SophosLabs research finds 'designer' cyber threats on the rise


Johannesburg, 10 May 2016

Sophos has revealed research that indicates a growing trend among cyber criminals to target and even filter out specific countries when designing ransomware and other malicious cyber attacks. The research includes information from millions of endpoints worldwide and is analysed by the team at SophosLabs.

To lure more victims with their attacks, cyber criminals are now crafting customised spam to carry threats using regional vernacular, brands and payment methods for better cultural compatibility, according to Sophos.

Ransomware, cleverly disguised as authentic e-mail notifications, complete with counterfeit local logos, is more believable, highly clickable and therefore more financially rewarding to the criminal. To be as effective as possible, these scam e-mails now impersonate local postal companies, tax and law enforcement agencies and utility firms, including phony shipping notices, refunds, speeding tickets and electricity bills. SophosLabs has seen a rise in spam in which the grammar is more often correct and the punctuation perfect.

"It's becoming harder to spot fake e-mails," says Brett Myroff, MD of Sophos distributor, NetXactics. "Being aware of the tactics used in your region is becoming an important aspect of security."

Researchers also saw historic trends of different ransomware strains that targeted specific locations. Versions of CryptoWall predominantly hit victims in the US, UK, Canada, Australia, Germany and France; TorrentLocker attacked primarily the UK, Italy, Australia and Spain; and TeslaCrypt homed in on the UK, US, Canada, Singapore and Thailand.

The analysis also shows Threat Exposure Rates (TER) for countries during the first three months of 2016. Although Western economies are more highly targeted, they typically have a lower TER. Nations ranked with the lowest TER include France at 5.2%, Canada at 4.6%, Australia at 4.1%, the US at 3%, and the UK at 2.8%. Algeria at 30.7%, Bolivia at 20.3%, Pakistan at 19.9%, China at 18.5% and India at 16.9% are among countries with the highest percentage of endpoints exposed to a malware attack.

Even money laundering is localised to be more lucrative. Credit card processing can be risky for criminals, so they started using anonymous Internet payment methods to extort money from ransomware victims. Sophos has seen cyber crooks using local online cash-equivalent cards and purchasing locations, such as prepaid Green Dot MoneyPak cards from Walgreens in the US, and Ukash from various retail outlets in the UK.

The concept of filtering out specific countries has also emerged as a trend.

"Cyber criminals are programming attacks to avoid certain countries or keyboards with a particular language. This could be happening for many reasons, such as criminals wanting to avoid detection, thus not wanting attacks anywhere near their launch point. It could be national pride or perhaps there's a conspiratorial undertone to create suspicion about a country by omitting it from an attack."

Banking is an example of how cyber criminals are using location-based malware to be more prosperous. "There is an entire cottage industry of uniquely crafted Trojans just targeting banks in Brazil, for example," Myroff says.

With cyber criminals having a deliberate hand in creating threats that look authentic and are specifically targeted, it is more difficult to recognise malicious spam. Home computer users are often a target of these attacks and should protect their systems from sophisticated malware threats. Free enterprise-grade security software that can detect threats and protect both Mac and PC for the home user is available from Sophos.

This research and analysis is from SophosLabs, a network of security experts across the world who detect and track all types of Internet breaches 24/7/365 worldwide, including computer viruses, advanced malware and Trojans, spam, Web threats, hack attacks and more. SophosLabs receives and investigates millions of e-mails, URLs, files and other data points daily, and leverages its extensive expertise within the group to develop new definitions that detect entire classes of threats and new variants. With facilities strategically located in Australia, Hungary, the UK and Canada, SophosLabs experts also monitor and determine threat trends and maintain malware, spam and Web threat dashboards in real-time.

NetXactics

Established in 1998, NetXactics is a South African company that specialises in sales, marketing and distribution of IT and related products. Its approach is unique, focusing on long-term growth coupled with exceptional customer stability. NetXactics has attained a level 5 generic BEE rating.

Editorial contacts

Adriaan du Plessis
Me Talk Pretty
(011) 782 1345
adpl@telkomsa.net