ComputerWeekly.com – Warwick Ashford – May 4, 2016

Cyber attackers are crafting spam to deliver malware that uses vernacular, brands and payment methods for better cultural compatibility, Sophos researchers find

Cyber criminals are increasingly designing attacks for specific countries to trick victims into downloading malware, according to research by SophosLabs.

Analysis of data from millions of endpoints worldwide revealed a growing trend of crafting spam to deliver malware that uses vernacular, brands and payment methods for better cultural compatibility.

Ransomware disguised as an authentic email or notification, complete with local logos, is more believable, and therefore more financially rewarding to cyber criminals, the researchers said.

To be as effective as possible, scam emails are also impersonating local postal companies, tax and law enforcement agencies and utility firms through phony shipping notices, refunds, speeding tickets and electricity bills.

SophosLabs noted a rise in spam where the grammar was more often properly written and perfectly punctuated.

“You have to look harder to spot fake emails,” said Chester Wisniewski, senior security advisor at Sophos. “Being aware of the tactics used in your region is becoming an important aspect of security.”

Researchers also saw historic trends of different ransomware strains that targeted specific locations. Versions of CryptoWall predominantly hit victims in the US, UK, Canada, Australia, Germany and France; TorrentLocker attacked primarily the UK, Italy, Australia and Spain; and TeslaCrypt honed in on the UK, US, Canada, Singapore and Thailand.

The analysis also showed the level of malware infections and attacks per 1,000 Sophos endpoints for countries in the first three months of 2016, also known as threat exposure rates (TER). Although western economies were more highly targeted, they typically had a lower TER.

Countries ranked with the lowest TER included France at 5.2%, Canada at 4.6%, Australia at 4.1%, the US at 3% and the UK at 2.8%. Algeria at 30.7%, Bolivia at 20.3%, Pakistan at 19.9%, China at 18.5% and India at 16.9% were among the countries with the highest percentage of endpoints exposed to malware attacks.

“Even money laundering is localised to be more lucrative. Credit card processing can be risky for criminals, so they started using anonymous internet payment methods to extort money from ransomware victims,” said Wisniewski.

“We have seen cyber crooks using local online cash-equivalent cards and purchasing locations, such as prepaid Green Dot MoneyPak cards from Walgreens in the US, and Ukash, which is now paysafecard, from various retail outlets in the UK,” he said.

The concept of filtering out specific countries also emerged as a trend.

“Cyber criminals are programming attacks to avoid certain countries or keyboards with a particular language,” said Wisniewski. “This could be happening for many reasons. Maybe the crooks don’t want attacks anywhere near their launch point to better avoid detection. It could be national pride. Or perhaps there’s a conspiratorial undertone to create suspicion about a country by omitting it from an attack,” he said.

Banking is an example of how cyber criminals are using location-based malware to be more prosperous. The Sophos research revealed historically how Trojans and malware used to infiltrate banks and financial institutions converges on specific regions.

Brazilian banker Trojans and variants pinpoint Brazil, and Dridex is predominant in the US and Germany, for example, while Trustezeb is most prevalent in German-speaking countries, Yebot is popular in Hong Kong and Japan, and Zbot is found mostly in the US, UK, Canada, Germany, Australia, Italy, Spain and Japan.

“There is an entire cottage industry of uniquely crafted Trojans just targeting banks in Brazil,” said Wisniewski.

With cyber criminals having a deliberate hand in creating threats that look authentic and are specifically targeted, Sophos researchers said it is more difficult to recognise malicious spam.