Tuesday, September 19, 2017


Threat intelligence report for the telecommunications industry

Introduction

The telecommunications industry keeps the world connected.

Telecoms providers build, operate and manage the complex network infrastructures used for voice and data transmission – and they communicate and store vast amounts of sensitive data.

This makes them a top target for cyber-attack. According to PwC’s Global State of Information Security, 2016, IT security incidents in the telecoms sector increased 45% in 2015 compared to the year before.

Telecoms providers need to arm themselves against this growing risk. In this intelligence report, we cover the main IT security threats facing the telecommunications industry and illustrate these with recent examples. Our insight draws on a range of sources.

These include:

- The latest telecoms security research by Kaspersky Lab experts.
- Kaspersky Lab monitoring systems, such as the cloud antivirus platform Kaspersky Security Network (KSN), our botnet tracking system and multiple other internal systems, including those used to detect and track sophisticated targeted (advanced persistent threat, APT) attacks and the corresponding malware.
- Underground forums and communities.
- Centralized, specialized security monitoring systems (such as Shodan).
- Threat bulletins and attack reports.
- Newsfeed aggregation and analysis tools.

Threat intelligence is now a vital weapon in the fight against cyber-attack. We hope this report will help telecoms providers to better understand the cyber-risk landscape so that they can develop their security strategies accordingly. We can provide more detailed sector- and company-specific intelligence on these and other threats.

For more information on our Threat Intelligence Reporting services please email intelligence@kaspersky.com.

Executive summary

Telecommunications providers are under fire from two sides: they face direct attacks from cybercriminals intent on breaching their organization and network operations, and indirect attacks from those in pursuit of their subscribers.

The top threats currently targeting each of these frontlines feature many classic attack vectors, but with a new twist in terms of complexity or scale that places new demands on telecoms companies. These threats include:

Distributed Denial of Service (DDoS) attacks

DDoS attacks continue to increase in power and scale and, according to the 2016 Data Breach Investigations Report, the telecommunications sector is hit harder than any other. Kaspersky Lab’s research reveals that in Q2 2016 the longest DDoS attack lasted for 291 hours (12.1 days), significantly longer than the previous quarter’s maximum (8.2 days), with vulnerable IoT devices increasingly used in botnets.

Direct DDoS attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are hit.

They can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or a large-scale ransomware attack.

The exploitation of vulnerabilities in network and consumer devices

Our intelligence shows that vulnerabilities in network devices, consumer or business femtocells, USBs and routers, as well as root exploits for Android phones, all provide new channels for attack, involving malware and technologies that individuals, organisations and even basic antivirus solutions cannot always easily remove.

Compromising subscribers with social engineering, phishing or malware

These classic techniques remain popular and can easily be mastered by entry-level cybercriminals, although 2016 sees changes in how more sophisticated attackers conduct their campaigns.

Growing numbers of cyber-attackers now combine data sets from different sources, including open sources, to build up detailed pictures of potential targets for blackmail and social engineering purposes.

Insider threat is growing

Detailed profiles of targets are also used to recruit insiders to help perpetrate cybercrime.
Some insiders help voluntarily, others are coerced through blackmail.
Insiders from cellular service providers are recruited mainly to provide access to data, while staff working for Internet service providers are chosen to support network mapping and man-in-the-middle attacks.

Other threats facing telecommunications companies include targeted attacks; poorly configured access controls, particularly where interfaces are publicly available to any Internet user; inadequate security for 2G/3G communications; and the risk of telecoms providers being drawn into unrelated attacks that exploit telecoms resources, and suffering collateral damage as a result.

Typical threats targeting telecoms

Overview

We can divide the main threats facing the telecommunications industry into two interrelated categories:

Threats targeting telecommunication companies directly.

These include DDoS attacks, targeted attacks (APT campaigns), network device vulnerabilities and human-related threats like insider access, social engineering and the risk of allowing third parties to access information.

Threats targeting subscribers of telecoms services, particularly the customers of cellular service providers (CSPs) and Internet service providers (ISPs).

These include malware for mobile devices, subscriber data harvesting, end-user device vulnerabilities, and more.

Threats directed at telecoms companies

DDoS

DDoS (distributed denial of service) attacks remain a serious threat to telecoms providers around the world as attackers discover ever more ways of boosting the power and scale of attacks. Kaspersky Lab’s DDoS intelligence report for Q2 2016 notes that websites in 70 countries were targeted with attacks.

By far the most affected country was China, with South Korea and the US also among the leaders. 70.2% of all detected attacks were launched from Linux botnets, with cybercriminals paying close attention to financial institutions working with cryptocurrency.

Another trend observed in Q2 was the use of vulnerable IoT devices in botnets to launch DDoS attacks. The telecommunications sector is particularly vulnerable to DDoS attacks.

According to the 2016 Data Breach Investigations Report, the telecommunications sector was hit around twice as hard as the second-placed sector (financial exchanges), with a median DDoS packet count of 4.61 million packets per second (compared to 2.4 Mpps for exchanges). The impact of a DDoS attack should not be underestimated.

Direct attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are affected. With a growing number of connected devices and systems supporting mission-critical applications in areas such as healthcare and transport, unexpected downtime could be life threatening. Further, DDoS attacks can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or a large-scale ransomware attack. A good example of the first is the 2015 cyber-attack on the UK telecoms company TalkTalk.

The hack, allegedly perpetrated by a couple of teenagers, resulted in the loss of around 1.2 million customers’ email addresses, names and phone numbers, as well as many thousands of customer dates of birth and financial information – all ideal for use in financially-motivated social engineering campaigns.

The forensic investigation revealed that the hackers had used a smokescreen DDoS attack to conceal their main activities. DDoS attacks are also evolving. 2015 saw attackers amplify the power of DDoS attacks by turning them into DrDoS (Distributed Reflection Denial of Service) attacks through the use of standard network protocols like NTP, RIPv1, NetBIOS (Network Basic Input/Output System) and BGP (Border Gateway Protocol).
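As an added illustration (not part of the report), the Python below checks a batch of flow records for the reflection pattern just described: replies from many NTP, RIPv1 or NetBIOS reflectors converging on one victim at an unusually high bytes-per-packet ratio. The CSV record layout, the thresholds and every address are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List, Tuple

# UDP services from the report's list whose replies dwarf the spoofed requests
# that trigger them, keyed by the source port the reflected replies arrive from.
REFLECTOR_PORTS = {123: "NTP", 520: "RIPv1", 137: "NetBIOS"}

# Detection thresholds are assumptions for this example; tune against your baseline.
MIN_REFLECTORS = 3        # distinct reflector hosts replying to the same victim
MIN_BYTES_PER_PKT = 200   # ordinary NTP/RIPv1/NetBIOS replies are much smaller
MIN_TOTAL_BYTES = 10_000  # ignore a handful of stray large replies


def parse_flows(text: str) -> List[dict]:
    """Parse constructed CSV flow records (src,sport,dst,dport,proto,packets,bytes)."""
    flows = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        flows.append({
            "src": row["src"].strip(), "sport": int(row["sport"]),
            "dst": row["dst"].strip(), "dport": int(row["dport"]),
            "proto": row["proto"].strip().upper(),
            "packets": int(row["packets"]), "bytes": int(row["bytes"]),
        })
    return flows


def find_reflection_victims(flows: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Group inbound UDP flows by (victim, service) and flag groups that look reflected.

    Returns {(victim_ip, service): summary} for every group over all three thresholds.
    """
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "UDP" or f["sport"] not in REFLECTOR_PORTS:
            continue
        g = groups[(f["dst"], REFLECTOR_PORTS[f["sport"]])]
        g["sources"].add(f["src"])
        g["packets"] += f["packets"]
        g["bytes"] += f["bytes"]

    alerts = {}
    for key, g in groups.items():
        bpp = g["bytes"] / g["packets"] if g["packets"] else 0.0
        if (len(g["sources"]) >= MIN_REFLECTORS
                and bpp >= MIN_BYTES_PER_PKT
                and g["bytes"] >= MIN_TOTAL_BYTES):
            alerts[key] = {"reflectors": len(g["sources"]),
                           "bytes": g["bytes"],
                           "bytes_per_packet": round(bpp, 1)}
    return alerts


# Constructed sample: five NTP reflectors flooding 203.0.113.10, one normal NTP
# reply to 203.0.113.20, and two NetBIOS replies that stay under the thresholds.
SAMPLE_FLOWS = """src,sport,dst,dport,proto,packets,bytes
198.51.100.11,123,203.0.113.10,51234,UDP,100,44000
198.51.100.12,123,203.0.113.10,51234,UDP,100,44000
198.51.100.13,123,203.0.113.10,51234,UDP,100,44000
198.51.100.14,123,203.0.113.10,51234,UDP,100,44000
198.51.100.15,123,203.0.113.10,51234,UDP,100,44000
198.51.100.5,123,203.0.113.20,40001,UDP,1,76
198.51.100.21,137,203.0.113.10,137,UDP,10,3000
198.51.100.22,137,203.0.113.10,137,UDP,10,3000
"""

if __name__ == "__main__":
    for (victim, service), info in find_reflection_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {victim}: {service} reflection, {info}")
```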

Another approach that is becoming more commonplace is the compromise of end-user routers via network-scanning malware and firmware vulnerabilities.

Today’s faster mobile data transfer speeds and the growing adoption of 4G are also making smartphone-based botnets more useful for implementing DDoS attacks. The worrying thing is that even inexperienced attackers can organize quite an effective DDoS campaign using such techniques.

Targeted attacks

The core infrastructure of a telecommunications company is a highly desirable target for cybercriminals, but gaining access is extremely difficult.

Breaking into the core requires a deep knowledge of GSM architecture, rarely seen except among the most skilled and resourced cybercriminals.
Such individuals can generally be found working for advanced, international APT groups and nation-state attackers, entities that have a powerful interest in obtaining access to the inner networks of telecommunication companies.

This is because compromised network devices are harder for security systems to detect, and they offer more ways to control internal operations than can be achieved through simple server/workstation infiltration. Once inside the core infrastructure, attackers can easily intercept calls and data, and control, track and impersonate subscribers.

Other APTs with telecommunications on their radar

The Regin APT campaign, discovered in 2014, remains one of the most sophisticated ever seen and has the ability to infiltrate GSM networks, while the Turla group has developed the ability to hijack satellite-based Internet links as part of its Command & Control process, successfully obscuring its actual location. Others, such as Dark Hotel and a new cyber-espionage threat actor likely to be of Chinese origin, exploit telecoms networks in their targeted campaigns.
In these cases, the telecoms providers often suffer collateral damage even though they are not directly related to the attack.

Further details on these can be found on Kaspersky Lab’s expert Securelist blog or through a subscription to the Kaspersky APT Threat Intelligence Reporting service.

Unaddressed software vulnerabilities

Despite all the high-profile hacks and embarrassing data leaks of the last 12 months, attackers are still breaching telecoms defenses and making off with vast quantities of valuable personal data.
In many cases, attackers are exploiting new or under-protected vulnerabilities.

For example, in 2015, two members of the hacker group Linker Squad gained access to Orange Spain through a company website vulnerable to a simple SQL injection, and stole 10 million items of customer and employee data.

Figure: SQL injection vulnerability on Orange Spain web site

The impact of service misconfiguration

In many cases, the hardware used by the telecommunications industry carries configuration interfaces that can be accessed openly via HTTP, SSH, FTP or telnet.

This means that if the firewall is not configured correctly, the hardware in question becomes an easy target for unauthorized access. The risk presented by publicly exposed GTP/GRX (GPRS Tunneling Protocol/GPRS Roaming Exchange) ports on devices provides a good example of this. As CSPs encrypt the GPRS traffic between the devices and the Serving GPRS Support Node (SGSN), it is difficult to intercept and decrypt the transferred data. However, an attacker can bypass this restriction by searching on Shodan.io for devices with open GTP ports, connecting to them and then encapsulating GTP control packets into the created tunnel.

Table 1. Top 10 countries with GTP/GRX ports exposed to Internet access

The Border Gateway Protocol (BGP) is the routing protocol used to make decisions on routing between autonomous systems.

Acceptance and propagation of routing information coming from other peers can allow an attacker to implement man-in-the-middle (MITM) attacks or cause denial of service.

Any route that is advertised by a neighboring BGP speaker is merged into the routing database and propagated to all the other BGP peers.

Table 2. Top five countries with BGP protocol exposed to Internet access

An example of such an attack took place in March 2015, when Internet traffic for 167 important British Telecom customers, including a UK defense contractor that helps to deliver the country’s nuclear warhead program, was illegally diverted to servers in Ukraine before being passed along to its final destinations. To reduce the risk of attacks against BGP by unauthorized remote parties, we recommend that companies apply network filtering so that only a limited number of authorized peers can connect to BGP services.
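As an added example (not from the report), the Python below shows the kind of monitoring that would have flagged the diversion described above: each received announcement is checked against an allow-list of expected origin ASNs for your own prefixes, and a foreign origin, a foreign more-specific (which wins longest-prefix matching wherever it propagates) or an AS loop in the path is reported. The allow-list, the one-line record format and all addresses and ASNs are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed allow-list: the prefixes this operator is responsible for and the
# origin ASNs permitted to announce them (in practice derived from your own IRR
# route objects or RPKI ROAs). Documentation-range addresses and private ASNs only.
EXPECTED_ORIGINS: Dict[str, Set[int]] = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/23": {64501, 64502},   # dual-homed customer block
}


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]   # leftmost = the peer we heard it from, rightmost = origin

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def parse_announcement(line: str) -> Announcement:
    """Parse a constructed one-line record: '<prefix> <asn> <asn> ... <origin asn>'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError(f"malformed announcement: {line!r}")
    ipaddress.ip_network(fields[0])   # raises ValueError on a bad prefix
    return Announcement(fields[0], tuple(int(a) for a in fields[1:]))


def check_announcement(ann: Announcement,
                       expected: Dict[str, Set[int]] = EXPECTED_ORIGINS) -> List[str]:
    """Return anomaly descriptions for one announcement; an empty list means it looks normal."""
    findings: List[str] = []
    net = ipaddress.ip_network(ann.prefix)
    # An AS appearing twice in the path is either a misconfiguration or manipulation.
    if len(set(ann.as_path)) != len(ann.as_path):
        findings.append(f"{ann.prefix}: AS loop in path {ann.as_path}")
    for known, origins in expected.items():
        known_net = ipaddress.ip_network(known)
        if net.version != known_net.version or not net.subnet_of(known_net):
            continue   # unrelated prefix, or a less-specific that cannot override ours
        if net.prefixlen == known_net.prefixlen:
            if ann.origin_as not in origins:
                findings.append(f"{ann.prefix}: origin AS{ann.origin_as} not in "
                                f"permitted {sorted(origins)}")
        elif ann.origin_as not in origins:
            # A foreign more-specific wins longest-prefix matching everywhere it
            # propagates: this is the traffic-diversion pattern described in the report.
            findings.append(f"{ann.prefix}: more-specific of {known} announced by "
                            f"foreign origin AS{ann.origin_as}")
        else:
            findings.append(f"{ann.prefix}: unplanned more-specific of {known} from "
                            f"own origin AS{ann.origin_as}")
    return findings


def scan(lines) -> Dict[str, List[str]]:
    """Run the checks over a feed of records; returns only prefixes with findings."""
    results: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ann = parse_announcement(line)
        hits = check_announcement(ann)
        if hits:
            results.setdefault(ann.prefix, []).extend(hits)
    return results


# Constructed sample feed: a normal route, a normal dual-homed route, a foreign
# more-specific, a wrong origin on an exact match, and an unrelated prefix.
SAMPLE_FEED = """
203.0.113.0/24 64496 64500
198.51.100.0/23 64496 64497 64502
203.0.113.128/25 64496 64503
203.0.113.0/24 64496 64499 64504
192.0.2.0/24 64496 64505
"""

if __name__ == "__main__":
    for prefix, hits in scan(SAMPLE_FEED.splitlines()).items():
        for hit in hits:
            print("ALERT", hit)
```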

To protect against malicious re-routing and hijacking initiated through authorized autonomous systems, we recommend that they monitor anomalies in BGP communications (this can be done through specialized software solutions or by subscribing to alerts from vendors providing this kind of monitoring).

Vulnerabilities in network devices

Routers and other network devices are also primary targets for attacks against telecommunications companies. In September 2015, FireEye researchers revealed the router malware “SYNful knock”, a combination of leaked privileged (root) credentials and a way of replacing device firmware that targets Cisco 1841, 2811 and 3825 routers (see the Cisco advisory). Put simply, SYNful knock is a modified device firmware image with backdoor access that can replace the original operating system if the attacker has managed to obtain privileged access to the device or can physically connect to it. SYNful knock is not a pure software vulnerability but a combination of leaked privileged credentials and a particular way of replacing device firmware.
Still, it is a dangerous way of compromising an organization’s IT infrastructure.

Figure: SYNful knock backdoor sign-in credentials request

Figure: Worldwide distribution of devices with the SYNful knock backdoor

The latest information on the number of potentially compromised devices is available at https://synfulscan.shadowserver.org/stats/. A second Cisco vulnerability, CVE-2015-6389, enables attackers to access some sensitive data, such as the password file, system logs and Cisco PCA database information, and to modify data, run internal executables and potentially make the system unstable or inaccessible.

Cisco Prime Collaboration Assurance Software releases prior to 11.0 are vulnerable.

Follow this Cisco bulletin for remediation actions. For further information on Cisco fixes for its devices see https://threatpost.com/cisco-warning-of-vulnerabilities-in-routers-data-center-platforms/115609. Juniper, another network device manufacturer, has been found to carry vulnerabilities in the operating system of its NetScreen VPN appliances, enabling third-party access to network traffic.

The issue was reported by the vendor in the security advisory JSA10713 on December 18th, 2015, along with the release of the patch. It appears that the additional code with a hard-coded password was planted in the source code in late 2013.

The backdoor allows any user to log in with administrator privileges using the hard-coded password “<<< %s(un=’%s’) = %u”. This vulnerability has been identified as CVE-2015-7755 and is considered highly critical. The top countries where ScreenOS devices are used are the Netherlands, the United States, China, Italy and Mexico.

Figure: Juniper ScreenOS-powered devices worldwide

Another Juniper backdoor, CVE-2015-7756, affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 and allows a third party to monitor traffic inside VPN connections due to security flaws in the Dual_EC PRNG algorithm used for random number generation. To protect the organization from misconfiguration and network device vulnerabilities, Kaspersky Lab recommends that companies pay close attention to vulnerabilities in the network services of telecommunication equipment, establish effective vulnerability and configuration management processes, and regularly perform security assessments, including penetration testing for different types of attackers (a remote intruder, a subscriber, a contractor, etc.).

Malicious insiders

Even if you consider your critical systems and devices protected and safe, it is difficult to fully control some attack vectors. People rank at the very top of this list.

Their motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion and simple carelessness. While insider-assisted attacks are uncommon, the impact of such attacks can be devastating as they provide a direct route to the most valuable information. Examples of insider attacks in recent years include:

- A rogue telecoms employee leaking 70 million prison inmate calls, many breaching client-attorney privilege.
- An SMS center support engineer who had intercepted messages containing OTPs (one-time passwords) for the two-step authentication required to log in to customer accounts at a popular fintech company.

The engineer was found to be freely offering his services on a popular DarkNet forum. For attackers, infiltrating the networks of ISPs and CSPs requires a certain level of experience – and it is often cheaper and easier to stroll across the perimeter with the help of a hired or blackmailed insider.

Cybercriminals generally recruit insiders through two approaches: enticing or coercing individual employees with relevant skills, or trawling around underground message boards looking for an appropriate employee or former employee. Employees of cellular service providers are in demand for fast-track access to subscriber and company data or SIM card duplication/illegal reissuing, while staff working for Internet service providers are needed for network mapping and man-in-the-middle attacks. A particularly promising and successful attack vector for recruiting an insider for malicious intrusion is blackmail. Data breaches, such as the 2015 Ashley Madison leak, reveal information that attackers can compare with other publicly available information to track down where people work and compromise them accordingly.
Very often, these leaked databases contain corporate email addresses, including those of telecommunication companies. Further information on the emerging attack vectors based on the harvesting of Open Source Intelligence (OSINT) can be obtained using Kaspersky Lab’s customer-specific Intelligence Reporting services.

Threats targeting CSP/ISP subscribers

Overview

Attacks targeting the customers of cellular and Internet service providers remain a key area of interest for cybercriminals. We’ve revealed a number of malware activities and attack techniques based on internal information and incidents that were caught in our scope.

As a result of analyzing this data, the following main threats were identified:

Obtaining subscribers’ credentials

This is growing in appeal as consumers and businesses undertake ever more activity online, particularly on mobile.

Further, security levels are often intentionally lowered on mobile devices in favor of usability, making mobile attacks even more attractive to criminals.

Compromising subscribers’ devices

The number of mobile malware infections is on the rise, as is the sophistication and functionality of the malware.

Experienced and skilled programmers are now focusing much of their attention on mobile, looking to exploit payment services as well as low-value assets like compromised Instagram or Uber accounts, and collecting every piece of data from the infected devices.

Compromising small-scale telecoms cells used by consumers and businesses

Vulnerabilities in CSP-provided femtocells allow criminals to compromise the cells and even gain access to the CSP’s entire network.

Successful proof-of-concept attacks on USIM cards

Recent research shows that the cryptography of 3G/4G USIM cards is no longer unbreakable.
Successful attacks allow SIM card cloning, call spoofing and the interception of SMS.

Social engineering, phishing and other ways in

Social engineering and phishing remain popular activities and they continue to evolve and improve, targeting unaware or poorly aware subscribers and telecoms employees. The attackers exploit trust and naivety.
In 2015, the TeamHans hacker group penetrated one of Canada’s biggest communications groups, Rogers, simply by repeatedly contacting IT support and impersonating mid-ranking employees, in order to build up enough personal information to gain access to the employee’s desktop.

The attack provided hackers with access to contracts with corporate customers, sensitive corporate e-mails, corporate employee IDs, documents, and more. Both social engineering and phishing approaches are worryingly successful.

The Data Breach Investigations Report 2016 found that 30% of phishing emails were opened, and that 12% clicked on the malicious attachment – with the entire process taking, on average, just 1 minute and 40 seconds. Social engineers and phishers also use multiple ways of making their attacks appear authentic, enriching their data with leaked profiles or successfully impersonating employees or contractors. Recently criminals have successfully stolen tens of thousands of euros from dozens of people across Germany after finding a way around systems that text a code to confirm transactions to online banking users.

After infecting their victims with banking malware and obtaining their phone numbers, they called the CSP’s support and, impersonating a retail shop, asked for a new SIM card to be activated, thus gaining access to the OTPs (one-time passwords) or “mTANs” used for two-factor authentication in online banking. Kaspersky Lab recommends that telecommunications providers implement notification services for financial organizations that alert them when a subscriber’s SIM card has been changed or when personal data is modified. Some CSPs have also implemented a threat exchange service to inform financial industry members when a subscriber’s phone is likely to have been infected with malware.

Vulnerable kit

USBs, modems and portable Wi-Fi routers remain high-risk assets for subscribers, and we continue to discover multiple vulnerabilities in their firmware and user interfaces.

These include:

- Vulnerabilities in web interfaces designed to help consumers configure their devices. These can be exploited to trick a user into visiting a specially crafted page.
- Vulnerabilities that result from insufficient authentication. These can allow for the modification of device settings (like DNS server addresses), and the interception, sending and receiving of SMS messages or USSD requests, by exploiting different XSS and CSRF vulnerabilities.
- RCE (Remote Code Execution) vulnerabilities based on different variants of embedded Linux that can enable firmware modification and even a complete remote compromise.
- Built-in “service” backdoors allowing no-authentication access to device settings.

Examples of these kinds of vulnerabilities were demonstrated in research by Timur Yunusov from the SCADAStrangeLove team.

The author assessed a number of 3G/4G routers from ZTE, Huawei, Gemtek and Quanta. He reported a number of serious vulnerabilities:

- Remote Code Execution from web scripts.
- Arbitrary device firmware modification due to insufficient consistency checks.
- Cross Site Request Forgery and Cross Site Scripting attacks.

All these vectors can be used by an external attacker for the following scenarios:

- Infecting a subscriber’s computer via PowerShell code or a badUSB attack.
- Traffic modification and interception.
- Subscriber account access and device settings modification.
- Revealing subscriber location.
- Using device firmware modification for APT attack persistence.

Most of these issues exist due to web interface vulnerabilities (like insufficient input validation or CSRF) or modifications made by the vendor during the process of branding its devices for a specific telecommunications company.

The risk of local cells

Femtocells, which are essentially a personal NodeB with an IP network connection, are growing in popularity as an easy way to improve signal coverage inside buildings.
Small business customers often receive them from their CSPs. However, unlike core systems, they are not always subjected to suitably thorough security audits.

Figure: Femtocell connection map

Over the last year, our researchers have found a number of serious vulnerabilities in such devices that could allow an attacker to gain complete control over them.

Compromising a femtocell can lead to call interception, service abuse and even illegal access to the CSP’s internal network. At the moment, a successful attack on a femtocell requires a certain level of engineering experience, so risks remain low, but this is likely to change in the future.

USIM card vulnerabilities

Research presented at BlackHat USA in 2015 revealed successful attacks on USIM card security. USIMs had previously been considered unbreakable thanks to the AES-based MILENAGE algorithm used for authentication.

The researchers conducted differential power analysis to extract the encryption key and secrets, which allowed them to clone the new generation of 3G/4G SIM cards from different manufacturers.

Figure: Right byte guess peak on differential power analysis graph

Conclusion

Telecommunications is a critical infrastructure and needs to be protected accordingly.

The threat landscape shows that vulnerabilities exist on many levels: hardware, software and human, and that attacks can come from many directions.

Telecoms providers need to start regarding security as a process – one that encompasses threat prediction, prevention, detection, response and investigation. A comprehensive, multi-layered security solution is a key component of this, but it is not enough on its own.
It needs to be complemented by collaboration, employee education and shared intelligence. Many telecommunications companies already have agreements in place to share network capability and capacity in the case of disruption, and now is the time to start reaping the benefit of shared intelligence. Our Threat Intelligence Reporting services can provide customer-specific insight into the threats facing your organization.
If you’ve ever wondered what your business looks like to an attacker, now’s the time to find out.

Contact us at intelligence@kaspersky.com

New Brazilian Banking Trojan Uses Windows Powershell Utility

Microsoft’s PowerShell utility is being used as part of a new banking Trojan targeting Brazilians. Researchers made the discovery earlier this week and say the high quality of the Trojan is indicative of Brazilian malware that is growing more sophisticated. The banking Trojan is identified as “Trojan-Proxy.PowerShell.Agent.a” and is one of the most technically advanced Brazilian malware samples discovered, said Fabio Assolini, a senior security researcher with Kaspersky Lab’s Global Research and Analysis Team, in a Securelist blog on Thursday. The banking Trojan is being delivered via a phishing campaign where emails are masquerading as a receipt from a mobile carrier.

A malicious .PIF (Program Information File) attachment is used to attack the target’s PC. PIF files tell MS-DOS applications how to run in Windows environments and can contain hidden BAT, EXE or COM programs that automatically execute after the host file is run. In the case of “Trojan-Proxy.PowerShell.Agent.a” the PIF file changes the proxy configuration in Internet Explorer to a malicious proxy server that redirects connections to phishing pages for Brazilian banks, Assolini said.

Those changes in the system are made using a PowerShell script. The browser aspect of the attack is identical to how cybercriminals have exploited proxy auto-config (PAC) files in previous attacks, Assolini said. PAC files are designed to enable browsers to automatically select which proxy server to use to get a specific URL. “It’s the same technique used by malicious PACs that we described in 2013, but this time no PACs are used; the changes in the system are made using a PowerShell script,” Assolini wrote. Not only are Internet Explorer users affected, but also users of Firefox and Chrome. The malware has no command and control communication.
Instead, once the .PIF file is launched, the “powershell.exe” process is spawned and the command line “-ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1” is cued.

This is an attempt to bypass PowerShell execution policies, Assolini said.

The malware changes the file prefs.js, inserting the malicious proxy change. After being infected by “Trojan-Proxy.PowerShell.Agent.a”, if a user tries to access some of the websites listed in the script, they will be redirected to a phishing domain hosted at the malicious proxy server.

The proxy domains used in the attack use dynamic DNS services and their goal is to redirect all traffic to a server located in the Netherlands, where there are several phishing pages for Brazilian banks, according to Assolini. According to Kaspersky Lab, Brazil was the most infected country when it comes to banking Trojans in Q1 2016. “Attackers (developing Brazilian malware) are investing time and money to develop solutions where the malicious payload is completely hidden under a lot of obfuscation and code protection,” notes a Securelist post from March.

That stands in stark contrast to Brazilian malware that not long ago was described as simple and easy to detect. Researchers believe Brazilian cybercriminals have upped their game by adopting new techniques as a result of collaboration with their European counterparts.
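Added example, not from the article or from Kaspersky: Python detection logic for the two host-side behaviours Assolini describes, a powershell.exe launch with -ExecutionPolicy Bypass and a script under a temp path, spawned by a .PIF-style parent, and a proxy inserted into Firefox's prefs.js. The process-record keys, sample paths and proxy hostnames are constructed; the preference key names are Firefox's real ones; the command line is the one quoted in the article. The Internet Explorer proxy change is not covered, since the article does not detail where it is written.

```python
import re
from typing import Dict, List, Union

# Firefox stores each preference as: user_pref("name", value);  value may be a
# quoted string, an integer or a bare true/false.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|(-?\d+)|(true|false))\);')
PrefValue = Union[str, int, bool]


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse the user_pref(...) lines of a Firefox prefs.js into a dict."""
    prefs: Dict[str, PrefValue] = {}
    for key, s, n, b in PREF_RE.findall(text):
        prefs[key] = int(n) if n else ((b == "true") if b else s)
    return prefs


def proxy_findings(prefs: Dict[str, PrefValue], approved_hosts=frozenset()) -> List[str]:
    """Flag a manual proxy or PAC URL that the organisation did not approve.

    network.proxy.type: 0 = direct, 1 = manual, 2 = PAC URL (Firefox semantics).
    """
    findings: List[str] = []
    ptype = prefs.get("network.proxy.type", 0)
    if ptype == 1:
        for key in ("network.proxy.http", "network.proxy.ssl"):
            host = prefs.get(key)
            if host and host not in approved_hosts:
                findings.append(f"{key} set to unapproved proxy {host!r}")
    elif ptype == 2:
        url = prefs.get("network.proxy.autoconfig_url")
        if url and url not in approved_hosts:
            findings.append(f"PAC URL set to unapproved {url!r}")
    return findings


# PowerShell accepts -ExecutionPolicy and its abbreviations; match any of them.
BYPASS_RE = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I)
FILE_RE = re.compile(r"-file\s+(\S+)", re.I)
TEMP_RE = re.compile(r"%temp%|\\temp\\|\\local\\temp", re.I)


def powershell_findings(event: dict) -> List[str]:
    """Score one process-creation record (constructed keys: parent, image, cmdline)."""
    findings: List[str] = []
    if not event["image"].lower().endswith("powershell.exe"):
        return findings
    cmd = event["cmdline"]
    if BYPASS_RE.search(cmd):
        findings.append("execution policy bypassed on the command line")
    m = FILE_RE.search(cmd)
    if m and TEMP_RE.search(m.group(1)):
        findings.append(f"script run from a temp directory: {m.group(1)}")
    # The article's dropper is a .PIF, which can wrap hidden BAT/COM/EXE programs.
    if event["parent"].lower().endswith((".pif", ".com", ".bat")):
        findings.append(f"spawned by legacy DOS-style launcher {event['parent']}")
    return findings


# Constructed process-creation records; the first command line is the one from the article.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\Downloads\receipt.pif",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

# Constructed prefs.js excerpt with a manual proxy inserted (hostname is a placeholder).
SAMPLE_PREFS = """
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "proxy-placeholder.invalid");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
"""

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["cmdline"], "->", powershell_findings(ev) or "clean")
    print("prefs.js ->", proxy_findings(parse_prefs(SAMPLE_PREFS)) or "clean")
```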

Attacker's Playbook Top 5 Is High On Passwords, Low On Malware

Report: Penetration testers' five most reliable methods of compromising targets include four different ways to use stolen credentials, but zero ways to exploit software. Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian. Organizations would be far better served by improving credential management and network segmentation, according to researchers there. Over the course of 100 internal penetration tests, Praetorian pen testers successfully compromised many organizations using the same kinds of attacks.

The most common of these "root causes" though, were not zero-days or malware at all. The top five activities in the cyber kill chain -- sometimes used alone, sometimes used in combination -- were:

1. abuse of weak domain user passwords -- used in 66% of Praetorian pen testers' successful attacks
2. broadcast name resolution poisoning (like WPAD) -- 64%
3. local admin password attacks (pass-the-hash attacks) -- 61%
4. attacks on cleartext passwords in memory (like those using Mimikatz) -- 59%
5. insufficient network segmentation -- 52%

The top four on this list are all attacks related to the use of stolen credentials, sometimes first obtained via phishing or other social engineering.
Instead of suggesting how to defend against social engineering, Praetorian outlines mitigations to defend against what happens after a social engineer gets past step one. "If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian.

The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, but "building in the defenses so it's really not a big deal if they do." As Abraham explains, one stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way -- should not, but often does.

By implementing mitigations against the attacks mentioned above, an organization ensures "you don't have that cascading effect," from one stolen credential, says Abraham. "The blast radius is very minimal."  The report does, of course, reflect the actions of Praetorian penetration testers, not actual attackers.

But the report states that "Praetorian’s core team includes former NSA operators and CIA clandestine service officers who are able to mimic the kill chains that are outlined in Verizon, Mandiant, and CrowdStrike’s annual breach reports." Indeed, the 2016 Verizon Data Breach Investigations Report attributed more breaches to hacking than to malware, and the use of stolen credentials was the most common sub-category of  hacking.

The M-Trends 2016 Report by Mandiant, a FireEye company, found that stolen credentials were "the most efficient and undetected technique for compromising an enterprise." Abraham says Praetorian pen testers -- and many attackers -- prefer to use system weaknesses over software exploits, for several reasons.

For one, he says, malware can fail or cause system failures, which draw attention to the attacker.
Vulnerability scans are "noisy" and unnecessary, according to the report. Plus, while a software hole can be quickly closed with a patch, "design weaknesses will be present in the environment until the design changes," states the report, meaning they have a long shelf life because they take longer to fix.

Mitigation

There are basic, inexpensive practices and tools that would hugely improve organizations' security without costing them millions, according to the report, but Abraham says that pen testers found many organizations were missing these basic elements. He recommended that organizations wanting to clean up their act start with #3 and #4 on the list (pass-the-hash and cleartext passwords in memory), because they're the "most achievable." According to the report:

- Deploying Microsoft's LAPS tool on workstations and servers will go a long way to protecting against pass-the-hash attacks: LAPS gives every machine its own random local administrator password, so a hash recovered from one host no longer opens the others.
- Mimikatz and other attacks against cleartext passwords in memory can be largely cleaned up with a basic registry change (setting the WDigest UseLogonCredential value to 0), installation of the update described in Microsoft Security Advisory 2871997 (KB2871997), and regular monitoring for any unauthorized registry changes.

Once that's done, Abraham suggests moving on to #1 and #2 (weak domain user passwords and broadcast name resolution poisoning) and leaving #5 (insufficient network segmentation) for last, since it will take the most time to fix. Some (not all) of Praetorian's suggestions in the report include:

To strengthen passwords:
- increase Active Directory password length requirements to at least 15 characters (which also keeps Windows from storing the weak LM hash)
- enhance password policy enforcement (expiration, etc.)
- implement two-factor authentication for all administrator access and remote access

To mitigate broadcast name resolution poisoning:
- populate DNS servers with entries for all known valid resources, so clients never fall back to broadcast lookups
- disable LLMNR and NetBIOS over TCP/IP on end-user workstations
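The host-side items just listed (the WDigest registry value, LLMNR, NetBIOS and LAPS) can be audited, and where needed set, from an elevated PowerShell prompt. The script below is an added example and not code from the Praetorian report. The registry paths are the ones Microsoft's own policy templates write for these settings; the AdmPwdEnabled value is the Group Policy setting written by the LAPS administrative template; the -Remediate switch and the function names are this example's own conventions.

```powershell
# Added example, not code from the Praetorian report. Audits one Windows host for the
# workstation-side mitigations above and, with -Remediate, applies the two registry
# changes and disables NetBIOS. Run from an elevated Windows PowerShell prompt.
param([switch]$Remediate)

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LlmnrKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$LapsKey    = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'   # key written by the LAPS GPO template

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns the DWORD value, or $null when the key or value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-CredentialHardeningState {
    # WDigest: with KB2871997 installed, UseLogonCredential = 0 stops LSASS keeping a
    # reversible copy of the logon password (what Mimikatz's sekurlsa::wdigest reads).
    # On Windows 7 / 2008 R2 an absent value still means "keep it", so only 0 counts as safe.
    $wdigest = Get-RegDword $WDigestKey 'UseLogonCredential'

    # LLMNR: the "Turn off multicast name resolution" policy writes EnableMulticast = 0.
    $llmnr = Get-RegDword $LlmnrKey 'EnableMulticast'

    # NetBIOS over TCP/IP is per adapter: TcpipNetbiosOptions 0 = via DHCP, 1 = on, 2 = off.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

    # LAPS: AdmPwdEnabled = 1 means each machine gets its own random local admin password,
    # so one recovered hash no longer opens every workstation.
    $laps = Get-RegDword $LapsKey 'AdmPwdEnabled'

    # Domain minimum password length, if the AD module happens to be present on this host.
    $minLen = $null
    if (Get-Command Get-ADDefaultDomainPasswordPolicy -ErrorAction SilentlyContinue) {
        $minLen = (Get-ADDefaultDomainPasswordPolicy -ErrorAction SilentlyContinue).MinPasswordLength
    }

    [PSCustomObject]@{
        WDigestUseLogonCredential = $wdigest
        WDigestOk                 = ($wdigest -eq 0)
        LlmnrEnableMulticast      = $llmnr
        LlmnrOk                   = ($llmnr -eq 0)
        NetbiosOk                 = -not ($nics | Where-Object { $_.TcpipNetbiosOptions -ne 2 })
        LapsEnabled               = ($laps -eq 1)
        DomainMinPasswordLength   = $minLen
        PasswordLengthOk          = ($minLen -ge 15)
    }
}

function Set-CredentialHardening {
    foreach ($key in $WDigestKey, $LlmnrKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $WDigestKey -Name UseLogonCredential -Type DWord -Value 0
    Set-ItemProperty -Path $LlmnrKey   -Name EnableMulticast    -Type DWord -Value 0
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.SetTcpipNetbios(2) | Out-Null }
    # LAPS itself is deployed through its MSI and Group Policy, not from this script.
}

if ($Remediate) { Set-CredentialHardening }
Get-CredentialHardeningState | Format-List
```

Run it without the switch as a scheduled check to catch the "unauthorized registry changes" the report warns about; a WDigestOk or LlmnrOk that flips back to False is worth an alert. Settings pushed by Group Policy will win over anything set locally here, so in a domain the same values belong in a GPO.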
To improve network segmentation, after a proper inventory of systems and data and a review with lines of business about employee access:
- enforce network Access Control Lists (ACLs) so that only authorized systems have access to critical systems, on a per-machine basis, by VLAN, or per user with "next-gen" firewalls
- update network architecture and network diagrams to reflect the new ACLs

For Praetorian's complete mitigation suggestions, see the report.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

How Diversity Can Bridge The Talent Gap

Women and minorities in the security industry share some hard truths about the security industry's hiring traditions and practices. The dirty little secret about most security job openings today is that they often inadvertently preclude women and minorities. Employers typically have a specific type of person in mind for the job, and the job description is written accordingly, requiring several years of experience, a computer science degree or background, and other technical skills such as certifications or hands-on hacking tool expertise. That’s not typically a diversity-friendly job description – training and tool costs are often out of range for inner-city and small-town candidates.

A panel of diverse and accomplished female security professionals at Black Hat USA earlier this month shared their insight on this and other ways the industry is doing it wrong, and how to encourage more diversity. I served as moderator of the "Removing Roadblocks to Diversity" panel, which featured Jamesha Fisher, Security Operations Engineer at GitHub; Chenxi Wang, Chief Strategy Officer of Twistlock; Rebekah Brown, Threat Intelligence Lead at Rapid7; and Angie Leifson, Security Operations Center (SOC) Analyst at Insight Enterprises. The lack of diversity in security is a topic I've researched plenty this year, but listening to these women share what they see in the trenches every day, the firsthand lessons they've learned, and the advice they give to other women and minorities, was enlightening.

To be honest, it was a bit frustrating, too, since the number of women in the security industry has remained at about 10% for at least three years now.

African-American women represent just 3% of computer-related jobs, and Latina women, 1%.   There’s also a glaring disconnect today between many job openings in cybersecurity and the types of skills the field now demands.

The panelists pointed to the importance and need in security for non-technical skills and backgrounds in psychology, linguistics, and communications, for example. Yet those skills aren't the norm in a typical job opening. Take Wang, whose career path came via the traditional route of a computer science degree and graduate school. She said it's time for a rewrite of inherently biased job descriptions: "If you had somebody coaching them on writing a job description that is more inclusive, they would have gotten more candidates. I try to do that myself," Wang said during the panel.

Fisher, who is African-American, said there are few if any junior security positions, which makes it tough for anyone to break into the industry. Minorities have a disadvantage up front. "They may not have the money to buy the training needed to do security to get that competitive edge. Where does this leave people who don't have the money?" Fisher said.

Rapid7's Brown, whose military career as a linguist in Mandarin ultimately led her to cybersecurity threat intelligence, said the cookie-cutter job description doesn't cut it in today's world. Having security staff with diverse backgrounds, educations, outlooks, and mindsets is key, Brown said. "If you just put one job description out, you're never going to be successful," she said.

There's a mindset problem here as well.
Studies and anecdotal data show that women are less likely to apply for a job if they don’t fit all of the listed qualifications, whereas men apply even if they don’t have all of the listed skills.

But that’s a trend that can be broken, the panelists said. On the flip side, women and minorities often aren’t given the benefit of the doubt like their counterparts when it comes to missing qualifications, Fisher said. White men, for instance, she said, are often given “reasonable doubt” that they will learn the skills they lack on the job.
She urged large companies to use their resources to train and attract more minorities and women to security jobs. Leifson, who graduated from college in December and is now a SOC analyst, had a refreshing view on this: even when she doesn't meet all of the qualifications listed in a job opening, she still applies for it. "I still feel confident in my skills," she said. "Don't be afraid" to put yourself out there and apply, she said.

The social impact of security is also an element that needs to be touted more, the panelists said. "So many people are about the hacking aspect, but nobody is about the defensive aspect. That has the social impact" that appeals to a broader talent pool, Fisher said.

Diversity is one thing, but inclusiveness is another, the panelists said. Hiring more women and minorities is the first step to a truly diverse workforce; organizations then also need to ensure they respect and embrace their workers' different backgrounds. To view the entire panel discussion and Q&A, check out the video recording.

Kelly Jackson Higgins is Executive Editor at DarkReading.com.
She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Security Staff Shortages Incur Higher Breach Recovery Costs

New study measures the financial impact of a breach on a company short on IT security staff. The shortage of skilled IT security professionals is not a new topic. Multiple reports have shed light on the talent shortage and the type of security risks associated with an IT department that is short on security skills.

But a report released this week by Kaspersky Lab and partner B2B International shows the potential financial impact of being short-staffed in the security department.  The study, which surveyed nearly 5,000 representatives from companies of different sizes and industries, compared the breach recovery costs for large companies that had enough IT security staff with large companies that were light on security support.

The average cost of recovery for companies with inadequate security support was between $1.2 million and $1.47 million, compared with $100,000 to $500,000 for companies with a strong and sufficiently staffed IT security team. When an organization has internal IT security staff on the payroll, they become more familiar with the cyclical process of a breach and recovery and are able to learn from each incident and apply that knowledge to the organization's security posture, says Michael Canavan, vice president of North America for Kaspersky Lab. "This is a large reason why you see the smaller dollar amount with those incidents [at organizations with in-house security staff]," he says.

They're less traumatic because more information is known, he adds.

The survey also showed that additional staff wages make up a significant portion of the recovery costs, $14K on average for SMBs and $126K for enterprises, which was higher than the loss of business opportunities, credit rating, and compensation to clients and partners combined.

Candace Worley, vice president and general manager for enterprise endpoint security at Intel, points out that while nearly $1.5 million for a breach is high, the average cost of a breach is now over $4 million per incident, according to the Ponemon Institute's 2016 Cost of Data Breach report. "If a company was unfortunate enough to experience two breaches in a year," she says, then "investing in a security staff is the better way to go." She also notes that in addition to labor costs, organizations have to account for the brand impact and opportunity cost of a breach on top of the hard costs. "There's the domino or cascade of costs," Worley says.

Tejas Vashi, senior director of Cisco Services, says that while the industry acknowledges that many organizations need more security staff, it takes a long time to bring them on. "Enterprises need to be proactively seeking out the talent and continuously reskilling their existing workforce," says Vashi, adding that a proactive mindset is very important in the security space right now, for both hiring and threat mitigation. He likens the IT security landscape to a quote attributed to Henry Ford: "The only thing worse than training your employees and having them leave is not training them and having them stay."

Find the full report here.

Emily Johnson is an Associate Editor on UBM America's Content Marketing team. Prior to this role, Emily spent four and a half years in content and marketing roles supporting the UBM America's IT events portfolio.

Emily earned her B.A. in English from the University of ...

Brazilian banking Trojans meet PowerShell

Crooks are always creating new ways to improve the malware they use to target bank accounts, and now Brazilian bad guys have made an important addition to their arsenal: the use of PowerShell.

Brazil is the most infected country worldwide when it comes to banking Trojans, according to our Q1 2016 report, and the quality of the malware is evolving dramatically. We found Trojan-Proxy.PowerShell.Agent.a in the wild a few days ago, marking a new achievement by Brazil’s cybercriminals. The malware is distributed using a malicious email campaign disguised as a receipt from a mobile operator with a malicious .PIF file.

After the file is executed it changes the proxy configuration in Internet Explorer to a malicious proxy server that redirects connections to phishing pages for Brazilian banks.
It’s the same technique used by malicious PACs that we described in 2013, but this time no PACs are used; the changes in the system are made using a PowerShell script.

As Windows 7 and newer versions, which ship with PowerShell installed, are now the most popular in Brazil, the malware has no problem running on victims' computers. The malware has no C&C communication.

After execution it spawned the process "powershell.exe" with the command line "-ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1", aiming to bypass the PowerShell execution policy. On a default installation the switch does exactly that; only a policy enforced through Group Policy overrides it, and even then the execution policy is a safety feature rather than a security boundary.

The .ps1 file in the temp folder uses random names. It is a Base64-encoded script capable of making changes to the system. After some deobfuscation, the goal of the script becomes clear: to modify the Internet Settings key and enable a proxy server in it. The result on the victim's machine is a small change in the browser's proxy settings. This change affects not only IE but all other browsers installed on the system, as they tend to use the same system-wide proxy configuration that IE sets.

The proxy domains used in the attack are listed below.

All of them use dynamic DNS services, and their goal is to redirect all traffic to a server located in the Netherlands, where there are several phishing pages for Brazilian banks:

gbplugin.[REMOVED].com.br
moduloseguro.[REMOVED].com.br
x0x0.[REMOVED].com.br
X1x1.[REMOVED].com.br

The malware also has other features of interest: it checks the language of the OS and aborts if it is not PTBR, a clever trick to avoid infecting Windows versions in languages other than Brazilian Portuguese. To protect a network against malware that uses PowerShell, it is important to restrict script execution, using the administrative templates (Group Policy) to allow only signed scripts. Because the execution policy is not a security boundary (a Group Policy setting does stop the -ExecutionPolicy Bypass switch, but code passed with -Command or -EncodedCommand is not subject to the policy at all), pair it with PowerShell script block logging and application whitelisting. We are sure this is the first of many that Brazil's bad guys will code.

Hash of the malware: cancelamento.pif -> MD5: 9419e7cd60487532313a43559b195cb0
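The change this family makes, and the way it runs, can both be checked with PowerShell itself. The script below is an added example, not Kaspersky's code or the malware's. It assumes the per-user values Internet Explorer keeps under the Internet Settings key for a static proxy (ProxyEnable, ProxyServer) and for a PAC file (AutoConfigURL); the -AllowedProxies parameter and the function names are this example's own conventions; and the log query assumes PowerShell 5 script block logging (event 4104) has been turned on.

```powershell
# Added example, not from the Kaspersky post or the malware. Inspects the per-user proxy
# settings this Trojan rewrites, hunts logged PowerShell for scripts that touch them, and
# shows the effective execution policy in each scope.
param(
    # host:port values of your legitimate proxy, if any; anything else is flagged.
    [string[]]$AllowedProxies = @()
)

$InetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyHijackIndicators {
    # IE, and every browser that follows the system proxy, reads ProxyEnable/ProxyServer
    # for a static proxy and AutoConfigURL for a PAC script from this key.
    $p = Get-ItemProperty -Path $InetKey
    $findings = @()
    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer -and ($AllowedProxies -notcontains $p.ProxyServer)) {
        $findings += "Static proxy points to an unexpected server: $($p.ProxyServer)"
    }
    if ($p.AutoConfigURL) {
        $findings += "PAC script configured: $($p.AutoConfigURL)"
    }
    [PSCustomObject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        Suspicious    = ($findings.Count -gt 0)
        Findings      = $findings
    }
}

function Find-ProxyTamperingScripts {
    param([int]$Hours = 24)
    # Script block logging (PowerShell 5+, event 4104 in the Operational log) records the
    # *decoded* script, so Base64 wrapping and -ExecutionPolicy Bypass hide nothing here.
    # Enable it via HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,
    # EnableScriptBlockLogging = 1, or the matching Group Policy setting.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'Internet Settings' -and
        $_.Message -match 'Proxy(Enable|Server)|AutoConfigURL'
    } |
    Select-Object TimeCreated,
        @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
}

function Get-ExecutionPolicyState {
    # A MachinePolicy/UserPolicy entry here means Group Policy is enforcing the policy
    # and the Bypass switch on the command line no longer wins.
    Get-ExecutionPolicy -List
}

Get-ProxyHijackIndicators | Format-List
Find-ProxyTamperingScripts
Get-ExecutionPolicyState
```

Run the proxy check under the account of the user who opened the attachment, since the key is per user (HKCU). A proxy that points at a dynamic-DNS hostname, as in this campaign, is a strong indicator on its own; a PAC URL on a machine that has no business using one is the same technique in its older form.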

5 Strategies For Enhancing Targeted Security Monitoring

These examples will help you improve early incident detection results. Crime scenes -- in both the physical and digital sense -- exist where investigators must work quickly to gather and process evidence before it is no longer available or has been modified.
In both cases, investigators set up a large perimeter around the crime scene and work to narrow it down by establishing credible, evidence-based conclusions. In the digital realm, the most common collection of security incident and event information occurs in sources where large volumes of data can be gathered in support of investigations. However, this large volume of data can easily lead to "analysis paralysis," making it more difficult to find the proverbial needle in the haystack. Here are five ways to enhance your security monitoring capabilities to detect potential threats in a more effective and timely manner.

1. Define (un)acceptable activity
Organizations must define what they consider to be both acceptable and unacceptable activity within the scope of their business environment through the creation of specific policies and standards documents.

To facilitate monitoring and alerting for these activities, organizations need to explicitly define the activities that are considered acceptable and unacceptable. Generally, acceptable activity includes anything within the boundaries stated in the organization's governance documentation, such as a Business Code of Conduct. Unacceptable activity, on the other hand, is any activity outside what the organization has defined as acceptable (e.g., policy violations, breaches of confidentiality).

2. Follow criticality-based deployments
Collecting large volumes of security information and events can become overwhelming when it comes time to perform an investigation. While the idea of “casting the net wide” ensures that a broad scope of evidence will be readily available, targeted capabilities ensure that high-value and high-risk assets (e.g. employees, systems, networks) are being pro-actively monitored. Determining the criticality of assets requires organizations to validate the security properties encompassing each asset; including, for example, confidentiality, integrity, availability, authorization, authentication and non-repudiation.

Through the completion of a formal risk assessment and threat modeling exercise, organizations can then prioritize their targeted monitoring capabilities based on the criticality of their assets.

3. Utilize analytical techniques

Approaches to security monitoring depend on factors such as the type of security control used or the functionality provided in supporting technologies.

But the foundation of security monitoring is the premise that unacceptable activity is visibly different from acceptable activity and can be detected as a result of this difference. By combining different analytical techniques, such as anomaly detection and pattern matching, monitoring for both acceptable and unacceptable activity improves proactive detection, identifying security events before they intensify.

4. Go for the best technology for the job
Business requirements are the primary driver for the use of all security monitoring technology.  While this should be common knowledge, security monitoring is often overshadowed by exploiting the capabilities of a technology instead of focusing on what the business need for using the technology really is.  At the end of the day, there are a wide range of technology solutions that offer varying levels of functionality specific to security monitoring.

Aside from analytical techniques, when selecting the solution best suited to your organization, consider factors such as:
- lower total cost of ownership (TCO)
- customization to fit business requirements
- minimal compromises on technology components
- compatibility with other technologies and interface exchanges

5. Conduct assurance exercises
The continued value-proposition of targeted security monitoring requires an organization to maintain its accuracy for identifying acceptable and unacceptable activity.
Similar to how we conduct audits against our information systems, regular assessments must be done to ensure that detection mechanisms (e.g. analytical techniques, signatures) are applicable and that critical assets are still relevant. While the frequency of these assurance exercises will be subjective to each organization, the approach must be consistent in that the administrative, physical, and technical aspects of security monitoring are measured equally.

Following this methodology will ensure that the overall implementation of targeted security monitoring remains effective and efficient throughout its continued operation. Before organizations implement any form of security monitoring, it is important that they understand the scope of what they need to monitor and how they will go about achieving their monitoring goals. Once established, using any combination of analytical techniques to monitor acceptable and unacceptable behaviour will improve detection capabilities to identify events and/or incidents before they intensify.

This article was sourced in part from the book by Jason Sachowski, titled "Implementing Digital Forensic Readiness: From Reactive To Proactive Process," available now at the Elsevier Store and other international retailers.

Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group.

Throughout his career at Scotiabank, he has been responsible for digital investigations, ...

Cisco Patches Zero-Day Firewall Flaw Exposed In Equation Group Hack

ShadowBrokers dump of Equation Group exploits uncovers a previously unknown security hole as well as a known one. Cisco Systems yesterday released a security alert on flaws in its ASA and PIX firewalls that were publicly exposed via the recent online leak of files from the Equation Group (widely believed to be linked to the US National Security Agency). The so-called ShadowBrokers group, thought by many experts to be a Russian-backed entity, is holding an online auction of Equation Group exploits. The first flaw is a previously unknown one.

Cisco in its security advisory said the ASA SNMP Remote Code Execution vulnerability (CVE-2016-6366) is a "buffer overflow in the affected code area" that an intruder could use to execute arbitrary code remotely or to cause a reload of the system. Exploiting it requires sending crafted SNMP packets to an interface configured for SNMP and, for SNMP v1 and v2c, knowing the community string, so restricting SNMP to trusted management hosts limits exposure until the fix is applied. The second flaw, one Cisco first announced in 2011, is an ASA CLI Remote Code Execution vulnerability (CVE-2016-6367) that could allow an authenticated local attacker to invoke invalid commands on an affected device and launch a denial-of-service attack or execute arbitrary code. For more information, see Cisco's advisory. Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

For more information from the original source of the news item, please follow the link provided in this article.


SWIFT Ignored Lax Security In Smaller Member Banks, Say Officials

Former and current SWIFT managers admit security of customer terminals was not addressed, says Reuters report. A special report by Reuters reveals that for years SWIFT was aware of vulnerabilities in the security of smaller banks, which are part of the global messaging group, but neglected it.
Some former and current SWIFT officials have admitted the organization did not monitor the security of customer terminals, leaving it up to bank regulators. "They were focusing on other things, and not about the fundamental, sacred role of SWIFT, which is the security and reliability of the system," former CEO Leonard Schrank told Reuters. Large banks traditionally take adequate care of computer security at their end, but it is the smaller banks which pose a threat, says the news agency. SWIFT, however, denied the charge: "Today's security threats are not the same threats the industry faced five or ten years ago – or even a year ago – and like any other responsible organization we adapt as the threat changes."


Spam and phishing in Q2 2016

Spam: quarterly highlights

The year of ransomware in spam

Although the second quarter of 2016 has only just finished, it's safe to say that this is already the year of ransomware Trojans.

By the end of Q2 there was still a large number of emails with malicious attachments, most of which download ransomware in one way or other to a victim’s computer. However, in the period between 1 June and 21 June the proportion of these emails decreased dramatically. The majority of malicious attachments were distributed in ZIP archives.

The decline can therefore be clearly seen in the following graph showing spam with ZIP attachments that arrived in our traps:

Figure: Number of emails with malicious ZIP archives, Q2 2016

In addition to the decline, June saw another interesting feature: this sort of spam was not sent out on Saturdays or Sundays. The same situation could be observed in KSN: the number of email antivirus detections dropped sharply on 1 June and grew on 22 June.

Figure: Number of email antivirus detections by day, Q2 2016

This decline was caused by a temporary lull in activity by the Necurs botnet, which is mostly used to distribute this type of malicious spam.

After the botnet resumed its activity, the spam email template changed, and the malicious attachments became even more sophisticated. As in the previous quarter, the spam messages were mainly notifications about bills, invoices or price lists that were supposedly attached to the email.

The attachments actually contained a Trojan downloader written in JavaScript, and in most cases the malware loaded the Locky encryptor. For example, some emails (see the screenshot above) contained an attachment with a Trojan downloader. When run, it downloaded Trojan-Ransom.Win32.Locky.agn, which encrypts the data on a victim's computer and demands a ransom, to be paid in bitcoin.

Obfuscation

The second quarter saw spammers continue to mask links using various Unicode ranges designed for specific purposes.

This tactic became especially popular in 2015 and is still widely used by spammers. The link in this example looks like this: If you convert the domain from UTF-8 into the more familiar HTML character references, it becomes .

The characters, which look quite ordinary, in fact belong to the Mathematical Alphanumeric Symbols Unicode block (U+1D400 to U+1D7FF), which is meant for mathematical formulas and is not intended for use in plain text or hyperlinks.

The dot in the domain is also unusual: it is the fullwidth full stop (U+FF0E) that belongs to East Asian (CJK) fullwidth typography, not the ordinary ASCII full stop.
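The folding that makes such a link work can be reproduced with .NET's Unicode normalization, which is also a practical way to flag these domains in a mail filter. The script below is an added example, not from the Kaspersky report: it builds a stand-in domain out of Mathematical Bold letters and a fullwidth full stop (the report's actual domain is not shown here, so the label "example" is constructed), lists every non-ASCII code point with its block, and shows that NFKC normalization collapses the whole thing to a plain ASCII domain. The function names are this example's own.

```powershell
# Added example, not from the Kaspersky report. Builds a look-alike domain from the
# Mathematical Alphanumeric Symbols block plus a fullwidth full stop, lists the odd code
# points, and shows how compatibility normalization folds it back to plain ASCII.
# The label "example" is a constructed stand-in; the report's real domain is not shown.

function ConvertTo-MathBold([string]$Ascii) {
    # Mathematical Bold small letters occupy U+1D41A..U+1D433 (a..z); anything else passes through.
    -join ($Ascii.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if ($c -ge 97 -and $c -le 122) { [char]::ConvertFromUtf32(0x1D41A + ($c - 97)) } else { [string]$_ }
    })
}

function Get-NonAsciiCodePoints([string]$Text) {
    # Walk the string by code point: astral characters are surrogate pairs in .NET strings,
    # so a plain ToCharArray() would report two meaningless halves instead of one letter.
    $i = 0
    while ($i -lt $Text.Length) {
        $cp = [char]::ConvertToUtf32($Text, $i)
        $width = 1
        if ([char]::IsSurrogatePair($Text, $i)) { $width = 2 }
        if ($cp -gt 0x7F) {
            $block = 'other'
            if ($cp -ge 0x1D400 -and $cp -le 0x1D7FF) {
                $block = 'Mathematical Alphanumeric Symbols'
            } elseif ($cp -ge 0xFF00 -and $cp -le 0xFFEF) {
                $block = 'Halfwidth and Fullwidth Forms'
            }
            [PSCustomObject]@{
                CodePoint = ('U+{0:X4}' -f $cp)
                Category  = [char]::GetUnicodeCategory($Text, $i)
                Block     = $block
            }
        }
        $i += $width
    }
}

function Test-ConfusableHost([string]$HostName) {
    # NFKC maps <font> (math letters) and <wide> (fullwidth punctuation) compatibility
    # characters to their ASCII base forms. IDNA/UTS #46 applies the same mapping before a
    # browser resolves the name, which is why the masked link still reaches the real site.
    $folded    = $HostName.Normalize([Text.NormalizationForm]::FormKC)
    $asciiOnly = ($folded -match '^[\x00-\x7F]+$')
    [PSCustomObject]@{
        Original   = $HostName
        Folded     = $folded
        Suspicious = ($HostName -ne $folded) -and $asciiOnly   # non-ASCII that folds to ASCII = look-alike
        NonAscii   = @(Get-NonAsciiCodePoints $HostName)
    }
}

$fake   = (ConvertTo-MathBold 'example') + [char]0xFF0E + 'com'
$result = Test-ConfusableHost $fake
$result | Format-List Original, Folded, Suspicious
$result.NonAscii | Format-Table -AutoSize
```

The useful signal for filtering is the combination the Suspicious field captures: a hostname that contains non-ASCII characters yet normalizes to pure ASCII has no legitimate reason to be written that way. Genuine internationalized domains fail the second half of that test, so they are not caught by it.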

The rest of the hyperlink, as well as the rest of the text in these spam messages, is written using the Latin alphabet.

Spam in APT attacks

In Q2, we came across a number of APT attacks in the corporate sector (the pattern is now usually called business email compromise).

Emails were made to look as if they came from representatives of the targeted company, and contained a request to immediately transfer money to a specific account.

The text was fairly plausible and hinted at a personal acquaintance and previous communication.
In some cases, the emails included the logo of the attacked company.

All the messages conveyed a sense of urgency ("ASAP", "urgent", "must be completed today"); scammers often use this trick in an attempt to catch people off guard, so that they act rather than think. Below is an example:

Hello NNNNN,
How are you doing! Are you available at the office? I need you to process an overdue payment that needs to be paid today.
Thanks,
XXXXX

The emails were sent selectively, to individual employees, usually connected to the finance department.

The knowledge shown by the scammers suggests the attack was carefully prepared. The most suspicious aspect of the attack was the domain used in the 'From' field, myfirm.moby, which differed from the corporate one. Perhaps the attackers hope that some email clients only show the sender's name by default, while concealing the address. It is not that difficult to write any domain in the 'From' field (SMTP itself does not verify it; only SPF, DKIM and DMARC checks on the receiving side can), and in the future we can expect more well-prepared attacks.

Sporting events in spam

Spam mailings exploiting real-life events have long been an integral part of junk email.
Sporting events are not as popular among spammers as political events, although their use is increasing with every year.

There is a continuous stream of emails mentioning various political figures, while sport-related spam messages usually only appear in the run-up to an event. However, we have noticed that mass mailings can now be launched long before an event starts.

For instance, emails exploiting the Olympic Games in Brazil were discovered over a year ago, in the second quarter of 2015.

The majority of them were fraudulent emails designed to trick recipients and steal their personal information and money. The classic scenario involves false notifications about lottery wins related to 2016 Olympics.

The messages claim that the lottery was held by the official organizers of the games and the recipient was selected at random from millions of addresses.
In order to claim the cash, the recipient has to reply to the email and provide some personal information. The text of the message was often contained in an attached file (.pdf, .doc, .jpg), while the body of the message only displayed a short text prompting the recipient to open the attachment. There were also more traditional messages where the spammer text was included directly in the body of the message. In addition to fraudulent messages, advertising spam was also sent out.

Unlike the Olympics, football tournaments have long been used by scammers to grab people's attention. Q2 2016 saw the long-awaited UEFA European Championship, and in the run-up to the tournament spam traffic included fake notifications of lottery wins.

The content was no different from that dedicated to the Olympic Games, and the emails also contained attachments explaining why the message was sent. The football theme was also exploited by ‘Nigerian’ scammers.

They sent out emails supposedly on behalf of the former FIFA president, and used the infamous corruption scandal associated with his name to make their messages look more realistic.

They believed that a fabricated story about how Sepp Blatter had supposedly received money and secretly transferred it to an account in a European bank would not arouse suspicion.
In return for keeping the money in their bank accounts, the recipients were promised a 40% cut of the total sum. In order to convince recipients that the message was genuine, the authors even went to the trouble of using the correct name and domain in the 'From' field.

US politicians in spam

The presidential election campaign is now in full swing in the United States, and the nominees and their entourages are under close media scrutiny. Of course, spammers couldn't resist using the names of high-profile politicians in their advertising and fraudulent emails.

For example, numerous ‘Nigerian’ letters were sent in the name of current president Barack Obama and his wife Michelle.
In their ‘official’ emails, the ‘President’ and the ‘First lady’ assured the recipient that a bank card or a check for a very large sum of money had already been issued in their name.

The only thing the recipient had to do was complete some formalities, and the money would be delivered shortly afterwards.
In order to get the instructions from the White House the recipient had to send some personal information, including their email address and the password for their email account, as well as detailed passport information to spoofed email addresses.

Another politician whose name regularly cropped up in spam was Donald Trump, one of the contenders for the US presidency.
Spammers offered a unique Trump technique for earning money online: anyone who wanted to know how to get rich, had to click a link in the emails which were designed to look like news reports from CNN and Fox News. The links led to fake news sites also in the style of major media outlets and news networks.

The sites contained a story about a simple method for earning money – the publication of links, which is basically another kind of spam distribution.
In order to participate in the program, a user had to register by providing their phone number and email address.

Statistics

Proportion of spam in email traffic

Figure: Percentage of spam in global email traffic, Q2 2016

The largest percentage of spam in the second quarter – 59.46% – was registered in May and was 3 p.p. more than in April.

The average percentage of spam in global email traffic for Q2 amounted to 57.25%.

Sources of spam by country

Figure: Sources of spam by country, Q2 2016

In Q2 2016, the biggest three sources of spam remained the same as in the previous quarter – the US (10.79%), Vietnam (10.10%) and India (10.01%). However, the figures for each country changed: the gap between them narrowed to within a single percentage point. China (6.52%) moved up to fourth with an increase of 1.43 p.p. compared to Q1. Mexico (4.55%) came fifth, followed by Russia (4.07%) and France (3.60%).

Brazil (3.28%), which was fourth in the previous quarter, lost 2.2 p.p. and dropped to eighth place.

Germany (2.97%) and Turkey (2.30%) completed the TOP 10.

Spam email size

Figure: Breakdown of spam emails by size, Q1 and Q2 2016

Traditionally, the most commonly distributed emails are very small – up to 2 KB (72.26%), although the proportion of these emails dropped by 9.6 p.p. compared to the previous quarter. Meanwhile, the share of emails sized 10-20 KB increased by 6.76 p.p.

The other categories saw minimal changes.

Malicious email attachments

Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications.
So we have decided to turn to the more informative statistics of the TOP 10 malware families.

TOP 10 malware families

The three most popular malware families remained unchanged from the previous quarter – Trojan-Downloader.JS.Agent (10.45%), Trojan-Downloader.VBS.Agent (2.16%) and Trojan-Downloader.MSWord.Agent (1.82%). The Trojan.Win32.Bayrob family moved up to fourth place (1.68%), while the Backdoor.Win32.Androm family fell from fourth to ninth place with 0.6%.

Figure: TOP 10 malware families in Q2 2016

A newcomer to this ranking was the Trojan.Win32.Inject family (0.61%).

The malicious programs from this family embed their code in the address space of other processes. The Trojan-Spy.HTML.Fraud family (0.55%) rounded off the TOP 10 in Q2 2016.

Countries targeted by malicious mailshots

Figure: Distribution of email antivirus verdicts by country, Q2 2016

Germany (14.69%) topped the ranking of countries targeted by malicious mailshots, although its share decreased 4.24 p.p.
It was followed by China (13.61%) whose contribution grew 4.18 p.p. Japan (6.42%) came third after ending the previous quarter in seventh with a share of 4.29%. Fourth place was occupied by Brazil (5.57%).
Italy claimed fifth with a share of 4.9% and Russia remained in sixth (4.36%). The US (4.06%) was the seventh most popular target of malicious mailshots.

Austria (2.29%) rounded off this TOP 10.

Phishing

In Q2 2016, the Anti-Phishing system was triggered 32,363,492 times on the computers of Kaspersky Lab users, which is 2.6 million less than the previous quarter. Overall, 8.7% of unique users of Kaspersky Lab products were attacked by phishers in Q2 of 2016.

Geography of attacks

The country where the largest percentage of users is affected by phishing attacks was China (20.22%).
In Q2 2016, the proportion of those attacked increased by 3.52 p.p.

Figure: Geography of phishing attacks*, Q2 2015
* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

The percentage of attacked users in Brazil decreased by 2.87 p.p. and accounted for 18.63%, placing the country second in this ranking.

Algeria (14.3%) came third following a 2.92 p.p. increase in its share compared to the previous quarter.

TOP 10 countries by percentage of users attacked:

 1. China           20.22%
 2. Brazil          18.63%
 3. Algeria         14.3%
 4. United Kingdom  12.95%
 5. Australia       12.77%
 6. Vietnam         11.46%
 7. Ecuador         11.14%
 8. Chile           11.08%
 9. Qatar           10.97%
10. Maldives        10.94%

Organizations under attack

The statistics on phishing targets are based on detections of Kaspersky Lab’s heuristic anti-phishing component.
It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab’s databases.
It does not matter how the user attempts to open the page – by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity.

After the security system is activated, a banner is displayed in the browser warning the user about a potential threat.
In Q2 of 2016, the share of the ‘Global Internet portals’ category (20.85%), which topped the rating in the first quarter, decreased considerably – by 7.84 p.p.

The share of the ‘Financial organizations’ category grew 2.07 p.p. and accounted for 46.23%.

This category covers ‘Banks’ (25.43%, +1.51 p.p.), ‘Payment systems’ (11.24%, -0.42 p.p.) and ‘Online stores’ (9.39%, +0.99 p.p.).

Figure: Distribution of organizations affected by phishing attacks by category, Q2 2016

The share of attacks on the ‘Social networking sites’ category increased by 2.65 p.p. and reached 12.4%.

The ‘Online games’ category was also attacked more often (5.65%, +1.96 p.p.). Meanwhile, the ‘Telephone and Internet service providers’ (4.33%) and the ‘IMS’ (1.28%) categories lost 1.17 p.p. and 2.15 p.p. respectively.

Hot topics this quarter

The Olympics in Brazil

For a number of years now Brazil has been among the countries with the highest proportion of users targeted by phishing.
In 2015 and 2016 phishers have focused on the Rio Olympic Games in Brazil. Last quarter showed that as well as ordinary users, the potential victims of phishing included the organizers of the Olympic Games. The Olympic theme remained popular in Q2, with phishers working overtime to send out fake notifications about big cash wins in a lottery that was supposedly organized by the Brazilian government and the Olympic Committee.

‘Porn virus’ for Facebook users

Facebook users are often subjected to phishing attacks.

During one attack in the second quarter, a provocative video was used as bait.

To view it, the user was directed to a fake page imitating the popular YouTube video portal, and told to install a browser extension. This extension requested rights to read all the data in the browser, potentially giving the cybercriminals access to passwords, logins, credit card details and other confidential user information.

The extension also distributed more links on Facebook that directed to itself, but which were sent using the victim’s name.

Phisher tricks

Compromising domains with good reputation

To bypass security software filters, fraudsters try to place phishing pages on domains with good reputations.

This significantly reduces the probability of them being blocked and means potential victims are more trusting.

The phishers can strike it big if they can use a bank or a government agency domain for their purposes.
In Q2, we came across a phishing attack targeting the visitors of a popular Brazilian e-commerce site: the fake page was located on the domain of a major Indian bank.

This is not the first time fraudsters have compromised the domain of a large bank and placed their content on it.

Figure: Phishing pages targeting the users of the Brazilian store americanas.com

When trying to purchase goods on the fake pages of the store, the victim is asked to enter lots of personal information. When it’s time to pay, the victim is prompted to print out a receipt that now shows the logo of a Brazilian bank. The domains of state structures are hacked much more frequently by phishers.
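The filter bypass described above, a phishing page placed on a domain with a good reputation, is the reason a reputation list cannot be the only gate in a URL filter. The following Python is an added illustration and is not code from Kaspersky Lab or from this report: it contrasts a naive host-reputation check, which waves a trusted host through, with a triage rule that still looks at the brand named in the URL and at credential-harvesting path tokens, so a fake store page under a bank domain or a login form under a government domain is not silently allowed. The hosts (bank.example, www.gov.example, lojaexemplo.example), the brand keywords and the sample URLs are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed allow-list standing in for a "good reputation" domain list.
TRUSTED_HOSTS = {"bank.example", "www.gov.example", "lojaexemplo.example"}

# Constructed brand table: keyword that identifies a brand -> hosts that
# legitimately serve that brand. Any other host carrying the keyword is suspect.
BRAND_HOSTS = {
    "lojaexemplo": {"lojaexemplo.example", "www.lojaexemplo.example"},
    "bank": {"bank.example"},
}

# Path/query tokens typical of pages that harvest credentials or payment data.
CREDENTIAL_TOKENS = ("login", "signin", "senha", "password", "checkout", "verify")


def naive_reputation_filter(url: str) -> str:
    """The weak gate the report describes: a reputable host is waved through."""
    host = (urlparse(url).hostname or "").lower()
    return "allow" if host in TRUSTED_HOSTS else "review"


def triage(url: str) -> tuple[str, list[str]]:
    """Reputation is recorded as one signal but never overrides the other checks."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    locator = f"{parts.path}?{parts.query}".lower()
    reasons: list[str] = []

    if host in TRUSTED_HOSTS:
        reasons.append("reputable_host")

    # A brand keyword in the host labels or in the path, on a host the brand
    # does not own, is the store-page-on-a-bank-domain pattern from the report.
    for brand, own_hosts in BRAND_HOSTS.items():
        if (brand in host or brand in locator) and host not in own_hosts:
            reasons.append(f"brand_mismatch:{brand}")

    if any(token in locator for token in CREDENTIAL_TOKENS):
        reasons.append("credential_page")

    owns_a_brand = any(host in own for own in BRAND_HOSTS.values())
    if any(r.startswith("brand_mismatch") for r in reasons):
        verdict = "block"
    elif "credential_page" in reasons and not owns_a_brand:
        verdict = "review"  # e.g. a login form under a government domain
    else:
        verdict = "allow"
    return verdict, reasons


# Constructed sample URLs modelled on the cases in the report.
SAMPLE_URLS = [
    "https://bank.example/~promo/lojaexemplo/checkout.php",  # store page on a bank domain
    "https://lojaexemplo.example/checkout",                  # the store's own checkout
    "http://www.gov.example/images/login/verify.html",       # login page on a government domain
    "https://lojaexemplo.example.attacker.example/login",    # brand used as a leading label
    "https://news.example/article/42",                       # unrelated page
]


def compare(urls: list[str]) -> list[tuple[str, str, str]]:
    """Return (url, naive verdict, triage verdict) for each URL."""
    return [(u, naive_reputation_filter(u), triage(u)[0]) for u in urls]


if __name__ == "__main__":
    for url, naive, full in compare(SAMPLE_URLS):
        print(f"{naive:7} {full:7} {url}")
```

The point of the two verdict columns is the first sample: the naive filter allows the fake store page because bank.example is trusted, while the triage rule blocks it because the store's brand appears under a host that does not own it. A real deployment would replace the keyword tables with a maintained brand list and add content inspection, but the ordering of the checks is what matters: reputation informs the decision without short-circuiting it.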
In Q2 2016, we registered numerous cases where phishing pages were located on the domains belonging to the governments of various countries. Here are just a few of them:

Figure: Phishing pages located on the domains of government authorities

The probability of these links being placed on blacklists is negligible thanks to the reputation of the domain.

TOP 3 organizations attacked

Fraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. More than half of all detections of Kaspersky Lab’s heuristic anti-phishing component fall on phishing pages hiding behind the names of fewer than 15 companies. The TOP 3 organizations attacked most frequently by phishers accounted for 23% of all phishing links detected in Q2 2016.

   Organization   % of detected phishing links
1  Microsoft      8.1
2  Facebook       8.03
3  Yahoo!         6.87

In Q2 2016, this TOP 3 ranking saw a few changes. Microsoft was the new leader with 8.1% (+0.61 p.p.), while Facebook (8.03%, +2.32 p.p.) came second.

The share of attacks targeting Yahoo! (6.87%) fell 1.46 p.p., leaving last quarter’s leader in third. Q2 leader Microsoft is included in the ‘Global Internet portals’ category because the user can access a variety of the company’s services from a single account.

This is what attracts the fraudsters: in the event of a successful attack, they gain access to a number of services used by the victim.

Figure: Example of phishing on Live.com, a Microsoft service

Conclusion

In the second quarter of 2016, the proportion of spam in email traffic increased insignificantly – by 0.33 p.p. – compared to the previous quarter and accounted for 57.25%.

The US remained the biggest source of spam.

As in the previous quarter, the top three sources also included Vietnam and India.

Germany was once again the country targeted most by malicious mailshots, followed closely by China. Japan, which was seventh in the previous quarter’s ranking, completed the TOP 3 in Q2.

Trojan-Downloader.JS.Agent remained the most popular malware family distributed via email. Next came Trojan-Downloader.VBS.Agent and Trojan-Downloader.MSWord.Agent.

A significant amount of malicious spam was used to spread ransomware Trojans such as Locky.

For almost a month, however, cybercriminals did not distribute their malicious spam, but then the Necurs botnet began working again. We don’t expect to see any significant reduction in the volume of malicious spam in the near future, although there may be changes in email patterns, the complexity of the malware, as well as the social engineering methods used by attackers to encourage a user to launch a malicious attachment.

The focus of phishing attacks shifted slightly from the ‘Global Internet portals’ to the ‘Financial organizations’ category. The theme of the Olympic Games was exploited by both phishers and spammers to make users visit fake pages with the aim of acquiring their confidential information or simply to get their money. Events in the political arena, such as the presidential election in the US, also attracted spammers, while the sites of government agencies were compromised in phishing attacks.

As we can see, the overriding trend of the quarter is that of fraud and making quick money from victims using direct methods such as Trojan cryptors that force unprotected users to pay a ransom, or phishing attacks that target financial organizations, rather than long drawn-out scams.

All of this once again highlights the need for both comprehensive protection on computers and increased vigilance by Internet users.