In 2015, we expect to see another stage in the evolution of cyber-criminal activity with the adoption of APT tactics and techniques in financially motivated online criminal activity.
During a recent investigation, we discovered an attack in which an accountant's computer was compromised and used to initiate a large transfer with a financial institution. It represented the emergence of an interesting trend: targeted attacks directly against banks.
We are seeing an upsurge in malware incidents where banks are being breached using methods coming directly from the APT playbook. Once the attackers got into the banks' networks, they siphon enough information to allow them to steal money directly from the bank in several ways:
- Remotely commanding ATMs to dispose cash.
- Performing SWIFT transfers from various customers accounts,
- Manipulating online banking systems to perform transfers in the background.
A new trend is embracing #APT style attacks in the #cybercriminal worldTweet
Such attacks are an indication of a new trend that is embracing APT style attacks in the cybercriminal world.APT groups fragment, diversify attacks
The naming-and-shaming of APT groups in 2014 led to the public exposure and indictment of a hacking group that allegedly carried out cyber-espionage against U.S. businesses.
We expect to see a shift in 2015 where the #APT groups splinter into smaller units, operating independentlyTweet
As security research teams continue to push for exposure of nation-state APT crews, we expect to see a shift in 2015 where the bigger, noisy APT groups splinter into smaller units, operating independently of each other. This in turn will result in a more widespread attack base, meaning more companies will be hit, as the smaller groups diversify their attacks. At the same time it means that bigger companies that were previously compromised by two or three major APT groups (eg. Comment Crew and Webky) will see more diverse attacks, coming from more sources.Old code, new (dangerous) vulnerabilities
Recent allegations of deliberate tampering and accidental failures in crypto implementations ("goto fail"), and critical vulnerabilities in essential software (Shellshock, Heartbleed, OpenSSL) have left the community suspicious of unaudited software. The reaction has been to either launch independent audits of key software or have security researchers poke them in search of critical vulnerabilities (tantamount to an unofficial audit). This means that 2015 will be another year of new, dangerous vulnerabilities appearing in old code, exposing the Internet infrastructure to menacing attacks.Escalation of ATM and PoS attacks
Attacks against cash machines (ATM) seemed to explode this year with several public incidents and a rush by law enforcement authorities globally to respond to this crisis. A corollary of this publicity is an awareness that ATMs are ripe for the taking and cybercriminals are sure to notice. As most of these systems are running Windows XP and also suffer from frail physical security, they are incredibly vulnerable by default and, as the impersonal gatekeepers of the financial institutions' cash, cybercriminals are bound to come knocking here first.
The next stage will see attackers compromising the networks of banks to manipulate #ATM #machines in real timeTweet
In 2015, we expect to see further evolution of these ATM attacks with the use of APT techniques to gain access to the "brain" of cash machines. The next stage will see attackers compromising the networks of banks and using that level of access to manipulate ATM machines in real time.Mac Attacks: OS X botnets
Despite efforts by Apple to lock down the Mac operating system, we continue to see malicious software being pushed via torrents and pirated software packages. The increasing popularity of Mac OS X devices is turning heads in the criminal world, making it more appealing to develop malware for this platform.
The increasing popularity of #MacOS X devices makes it more appealing to the #criminal world to develop #malwareTweet
The closed-by-default ecosystem makes it harder for this malware to successfully take hold of the platform, but there remains a subsection of users who'll gladly disable Mac OS X security measures – especially people who use pirated software. This means that those looking to hijack OS X systems for a variety of reasons know that they simply need to bundle their malware with desirable software (probably in the form of a key generator) to enjoy widespread success. Due to widespread beliefs about the security of the OS X platform, these systems are also unlikely to have an antimalware solution installed that will flag the infection so once the malware is installed, so it's likely to go unnoticed for a very long time.Attacks against ticketing machines
Incidents such as the NFC hack on Chilean public transport show an interest in abusing public resources such as transportation systems. Some hackers won't be looking to turn a profit from these types of attacks and will be satisfied to get some free rides and 'stick it to the man' by sharing this ability with others. However, ticketing systems are being shown to be vulnerable (many of them running Windows XP) and in many cities handle credit card transaction data directly. We expect to see bolder attacks on these systems to either game the system or steal credit card data for themselves.Attacks against virtual payment systems
Conventional wisdom tells us that cybercriminals are looking to monetize their daring exploits as simply and efficiently as possible. What better target than virtual payment systems in their infancy? As some countries like Ecuador rush to adopt virtual payment systems, we expect criminals to leap at every opportunity to exploit these. Whether social engineering the users, attacking the endpoints (cellphones in many cases), or hacking the banks directly, cybercriminals will jump all over directly monetized attacks and virtual payment systems will end up bearing the brunt.
We expect to the appearance of vulnerability warnings about weaknesses in #virtual #payment #systemsTweet
These fears can also be extended to the new Apple Pay, which uses NFC (Near Field Communications) to handle wireless consumer transactions. This is a ripe market for security research and we expect to the appearance of vulnerability warnings about weaknesses in Apple Pay, virtual wallets and other virtual payment systems.Apple Pay
Previous attacks have focused on NFC payment systems but, thanks to limited adoption, these have reaped limited rewards. Apple Pay is bound to change that. The enthusiasm over this new payment platform is going to drive adoption through the roof and that will inevitably attract many cybercriminals looking to reap the rewards of these transactions. Apple's design possesses and increased focus on security (like virtualized transaction data) but we'll be very curious to see how hackers will exploit the features of this implementation.Compromising the Internet of Things
Attacks against the Internet of Things (IoT) have been limited to proof-of-concepts and (sometimes overhyped) warnings that smart televisions and refrigerators will be targeted by hackers to create botnets or launch mischievous attacks.
In 2015, there will surely be in-the-wild attacks against networked printers and other #connected #devicesTweet
As more and more of these connected devices become available, we expect to see a wider discussion about security and privacy, especially among businesses in this space. In 2015, there will surely be in-the-wild attacks against networked printers and other connected devices that can help an advanced attacker to maintain persistence and lateral movement within a corporate network. We expect to see IoT devices form part of an APT group's arsenal, especially at high-value targets where connectivity is being introduced to the manufacturing and industrial processes.
On the consumer side, IoT attacks will be limited to demonstrations of weaknesses in protocol implementations and the possibility of embedding advertising (adware/spyware?) into smart TV programming.
Most phishing emails that aim to steal bank and e-payment data are written in English. However, we are seeing more and more fraudulent messages written in other languages, suggesting that the number of attacks targeting users in non-English speaking countries is growing. Here is an example of a fake notification in Japanese, supposedly sent on behalf of a major bank of Japan.
The text of the fake message warned users of a possible leak of their personal data. They were also told that the bank system security had been updated to protect their accounts so they had to follow the link and enter their login details and passwords on the bank's site to ensure their accounts weren't blocked. The information entered in the phishing form was sent to the fraudsters who got access to the personal account of the victims and could control their money via the online banking system.
The 'From' field of the email specified an address registered on a well-known free mail service from a Taiwanese (.tw) domain. The address of the phishing page in the body of the message was similar to the official web address of the bank but the real address of the page to which the user was redirected was different. Since the fraudulent page was designed to look like the bank's official page, users could only spot the trick if they paid close attention to the suspicious address in the browser.
A month later our colleagues registered a similar phishing mass mailing.
The sender's address looked genuine. The text informed recipients that the bank had updated its security system and users should follow the link to confirm their account details. That link went to the same phishing link as in the first example but this time the forgery was much more like a genuine link. Only a careful user would spot the difference.
In September there was a significant event in the IT industry - the iPhone 6 smartphone was presented to the public and put on sale. Not surprisingly, this was big news in the cybercriminal and spamming community as well and throughout the quarter we saw a sharp increase in spam about the famous brand. The number of phishing messages claiming to come from popular Apple services also significantly increased around the release date.
Spammers started offering the new smartphone long before its official release - as a prize for participating in questionnaires and special offers, as a gift when purchasing goods or using services offered in spam; the stylish accessory was the prize in various lotteries and featured in many false win notifications. Finally the iPhone 6 was offered for unbelievably low prices (compared to the official price).
Compared to the previous models the design of the iPhone 6 has several noticeable changes - including the size of the screen. This caused a burst of spam from factories producing all manner of accessories, actively offering protective cases and the like in the new size.
This all shows how a single event can trigger an increase in many different kind of spam, both swindles and adverts. In many cases it was also a powerful hook to draw attention to letters; the mere mention of the new iPhone in the subject header greatly increased the chances of the message being read.Spam as a way to steal mail addresses
The last quarter saw several leaks of account logins and passwords from major mail systems. The data appeared on the net, which worried users and prompted lively discussions about confidentiality. At the same time the companies owning the mail services announced that most of the published data was from long abandoned accounts and the few that were still active were probably hijacked by phishing.
We note that the ID data for an email account doesn't just give wrongdoers access to the owners' personal correspondence and their address books; it also opens up other services provided by the mail host. Logins and passwords for other resources could also fall into unwelcome hands, especially those for social networks and online stores registered to that mailbox. The demand for email logins and passwords is underlined by the volume of phishing communications we have found that were designed specifically for this purpose that. In the third quarter we encountered phishing letters using various methods to con people out of their data. Here are a few examples:
- Communications in which a phishing HTML-page is inserted directly into the letter.
- Communications with phishing links in the text of the letter. The false link might be tied to a text fragment or shown in the text of the letter. Often the swindlers place phishing pages on specially created third-level domains.
- Communications in which an email address and password have to be sent to a specific electronic address.
Among the most popular tricks used for stealing data are warnings about exceeding the size of a mailbox, system updates and blocking mailboxes. And although these phishing letters frequently imitate communications from specific mail services the great majority of them are just general requests to confirm logins and passwords for email addresses. Probably this is because the conmen are sending false warnings to a whole database of addresses at once rather than going through the unprofitably time-consuming process of selecting specific mail services.Spam is going beyond mail
Offers to conduct marketing campaign that will develop business and attract new clients is a popular and widespread trend in spam. Typically these involve mass mailshots to advertise services. Increasingly, though, these campaigns are moving away from mail services and email addresses and targeting mobiles and smartphones.
In the third quarter of 2014 spammers started offering SMS and instant messaging advertising more often. Does this mean that classic email spam is going to take a back seat and surrender its predominance to SMS spam? Having analyzed the link between SMS spam and email spam we came to the conclusion that this is unlikely. Firstly, more and more countries are alert to the problem of SMS spam and taking legislative measures banning this type of mass advertising. Secondly there is an obvious connection between all the media platforms used to distribute unwanted adverts and classic email spam.
The fact is, to find customers for their new products spammers continue to use old-fashioned techniques — with the help of spam mailings. There is even a specific type of email sendout in which spammers offer to buy readymade databases of electronic addresses and telephone numbers created using specific criteria to target a specific audience. There are also phishing mailshots aimed at collecting the personal data of users and organizations with the aim of consolidating them into databases for sale or use in mailshots. In this way spam is used to collect data for databases that are then offered for sale or used to send more spam. Spammers continue to use classic email spam to sell telephone numbers for use in SMS spam, and find buyers for their services.
Social networks are another media platform where spam distribution is growing. These have audiences in the millions and are gaining popularity all the time. At the same time hundreds of thousands of these accounts are "dead souls" - bots created specially for sending spam and stealing personal data from real users. In the last quarter we increasingly found spam content in apparently legal formal communications from social networks. What is happening is that almost all accounts in social networks are linked to the email addresses of their owners and messages distributed within the network are sent by email. The contents of such messages are typical spam: "Nigerian" stories of millions of dollars available to a helpful contact, offers of financial help to start a business or simply adverts for various goods.
This suggests that SMS mailshots and messages in social networks are not new types of spam but new methods that spammers have developed to deliver advertising to users. These are, in one way or another, linked to email spam. Moreover spammers can send the same message by various channels, which creates the impression of an increase in the overall quantity of unwanted adverts being sent.New developments in "Nigerian" spam
In the third quarter conmen used the political situation in Ukraine and the media storm around the Ebola virus as inspiration for their "Nigerian-style" tales. Politics is a popular topic for this type of conman, as can be seen by the large percentage of letters discussing political themes or well-known public figures. It's not surprising, then, that the situation in Ukraine was actively used during the third quarter. When creating the supposed authors of these messages the conmen didn't just invent Ukrainians in various professions; they also conjured up politicians and businessmen offering cash rewards for help in transferring or investing large sums of money.
Letters concerning the Ebola virus were usually sent in the name of individuals from West Africa infected with the deadly virus. But there were unusual variations, for example invitations to related conferences. Regardless of the author of the letter and the convincing tales within the aim of the conmen does not change from year to year — to relieve the victims of their money.Malicious email attachments
Top 10 malicious programs sent by email,
third quarter of 2014
In the third quarter of 2014 Trojan.JS.Redirector.adf was the malicious program most often distributed via email, according to our ranking. It appears as an HTML page which, when opened by users, redirects them to an infected site. There it usually offers to load Binbot — a service for the automatic trading of binary options, which are currently popular on the net. The malware spreads via email in a passwordless ZIP archive.
Next comes Trojan-Spy.HTML.Fraud.gen. This program was top of the list for several previous quarters but has finally been pushed down. Trojan-Spy.HTML.Fraud.gen is a phishing HTML page on which the user is asked to enter their confidential data. All the entered information is then sent to cybercriminals. Compared to the last quarter the figure for this malware has fallen by 0.62 percentage points.
In third place is Trojan.Win32.Yakes.fize, a Trojan loader of the Dofoil type. Its relative, Trojan-Downloader.Win32.Dofoil.dx, is in fourth. Malware programs of this type download another malicious program onto the user's computer, start it and use it to steal assorted user information, especially passwords.
In fifth and ninth places are two members of the universal bot module family Andromeda/Gamarue - Backdoor.Win32.Androm.enji and Backdoor.Win32.Androm.euqt. The main features of these malware programs are the ability to download, store and run executable files, downloading and loading DLL (without saving on disk), downloading plugins and the capability of updating and deleting themselves. The bot's functionality is enhanced with a system of plugins which can be downloded by the cybercriminals whenever necessary.
The sixth and seventh positions are taken by Trojan.Win32.Bublik.clhs and Trojan.Win32.Bublik.bwbx respectively. These are modifications of the well-known Bublik malware— a Trojan-loader that downloads a malicious file onto the user's computer and launches it.
In eighth place is the mail worm Email-Worm.Win32.Bagle.gt. The main function of all mail worms is to collect email addresses from infected computers. A mail worm of the Bagle family can also accept remote commands to install other malicious programs.
Our rating is completed by Trojan-Banker.Win32.ChePro.ink. This downloader is created in the form of a CPL-applet (a control panel component) and downloads Trojans designed to steal confidential financial information. Most programs of this type are aimed at Brazilian and Portuguese banks.Distribution of email malware by family
As regards the most popular families of malicious programs, their email distribution is as follows:
TOP 10 families of malware programs distributed by email,
third quarter of 2014
Heading the rating is the Andromeda family, which accounts for 12.35% of all malware. In second place is ZeuS/Zbot: members of this family are designed for attacks on servers and users' computers and also for capturing data. Although ZeuS/Zbot is capable of carrying out various harmful actions it is most often used to steal banking information. It can also install CryptoLocker - a malicious program that extorts money to decrypt users' data.
Bublik, which often loads Zbot, also made the top 10 most frequently encountered malware families.Countries targeted by malicious mailshots
Distribution of email antivirus activations by country,
third quarter 2014
In the third quarter there were some changes in the countries targeted by mailshots with malicious contents. Now we see Germany in top spot with 10.11%. Britain drops to second, losing 1.22 percentage points compared to the second quarter. In the third place is the USA, down 1.77 percentage points.
Russia, which in the second quarter was in 19th place with 1.48%, climbed to 6th place this quarter (4.25%); the share of malicious spam directed at the country increased almost threefold.Special features of malicious spam Ice Bucket Challenge
During the past quarter cybercriminals continued to use high profile events to attract attention to mailshots containing malware. This time around the Ice Bucket Challenge, a hugely popular summer campaign, was one of these events. The aim of this campaign was to raise awareness of amyotrophic lateral sclerosis, and also to collect funds to research the disease. An enormous number of people took part, many of them famous: actors, politicians, sportsmen and women, businessmen, and musicians poured ice-cold water over themselves, uploading videos of the process and passing the baton on further. At the peak of its popularity conmen got involved, seeing the campaign as a chance to attract attention to their malicious communications.
As a result unsuspecting users began to receive letters with offers to join the ALS association and change their lives, as thousands of others had already done. The recipients were offered an inspiring video to watch, located in an archive attached to the letter. But in place of the promised video a malicious program such as Backdoor.Win32.Androm.eu.op lay in wait. Such programs allow cybercriminals to infect computers, which often become part of botnets."Malicious messages" from booking systems
In the third quarter of 2014 cybercriminals sent some seasonal malicious spam tying in with the themes of the summer holidays. Spam traffic featured false messages from hotels, booking services and airlines in English and German. Traditionally the conmen try to convince users that a ZIP archive contains information about hotel bookings or air tickets.
Among others we found false communications from American Airlines; executable files were attached to letters that contained malware from the Net-Worm.Win32.Aspxor family. These net worms can send spam, download and run other programs, collect valuable data from the victim's computer (saved passwords, mail and FTP accounts) and also automatically search for vulnerable sites for further infections to keep spreading the bot.
Forged letters in German, supposedly sent by an Internet portal for booking hotels in Germany, contained the malware Trojan-Spy.Win32.Ursnif. This Trojan steals confidential data and is capable of monitoring net traffic, loading and running other malware programs and also switching off several system applications.Malware in ARJ archives
In September we detected a major malicious mailout with an unusual attachment for spam letters — an archive in ARJ format. It should be noted that this choice of file archiver was probably made precisely because of the unusual file format. The criminals assumed users would be aware of the potential dangers of ZIP and RAR archive attachments but may be less suspicious of an unfamiliar tag. Furthermore the ARJ archiver allows the file size to be reduced considerably and its source code is available to all for study and modification.
The cybercriminals sent several types of malicious letter within one mailout. These were an announcement about receipt of a fax, an account statement from a specific company and a personal communication with a greeting in the body of the letter. All the letters had an attachment in the form of a malicious program from the family Trojan-Downloader.Win32.Cabby, which distracts victims with an RTF or DOC document and loads a malware program from the ZeuS/Zbot family at the same. All attachment filenames were generated using the same format. To give the letters a unique feel the cybercriminals changed several fragments of the text and the antivirus automatic signature.
The proportion of spam in email traffic,
April – September 2014
The proportion of spam in email traffic according to the figures for the third quarter of 2014 was 66.9%, which is 1.7 percentage points lower than in the previous quarter. The greatest amount of spam was sent in August and the least in September.Spam source countries
Countries that are sources of spam,
third quarter 2014
In the third quarter of 2014 the USA remained the country that was the biggest source of spam, sending almost 14% of unwanted mail. In second place was Russia with 6.1%. Completing the trio of leaders was Vietnam with almost the same amount as Russia at 6% of the world's spam.
The distribution of sources of spam had few surprises. China (5.1%), Argentina (4.1%), and Germany (3.5) made it into the top ten with Brazil in tenth place at 2.9%.The size of spam letters
The sizes of spam letters,
third quarter 2014
The distribution of spam by size has hardly changed from the second quarter. The leaders remain very short letters of up to 1 Kb, which are quick and easy to handle in mass mailings. The proportion of these letters increased by 4.6 percentage points.
There was a slight reduction in the proportion of letters in the size range 2 Kb — 5 Kb — by 4.8 percentage points. There was also a small reduction in the amount of spam in the 5-10 Kb range, by 2.5 percentage points. However there was a 1.7 percentage point increase in the share of letters with a size of 10-20 Kb.Phishing
In the third quarter of 2014 the computers of users of Kaspersky Lab products recorded 71,591,006 instances that triggered the "Antiphishing" system. This is 11.5 million more than in the last quarter.
As in the second quarter, the largest single group of users subjected to phishing attacks was in Brazil — the number was up 3.53 percentage points to 26.73%.
The geography of phishing attacks*,
third quarter of 2014
* The percentage of users on whose computers the "Antiphishing" system was triggered out of the total number of users of Kaspersky Lab products in the country
Top 10 countries by percentage of attacked users:Country % of users 1 Brazil 26.73% 2 India 20.08% 3 Australia 19.37% 4 France 18.08% 5 UAE 17.13% 6 Canada 17.08% 7 Kazakhstan 16.09% 8 China 16.05% 9 UK 15.58% 10 Portugal 15.34%
There was a noticeable increase in attacked users in China (+4.74%), Australia (+3.27%), the UAE (+2.83%) and Canada (+1.31%).Organisations under attack
The statistics on the targets of phishing attacks are based on the triggering of the heuristic component of the "Antiphishing" system. The heuristic component of the "Antiphishing" system is triggered when the user follows a link to a phishing page and there is no information about this page in the Kaspersky Lab databases. For this it is not important how the page was entered, as the result of clicking on a link in a phishing letter, a social network message or, for example, as the result of an action of a malicious program. As a result of the triggering the user sees a warning of the possible threat in the browser.
As before, the "Email and search portals" category (previously known as "Global Internet portals") was the group of organizations most often subject to phishing attacks. However the share for this category has dropped sharply – by 22.15 percentage points – and in the third quarter it stands at 28.54%.
Distribution of organisations subject to phishing attacks,
third quarter of 2014
In the third quarter of 2014 the "Online finance" category saw a 13.39 percentage point rise to 38.23%. Within its sub-categories there were increases for the second quarter in a row for "Banks" (+6.16%), "Payment systems" (+5.85%) and "Online shops" (+3.18%).
Distribution of phishing attacks on payment systems,
third quarter 2014
Phishing attacks on payment systems are particularly attractive because conmen can get their hands directly on their victims' money. Paypal was the most frequently targeted payment system (32.08%) with Visa (31.51%) close behind and American Express in third with 24.83%.
Phishing attacks on the users of payment systems are often conducted by sending false letters, apparently written by representatives of the financial organizations. These letters contain threats to block the account or stop account activity and are designed to startle users into a rash response, which could include transferring confidential information to cybercriminals.
An example of a phishing letter with a threat to block the victim's account
In this example the letter was sent from a suspicious address that didn't match Paypal's usual mailing address. There was a threat to the user that the account would be blocked if account data was not renewed, and a request to follow the link and enter personal data on the page that opened.
Phishing page imitating a Paypal website page
Following the link the user sees a page imitating the layout of the official Paypal website, with a form for the entry of personal data. However the connection to this page is not protected, which is shown by the lack of HTTPS in the address line and the indicated IP address does not belong to Paypal.Top 3 attacked organizations Organization % of phishing links 1 Google 10.34% 2 Facebook 10.21% 3 Yahoo! 6.36%
The top three target organizations remain Google, Facebook and Yahoo!, however there have been changes within the top three. The numbers for Google (10.34%) and Facebook (10.21%) have increased slightly: these organizations have gone up a place in step. Yahoo!, which was the undisputed leader in the first half of 2014, has dropped down to third — the figure for the organization decreased by 24.62% to 6.36%.Hot topics in phishing
Apple was not in the top three, although it climbed in the rating of organizations subject to phishing attacks to reach fourth place with a figure of 1.39% (+0.98%). At the beginning of September the company was involved in a major scandal, connected with leaked photographs of famous people from its iCloud storage servcie. Apple dismissed rumours about the presence of vulnerabilities in the service leading to leaked data; it could be the result of a phishing attack targeting users of Apple products (it is not clear whether this was a targeted attack or if hackers were simply lucky that there were several stars among their victims).
In addition, the new iPhone 6 and 6 Plus were announced on 9 September. Major events in a company usually attract additional interest from swindlers so it is not surprising that we recorded a growth in the number of false communications sent in the name of representatives of Apple services such as iTunes and iCloud.
Conmen used the name of the company to attract users' attention and frequently used the same letter format, changing only the name of the Apple service.
Number of daily phishing attacks imitating pages of Apple resources,
second and third quarters of 2014
Apple uses a two stage check for Apple ID to protect the personal data of users, including the registration of one or several trusted devices. The two stage check eliminates the possibility of unsanctioned access to or alteration of the user's registered details and prevents outsiders from making purchases by using stolen registration details. On 5 September Apple announced that it would soon be taking additional safety measures which would inform users of suspicious activity on their accounts.
Example phishing pages requesting Apple ID data
Among other things, users can improve their safety by attentively studying any page that asks for confidential information. Attention should be paid to the presence of a protected connection and whether the domain belongs to Apple. It is worth considering what information is being requested - conmen frequently ask for information unrelated to what is needed for using Apple ID; they often ask for bank card details under the pretext of linking them to the account. In these cases if the users independently supply the swindlers with financial information Apple's defenses cannot protect them from the consequences.
Example of a phishing page imitating an Apple request for confirmation of personal informationConclusion
The share of spam in email traffic for the third quarter of 2014 was 66.9%, which is 1.7 percentage points less than in the last quarter.
The topics of spam in the third quarter strongly reflected major news events such as the release of the iPhone 6, political developments in Ukraine, the leak of network passwords from major mail services, the Ice Bucket Challenge campaign and the summer holiday season. Major world events are also actively exploited in "Nigerian" spam.
The three leading source countries for spam sent across the world are the USA (14%), Russia (6.1%) and Vietnam (6%).
The rankings of malware programs sent by email, according to third quarter figures, are headed by Trojan.JS.Redirector.adf (2.8%), which sends users to an infected site. Among the families of malicious programs the Andromeda family was the leader with a 12.35% share of all malware. Users in Germany experience more attacks than those anywhere else.
The third quarter saw spam traffic consisting of phishing letters aimed at trying to steal logins and passwords for email accounts, and the release of the new iPhone saw a flare up of phishing communications apparently sent from the Apple iTunes and iCloud services.
In order to install their malicious programs on users' computers in the third quarter cybercriminals sent out not only false communications from hotel booking services and airlines but also letters with long unused file archivers.
The growth of phishing attacks on organizations involved in online financial operations continued (banks, payment systems, online shops). There was a significant reduction in the number of attacks on organizations from the category "Email and search portals", down to 28.54%. There was also a noticeable reduction in the proportion of attacks directed at Yahoo!, one of the organizations in this category.
A long time has passed since we published our analysis of threats for home network devices. Since then, the situation has significantly changed - alas, not for the better. Back in 2011, we were concerned mainly about the security of SOHO routers, DSL modems and wifi access points. Today, we are talking about the whole Internet-of-Things, which includes every single machine, appliance or gadget that is able to communicate over the Internet.
Let's recall what kind of threats for network devices we were aware of at the end of 2011:
- DNS poisoning, drive-by pharming and SOHO pharming: exploitation of vulnerabilities in a web interface of a router/modem to change its DNS settings in order to redirect users to malicious websites
- UPnP & SNMP based attacks: exploitation of vulnerabilities and implementation issues in widely used protocols in order to get access to the device
- Malicious binaries: Linux-based DDoS (Distributed Denial of Service) tools, especially customized to run on routers; router botnets, capable of conducting a wide range of attacks; worms, infecting routers and spreading through the network
And now, let's look at the year 2014 and see which of our predictions came true...More SOHO pharming attacks
True. There have been numerous attacks utilizing a router's DNS settings to obtain users banking credentials and redirect users to malicious websites. Just to name a few of the biggest incidents:
- January 2014: huge SOHO pharming campaign affecting a wide range of routers from several manufacturers all over the world.The attackers exploited a variety of vulnerabilities to change the DNS settings of more than 300 000 devices, mainly located in Vietnam, India and Thailand, but also in several countries in Europe, both Americas and Africa. As a result, all traffic from behind the compromised routers was redirected to the malicious servers, enabling cybercriminals to decide if users should be pointed to the original version of the website they requested, or to the phishing/malicious one.
- February 2014: another large scale campaign using the DNS poisoning technique. This time the attack was highly targeted and the goals of the cybercriminals were strictly defined: the attack was designed to steal the banking credentials from users of five popular Polish banks. In this case the number of infected routers was about 100 and most of them were located in Poland and Russia. When users tried to log into the online banking website, they were redirected to a modified site which requested them to provide the confidential information.
- September 2014: classical drive-by pharming attack targeting home routers in Mexico and Brazil. This attack started with malicious email, spammed to a large number of Portuguese-speaking users, in which cybercriminals tried to lure the recipient to click on the link to malicious website. The HTML script on this website was designed to try several combinations of default credentials to access the configuration of the router and change its DNS settings. If this approach failed, the script displayed a pop up, asking user to enter the router credentials manually.
True. We have discovered more malware samples that are affecting MIPS routers, and – more importantly – samples developed in such a way that they might be compiled for different platforms (MIPS, ARM, Intel, PPC, SuperH, etc.) and run on different kinds of Linux-based devices. A couple of examples:
- Aidra – an open source DDoS tool, designed to scan modems/routers and create a botnet from exploitable devices. There are currently several Aidra binaries in the wild, compiled for different platforms (MIPS, ARM, PPC, SuperH), which means that this worm has been customized to be able to infect Internet-of-Things devices.
- Darlloz – a Linux worm and bot designed for MIPS, ARM and Intel architectures, spreading through a PHP-CGI vulnerability to randomly generated IP addresses and capable of downloading and running additional code. It communicates with the malicious operator by opening a backdoor on TCP port 58455 and waiting for commands. It infected more than 30 000 devices, mainly in the US and China, and – as it was proven later – was used to install crypto-currency mining software (cpuminer), at least on Intel x86 devices.
- The Moon worm – a mysterious worm, spreading through a remote authentication bypass exploit in the implementation of the HNAP protocol in Linksys E-Series routers. This malware collects information about the device and communicates with its C&C (Command and Control) servers using quotes and images from the 2009 sci-fi movie called "The Moon". The IP ranges that the worm scans, in order to exploit them, are hard-coded in the binary and include about 670 networks, most of which belong to certain DSL and cable modem ISPs in different countries.
Figure 1 – Aidra - open source DDoS tool
Figure 2a – Darlloz worm, code compiled for ARM architecture
Figure 2b – Darlloz worm, same code snipped, compiled for x86 architecture
Figure 3 – The Moon worm, strings related to The Moon movie
True. The story published in the German c't magazine revealed the first router malware that was trying to make persistent changes to the router firmware. The malware consisted of several Linux shell scripts that were responsible for downloading the modified version of the firmware, overwriting the original image and rebooting the router. The malicious firmware came with a modified init script, which launched a sniffing tool (dsniff) on the infected machine, capturing traffic and sending all the intercepted data to the C&C FTP server. This malware was found to be affecting not only routers but also other Linux-based embedded devices, such as Dreambox DVB receivers.
Figure 4 – Flasher, script replacing the original firmware
Figure 5 – Flasher, script running the sniffer and uploading the data to FTP serverCross-platform and multi-platform malware
True. Malware and botnets traditionally associated with Windows machines only, now start to use routers and other Internet enabled devices for different malicious purposes:
- The Sality virus was found to incorporate SOHO routers in its replication process, by using DNS poisoning method to redirect users to infected files. In this case, the malware used was Windows malware similar to the DNSChanger Trojan.
- The Black Energy 2 botnet also got an IoT upgrade: it started to use additional plugins which are designed to run on Linux-based MIPS and ARM devices. These modules are capable of performing DDoS attacks, stealing passwords, scanning ports in the network and sniffing traffic. They are communicating with C&C servers and are able to execute specified shell commands and download and launch additional binaries. We have recently published an in-depth analysis of Black Energy 2, where you can find much more details about it.
True. Several critical vulnerabilities affecting Internet-of-Things devices were discovered and reported to the vendors this year. Just to name a few:
- Rom-0 vulnerability in ZyXEL routers, which allows an attacker to download the router's configuration file without any authentication
- CVE-2014-2719 vulnerability in ASUS wireless routers, which allows an attacker to retrieve the router's credentials
- 15 zero-day vulnerabilities in 10 different SOHO router models, revealed at the Defcon 22's SOHOpelessly Broken contest
- Our colleague, David Jacoby, found interesting zero-days in the devices he uses at home.
- We also need to remember that the Heartbleed and Shellshock vulnerabilities affect some Linux-based network devices and internet-of-Things devices as well.
But what is even more scary than the growth in discovered vulnerabilities, is the fact that certain vendors seem to implement hardcoded firmware backdoors in their products, providing cybercriminals with an easy way-in, especially to devices that no longer receive any updates.
As we can see, the security situation of the network devices didn't much improve since 2011. Most of our predictions came true: the threats are on the rise and cybercriminals widen their interest not only to home routers and modems, but to the whole Internet-of-Things. Although both the vendos and the ISPs are slowly realizing the threat and trying to make their devices more secure, there is still a lot to do. For example, one of the very serious issues is that most of the older devices are not receiving firmware updates anymore, so if there is any new attack vector discovered, users can do literally nothing to protect themselves against it, unless they decide to purchase an (often expensive) newer version of the device, that is still being supported. This issue is not easy to fix: for the vendors, it wouldn't really be cost-effective to support each of the devices they offer for a long period of time; and without the software patches, there is not much to do to secure these devices from the customer's side. Times has changed, and we need to come up with a new security model for Internet of Things, as the old one is not working properly anymore.
To learn, how to protect your home network, please read the guidelines put together by my colleague, David Jacoby.
Our homes today look more like small offices. We have tons of different devices connected to our network, everything from storage devices and network equipment to wireless network printers. The entire "home entertainment" industry is getting connected: it is very difficult to buy a TV, DVD or Blu-ray player that's does not have WIFI… the same thing goes for the gaming industry: all new gaming consoles require Internet connectivity.
I do love the fact that we are applying new technology to old concepts, and improving functionality. I personally even have my old retro computers connected to the Internet - and we are talking about old computers such as Commodore 64, Amiga 500 and Atari computers - because I love the fact of adding new functionality to old things.
And as we know, with great power comes great responsibility. But this is not something that the consumer product vendors are really adopting when adding extra functionality to their "old" products. I did some research where I looked into the devices that were connected to my own home network, and the result was extremely scary! Within minutes I was able to fully compromise some of my devices, turning them into zombie machines in botnets, bypassing all the security and accessing files on storage devices that I did not have the authority to access.
Many people still believe that these attacks are difficult, and require someone to sit on the same network as your devices, for example on your private WIFI connection, but this is false perception. There are very easy and effective ways to compromise the network of connected devices behind your personal firewall remotely over the Internet.
My colleague, Marta Janus, also did some very interesting research where she looked into the (in)security of home modems and routers, and we both came to the same conclusion. We need to act now! This is not a futuristic problem, this problem exists now. Cybercriminals are exploiting these weaknesses right now and the industry is not doing enough about this.
This is not only a technical problem that can be resolved with a patch. Consumers in general are very bad at understanding how these network connected devices should be installed. All of these devices have different usage, and because of that also require different network configurations. We are very lazy, and without proper installation instructions we simple connect the devices to our network; and when that is done, we consider the installation complete.
What is happening is that you are sharing the same network configuration among all devices. This results, for example, in having a TV, Blu-ray player and network storage device on the same network as the laptop you use to do online banking, home finances, online shopping and maybe even work.
The vendors also need to take more responsibility when shipping consumer products. Most people don't understand that the support lifecycle of these devices is only about six months; after that there will be no more updates or support from the vendor, because they need to support the next upcoming products.
From talking to friends and family, it's clear that they have a problem realizing that this is actually a threat! People still believe that it's always "someone else" who will get infected with malicious code, or who will get their credit card details or identity stolen. Please wake up to the real world - this is happening right here, right now! Some really good examples of these types of attacks are:
- Customers to one of the largest ISPs in Sweden were sent vulnerable routers by the ISP, allowing attackers to remotely compromise the device though a "god-like" account with an very weak password; and all devices had the same account with the same password.
- A large amount of money was stolen from the customers of five popular Polish banks, following an attack in which cybercriminals changed the settings of hundreds of vulnerable SOHO routers in order to redirect users to the fake banking websites.
- Malware (Psyb0t) targeted home SOHO routers exploiting software weaknesses, but also weak passwords in the administrative interface - turning the device into a zombie in a botnet.
- Malware (BlackEnergy2) implemented additional modules, designed to run on Internet-of-Things devices, in order to perform DDoS (Distributed Denial of Service) attacks, steal passwords and sniff network traffic.
- Malware (Flasher) replaced the firmware on vulnerable SOHO devices with a modified system image that eavesdrops on users' network activity.
As researchers it is very easy to identify security weaknesses and flame the vendors about them, but it is a bit more challenging to come up with an effective conclusion. Together with Marta, we compiled a little list of easy tips and tricks that you should apply if you have network connected devices. It's only general tips because finding one solution that works on multiple devices is very complex; all products look and feel different and have different usages.
- Change default passwords on the device; attackers will try to exploit this!
- If possible try to update the firmware to the latest version!
- If you do not use the network connectivity on the device, TURN IT OFF! If you use it, or if it's necessary for the device to work, make sure that there is NO REMOTE ACCESS to the management interface of the device from the outside world.
- Apply strong network segmentation for your connected devices
- Does the device require access to the INTERNET?
- Does the device, for example a TV, require access to the same network as your personal data?
- Switch off unnecessary features. Contemporary IoT devices usually implement a variety of different functionalities, some of which you might not even be aware of. It's good practice, after buying each new device, to learn about all its features and disable the ones that you are not going to use. Having all the features enabled increases the potential attack surface.
- Read The Fascinating Manual. Every device is shipped with a manual, which documents its features and configuration settings. Also, there is usually a lot of additional documentation available online. To keep your home secure, you should always familiarize yourself with any new device that you are going to incorporate into your network and take all the recommended steps to make the device as secure as possible.
- Please contact the support team of the vendor if you do have questions. When buying consumer products, you also pay for support. Use it! They will offer guidance for your specific device!