Global Security Report: 2016 Quarter 2


While spam email traffic is leveling off, email traffic has never been more dangerous. What used to be a constant stream of messages touting fake Rolex watches, male enhancement pills and pornography has now become a 24/7 deluge of ransomware, spyware, phishing, and other malware.

Malware activity continued to expand in the second quarter. While our research team saw a disruption from one massive botnet, the respite proved to only be temporary.

Ransomware remained in the spotlight given the massive amount of traffic associated with this threat throughout the second quarter. The continued proliferation of ransomware was just part of a bigger picture where other forms of malware and phishing attempts are being sent with greater frequency than ever before.


Necurs botnet slows in wake of arrests

Over the past year, malware levels have seemed to double every quarter. In Q2, we recorded an uncharacteristically busy April and a record-breaking May.

However, suddenly and without warning, there was a global disruption in malicious email traffic, which fell to less than one tenth of its prior daily volume. As of June 1, 2016, malware traffic was down by 90-95 percent, raising the question: why?

It appears that this drop in traffic was driven in large part by a period of inactivity from the Necurs botnet, which until June 1 had been driving the massive distribution of both Locky Ransomware and the Dridex Trojan.

On that very same day, news broke that the Russian-based cybercrime group commonly referred to as Lurk or Buhtrap (based on the malware families they commonly used to infect their targets) had been arrested in a coordinated multi-regional operation. When the dust settled, 50 individuals had been arrested in connection with the group, which had been wreaking havoc on banks across Russia for months.

The Lurk/Buhtrap group had been operating since at least 2011, and over the years had transitioned from attacking consumers to committing highly targeted attacks aimed exclusively at Russian banks, using phishing emails to compromise their targets. These attacks had become much more sophisticated than when the group first appeared.

Before their arrest, they successfully compromised at least 13 Russian banks and stole in excess of $25 million (1.7bn Roubles).

So what is the connection between this one Russian group and the drop-off in global malware traffic? Perhaps it is nothing more than coincidence, and Necurs was simply closed for improvements. We have yet to see any concrete information that would directly connect the two events, but the timing suggests more than a coincidence.

Ultimately, the respite from Necurs was short-lived and on June 21, 2016, it resumed blasting huge malware bursts. Since then, Necurs has sustained the constant barrage of malware attachments it had once been so efficient at sending.

Banking Trojans Still Pose Threat

With ransomware attacks garnering all of the attention lately, it’s easy to forget that information-stealing malware designed to harvest personal and banking credentials is still thriving, and can be equally damaging or, in many cases, far more so.

The impact of finding that all of your files have been encrypted as the result of a ransomware attack will depend greatly on the importance of those files and how well they had been backed up. A home computer used exclusively to store pictures of the cat and play solitaire may not be as missed as your work computer containing the budget report for the entire company, for example. Additionally, being infected with Fareit, Zeus, Dridex, etc., can lead to the theft of your sensitive credentials—which leads to further data theft, credit fraud, and even identity theft.

At the time this report was issued, the latest version from the malware family known as “Fareit” was circulating via email, posing as a FedEx shipment notification. The ruse is a shipping receipt for a package that the courier was unable to deliver. The attached file, while it does have .pdf in the name, is actually a file archive created with the open source file archiver 7-Zip. Inside the compressed archive is an executable file (.exe) containing the Fareit malware.
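
A mail filter can catch this kind of mismatch by comparing what the attachment name claims with what the file's leading bytes say it is. The sketch below is an added example, not code from the original report; the file names and sample bytes are constructed, and the `EXPECTED` list is an illustrative assumption.

```python
# Leading magic bytes for the content types relevant to this check.
SIGNATURES = [
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),
]
# What a file carrying each document extension should actually contain.
# Assumption: a short illustrative list; OOXML files are ZIP containers.
EXPECTED = {"pdf": "pdf", "docx": "zip", "xlsx": "zip"}

def sniff(data):
    """Identify content by its leading bytes, ignoring the file name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"

def attachment_findings(filename, data):
    """Compare what the name claims with what the bytes actually are."""
    kind = sniff(data)
    tokens = filename.lower().split(".")[1:]   # every extension-like token
    findings = []
    for ext in tokens:
        want = EXPECTED.get(ext)
        # Flag only when the content is positively identified as something else.
        if want and kind not in ("unknown", want):
            findings.append(f"name claims .{ext} but content is {kind}")
    if kind == "exe":
        findings.append("executable content")
    return findings

# Constructed samples: only the leading bytes matter to the check.
SAMPLES = {
    "FedEx_receipt.pdf.7z": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26,
    "FedEx_receipt.pdf": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26,
    "invoice.pdf": b"%PDF-1.4\n",
    "report.docx": b"PK\x03\x04" + b"\x00" * 26,
    "label.pdf.exe": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", attachment_findings(name, blob) or "ok")
```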


The Fareit malware family has been circulating for a few years now. It is an information stealer that targets FTP credentials, email passwords and browser stored passwords.

During our dynamic analysis, our team observed all of the above being performed after the malware disabled local security tools. After scraping the machine for the aforementioned credentials, it established an outbound connection and pulled down a copy of the ever-popular Zeus Trojan.

Once the Zeus infection is in place, the cybercriminal can gather more credentials, such as banking information. In addition to having their data stolen, victims’ machines are also vulnerable to being used to perpetrate more attacks or in future DDoS attacks.

[Image: FedEx receipt]

The State of Phishing

Today’s phishing attacks range from highly targeted spear phishing to the more traditional cast-net style attack. In both cases, the cybercriminals have continued to hone their techniques to improve their success rate against their targets by adding greater detail and customization. One popular form of spear phishing that our team has been combatting with greater frequency this year is the targeted message that leads to wire transfer fraud. Often referred to as Business Email Compromise (BEC), these have been a popular attack vector throughout 2016. BECs have been estimated to have netted cybercriminals profits well into the billions of US dollars in the past few years.

These often begin with a message pretending to be from the CEO or another high-ranking company officer, sent only to a relevant person in the organization’s finance department. The attackers pick that person using public-facing data that they have gathered through means such as company websites and social media accounts. These messages can be innocuous at first, with the hacker (disguised as an executive or internal employee) asking the victims if they are at their desks.

To pull this off, the hacker sends the emails using a display address of the company’s domain, but uses a reply-to address of an external domain, often a free email service. These attacks usually lead to a wire transfer request ranging from $10,000-$50,000.

[Image: email phish]
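
The header pattern described above (a display address on the company’s own domain, replies steered to an outside mailbox) is straightforward to test for at the mail gateway. The following is an added example, not code from the original report; the messages are constructed, `example.com` stands in for the company domain, and the free-mail list is a placeholder to be replaced with real webmail domains.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: placeholder list; replace with the webmail domains you care about.
FREE_MAIL = {"freemail.example"}

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def bec_findings(raw_message, internal_domains, free_mail=FREE_MAIL):
    """Flag mail that shows an internal From domain but routes replies elsewhere."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    if from_dom in internal_domains and reply_dom and reply_dom != from_dom:
        findings.append("reply-to-external")
        if reply_dom in free_mail:
            findings.append("reply-to-free-mail")
    return findings

# Constructed sample messages.
SPOOFED = """\
From: "Pat Example" <pat@example.com>
Reply-To: pat.example.ceo@freemail.example
To: finance.clerk@example.com
Subject: Are you at your desk?

I need a wire transfer processed today.
"""

LEGIT = """\
From: "Pat Example" <pat@example.com>
To: finance.clerk@example.com
Subject: Budget review

See you at 3.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", bec_findings(raw, {"example.com"}) or "ok")
```

A message that trips this check is a candidate for quarantine or a warning banner; legitimate mailing tools sometimes set an external Reply-To, so expect to maintain an allow list.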

Of course, hackers are still hard at work phishing in bulk, with another increase in Q2. The traditional cast-net style approach has remained popular for gathering large volumes of data, as the stolen data can be leveraged by cybercriminals to commit financial fraud, sold on the Dark Web for profit, or utilized in future targeted attacks.

Below is an example of this type of attack. This specific one posed as a security alert from Apple. At its peak, our team was seeing close to 20,000 of these messages per hour. The message asks the user to verify his or her information so that his or her account can be unlocked.

[Image: Apple email phish]

Following the link in the email leads to a series of phishing pages, which leads to the compromise of the user’s name, address, telephone number, and credit card information.

[Image: card profile]

Ransomware Update

Over the past few years, one of the main topics when talking about malware has been a specific type called ransomware. Normally, ransomware holds a victim’s files hostage until he or she pays up, usually between $200 and $1000. It kidnaps the files, so to speak, by using a secure encryption method that encrypts files locally, requiring the victim to pay for the key to unlock them.

This malware tactic has made cybercriminals all over the world a huge amount of money. According to the FBI, 2016 is on course to net ransomware authors over $1 billion. Ransomware keeps growing in popularity because, well, it doesn’t just work; it works really, really well. Why does it work? Because many netizens and organizations don’t properly back up their files, if at all (a backed-up copy of an encrypted file would negate the need to pay a ransom).

Once the files have been encrypted, victims are left with the choice of paying to get them back or losing all of their files. While this could seem like just an annoyance to an everyday user who may have lost some cat photos or his AP literature paper from 10 years ago, it can be a major blow for businesses, both small and large.

Interruptions such as a hospital losing access to patient records, or even a utility company’s grid being taken offline, can have a far-reaching impact. With essentially everyone being a target, the ransomware authors try to infect as many people as possible to get paid. To make sure their business model continues, many cybercriminals will even help their victims decrypt their files (post payment, of course) to ensure that their reputation for delivering the encryption key is intact. If word spread that victims won’t get their files back no matter how much they pay, people would likely stop paying. And ultimately, people paying is what will continue to drive the release of this malware and its variants.

JavaScript usage

JavaScript malware is a powerful delivery conduit for malware campaigns, with many campaigns in the tens of millions. The infamous Locky ransomware depends on JavaScript malware to deliver its malevolent payload. The below image serves as an example of Locky in the wild, but it also stood out from standard messages we see, mainly because of what was inside the unzipped JavaScript file.

The message is written in an impatient tone in an attempt to get users to open its attachment urgently. Giving users enough detail to think the file is legitimate is what makes them curious enough to open it. The attached .zip contains a single JavaScript file, whose contents are mostly information and history about the antivirus company Avira. This short text, pulled from the Avira Wikipedia page, is simply repeated throughout the file.

[Image: reminder email phish]

[Image: bad hax]

We don’t often see filler text like this within the actual payload itself, so this stood out. This filler text pushed the size of the file up from about the 14,000 it needed to actually be, to around 470,000. No doubt this was an attempt to throw off virus scanning while keeping the filler content somewhat relevant in a slightly ironic way. With all of the comments removed, the file goes from about 3000 lines to a little less than 90.

[Image: bad hax 2]

Once executed, the payload encrypts the target’s files.

[Image: bad hax 3]
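
The gap between file size and real code is itself a usable signal for a scanner. The sketch below, an added example that is not part of the original report, strips comments from a script and reports how much of the file was filler; the sample script is constructed, the 0.8 threshold is an assumption, and regex literals and nested template expressions are not parsed.

```python
def strip_js_comments(src):
    """Remove // and /* */ comments while leaving string literals untouched."""
    out, i, n = [], 0, len(src)
    while i < n:
        ch = src[i]
        if ch in "\"'`":                      # string literal: copy to closing quote
            j = i + 1
            while j < n and src[j] != ch:
                j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1])
            i = j + 1
        elif src.startswith("//", i):         # line comment: skip to end of line
            j = src.find("\n", i)
            i = n if j == -1 else j
        elif src.startswith("/*", i):         # block comment: skip past the closer
            j = src.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def padding_report(src, max_filler_ratio=0.8):
    """Measure how much of a script is comments or blank space."""
    code_lines = [l.strip() for l in strip_js_comments(src).splitlines() if l.strip()]
    code_bytes = sum(len(l) for l in code_lines)
    ratio = 1 - code_bytes / len(src) if src else 0.0
    return {
        "total_bytes": len(src),
        "code_bytes": code_bytes,
        "total_lines": len(src.splitlines()),
        "code_lines": len(code_lines),
        "filler_ratio": round(ratio, 3),
        "suspicious": ratio >= max_filler_ratio,
    }

# Constructed sample: harmless code padded with repeated comment text.
FILLER = "// Constructed filler sentence standing in for repeated encyclopedia text.\n"
CODE = 'var u = "http://placeholder.example/a"; /* note */\nvar n = 1; // counter\n'
PADDED = FILLER * 200 + CODE

if __name__ == "__main__":
    print(padding_report(PADDED))
    print(padding_report(CODE))
```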

Malicious macros and OLEs

The majority of malware associated with Microsoft Office software takes the form of malicious macros. Macros are bits of code that are embedded into spreadsheets and documents (such as Word and Excel files) to automate tasks. When used properly, they can make tasks such as filling out complex forms or calculating a large amount of data much easier and more precise.

Because macros are such a powerful tool and are built in, malware authors often abuse them, writing code to download and execute viruses. However, there is also a lesser-known malware vector related to Office programs. It’s called OLE malware, OLE standing for Object Linking and Embedding.

OLE allows a separate file to be embedded into the document itself and be linked to within the file. Double-clicking something like an icon in a Word document body could open and execute an embedded file. Malware authors use this in a similar way to macro malware: they try to get a user to click the OLE link and execute malicious code.

The OLE malware isn’t necessarily anything new, but there has been a slight uptick in it in 2016. While it still requires user interaction to run the embedded file, many users still fall for its tricks. Often the file says something along the lines of the document being secure and a user must double-click the embedded object, or for macros that they need to click the “Enable Content” button at the top which runs the code.

Both of these types of malware are very dangerous to an organization due to the familiarity most users have with the Office suite. Many people don’t realize these powerful features and tools are built in, and that if they are coded with malicious intent, users can easily get infected.

Taking steps to block these types of files and train users can go a long way in protecting computers from infection. One of the popular steps admins have been taking lately has been to go the extra step and disable macro and OLE functionality within Office itself for their entire organization—from the c-suite to the interns. For an organization that doesn’t have a need for macros to be enabled, disabling them can be a great step for securing end user machines in the event they get a hold of a malicious file.


Wendy’s Customers Served More than Frosties

Data breaches have continued this quarter with personal information being one of the major targets. However, it goes without saying that credit card and banking information are still big money makers for cybercriminals.

Wendy’s, which has about 5500 fast food chain restaurants, announced earlier in the quarter that they were victim to a credit card breach. As with many credit card related breaches, the announcement said the breach was through a compromised point of sale system and only affected about 300 of their stores. However, later on in June, Wendy’s made an announcement that the breach appears to be significantly larger than they first expected and possibly still ongoing.

This is very bad news as Wendy’s is still not sure how long the data skimming has been occurring. With a large fast food chain like Wendy’s, the cybercriminals have surely netted countless credit card numbers from the POS skimming. The investigation is still ongoing, but this data breach could turn out to be up there with some of the larger credit card breaches at major retailers in the past.

Myspace hack reminds the world that Tom actually has 427 million friends.

Credit card data is one of the major focuses for attackers to target, but another one is personal data. Two major incidents that were in the spotlight this quarter were the Myspace and LinkedIn breaches.

With the Myspace breach being around 427 million and LinkedIn coming in at 117 million, these rank as some of the largest data breaches to date. Cybercriminals like to target personal information like logins and passwords since it can further help in other attacks. Many users will have the same email address and password combination to log into various social media sites, banking accounts, etc.

By getting a user’s data from one of these breaches, a cybercriminal may be able to turn around and use that same information elsewhere to further the attack on a specific user. And that’s exactly what happened for many people.

Most notably, some well-known CEOs fell victim to social media hacking attacks, some directly due to leaks and reusing passwords. A group that calls themselves OurMine has been targeting some CEOs of major corporations lately, and data from breaches has helped them pull off some social media account hacks.

Facebook’s Mark Zuckerberg was victim to one of their attacks and they gained access to his Instagram account. The password he used on LinkedIn ended up being the same one he used there. Google CEO Sundar Pichai had his Twitter and Quora accounts hacked. Daniel Ek, the founder of Spotify, and Werner Vogels, the CTO at Amazon, also had their Twitter accounts breached. Reusing passwords should be a thing of the past these days given how dangerous and, unfortunately, likely it is that a website you use may have a data breach.


Malware Traffic

In Q2 of 2016, our security analyst team quarantined about 4.2 billion emails containing malware. This total was double that of the already record-setting total we had recorded in Q1 of this year.

This quarter’s malicious traffic relied heavily upon the use of macro embedded documents and malicious JavaScript attachments. They also utilized the more traditional zipped executable approach along with some less common methods, like the use of legacy Word template files. Below you can see the steady increase of malicious email activity over the past four quarters.

[Image: malware traffic 1]

Throughout the quarter, malware levels sustained rates routinely beyond previous daily totals that we have recorded. However, on June 1, 2016, traffic fell significantly for what would be a 20-day period of reduced malware activity. When the quarter had ended, we had quarantined just over 4.2 billion emails containing malware, the highest total in a three-month period that we have seen to date.

[Image: malware traffic 2]

Spam Traffic

Spam traffic remained steady throughout Q2. Even as the Necurs botnet was on its brief hiatus in early June, spam traffic persisted. In total we quarantined 3.35 billion spam messages in the quarter.

[Image: spam traffic]

Top Ten

Of the 3.3 billion spam messages quarantined in Q2, 2.3 billion of them emanated from the 10 countries pictured below.

[Image: top ten]

Spam Traffic by Region

The chart below represents the global distribution of spam sources by region.

[Image: spam by traffic]

Web Metrics

Daily Threat Percentage

The following are Web metrics as seen by our SecureSurf™ Web filtering solution. The chart below displays the percentage of web traffic deemed bad on a daily basis throughout Q2. This includes malware, phishing and compromised sites. The spike around the US tax day indicates an increase in tax related scams surrounding that event.

[Image: daily threat percentage]

Threats Tracked

The following displays the total number of unique threat locations (domains, URIs and IPs) that we were tracking throughout the month of June. On average, we were tracking around 43 million unique threat locations on any given day with malware being the most prevalent.

[Image: threats tracked]

Blocked Threats

The following chart displays the sum of both malware and phishing blocked DNS requests by our Web filtering customers. A blocked request could be generated by a user initiated request or in the background via malware activity.

[Image: blocked threats]