Malware RSS Feed

ATM infector

Malware Alerts - Tue, 05/17/2016 - 06:57

Seven years ago, in 2009, we saw a completely new type of attack on banks. Instead of infecting the computers of thousands of users worldwide, criminals went directly after the ATM itself – infecting it with malware called Skimer. Seven years later, our Global Research and Analysis Team together with Penetration Testing Team have been called on for an incident response. They discovered a new, improved, version of Skimer.

Virus style infections

Criminals often obscured their malware with packers to make analysis more difficult for researchers. The criminals behind Skimer also did this, using the commercially available packer Themida, which packs both the infector and the dropper.

Once the malware is executed it checks if the file system is FAT32. If it is, it drops the file netmgr.dll in the folder C:\Windows\System32. If it is an NTFS file system, the same file will be placed in the NTFS data stream corresponding to the XFS service´s executable file. Placing the file in an NTFS data stream is most likely done to make forensic analysis more difficult.

After successful installation, the sample patches the XFS executable (SpiService.exe) entry point, in order to add a LoadLibrary call to the dropped netmgr.dll file. This file is also protected by Themida.

Entry point in SpiService.exe before infection

Entry point in SpiService.exe after infection

After a successful installation the ATM is rebooted. The malicious library will be loaded into the SpiService.exe thanks to the new LoadLibrary call, providing it with full access to XFS.

Functionality

Unlike Tyupkin, where there was a magic code and a specific time frame where the malware was active, Skimer only wakes up when a magic card (specific Track 2 data, see IOCs at the bottom of this blogpost) is inserted. It is a smart way to implement access control to the malware’s functionality.

Once the magic card is inserted, the malware is ready to interact with two different types of cards, each with different functions:

  1. Card type 1 – request commands through the interface
  2. Card type 2 – execute the command hardcoded in the Track2

After the card is ejected, the user will be presented with a form, asking them to insert the session key in less than 60 seconds. Now the user is authenticated, and the malware will accept 21 different codes for setting its activity. These codes should be entered from the pin pad.

Below is a list of the most important features:

  1. Show installation details;
  2. Dispense money – 40 notes from the specified cassette;
  3. Start collecting the details of inserted cards;
  4. Print collected card details;
  5. Self delete;
  6. Debug mode;
  7. Update (the updated malware code is embedded on the card).

During its activity, the malware also creates the following files or NTFS streams (depending on the file system type). These files are used by the malware at different stages of its activity, such as storing the configuration, storing skimmed card data and logging its activity:

C:\Windows\Temp\attrib1 card data collected from network traffic or from the card reader; C:\Windows\Temp\attrib4 logs data from different APIs responsible for the communication with the keyboard (effectively logging data such as the pin); C:\Windows\Temp\mk32 same as attrib4; C:\Windows\Temp:attrib1 same as the homologue file; C:\Windows\Temp:attrib4 same as the homologue file; C:\Windows\Temp:mk32 same as the homologue file; C:\Windows\Temp:opt logs mule´s activity.

Main window

The following video details the scenario on how money mules interact with an infected ATM as described above.

Conclusions

During our recent Incident Response cases related to the abuse of ATMs, we have identified Tyupkin, Carbanak and black box attacks. The evolution of Backdoor.Win32.Skimer demonstrates the attacker interest in these malware families as ATMs are a very convenient cash-out mechanism for criminals.

One important detail to note about this case is the hardcoded information in the Track2 – the malware waits for this to be inserted into the ATM in order to activate. Banks may be able to proactively look for these card numbers inside their processing systems, and detect potentially infected ATMs, money mules, or block attempts to activate the malware.

We also recommend regular AV scans, the use of whitelisting technologies, a good device management policy, full disk encryption, the protection of ATM BIOS with a password, only allowing HDD booting, and isolating the ATM network from any other internal bank networks.

Kaspersky Lab has now identified 49 modifications of this malware, with 37 of these modifications targeting ATMs made by just one manufacturer. The most recent version was discovered at the beginning of May 2016.

All samples described are detected by Kaspersky Lab as Backdoor.Win32.Skimer. Patched SpiService.exe files are detected as Trojan.Win32.Patched.rb

As this is still an ongoing investigation, we have already shared the full report with different LEAs, CERTs, financial institutions and Kaspersky Lab Threat Intelligence-Service customers. For more information please contact intelreports@kaspersky.com

Appendix I. Indicators of Compromise Hashes

F19B2E94DDFCC7BCEE9C2065EBEAA66C
3c434d7b73be228dfa4fb3f9367910d3
a67d3a0974f0941f1860cb81ebc4c37c
D0431E71EBE8A09F02BB858A0B9B80380
35484d750f13e763eae758a5f243133
e563e3113918a59745e98e2a425b4e81
a7441033925c390ddfc360b545750ff4

Filenames

C:\Windows\Temp\attrib1
C:\Windows\Temp\attrib4
C:\Windows\Temp\mk32
C:\Windows\Temp:attrib1
C:\Windows\Temp:attrib4
C:\Windows\Temp:mk32
C:\Windows\Temp:opt
C:\Windows\System32\netmgr.dll

Track 2 data

******446987512*=********************
******548965875*=********************
******487470138*=********************
******487470139*=********************
******000000000*=********************
******602207482*=********************
******518134828*=********************
******650680551*=********************
******466513969*=********************

The Rio Olympics: Scammers Already Competing

Malware Alerts - Mon, 05/16/2016 - 06:56

A few years ago, spammers and scammers were not as interested in the Olympics as they were in football (the World Cup and European Championships). The first major increase in the number of spam messages devoted to the Olympic Games occurred in the run-up to the Winter Olympics in Sochi in 2014. Since then, their interest in the Olympics has shown no sign of weakening and the upcoming event in Brazil is no exception.

Back in 2015, a year before the Olympics in Rio, we registered fake notifications of lottery wins allegedly organized by the country’s government and the International Olympic Committee. Similar emails continue to be sent in 2016. The vast majority of these messages contain a DOC or PDF attachment, while the body of the message includes only a brief text asking the recipient to open the attachment.

The name of the DOC file, the name of the sender and the subject line of the email often mention the Olympic Games.

The content of these attachments is fairly standard: a lottery was held by an official organization; the recipient’s address was randomly selected from a large number of email addresses, and to claim their winnings the recipient has to respond to the email and provide the necessary personal information.

We also came across emails without attachments; the text written by the scammers was included in the body of the message.

English is undoubtedly the most popular language used in fraudulent emails exploiting the Olympics theme, but we have also registered messages in other languages, for example Portuguese. In these the spammers stuck to the same story of a lottery win, trying to convince the recipient that the email is genuine.

In addition to fraudulent spam, we have registered unsolicited advertising messages containing offers for various goods and services that, one way or another, use the Olympics to grab the attention of recipients.

For example, spammers have been pushing new TVs for watching sporting events.

They also promised to make the recipient an “Olympic champion” with the help of magic pills.

Taking any of these emails seriously enough to reply to them could well leave you out of pocket. But the biggest hit that sporting fans’ wallets are likely to take are from fake ticketing services. We are constantly blocking dozens of newly registered domains with names containing the words “rio”, “rio2016” and so on. Each of these domains hosted good quality imitations of official services offering tickets to sporting events at this summer’s games in Rio de Janeiro.

The scammers register these domains to make their sites look more credible; for the same purpose, they often buy the cheapest and simplest SSL certificates. These certificates are registered within a few minutes, and certification authorities don’t verify the legal existence of the organization that has issued the certificate. The certificates simply provide data transfer over a secure protocol for the domain and, most importantly, gives fraudsters the desired “https” at the beginning of their address.

If you examine the whois data for such domains, you will find that they have only been registered recently, for a short period of time (usually a year) and in the names of individuals. Moreover, the detailed information is often hidden, and the hosting provider could be located anywhere, from Latin America to Russia.

The sites are necessary to implement a simple scam whereby the phishers ask for bank card information, allegedly to pay for tickets, and then use it to steal money from the victim’s bank account. In order to keep the buyer in the dark for some time, the scammers assure them that the payment has been received for the tickets and that they will be sent out two or three weeks before the event.

As a result, the criminals not only steal the victim’s money but deprive them of the chance of attending the Olympics – by the time they realize they won’t be getting the tickets they booked it will be too late to buy genuine tickets… especially if there’s no money in their bank account.

According to our information, the creation of these fake sites usually involves international cybercriminal groups, each fulfilling its own part of the scam. One group creates a website, the second registers the domains, the third collects people’s personal information and sells it, and the fourth withdraws the cash.

To avoid falling victim to the scammers’ tricks, sports fans should be careful and only buy tickets from authorized reseller sites and ignore resources offering tickets at very low prices. The official website of the Olympic Games provides a list of official ticket sellers in your region and a service that allows you to check the legitimacy of sites selling tickets.

Also, we strongly recommend not buying anything in stores advertised in spam mailings or advertising banners, whether it’s tickets or souvenirs related to the Olympics. At best, you’ll end up with non-certified goods of dubious quality, and at worst – you’ll just be wasting your money. For those who cannot resist impulse purchases, we recommend getting a separate bank card that is only used for online payments and which only ever has small sums of money on it. This will help to avoid serious losses if your banking information is stolen.

Spam and phishing in Q1 2016

Malware Alerts - Thu, 05/12/2016 - 06:56

Spam: features of the quarter Trending: dramatic increase in volume of malicious spam

The first quarter of 2016 saw a dramatic increase in the number of unsolicited emails containing malicious attachments. Over the last two years the number of email antivirus detections on computers with a Kaspersky Lab product installed fluctuated between 3 and 6 million. At the end of 2015 this number began to grow and in early 2016 there was a sharp upturn.

Number of email antivirus detections on computers with a Kaspersky Lab product installed

In March, the number of email antivirus detections reached 22,890,956, which is four times more than the average for the same period last year.

With the rise of drive-by-downloads, we could have expected malicious email attachments to have long since given way to malicious sites that the user accesses via a link in an email. However, the use of emails has its advantages (for the attackers): the content of the email may encourage the user not only to download a malicious file but also launch it. It’s also possible that malicious attachments are enjoying a new wave of popularity because in the last couple of years the developers of the most popular browsers have considered adding protection against infected and phishing websites (using in-house developments as well as partnering with well-known anti-virus vendors). This is something that built-in protection at the email client level does not provide yet. Therefore, if a potential victim doesn’t use antivirus software, their computer can be easily infected via email.

What’s inside?

The variety of malicious attachments is impressive. They include classic executable EXE files and office documents (DOC, DOCX, XLS, RTF) with embedded malicious macros, and programs written in Java and Javascript (JS files, JAR, WSF, WRN, and others).

Attachment containing a Trojan downloader written in Java

Also worth noting is the diversity of languages used in malicious spam. In addition to English, we regularly came across emails in Russian, Polish, German, French, Spanish, Portuguese and several other languages.

Attachment containing the Trojan banker Gozi

Most emails imitated notifications of unpaid bills, or business correspondence.

The malicious .doc file in the attachment is a Trojan downloader. It downloads and runs the encryptor Cryakl using macros written in Visual Basic

Attachment containing backdoor-type malware that downloads other malicious programs to the infected machine

Particular attention should be paid to emails containing Trojan downloaders that download the Locky encryptor. The attackers exploited a variety of file types to infect victim computers: at first they used .doc files with malicious macros, then JS scripts. In order to bypass filtering, the attackers made every malicious file within a single mass mailing unique. In addition, the emails had different content and were written in different languages. This doesn’t come as much of a surprise as attacks utilizing this encryptor were registered by KSN in 114 countries around the world.

Examples of emails with the Locky encryptor

The content of the emails was related to financial documents and prompted users to open the attachment.

If the attack was successful, Locky encrypted files with specific extensions (office documents, multimedia content, etc.) on the user’s computer, and displayed a message with a link leading to a site on the Tor network containing the cybercriminals’ demands. This process was analyzed in more detail in our blog.

As Locky is not always contained directly in the message, we cannot estimate its share in the volume of other malicious mail. However, the scripts that download and run Locky (detected by Kaspersky Lab as Trojan-Downloader.MSWord.Agent, Trojan-Downloader.JS.Agent, HEUR: Trojan-Downloader.Script.Generic) accounted for more than 50% of all malicious programs in email traffic.

Spam terrorism

Today terrorism is one of the most widely discussed topics both in the media and when political leaders meet. Frequent terrorist attacks in Europe and Asia have become a major threat to the world community, and the theme of terrorism is widely used by cybercriminals to mislead users.

In order to prevent terrorist attacks, security measures in many countries have been enhanced, and malicious spammers have been quick to take advantage. They tried to convince recipients of mass mailings that a file attached in an email contained information that would help a mobile phone owner detect an explosive device moments before it was about to detonate. The email claimed the technology came from the US Department of Defense, was easy to use and widely available. The attachment, in the form of an executable EXE file, was detected as Trojan-Dropper.Win32.Dapato – a Trojan that is used to steal personal information, organize DDoS attacks, install other malware, etc.

‘Nigerian’ scammers also got in on the act, exploiting the theme of terrorism to try and concoct credible stories. The senders introduced themselves as employees of a non-existent FBI division involved in the investigation of terrorism and financial crime. Their story revolved around the need for the recipient to contact the sender in order to resolve issues that are preventing the payment of a large sum of money. Among the reasons given for the delay in transferring the money the scammers cited a lack of confirmation that the money was legal and rightfully belonged to the recipient, or it was claimed third parties were trying to pocket the recipient’s money.

Nigerian letters also told stories of money – some of which was offered to the recipient – that had been obtained legally and was not related to drugs, terrorism or other crime. This was an attempt to dispel any doubts about their honesty and persuade recipients to reply.

The theme of terrorism came up again in tales related to the current situation in the Middle East. For example, some emails were sent on behalf of US soldiers who were fighting against terrorism in Afghanistan and were looking for an intermediary to save and invest money for them. Yet another author claimed that he had not joined ISIS or any another terrorist organization, but as a Muslim he wanted to donate a large sum of money for good deeds. A mistrust of charities meant the “Muslim” wanted to transfer the money to the recipient of the email. Yet another story was written on behalf of an American businessman who had lost half his business in Syria and Iraq because of the war and terrorism, and was looking for a partner to help him invest the remaining money.

Nigerian letters describing the tense situation in Syria also remained popular and were actively used by scammers to trick users.

We also came across advertising spam from Chinese factories offering all sorts of devices to ensure public security (for example, special devices for detecting explosives) and other anti-terrorist products.

Also trending: significant increase in volume of ‘Nigerian’ spam

It seems so-called Nigerian spammers have also felt the effects of the economic crisis, because they have recently increased their activity. In Q1 2016 we observed a significant increase in the volume of this type of mailing. In the past, the scammers encouraged recipients to respond to an email by telling a long detailed story that often contained links to articles in the mainstream media; now they send out short messages with no details, just a request to get in touch. Sometimes the email may mention a large sum of money that will be discussed in further correspondence, but there is no information about where it came from.

Perhaps the scammers believe that those who are already aware of the classic ‘Nigerian’ tricks will fall for these types of messages; or maybe they think that such short messages will be more suited for busy people who have no time to read long emails from strangers.

Spammer methods and tricks: short URL services and obfuscation

In our spam and phishing report for 2015 we wrote about obfuscation of domains. In Q1 2016, spammers continued this trend and even added some new tricks to their arsenal.

Cybercriminals continued to use short URL services, although the methods for adding “noise” to them have changed.

First of all, spammers began inserting characters – slashes, letters and dots – between the domain of a short URL service and the final link.

Both the link which the user follows and the link to the uploaded image in the email are obfuscated:

In addition to letters and dots, spammers even inserted random comment tags between slashes, and the browser continued to correctly interpret the links:

Note that the subject of the email contains the name Edward; it is also included in the comment tag used to add “noise”. In other words, the name is taken from one database while the “noise” tag is unique for each email in the mass mailing.

Russian-language spam also used obfuscation and short URL services, but the algorithm was different.

For example, to obfuscate links the @ symbol was used. To recap, the @ symbol is intended for user authentication on the site (it is actually no longer used). If the site does not require authentication, everything that precedes the @ symbol will simply be ignored. It means that in the email above, the browser will first open the site ask.ru/go where it will execute the subquery ‘url =’ and then go to the URL specified, which belongs to a short URL service.

The link in this emails was also obfuscated with the @ symbol. Noise was also added by additional subqueries including the user’s email address, which made it unique for each email in the mass mailing.

Statistics Proportion of spam in email traffic

Percentage of spam in global email traffic, Q1 2016

The percentage of spam in overall global email traffic remained stable during the last few months of 2015. However, in January 2016 we registered a considerable increase in the share of unwanted correspondence – over 5.5 p.p. By February, however, the amount of spam in email traffic had dropped to its previous level. In March it grew again, though less dramatically. As a result, the average percentage of spam in Q1 2016 amounted to 56.92%.

Sources of spam by country

Sources of spam by country, Q1 2016

The US (12.43%) maintained its leadership, remaining the biggest source of spam in Q1 2016. Next came Vietnam (10.30%), India (6.19%) and Brazil (5.48%). China rounded off the Top 5, accounting for 5.09% of global spam.

Russia fell from last year’s second place to seventh (4.89%) in Q1 2016. It followed closely behind France (4.90%), which was sixth biggest source of spam.

Spam email size

Spam email size distribution, Q4 2015 and Q1 2016

The most commonly distributed emails were very small – up to 2 KB (79.05%). The proportion of these emails grew by 2.7 p.p. from the previous quarter. The share of emails sized 20-50 KB also increased – from 3.02% to 7.67%. The amount of emails sized 2-5 KB, however, fell significantly compared to Q4 2015 – from 8.91% to 2.5%.

Malicious email attachments

Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications. So we have decided to turn to the more informative statistics of the Top 10 malware families.

Top 10 malware families
  1. Trojan-Downloader.JS.Agent.
  2. A typical representative of this family is an obfuscated Java script. This family malware uses ADODB.Stream technology that allows them to download and run DLL, EXE and PDF files.

  3. Trojan-Downloader.VBS.Agent.
  4. This is a family of VBS scripts. As is the case with the JS.Agent family, ranked first, the representatives of this family use ADODB.Stream technology; however, they mainly download ZIP files, from which they extract and run other malicious software.

  5. Trojan-Downloader.MSWord.Agent.
  6. The representatives of this family are DOC files with an embedded macro written in Visual Basic for Applications (VBA) that runs when the document is opened. The macro downloads other malware from the cybercriminal’s site and launches it on the victim’s computer.

  7. Backdoor.Win32.Androm. Andromeda.
  8. This is a family of universal Andromeda/Gamarue modular bots. The key features of these bots include downloading, storing and launching malicious executable files; downloading and uploading a malicious DLL (without saving it to disk); updating and deleting themselves. The bot functionality is extended with plug-ins that can be loaded at any time.

  9. Trojan.Win32.Bayrob.
  10. The malicious programs of this Trojan family can download from the command server and run additional modules, as well as work as a proxy server. They are used to distribute spam and steal personal data.

  11. Trojan-Downloader.JS.Cryptoload.
  12. A typical representative of this family is an obfuscated Java script. The malicious programs of this family download and run ransomware on the user’s computer.

  13. Trojan-PSW.Win32.Fareit.
  14. This malware family was designed to steal data such as credentials for FTP clients installed on an infected computer, credentials for cloud storage programs, cookie files in browsers, passwords for email accounts. The stolen information is sent to the criminals’ server. Some members of the Trojan Fareit family are capable of downloading and running other malware.

  15. Trojan.Win32.Agent.
  16. The malicious programs of this family destroy, block, modify or copy data or disrupt the operation of computers or computer networks.

  17. Trojan-Downloader.Win32.Upatre.
  18. The Trojans of this family do not exceed 3.5 KB, and their functions are limited to downloading payloads on the infected computer – more often than not these are Trojan bankers known as Dyre/Dyzap/Dyreza. The main aim of this family of Trojan bankers is to steal payment data from users.

  19. Trojan-Spy.HTML.Fraud.
  20. The Trojans of this family consist of a fake HTML page sent via email that imitates an important notification from a major commercial bank, online store, or software developer, etc. The user has to enter their personal data on this page, which is then forwarded to cybercriminals.

Countries targeted by malicious mailshots

There were some significant changes in the ranking of countries targeted most often by mailshots in Q1 2016.

Distribution of email antivirus verdicts by country, Q1 2016

Germany (18.93%) remained on top. China (9.43%), which ended 2015 in 14th place, unexpectedly came second. Brazil (7.35%) rounded off the Top 3.

Italy (6.65%) came fourth in the ranking, followed by the UK (4.81%). Russia was in sixth place with a share of 4.47%.

The US (3.95%), which had been in the Top 5 countries targeted by malicious mailshots for months on end, ended Q1 in eighth.

Phishing

In Q1 2016, the Anti-Phishing system was triggered 34,983,315 times on the computers of Kaspersky Lab users.

Geography of attacks

The country where the largest percentage of users were affected by phishing attacks was once again Brazil (21.5%), with a 3.37 p.p. increase from the previous quarter. The share of those attacked in China (16.7%) and the UK (14.6%) also grew compared to Q4 2015 – by 4.4 p.p. and 3.68 p.p. respectively. Japan (13.8%), which was a leader in the previous year, saw its share fall by 3.18 p.p.

Geography of phishing attacks*, Q1 2016

* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

Top 10 countries by percentage of users attacked:

Brazil 21.5% China 16.7% United Kingdom 14.6% Japan 13.8% India 13.1% Australia 12.9% Bangladesh 12.4% Canada 12.4% Ecuador 12.2% Ireland 12.0% Organizations under attack

The statistics on phishing targets are based on detections of Kaspersky Lab’s anti-phishing component. It is activated every time a user enters a phishing page when information about it is not yet included in Kaspersky Lab databases. It does not matter how the user enters the page – by clicking a link in a phishing email, in a message on a social network or as a result of malware activity. After the security system is activated, the user sees a banner in the browser warning about a potential threat.

Distribution of organizations affected by phishing attacks, by category, Q1 2016

In the first quarter of 2016, the ‘Global Internet portals’ category (28.69%) topped the rating of organizations attacked by phishers; its share increased by 0.39 p.p. from the previous quarter. Second and third were occupied by two financial categories: ‘Banks’ (+4.81 p.p.) and ‘Payment systems’ (-0.33 p.p.). ‘Social networking sites’ (11.84%) and ‘Online games’ (840 p.p.) rounded off the Top 5, having lost 0.33p.p.and 4.06 p.p. respectively.

Online stores

Attacks on online store users are interesting because they are often followed by the theft of bank card details and other personal information.

Distribution of online stores subject to phishing attacks, Q1 2016

Apple Store was the most popular online store with phishers. In the first quarter of 2016 its share in the ‘E-shop’ category accounted for 27.82%. Behind it in second place was another popular online store –Amazon (21.6%).

Example of a phishing page designed to steal Apple ID and bank card data

Steam (13.23%), a popular gaming service that distributes computer games and programs, rounded off the Top 3. It came 19th in the overall ranking of organizations affected by phishing attacks.

Links to phishing pages exploiting the theme of online games and gaming services are distributed via banners, posts on social networking sites, forums and, less frequently, via email.

Cybercriminal interest in Steam and gaming services in general is growing – gamers’ money and personal data are often targeted not only by phishers but also by software developers.

Top 3 organizations attacked<

Fraudsters continue to focus the greatest part of their non-spear phishing attacks on the most popular companies. These companies have lots of customers around the world which enhances the chances of a successful phishing attack.

The Top 3 organizations attacked most often by phishers accounted for 21.71% of all phishing links detected in Q1 2016.

Organization % of detected phishing links 1 Yahoo! 8.51 2 Microsoft 7.49 3 Facebook 5.71

In Q1 2016, the leading three organizations targeted by phishers saw a few changes. Yahoo! remained top (+1.45 p.p.). Microsoft (+2.47 p.p.) came second, followed by Facebook (-2.02 p.p.).

Interestingly, phishing on Facebook is delivered in almost all languages.

Facebook is also popular with cybercriminals as a means of spreading malicious content. We wrote about one such scheme in a recent blog.

Conclusion

In the first quarter of 2016 the percentage of spam in email traffic increased by 2.7 percentage points compared with the previous quarter. But it is too early to speak about a growth trend. The proportion of spam grows significantly at the beginning of every year because the amount of normal email decreases over the holiday period.

The US remained the biggest source of spam in Q1 2016. The Top 5 also included Vietnam, India, Brazil and China – all large, fast developing countries with high levels of internet connection.

Spam messages are becoming shorter. In the first quarter, the proportion of emails up to 2 KB exceeded 80% of all spam.

Q1 of 2016 saw the amount of spam containing malicious attachments increase dramatically. The share of malicious attachments in mail reached a peak in March – four times greater than last year’s average. This rapid growth was caused, specifically by the popularity of crypto-ransomware which was either contained in emails or downloaded to computers via a Trojan downloader.

This growth confirms our long-term forecasts on the gradual criminalization of spam that makes it even more dangerous, as well as reducing the overall share of email traffic. The diversity of languages, social engineering, lots of different types of attachments, text changing within a single mass mailing – all this takes spam to a new level of danger. Moreover, these malicious mass mailings have broad geographical coverage. The picture of malware distribution by email has changed significantly this year. In particular, China came an unexpected second in the ranking of countries targeted by malicious mailshots.

Another factor confirming the trend of increasingly criminalized spam is the growth of fraudulent, namely ‘Nigerian’, spam in the first quarter of 2016.

It is unlikely that the amount of malicious spam will continue to grow so rapidly: the more cybercriminals distribute malicious spam, the more people get to know of its dangers and the more careful they become about opening suspicious attachments. Therefore, such attacks will gradually fade away after a few months. However, there is the risk they may be replaced by other, even more complex attacks.

Two-Step Verification

SANS Tip of the Day - Thu, 05/12/2016 - 01:00
Two-step verification is one of the best steps you can take to secure any account. Two-step verification is when you require both a password and code sent to or generated by your mobile device. Examples of services that support two-step verification include Gmail, Dropbox and Twitter.