Malware RSS Feed
The biggest security news of the week is the leaked photos of many celebrities. Many people, especially the involved celebrities, wondered how such a hack could take place.
The initial statement by the attacker was that the iCloud was hacked. This prompted Apple into their we-do-not-really-comment-until-we-have-done-our-research mode. Today, they released a statement on the incident:
For me the most interesting quote is: “accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.”
Apple is thus well aware of the problems that arise with these forms of authentication. The more interesting is their advice: strong passwords and two-step-verification.
Strong passwords are, according to Apple, passwords with a minimum of 8 characters, with some additional requirements. Interesting enough they do not enforce of all their suggestions. A password such as “Password1″ is acceptable, even though it can be easily guessed.
Their other advice, using two-factor-authentication is somewhat flawed. For instance, it does not protect your iCloud backups (see this post). Also, two-step-verification is not available in every country. If you use, for example, a Romanian or a Croatian telephone number, then bad luck. Considering that Google offers two factor authentication for such countries as well, one might wonder why Apple didn’t implement it as well. Could it be the cost of the SMSes?
So how to protect yourself properly? My colleague Alex Savitsky wrote an excellent article about this.
- Use strong and unique passwords that are easy to remember and hard to crack (for instance, a phrase in your native language with “spaces” in it, a number and a special char)
- If available in your country, enable two-factor authentication
- iPhone users may want to disable iCloud photo Stream / photo Sharing. Additionally iPhone users may want to delete the backup of their photos / iPhone in the iCloud.
Photo courtesy of my colleague Dmitry Bestuzhev – https://twitter.com/dimitribest/status/506820178320322560
And remember – if you don’t want your private photos to get leaked, better not take them in the first place!
We spotted an interesting attack from Brazilian bad guys aiming to change the DNS settings of home routers by using a web-based attack, some social engineering, and malicious websites. In these attacks the malicious DNS servers configured in the user's network device are pointed towards phishing pages of Brazilian Banks, programmed to steal financial credentials.
Attacks targeting home routers aren't new at all; in 2011, my colleague Marta described malware targeting network devices like these. In Brazil we documented a long and painful series of remote attacks that started in 2011-2012 that affected more than 4.5 million DSL modems, exploiting a remote vulnerability and changing DNS configurations. But this "web-based" approach was something new to Brazilian bad guys until now and we believe it will spread quickly amongst them as the number of victims increases.
The attack starts with a malicious e-mail and a bit of social engineering, inviting you to click:
"I'm your friend and want to tell you you're being cheated, look at the pics"
How many people believe in it? Well, many: 3.300 clicks in 3 days, with most of the users located in Brazil, US and China, probably Brazilians living there or people that understand Portuguese:
Shortened URLs are a cheap way for the bad guy measure their 'performance'
The website linked in the message is full of adult content, porn pics. While in the background it starts running scripts. Depending on your configuration, at some point the website may ask for the username and password of your wireless access point – if it has, this is a good thing. If not, this may be a problem for you:
The script located in the website will try to guess the password of your home router. It tries several combinations such as "admin:admin":
or "admin:gvt12345" (GVT is a big Brazilian ISP):
The scripts will continue trying combinations that point to the control panel of your network device such as [your-router-IP].rebootinfo.cgi or [your-router-IP].dnscfg.cgi?. Each script includes the commands to change the primary and secondary DNS servers. If you're using default credentials in your home router, there won't be an interaction and you'll never realize that the attack has occurred. If you're not using default credentials, then the website will pop up a prompt asking you to enter it manually.
We found Brazilian bad guys actively using 5 domains and 9 DNS servers – all of them hosting phishing pages for the biggest Brazilian Banks. The malicious websites used in the attacks are filtering direct access by using HTTP referrers, thus aiming to prevent direct access from security analysts.
So how do you protect yourself? Make sure you're not using the default password in your home router and NEVER enter your credentials into any website asking for them. Our Kaspersky Internet Security is also prepared to block such scripts automatically.
Anyone using the Internet is at risk, regardless of age and regardless of what they like to do online. Cybercriminals can deploy an impressive arsenal, targeting everyone from schoolchildren to pensioners and following them whether they are logged on to social networks, checking the latest headlines or watching their favorite videos. Internet scammers want access to our money, our personal data and the resources of our computer systems. In short, they want anything that they can profit from.
There are a huge range of different attacks facing us on the net: users can get caught by ransomware like Gimeno or Foreign, become part of the Andromeda botnet, see ZeuS/Zbot drain the cash from their bank accounts, or have their passwords compromised by Fareit spyware. Usually web attacks try to download and install an infected executable file on the target computer, but there are some exceptions, for instance XSS or CSRF, which execute embedded HTML code.Attack mechanism
For an attack to succeed, first of all users need to connect to a malicious site that downloads an executable file onto their computers. To tempt users to the resource, scammers might send them a link by email, SMS or via a social network. They might also try to promote their site via search engines. One further technique is to hack a popular legitimate resource and turn it into an instrument to attack its visitors.
Downloading and installing malware can be done in one of two ways. The first, a hidden drive-by download, relies on using a vulnerability in the user's software. The user of the infected site is often completely unaware that the computer is installing the malware, as usually there are no indications that this is happening.
The second method uses social engineering, where users are tricked into downloading and installing malware themselves, believing it is an updated flash player or some similar popular software.
Diagram of Internet attacks showing how executable malware files can be downloadedMalicious links and banners
The simplest way to lure victims to malicious sites is simply to display an attractive banner with a link. As a rule sites with illegal content, pornography, unlicensed software, films etc. are used as a host. Such sites can work "honestly" for a long time to build up an audience before they start hosting banners with links to malicious resources.
One popular infection method is malvertising, or the redirecting the user to a malicious site with the help of hidden banners. Dubious banner networks attract site administrators with high payments for 'click-throughs' on their ads and frequently earn money "on-the-side" by spreading malware.
When users enter the site displaying these banners, a so-called "pop-under" opens in the victim's browser. This is similar to a pop-up window, but it appears either under the main window of the site, or on an otherwise inactive neighboring tab. The contents of these "pop-unders" often depend on the location of the visitor to the site - the inhabitants of different countries are redirected to different resources. The visitors of one country might simply be shown an advert for example
Site sends American visitors to the resource watchmygfnet
Site sends Russian visitors to the resource runetkitv\
…whereas visitors from other countries will be attacked by exploit packs.
An inhabitant of Japan is attacked by an exploit and infected with the Zbot spyware Trojan
On occasion these malicious banners can even penetrate into honest banner networks, despite careful scrutiny by administrators. Cases like this have affected the Yahoo Advertising banner network and even YouTube.Spam
Spam is one of the most popular means of attracting victims to malicious resources. It includes messages sent by email, SMS and instant communications systems, via social networks, private messages on forums and comments in blogs.
A dangerous message might contain a malicious file or a link to an infected site. To encourage the user to click on a link or a file social engineering is used, for example:
- the name of a real organization or person is used as the sender's name,
- the letter pretends to be part of a legitimate mailshot or even a personal communication,
- the file is presented as a useful program or document.
During targeted attacks, when cybercriminals specifically attack a certain organization, the malicious letter might mimic a letter from a regular correspondent: the return address, content and signature could be the same as a genuine letter, for example from a partner of the company. By opening the attached document with a name like "invoice.docx" users put their computers at risk of infection.Black Search Engine Optimization
SEO or Search Engine Optimization is a collection of techniques to raise the position of a site in the results given by search engines. Modern users often go to search engines to find necessary information or services, so the easier it is to find a given site the more visitors it will get.
In addition to legitimate methods of optimization, those that are permissible in the eyes of the search engines, there are forbidden techniques that fool search engines. A site might "promote itself" with the help of a botnet - thousands of bots make certain search requests and select the malicious site, raising its rating. The site itself may adopt a different appearance depending on who has entered it: if it is a search robot it will be shown a page relevant to the request, if it is a normal user it will be redirected to a malicious site.
Also links to the site are distributed in forums and other sites known to search engines using special utilities, which raise the rating of the site and, consequently, its position in search results.
As a rule, sites that use black search optimization are actively blocked by search engine administrators. For this reason they are created by the hundred using automatic instruments.Infected legitimate sites
Sometimes cybercriminals infect popular legitimate sites in order to spread their programs. These might be high-traffic news resources, internet shops or portals and news aggregators.
There are two common ways to infect sites. If a software vulnerability was detected on the target site, malicious code can be inserted (for instance an SQL injection). In other cases the malefactors obtain authentication data from the site administrator's computer using one of the many Trojan spyware programs or using phishing and social engineering and seize control of the site. Once under the control of the criminals, the site can be infected in one way or another. The simplest approach is to use a hidden iframe tag with a link to the malicious resource added to the HTML code of the page.
Kaspersky Lab registers thousands of legitimate sites every day that download malicious code to their visitors with them being aware of it. Among the most prominent cases were the Lurk Trojan found on the site of the RIA Novosti news agency and gazeta.ru and the infection of PHP.Net
Visitors to an infected site are attacked with the use of hidden drive-by-downloads. The infection goes unnoticed by the users and does not require them to download or activate anything. An exploit, or set of exploits, is automatically downloaded from the page and, if the targeted machine has vulnerable software, a malicious executable is launched.Exploit packs
The most effective tool to infect a victim's computer is an exploit pack, such as Blackhole. These are hot products on the black market: exploit packs are developed to order or for widespread sale and are supported and updated. The price depends on the quantity and "freshness" of the exploits included, the ease of administration, the quality of the support, the regularity of updates and the greed of the seller.
As these attacks take place through the browser, the exploits have to use a vulnerability in either the browser itself, add-ons to it or third party software loaded by the browser to handle content. If one of these exploits is used successfully, a malicious file will be launched on the victim's machine.
Typical set of add-ons for the Internet Explorer browser that have permission to run by default. Add-ons the vulnerabilities in which are often used to attack a system are underlined in red.
An effective pack will contain exploits for useful vulnerabilities in popular browsers and their add-ons, and also for Adobe Flash Player and other popular programs. Often exploit packs have tools for fine tuning and collecting infection statistics.
Styx exploit pack control panelDirect download by users
Quite often cybercriminals don't need ingenious and expensive tools to insert their malicious programs onto users' computers. Users can simply be fooled into downloading and running malware themselves.
For instance, on entering a malicious site a user sees a preview video "for adults only". Clicking on this brings up a message to update Adobe Flash Player, and at the same time the site immediately offers him a file to download with an authentic sounding name. By installing the "update" the user infects the computer with a Trojan.
Message appearing when trying to view an "adult" video on a malicious site
Or a web-page might appear imitating the "My Computer" window, saying that a large number of viruses have been detected on the computer. And nearby a window opens offering a free "antivirus" program to cure the problems.
An apparent offer to install a free antivirus program hiding a TrojanInfection via social networks
Instructions for the installation of a semi-automatic Facebook worm
After these actions are carried out the worm activates and begins collecting data on the user, sending links to itself to the victim's contacts, awarding "likes" to various posts. This last option is a paid service that the owner of the worm offers to customers. And so we come to the reason why cybercriminals go to all this trouble and break the law.Money, money, money
Naturally nobody is attacking our computers for the intellectual challenge — the aim is money. One very popular way of illegally making money from victims is the use of Trojan ransom-ware, making it impossible to use the computer until a certain sum has been paid.
Having penetrated the user's computer the Trojan determines the country where the infected computer is and shows the victim the corresponding disable screen, containing threats and instructions on how to pay the ransom. The language of the message and the payment method suggested by the cybercriminals both depend on the user's country.
Usually the evildoers accuse the user of looking at child pornography or some other illegal action and then threaten a criminal investigation or to make the matter public. The assumption is that the victim will take these threats seriously and won't risk seeking help from law enforcement agencies. In some cases the Trojan ransom-ware may threaten to destroy the contents of the hard disk if the ransom is not paid quickly.
The disable screen that Trojan-Ransom.Win32.Foreign shows users in the USA
The cybercriminals offer the option of paying this "fine" by sending an SMS to a premium number or making a money transfer using one of the payment systems. In return the user should receive an unblocking key to deactivate the Trojan, but in practice this doesn't always happen.
Maintaining a communication channel with the victim can lead law enforcement agencies to the criminals and they frequently prefer not to take the risk, leaving the victim with a practically useless computer.
Another common method of illegal moneymaking is the collection and sale of users' confidential data. Contact details and personal data are tradable commodities that can be sold on the black market, albeit not for a great deal of money. However, it can be a profitable sideline, especially as the collection of information does not necessarily require any malware infection. Often the victims themselves supply all the necessary information — the important thing is for the site hosting the form for the entry of data to appear reliable and authentic.
A false site collecting contact details and personal information of visitors and then signing them up for paid mobile services
Banking Trojans bring their operators large profits. These programs are designed to steal money from users' bank accounts using distance banking systems. Malware of this type steals users' authentication data for online banking systems. Usually this is not enough as almost all banks and payment systems require authentication using several factors - entering an SMS code, inserting a USB key etc. In these cases the Trojan waits until the user makes a payment using internet banking and then changes the payment details, diverting the money to special accounts from which the criminal can cash out. There are other ways around two factor authentication: the Trojan might intercept messages with single use passwords or freeze the system at the moment the USB key is inserted, leaving the user powerless while the criminals hijack the operation and steal the money.
Finally, another profitable business is running botnets. The infected computers in a botnet can, unnoticed, be used by the evildoers for various money-making activities: mining bitcoins, sending spam, carrying out DDOS attacks, and boosting sites' ratings through search requests.Counteracting threats
As we have already shown, internet threats are diverse and can threaten users almost anywhere — when reading their mail, interacting on social networks, checking the news or simply surfing. There are also many ways to protect against these threats, but they can be summarized in four keys pieces of advice:
- Always pay attention to what you are doing on the Internet: which sites you visit, which files you download and what you run on your computer.
- Do not trust messages from unknown users and organizations, do not click on links and do not open attachments.
- Regularly update frequently-used software, especially software that works with your browser
- Install up-to-date defenses and keep anti-virus databases current.
It all sounds very simple, but the growing number of infections clearly demonstrates that too many users fail to take their safety seriously and neglect to follow this advice. We hope that our overview of current internet threats will help improve the situation.
There is currently a lot of buzz about the Backoff point-of-sale Trojan that is designed to steal credit card information from computers that have POS terminals attached.
Although very thorough, the existing public analyses of Backoff are missing a very relevant piece of information: the command-and-control (C&C) servers. However, if you have access to the samples it isn't hard to extract this information. At the end of this document, you can find a full list together with other IOCs (indicators of compromise).
Backoff malware configuration, with C&Cs
We sinkholed two C&C servers that Backoff samples used to communicate with their masters. These C&C servers are used by certain samples that were compiled from January - March 2014. Over the past few days, we observed over 100 victims in several countries connecting to the sinkhole.Statistics:
There were several interesting victims among them:
- A global freight shipping and transport logistics company with headquarters in North America.
- A U.K.-based charitable organization that provides support, advice and information to local voluntary organizations and community groups.
- A payroll association in North America.
- A state institute connected with information technology and communication in Eastern Europe.
- A liquor store chain in the U.S.
- An ISP in Alabama, U.S.
- A U.S.-based Mexican food chain.
- A company that owns and manages office buildings in California, U.S.
- A Canadian company that owns and operates a massive chain of restaurants.
There are also a lot of home user lines, mostly in the U.S. and Canada, connecting to the sinkhole. This is to be expected as many smaller businesses generally tend to run those rather than dedicated corporate connections.Conclusions
The success of Backoff paints a very bleak picture of the state of point-of-sale security. Our sinkhole covers less than 5% of the C&C channels and the sinkholed domains only apply to certain Backoff samples that were created in the first quarter of this year. Yet, we've seen more than 85 victims connecting to our sinkhole.
Most of these victims are located in North America and some of them are high profile. Taking into account the U.S. Secret Service statement, it's a pretty safe bet that the number of Backoff infections at businesses in North America is well north of 1,000.
Since its appearance last year, Backoff has not changed dramatically. The author created both non-obfuscated and obfuscated samples. This was likely done to defeat the security controls on the targeted networks. However, the defenses running on a PoS terminal and/or network should not have been affected by this. This speaks volumes about the current state of PoS security, and other cybercriminals are sure to have taken note.
It's very clear that PoS networks are prime targets for malware attacks. This is especially true in the US, which still doesn't support EMV chip-enabled cards. Unlike magnetic strips, EMV chips on credit cards can't be easily cloned, making them more resilient. Unfortunately, the US is adopting chip and signature, rather than chip and PIN. This effectively negates some of the added security EMV can bring.
This may prove another costly mistake. Not adopting EMV along with the rest of the world is really haunting retail in the U.S. and the situation is not likely to change anytime soon.IOCs / C&Cs: Trojan file paths:
Festive spam in July was largely dedicated to the holy month of Ramadan. Unwanted correspondence also included offers to send promotional messages to users' phones and email boxes. We also came across fraudulent emails asking for help with investments. There were offers of beauty products and services too.Ramadan
In July, spammers continued to exploit the holy month of Ramadan by offering mass mailing services. The emails were written in English. The subject and the text of the emails attracted readers with special offers and discounts in honor of the main Muslim holiday. Mass mailings advertising SMS distribution to residents of the United Arab Emirates were sent from free email services and designed in the same style. The emails used different text fonts and provided different contact details: for example, the phone numbers in the body of the message and in the subject of the email were different. Some emails indicated the site of a company engaged in SMS-marketing.
"Nigerian" scammers did not bother to invent anything new either and tried to attract users' attention by wishing them a Happy Ramadan both in the subject of the email and in the body of the message. Fraudulent emails that offered impressive rewards for help in investing money in a business project were circulated in both English and Arabic.
Current spam flows often include emails in different languages. In particular there has been an increase in the number of messages in Semitic languages, including Arabic, over the year. At the same time the scammers use English in the subject of the emails rather than Arabic. This is probably because English is more widespread and they hope an English subject will attract more readers.
One of the emails was written allegedly on behalf of a Muslim mother. It mentioned the complicated political situation in Syria and explained that this made it impossible to safely invest money at home. In this case, the content of the message suggests the author must know Arabic so a text in this language can be used to make it look more credible.
Among July's major mailings there was a notable campaign offering a variety of skin care products for women as well as promotions for beauty clinics. Spam mailings were used to sell different cleansers, anti-wrinkle creams, "elixirs of youth" and other cosmetic products. The scammers offered product samples to convince the user of their merits and promised to return the money if the results were unsatisfactory. The fraudsters tried to encourage potential customers by promising quick and free shipping to any country.
Beauty clinics were actively offering laser hair removal procedures at considerable discounts or even free of charge to supposed lottery winners. The sales pitch, complete with pictures, focused on the pressing need for this procedure before relaxing on the beach. Sometimes these emails were "noised" with texts that had nothing to do with the advertised goods and services. In some cases, this "noise" took up half the message (see the example below). The senders' names in these emails were a randomly generated combination of letters and numbers. The names of advertised centers and clinics were also mentioned in the body of the message to make it easier to find them via the search engine. However the links in the emails led to spammer parked sites registered on newly created domains. Sometimes they offered similar goods or services; sometimes they promoted completely different ones.
The heat of the summer has warmed up the market for products that help us to cool down: spam traffic actively promoted sun-protected foil for windows, fans and air conditioners, including repair and maintenance services. We often came across emails advertising water coolers and bottled water. Water was offered with special summer discounts and free delivery to homes and offices, while an extra bonus promised a free basket of fruit with every order in July or August. Making an order is as simple as calling the number in the advert.
Sunglasses were among the most popular summer offers. Knock-offs of designer sunglasses were offered at huge discounts compared to the original. Such emails often contained the designer logos and included icons of different social networks where the company is officially represented. However, these icons were merely decorative and offered no link to these sites. They were simply intended to make the email seem more realistic. Once users clicked on the link in the email, they were redirected to a newly created online sunglasses store. The names of the sites often included the words 'glasses' or 'sunglasses'. Sometimes you could even visually identify the distorted name of the glasses brand in the random set of letters and numbers which comprised the address of the site.Statistics The percentage of spam in email traffic
The percentage of spam in email traffic averaged 67%, which is 2.2 percentage points up from June. The highest spam levels were seen during the second week of the month (67.6%), and the lowest levels were seen in the first week (66%).
Percentage of spam in email trafficThe geographical distribution of spam sources
In July, the list of the most popular sources of spam around the world looked like this:
Sources of spam around the world
The USA took first place (15.3%) after its percentage increased 2.2 percentage points from the previous month. Next, Russia came in second place with 5.6%; the amount of spam originating in that country was down 1.4 percentage points. China was in third place with 5.3% having produced 0.3 pp less spam than in June.
Argentina was in 4th position with 4.2% of all distributed spam; its contribution remained practically unchanged but the country still climbed one place in the rankings. It is followed by Ukraine (4.1%) with a 0.9 pp rise compared to June.
In July, we saw the 1.8 pp reduction in the amount of spam from Vietnam (3.5%) which pushed this country from 4th to 8th place.
France rounded up the Top 10 with 2.63% of all distributed spam having pushed India (2.59%) to 11th position.Malicious attachments in email
The graphic below shows the Top 10 malicious programs spread by email in July.
The Top 10 malicious programs spread by email
This time the rating was topped by Trojan.Win32.Yakes.fize, the Trojan downloader Dofoil. This program downloads a malicious file on the victim computer, runs it, steals the user's personal information (especially passwords) and forwards it to the fraudsters.
The notorious Trojan-Spy.HTML.Fraud.gen dropped out of top spot for the first time in many months. Readers may remember that this is the threat that appears as an HTML phishing website and sends emails disguised as important notifications from banks, online stores, and other services.
Next came Trojan.JS.Redirector.adf which is the HTML page containing code to redirect users to a scammer site offering downloads of Binbot, the service for automatic sales of binary options which are currently very popular in the Internet. This malicious program is distributed via email attachments.
It is followed by Backdoor.Win32.Androm.enji. This malicious program is a modification of Andromeda – Gamarue, a universal modular bot which is a basis for building a botnet with a variety of features. The functionality of the bot can be expanded using a system of plugins that are loaded by the criminals as required.
Fifth position is occupied by Trojan-Banker.Win32.ChePro.ink. This downloader appears in the form of a CPL applet (a component of the control panel) and, as is typical for this type of malware, it downloads Trojans developed to steal bank information and passwords. These banking Trojans mainly target online customers of Brazilian and Portuguese banks.
Trojan-Ransom.Win32.Cryptodef.ny ended 8th in July. This malicious program encrypts files on computers, blocks the screen and asks the user to pay to restore the files.
Rounding off the Top 10 was Trojan.Win32.Bublik.cran. The main functionality of the Bublik malware family is the unauthorized download and installation of new versions of malware onto victim computers.
Distribution of email antivirus detections by country
July's Top 3 remained unchanged from June. Germany accounted for 11.7% of all antivirus detections and topped the rating (+4.71 percentage points). The USA was second with 9.82% (+0.28 pp). The UK was third with 6.9% (+0.10 percentage points).
India (5.16%) overtook Brazil (3.94%) and came fourth having increased its share by 0.54 percentage points. Italy moved up two steps to 5th in the rating (+1.2 pp).
Russia increased its contribution by 1.37 percentage points averaging 3.40% of all antivirus detections and climbing from 13th to 8th position.
The UAE saw a noticeable drop in antivirus detections – a 1.09 pp fall saw it lose six places on the ranking.
The July Top 20's newcomer was Poland which occupied 19th place with 1.42% of all antivirus detections.
The percentage of email antivirus detections in other countries did not change significantly in June.Special features of malicious spam
In July, we saw an increase in the number of fake Portuguese language notifications = sent on behalf of the popular smartphone messenger WhatsApp.
In another case, the fake message notified the recipient that after months of hard work WhatsApp for PC could now enable users to chat with friends in real time via their computer. To add to the intrigue the message claimed that 11 people had already sent friend request to the recipient. To find out who these 11 people were, the user had to download the latest version of the Messenger for PC by clicking on the link in the email. Noticeably, we have been registering different versions of this message since the beginning of 2014.
As in the previous cases, instead of the desired program the user received a ZIP-archive which contained the dropper Trojan-Dropper.Win32.Dapato.egel. Its task is to connect to a remote Brazilian host then download and run a Trojan banker designed to steal the user's financial data. The dropper also copies itself to C:\Documents and Settings\Administrator\Local Settings\Application Data\ under the name of BaRbEcuE.exe. There it creates a file called windataup.inf, in which it indicates its presence and states the current date. Finally it writes itself into the AutoRun, ensuring it is launched automatically.Phishing
In July 2014, Kaspersky Lab's anti-phishing component registered 20,157,877 detections.
Phishers attacked users in Brazil most often: at least once during the month the Anti-Phishing component of the system was activated on computers of 18.17% of Brazilian users. This surge in activity is probably related to the football World Cup that took place in the country in June and July.
The geography of phishing attacks*, June 2014
* The percentage of users on whose computers the Anti-Phishing component was activated, from the total number of all Kaspersky Lab users
Top 10 countries by the percentage of attacked users:Country % of users 1 Brazil 18.17 2 India 12.99 3 Australia 11.10 4 France 10.73 5 Kazakhstan 10.62 6 UK 10.15 7 UAE 10.14 8 Dominican Republic 10.11 9 Canada 9.61 10 Ukraine 9.53 Targets of attacks by organization
The statistics on phishing targets is based on detections of Kaspersky Lab's anti-phishing component. It is activated every time a user enters a phishing page while information about it is not included in Kaspersky Lab databases. It does not matter how the user enters this page – by clicking the link contained in a phishing email or in the message in a social network or, for example, as a result of malware activity. After the activation of the security system, the user sees a banner in the browser warning about a potential threat.
In our previous reports we referred to the Top 100 organizations when analyzing the most attractive targets for phishing attacks. In July, we analyzed the statistics for all organizations that were attacked.
In July, the Global Internet portals category continued to top the rating of organizations most often attacked by phishers (29.49%) although its share decreased by 2.67 pp. Social networks came second with 14.61%, a 3.2 pp decline from the previous month.
Organizations most frequently targeted by phishers, by category – July 2014
Below is a similar chart for the previous month:
Organizations most frequently targeted by phishers, by category – June 2014
Financial phishing accounted for 41.85% of all attacks, a 7.86 pp growth compared with the previous month. The percentage of detections affecting Banks, Online stores and E-payment systems was up 2.25, 2.64 and 2.29 pp respectively. The most significant spike affected PayPal (3.24%) up 2.27 pp in July.
We came across an interesting example of PayPal phishing at the end of the month. The fraudulent email informed the recipient about an incoming payment from a Craiglist user (most likely, it is the incorrect spelling of Craigslist, the site of e-ads) but the money could not be transferred because of an error with a PayPal account.
The email arrived from the address which does not belong to PayPal. In addition, it is impersonal which is a typical feature of a phishing email
To solve the problem, the user was asked to immediately download the attached form, open it and fill it in.
The form was created using the design elements of the PayPal site
The attackers are phishing for the user's email address and a password for it, his full name and date of birth, his mother's maiden name, his address, his credit card number, its expiry date and CVV as well as any passwords for Verified by Visa or MasterCard SecureCode. This detailed personal information would make it easy for fraudsters to rob the user of all electronic savings.
If you look at the HTML code of the page, you can see that all the data entered in the form will be sent to a page that has nothing to do with PayPal.Top 3 most organizations most frequently targeted by phishers Organization % detections 1 Google Inc 11.64% 2 Facebook 9.64% 3 Windows Live 6.28%
In July, Google services were most heavily targeted by phishing links: their share made up 11.64% of all Anti-Phishing component detections.
The number of fraudulent links to Windows Live, the global portal of the Microsoft services (including Outlook), grew significantly in July. The attractiveness of this resource for fraudsters is easily explained because of the popularity of the MS services and especially with the fact that they are accessed from a single account. Phishing pages are usually designed as an entry page to Outlook (currently there is also a fake login page to live.com).
An example of the phishing page imitating the Outlook entry page
Interestingly, many recent phishing pages still use the old Hotmail design despite the fact that Outlook replaced it as far back as the beginning of 2012. However, it does not seem to worry users very much: they still jump at the bait of such phishing pages.
An example of phishing on live.com using the outdated Hotmail designConclusion
The proportion of spam in global email traffic in July increased 2.2 percentage points and averaged 67%.
Spam emails advertising services that would send messages to users' phones and emails tried to capitalize on the Ramadan festivities while new customers were lured with holiday discounts and favorable offers. "Nigerian" scammers spread emails in English and Arabic asking for assistance in investing money. There were also offers of beauty products and services.
In July, the list of the most popular sources of spam around the world was topped by the US (15.3%), Russia (%5.6%) and China (5.3%).
In July 2014, Kaspersky Lab's anti-phishing component registered 20,157,877 detections. Phishers attacked users in Brazil most often: 18.2% Brazilian computers flagged at least one phishing alert during the month. The Global Internet portals category continued to top the rating of organizations most often attacked by phishers (29.5%). Financial phishing accounted for 41.85% of all attacks, a 7.86 pp growth compared with the previous month.
The rating of the most popular malicious attachments distributed via email was topped by Trojan.Win32.Yakes.fize. Germany remains the country with the highest number of antivirus detections (11.7%).
A significant number of malicious attachments imitated fake notifications in Portuguese allegedly sent on behalf of the popular smartphone messenger WhatsApp. These attachments targeted the financial data of users in Brazil and Portugal.