Malware RSS Feed

Detecting Fraud

SANS Tip of the Day - Wed, 12/14/2016 - 00:00
Review your bank, credit card and financial statements regularly to identify unauthorized activity. This is one of the most effective ways to quickly detect if your bank account, credit card or identity has been compromised.

Zcash, or the return of malicious miners

Malware Alerts - Mon, 12/12/2016 - 04:01

On 28 October, the cryptocurrency world saw the emergence of a new player, the Zcash (ZEC) cryptocurrency. Its developers have described it rather figuratively: “If Bitcoin is like HTTP for money, Zcash is HTTPS.” They continue by noting that “unlike Bitcoin, Zcash transactions can be shielded to hide the sender, the recipient and value of all transactions.”

The cryptocurrency market has been looking for this level of anonymity for a while now, so ZEC has attracted considerable interest from investors, miners and cybercriminals alike. Several major cryptocurrency exchanges were quick to offer support for the new currency.

Zcash got off to a flying start; within the first few hours, 1 ZEC reached $30,000. It should be pointed out, however, that there were only a few dozen coins in existence at that time, so the actual turnover was very low.

In the following days, ZEC’s value steadily declined against Bitcoin. At the time of writing, it had leveled out temporarily at 0.07 – 0.01 ZEC/BTC (around $70). Despite this dramatic drop from the initial values (which was anticipated), Zcash mining remains among the most profitable compared to other cryptocurrencies.

Ranking of cryptocurrency mining profitability, as reported by the CoinWarz website

This has led to the revival of a particular type of cybercriminal activity – the creation of botnets for mining. A few years ago, botnets were created for bitcoin mining, but the business all but died out after it became only marginally profitable.

In November, we recorded several incidents where Zcash mining software was installed on users’ computers without permission. Because these software programs are not malicious in themselves, most anti-malware programs do not react to them, or detect them as potentially unwanted programs (PUP). Kaspersky Lab products detect them as not-a-virus:RiskTool.Win64.BitCoinMiner.

Cybercriminals use rather conventional ways to distribute mining software – they are installed under the guise of other legitimate programs, such as pirated software distributed via torrents. So far, we have not seen any cases of mass-mailings or vulnerabilities in websites being exploited to distribute mining software; however, provided mining remains as profitable as it is now, this is only a matter of time. The software can also be installed on computers that were infected earlier and became part of a for-rent botnet.

The most popular mining software to date is nheqminer from the mining pool Micemash. It has two known variations: one earns payments in bitcoins, the other in Zcash. Both are detected by Kaspersky Lab products, with the respective verdicts not-a-virus:RiskTool.Win64.BitCoinMiner.bez and not-a-virus:RiskTool.Win64.BitCoinMiner.bfa.

All that cybercriminals need to do to start profiting from a mining program on infected computers is to launch it and provide details of their own bitcoin or Zcash wallets. After that, the “coin mining” profit created by the pool will be credited to the cybercriminals’ addresses, from where it can be withdrawn and exchanged for US dollars or other cryptocurrencies. This is what allows us to ‘snoop’ on some of the wallets used by cybercriminals. Here’s just one example:

Using a wallet’s address, we can find out how much money arrived and from which source (i.e. the mining pool) (

We see that the address was created on 31 October, just a couple of days after Zcash launched, and payments are still being made to it at the current time. You may be wondering what happened to the promised anonymity. Actually, there are two types of wallets in Zcash: completely private purses (z-address) and public wallets like that shown above (t-address). At the current time, the completely private wallets are not very popular (they are not supported by exchanges), and are only used to store around 1% of all existing Zcash coins.

We found approximately 1,000 unique users who have some version of the Zcash miner installed on their computers under a different name, which suggests these computers were infected without their owners’ knowledge. An average computer can mine about 20 hashes per second; a thousand infected computers can mine about 20,000 hashes a second. At current prices, that equals about $6,200 a month, or $75,000 a year in net profits.

Here are just a few real-life examples of the names used by these program and where they are installed on infected computers:

C:\Program Files\Common Files\nheqminer64.exe

As you can see, the names of many mining programs coincide with those of legitimate applications, but the installation location is different. For instance, the legitimate Windows Task Manager app (taskmngr.exe) should be located in the system folder C:\Windows\System32 and not in C:\system.

To ensure that the mining program is launched each time the operating system starts, the necessary records are added either to Task Scheduler or to the registry auto-run keys. Here are some examples of these records:

Task Scheduler\Microsoft\Windows Defender\Mine

A couple of detected websites distributing mining programs:


Additional DLLs are required for the mining program to work. These DLLs, shown below, are installed along with the mining program.


So, what are the threats facing a user who is unaware that their computer is being used for cryptocurrency mining?

Firstly, these operations are power hungry: the computer uses up a lot more electricity, which, in some countries, could mean the user ends up with a hefty electricity bill.

Secondly, a mining program typically devours up to 90% of the system’s RAM, which dramatically slows down both the operating system and other applications running on the computer. Not exactly what you want from your computer.

To prevent the installation of mining programs, Kaspersky Lab users should check their security products and make sure detection of unwanted software is enabled.

All other users are encouraged, at the very least, to check their folders and registry keys for suspicious files and records.

Kaspersky Security Bulletin 2016. Story of the year

Malware Alerts - Thu, 12/08/2016 - 03:54

 Download the PDF


In 2016, ransomware continued its rampage across the world, tightening its hold on data and devices, and on individuals and businesses.

The numbers speak for themselves:

  • 62 new ransomware families made their appearance.
  • There was an 11-fold increase in the number of ransomware modifications: from 2,900 new modifications in January/March, to 32,091 in July/September.
  • Attacks on business increased three-fold between January and the end of September: the difference between an attack every 2 minutes and one every 40 seconds.
  • For individuals the rate of increase went from every 20 seconds to every 10 seconds.
  • One in five small and medium-sized business who paid the ransom never got their data back.

2016 also saw ransomware grow in sophistication and diversity, for example: changing tack if it encountered financial software, written in scripting languages, exploiting new infection paths, becoming more targeted, and offering turn-key ransomware-as-a-service solutions to those with fewer skills, resources or time – all through a growing and increasingly efficient underground ecosystem.

At the same time, 2016 saw the world begin to unite to fight back:

The No More Ransom project was launched in July, bringing togetheal Police, Europol, Intel Security and Kaspersky Lab. A further 13 organizations joined in October. Among other things, the collaboration has resulted in a number of free online decryption tools that have so far helped thousands of ransomware victims to recover their data.

This is just the tip of the iceberg – much remains to be done. Together we can achieve far more than any of us can on our own.

What is ransomware?

Ransomware comes in two forms. The most common form of ransomware is the cryptor. These programs encrypt data on the victim’s device and demand money in return for a promise to restore the data. Blockers, by contrast, don’t affect the data stored on the device. Instead, they prevent the victim from accessing the device. The ransom demand, displayed across the screen, typically masquerades as a notice from a law enforcement agency, reporting that the victim has accessed illegal web content and indicating that they must pay a spot-fine. You can find an overview of both forms of ransomware here.

Ransomware: the main trends & discoveries of 2016

“Most ransomware thrives on an unlikely relationship of trust between the victim and their attacker: that, once payment is received, the ransomed files will be returned. Cybercriminals have exhibited a surprising semblance of professionalism in fulfilling this promise.”

GReAT, Threat Predictions for 2017

Arrivals and departures Arrivals – in 2016, the world said hello to Cerber, Locky and CryptXXX – as well as to 44,287 new ransomware modifications

Cerber and Locky arrived in the early Spring. Both are nasty, virulent strains of ransomware that are propagated widely, mainly through spam attachments and exploit kits. They rapidly established themselves as ‘major players’, targeting individuals and corporates. Not far behind them was CryptXXX. All three families continue to evolve and to hold the world to ransom alongside well-established incumbents such as CTB-Locker, CryptoWall and Shade.

Locky ransomware has so far been spread across 114 countries #KLReport


As of October 2016, the top ransomware families detected by Kaspersky Lab products look like this:

Name Verdicts* percentage of users** 1 CTB-Locker Trojan-Ransom.Win32.Onion /
Trojan-Ransom.NSIS.Onion 25.32 2 Locky Trojan-Ransom.Win32.Locky /
Trojan-Dropper.JS.Locky 7.07 3 TeslaCrypt (active till May 2016) Trojan-Ransom.Win32.Bitman 6.54 4 Scatter Trojan-Ransom.Win32.Scatter /
Trojan-Ransom.BAT.Scatter /
Trojan-Downloader.JS.Scatter /
Trojan-Dropper.JS.Scatter 2.85 5 Cryakl Trojan-Ransom.Win32.Cryakl 2.79 6 CryptoWall Trojan-Ransom.Win32.Cryptodef 2.36 7 Shade Trojan-Ransom.Win32.Shade 1.73 8 (generic verdict) Trojan-Ransom.Win32.Snocry 1.26 9 Crysis Trojan-Ransom.Win32.Crusis 1.15 10 Cryrar/ACCDFISA Trojan-Ransom.Win32.Cryrar 0.90

* These statistics are based on the detection verdicts returned by Kaspersky Lab products, received from usersof Kaspersky Lab products who have consented to provide their statistical data.
** Percentage of users targeted by a certain crypto-ransomware family relative to all users targeted with crypto-ransomware.

Departures – and goodbye to Teslascrypt, Chimera and Wildfire – or so it seemed…

Probably the biggest surprise of 2016 was the shutdown of TeslaCrypt and the subsequent release of the master key, apparently by the malware actors themselves.

TeslaCrypt “committed suicide” – while the police shut down Encryptor RaaS and Wildfire #KLReport


Encryptor RaaS, one of the first Trojans to offer a Ransomware-as-a-Service model to other criminals shut up shop after part of its botnet was taken down by the police.

Then, in July, approximately 3,500 keys for the Chimera ransomware were publicly released by someone claiming to be behind the Petya/Mischa ransomware. However, since Petya used some of the Chimera source code for its own ransomware, it could in fact be the same group, simply updating its product suite and causing mischief.

Similarly, Wildfire, whose servers were seized and a decryption key developed following a combined effort by Kaspersky Lab, Intel Security and the Dutch Police, now appears to have re-emerged as Hades.

Abuse of ‘educational’ ransomware

Well-intentioned researchers developed ‘educational’ ransomware to give system administrators a tool to simulate a ransomware attack and test their defenses. Criminals were quick to seize upon these tools for their own malicious purposes.

Ransomware developed for ‘education’ gave rise to Ded Cryptor and Fantom, among others #KLReport


The developer of the educational ransomware Hidden Tear & EDA2 helpfully posted the source code on GitHub. Inevitably, 2016 saw the appearance of numerous malicious Trojans based on this code. This included Ded Cryptor, which changed the wallpaper on a victim computer to a picture of an evil-looking Santa Claus, and demanded a massive two Bitcoins (around $1,300) as a ransom. Another such program was Fantom, which simulated a genuine-looking Windows update screen.

Unconventional approaches
  • Why bother with a file when you can have the disk?

    New approaches to ransomware attacks that were seen for the first time in 2016 included disk encryption, where attackers block access to, or encrypt, all the files at once. Petya is an example of this, scrambling the master index of a user’s hard drive and making a reboot impossible. Another Trojan, Dcryptor, also known as Mamba, went one step further, locking down the entire hard drive. This ransomware is particularly unpleasant, scrambling every disk sector including the operating system, apps, shared files and all personal data – using a copy of the open source DiskCryptor software.

    Attackers are now targeting back-ups and hard drives – and brute-forcing passwords #KLReport

  • The ‘manual’ infection technique

    Dcrypter’s infection is carried out manually, with the attackers brute-forcing passwords for remote access to a victim machine. Although not new, this approach has become significantly more prominent in 2016, often as a way to target servers and gain entry into a corporate system.

    If the attack succeeds, the Trojan installs and encrypts the files on the server and possibly even on all the network shares accessible from it. We discovered TeamXRat taking this approach to spread its ransomware on Brazilian servers.

  • Two-in-one infection

    In August we discovered a sample of Shade that had unexpected functionality: if an infected computer turned out to belong to financial services, it would instead download and install a piece of spyware, possibly with the longer term aim of stealing money.

    Shade downloaded spyware if it found financial software #KLReport

Ransomware in scripting languages

Another trend that attracted our attention in 2016 was the growing number of cryptors written in scripting languages. In the third quarter alone, we came across several new families written in Python, including HolyCrypt and CryPy, as well as Stampado written in AutoIt, the automation language.

A long line of amateurs and copycats

Many of the new ransomware Trojans detected in 2016 turned out to be of low-quality; unsophisticated, with software flaws and sloppy errors in the ransom notes.

Poor quality ransomware increases likelihood of data being lost forever #KLReport


This was accompanied by a rise in copycat ransomware. Among other things, we spotted that:

  • Bart copies the ransom note & the style of Locky’s payment page.
  • An Autoit-based copycat of Locky (dubbed AutoLocky) uses the same extension “.locky”.
  • Crusis (aka Crysis) copies the extension “.xtbl” originally used by Shade.
  • Xorist copies the whole naming scheme of the files encrypted by Crusis.

Probably the most prominent copycat we discovered this year was Polyglot (aka MarsJoke). It fully mimics the appearance and file processing approach of CTB-Locker.

These trends are all expected to increase in 2017.

“As the popularity continues to rise and a lesser grade of criminal decides to enter the space, we are likely to encounter more and more ‘ransomware’ that lacks the quality assurance or general coding capability to actually uphold this promise. We expect ‘skiddie’ ransomware to lock away files or system access or simply delete the files, trick the victim into paying the ransom, and provide nothing in return.”

GReAT, Threat Predictions for 2017

The thriving ransomware economy

The rise of RaaS

While Ransomware-as-a-Service is not a new trend, in 2016 this propagation model continued to develop, with ever more ransomware creators offering their malicious product ‘on demand’. This approach has proved immensely appealing to criminals who lack the skills, resources or inclination to develop their own.

Ransomware is increasingly for hire on the criminal underground #KLReport


Notable examples of ransomware that appeared in 2016 and use this model are Petya/Mischa and Shark ransomware, which was later rebranded under the name Atom.

This business model is increasingly sophisticated:

The Petya ransomware partner site

The partner often signs up to a traditional commission-based arrangement. For example, the “payment table” for Petya ransomware shows that if a partner makes 125 Bitcoins a week thy will walk away with 106.25 Bitcoins after commission.

Petya payment table

There is also an initial usage fee. Someone looking to use the Stompado ransomware, for example, needs to come up with just $39.

With other criminals offering their services in spam distribution, ransomware notes etc. it’s not difficult for an aspiring attacker to get started.

From commission-based networks to customer support and branding

The most ‘professional’ attackers offered their victims a help desk and technical support, guiding them through the process of buying Bitcoins to pay the ransom, and sometimes even being open to negotiation. Every step further encouraged the victim to pay.

Criminals offer customer support to ensure more victims pay #KLReport


Further, Kaspersky Lab experts studying ransomware in Brazil noticed that for many attacks, branding the ransomware was a matter of some importance. Those looking for media attention and customer fear would opt for a high profile, celebrity theme or gimmick – while those more concerned about staying under the radar would forgo the temptation of fame and leave their victims facing just an e-mail for contacting the bad guys and a Bitcoin address to pay into.

It’s still all about the Bitcoins

Throughout 2016, the most popular ransomware families still favored payment in Bitcoins. Most ransomware demands were not excessive, averaging at around $300, although some were charged – and paid – a great deal more.

Others, particularly regional and hand-crafted operations, often preferred a local payment option – although this also meant that they were no longer able to hide in plain sight and blend in with the rest of the ransomware noise.

Ransomware turned its weapons on business

In the first three months of 2016, 17% of ransomware attacks targeted corporates – this equates to an attack hitting a business somewhere in the world every two minutes1. By the end of Q3 this had increased to 23.9% – an attack every 40 seconds.

A business is attacked with ransomware every 40 seconds #KLReport


According to Kaspersky Lab research, in 2016, one in every five businesses worldwide suffered an IT security incident as a result of a ransomware attack.

  • 42% of small and medium-sized businesses were hit by ransomware in the last 12 months.
  • 32% of them paid the ransom.
  • One in five never got their files back, even after paying.
  • 67% of those affected by ransomware lost part or all of their corporate data – and one- in-four spent several weeks trying to restore access.

One in five SMBs never gets their data back, even after paying #KLReport


Social engineering and human error remain key factors in corporate vulnerability. One in five cases involving significant data loss came about through employee carelessness or lack of awareness.

“We are seeing more targeted ransomware, where criminal groups carefully hand-pick and spear-phish their targets because of the data they possess and/or their reliance on the availability of this valuable data.”

John Fokker, Digital team Coordinator with the Dutch National High Tech Crime unit

Some industry sectors are harder hit than others, but our research shows that all are at risk

There is no such thing as a low-risk sector anymore #KLReport

Tweet Industry sector % attacked with ransomware 1 Education 23 2 IT/Telecoms 22 3 Entertainment/Media 21 4 Financial Services 21 5 Construction 19 6 Government/
public sector/defence 18 7 Manufacturing 18 8 Transport 17 9 Healthcare 16 10 Retail/wholesale/leisure 16 Ransomware attacks that made the headlines
  • Hospitals became a prime target – with potentially devastating impact as operations were cancelled, patients diverted to other hospitals and more.

  • Hosted desktop and cloud provider VESK paid nearly $23,000 dollars in ransom to recover access to one of its systems following an attack in September.

  • Leading media, including the New York Times, the BBC and AOL were hit by malware carrying ransomware in March 2016.

  • The University of Calgary in Canada, a major research center, acknowledged it had paid around $16,000 to recover emails that been encrypted for a week.

  • A small police station in Massachusetts, ended paying a $500 ransom (via Bitcoin) in order to retrieve essential case-related data, after an officer opened a poisonous email attachment.

  • Even motor racing was hit: a leading NASCAR racing team faced losing data worth millions to a TeslaCrypt attack in April.

Fighting Back

Through technology

The latest versions of Kaspersky Lab products for smaller companies have been enhanced with anti-cryptomalware functionality. In addition, a new, free anti-ransomware tool has been made available for all businesses to download and use, regardless of the security solution they use.

A new free, AV-independent anti-ransomware tool is available #KLReport


Kaspersky Lab’s Anti-Ransomware Tool for Business is a ‘light’ solution that can function in parallel with other antivirus software. The tool uses two components needed for the early detection of Trojans: the distributed Kaspersky Security Network and System Watcher, which monitors applications’ activity.

Kaspersky Security Network quickly checks the reputation of files and website URLs through the cloud, and System Watcher monitors the behavior of programs, and provides proactive protection from yet-unknown versions of Trojans. Most importantly, the tool can back up files opened by suspicious applications and roll back the changes if the actions taken by programs prove malicious.

Through collaboration: The No More Ransom Initiative

On 25 July 2016, the Dutch National Police, Europol, Intel Security and Kaspersky Lab announced the launch of the No More Ransom project – a non-commercial initiative that unites public and private organizations and aims to inform people of the dangers of ransomware and help them to recover their data.

The online portal currently carries eight decryption tools, five of which were made by Kaspersky Lab. These can help to restore files encrypted by more than 20 types of cryptomalware. To date, more than 4,400 victims have got their data back – and more than $1.5 million dollars in ransom demands has been saved.

No More Ransom has so far got 4.400 people their data back – and deprived criminals of $1.5 million in ransom #KLReport


In October, law enforcement agencies from a further 13 countries joined the project, including: Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland and the United Kingdom.

Eurojust and the European Commission also support the project’s objectives, and more partners from the private sector and law enforcement are expected to be announced soon.

“Public/Private partnerships are the essence and the strength of the NMR initiative. They are essential to effectively and efficiently tackle the problem, providing us with much greater capability and reach than law enforcement could have alone.”

Steven Wilson, Head of Europol’s EC3

Standing up to ransomware – how to stay safe
  1. Back up data regularly.
  2. Use a reliable security solution, and remember to keep key features – such as System Watcher – switched on.
  3. Always keep software updated on all the devices you use.
  4. Treat email attachments, or messages from people you don’t know, with caution. If in doubt, don’t open it.
  5. If you’re a business, you should also educate your employees and IT teams; keep sensitive data separate; restrict access; and back up everything, always.
  6. If you are unlucky enough to fall victim to an encryptor, don’t panic. Use a clean system to check our No More Ransom site; you may well find a decryption tool that can help you get your files back.
  7. Last, but not least, remember that ransomware is a criminal offence. Report it to your local law enforcement agency.

“We urge people to report an attack. Every victim holds an essential piece of evidence that provides invaluable insight. In return, we can keep them informed and protect them from dodgy third-party ‘offers’ to unencrypt data. But we need to ensure that more law enforcement offices know how to deal with digital crime.”

Ton Maas, Digital team Coordinator with the Dutch National High Tech Crime unit

Why you shouldn’t pay – advice from the Dutch National High Tech Crime Unit
  1. You become a bigger target.
  2. You can’t trust criminals – you may never get your data back, even if you pay.
  3. Your next ransom will be higher.
  4. You encourage the criminals.
Can we ever win the fight against ransomware?

We believe we can – but only by working together. Ransomware is a lucrative criminal business. To make it stop the world needs to unite to disrupt the criminals’ kill-chain and make it increasingly difficult for them to implement and profit from their attacks.

1Estimates based on: 17% of 372,602 unique users with ransomware attacks blocked by Kaspersky Lab products in Q1, 2016 and 23.9% of 821,865 unique users with ransomware attacks blocked by Kaspersky Lab products in Q3,2016.


SANS Tip of the Day - Wed, 12/07/2016 - 00:00
Phishing is when an attacker attempts to fool you into clicking on a malicious link or opening an attachment in an email. Be suspicious of any email or online message that creates a sense of urgency, has bad spelling or addresses you as "Dear Customer."

Never Give Your Password Over the Phone

SANS Tip of the Day - Tue, 12/06/2016 - 00:00
Never give your password to someone over the phone. If someone calls you and asks for your password while saying they are from the Help Desk or Tech Support team, it is an attacker attempting to gain access to your account.

New wave of Mirai attacking home routers

Malware Alerts - Mon, 11/28/2016 - 13:24


Starting from yesterday, many DSL customers in Germany were reporting problems with their routers, which weren’t able to connect to their ISP anymore or that the internet connection was very weak. Today we saw news, that a malicious attack could be the reason for this widespread problem.

Fortunately we got some more technical details from users reporting the specific behaviour. With this information, were able to get hands on some samples and were able to reconstruct some details. Let’s have a quick look:

Exploiting the remote management protocol

As mentioned, users were seeing suspicious network activity. They saw this request incoming on TCP port 7547:

This request is part of the TR-069 specification, that defines an application layer protocol for remote management of end-user devices. This particular request is defined in the TR-098 data model for TR-069.

A vulnerability in affected routers causes the device to download the binary with file name “1” from http://l.ocalhost[.]host to the /tmp/-directory and executes it. The IP addresses of this host changed a few times during the day. Starting from 28th November 2016, 16:36 CET the domains cannot be resolved to domains anymore (“NXDOMAIN”).

Mirai related binary

During a quick analysis of the ELF 32-bit MIPS-MSB (big endian) variant used in todays attacks on German customers, we saw this Mirai-related sample perfoming this behaviour:

  • Delete itself from filesystem (resides only in memory)
  • Close vulnerable port using iptables: “iptables -A INPUT -p tcp –destination-port 7547 -DROP
  • Resolve command and control servers using DNS
    • timeserver[.]host
    • securityupdates[.]us
  • Scan the internet for open TCP 7547 and infect other devices using the same malicious request as seen above.

Since the malware is not able to write itself to the router’s persistent filesystem, the infection will not survive a reboot.

Our products detect the corresponding binaries as HEUR:Backdoor.Linux.Mirai.b

Update (2016-11-28 19:50 CET)

At the moment the C2 servers timeserver[.]host and securityupdates[.]us are both pointing to US military related IPs in the range. Since there is no Mirai related infrastructure behind this network range, the bots will not receive any further commands until the criminals behind this attack will change the DNS records again.

IOCs Samples




Malicious code and the Windows integrity mechanism

Malware Alerts - Mon, 11/28/2016 - 04:41


Ask any expert who analyzes malicious code for Windows which system privileges malware works with and wants to acquire and, without a second thought, they’ll tell you: “Administrator rights”. Are there any studies to back this up? Unfortunately, I was unable to find any coherent analysis on the subject; however, it is never too late to play Captain Obvious and present the facts for public evaluation.

My goal wasn’t to review the techniques of elevating system privileges; the Internet already has plenty of articles on the subject. New mechanisms are discovered every year, and each technique deserves its own review. Here, I wanted to look at the overall picture and talk about the whole range of Windows operating systems in all their diversity dating back to Windows Vista, but without discussing specific versions.

Step Back in Time

The Windows XP security model differs significantly from the security model of Windows Vista and newer operating systems. There are two types of user accounts in Windows XP: a standard account and an administrator account. The vast majority of users worked with administrator rights, despite the fact that they didn’t need the rights for everyday tasks. These people infected their systems with malicious software that acquired the rights of the current user and, more often than not, they were administrator rights. As a result, the malicious software did not encounter any serious problems acquiring elevated privileges in a system running Windows XP.

This mechanism was used until the release of the Windows Vista family, where Microsoft introduced a new security model: Windows integrity mechanism.

Integrity Level in Windows 10

Roughly speaking, the two aforementioned user account types are present in the new mechanism; however, the operating system now utilizes the Admin Approval Mode. Yes, that very same, our “beloved” UAC (User Access Control). As soon as there is a need for elevated privileges, a UAC dialog pops up and prompts the user for permission to perform a certain action.

The human factor is one of the primary security problems, and that is why placing responsibility on a user who doesn’t know the first thing about computer security is, to say the least, a questionable decision. Microsoft itself has issued the following statement on the topic: “One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, but it is not a cure all. UAC helps most by being the prompt before software is installed.” For those interested in Microsoft’s position on the matter, I recommend reading the following blog posts: User Account Control, User Account Control (UAC) – quick update, Update on UAC.

The Windows Integrity Mechanism

The new Windows integrity mechanism is the main protection component of the Windows security architecture. The mechanism restricts access permissions of applications that run under the same user account, but that are less trustworthy. Put more simply, this mechanism assigns an integrity level to processes as well as other securable objects in Windows. The integrity level restricts or grants access permissions of one object to another.


I won’t go into detail about the operation of the integrity mechanism. We only need one table to simplify interpretation of the gathered statistics: the table shows the connection between integrity levels and SID security identifiers (see Table 7) that identify the user, group, domain, or computer accounts in Windows.

SID in Access Token Assigned Integrity Level LocalSystem System LocalService System NetworkService System Administrators High Backup Operators High Network Configuration Operators High Cryptographic Operators High Authenticated Users Medium Everyone (World) Low Anonymous Untrusted

Most applications launched by a standard user are assigned a medium integrity level. Administrators get a high integrity level; services and the kernel receive system integrity. A low integrity level will be assigned to an App Container, for example. This is a typical level for modern browsers that protect the operating system from possible malware intrusions from malicious websites.

Basically, the high level and the levels above it are the ones that malicious software aims for.

Lies, Damned Lies, and Statistics

Contemporary anti-virus products implement a comprehensive approach to system security. That’s why they use dozens of components that prevent malicious code from infecting the system at various stages. Those components may include Web antivirus, script emulators, cloud signatures, exploit detectors, and much more. Data entering the system goes through numerous scans initiated by the different components of an antivirus product. As a result, a huge number of malicious programs do not get to the execution stage and are detected “on takeoff”. As for me, I was interested in malware that did manage to get to the execution stage. A contemporary antivirus product continues to track the potentially malicious object, in that even in the event of its execution, behavioral stream signatures (BSS) of the Kaspersky System Watcher component can be triggered.

So, I asked our Behavior Detection group to assist me in collecting statistics for system privilege levels used for execution by active malware, and which can be detected with the help of BSS.

Within 15 days, I managed to gather data on approximately 1.5 million detections with the help of Kaspersky Security Network. The entire range of Windows operating systems, starting with Windows Vista up to Windows 10, was included in the statistics. After filtering out some events and leaving only unique ones as well as those that do not contain our test signatures, I ended up with 976,000 detections. Let us take a look at the distribution of integrity levels for active malicious software during that period.

Distribution of Integrity Levels

By summing up Untrusted, Low, Medium, as well as High and System, it is possible to calculate a percentage ratio, which I called “OK to Bad”. Although, I assume, the creators of malware would not view this ratio as being so bad.

“OK to Bad” Ratio


What’s the reason for these horrifying statistics? To be honest, I can’t say for certain just yet; a deeper study is required. Sure enough, virus writers employ different methods to elevate privileges: autoelevation and bypassing the UAC mechanism, vulnerabilities in Windows and third-party software, social engineering, etc. There is a non-zero probability that many users have UAC completely disabled, as it irritates them. However, it is obvious that malware creators encounter no problems with acquiring elevated privileges in Windows; therefore, threat protection developers need to consider this problem.

Caribbean scuba diving with IT-security in mind

Malware Alerts - Thu, 11/24/2016 - 10:05

Dare to submit your research proposal before December 1, 2016 to dive into undiscovered and uncharted cybercrimes, hacks, espionage and much more at the Security Analyst Summit – April 2-6, 2017 on the Caribbean island of St. Maarten.

There are four months left before Kaspersky Lab’s Security Analyst Summit on the Caribbean Island of St Maarten, an invitation-only conference. If you still haven’t submitted your individual proposal, you’d better hurry up. There’s only one week left before the SAS17 program committee will start evaluating the abstracts. The summit will welcome those with new studies and tools, vulnerability reports, creative ideas, concepts or their results; insights into nation state cyber-espionage and government surveillance; research into attacks against financial institutions and critical infrastructure; mobile systems the IoT cyber risk landscape observations.

You’ll join the leading voices in the IT security industry – the chosen few – for knowledge and information sharing: senior executives from business organizations, global law enforcement agencies and CERTs, independent researchers and journalists. Previous events were joined by members of leading global companies, such as Samsung, Adobe, Microsoft, BlackBerry, CISCO, Boeing, Interpol, the World Bank, Team Cymru, The ShadowServer Foundation, ICSA Labs and Fidelis Cybersecurity Solutions. And every year SAS proves that IT security has no borders.

Requirements for submissions:

  1. Individual proposals should be no more than 350 words in length. SAS has a ground rule: nobody gets to speak from the stage for more than 30 minutes — this is the longest duration allowed for a keynote presentation — while everyone else gets 20 minutes maximum.
  2. Proposals should include the title of the paper and should clearly spell out the focus and goal of the presentation.
  3. The deadline for submissions is December 1, 2016.

You can send your abstract directly to The Program committee consists of six independent members, who evaluate the papers separately. They are Kaspersky Lab and external experts who share the SAS core value: uncompromising research. Have you been good this year? Santa The program committee will check soon.

Submit your abstract, find SPF20+ sunscreen, join the SAS family, follow @KasperskySAS and see how much fun it is — SAS2014, SAS2015 and SAS2016!

Research on unsecured Wi-Fi networks across the world

Malware Alerts - Thu, 11/24/2016 - 05:26

The very nature of wireless Wi-Fi networks means that hackers or criminals simply need to be located near an access point in order to eavesdrop and intercept network traffic. Poorly configured access point encryption or services that allow data to be sent without any encryption pose a serious threat to user data.

Confidential data can be protected by encrypting traffic at wireless access points. In fact, this method of protection is now considered essential for all Wi-Fi networks. But what actually happens in practice? Is traffic always encrypted on public Wi-Fi networks? How does the situation differ from country to country? Kaspersky Security Network statistics can answer all these questions. We compared the situation with Wi-Fi traffic encryption in different countries using data from our threat database. We counted the number of reliable and unreliable networks in each country that has more than 10 thousand access points known to us (this obviously excludes Antarctica and other regions where there is not enough data to draw any conclusions).

Security of Wireless Networks

Using statistics from Kaspersky Security Network (KSN), we analyzed data from across the world for almost 32 million Wi-Fi hotspots accessed by the wireless adapters of KSN users.

Encryption type used in public Wi-Fi hotspots across the world

Approximately 24.7% of Wi-Fi hotspots in the world do not use any encryption at all. This basically means that by using an antenna capable of sending and receiving data at 2.4 GHz, any individual located near an access point can easily intercept and store all user traffic and then browse it for data they are interested in. Fortunately, modern online banking systems and messengers do not transfer unencrypted data. But this is the only thing that prevents users of Wi-Fi networks with unencrypted traffic from revealing their passwords and other essential data when using an unsecure access point.

The WEP (Wired Equivalent Privacy) protocol for encryption of data transferred over Wi-Fi is used by approximately 3.1% of all analyzed access points. The protocol was the first to be created, quite a long time ago, and is now completely unreliable – it would take hackers just a few minutes to crack it. From a data security point of view, using WEP is not much different from using open networks. This protocol is being relegated to oblivion everywhere, but as we see from the chart above, it can still be found in use.

Around three-quarters of all access points use encryption based on the Wi-Fi Protected Access (WPA) protocol family. The protocols from this family are currently the most secure. The effort required to hack WPA depends on its settings, including the complexity of the password set by the hotspot owner. It is worth noting that an attempt to decipher traffic from “personal” (WPA-Personal, PSK authentication) wireless networks (with public access points) can be made by intercepting the handshakes between the access point and the device at the beginning of the session. “Corporate” versions are protected from this sort of interception because they use internal company authorization. When it comes to “personal” WPA2 attacks, the situation is similar to that of WPA and mostly depends on the strength of the password set by the hotspot owner.

It is only fair to note that during a standard attack on a Wi-Fi access point, a personal computer can generate from 50 to 300 keys per second on average. If the encryption key is strong, it will take years to hack it. Still, no one can guarantee that the key used at a cafe will be secure and that the attacker will have nothing but a PC at their disposal.

Overall, it can be said that today’s WPA/WPA2 “non-enterprise” versions are reasonably, but not absolutely, secure. In particular, they allow brute-force and dictionary attacks. There are ready-to-use publicly available tools (aircrack-ng and similar software) for performing such attacks, as well as a large number of manuals.

Geography of Unsecured Wi-Fi Access Points

Share of Wi-Fi hotspots that use unreliable WEP or do not encrypt data (by country)

We would like to note that the five countries with the highest proportion of unsecured connections include Korea (47.9% of unsecured Wi-Fi access points), while France (40.14%) and the US (39.31%) rate 9th and 12th respectively in the list.

Germany appears to be the most secure among Western European countries, with 84.91% of access points secured by WPA/WPA2 protocol encryption.

Share of Wi-Fi hotspots that use WPA/WPA2 (by country)

However, even when using an encrypted connection, you should not completely rely upon this security measure. There are several scenarios that could compromise even well-encrypted network traffic. These include fake access points with names that duplicate or mimic real ones (for example, TrainStation_Free or TrainStation Free) and compromised routers forwarding traffic without encryption to attackers (malware tools that infect such devices are already “in the wild”). At any rate, taking care of your own security is a good idea.

Recommendations for Users

There are several simple rules that help protect personal data when using open Wi-Fi networks in cafes, hotels, airports, and other public places.

  • Do not trust networks that are not password-protected.
  • Even if a network requests a password, you should remain vigilant. Fraudsters can find out the network password at a coffee shop, for example, and then create a fake connection with the same password. This allows them to easily steal personal user data. You should only trust network names and passwords given to you by employees of the establishment.
  • To maximize your protection, turn off your Wi-Fi connection whenever you are not using it. This will also save your battery life. We recommend disabling automatic connection to existing Wi-Fi networks too.
  • If you are not 100% sure the wireless network you are using is secure, but you still need to connect to the internet, try to limit yourself to basic user actions such as searching for information. You should refrain from entering your login details for social networks or mail services, and definitely not perform any online banking operations or enter your bank card details anywhere.
  • To avoid being a target for cybercriminals, you should enable the “Always use a secure connection” (HTTPS) option in your device settings. It is recommended to enable this option when visiting any websites you think may lack the necessary protection.
  • If possible, connect via a Virtual Private Network (VPN). With a VPN, encrypted traffic is transmitted over a protected tunnel, meaning criminals won’t be able to read your data, even if they gain access to them.
  • And, of course, you should use dedicated security solutions. They inform users about any potential dangers when connecting to a suspicious Wi-Fi network and prevent any passwords or other confidential data from being compromised if there is a threat.

One example of a dedicated solution is the Secure Connection tool included in the latest versions of Kaspersky Internet Security and Kaspersky Total Security. This module protects users connected to Wi-Fi networks by providing a secure encrypted connection channel. Secure Connection can be launched manually or, depending on the settings, activated automatically when connecting to public Wi-Fi networks, when navigating to online banking and payment systems or online stores, and when communicating online (mail services, social networks, etc.).

DDoS attack on the Russian banks: what the traffic data showed

Malware Alerts - Thu, 11/24/2016 - 03:57

From November 8 to 12, websites of some of the largest Russian banks fell victim to heavy DDoS attacks. Initially, it was no indication of anything unusual – all well-known banks get attacked from time to time – but further developments have evolved in the manner that allowed us to suggest a high level of organization in regards to the series of attacks.

The first attacks that took place on November 8 affected two banks, but already at 4:00 pm Moscow time, similar attacks struck three more banks. A little later, a fourth bank was attacked.

On November 9 at 3 am, the attacks stopped for a while only to commence again in the evening with an attack on yet another bank. At approximately 5 am on November 10, a new wave of attacks occurred.

The largest number of attacks took place between 5 and 8 am on November 11 when, within the space of 10 minutes, eleven attacks occurred, which targeted various objects, namely, corporate websites of banks and online banking systems. All attacks lasted approximately one hour and were similar to the attacks registered in the previous days.

In the days to follow, no new attacks occurred, but some of the previously launched attacks continued until the morning of November 14.

Kaspersky Lab received first-hand information as events unfolded: some of the banks that were attacked are our customers, and they promptly switched their traffic to Kaspersky DDoS Prevention centers with a few more joining after events had started. This provided the analysts of Kaspersky Lab access to the patterns of the attacks and gave them an opportunity to draw a number of conclusions about their nature.

  • Attackers used combinations of various attack methods. They applied SYN Flood that exhausts operating system resources, as well as HTTP/HTTPS Flood that overloads the target Web server.
  • The longest attack in the series lasted 4 days 6 hours and 34 minutes;
  • The peak power of the attack was 660 thousand requests per second, while the average load on a corporate website of a major bank during business hours rarely exceeds 1 thousand requests per second;
  • A few botnets “specializing” in different types of attacks participated in the attack. Approximately 24 thousand unique bots have been blocked;
  • The traffic analysis showed that the leads pointing to Mirai, which prematurely appeared in the press, were not substantiated: one of the botnets was indeed built on the basis of IoT devices, but a different bot was used.
  • Bots that participated in the attacks are located in 30 different countries. More than half of them are in the United States, India, Taiwan and Israel.

The most powerful attacks started when it was early morning in Moscow, which seems illogical at first glance – the number of visitors to the target websites of banks is low at this time of day. This can be attributed to feeling out the target: the attackers started loading the websites with relatively simple SYN Flood and HTTP Flood attacks, thereby determining the possibilities of the protection systems to filter packets of trash traffic. The small number of legitimate visitors enabled them to quite accurately determine the frequency of requests necessary to create a denial of service situation.

Attacks against the banks protected by Kaspersky DDoS Prevention were not successful. Having recognized this, the attackers began to act in accordance with a more complex and demanding procedure – via HTTPS requests, and in some cases transferring the focus of the attacks onto Internet banking systems. Since the traffic of an HTTPS session is encrypted, it is impossible to analyze and filter it when located outside of the affected network. Thanks to the ability to analyze the traffic at the customer site (for this purpose, a separate “sensor” component is used), we received the statistical parameters of requests that were used to generate the filtering parameters directly in the cloud. In addition, the results of the analysis were forwarded to the IT services of the banks, which, if necessary, successfully generated counteraction measures on their side.

The carefully thought-out tactics, use of combined methodologies and scale of the event suggest a high level of organization among the attackers – the “job” was done by professionals. In regards to one of the banks, after all attacks were successfully dealt with, an elaborate attack method against the application level that took advantage of the web server vulnerability was used. This also points to the attackers being highly qualified.

It is difficult to say what the aims of the series of attacks were: it may have been blackmail, diverting attention from a hacking attack against banking systems, or political hacktivism. However, the fact that the attackers targeted the banks’ corporate websites first, and only then switched to remote maintenance systems if they were unsuccessful, allows us to conclude that the organizers were more interested in publicity rather than doing real damage to the financial institutions.

To a certain extent, our findings correlate with the reports that appeared in the press referring to the attacks being ordered from a certain DDoS service. According to its owner, the persons who ordered the attacks were unhappy with the influence that Russia allegedly had on the US Presidential election and the websites of major Russian banks were selected as high-profile targets whose operational difficulties would definitely be noticed.

InPage zero-day exploit used to attack financial institutions in Asia

Malware Alerts - Wed, 11/23/2016 - 03:59

In September 2016, while researching a new wave of attacks, we found an interesting target which appeared to constantly receive spearphishes, a practice we commonly describe as a “magnet of threats”. Among all the attacks received by this magnet of threats, which included various older Office exploits such as CVE-2012-0158, one of them attracted our attention. This file, which was also uploaded to a multiscanner service in September 2016, had an extension that we were unfamiliar with – “.inp”. Further investigation revealed this was an InPage document. InPage, in case you are wondering, is publishing and text processing software, mostly popular with Urdu and Arabic speaking users.

InPage user groups from vendor official site

Since no exploits for InPage have previously been mentioned in public, we took a closer look to see if the document was malicious or not. Further analysis indicated the file contained shellcode, which appeared to decrypt itself and further decrypt an EXE file embedded in the document. The shellcode appeared to trigger on several versions of InPage. We don’t observe any public mentions of such exploit so we consider it a zero-day. All our attempts to contact InPage so far have failed.

Discovery and analysis

InPage is an interesting vulnerable software selection as it’s widely used within the Indian Muslim population, as well as in Pakistan. This, of course, includes local mass-media and print shops, governmental and financial institutions (banks). If someone wants to deploy attack modules into regional press-related companies, an InPage exploit would work well.

Due to its wide range of technologies, it wasn’t perhaps surprising to see that Kaspersky Lab products already detect the exploit with the generic rule HEUR:Exploit.Win32.Generic. This detection is triggered by the presence of the shellcode inside a Microsoft Compound Storage file (OLE), which works extremely well for a wide category of Office-based exploits, going back to 2009.

The good news is that Kaspersky Lab users have been protected against this attack for quite some time – and the protection worked well in the past when it blocked a number of malicious InPage documents.

Between the various phishing campaigns relying on this exploit, one particular attack attracted our attention. The targets of this attack were special, since they were banks in Asia and Africa. The payload and C&C servers are also different from the recent attacks we’ve observed, meaning there are probably several actors utilizing this zero-day exploit at the moment.

Technical details

Spearphishing e-mail with several malicious attachments. The .inp contains the zero-day exploit

In their attacks, the threat actors often use more than one malicious document. During spearphishing, the actors attached InPage files as well as .rtfs and .docs with old popular exploits.

Looking through all the related documents we could find, we counted several different versions of keyloggers and backdoors written mostly in Visual C++, Delphi and Visual Basic.

One such keylogger we analysed (MD5 hash: 18a5194a4254cefe8644d191cb96da21) was written in Visual C++. After gaining control, the module decodes several internal strings. One of them is the C2 domain name visitorzilla[.]com. This backdoor maintains persistence by creating “C:\Documents and Settings\<USER>\Start Menu\Programs\Startup\DataABackup.lnk“. Similar to the other campaign modules, it uses SetWindowsHook() with WH_KEYBOARD_LL hook to gather keystrokes. To gather keystroke data, the module uses two files on disk: C:\Documents and Settings\<USER>\Application Data\DataBackup\sed.ic and me.ic (located in the same directory).

Inside weaponized documents

InPage uses its own proprietary file format that is based on the Microsoft Compound File Format. The parser in the software’s main module “inpage.exe” contains a vulnerability when parsing certain fields. By carefully setting such a field in the document, an attacker can control the instruction flow and achieve code execution.

The shellcode has three main parts:

  1. Pattern searcher (so-called “egg hunter”) before the decoder,
  2. Decoder.
  3. Downloader.

The pattern searcher looks through all of the virtual memory space attempting to find the pattern “68726872”. Once the searcher identifies this pattern it starts the next stage of exploit – the decoder.

Shellcode decryptor

The small decoder obtains the instruction pointer and uses FLDPI + FSTENV instructions (an old and uncommon technique). The decoder is using an arithmetic NOT followed by a XOR 0xAC operation to decrypt the next stage.

Next, the downloader fetches a remote payload using InternetReadFile() and runs it using the WinExec() function in the %userprofile% directory. This functionality is very common and we’ve seen it with many other exploits. It’s the choice of vulnerable software that is interesting in this case and, for sure, the appearance of an exploit for software that is popular mostly in India and Pakistan.

The final payload is a Trojan written in Visual Basic 6. It defines a hook using the SetWindowsHook() function with the WH_MSGFILTER parameter. It communicates with its C2 server at on port 8080.

During the initial session the C2 server sends “Pass” and host replies with “Auth<username>@<hostname>\#/<OS version>\#/<IP address>\#/-” In addition to b4invite[.]com this same Trojan was also spread using a configuration with the C2 server relaybg[.]com.


So far, victims of these attacks have been observed in Myanmar, Sri-Lanka and Uganda. The sector for the victims include both financial and governmental institutions.


By all appearances, this newly discovered exploit has been in the wild for several years. In some way, it reminds us of other similar exploits for Hangul Word Processor, another language/region-specific text processing suite used almost exclusively in South Korea. HWP has been plagued by several exploits in the past, which have been used by various threat groups to attack Korean interests.

Despite our attempts, we haven’t been able to get in touch with the InPage developers. By comparison, the Hangul developers have been consistently patching vulnerabilities and publishing new variants that fix these problems. The best defense against exploits is always a multi-layered approach to security. Make sure you have an internet security suite capable of catching exploits generically, such as Kaspersky Internet Security. Installing the Microsoft EMET tool can also help, as well as running the most recent version of Windows (10). Finally, default deny policies, also known as whitelisting can mitigate many such attacks.

The Australian Signals Directorate Top35 list of mitigation strategies shows us that at least 85% of intrusions could have been mitigated by following the top four mitigation strategies together. These are: application whitelisting, updating applications, updating operating systems and restricting administrative privileges. Kaspersky Lab has technological solutions to cover the first three of these (i.e. all the technology-based strategies) as well as most of the others from Top35 ASD’s list.

Kaspersky Lab detects this exploit as HEUR:Exploit.Win32.Generic.

More information about this exploit, associated campaigns and attacks is available to customers of Kaspersky Intelligence Services. Contact:

Indicators of compromise: Hashes

f00e20ec50545106dc012b5f077954ae – rtf
729194d71ed65dd1fe9462c212c32159 – inp

C&Cs used in the samples dropped by the weaponized InPage documents:

Aliasway[.]com <- SINKHOLED by Kaspersky Lab

Lost in Translation, or the Peculiarities of Cybersecurity Tests

Malware Alerts - Mon, 11/21/2016 - 07:50

In the book The Hitchhiker’s Guide to the Galaxy there’s a character called the Babel fish, which is curiously able to translate into and from any language. Now, in the present-day world, the global cybersecurity industry speaks one language – English; however, sometimes you really do wish there was such a thing as a Babel fish to be able to help customers understand the true meaning of the marketing messages of certain vendors.

Here’s a fresh example.

Earlier this month the independent testing lab AV-Comparatives simultaneously conducted two tests of cybersecurity products using one and the same methodology. The only differences between the two tests were (i) in the line-ups of participating products in each; and (ii) in the names of the tests themselves: Comparative Test of Business Security Products and Comparison of ‘Next-Generation’ Security Products.

Strange? A little. So let me tell you what’s afoot here: why these practically identical tests were conducted at the same time.

It’s well-known already (to folks interested in IT security) how some cybersecurity vendors try to avoid open, public testing and comparisons with other products – so as not to expose their inadequacy. But by not taking part in such tests the marketing machinery of these vendors loses a crucial bit ton of leverage: all potential customers – mostly corporate ones – always consult independent tests run by dependable specialist organizations. So, what were they to do? A solution was found: to join up with other ‘next-gen’ developers to be tested together and separately (no ‘traditional AV’ allowed!), to hide behind a convenient methodology, and coat it all with the BS buzz term ‘next generation’.

Days after the testing the ‘next-gen’ participants published their own interpretations of the results based on dubious logical deduction, manipulation of figures, and biased marketing rhetoric. And you guessed it – those interpretations brought them all to the same conclusion, that ~ “here, finally, it’s been publicly proven how next-gen reigns supreme over traditional products”!

Really? Ok, time we turned on the Babel fish…

Is it really true that next-gen products are great? And if so great… – great compared to what? Let’s compare the results of the ‘next-gen’ test with the above-mentioned twin-test – i.e., the same test (using the exact same methodology), only with different (non ‘next-gen’) participating products.

Important: the true quality of protection should be judged by the figure outside the brackets that corresponds to protection rate, not detection rate, since there’s no point in just detecting attacks but still then letting them take place, i.e., not stopping them.

Protection from malware in different scenarios and false positives:

Protection against exploits:

Well, I can hear how the clanging of medals in the next-generation camp seems to have come to a sudden halt, while their ‘victorious’ self-published reports can now be seen for what they really are: mere attempts to intentionally deceive users ‘in the best traditions of misleading test marketing‘.

Judge for yourself:

One participant in its press release appears to have forgotten to tell anyone about its bombing on protection from exploits (28%), while also seeming to have switched its results on the protection rate in the WPDT scenario (100% instead of 98%).

Another participant also kept quiet about its modest result on protection from exploits (82%), but proudly called its… last-but-one place in the contest in this category as “…outperform[ing] other endpoint security competitors in exploit protection”. It also preferred not to mention its coming last in the AVC scenario test, but that didn’t stop it claiming that mythical ‘legacy AV’ (whatever that is) simply MUST be replaced by its products.

A third participant decided to get straight to the point by laying claim to the crown of the ‘most next-gen of all’, having received, nothing short of a blessing certification from this test lab to replace mythical ‘legacy AV’ with its next-gen products:

The Babel fish has a few other questions regarding this test.

The methodology used this time for testing protection against malicious programs was simpler than that used in the regular full-fledged Real World Protection Test by which other (non-‘next-gen’) products are normally certified. In the Real World Protection Test, each month for a year six times more real cyberattack scenarios (WPDT) are used. And even adding RTTL and AVC scenarios doesn’t make up for this simplification.

So why was simplification of the methodology and a division of the participants (into ‘next-gen’ and ‘business’) needed? Was it an indulgence to the next-gen vendors, which were afraid of flopping big-time on regular tests? How well would these developers do in a full-fledged test together with the technological leaders?

And the last question: what is ‘next generation’?

According to a comprehensive study by the SANS Institute conducted at the request of another self-proclaimed ‘next-gen’ vendor, the category ‘Next-generation AV’ covers all large vendors of cybersecurity solutions. Moreover, many ‘next-gen’ vendors do not qualify for the ‘Next-generation AV’ tag – especially when it comes to the level of effectiveness and protection from zero-day threats:

I can’t say that I fully agree with above mentioned definition: absent from it are such important things as multi-level protection, adaptability, and the ability to not only detect but also prevent, react to and predict cyberattacks, which are all much more important for the user. However, even this definition unequivocally states that all products need to be tested as per one and the same methodology.

Simplifying the WPDT-test and dividing the reports into ‘next-gen’ and ‘non-next-gen’ misleads customers, creates a basis for marketing maneuvering and manipulation, and even undermines the trust long invested in the independent labs running the tests.


First, (in spite of everything): I want to express my thanks to AV-Comparatives for finally being able to conduct a public test of several ‘next-gen’ products. Ok, so the methodology used was WPDT-lite, and the test results can’t be used to directly compare participants. Still, as they say, you can’t have everything straight away – or – the first step is always the most difficult/crucial: the main thing is that ‘next-gen’ has finally been publically tested by an authoritative independent lab, which is just what we’d been wanting for a long time.

Second: I hope that other independent test labs will follow AV-Comparatives’ example in testing ‘next-gen’ – preferably as per AMTSO standards – and, crucially, together with all vendors. And I hope the vendors in turn, won’t throw obstacles in the test labs’ way.

Third: When choosing a cybersecurity solution it’s necessary to take into account as many different tests as possible. Reliable products set themselves apart by constantly notching up stable top results in different tests by different independent labs over many years.

And finally: Now, in the nick of time for the planning of budgets for next year, I hope ‘next-gen’ developers will allocate more resources to the development of technologies and participation in public tests, rather than on fancy advertising billboards, planned inaccuracies in press-releases, and expensive parties stuffed with celebrities.

‘Next-gen’ security products manipulate public tests


PS – from Babel fish:

“The word combination ‘next-generation security’ and its derivations in public communications – be they marketing material, advertising videos, white papers, or the arguments of a sales manager – can be a sign of aggressive telepathic matrixes directed at the promotion of pure BS, and thus necessitate a particularly astringent practical application of critical reason.”

From the author:

“I understood none of that, but fully agree with the fish – whatever it was it was babbling on about.”

Kids and Education

SANS Tip of the Day - Mon, 11/21/2016 - 00:00
One of the most effective methods you can use to protect kids online is to talk to them. The younger you start talking to them, and they to you, the better. Hold regular conversations about online safety issues, even going so far as to show them actual negative events that have taken place. If you don't know what your kids are doing, simply ask. Play the clueless parent and ask them to show you what the latest technologies are and how they use them. Quite often, kids love the idea of being the teacher and will open up.

Kaspersky Security Bulletin. Predictions for 2017

Malware Alerts - Wed, 11/16/2016 - 03:57

 Download the PDF

Yet another year has flown past and, as far as notable infosec happenings are concerned, this is one for the history books. Drama, intrigue and exploits have plagued 2016 and, as we take stock of some of the more noteworthy stories, we once again cast our gaze forward to glean the shapes of the 2017 threat landscape. Rather than thinly-veiled vendor pitching, we hope to ground these predictions in trends we’ve observed in the course of our research and provide thought-provoking observations for researchers and visitors to the threat intelligence space alike.

Our record

Last year’s predictions fared well, with some coming to fruition ahead of schedule. In case you didn’t commit these to memory, some of the more notable predictions included:

APTs: We anticipated a decreased emphasis on persistence as well as an increased propensity to hide in plain sight by employing commodity malware in targeted attacks. We’ve seen this, both with an increase in memory or fileless malware as well as through the myriad reported targeted attacks on activists and companies, which relied on off-the-shelf malware like NJRat and Alienspy/Adwind.

Ransomware: 2016 can be declared the year of ransomware. Financial malware aimed at victimizing users has practically been galvanized into a ransomware-only space, with the more effective extortion scheme cannibalizing malware development resources from less profitable attempts at victimizing users.

Forecast for 2017: time to start using Yara rules more extensively as IoCs become less effective


More Bank Heists: When we considered the looming expansion of financial crime at the highest level, our hypothetical included targeting institutions like the stock exchange. But it was the attacks on the SWIFT network that brought these predictions to bear, with millions walking out the door thanks to crafty, well-placed malware.

Internet Attacks: Most recently, the oft-ignored world of sub-standard Internet-connected devices finally came to bear on our lives in the form of a nasty IoT botnet that caused outages for major Internet services, and hiccups for those relying on a specific DNS provider.

Shame: Shame and extortion have continued to great fanfare as strategic and indiscriminate dumps have caused personal, reputational, and political problems left and right. We must admit that the scale and victims of some of these leaks have been genuinely astonishing to us.

What does 2017 have in store? Those dreaded APTs The rise of bespoke and passive implants

As hard as it is to get companies and large-scale enterprises to adopt protective measures, we also need to admit when these measures start to wear thin, fray, or fail. Indicators of Compromise (IoCs) are a great way to share traits of already known malware, such as hashes, domains, or execution traits that will allow defenders to recognize an active infection. However, the trendsetting one-percenters of the cyberespionage game have known to defend against these generalized measures, as showcased by the recent ProjectSauron APT, a truly bespoke malware platform whose every feature was altered to fit each victim and thus would not serve to help defenders detect any other infections. That is not to say that defenders are entirely without recourse but it’s time to push for the wider adoption of good Yara rules that allow us to both scan far-and-wide across an enterprise, inspect and identify traits in binaries at rest, and scan memory for fragments of known attacks.

Forecast for 2017: passive implants showing almost no signs of infection come into fashion


ProjectSauron also showcased another sophisticated trait we expect to see on the rise, that of the ‘passive implant’. A network-driven backdoor, present in memory or as a backdoored driver in an internet gateway or internet-facing server, silently awaiting magic bytes to awaken its functionality. Until woken by its masters, passive implants will present little or no outward indication of an active infection, and are thus least likely to be found by anyone except the most paranoid of defenders, or as part of a wider incident response scenario. Keep in mind that these implants have no predefined command-and-control infrastructure to correlate and provide a more anonymous beachhead. Thus, this is the tool of choice for the most cautious attackers, who must ensure a way into a target network at a moment’s notice.

Ephemeral infections

While adoption of PowerShell has risen as a dream tool for Windows administrators, it has also proven fruitful ground for the gamut of malware developers looking for stealthy deployment, lateral movement, and reconnaissance capabilities unlikely to be logged by standard configurations. Tiny PowerShell malware stored in memory or in the registry is likely to have a field day on modern Windows systems. Taking this further, we expect to see ephemeral infections: memory-resident malware intended for general reconnaissance and credential collection with no interest in persistence. In highly sensitive environments, stealthy attackers may be satisfied to operate until a reboot wipes their infection from memory if it means avoiding all suspicion or potential operational loss from the discovery of their malware by defenders and researchers. Ephemeral infections will highlight the need for proactive and sophisticated heuristics in advanced anti-malware solutions (see: System Watcher).

Espionage goes mobile

Multiple threat actors have employed mobile implants in the past, including Sofacy, RedOctober and CloudAtlas, as well as customers of HackingTeam and the suspected NSO Pegasus iOS malware suite. However, these have supplemented campaigns largely based on desktop toolkits. As adoption of Desktop OS’s suffers from a lack of enthusiasm, and as more of the average user’s digital life is effectively transferred to their pockets, we expect to see the rise of primarily mobile espionage campaigns. These will surely benefit from decreased attention and the difficulty of attaining forensic tools for the latest mobile operating systems. Confidence in codesigning and integrity checks has stagnated visibility for security researchers in the mobile arena, but this won’t dissuade determined and well-resourced attackers from hunting their targets in this space.

The future of financial attacks We heard you’d like to rob a bank…

The announcement of this year’s attacks on the SWIFT network caused uproar throughout the financial services industry due to its sheer daring; measured in zeros and commas to the tune of multi-million dollar heists. This move was a natural evolution for players like the Carbanak gang and perhaps other interesting threat actors. However, these cases remain the work of APT-style actors with a certain panache and established capability. Surely, they’re not the only ones interested in robbing a bank for sizable funds?

Forecast for 2017: growing popularity of short-lived infections, including those using PowerShell


As cybercriminal interest grows, we expect to see the rise of the SWIFT-heist middlemen in the well-established underground scheme of tiered criminal enterprises. Performing one of these heists requires initial access, specialized software, patience, and, eventually, a money laundering scheme. Each of these steps has a place for already established criminals to provide their services at a fee, with the missing piece being the specialized malware for performing SWIFT attacks. We expect to see the commodification of these attacks through specialized resources being offered for sale in underground forums or through as-a-service schemes.

Resilient payment systems

As payment systems became increasingly popular and widely adopted, we expected to see greater criminal interest in these. However, it appears that implementations have proven particularly resilient, and no major attacks have been noted at this time. This relief for the consumer may, however, entail a headache for the payment system providers themselves, as cybercriminals are wont to target the latter through direct attacks on the payment system infrastructure. Whether these attacks will result in direct financial losses or simply outages and disruption, we expect increased adoption to attract more nefarious attention.

Dirty, lying ransomware

As much as we all hate ransomware (and with good reason), most ransomware thrives on the benefit of an unlikely trust relationship between the victim and their attacker. This criminal ecosystem relies on the tenet that the attacker will abide by a tacit contract with the victim that, once payment is received, the ransomed files will be returned. Cybercriminals have exhibited a surprising semblance of professionalism in fulfilling this promise and this has allowed the ecosystem to thrive. However, as the popularity continues to rise and a lesser grade of criminal decides to enter the space, we are likely to encounter more and more ‘ransomware’ that lacks the quality assurance or general coding capability to actually uphold this promise.

We expect ‘skiddie’ ransomware to lock away files or system access or simply delete the files, trick the victim into paying the ransom, and provide nothing in return. At that point, little will distinguish ransomware from wiping attacks and we expect the ransomware ecosystem to feel the effects of a ‘crisis of confidence’. This may not deter larger, more professional outfits from continuing their extortion campaigns, but it may galvanize forces against the rising ransomware epidemic into abandoning hope for the idea that ‘just pay the ransom’ is viable advice for victims.

The big red button

The famous Stuxnet may have opened a Pandora’s Box by realizing the potential for targeting industrial systems, but it was carefully designed with a watchful eye towards prolonged sabotage on very specific targets. Even as the infection spread globally, checks on the payload limited collateral damage and no industrial Armageddon came to pass. Since then, however, any rumor or reporting of an industrial accident or unexplained explosion will serve as a peg to pin a cyber-sabotage theory on.

Forecast for 2017: espionage increasingly shifting to mobile platforms


That said, a cyber-sabotage induced industrial accident is certainly not beyond the realm of possibility. As critical infrastructure and manufacturing systems continue to remain connected to the internet, often with little or no protection, these tantalizing targets are bound to whet the appetite of well-resourced attackers looking to cause mayhem. It’s important to note that, alarmism aside, these attacks are likely to require certain skills and intent. An unfolding cyber-sabotage attack is likely to come hand-in-hand with rising geopolitical tensions and well-established threat actors intent on targeted destruction or the disruption of essential services.

The overcrowded internet bites back A brick by any other name

Long have we prophesied that the weak security of the Internet of Things (or Threats) will come back to bite us, and behold, the day is here. As the Mirai botnet showcased recently, weak security in needlessly internet-enabled devices provides an opportunity for miscreants to cause mayhem with little or no accountability. While this is no surprise to the infosec-aficionados, the next step may prove particularly interesting, as we predict vigilante hackers may take matters into their own hands.

Forecast for 2017: use of intermediaries in attacks against the SWIFT interbank messaging system


The notion of patching known and reported vulnerabilities holds a certain sacrosanct stature as validation for the hard (and often uncompensated) work of security researchers. As IoT-device manufacturers continue to pump out unsecured devices that cause wide-scale problems, vigilante hackers are likely to take matters into their own hands. And what better way than to return the headache to the manufacturers themselves by mass bricking these vulnerable devices? As IoT botnets continue to cause DDoS and spam distribution headaches, the ecosystem’s immune response may very well take to disabling these devices altogether, to the chagrin of consumers and manufacturers alike. The Internet of Bricks may very well be upon us.

The silent blinky boxes

The shocking release of the ShadowBrokers dump included a wealth of working exploits for multiple, major manufacturers’ firewalls. Reports of exploitation in-the-wild followed not long after as the manufacturers scrambled to understand the vulnerabilities exploited and issue patches. However, the extent of the fallout has yet to be accounted for. What were attackers able to gain with these exploits on hand? What sort of implants may lie dormant in vulnerable devices?

Looking beyond these particular exploits (and keeping in mind the late 2015 discovery of a backdoor in Juniper’s ScreenOS), there’s a larger issue of device integrity that bears further research when it comes to appliances critical to enterprise perimeters. The open question remains, ‘who’s your firewall working for?’

Who the hell are you?

The topic of False Flags and PsyOps are a particular favorite of ours and to no surprise, we foresee the expansion of several trends in that vein…

Information warfare

The creation of fake outlets for targeted dumps and extortion was pioneered by threat actors like Lazarus and Sofacy. After their somewhat successful and highly notorious use in the past few months, we expect information warfare operations to increase in popularity for the sake of opinion manipulation and overall chaos around popular processes. Threat actors interested in dumping hacked data have little to lose from crafting a narrative through an established or fabricated hacktivist group; diverting attention from the attack itself to the contents of their revelations.

Forecast for 2017: ‘script kiddie’ extortionists compromise the idea of paying ransom to retrieve data


The true danger at that point is not that of hacking, or the invasion of privacy, but rather that as journalists and concerned citizens become accustomed to accepting dumped data as newsworthy facts, they open the door to more cunning threat actors seeking to manipulate the outcome by means of data manipulation or omission. Vulnerability to these information warfare operations is at an all-time high and we hope discernment will prevail as the technique is adopted by more players (or by the same players with more throwaway masks).

The promise of deterrence

As cyberattacks come to play a greater role in international relations, attribution will become a central issue in determining the course of geopolitical overtures. Governmental institutions have some difficult deliberating ahead to determine what standard of attribution will prove enough for demarches or public indictments. As precise attribution is almost impossible with the fragmented visibility of different public and private institutions, it may be the case that ‘loose attribution’ will be considered good enough for these. While advising extreme caution is important, we must also keep in mind that there is a very real need for consequences to enter the space of cyberattacks. Our bigger issue is making sure that retaliation doesn’t engender further problems as cunning threat actors outsmart those seeking to do attribution in the first place. We must also keep in mind that as retaliation and consequences become more likely, we’ll see the abuse of open-source and commercial malware begin to increase sharply, with tools like Cobalt Strike and Metasploit providing a cover of plausible deniability that doesn’t exist with closed-source proprietary malware.

Doubling-down on False Flags

While the examples reported in the False Flags report included in-the-wild cases of APTs employing false flag elements, no true pure false flag operation has been witnessed at this time. By that we mean an operation by Threat Actor-A carefully and entirely crafted in the style and with the resources of another, ‘Threat Actor-B’, with the intent of inciting tertiary retaliation by the victim against the blameless Threat Actor-B. While it’s entirely possible that researchers have simply not caught onto this already happening, these sorts of operations won’t make sense until retribution for cyberattacks becomes a de facto effect. As retaliation (be it overtures, sanctions, or retaliatory CNE) becomes more common and impulsive, expect true false flag operations to enter the picture.

Forecast for 2017: lack of security for the Internet of Things will turn it into an ‘Internet of Bricks’


As this becomes the case, we can expect false flags to be worth even greater investment, perhaps even inciting the dumping of infrastructure or even jealously guarded proprietary toolkits for mass use. In this way, cunning threat actors may cause a momentary overwhelming confusion of researchers and defenders alike, as script kiddies, hacktivists, and cybercriminals are suddenly capable of operating with the proprietary tools of an advanced threat actor, thus providing a cover of anonymity in a mass of attacks and partially crippling the attribution capabilities of an enforcing body.

What privacy? Pulling the veil

There’s great value to be found in removing what vestiges of anonymity remain in cyberspace, whether for the sake of advertisers or spies. For the former, tracking with persistent cookies has proven a valuable technique. This is likely to expand further and be combined with widgets and other innocuous additions to common websites that allow companies to track individual users as they make their way beyond their particular domains, and thus compile a cohesive view of their browsing habits (more on this below).

Forecast for 2017: the question “Who is your firewall working for?” will become increasingly relevant


In other parts of the world, the targeting of activists and tracking of social media activities that ‘incite instability’ will continue to inspire surprising sophistication, as deep pockets continue to stumble into curiously well-placed, unheard of companies with novelties for tracking dissidents and activists through the depth and breadth of the internet. These activities tend to have a great interest in the social networking tendencies of entire geographic regions and how they’re affected by dissident voices. Perhaps we’ll even see an actor so daring as to break into a social network for a goldmine of PII and incriminating information.

The espionage ad network

No pervasive technology is more capable of enabling truly targeted attacks than ad networks. Their placement is already entirely financially motivated and there is little or no regulation, as evidenced by recurring malvertising attacks on major sites. By their very nature, ad networks provide excellent target profiling through a combination of IPs, browser fingerprinting, and browsing interest and login selectivity. This kind of user data allows a discriminate attacker to selectively inject or redirect specific victims to their payloads and thus largely avoid collateral infections and the persistent availability of payloads that tend to pique the interest of security researchers. As such, we expect the most advanced cyberespionage actors to find the creation or co-opting of an ad network to be a small investment for sizable operational returns, hitting their targets while protecting their latest toolkits.

Forecast for 2017: rapid evolution of false-flag cybercriminal operations


The rise of the vigilante hacker

Following his indiscriminate release of the HackingTeam dump in 2015, the mysterious Phineas Fisher released his guide for aspiring hackers to take down unjust organizations and shady companies. This speaks to a latent sentiment that the asymmetrical power of the vigilante hacker is a force for good, despite the fact that the HackingTeam dump provided live zero-days to active APT teams and perhaps even encouragement for new and eager customers. As the conspiratorial rhetoric increases around this election cycle, fuelled by the belief that data leaks and dumps are the way to tip the balance of information asymmetry, more will enter the space of vigilante hacking for data dumps and orchestrated leaks against vulnerable organizations.

Forecast for 2017: cybercriminals increasingly turn to social and advertising networks for espionage


Kaspersky Lab Black Friday Threat Overview 2016

Malware Alerts - Mon, 11/14/2016 - 03:57

 Download the PDF


The Internet has changed forever how people shop. By 2018, around one in five of the world’s population will shop online; with ever more people doing so on a mobile device rather than a computer. In fact, it is estimated that by the end of 2017, 60% of e-commerce will come from smartphones. That’s millions of people enthusiastically browsing and buying while at home, at work, in restaurants, airports, and railway stations, walking down the street, standing in stores, and on holiday, often outside the protective reach of a secure, private wireless network.

Regardless of the device used, every interaction and transaction will generate a cloud of data that brands will want to capture in order to deliver ever more targeted and personalized offers. Unfortunately, others are waiting to seize consumers’ information too – through insecure public Wi-Fi networks, phishing emails and infected websites, among others. They are the cybercriminals, and they don’t have a consumer’s or even a brand’s best interests at heart.

The risks facing retailers and online shoppers peak during the busiest shopping days of the year: the late November Thanksgiving weekend that runs from Black Friday through to Cyber Monday, and all through December to Christmas and the New Year.

As the number and speed of transactions increase, so do the cyberthreats. In this overview, Kaspersky Lab reveals the reality in terms of the top cyber-attacks targeting consumers and retailers during this remarkable buying period.

To put this data in context, it is worth looking back over the last few years to see how the landscape has evolved, focusing in particular on Black Friday and Cyber Monday.

In 2013, the concepts of Black Friday and Cyber Monday were already well established in North America and starting to gain momentum elsewhere. In the US alone, Cyber Monday saw online sales grow by 21% on 2012, raking in sales of $2.27 billion. Black Friday achieved $1.93 billion worth of transactions, but won out on average sales value. 17% of total sales were undertaken on mobile – a 55% increase on 2012. In the UK, online sales rose by a slightly more modest 16% in November, with over $600 million believed to have been spent online on Cyber Monday alone.

This was also the year when US retailer Target discovered that the credit card details of around 40 million customers were breached between 27 November and 15 December, apparently through hacked in-store point-of-sale systems.

In 2014, the year of the now infamous Sony Entertainment hack, the records set in 2013 were all broken. Thanksgiving Day 2014 in the US marked the moment when more mobile devices (52%) than computers were used (48%) for browsing online; and Black Friday online sales were up 21% compared to the same day in 2013 – with around one in three (30%) orders placed using a mobile device. Adobe estimates overall online sales in the US of $2.4 billion on Black Friday, $1.3 billion on Thanksgiving Day and $2.7 billion on Cyber-Monday. In the UK, online sales peaked during the week of Black Friday sales surged by 44%, compared to the previous week, and up a staggering 135% on the same week in 2013. Mobile sales rose by 83%.

And the records were all broken again in 2015. In the US, Cyber Monday 2015 was the largest online sales day, ever. Online consumers spent a record $3.07 billion – and $8.03 billion across the four-day Thanksgiving weekend. IBM analysis shows that, overall, online sales were up by a quarter (26%) on 2014, with 40% of sales now coming from mobile devices.

The big consumer hacks of the season involved malware targeting point-of-sales systems in hotels, including Hyatt, Starwood and Hilton worldwide.

2016 looks set to break records all over again, and criminals will probably try even harder to take advantage of all the noise and activity to steal credentials to financial accounts or even to grab the money directly. This overview will cover the types of cyberthreats that buyers, sellers and providers of payment systems may face over the coming weeks.

Methodology and Key Findings

The overview is based on information gathered from Kaspersky Lab malware and phishing detection systems (number of attacks or number of attacked users), and also from the analysis of events and conversations happening on the hacker underground – multiple internet forums where users allegedly involved in financial fraud operations tend to gather. The overview covers Q4 in 2013, 2014, 2015 and partly (in some cases) 2016. Even though, officially, the “Black Friday” sales period ends with Cyber Monday, right after the Thanksgiving holidays, just a few days later another “high” sales period begins: the so-called pre-Christmas period, which is also one of the most profitable times of the year for retailers. We count October as a high sales period as well, because so-called “Black Friday” sales campaigns often start prior to the actual sales days (Halloween sales are a good example), and – what is more important – cybercriminals tend to start preparations in advance of day X.

The overview also contains a list of actions that could be implemented by regular users, business owners and owners of payment infrastructure in order to prevent fraud during the high retail season.

Key Findings:
  • The share of financial phishing during the high sales season is 9 percentage points higher than during other times of the year.
  • The share of phishing attacks against online shops and payment systems during the period is usually higher than phishing against banks.
  • Criminals are trying to connect their malicious campaigns, such as spreading financial malware and phishing pages, to particular dates: Black Friday, Cyber Monday, and the pre- and post-Christmas days.
  • Kaspersky Lab’s virus collection now counts 36 families of POS malware, 6 of which were added in 2016. The number of Banking malware families, in contrast, is only 30.
  • Underground vendors of skimmers and dummy plastic cards are already experiencing an increase in sales. In December 2015 the sales of skimmers rose more than tenfold: from the regular 25-30 devices to 500.
  • Kaspersky Lab researchers expect blackmailing DDoS-attacks against online retailers during the holidays.

More about these findings can be found in the overview.


Among cybercriminals, phishing is one of the most popular ways to steal payment card details and credentials to online banking accounts. A phishing scheme is relatively easy to set up (the fraudster doesn’t even need to know how to write malware; only basic web development and design skills are required), yet it is effective because it is mostly based on social engineering techniques. During the holiday period, users are eager to find the best goods at the best price and they are expecting to see offers of this kind while surfing the web. Cybercriminals know about that and try to exploit this feature as much as possible.

Share of financial phishing in overall volume of attacks

As statistics from the previous years show, financial phishing usually accounts for no less than a quarter of all phishing attacks registered in a year. For example, in 2013, it was 31.45% of all registered phishing attacks, in 2014 – 28.74%, in 2015 – 34.33%. The current year is not yet over, but judging by the quarterly statistics the trend is the same.

Share of financial phishing in overall number of phishing attacks 2013 – 2016

And at the same time things are significantly different when it comes to what we call the holiday sales period. As expected, the share of financial phishing at this time is noticeably higher than the typical yearly result.

Share of financial phishing in different periods in comparison to the holiday period

Although in 2013 the number of financial phishing attacks during the high sales period was only 0.5 percentage points higher than the total result for the same year, in 2014 and 2015 we detected a clear difference of around 9 p.p. in favour of attacks during the holidays. Of course these data are not enough to talk about a strong tendency; nevertheless, the chances are high that this year this difference will emerge again.

Types of financial phishing

At Kaspersky Lab we distinguish between three major types of financial phishing: Banking, E-payment and E-shopping. They are all types of phishing pages that imitate the corresponding legitimate services dealing with financial transactions. Based on what we have observed in Q4 in 2014 and 2015, during the “Holiday” period, the separation between different types of financial phishing is different to the result for the full year.

For example, in 2013, shares of phishing attacks during the year and during the last “Holiday” quarter weren’t very different – less than 1 percentage point. However inside the category differences were much more visible.

That year the share of e-shop phishing in Q4 increased more than 1 percentage point to 7.8%. And the share of phishing against users of popular payment systems more than doubled compared to the rest of the year – 5.46% against 2.74%. At the same time, the share of phishing against users of online banking was lower than during the year: 18.76% against 22.2%.

The situation was repeated the next year, but with more visible amplitude. Shopping phishing during the holiday season was 5.32 p.p. higher than the full year result. And the payment systems’ phishing was 2.78 p.p. higher.

2013 Full year Q4 Financial phishing total 31.45% 32.02% E-shop 6.51% 7.80% E-banks 22.20% 18.76% E-payments 2.74% 5.46% 2014 Full year Q4 Financial phishing total 28.73% 38.49% E-shop 7.32% 12.63% E-banks 16.27% 17.94% E-payments 5.14% 7.92% 2015 Full year Q4 Financial phishing total 34.33% 43.38% E-shop 9.08% 12.29% E-banks 17.45% 18.90% E-payments 7.08% 12.19%

The change in shares of different types of financial phishing in 2013-2015

These differences are accompanied by attacks against particular targets. In 2014, Kaspersky Lab researchers conducted a small investigation into the dynamics of attacks during Black Friday and discovered that the number of attempts to load phishing pages detected and blocked by users of Kaspersky Lab products was actually growing.

Here are the timeline graphs for several targets that are traditionally most often used by phishing scammers.

Dynamics of detection of attempts to load phishing page where the American Express brand is mentioned demonstrates very similar behaviour in 2014 and 2015.

Dynamics of phishing attacks using the American Express brand in the week of Black Friday 2014 2015

Example of timeline of attacks against a particular target

And when it comes to other brands connected to online money and shopping the situation is repeated. Though the growth of attacks in 2015 happened after Black Friday and peaked on Cyber Monday.

Dynamics of phishing attacks using the Visa brand on Black Friday 2014 2015

Example of timeline of attacks against a particular target

Last but not least phishing attacks that utilize online shopping brands also obviously have a connection to specific days, such as Black Friday.

Dynamics of phishing attacks using the Wal Mart brand on Black Friday 2014 2015

Example of timeline of attacks against a particular target

Example of timeline of attacks against a particular target

Spikes in the number of detections are also typical for Christmas and the New Year period – basically they’re the second highest period in the whole quarter. Further in this overview we will show that attack peaks are typical features not only for phishing, but for financial malware attacks as well.

Examples of “Holiday” Phishing

In most cases cybercriminals don’t bother themselves with inventing anything special. Instead they just copy pages of legitimate shops, internet banking and payment systems.

As can be seen on the picture below the phishing copies of the Amazon shop quite precisely resemble the original website.

Example of a fake Amazon e-shop

Which is also true for sites of payment systems and banks. Below are pictures of phishing sites imitating Visa and American Express data submission forms. Along with some others, these two brands are traditionally among the top of those faked by phishers.

Example of a fake Visa payment form

Example of a fake American Express payment form

Sometimes criminals create whole fake web-shops simply to collect victims’ credit card data.

Example of 100% fake internet shop

They attract victims with extremely low prices for goods from famous brands. And then – when the victim has chosen the item they like and proceeds to the payment page, they simply steal their financial credentials.

Example of 100% fake internet shop, part 2, the payment page

Another way in which criminals exploit the hot sales period is by creating allegedly legitimate websites that are selling gift cards and coupons that – if they’re real – can be monetized in legitimate internet shops. However, criminals sell phony coupons, not real. The only purpose of these websites is to collect card credentials. An example of such a website is displayed in the picture below.

Example of a fake shop selling phony coupons

And of course criminals exploit the brand of Black Friday itself and they start their preparations way in advance. While preparing this overview Kaspersky Lab researchers came across a number of fake websites, which have the word Black Friday in the name and the content of which offers outstanding discounts on expensive goods.

Example of a fake Black Friday themed shop

In all, Kaspersky Lab security specialists expect that in 2016 the trends which emerged in previous years (higher than average percent of financial phishing, topical Black Friday scams, etc.) will continue their development as phishing remains one of the main source of credit card data for criminals and is still one of the easiest ways to set up a fraud scheme.

Financial malware

For years, banking trojans were one of the most dangerous cyberthreats out there. Unlike usual spyware which hunts for any type of credentials and, in most cases, is not very sophisticated, banking trojans are aimed specifically at users of internet banking and remote banking systems. Criminals tend to invest a lot of resources in the development of such malware and also develop different sophisticated techniques to avoid detection by AV products, and spread the malware as effective as possible. The most famous examples of banking malware are: ZeuS, SpyEye, Carberp, Citadel, Emotet, Lurk and others.

In previous years Kaspersky Lab experts have prepared two reports covering the global financial malware landscape, in 2013 and in 2014. And since then multiple things have changed: first of all the number of users attacked with banking malware has started to decrease. Most likely this is due to the fact that criminals have largely switched their attention from clients of banks to the banks themselves, because a sophisticated attack against a bank can bring much more profit than an attack against a regular user. Another reason is the rise of encryption ransomware which has proven itself a relatively effective way of getting money illegally. What hasn’t changed a lot is the attention of criminals to the high sales season.

the change in the number of attacks and attacked users from November to December 2015

According to Kaspersky Lab telemetry, during the holiday season of 2015, 261,000 users were attacked with banking malware That’s significantly less than in the same period a year ago, when 307,600 users were attacked. However, 2015 has shown the fairly obvious interest that criminals are showing in Black Friday, Cyber Monday and Christmas. In October the number was 61,674 users, in November – 81,038, and in December – 154,324 attacked users. A year before, in 2014, 101,300 users were hit in October, 164,000– in November and 102,900 in December.

The pattern is obvious.

The dynamics of attacks with help of financial malware from November 20 to December 3 2015 (Black Friday through Cyber Monday)

As can be seen on the graph above, the number of attacked users started to grow from November 22nd and peaked on November 26th, the day before the Black Friday 2015. The next visible peak happened on November 30th, which was the day of Cyber Monday that year. These two peaks were noticeably the biggest since the beginning of the period.

The dynamics of attacks with financial malware in Christmas period 2015

The next big rise in the number of attacks and attacked users happened on 24th of December, right before Christmas, followed by a huge two-day spike detected on 28th and 29th, not long before New Year’s Eve.

In 2014, the spikes of attacks in the holiday season weren’t that obvious, but still it was clear enough that the Black Friday period is of interest: a visible rise in attacks started on November 24th and peaked on November 27th, which was again the day before Black Friday. After that another spike was registered on 1st December, which was the day of Cyber Monday.

The dynamics of attacks with financial malware from November 20 to December 3 2015 (Black Friday through Cyber Monday)

Christmas 2014 also has shown correlation between holiday dates and attacks: on 24th and on 28th of December.

The dynamics of attacks with financial malware in the Christmas period 2014

Almost the same spikes appear when it comes to Mobile malware. Most of the detections on the graphs below were generated by a few families of malware: Faketoken, Svpeng, Marcher and Acecard. These four are the main threats when it comes to mobile banking on Android, and the criminals behind them obviously used the holidays to actively propagate these malicious programs. It was especially visible in 2014:

The dynamics of attacks with mobile financial malware on Black Friday through Cyber Monday 2014 period

2015 was significantly calmer in terms of the number of detections, but certain spikes were still in place.

The dynamics of attacks with mobile financial malware on Black Friday through Cyber Monday in 2015

POS malware

Another dangerous type of malware which we have already seen and are expecting to see during this season is POS-malware – the type of financial malware which infects the OS of point of sales terminals and then steals the credentials of the credit cards processed by these devices. So far, due to the specific nature of the devices that this type of malware tends to attack, we don’t yet have relevant statistics on the number of detections during the holiday period.

However we can estimate the threat by counting the number of families which our experts added in recent years. In 2013 only 4 families were added to our collection, but the 2013 Target breach inspired many criminals to attempt to reproduce the “success” of those who hacked the famous retailer, and the next year 12 more families of POS-malware were added. 2015 was the hottest year in terms of POS malware with 14 new families. 2016 is fairly calm so far: 6 new families were added to our collection since the beginning of the year. In total there are at least 36 families of malware capable of stealing data from POS terminals out there in the wild. The number is even bigger than the amount of banking malware families, 30 species of which are now in the Kaspersky Lab collection.

Expect new attacks

The motivation behind attacks that are tied to concrete dates are clear: cybercriminals suggest that the chances that users will be working with their financial accounts online more than usual are higher than on any other day. Therefore they tend to increase their hacking efforts to raise their own chances of stealing money. Judging by the dynamics of attacks of “holiday” dates from 2014 and 2015, Kaspersky Lab expects that in 2016, the situation may be repeated.

News from the Underground

While online shoppers are drawing up their wish-lists for the upcoming sales, retailers are preparing their stores for a massive rise in visitors, and financial infrastructure owners – banks and payment systems – are getting ready for a huge increase in the number and value of transactions, criminals are also preparing for the season. For this report Kaspersky Lab experts have conducted some research into events and discussions taking place on several secret, invitation-only underground forums, where users allegedly involved in different types of financial fraud tend to gather and discuss things.

More about Cyber Monday

Based on the results of the research, we can say that underground cybercriminals, at least on East European fora, are more excited about Cyber Monday than about Black Friday. This may be because Cyber Monday is more about online sales. There will be a lot of online advertising of special deals and it will be easier for them to hide phishing scams inside the stream of legitimate offers.

Also, from a logistics perspective, Cyber Monday is more convenient than Black Friday, which is more about offline sales. Criminals don’t have to deal with physical access to ATMs in order to set up, and later collect a skimmer. Instead they could use a phishing or malware attack in order to collect credentials and then monetize them in a number of ways.

That said, ATM skimming attacks will happen during Black Friday and will continue through other holidays: Christmas and New Year.

Example of an online advertisement for skimmers on one of the hacker forums

Based on information from the last year, during December 2015 more than 500 skimmers were sold on an East European black market, while “usual” sale rate is 25 – 30 devices per month. These devices come packed with everything necessary for successful data-stealing, like fake PIN-pads, hidden cameras etc. The vast majority (around 96.5%) of skimmers mimic the products of four popular vendors, and the rest 3.5% are skimmers that replicate custom models.

As a result of the 2015 holiday fraud campaign, criminals experienced certain problems with the cashing out of compromised cards. Based on conversations on the corresponding web resources, the cash-out projects (groups that undertake the cash-out for other criminals) were heavily overloaded so the cash-out orders took three months to complete. This was due to a large number of stolen credentials waiting to be cashed-out. According to Kaspersky Lab data, during December 2015 criminals were able to collect approximately 10 times as many credentials as during a non-holiday period. Basically this equates to the total number of card details they are usually able to steal during the rest of the year.

Example of an advertisement by an online shop selling stolen credit cards credentials

Information on several forums suggests that, in 2016, a month prior to the start of the Black Friday, vendors of skimmers were already experiencing an increase in sales, alongside vendors of blank cards that will later be used to clone stolen cards. Also, some vendors are offering new generations of POS skimmers which are attached to legitimate POS’s. Unlike earlier skimmers, the new generation is placed inside the card reader, which makes them much harder to spot with the naked eye.

Another interesting trend is that many criminals are avoiding starting their campaigns with malware, choosing instead phishing attacks because they consider them to be more efficient and safe. Besides that they are actively utilizing schemes that involve direct contact with the victim. In these attacks the fraudsters will call the victim, seemingly on behalf of a bank, and try to find out their credit card credentials with help of psychological tricks.

Kaspersky Lab experts also expect that more cases of cash-out through Apple Pay and Samsung Pay payment systems will happen during this holiday season. The recent increase in the list of countries where the systems are supported has brought a certain inspiration to criminal community. The ability to attach a card to an Apple ID and then use it to pay for real goods creates a relatively convenient way to cash-out for so called “stuffers” – criminals who specialize in cashing out through buying goods from internet and physical shops, as well as for virtual carders – criminals who monetize stolen credentials through virtual goods

Another rather interesting conclusion made by Kaspersky Lab researchers during their research of the cybercriminal underground, is that fraudsters expect a lot of profits from attacks during the holiday period, especially the pre- and post- Christmas to New Year period, not only due to the high number of buyers seeking to spend money, but also because (based on their experience, which they share on forums) in this period the anti-fraud departments of banks are weakened. Due to many employees going on vacation around these dates, banks suffer from a lack of personnel, and it is theoretically easier for criminals to hide fraudulent operations in the stream of legal ones.

Example of a fraudster’s website selling a DDoS-attack service

Other types of criminal groups – such as those specializing in DDoS attacks, will most likely try to attack online shops for the purpose of blackmailing. That is a well-known tactic which they use against small and medium retail organizations. By setting up a DDoS attack they would block access to the attacked store and, until the owner pays a ransom, they would keep it blocked. Not wanting to lose money because of the unavailability of the store the owners will often pay the criminals. This is likely to happen in the coming holiday season.

Conclusion and advice

The main purpose of this paper is to raise awareness of the threats that may ruin the upcoming holiday season for regular users and shoppers and owners of online stores and owners of financial infrastructure. Both Kaspersky Lab telemetry and the analysis of conversations happening on the underground suggest that cybercriminals will pay special attention to the upcoming high sales season. But this doesn’t mean that the holidays are already doomed.

If prepared, each legitimate party of this process: buyers, sellers and financial services providers will end up in profit. All they have to do is to follow some simple advice.

For regular users
  • Do not click on any links received from unknown people or on suspicious links sent by your friends on social networking sites or via e-mail. They can be malicious; created to download malware to your device or to lead to the phishing webpages aimed at harvesting user credentials.
  • Do not download, open or store unfamiliar files on your device, they can be malicious.
  • Do not use unreliable (public) Wi-Fi networks to make online payments, as hotspots can be easily hacked in order to listen to user traffic and to steal confidential information.
  • Do not enter your credit card details on unfamiliar or suspicious sites, to avoid passing them into cybercriminals’ hands.
  • Always double-check the webpage is genuine before entering any of your credentials or confidential information (at least take a look at the URL). Fake websites may look just like the real ones.
  • Only use sites which run with a secure connection (the address of the site should begin with HTTPS:// rather than HTTP://) to hinder theft of information transmitted.
  • Don’t tell anybody your one-time password or PIN-code, not even a bank representative. Cybercriminals can use this data to steal your money.
  • Install a security solution on your device with built-in technologies designed to prevent financial fraud. For example, Safe Money technology in Kaspersky Lab’s solutions creates secure environment for financial transactions on all levels.
  • And don’t forget about the same rules when using your mobile device for financial transactions, because cybercriminals and fraudsters target them too.
For retailers
  • Keep your e-commerce platform up-to-date. Every new update may contain critical patches to make the system less vulnerable to cybercriminals.
  • Pay attention to the personal information used for registration. Fraudsters tend to hide their identities but lack of creativity can serve as an indication of fraud. John Smith whose email address reads as is likely to be a criminal. Check again and request more details from customers if needed. Adding captcha might be effective measure against this.
  • Restrict the number of attempted transactions. Criminals usually make multiple attempts to enter correct card numbers for one purchase. Use captcha and increased time intervals for attempts to re-enter card numbers.
  • Use two-factor authentication (Verified by Visa, MasterCard Secure Code and etc.). It will dramatically drop the number of cases of illegal card usage.
  • Be careful with suspicious orders. Several unrelated high-value items for more than $500 and extra payment for fast shipping to another country can be a sign of a criminal hurrying to resell as soon as possible. In such cases it is recommended to contact the customer on the phone and confirm the order.
  • Use tailored security solution to protect your point of sales terminals from malware attacks and make sure your POS terminals run the latest version of software.
  • Criminals may attempt to DDoS the website of your shop for blackmail purposes. Make sure that your IT security team is prepared for such attacks or, if you don’t have one, ask your hosting provider if it is possible to purchase a DDoS-protection service from them.
  • Educate your clients on possible cyberthreats they may encounter while shopping online and offline
For financial organizations
  • Introduce enterprise-wide fraud prevention strategy with special sections on ATM and internet banking security. Logical security, physical security of ATMs and fraud prevention measures should be addressed altogether as attacks are becoming more complex.
  • Conduct annual security audits and penetration tests. It is better to let professionals find vulnerabilities than wait until they will be found by cybercriminals.
  • Choose a multi-layered approach and techniques against fraud. Training employees to spot suspicious transactions should be combined with implementation of dedicated fraud prevention solutions. Financial security software based on innovative technologies helps to detect and fight fraudulent activity beyond human control.
  • Do not leave self-protection to customers. It is hardly possible to educate all customers – and it is always better to create a multi-layer security architecture that will provide all the services with the necessary level of security.
  • Remember that insiders are usually involved in half or more cybersecurity incidents. Use security approaches that allow for the detection of suspicious and potentially dangerous activity inside your infrastructure.
  • Make sure that your anti-fraud department is fully staffed during the holiday period.


SANS Tip of the Day - Mon, 11/14/2016 - 00:00
Make sure you have anti-virus software installed on your computer and that it is automatically updating. However, keep in mind that no anti-virus can catch all malware; your computer can still be infected. That is why it's so important you use common sense and be wary of any messages that seem odd or suspicious.

Loop of Confidence

Malware Alerts - Thu, 11/10/2016 - 04:10

With the arrival of Apple Pay and Samsung Pay in Russia, many are wondering just how secure these payment systems are, and how popular they are likely to become. A number of experts have commented on this, basing their opinions on the common stereotypes of Android being insecure and the attacks which currently take place on wireless payments. In our opinion however, these technologies require a more detailed examination and a separate evaluation of the threats they face.

The conventional approach

Traditional threats associated with the use of bank cards in ATMs and physical stores have already been studied and described in sufficient detail:

  • the magnetic strip can be read using skimmers; modern versions of skimmers are advanced and very inconspicuous;
  • to read EMV chips, dedicated skimmers have been designed that are planted into payment terminals;
  • wireless payment systems (PayPass, PayWave) are potentially vulnerable to contactless, remote card reading attacks.

However, the growth in popularity of mobile devices has given rise to a new type of wireless mobile payment: a regular card payment can now be emulated using the smartphone’s built-in NFC antenna. The functionality is turned on at the request of the user, meaning there’s less risk than carrying around a card that’s constantly ready to make a payment. Bank clients, in turn, don’t have to take out their wallets when making a payment, and don’t even have to carry their bank cards around with them.

The technology for emulating cards on mobile devices (Host Card Emulation, HCE) may have been inexpensive and available to a broad range of device users starting from Android 4.4, but it had several drawbacks:

  • the payment terminal had to support wireless payments;
  • the eSE (embedded Secure Element) chip made the device more expensive, so initially it was incorporated into just a few top-of-the-range devices from major manufacturers;
  • if the manufacturer decided to cut costs on secure data storage, important information ended up being stored by the operating system which could be attacked by malware with root privileges on the device. However, this didn’t go beyond a few proof-of-concept attacks, because there are plenty of other easier ways of attacking mobile banking systems;
  • the developers attempted to mitigate the risks associated with storing important payment information on a mobile device, e.g. by using secure element in the cloud. This made smartphone-assisted payments unavailable in locations with unstable mobile services;
  • the risks associated with using software-based HCE storage made it highly advisable to introduce extra security measures into banking applications, making their development more complicated.

As a result, for many large banks, as well as users, paying with the help of card emulation using a smartphone is little more than a quirky feature used for promos or simply to show off in public.

New technologies

The problems described above have given rise to a number of studies, including some by large international companies, in search of more advanced technologies. The next step in the evolution of mobile payments was tokenized payment systems proposed by major market players – Apple, Samsung, and Google. Unlike card emulation on the device, these systems are based on exchanging tokens. A token is a unique transaction ID; the card details are never sent to the payment terminal. This addresses the problem of payment terminals being compromised by malware or skimmers. Unfortunately, this approach has the same problem: the technology has to be adopted and maintained by the manufacturer of the payment terminal.

Several years ago, a startup project called LoopPay attempted to address this problem. The developers proposed a kit consisting of a regular card reader for a 3.5 mm (1⁄8 in) audio jack and a phone case. Their know-how was a patented technology for emulating a bank card magnetic strip using a signal generated by their dedicated device. It has to be said that the creators took an early interest in secure data storage (on a dedicated device rather than on the phone) and protection from using the details of other people’s bank cards (personal data checked by comparing information about the user against information from the bank card’s Track 1 information). Later on, Samsung became interested in LoopPay and acquired the startup. After some time, the Magnetic Secure Transmission (MST) technology became available, complementing Samsung Pay tokenized payments. As a result, regular users can use their smartphones to make payments at payment terminals that support new wireless payment technologies and use MST at any type of terminal by just placing their device next to the magnetic strip reader.

We have been monitoring this project closely, and can now safely say that this technology is, on the whole, a big step forward in terms of convenience and security, because its developers have addressed lots of relevant risks:

  • secure element is used to reliably store data;
  • activation of payment mode on the phone requires the user to enter a PIN code or use a fingerprint;
  • on Samsung devices, a KNOX security solution and basic antivirus are pre-installed – these two block payment features when malware lands on the device;
  • KNOX Tamper Switch – an object of hate among forum-based “experts” – protects against more serious rootkit malware. KNOX Tamper Switch is a software and hardware appliance that irreversibly blocks the device’s business and payment features during any privilege escalation attacks;
  • payment functionality is only available from new devices for which security updates are available, and on which all vulnerabilities are quickly patched;
  • on some of the Samsung smartphones sold in Russia, Kaspersky Internet Security for Android is pre-installed. This provides extended protection from viruses and other mobile threats.

It should be noted that Samsung Pay, when making payments, uses a virtual card whose number is not available to the user, rather than the actual banking card tied to the user’s account. This method of payment works just fine when there is no Internet connection.

New old threats

There’s no doubt that the new technology has become an object of interest for security researchers. Potential attacks do exist for it and were presented at the latest BlackHat USA conference. These attacks may still only be potential threats, but we should still stay alert. Banks are just planning to introduce biometric authentication on ATMs in 2017, but cybercriminals are already collecting intelligence on which hardware manufacturers are involved, what sort of vulnerabilities exist in the hardware, etc. In other words, the technology is not even available to the wider public yet, but cybercriminals are already searching for weaknesses.

Cybercriminals are also studying Apple and Samsung’s technologies. To makes things worse for Russian users, these technologies only arrive in the Russian market a year after they are launched in Western countries.

Cybercriminals discussing the prospects of exploiting Apple Pay in Russia

At the same time, cybersecurity researchers tend to forget about conventional fraud, which mobile vendors are completely unprepared for as they enter a new sphere of business. Wireless payments have made card fraudsters’ lives much easier both in terms of online trade and shopping in regular stores. They no longer have to use a fake card with stolen card data recorded onto it, and thus run the risk of getting caught at the shop counter – now they can play it much safer by paying for merchandise with a stolen card attached to a top-of-the-range phone.

Alternatively, a fraudster can simply buy merchandise and gift cards in an Apple Store. In spite of all the security measures taken by Apple, the Apple Pay fraud rate in the US was 6% in 2015, or 60 times greater than the 0.1% bank card fraud.

Samsung Pay also sacrificed some of the useful anti-fraud features for usability after it purchased the startup; one being that accounts be rigidly attached to the cardholder’s name. For instance, I added my own bank card to my smartphone, and then added my colleague’s as well; in the original LoopPay solution, this was impossible.

To conclude, it’s now safe to say that the new tokenized solutions are indeed more secure and convenient compared to their predecessors. However, there’s still plenty of room for improvement when it comes to security, and that’s very important for the future prospects of the technology. After all, no one likes to lose money, be it banks or their clients.

Spam and phishing in Q3 2016

Malware Alerts - Wed, 11/09/2016 - 05:00

 Download the full report (PDF)

Spam: quarterly highlights Malicious spam

Throughout 2016 we have registered a huge amount of spam with malicious attachments; in the third quarter, this figure once again increased significantly. According to KSN data, in Q3 2016 the number of email antivirus detections totaled 73,066,751. Most malicious attachments contained Trojan downloaders that one way or another loaded ransomware onto the victim’s computer.

Number of email antivirus detections, Q1-Q3 2016

The amount of malicious spam reached its peak in September 2016. According to our estimates, the number of mass mailings containing the Necurs botnet alone amounted to 6.5% of all spam in September. To recap, this kind of malicious spam downloads the Locky malware to computers.

Most emails were neutral in nature. Users were prompted to open malicious attachments imitating bills supposedly sent by a variety of organizations, receipts, tickets, scans of documents, voice messages, notifications from stores, etc. Some messages contained no text at all. All this is consistent with recent trends in spam: fraudsters are now less likely to try and impress or intimidate users to make them click a malicious link or open an attachment. Instead, spammers try to make the email contents look normal, indistinguishable from other personal correspondence. Cybercriminals appear to believe that a significant proportion of users have mastered the basics of Internet security and can spot a fake threat, so malicious attachments are made to look like everyday mail.

Of particular note is the fact that spam coming from the Necurs botnet had a set pattern of technical email headers, while the schemes used by the Locky cryptolocker varied a lot. For example, the five examples above contain the following four patterns:

  • JavaScript loader in a ZIP archive loads and runs Locky.
  • Locky is loaded using a macro in the .docm file.
  • Archived HTML page with a JavaScript script downloads Locky.
  • Archived HTML page with a JavaScript script downloads the encrypted object Payload.exe, which runs Locky after decryption.
Methods and tricks: links in focus IP obfuscation

The third quarter saw spammers continue to experiment with obfuscated links. This well-known method of writing IP addresses in hexadecimal and octal systems was updated by scammers who began to add ‘noise’. As a result, an IP address in a link may end up looking like this:


Spammers also began to insert non-alphanumeric symbols and slashes in domain/IP addresses, for example:


<a href=/@/0x40474B17

URL shortening services

Spammers also continued experimenting with URL shortening services, inserting text between slashes. For example:

Sometimes other links were used to add text noise:

The use of search queries

Some spammers have returned to the old method of hiding the addresses of their sites as search queries. This allows them to solve two problems: it bypasses black lists and makes the links unique for each email. In the third quarter, however, spammers went even further and used the Google option “I’m Feeling Lucky”. This option immediately redirects users to the website that’s displayed first in the list of search results, and it can be activated simply by adding “&btnI=ec” to the end of the link. Clicking on the link redirects users to the spammer’s site rather than to the page displayed in the Google search results. The advertising site itself is obviously optimized to appear first in the search results. There could be lots of similar queries within a single mass mailing.

The example above involves yet another trick. The search query is written in Cyrillic. The Cyrillic letters are first converted to a decimal format (e.g., “авто” becomes “Авто”), and then the whole query in decimal format, including special symbols, are converted to a hexadecimal URL format.

Imitations of popular sites

The third quarter saw phishers trying to cheat users by making a link look similar to that of a legitimate site. This trick is as old as the hills. In the past, real domain names were distorted very slightly; now, cybercriminals make use of either subdomains imitating real domain names or long domains with hyphens. So, in phishing attacks on PayPal users we came across the following domain names:

Phishing attacks targeting Apple users included the following names:

Spammers have also found help from new “descriptive” domain zones, where a fake link can seem more topical and trusted, for example:

Testers required

Q3 email traffic contained mass mailings asking users to participate in free testing of a product that they could then keep. The authors of the emails we analyzed were offering popular goods such as expensive brand-name home appliances (coffee machines, robot vacuum cleaners), cleaning products, cosmetics and even food. We also came across a lot of emails offering the chance to test the latest models of electronic devices including the new iPhone that was released at the end of the third quarter. The headers used in these mass mailings include: “Register to test & keep a new iPhone 7S! Wanted:! IPhone 7S Testers”. The release of the latest iPhone was met with the usual surge of spam activity dedicated exclusively to Apple products.

The largest percentage of spam in the third quarter – 61.25% – was registered in September #KLReport


The people sending out these messages are in no way related to the companies whose products they use as bait. Moreover, they send out their mass mailings from fake email addresses or from empty, newly created domains.

The senders promise to deliver the goods for testing by post, and using this pretext they ask for the recipient’s postal and email addresses as well as other personal information. A small postal charge in is imposed on the user, but even if the goods are delivered, there is no guarantee they will be good quality. There are lots of posts on the Internet by users saying they never received any goods, even after paying the postage costs. This has an element of old-fashioned non-virtual fraud: the cybercriminals receive money transfers under the pretext of a postal charges and then disappear.

Gift certificates to suit all tastes

Spam traffic in Q3 included some interesting mailings using the common theme of fake gift certificates. Recipients were offered the chance to participate in an online survey in return for a certificate worth anything from ten to hundreds of euros or dollars. They were led to believe that the certificates were valid for large international retail chains, online hypermarkets, grocery stores, popular fast-food chains as well as gas stations.

In some cases, the senders of these fraudulent messages said they were carrying out a survey to improve the customer support services of the organizations that were allegedly behind these generous offers, as well as to improve the quality of their products. In other cases, the message was described as a stroke of luck and that the recipient’s email address was randomly selected for a generous gift as a mark of appreciation for using the brand’s goods or services. The messages were indeed randomly sent out to email addresses that had been collected by spammers, and did not necessarily belong to customers of the companies named in emails.

To confirm receipt of the gift certificate, the user is asked to follow a link in the email which in fact leads to an empty domain with a descriptive name (e.g. “winner of the day”). Then, via the redirect, the user ends up at a newly created site with a banner designed in the style of the brand that supposedly sent out the mailing. The user is notified that the number of certificates is limited and that they have only 90 seconds to click on a link, thereby agreeing to receive the gift. After completing a short survey asking things such as “How often do you use our services?” and “How are you planning to use the certificate?” the user is asked to enter their personal data in a form. And finally the “lucky winner” is redirected to a secure payment page where they have to enter their bank card details and pay a minor fee (in the case we analyzed the sum was 1 krone).

In Q3 2016 Germany (13.21%) remained the country targeted most by malicious mailshots #KLReport


According to online reviews, some potential victims of this type of certificate fraud were asked to call a number to participate in a telephone survey rather than an online survey. This type of fraudulent scheme is also quite common: the idea is to keep someone on the paid line for as long as possible until they give up on the promised reward.

Like the offers to participate in the testing of goods, these themed messages were sent out from fake addresses with empty or newly created domains that had nothing to do with the organizations in whose name the cybercriminals were offering the certificates.

Statistics Proportion of spam in email traffic

Percentage of spam in global email traffic, Q2 and Q3 2016

The largest percentage of spam in the third quarter – 61.25% – was registered in September. The average share of spam in global email traffic for Q3 amounted to 59.19%, which was 2 p.p. more than in the previous quarter.

Sources of spam by country

Sources of spam by country, Q3 2016

In Q3 2016, the contribution from India increased considerably – by 4 p.p. – and became the biggest source of spam with a share of 14.02%. Vietnam (11.01%, +1 p.p.) remained in second place. The US fell to third after its share (8.88%) dropped by 1.9 p.p.

As in the previous quarter, fourth and fifth were occupied by China (5.02%) and Mexico (4.22%) respectively, followed by Brazil (4.01%), Germany (3.80%) and Russia (3.55%). Turkey (2.95%) rounded off the TOP 10.

Spam email size

Breakdown of spam emails by size, Q2 and Q3 2016

Traditionally, the most commonly distributed emails are very small – up to 2 KB (55.78%), although the proportion of these emails has been declining throughout the year, and in Q3 dropped by 16 p.p. compared to the previous quarter. Meanwhile, the proportion of emails sized 10-20 KB increased considerably from 10.66% to 21.19%. The other categories saw minimal changes.

Malicious email attachments

Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications. So we have decided to turn to the more informative statistics of the TOP 10 malware families to trigger mail antivirus.

TOP 10 malware families

Trojan-Downloader.JS.Agent (9.62%) once again topped the rating of the most popular malware families. Trojan-Downloader.JS.Cryptoload (2.58%) came second. Its share increased by 1.34 p.p. As in the previous quarter, Trojan-Downloader.MSWord.Agent (2.34%) completed the top three.

The popular Trojan-Downloader.VBS.Agent family (1.68%) fell to fourth with a 0.48 p.p. decline. It was followed by Trojan.Win32.Bayrob (0.94%).

TOP 10 malware families in Q3 2016

A number of newcomers made it into the bottom half of this TOP 10. Worm.Win32.WBVB (0.60%) in seventh place includes executable files written in Visual Basic 6 (in both P-code and Native modes) that are not recognized as trusted by KSN. The malware samples of this family are only detected by Mail Anti-Virus. For this type of verdict File Antivirus only detects objects with names that are likely to mislead users, for example, AdobeFlashPlayer, InstallAdobe, etc.

In Q3 2016 India (14.02%) became the biggest source of spam #KLReport


Trojan.JS.Agent (0.54%) came eighth. A typical representative of this family is a file with .wsf, .html, .js and other extensions. The malware is used to collect information about the browser, operating system and software whose vulnerabilities can be used. If the desired vulnerable software is found, the script tries to run a malicious script or an application via a specified link.

Yet another newcomer – Trojan-Downloader.MSWord.Cryptoload (0.52%) – occupied ninth place. It is usually a document with a .doc or .docx extension containing a script that can be executed in MS Word (Visual Basic for Applications). The script includes procedures for establishing a connection, downloading, saving and running a file – usually a Trojan cryptor.

Trojan.Win32.Agent (0,51%), which was seventh in the previous quarter, rounded off the TOP 10 in the third quarter.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, Q3 2016

Germany (13.21%) remained the country targeted most by malicious mailshots, although its share continued to decline – by 1.48 p.p. in Q3. Japan (8.76%), whose share increased by 2.36 p.p., moved up to second. China (8.37%) in third saw its share drop by 5.23 p.p.

In Q3 2016, fourth place was occupied by Russia (5.54%); its contribution increased by 1.14 p.p. from the previous quarter. Italy came fifth with a share of 5.01%. The US remained in seventh (4.15%). Austria (2.54%) rounded off this TOP 10.


In Q3 2016, the Anti-Phishing system was triggered 37,515,531 times on the computers of Kaspersky Lab users, which is 5.2 million more than the previous quarter. Overall, 7.75% of unique users of Kaspersky Lab products worldwide were attacked by phishers in Q3 2016.

Geography of attacks

China (20.21%) remained the country where the largest percentage of users is affected by phishing attacks. In Q3 2016, the proportion of those attacked increased by 0.01 p.p.

Geography of phishing attacks*, Q3 2016

*Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

The percentage of attacked users in Brazil decreased by 0.4 p.p. and accounted for 18.23%, placing the country second in this rating. UAE added 0.88 p.p. to the previous quarter’s figure and came third with 11.07%. It is followed by Australia (10.48%, -2.29 p.p.) and Saudi Arabia (10.13%, +1.5 p.p.).

TOP 10 countries by percentage of users attacked:

China 20.21% Brazil 18.23% United Arab Emirates 11.07% Australia 10.48% Saudi Arabia 10.13% Algeria 10.07% New Zealand 9.7% Macau 9.67% Palestinian Territory 9.59% South Africa 9.28%

The share of attacked users in Russia amounted to 7.74% in the third quarter. It is followed by Canada (7.16%), the US (6.56%) and the UK (6.42%).

Organizations under attack Rating the categories of organizations attacked by phishers

The rating of attacks by phishers on different categories of organizations is based on detections of Kaspersky Lab’s heuristic anti-phishing component. It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab’s databases. It does not matter how the user attempts to open the page – by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity. After the security system is activated, a banner is displayed in the browser warning the user about a potential threat.

In Q3 of 2016, the share of the ‘Financial organizations’ category (banks, payment systems, online stores) accounted for more than half of all registered attacks. The percentage of the ‘Banks’ category increased by 1.7 p.p. and accounted for 27.13%. The proportion of ‘Online stores’ (12.21%) and ‘Payment systems’ (11.55%) increased by 2.82 p.p. and 0.31 p.p. respectively.

Distribution of organizations affected by phishing attacks by category, Q3 2016

In addition to financial organizations, phishers most often attacked ‘Global Internet portals’ (21.73%), ‘Social networking sites’ (11.54%) and ‘Telephone and Internet service providers’ (4.57%). However, their figures remained almost unchanged from the previous quarter – the change for each category was no more than a single percentage point.

Hot topics this quarter Attacks on users of online banking

The third quarter saw the proportion of attacked users in the ‘Banks’ category increase significantly – by 1.7 p.p. The four banks whose clients were attacked most often are all located in Brazil. For several years in a row this country has ranked among the countries with the highest proportion of users attacked by phishers, and occasionally occupies first place. Naturally, online banking users are priority targets for cybercriminals, since the financial benefits of a successful attack are self-evident.

Links to fake banking pages are mostly spread via email.

Example of a phishing email sent on behalf of a Brazilian bank. The link in the email leads to a fake page that imitates the login page to the user’s banking account

‘Porn virus’ for Facebook users

At the beginning of the previous quarter, Facebook users were subjected to phishing attacks. Almost half a year later, the same scheme was used by fraudsters to attack users in Europe. During the attack, a provocative adult video was used as bait. To view it, the user was directed to a fake page (a page on the domain was especially popular) imitating the popular YouTube video portal.

Example of a user being tagged in a post with the video

This extension requested rights to read all the data in the browser, potentially giving the cybercriminals access to passwords, logins, credit card details and other confidential user information. The extension also distributed more links on Facebook that directed to itself, but which were sent using the victim’s name.

Phisher tricks

Carrying on from the second quarter, we continue to talk about the popular tricks of Internet fraudsters. The objectives are simple – to convince their victims that they are using legitimate resources and to bypass security software filters. It is often the case that the more convincing the page is for the victim, the easier it is to detect with a variety of technologies for combating fraudsters.

Nice domains

We have already described a trick whereby spammers use genuine-looking links in emails to spread phishing content. Fraudsters often resort to this technique regardless of how the phishing page is distributed. They are trying to mislead users, who do actually pay attention to the address in the address bar, but who are not technically savvy enough to see the catch.

The main domain of the organization that is being attacked might be represented, for example, by a 13th-level domain:

Or might simply be used in combination with another relevant word, e.g., secure:

These tricks help deceive potential victims, though they make it much easier to detect phishing attacks using security solutions.

Different languages for different victims

By using information about the IP address of a potential victim, phishers determine the country in which they are located. In the example below, they do so by using the service

Depending on the country that has been identified, the cybercriminals will display pages with vocabulary in the corresponding language.

Examples of files that are used to display a phishing page in a specified language

The example below shows 11 different versions of pages for 32 different locations:

Example of a script used by phishers to display the relevant page depending on the location of the victim

TOP 3 attacked organizations

Fraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. More than half of all detections of Kaspersky Lab’s heuristic anti-phishing component are for phishing pages hiding behind the names of fewer than 15 companies.

The TOP 3 organizations attacked most frequently by phishers accounted for 21.96% of all phishing links detected in Q3 2016.

Organization % of detected phishing links Facebook 8.040955 Yahoo! 7.446908 6.469801

In Q3 2016, Facebook (8.1%, +0.07 p.p.) topped the ranking of organizations used by fraudsters to hide their attacks. Microsoft, the leader in the previous quarter, dropped out of the TOP 3. Second place was occupied by Yahoo! (7.45%), whose contribution increased by 0.38 p.p. Third place went to Amazon, a newcomer to the TOP 3 with 6.47%.


In the third quarter of 2016, the proportion of spam in email traffic increased by 2 p.p. compared to the previous quarter and accounted for 59.19%. The largest percentage of spam – 61.25% – was registered in September. India (14.02%), which was only fourth in the previous quarter, became the biggest source of spam. The top three sources also included Vietnam (11.01%) and the US (8.88%).

The top three countries targeted by malicious mailshots remained unchanged from the previous quarter. Germany (13.21%) came first again, followed by Japan (8.76%) and China (8.37%).

In Q3 2016, Kaspersky Lab products prevented over 37.5 million attempts to enter phishing sites, which is 5.2 million more than the previous quarter. Financial organizations were the main target, with banks the worst affected, accounting for 27.13% of all registered attacks. The most attractive phishing targets in Q3 2016 were clients of four banks located in Brazil.

The first cryptor to exploit Telegram

Malware Alerts - Tue, 11/08/2016 - 05:52

Earlier this month, we discovered a piece of encryption malware targeting Russian users. One of its peculiarities was that it uses Telegram Messenger’s communication protocol to send a decryption key to the threat actor. To our knowledge, this is the first cryptor to use the Telegram protocol in an encryption malware case.

What is a cryptor?

In general, cryptors can be classified into two groups: those which maintain offline encryption and those which don’t.

There are several reasons why file encryption malware requires an Internet connection. For instance, the threat actors may send an encryption key to the cryptor and receive data from it which they can later use to decrypt the victim’s encrypted files.

Obviously, a special service is required on the threat actor’s side to receive data from the cryptor malware. That service must be protected from third-party researchers, and this creates extra software development costs.

Analyzing the Telegram Trojan

The Telegram Trojan is written in Delphi and is over 3MB in size. After launching, it generates a file encryption key and an infection ID (infection_id).

Then it contacts the threat actors using the publicly available Telegram Bot API and operates as a Telegram bot, using the public API to communicate with its creators.

In order for that to happen, the cybercriminals first create a “Telegram bot”. A unique token from the Telegram servers identifies the newly-created bot and is placed into the Trojan’s body so it can use the Telegram API.

The Trojan then sends a request to the URL<token>/GetMe, where <token> the unique ID of the Telegram bot, created by the cybercriminals, is stored. According to the official API documentation, the method ‘getMe’ helps to check if a bot with the specified token exists and finds out basic information about it. The Trojan does not use the information about the bot that the server returns.

The Trojan sends the next request using the method ‘sendMessage’ which allows the bot to send messages to the chat thread of the specified number. The Trojan then uses the chat number hardwired into its body, and sends an “infection successful” report to its creators:<token>/sendmessage?chat_id=<chat>&text=<computer_name>_<infection_id>_<key_seed>

The Trojan sends the following parameters in the request:

<chat> – number of the chat with the cybercriminal;

<computer_name> – name of the infected computer;

<infection_id> – infection ID;

<key_seed> – number used as a basis to generate the file encryption key.

After sending the information, the Trojan searches the hard drives for files with specific extensions, and encrypts them bytewise, using the simple algorithm of adding each file byte to the key bytes.

File extensions selected for encryption

Depending on its configuration, the Trojan may add the extension ‘.Xcri’ to the encrypted files, or leave the extension unchanged. The Trojan’s sample that we analyzed does not change file extensions. A list of encrypted files is saved to the text file ‘%USERPROFILE%\Desktop\База зашифр файлов.txt’.

After encryption, the Trojan sends the request<token>/sendmessage?chat_id=<chat>&text=<computer_name>_<infection_id>_<key_seed>stop.

In this request, all parameters are the same as in the previous request, but the word ‘stop’ is added at the end.

Then the Trojan downloads the extra module Xhelp.exe (URL: http://***.ru/wp-includes/random_compat/Xhelp.exe) from a compromised site created using WordPress, and launches it. This module, called “Informer” (‘Информатор’ in the original Russian) by the cybercriminals, has a graphical interface and informs the victim about what has happened, and puts forward the ransom demand. The ransom is 5,000 RUB which is accepted via Qiwi or Yandex.Money payment methods.

Screens demonstrated to the victim user

The victim can communicate with the cybercriminals via a dedicated entry field in the “Informer” interface. This feature is also based on sending a Telegram message using the method ‘sendMessage’.

Multiple language mistakes in the ransom texts suggest the grade level of the Trojan’s creators. There is also a final phrase which catches the attention: “Thank you for helping Young Programmers Fund”.

Safeguarding measures

All Kaspersky Lab products detect this threat with the following verdicts:



3e24d064025ec20d6a8e8bae1d19ecdb – Trojan-Ransom.Win32.Telecrypt.a (the main module)
14d4bc13a12f8243383756de92529d6d – Trojan-Ransom.Win32.Telecrypt.a (the ‘Informer’ module).

If you have fallen victim to this encryption malware, we strongly advise you not to pay the ransom. Instead, contact Kaspersky Lab’s support team and we will help you decrypt your files.

Disassembling a Mobile Trojan Attack

Malware Alerts - Mon, 11/07/2016 - 05:27

In early August we detected several cases of a banking Trojan being downloaded automatically when users viewed certain news sites on their Android devices. Later it became apparent that this was being caused by advertising messages from the Google AdSense network, and was not restricted to news sites. In fact, any site using AdSense to display adverts could potentially have displayed messages that downloaded the dangerous Trojan-Banker.AndroidOS.Svpeng and automatically saved it to the device’s SD card. This behavior surprised us: typically, the browser warns users about downloading a potentially dangerous file, and offers them a choice of whether or not to save the file. We intercepted traffic coming from the attacked device when this sort of “advert” was displayed, and figured out how the malicious program was downloaded and automatically saved.

Some statistics

First of all, let’s provide some information about the latest versions of Trojan-Banker.AndroidOS.Svpeng. It is limited to Russia and the CIS (more about this later). Below is a graph showing detections of the Trojan’s latest version – Svpeng.q.

And here is the graph for the previous version that was distributed in July 2016, also via AdSense:

As you can see from the graphs, within a two-month period Svpeng was detected on the computers of approximately 318,000 users, with the detection rate peaking at around 37,000 attacked users in one day. The high rates and abrupt changes in the number of detections are easy to explain: Google has been quick to block the ads that the Trojan uses for propagation. However, this is a reactive rather than a proactive approach – the malicious ads were blocked after the Trojan was already on thousands of Android devices. It is also worth noting that there were multiple occasions in the past two months when these ads found their way on to AdSense; similar attacks have been occurring up to the present time, with the most recent attack registered on 12 September 2016.

Now for the juicy part

Let’s look at how the displaying of an ad is related to the automatic download of the APK file containing the Trojan and it being saved to the SD card. Below is the HTTP request that leads to the cybercriminals’ advert being displayed:

In response to this request, the server sends a Javascript script that displays the ad message. However, this script contains a hidden surprise: at the beginning there is some heavily obfuscated code. Let’s look, step by step, at what this code actually does:

  1. Declares the variables necessary for operation and deciphers the payload:
  2. We can see that the APK file was downloaded in the form of an encrypted array of bytes in the script. Now it just needs to be saved to the SD card.

  3. Defines the function that will save the file.
  4. The code checks the availability of functions from various browser engines, and if they are unavailable, defines its own function. The object URL and the element <a> (the latter being an HTML notation for a link) are created in this function. The resulting link is assigned the attribute ‘href’ (where the link leads to), and the malicious program emulates a click on this link. This method is not new; quite possibly the Trojan’s creators borrowed it from here, and only added obfuscation and a restriction: the click simulation is only done on touchscreen devices, which for the most part are smartphones.

  5. Breaks the decrypted APK file into blocks of 1024 bytes.
  6. Sets the handler for a page load event. Handler activation initiates the automatic saving of the APK file to the SD card.

Apart from the extra checks to see if the script runs on the smartphone or not, there is an important check in the code to identify the language used on the device. The attackers only target smartphones with a Russian-language interface – these are typically devices belonging to users in Russia and, to a lesser degree, CIS states.

Where’s the catch?

The method described above only works in Google Chrome for Android. When an APK file is downloaded via a link leading to an external web resource, the browser displays a warning that a potentially dangerous object is being downloaded, and prompts the user to choose whether or not to save the file.

When an APK file is broken down into pieces and handed over to the save function via Blob() class, there is no check for the type of the content being saved, so the browser saves the APK file without notifying the user.

We notified Google about this browser behavior and that it was being exploited to distribute malicious content. At the time of publishing a patch had been released that fixed this problem in Google Chrome and will become available to users the next time the browser is updated.

In all other browsers, this method either does not work, or the user is asked if they want to save the file or not. Kaspersky Lab recommends updating Google Chrome to prevent infection by the malware when viewing sites that use AdSense.


Of course, just downloading the Trojan is not enough for it to work; the user also has to install it. To ensure this, the attackers resort to social engineering. The Trojan may be downloaded with any of the following names:

  • last-browser-update.apk
  • WhatsApp.apk
  • Google_Play.apk
  • 2GIS.apk
  • Viber.apk
  • DrugVokrug.apk
  • Instagram.apk
  • VKontakte.apk
  • minecraftPE.apk
  • Skype.apk
  • Android_3D_Accelerate.apk.
  • SpeedBoosterAndr6.0.apk
  • new-android-browser.apk
  • AndroidHDSpeedUp.apk
  • Android_update_6.apk
  • WEB-HD-VIDEO-Player.apk
  • Asphalt_7_Heat.apk
  • CHEAT.apk
  • Root_Uninstaller.apk
  • Mobogenie.apk
  • Chrome_update.apk
  • Trial_Xtreme.apk
  • Cut_the_Rope_2.apk
  • Установка.apk
  • Temple_Run.apk

These names imitate the names of popular legitimate apps or try to convince users that the downloaded app is important and has to be installed. In the latest versions of Android, installation of apps downloaded from unknown sources is blocked by default, but the cybercriminals are obviously counting on users disabling this setting to install an “important browser update” or a newer version of a popular app that is already on their phone.

So far, those behind Svpeng have limited their attacks to smartphone users in Russia. However, next time they push their “adverts” on AdSense they may well choose to attack users in other countries; we have seen similar cases in the past. After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?