The National CERT of the Republic of Serbia would like to inform and warn the citizens of a multitude of current online phishing and ransomware campaigns along with the existence of malicious applications for mobile devices. Beside the usual Internet based campaings targeting email addresses of the users, some SMS or mobile phone call based campaigns have also been observed.

These messages or malicious applications usually contains information on COVID-19, but a certain number of messages with different content have also been detected, since the users understandably switched to online and mobile communication during the state of emergency.

As part of preventive measures and actions, the National CERT urges all citizens to additionally verify the legitimacy of messages or calls requiring their personal data such as: user name and password, unique citizens identity number, current account number, credit card number including PIN and similar, so as to prevent the abuse of their accounts and personal data by the malicious Internet users.

The National CERT of the Republic of Serbia informs the citizens and companies that a phishing campaign abusing the Covid-19 pandemic, targeting the public institutions and companies is under way. An email sent from address katarina.vojvodic@batut.org.rs, contains a fake notification from the Institute of Public Health of Serbia „Dr Milan Jovanović Batut“ about free distribution of protective gear to all registered individuals, and an attachment titled „preventive gear application form.pdf.zip“. This fake registration requires filling-in of the attached application form and it being sent by the end of working hours, thus abusing the emergency procedure and starting the download of malicous software - malware LokiBot. More on this malware can be found here

The National CERT advises all citizens and companies who receive such notification not to open the attachment contained in the email and report the phishing attempt to vtk@mup.gov.rs

Here you can find a warning issued by the Department of prevention of high tech crime, of the Ministry of Interior.

The National CERT wishes to warn the users of Microsoft Office 365 of a possible new phishing campaign where attackers try to get hold of the users’ Office 365 account login credentials.

The phishing message features fake notification about the Zoom communication platform account being taken down, with a link redirecting the user to a fake Microsoft login page. Based on the latest research, similar phishing messages appear to have reached over 50,000 email addresses so far. Taking over the credentials enables the attackers to access and abuse all the sensitive information stored in these accounts.

More info is available at the following links:

• https://www.bleepingcomputer.com/news/security/persuasive-office-365-phishing-uses-fake-zoom-suspension-alerts/
• https://abnormalsecurity.com/blog/abnormal-attack-stories-spoofed-zoom-attack/

So far, with the pandemic still increasingly present and a great deal of work being done from home, numerous abuses of communications platforms have been observed, among them the popular Zoom application. For more, please follow the National CERT’s link.

On April 28, 2021, the first regular meeting of the government body CERT, the National Bank of Serbia and independent ICT system operators' CERTs was hosted by the National CERT. The challenges discussed at the meeting pertain to ever growing sophisticated phishing campaigns, highlighting the necessity of systems for detection and prevention of such types of attacks, as well as raising awareness both with the employees and the general public about this threat. Particular importance was placed on a continuous exchange of information on current events and activity plans for the future.

In accordance with the Law on Information Security, the National CERT, government body CERT and independent ICT system operators' CERTs maintain constant cooperation in the aim of improving the cyber security of the Republic of Serbia.

The National CERT of the Republic of Serbia informs the public about an ongoing phishing campaign that misuses the name of the National Bank of Serbia.  

Scams are being delivered to citizens via email or social media, requesting the entry of personal and financial information, which attackers can use to withdraw funds from citizens' accounts.  

The announcement from the National Bank of Serbia is available at the following link.  

In order to improve cooperation and strengthen public and private partnerships, the National CERT held its first regular meeting with Special CERTs. The representatives of Special CERTs presented their activities over the previous period, as well as challenges they encountered in their everyday work. Particular importance was placed on the importance of a continuous exchange of information about current activities regarding the National CERT and Special CERTs. The discussion was also held about current phishing campaigns, with a conclusion to improve the education of both employees and general public.

The National CERT, operating under RATEL, keeps a registry of Special CERT's in the Republic of Serbia, in accordance with the Law on Information Security. The Special CERTs perform tasks of prevention and protection against security risks in the area of cyber security. For more details on services provided to users, please visit: https://www.cert.rs/en/evidencija-certova.html

The National CERT of the Republic of Serbia would like to warn the public of current phishing campaign targeting Meta (Facebook) users.

The users are advised to be watchful if they receive a Messenger text reading „I think I saw you in this video, is this really you?“ including a link supposedly leading to the mentioned video clip. The purpose of the link is to obtain user account data, in order to abuse the account for the further malicious content distribution. The users are therefore advised not to click on links contained in this type of messages and to delete the communication right away.

If however the user has already clicked on the link and disclosed their personal data (user name and password), in an attempt to access the video supposedly featuring their person, it is necessary to immediately change the user name and password of that account, as well as all other accounts where that same user name and password are in use.

Message sample: 

The Naional CERT would like to warn all postal service users that a fraud abusing the name of the Post of Serbia is active again. The customers are sent an SMS about a parcel supposedly not being able to be delivered due to an unpaid customs fee. For a successful delivery, a click on an included link is needed.

This link however leads to a fake page where the customer is asked to fill in their credit card data, which then enables the attackers to clear the user’s bank account.

The Public Enterprise „Post of Serbia“ has repeatedly reminded its users that this is not how it communicates with its customers, so extra caution is warranted.

The National CERT urges all recipients of such SMS not to open the link contained in the message and not to enter the information required by the fraudsters.

The National CERT website offers publications on similar threats, including an explanation about how current phishing campaigns are being carried out.

It is advised that this fraudulent activity be reported to the Post of Serbia via its Call Center at 0700 100 300 and 011 3607 788, from 8h to 20h on business days and from 8h to 15h on weekends, and also to the National CERT.