They got off the hook: scammers refused to create fake cultural leisure sites
Phishing "mirrors" of cultural institutions are a thing of the past. The number of such sites has decreased sevenfold. Scammers have lost interest in creating them, as the costs of registering and promoting them are becoming higher than the potential profit. Instead, attackers use point-to-point attack schemes against people through hacking their social media accounts, malware, as well as voice and audio-visual deepfakes. According to experts, users now need to be even more vigilant as attacks become more sophisticated.
What is the reason for the decrease in the number of "mirrors" of sites?
Fake Internet pages disguised as websites of concerts, exhibitions and theatrical productions, hotels have lost their relevance to scammers, told Izvestia at the Coordination Center of the .RU/.RF domains. The dynamics of recent months shows that scammers are gradually abandoning the usual scenarios. If earlier in the holiday season they actively exploited these topics, now such schemes are becoming less and less in demand.
According to the Domain Patrol project, in 2024 there will be only three summer months in the zones.RU and .The Russian Federation has identified and blocked 642 phishing domains related to cultural events. In the summer of 2025, there are only 92. As a result, the number of such resources decreased by almost seven times. The greatest activity is still observed in July: last year, 253 fake websites were identified this month, this year — only 53.
This year, attackers have switched to attacks through popular messengers, and phishing campaigns targeting banks and marketplaces remain relevant, said a data analyst at the RU/ Domain Coordination Center.Russian Federation Evgeny Pankov.
In the first seven months of this year, Telegram (4711 domains), Avito (2209 domains), Sber (1839 domains), Yula (1720 domains), T-bank (1047 domains), WhatsApp (owned by Meta, which recognized as extremist in Russia and banned, 803 domains), Alfa-Bank (570 domains), Wildberries (509 domains), Ozon (385 domains) and Steam Community (306 domains).
— We are seeing an increase in the use of artificial intelligence tools to create more convincing attack scenarios. A separate disturbing trend is the involvement of children and teenagers in fraudulent schemes. Attackers use them as a "weak link", gaining access to family finances through social engineering, — said Evgeny Pankov.
Which schemes did the scammers switch to?
The reduction of phishing sites related to cultural events is only part of the overall picture, which indicates a redistribution of attackers' efforts in response to security measures and changes in user behavior, said Igor Bederov, head of the Information and analytical research department at T.Hunter.
— Scammers are actively moving from mass phishing to more sophisticated methods, including multi-channel and targeted attacks. After the revolving fines came into effect, the attackers' attention shifted towards organizations with higher potential financial returns. In the first half of 2025, the number of attacks on enterprise systems increased by 43%. There is also a growing number of attacks on cloud infrastructures due to configuration errors and leaked credentials," he said.
In addition, fraudsters actively use imitation of trusted brands on the Web, voice and audiovisual deepfakes, the expert added. The number of attacks through messengers, social networks, and landline telephony is increasing.
— The main victims were corporate users and users of mobile devices. Thus, there is an increase in phishing on mobile platforms by 25-40% compared to PCs, where protection mechanisms are less developed," he stressed.
Fedor Chunizhekov, head of the Positive Technologies research group, is confident that traditional schemes have not "gone away", but rather evolved.
"Today, mass mailings to phishing sites or deception pages have become more effectively blocked, so attackers are switching to more personalized deception techniques and additionally using malware," he said.
Among the popular schemes, the expert named personalized phishing using AI — letters, messages, for example, asking to borrow money. They also use phone calls to children on behalf of alleged law enforcement officers, intimidating them that their parents had allegedly violated the law. The attackers demanded to see their home for a "video search", and then sent fake "couriers" to "declare" (in fact, steal) valuables.
The main reason for the decline in interest in mirrors is the rising costs of registering, hosting and promoting them. In order to convince users of the authenticity of the resource, attackers have to invest in SEO, advertising and even fake security certificates, said Anton Nemkin, a member of the State Duma Committee on Information Policy and federal coordinator of the Digital Russia party project. These costs now often exceed the profits that can be made from deceived victims, especially when it comes to cultural institutions.
— It is important to understand that this does not mean reducing the threat level. On the contrary, attacks are becoming more sophisticated and difficult to recognize. It is becoming increasingly difficult for a user to distinguish a fake from the original, as attackers actively use social engineering, brand trust and psychological pressure," said Anton Nemkin.
Therefore, the key task today is to increase digital literacy and introduce additional levels of protection. Cultural institutions, like businesses in general, should invest not only in technical solutions, but also in audience education, he concluded.
Переведено сервисом «Яндекс Переводчик»
