Monday, November 20, 2017

Tag: Financial Crime

Financial crimes are crimes against property, involving the unlawful conversion of the ownership of property (belonging to one person) to one’s own personal use and benefit. Financial crimes may involve fraud (cheque fraud, credit card fraud, mortgage fraud, medical fraud, corporate fraud, securities fraud (including insider trading), bank fraud, market manipulation, payment (point of sale) fraud, health care fraud); theft; scams or confidence tricks; tax evasion; bribery; embezzlement; identity theft; money laundering; and forgery and counterfeiting, including the production of counterfeit money and consumer goods.

Financial crimes may involve additional criminal acts, such as computer crime, elder abuse, burglary, armed robbery, and even violent crime such as robbery or murder. Financial crimes may be carried out by individuals, corporations, or by organized crime groups. Victims may include individuals, corporations, governments, and entire economies.

For most countries, money laundering and terrorist financing raise significant issues with regard to prevention, detection and prosecution. Sophisticated techniques used to launder money and finance terrorism add to the complexity of these issues. Such sophisticated techniques may involve different types of financial institutions; multiple financial transactions; the use of intermediaries, such as financial advisers, accountants, shell corporations and other service providers; transfers to, through, and from different countries; and the use of different financial instruments and other kinds of value-storing assets. Money laundering is, however, a fundamentally simple concept. It is the process by which proceeds from a criminal activity are disguised to conceal their true origin. Basically, money laundering involves the proceeds of criminally derived property rather than the property itself. Money laundering can be defined in a number of ways; most countries subscribe to the definition adopted by the United Nations Convention Against Illicit Traffic in Narcotic Drugs and Psychotropic Substances (1988) (Vienna Convention) and the United Nations Convention Against Transnational Organized Crime (2000) (Palermo Convention):

Cloud doubters often raise compliance requirements as a barrier to cloud adoption, but in fact cloud providers have many tools to ease compliance with regulations and industry standards.

They can help you maintain compliance with the least amount o...

eProseed will participate as a Supporting Partner in the 11th MENA Regulatory Summit on February 5th & 6th in Dubai, United Arab Emirates.

The summit will cover the main topical challenges faced by the regulatory authorities and the GRC community, a debate in which eProseed has a pivotal role to play as the publisher of FSIP, a comprehensive financial supervision solution dedicated to Central Banks, Financial Regulators and Supervisory Authorities.

The 11th MENA Regulatory Summit will take place in Dubai, UAE, in association with the Dubai Financial Services Authority (DFSA) and under the patronage of H.E. Sultan bin Saeed Al Mansouri, the UAE Minister of Economy.

Formerly known as the GCC Regulators' Summit, the event has been renamed in an effort to ensure the utmost involvement of the governance, risk and compliance (GRC) community across the MENA (Middle East and North Africa) region, and to expand the dialogue to neighboring countries that share the same topical risk challenges and regulatory outlook.


"With increasing demands from many international regulatory bodies, financial supervisory authorities are required to monitor the compliance of their financial institutions against numerous new national and international requirements. In the MENA region, the recent macroeconomic developments have also triggered an unprecedented demand for collection of high precision data at high frequency from all financial institutions to support a better risk based supervision", comments Geoffroy de Lamalle, Chief Executive Officer of eProseed.

MENA: an increasing role in global compliance and combating financial crime
The 11th MENA Regulatory Summit will be attended and supported by regional and international regulators, financial services professionals, law practitioners, advisors and market players.

The participants will highlight the recent macroeconomic developments in the MENA region including the US election, Brexit aftermath, regional regulatory responses to the financial crisis, the digital revolution in financial services, blockchain technology, and crowdfunding.

The speakers will set the landscape for international anti-financial crime trends, FATF perspective on terrorist financing and emergent types of financial crimes, and the dangers of withdrawal of correspondent banking relationships. Panelists will also discuss trade-based money laundering and trade finance activities, compliance culture, business conduct, business ethics, and compliance conflicts.

eProseed, the Solution Provider for Financial Supervision
Leveraging the proven expertise in developing and implementing end-to-end business solutions based on Oracle's world-class software technology stack and a close collaboration with major Financial Institutions and Regulators, eProseed has developed eProseed Financial Supervision Insight Platform (FSIP), an end-to-end financial supervision solution dedicated to Central Banks, Financial Regulators and Supervisory Authorities.

"In essence, eProseed FSIP is a comprehensive, highly agile, and plug-and-play financial supervision solution, enabling efficient and pro-active collection of high precision data at high frequency from all financial institutions, as well as automating and integrating all regulatory and supervisory functions in one single software solution", says Geoffroy de Lamalle.

About eProseed
eProseed is an ICT services provider and a software publisher. Honored with 8 Oracle ACE Directors and 14 Oracle Excellence Awards in the last 7 years, eProseed is an Oracle Platinum Partner with in-depth expertise in Oracle Database, Oracle Fusion Middleware and Oracle Engineered Systems.

eProseed’s portfolio of business applications and business accelerators is built on state-of-the-art, reliable technologies and sound knowledge of today’s challenges, developed and maintained with the highest standards in mind.

Comprehensive training and support are provided by eProseed’s experts for both applications and underlying technologies.

Headquartered in Luxembourg, in the heart of Europe, eProseed has offices in Beirut (LB), Brussels (BE), Dubai (AE), London (UK), New York (USA), Porto (PT), Riyadh (SAU), Sydney (AU), and Utrecht (NL).


Alexandra Toma
Email: alexandra.toma@eproseed.com
Phone: +40 767 670 566

A Russian cybersecurity firm has issued a warning about a spate of remotely coordinated attacks on cash machines.

Hacks of banks' centralised systems had made groups of machines issue cash simultaneously, a process known as "touchless jackpotting", said Group IB. The machines had not been physically tampered with, it said, but "money mules" had waited to grab the cash.

Affected countries are said to include Armenia, Estonia, the Netherlands, Poland, Russia, Spain and the UK. But the company declined to name any specific banks.

Dmitriy Volkov from Group IB told the BBC a successful attack could net its perpetrators up to $400,000 (£320,000) at a time. "We have seen such attacks in Russia since 2013," he said. "The threat is critical. Attackers get access to an internal bank's network and critical information systems. That allows them to rob the bank."

Two cash machine manufacturers, Diebold Nixdorf and NCR Corp, told Reuters they were aware of the threat. "They are taking this to the next level in being able to attack a large number of machines at once," said senior director Nicholas Billett, from Diebold Nixdorf. "They know they will be caught fairly quickly, so they stage it in such a way that they can get cash from as many ATMs as they can before they get shut down."

'Follow the money'
A recent report by Europol warned of the rise of cash-machine-related malware, although it said "skimming" - using hardware to steal card information at the machine itself - was still more common. "The new method is being done by somehow gaining access to the banks' central systems and infecting whole communities of ATMs simultaneously, hence multiplying the amount of money that can be stolen in a short time," said cybersecurity expert Prof Alan Woodward. Because criminals were collecting the cash in person, it made the crime more difficult to trace, he added. "The classic way of solving online financial crime is to 'follow the money' - but when you can no longer do this, it is very hard to find out who is behind it, even though the evidence suggests it is a very limited number of groups that have started perpetrating this type of crime."
Yet another year has flown past and, as far as notable infosec happenings are concerned, this is one for the history books.

Drama, intrigue and exploits have plagued 2016 and, as we take stock of some of the more noteworthy stories, we once again cast our gaze forward to glean the shapes of the 2017 threat landscape. Rather than thinly-veiled vendor pitching, we hope to ground these predictions in trends we’ve observed in the course of our research and provide thought-provoking observations for researchers and visitors to the threat intelligence space alike.

Our record
Last year’s predictions fared well, with some coming to fruition ahead of schedule. In case you didn’t commit these to memory, some of the more notable predictions included:

APTs: We anticipated a decreased emphasis on persistence as well as an increased propensity to hide in plain sight by employing commodity malware in targeted attacks. We’ve seen this, both with an increase in memory or fileless malware as well as through the myriad reported targeted attacks on activists and companies, which relied on off-the-shelf malware like NJRat and Alienspy/Adwind.

Ransomware: 2016 can be declared the year of ransomware. Financial malware aimed at victimizing users has practically been galvanized into a ransomware-only space, with the more effective extortion scheme cannibalizing malware development resources from less profitable attempts at victimizing users.

Forecast for 2017: time to start using Yara rules more extensively as IoCs become less effective

Bank Heists: When we considered the looming expansion of financial crime at the highest level, our hypothetical included targeting institutions like the stock exchange. But it was the attacks on the SWIFT network that brought these predictions to bear, with millions walking out the door thanks to crafty, well-placed malware.

Internet Attacks: Most recently, the oft-ignored world of sub-standard Internet-connected devices finally came to bear on our lives in the form of a nasty IoT botnet that caused outages for major Internet services, and hiccups for those relying on a specific DNS provider.

Shame: Shame and extortion have continued to great fanfare as strategic and indiscriminate dumps have caused personal, reputational, and political problems left and right. We must admit that the scale and victims of some of these leaks have been genuinely astonishing to us.

What does 2017 have in store?

Those dreaded APTs
The rise of bespoke and passive implants
As hard as it is to get companies and large-scale enterprises to adopt protective measures, we also need to admit when these measures start to wear thin, fray, or fail. Indicators of Compromise (IoCs) are a great way to share traits of already known malware, such as hashes, domains, or execution traits that will allow defenders to recognize an active infection. However, the trendsetting one-percenters of the cyberespionage game have learned to defend against these generalized measures, as showcased by the recent ProjectSauron APT, a truly bespoke malware platform whose every feature was altered to fit each victim and thus would not serve to help defenders detect any other infections.
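To make the contrast above concrete, here is an added example (not code from the original article) in which a hash IoC shared after a first incident misses a per-victim re-tailored build of the same tool, while a small Yara-style trait rule, of the kind the next paragraph argues for, still fires on both and stays quiet on a benign program. All three samples and every byte pattern are constructed for illustration.

```python
"""Hash IoCs versus trait-based (Yara-style) matching.

Added example, not from the original article. Three byte strings are
constructed in memory to stand in for files or memory regions: a known
sample, a per-victim re-tailored build of the same tool, and a benign
program. Every byte pattern below is made up for illustration.
"""
import hashlib
import re

# Constructed "known bad" sample from the first victim.
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"beacon.invalid\x00"
    + b"\x8b\x45\x08\x33\xc9\x83\xc0\x04"  # constructed code fragment
    + b"\x00" * 32
)

# Constructed tailored build: same logic, different C2 string, different
# padding, one register changed in the code fragment (33 c9 -> 33 d2).
TAILORED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 72
    + b"WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"update.invalid\x00"
    + b"\x8b\x45\x08\x33\xd2\x83\xc0\x04"
    + b"\x00" * 16
)

# Constructed benign program: a debugger helper legitimately imports one API.
BENIGN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"WriteProcessMemory\x00debug helper\x00"
    + b"\x00" * 32
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash IoC shared after the first incident: exact, cheap, and brittle.
IOC_HASHES = {sha256_hex(KNOWN_SAMPLE)}


def ioc_match(data: bytes) -> bool:
    return sha256_hex(data) in IOC_HASHES


# A minimal Yara-like rule: named strings (text, or hex with ?? wildcards)
# plus an "N of them" condition, so one shared API import is not enough.
RULE = {
    "name": "injector_traits",
    "strings": {
        "$api1": b"CreateRemoteThread",
        "$api2": b"WriteProcessMemory",
        "$code": "8b 45 08 33 ?? 83 c0 04",
    },
    "condition": 2,  # at least 2 of the strings must be present
}


def hex_pattern(hex_str: str):
    """Turn 'aa ?? bb' into a bytes regex; ?? matches any single byte."""
    parts = [b"." if p == "??" else re.escape(bytes.fromhex(p)) for p in hex_str.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def rule_match(rule: dict, data: bytes) -> list:
    """Return the names of matched strings if the condition holds, else []."""
    hits = []
    for name, pat in rule["strings"].items():
        found = pat in data if isinstance(pat, bytes) else hex_pattern(pat).search(data)
        if found:
            hits.append(name)
    return hits if len(hits) >= rule["condition"] else []


def scan(samples: dict) -> dict:
    """Compare both detection methods over a set of named samples."""
    return {
        name: {"hash_ioc": ioc_match(data), "yara_like": bool(rule_match(RULE, data))}
        for name, data in samples.items()
    }


if __name__ == "__main__":
    samples = {"known": KNOWN_SAMPLE, "tailored": TAILORED_SAMPLE, "benign": BENIGN_SAMPLE}
    for name, result in scan(samples).items():
        print(f"{name:9} hash_ioc={result['hash_ioc']!s:5} yara_like={result['yara_like']}")
```

The same matcher runs unchanged over a memory dump passed in as bytes, which is the "scan memory for fragments" case; the ?? wildcard is what keeps the code-fragment string matching when a register or constant is swapped between builds.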

That is not to say that defenders are entirely without recourse, but it’s time to push for the wider adoption of good Yara rules that allow us to scan far-and-wide across an enterprise, inspect and identify traits in binaries at rest, and scan memory for fragments of known attacks.

Forecast for 2017: passive implants showing almost no signs of infection come into fashion

ProjectSauron also showcased another sophisticated trait we expect to see on the rise, that of the ‘passive implant’.

A network-driven backdoor, present in memory or as a backdoored driver in an internet gateway or internet-facing server, silently awaiting magic bytes to awaken its functionality. Until woken by its masters, passive implants will present little or no outward indication of an active infection, and are thus least likely to be found by anyone except the most paranoid of defenders, or as part of a wider incident response scenario. Keep in mind that these implants have no predefined command-and-control infrastructure to correlate and provide a more anonymous beachhead. Thus, this is the tool of choice for the most cautious attackers, who must ensure a way into a target network at a moment’s notice.

Ephemeral infections
While adoption of PowerShell has risen as a dream tool for Windows administrators, it has also proven fruitful ground for the gamut of malware developers looking for stealthy deployment, lateral movement, and reconnaissance capabilities unlikely to be logged by standard configurations.

Tiny PowerShell malware stored in memory or in the registry is likely to have a field day on modern Windows systems.

Taking this further, we expect to see ephemeral infections: memory-resident malware intended for general reconnaissance and credential collection with no interest in persistence.
In highly sensitive environments, stealthy attackers may be satisfied to operate until a reboot wipes their infection from memory if it means avoiding all suspicion or potential operational loss from the discovery of their malware by defenders and researchers.

Ephemeral infections will highlight the need for proactive and sophisticated heuristics in advanced anti-malware solutions (see: System Watcher).

Espionage goes mobile
Multiple threat actors have employed mobile implants in the past, including Sofacy, RedOctober and CloudAtlas, as well as customers of HackingTeam and the suspected NSO Pegasus iOS malware suite. However, these have supplemented campaigns largely based on desktop toolkits.

As adoption of Desktop OS’s suffers from a lack of enthusiasm, and as more of the average user’s digital life is effectively transferred to their pockets, we expect to see the rise of primarily mobile espionage campaigns.

These will surely benefit from decreased attention and the difficulty of attaining forensic tools for the latest mobile operating systems.

Confidence in codesigning and integrity checks has stagnated visibility for security researchers in the mobile arena, but this won’t dissuade determined and well-resourced attackers from hunting their targets in this space.

The future of financial attacks
We heard you’d like to rob a bank…
The announcement of this year’s attacks on the SWIFT network caused uproar throughout the financial services industry due to its sheer daring; measured in zeros and commas to the tune of multi-million dollar heists.

This move was a natural evolution for players like the Carbanak gang and perhaps other interesting threat actors. However, these cases remain the work of APT-style actors with a certain panache and established capability. Surely, they’re not the only ones interested in robbing a bank for sizable funds?

Forecast for 2017: growing popularity of short-lived infections, including those using PowerShell

As cybercriminal interest grows, we expect to see the rise of the SWIFT-heist middlemen in the well-established underground scheme of tiered criminal enterprises. Performing one of these heists requires initial access, specialized software, patience, and, eventually, a money laundering scheme.

Each of these steps has a place for already established criminals to provide their services at a fee, with the missing piece being the specialized malware for performing SWIFT attacks. We expect to see the commodification of these attacks through specialized resources being offered for sale in underground forums or through as-a-service schemes.

Resilient payment systems
As payment systems became increasingly popular and widely adopted, we expected to see greater criminal interest in these. However, it appears that implementations have proven particularly resilient, and no major attacks have been noted at this time.

This relief for the consumer may, however, entail a headache for the payment system providers themselves, as cybercriminals are wont to target the latter through direct attacks on the payment system infrastructure. Whether these attacks will result in direct financial losses or simply outages and disruption, we expect increased adoption to attract more nefarious attention.

Dirty, lying ransomware
As much as we all hate ransomware (and with good reason), most ransomware thrives on the benefit of an unlikely trust relationship between the victim and their attacker.

This criminal ecosystem relies on the tenet that the attacker will abide by a tacit contract with the victim that, once payment is received, the ransomed files will be returned.

Cybercriminals have exhibited a surprising semblance of professionalism in fulfilling this promise and this has allowed the ecosystem to thrive. However, as the popularity continues to rise and a lesser grade of criminal decides to enter the space, we are likely to encounter more and more ‘ransomware’ that lacks the quality assurance or general coding capability to actually uphold this promise. We expect ‘skiddie’ ransomware to lock away files or system access or simply delete the files, trick the victim into paying the ransom, and provide nothing in return.

At that point, little will distinguish ransomware from wiping attacks and we expect the ransomware ecosystem to feel the effects of a ‘crisis of confidence’.

This may not deter larger, more professional outfits from continuing their extortion campaigns, but it may galvanize forces against the rising ransomware epidemic into abandoning hope for the idea that ‘just pay the ransom’ is viable advice for victims.

The big red button
The famous Stuxnet may have opened a Pandora’s Box by realizing the potential for targeting industrial systems, but it was carefully designed with a watchful eye towards prolonged sabotage on very specific targets.

Even as the infection spread globally, checks on the payload limited collateral damage and no industrial Armageddon came to pass. Since then, however, any rumor or reporting of an industrial accident or unexplained explosion will serve as a peg to pin a cyber-sabotage theory on.

Forecast for 2017: espionage increasingly shifting to mobile platforms

That said, a cyber-sabotage induced industrial accident is certainly not beyond the realm of possibility.

As critical infrastructure and manufacturing systems continue to remain connected to the internet, often with little or no protection, these tantalizing targets are bound to whet the appetite of well-resourced attackers looking to cause mayhem.
It’s important to note that, alarmism aside, these attacks are likely to require certain skills and intent.

An unfolding cyber-sabotage attack is likely to come hand-in-hand with rising geopolitical tensions and well-established threat actors intent on targeted destruction or the disruption of essential services.

The overcrowded internet bites back
A brick by any other name
Long have we prophesied that the weak security of the Internet of Things (or Threats) will come back to bite us, and behold, the day is here.

As the Mirai botnet showcased recently, weak security in needlessly internet-enabled devices provides an opportunity for miscreants to cause mayhem with little or no accountability. While this is no surprise to the infosec-aficionados, the next step may prove particularly interesting, as we predict vigilante hackers may take matters into their own hands.

Forecast for 2017: use of intermediaries in attacks against the SWIFT interbank messaging system

The notion of patching known and reported vulnerabilities holds a certain sacrosanct stature as validation for the hard (and often uncompensated) work of security researchers.

As IoT-device manufacturers continue to pump out unsecured devices that cause wide-scale problems, vigilante hackers are likely to take matters into their own hands.

And what better way than to return the headache to the manufacturers themselves by mass bricking these vulnerable devices? As IoT botnets continue to cause DDoS and spam distribution headaches, the ecosystem’s immune response may very well take to disabling these devices altogether, to the chagrin of consumers and manufacturers alike.

The Internet of Bricks may very well be upon us.

The silent blinky boxes
The shocking release of the ShadowBrokers dump included a wealth of working exploits for multiple, major manufacturers’ firewalls. Reports of exploitation in-the-wild followed not long after as the manufacturers scrambled to understand the vulnerabilities exploited and issue patches. However, the extent of the fallout has yet to be accounted for. What were attackers able to gain with these exploits on hand? What sort of implants may lie dormant in vulnerable devices? Looking beyond these particular exploits (and keeping in mind the late 2015 discovery of a backdoor in Juniper’s ScreenOS), there’s a larger issue of device integrity that bears further research when it comes to appliances critical to enterprise perimeters.

The open question remains, ‘who’s your firewall working for?’

Who the hell are you?
The topic of False Flags and PsyOps is a particular favorite of ours and, to no surprise, we foresee the expansion of several trends in that vein…

Information warfare
The creation of fake outlets for targeted dumps and extortion was pioneered by threat actors like Lazarus and Sofacy.

After their somewhat successful and highly notorious use in the past few months, we expect information warfare operations to increase in popularity for the sake of opinion manipulation and overall chaos around popular processes.

Threat actors interested in dumping hacked data have little to lose from crafting a narrative through an established or fabricated hacktivist group, diverting attention from the attack itself to the contents of their revelations.

Forecast for 2017: ‘script kiddie’ extortionists compromise the idea of paying ransom to retrieve data

The true danger at that point is not that of hacking, or the invasion of privacy, but rather that as journalists and concerned citizens become accustomed to accepting dumped data as newsworthy facts, they open the door to more cunning threat actors seeking to manipulate the outcome by means of data manipulation or omission. Vulnerability to these information warfare operations is at an all-time high and we hope discernment will prevail as the technique is adopted by more players (or by the same players with more throwaway masks).

The promise of deterrence
As cyberattacks come to play a greater role in international relations, attribution will become a central issue in determining the course of geopolitical overtures.

Governmental institutions have some difficult deliberating ahead to determine what standard of attribution will prove enough for demarches or public indictments.

As precise attribution is almost impossible with the fragmented visibility of different public and private institutions, it may be the case that ‘loose attribution’ will be considered good enough for these. While advising extreme caution is important, we must also keep in mind that there is a very real need for consequences to enter the space of cyberattacks. Our bigger issue is making sure that retaliation doesn’t engender further problems as cunning threat actors outsmart those seeking to do attribution in the first place. We must also keep in mind that as retaliation and consequences become more likely, we’ll see the abuse of open-source and commercial malware begin to increase sharply, with tools like Cobalt Strike and Metasploit providing a cover of plausible deniability that doesn’t exist with closed-source proprietary malware.

Doubling-down on False Flags
While the examples reported in the False Flags report included in-the-wild cases of APTs employing false flag elements, no true pure false flag operation has been witnessed at this time.

By that we mean an operation by Threat Actor-A carefully and entirely crafted in the style and with the resources of another, ‘Threat Actor-B’, with the intent of inciting tertiary retaliation by the victim against the blameless Threat Actor-B. While it’s entirely possible that researchers have simply not caught onto this already happening, these sorts of operations won’t make sense until retribution for cyberattacks becomes a de facto effect.

As retaliation (be it overtures, sanctions, or retaliatory CNE) becomes more common and impulsive, expect true false flag operations to enter the picture.

Forecast for 2017: lack of security for the Internet of Things will turn it into an ‘Internet of Bricks’

As this becomes the case, we can expect false flags to be worth even greater investment, perhaps even inciting the dumping of infrastructure or even jealously guarded proprietary toolkits for mass use. In this way, cunning threat actors may cause a momentary overwhelming confusion of researchers and defenders alike, as script kiddies, hacktivists, and cybercriminals are suddenly capable of operating with the proprietary tools of an advanced threat actor, thus providing a cover of anonymity in a mass of attacks and partially crippling the attribution capabilities of an enforcing body.

What privacy?
Pulling the veil
There’s great value to be found in removing what vestiges of anonymity remain in cyberspace, whether for the sake of advertisers or spies.

For the former, tracking with persistent cookies has proven a valuable technique.

This is likely to expand further and be combined with widgets and other innocuous additions to common websites that allow companies to track individual users as they make their way beyond their particular domains, and thus compile a cohesive view of their browsing habits (more on this below).

Forecast for 2017: the question “Who is your firewall working for?” will become increasingly relevant

In other parts of the world, the targeting of activists and tracking of social media activities that ‘incite instability’ will continue to inspire surprising sophistication, as deep pockets continue to stumble into curiously well-placed, unheard of companies with novelties for tracking dissidents and activists through the depth and breadth of the internet.

These activities tend to have a great interest in the social networking tendencies of entire geographic regions and how they’re affected by dissident voices. Perhaps we’ll even see an actor so daring as to break into a social network for a goldmine of PII and incriminating information.

The espionage ad network
No pervasive technology is more capable of enabling truly targeted attacks than ad networks.

Their placement is already entirely financially motivated and there is little or no regulation, as evidenced by recurring malvertising attacks on major sites.

By their very nature, ad networks provide excellent target profiling through a combination of IPs, browser fingerprinting, and browsing interest and login selectivity.

This kind of user data allows a discriminate attacker to selectively inject or redirect specific victims to their payloads and thus largely avoid collateral infections and the persistent availability of payloads that tend to pique the interest of security researchers.

As such, we expect the most advanced cyberespionage actors to find the creation or co-opting of an ad network to be a small investment for sizable operational returns, hitting their targets while protecting their latest toolkits.

Forecast for 2017: rapid evolution of false-flag cybercriminal operations

The rise of the vigilante hacker
Following his indiscriminate release of the HackingTeam dump in 2015, the mysterious Phineas Fisher released his guide for aspiring hackers to take down unjust organizations and shady companies.

This speaks to a latent sentiment that the asymmetrical power of the vigilante hacker is a force for good, despite the fact that the HackingTeam dump provided live zero-days to active APT teams and perhaps even encouragement for new and eager customers.

As the conspiratorial rhetoric increases around this election cycle, fuelled by the belief that data leaks and dumps are the way to tip the balance of information asymmetry, more will enter the space of vigilante hacking for data dumps and orchestrated leaks against vulnerable organizations.

Forecast for 2017: cybercriminals increasingly turn to social and advertising networks for espionage

For cyber intelligence sharing to work, organizations need two things: to trust each other and better processes to collect, exchange and act on information quickly.

As cyberthreats become more sophisticated and expand to the Cloud and the Internet of Things, the sharing of meaningful threat intel between trusted organizations has become more critical than ever before. At Fortinet this year, our teams witnessed the benefits of info sharing first hand as part of a joint operation that helped INTERPOL and the Nigerian Economic & Financial Crime Commission uncover the head of an international criminal network.

What did we learn? For one thing, these partnerships demonstrate the importance of global threat intelligence research and analytics that security vendors can offer in dealing with cyberthreats. In my opinion, security vendors have a responsibility to share threat findings with each other, as well as end-user advocacy groups. It is essentially the best way to combat adversaries and assist law enforcement in fighting cybercriminals. Yet, serious challenges remain to the worthwhile goal of info sharing, even among classified, trusted networks.

One of the major barriers to information sharing is the perception of liability. In a 2014 Ponemon survey of over 700 IT security practitioners, 71% of respondents who participate in information sharing said that sharing improves their security posture. But for organizations that don’t share, half pointed to “potential liability” as the principal reason for holding back. To get beyond these obstacles, two things must be in place: trust between organizations and a process to receive and implement threat intelligence information quickly.

Trust but Verify
Not only do organizations need detailed protocols in place about what information can be shared, but they also need to trust the organizations with whom they are sharing, or the process being used to collect, process and exchange such information. Another major concern revolves around data privacy and protecting personally identifiable information (PII). How can you share information that provides details about an attack and attacker without having it be connected, even contextually, to customers and thereby risk customer privacy and assume liability? Organizations have to rely on trusted partners who rigidly adhere to and enforce agreed-upon protocols, e.g. only sharing information related to the adversary, and anonymizing PII.

Here are a few tips for developing trusted relationships:

Start with folks you know in your industry.

Ask them their thoughts about threat sharing. Join an ISAO (Information Sharing and Analysis Organization) or ISAC (Information Sharing and Analysis Center).

These are groups focused on sharing threat intelligence relevant to that vertical that have established protocols and procedures best suited for an industry’s needs. Organizations like INTERPOL, the NATO Industry Cyber Partnership (NICP), and even regional organizations have active partnerships with vendors and industry leaders to collect and share threat data.

For security vendors, participation in industry organizations such as the Cyber Threat Alliance (CTA) and the OASIS Cyber Threat Intelligence (CTI) group makes everyone safer. Meet people in person.

Trust is a slow process and few things work better than meeting with peers over dinner or drinks to establish a rapport.

There are dozens of industry-related conferences, local meet-ups and user groups designed to bring folks together. As Ronald Reagan famously said, “Trust, but verify.” Sharing and receiving critical security information requires constant monitoring.

Are you sharing critical information but receiving junk? Is data being appropriately anonymized? Are you receiving the same data you shared? Keeping everyone honest is critical for maintaining a trusted relationship. Rapid ProcessingA common critique of many information-sharing services is that they are slow and unreliable.

For sharing to work, organizations need to be able to receive, process and implement threat intelligence information quickly.

They also need to ensure that any threat intelligence they share is immediately useful. Actionable information is the best way to move from being reactive to proactive.
It allows organizations to move from simply stopping attacks to actually catching cybercriminals.

Developing and sharing truly actionable intelligence requires the efforts of a trained security team on the part of the organization developing that information, as well as on the part of the users or organizations consuming it. While many organizations are actively engaged in collecting as much data as they can from a variety of sources — including their own — much of the work in processing, correlating and converting it into policy is still done manually.

This makes it very difficult to respond to an active threat quickly, or share timely and actionable information.
Ideally, the consumption, processing and correlation of threat intelligence is automated. Security vendors also need to automate the sharing of threat intelligence information – and not just with outside entities. Many organizations are still struggling to share threat intelligence between deployed security devices or even between different team members.

Automation ensures that time-sensitive threat information immediately reaches all stakeholders so it can be shared in real time and acted on. Trusted sharing, even with a known partner or community, is easier said than done. When evaluating your security landscape, characteristics of network design should be considered that will securely facilitate the receiving and sharing of threat intelligence.

Given that the time to compromise for today’s attacks continues to shorten, it is essential that we begin to automate as much of the process as possible — including time-sensitive activities such as sharing, consuming, hand-correlating intelligence, and distributing updated policies.

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ...
For many years I worked for Foundstone teaching hacking classes and doing penetration testing. It was the most enjoyable job I ever had. As part of that job, I traveled the world, including China, and got to determine firsthand which country had the best hackers. Although I didn't travel to Russia during that time, lots of Russian-born hackers showed up in my classes.

Rumblings of cyberwar

Foreign hacking is top of mind right now, thanks to Russia's attempts to shake up the U.S. presidential election. With a high degree of confidence, U.S. intelligence agencies say the highest levels of Russia's government are behind the Democratic National Committee email leaks intended to embarrass Hillary Clinton. According to the reports I've read, most of these Russian hacks seem to be based on simple password phishing.

China has been involved in hacking American (and other) companies for decades. Most computer security experts believe that China already has every intellectual property secret it wants. I didn't believe the Chinese hacking rumors for years because accusers failed to provide public evidence. I've since changed my tune because many companies have released that evidence, and it appears quite convincing. Also, the Chinese government's tight control over its domestic internet makes it unlikely that Chinese hackers could have hacked U.S. targets without either direct orders -- or at least tacit acceptance. Regardless, recent evidence suggests that Chinese hacking against American companies has decreased since President Obama and Chinese leaders signed an antihacking agreement last year. I've been involved in dealing with advanced persistent threat (APT) attacks for more than a decade, and I'm personally hearing fewer complaints about Chinese intrusions.

Which hackers cause the most damage?

If by "damage" you mean frequency and severity of attacks, Chinese hackers take the No. 1 spot. Very likely tens of thousands of them, funded by the government, have broken into any company they like. I'm convinced they've stolen more secrets and intellectual property than any other country, with a single breach potentially incurring many millions of dollars in damage. I've seen American companies work on a secret new product, only to have a Chinese company release a very similar, if not identical, product first. Sometimes even the wording in the documentation is identical. I've seen entire American company divisions shut down as a result.

Russia's hackers are more focused on direct financial crime and probably incur hundreds of millions of dollars in damage each year. Who knows -- it could be billions of dollars. But if I compare the direct financial costs of Russia versus China, China probably wins that battle due to its theft of high-value intellectual property. What about Russia's impact on the American elections, especially if that hacking results in a presidency friendly to the Russian government? Luckily, despite Russia's best efforts, the American voting system is probably too much of a hodgepodge of systems to be affected in a material way.

Best hacking skills

In my personal experience, the best hackers have always come from the United States or one of its friendly allies. I know that sounds biased, but when I taught hacking classes, the U.S. hackers always completed the hacking tests the fastest. In the Foundstone classes we ran little tests during the day that allowed our students to practice some skill we had taught them. Most students, regardless of country, tended to perform roughly the same. At the end of the class, we had a major capture-the-flag test, which required that students put together everything we had taught them, but in slightly different ways. It required thinking outside the box. U.S. students were always able to complete the major test and were always fastest. Unfortunately, my Foundstone experiences ended 10 years ago. Since then, several other countries have risen to become part of the elite club of hackers. Israel, for such a small country, has an enormous number of incredible hackers, and they enjoy a well-earned reputation as the best-thinking defenders.

Who's the best?

Sorry to disappoint you, but the real answer is that we don't know who's best. To be a "good" hacker you have to be invisible. The best hackers are the ones we don't see and don't know about. But the real irony is that breaking into most organizations requires little in the way of advanced techniques anyway. Even the elite hacking units don't use their best stuff unless they have to. Why hack smart and give away your best stuff when you can hack like any script kiddie and get the same results without being discovered?
Scylex malware built from scratch for financial theft, according to an ad in infamous underground forum.

Financial institutions could be in for more trouble of the Zeus-like variety if a new malware kit being promoted in an underground forum is any indication. The new Scylex malware kit appears designed to enable financial crime on a large scale, a researcher from Heimdal Security of Denmark said in an alert this week. An advertisement on Lampeduza, a forum for buying and selling malware, touts Scylex as packing multiple functions including a user-mode root kit, web injects, and a secure socket reverse proxy, Heimdal researcher Andra Zaharia said.
So far, there have been no instances of Scylex being actually used anywhere. The base kit comes at a price tag of $7,500.

Those willing to spring an extra $2,000 can get additional functionality such as secure socket support for directing data transfers between a user PC and a malicious server, via a proxy. The malware kit is also being offered as a premium package for $10,000.

For this price, a buyer will get a Hidden Virtual Network Computing (HVNC) module in addition to all of the features available in the other two kits, Zaharia said. HVNC is a sought-after capability in banking Trojans and basically gives attackers a way to manipulate a victim’s computer remotely to access bank accounts without triggering any alerts. The purchase price for the malware includes support for up to 8 hours a day and periodic software updates.

A new kit that is under development will come with even more functions including capabilities for spreading via social networks, a DDoS module, and reverse FTP. “From the looks of it, cybercriminals are trying to engineer the next big thing in financial malware,” Zaharia cautioned. “Their ambition is to replicate the impact that Zeus GameOver had a few years ago,” she said. The Zeus Trojan first surfaced around 2007 and is believed responsible for infecting tens of millions of computers and draining hundreds of millions of dollars from bank accounts worldwide.

The operators of the Zeus Trojan abruptly stopped their campaign about five years ago and released the source code for the malware online, prompting scores of me-too banking Trojans based on Zeus code in the last few years. The authors of Scylex make it clear in their advertisement that the malware is not based on Zeus code. “It is a banking Trojan written 99% from scratch in C++,” they noted in the ad, a copy of which Heimdal posted on its site. “The goal is to bring back to the scene what Zeus/SpyEye, Citadel, ZeroAccess left behind, and introduce a brand new solution as well.” The malware kit appears designed for those who have solid technical skills, but the authors have made clear that it is available to anyone interested in purchasing it. This type of malware can usually be bought with a lifetime license, as in the case of Scylex, or rented for a monthly fee, Zaharia told Dark Reading.

The kits “include the malware, a dashboard where the attacker can tweak the settings and tech support,” she said. “Often, the malware comes preloaded with vulnerabilities and targets, but we couldn't say if this is the case or not for Scylex.” “The malware-as-a-service model has been growing in the past years, and with it the marketing efforts as well,” she said. “Since malware is now so readily available, malware creators have to differentiate themselves and present their offer with more transparency than before. Hence the conspicuous advertising.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Roll-your-own-malware kit Scylex offered for seven large

Cybercrooks are touting a new DIY financial crime kit that lets you roll your own ZeuS-like software nasty. The Scylex malware kit lets you build malicious code that, once running on a victim's Windows PC, can snoop on your online banking passwords, intercept your web traffic and open a backdoor granting full control over the machine. The gear is priced at $7,500+ in new adverts seen in underground crime forums.

The banking trojan toolkit was advertised on Lampeduza, a dark web forum where card details from the 2014 Target data breach were recently sold. Scylex aims to continue the Gameover Zeus legacy, but without reusing any code from the earlier cybercrime utilities. "The goal is to bring back to the scene what Zeus/SpyEye, Citadel, ZeroAccess left behind, and introduce a brand new solution as well," as the unknown crooks behind the malware explain it. The cybercrook tools are said to feature multiple functionalities – rootkit, form-grabber and web injects – as well as a development roadmap.

For an additional $2,000, would-be crooks get access to SOCKS5 (Socket Secure) support, which enables attackers to manipulate data transfers between a user's PC and a specific server through a proxy.

A "premium" package costing $10,000 adds a hidden virtual network computing (HVNC) module.

The ad features a demo video of the malware in action. Future capabilities on the roadmap include a DDoS module and a click bot for ad fraud. It's a convincing and detailed pitch.

Although the real capabilities of Scylex remain as yet unconfirmed, the danger it potentially represents is being taken seriously by security researchers.

The full advertisement is reproduced in an alert by Heimdal Security here. "So far, Scylex hasn't been spotted in the wild, so the claims made in the advertisement posted on Lampeduza forum can't be verified at the moment," writes Andra Zaharia, marcom manager at Heimdal Security. "However, both the video and the detailed description of what this new financial malware can do are strong evidence that the crime kit may indeed be real."
Humble piece comes in five slices

The head of the SWIFT financial network has put forward a five-part plan to improve security after its systems were the focus of several cyberattacks. Gottfried Leibbrandt gave a keynote on Tuesday at a financial services conference in Brussels and promised the organization would work harder to ensure that incidents like last month's theft of $81m from Bangladesh's central bank were not possible in future. Although Leibbrandt reiterated his point that SWIFT's systems had not been compromised, the highly critical reaction to the network's initial not-my-problem response clearly had an impact, and some crumbs of humble pie were visible on the lectern. In response to the Bangladeshi bank scam, he said: "Two questions pop up for SWIFT, at least they have in the press. One: isn't SWIFT in the middle of all of this? Two: What are you going to do about it?" Hackers had managed to gain access to Bangladesh Bank's central keys and use them through the SWIFT international money system to divert funds.

From SWIFT's perspective the issue lies with the bank: their systems had been compromised. The organization responded aggressively to suggestions that it was in some way responsible for the theft, putting out an announcement that read in part: "SWIFT rejects the false, inaccurate and misleading allegations made by Bangladesh Bank and Bangladesh Police's Criminal Investigation Department (CID) officials to Reuters.

The accusations have no basis in fact."

Out of step

But it wasn't long before security experts pointed out that SWIFT's security systems were out of step with the modern world.
Its security guidelines are "outdated and incomplete," said one analysis.
Its systems were set up to deal with "the types of attacks that were prevalent a decade ago," and the network fails to safeguard against today's more sophisticated hacks – like the one suffered by the Bangladeshi bank. As just one example, SWIFT offers but does not insist on two-factor authentication, which is pretty much standard on most systems where critical information is approved online. SWIFT also acknowledged that it wasn't the first time that the method used by the Bangladeshi hackers had been attempted on its network. The outcry gave SWIFT food for thought, and a few weeks after the attack, the organization promised to take another look at its security.

That look comes in five parts, which are currently relatively vague but which the organization has promised to turn into real action. Leibbrandt outlined those parts as:

1. Drastically improve information sharing among the global financial community.
2. Harden security requirements for customer-managed software.
3. Enhance guidelines and develop security audit frameworks for customers.
4. Support banks' increased use of payment pattern controls to identify suspicious behavior.
5. Introduce certification requirements for third-party providers.

Or, in other words, do what the organization should have done as part of its job several years ago.

Ummm

But before you get too excited about Leibbrandt's sudden understanding of the modern world, his speech revealed a continued misunderstanding of modern financial crime. "Back before mainframes, ATMs, mobile banking and PCs, it was all about men and guns," he said. "Now it is about men in hoodies hunkering over keyboards." If he imagines that the kind of people that are breaking into a central bank, grabbing authorization keys, using SWIFT networks against it even to the extent of adjusting printed reports to hide fraudulent transfers, and then moving the money to accounts that can't be got at are "men in hoodies," he continues to massively underestimate the modern cybercriminal. There was some self-awareness however. "Change is hard," he noted. "Sometimes it takes a crisis.

As the saying goes: 'a crisis is a terrible thing to waste'; so let's use this crisis as an industry to come out stronger, better and even more secure."
Apparently took months to contain

Wendy’s confirmed on Wednesday that malicious software affected PoS (point-of-sale) devices in around 300 of the burger chain’s 5,500 franchised stores, or about five per cent of all its restaurants in North America. The update on Wednesday quantifies the extent of a previously announced breach and came as Wendy’s announced its first quarter financial results, in themselves of little or no relevance to Reg readers.

The section covering an “update on investigation into unusual credit card activity”, however, sheds fresh light on the hack against the fast food outlet’s cash registers by as yet unidentified cybercrooks. Wendy’s said it has cleaned up the malware as well as finding further unrelated problems in its stores as part of an ongoing security response operation. The statement reads: As previously reported, the Company engaged cybersecurity experts earlier this year to conduct a comprehensive investigation into unusual credit card activity at some Wendy's restaurants.
Investigation into this activity is nearing completion.

Based on the preliminary findings of the investigation and other information, the Company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy's restaurants, starting in the fall of 2015.

These findings also indicate that the Aloha point of sale system has not been impacted by this activity.

The Aloha system is already installed at all Company-operated restaurants and in a majority of franchise-operated restaurants, with implementation throughout the North America system targeted by year-end 2016.

The Company expects that it will receive a final report from its investigator in the near future. The Company has worked aggressively with its investigator to identify the source of the malware and quantify the extent of the malicious cyber-attacks, and has disabled and eradicated the malware in affected restaurants.

The Company continues to work through a defined process with the payment card brands, its investigator and federal law enforcement authorities to complete the investigation. Based upon the investigation to date, approximately 50 franchise restaurants are suspected of experiencing, or have been found to have, unrelated cybersecurity issues.

The Company and affected franchisees are working to verify and resolve these issues. Investigative journalist Brian Krebs reports that affected Wendy’s locations were still leaking customer card data up until early April, weeks after he broke news of the breach in late January.

This has caused rumbles of discontent from banks, Krebs adds. Security experts are not altogether surprised that the breach - one of a growing series centred on malware infecting PoS terminals at hotels and retail outlets - took months to contain. Tod Beardsley, security research manager at Rapid7, commented: "The Wendy's breach illustrates a number of recurring themes that we see with point-of-sale (PoS) system-based financial crime.

The criminal activity was ongoing, lasting at least six months from detection to containment.

The length of time the compromise went undetected, then unmitigated, is troubling news for any retailer that depends on a third party POS vendor for security.

The fact that the breach affected only 5 per cent of Wendy's locations is certainly a contributing factor to its success; a small footprint is much more difficult to detect, since the patterns resulting from the fraud take longer to materialise.” “It's easy to say this was Wendy's problem – and Wendy's is certainly taking on some of the responsibility by working hard to investigate and mitigate the issue — but I’d expect that the attack was enabled by weak credentials instituted by the unnamed secondary PoS vendor,” he added.
Spam: features of the quarter

Trending: dramatic increase in volume of malicious spam

The first quarter of 2016 saw a dramatic increase in the number of unsolicited emails containing malicious attachments. Over the last two years the number of email antivirus detections on computers with a Kaspersky Lab product installed fluctuated between 3 and 6 million.

At the end of 2015 this number began to grow and in early 2016 there was a sharp upturn.

[Figure: Number of email antivirus detections on computers with a Kaspersky Lab product installed]

In March, the number of email antivirus detections reached 22,890,956, which is four times more than the average for the same period last year. With the rise of drive-by downloads, we could have expected malicious email attachments to have long since given way to malicious sites that the user accesses via a link in an email. However, the use of emails has its advantages (for the attackers): the content of the email may encourage the user not only to download a malicious file but also to launch it.
It’s also possible that malicious attachments are enjoying a new wave of popularity because in the last couple of years the developers of the most popular browsers have considered adding protection against infected and phishing websites (using in-house developments as well as partnering with well-known anti-virus vendors).

This is something that built-in protection at the email client level does not provide yet.

Therefore, if a potential victim doesn’t use antivirus software, their computer can be easily infected via email.

What’s inside?

The variety of malicious attachments is impressive.

They include classic executable EXE files and office documents (DOC, DOCX, XLS, RTF) with embedded malicious macros, and programs written in Java and JavaScript (JS files, JAR, WSF, WRN, and others).

[Figure: Attachment containing a Trojan downloader written in Java]

Also worth noting is the diversity of languages used in malicious spam.
In addition to English, we regularly came across emails in Russian, Polish, German, French, Spanish, Portuguese and several other languages.

[Figure: Attachment containing the Trojan banker Gozi]

Most emails imitated notifications of unpaid bills, or business correspondence. The malicious .doc file in the attachment is a Trojan downloader.
It downloads and runs the encryptor Cryakl using macros written in Visual Basic.

[Figure: Attachment containing backdoor-type malware that downloads other malicious programs to the infected machine]

Particular attention should be paid to emails containing Trojan downloaders that download the Locky encryptor.

The attackers exploited a variety of file types to infect victim computers: at first they used .doc files with malicious macros, then JS scripts.
In order to bypass filtering, the attackers made every malicious file within a single mass mailing unique.
In addition, the emails had different content and were written in different languages.

This doesn’t come as much of a surprise, as attacks utilizing this encryptor were registered by KSN in 114 countries around the world.

[Figure: Examples of emails with the Locky encryptor]

The content of the emails was related to financial documents and prompted users to open the attachment. If the attack was successful, Locky encrypted files with specific extensions (office documents, multimedia content, etc.) on the user’s computer, and displayed a message with a link leading to a site on the Tor network containing the cybercriminals’ demands.

This process was analyzed in more detail in our blog. As Locky is not always contained directly in the message, we cannot estimate its share in the volume of other malicious mail. However, the scripts that download and run Locky (detected by Kaspersky Lab as Trojan-Downloader.MSWord.Agent, Trojan-Downloader.JS.Agent, HEUR:Trojan-Downloader.Script.Generic) accounted for more than 50% of all malicious programs in email traffic.

Spam terrorism

Today terrorism is one of the most widely discussed topics both in the media and when political leaders meet.

Frequent terrorist attacks in Europe and Asia have become a major threat to the world community, and the theme of terrorism is widely used by cybercriminals to mislead users. In order to prevent terrorist attacks, security measures in many countries have been enhanced, and malicious spammers have been quick to take advantage.

They tried to convince recipients of mass mailings that a file attached in an email contained information that would help a mobile phone owner detect an explosive device moments before it was about to detonate.

The email claimed the technology came from the US Department of Defense, was easy to use and widely available.

The attachment, in the form of an executable EXE file, was detected as Trojan-Dropper.Win32.Dapato – a Trojan that is used to steal personal information, organize DDoS attacks, install other malware, etc. ‘Nigerian’ scammers also got in on the act, exploiting the theme of terrorism to try and concoct credible stories.

The senders introduced themselves as employees of a non-existent FBI division involved in the investigation of terrorism and financial crime.

Their story revolved around the need for the recipient to contact the sender in order to resolve issues that are preventing the payment of a large sum of money.

Among the reasons given for the delay in transferring the money the scammers cited a lack of confirmation that the money was legal and rightfully belonged to the recipient, or it was claimed third parties were trying to pocket the recipient’s money. Nigerian letters also told stories of money – some of which was offered to the recipient – that had been obtained legally and was not related to drugs, terrorism or other crime.

This was an attempt to dispel any doubts about their honesty and persuade recipients to reply. The theme of terrorism came up again in tales related to the current situation in the Middle East.

For example, some emails were sent on behalf of US soldiers who were fighting against terrorism in Afghanistan and were looking for an intermediary to save and invest money for them. Yet another author claimed that he had not joined ISIS or any other terrorist organization, but as a Muslim he wanted to donate a large sum of money for good deeds.

A mistrust of charities meant the “Muslim” wanted to transfer the money to the recipient of the email. Yet another story was written on behalf of an American businessman who had lost half his business in Syria and Iraq because of the war and terrorism, and was looking for a partner to help him invest the remaining money. Nigerian letters describing the tense situation in Syria also remained popular and were actively used by scammers to trick users. We also came across advertising spam from Chinese factories offering all sorts of devices to ensure public security (for example, special devices for detecting explosives) and other anti-terrorist products.

Also trending: significant increase in volume of ‘Nigerian’ spam

It seems so-called Nigerian spammers have also felt the effects of the economic crisis, because they have recently increased their activity.
In Q1 2016 we observed a significant increase in the volume of this type of mailing.
In the past, the scammers encouraged recipients to respond to an email by telling a long detailed story that often contained links to articles in the mainstream media; now they send out short messages with no details, just a request to get in touch.
Sometimes the email may mention a large sum of money that will be discussed in further correspondence, but there is no information about where it came from. Perhaps the scammers believe that those who are already aware of the classic ‘Nigerian’ tricks will fall for these types of messages; or maybe they think that such short messages will be more suited for busy people who have no time to read long emails from strangers.

Spammer methods and tricks: short URL services and obfuscation

In our spam and phishing report for 2015 we wrote about obfuscation of domains.
In Q1 2016, spammers continued this trend and even added some new tricks to their arsenal. Cybercriminals continued to use short URL services, although the methods for adding “noise” to them have changed. First of all, spammers began inserting characters – slashes, letters and dots – between the domain of a short URL service and the final link. Both the link which the user follows and the link to the uploaded image in the email are obfuscated. In addition to letters and dots, spammers even inserted random comment tags between slashes, and the browser continued to correctly interpret the links. Note that the subject of the email contains the name Edward; it is also included in the comment tag used to add “noise”.
In other words, the name is taken from one database while the “noise” tag is unique for each email in the mass mailing. Russian-language spam also used obfuscation and short URL services, but the algorithm was different. For example, to obfuscate links the @ symbol was used.

To recap, the @ symbol is intended for user authentication on the site (it is actually no longer used).
If the site does not require authentication, everything that precedes the @ symbol will simply be ignored.
It means that in the email above, the browser will first open the site ask.ru/go, where it will execute the subquery ‘url =’ and then go to the URL specified, which belongs to a short URL service. The link in this email was also obfuscated with the @ symbol. Noise was also added by additional subqueries including the user’s email address, which made it unique for each email in the mass mailing.

Statistics

Proportion of spam in email traffic

[Figure: Percentage of spam in global email traffic, Q1 2016]

The percentage of spam in overall global email traffic remained stable during the last few months of 2015. However, in January 2016 we registered a considerable increase in the share of unwanted correspondence – over 5.5 p.p.
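The two link-obfuscation tricks described in the section above (decoy text placed before an @ sign so the browser ignores it, and short-URL paths padded with slashes, dots and HTML comment tags, optionally behind a redirector such as ask.ru/go) can be caught at a mail gateway by working out where each link actually leads. The Python below is an added example for this page, not Kaspersky's code; the shortener list, the redirector parameter name `url`, and the sample email are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed lists for this example; a real gateway would load maintained feeds.
SHORT_URL_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "short.example"}
# Redirectors and the query parameter naming their target. ask.ru/go is the redirector
# the report mentions; the parameter name "url" is assumed from its "url =" wording.
REDIRECTORS = {"ask.ru": "url"}

COMMENT_TAG = re.compile(r"<!--.*?-->", re.DOTALL)
LINK_ATTR = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def analyze_url(raw_url):
    """Report where a link really leads and which of the report's obfuscation tricks it uses."""
    parts = urlsplit(raw_url.strip())
    # Everything before '@' in the authority is userinfo. A site that asks for no
    # authentication ignores it, so .hostname is where the browser actually connects
    # and .username is the decoy text the spammer wants the reader to see.
    effective_host = (parts.hostname or "").lower()
    findings = []
    if parts.username is not None:
        findings.append("userinfo_decoy")

    # HTML comment tags inserted between slashes do not change where the link goes.
    cleaned_path, tags = COMMENT_TAG.subn("", parts.path)
    if tags:
        findings.append("comment_tags_in_path")

    if effective_host in SHORT_URL_HOSTS:
        # A genuine short URL is one token; extra '/', '.', or segments are padding.
        segments = cleaned_path.split("/")[1:]
        if segments and segments[-1] == "":      # tolerate a trailing slash
            segments = segments[:-1]
        padding = sum(1 for seg in segments if set(seg) <= {"."})
        real = [seg for seg in segments if seg.strip(".")]
        if padding or len(real) > 1:
            findings.append("padded_short_url")

    # Redirector: the browser loads this host first, then follows the url= parameter.
    next_hop = None
    param = REDIRECTORS.get(effective_host)
    if param:
        values = parse_qs(parts.query).get(param)
        if values:
            next_hop = values[0]                 # parse_qs already percent-decodes
            findings.append("open_redirect")

    return {
        "effective_host": effective_host,
        "decoy": parts.username or "",
        "findings": findings,
        "next_hop": next_hop,
    }


def resolve_chain(raw_url, max_hops=5):
    """Statically walk redirector hops; return the hosts the browser would visit, in order."""
    hosts, url = [], raw_url
    while url and len(hosts) < max_hops:
        info = analyze_url(url)
        hosts.append(info["effective_host"])
        url = info["next_hop"]
    return hosts


def scan_email_html(html):
    """Map every href/src in an email body to its findings, keeping only suspicious links."""
    report = {}
    for link in LINK_ATTR.findall(html):
        findings = analyze_url(link)["findings"]
        if findings:
            report[link] = findings
    return report


# Constructed sample message modelled on the tricks the report describes.
SAMPLE_EMAIL = """\
<html><body>
<p>Edward, your invoice is ready.</p>
<a href="http://short.example/./inv//<!--Edward-->/a1B2c3">View invoice</a>
<img src="http://short.example//./<!--Edward-->/img9">
<a href="http://secure-bank.example@ask.ru/go?url=http%3A%2F%2Fshort.example%2F.%2Fa%2F%2Fz9&e=victim%40corp.example">Sign in</a>
<a href="http://www.example.com/unsubscribe">Unsubscribe</a>
</body></html>
"""

if __name__ == "__main__":
    for link, findings in scan_email_html(SAMPLE_EMAIL).items():
        print(link, "->", resolve_chain(link), findings)
```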

By February, however, the amount of spam in email traffic had dropped to its previous level.
In March it grew again, though less dramatically.

As a result, the average percentage of spam in Q1 2016 amounted to 56.92%.

Sources of spam by country

Figure: Sources of spam by country, Q1 2016

The US (12.43%) maintained its leadership, remaining the biggest source of spam in Q1 2016. Next came Vietnam (10.30%), India (6.19%) and Brazil (5.48%).

China rounded off the Top 5, accounting for 5.09% of global spam. Russia fell from last year’s second place to seventh (4.89%) in Q1 2016.
It followed closely behind France (4.90%), the sixth biggest source of spam.

Spam email size

Figure: Spam email size distribution, Q4 2015 and Q1 2016

The most commonly distributed emails were very small, up to 2 KB (79.05%).

The proportion of these emails grew by 2.7 p.p. from the previous quarter.

The share of emails sized 20-50 KB also increased – from 3.02% to 7.67%.

The share of emails sized 2-5 KB, however, fell significantly compared to Q4 2015, from 8.91% to 2.5%.

Malicious email attachments

Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications. So we have decided to turn to the more informative statistics of the Top 10 malware families.

Top 10 malware families

1. Trojan-Downloader.JS.Agent. A typical representative of this family is an obfuscated JavaScript. This family uses ADODB.Stream, which allows it to download and run DLL, EXE and PDF files.

2. Trojan-Downloader.VBS.Agent. This is a family of VBS scripts. As with the JS.Agent family, ranked first, the representatives of this family use ADODB.Stream; however, they mainly download ZIP files, from which they extract and run other malicious software.

3. Trojan-Downloader.MSWord.Agent. The representatives of this family are DOC files with an embedded macro written in Visual Basic for Applications (VBA) that runs when the document is opened. The macro downloads other malware from the cybercriminal’s site and launches it on the victim’s computer.

4. Backdoor.Win32.Androm (Andromeda). This is a family of universal Andromeda/Gamarue modular bots. The key features of these bots include downloading, storing and launching malicious executable files; downloading and loading a malicious DLL (without saving it to disk); and updating and deleting themselves. The bot functionality is extended with plug-ins that can be loaded at any time.

5. Trojan.Win32.Bayrob. The malicious programs of this Trojan family can download additional modules from the command server and run them, as well as work as a proxy server. They are used to distribute spam and steal personal data.

6. Trojan-Downloader.JS.Cryptoload. A typical representative of this family is an obfuscated JavaScript. The malicious programs of this family download and run ransomware on the user’s computer.

7. Trojan-PSW.Win32.Fareit. This malware family was designed to steal data such as credentials for FTP clients installed on an infected computer, credentials for cloud storage programs, cookie files in browsers and passwords for email accounts. The stolen information is sent to the criminals’ server. Some members of the Fareit family are also capable of downloading and running other malware.

8. Trojan.Win32.Agent. The malicious programs of this family destroy, block, modify or copy data, or disrupt the operation of computers or computer networks.

9. Trojan-Downloader.Win32.Upatre. The Trojans of this family do not exceed 3.5 KB, and their functions are limited to downloading payloads onto the infected computer; more often than not these are the Trojan bankers known as Dyre/Dyzap/Dyreza. The main aim of this family of Trojan bankers is to steal payment data from users.

10. Trojan-Spy.HTML.Fraud. The Trojans of this family consist of a fake HTML page sent via email that imitates an important notification from a major commercial bank, online store, software developer, etc. The user is asked to enter their personal data on this page, which is then forwarded to cybercriminals.

Countries targeted by malicious mailshots

There were some significant changes in the ranking of countries targeted most often by mailshots in Q1 2016.

Figure: Distribution of email antivirus verdicts by country, Q1 2016

Germany (18.93%) remained on top.

China (9.43%), which ended 2015 in 14th place, unexpectedly came second.

Brazil (7.35%) rounded off the Top 3. Italy (6.65%) came fourth in the ranking, followed by the UK (4.81%). Russia was in sixth place with a share of 4.47%. The US (3.95%), which had been in the Top 5 countries targeted by malicious mailshots for months on end, ended Q1 in eighth place.

Phishing

In Q1 2016, the Anti-Phishing system was triggered 34,983,315 times on the computers of Kaspersky Lab users.

Geography of attacks

The country where the largest percentage of users were affected by phishing attacks was once again Brazil (21.5%), with a 3.37 p.p. increase from the previous quarter.

The share of those attacked in China (16.7%) and the UK (14.6%) also grew compared to Q4 2015, by 4.4 p.p. and 3.68 p.p. respectively. Japan (13.8%), which was the leader in the previous year, saw its share fall by 3.18 p.p.

Figure: Geography of phishing attacks*, Q1 2016

* Number of users on whose computers the Anti-Phishing system was triggered, as a percentage of the total number of Kaspersky Lab users in the country.

Top 10 countries by percentage of users attacked:

1. Brazil 21.5%
2. China 16.7%
3. United Kingdom 14.6%
4. Japan 13.8%
5. India 13.1%
6. Australia 12.9%
7. Bangladesh 12.4%
8. Canada 12.4%
9. Ecuador 12.2%
10. Ireland 12.0%

Organizations under attack

The statistics on phishing targets are based on detections of Kaspersky Lab’s anti-phishing component.
It is activated every time a user enters a phishing page when information about it is not yet included in Kaspersky Lab databases.
It does not matter how the user enters the page – by clicking a link in a phishing email, in a message on a social network or as a result of malware activity.

After the security system is activated, the user sees a banner in the browser warning about a potential threat.

Figure: Distribution of organizations affected by phishing attacks, by category, Q1 2016

In the first quarter of 2016, the ‘Global Internet portals’ category (28.69%) topped the rating of organizations attacked by phishers; its share increased by 0.39 p.p. from the previous quarter.
Second and third places were occupied by two financial categories: ‘Banks’ (+4.81 p.p.) and ‘Payment systems’ (-0.33 p.p.). ‘Social networking sites’ (11.84%) and ‘Online games’ (8.40%) rounded off the Top 5, having lost 0.33 p.p. and 4.06 p.p. respectively.

Online stores

Attacks on online store users are interesting because they are often followed by the theft of bank card details and other personal information.

Figure: Distribution of online stores subject to phishing attacks, Q1 2016

Apple Store was the most popular online store with phishers.
In the first quarter of 2016 its share in the ‘E-shop’ category accounted for 27.82%.

Behind it in second place was another popular online store, Amazon (21.6%).

Figure: Example of a phishing page designed to steal Apple ID and bank card data

Steam (13.23%), a popular gaming service that distributes computer games and programs, rounded off the Top 3.
It came 19th in the overall ranking of organizations affected by phishing attacks. Links to phishing pages exploiting the theme of online games and gaming services are distributed via banners, posts on social networking sites, forums and, less frequently, via email. Cybercriminal interest in Steam and gaming services in general is growing: gamers’ money and personal data are often targeted not only by phishers but also by software developers.

Top 3 organizations attacked

Fraudsters continue to focus the greatest part of their non-spear phishing attacks on the most popular companies.

These companies have lots of customers around the world, which increases the chances of a successful phishing attack. The Top 3 organizations attacked most often by phishers accounted for 21.71% of all phishing links detected in Q1 2016.

Organization, % of detected phishing links:

1. Yahoo! 8.51
2. Microsoft 7.49
3. Facebook 5.71

In Q1 2016, the leading three organizations targeted by phishers saw a few changes. Yahoo! remained top (+1.45 p.p.). Microsoft (+2.47 p.p.) came second, followed by Facebook (-2.02 p.p.). Interestingly, phishing on Facebook is delivered in almost all languages. Facebook is also popular with cybercriminals as a means of spreading malicious content. We wrote about one such scheme in a recent blog.

Conclusion

In the first quarter of 2016 the percentage of spam in email traffic increased by 2.7 percentage points compared with the previous quarter.

But it is too early to speak about a growth trend.

The proportion of spam grows significantly at the beginning of every year because the amount of normal email decreases over the holiday period. The US remained the biggest source of spam in Q1 2016.

The Top 5 also included Vietnam, India, Brazil and China – all large, fast developing countries with high levels of internet connection. Spam messages are becoming shorter.
In the first quarter, the proportion of emails up to 2 KB was close to 80% of all spam (79.05%). Q1 2016 saw the amount of spam containing malicious attachments increase dramatically.

The share of malicious attachments in mail reached a peak in March – four times greater than last year’s average.

This rapid growth was caused specifically by the popularity of crypto-ransomware, which was either contained in the emails themselves or downloaded to computers via a Trojan downloader. This growth confirms our long-term forecasts on the gradual criminalization of spam, which makes spam more dangerous even as its overall share of email traffic falls.

The diversity of languages, social engineering, lots of different types of attachments, text changing within a single mass mailing – all this takes spam to a new level of danger. Moreover, these malicious mass mailings have broad geographical coverage.

The picture of malware distribution by email has changed significantly this year.
In particular, China came an unexpected second in the ranking of countries targeted by malicious mailshots. Another factor confirming the trend of increasingly criminalized spam is the growth of fraudulent (‘Nigerian’) spam in the first quarter of 2016. It is unlikely that the amount of malicious spam will continue to grow so rapidly: the more cybercriminals distribute malicious spam, the more people learn of its dangers and the more careful they become about opening suspicious attachments.

Therefore, such attacks will gradually fade away after a few months. However, there is the risk they may be replaced by other, even more complex attacks.
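The downloader families catalogued in the Top 10 malware families section above share a few static traits: script attachments that call ADODB.Stream and WScript.Shell to drop and launch a file, Office documents carrying a VBA project that runs on open, and tiny PE stubs such as Upatre that only fetch a banker. The following mail-gateway triage filter is an added example written for this page, not code from the original report or from Kaspersky Lab; it checks constructed sample attachments for exactly those traits. The extension list, the two-reason threshold for a block verdict and the sample file contents are assumptions; the 3.5 KB ceiling is the figure the report gives for Upatre.

```python
import io
import os
import zipfile

SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf"}

# Static traits taken from the family descriptions above. Matching is a plain
# substring search, so an obfuscated script that builds these names at run time
# will evade it; this is a triage filter, not a replacement for the gateway AV.
SCRIPT_MARKERS = {
    b"ADODB.Stream": "ADODB.Stream (writes downloaded bytes to disk)",
    b"SaveToFile": "SaveToFile (drops a file)",
    b"WScript.Shell": "WScript.Shell (launches the dropped file)",
}
UPATRE_MAX_BYTES = 3584  # 3.5 KB, the ceiling the report gives for Upatre


def triage(name, data):
    """Classify one attachment as 'block', 'review' or 'allow', with reasons."""
    reasons = []
    ext = os.path.splitext(name.lower())[1]
    if ext in SCRIPT_EXT:
        reasons.append(f"script attachment ({ext})")
        reasons += [why for marker, why in SCRIPT_MARKERS.items() if marker in data]
    elif data[:2] == b"PK":
        # OOXML (docm, xlsm, ...) is a zip; a VBA project is stored as vbaProject.bin
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    reasons.append("Office document carrying a VBA project")
        except zipfile.BadZipFile:
            reasons.append("zip signature but unreadable container")
    elif data[:2] == b"MZ":
        reasons.append("PE executable")
        if len(data) <= UPATRE_MAX_BYTES:
            reasons.append("tiny PE (<= 3.5 KB), typical of downloader stubs such as Upatre")
    if len(reasons) >= 2:
        return "block", reasons
    if reasons:
        return "review", reasons
    return "allow", reasons


def build_docm_with_vba():
    """Constructed minimal OOXML container with a dummy VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


# Constructed samples: a few bytes carrying the traits, not real malware.
SAMPLES = {
    "invoice_7731.js": (b"var s=new ActiveXObject('ADODB.Stream');/* ... */"
                        b"s.SaveToFile(f,2);new ActiveXObject('WScript.Shell').Run(f);"),
    "scan.vbs": b'Set s = CreateObject("ADODB.Stream")\r\ns.SaveToFile "a.zip", 2\r\n',
    "order.docm": build_docm_with_vba(),
    "update.exe": b"MZ" + b"\x00" * 2000,
    "readme.txt": b"Thanks for your order. Regards, Edward\r\n",
}


def triage_all(samples=SAMPLES):
    """Run triage over a mapping of filename -> bytes."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reasons) in triage_all().items():
        print(f"{name:18} {verdict:7} {'; '.join(reasons)}")
```

The verdict tiers matter more than the individual markers: a lone hit (a macro-enabled document, a bare script) goes to a review queue so that legitimate automation is not silently dropped, while two or more independent traits are blocked outright. A real deployment would also unpack ZIP attachments before triage, since the VBS.Agent family in the report uses archives precisely to get past filters like this one.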
The Royal Bank of Scotland is to provide the City of London Police with free training and advice to help fight financial crime. The bank will share financial, legal, language and cyber knowledge under an agreement to be announced this week, reports the Financial Times. Microsoft announced a similar agreement in September 2014 to share cyber threat intelligence with the Financial Services Information Sharing and Analysis Center (FS-ISAC) to help fight cyber crime. In March 2014, a survey by PricewaterhouseCoopers revealed cyber crime is the second most common type of economic crime reported by financial services respondents after asset misappropriation. Last week, RBS announced it had set aside £400m to cover potential fines for manipulating currency markets and warned that further charges for past misconduct would continue to hit its profits. But City of London Police told the FT that any investigation into the bank will be kept separate from the new working relationship with RBS and that bank employees will not be involved in police operations. RBS will also not be asked for advice relating to specific police investigations, which range from insurance and card payment fraud to bribery, corruption and rogue financial traders. The co-operation agreement forms part of a police drive to crack down on financial crime in the UK, which is expected to cost the economy more than £73bn in 2014. The top ten internet-enabled frauds in the past year cost the UK £670m, according to statistics released in October 2014 by public-private internet safety initiative Get Safe Online. Financial crime is increasingly cyber-enabled, with criminals targeting bank and other financial computer systems to steal personal data to be used to commit fraud. The personal financial data of millions of US citizens have been stolen in recent months in a series of high-profile data breaches at banking institutions. 
In August 2014, the FBI said it was investigating a series of cyber attacks at JP Morgan Chase and at least four other financial institutions. The City of London Police has the UK’s biggest anti-fraud team and incorporates Action Fraud, the UK’s national fraud and cyber crime reporting centre.

Reporting fraud

Since launching in October 2009, Action Fraud has established itself as the place where victims of fraud can make an official crime report and find the professional support they need. According to the City of London Police, fraud, cyber-enabled fraud and cyber-dependent fraud reporting increased significantly from 2012 to 2013 when police forces started directing all victims to Action Fraud’s national contact centre and online reporting portal. In 2013 and 2014, more than 210,000 victims of fraud – individuals and small to medium sized businesses – reported in this way, marking a 17% increase on the previous year. All of the reports to Action Fraud are passed directly to the National Fraud Intelligence Bureau (NFIB), based within the City of London Police. The NFIB uses the reports as the basis of crime reports to local forces, of public and private sector fraud alerts and of recommendations for disruption of criminal activities. Since moving to the City of London Police in April 2014, the Action Fraud team has focused on victim support. The service now sends letters to everyone who makes a report, providing an update on how the information they have provided is being used by the NFIB. Pauline Smith, head of Action Fraud, said the service has come a long way since it was established, but there is still a lot of work to be done.
“We recognise there is a lot of work for us still to do in raising our profile across all demographics of people living in the UK and explaining how important it is for them to contact us if they have fallen victim to a fraud, cyber-enabled fraud or a cyber-dependent fraud,” she said. Get Safe Online said the true economic cost is unknown because a significant number of internet-enabled fraud cases still go unreported. A Get Safe Online survey revealed that only 32% of victims reported the crime, while 47% of victims said they did not know how to report an online crime. Get Safe Online said it expected this figure to drop with the ongoing work of Action Fraud and the increased government resources dedicated to fighting cyber crime.