Insights from CYREN's Q2 2014 Internet Threats Trend Report
  • The Simplocker ransomware is hidden in an app that presents itself as a pornography player under the name “Sex Xonix”.  After launching the app, a message appears on the screen accusing the user of watching and distributing child pornography (among “other perversions”) and demands payment to decrypt the user’s now encrypted Android files. The user is asked to pay 260 UAH (Ukraine Hryvnia), around $22, via MoneXy, a money transferring service used mostly in Russia and Ukraine.
  • Users are tricked into downloading the file commbank.apk, which disguises itself as a mobile authentication application. We’ve also seen other versions that look like Facebook or Gmail authentication apps and even a “malware scanner”.
    When downloaded, the app looks surprisingly legitimate, in this case similar to an app that might be issued by a well-known bank: Australia and New Zealand Banking Group Limited, commonly called ANZ. Such an app would normally provide mobile transaction authorization numbers (mTAN) or mTokens enabling login to online banking using two-factor authentication.

    The stolen data is stored in a SQLite database directly on the victim’s phone.
  • So can Play Store downloads be malicious?

    News reports later quoted the app’s developer as claiming that the app had been mistakenly released and was an early placeholder. This situation illustrates the struggles associated with scanning and evaluating the sheer number of Android apps appearing on the market.
  • Before we get started we thought it would be interesting to get your opinion on which of these will grow in 2014.
  • All of the above pseudo-random domain names are now redirected to the IP address 142.0.36.234, which is a DNS reply sinkhole hosted by the FBI.
    Kudos to the US Department of Justice, the FBI, Europol and the UK’s National Crime Agency, who have managed to disrupt the GameOver Zeus botnet. They have built a sinkhole that redirects the infected computers to substitute servers under the control of the government rather than to the Zbot servers.
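    As an added example (not from the CYREN deck or its report), here is a Python check that runs over constructed resolver log lines and lists the internal clients whose lookups were answered with the sinkhole address 142.0.36.234 named above; those are the hosts to pull for GameOver Zeus remediation. The log line format, client addresses and domain names are constructed for this illustration.

```python
import re
from collections import defaultdict

# Sinkhole address quoted in the slide notes (FBI DNS reply sinkhole for the GameOver Zeus domains).
SINKHOLE_IPS = {"142.0.36.234"}

# Constructed resolver log lines for illustration (not real traffic):
# "<timestamp> client <ip> query <name> A answer <ip>". Domain names use the reserved .example TLD.
SAMPLE_LOG = """\
2014-06-05T10:01:12Z client 10.0.5.17 query qzkvptnrawlm.example A answer 142.0.36.234
2014-06-05T10:01:15Z client 10.0.5.17 query www.example.com A answer 93.184.216.34
2014-06-05T10:02:40Z client 10.0.7.2 query mail.example.org A answer 198.51.100.25
2014-06-05T10:03:03Z client 10.0.9.41 query vbfrtyuioplk.example A answer 142.0.36.234
2014-06-05T10:03:09Z client 10.0.9.41 query hmxwtrpqdlkn.example A answer 142.0.36.234
2014-06-05T10:03:20Z client 10.0.9.41 query www.example.net A answer 203.0.113.8
"""

# Assumed (constructed) log layout; adapt the pattern to your resolver's actual format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<name>\S+) A answer (?P<answer>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_sinkholed_clients(log_text, sinkholes=SINKHOLE_IPS):
    """Map each client IP to the sorted list of names it resolved to a sinkhole address.

    A client appearing here was trying to reach a sinkholed botnet domain, which is
    the signal defenders use to find infected machines after a takedown.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["answer"] in sinkholes:
            hits[rec["client"]].add(rec["name"])
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(find_sinkholed_clients(SAMPLE_LOG).items()):
        print(f"{client}: {len(names)} sinkholed lookup(s): {', '.join(names)}")
```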

  • Many users dismiss suggestions that these can be dangerous since they are “just text and images”.  It is true that PDF files are not blocked by most email programs.  But of course they can be malicious - as shown in this example. 

    9.303, 9.304, 9.4, 9.401, 9.402, 9.403, 9.404, 9.405, 9.406, 9.407, 9.5, 9.501, 9.502, 9.503, 9.504, 10.101, 10.102, 10.103, 10.104, 10.105, 10.106, 11, 11.001
    (The current version is 11.0.07)

    If successfully exploited, the malicious PDF executes an embedded shellcode that downloads another malicious executable, a backdoor, from the following link, which CYREN detects as W32/Androm.AQ:

    Lastly, keep your software up to date, especially Adobe Reader, to protect yourself from attacks on known vulnerabilities.

  • CVE-2010-3333 vulnerability even though it’s over a year old. Why do attackers still use this exploit? Mainly because it’s very simple to exploit and many users have still not applied the MS10-087 update (or maybe they are using cracked versions of MS Office).
  • Since Windows XP is EOL from an update point of view and potentially exposed as soon as the next vulnerability is made public, we were curious…
  • Reasons for decrease
    Pharma companies shutting down factories
    Big spam affiliates shut down
    In short – less money in spam, more money elsewhere
  • “bioceutical” penny stock

    The Wolf of Wall Street, you’ll be amused at this pump-and-dump schemer’s choice of pseudonym, “Oakmont Stratton”. (Prosecuted in the 1990s for stock and investment fraud, the real owners of the firm Stratton Oakmont eventually pleaded guilty to 10 counts of securities fraud and money laundering.)
  • Countries – Spain is number 1 for the first time

    Zombies – top 5 is generally the same
  • More hacked gmail accounts
  • Our data is sourced from our GlobalView security lab and based on the huge volume of traffic seen in the GlobalView cloud – 12 billion transactions per day.

    We have seen a big increase in web malware/exploit kits and PHISHING! So a cloud-based solution is needed.

    WebSecurity – in-the-cloud web security and web filtering, with CYREN protection, the simplest user interface, and multi-tier partner management – and all with white-label options so that you can make it look like your own.
  • Our partners can co-brand our yearbook or the Q1 trend report
Transcript of "Insights from CYREN's Q2 2014 Internet Threats Trend Report"

    1. 21 August 2014 © 2014 CYREN Confidential and Proprietary. INSIGHTS FROM CYREN'S NEW Q2 TREND REPORT
    2. IN TODAY’S WEBINAR
       • Android ransomware and banking malware
       • The rise and fall (and rise) of Zbot
       • PDFs and Docs – real and unreal
       • Worldwide, World Cup phishing
       • Stock scams with Oakmont Stratton
    3. ANDROID MALWARE TRENDS
    4. PC RANSOMWARE
    5. POLL – RANSOMWARE HONESTY
       • Do you know someone who paid the ransom? Did they get their files back?
       • They paid and got their files back
       • They paid and lost their files
       • They refused to pay and lost their files
       • They refused to pay and managed to regain access to their PC
       • Happily I don’t know anyone who has been infected
    6. ANDROID RANSOMWARE ARRIVES
       • May – “ransomware” – but no encryption
       • June – ransomware with encryption: AndroidOS/Simplocker.A.gen!Eldorado
    7. ANDROID RANSOMWARE ARRIVES
       • Before and after encryption
       • Scans SD card and encrypts files like .jpg, .png, .doc amongst others
    8. ANDROID IBANKING MALWARE
       • SMS/spyware – collects text messages, phone calls, recorded audio
       • Works in tandem with PC-based malware
       • Intercepts SMS codes sent by banks
       • AndroidOS/Agent.HJ
    9. UNKNOWN SOURCES?
    10. NO MALWARE DETECTED
       • ''Virus Shield'', priced at $3.99 in the Google Play store
       • 30,000 copies in April
       • Does nothing
    11. POLL: YOUR MOBILE APPS
       • Where do you download apps?
       • Android: The Google Play Store
       • Android: Anywhere I can find apps
       • iOS: Only the iTunes Store
       • iOS: Jailbroken device – anywhere I can find apps
    12. MALWARE TRENDS
    13. A QUICK ZBOT HISTORY
       • Zeus Trojan (PC) discovered ~2007
       • Generally steals credentials – banks, email, social media
       • Keyloggers, screenshots
       • Sold as botnet creation kit
       • Zeus botnet, other botnets
       • Distributed command and control
       • Millions of victims
       • 2012 – Microsoft takedown of SpyEye
       • Gameover Zbot
       • Peer-to-peer encrypted botnet
       • June 2014 – Operation Tovar disrupted botnet
       • July – new variants emerging…
    14. ONE OF THE LAST ZBOT EMAILS
       • Attachment: Eonenergy-Bill-29052014.scr displays a PDF icon
       • W32/Zbot.BXN
    15. ANOTHER ZBOT SENT USING DROPBOX
    16. ACTUAL PDFS CAN ALSO BE PROBLEMATIC
       • Securedoc.pdf from BoA
       • Versions of Reader attacked: 9.3x – 9.5x, 10.1x, 11, 11.001
       • (The current version is 11.0.07)
    17. WORD DOCS TO AVOID
       • traking_doc_MW421330771CA.doc
       • aircanada_eticket_[random_number].doc
       • efax__[random_number].doc
       • file-_[random_number]_doc
       • President Obama’s Speech.doc
    18. SECURITY EDUCATION POLL
       • Do you think people are aware that a PDF or Doc file could be harmful?
       • Yes
       • No
    19. PHISHING TRENDS
    20. WORLD CUP PHISHING
       • Chance to win “World-Cup” related prizes
       • Cielo – biggest credit card provider in Brazil
    21. GLOBAL BANK PHISHING
       • Global brands: American Express, Bank of America, or Barclays
       • Country-specific: Natwest (Britain), Danske Bank (Denmark), Swedbank and SEB (Sweden), Bank of India (India), Credem (Italy), Hypovereinsbank (Germany)
    22. SPAM TRENDS
    23. SPAM LEVELS
       • Spam levels continue to drop
       • June average is lowest in 5 years!
       • Q2 average: 55 billion; June average: 49 billion
    24. Q2 SPAM TOPICS
       • Pharmacy Products 43%
       • Job Offer 22%
       • Stock 17%
       • Diet 8%
       • Other 4%
       • Online Casino 3%
       • Phishing 2%
       • Malware 1%
    25. PUMP AND DUMP – RCHA
       • Buy: 417,000 @ 0.19
       • Sell: Many more @ 0.36
       • Profit ~$63,000
    26. Q2 SPAM COUNTRIES, SPAM ZOMBIES
       • Argentina 8%
       • Spain 8%
       • Vietnam 7%
       • United States 6%
       • Germany 5%
       • Italy 5%
       • Iran 4%
       • Brazil 4%
       • Colombia 4%
       • Mexico 3%
       • Others 46%
    27. SAVING HOSTING COSTS…
       • Google Docs phishing email
       • Google logo at the top stored on a legitimate Internet security blog called http://www.onlinethreatalerts.com/
    28. GLOBALVIEW
    29. GLOBALVIEW CLOUD AND PRODUCT FAMILIES
       • Web, email and anti-malware product families: CYREN WebSecurity, URL-Filtering, MobileSecurity, AntiVirus, CYREN EmailSecurity, Email Messaging Suite, AntiSpam, Outbound AntiSpam, IP Reputation, AntiVirus for Email
       • GlobalView™ Cloud
    30. WHAT MAKES US DIFFERENT – COMMITTED TO PARTNER SUCCESS
       • We focus on our core competencies so our partners can focus on theirs.
       • Technical Account Managers
       • Partner Success Program
    31. ANY QUESTIONS?