Thursday, August 17, 2017

Tag: Adsense

In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae.
In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.

Mobile malware evolution 2016

In 2016, the growth in the number of advertising Trojans capable of exploiting super-user rights continued.

Throughout the year it was the No. 1 threat, and we see no sign of this trend changing.

Financial cyberthreats in 2016

In 2016 we continued our in-depth research into the financial cyberthreat landscape. We've noticed over the last few years that large financial cybercriminal groups have started to concentrate their efforts on targeting large organizations – such as banks, payment processing systems, retailers, hotels and other businesses where POS terminals are widely used.
Kaspersky Security Bulletin 2016

Introduction

If they were asked to sum up 2016 in a single word, many people around the world – particularly those in Europe and the US – might choose the word ‘unpredictable’. On the face of it, the same could apply to cyberthreats in 2016: the massive botnets of connected devices that paralysed much of the Internet in October; the relentless hacking of high-profile websites and data dumps; the SWIFT-enabled bank heists that stole billions of dollars, and more. However, many of these incidents had in fact been predicted, sometimes years ago, by the IT security industry, and the best word for them is probably ‘inevitable’.

For cyberthreats, 2016 was the year when “sooner or later” became “now”.

Most of all, in 2016, ransomware continued its relentless march across the world – with more new malware families, more modifications, more attacks and more victims. However, there are rays of hope, including the new, collaborative No More Ransom initiative. Kaspersky Lab has designated the revolution in ransomware its Story of the Year for 2016 and you can read more about its evolution and impact here.

Elsewhere on the cybersecurity landscape, targeted cyberespionage attacks, financial theft, ‘hacktivism’ and vulnerable networks of connected devices all played their part in what has been a tense and turbulent year.

This Executive Summary provides an overview of the top threats and statistics for 2016. Full details are included in the accompanying Review & Statistics. It also considers what these threats mean to organisations trying to spot a breach or cyberattack. How ready are businesses to proactively prevent and mitigate a cyberthreat? What can be done to help them?

Six things we learned this year that we didn’t know before

1. That the underground economy is more sophisticated and bigger than ever: xDedic – the shady marketplace

In May, we uncovered a large, active cybercriminal trading platform, called xDedic. xDedic listed and facilitated the buying and selling of hacked server credentials. Around 70,000 compromised servers were on offer – although later evidence suggests that there could have been as many as 176,000 – located in organisations around the world. In most cases, the legitimate owners had no idea that one of their servers, humming away in a back room or data center, had been hijacked and was being passed from criminal to criminal. xDedic is not the first underground marketplace, but it is evidence of the growing complexity and sophistication of the black market economic ecosystem.

“xDedic is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors.” – GReAT

2. That the biggest financial heist did not involve a stock exchange: the SWIFT-enabled transfers

One of the most serious attacks in 2016 was that using the inter-bank network, SWIFT (Society for Worldwide Interbank Financial Telecommunication). In February 2016, hackers used the SWIFT credentials of Bangladesh Central Bank employees to send fraudulent transaction requests to the Federal Reserve Bank of New York, asking it to transfer millions of dollars to various bank accounts in Asia. The hackers were able to get $81 million transferred to the Rizal Commercial Banking Corporation in the Philippines and an additional $20 million to Pan Asia Banking. The campaign was cut short when the bank spotted a typo in one of the transfer requests. You can read the story here. In the following months, further bank attacks using SWIFT credentials came to light.

Following the theft of $100 million many banks were forced to improve their authentication and SWIFT software update procedures.

3. That critical infrastructure is worryingly vulnerable: the BlackEnergy attacks

BlackEnergy deserves a place in this list even though, strictly speaking, it took place at the end of 2015. However, it was only in early 2016 that the full effect of the BlackEnergy cyber-attack on the Ukrainian energy sector became clear. The attack was unique in terms of the damage it caused. This included disabling the power distribution system in Western Ukraine, wiping software on targeted systems and unleashing a Distributed Denial of Service (DDoS) attack on the technical support services of affected companies. Kaspersky Lab has supported the investigation into BlackEnergy since 2010, with, among other things, an analysis of the tool used to penetrate the target systems. You can find our 2016 report here.

The BlackEnergy cyberattack on the Ukrainian energy sector revealed the vulnerability of critical infrastructures worldwide.

To help organizations working with industrial control systems (ICS) to identify possible points of weakness, Kaspersky Lab experts have conducted an investigation into ICS threats. Their findings are published in the Industrial Control Systems Threat Landscape report.

4. That a targeted attack can have no pattern: the ProjectSauron APT

In 2016 we discovered the ProjectSauron APT: a likely nation-state backed cyberespionage group that has been stealing confidential data from organisations in Russia, Iran and Rwanda – and probably other countries – since June 2011. Our analysis uncovered some remarkable features: for example, the group adopted innovative techniques from other major APTs, improving on their tactics in order to remain undiscovered. Most importantly of all: tools are customized for each given target, reducing their value as Indicators of Compromise (IoCs) for any other victim. An overview of the methods available to deal with such a complex threat can be found here.
ProjectSauron’s pattern-less spying platform has far-reaching implications for some basic principles of threat detection.

5. That the online release of vast volumes of data can be an influential tactic: ShadowBrokers and other data dumps

2016 saw a number of remarkable online data dumps. The most famous is probably that by a group calling itself the ShadowBrokers. On August 13, they appeared online claiming to possess files belonging to the ultimate APT predator, the Equation Group. Our research suggests there are similarities between the data dumped by ShadowBrokers and that used by the Equation Group. The initial data dump included a number of unreported zero-days, and there have been further dumps in recent months. The long-term impact of all this activity is unknown, but it has already revealed the huge and rather worrying influence such data dumps can potentially have on public opinion and debate.

In 2016 we also witnessed data breaches at beautifulpeople.com, Tumblr, the nulled.io hacker forum, Kiddicare, VK.com, Sage, the official forum of DotA 2, Yahoo, Brazzers, Weebly and Tesco Bank – for motives ranging from financial gain to personal reputation blackmail.

A LinkedIn hack made public in 2016 revealed over a million uses of the password ‘123456’.

6. That a camera could be part of a global cyber-army: the insecure Internet of Things

Connected devices and systems, from homes and vehicles to hospitals and smart cities, exist to make our lives safer and easier. However, many were designed and manufactured without much thought for security – and sold to people who underestimated the need to protect them with more than default factory security settings.

The risk of connecting everything without proper safeguards – after 2016, need we say more?

As the world now knows, all these millions of insecure connected devices represent a powerful temptation to cybercriminals.
In October, attackers used a botnet of over half a million internet-connected home devices to launch a DDoS attack against Dyn – a company that provides DNS services to Twitter, Amazon, PayPal, Netflix and others. The world was shocked, but warnings about unstable IoT security have been around for a long time. For example, in February, we showed how easy it was to find a hospital, gain access to its internal network and take control of an MRI device – locating personal data about patients and their treatment procedures and obtaining access to the MRI device file system. In April, we published the results of our research into, among other things, the vulnerability of city traffic sensors and smart ticket terminals.

Manufacturers need to work with the security industry to implement ‘security-by-design’.

Other top threats

Inventive APTs

At least 33 countries were targeted by APTs reported on by Kaspersky Lab.

In February, we reported on Operation Blockbuster, a joint investigation by several major IT security companies into the activities of the Lazarus gang, a highly malicious entity responsible for data destruction. The Lazarus group is believed to have been behind the attack on Sony Pictures Entertainment in 2014.

Adwind is a cross-platform, multi-functional RAT (Remote Access Tool) distributed openly as a paid service, where the customer pays a fee in return for use of the malicious software. It holds the dubious distinction of being one of the biggest malware platforms currently in existence, with around 1,800 customers in the system by the end of 2015.
Adwind’s malware-for-rent had a customer base of 1,800.

APTs everywhere continued to make the most of the fact that not everyone promptly installs new software updates – in May we reported that at least six different groups across the Asia-Pacific and Far East regions, including the newly discovered Danti and SVCMONDR groups, were exploiting the CVE-2015-2545 vulnerability. This flaw enables an attacker to execute arbitrary code using a specially-crafted EPS image file. A patch for the vulnerability was issued back in 2015.

Over six APT groups used the same vulnerability – patched back in 2015.

New zero-days

Zero-days remained a top prize for many targeted attackers. In June, we reported on a cyber-espionage campaign launched by a group named ScarCruft and code-named Operation Daybreak, which was using a previously unknown Adobe Flash Player exploit (CVE-2016-1010). Then in September we discovered a Windows zero-day, CVE-2016-3393, being used by a threat actor known as FruityArmor to mount targeted attacks. In all, new Kaspersky Lab technologies designed to identify and block such vulnerabilities helped us to uncover four zero-days in 2016. The other two are an Adobe Flash vulnerability, CVE-2016-4171, and a Windows EoP (Escalation of Privilege) exploit, CVE-2016-0165.

The hunt for financial gain

Tricking people into either disclosing personal information or installing malware that then seizes the details for their online bank account remained a popular and successful option for cyber-thieves in 2016. Kaspersky Lab solutions blocked attempts to launch such malware on 2,871,965 devices. The share of attacks targeting Android devices increased more than four-fold.

A third of banking malware attacks now target Android devices.

Some APT groups were also more interested in financial gain than cyberespionage.
For example, the group behind Metel infiltrated the corporate network of banks in order to automate the roll-back of ATM transactions: gang members could then use debit cards to repeatedly steal money from ATMs without ever affecting the balance on the card. At the end of 2016 this group remains active.

Metel launched targeted attacks on banks – then sent teams to ATMs at night to withdraw the cash.

In June, Kaspersky Lab supported the Russian police in their investigation into the Lurk gang. The collaboration resulted in the arrest of 50 suspects allegedly involved in creating networks of infected computers and the theft of more than 45 million dollars from local banks, other financial institutions and commercial organizations. During the investigation, researchers spotted that users attacked by Lurk had the remote administration software Ammyy Admin installed on their computers. This led to the discovery that the official Ammyy Admin website had most probably been compromised, with the Trojan being downloaded to users’ computers along with the legitimate Ammyy Admin software.

The takedown of the Lurk gang was the largest ever arrest of hackers in Russia.

The ultimate vulnerability: people

2016 also revealed that targeted attack campaigns don’t always need to be technically advanced in order to be successful. Human beings – from hapless employees to malicious insiders – often remained the easiest access route for attackers and their tools. In July, we reported on a group called Dropping Elephant (also known as ‘Chinastrats’ and ‘Patchwork’). Using high quality social engineering combined with old exploit code and some PowerShell-based malware, the group was able to successfully steal sensitive data from high-profile diplomatic and economic organisations linked to China’s foreign relations.
Dropping Elephant and Operation Ghoul confirmed the fearsome power of high quality social engineering.

Further, Operation Ghoul sent spear-phishing e-mails that appeared to come from a bank in the UAE to top and middle level managers of numerous companies. The messages claimed to offer payment advice from the bank and attached a look-alike SWIFT document containing malware.

“Cybercriminals are using insiders to gain access to telecommunications networks and subscriber data, recruiting disaffected employees through underground channels or blackmailing staff using compromising information gathered from open sources.” – Threat Intelligence Report for the Telecommunications Industry

Mobile advertising

The main mobile threats in 2016 were advertising Trojans able to obtain ‘root’ or superuser rights on an infected Android device – a level of access that allowed them to do pretty much whatever they wanted. This included hiding in the system folder, thereby making themselves almost impossible to delete, and silently installing and launching different apps that aggressively display advertising. They can even buy new apps from Google Play.

22 of the 30 most popular Trojans in 2016 are advertising Trojans – twice as many as in 2015.

Many such Trojans were distributed through the Google Play Store: some of them were installed more than 100,000 times, and one – an infected Pokemon GO Guide app – was installed more than 500,000 times.

Malware distributed through Google Play was downloaded hundreds of thousands of times.

One Android Trojan installed and even updated as a ‘clean’ (malware-free) app before hitting targets with an infected version.
Others, including Svpeng, used the Google AdSense advertising network for distribution.

Further, some Trojans found new ways to bypass Android security features – in particular the screen overlays and the need to request permission before opening a new app – forcing the user to sign over the access rights the Trojan was looking for. Mobile ransomware also evolved to make use of overlays, blocking rather than encrypting data since this is generally backed-up.

To read more on these stories, please download the full annual Review for 2016 here. For an in-depth look at the Statistics for 2016, please register to download the Statistics report here.

The impact on business

The 2016 threat landscape indicates a growing need for security intelligence

The Kaspersky Security Bulletin 2016 highlights the rise of complex and damaging cybersecurity threats, many of which have a far-reaching impact on businesses. This impact is also reflected in our Corporate IT Security Risks Reports (1, 2) based on a 2016 survey of more than 4000 businesses worldwide. Among other things, the survey asked companies about the most crucial metric of incident detection and response: time.

Incident detection time is critical

Previously unreleased findings from the research show that the typical time required to detect an IT Security event is several days – 28.7% of companies said it took them that long to detect a security breach on average.

Chart: Time required to detect an IT security event

Only 8.2% of businesses managed to detect security breaches almost instantly, and for 19.1% of businesses it took several weeks to detect a serious security event. When we asked how they eventually detected a long-standing breach, the replies were revealing.
Going beyond prevention

Chart: Average time frame required to detect a security event, across all security events within the last 12 months

In this chart we combine the average time to discover a security event with the responses we received on how businesses detected a breach. Apparently, businesses that struggle to detect a breach quickly eventually spot them through one or more of the following: an external or internal security audit, or, sadly, notification from a third party. It turns out that for these businesses a security audit of any kind is the best measure of ‘last resort’ to finally bring it to light. But should it be only a last resort?

This is where our report detects an obvious discrepancy between theory and practice. Although 65% of businesses admit that a security audit is an effective security measure, less than half of the companies surveyed (48%) have conducted such an audit in the last 12 months. Further, 52% of companies operate under the assumption that their IT security will inevitably be compromised at some point, although 48% are not ready to accept this. In short: many businesses find a structured detection and response strategy difficult to embrace.

The cost of delay

It is safe to assume that the longer it takes to detect a security breach, the higher the mitigation costs and the greater the potential damage. The results reveal the shocking truth that failure to discover an attack within a few days results in a doubling, or more, of the costs.

Chart: Cost of recovery vs. time needed to discover a security breach for enterprises

For enterprises, an attack undiscovered for a week or more costs 2.77 times that of a breach detected almost instantly. SMBs end up paying 3.8 times more to recover from an incident detected too late. It is clear that better detection significantly reduces business costs. But the implementation of incident detection and response strategies is quite different from ensuring proper prevention.
The latter provides a choice of well-established corporate solutions. The former requires security intelligence, a deep knowledge of the threat landscape, and security talent capable of applying that expertise to the unique specifics of a company. According to our special Corporate IT Security Risks report, businesses that struggle to attract security experts end up paying twice as much for their recovery after an incident.

Kaspersky Lab’s solution: turning intelligence into protection

In 2016 Kaspersky Lab significantly expanded its portfolio with products like Kaspersky Anti-Targeted Attack Platform and security services like Penetration Testing and Threat Data Feeds, all to help meet customer needs for better detection and response. Our plan is to offer security intelligence via any means necessary: with a technology to detect targeted threats, a service to analyze and respond to a security event, and intelligence that helps investigate an issue properly.

We appreciate that, for many businesses, going beyond prevention is a challenge. But even a single targeted attack that is detected early and mitigated rapidly is worth the investment – and increases the chances that the next assault on the corporate infrastructure is prevented outright.
On Monday, the top trending story if you searched Google for "final election vote count 2016" was a fake story on a site called 70News claiming that Donald Trump had won the popular vote, even though he had not. And in the week before the election, Facebook and Google were being criticized about fake news on their sites, which critics believe could have swayed the presidential race's outcome.

Google responded Monday with a pledge to restrict fake news sites from using its AdSense advertising network. Facebook, for its part, updated its policy to clearly state that its advertising ban on deceptive or misleading content applied to fake news. "We do not integrate or display ads in apps or sites containing content that is illegal, misleading or deceptive, which includes fake news," Facebook said in a statement.

And Facebook chief Mark Zuckerberg on Saturday tried to put the kibosh on the idea that Facebook's platform influenced the election. "Of all the content on Facebook, more than 99 percent of what people see is authentic. Only a very small amount is fake news and hoaxes," Zuckerberg said. "The hoaxes that do exist are not limited to one partisan view, or even to politics. Overall, this makes it extremely unlikely hoaxes changed the outcome of this election in one direction or the other."

Still, Google and Facebook are not preventing fake news or hoaxes from appearing on the social networking site or in Google search. Instead, the companies' policies are geared toward trying to reduce the financial incentive for producing fake news. And for Google, it's not just about seeking the truth. Advertisers don't want their wares displayed next to bogus content. "Moving forward, we will restrict ad serving on pages that misrepresent, misstate, or conceal information about the publisher, the publisher's content, or the primary purpose of the web property," Google said in a statement.
Google also has the same policy for pornography or violent content. AdSense vets content with artificial intelligence and humans to ensure compliance.

For its part, Facebook has been hit hard by some who accused the social-media platform of tilting voters in favor of Trump by allowing completely fabricated stories, including one that Trump won the endorsement of Pope Francis, to circulate on the site. The Pew Research Center, meanwhile, in May said that 62 percent of Americans obtain some, or all, of their news on social media—the bulk of it from Facebook.
Google has shut down an operation that combined malicious AdSense advertisements with a zero-day attack exploiting Chrome for Android to force devices to download banking fraud malware. Over a two-month span, the campaign downloaded the Banker.AndroidOS.Svpeng banking trojan on about 318,000 devices monitored by Kaspersky Lab, researchers from the Moscow-based anti-malware provider reported in a blog post published Monday. While the malicious installation files weren't automatically executed, they carried names such as last-browser-update.apk and WhatsApp.apk that were designed to trick targets into manually installing them. Kaspersky privately reported the scam to Google, and engineers from the search company put an end to the campaign, although the timing of those two events wasn't immediately clear.

"So far, those behind Svpeng have limited their attacks to smartphone users in Russia," Kaspersky Lab researchers Nikita Buchka and Anton Kivva wrote in Monday's post. "However, next time they push their 'adverts' on AdSense they may well choose to attack users in other countries; we have seen similar cases in the past. After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?"

A Google spokesman said a fix for the auto-download vulnerability was being tested in Chrome version 54 and was expected to be "live 100%" in version 55. (He didn't respond to a request asking him to elaborate.) He also said an Android security feature known as Verify Apps provided warnings when people tried to install one of the malicious apps. He didn't explain how the malicious advertisements snuck by Google security checks or what company engineers are doing to prevent AdSense from running similar ones in the future.
Last week, researchers from a separate security firm named Cylance disclosed a separate malvertising campaign on Google AdWords that targeted Mac users.

Kaspersky Lab researchers said it was clear from lulls in the campaign that someone or something inside Google detected and removed many of the malicious ads distributing the Svpeng installation files. But even after old ones were expelled, new ones managed to take their place. "The high rates and abrupt changes in the number of detections are easy to explain: Google has been quick to block the ads that the trojan uses for propagation," the researchers wrote. "However, this is a reactive rather than proactive approach—the malicious ads were blocked after the trojan was already on thousands of Android devices. It is also worth noting that there were multiple occasions in the past two months when these ads found their way on to AdSense; similar attacks have been occurring up to the present time, with the most recent attack registered on 19 October 2016."

Monday's report is yet another reminder why it's generally a good idea not to change default Android settings preventing the installation of apps not carried in the official Google Play app bazaar. It also reaffirms the importance of remaining highly skeptical of webpages encouraging users to install files. Google deserves credit for quickly removing malicious ads and creating safety nets such as Verify Apps and a default prohibition on installing third-party apps, but as the Kaspersky Lab researchers point out, these approaches reactively treat the symptoms rather than curing the underlying disease.
Flaw allowing ads to offer dodgy apps won't be fixed for about three weeks

An Android Chrome bug that's already under attack - with criminals pushing banking trojans to more than 300,000 devices - won't get patched until the next release of the mobile browser. The flaw allows malware writers to quietly download Android app installation (.apk) files to devices without requiring approval.

Users need to install the banking trojan apps and tweak settings to allow installation of apps from stores other than Google Play to be infected; however, attackers increased the likelihood of compromise by using the titles of popular Android apps such as Skype, MinecraftPE, and WhatsApp.

Kaspersky researchers Mikhail Kuzin and Nikita Buchka found the flaw last month in a wide-spread campaign across Russian news sites and web properties. Some 37,000 users at the campaign's peak received the malicious .apk files.

While it is unknown when the next Android Chrome version will be released, Google usually sticks to a six week release cycle.
If Google sticks to that timeline, a new edition of the browser should land before December 3rd, 2016. This offers attackers a touch over three weeks to ramp up what Kuzin and Buchka say are likely attacks through AdSense against the rest of the world.

The same attack group has been upgrading and spreading its Svpeng trojan since 2013, including changing its victim base in 2014 to target users in the United States.

The pair acknowledge Google's plan to patch but say its efforts to date to block attacks have been ineffective.

"Google has been quick to block the ads that the trojan uses for propagation; however, this is a reactive rather than a proactive approach [since] the malicious ads were blocked after the trojan was already on thousands of Android devices," the pair say. "It is also worth noting that there were multiple occasions in the past two months when these ads found their way onto AdSense.

"[The] next time they push their adverts on AdSense they (criminals) may well choose to attack users in other countries; we have seen similar cases in the past; After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?"

The attacks fail on all other browsers and would do so on Android Chrome if it were not for some clever file manipulation. Downloaded files are broken into pieces and passed to the save function via the blob() class, which lacks the security integrity checks of the conventional download method.
In early August we detected several cases of a banking Trojan being downloaded automatically when users viewed certain news sites on their Android devices. Later it became apparent that this was being caused by advertising messages from the Google AdSense network, and was not restricted to news sites. In fact, any site using AdSense to display adverts could potentially have displayed messages that downloaded the dangerous Trojan-Banker.AndroidOS.Svpeng and automatically saved it to the device’s SD card. This behavior surprised us: typically, the browser warns users about downloading a potentially dangerous file, and offers them a choice of whether or not to save the file. We intercepted traffic coming from the attacked device when this sort of “advert” was displayed, and figured out how the malicious program was downloaded and automatically saved.

Some statistics

First of all, let’s provide some information about the latest versions of Trojan-Banker.AndroidOS.Svpeng. It is limited to Russia and the CIS (more about this later). Below is a graph showing detections of the Trojan’s latest version – Svpeng.q. And here is the graph for the previous version that was distributed in July 2016, also via AdSense.

As you can see from the graphs, within a two-month period Svpeng was detected on the computers of approximately 318,000 users, with the detection rate peaking at around 37,000 attacked users in one day. The high rates and abrupt changes in the number of detections are easy to explain: Google has been quick to block the ads that the Trojan uses for propagation. However, this is a reactive rather than a proactive approach – the malicious ads were blocked after the Trojan was already on thousands of Android devices. It is also worth noting that there were multiple occasions in the past two months when these ads found their way on to AdSense; similar attacks have been occurring up to the present time, with the most recent attack registered on 12 September 2016.
Now for the juicy part

Let’s look at how the displaying of an ad is related to the automatic download of the APK file containing the Trojan and it being saved to the SD card. Below is the HTTP request that leads to the cybercriminals’ advert being displayed:

In response to this request, the server sends a Javascript script that displays the ad message. However, this script contains a hidden surprise: at the beginning there is some heavily obfuscated code. Let’s look, step by step, at what this code actually does:

1. Declares the variables necessary for operation and deciphers the payload. We can see that the APK file was downloaded in the form of an encrypted array of bytes in the script. Now it just needs to be saved to the SD card.

2. Defines the function that will save the file. The code checks the availability of functions from various browser engines, and if they are unavailable, defines its own function. The object URL and the element <a> (the latter being an HTML notation for a link) are created in this function. The resulting link is assigned the attribute ‘href’ (where the link leads to), and the malicious program emulates a click on this link. This method is not new; quite possibly the Trojan’s creators borrowed it from here, and only added obfuscation and a restriction: the click simulation is only done on touchscreen devices, which for the most part are smartphones.

3. Breaks the decrypted APK file into blocks of 1024 bytes.

4. Sets the handler for a page load event. Handler activation initiates the automatic saving of the APK file to the SD card.

Apart from the extra checks to see if the script runs on the smartphone or not, there is an important check in the code to identify the language used on the device. The attackers only target smartphones with a Russian-language interface – these are typically devices belonging to users in Russia and, to a lesser degree, CIS states.

Where’s the catch?

The method described above only works in Google Chrome for Android.
When an APK file is downloaded via a link leading to an external web resource, the browser displays a warning that a potentially dangerous object is being downloaded, and prompts the user to choose whether or not to save the file. When an APK file is broken down into pieces and handed over to the save function via the Blob() class, there is no check on the type of the content being saved, so the browser saves the APK file without notifying the user.

We notified Google about this browser behavior and that it was being exploited to distribute malicious content. At the time of publishing, a patch had been released that fixed this problem in Google Chrome and will become available to users the next time the browser is updated. In all other browsers, this method either does not work, or the user is asked if they want to save the file or not.

Kaspersky Lab recommends updating Google Chrome to prevent infection by the malware when viewing sites that use AdSense.

Conclusion

Of course, just downloading the Trojan is not enough for it to work; the user also has to install it. To ensure this, the attackers resort to social engineering. The Trojan may be downloaded with any of the following names:

last-browser-update.apk
WhatsApp.apk
Google_Play.apk
2GIS.apk
Viber.apk
DrugVokrug.apk
Instagram.apk
VKontakte.apk
minecraftPE.apk
Skype.apk
Android_3D_Accelerate.apk
SpeedBoosterAndr6.0.apk
new-android-browser.apk
AndroidHDSpeedUp.apk
Android_update_6.apk
WEB-HD-VIDEO-Player.apk
Asphalt_7_Heat.apk
CHEAT.apk
Root_Uninstaller.apk
Mobogenie.apk
Chrome_update.apk
Trial_Xtreme.apk
Cut_the_Rope_2.apk
Установка.apk
Temple_Run.apk

These names imitate the names of popular legitimate apps or try to convince users that the downloaded app is important and has to be installed.
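As an added example (not code from the original article), here is a heuristic scanner a site operator or ad-quality reviewer could run over ad-served script bodies to flag the combination of traits described above: an embedded byte-array payload, Blob and object-URL construction, a synthetic link element that is clicked programmatically, a load-event trigger, and the touchscreen and device-language checks. The indicator names, weights, threshold and both sample scripts are assumptions constructed for this illustration.

```javascript
// Added example, not from the original article: score a script body against
// the traits the article describes. Weights and the threshold are assumptions;
// the low-weight traits are common in legitimate download helpers, so only
// their combination with the high-weight ones should raise an alert.
const INDICATORS = [
  { name: "blob-constructor", weight: 1, re: /new\s+Blob\s*\(/ },
  { name: "object-url",       weight: 1, re: /URL\.createObjectURL\s*\(/ },
  { name: "synthetic-anchor", weight: 1, re: /createElement\s*\(\s*['"]a['"]\s*\)/ },
  { name: "simulated-click",  weight: 1, re: /\.click\s*\(\s*\)|initMouseEvent|dispatchEvent\s*\(/ },
  { name: "load-trigger",     weight: 1, re: /window\.onload|addEventListener\s*\(\s*['"]load['"]/ },
  { name: "touch-check",      weight: 2, re: /ontouchstart|maxTouchPoints/ },
  { name: "language-check",   weight: 2, re: /navigator\.(?:language|userLanguage)/ },
  { name: "apk-filename",     weight: 3, re: /\.apk['"]/i },
  // 64+ comma-separated small integers in one literal: a payload carried as a byte array.
  { name: "embedded-bytes",   weight: 3, re: /\[\s*(?:\d{1,3}\s*,\s*){64,}\d{1,3}\s*\]/ },
];

// A plain download helper (Blob + object URL + anchor + click) scores 4;
// the ad script shape from the article scores far above this.
const ALERT_THRESHOLD = 8;

// Returns { score, hits, suspicious } for one script body given as a string.
function scanScript(source) {
  let score = 0;
  const hits = [];
  for (const ind of INDICATORS) {
    if (ind.re.test(source)) {
      hits.push(ind.name);
      score += ind.weight;
    }
  }
  return { score, hits, suspicious: score >= ALERT_THRESHOLD };
}

// Constructed sample 1: an ordinary CSV export helper that uses the same
// Blob/anchor pattern legitimately.
const BENIGN_SAMPLE = `
function exportCsv(rows) {
  var blob = new Blob([rows.join("\\n")], { type: "text/csv" });
  var url = URL.createObjectURL(blob);
  var a = document.createElement("a");
  a.href = url; a.download = "report.csv"; a.click();
  URL.revokeObjectURL(url);
}`;

// Constructed sample 2: the shape of the ad script described in the article.
// The byte array is made-up filler, not a payload; the file name is one the
// article lists.
const FILLER_BYTES = Array.from({ length: 80 }, (_, i) => (i * 37) % 256).join(",");
const SUSPICIOUS_SAMPLE = `
var d = [${FILLER_BYTES}];
if ("ontouchstart" in window && navigator.language.indexOf("ru") === 0) {
  window.addEventListener("load", function () {
    var b = new Blob([new Uint8Array(d)]);
    var a = document.createElement("a");
    a.href = URL.createObjectURL(b);
    a.download = "last-browser-update.apk";
    a.click();
  });
}`;

// Stand-alone run: print the verdict for both samples.
for (const [label, src] of [["benign", BENIGN_SAMPLE], ["suspicious", SUSPICIOUS_SAMPLE]]) {
  const r = scanScript(src);
  console.log(label, r.score, r.suspicious, r.hits.join(" "));
}
```

The benign sample scores 4 and stays below the threshold; the constructed ad-script sample scores 15 and is flagged, with apk-filename, language-check and embedded-bytes among its hits.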
In the latest versions of Android, installation of apps downloaded from unknown sources is blocked by default, but the cybercriminals are obviously counting on users disabling this setting to install an “important browser update” or a newer version of a popular app that is already on their phone. So far, those behind Svpeng have limited their attacks to smartphone users in Russia. However, next time they push their “adverts” on AdSense they may well choose to attack users in other countries; we have seen similar cases in the past. After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?
With Google goggles on, Chrome security performance outshines other browsers

Two in three web pages served over the world's favourite web browser Chrome are now secured with HTTPS, Google says. The good news applies to Chrome on the desktop and signifies progress in the long-hoped-for decline of insecure cleartext browsing.

Chrome security bods Adrienne Porter Felt and Emily Schechter say that, across all desktop platforms, the majority of Chrome page loads are now made over HTTPS. "More than half of pages loaded and two-thirds of total time spent by Chrome desktop users occur via HTTPS, and we expect these metrics to continue their strong upward trajectory," the pair said.

Free SSL certificate services including those offered by Let's Encrypt, Cloudflare, and Amazon, along with a recent much heightened demand for better information security controls by internet users, have contributed to the rise in SSL. The Google security duo say the sometimes difficult migration to SSL does not impact its DoubleClick, AdWords, or AdSense advertising platforms, nor the search listing rankings of sites that move to the more secure protocol.

Mountain View is also serving sticks with its SSL carrots.

By October 2017 sites that do not conform with its Certificate Transparency initiative will be marked as untrusted within the Chrome browser. The flags will indicate in plain English sites that may be using untrusted certificates and could therefore be home to phishing or malware.
Google has rebutted the European Commission's anti-competitive charges against the ad giant's alleged abuse of dominance in its price comparison, specialised search services, and AdSense businesses. The company—after a number of deadline extensions from Brussels—came out fighting in a blog post penned by Google's chief counsel Kent Walker that was published on Thursday:

"In recent years, we’ve improved the format of our ads to include more informative displays with pictures, prices, and links where you can buy products. Showing more useful ads benefits us, our advertisers, and most of all, you, our users. That’s why we disagree with the European Commission’s argument that our improved Google Shopping results are harming competition."

It claimed that EC antitrust chief Margrethe Vestager's charge on the company favouring its own price comparison and specialised search—or, as Google prefers to describe it, "shopping services"—over its competitors carried too "narrow" a definition, arguing that it excluded the "competitive significance" of Amazon and other players in that market. Walker said:

"Our response demonstrated that online shopping is robustly competitive, with lots of evidence supporting the common-sense conclusion that Google and many other websites are chasing Amazon, by far the largest player on the field."

UK price comparison site Foundem—the original complainant in the EC case against Google, which was formally opened in 2010—said it was disappointed with the multinational's response. It said that "Google continues to publicly defend its anti-competitive search manipulation practices by misrepresenting both the charges it faces and the important differences between 'shopping' and 'shopping comparison'."

Google—to ram home its argument—added that Brussels' case "just doesn’t fit the reality of how most people shop online."
It repeatedly talked about how the ad market is constantly shifting, in comments that appeared to largely ignore the historic nature of some of the EC's charges against Google. "There are hundreds of shopping comparison sites and over the past 10 years, some gained traffic, others lost traffic. Some exited the market, others entered," Walker said. "This kind of dynamic competition is undeniable. Online advertising is evolving rapidly, with companies like Facebook, Pinterest, and many others re-inventing what it means to connect merchants with consumers." He claimed that "a rapidly increasing amount of traffic flowed from our search pages to popular sites like Amazon and eBay as they expanded in Europe."

Foundem countered:

"Unfortunately for Google, its continuing protestations about the flourishing fortunes of Amazon and eBay remain the red herrings they have always been. Google does not (yet) have an eCommerce, auction, or merchant-platform service that competes with Amazon or eBay. Therefore, Google does not (yet) have any incentive to anti-competitively penalise Amazon or eBay in its natural search results, and it does not (yet) have any competing service of its own to anti-competitively favour."

Separately in the same blog post, Google also disputed the commission's charge against its AdSense business tactics—though it didn't flesh out the reasons for its beef with Vestager in that particular case. Similarly, Google said that it would respond in the next few days to the commission's charge against its Android operating system. Presumably, this too will publicly rebut the bloc's competition chief.

The commission is now mulling over Google's responses before it decides on how it might proceed on the three separate charges levelled against the ad giant. If fines are imposed on Google, it faces penalties of up to five percent of its annual turnover for each charge—potentially billions of euros.

This post originated on Ars Technica UK
First it was Mozilla, and now Google is the latest to confirm that encryption is inching closer toward becoming a standard building block for websites and web applications. Google reported yesterday that more than half of pages loaded on desktop versions of the Chrome browser are now loaded over HTTPS.

“Secure web browsing through HTTPS is becoming the norm,” Google said in its Transparency Report, which for the first time now includes HTTPS usage statistics.

Two weeks ago, telemetry from Mozilla showed that, for the first time since it began monitoring, half of all traffic in transit is encrypted.

The number is a 10 percent jump from December 2015. The rise is due in part to the explosion of free Certificate Authorities and SSL certificate services such as those offered by Let’s Encrypt, Cloudflare, Amazon, WordPress and others. Google tracks HTTPS loads across platforms, and regionally worldwide.

As of Oct. 31, Google said, 53 percent of pageloads on Windows systems using Chrome were done over HTTPS; Linux systems were at 57 percent, Mac at 62 percent and Chrome OS at 68 percent. Lagging behind was Android at 42 percent, Google said, but that number is up from 29 percent in March 2015. “As the remainder of the web transitions to HTTPS, we’ll continue working to ensure that migrating to HTTPS is a no-brainer, providing business benefit beyond increased security,” wrote Adrienne Porter Felt and Emily Schechter of the Chrome Security Team. Google rewards HTTPS websites with favorable search rankings over non-encrypted pages, hoping to entice and speed up that transition to an encrypted web.

Google’s researchers also pointed out that ad traffic served over HTTPS is going up, that ads from Google sources such as AdWords, AdSense and others support HTTPS, and that ads sold directly through third-party ad networks must be “HTTPS-friendly,” Google said. To support that movement, Google’s numbers point out that users apparently spend more time on HTTPS pages, 69 percent and 70 percent more time respectively for Windows and Mac users.

Geographically, the U.S. leads the way in HTTPS usage (59 percent) on Windows, with Turkey, Russia, Mexico and others hovering at just more than 50 percent. Japan’s growth, however, is much slower, just 35 percent as of Monday’s numbers.

As for the role of free SSL providers, Let’s Encrypt seems to be at the forefront, adding one million certificates in one week recently, and close to 7 million this year with more large hosting providers ready to switch over soon, said Josh Aas, executive director of the Internet Security Research Group.

“I just love to think about how much data we’re talking about,” Aas recently told Threatpost. “The reality on the ground is there’s a whole bunch of data that’s encrypted now that wouldn’t have been before. Going from 40 percent (39.5 percent when Let’s Encrypt entered its public beta last December) to 50 percent is a massive amount. It’s hard to imagine what 10 percent of daily transfer on the Internet is like.”
Download the full report (PDF)

Statistics

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Q3 figures

According to KSN data, Kaspersky Lab solutions detected and repelled 171,802,109 malicious attacks from online resources located in 190 countries all over the world.

45,169,524 unique URLs were recognized as malicious by web antivirus components.

Kaspersky Lab’s web antivirus detected 12,657,673 unique malicious objects: scripts, exploits, executable files, etc.

Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 1,198,264 user computers.

Crypto ransomware attacks were blocked on 821,865 computers of unique users.

Kaspersky Lab’s file antivirus detected a total of 116,469,744 unique malicious and potentially unwanted objects.

Kaspersky Lab mobile security products detected:
- 1,520,931 malicious installation packages;
- 30,167 mobile banker Trojans (installation packages);
- 37,150 mobile ransomware Trojans (installation packages).

Mobile threats

Q3 events

Pokémon GO: popular with users and hackers

One of the most significant events of the third quarter was the release of Pokémon GO. Of course, cybercriminals could not ignore such a popular new product and tried to exploit the game for their own purposes. This was primarily done by adding malicious code to the original app and spreading malicious versions via third-party stores. This method was used, for example, to spread Trojan-Banker.AndroidOS.Tordow, which exploits vulnerabilities in the system to obtain root access to a device.
With root access, this Trojan protects itself from being deleted, and it can also steal saved passwords from browsers.

But perhaps the most notable case of Pokémon GO’s popularity being used to infect mobile devices involved fraudsters publishing a guide for the game in the official Google Play store. The app turned out to be an advertising Trojan capable of gaining root access to a device by exploiting vulnerabilities in the system. We later came across two more modifications of this Trojan, which were added to Google Play under the guise of different apps. According to Google Play data, one of them, imitating an equalizer, was installed between 100,000 and 500,000 times.

Trojan.AndroidOS.Ztorg.ad in the official Google Play store

Interestingly, one of the methods used by the cybercriminals to promote the Trojan was a company that pays users for the installation of advertising apps.

Screenshot of the app that prompts the user to install the Trojan for 5 cents

According to this company’s rules, it doesn’t work with users whose devices have root access. The users may be looking to earn some money, but they end up with an infected device and don’t actually receive any money, because after infection the device gains root access.

Ad with a Trojan

The most popular mobile Trojan in the third quarter of 2016 was Trojan-Banker.AndroidOS.Svpeng.q. During the quarter, the number of users attacked by it grew almost eightfold. Over 97% of users attacked by Svpeng were located in Russia. The attackers managed to make the Trojan so popular by advertising it via Google AdSense – one of the most popular advertising networks on the Russian Internet. Many popular sites use it to display targeted advertising. Anyone can pay to register their ad on the network, and that was exactly what the attackers did. Along with the advert, however, they added the AdSense Trojan. When a user visited the page with the advert, Svpeng was downloaded to their device.
Bypassing protection mechanisms in Android 6

In our report for the second quarter of 2016 we mentioned the Trojan-Banker.AndroidOS.Asacub family that can bypass several system controls. Of special note this quarter is the Trojan-Banker.AndroidOS.Gugi family that has learned to bypass the security mechanisms introduced in Android 6 by tricking the user. The Trojan first requests rights to overlay other applications, and then uses those rights to trick the user into giving it privileges to work with text messages and to make calls.

Trojan ransomware in the Google Play store

In the third quarter, we registered the propagation of Trojan-Ransom.AndroidOS.Pletor.d, a mobile ransomware program, via Google Play. The Trojan imitated an app for servicing devices, including deleting unnecessary data, speeding up device performance and even antivirus protection.

Trojan-Ransom.AndroidOS.Pletor.d in Google Play

The Trojan checks which country the device is located in, and if it is not Russia or Ukraine, it requests administrator rights and calls the command server. Earlier versions of this Trojan encrypted user data, but this modification doesn’t possess such functionality. Instead, the Trojan blocks operation of the device by opening a window that covers all other open windows and demanding a ransom to unblock it.

Mobile threat statistics

In Q3 2016, Kaspersky Lab detected 1,520,931 malicious installation packages, which is 2.3 times fewer than in the previous quarter.

Number of detected malicious installation packages (Q4 2015 – Q1 2016)

Distribution of mobile malware by type

Distribution of new mobile malware by type (Q2 2016 and Q3 2016)

In Q3 2016, RiskTool software, or legitimate applications that are potentially dangerous to users, topped the rating of malicious objects detected for mobile devices. Their share continued to grow from 45.1% in Q2 to 55.8% this quarter.
Due to the large number of RiskTool programs and the considerable increase in their overall share of the total flow of detected objects, the proportion of almost all other types of malicious programs decreased, even where the actual number of detected programs increased compared to the previous quarter. The most affected was Trojan-Ransom – its share decreased from 5.72% to 2.37%. This was caused by a decline in activity by the Trojan-Ransom.AndroidOS.Fusob family (covered in more detail below). At the same time, we registered a slight growth in the share of Trojan-Bankers – from 1.88% to 1.98%.

TOP 20 mobile malware programs

Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

     Name                                  % of attacked users*
 1   DangerousObject.Multi.Generic         78.46
 2   Trojan-Banker.AndroidOS.Svpeng.q      11.45
 3   Trojan.AndroidOS.Ztorg.t               8.03
 4   Backdoor.AndroidOS.Ztorg.c             7.24
 5   Backdoor.AndroidOS.Ztorg.a             6.55
 6   Trojan-Dropper.AndroidOS.Agent.dm      4.91
 7   Trojan.AndroidOS.Hiddad.v              4.55
 8   Trojan.AndroidOS.Agent.gm              4.25
 9   Trojan-Dropper.AndroidOS.Agent.cv      3.67
10   Trojan.AndroidOS.Ztorg.aa              3.61
11   Trojan-Banker.AndroidOS.Svpeng.r       3.44
12   Trojan.AndroidOS.Ztorg.pac             3.31
13   Trojan.AndroidOS.Iop.c                 3.27
14   Trojan.AndroidOS.Muetan.b              3.17
15   Trojan.AndroidOS.Vdloader.a            3.14
16   Trojan-Dropper.AndroidOS.Triada.s      2.80
17   Trojan.AndroidOS.Muetan.a              2.77
18   Trojan.AndroidOS.Triada.pac            2.75
19   Trojan-Dropper.AndroidOS.Triada.d      2.73
20   Trojan.AndroidOS.Agent.eb              2.63

* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

First place is occupied by DangerousObject.Multi.Generic (78.46%), the verdict used for malicious programs detected using cloud technologies.
Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.

In Q3 2016, 17 Trojans that use advertising as their main means of monetization (highlighted in blue in the table) made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which it will be very difficult to delete them.

With root access on the device, Trojans can do many different things without the user being aware, such as installing apps from Google Play, including paid apps. It’s worth noting that the Trojans from the Ztorg family, which occupied four places in the TOP 20, are often distributed via the official Google Play store. Since the end of 2015, we have registered more than 10 such cases (including a fake guide for Pokemon GO). Several times the Trojan notched up over 100,000 installations, and on one occasion it was installed more than 500,000 times.

Trojan.AndroidOS.Ztorg.ad masquerading as a guide for Pokemon GO in Google Play

The ranking also included two representatives of the Trojan-Banker.AndroidOS.Svpeng mobile banker family. As we mentioned above, Svpeng.q became the most popular malware in the third quarter of 2016. This was down to the Trojan being distributed via the AdSense advertising network, which is used by a large number of sites on the Russian segment of the Internet.
The geography of mobile threats

The geography of attempted mobile malware infections in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

     Country*          % of users attacked**
 1   Bangladesh        35.57
 2   Nepal             31.54
 3   Iran              31.38
 4   China             26.95
 5   Pakistan          26.83
 6   Indonesia         26.33
 7   India             24.35
 8   Nigeria           22.88
 9   Algeria           21.82
10   The Philippines   21.67

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

Bangladesh topped the rating, with almost 36% of users there encountering a mobile threat at least once during the quarter. China, which came first in this rating two quarters in a row, dropped to fourth place.

The most popular mobile malware in all the countries of this rating (except China) was the same – advertising Trojans that mostly belonged to the Ztorg, Iop, Hiddad and Triada families. A significant proportion of attacks in China also involved advertising Trojans, but the majority of users there encountered Trojans from the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families.

Russia (12.1%) came 24th in this rating, France (6.7%) 52nd, the US (5.3%) 63rd, Italy (5.1%) 65th, Germany (4.9%) 68th, and the United Kingdom (4.7%) 71st. The situation in Germany and Italy has improved significantly: in the previous quarter, 8.5% and 6.2% of users in those countries respectively were attacked. This was due to a decline in activity by the Fusob family of mobile ransomware.

The safest countries were Austria (3.3%), Croatia (3.1%) and Japan (1.7%).

Mobile banking Trojans

Over the reporting period, we detected 30,167 installation packages for mobile banking Trojans, which is 1.1 times as many as in Q2.
Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q4 2015 – Q3 2016)

Trojan-Banker.AndroidOS.Svpeng became the most popular mobile banking Trojan in Q3 due to its active distribution via the advertising network AdSense. More than half the users that encountered mobile banking Trojans in the third quarter faced Trojan-Banker.AndroidOS.Svpeng.q. It was constantly increasing the rate at which it spread – in September the number of users attacked by the Trojan was almost eight times greater than in June.

The number of unique users attacked by the Trojan-Banker.AndroidOS.Svpeng banking Trojan family (June-September 2016)

Over 97% of attacked users were in Russia. This family of mobile banking Trojans uses phishing windows to steal credit card data and logins and passwords from online banking accounts. In addition, fraudsters steal money via SMS services, including mobile banking.

Geography of mobile banking threats in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

     Country*       % of users attacked**
 1   Russia         3.12
 2   Australia      1.42
 3   Ukraine        0.95
 4   Uzbekistan     0.60
 5   Tajikistan     0.56
 6   Kazakhstan     0.51
 7   China          0.49
 8   Latvia         0.47
 9   Russia         0.41
10   Belarus        0.37

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q3 2016, first place was occupied by Russia (3.12%) where the proportion of users that encountered mobile banker Trojans almost doubled from the previous quarter. In second place again was Australia (1.42%), where the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher families were the most popular threats.
The most widely distributed mobile banking Trojans in Q3 were representatives of the Svpeng, Faketoken, Regon, Asacub, Gugi and Grapereh families. In particular, the third quarter saw the Trojan-Banker.AndroidOS.Gugi family learn how to bypass protection mechanisms in Android by tricking users.

Mobile Ransomware

In Q3 2016, we detected 37,150 mobile Trojan-Ransomware installation packages.

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q4 2015 – Q3 2016)

The sharp rise in the number of mobile Trojan-Ransomware installation packages in Q1 and Q2 of 2016 was caused by the active proliferation of the Trojan-Ransom.AndroidOS.Fusob family of Trojans. In the first quarter of 2016, this family accounted for 96% of users attacked by mobile ransomware; in Q2 it accounted for 85%. Its share in Q3 was 73%.

Number of users attacked by the Trojan-Ransom.AndroidOS.Fusob family, January-September 2016

The highest number of users attacked by the mobile Trojan-Ransomware family was registered in March 2016. Since then the number of attacked users has been decreasing, especially in Germany. Despite this, Trojan-Ransom.AndroidOS.Fusob.h remained the most popular mobile Trojan-Ransomware in the third quarter, accounting for nearly 53% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including GPS coordinates and call history, and uploads the data to a malicious server. After that, it may receive a command to block the device.
Geography of mobile Trojan-Ransomware in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

     Country*       % of users attacked**
 1   Canada         0.95
 2   USA            0.94
 3   Kazakhstan     0.71
 4   Germany        0.63
 5   UK             0.61
 6   Mexico         0.58
 7   Australia      0.57
 8   Spain          0.54
 9   Italy          0.53
10   Switzerland    0.51

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

In all the TOP 10 countries apart from Kazakhstan, the most popular Trojan-Ransom family was Fusob. In the US, the Trojan-Ransom.AndroidOS.Svpeng family was also popular. This Trojan family emerged in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng family. These Trojans demand a ransom of $100-$500 from victims to unblock their devices.

In Kazakhstan, the main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks the operation of a device by overlaying all the windows with its own and demanding $10 to remove it.

Vulnerable apps exploited by cybercriminals

In Q3 2016, the Neutrino exploit kit departed the cybercriminal market, following in the wake of Angler and Nuclear which also left the market in the previous quarter. RIG and Magnitude remain active. RIG was especially prominent – it has quickly filled the vacant niche on the exploit kit market.
This is the overall picture for the use of exploits this quarter:

Distribution of exploits used in attacks by the type of application attacked, Q3 2016

Exploits for different browsers and their components (45%) once again topped the rating, although their share decreased by 3 percentage points. They are followed by exploits for Android OS vulnerabilities (19%), whose share fell 5 p.p. in the third quarter. Exploits for Microsoft Office rounded off the top three. Their contribution actually saw an increase from 14% to 16% in Q3.

Exploits for Adobe Flash Player remained popular. In fact, their share more than doubled from 6% to 13%. This was caused by the aforementioned RIG exploit kit: its use in several campaigns saw the share of SWF exploits increase dramatically.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

In the third quarter of 2016, Kaspersky Lab’s web antivirus detected 12,657,673 unique malicious objects (scripts, exploits, executable files, etc.) and 45,169,524 unique URLs were recognized as malicious by web antivirus components. Kaspersky Lab solutions detected and repelled 171,802,109 malicious attacks from online resources located in 190 countries all over the world.

Online threats in the banking sector

These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.

Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 1,198,264 computers in Q3 2016.
The number of users attacked by financial malware increased by 5.8% from the previous quarter (1,132,031). The third quarter is traditionally holiday season for many users of online banking services in Europe, which means the number of online payments made by these users increases during this period. This inevitably sees an increase in financial risks.

Number of users attacked by financial malware, Q3 2016

In Q3, the activity of financial threats grew month on month.

Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.

Geography of banking malware attacks in Q3 2016 (percentage of attacked users)

TOP 10 countries by percentage of attacked users

     Country*       % of attacked users**
 1   Russia         4.20
 2   Sri Lanka      3.48
 3   Brazil         2.86
 4   Turkey         2.77
 5   Cambodia       2.59
 6   Ukraine        1.90
 7   Venezuela      1.90
 8   Vietnam        1.86
 9   Argentina      1.86
10   Uzbekistan     1.77

These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In the third quarter of 2016, Russia had the highest proportion of users attacked by banking Trojans. Representatives of the Trojan-Banker ZeuS (Zbot) family, which leads the way in terms of the number of attacked users worldwide, were especially active in Russia. This is unsurprising since Russian cybercriminals are allegedly behind the development of this malware.
They know the specifics of Russia’s online banking systems as well as the mentality of Russian users and take them into consideration when developing their malware. In Russia, the Gozi banking Trojan continues to proliferate. It displayed a burst of activity in the previous quarter after its developers joined forces with the creators of the Nymaim Trojan. Russia also topped the TOP 10 countries with the highest proportion of users attacked by mobile bankers.

Sri Lanka, a favorite destination with tourists, was a newcomer to the rating, going straight in at second. Financial threats were encountered by 3.48% of users in the country. Among them are likely to be foreigners who arrived in the country on holiday and used online banking services to make payments. The most active representatives of banking malware in the region were those from the Fsysna banker family. This family has previously been noted for attacks targeting customers of Latin American banks.

Brazil rounds off the top three for the second quarter in a row. In Q2, we forecast a surge of financial threat activity in Latin America and specifically in Brazil because of this summer’s Olympic Games. However, the increase in the proportion of users attacked in Brazil was negligible: in the third quarter, 2.86% of users in Brazil encountered financial threats compared to 2.63% in Q2. At the same time, users in Argentina were subjected to a surge in malicious attacks, and as a result, the country ranked ninth.

The holiday season affected almost all countries in the TOP 10. In Russia, Ukraine and Uzbekistan, people traditionally have vacations at this time of the year, while other countries (Sri Lanka, Brazil, Turkey, Cambodia, etc.) are considered popular tourist destinations. Tourists tend to be active users of online banking systems, which in turn attracts cybercriminals and their banking malware.
The share of banking Trojan victims in Italy was 0.60% and in Spain 0.61%, while in Germany and the UAE the figures were 1.21% and 1.14% respectively.

The TOP 10 banking malware families

The table below shows the TOP 10 malware families used in Q3 2016 to attack online banking users (as a percentage of users attacked):

 #   Name*                                      % of attacked users**
 1   Trojan-Spy.Win32.Zbot                      34.58
 2   Trojan.Win32.Qhost / Trojan.BAT.Qhost      9.48
 3   Trojan.Win32.Fsysna                        9.467
 4   Trojan-Banker.Win32.Gozi                   8.98
 5   Trojan.Win32.Nymaim                        8.32
 6   Trojan-Banker.Win32.Shiotob                5.29
 7   Trojan-Banker.Win32.ChePro                 3.77
 8   Trojan-Banker.Win32.BestaFera              3.31
 9   Trojan-Banker.Win32.Banbra                 2.79
10   Trojan.Win32.Neurevt                       1.79

* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.

The undisputed leader of the rating is Trojan-Spy.Win32.Zbot. Its source code has been publicly available since a leak and is now widely used as an easy-to-use toolkit for stealing user payment data. Unsurprisingly, this malware consistently tops the rating: cybercriminals regularly enhance the family with new modifications compiled from the leaked source code that differ only slightly from the original.

The family of Qhost Trojans (verdicts Trojan.Win32.Qhost and Trojan.BAT.Qhost) came second. The functionality of this family's malicious programs is relatively simple: the Trojan modifies the contents of the hosts file (a plain-text file that maps host names to IP addresses and is consulted by the operating system before a DNS lookup is made), so that when specific resources are visited, the Trojan's malicious components are loaded on the infected workstation and used to steal payment information.
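A hosts-file integrity check for the tampering described above, as an added example (not code from the original report or from Kaspersky Lab). It parses the hosts-file format, then flags two abuses in the Qhost style: a banking name mapped to a non-local address (traffic redirected to an attacker-controlled host) and a security-vendor name pinned to loopback or 0.0.0.0 (updates and cloud lookups blackholed). The sample hosts file, the bank and vendor domain watchlists (examplebank.com, example-av.com) and the attacker address are all constructed; only the Windows hosts-file path is a real default.

```python
import ipaddress
import os

# Constructed sample hosts file (not real Qhost output): two legitimate loopback
# entries followed by three tampered lines of the kind described for Qhost.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- entries below are what a Qhost-style infection adds ---
203.0.113.45    online.examplebank.com examplebank.com   # redirect victims to attacker host
127.0.0.1       update.example-av.com                    # blackhole AV updates
0.0.0.0         downloads.example-av.com
"""

# Hypothetical watchlists; an analyst would populate these for their own environment.
BANKING_DOMAINS = {"examplebank.com"}
SECURITY_VENDOR_DOMAINS = {"example-av.com"}

# Default location of the hosts file on Windows.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every hostname on every non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed line, not a mapping
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def _in_zone(name, zones):
    """True if name equals a watched zone or is a subdomain of one."""
    return any(name == z or name.endswith("." + z) for z in zones)


def find_tampering(text, banking=BANKING_DOMAINS, vendors=SECURITY_VENDOR_DOMAINS):
    """Flag two hosts-file abuses: banking names sent to a non-local address
    (redirect) and security-vendor names pinned to loopback/0.0.0.0 (blackhole)."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        blackholed = addr.is_loopback or addr.is_unspecified
        if _in_zone(name, banking) and not blackholed:
            findings.append({"line": line_no, "host": name, "ip": ip, "kind": "redirect"})
        elif _in_zone(name, vendors) and blackholed:
            findings.append({"line": line_no, "host": name, "ip": ip, "kind": "blackhole"})
    return findings


if __name__ == "__main__":
    # Use the real hosts file when running on Windows, otherwise the constructed sample.
    if os.path.exists(WINDOWS_HOSTS_PATH):
        with open(WINDOWS_HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in find_tampering(text):
        print(f"line {f['line']}: {f['kind']:9} {f['host']} -> {f['ip']}")
```

On a clean workstation the only mappings present should be the loopback entries, so any hit is worth a look; a hosts file that has also been made read-only or hidden by the malware will still be read here, but write-protection should be checked separately before attempting cleanup.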
The Trojan also adds records to the hosts file that prevent the user's browser from connecting to the web-based apps and resources of popular antivirus vendors.

The Q3 rating also includes a new malware representative that has already demonstrated its capabilities in Sri Lanka: the Trojan.Win32.Fsysna family of banking Trojans. Members of this family, in addition to stealing payment data from infected workstations, are also used by cybercriminals to distribute spam: the Trojan uses an infected machine to relay spam messages from the command center to a mail server. Some representatives of this family also possess Trojan-cryptor (file-encrypting) functionality. Fsysna is a kind of 'Swiss army knife' used by cybercriminals to steal money.

Q3 2016 saw a decline in the activity of the notorious financial threat Trojan-Spy.Win32.Lurk: the number of users attacked by this malware fell by 7.1%. Lurk was not included in the TOP 10 banking malware families, but it still poses a threat to users of online banking systems. The cybercriminal group behind this financial threat has been arrested (something we wrote about in a separate article), so we expect to see a further decrease in activity by this banking Trojan next quarter.

Ransomware Trojans

Cryptors are currently one of the biggest threats to users and companies. These malicious programs are becoming more and more popular in the cybercriminal world because they are capable of generating large profits for their owners. A total of 21 new cryptor families and 32,091 new modifications were detected in Q3. We also added several existing cryptor families to our virus collection. The number of new cryptor families added to our virus collection is slightly lower than in the second quarter (21 versus 25), but the number of newly created modifications increased 3.5 times compared to the previous quarter.

The number of newly created cryptor modifications, Q1 – Q3 2016

Malware writers are constantly trying to improve their creations.
New ways to infect computers are always being sought, especially for attacks on companies, which cybercriminals see as far more profitable than attacks on ordinary users.

Remote launching of cryptors by cybercriminals

We are increasingly seeing incidents where cybercriminals crack passwords to gain remote access to a victim's system (usually an organization's) and infect the compromised machine with Trojan ransomware. Examples of this in Q3 were Dcryptor and Xpan.

Dcryptor/Mamba

Trojan-Ransom.Win32.Dcryptor is known on the Internet under the pseudonym 'Mamba'. Infection is carried out manually. The fraudsters brute-force the passwords for remote access to the victim machine and run the Trojan, passing the password to be used for encryption as a command-line argument. During infection, the Trojan uses the legitimate DiskCryptor utility. As a result, it is not just individual files on network drives that are encrypted but entire disk partitions on the local machine. System boot is blocked: once the computer is started, a message appears on the screen demanding a ransom and displaying an email address for communicating with the attackers. This Trojan reminds us of the notorious Petya/Mischa Trojan and continues the growing trend of cybercriminals looking for new ways to block access to data.

Xpan/TeamXRat ransomware

Trojan-Ransom.Win32.Xpan is yet another example of ransomware that is launched after attackers remotely penetrate a system. This Trojan is distributed by Brazilian cybercriminals. They brute-force the RDP password (RDP being the standard protocol for remote access to Windows computers) and infect the compromised system with the Xpan Trojan, which encrypts files and displays a ransom demand.

Ransomware in scripting languages

Another trend that has attracted our attention is the growing number of cryptors written in scripting languages.
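Both the Dcryptor/Mamba and Xpan intrusions described above begin with a guessed remote-access password rather than an exploit, which makes the attack chain visible in the Windows Security log before any encryption starts: a burst of failed logons (event 4625) from one source, a successful RemoteInteractive logon (event 4624, logon type 10) from that same source, and then a process started under that logon session (event 4688, which carries the command line when command-line auditing is enabled). The following correlation rule is an added example, not code from the report or from Kaspersky Lab; the events are constructed JSON lines that mimic those event fields, the DiskCryptor component names in ENCRYPTION_TOOLS and the command-line arguments shown are assumptions for illustration, and the thresholds are starting points to tune, not recommendations from the report.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed file names of DiskCryptor components (the legitimate utility Mamba abuses);
# extend with any encryption tooling that is not expected on your servers.
ENCRYPTION_TOOLS = {"dccon.exe", "dcrypt.exe", "dcinst.exe"}

# Constructed Windows Security events in JSON-lines form (not from a real incident).
# Field names follow the EventData of 4625 (failed logon), 4624 (logon; LogonType 10 =
# RemoteInteractive/RDP) and 4688 (process creation). The command line is illustrative.
SAMPLE_EVENTS = r"""
{"t":"2016-09-12T01:30:00","id":4624,"IpAddress":"10.0.0.5","LogonType":10,"TargetLogonId":"0x41002","TargetUserName":"jsmith"}
{"t":"2016-09-12T01:31:10","id":4688,"SubjectLogonId":"0x41002","NewProcessName":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe"}
{"t":"2016-09-12T02:00:01","id":4625,"IpAddress":"198.51.100.7","TargetUserName":"Administrator"}
{"t":"2016-09-12T02:00:02","id":4625,"IpAddress":"198.51.100.7","TargetUserName":"Administrator"}
{"t":"2016-09-12T02:00:03","id":4625,"IpAddress":"198.51.100.7","TargetUserName":"Administrator"}
{"t":"2016-09-12T02:00:04","id":4625,"IpAddress":"198.51.100.7","TargetUserName":"Administrator"}
{"t":"2016-09-12T02:00:05","id":4625,"IpAddress":"198.51.100.7","TargetUserName":"Administrator"}
{"t":"2016-09-12T02:00:06","id":4625,"IpAddress":"198.51.100.7","TargetUserName":"Administrator"}
{"t":"2016-09-12T02:00:09","id":4624,"IpAddress":"198.51.100.7","LogonType":10,"TargetLogonId":"0x3e7a1","TargetUserName":"Administrator"}
{"t":"2016-09-12T02:01:30","id":4688,"SubjectLogonId":"0x3e7a1","NewProcessName":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe"}
{"t":"2016-09-12T02:03:40","id":4688,"SubjectLogonId":"0x3e7a1","NewProcessName":"C:\\Windows\\Temp\\dccon.exe","CommandLine":"dccon.exe -encrypt pt0 -p [password]"}
"""


def load_events(text):
    """Parse JSON lines into dicts with a datetime in 't', oldest first."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            e = json.loads(line)
            e["t"] = datetime.fromisoformat(e["t"])
            events.append(e)
    return sorted(events, key=lambda e: e["t"])


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_rdp_bruteforce_then_tool(events, fail_threshold=5,
                                    fail_window=timedelta(minutes=10),
                                    exec_window=timedelta(hours=1),
                                    tools=ENCRYPTION_TOOLS):
    """Correlate: >= fail_threshold failed logons from one IP, then a successful RDP
    logon from that IP, then a watched tool started under that logon's session ID."""
    failures = defaultdict(list)     # source IP -> timestamps of 4625 events
    suspect_sessions = {}            # TargetLogonId -> details of the brute-forced logon
    alerts = []
    for e in events:
        if e["id"] == 4625:
            failures[e["IpAddress"]].append(e["t"])
        elif e["id"] == 4624 and e.get("LogonType") == 10:
            recent = [t for t in failures[e["IpAddress"]] if e["t"] - t <= fail_window]
            if len(recent) >= fail_threshold:
                suspect_sessions[e["TargetLogonId"]] = {
                    "source_ip": e["IpAddress"], "user": e["TargetUserName"],
                    "logon_time": e["t"], "failed_attempts": len(recent)}
        elif e["id"] == 4688:
            # SubjectLogonId of the new process ties it to the TargetLogonId of the logon.
            sess = suspect_sessions.get(e["SubjectLogonId"])
            proc = _basename(e["NewProcessName"])
            if sess and proc in tools and e["t"] - sess["logon_time"] <= exec_window:
                alerts.append({**sess, "process": proc,
                               "command_line": e["CommandLine"], "exec_time": e["t"]})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce_then_tool(load_events(SAMPLE_EVENTS)):
        print(f"{a['exec_time']:%Y-%m-%d %H:%M:%S} {a['source_ip']} brute-forced "
              f"{a['user']} ({a['failed_attempts']} failures) then ran "
              f"{a['process']}: {a['command_line']}")
```

The logon-ID join is what keeps the rule precise: a legitimate administrator who happens to run disk tooling is not tied to a brute-forced session, and the brute-force alone (which fires constantly on any Internet-exposed RDP host) does not page anyone. The precondition in both incidents is the same, so the preventive control is also the same: no RDP exposed directly to the Internet, account lockout or rate limiting, and no password-only administrator access.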
In the third quarter of 2016, we came across several new families written in Python:

- HolyCrypt (Trojan-Ransom.Python.Holy)
- CryPy (Trojan-Ransom.Python.Kpyna)
- Trojan-Ransom.Python.Agent

Another example, which emerged in June, was Stampado (Trojan-Ransom.Win32.Stampa), written in the AutoIt automation language.

The number of users attacked by ransomware

In Q3 2016, 821,865 unique KSN users were attacked by cryptors, 2.6 times more than in the previous quarter.

Number of unique users attacked by Trojan-Ransom cryptor malware (Q3 2016)

The largest contribution was made by representatives of the Trojan-Downloader.JS.Cryptoload family. These Trojan downloaders, written in JavaScript, were designed to download and install representatives of different cryptor families on the system.

Geography of Trojan-Ransom attacks in Q3 2016 (percentage of attacked users)

Top 10 countries attacked by cryptors

 #   Country*      % of users attacked by cryptors**
 1   Japan         4.83
 2   Croatia       3.71
 3   Korea         3.36
 4   Tunisia       3.22
 5   Bulgaria      3.20
 6   Hong Kong     3.14
 7   Taiwan        3.03
 8   Argentina     2.65
 9   Maldives      2.63
10   Australia     2.56

* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

As in the previous quarter, Japan topped this rating. Newcomers to this Top 10 were Tunisia, Hong Kong, Argentina and Australia, with Italy, Djibouti, Luxembourg and the Netherlands all making way.
Top 10 most widespread cryptor families

 #   Name              Verdict*                                              % of attacked users**
 1   CTB-Locker        Trojan-Ransom.Win32.Onion / Trojan-Ransom.NSIS.Onion  28.34
 2   Locky             Trojan-Ransom.Win32.Locky                             9.60
 3   CryptXXX          Trojan-Ransom.Win32.CryptXXX                          8.95
 4   TeslaCrypt        Trojan-Ransom.Win32.Bitman                            1.44
 5   Shade             Trojan-Ransom.Win32.Shade                             1.10
 6   Cryakl            Trojan-Ransom.Win32.Cryakl                            0.82
 7   Cryrar/ACCDFISA   Trojan-Ransom.Win32.Cryrar                            0.73
 8   Cerber            Trojan-Ransom.Win32.Zerber                            0.59
 9   CryptoWall        Trojan-Ransom.Win32.Cryptodef                         0.58
10   Crysis            Trojan-Ransom.Win32.Crusis                            0.51

* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

CTB-Locker once again occupied first place in Q3. The top three also included the now infamous Locky and CryptXXX. Despite the fact that the owners of TeslaCrypt disabled their servers and posted a master key to decrypt files back in May 2016, it continues to make it into our rating (although its contribution dropped by 5.8 times in Q3).

Crysis

Crysis (verdict Trojan-Ransom.Win32.Crusis) was a newcomer to the TOP 10 in Q3. This Trojan was first detected in February 2016 and has since undergone several code modifications. Interestingly, the list of email addresses used for ransom demands by the distributors of Crysis partly matches the list associated with the Cryakl and Aura Trojans. Analysis of the executable files from these families, however, shows that they do not share the same code. It appears that these malicious programs are spread via a partner (affiliate) scheme: because some distributors are distributing several different Trojans simultaneously, they use the same email address to communicate their ransom demands to the victims.
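The reasoning above (shared contact addresses across families whose code does not match, hence a shared distributor rather than a shared author) is a pivot an analyst can automate. The block below is an added example, not code from the report or from Kaspersky Lab: it extracts contact addresses from ransom-note text, indexes them by family, and reports only the addresses that cross family boundaries, keeping a per-sample code fingerprint alongside so that "same contact, different code" is visible in the result. The ransom-note excerpts, family labels, fingerprints and addresses are all constructed (the addresses use reserved example domains); the fingerprint field stands in for whatever code-level identity the analyst uses, such as an import hash.

```python
import re
from collections import defaultdict

# Contact addresses in ransom notes are ordinary e-mail addresses; this pattern is
# deliberately simple and case-insensitive at the comparison stage.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed ransom-note excerpts labelled with a family and a code fingerprint
# (hypothetical values, not real samples or hashes).
SAMPLES = [
    {"family": "Crysis", "fingerprint": "a1",
     "note": "Your files are encrypted. To get the key write to Decryptor@example.com or backup@example.net"},
    {"family": "Crysis", "fingerprint": "a1",
     "note": "All data locked! E-mail: decryptor@example.com"},
    {"family": "Cryakl", "fingerprint": "b2",
     "note": "contact: decryptor@example.com"},
    {"family": "Aura", "fingerprint": "c3",
     "note": "Write to decryptor@example.com, id 1234"},
    {"family": "Locky", "fingerprint": "d4",
     "note": "Visit the payment page; support: help@example.org"},
]


def contacts(note):
    """Unique, lower-cased contact addresses found in one ransom note."""
    return sorted({m.lower() for m in EMAIL_RE.findall(note)})


def shared_contacts(samples):
    """Addresses used by more than one family, with the families and the distinct
    code fingerprints seen behind each address."""
    by_address = defaultdict(lambda: {"families": set(), "fingerprints": set()})
    for s in samples:
        for addr in contacts(s["note"]):
            by_address[addr]["families"].add(s["family"])
            by_address[addr]["fingerprints"].add(s["fingerprint"])
    return {
        addr: {"families": sorted(v["families"]), "fingerprints": sorted(v["fingerprints"])}
        for addr, v in by_address.items()
        if len(v["families"]) > 1
    }


if __name__ == "__main__":
    for addr, info in shared_contacts(SAMPLES).items():
        print(f"{addr}: families {info['families']}, distinct code {info['fingerprints']}")
```

An address shared across several fingerprints points at the distribution layer (an affiliate who deploys whatever payload is available), whereas a shared fingerprint with different addresses points at one code base sold to several operators; the two cases call for different blocking and attribution decisions.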
Polyglot/MarsJoke

This Trojan appeared in August 2016 (we recently published a detailed analysis of Polyglot/MarsJoke). It is not included in the TOP 10, but it does have one interesting feature: the authors have tried to imitate the well-known CTB-Locker, which tops the rating for the second quarter in a row. Both the external and internal design of this piece of malware are very similar to the "original", but the cybercriminals made a mistake that allows files to be decrypted without paying a ransom.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual IP addresses, and then the geographical location of each IP address (GeoIP) is established.

In Q3 2016, Kaspersky Lab solutions blocked 171,802,109 attacks launched from web resources located in 190 countries around the world. 45,169,524 unique URLs were recognized as malicious by web antivirus components. 83% of notifications about blocked web attacks were triggered by attacks coming from web resources located in 10 countries.

Distribution of web attack sources by country, Q3 2016

The US (33.51%) remained top of this rating in Q3. Russia (9%) dropped from second to fourth, while Germany came second with a share of 10.5%. Canada left the Top 10, with Cyprus a newcomer in ninth place (1.24%).
Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

Please note that starting this quarter, this rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

 #   Country*                 % of users attacked**
 1   Slovenia                 30.02
 2   Bulgaria                 29.49
 3   Armenia                  29.30
 4   Italy                    29.21
 5   Ukraine                  28.18
 6   Spain                    28.15
 7   Brazil                   27.83
 8   Belarus                  27.06
 9   Algeria                  26.95
10   Qatar                    26.42
11   Greece                   26.10
12   Portugal                 26.08
13   Russia                   25.87
14   France                   25.44
15   Kazakhstan               25.26
16   Azerbaijan               25.05
17   United Arab Emirates     24.97
18   Vietnam                  24.73
19   China                    24.19
20   Albania                  23.23

These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 20.2% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.
Geography of malicious web attacks in Q3 2016 (ranked by percentage of users attacked)

The countries with the safest online surfing environments included Croatia (14.21%), the UK (14.19%), Singapore (13.78%), the US (13.45%), Norway (13.07%), Czech Republic (12.80%), South Africa (11.98%), Sweden (10.96%), Korea (10.61%), the Netherlands (9.95%) and Japan (9.78%).

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or that initially got onto the computer in an encrypted form (for example, programs integrated into complex installers, encrypted files, etc.). Data in this section is based on statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and on the results of scanning removable storage media.

In Q3 2016, Kaspersky Lab's file antivirus detected 116,469,744 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

Please note that starting this quarter, the rating of malicious programs only includes Malware-class attacks. The rating does not include detections of potentially dangerous or unwanted programs such as RiskTool or adware.
 #   Country*       % of users attacked**
 1   Vietnam        52.07
 2   Afghanistan    52.00
 3   Yemen          51.32
 4   Somalia        50.78
 5   Ethiopia       50.50
 6   Uzbekistan     50.15
 7   Rwanda         50.14
 8   Laos           49.27
 9   Venezuela      49.27
10   Philippines    47.69
11   Nepal          47.01
12   Djibouti       46.49
13   Burundi        46.17
14   Syria          45.97
15   Bangladesh     45.48
16   Cambodia       44.51
17   Indonesia      43.31
18   Tajikistan     43.01
19   Mozambique     42.98
20   Myanmar        42.85

These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** The percentage of unique users in the country with computers that blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products.

An average of 22.9% of computers globally faced at least one Malware-class local threat during the third quarter.

The safest countries in terms of local infection risk were: Spain (14.68%), Singapore (13.86%), Italy (13.30%), Finland (10.94%), Norway (10.86%), France (10.81%), Australia (10.77%), Czech Republic (9.89%), Croatia (9.70%), Ireland (9.62%), Germany (9.16%), the UK (9.09%), Canada (8.92%), Sweden (8.32%), the USA (8.08%), Denmark (6.53%) and Japan (6.53%).