Global Security Report: 2016 Quarter 1


What is the Global Security Report?

As the 2015 Global Security Report predicted, malware has not slowed down over the first quarter. Largely due to companies failing to back up their files and install robust antivirus software, ransomware has hit a fever pitch in 2016, now being the main method for cybercriminals to make money in the cyber underworld.

Major crime groups have been leveraging botnets to deliver this encrypted ransomware in very large and very consistent blasts. Keyloggers and Bitcoin mining malware are still out there, but have fallen into the shadows of these massive ransomware attacks.

These ransomware attacks have morphed from a simple cast net-style approach where cybercriminals target whomever they can get, to targeted spearphishing attacks as seen against healthcare providers in the past few months.

What were some of the biggest trends of the first quarter?

Malicious macros in Microsoft Word and Excel documents have been a very popular method for delivering Trojans with ransomware encryption commands inside of them. Even though macros are disabled by default in Microsoft products, cybercriminals find it easy to hoodwink victims into enabling them.

For those who are not falling for the macro method, cybercriminals are also utilizing hidden PowerShell commands in documents to infect machines, as well as obfuscated JavaScript as a vehicle to deliver attack code.

There has also been an increase in the frequency of highly targeted attacks against companies and individuals. Wire transfer attacks have been a very popular theme targeting finance departments and the individuals inside of them. These attacks utilize custom communications spoofed to appear to come from within an organization, most often impersonating someone from the company’s c-suite.

Increasingly accompanying wire transfer fraud is the Distributed Spam Distraction (DSD) technique. DSD floods an individual’s inbox with spam in an attempt to hide critical confirmation emails for money transfers or purchases made in the victim’s name, which would normally alert the victim to the fraud.

In addition to these topics, this report will examine other campaigns AppRiver has been thwarting over the past quarter, and major spam and malware campaigns that have been trending across the globe. The report will delve into the metrics as seen by AppRiver's SecureTide™ and SecureSurf™ filters from their nodes throughout the world.

Virus Traffic Soars

Is there an increase in traffic this year?

Just as AppRiver predicted in the 2015 Year-End Global Security Report, malware traffic has been on the uptick for the first quarter. From January 1 through March 31, AppRiver quarantined more than 2.3 billion malicious email messages, and 1.7 billion of those were from March alone. For scope, AppRiver quarantined just shy of 1.7 billion in the whole of 2015.

The big contributors to this large volume of malware were again JavaScript- and macro-based malware, with JavaScript being the more prevalent and effective of the two. Using these attack vectors, malware authors are able to continually generate new code, which makes their messages more likely to evade antivirus filters and sail into their victims’ inboxes.

Cybercriminals’ ability to generate new code so quickly is why it is critical that organizations have their antivirus solutions updated at all times. Often, these updates contain new antimalware code to combat the newest malware campaigns. Organizations can also take the user-error out of the equation by using cloud-based antivirus solutions, which are updated in real time.

Distributed Spam Distraction Dizzies Victims

What is Distributed Spam Distraction?

Over the past few months, there has been an increase in highly targeted and customized attacks against individuals and organizations. One attack in particular, the Distributed Spam Distraction (DSD) technique, is unlike other targeted attacks, partly because it is so rudimentary that it actually works. Instead of spoofing an email address or website URL, a DSD attack can target anyone. Here is what a DSD attack looks like: everything seems to be business as usual, until suddenly a victim’s inbox begins to rapidly fill up with hundreds or thousands of spam emails, the contents of which are nothing but a mash-up of words and phrases from literature or, as in the more recent versions, just random-length strings of letters and numbers.

There are typically no malicious links to follow, no hidden JavaScript, no pictures or advertisements; the message is just gibberish. Every email is different as well, nearly perfectly randomized; combing through them carefully, one may occasionally see some repeated content, but very rarely. The emails themselves are obviously botnet-delivered: all of the senders are different, usually free mail providers, the sending IPs are all different, and the rate at which they arrive would make one’s head spin. These blasts can last anywhere from 12 to 24 hours and dump an average of 100,000 pieces of this garbage in that duration, until suddenly the attack stops as quickly as it began.

The theory behind DSDs is that with an overflowing inbox, valid emails are quickly lost in the deluge. While the victim is distracted with the mass dump of emails, a confirmation email containing a purchase or wire transfer confirmation code is much more likely to pass through undetected, giving the cybercriminal enough time to get away with his purchase or money.

In some cases, the cybercriminals are buying expensive items, such as electronics, with the victim’s previously stolen credit card or banking information, and are waiting for an email in which they need to click a confirmation link, or hiding wire transfer confirmations from the victim’s bank accounts directly. By the time these emails are located, if they even are, the deed is done.

Should an individual believe he or she is the victim of a DSD campaign, time is critical. Some steps to mitigate the damage are:

  • Change all passwords for all email, credit card, and banking accounts
  • Monitor and alert all bank and credit card accounts for fraudulent activity
  • Check for fraudulent confirmation emails
  • Report the attack to the authorities, especially if your information is compromised
  • Obtain new account numbers for any potentially compromised accounts
  • Enroll in credit monitoring

AppRiver clients should call the company’s support hotline if they suspect this type of attack is happening to them. The company can monitor clients’ inboxes and alleviate some of the spam messages. As the spam messages are blocked, the cybercriminal will likely realize that the victim is onto the DSD campaign, and scrub the plans of defrauding the victim.
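A small triage script for the DSD pattern described above, added here as an example and not part of the AppRiver report: it buckets inbound mail into ten-minute windows, flags windows where nearly every message comes from a different sender and a different sending IP, and then pulls out any message inside a flagged window that mentions an order, purchase or wire transfer confirmation, which is the email the checklist above says to go looking for. The log records are constructed for the example, and the window size and thresholds are assumptions to tune per mailbox.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CONFIRM_WORDS = ("confirmation", "confirm", "wire transfer", "order", "purchase")

def build_sample():
    """Constructed inbound-mail records (not real data): (time, sender, IP, subject)."""
    t0 = datetime(2016, 3, 10, 9, 0, 0)
    log = [(t0 - timedelta(minutes=30), "bob@vendor.example", "203.0.113.5",
            "Re: quarterly invoice")]
    # DSD blast: 40 gibberish messages in ten minutes, each from a new
    # free-mail sender and a new sending IP, as the report describes.
    for i in range(40):
        log.append((t0 + timedelta(seconds=15 * i), f"u{i:03d}@freemail{i % 7}.example",
                    f"198.51.100.{i}", f"gyre gimble wabe {i}"))
    # The message the attacker wants buried, arriving in the middle of the blast.
    log.append((t0 + timedelta(minutes=4), "alerts@bank.example", "192.0.2.10",
                "Wire transfer confirmation code 8841"))
    return log

def dsd_windows(log, window_min=10, min_count=25, min_unique=0.9):
    """Return window start times whose traffic looks like a DSD blast: high
    volume with nearly every message from a distinct sender and distinct IP."""
    buckets = defaultdict(list)
    for ts, sender, ip, _subj in log:
        start = ts.replace(minute=ts.minute - ts.minute % window_min,
                           second=0, microsecond=0)
        buckets[start].append((sender, ip))
    flagged = []
    for start, msgs in sorted(buckets.items()):
        n = len(msgs)
        if n < min_count:
            continue
        uniq_senders = len({s for s, _ in msgs}) / n
        uniq_ips = len({ip for _, ip in msgs}) / n
        if uniq_senders >= min_unique and uniq_ips >= min_unique:
            flagged.append(start)
    return flagged

def surface_confirmations(log, windows, window_min=10):
    """Messages inside a flagged window that mention an order, purchase or
    wire transfer confirmation: the ones a victim should review first."""
    hits = []
    for ts, sender, _ip, subj in log:
        in_blast = any(w <= ts < w + timedelta(minutes=window_min) for w in windows)
        if in_blast and any(k in subj.lower() for k in CONFIRM_WORDS):
            hits.append((ts, sender, subj))
    return hits

if __name__ == "__main__":
    sample = build_sample()
    print(surface_confirmations(sample, dsd_windows(sample)))
```

On the constructed sample the only flagged window is 09:00, and the single message surfaced from it is the bank's wire transfer confirmation.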

Ransomware Welcomes Locky & Targets Macs

How sophisticated is ransomware on the Dark Web now?

Many people who keep up with the latest security threats probably are well aware of the ransomware called Locky. Locky is a piece of malware that came out around mid-February and it hit the ground running looking for victims.

The initial vector was a Trojan downloader inside macro-enabled Word documents, which is a pretty common tactic. Running the macro in one of these files would then download the actual Locky virus and start encrypting files on the computer while changing the file extensions to “.locky”.

While Locky uses methods similar to those seen in ransomware in the past, the biggest factor pushing its success is that its authors persistently try to keep it ahead of virus scanning by pushing it in extremely large volumes. The more users that get infected and end up paying the ransom, the more money the cybercriminals make, driving this sort of malware to keep evolving.

What were some of the big ransomware scams this quarter?

Locky was not the only kid on the block of new ransomware this quarter, though. Ransomware targeting Linux and OSX operating systems also made news.

In early March, a BitTorrent client OSX installer was infected with ransomware code. After the ransomware had encrypted all of the user’s files, the user received the standard popup notification seen with ransomware these days, with instructions on how to pay the ransom (about one bitcoin) to get the files back.

While not nearly as popular as its Windows counterparts, Linux ransomware still makes headlines as well. One of the biggest reasons this can be a major issue is that a very large number of Web servers on the Internet run on Linux. This means that rather than an end user’s machine getting infected and causing problems, an entire Web server could be compromised, taking down user data as well as any web-facing information a company may have. Without proper backups for important systems such as servers, it could be a real headache or disaster for some businesses, depending on what is hosted on the server.

Is there any way to fix being ransomed, or is it hopeless?

Ransomware continues to be a problem for individuals and businesses in general these days. With the success of Cryptolocker when it first came out, it was pretty evident that others would follow in its footsteps and become more evolved. There have been more and more high profile cases of large organizations being affected by ransomware as well.

Lately, there has been a rash of hospitals affected by ransomware. In these ransomware attacks, private patient data is often what is encrypted. Healthcare professionals’ ability to access patient records quickly could literally mean life or death for a patient, making these ransomware attacks extremely dangerous.

There are tools being created and AV engines constantly trying to stay ahead of the curve, but as with most security training, a lot of the prevention comes down to user training. Organizations and the individuals within them should be vigilant in spotting questionable attachments, as well as avoid browsing the Internet without a Web protection solution in place.

In the bigger picture, users cannot be expected to be perfect and recognize every threat. This is why from a technical standpoint, it is just as important to have systems in place to monitor network traffic and communications to try and stop malicious content from ever getting in to a user’s control.

Phishing Campaigns Reel in Big Bucks with Business Email Compromise

What were some of the phishing campaigns seen in the first quarter?

USAA Members Targeted

US military members and their families were once again in the cybercrime crosshairs as USAA members were targeted by cybercriminals looking to harvest their account credentials.

The attack came in the form of email, with the messages utilizing the very common technique of PDF-embedded links to phishing websites. Phishing links within a PDF are a tried and true method AppRiver has seen used heavily throughout the month of March.

The messages (as seen below) are very simple and are spoofed to appear to come from USAA. The message body is blank and there is a PDF attached with instructions to click the link:

The URL leads to a phishing page that looks identical to the actual USAA login, save for the base domain of the URL. If the intended victim is paying close enough attention, he or she might notice the URL is not actually

USAA Screencap

Once the victim’s credentials have been phished, the cybercriminals may gain access to the victim’s account, which in many cases includes bank and credit accounts. Users should remember not to click on links or files in any unsolicited emails, as well as to check the name of the domain that they are logging into.

Wire Transfer Fraud

How much money have companies been paying?

Business Email Compromise (BEC) started picking up in October 2015, and it has shown no signs of slowing down since then.

This threat starts with a spoofed email that appears to come from a high-level executive within the target organization, such as the CFO, to someone with access to the purse strings, say an accountant. After a couple of simple exchanges, the cybercriminal requests a wire transfer, usually to the tune of $20-$50K. Because of the power dynamics in play (many employees, even those vigilant about cybersecurity, would not question their boss’s boss’s boss) and the trust established by the spoofed email and courteous email exchanges, the cybercriminal is able to use social engineering to commit wire transfer fraud.

The details of the attack are evidence that the attackers have spent time carefully gathering enough intelligence about the organization to craft an attack that is highly targeted.

These messages can be innocuous at first, with the hacker (disguised as an executive or internal employee) asking the victims if they are at their desks. To pull this off, the hacker sends the emails using a display address of the company’s domain, but uses a reply-to address of an external domain, often a free email service. Using this method, the victims can often end up conversing with the hacker via email without realizing they are being duped.

This method is used to steal thousands of dollars from companies in fraudulent transfers, often with the requests in the $20-50K range. While that is quite a bitter pill to swallow, many attempts are for much higher amounts and can lead to financial ruin for some companies.

These attacks have proven so effective that the FBI even released a recent warning about the increased traffic associated with this threat. According to the FBI, losses from this form of attack have totaled $2.3 billion since October 2013, with losses averaging $25,000-$75,000 per incident. AppRiver’s SecureTide has its own proprietary technology that allows for the identification and quarantine of this type of attack. In Q1 of 2016, AppRiver’s filters successfully captured more than 27,000 of these targeted attacks.

Tax Return Fraud

During this year’s tax season, AppRiver’s filters caught some nasty tax-related spearphishing emails targeting finance and human resources departments. These tricky emails were crafted in a way to make it look like the message was coming from someone important within the company, like the CEO, requesting that employees’ tax information, such as W-2 forms, social security numbers, and payroll information, be sent to him or her.

The cybercriminals used methods that are very similar to the wire transfer fraud emails, in which a cybercriminal asks a user to wire large sums of cash to an account that the cybercriminal controls. Both of these email phishing tactics are performed in a few different ways, such as spoofing email addresses, using custom reply-to addresses, or even slightly misspelling domain names to trick users who do not keep a close eye on things.

Cybercriminals often put some effort into these messages by doing research on the company they are attempting to phish. Many make sure to use proper names of the CEO, sometimes even using the company’s proper email signatures, to make the email look even more convincing.
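To make the header tricks described in the wire transfer and tax return sections concrete, here is an added example (not code from the report or from AppRiver) that checks one raw message for the three indicators named above: a Reply-To domain that differs from the From domain, a sender domain one or two characters off the company’s own, and an executive’s display name arriving from an external domain. The company domain, the executive list and the sample messages are assumptions constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"   # assumed: the defended organisation's own domain
EXECUTIVES = {"jane doe"}        # assumed: display names worth protecting (the CFO here)

# Constructed messages (not real captures). The first shows the report's pattern:
# a From address on the company domain, with replies silently routed elsewhere.
SAMPLE_BEC = """\
From: "Jane Doe" <jane.doe@example.com>
Reply-To: jane.doe.cfo@freemail.example
Subject: Are you at your desk?

Need a wire handled today, reply as soon as you see this.
"""
# Second pattern from the report: a slightly misspelled sender domain.
SAMPLE_LOOKALIKE = 'From: "Jane Doe" <jane.doe@examp1e.com>\nSubject: Urgent payment\n'
# A legitimate internal message, which should raise nothing.
SAMPLE_CLEAN = 'From: "Jane Doe" <jane.doe@example.com>\nSubject: Lunch?\n'

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw):
    """Return the BEC-style header findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom = addr.rpartition("@")[2].lower()
    reply_dom = reply.rpartition("@")[2].lower()
    findings = []
    # Custom reply-to address: replies leave the organisation without the victim noticing.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from From domain {from_dom}")
    # Misspelled domain: within two edits of the real one but not equal to it.
    if from_dom != COMPANY_DOMAIN and 0 < edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_dom}")
    # Executive's name on mail that did not originate from the company domain.
    if name.lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        findings.append(f"executive display name '{name}' sent from external domain {from_dom}")
    return findings

if __name__ == "__main__":
    for label, raw in (("bec", SAMPLE_BEC), ("lookalike", SAMPLE_LOOKALIKE), ("clean", SAMPLE_CLEAN)):
        print(label, bec_indicators(raw))
```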

For the first quarter in 2016, AppRiver’s filters captured about 27,000 custom spearphishing messages. Compared to the millions and billions of messages captured, this can seem like a small amount. But the key point to remember about these types of attacks is that they are customized for the recipient and they can have serious implications if they are successful.

A successful wire transfer phishing attempt could mean a company is out tens of thousands of dollars, and a successful tax phishing message could mean an accountant just sent everyone’s W-2 forms to a foreign party. A few companies have been much less fortunate in these attacks, sometimes losing tens of millions of dollars or suffering data breaches due to phishing emails.

Traffic by Region

This chart represents region of origin for spam as detected by AppRiver filters. North America was again the most common point of origin for spam in Q1 2016.

Spam by Country

This chart represents the top ten countries (not including the United States) from which spam originated during Q1 2016 as seen by AppRiver’s filters. The US remained the top point of origin for spam as AppRiver saw nearly 2.5 billion spam and malicious emails with the US as its point of origin throughout Q1. India is seen here barely edging out Mexico as top spam point of origination in Q1 2016.

Top Ten Countries from Q1 2016

The chart below displays spam and malware email traffic as seen throughout Q1. November and December of 2015 were banner months in terms of malicious email activity. After a relatively lax January, both February and March eclipsed the previous high points seen at the end of 2015.

Malware email traffic through Q1

Top Email Virus Threats

These are the top 20 malware threats AppRiver saw in Q1 of 2016 in order of frequency, with the most frequent appearing in the top position. The virus names that begin with "X." signify rules that were written by AppRiver’s security analysts. This does not mean that other antivirus vendors did not eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before any of them.

  • X.ObfJS38r
  • X.TrojDownAgnt.AT
  • X.HeurDocBDClu
  • X.Mal.mcro.harvB
  • X.MWjsObfT23c
  • X.BayorthNMA.322a
  • X.BDdocMGenMal.mso
  • X.JSrgtOBF.js
  • X.BDMcrHeurDocB.doc
  • X.MalRTFend.318a
  • X.W97Mcyrmac
  • JS\TrojanDownloader.Nemucod.GI_trojan
  • X.ObfJSheurNM1214a
  • W97M\Agent.43269
  • X.MalGenVBA216e
  • X.MacEYSgen113
  • X.MalGenVBA216b
  • X.ObfJS310g
  • VBA\TrojanDownloader.Agent.AXA_trojan
  • X.MalRTFend.317
  • X.Pandorea.324a