on edge in Q2. Emotet attacks in Europe increased 44% in Q2, with 70,762 Emotet-weaponized emails, compare to 49,216 attacks in Q1.

The volume of Emotet-laced emails in the US continues to pale compared to Europe, with 2,290 Emotet emails in the US, a decrease of 32% MoM. As you can see in the chart below, Emotet activity spiked in early April, then decreased throughout April and early May, then increased in mid-May and significantly in mid-June.

Q2 Report  5Emotet activity, Q2 2022

Spyware disguised as tax refunds slips past 47 antivirus programs

Tax-themed emails weaponized with spyware hit more than 9,000 users in India in June 2022. Vade first detected the campaign coming from a malicious IP on June 6, when more than 1,000 emails were sent. By June 13, that number exceeded 7,000.

The email, sent from a compromised email address, purports to come from the Indian tax department (incometaxindia.gov.in) and includes the subject line: Final Warning About Your Unsuccessful Tax Payment. The email includes a link, along with the instructions, “download and save a copy of your Payment Challan below.”

Q2 Report  6Indian government phishing email

The below link redirects to a website that downloads an archive with the name “Tax Invoice,” which also spreads under other names.

Q2 Report  7

The next link in the chain is from a legitimate website of an Indian construction company, which has most likely been compromised.

Q2 Report 8

The final website that downloads the malicious archive changes frequently, allowing the hacker to rotate between several compromised websites in the event that one site becomes disabled or any links become broken. The compromised email address, meanwhile, provides cover from detection, as seen in the SPF verification below.

Q2 Report  9SPF verification

The executable file containing the archive was detected by only 21 of 68 antivirus programs, revealing the sophistication of the campaign and the overall difficulty of detecting the executable, which was ultimately determined to be spyware.

Q2 Report  10

VirusTotal scan

Supply chain phishing

In May 2022, Vade detected a large-scale phishing attack impersonating Maersk, one of the world’s largest shipping companies. Exploiting the global supply chain crisis that is disrupting business operations around the world, phishers lured users with emails claiming to include shipping documents and linking to a Maersk phishing page.

Q2 Report  11Maersk phishing page

The phishing campaign, detected from January 2022 through May 2022, targeted more than 18,000 users in New Zealand, one of the countries hit hardest by the shipping crisis.

NFT scams

As economies around the world struggled with inflation and ongoing economic crises since the beginning of the pandemic, cryptocurrencies began a downward slide, and hackers took notice. On June 12, 2022, Vade detected a large-scale crypto phishing scam impersonating Trust Wallet.

Q2 Report  12

TrustWallet phishing email

Sent from a malicious Zendesk account, the phishing email urges the user to verify their account on the Trust Wallet site—or else risk seeing their wallet suspended. The Trust Wallet phishing page is highly sophisticated, with sleek visuals and even a countdown.

Q2 Report  13

TrustWallet phishing page with countdown

Q2 Report 14

Trust Wallet phishing page with recovery phrase

The inbox remains the #1 destination for hackers

The relative ease with which hackers can deliver punishing cyberattacks via email makes email one of the top vectors for attack and a constant menace for businesses and end users. Phishing emails impersonate the brands you trust the most, offering a wide net of potential victims and a cloak of legitimacy for the phishers masquerading as brands.

Email-borne malware is significantly easier to distribute than remote attacks, providing even inexperienced hackers with a quick and efficient method of causing destruction.

AI-based email security, combined with ongoing user awareness training, can significantly reduce the likelihood that your business will suffer the consequences.

New call-to-action