Beyond the Headlines: The Silent Surge of Digital Fraud in 2025

Beyond the Headlines: The Silent Surge of Digital Fraud in 2025

The digital world is awash with news of spectacular cyberattacks – ransomware shutting down hospitals, data breaches exposing millions. These events grab headlines, with clear victims and a definitive moment of impact. But another, equally damaging threat operates quietly in the background: digital fraud. Unlike a sensational cyberattack, digital fraud rarely makes the front page, even as it costs businesses and individuals billions of dollars each year. So why does this silent threat go unnoticed, and what new forms is it taking?

Read on to uncover the latest fraud vectors and how to fortify your defenses.

Weekly Threat Overview: The Accelerating Pace of Digital Fraud

The cybersecurity landscape in 2025 is marked by an unprecedented speed, volume, and sophistication of attacks. Adversaries are increasingly bypassing traditional malware in favor of more elusive tactics that exploit human vulnerabilities and system misconfigurations.

Key trends dominating the threat landscape include:

  • Hands-on-Keyboard Attacks: A staggering 79% of detections in 2024 were malware-free, a significant increase from 40% in 2019. This shift means attackers are manually operating within networks, mimicking legitimate user activity to evade detection.
  • Shrinking Breakout Times: The average time for an eCrime adversary to move laterally from initial access to other valuable assets has plummeted to 48 minutes, with the fastest recorded breakout at just 51 seconds. This leaves defenders with less than a minute to detect and respond before attackers gain deeper control.
  • Surge in Vishing and Social Engineering: Vishing attacks alone saw a 442% increase between the first and second halves of 2024, as adversaries increasingly rely on compromising identities and human-centric tricks to gain initial access.
  • Rise of Access Brokers: There was a 50% increase in advertised access to organizations by specialized brokers who acquire and sell network access to other threat actors, including ransomware operators.
  • AI and Generative AI (GenAI) in Attacks: GenAI has become a low-barrier-to-entry tool for adversaries, enabling them to craft highly convincing phishing messages and deepfake content for social engineering and information operations.
  • Cloud Incidents via Valid Accounts: Misuse of legitimate credentials accounted for 35% of cloud-related incidents in the first half of 2024, highlighting adversaries' focus on compromising identities to access corporate environments.
  • Geopolitically Motivated Cyberattacks: Activity from China-nexus adversaries, for example, surged by 150% across all sectors and 200-300% in key targeted industries in 2024, demonstrating increasingly bold objectives and stealthy tactics.

These trends underscore a critical shift: successful defense no longer relies solely on traditional perimeter security but demands real-time detection, identity protection, and a proactive, adversary-focused approach.

The Most Interesting Case: CURLY SPIDER's Four-Minute Ransomware Incursion

In 2024, the eCrime adversary CURLY SPIDER emerged as one of the fastest and most adaptive threats, executing high-speed, hands-on-keyboard intrusions. This group's tactics vividly illustrate the current landscape of sophisticated social engineering combined with rapid operational tempo.

2.1 What Happened, How Discovered, What Was the Damage

CURLY SPIDER relies heavily on social engineering for initial access. In a notable incident, the adversary initiated an attack chain that lasted less than four minutes from the first user interaction to establishing persistence.

  1. Initial Deception: The victim received a large number of spam messages, seemingly from various charities, newsletters, or financial offers.
  2. Vishing Attack: Shortly after, the victim received a phone call from an individual impersonating IT support, claiming the spam was due to malware or outdated spam filters. This is a classic vishing tactic, leveraging a pre-existing "problem" to gain trust.
  3. Remote Access: The fake IT support convinced the user to join a remote session using a legitimate Remote Monitoring and Management (RMM) tool, such as Microsoft Quick Assist. The attacker guided the user through the installation if the tool wasn't already present.
  4. Rapid Exploitation: Once remote access was established, CURLY SPIDER quickly deployed its payload, which included scripts executed via curl or PowerShell. These scripts modified registry run keys to ensure execution upon startup and removed forensic artifacts to cover tracks.
  5. Persistence: Within minutes, the adversary created a backdoor user account, embedding persistence directly into the system. The final payload ran under the guise of a legitimate binary to blend with normal activity and avoid detection.

How it was discovered: The attack was stopped by CrowdStrike OverWatch, an advanced threat hunting service. This highlights the critical role of proactive, human-led threat hunting backed by robust technology in detecting these fast-moving, malware-free intrusions.

What was the damage: In this particular instance, the attack was prevented before it could fully unfold. However, CrowdStrike Intelligence noted that CURLY SPIDER's tactics directly support ransomware operations, often collaborating with WANDERING SPIDER, the group behind Black Basta ransomware. Had the attack not been stopped, the potential damage would have been a full-scale Black Basta ransomware deployment, leading to significant data encryption, exfiltration, and financial demands. The cumulative cost of such digital fraud, even when not making headlines, is immense.

2.2 How to Mitigate and Prevent It Next Time

To defend against rapid, social engineering-driven attacks like those by CURLY SPIDER, organizations must adopt a layered and proactive security posture:

  • Implement Phishing-Resistant MFA: Move beyond basic MFA to solutions like FIDO2 security keys or number-matching devices. These methods are significantly harder for adversaries like SCATTERED SPIDER (who also targets MFA) to manipulate.
  • Comprehensive User Awareness Training:
    • Educate employees on recognizing vishing (phone-based phishing), callback phishing, and general social engineering tactics.
    • Specifically train staff to be wary of unexpected calls from "IT support" asking for remote access, especially after unusual events like spam bombardments.
    • Emphasize that IT support will never ask for credentials or remote access via unsolicited calls.
    • Instruct employees to verify any suspicious requests directly through official, known company channels, not by calling back a number provided by the suspicious caller.
    • For password reset requests, consider requiring video authentication with government-issued identification.
  • Real-time Threat Detection and Response (XDR/SIEM):
    • Deploy Extended Detection and Response (XDR) platforms or next-generation Security Information and Event Management (SIEM) systems that offer unified visibility across endpoints, networks, cloud environments, and identity systems. This allows security teams to correlate suspicious behaviors and visualize the entire attack chain, crucial for catching fast-moving threats.
    • Prioritize real-time threat detection to intercept intrusions before they spread and minimize impact.
    • Engage in proactive threat hunting to identify pre-attack behaviors and block adversary actions early.
    • Accelerate response times to counter rapid breakout events.
  • Strong Identity and Access Management (IAM):
    • Prioritize identity protection with just-in-time access, regular account reviews, and conditional access policies.
    • Monitor for multiple users registering the same device or phone number for MFA, which could indicate compromise.
  • Adopt a Zero Trust Architecture: Implement the "never trust, always verify" principle across your network. This architecture helps to quickly contain suspicious activity by segmenting the network, limiting an attacker's ability to move laterally even if initial access is gained.
  • Patch Management and Vulnerability Prioritization: Regularly patch and update critical systems, especially internet-facing services. Focus on vulnerabilities that affect critical and high-risk systems, potentially using AI-driven tools for prioritization.
  • Secure Configuration Management: Regularly check and update SaaS application settings, and disable unnecessary features and integrations.
  • Data Loss Prevention (DLP): Implement DLP solutions to protect against data exfiltration.

By integrating these strategies, organizations can build a more resilient defense against the rapidly evolving and often invisible threats of digital fraud. The human element remains critical; educating employees to be the first line of defense is as important as deploying advanced technologies.

Further Resources: How to Secure Your Website

For a visual guide on securing your website and protecting it from hackers, watch this insightful video:

Sources

Made on Tilda

Made on
Tilda