Market Research
Cybercriminal Forums Host Attack & Evasion Research Contests, Says Sophos

Sophos has announced its discovery regarding the role of research contests within cybercrime forums. These contests serve as a source of inspiration for the development of new attack techniques and methods to evade detection. Remarkably, these contests closely resemble legitimate security conferences’ “Call For Papers” and offer substantial financial rewards, peer recognition, and potential job opportunities to the winners.
Sophos X-Ops has detailed these findings in its latest report, titled “For the Win? Offensive Research Contests on Criminal Forums.” The primary objective of these contests is to foster innovation, and upon closer examination, the submitted entries provide invaluable insights into how cybercriminals strategize to overcome security challenges.
Interestingly, the landscape of these criminal forum competitions has evolved significantly over time. In the early days, cybercrime contests featured trivia quizzes, graphic design competitions, and guessing games. However, contemporary criminal forums are now encouraging attackers to submit comprehensive articles on technical subjects, complete with source code, videos, and screenshots. Following the submission, all forum users are invited to vote for the contest’s victor. Nevertheless, it’s worth noting that the judging process isn’t entirely transparent, as forum owners and contest sponsors also hold influence over the final decision.
“The fact that cybercriminals are running, participating, and even sponsoring these contests, suggests that there is a community goal to advance their tactics and techniques. There is even evidence to suggest that these competitions act as a tool for recruitment amongst prominent threat actor groups,” said Christopher Budd, director of threat research, Sophos. “While our research shows an increased focus on Web-3 related topics such as cryptocurrency, smart contracts and NFTs, many of the winning entries had a broader appeal and could be put to practical use, even if they weren’t particularly novel. This may be reflective of the priorities of the community but could indicate that attackers keep their best research to themselves as they can profit more from using them in real-world attacks.”
Sophos X-Ops delved into the examination of two notable annual competitions: one hosted by the Russian-language cybercrime platform Exploit, which offered a substantial prize pool of $80,000 to its 2021 contest winner, and another conducted on the XSS forum, featuring a prize fund of $40,000 in the year 2022. These contests have received sponsorship from influential figures within the cybercriminal community over several years, with notable contributors including All World Cards and Lockbit.
In the most recent iterations of these contests, Exploit centered its competition around the theme of cryptocurrencies, whereas XSS broadened its scope to encompass various topics, ranging from social engineering and attack vectors to evasion tactics and scam proposals. Many of the victorious entries concentrated on the exploitation of legitimate tools, such as Cobalt Strike. One of the runners-up even shared a tutorial on targeting initial coin offerings (ICOs) to raise funds for a new cryptocurrency, while another provided insights into manipulating privilege tokens to disable Windows Defender.
Cyber Security
The Average Time to Investigate a Cybersecurity Incident is Around 26.1 Days, says Binalyze

With the intricacies of the digital world growing exponentially, the relevance of effective and timely Digital Forensics and Incident Response (DFIR) cannot be overstated. Recognising this need for insight, Binalyze, in collaboration with the global market intelligence firm IDC, is excited to publish a compelling new report: “The State of Digital Forensics and Incident Response 2023”.
Based on an extensive survey conducted in June 2023, the study brings into focus the perspectives of over 100 cybersecurity professionals from five Middle Eastern countries. This diverse respondent pool consists of individuals directly influencing the cybersecurity functions within their organizations, with roles spanning SOC analysts, DFIR professionals, Incident responders, Threat hunters, SOC managers, and Directors.
The key findings of the report are critical for anyone involved in DFIR, from SOC teams to individual analysts and investigators. Report highlights include:
- According to the research and subsequent analysis, the average time to investigate an incident is approximately 26.1 days, and the time to resolve incidents is an additional 17.1 days.
- The importance of reducing “detection-to-resolution” times for efficient incident management.
- The ongoing skills shortage: 81% of respondents identified this as a major challenge.
“Our world thrives on digital connections, but with this connectivity comes vulnerabilities. As the frequency and intensity of cyber threats surge, the importance of DFIR in understanding, mitigating, and learning from these threats is paramount. There is a real and urgent need for forensic visibility at speed and scale. AIR is a game changer here and should be at the centre of all SOCs’ DFIR effort,” says Ahmet Öztoprak, Senior Sales Director of META at Binalyze.
This report serves as both a wake-up call and a guide. By leveraging the insights from the top cybersecurity professionals in the Middle East, ‘The State of Digital Forensics and Incident Response 2023’ aims to provide companies with the knowledge and solutions they need to combat emerging cyber threats effectively and maintain resiliency.
Cyber Security
Cybercriminals Used Malware in 7 Out of 10 Attacks on Individuals in the Middle East

Positive Technologies analyzed attacks on individuals in Middle Eastern countries between 2022 and 2023. Malware was used in 70% of successful attacks. More than half of these attacks involved spyware. The vast majority of attacks used social engineering techniques. In 20% of phishing campaigns, the attack was multi-pronged, exploiting multiple social engineering channels simultaneously.
“According to our data, cybercriminals employed malware in 7 out of 10 successful attacks on individuals in the Middle East region. More often than not, the attackers infected users’ devices with spyware (three out of five malware attacks). This type of malware collects information from the infected device and then passes it on to the attacker. Depending on the task, spyware can steal personal and financial data, user credentials, as well as files from the device’s memory,” the company said.
Positive Technologies Information Security Research Analyst Roman Reznikov said, “By using spyware, attackers can compromise not only personal and payment information and personal accounts, but also corporate credentials, network connection information, and other sensitive data. The stolen data is then offered for sale on the dark web forums. As a result, a skilled attacker can gain access to an organization and carry out a successful attack, leading to non-tolerable consequences: disruption of technological and business processes, theft of funds, leakage of confidential information, attacks on customers and partners.”
In the vast majority (96%) of successful attacks on individuals in Middle Eastern countries, social engineering techniques were employed. Most often, these were mass attacks in which the criminals aimed to reach the maximum number of victims. To achieve this, they actively leveraged current news about significant global and regional events, including the 2022 FIFA World Cup Qatar.
In every fifth (20%) phishing campaign, the attack was multi-pronged, exploiting multiple social engineering channels simultaneously. Criminals led the victims through a series of steps until the device was infected and data stolen. For instance, users could be lured through social media accounts that contained links to a messenger channel from which the victim would install a malicious application.
One of the reasons for the success of social engineering is the numerous data leaks from various organizations. “According to our research on the cybersecurity threatscape in the Middle East, 63% of successful attacks on individuals in the region resulted in leaks of confidential information. The majority of stolen information consisted of personal data (30%) and account credentials (30%). Cybercriminals were also interested in payment card data (10%) and user correspondence (8%),” the company added.
On the dark web, malicious actors sell information about users and also provide stolen data archives for free. Criminals use the compromised information in subsequent attacks on users. For example, a successful attack on a bank could result in fraudulent actions against its customers. Cybersecurity experts recommend that users follow cyber-hygiene rules.
Companies also need to ensure the security of employee and customer data. Data breaches cause reputational and financial damage and put at risk users whose information has been compromised. To maintain cyber-resilience, it’s essential to regularly assess the effectiveness of security measures and pay special attention to the verification of non-tolerable events.
Cyber Security
Group-IB and UAE Cybersecurity Council Reveal Scam Operation Targeting the MEA Region

Group-IB can reveal in coordination with the UAE Cybersecurity Council that the scam-as-a-service operation Classiscam is continuing its worldwide campaign well into 2023. In a new blog, Group-IB analysts detail how the automated scheme uses Telegram bots to assist with the creation of ready-to-use phishing pages impersonating companies in a range of industries, including online marketplaces, classified sites, and logistics operators. These phishing pages are designed to steal money, payment data, and in some cases, bank login credentials from unsuspecting internet users.
According to Group-IB’s findings, 251 unique brands in a total of 79 countries were featured on Classiscam phishing pages from H1 2021 to H1 2023. In addition, the phishing templates created for each brand can be localised to different countries by editing the language and currency featured on the scam pages. As a result, one particular logistics brand was impersonated by “Classiscammers” targeting users in as many as 31 countries.
Since the second half of 2019, when the Group-IB Computer Emergency Response Team (CERT-GIB) in cooperation with the company’s Digital Risk Protection unit first identified Classiscam’s operations, 1,366 separate groups leveraging this scheme have been discovered on Telegram. Group-IB experts examined Telegram channels containing information pertaining to 393 Classiscam groups with more than 38,000 members that operated between H1 2020 and H1 2023. During this period, these groups made combined estimated earnings of $64.5 million.
Group-IB has noted how the threat actors behind Classiscam have worked, since inception, to formalize and expand the scam model’s operations. From 2022 onwards, Classiscammers have introduced innovations such as phishing schemes designed to harvest the credentials of victims’ online bank accounts, and some groups have begun to use information stealers. In line with its mission of combating global cybercrime, Group-IB will continue to share its findings about Classiscam, drawn from the company’s proprietary Digital Risk Protection solution, with law enforcement authorities. The primary aim of this research is to raise public awareness about the latest scamming methods and reduce the number of victims of this scam operation.
Classiscam originally appeared in Russia, where the scheme was tried and tested before being launched across the globe. The scam-as-a-service affiliate program surged in popularity in the spring of 2020 with the emergence of COVID-19 and the subsequent uptick in remote working and online shopping. Group-IB experts noticed how the scam scheme was exported first to Europe, before entering other global regions, such as the United States, the Asia-Pacific (APAC) region, and the Middle East and Africa (MEA).
As of H1 2021, Classiscammers had targeted internet users in 30 countries. Group-IB experts can reveal that, as of H1 2023, this figure has risen to 79. In the same time period, the number of targeted brands on the global market has increased from 38 to 251. More than 61% of the Classiscam resources analyzed by Group-IB experts that were created between H1 2021 and H1 2023 targeted users in Europe. Other heavily targeted regions were the Middle East and Africa (18.7% of resources) and the Asia-Pacific region (12.2%).
With the MEA region being the second most targeted by Classiscam, countries in the region encountered challenges with targeted brand activities. The UAE was no exception to this, with its emphasis on technological innovation and many large and prominent brands operating in the country.
“In response to the rising amount of cyberattacks in recent years, the UAE has introduced a multifaceted approach to cybersecurity erected by five pillars. By fortifying global collaboration, encouraging Public Private Partnerships (PPPs), reinforcing cybersecurity measures, nurturing innovation, and promoting a cyber-literate society, the UAE is actively remediating the impact of cyber incidents. As the nation propels forward with digital transformation, the emphasis on responsible digitization remains paramount, ensuring a secure and thriving digital landscape,” said H.E. Dr. Mohamed Al Kuwaiti, Head of Cybersecurity for the UAE Government.
The average amount lost by Classiscam victims worldwide was $353. Users in APAC and MEA were less likely to fall victim to Classiscam schemes, but when they did, they saw greater losses on average. Classiscam was initially launched as a relatively straightforward scam operation: cybercriminals created fake ads on classified sites and used social engineering techniques to trick users into “buying” the falsely advertised goods or services, whether by transferring money directly to the scammers or by debiting money from the victim’s bank card.
Classiscam operations have become increasingly automated over the past two years. The scheme now uses Telegram bots and chats to coordinate operations and create phishing and scam pages in a handful of seconds. Many of the groups offer easy-to-follow instructions, and experts are on hand to help with other users’ questions. Over the past year, Group-IB researchers have seen roles within scam groups become more specialized within an expanded hierarchy.
Classiscam phishing pages can now include a balance check, which the scammers use to assess how much they can charge to a victim’s card, and fake bank login pages that they use to harvest users’ credentials. At the time of writing, Group-IB experts found 35 such scam groups that distributed links to phishing pages that included fake login forms for banking services. In total, Classiscam scammers created resources emulating the login pages of 63 banks in 14 countries. Among the targeted banks were those based in Belgium, Canada, Czech Republic, France, Germany, Poland, Singapore, and Spain.
“Classiscam shows no sign of slowing down and the ranks of the Classiscammers are continuing to swell. Over the past year, we have seen scam groups adopt a new, expanded hierarchy, and roles within organizations are becoming increasingly specialized. Classiscam will likely remain one of the major global scam operations throughout 2023 due to the scheme’s full automation and low technical barrier of entry,” said Sharef Hlal, Head of Group-IB’s Digital Risk Protection Analytics Team (MEA).